Two-message quantum interactive proofs are in PSPACE
Rahul Jain, Sarvagya Upadhyay, John Watrous
Introduction
Since their introduction roughly 25 years ago [Bab85, GMR85], interactive proof systems have become a fundamental notion in the theory of computational complexity. The expressive power of one of the most basic variant of the interactive proof system model, wherein a polynomial-time probabilistic verifier interacts with a computationally unbounded prover for a polynomial number of rounds, is characterized [LFKN92, Sha92] by the well-known relationship
Many variants of interactive proof systems have been studied, including public-coin interactive proof systems (or Arthur–Merlin games) [Bab85, BM88, GS89], zero-knowledge interactive proofs [GMR89, GMW91] and multi-prover interactive proofs [BOGKW88].
This paper is concerned primarily with quantum interactive proof systems, which are defined in a similar way to ordinary interactive proof systems except that the prover and verifier may perform quantum computations. Like their classical analogues, several variants of quantum interactive proof systems have been studied, including ordinary quantum interactive proofs [Wat03, KW00], public-coin quantum interactive proofs [MW05], zero-knowledge quantum interactive proofs [Wat02, Wat06, Kob08, HKSZ08], and multi-prover quantum interactive proofs [KM03, KKMV08]. The complexity class QIP of problems having quantum interactive proof systems is known [KW00] to satisfy
The containment follows from the existence of polynomial-time algorithms for approximately solving semidefinite programs [GLS93]. (Somewhat simpler proofs of the containment follow from the results of [BATS09, Wat09b], but these proofs still require efficient algorithms for solving convex/semidefinite programs.)
Quantum interactive proof systems have an interesting property that classical interactive proof systems are conjectured not to hold, which is that they can be parallelized to a constant number of rounds of interaction [KW00]. More precisely, it holds that , where in general denotes the class of problems having quantum interactive proof systems in which messages are exchanged between the prover and verifier (with the prover always sending the last message). This leaves four basic classes that are defined naturally by quantum interactive proof systems: , , , and . Of these classes, seems to be the most mysterious. It is known that [Weh06] and [Wat02, Wat06]. Here, denotes the class of problems having one-round two-prover classical interactive proof systems in which the provers share quantum entanglement, answer one bit each, and the verifier accepts or rejects based on the parity of these bits; and QSZK denotes the class of problems having statistical zero-knowledge quantum interactive proof systems. No upper bound other than the trivial containment , which implies , was previously known.
In this paper we prove the new containment:
Similar to , this containment is proved using semidefinite programming; but this time the containment is achieved by using an NC algorithm rather than a sequential polynomial-time algorithm. Our algorithm is based on the multiplicative weights update method, which was developed by several researchers and is described in the survey [AHK05] and in the PhD thesis of Kale [Kal07]. In particular, our algorithm is based on a general method that was independently discovered by Arora and Kale [AK07] and Warmuth and Kuzmin [WK06]. The key aspect of this approach that makes it useful for proving is its parallelizability: it is an iterative method in which each iteration is easily parallelized, and is such that only a very small number of iterations is needed for an approximation that is accurate enough for our needs. A related approach was used by two of us [JW09] to prove the containment of a different quantum complexity class (called ) in PSPACE, but the specific technical details of the simulations are rather different.
The rest of this paper has the following structure. We begin with Section 2, which includes a brief discussion of background information needed for the rest of the paper, including linear algebra notation and parallel algorithms for matrix computations. Section 3 introduces two-message quantum interactive proof systems and establishes a simple fact concerning their robustness with respect to error bounds. In Section 4 we present a semidefinite programming formulation of the maximum probability with which a verifier in a two-message quantum interactive proof system can be made to accept, and the actual simulation of in PSPACE is split into the three sections that follow: Section 5 presents an overview of the simulation, while Sections 6 and 7 describe in more detail its two most technical parts. The precision requirements of the entire simulation are discussed in Section 8, and the paper concludes with Section 9.
Preliminaries
The following special types of operators are relevant to the paper:
Three operator norms are discussed in this paper: the trace norm, Frobenius norm, and spectral norm, defined as
for positive semidefinite operators and of equal dimension.
