
Using Prior-Entanglement for Honest Provers

Julia Kempe∗, Hirotada Kobayashi†, Keiji Matsumoto†, Thomas Vidick‡

∗Department of Computer Science, Tel Aviv University, Tel-Aviv 69978, Israel

†Principles of Informatics Research Division, National Institute of Informatics, 2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo 101-8430, Japan

‡Computer Science Department, École Normale Supérieure, Paris, France

7 September 2007

Abstract

The central question in quantum multi-prover interactive proof systems is whether or not the prior entanglement shared by provers affects the verification power of proof systems. Although it is often stated that sharing prior entanglement has the possibility both to strengthen and to weaken the power of quantum multi-prover interactive proof systems, all the existing studies focus only on the negative aspects of prior entanglement, i.e., whether or not dishonest but prior-entangled provers can break proof systems that are sound for any dishonest and prior-unentangled provers. This paper studies the positive aspects of prior entanglement and shows that prior entanglement is useful even for honest provers. By allowing honest provers to share prior entanglement, the following important properties are proved for quantum multi-prover interactive proof systems:

• Any quantum $k$-prover interactive proof system with two-sided bounded error can be modified to a quantum $k$-prover interactive proof system with one-sided bounded error of perfect completeness, for any $k$.

• Any quantum multi-prover interactive proof system can be parallelized to a one-round quantum multi-prover interactive proof system. More precisely, any general quantum $k$-prover interactive proof system for some polynomially bounded $k$ with two-sided bounded error can be parallelized to a one-round quantum $k'$-prover interactive proof system for another polynomially bounded $k'$ of perfect completeness with exponentially small error in soundness.

• Any quantum $k$-prover interactive proof system can be modified to a public-coin quantum $k$-prover interactive proof system, for any $k$.

• Any language in QIP (and thus in PSPACE) has a two-prover one-round quantum interactive proof system of perfect completeness with exponentially small error in soundness.

All of these properties except for the first one are not known to hold when considering only prior-unentangled honest provers, and thus give first evidence that sharing prior entanglement may be advantageous even to honest provers. Also, the third property is in contrast to the classical case in which classical public-coin multi-prover interactive proofs are only as powerful as classical single-prover interactive proofs, and thus, cannot be as powerful as general classical multi-prover interactive proofs unless NEXP = PSPACE.


1 Introduction

Multi-prover interactive systems are an important generalization of interactive proof systems [14, 4], and were originally introduced by Ben-Or, Goldwasser, Kilian, and Wigderson [7] for the purpose of removing intractability assumption from the zero-knowledge proofs for NP. Babai, Fortnow, and Lund [5], combining the result by Fortnow, Rompel, and Sipser [13], showed that the class MIP of languages having a multi-prover interactive proof system is equal to NEXP, which leads to the development of the theory of inapproximability in the framework of probabilistically checkable proofs [11, 3, 2].

In a multi-prover interactive proof system, a verifier communicates with not only one but multiple provers, while provers cannot communicate with each other and cannot know messages exchanged between the verifier and other provers. It is easy to see that allowing provers to share randomness a priori does not change the power of multi-prover interactive proof systems (except for zero-knowledge properties [6]). When considering a quantum version of multi-prover interactive proof systems, however, one may allow provers to share entanglement a priori. Particular cases are protocols with two provers initially sharing lots of EPR pairs. In general, provers may initially share any kind of entanglement, not limited to the EPR-type ones. In fact, the central question in quantum multi-prover interactive proof systems is whether or not this prior entanglement shared by provers affects the verification power of proof systems. Kobayashi and Matsumoto [18] introduced the quantum multi-prover interactive proof systems with a quantum verifier, and proved that the class of languages having a quantum multi-prover interactive proof system is necessarily contained in NEXP when provers share at most polynomially many prior-entangled qubits, and is equal to NEXP when they do not share any prior entanglement. Cleve, Høyer, Toner, and Watrous [10] studied the multi-prover interactive proof systems in which a verifier remains classical but provers may initially share entanglement, and presented several protocols for which shared EPR pairs can increase the power of dishonest provers. They also proved that the class of languages having some restricted version of multi-prover interactive proof system, denoted by $\oplus\mathrm{MIP}^*(2, 1)$, is contained in EXP for any two-sided bounded error when provers are allowed to share prior entanglement (Wehner [27] improved the upper bound to QIP(2), the class of languages having a two-message quantum interactive proof system), which is in contrast to the fact that the corresponding class $\oplus\mathrm{MIP}(2, 1)$ without allowing prior entanglement is equal to NEXP for some two-sided bounded error. Very recently, Kempe, Kobayashi, Matsumoto, Toner, and Vidick [15] showed the limits of the power of dishonest entangled provers in some quantum and classical multi-prover interactive proof systems for NP, NEXP, and PSPACE. Sun, Yao, and Preda [24] and Cleve, Gavinsky, and Jain [9] proved similar limits in some different classical multi-prover interactive proof systems for NP. However, the gaps between the completeness and soundness accepting probabilities are not satisfactorily large for all these results.

All these studies focus only on the negative aspects of prior entanglement, i.e., whether or not dishonest but prior-entangled provers can break proof systems that are sound for any dishonest and prior-unentangled provers. However, more surprisingly, currently no upper bound is known on the power of quantum multi-prover interactive proofs (or even the case in which a verifier remains classical) when provers are allowed to share an arbitrarily huge amount of prior entanglement. This suggests the possibility that the prior entanglement may be advantageous even to honest provers. Indeed, it is often stated that sharing prior entanglement has the possibility both to strengthen and to weaken the power of quantum multi-prover interactive proof systems, although, to the best knowledge of the authors, all the previous studies analyze only the negative aspects of prior entanglement.

This paper studies the positive aspects of prior entanglement and shows a number of general properties of quantum multi-prover interactive proof systems by intensively using prior entanglement for honest provers, which gives the first evidence that prior entanglement is useful even for honest provers. The main technical theorem of this paper is that any quantum $k$-prover interactive proof system that may involve polynomially many rounds can be parallelized to a one-round quantum $(k + 1)$-prover interactive proof system by allowing honest provers to share prior entanglement, in which the gap between completeness and soundness accepting probabilities is still bounded by an inverse-polynomial. More precisely, letting $\mathrm{QMIP}(k, m, c, s)$ denote the class of languages having an $m$-turn quantum $k$-prover interactive proof system with completeness accepting probability at least $c$ and soundness accepting probability at most $s$, we have the following theorem.

Theorem (Theorem 7). Let $k, m : \mathbb{Z}^+ \to \mathbb{N}$ be polynomially bounded functions and let $c, s : \mathbb{Z}^+ \to [0, 1]$ be any functions that satisfy $c - s \geq \frac{1}{p}$ for some polynomially bounded function $p : \mathbb{Z}^+ \to \mathbb{N}$. Then, there exists another polynomially bounded function $p' : \mathbb{Z}^+ \to \mathbb{N}$ such that $\mathrm{QMIP}(k, m, c, s) \subseteq \mathrm{QMIP}\left(k + 1, 2, 1, 1 - \frac{1}{p'}\right)$.

Remark. Although the term “round” is commonly used in classical multi-prover interactive proofs for describing each set of verifier’s questions and the corresponding provers’ responses, the term “turn” is often used instead of “round” in this paper. One round consists of two turns: the turn for a verifier and the turn for provers.

Since it is easy to amplify the success probability without increasing the number of rounds by running multiple attempts of a protocol in parallel using a different set of provers for every attempt, the above theorem essentially shows that one-round (i.e., two-turn) quantum multi-prover interactive proofs are as powerful as general quantum multi-prover interactive proofs.

Corollary (Corollary 8). Let $k, m : \mathbb{Z}^+ \to \mathbb{N}$ be polynomially bounded functions and let $c, s : \mathbb{Z}^+ \to [0, 1]$ be any functions that satisfy $c - s \geq \frac{1}{p}$ for some polynomially bounded function $p : \mathbb{Z}^+ \to \mathbb{N}$. Then, for any polynomially bounded function $p' : \mathbb{Z}^+ \to \mathbb{N}$, there exists another polynomially bounded function $k' : \mathbb{Z}^+ \to \mathbb{N}$ such that $\mathrm{QMIP}(k, m, c, s) \subseteq \mathrm{QMIP}(k', 2, 1, 2^{-p'})$.

The proof of our main technical theorem basically consists of three parts.

The first part is a pre-processing that converts any quantum $k$-prover interactive proof system with two-sided bounded error into a quantum $k$-prover interactive proof system with one-sided bounded error of perfect completeness. The second part proves that any quantum $k$-prover interactive proof system that may involve polynomially many turns can be parallelized to one that involves only three turns (messages from provers followed by questions from a verifier followed by responses from provers) in which the gap between completeness and soundness accepting probabilities is still bounded by an inverse-polynomial. Finally, the third part proves that any three-turn quantum $k$-prover interactive proof system with sufficiently large gap between the completeness and soundness accepting probabilities can be converted into a two-turn (i.e., one-round) quantum $(k + 1)$-prover interactive proof system in which the gap between the completeness and soundness accepting probabilities is bounded by an inverse-polynomial.

For the first and second parts, similar statements are already shown by Kitaev and Watrous [17] for the single-prover quantum interactive proofs. Their proofs, however, heavily rely on the fact that a quantum prover can apply arbitrary operators over all the space except for the private space for a verifier. This is not the case for the quantum multi-prover interactive proofs, since now each quantum prover cannot touch the qubits in the private spaces and the message channels for other quantum provers, in addition to those in the private space for a verifier. Therefore, new techniques are required for the multi-prover case.

For making proof systems perfectly complete, our basic idea is to use the quantum rewinding technique developed for quantum zero-knowledge proofs by Watrous [26] in a different way. In our case we use it to “rewind” an unsuccessful computation that would result in rejection into a successful one. To apply the quantum rewinding technique, we first modify the protocol so that the honest provers can convince the verifier with probability exactly $\frac{1}{2}$ if they optimize their initial state to share. This initial shared state corresponds to the auxiliary input in the case of quantum zero-knowledge proofs, and thus, the sequence of forward, backward, and forward executions of the protocol basically achieves the perfect completeness. The obvious problem of this construction lies in soundness in that dishonest provers may not use the same strategies for all of the three executions of the protocol. To settle this, we design a simple protocol that tests if the second backward execution is indeed a backward simulation of the first forward execution. The verifier performs either the original rewinding protocol or this invertibility test chosen uniformly at random without revealing which test is undergoing. This forces the provers to use essentially the same strategies for the first two executions of the protocol, which is sufficient to bound the soundness accepting probability.


For parallelization, our approach is to show that any quantum $k$-prover interactive proof system with sufficiently large gap between the completeness and soundness accepting probabilities can be converted into another quantum $k$-prover interactive proof system (with some weaker completeness and soundness conditions) in which the number of rounds (turns) becomes almost half of that in the original proof system. The idea to prove this is that the verifier first receives the snapshot state after (almost) half of turns have been executed in the original system, and then executes a forward-simulation of the original system from that turn with probability $\frac{1}{2}$ and a backward-simulation of the original system from that turn with probability $\frac{1}{2}$. The honest provers have only to simulate the original system to convince the verifier, while any strategy of dishonest provers with unallowably high success probability would lead to a strategy of dishonest provers in the original system that contradicts the soundness condition. By repeatedly applying this modification together with appropriate use of sequential repetition as a preprocessing, we can convert any quantum $k$-prover interactive proof system into a three-turn quantum $k$-prover interactive proof system in which the gap between the completeness and soundness accepting probabilities is bounded by an inverse-polynomial. If $k = 1$, this gives a simpler proof of the parallelization theorem due to Kitaev and Watrous [17] for single-prover quantum interactive proofs.

To prove the third part, we will take a detour by proving (i) any three-turn quantum $k$-prover interactive proof system with sufficiently large gap between the completeness and soundness accepting probabilities can be modified to a three-turn public-coin quantum $k$-prover interactive proof system (with some weaker completeness and soundness conditions), and (ii) any three-turn public-coin quantum $k$-prover interactive proof system can be converted into a two-turn quantum $(k + 1)$-prover interactive proof system without changing the completeness and soundness accepting probabilities. The notion of public-coin quantum multi-prover interactive proofs we use is a natural generalization of public-coin quantum interactive proofs in the single-prover case introduced by Marriott and Watrous [19]. Intuitively, at every round, a public-coin quantum verifier for quantum multi-prover interactive proof systems flips a fair classical coin at most polynomially many times, and then simply broadcasts the result of these coin-flippings to all the provers. The property (i) is a generalization of the result by Marriott and Watrous [19] to the multi-prover case, whereas the property (ii) is completely new. The idea to prove (ii) is to send questions only to the first $k$ provers to request the original second messages from the $k$ provers in the original system and to receive from the $(k + 1)$-st prover the original first messages from the $k$ provers in the original system without asking any question to him. The public-coin property of the original system implies the nonadaptiveness of the messages from the verifier, which is essential to prove (ii). In fact, there is a way of directly proving the third part, but our detour enables us to show another two important properties of quantum multi-prover interactive proof systems. Specifically, the property (i) essentially proves the equivalence of public-coin quantum $k$-prover interactive proofs and general quantum $k$-prover interactive proofs, for any $k$, while the property (ii) for the case $k = 1$ implies that any language in QIP (and thus in PSPACE) has a two-prover one-round quantum interactive proof system of perfect completeness with exponentially small error in soundness, since any language in QIP has a three-message public-coin quantum interactive proof system of perfect completeness with exponentially small error in soundness [19].

Corollary (Corollary 13). Let $k, m : \mathbb{Z}^+ \to \mathbb{N}$ be polynomially bounded functions and let $c, s : \mathbb{Z}^+ \to [0, 1]$ be any functions that satisfy $c - s \geq \frac{1}{p}$ for some polynomially bounded function $p : \mathbb{Z}^+ \to \mathbb{N}$. Then, for any polynomially bounded function $p' : \mathbb{Z}^+ \to \mathbb{N}$, there exists another polynomially bounded function $m' : \mathbb{Z}^+ \to \mathbb{N}$ such that any language in $\mathrm{QMIP}(k, m, c, s)$ necessarily has an $m'$-turn public-coin quantum $k$-prover interactive proof system of perfect completeness with soundness accepting probability at most $2^{-p'}$.

Corollary (Corollary 15). For any polynomially bounded function $p : \mathbb{Z}^+ \to \mathbb{N}$, $\mathrm{QIP} \subseteq \mathrm{QMIP}(2, 2, 1, 2^{-p})$.

Note that, in the classical case, public-coin multi-prover interactive proofs are only as powerful as single-prover interactive proofs, because the fact that every prover receives the same question from the verifier means that every prover can know how the other provers will behave. Hence, they cannot be as powerful as general classical multi-prover interactive proofs unless NEXP = PSPACE. In contrast, our result shows that, in the quantum case, public-coin quantum multi-prover interactive proofs are as powerful as general quantum multi-prover interactive proofs. The reason for the nontriviality of public-coin quantum multi-prover interactive proofs may be explained as follows: even if every quantum prover can know how other quantum provers will behave, still each quantum prover can apply only local transformations over some state that may be entangled among provers, which is not enough to simulate every possible strategy a single quantum prover could take.

Another remark is that, in the classical case, a similar statement to the last corollary was shown by Cai, Condon, and Lipton [8] (and a stronger statement was shown later by Feige and Lovász [12] that two-prover one-round multi-prover interactive proofs are as powerful as general multi-prover interactive proofs). All these results are, however, not known to hold under the existence of prior entanglement among provers. Before our result, it has been open if even PSPACE has a two-prover one-round quantum multi-prover interactive proof system (very recently, Kempe, Kobayashi, Matsumoto, Toner, and Vidick [15] succeeded in proving that the classical two-prover one-round multi-prover interactive proof system for PSPACE in Ref. [8] is sound in a weak sense against any pair of dishonest prior-entangled provers, in that the soundness accepting probability is bounded away from one by an inverse-polynomial; their result is incomparable to ours since ours has a much stronger soundness condition, but both a verifier and honest provers must be quantum, while both of them have only to follow classical protocols in their result).

Finally, it is stressed that our constructions make intensive use of provers’ prior entanglement in a positive sense. In particular, even if the honest provers in the original proof system do not need any prior entanglement at all, the honest provers in the constructed proof system do need prior entanglement in many cases. Most of the properties proved in this paper (Theorem 7 and Corollaries 8, 13, and 15, in particular) are not known to hold when considering only prior-unentangled honest provers, and thus give first evidence that sharing prior entanglement may be advantageous even to honest provers.

2 Preliminaries

We assume the reader is familiar with the quantum formalism, including the quantum circuit model and definitions of mixed quantum states (density operators) and fidelity (all of which are discussed in detail in Refs. [21, 16], for instance). This section summarizes some of the notions and notations that are used in this paper and reviews the model of quantum multi-prover interactive proof systems with introducing the notion of public-coin quantum multi-prover interactive proof systems.

Throughout this paper, let $\mathbb{N}$ and $\mathbb{Z}^+$ denote the sets of positive and nonnegative integers, respectively. In this paper, the dimension of every Hilbert space is a power of two.

For any Hilbert space $\mathcal{H}$, $\mathbf{D}(\mathcal{H})$ denotes the set of density operators over $\mathcal{H}$. The following property on fidelity is often used in this paper.

Lemma 1 ([23, 20]). For any $\rho, \sigma, \xi \in \mathbf{D}(\mathcal{H})$, $F(\rho, \sigma)^2 + F(\sigma, \xi)^2 \leq 1 + F(\rho, \xi)$.

Polynomial-Time Uniformly Generated Families of Quantum Circuits. As in the preceding studies [25, 17, 18], we define quantum interactive proof systems in terms of quantum circuits. In particular, we use the following notion of polynomial-time uniformly generated families of quantum circuits.

A family $\{Q_x\}$ of quantum circuits is polynomial-time uniformly generated if there exists a deterministic procedure that, on every input $x$, outputs a description of $Q_x$ and runs in time polynomial in $|x|$. It is assumed that the circuits in such a family are composed of gates in some reasonable, universal, finite set of quantum gates. Furthermore, it is assumed that the number of gates in any circuit is not more than the length of the description of that circuit. Therefore $Q_x$ must have size polynomial in $|x|$. For convenience, we may identify a circuit $Q_x$ with the unitary operator it induces.

Since non-unitary and unitary quantum circuits are equivalent in computational power [1], it is sufficient to treat only unitary quantum circuits, which justifies the above definition. For avoiding unnecessary complication, however, the descriptions of procedures often include non-unitary operations in the subsequent sections. Even in such cases, it is always possible to construct unitary quantum circuits that essentially achieve the same procedures described.

When proving statements that involve the perfect-completeness property, we assume that our universal gate set satisfies some conditions, since these perfect-completeness properties may not hold with an arbitrary universal gate set. Specifically, when claiming these perfect-completeness properties, we assume that the Hadamard transformation and any classical reversible transformations are exactly implementable in our gate set. Note that this condition is satisfied by most of the standard gate sets including the Shor basis [22] consisting of the Hadamard gate, the controlled-$i$-phase-shift gate, and the Toffoli gate, and thus, the authors believe that our condition is not so restrictive. It is stressed that most of our main statements do hold with an arbitrary choice of the gate set (the completeness and soundness conditions may become worse by negligible amounts in some of the claims, which does not affect the final main statements).

Quantum Multi-Prover Interactive Proof Systems. Here we review the model of quantum multi-prover interactive proof systems introduced in [18] and introduce the new notion of public-coin quantum multi-prover interactive proof systems. Although the term “round” is commonly used in classical multi-prover interactive proofs for describing each set of verifier’s questions and the corresponding provers’ responses, the term “turn” is often used instead of “round” in this paper. One round consists of two turns: the turn for a verifier and the turn for provers.

Let $k$ be the number of provers. A quantum $k$-prover interactive proof system consists of $(k + 1)$ parties: a quantum verifier $V$ and $k$ quantum provers $P_1, \ldots, P_k$. Associated with the quantum $k$-prover interactive proof system are the Hilbert spaces $\mathcal{V}$, $\mathcal{P}_i$, and $\mathcal{M}_i$ for $1 \leq i \leq k$, where $\mathcal{V}$ corresponds to the private space of the verifier $V$, each $\mathcal{P}_i$ corresponds to the private space of the $i$th prover $P_i$, and each $\mathcal{M}_i$ corresponds to the space used for communication between the verifier $V$ and the $i$th prover $P_i$. Note that no communication is allowed between different provers. Without loss of generality, it is assumed that $\mathcal{P}_i$ has the same dimension for each $i$, and so does $\mathcal{M}_i$. For every input of length $n$, each space $\mathcal{V}$, $\mathcal{P}_i$, and $\mathcal{M}_i$ consists of $q_{\mathcal{V}}(n)$, $q_{\mathcal{P}}(n)$, and $q_{\mathcal{M}}(n)$ qubits, respectively, for some polynomially bounded functions $q_{\mathcal{V}}, q_{\mathcal{M}} : \mathbb{Z}^+ \to \mathbb{N}$ and some function $q_{\mathcal{P}} : \mathbb{Z}^+ \to \mathbb{N}$. Accordingly, the entire system consists of $q(n) = q_{\mathcal{V}}(n) + k(q_{\mathcal{M}}(n) + q_{\mathcal{P}}(n))$ qubits. Such a system is called $(q_{\mathcal{V}}, q_{\mathcal{M}}, q_{\mathcal{P}})$-space-bounded, and the associated verifier and provers are called $(q_{\mathcal{V}}, q_{\mathcal{M}})$-space-bounded and $(q_{\mathcal{M}}, q_{\mathcal{P}})$-space-bounded, respectively. One of the private qubits of the verifier is designated as the output qubit.

Formally, an $m$-turn $(q_{\mathcal{V}}, q_{\mathcal{M}})$-space-bounded quantum verifier $V$ for quantum $k$-prover interactive proof systems is a polynomial-time computable mapping of the form $V : \{0, 1\}^* \to \{0, 1\}^*$. For every $n$ and for every input $x \in \{0, 1\}^*$ of length $n$, $V$ uses at most $q_{\mathcal{V}}(n)$ qubits for his private space and at most $q_{\mathcal{M}}(n)$ qubits for communication with each prover. The string $V(x)$ is interpreted as a $\lceil (m(n) + 1)/2 \rceil$-tuple $(V(x)_1, \ldots, V(x)_{\lceil (m(n)+1)/2 \rceil})$, with each $V(x)_j$ a description of a polynomial-time uniformly generated quantum circuit acting on $q_{\mathcal{V}}(n) + k q_{\mathcal{M}}(n)$ qubits.

Similarly, an $m$-turn $(q_{\mathcal{M}}, q_{\mathcal{P}})$-space-bounded quantum prover $P$ is a mapping of the form $P : \{0, 1\}^* \to \{0, 1\}^*$. For every $n$ and for every input $x \in \{0, 1\}^*$ of length $n$, $P$ uses at most $q_{\mathcal{P}}(n)$ qubits for his private space and at most $q_{\mathcal{M}}(n)$ qubits for communication with the verifier. The string $P(x)$ is interpreted as a $\lceil m(n)/2 \rceil$-tuple $(P(x)_1, \ldots, P(x)_{\lceil m(n)/2 \rceil})$, with each $P(x)_j$ a description of a quantum circuit acting on $q_{\mathcal{M}}(n) + q_{\mathcal{P}}(n)$ qubits. No restrictions are placed on the complexity of the mapping $P$ (i.e., each $P(x)_j$ can be an arbitrary unitary transformation).

Given an $m$-turn $(q_{\mathcal{V}}, q_{\mathcal{M}})$-space-bounded quantum verifier $V$, $m$-turn $(q_{\mathcal{M}}, q_{\mathcal{P}})$-space-bounded quantum provers $P_1, \ldots, P_k$, and an input $x$ of length $n$, we define a circuit $(V(x), P_1(x), \ldots, P_k(x))$ acting over $\mathcal{V} \otimes \mathcal{M}_1 \otimes \cdots \otimes \mathcal{M}_k \otimes \mathcal{P}_1 \otimes \cdots \otimes \mathcal{P}_k$ of $q(n)$ qubits as follows. If $m(n)$ is odd, circuits $P_1(x)_1, \ldots, P_k(x)_1$, $V(x)_1$, $\ldots$, $P_1(x)_{(m(n)+1)/2}, \ldots, P_k(x)_{(m(n)+1)/2}$, $V(x)_{(m(n)+1)/2}$ are applied in sequence, each $P_i(x)_j$ to $\mathcal{M}_i \otimes \mathcal{P}_i$, and each $V(x)_j$ to $\mathcal{V} \otimes \mathcal{M}_1 \otimes \cdots \otimes \mathcal{M}_k$. If $m(n)$ is even, circuits $V(x)_1$, $P_1(x)_1, \ldots, P_k(x)_1$, $\ldots$, $V(x)_{m(n)/2}$, $P_1(x)_{m(n)/2}, \ldots, P_k(x)_{m(n)/2}$, $V(x)_{m(n)/2+1}$ are applied in sequence. Note that the order in which the circuits of the provers are applied at each turn does not matter, since the space $\mathcal{M}_i \otimes \mathcal{P}_i$ on which the circuits of the $i$th prover act is separate from that of every other prover.

At any given instant, the state of the entire system is a unit vector in the space $\mathcal{V} \otimes \mathcal{M}_1 \otimes \cdots \otimes \mathcal{M}_k \otimes \mathcal{P}_1 \otimes \cdots \otimes \mathcal{P}_k$. At the beginning of the protocol, the system is in the initial state such that all the qubits in $\mathcal{V} \otimes \mathcal{M}_1 \otimes \cdots \otimes \mathcal{M}_k$ are in state $|0\rangle$. Note that the provers may prepare any kind of prior entanglement in their private spaces. Still it may be assumed without loss of generality that the initial state is a pure state, and thus, that the provers initially prepare some pure state $|\Phi(x)\rangle \in \mathcal{P}_1 \otimes \cdots \otimes \mathcal{P}_k$. This $|\Phi(x)\rangle$ is referred to as the prior-shared state of the provers. Thus the legal initial state may be written as $|\psi_{\mathrm{init}}(x)\rangle = |0\rangle^{\otimes (q_{\mathcal{V}}(n) + k q_{\mathcal{M}}(n))} |\Phi(x)\rangle$ for some $|\Phi(x)\rangle \in \mathcal{P}_1 \otimes \cdots \otimes \mathcal{P}_k$.

Formally, we introduce the notion of state-sharing functions. A state-sharing function $\Phi$ for $k$ quantum provers of $(q_{\mathcal{M}}, q_{\mathcal{P}})$-space-bounded is a mapping of the form $\Phi : \{0, 1\}^* \to \mathcal{P}_1 \otimes \cdots \otimes \mathcal{P}_k$, such that, for every $n$ and for every input $x \in \{0, 1\}^*$ of length $n$, $\Phi(x)$ is a pure quantum state of $k q_{\mathcal{P}}(n)$ qubits in $\mathcal{P}_1 \otimes \cdots \otimes \mathcal{P}_k$. In what follows, $\Phi(x)$ will often be denoted by $|\Phi(x)\rangle$.

For every input $x$ of length $n$, the probability $p_{\mathrm{acc}}(x, V, P_1, \ldots, P_k, \Phi)$ that $(V, P_1, \ldots, P_k)$ accepts $x$ is defined to be the probability that an observation of the output qubit in the $\{|0\rangle, |1\rangle\}$ basis yields $|1\rangle$, after the circuit $(V(x), P_1(x), \ldots, P_k(x))$ is applied to $|\psi_{\mathrm{init}}(x)\rangle = |0\rangle^{\otimes (q_V(n) + k q_M(n))} |\Phi(x)\rangle$. Let $\Pi_{\mathrm{acc}}$ be the projection onto the space consisting of states whose output qubit is in state $|1\rangle$, and let $P(x)_j$ be shorthand for $P_1(x)_j \otimes \cdots \otimes P_k(x)_j$, for $1 \le j \le m(n)/2$. Then,

$$p_{\mathrm{acc}}(x, V, P_1, \ldots, P_k, \Phi) = \left\| \Pi_{\mathrm{acc}} V(x)_{(m(n)+1)/2} P(x)_{(m(n)+1)/2} \cdots V(x)_1 P(x)_1 |\psi_{\mathrm{init}}(x)\rangle \right\|^2$$

if $m(n)$ is odd, and

$$p_{\mathrm{acc}}(x, V, P_1, \ldots, P_k, \Phi) = \left\| \Pi_{\mathrm{acc}} V(x)_{m(n)/2+1} P(x)_{m(n)/2} V(x)_{m(n)/2} \cdots P(x)_1 V(x)_1 |\psi_{\mathrm{init}}(x)\rangle \right\|^2$$

if $m(n)$ is even.

Although $k$, the number of provers, has been treated as a constant so far, the above definition extends naturally to the case in which $k \colon \mathbb{Z}^+ \to \mathbb{N}$ is a function of the input length $n$. In what follows, we treat $k$ as a function. Note that the number of provers that can communicate with the verifier must be bounded by a polynomial in $n$.

Definition 2. Given polynomially bounded functions $k, m \colon \mathbb{Z}^+ \to \mathbb{N}$ and functions $c, s \colon \mathbb{Z}^+ \to [0,1]$, a language $L$ is in $\mathrm{QMIP}(k, m, c, s)$ iff there exist polynomially bounded functions $q_V, q_M \colon \mathbb{Z}^+ \to \mathbb{N}$ and an $m$-turn $(q_V, q_M)$-space-bounded quantum verifier $V$ for quantum $k$-prover interactive proof systems such that, for every $n$ and for every input $x$ of length $n$:

(Completeness) if $x \in L$, there exist a function $q_P \colon \mathbb{Z}^+ \to \mathbb{N}$, a set of $k(n)$ $m$-turn $(q_M, q_P)$-space-bounded quantum provers $P_1, \ldots, P_{k(n)}$, and a state-sharing function $\Phi$ for $k(n)$ $(q_M, q_P)$-space-bounded quantum provers such that $(V, P_1, \ldots, P_{k(n)})$ accepts $x$ with probability at least $c(n)$,

(Soundness) if $x \notin L$, for any function $q_P \colon \mathbb{Z}^+ \to \mathbb{N}$, any set of $k(n)$ $m$-turn $(q_M, q_P)$-space-bounded quantum provers $P_1, \ldots, P_{k(n)}$, and any state-sharing function $\Phi$ for $k(n)$ $(q_M, q_P)$-space-bounded quantum provers, $(V, P_1, \ldots, P_{k(n)})$ accepts $x$ with probability at most $s(n)$.

Next, we introduce the notions of public-coin quantum verifiers for quantum multi-prover interactive proof systems and public-coin quantum multi-prover interactive proof systems. These are natural generalizations of public-coin quantum verifiers and public-coin quantum interactive proof systems in the single-prover case introduced by Marriott and Watrous [19]. Intuitively, a quantum verifier for quantum multi-prover interactive proof systems is public-coin if, at every turn for the verifier, after receiving messages from the provers that are possibly quantum, he first flips a fair classical coin at most polynomially many times, and then simply broadcasts the result of these coin flips to all the provers. No other messages are sent from the verifier to the provers. At the end of the protocol, the verifier applies some quantum operation to the messages received so far, and decides acceptance or rejection.

Formally, an $m$-turn $(q_V, q_M)$-space-bounded quantum verifier $V$ for quantum $k$-prover interactive proof systems is public-coin if $V$ has the following properties for every $n$ and for every input $x \in \{0,1\}^*$ of length $n$. At the $j$th transformation of $V$ for $1 \le j \le m(n)/2$, $V$ first receives at most $q_M(n)$ qubits from each prover, then flips a fair classical coin at most $q_M(n)$ times to generate a random string $r_j$ of length at most $q_M(n)$, and broadcasts $r_j$ to all the provers.

An $m$-turn $(q_V, q_M, q_P)$-space-bounded quantum multi-prover interactive proof system is public-coin if the associated $m$-turn $(q_V, q_M)$-space-bounded quantum verifier is public-coin.

3 QMIP with Perfect Completeness Equals General QMIP

For readability, in what follows, the arguments $x$ and $n$ are dropped from the various functions when no confusion arises. It is assumed that operators acting on subsystems of a given system are extended to the entire system by tensoring with the identity, since it will be clear from context upon what part of a system a given operator acts.

This section proves that any quantum $k$-prover interactive proof system with two-sided bounded error can be transformed into a quantum $k$-prover interactive proof system with one-sided bounded error of perfect completeness, for any $k$.

Theorem 3. Let $k, m \colon \mathbb{Z}^+ \to \mathbb{N}$ be polynomially bounded functions and let $c, s \colon \mathbb{Z}^+ \to [0,1]$ be any functions that satisfy $c - s \ge \frac{1}{p}$ for some polynomially bounded function $p \colon \mathbb{Z}^+ \to \mathbb{N}$. Then, for any polynomially bounded function $p' \colon \mathbb{Z}^+ \to \mathbb{N}$, there exists another polynomially bounded function $m' \colon \mathbb{Z}^+ \to \mathbb{N}$ such that $\mathrm{QMIP}(k, m, c, s) \subseteq \mathrm{QMIP}(k, m', 1, 2^{-p'})$.

First, we introduce the notion of perfectly rewindable quantum multi-prover interactive proof systems.

Definition 4. Given polynomially bounded functions $k, m \colon \mathbb{Z}^+ \to \mathbb{N}$ and a function $s \colon \mathbb{Z}^+ \to [0,1]$ that satisfies $s < \frac{1}{2}$, a language $L$ has a perfectly rewindable $m$-turn quantum $k$-prover interactive proof system with soundness accepting probability at most $s$ iff there exist polynomially bounded functions $q_V, q_M \colon \mathbb{Z}^+ \to \mathbb{N}$ and an $m$-turn $(q_V, q_M)$-space-bounded quantum verifier $V$ for quantum $k$-prover interactive proof systems such that, for every $n$ and for every input $x$ of length $n$:

(Perfect Rewindability) if $x \in L$, there exist a function $q_P \colon \mathbb{Z}^+ \to \mathbb{N}$ and a set of $k(n)$ $m$-turn $(q_M, q_P)$-space-bounded quantum provers $P_1, \ldots, P_{k(n)}$ such that the maximum accepting probability is exactly equal to $\frac{1}{2}$ when $V$ communicates with $P_1, \ldots, P_{k(n)}$, where the maximum is taken over all possible state-sharing functions $\Phi$ for $k(n)$ $(q_M, q_P)$-space-bounded quantum provers,

(Soundness) if $x \notin L$, for any function $q_P \colon \mathbb{Z}^+ \to \mathbb{N}$, any set of $k(n)$ $m$-turn $(q_M, q_P)$-space-bounded quantum provers $P_1, \ldots, P_{k(n)}$, and any state-sharing function $\Phi$ for $k(n)$ $(q_M, q_P)$-space-bounded quantum provers, $(V, P_1, \ldots, P_{k(n)})$ accepts $x$ with probability at most $s(n)$.

We first show how to modify any general quantum multi-prover interactive proof system (with some appropriate conditions on completeness and soundness) into a perfectly rewindable one that involves the same number of provers and the same number of turns. The proof is straightforward and is given in Appendix A.

Lemma 5. Let $k, m \colon \mathbb{Z}^+ \to \mathbb{N}$ be polynomially bounded functions and let $c, s \colon \mathbb{Z}^+ \to [0,1]$ be any functions that satisfy $c \ge \frac{1}{2} > s$. Then, any language $L$ in $\mathrm{QMIP}(k, m, c, s)$ has a perfectly rewindable $m$-turn quantum $k$-prover interactive proof system with soundness accepting probability at most $s$.

Now, we are ready to show the following lemma.

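Lemma 6. Let $k, m \colon \mathbb{Z}^+ \to \mathbb{N}$ be polynomially bounded functions and let $c, s \colon \mathbb{Z}^+ \to [0,1]$ be any functions that satisfy $c \ge \frac{1}{2}$ and $s < \frac{1}{25}$. Then, $\mathrm{QMIP}(k, m, c, s) \subseteq \mathrm{QMIP}\left(k, 3m, 1, \frac{1}{2} + 2\sqrt{s} + \frac{5s}{2}\right)$.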


We first intuitively sketch the proof idea for Lemma 6. For simplicity, assume that the number of provers is two. Without loss of generality, our starting protocol is assumed to be perfectly rewindable with soundness accepting probability being exponentially small (this is easily achieved by sequential repetition and Lemma 5). It is also assumed that our starting protocol involves $2m$ turns.

The basic strategy is to use Watrous's quantum rewinding technique for quantum zero-knowledge in a different way: in our case we use it to "rewind" an unsuccessful computation that would result in rejection into a successful one.

Let $V_1, \ldots, V_{m+1}$ be the transformations of the verifier $V$ in our starting protocol. First notice that, for any input in a language, there are sequences of transformations $P_{1,1}, \ldots, P_{1,m}$ and $P_{2,1}, \ldots, P_{2,m}$ of the first and second provers $P_1$ and $P_2$ such that, if we optimize a state-sharing function for the provers, $V$ accepts the input with probability exactly $\frac{1}{2}$, which is the maximum accepting probability when $V$ communicates with these fixed provers $P_1$ and $P_2$. Let us write $R_j = P_{1,j} \otimes P_{2,j}$ and $U = V_{m+1} R_m V_m \cdots R_1 V_1$ for notational convenience. Then this actually says that the matrix $M = \Pi_{\mathrm{init}} U^\dagger \Pi_{\mathrm{acc}} U \Pi_{\mathrm{init}}$ has maximum eigenvalue exactly $\frac{1}{2}$, and the corresponding eigenvector may be of the form $|\Psi\rangle = |\Phi^*\rangle \otimes |0 \cdots 0\rangle$. Here, $\Pi_{\mathrm{acc}}$ is the projection onto the accepting states in the original protocol, $\Pi_{\mathrm{init}}$ is the projection onto the states in which all the qubits are in state $|0\rangle$ except for those in the private spaces of the provers, and $|\Phi^*\rangle$ is the state initially shared by the provers $P_1$ and $P_2$ when using the optimal state-sharing function.

Now we apply the quantum rewinding technique by performing forward, backward, and forward executions of the protocol in sequence. The perfect completeness property follows from the fact that the initial state $|\Psi\rangle$ is an eigenvector of $M$ with corresponding eigenvalue exactly $\frac{1}{2}$. The problem with this construction lies in the soundness. If the input is a no-instance, the maximum eigenvalue is exponentially small for any matrix $M$ resulting from our starting protocol. This shows that, if dishonest provers are actually "not so dishonest", i.e., if they use the same strategies for all three (forward, backward, and forward) executions of the starting protocol, the accepting probability is still exponentially small. However, a problem arises when dishonest provers change their strategies for some of the three executions. To settle this, we design a simple protocol that tests whether the backward execution is indeed a backward simulation of the first forward execution. The verifier performs the original rewinding protocol or this invertibility test uniformly at random, without revealing which test is being performed. It is obvious that honest provers can always pass this invertibility test, and thus it does not harm the perfect completeness property when the input is a yes-instance. When the input is a no-instance, this forces the provers to use essentially the same strategies for the first two executions of the protocol, which is sufficient to bound the soundness accepting probability.

Now we give a detailed proof.

Proof of Lemma 6. Let $L$ be a language in $\mathrm{QMIP}(k, m, c, s)$. From Lemma 5, $L$ has a perfectly rewindable $m$-turn quantum $k$-prover interactive proof system with soundness accepting probability at most $s$. Let $V$ be the corresponding $m$-turn quantum verifier for the perfectly rewindable quantum $k$-prover interactive proof system for $L$. Let $\mathsf{V}$ be the quantum register consisting of all the qubits in the private space of $V$, and let $\mathsf{M}_i$ be that consisting of all the qubits in the message channel between $V$ and the $i$th prover, for $1 \le i \le k$. For every input $x$, $V$ applies $V_j$ for his $j$th transformation to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, for $1 \le j \le \frac{m}{2} + 1$, and performs the measurement $\Pi = \{\Pi_{\mathrm{acc}}, \Pi_{\mathrm{rej}}\}$ at the end of the original protocol to decide acceptance or rejection. We construct a protocol of a $3m$-turn quantum verifier $W$ of a new quantum $k$-prover interactive proof system for $L$. $W$ will perform one of two tests, which we call the "REWINDING TEST" and the "INVERTIBILITY TEST", without revealing to the provers which test is being performed. For simplicity, in what follows, it is assumed that $m$ is even (the cases in which $m$ is odd can be proved in a similar manner).

For every input $x$, the new verifier $W$ prepares the quantum registers $\mathsf{V}$ and $\mathsf{M}_i$, for $1 \le i \le k$. All the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ are initialized to $|0\rangle$.

Using the first $m$ turns, $W$ attempts to simulate the original protocol, by applying $V_j$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ as his $j$th transformation and sending $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$ and $1 \le j \le \frac{m}{2}$.


At the $(m+1)$-st turn, which is the $\left(\frac{m}{2} + 1\right)$-st transformation of the verifier, $W$ first chooses $b \in \{0, 1\}$ uniformly at random. If $b = 0$, $W$ moves to the REWINDING TEST, while if $b = 1$, $W$ moves to the INVERTIBILITY TEST.

When entering the REWINDING TEST, $W$ applies $V_{\frac{m}{2}+1}$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ and then performs the measurement $\Pi = \{\Pi_{\mathrm{acc}}, \Pi_{\mathrm{rej}}\}$, just as the original verifier $V$ does. If this results in acceptance, $W$ just accepts; otherwise $W$ continues the protocol for another $2m$ turns.

Using the next $m$ turns, $W$ attempts a backward simulation of the original protocol by applying $V^\dagger_{\frac{m}{2}+2-j}$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ as his $\left(\frac{m}{2} + j\right)$-th transformation and sending $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$ and $1 \le j \le \frac{m}{2}$.

At the $(2m+1)$-st turn, which is the $(m+1)$-st transformation of the verifier, $W$ first applies $V_1^\dagger$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Next $W$ performs a controlled-phase-flip controlled by the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$: $W$ multiplies the phase by $-1$ if all the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ are in state $|0\rangle$. $W$ then applies $V_1$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, and sends $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

Finally, using the last $(m-1)$ turns, $W$ attempts a forward simulation of the original protocol by applying $V_j$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ as his $(m+j)$-th transformation and sending $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$ and $2 \le j \le \frac{m}{2}$. At the last transformation of the verifier, $W$ applies $V_{\frac{m}{2}+1}$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, and then performs the measurement $\Pi = \{\Pi_{\mathrm{acc}}, \Pi_{\mathrm{rej}}\}$. $W$ accepts if this results in acceptance, and rejects otherwise.

On the other hand, when entering the INVERTIBILITY TEST, $W$ immediately starts a backward simulation of the original protocol without performing the measurement $\Pi = \{\Pi_{\mathrm{acc}}, \Pi_{\mathrm{rej}}\}$. $W$ applies $V^\dagger_{\frac{m}{2}+2-j}$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ as his $\left(\frac{m}{2} + j\right)$-th transformation and sends $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$ and $1 \le j \le \frac{m}{2}$.

At the $(2m+1)$-st turn, which is the $(m+1)$-st transformation of the verifier, $W$ first applies $V_1^\dagger$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. $W$ accepts if all the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ are in state $|0\rangle$, and rejects otherwise.

The precise description of the protocol of $W$ is given in Figure 1.

For the completeness, suppose that the input x  is in L.

Let $P_i$ be the $m$-turn honest $i$th quantum prover for the original perfectly rewindable proof system, and let $\mathsf{P}_i$ be the quantum register consisting of all the qubits in the private space of $P_i$, for $1 \le i \le k$. Let $P_{i,j}$ be the $j$th transformation of the original $i$th prover $P_i$ on input $x$ in the original protocol, for $1 \le i \le k$ and $1 \le j \le \frac{m}{2}$. Let $\Phi^*$ be any optimal state-sharing function for $k$ quantum provers such that the state $|\Phi^*(x)\rangle$ in $(\mathsf{P}_1, \ldots, \mathsf{P}_k)$ shared by the provers $P_1, \ldots, P_k$ maximizes the accepting probability of $V$ when communicating with these specific provers $P_1, \ldots, P_k$. Note that the accepting probability is exactly equal to $\frac{1}{2}$ when $V$ communicates with the provers $P_1, \ldots, P_k$ who initially share $|\Phi^*(x)\rangle$. In what follows, we write $|\Phi^*\rangle$ for short to denote $|\Phi^*(x)\rangle$.

Let $R_i$ be the honest $i$th quantum prover in the constructed $3m$-turn system, for $1 \le i \le k$. $R_i$ prepares the quantum register $\mathsf{P}_i$ in his private space for $1 \le i \le k$. $R_1, \ldots, R_k$ initially share $|\Phi^*\rangle$ in $(\mathsf{P}_1, \ldots, \mathsf{P}_k)$. At the $j$th transformation of the provers for $1 \le j \le \frac{m}{2}$, each $R_i$ applies $P_{i,j}$ to the qubits in $(\mathsf{M}_i, \mathsf{P}_i)$, for $1 \le i \le k$. At the $\left(\frac{m}{2} + j\right)$-th transformation of the provers for $1 \le j \le \frac{m}{2}$, each $R_i$ applies $P^\dagger_{i, \frac{m}{2}-j+1}$ to the qubits in $(\mathsf{M}_i, \mathsf{P}_i)$, for $1 \le i \le k$. Finally, at the $(m+j)$-th transformation of the provers for $1 \le j \le \frac{m}{2}$, each $R_i$ applies $P_{i,j}$ to the qubits in $(\mathsf{M}_i, \mathsf{P}_i)$, for $1 \le i \le k$.

It is obvious from this construction that the provers $R_1, \ldots, R_k$ can convince $W$ with certainty when $W$ performs the INVERTIBILITY TEST. We show that $R_1, \ldots, R_k$ can convince $W$ with certainty even when $W$ performs the REWINDING TEST. In short, this holds for essentially the same reason that the quantum rewinding technique works well in the case of quantum zero-knowledge proofs.

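For notational convenience, let $P_j = P_{1,j} \otimes \cdots \otimes P_{k,j}$ for $1 \le j \le \frac{m}{2}$, and let $Q = V_{\frac{m}{2}+1} P_{\frac{m}{2}} V_{\frac{m}{2}} \cdots P_1 V_1$. Then the perfect rewindability property of the original proof system essentially implies that the maximum eigenvalue of the Hermitian matrix $M = \Pi_{\mathrm{init}} Q^\dagger \Pi_{\mathrm{acc}} Q \Pi_{\mathrm{init}}$ is exactly equal to $\frac{1}{2}$ and $|\Psi^*\rangle = |0_{\mathcal{V} \otimes \mathcal{M}_1 \otimes \cdots \otimes \mathcal{M}_k}\rangle |\Phi^*\rangle$ is an eigenvector of $M$ corresponding to the eigenvalue $\frac{1}{2}$, where $\Pi_{\mathrm{init}}$ is the projection onto states in which all the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ are in state $|0\rangle$, and $\mathcal{V}$ and each $\mathcal{M}_i$ are the Hilbert spaces corresponding to the registers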


Verifier's Protocol for Achieving Perfect Completeness

1. Prepare quantum registers $\mathsf{V}$ and $\mathsf{M}_i$, for $1 \le i \le k$. Initialize all the qubits in $\mathsf{V}$ and $\mathsf{M}_i$ to state $|0\rangle$, for $1 \le i \le k$. Apply $V_1$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, and send $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

2. For $j = 2$ to $\frac{m}{2}$, do the following:
   Receive $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. Apply $V_j$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, and send $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

3. Receive $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. Choose $b \in \{0, 1\}$ uniformly at random. If $b = 0$, move to the REWINDING TEST described in Step 4, while if $b = 1$, move to the INVERTIBILITY TEST described in Step 5, and do not reveal to the provers which test is being performed.

4. (REWINDING TEST) If $b = 0$, do the following:

   4.1 Apply $V_{\frac{m}{2}+1}$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Accept if the content of $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ corresponds to an accepting state in the original protocol. Otherwise apply $V^\dagger_{\frac{m}{2}+1}$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, and send $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

   4.2 For $j = \frac{m}{2}$ down to $2$, do the following:
       Receive $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. Apply $V_j^\dagger$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, and send $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

   4.3 Receive $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. Apply $V_1^\dagger$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Perform the phase-flip if all the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ are in state $|0\rangle$. Apply $V_1$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, and send $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

   4.4 For $j = 2$ to $\frac{m}{2}$, do the following:
       Receive $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. Apply $V_j$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, and send $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

   4.5 Receive $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. Apply $V_{\frac{m}{2}+1}$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Accept if the content of $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ corresponds to an accepting state in the original protocol, and reject otherwise.

5. (INVERTIBILITY TEST) If $b = 1$, do the following:

   5.1 Send $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

   5.2 For $j = \frac{m}{2}$ down to $2$, do the following:
       Receive $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. Apply $V_j^\dagger$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, and send $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

   5.3 Receive $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. Apply $V_1^\dagger$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Accept if all the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ are in state $|0\rangle$, and reject otherwise.

Figure 1: Verifier's protocol for achieving perfect completeness


$\mathsf{V}$ and $\mathsf{M}_i$, respectively, for each $1 \le i \le k$.

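Define the unnormalized states $|\phi_0\rangle$, $|\phi_1\rangle$, $|\psi_0\rangle$, and $|\psi_1\rangle$ by

$$|\phi_0\rangle = \Pi_{\mathrm{acc}} Q |\Psi^*\rangle, \quad |\phi_1\rangle = \Pi_{\mathrm{rej}} Q |\Psi^*\rangle, \quad |\psi_0\rangle = \Pi_{\mathrm{init}} Q^\dagger |\phi_0\rangle, \quad |\psi_1\rangle = \Pi_{\mathrm{illegal}} Q^\dagger |\phi_0\rangle,$$

where $\Pi_{\mathrm{illegal}} = I_{\mathcal{V} \otimes \mathcal{M}_1 \otimes \cdots \otimes \mathcal{M}_k} - \Pi_{\mathrm{init}}$ is the projection onto states orthogonal to $|0_{\mathcal{V} \otimes \mathcal{M}_1 \otimes \cdots \otimes \mathcal{M}_k}\rangle$.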

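Then, noticing that $|\Psi^*\rangle = \Pi_{\mathrm{init}} |\Psi^*\rangle$, we have

$$|\psi_0\rangle = \Pi_{\mathrm{init}} Q^\dagger \Pi_{\mathrm{acc}} Q |\Psi^*\rangle = \Pi_{\mathrm{init}} Q^\dagger \Pi_{\mathrm{acc}} Q \Pi_{\mathrm{init}} |\Psi^*\rangle = M |\Psi^*\rangle = \frac{1}{2} |\Psi^*\rangle,$$

and thus,

$$Q^\dagger |\phi_1\rangle = Q^\dagger \left(I_{\mathcal{V} \otimes \mathcal{M}_1 \otimes \cdots \otimes \mathcal{M}_k} - \Pi_{\mathrm{acc}}\right) Q |\Psi^*\rangle = |\Psi^*\rangle - Q^\dagger |\phi_0\rangle = 2|\psi_0\rangle - (|\psi_0\rangle + |\psi_1\rangle) = |\psi_0\rangle - |\psi_1\rangle.$$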

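Hence, the state just before the controlled-phase-flip in Step 4.3 when entering the REWINDING TEST is exactly

$$\frac{1}{\| |\phi_1\rangle \|} Q^\dagger |\phi_1\rangle = \frac{1}{\| |\phi_1\rangle \|} (|\psi_0\rangle - |\psi_1\rangle).$$

Since $\Pi_{\mathrm{init}} |\psi_0\rangle = |\psi_0\rangle$ and $\Pi_{\mathrm{init}} |\psi_1\rangle = 0$, the controlled-phase-flip changes the state to

$$-\frac{1}{\| |\phi_1\rangle \|} (|\psi_0\rangle + |\psi_1\rangle) = -\frac{1}{\| |\phi_1\rangle \|} Q^\dagger |\phi_0\rangle.$$

Therefore, the state just after $V_{\frac{m}{2}+1}$ is applied in Step 4.5 is exactly

$$-\frac{1}{\| |\phi_1\rangle \|} Q Q^\dagger |\phi_0\rangle = -\frac{1}{\| |\phi_1\rangle \|} |\phi_0\rangle,$$

and thus, the fact that $\Pi_{\mathrm{acc}} |\phi_0\rangle = |\phi_0\rangle$ implies that the verifier $W$ always accepts in Step 4.5.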

Hence the provers $R_1, \ldots, R_k$ can convince $W$ with certainty even when $W$ performs the REWINDING TEST, and the perfect completeness property follows.
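The completeness calculation above can be checked numerically; the following Python sketch is an added example, not code from the paper. It assumes a constructed toy in which the whole honest execution $Q$ is a rotation of a single verifier qubit controlled by the two provers' private state (the basis, the angles and all function names are choices made here), so that an entangled shared state has eigenvalue exactly $\frac{1}{2}$; it goes beyond the text by also running shared states with other eigenvalues $\lambda$, for which the REWINDING TEST accepts with probability $\lambda + 4\lambda(1-\lambda)^2$.

```python
import math

S = 1 / math.sqrt(2)
ZERO = [0.0, 0.0, 0.0, 0.0]

# Constructed toy, not the paper's protocol: one verifier qubit (initially |0>,
# also the output qubit) and two provers holding one private qubit each.
# BASIS is an orthonormal basis of the provers' space, order |00>,|01>,|10>,|11>.
BASIS = [
    [S, 0.0, 0.0, S],      # entangled state (|00> + |11>)/sqrt(2)
    [S, 0.0, 0.0, -S],     # (|00> - |11>)/sqrt(2)
    [0.0, 1.0, 0.0, 0.0],  # |01>
    [0.0, 0.0, 1.0, 0.0],  # |10>
]
# Q rotates the verifier qubit by THETA[k] when the provers hold BASIS[k], so
# M = Pi_init Q^dagger Pi_acc Q Pi_init has eigenvalue sin^2(THETA[k]) there.
THETA = [math.pi / 4, math.pi / 6, math.pi / 6, 0.0]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def norm2(state):
    return dot(state[0], state[0]) + dot(state[1], state[1])


def apply_q(state, inverse=False):
    """Apply Q or Q^dagger. A state is [block0, block1]: the provers'
    amplitudes for verifier qubit |0> and |1> respectively."""
    out = [list(ZERO), list(ZERO)]
    for u, theta in zip(BASIS, THETA):
        a0, a1 = dot(u, state[0]), dot(u, state[1])
        c, s = math.cos(theta), math.sin(theta)
        if inverse:
            s = -s
        b0, b1 = c * a0 - s * a1, s * a0 + c * a1
        for i in range(4):
            out[0][i] += b0 * u[i]
            out[1][i] += b1 * u[i]
    return out


def proj_acc(state):   # output qubit is |1>
    return [list(ZERO), list(state[1])]


def proj_rej(state):   # output qubit is |0>
    return [list(state[0]), list(ZERO)]


def proj_init(state):  # verifier qubit is |0>; equals proj_rej in this one-qubit toy
    return [list(state[0]), list(ZERO)]


def phase_flip(state):  # Z = I - 2 * Pi_init
    return [[-a for a in state[0]], list(state[1])]


def legal_initial_state(shared):
    return [list(shared), list(ZERO)]


def m_apply(shared):
    """Provers' part of M |0>|shared> (the verifier part is |0>)."""
    state = apply_q(proj_acc(apply_q(legal_initial_state(shared))), inverse=True)
    return proj_init(state)[0]


def rewinding_test(shared):
    """Return (p1, p2): acceptance probability in Step 4.1 and in Step 4.5."""
    forward = apply_q(legal_initial_state(shared))
    p1 = norm2(proj_acc(forward))
    rejected = proj_rej(forward)                       # unnormalized |phi_1>
    rewound = phase_flip(apply_q(rejected, inverse=True))
    p2 = norm2(proj_acc(apply_q(rewound)))
    return p1, p2


def invertibility_test(shared):
    """Acceptance probability in Step 5.3 for honest provers."""
    back = apply_q(apply_q(legal_initial_state(shared)), inverse=True)
    return norm2(proj_init(back))


def acceptance(shared):
    """Overall acceptance probability (p1 + p2 + p3) / 2 of the verifier W."""
    p1, p2 = rewinding_test(shared)
    return 0.5 * (p1 + p2 + invertibility_test(shared))


if __name__ == "__main__":
    samples = [("Bell", BASIS[0]), ("|01>", BASIS[2]), ("|00>", [1.0, 0.0, 0.0, 0.0])]
    for name, shared in samples:
        p1, p2 = rewinding_test(shared)
        print(f"{name:5s} p1={p1:.5f} p2={p2:.5f} p_acc={acceptance(shared):.5f}")
```

Only the shared state whose eigenvalue is exactly $\frac{1}{2}$ reaches acceptance probability 1, which is why the construction starts from a perfectly rewindable system.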

Now for the soundness, suppose that the input x  is not in L.

Let $R_i$ be any $3m$-turn $i$th quantum prover for the constructed proof system, and let $\mathsf{P}_i$ be the quantum register consisting of all the qubits in the private space of $R_i$, for $1 \le i \le k$. Let $\psi$ be any state-sharing function for $k$ quantum provers so that the state $|\psi(x)\rangle$ in $(\mathsf{P}_1, \ldots, \mathsf{P}_k)$ is initially shared by the provers $R_1, \ldots, R_k$. In what follows, we write $|\psi\rangle$ for short to denote $|\psi(x)\rangle$. Suppose that, at the $j$th transformation of the provers for $1 \le j \le \frac{3m}{2}$, each $R_i$ applies $X_{i,j}$ to the qubits in $(\mathsf{M}_i, \mathsf{P}_i)$.

Let $Z$ denote the controlled-phase-flip operator controlled by the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ that multiplies the phase by $-1$ if all the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ are in state $|0\rangle$.

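For notational convenience, let $X_j = X_{1,j} \otimes \cdots \otimes X_{k,j}$ for $1 \le j \le \frac{3m}{2}$, and let

$$U_1 = X_{\frac{m}{2}} V_{\frac{m}{2}} \cdots X_2 V_2 X_1 V_1,$$

$$U_2 = V_1^\dagger X_m \cdots V^\dagger_{\frac{m}{2}-1} X_{\frac{m}{2}+2} V^\dagger_{\frac{m}{2}} X_{\frac{m}{2}+1},$$

$$U_3 = X_{\frac{3m}{2}} V_{\frac{m}{2}} \cdots X_{m+2} V_2 X_{m+1} V_1.$$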

There are three cases of acceptance in the constructed protocol.

In the first case, the verifier $W$ performs the REWINDING TEST and accepts in Step 4.1. This probability of acceptance is given by $\frac{p_1}{2}$, where

$$p_1 = \left\| \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_1 |\psi\rangle \right\|^2.$$


In the second case, the verifier $W$ performs the REWINDING TEST and accepts in Step 4.5. This probability of acceptance is given by $\frac{p_2}{2}$, where

$$p_2 = \left\| \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z U_2 V^\dagger_{\frac{m}{2}+1} \Pi_{\mathrm{rej}} V_{\frac{m}{2}+1} U_1 |\psi\rangle \right\|^2.$$

Finally, in the third case, the verifier $W$ performs the INVERTIBILITY TEST and accepts in Step 5.3. This probability of acceptance is given by $\frac{p_3}{2}$, where

$$p_3 = \left\| \Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle \right\|^2.$$

Then the probability $p_{\mathrm{acc}}$ that $W$ accepts $x$ when communicating with $R_1, \ldots, R_k$ is given by $p_{\mathrm{acc}} = \frac{1}{2}(p_1 + p_2 + p_3)$. From the soundness condition of the original protocol, it is obvious that $p_1 \le s$. We shall show that $p_2 \le 1 + 4\sqrt{s} + 4s - p_3$. This implies that $p_{\mathrm{acc}} \le \frac{1}{2} + 2\sqrt{s} + \frac{5s}{2}$, and the soundness condition follows.

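Using the triangle inequality, we have that

$$\begin{aligned}
&\left\| \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z U_2 V^\dagger_{\frac{m}{2}+1} \Pi_{\mathrm{rej}} V_{\frac{m}{2}+1} U_1 |\psi\rangle \right\| \\
&\quad \le \left\| \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z U_2 V^\dagger_{\frac{m}{2}+1} \Pi_{\mathrm{rej}} V_{\frac{m}{2}+1} U_1 |\psi\rangle - \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z U_2 U_1 |\psi\rangle \right\| \\
&\qquad + \left\| \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z U_2 U_1 |\psi\rangle - \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z \Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle \right\| \\
&\qquad + \left\| \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z \Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle \right\|.
\end{aligned} \tag{1}$$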

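The first term of Eq. (1) can be bounded from above as follows:

$$\begin{aligned}
&\left\| \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z U_2 V^\dagger_{\frac{m}{2}+1} \Pi_{\mathrm{rej}} V_{\frac{m}{2}+1} U_1 |\psi\rangle - \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z U_2 U_1 |\psi\rangle \right\| \\
&\quad \le \left\| V_{\frac{m}{2}+1} U_3 Z U_2 V^\dagger_{\frac{m}{2}+1} \Pi_{\mathrm{rej}} V_{\frac{m}{2}+1} U_1 |\psi\rangle - V_{\frac{m}{2}+1} U_3 Z U_2 U_1 |\psi\rangle \right\| \\
&\quad = \left\| V^\dagger_{\frac{m}{2}+1} \Pi_{\mathrm{rej}} V_{\frac{m}{2}+1} U_1 |\psi\rangle - U_1 |\psi\rangle \right\| = \left\| \Pi_{\mathrm{rej}} V_{\frac{m}{2}+1} U_1 |\psi\rangle - V_{\frac{m}{2}+1} U_1 |\psi\rangle \right\| \\
&\quad = \left\| -\Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_1 |\psi\rangle \right\| = \left\| \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_1 |\psi\rangle \right\| = \sqrt{p_1} \le \sqrt{s}.
\end{aligned}$$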

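The second term of Eq. (1) can be bounded from above as follows:

$$\begin{aligned}
&\left\| \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z U_2 U_1 |\psi\rangle - \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z \Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle \right\| \\
&\quad \le \left\| V_{\frac{m}{2}+1} U_3 Z U_2 U_1 |\psi\rangle - V_{\frac{m}{2}+1} U_3 Z \Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle \right\| \\
&\quad = \left\| U_2 U_1 |\psi\rangle - \Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle \right\| = \left\| \Pi_{\mathrm{illegal}} U_2 U_1 |\psi\rangle \right\| = \sqrt{1 - p_3}.
\end{aligned}$$

Here the last equality comes from the facts that $U_2 U_1 |\psi\rangle = \Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle + \Pi_{\mathrm{illegal}} U_2 U_1 |\psi\rangle$ is a unit vector, that $\Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle$ and $\Pi_{\mathrm{illegal}} U_2 U_1 |\psi\rangle$ are orthogonal, and that $\left\| \Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle \right\|^2 = p_3$.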

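Finally, since $\Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle$ is an unnormalized state parallel to some legal initial state and $Z \Pi_{\mathrm{init}} = -\Pi_{\mathrm{init}}$ from the definitions of $Z$ and $\Pi_{\mathrm{init}}$, the third term of Eq. (1) can be bounded as follows by using the soundness condition of the original protocol:

$$\left\| \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z \Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle \right\| = \left\| -\Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 \Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle \right\| = \left\| \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 \Pi_{\mathrm{init}} U_2 U_1 |\psi\rangle \right\| \le \sqrt{s}.$$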

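Putting things together, we have

$$\begin{aligned}
p_2 &= \left\| \Pi_{\mathrm{acc}} V_{\frac{m}{2}+1} U_3 Z U_2 V^\dagger_{\frac{m}{2}+1} \Pi_{\mathrm{rej}} V_{\frac{m}{2}+1} U_1 |\psi\rangle \right\|^2 \\
&\le \left(2\sqrt{s} + \sqrt{1 - p_3}\right)^2 = 1 + 4\sqrt{s(1 - p_3)} + 4s - p_3 \le 1 + 4\sqrt{s} + 4s - p_3,
\end{aligned}$$

as desired.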

Theorem 3 follows immediately from Lemma 6 by appropriately applying sequential repetition.


4 Parallelization of Quantum Multi-Prover Interactive Proof Systems

This section proves that any quantum k-prover interactive proof system that involves polynomially many turns can

be parallelized to one that involves only one round (i.e., two turns) by just adding one more prover, in which the

gap between completeness and soundness accepting probabilities is still bounded by an inverse-polynomial.

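Theorem 7. Let $k, m \colon \mathbb{Z}^+ \to \mathbb{N}$ be polynomially bounded functions and let $c, s \colon \mathbb{Z}^+ \to [0,1]$ be any functions that satisfy $c - s \ge \frac{1}{p}$ for some polynomially bounded function $p \colon \mathbb{Z}^+ \to \mathbb{N}$. Then, there exists another polynomially bounded function $p' \colon \mathbb{Z}^+ \to \mathbb{N}$ such that $\mathrm{QMIP}(k, m, c, s) \subseteq \mathrm{QMIP}\left(k + 1, 2, 1, 1 - \frac{1}{p'}\right)$.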

It is easy to see that we can amplify the success probability without increasing the number of rounds (turns)

by running multiple attempts of a protocol in parallel using a different set of provers for every attempt. Hence,

Theorem 7 implies that   one-round  quantum multi-prover interactive proofs are as powerful as general quantum

multi-prover interactive proofs.

Corollary 8. Let $k, m \colon \mathbb{Z}^+ \to \mathbb{N}$ be polynomially bounded functions and let $c, s \colon \mathbb{Z}^+ \to [0,1]$ be any functions that satisfy $c - s \ge \frac{1}{p}$ for some polynomially bounded function $p \colon \mathbb{Z}^+ \to \mathbb{N}$. Then, for any polynomially bounded function $p' \colon \mathbb{Z}^+ \to \mathbb{N}$, there exists another polynomially bounded function $k' \colon \mathbb{Z}^+ \to \mathbb{N}$ such that $\mathrm{QMIP}(k, m, c, s) \subseteq \mathrm{QMIP}(k', 2, 1, 2^{-p'})$.

The proof of Theorem 7 basically consists of three parts.

The first part is a pre-processing that converts any quantum $k$-prover interactive proof system with two-sided bounded error into a quantum $k$-prover interactive proof system with one-sided bounded error of perfect completeness, which has already been proved in the previous section.

The second part proves that any $(2^l + 1)$-turn quantum $k$-prover interactive proof system with two-sided bounded error can be converted into a $(2^{l-1} + 1)$-turn quantum $k$-prover interactive proof system with two-sided bounded error, in which the gap between the completeness and soundness accepting probabilities decreases, but is still bounded by an inverse-polynomial if the gap in the original proof system is sufficiently large. By repeatedly applying this modification together with appropriate use of sequential repetition as a preprocessing, we can convert any $m$-turn quantum $k$-prover interactive proof system into a three-turn quantum $k$-prover interactive proof system in which the gap between the completeness and soundness accepting probabilities is bounded by an inverse-polynomial. If $k = 1$, this gives a simpler proof of the parallelization theorem due to Kitaev and Watrous [17] for single-prover quantum interactive proofs.

Now the third part proves that any three-turn quantum $k$-prover interactive proof system with sufficiently large gap between the completeness and soundness accepting probabilities can be converted into a two-turn quantum $(k+1)$-prover interactive proof system, in which the gap between the completeness and soundness accepting probabilities is bounded by an inverse-polynomial. Although there is a direct proof for this, as will be shown in Appendix C, we will take a detour by proving (i) any three-turn quantum $k$-prover interactive proof system with sufficiently large gap between the completeness and soundness accepting probabilities can be modified to a three-turn public-coin quantum $k$-prover interactive proof system in which the gap between the completeness and soundness accepting probabilities is bounded by an inverse-polynomial, and (ii) any three-turn public-coin quantum $k$-prover interactive proof system can be converted into a two-turn quantum $(k+1)$-prover interactive proof system without changing the completeness and soundness accepting probabilities. It follows from property (i) that, for any polynomially bounded $k$, public-coin quantum $k$-prover interactive proofs are as powerful as general quantum $k$-prover interactive proofs. Property (ii) for the case $k = 1$ shows that any language in $\mathrm{QIP}$, in particular in $\mathrm{PSPACE}$, has a two-prover one-round (i.e., two-turn) quantum interactive proof system of perfect completeness with exponentially small error in soundness. Notice that the direct proof also shows the slightly weaker claim that any language in $\mathrm{QIP}$ has a two-prover one-round quantum interactive proof system of perfect completeness, but with soundness accepting probability bounded only by a value exponentially close to $\frac{1}{2}$. This is indeed weaker than what we can show with the detour, since it is not known how to amplify the success probability of quantum multi-prover interactive proofs without increasing either the number of provers or the number of turns.

4.1 Parallelizing to Three Turns

This subsection shows the first part of the proof of Theorem 7. We first show the following lemma, which states that any $(2^l + 1)$-turn quantum $k$-prover interactive proof system with sufficiently small two-sided bounded error can be converted into a $(2^{l-1} + 1)$-turn quantum $k$-prover interactive proof system with two-sided bounded error. The idea is that the verifier first receives the snapshot state after the $(2^{l-1} + 1)$-st turn of the original system, and then executes a forward-simulation of the original system from the $(2^{l-1} + 1)$-st turn with probability $\frac{1}{2}$ and a backward-simulation of the original system from the $(2^{l-1} + 1)$-st turn with probability $\frac{1}{2}$.

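Lemma 9. Let $k \colon \mathbb{Z}^+ \to \mathbb{N}$ be a polynomially bounded function, let $l \colon \mathbb{Z}^+ \to \mathbb{N}$ be a function such that $4 \le 2^l \le p$ for some polynomially bounded function $p \colon \mathbb{Z}^+ \to \mathbb{N}$, and let $\varepsilon, \delta \colon \mathbb{Z}^+ \to [0,1]$ be any functions that satisfy $\delta > 1 - (1 - \varepsilon)^2$. Then, $\mathrm{QMIP}(k, 2^l + 1, 1 - \varepsilon, 1 - \delta) \subseteq \mathrm{QMIP}\left(k, 2^{l-1} + 1, 1 - \frac{\varepsilon}{2}, \frac{1}{2} + \frac{\sqrt{1 - \delta}}{2}\right)$.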

Proof. Let $L$ be a language in $\mathrm{QMIP}(k, 2^l + 1, 1 - \varepsilon, 1 - \delta)$ and let $V$ be the corresponding $(2^l + 1)$-turn quantum verifier for the quantum $k$-prover interactive proof system for $L$. Let $\mathsf{V}$ be the quantum register consisting of all the qubits in the private space of $V$, and let $\mathsf{M}_i$ be that consisting of all the qubits in the message channel between $V$ and the $i$th prover, for $1 \le i \le k$. For every input $x$, $V$ applies $V_j$ for his $j$th transformation on the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, for $1 \le j \le 2^{l-1} + 1$, and performs the measurement $\Pi = \{\Pi_{\mathrm{acc}}, \Pi_{\mathrm{rej}}\}$ at the end of the original protocol to decide acceptance or rejection. We construct a protocol of a $(2^{l-1} + 1)$-turn quantum verifier $W$ of the new quantum $k$-prover interactive proof system for $L$.

For every input $x$, at the first turn the new verifier $W$ receives quantum registers $\mathsf{V}$ and $\mathsf{M}_i$ for $1 \le i \le k$, where $\mathsf{V}$ is sent from the first prover and each $\mathsf{M}_i$ is sent from the $i$th prover. $W$ expects that the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ form the quantum state the original $(2^l + 1)$-turn verifier $V$ would possess just after the $(2^{l-1} + 1)$-st turn (i.e., just after the $(2^{l-2} + 1)$-st transformations of the provers) of the original protocol.

Now $W$ chooses $b \in \{0, 1\}$ uniformly at random. If $b = 0$, $W$ starts a forward-simulation of the original proof system from the $(2^{l-1} + 1)$-st turn, and $W$ accepts if and only if the simulation results in acceptance in the original proof system. On the other hand, if $b = 1$, $W$ starts a backward-simulation of the original proof system from the $(2^{l-1} + 1)$-st turn, and $W$ accepts if and only if all the qubits in $\mathsf{V}$ are in state $|0\rangle$ after the simulation (here recall that $2^l + 1$ is odd, and thus the first turn is done by provers in the original proof system). Thus the constructed system has $2^{l-1} + 1$ turns.

The precise description of the protocol of  W  is found in Figure 2.

First suppose that the input x  is in L.

Let $P_i$ be the $(2^l + 1)$-turn honest quantum prover for the original proof system, and let $\mathsf{P}_i$ be the quantum register consisting of all the qubits in the private space of $P_i$, for $1 \le i \le k$. Let $|\Phi\rangle$ be a quantum state in $(\mathsf{P}_1, \ldots, \mathsf{P}_k)$ such that, if $P_1, \ldots, P_k$ initially share $|\Phi\rangle$, they can convince $V$ with probability at least $1 - \varepsilon$ in the original proof system. Let $|\psi_{2^{l-1}+1}\rangle$ be the quantum state in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{P}_1, \ldots, \mathsf{P}_k)$ just after the $(2^{l-1} + 1)$-st turn (i.e., just after the $(2^{l-2} + 1)$-st transformations of the provers) of the original protocol if $V$ communicates with the provers $P_1, \ldots, P_k$ who initially share $|\Phi\rangle$ in their private spaces.

Let $R_i$ be the honest $i$th prover in the constructed $(2^{l-1} + 1)$-turn system, for $1 \le i \le k$. In addition to the registers $\mathsf{V}$ and $\mathsf{M}_1$, $R_1$ prepares the quantum register $\mathsf{P}_1$ in his private space. Similarly, in addition to $\mathsf{M}_i$, $R_i$ prepares the quantum register $\mathsf{P}_i$ in his private space for $2 \le i \le k$. $R_1, \ldots, R_k$ initially share $|\psi_{2^{l-1}+1}\rangle$ in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{P}_1, \ldots, \mathsf{P}_k)$. At the first turn of the constructed protocol, $R_1$ sends $\mathsf{V}$ and $\mathsf{M}_1$ to $W$, while each $R_i$, $2 \le i \le k$, sends $\mathsf{M}_i$ to $W$.

If $b = 0$, at the $t$th transformation of the provers for $2 \le t \le 2^{l-2} + 1$, each $R_i$ applies $P_{i,2^{l-2}+t}$ to the qubits in $(\mathsf{M}_i, \mathsf{P}_i)$, while if $b = 1$, at the $t$th transformation of the provers for $2 \le t \le 2^{l-2} + 1$, each $R_i$ applies $P^\dagger_{i,2^{l-2}-t+3}$


Verifier's Protocol to Reduce the Number of Turns by Half

1. Receive quantum registers $\mathsf{V}$ from the first prover and $\mathsf{M}_i$ from the $i$th prover for $1 \le i \le k$.

2. Choose $b \in \{0, 1\}$ uniformly at random.

3. If $b = 0$, execute a forward-simulation of the original protocol as follows:

   3.1 Apply $V_{2^{l-2}+1}$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Send $b$ and the qubits in $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

   3.2 For $j = 2^{l-2} + 2$ to $2^{l-1}$, do the following: Receive a quantum register $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. Apply $V_j$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Send the qubits in $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

   3.3 Receive a quantum register $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. Apply $V_{2^{l-1}+1}$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Accept if the content of $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ is an accepting state of the original protocol, and reject otherwise.

4. If $b = 1$, execute a backward-simulation of the original protocol as follows:

   4.1 Send $b$ and the qubits in $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

   4.2 For $j = 2^{l-2}$ down to $2$, do the following: Receive a quantum register $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. Apply $V_j^\dagger$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Send the qubits in $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$.

   4.3 Receive a quantum register $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. Apply $V_1^\dagger$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Accept if all the qubits in $\mathsf{V}$ are in state $|0\rangle$, and reject otherwise.

Figure 2: Verifier's protocol to reduce the number of turns by half.


to the qubits in $(\mathsf{M}_i, \mathsf{P}_i)$, for $1 \le i \le k$, where each $P_{i,j}$ is the $j$th transformation of the original $i$th prover $P_i$ on input $x$ in the original protocol, for $1 \le j \le 2^{l-1} + 1$.

It is obvious that the provers $R_1, \ldots, R_k$ can convince $W$ with probability at least $1 - \varepsilon$ if $b = 0$, and with certainty if $b = 1$. Hence, $W$ accepts every input $x \in L$ with probability at least $1 - \frac{\varepsilon}{2}$.

Now suppose that the input  x  is not in L.

Let $R_i$ be any $(2^{l-1} + 1)$-turn $i$th quantum prover for the constructed proof system, for $1 \le i \le k$. Let $|\psi\rangle$ be an arbitrary quantum state that represents the state just after the first transformations of the provers $R_1, \ldots, R_k$ in the constructed system. Suppose that, at the $t$th transformation of the provers for $2 \le t \le 2^{l-2} + 1$, each $R_i$ applies $X_{i,t}$ if $b = 0$ and $Y_{i,t}$ if $b = 1$, for $1 \le i \le k$, and write $X_t = X_{1,t} \otimes \cdots \otimes X_{k,t}$ and $Y_t = Y_{1,t} \otimes \cdots \otimes Y_{k,t}$.

Define unitary transformations $U_0$ and $U_1$ by

$$U_0 = V_{2^{l-1}+1} X_{2^{l-2}+1} V_{2^{l-1}} \cdots X_2 V_{2^{l-2}+1}, \qquad U_1 = V_1^\dagger Y_{2^{l-2}+1} \cdots V_{2^{l-2}}^\dagger Y_2,$$

and let

$$|\alpha\rangle = \frac{1}{\|\Pi_{\mathrm{acc}} U_0 |\psi\rangle\|} \Pi_{\mathrm{acc}} U_0 |\psi\rangle \quad\text{and}\quad |\beta\rangle = \frac{1}{\|\Pi_{\mathrm{init}} U_1 |\psi\rangle\|} \Pi_{\mathrm{init}} U_1 |\psi\rangle,$$

where $\Pi_{\mathrm{acc}}$ is the projection onto accepting states in the original protocol and $\Pi_{\mathrm{init}}$ is the projection onto states in which all the qubits in $\mathsf{V}$ are in state $|0\rangle$.

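Then we have

$$\|\Pi_{\mathrm{acc}} U_0 |\psi\rangle\| = \frac{1}{\|\Pi_{\mathrm{acc}} U_0 |\psi\rangle\|} \langle\psi| U_0^\dagger \Pi_{\mathrm{acc}} U_0 |\psi\rangle = F\left(|\alpha\rangle\langle\alpha|,\, U_0 |\psi\rangle\langle\psi| U_0^\dagger\right) = F\left(U_0^\dagger |\alpha\rangle\langle\alpha| U_0,\, |\psi\rangle\langle\psi|\right),$$

and thus, the probability $p_0$ of acceptance when $b = 0$ is given by $p_0 = F\left(U_0^\dagger |\alpha\rangle\langle\alpha| U_0, |\psi\rangle\langle\psi|\right)^2$. Similarly, the probability $p_1$ of acceptance when $b = 1$ is given by $p_1 = F\left(U_1^\dagger |\beta\rangle\langle\beta| U_1, |\psi\rangle\langle\psi|\right)^2$. Hence the probability $p_{\mathrm{acc}}$ that $W$ accepts $x$ when communicating with $R_1, \ldots, R_k$ is given by

$$p_{\mathrm{acc}} = \frac{1}{2}(p_0 + p_1) = \frac{1}{2}\left(F\left(U_0^\dagger |\alpha\rangle\langle\alpha| U_0, |\psi\rangle\langle\psi|\right)^2 + F\left(U_1^\dagger |\beta\rangle\langle\beta| U_1, |\psi\rangle\langle\psi|\right)^2\right).$$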

Therefore, from Lemma 1, we have

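$$p_{\mathrm{acc}} \le \frac{1}{2}\left(1 + F\left(U_0^\dagger |\alpha\rangle\langle\alpha| U_0,\, U_1^\dagger |\beta\rangle\langle\beta| U_1\right)\right) = \frac{1}{2}\left(1 + F\left(|\alpha\rangle\langle\alpha|,\, U_0 U_1^\dagger |\beta\rangle\langle\beta| U_1 U_0^\dagger\right)\right).$$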

Noticing that $\Pi_{\mathrm{init}} |\beta\rangle = |\beta\rangle$, $|\beta\rangle$ is a legal quantum state just after the first transformations of the provers in the original protocol. Hence, from the property of the original protocol,

$$\|\Pi_{\mathrm{acc}} U_0 U_1^\dagger |\beta\rangle\|^2 = \|\Pi_{\mathrm{acc}} V_{2^{l-1}+1} X_{2^{l-2}+1} V_{2^{l-1}} \cdots X_2 V_{2^{l-2}+1} Y_2^\dagger V_{2^{l-2}} \cdots Y_{2^{l-2}+1}^\dagger V_1 |\beta\rangle\|^2 \le 1 - \delta,$$

since $V_1, Y_{2^{l-2}+1}^\dagger, \ldots, V_{2^{l-2}}, Y_2^\dagger, V_{2^{l-2}+1}, X_2, \ldots, V_{2^{l-1}}, X_{2^{l-2}+1}, V_{2^{l-1}+1}$ form a legal sequence of transformations in the original protocol.

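Now, from the fact that $\Pi_{\mathrm{acc}} |\alpha\rangle = |\alpha\rangle$, we have

$$F\left(|\alpha\rangle\langle\alpha|,\, U_0 U_1^\dagger |\beta\rangle\langle\beta| U_1 U_0^\dagger\right) = \left|\langle\alpha| U_0 U_1^\dagger |\beta\rangle\right| = \left|\langle\alpha| \Pi_{\mathrm{acc}} U_0 U_1^\dagger |\beta\rangle\right| \le \|\Pi_{\mathrm{acc}} U_0 U_1^\dagger |\beta\rangle\| \le \sqrt{1 - \delta}.$$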

Hence the probability $p_{\mathrm{acc}}$ that $W$ accepts $x$ is bounded by $p_{\mathrm{acc}} \le \frac{1}{2} + \frac{\sqrt{1 - \delta}}{2}$, which completes the proof.
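Added example (not part of the paper): for pure states the fidelity is $F = |\langle a|b\rangle|$, so the Lemma 1 step in the proof reads $\frac{1}{2}(|\langle a|\psi\rangle|^2 + |\langle b|\psi\rangle|^2) \le \frac{1}{2}(1 + |\langle a|b\rangle|)$. The Python code below checks this inequality on random states and shows that it is attained by the state bisecting $a$ and $b$; here $a$ and $b$ stand in for $U_0^\dagger|\alpha\rangle$ and $U_1^\dagger|\beta\rangle$ and are treated as fixed vectors, which is an assumption of the example, and all function names are hypothetical.

```python
import math
import random


def inner(u, v):
    """Inner product <u|v>, conjugate-linear in the first argument."""
    return sum(x.conjugate() * y for x, y in zip(u, v))


def normalize(v):
    norm = math.sqrt(sum(abs(x) ** 2 for x in v))
    return [x / norm for x in v]


def random_state(dim, rng):
    """Random pure state with Gaussian amplitudes (constructed test input)."""
    return normalize([complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(dim)])


def pair_with_overlap(r):
    """Two unit vectors in C^2 with |<a|b>| = r, for 0 <= r <= 1 (constructed)."""
    return [1 + 0j, 0j], [complex(r), complex(math.sqrt(1 - r * r))]


def accept_probability(a, b, psi):
    """p_acc = (F(a, psi)^2 + F(b, psi)^2) / 2 for pure states."""
    return 0.5 * (abs(inner(a, psi)) ** 2 + abs(inner(b, psi)) ** 2)


def lemma1_bound(a, b):
    """Right-hand side (1 + F(a, b)) / 2 of the Lemma 1 step."""
    return 0.5 * (1 + abs(inner(a, b)))


def best_snapshot(a, b):
    """State maximizing accept_probability: a + c*b with c chosen so c<a|b> = |<a|b>|."""
    overlap = inner(a, b)
    phase = overlap.conjugate() / abs(overlap) if abs(overlap) > 1e-12 else 1.0
    return normalize([x + phase * y for x, y in zip(a, b)])


def soundness_bound(delta):
    """Soundness of the halved protocol in Lemma 9: 1/2 + sqrt(1 - delta)/2."""
    return 0.5 + math.sqrt(1 - delta) / 2


def max_violation(trials=500, dim=4, seed=1):
    """Largest value of p_acc minus the bound over random (a, b, psi); never positive."""
    rng = random.Random(seed)
    worst = -1.0
    for _ in range(trials):
        a, b, psi = (random_state(dim, rng) for _ in range(3))
        worst = max(worst, accept_probability(a, b, psi) - lemma1_bound(a, b))
    return worst


def max_attainment_gap(trials=200, dim=4, seed=2):
    """Largest distance between the bound and p_acc at the bisecting state."""
    rng = random.Random(seed)
    gap = 0.0
    for _ in range(trials):
        a, b = random_state(dim, rng), random_state(dim, rng)
        p = accept_probability(a, b, best_snapshot(a, b))
        gap = max(gap, abs(p - lemma1_bound(a, b)))
    return gap


if __name__ == "__main__":
    delta = 0.36  # constructed value: overlap sqrt(1 - delta) = 0.8
    a, b = pair_with_overlap(math.sqrt(1 - delta))
    p = accept_probability(a, b, best_snapshot(a, b))
    print("max violation on random states:", max_violation())
    print("p_acc at the bisecting state:", p, "bound:", soundness_bound(delta))
```

With overlap exactly $\sqrt{1-\delta}$ the bisecting state reaches $\frac{1}{2} + \frac{\sqrt{1-\delta}}{2}$, so the Lemma 1 step itself loses nothing.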

Now, by repeatedly applying the modification in the proof of Lemma 9, we have the following theorem. The

proof is mostly straightforward, but involves a careful analysis of the efficiency of the modification in the proof of 

Lemma 9, since the modification is repeatedly applied logarithmically many times.

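Theorem 10. Let $k, m \colon \mathbb{Z}^+ \to \mathbb{N}$ be polynomially bounded functions and let $\varepsilon, \delta \colon \mathbb{Z}^+ \to [0, 1]$ be any functions such that $m \ge 4$ and $\delta > 2(m - 1)\varepsilon$. Then,

$$\mathrm{QMIP}(k, m, 1 - \varepsilon, 1 - \delta) \subseteq \mathrm{QMIP}\left(k, 3, 1 - \frac{2\varepsilon}{m-1}, 1 - \frac{\delta}{(m-1)^2}\right).$$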


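Proof. Let $l \colon \mathbb{Z}^+ \to \mathbb{N}$ be a function such that $2^l + 1 \le m \le 2^{l+1} + 1$.

It is trivial that $\mathrm{QMIP}(k, m, 1 - \varepsilon, 1 - \delta) \subseteq \mathrm{QMIP}(k, 2^{l+1} + 1, 1 - \varepsilon, 1 - \delta)$, and we show that

$$\mathrm{QMIP}(k, 2^{l+1} + 1, 1 - \varepsilon, 1 - \delta) \subseteq \mathrm{QMIP}\left(k, 3, 1 - \frac{2\varepsilon}{m-1}, 1 - \frac{\delta}{(m-1)^2}\right).$$

Consider a language in $\mathrm{QMIP}(k, 2^{l+1} + 1, 1 - \varepsilon, 1 - \delta)$ and let $V^{(0)}$ be the corresponding $(2^{l+1} + 1)$-turn quantum verifier for quantum $k$-prover interactive proof systems.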

For every $x$, given a description of $V^{(0)}(x)$, one can compute in time polynomial in $|x|$ a description $V^{(1)}(x)$ of a $(2^l + 1)$-turn quantum verifier $V^{(1)}$ for quantum $k$-prover interactive proof systems by applying the modification in the proof of Lemma 9. The resulting proof system has completeness accepting probability at least $1 - \frac{\varepsilon}{2}$ and the soundness accepting probability at most $\frac{1}{2} + \frac{\sqrt{1 - \delta}}{2} \le 1 - \frac{\delta}{4}$. Furthermore, the description of $V^{(1)}(x)$ may be at most some constant times the size of $V^{(0)}(x)$ plus an amount bounded by a polynomial in $|x|$.

Now, for every $x$, it is obvious that, given a description of $V^{(0)}(x)$, one can compute in time polynomial in $|x|$ a description $V^{(l)}(x)$ of a three-turn quantum verifier $V^{(l)}$ for quantum $k$-prover interactive proof systems by repeatedly applying the modification in the proof of Lemma 9 $l$ times. The resulting proof system has completeness accepting probability at least $1 - \frac{\varepsilon}{2^l} \ge 1 - \frac{2\varepsilon}{m-1}$ and the soundness accepting probability at most $1 - \frac{\delta}{4^l} \le 1 - \frac{\delta}{(m-1)^2}$, as desired.
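Added example (not part of the paper): the Python code below tracks the completeness error and the soundness gap through the $l$ applications of Lemma 9 used in this proof, checking the Lemma 9 precondition $\delta > 1 - (1 - \varepsilon)^2$ before every halving and returning the stated Theorem 10 bounds for comparison. Function names and the sample parameters are constructed for the illustration.

```python
import math


def lemma9_step(eps, delta):
    """One application of Lemma 9: (eps, delta) for 2^l + 1 turns
    becomes (eps', delta') for 2^(l-1) + 1 turns."""
    if not delta > 1 - (1 - eps) ** 2:
        raise ValueError("Lemma 9 requires delta > 1 - (1 - eps)^2")
    new_eps = eps / 2
    # New soundness is 1/2 + sqrt(1 - delta)/2, so the new gap is 1 minus that.
    new_delta = (1 - math.sqrt(1 - delta)) / 2
    return new_eps, new_delta


def rounds_needed(m):
    """Smallest l with m <= 2^(l+1) + 1; for m >= 4 it also gives 2^l + 1 <= m."""
    return (m - 2).bit_length() - 1


def parallelize_to_three_turns(m, eps, delta):
    """Return the list of (turns, eps, delta) after each halving,
    starting from the padded (2^(l+1) + 1)-turn system."""
    if m < 4 or not delta > 2 * (m - 1) * eps:
        raise ValueError("Theorem 10 requires m >= 4 and delta > 2(m - 1)eps")
    l = rounds_needed(m)
    turns = 2 ** (l + 1) + 1
    trace = [(turns, eps, delta)]
    for _ in range(l):
        eps, delta = lemma9_step(eps, delta)  # raises if a precondition fails
        turns = (turns - 1) // 2 + 1
        trace.append((turns, eps, delta))
    return trace


def theorem10_bounds(m, eps, delta):
    """Completeness error and soundness gap stated in Theorem 10."""
    return 2 * eps / (m - 1), delta / (m - 1) ** 2


if __name__ == "__main__":
    m, eps, delta = 9, 0.001, 0.5  # constructed sample parameters
    for turns, e, d in parallelize_to_three_turns(m, eps, delta):
        print(f"turns={turns:3d}  completeness>=1-{e:.6g}  soundness<=1-{d:.6g}")
    print("Theorem 10 bounds (eps, delta):", theorem10_bounds(m, eps, delta))
```

The hypothesis $\delta > 2(m-1)\varepsilon$ is what keeps the Lemma 9 precondition true at every one of the $l$ steps; with it violated the first call already raises.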

From Theorems 3 and 10, it is immediate to show the following theorem.

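Theorem 11. Let $k, m \colon \mathbb{Z}^+ \to \mathbb{N}$ be polynomially bounded functions and let $c, s \colon \mathbb{Z}^+ \to [0, 1]$ be any functions that satisfy $c - s \ge \frac{1}{p}$ for some polynomially bounded function $p \colon \mathbb{Z}^+ \to \mathbb{N}$. Then, there exists another polynomially bounded function $p \colon \mathbb{Z}^+ \to \mathbb{N}$ such that $\mathrm{QMIP}(k, m, c, s) \subseteq \mathrm{QMIP}\left(k, 3, 1, 1 - \frac{1}{p}\right)$.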

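Proof. From Theorem 3, we have that, for any polynomially bounded function $p \colon \mathbb{Z}^+ \to \mathbb{N}$, there exists some polynomially bounded function $m \colon \mathbb{Z}^+ \to \mathbb{N}$ such that $\mathrm{QMIP}(k, m, c, s) \subseteq \mathrm{QMIP}(k, m, 1, 2^{-p})$. Now Theorem 10 implies that $\mathrm{QMIP}(k, m, 1, 2^{-p}) \subseteq \mathrm{QMIP}\left(k, 3, 1, 1 - \frac{1 - 2^{-p}}{(m-1)^2}\right)$. Since $\frac{1 - 2^{-p}}{(m-1)^2} \ge \frac{1}{p}$ for some polynomially bounded function $p \colon \mathbb{Z}^+ \to \mathbb{N}$, the claim follows.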

4.2 Converting to Public-Coin Systems

Now we move to the second part of the proof of Theorem 7. We first show that any three-turn quantum  k-prover

interactive proof system with sufficiently large gap between the completeness and soundness accepting probabilities

can be modified to a three-turn public-coin quantum  k-prover interactive proof system in which the gap between

the completeness and soundness accepting probabilities is bounded by an inverse-polynomial. In the single-prover

case, Marriott and Watrous [19] proved a similar statement that any three-message quantum interactive proof system

can be modified to a three-message public-coin one. The proof is a modification of this to the multi-prover case

and will be found in Appendix B.

Theorem 12. Let $k \colon \mathbb{Z}^+ \to \mathbb{N}$ be a polynomially bounded function, and let $\varepsilon, \delta \colon \mathbb{Z}^+ \to [0, 1]$ be any functions that satisfy $\delta > 1 - (1 - \varepsilon)^2$. Then, any language having a three-turn quantum $k$-prover interactive proof system with completeness accepting probability at least $1 - \varepsilon$ and soundness accepting probability at most $1 - \delta$ has a three-turn public-coin quantum $k$-prover interactive proof system with completeness accepting probability at least $1 - \frac{\varepsilon}{2}$ and soundness accepting probability at most $\frac{1}{2} + \frac{\sqrt{1 - \delta}}{2}$. Moreover, the message from the verifier to each prover in the public-coin system consists of only one classical bit.

From Theorems 11 and 12 together with sequential repetition, we have the following corollary, which states the

equivalence of public-coin quantum  k-prover interactive proofs and general quantum  k-prover interactive proofs,

for any k.


Corollary 13. Let $k, m \colon \mathbb{Z}^+ \to \mathbb{N}$ be polynomially bounded functions and let $c, s \colon \mathbb{Z}^+ \to [0, 1]$ be any functions that satisfy $c - s \ge \frac{1}{p}$ for some polynomially bounded function $p \colon \mathbb{Z}^+ \to \mathbb{N}$. Then, for any polynomially bounded function $p \colon \mathbb{Z}^+ \to \mathbb{N}$, there exists another polynomially bounded function $m \colon \mathbb{Z}^+ \to \mathbb{N}$ such that any language in $\mathrm{QMIP}(k, m, c, s)$ necessarily has an $m$-turn public-coin quantum $k$-prover interactive proof system of perfect completeness with soundness accepting probability at most $2^{-p}$.

Proof. Theorem 11 implies that there exists a polynomially bounded function $p \colon \mathbb{Z}^+ \to \mathbb{N}$, such that $\mathrm{QMIP}(k, m, c, s) \subseteq \mathrm{QMIP}\left(k, 3, 1, 1 - \frac{1}{p}\right)$. Now Theorem 12 implies that any language in $\mathrm{QMIP}\left(k, 3, 1, 1 - \frac{1}{p}\right)$ has a three-turn public-coin quantum $k$-prover interactive proof system of perfect completeness with soundness accepting probability at most $\frac{1}{2} + \frac{1}{2}\sqrt{1 - \frac{1}{p}} \le 1 - \frac{1}{4p}$. Finally, sequential repetition shows that, for any polynomially bounded function $p \colon \mathbb{Z}^+ \to \mathbb{N}$, there exists some polynomially bounded function $m \colon \mathbb{Z}^+ \to \mathbb{N}$ such that such a three-turn public-coin quantum $k$-prover interactive proof system can be converted to an $m$-turn public-coin quantum $k$-prover interactive proof system of perfect completeness with soundness accepting probability at most $2^{-p}$.

4.3 Parallelizing to Two Turns

Finally, we prove that any three-turn public-coin quantum $k$-prover interactive proof system can be converted into a two-turn (i.e., one-round) quantum $(k + 1)$-prover interactive proof system without changing completeness and soundness conditions. The idea of the proof is to send questions only to the first $k$ provers to request the original second messages from the $k$ provers in the original system and to receive from the $(k + 1)$-st prover the original first messages from the $k$ provers in the original system without asking any question.

Theorem 14. Let $k \colon \mathbb{Z}^+ \to \mathbb{N}$ be a polynomially bounded function, and let $c, s \colon \mathbb{Z}^+ \to [0, 1]$ be any functions that satisfy $c > s$. Then, any language having a three-turn public-coin quantum $k$-prover interactive proof system with completeness accepting probability at least $c$ and soundness accepting probability at most $s$ is in $\mathrm{QMIP}(k + 1, 2, c, s)$.

Proof. Let $L$ be a language having a three-turn public-coin quantum $k$-prover interactive proof system with completeness accepting probability at least $c$ and soundness accepting probability at most $s$, and let $V$ be the corresponding three-turn public-coin quantum verifier for quantum $k$-prover interactive proof systems. For every input $x$, at the first turn, $V$ first receives a quantum register $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$. At the second turn, $V$ flips a fair classical coin $l$ times to generate a random string $r$ of length $l$, for some polynomially bounded function $l \colon \mathbb{Z}^+ \to \mathbb{N}$, and broadcasts $r$ to all the provers. $V$ also stores $r$ in a quantum register $\mathsf{Q}$ in his private space. Finally, at the third turn, $V$ receives a quantum register $\mathsf{N}_i$ from the $i$th prover, for $1 \le i \le k$. $V$ then prepares a quantum register $\mathsf{V}$ for his work space, where all the qubits in $\mathsf{V}$ are initialized to state $|0\rangle$. Now $V$ applies the transformation $V_{\mathrm{final}}$ to the qubits in $(\mathsf{Q}, \mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{N}_1, \ldots, \mathsf{N}_k)$, and performs the measurement $\Pi = \{\Pi_{\mathrm{acc}}, \Pi_{\mathrm{rej}}\}$ to decide acceptance or rejection. We construct a protocol of a two-turn quantum verifier $W$ of the new quantum $(k + 1)$-prover interactive proof system for $L$.

For every input $x$, the constructed verifier $W$ supposes that the $i$th prover prepares the quantum register $\mathsf{N}_i$ in his private space, for $1 \le i \le k$, and the $(k + 1)$-st prover prepares the $k$ quantum registers $\mathsf{M}_1, \ldots, \mathsf{M}_k$ in his private space. $W$ prepares the quantum register $\mathsf{V}$, where all the qubits in $\mathsf{V}$ are initialized to state $|0\rangle$.

At the first turn, $W$ flips a fair classical coin $l$ times to generate a random string $r$ of length $l$, and sends $r$ to the $i$th prover for $1 \le i \le k$. $W$ also stores $r$ in a quantum register $\mathsf{Q}$ in his private space. $W$ sends nothing to the $(k + 1)$-st prover.

At the second turn, the provers are requested to send the qubits in $(\mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{N}_1, \ldots, \mathsf{N}_k)$ so that the qubits in $(\mathsf{Q}, \mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{N}_1, \ldots, \mathsf{N}_k)$ form the quantum state the original three-turn verifier $V$ would possess just after the third turn (i.e., just after the second messages from the provers) of the original protocol.


Verifier's Protocol in One-Round System

1. Prepare a quantum register $\mathsf{V}$, and initialize all the qubits in $\mathsf{V}$ to state $|0\rangle$. Flip a fair classical coin $l$ times to generate a random string $r$ of length $l$. Store $r$ in a quantum register $\mathsf{Q}$, and send $r$ to the $i$th prover for $1 \le i \le k$. Send nothing to the $(k + 1)$-st prover.

2. Receive a quantum register $\mathsf{N}_i$ from the $i$th prover, for $1 \le i \le k$, and $k$ quantum registers $\mathsf{M}_1, \ldots, \mathsf{M}_k$ from the $(k + 1)$-st prover. Apply $V_{\mathrm{final}}$ to the qubits in $(\mathsf{Q}, \mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{N}_1, \ldots, \mathsf{N}_k)$ and accept if and only if the content of $(\mathsf{Q}, \mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{N}_1, \ldots, \mathsf{N}_k)$ is an accepting state of the original protocol.

Figure 3: Verifier's protocol to reduce the number of turns to two.

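Now $W$ applies $V_{\mathrm{final}}$ to the qubits in $(\mathsf{Q}, \mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{N}_1, \ldots, \mathsf{N}_k)$ and accepts if and only if the content of $(\mathsf{Q}, \mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{N}_1, \ldots, \mathsf{N}_k)$ is an accepting state of the original protocol.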

First suppose that the input x  is in L.

Let $P_i$ be the honest $i$th quantum prover for the original proof system, and let $\mathsf{P}_i$ be the quantum register consisting of all the qubits in the private space of $P_i$, for $1 \le i \le k$. Without loss of generality, it is assumed that some of the qubits in $\mathsf{P}_i$ form the quantum register $\mathsf{N}_i$, for each $1 \le i \le k$. Let $|\psi_1\rangle$ be the quantum state in $(\mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{P}_1, \ldots, \mathsf{P}_k)$ that the provers $P_1, \ldots, P_k$ generate just after the first turn of the original protocol so that they can convince $V$ with probability at least $c$ in the original proof system.

Let $R_i$ be the honest $i$th quantum prover in the constructed two-turn system, for $1 \le i \le k + 1$. Each $R_i$ prepares the quantum register $\mathsf{P}_i$ in his private space for $1 \le i \le k$, and $R_{k+1}$ prepares the quantum registers $\mathsf{M}_1, \ldots, \mathsf{M}_k$ in his private space. $R_1, \ldots, R_{k+1}$ initially share $|\psi_1\rangle$ in $(\mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{P}_1, \ldots, \mathsf{P}_k)$. At the second turn of the protocol, $R_{k+1}$ does nothing and always sends the qubits in $(\mathsf{M}_1, \ldots, \mathsf{M}_k)$ to $W$, while each $R_i$, after receiving $r$, first applies $P_{i,2,r}$ to the qubits in $\mathsf{P}_i$, and then sends $\mathsf{N}_i$, which is a part of $\mathsf{P}_i$, to $W$, for $1 \le i \le k$, where $P_{i,2,r}$ is the second transformation of the original $i$th prover $P_i$ on input $x$ in the original protocol, conditioned that the message from $V$ is $r$.

It is obvious from the construction that the provers $R_1, \ldots, R_{k+1}$ can convince $W$ with probability at least $c$, the same probability with which the original provers $P_1, \ldots, P_k$ can convince the original verifier $V$.

Now suppose that the input  x  is not in L.

Let $R_i$ be any two-turn quantum prover for the constructed proof system, and let $\mathsf{R}_i$ be the quantum register consisting of all the qubits in the private space of $R_i$, for $1 \le i \le k + 1$. Without loss of generality, it is assumed that some of the qubits in $\mathsf{R}_{k+1}$ form the quantum register $\mathsf{M} = (\mathsf{M}_1, \ldots, \mathsf{M}_k)$. Let $|\psi\rangle$ be an arbitrary quantum state in $(\mathsf{R}_1, \ldots, \mathsf{R}_{k+1})$ that is initially shared by the $(k + 1)$ provers in the constructed system. Suppose that, at the second turn, if the message from $W$ is $r$, each $R_i$ applies $X_{i,r}$, for $1 \le i \le k$. Without loss of generality, it is assumed that $R_{k+1}$ does nothing, and just sends the qubits in $(\mathsf{M}_1, \ldots, \mathsf{M}_k)$ at the second turn, since $R_{k+1}$ receives nothing from $W$ (that $R_{k+1}$ applies some transformation $Z$ is equivalent to sharing $Z|\psi\rangle$ at the beginning).

Consider three-turn quantum provers $P_1, \ldots, P_k$ for the original proof system with the following properties: (1) each $P_i$ prepares the quantum register $\mathsf{M}_i$ and $\mathsf{R}_i$ in his private space, for $1 \le i \le k$, (2) $P_1, \ldots, P_k$ initially share $|\psi\rangle$ in $(\mathsf{R}_1, \ldots, \mathsf{R}_{k+1})$, where all the qubits in $\mathsf{R}_{k+1}$ except for those in $\mathsf{M} = (\mathsf{M}_1, \ldots, \mathsf{M}_k)$ are shared arbitrarily, (3) at the first turn, each $P_i$ sends $\mathsf{M}_i$ to $V$, for $1 \le i \le k$, and (4) if the message from $V$ is $r$, each $P_i$ applies $X_{i,r}$ at his second transformation to the qubits received from $V$ and those in $\mathsf{R}_i$, for $1 \le i \le k$. It is obvious that these provers $P_1, \ldots, P_k$ can convince the original verifier $V$ with the same probability as $R_1, \ldots, R_{k+1}$ can convince $W$. Hence, the probability $W$ accepts $x$ is at most $s$, as desired.

Now Theorem 7 follows from Theorems 11, 12, and 14. The following is an immediate but important corollary

of Theorem 14.


[15] Julia Kempe, Hirotada Kobayashi, Keiji Matsumoto, Benjamin F. Toner, and Thomas Vidick. On the power of entangled provers: Immunizing games against entanglement. arXiv.org e-Print archive, arXiv:0704.2903v1 [quant-ph], April 2007.

[16] Alexei Yu. Kitaev, Alexander H. Shen, and Mikhail N. Vyalyi. Classical and Quantum Computation, volume 47 of Graduate Studies in Mathematics. American Mathematical Society, 2002.

[17] Alexei Yu. Kitaev and John H. Watrous. Parallelization, amplification, and exponential time simulation of quantum interactive proof systems. In Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing, pages 608–617, 2000.

[18] Hirotada Kobayashi and Keiji Matsumoto. Quantum multi-prover interactive proof systems with limited prior entanglement. Journal of Computer and System Sciences, 66(3):429–450, 2003.

[19] Chris Marriott and John H. Watrous. Quantum Arthur-Merlin games. Computational Complexity, 14(2):122–152, 2005.

[20] Ashwin Nayak and Peter W. Shor. Bit-commitment-based quantum coin flipping. Physical Review A, 67(1):012304, 2003.

[21] Michael A. Nielsen and Isaac L. Chuang. Quantum Computation and Quantum Information. Cambridge University Press, 2000.

[22] Peter W. Shor. Fault-tolerant quantum computation. In 37th Annual Symposium on Foundations of Computer Science, pages 56–65, 1996.

[23] Robert W. Spekkens and Terry Rudolph. Degrees of concealment and bindingness in quantum bit-commitment protocols. Physical Review A, 65(1):012310, 2002.

[24] Xiaoming Sun, Andrew C.-C. Yao, and Daniel Preda. On entangled quantum 3-prover systems for SAT and the magic square. Unpublished manuscript.

[25] John H. Watrous. PSPACE has constant-round quantum interactive proof systems. Theoretical Computer Science, 292(3):575–588, 2003.

[26] John H. Watrous. Zero-knowledge against quantum attacks. In Proceedings of the 38th Annual ACM Symposium on Theory of Computing, pages 296–305, 2006.

[27] Stephanie Wehner. Entanglement in interactive proof systems with binary answers. In STACS 2006, 23rd Annual Symposium on Theoretical Aspects of Computer Science, volume 3884 of Lecture Notes in Computer Science, pages 162–171, 2006.

Appendix

A Proof of Lemma 5

Proof. Let $L$ be a language in $\mathrm{QMIP}(k, m, c, s)$, and let $V$ be the corresponding $m$-turn quantum verifier for the quantum $k$-prover interactive proof system for $L$. Let $\mathsf{V}$ be the quantum register consisting of all the qubits in the private space of $V$, and let $\mathsf{M}_i$ be that consisting of all the qubits in the message channel between $V$ and the $i$th prover, for $1 \le i \le k$. For every input $x$, $V$ applies $V_j$ for his $j$th transformation to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, for $1 \le j \le \frac{m}{2} + 1$. We slightly modify the protocol of $V$ to construct another protocol of an $m$-turn quantum


verifier W  of the perfectly rewindable quantum  k-prover interactive proof system for  L. For simplicity, in what

follows, it is assumed that m  is even (the cases in which m  is odd can be proved in a similar manner).

For every input $x$, the new verifier $W$ prepares the quantum registers $\mathsf{V}$ and $\mathsf{M}_i$ for $1 \le i \le k$, and two single-qubit quantum registers $\mathsf{B}$ and $\mathsf{X}$. Let $\mathsf{Y}$ be the single-qubit quantum register consisting of the qubit in $\mathsf{V}$ that corresponds to the output qubit of the original verifier $V$. All the qubits in $(\mathsf{X}, \mathsf{V}, \mathsf{B}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ are initialized to $|0\rangle$.

Using first $(m - 2)$ turns, $W$ attempts to simulate the original protocol, by applying $V_j$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ as his $j$th transformation and sending $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$ and $1 \le j \le \frac{m}{2} - 1$.

At the $(m - 1)$-st turn, which is a turn for the verifier, $W$ applies $V_{\frac{m}{2}}$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ and then sends $\mathsf{M}_i$ to the $i$th prover, for $1 \le i \le k$. In addition to $\mathsf{M}_1$, $W$ also sends $\mathsf{B}$ to the first prover.

At the $m$th turn, which is a turn for the provers, $W$ receives $\mathsf{B}$ in addition to $\mathsf{M}_1$ from the first prover. $W$ then applies $V_{\frac{m}{2}+1}$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, and further performs Toffoli over the qubits in $(\mathsf{B}, \mathsf{Y}, \mathsf{X})$, using the qubit in $\mathsf{X}$ as the target. $W$ accepts if and only if the content of $\mathsf{X}$ is $1$. Notice that the content of $\mathsf{X}$ is $1$ if and only if the content of $\mathsf{B}$ is $1$ and the state in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ is an accepting state of the original protocol. Therefore, the soundness accepting probability is obviously at most $s$ in the constructed protocol.

Now we present a specific protocol for honest provers to show the perfect rewindability condition in the case the input $x$ is in $L$.

Let $P_i$ be the $m$-turn honest $i$th quantum prover for the original protocol, and let $\mathsf{P}_i$ be the quantum register consisting of all the qubits in the private space of $P_i$, for $1 \le i \le k$. For each $1 \le i \le k$, let $P_{i,j}$ be the $j$th transformation of $P_i$ on input $x$ in the original protocol, for $1 \le j \le \frac{m}{2}$. Let $\Phi^*$ be any optimal state-sharing function for $k$ quantum provers such that the state $|\Phi^*(x)\rangle$ in $(\mathsf{P}_1, \ldots, \mathsf{P}_k)$ shared by the provers $P_1, \ldots, P_k$ maximizes the accepting probability of $V$ when communicating with these specific provers $P_1, \ldots, P_k$, and let $p_{\max}$ be the probability that $(V, P_1, \ldots, P_k)$ accepts $x$ when $P_1, \ldots, P_k$ initially share $|\Phi^*(x)\rangle$.

For each $1 \le i \le k$, the honest $i$th prover $R_i$ in the constructed protocol prepares the quantum register $\mathsf{P}_i$ in his private space. $R_1, \ldots, R_k$ use the state-sharing function $\Phi^*$ to initially share $|\Phi^*(x)\rangle$ in $(\mathsf{P}_1, \ldots, \mathsf{P}_k)$ on input $x$.

At the $j$th transformation of $R_i$ for $1 \le i \le k$ and $1 \le j \le \frac{m}{2} - 1$, after receiving the register $\mathsf{M}_i$ from $W$, $R_i$ applies $P_{i,j}$ to the qubits in $(\mathsf{M}_i, \mathsf{P}_i)$ and sends $\mathsf{M}_i$ to $W$ to just simulate the original protocol.

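At the $\frac{m}{2}$-th transformation of $R_1$, after receiving the registers $\mathsf{B}$ and $\mathsf{M}_1$ from $W$, $R_1$ applies $P_{1,\frac{m}{2}}$ to the qubits in $(\mathsf{M}_1, \mathsf{P}_1)$ and applies the unitary transformation $T$ defined by

$$T = \frac{1}{\sqrt{2 p_{\max}}} \begin{pmatrix} \sqrt{2 p_{\max} - 1} & -1 \\ 1 & \sqrt{2 p_{\max} - 1} \end{pmatrix}$$

to the qubit in $\mathsf{B}$ to generate the state $\sqrt{1 - \frac{1}{2 p_{\max}}}\,|0\rangle + \sqrt{\frac{1}{2 p_{\max}}}\,|1\rangle$ in $\mathsf{B}$. $R_1$ then sends $\mathsf{B}$ and $\mathsf{M}_1$ back to $W$.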

At the $\frac{m}{2}$-th transformation of $R_i$ for $2 \le i \le k$, after receiving the register $\mathsf{M}_i$ from $W$, $R_i$ applies $P_{i,\frac{m}{2}}$ to the qubits in $(\mathsf{M}_i, \mathsf{P}_i)$ and sends $\mathsf{M}_i$ back to $W$, just as in the case of the original protocol.

Then, from the construction of $R_i$ for $1 \le i \le k$, it is obvious that the maximum accepting probability is exactly equal to $\frac{1}{2}$ when $W$ communicates with $R_1, \ldots, R_{k(n)}$, and the maximum is achieved when $R_1, \ldots, R_k$ use the state-sharing function $\Phi^*$. This shows the perfect rewindability property, and the claim follows.

B Proof of Theorem 12

Proof of Theorem 12.   The proof is a modification of the proof of Theorem 5.4 in Ref. [19] to the multi-prover case.

Let $L$ be a language in $\mathrm{QMIP}(k, 3, 1 - \varepsilon, 1 - \delta)$ and let $V$ be the corresponding three-turn quantum verifier for quantum $k$-prover interactive proof systems. Let $\mathsf{V}$ be the quantum register consisting of all the qubits in the private space of $V$, and let $\mathsf{M}_i$ be that consisting of all the qubits in the message channel between $V$ and the $i$th prover, for $1 \le i \le k$. For every input $x$, $V$ applies $V_j$ for his $j$th transformation on the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, for


Verifier's Protocol in Three-Turn Public-Coin System

1. Receive a quantum register $\mathsf{V}$ from the first prover and receive nothing from the $i$th prover, for $2 \le i \le k$.

2. Choose $b \in \{0, 1\}$ uniformly at random. Send $b$ to each prover.

3. Receive quantum registers $\mathsf{M}_i$ from the $i$th prover for $1 \le i \le k$.

   3.1 If $b = 0$, apply $V_2$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Accept if the content of $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ is an accepting state of the original protocol, and reject otherwise.

   3.2 If $b = 1$, apply $V_1^\dagger$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Accept if all the qubits in $\mathsf{V}$ are in state $|0\rangle$, and reject otherwise.

Figure 4: Verifier's protocol in three-turn public-coin system.

$1 \le j \le 2$, and performs the measurement $\Pi = \{\Pi_{\mathrm{acc}}, \Pi_{\mathrm{rej}}\}$ at the end of the original protocol to decide acceptance or rejection. We construct a protocol of a three-turn public-coin quantum verifier $W$ of the new quantum $k$-prover interactive proof system for $L$.

For every input  x, at the first turn the constructed verifier  W   receives the quantum register  V   from the first

prover.   W   receives nothing from the   ith prover at the first turn, for  2 ≤ i ≤ k.   W   expects that the   ith prover

prepares the quantum register  Mi  in his private space, for 1 ≤ i ≤ k, and that the qubits in (V,M1, . . . ,Mk) form

the quantum state the original three-turn verifier  V   would possess just after the second turn (i.e., just after the first

transformation of  V ) of the original protocol.

At the second turn, W  chooses b ∈ {0, 1} uniformly at random and sends  b  to each prover.

If $b = 0$, the $i$th prover is requested to send $\mathsf{M}_i$, for $1 \le i \le k$, so that the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ form the quantum state the original verifier $V$ would possess just after the third turn (i.e., just after the second transformations of the provers) of the original protocol. Now $W$ applies $V_2$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ and accepts if and only if the content of $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ is an accepting state of the original protocol.

On the other hand, if $b = 1$, the $i$th prover is requested to send $\mathsf{M}_i$, for $1 \le i \le k$, so that the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ form the quantum state the original verifier $V$ would possess just after the second turn (i.e., just after the first transformation of $V$) of the original protocol. Now $W$ applies $V_1^\dagger$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ and accepts if and only if all the qubits in $\mathsf{V}$ are in state $|0\rangle$.

The precise description of the protocol of  W  is found in Figure 4.

First suppose that the input x  is in L.

Let $P_i$ be the three-turn honest quantum prover for the original proof system, and let $\mathsf{P}_i$ be the quantum register consisting of all the qubits in the private space of $P_i$, for $1 \le i \le k$. Let $|\Phi\rangle$ be a quantum state in $(\mathsf{P}_1, \ldots, \mathsf{P}_k)$ such that, if $P_1, \ldots, P_k$ initially share $|\Phi\rangle$, they can convince $V$ with probability at least $1 - \varepsilon$ in the original proof system. Let $|\psi_2\rangle$ be the quantum state in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{P}_1, \ldots, \mathsf{P}_k)$ just after the second turn (i.e., just after the first transformation of $V$) of the original protocol if $V$ communicates with the provers $P_1, \ldots, P_k$ who initially share $|\Phi\rangle$ in their private spaces.

Let $R_i$ be the honest $i$th prover in the constructed three-turn system, for $1 \le i \le k$. In addition to the registers $\mathsf{V}$ and $\mathsf{M}_1$, $R_1$ prepares a quantum register $\mathsf{P}_1$ in his private space. Similarly, in addition to $\mathsf{M}_i$, $R_i$ prepares a quantum register $\mathsf{P}_i$ in his private space for $2 \le i \le k$. $R_1, \ldots, R_k$ initially share $|\psi_2\rangle$ in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{P}_1, \ldots, \mathsf{P}_k)$. At the first turn of the constructed protocol, $R_1$ sends $\mathsf{V}$ to $W$, while each $R_i$, $2 \le i \le k$, sends nothing to $W$.

At the second transformation of the provers, if $b = 0$, each $R_i$ first applies $P_{i,2}$ to the qubits in $(\mathsf{M}_i, \mathsf{P}_i)$, and then sends $\mathsf{M}_i$ to $W$, where $P_{i,2}$ is the second transformation of the original $i$th prover $P_i$ on input $x$ in the original protocol, for $1 \le i \le k$. If $b = 1$, each $R_i$ does nothing and just sends $\mathsf{M}_i$ to $W$ at the second transformation of the


provers, for $1 \le i \le k$.

It is obvious that the provers $R_1, \ldots, R_k$ can convince $W$ with probability at least $1 - \varepsilon$ if $b = 0$, and with certainty if $b = 1$. Hence, $W$ accepts every input $x \in L$ with probability at least $1 - \frac{\varepsilon}{2}$.

Now suppose that the input $x$ is not in $L$.

Let $R_i$ be any three-turn quantum prover for the constructed proof system, for $1 \le i \le k$. Let $|\psi\rangle$ be an arbitrary quantum state that represents the state just after the first transformations of the provers $R_1, \ldots, R_k$ in the constructed system. Suppose that, at the second transformation of the provers, each $R_i$ applies $X_i$ if $b = 0$ and $Y_i$ if $b = 1$, for $1 \le i \le k$, and write $X = X_1 \otimes \cdots \otimes X_k$ and $Y = Y_1 \otimes \cdots \otimes Y_k$. Notice that $X$ and $Y$ are unitary transformations that do not act over the qubits in $\mathsf{V}$.

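Let $|\alpha\rangle = \frac{1}{\|\Pi_{\mathrm{acc}} V_2 X |\psi\rangle\|} \Pi_{\mathrm{acc}} V_2 X |\psi\rangle$ and $|\beta\rangle = \frac{1}{\|\Pi_{\mathrm{init}} V_1^\dagger Y |\psi\rangle\|} \Pi_{\mathrm{init}} V_1^\dagger Y |\psi\rangle$, where $\Pi_{\mathrm{acc}}$ is the projection onto accepting states in the original protocol and $\Pi_{\mathrm{init}}$ is the projection onto states in which all the qubits in $\mathsf{V}$ are in state $|0\rangle$.

Then, with a similar argument to that in the proof of Lemma 9, the probability $p_{\mathrm{acc}}$ that $W$ accepts $x$ when communicating with $R_1, \ldots, R_{k+1}$ is bounded by

$$
p_{\mathrm{acc}} \le \frac{1}{2}\Bigl(1 + F\bigl(X^\dagger V_2^\dagger |\alpha\rangle\langle\alpha| V_2 X,\; Y^\dagger V_1 |\beta\rangle\langle\beta| V_1^\dagger Y\bigr)\Bigr) = \frac{1}{2}\Bigl(1 + F\bigl(|\alpha\rangle\langle\alpha|,\; V_2 X Y^\dagger V_1 |\beta\rangle\langle\beta| V_1^\dagger Y X^\dagger V_2^\dagger\bigr)\Bigr).
$$

Since $\Pi_{\mathrm{init}}|\beta\rangle = |\beta\rangle$ is a legal quantum state just after the first transformations of the provers in the original protocol, $V_1$, $X Y^\dagger$, $V_2$ form a legal sequence of transformations in the original protocol, and $\Pi_{\mathrm{acc}}|\alpha\rangle = |\alpha\rangle$, again a similar argument to that in the proof of Lemma 9 shows that $F\bigl(|\alpha\rangle\langle\alpha|,\; V_2 X Y^\dagger V_1 |\beta\rangle\langle\beta| V_1^\dagger Y X^\dagger V_2^\dagger\bigr) \le \sqrt{1 - \delta}$.

Hence the probability $p_{\mathrm{acc}}$ that $W$ accepts $x$ is bounded by $p_{\mathrm{acc}} \le \frac{1}{2} + \frac{\sqrt{1 - \delta}}{2}$, which completes the proof.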

C Direct Proof of Modifying Three-Turn Systems to Two-Turn Systems

For completeness, here we give a direct proof that any $k$-prover three-turn system can be converted into a $(k + 1)$-prover two-turn system.

Theorem 16. Let $k : \mathbb{Z}^+ \to \mathbb{N}$ be a polynomially bounded function, and let $\varepsilon, \delta : \mathbb{Z}^+ \to [0, 1]$ be any functions that satisfy $\delta > 1 - (1 - \varepsilon)^2$. Then, $\mathrm{QMIP}(k, 3, 1 - \varepsilon, 1 - \delta) \subseteq \mathrm{QMIP}\bigl(k + 1, 2, 1 - \frac{\varepsilon}{2}, \frac{1}{2} + \frac{\sqrt{1 - \delta}}{2}\bigr)$.

Proof. The proof is similar to the proofs of Lemma 9 and Theorem 12.

Let $L$ be a language in $\mathrm{QMIP}(k, 3, 1 - \varepsilon, 1 - \delta)$ and let $V$ be the corresponding three-turn quantum verifier for the quantum $k$-prover interactive proof system for $L$. Let $\mathsf{V}$ be the quantum register consisting of all the qubits in the private space of $V$, and let $\mathsf{M}_i$ be that consisting of all the qubits in the message channel between $V$ and the $i$th prover, for $1 \le i \le k$. For every input $x$, $V$ applies $V_j$ for his $j$th transformation on the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$, for $1 \le j \le 2$, and performs the measurement $\Pi = \{\Pi_{\mathrm{acc}}, \Pi_{\mathrm{rej}}\}$ at the end of the original protocol to decide acceptance or rejection. We construct a protocol of a two-turn quantum verifier $W$ of the new quantum $(k + 1)$-prover interactive proof system for $L$.

For every input $x$, $W$ supposes that the $i$th prover prepares a quantum register $\mathsf{M}_i$ in his private space, for $1 \le i \le k$, and the $(k + 1)$-st prover prepares a quantum register $\mathsf{V}$ in his private space. $W$ expects that the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ form the quantum state the original three-turn verifier $V$ would possess just after the second turn (i.e., just after the first transformation of $V$) of the original protocol.

At the first turn, $W$ chooses $b \in \{0, 1\}$ uniformly at random, and sends $b$ only to the first $k$ provers. $W$ sends nothing to the $(k + 1)$-st prover.

If $b = 0$, the provers are requested to send the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ so that they form the quantum state the original three-turn verifier $V$ would possess just after the third turn (i.e., just after the second transformations of the provers) of the original protocol. Now $W$ applies $V_2$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ and accepts if and only if the content of $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ is an accepting state of the original protocol.

On the other hand, if $b = 1$, the provers are requested to send the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ so that they form the quantum state the original three-turn verifier $V$ would possess just after the second turn (i.e., just after the first transformation of $V$) of the original protocol. Now $W$ applies $V_1^\dagger$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ and accepts if and only if all the qubits in $\mathsf{V}$ are in state $|0\rangle$.

The precise description of the protocol of $W$ is found in Figure 5.

Verifier’s Protocol in One-Round System (Direct Construction)

1. Choose $b \in \{0, 1\}$ uniformly at random. Send $b$ only to the first $k$ provers, and send nothing to the $(k + 1)$-st prover.

2. Receive a quantum register $\mathsf{M}_i$ from the $i$th prover, for $1 \le i \le k$, and a quantum register $\mathsf{V}$ from the $(k + 1)$-st prover.

   2.1 If $b = 0$, apply $V_2$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Accept if the content of $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$ is an accepting state of the original protocol, and reject otherwise.

   2.2 If $b = 1$, apply $V_1^\dagger$ to the qubits in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k)$. Accept if all the qubits in $\mathsf{V}$ are in state $|0\rangle$, and reject otherwise.

Figure 5: Verifier’s protocol to reduce the number of turns to two (direct construction).

First suppose that the input $x$ is in $L$.

Let $P_i$ be the three-turn honest quantum prover for the original proof system, and let $\mathsf{P}_i$ be the quantum register consisting of all the qubits in the private space of $P_i$, for $1 \le i \le k$. Let $|\Phi\rangle$ be a quantum state in $(\mathsf{P}_1, \ldots, \mathsf{P}_k)$ such that, if $P_1, \ldots, P_k$ initially share $|\Phi\rangle$, they can convince $V$ with probability at least $1 - \varepsilon$ in the original proof system. Let $|\psi_2\rangle$ be the quantum state in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{P}_1, \ldots, \mathsf{P}_k)$ just after the second turn (i.e., just after the first transformation of $V$) of the original protocol if $V$ communicates with the provers $P_1, \ldots, P_k$ who initially share $|\Phi\rangle$ in their private spaces.

Let $R_i$ be the honest $i$th prover in the constructed three-turn system, for $1 \le i \le k + 1$. In addition to the register $\mathsf{M}_i$, $R_i$ prepares a quantum register $\mathsf{P}_i$ in his private space, for $1 \le i \le k$. $R_{k+1}$ only prepares the quantum register $\mathsf{V}$ in his private space. $R_1, \ldots, R_{k+1}$ initially share $|\psi_2\rangle$ in $(\mathsf{V}, \mathsf{M}_1, \ldots, \mathsf{M}_k, \mathsf{P}_1, \ldots, \mathsf{P}_k)$. At the second turn of the protocol, $R_{k+1}$ does nothing and always sends $\mathsf{V}$ to $W$. At the second turn of the protocol, if $b = 0$, each $R_i$ first applies $P_{i,2}$ to the qubits in $(\mathsf{M}_i, \mathsf{P}_i)$, and then sends $\mathsf{M}_i$ to $W$, where $P_{i,2}$ is the second transformation of the original $i$th prover $P_i$ on input $x$ in the original protocol, for $1 \le i \le k$. If $b = 1$, each $R_i$, $1 \le i \le k$, does nothing and just sends $\mathsf{M}_i$ to $W$ at the second turn of the protocol.

It is obvious that the provers $R_1, \ldots, R_{k+1}$ can convince $W$ with probability at least $1 - \varepsilon$ if $b = 0$, and with certainty if $b = 1$. Hence, $W$ accepts every input $x \in L$ with probability at least $1 - \frac{\varepsilon}{2}$.

Now suppose that the input $x$ is not in $L$.

Let $R_i$ be any two-turn quantum prover for the constructed proof system, for $1 \le i \le k + 1$. Let $|\psi\rangle$ be an arbitrary but legal initial state in the constructed system. Suppose that, at the second turn, each $R_i$ applies $X_i$ if $b = 0$ and $Y_i$ if $b = 1$, for $1 \le i \le k$, and write $X = X_1 \otimes \cdots \otimes X_k$ and $Y = Y_1 \otimes \cdots \otimes Y_k$. Without loss of generality, it is assumed that $R_{k+1}$ does nothing, and just sends the qubits in $\mathsf{V}$ at the second turn, since $R_{k+1}$ receives nothing from $W$ (that $R_{k+1}$ applies some transformation $Z$ is equivalent to sharing $Z|\psi\rangle$ at the beginning).

Let $|\alpha\rangle = \frac{1}{\|\Pi_{\mathrm{acc}} V_2 X |\psi\rangle\|} \Pi_{\mathrm{acc}} V_2 X |\psi\rangle$ and $|\beta\rangle = \frac{1}{\|\Pi_{\mathrm{init}} V_1^\dagger Y |\psi\rangle\|} \Pi_{\mathrm{init}} V_1^\dagger Y |\psi\rangle$, where $\Pi_{\mathrm{acc}}$ is the projection onto accepting states in the original protocol and $\Pi_{\mathrm{init}}$ is the projection onto states in which all the qubits in $\mathsf{V}$ are in


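state $|0\rangle$. Then, with the same argument as in the proof of Theorem 12, the probability that $W$ accepts $x$ when communicating with $R_1, \ldots, R_{k+1}$ is given by $\frac{1}{2}\bigl(1 + F\bigl(|\alpha\rangle\langle\alpha|,\; V_2 X Y^\dagger V_1 |\beta\rangle\langle\beta| V_1^\dagger Y X^\dagger V_2^\dagger\bigr)\bigr)$, which is at most $\frac{1}{2} + \frac{\sqrt{1 - \delta}}{2}$, as claimed.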
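
The bound $\frac{1}{2}(1 + F)$ used in both proofs above, and the reason Theorem 16 assumes $\delta > 1 - (1 - \varepsilon)^2$, written out as an added derivation that is not part of the original paper. It assumes the fidelity convention $F(\rho, \sigma) = \|\sqrt{\rho}\sqrt{\sigma}\|_{\mathrm{tr}}$, under which $F$ of two pure states is the absolute value of their inner product; the shorthand $|a\rangle$, $|b\rangle$ and $p_{\mathrm{acc}}$ for the acceptance probability on $x \notin L$ are introduced here.

$$
\begin{aligned}
|a\rangle &= X^\dagger V_2^\dagger |\alpha\rangle, \qquad |b\rangle = Y^\dagger V_1 |\beta\rangle, \\
\langle a|\psi\rangle &= \frac{\langle\psi| X^\dagger V_2^\dagger \Pi_{\mathrm{acc}} V_2 X |\psi\rangle}{\|\Pi_{\mathrm{acc}} V_2 X |\psi\rangle\|} = \|\Pi_{\mathrm{acc}} V_2 X |\psi\rangle\|, \qquad \langle b|\psi\rangle = \|\Pi_{\mathrm{init}} V_1^\dagger Y |\psi\rangle\|, \\
p_{\mathrm{acc}} &= \tfrac{1}{2}\|\Pi_{\mathrm{acc}} V_2 X |\psi\rangle\|^2 + \tfrac{1}{2}\|\Pi_{\mathrm{init}} V_1^\dagger Y |\psi\rangle\|^2 = \tfrac{1}{2}\langle\psi|\bigl(|a\rangle\langle a| + |b\rangle\langle b|\bigr)|\psi\rangle \\
&\le \tfrac{1}{2}\lambda_{\max}\bigl(|a\rangle\langle a| + |b\rangle\langle b|\bigr) = \tfrac{1}{2}\bigl(1 + |\langle a|b\rangle|\bigr) = \tfrac{1}{2}\bigl(1 + F(|a\rangle\langle a|, |b\rangle\langle b|)\bigr).
\end{aligned}
$$

The two cases $b = 0$ and $b = 1$ each occur with probability $\frac{1}{2}$, which gives the first expression for $p_{\mathrm{acc}}$; the eigenvalues of $|a\rangle\langle a| + |b\rangle\langle b|$ for unit vectors are $1 \pm |\langle a|b\rangle|$. Comparing the resulting soundness bound with the completeness $1 - \frac{\varepsilon}{2}$, and using that $1 - \varepsilon$ and $\sqrt{1 - \delta}$ are both nonnegative:

$$
\Bigl(1 - \frac{\varepsilon}{2}\Bigr) - \Bigl(\frac{1}{2} + \frac{\sqrt{1 - \delta}}{2}\Bigr) = \frac{1}{2}\Bigl((1 - \varepsilon) - \sqrt{1 - \delta}\Bigr) > 0 \iff (1 - \varepsilon)^2 > 1 - \delta \iff \delta > 1 - (1 - \varepsilon)^2 .
$$

So the hypothesis on $\varepsilon$ and $\delta$ is exactly the condition under which the constructed two-turn system keeps a positive gap between completeness and soundness.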