Lecture 26: QIP and QMIP

Similar documents
6.896 Quantum Complexity Theory 30 October Lecture 17

Witness-preserving Amplification of QMA

Introduction to Interactive Proofs & The Sumcheck Protocol

6.896 Quantum Complexity Theory November 4th, Lecture 18

Basic Probabilistic Checking 3

Lecture 22: Quantum computational complexity

QUANTUM ARTHUR MERLIN GAMES

arxiv:cs/ v1 [cs.cc] 15 Jun 2005

On the power of quantum, one round, two prover interactive proof systems

6.841/18.405J: Advanced Complexity Wednesday, April 2, Lecture Lecture 14

Lecture 26. Daniel Apon

. An introduction to Quantum Complexity. Peli Teloni

Tsuyoshi Ito (McGill U) Hirotada Kobayashi (NII & JST) Keiji Matsumoto (NII & JST)

Lecture 19: Interactive Proofs and the PCP Theorem

Notes on Complexity Theory Last updated: November, Lecture 10

CS286.2 Lecture 8: A variant of QPCP for multiplayer entangled games

Parallelization, amplification, and exponential time simulation of quantum interactive proof systems

Upper Bounds for Quantum Interactive Proofs with Competing Provers

QMA(2) workshop Tutorial 1. Bill Fefferman (QuICS)

Lecture 26: Arthur-Merlin Games

Lecture 13: Lower Bounds using the Adversary Method. 2 The Super-Basic Adversary Method [Amb02]

Zero-Knowledge Against Quantum Attacks

2 Natural Proofs: a barrier for proving circuit lower bounds

Classical Verification of Quantum Computations

arxiv: v2 [cs.cc] 20 Oct 2009

2 Evidence that Graph Isomorphism is not NP-complete

CSC 2429 Approaches to the P versus NP Question. Lecture #12: April 2, 2014

Limits on the power of quantum statistical zero-knowledge

Some Results on Circuit Lower Bounds and Derandomization of Arthur-Merlin Problems

Classical Verification of Quantum Computations

Quantum interactive proofs with weak error bounds

By allowing randomization in the verification process, we obtain a class known as MA.

Identifying an Honest EXP NP Oracle Among Many

Lecture 14: IP = PSPACE

1 On Proofs and Interactive Proofs

Great Theoretical Ideas in Computer Science

ON PARALLEL COMPOSITION OF ZERO-KNOWLEDGE PROOFS WITH BLACK-BOX QUANTUM SIMULATORS

Lecture 23: Introduction to Quantum Complexity Theory 1 REVIEW: CLASSICAL COMPLEXITY THEORY

Lecture 12: Interactive Proofs

Lecture 18: Quantum Information Theory and Holevo s Bound

Graph Non-Isomorphism Has a Succinct Quantum Certificate

Bounding laconic proof systems by solving CSPs in parallel

On the Power of Multi-Prover Interactive Protocols. Lance Fortnow. John Rompel y. Michael Sipser z. Massachusetts Institute of Technology

Quantum Information and the PCP Theorem

Lecture 16 November 6th, 2012 (Prasad Raghavendra)

Algebrization: A New Barrier in Complexity Theory

Rational Proofs with Multiple Provers. Jing Chen, Samuel McCauley, Shikha Singh Department of Computer Science

Quantum interactive proofs with short messages

arxiv: v1 [quant-ph] 12 May 2012

Quantum Computational Complexity

Almost transparent short proofs for NP R

Lecture 18: Zero-Knowledge Proofs

Quantum Information and the PCP Theorem

Oracle Separations for Quantum Statistical Zero-Knowledge

Lecture 14: Secure Multiparty Computation

Lecture 3: Superdense coding, quantum circuits, and partial measurements

Lecture 5. 1 Review (Pairwise Independence and Derandomization)

Lecture 3: Interactive Proofs and Zero-Knowledge

6-1 Computational Complexity

Definition 1. NP is a class of language L such that there exists a poly time verifier V with

6.080/6.089 GITCS May 6-8, Lecture 22/23. α 0 + β 1. α 2 + β 2 = 1

Introduction to Quantum Computing

Quantum Communication Complexity

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Spatial Isolation Implies Zero Knowledge Even in a Quantum World

IP = PSPACE using Error Correcting Codes

QUANTUM COMMUNICATIONS BASED ON QUANTUM HASHING. Alexander Vasiliev. Kazan Federal University

Quantum Computing Lecture 8. Quantum Automata and Complexity

Quantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem

Succinct quantum proofs for properties of finite groups

6.896 Quantum Complexity Theory September 9, Lecture 2

arxiv: v1 [cs.cc] 30 Apr 2015

A Quantum inspired proof of P #P IP

Lecture 15: Interactive Proofs

arxiv: v1 [cs.cc] 8 May 2009

6.896 Quantum Complexity Theory Oct. 28, Lecture 16

Mathematics, Proofs and Computation

Quantum Merlin-Arthur Proof Systems: Are Multiple Merlins More Helpful to Arthur?