The following special types of super-operators are relevant to the paper.
2 Remarks on NC and parallel matrix computations
To prove that is contained in PSPACE, we will make use of various facts concerning parallel computation. First, let us recall the definition of two complexity classes based on bounded-depth circuit families: NC and . The class NC contains all functions that can be computed by logarithmic-space uniform Boolean circuits of polylogarthmic depth, while the class contains all functions that can be computed by polynomial-space uniform families of Boolean circuits having polynomial-depth. By restricting these classes to predicates we obtain classes of languages (or more generally promise problems).
There are a few facts about these classes that we will need. The first fact, which follows from [Bor77], is that for languages (or promise problems) we have . (In fact it holds that , but we only need a containment in one direction.) The second fact is that functions in these classes compose nicely. In particular, if is a function in and is a function in NC, then the composition is also in . This follows from the most obvious way of composing the families of circuits that compute and , along with the observation that can be at most exponential in .
Finally, we will make use of the fact that many computations involving matrices can be performed by NC algorithms. We will restrict our attention to matrix computations on matrices whose entries have rational real and imaginary parts. Numbers of this form, for integers , , , and , are sometimes referred to as Gaussian rationals. We assume any number of this form is encoded as a 4-tuple using binary notation, so that the length of is understood to be the total number of bits needed for such an encoding.
It is known that elementary matrix operations, such as additions, multiplications, and inversions, can be performed in NC. (The survey [Gat93], for instance, describes NC algorithms for these tasks.) We will also make use of the fact that matrix exponentials and spectral decompositions can be approximated to high precision in NC. In more precise terms, we have that the following problems are in NC:
Note that in these problems, the description of has roughly bits, which means that highly accurate approximations are possible in NC. The fact that matrix exponentials can be approximated in NC as claimed follows by truncating the series
to a number of terms polynomial in and . (This is not a very practial way to compute matrix exponentials, but it establishes the fact we need.) The fact that spectral and singular value decompositions can be approximated in NC follows from a composition of known facts: in NC one can compute characteristic polynomials and null spaces of matrices, perform orthogonalizations of vectors, and approximate roots of integer polynomials to high precision [Csa76, BGH82, BCP83, BOFKT86, Gat93, Nef94].
Two-message quantum interactive proof systems
The purpose of this section is to introduce the class , including its definition and a simple proof that it is robust with respect to error bounds. For a general discussion of quantum interactive proof systems, as opposed to the somewhat simplified case in which only two messages are exchanged, the reader is referred to [KW00] and [Wat09a].
To define the class , we begin by defining a two-message quantum verifier as a classical polynomial-time algorithm that, on each input string , outputs the description of two quantum circuits: and . The circuit describes the verifier’s initial preparation of a state, part of which is sent to the prover, while the circuit describes the verifier’s actions upon receiving a response from the prover. For the sake of simplicity, and without loss of generality, we assume that for every input string , the circuits and are both composed of gates from some finite, universal set of unitary quantum gates whose entries have rational real and imaginary parts. The number of qubits on which the circuits and act is assumed to be equal to , where and is some polynomial-bounded function. The first qubits represent the communication channel between the prover and verifier, while the remaining qubits serve as the private memory of the verifier. (It is not really necessary that the number of message qubits and private memory qubits agree, but it causes no change in the computational power of the model.)
A two-message quantum prover is simply a collection of quantum operations (or, equivalently, completely positive and trace preserving super-operators) . Such a prover is compatible with a given verifier if each operation acts on qubits for the function mentioned above.
An interaction between a two-message verifier and a compatible prover on an input proceeds as follows:
qubits are initialized in the state.
The circuit is applied to all of the qubits.
The prover’s operation is applied to the first qubits.
The circuit is applied to all of the qubits.
The first qubit is measured with respect to the standard basis, with the outcome 1 indicating acceptance and 0 indicating rejection.
Figure 1 illustrates such an interaction.
Now, a promise problem is in if and only if there exists a two-message verifier with the following completeness and soundness properties:
(Completeness) If , then there exists a prover that causes to accept with probability at least 2/3.