General Properties of Quantum Zero-Knowledge Proofs

A Complete Characterization of Unitary Quantum Space

An Axiomatic Approach to Algebrization

On the query complexity of counterfeiting quantum money

Basics of quantum computing and some recent results. Tomoyuki Morimae YITP Kyoto University) min

Lecture 18: Oct 15, 2014

Simon s algorithm (1994)

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9

Lecture 7: Quantum Fourier Transform over Z N

Interactive proofs with efficient quantum prover for recursive Fourier sampling

PROBABILISTIC COMPUTATION. By Remanth Dabbati

Lecture 21: Quantum communication complexity

Lecture 20: Non-malleable zero knowledge

CS286.2 Lecture 15: Tsirelson s characterization of XOR games

1 Computational Problems

arxiv:cs/ v1 [cs.cc] 27 Jan 1999

Lecture 8 (Notes) 1. The book Computational Complexity: A Modern Approach by Sanjeev Arora and Boaz Barak;

Some Results on Derandomization

Notes for Lecture Notes 2

Proving SAT does not have Small Circuits with an Application to the Two Queries Problem

CS151 Complexity Theory. Lecture 14 May 17, 2017

MTAT Complexity Theory December 8th, Lecture 12

Transcription:

Quantum Computation (CMU 15-859BB, Fall 2015) Lecture 26: QIP and QMIP December 9, 2015 Lecturer: John Wright Scribe: Kumail Jaffer 1 Introduction Recall QMA and QMA(2), the quantum analogues of MA and AM. Today we will look at QIP, the quantum analogue of the classical IP, the class of languages with polynomial size interactive proof systems. An interactive proof system consists of two algorithms, P, the prover, and V, the verifier. P has access to infinite computational power, while V is limited to computing with the assumptions of BPP. They are allowed to exchange polynomially messages, and at the end the verifier outputs whether or not the input is in the language. More precisely, Definition 1.1. a language L is in IP if there exists a BPP verifier V such that the following two conditions hold: 1. (completeness) If x L, there exists a prover P such that the system consisting of P and V accepts x with probability 2/3. 2. (soundness) If x L, for all provers Q, the system consisting of Q and V accepts x with probability 1/3. This is like MA and AM, except the machines can exchange polynomially many instead of 1 or 2 messages. The discovery of the fact that IP = PSPACE is one of the great stories of classical complexity [Sha92][LFKN92]. Let s dive into the quantum version of this story, which is being written today. 2 Definition of QIP Definition 2.1. a language L is in QIP if there exists a BQP verifier V such that the completeness and soundness conditions hold. The prover and the verifier are additionally allowed to exchange quantum messages. Let s also define another useful notion: Definition 2.2. QIP(k) is the set of languages with quantum interactive proof protocols of length k. 1

Using this definition, the following facts are clear Fact 2.3. QIP = QIP(f(n)) f is polynomial Fact 2.4. QIP(0) = BQP QIP(1) = QMA QAM QIP(2) QIP(3)... QIP. Here s another definition: Definition 2.5. QIP(k, p 1, p 2 ) is the set of languages with quantum interactive proof protocols of length k, correctness probability of accepting at least p 1 and soundness probability of accepting at most p 2. It is not immediately clear that QIP is robust to tweaking the probabilities of the soundness and correctness conditions, but it turns out that it is indeed the case that Fact 2.6. QIP(k, p 1, p 2 ) = QIP(k, 1, 2 poly ), as long as p 1 p 2 poly 1 [KW00]. Finally, Here are two grab bag facts: Fact 2.7. IP QIP The proof is very similar to the proof that MA QMA, with the key being to measure the quantum state before doing anything else. Fact 2.8. Without loss of generality, we can assume in any interactive proof protocol that the last message sent is from the prover to the verifier. Clearly, the verifier accomplishes nothing by sending a message the other way and outputting before receiving a response. With definitions out of the way, let s look at a problem in QIP to better understand the nature of the class. 3 Quantum State Distinguishability You are given two mixed states, ρ 0, ρ 1 C d d in the form of classical descriptions of quantum circuits that output these states. The task is to output YES if d tr (ρ 0, ρ 1 ).9, and NO if d tr (ρ 0, ρ 1 ).1. Where d tr is the trace distance. Equivalently, we saw in a previous lecture that Fact 3.1. { optimal probability of guessing b, d tr (ρ 0, ρ 1 ) = 2 given a uniformly random ρ b from b = {0, 1} } 1 2

One natural thing we might want to try is to send the optimal POVM for distinguishing the two states as a certificate. Then the verifier can just measure random states with the POVM many times, and if it gets back the same one it put in sufficiently many times, we can say YES. The trouble with this is that it s unclear how we can encode a POVM efficiently into a message. Even if we just use the Pretty Good Measurement, we don t know an efficient way to encode it. If we could find a nice way to encode it, we d solve this problem in QMA. But if we allow ourselves a polynomial length protocol, we have more freedom. In fact, it turns out we don t need to send any information about how the prover solves the problem at all (!). We can use the standard coke-pepsi trick from classical zero knowledge proofs. Claim 3.2. The following protocol solves the problem in QIP: 1. Verifier picks b {0, 1} uniformly at random, and sends the prover ρ b without saying which one it is. 2. Prover responds with a guess, b, for b 3. Verifier accepts if and only if b = b. Proof. If d tr (ρ 0, ρ 1 ) 0.9, then by fact 3.1, there s a measurement which gives the prover a probability (1 + 0.9)/2 = 0.95 of guessing b correctly. So the correctness condition is satisfied. On the other hand, if d tr (ρ 0, ρ 1 ) 0.1, then again by fact 3.1, there s no measurement which gives the prover a probability better than (1 + 0.1)/2 = 0.55 of guessing correctly. So the soundness condition is satisfied. This protocol has the nice property that is zero-knowledge, that is, the protocol gives the verifier no information about how to solve the problem itself. It only allows it to conclude that the prover knows what it s doing. Further, it turns out out that the Quantum State Distinguishability problem is complete for QSZK, the class of languages with zero-knowledge quantum interactive proof protocols [Wat02]. Now let s turn to the related problem of quantum circuit distinguishability. 3.1 Quantum Circuit Distinguishability You are given two classical descriptions of quantum circuits, c 0 and c 1. The task is to determine if they compute noticeably different functions. To make the notion of noticeably different more concrete, we use the following definition Definition 3.3 (Diamond distance). d (c 0, c 1 ) = max d tr(c 0 χ, c 1 χ ) pure states χ The task, then, is to output YES if d (c 0, c 1 ) 0.9, and NO if d (c 0, c 1 ) 0.1. 3

Claim 3.4. The following protocol solves the problem in QIP: 1. Prover sends χ, a state claimed to cause noticeably different outputs on c 0 and c 1. 2. Verifier picks b {0, 1} uniformly at random, calculates c b χ and sends it, without saying which one it is. 3. Prover responds with a guess, b for b. 4. Verifier accepts if and only if b = b. Proof. This clearly works for the same reason that our protocol for Quantum State Distinguishability worked. 4 QIP collapses to QIP(3) (!!) Kitaev and Watrous showed in 2000 that every protocol in QIP can be turned into a protocol using only 3 messages [KW00]. In particular, they showed Theorem 4.1. QIP(k, 1, 1 ɛ) = QIP(3, 1, 1 ɛ2 4k 2 ) Proof (sketch). Note first that any quantum interactive proof looks something like the following diagram. Verifier qubits Message qubits Prover qubits U V 1 U V 2 U P 1 U P 2 U V k U P k U V f Figure 1: Quantum Interactive Proof System That is, it consists of multiple rounds of the verifier and the prover applying unitary transformations (Ui V for the verifier, and Ui P for the prover) to a set of qubits, where they share some message qubits, and both the prover and the verifier have their own private qubits that the other cannot interfere with. The protocol ends with the Verifier applying a final unitary transformation, Uf V, and measuring the first qubit. If it is a 0 it rejects, if it is a 1 it accepts. 4