(Soundness) If , then every prover that is compatible with causes to accept with probability at most 1/3.
2 Robustness of QIP(2) with respect to error bounds
It was proved in [KW00] that quantum interactive proof systems with negligible completeness error are amenable to parallel repetition. This allows for an exponential reduction in error for quantum interactive proof systems with three or more messages, because such proof systems can be transformed to have perfect completeness by a different method. However, this method does not work for two-message quantum interactive proof systems, because the perfect-completeness transformation requires the addition of messages. So, we will require a different method of error reduction.
Assume that is a promise problem in and that is a two-message quantum interactive proof system for with completeness and soundness probabilities bounded by and , where for some polynomial-bounded function . We will define a new verifier that has completeness probability at least and soundness probability at most , for any choice of a polynomial-bounded function . A description of follows.
Let and let . Run independent, parallel executions of the protocol for , one for each pair with and . Measure the output qubit for each execution, and let the result of the measurement for execution be .
Accept if , reject otherwise.
and thus the probability of rejection is at most .
We may view as being the outcomes of parallel executions of a quantum interactive proof system that accepts with probability at most . The verifier accepts if and only if all of these executions accept, and so by the result on parallel repetition proved in [KW00] we may conclude that the probability of acceptance of is at most
Thus, the verifier has been shown to have completeness and soundness probabilities as required, completing the proof.
Maximum acceptance probability as a semidefinite program
The maximum acceptance probability of a verifier in a quantum interactive proof system can be phrased as semidefinite programming problem [KW00]. For this paper a semidefinite programming formulation based on ones described in [GW07, Wat09b] will be used.
Suppose is a two-message verifier, and that an input string of length is being considered. Let us also define
In words, denotes the quantum state initially prepared by the verifier, the first half of which is sent to the prover; and denotes the projection operator corresponding to the accept outcome of the measurement that the verifier effectively performs after receiving the prover’s message.
We therefore find that the probability of acceptance (1) may alternately be written
The feasible region of this semidefinite program is well-bounded (in the sense of [GLS93]), and therefore its optimal value can be approximated to high precision in time polynomial in the size of (which is exponential in ). This fact does not help us to prove , however. As is described in the next section, we will need an NC algorithm rather than just a polynomial-time algorithm to draw this conclusion.
The value is then seen to be the optimal value of the following semidefinite program:
Strong duality follows from strict feasibility, which is easily verified, and so the optimal primal and dual solutions are given by .
Overview of the simulation
We will now explain, in high-level terms, our simulation of in PSPACE. To prove that , it will suffice to prove . This will be facilitated by the fact, discussed in Section 2.2, that many computations involving matrices, including elementary operations such as addition, multiplication, and inversion, as well as approximations of spectral decompositions, singular-value decompositions, and matrix exponentials, can be performed in NC.
For the remainder of this paper, assume that is an arbitrary promise problem in , and let be a two-message verifier for that has exponentially small completeness and soundness error. The goal of the simulation is to determine whether or not can be made to accept a given input string with high probability. The variable will always denote the input length , and will denote the number of qubits exchanged by the verifier and prover on each of the two messages as discussed in Section 3.
There are three main steps of the simulation:
Compute from an explicit description of and .
Process the description of the vector and the projection into a well-conditioned interactive measurement operator and positive rational numbers and satisfying
For some polynomial it will hold that , where denotes the condition number of . Moreover it will hold that and .
Use a parallel algorithm, based on the multiplicative weights update method, to test whether is larger or smaller than .
The first step is easily performed in , using an exact computation. In particular, one may simply compute products of the matrices that describe the individual gates of the verifier’s circuits. Given that this step is straightforward, we will not comment on it further. The second and third steps are more complicated, and are described separately in Sections 6 and 7 below. Both correspond to NC computations (where the input size is exponential in ), and by composing these computations with the first step just described, we will obtain that is in , and therefore .
Preparing a well-conditioned interactive measurement operator
The quantity is precisely the maximum acceptance probability of on input , but nothing can be said about the condition number of (which may not even be invertible).
The interactive measurement operator is well-conditioned: .
The values and are non-negligible: and .
The value satisfies the properties
The first step in this process is to replace by a more uniform vector that is “similar enough” to in the sense to be described. We will, in particular, take to be maximally entangled over certain subspaces of and . This is done by performing the following operations:
be a Schmidt decomposition of .
For each positive integer , define the interval , and define
Let and choose so that
The fact that such an exists is proved below, and hereafter we write for this choice of .
These are fairly loose bounds—but for the two extremes where is exponentially close to 0 or 1, the corresponding values for will be separated by the reciprocal of a polynomial, which is good enough for our needs.
Thus, there must exist a suitable choice of in step 3 so that
as claimed. A lower bound on the size of may be obtained by noting that
Now, the inner product of and is easily bounded from below as
and by combining this observation with the fact that is traceless we obtain
which establishes the lower bound on claimed in (3) above.
To establish the upper bound on , which is the second inequality in (3), let us first choose an admissible super-operator so that
Because is admissible, we may therefore conclude that
Having obtained a uniform vector that gives (when combined with ) an interactive measurement operator satisfying (3), we must make a couple of additional modifications to be sure that a well-conditioned interactive measurement operator has been obtained.
Now let us verify that has the properties we require of it. First let us consider the condition number . It is easily shown that
and therefore . It remains to define nonnegligible values and , and to consider their relationship to in the two cases: and .
We have assumed that the original interactive proof system has exponentially small completeness and soundness errors, and therefore we may assume that for sufficiently large we have
(Alternately we may assume these bounds hold for all by hard-coding small inputs into the verifier.) Thus, by the bounds (4) above, we have
we therefore have the properties required.
Verifying maximum acceptance probability
We now describe and analyze a parallel algorithm, based on the multiplicative weights update method, to distinguish the two cases (2) from the previous section. The algorithm operates as described in Figure 2, and the super-operators and are as defined in Section 4.
We will need a few basic facts and three lemmas to analyze the algorithm described in Figure 2. We begin by noting two facts concerning matrix exponentials. First, the Golden-Thompson Inequality (see Section IX.3 of [Bha97]) states that, for any two Hermitian matrices and of equal dimension, we have
Second is the following inequality concerning the matrix exponential of positive semidefinite matrices.
It is sufficient to prove the inequality for replaced by a scalar , for then the operator inequality follows by considering a spectral decomposition of . If then the inequality is trivial, so assume . By the Mean Value Theorem there exists a value such that
by taking for each choice of and .
By the monotonicity of the fidelity function, it must hold that for every choice of satisfying . It therefore suffices to show that equality can be achieved.
Lemma 7.2 is a fairly straightforward extension of Uhlmann’s Theorem [Uhl76]. (See also pages 410–411 of [NC00].)
purify and , respectively, so by the monotonicity of the trace norm it holds that
which follows easily from the expressions of the trace and Frobenius norms in terms of singular values, along with the Cauchy–Schwarz inequality, we have
When and for density operators and , we obtain the familiar inequality
which is one of the Fuchs-van de Graaf inequalities [FvdG99].
2 Analysis of the algorithm (ignoring precision)
Our algorithm cannot be implemented exactly using bounded-depth Boolean circuits: the spectral decompositions and matrix exponentials can only be approximated. However, for the sake of exposition, the issue of precision will be completely ignored in this subsection; meaning that we will imagine that all of the operations can be performed exactly. In the section that follows this one, the actual precision requirements of the algorithm are considered. As is shown there, it turns out that the algorithm is not particularly sensitive to errors, and in fact it is possible to perform all of the required computations in parallel with exponentially greater precision than would be required for the correctness of the algorithm.
The operator is defined as follows. First, let , let , and let
It holds that , and we also have
Therefore, given that , we have , and so
Second, given that for the case at hand, we have
and therefore .
Now, for the sake of clarity, let us write . Note that, for , it holds that
where we have used the Golden–Thompson Inequality. Given that we have by Lemma 7.1 that
(Here we have used the inequality , which holds for all real numbers , as well as the fact that whenever and ). Repeating this argument, and substituting , we have
Substituting the specified value of , and using the fact that (which holds for any ), we have
We therefore have that the algorithm works correctly, modulo the precision issues to be discussed in the section following this one. It remains only to observe that it can be implemented in NC (meaning that it results in an computation when composed with the first two steps of the simulation). Some of the details required to argue this can be found below; but at a high level one sees that each iteration of the loop in step 3 can be performed with high precision in NC, and the total number of iterations required is polynomial in (and therefore polylogarithmic in the size of ).
Precision requirements for the simulation
We now discuss the precision that is required for the simulation to yield a correct answer. It will turn out that the simulation is not particularly sensitive to errors, and one could in fact afford to take exponentially more precision than is required and still be within the class .
The first step of the simulation, in which an explicit description of and is obtained, can be performed exactly in as has already been observed. So, let us move on to the second step, in which and are processed to obtain a well-conditioned interactive measurement operator . This step requires the approximation of one singular value decomposition (to approximate the Schmidt decomposition of ), along with a few other operations that can be performed exactly or with high precision in NC.
For the moment let us denote by the actual operator that is computed by an NC implementation of this step, as opposed to the true operator that would be output by an idealized, exact complex number algorithm. By computing the singular value decomposition to high precision, it is possible to take such an approximation so that
where denotes any polynomial of our choice. It is not difficult to prove that the quantity is upper-bounded by times , and therefore we may take so that
again for denoting any polynomial of our choice. We do not need this much precision: we only need a separation between the values of for the cases and , which requires that is exponentially (rather than double-exponentially) small in . So, to be concrete, we may decide to take sufficient precision so that
Hereafter we will return to writing rather than , with the understanding that now represents an approximation that is stored by our algorithm. In addition, we will assume that , and therefore as well, has Gaussian rational entries and is known precisely. This assumption is easily met by replacing with the square of a high precision approximation to . The point of this assumption is that we avoid having to consider an additional error term every time or is involved in any computation. (There is no reason beyond simplifying the analysis to make this assumption.)
Now suppose that the algorithm described in Section 7 is performed with limited precision. Consider first the case that the algorithm accepts, and let denote the density operator that is stored by the algorithm on the iteration in which acceptance occurs. Note that it is not necessary to view that is an approximation of something else: the simple fact that causes acceptance will allow us to conclude that in a similar way to the error-free analysis.
to denote the approximate value of the spectral decomposition, so that represents the error in this approximation, and let us assume that sufficient accuracy is taken so that
As above, this is significantly less accuracy than is available—for we could take
if it were advantageous. Continuing on as before, let
Now let us consider the case that the algorithm rejects, and in particular let us focus on the operators that are computed over the course of the algorithm. As for the case of acceptance, these operators are not viewed as approximations to anything: the fact that these operators exist and cause rejection in the algorithm is enough to conclude that . Let us continue to write
and for each ; but we must keep in mind that the algorithm only computes approximations of these operators. The algorithm must also approximate the spectral decomposition of each , where the source of errors in this case comes from both the spectral decomposition computation and the fact that is approximated.
Now, in the error free analysis, the conditions
were proved, and these conditions allowed us to conclude that satisfies
If we follow precisely the same proof, but with the condition replaced by
for some choice of , we once again find immediately that . This time we have
Thus, given that the conditions and follow from an inspection of the algorithm as before, it suffices to compute the matrix exponentials and spectral decompositions with sufficient accuracy that . This is easily done: as the argument of the matrix exponentials have norm bounded by , one is able to compute both the matrix exponentials and the spectral decompositions with exponentially greater accuracy in NC than is required.
Conclusion
We have proved that using a semidefinite programming formulation of the maximum acceptance probability of two-message quantum interactive proof systems, along with the multiplicative weights update method for verifying these values. An obvious question remains: can this method be extended, or some other method devised, to prove ?
The research presented in this paper was supported by Canada’s NSERC, MITACS, the Canadian Institute for Advanced Research, and the US Army Research Office and National Security Agency; and was partially done while Rahul Jain was a member of the Institute for Quantum Computing and the School of Computer Science at the University of Waterloo.