Let s call the state before the i th verifier unitary V i, M i, P i, where the entries of the tuple are the verifier s qubits, the message qubits, and the prover s qubits, respectively. A transcript is a list of all the states. The following protocol proves the theorem. 1. Prover generates a transcript for the full run of the original length 2k + 1 protocol on the given input, and sends it to the verifier. Verifier preforms Uf V on V k, M k and rejects if the first bit of the result is not 1. 2. Verifier prepares entangled state b, b = 1 2 ( 0 0 + 1 1 ), and picks i {1... k 1} uniformly at random. Verifier applies V i to V i, M i, controlled swaps V i and V i+1 with control bit b, and sends V i, V i+1, b, i to the prover. 3. Prover applies U P i to M i, P i and controlled swaps it with M i+1, P i+1 with control bit b, and sends it back. Verifier receives b from prover, controlled nots it with b, applies hadamard to b and accepts if and only if result is 0 The high level idea of this protocol is that the verifier picks a random step of the proof to check, and checks it by doing the computation for that step itself, preforming a swap test to confirm that it is what the prover claimed it was. It is easy to show that if the original protocol accepts with certainty, this protocol does as well. Proving soundness is a bit more difficult. For more details, see [KW00]. In fact, it turns out that the above protocol can be somehow formulated as a semidefinite program solvable in exponential time, showing QIP NEXP [KW00]. It even turns out to be true that QIP = PSPACE = IP, so quantum gives us no additional power in the domain of interactive proofs [JJUW10]. 5 QMIP One interesting variation on the IP setting that s been widely studied is to allow multiple independent non-communicating provers, resulting in the classical class MIP. Intuitively, this would seem to give us more power because it is the mathematical formalism for the classic policework trick of separating two co-conspirators before interrogating them in an effort to discover the truth. A famous result of Babai, Fortnow, and Lund says that MIP NEXP [BFL90]. We can generalize this to the quantum setting where we are again allowed multiple noncommunicating provers, except that the verifier is in BQP, and the provers are allowed to prepare an entangled state before beginning the protocol. This is, of course, a highly realistic assumption, since you couldn t prevent two co-conspirators from walking into their interrogation rooms with halves of EPR pairs in their pockets. The resulting class is called QMIP. Currently, we don t know much about QMIP. It is not immediately clear even that MIP QMIP, since the entanglement of the provers prevents us from simply measuring 5

to avoid sneaky quantum behavior. In 2012, however, it was shown that this is the case, as a corollary of the fact that NEXP QMIP [IV12]. It s also true that QMIP = MIP, where MIP is MIP except the provers are allowed to share an entangled state before the protocol (note that the verifier is of BPP and not BQP), so the power of QMIP lies in prover entanglement and not in quantum messaging [RUV13]. The most glaring gap in our knowledge is the lack of an analogue of MIP NEXP. In fact, it s quite a bit worse than that: We don t know any upper bound at all! Not even the class of decidable languages is known to be an upper bound. For all we know, QMIP could be powerful enough to solve the halting problem, or indeed all possible problems. References [BFL90] [IV12] L. Babai, L. Fortnow, and C. Lund. Nondeterministic exponential time has twoprover interactive protocols. In Foundations of Computer Science, 1990. Proceedings., 31st Annual Symposium on, volume 1, pages 16 25, October 1990. Tsuyoshi Ito and Thomas Vidick. A multi-prover interactive proof for NEXP sound against entangled provers. In Proceedings of the 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science, FOCS 12, pages 243 252, Washington, DC, USA, 2012. IEEE Computer Society. [JJUW10] Rahul Jain, Zhengfeng Ji, Sarvagya Upadhyay, and John Watrous. QIP = PSPACE. Commun. ACM, 53(12):102 109, December 2010. [KW00] Alexei Kitaev and John Watrous. Parallelization, amplification, and exponential time simulation of quantum interactive proof systems. In Proceedings of the Thirty-second Annual ACM Symposium on Theory of Computing, STOC 00, pages 608 617, New York, NY, USA, 2000. ACM. [LFKN92] Carsten Lund, Lance Fortnow, Howard Karloff, and Noam Nisan. Algebraic methods for interactive proof systems. J. ACM, 39(4):859 868, October 1992. [RUV13] Ben W. Reichardt, Falk Unger, and Umesh Vazirani. A classical leash for a quantum system: Command of quantum systems via rigidity of CHSH games. In Proceedings of the 4th Conference on Innovations in Theoretical Computer Science, ITCS 13, pages 321 322, New York, NY, USA, 2013. ACM. [Sha92] Adi Shamir. IP = PSPACE. J. ACM, 39(4):869 877, October 1992. [Wat02] J. Watrous. Limits on the power of quantum statistical zero-knowledge. In Foundations of Computer Science, 2002. Proceedings. The 43rd Annual IEEE Symposium on, pages 459 468, 2002. 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback