arXiv [quant-ph]

A Quantum inspired proof of P ⊆ IP

Dorit Aharonov, Ayal Green
School of Computer Science and Engineering, The Hebrew University, Jerusalem 91904, Israel
March 14, 2018
Abstract
We provide a new, quantum inspired, proof for the celebrated claim of [LFKN92] that P ⊆ IP. The protocol is fundamentally different from the original sum-check protocol of [LFKN92, Sha92], as well as from variants of this proof [GKR08, Mei09], though it still possesses the overall structure of inductively checking consistency between subsequent steps. The protocol is inspired by [AAV13]. Hopefully, this protocol will be helpful in making progress towards two major open problems: resolving the quantum PCP question, and verification of quantum computations using a classical BPP verifier. Given the historical importance of the sum-check protocol in classical computational complexity, we hope that the new protocol will also find applications in classical complexity theory.
The sum-check protocol, introduced in the celebrated P ⊆ IP and the IP = PSPACE results [LFKN92, Sha92], played a key role in computational complexity, most notably leading to the proof that MIP = NEXP [BFL91] and then to the (original, algebraic) proof of the celebrated PCP Theorem [ALM+98, AS98]. Another important example application comes from cryptography: secure delegation of computations (initiated in [GKR08]), in which the honest server is a BPP machine, but the user (verifier) is much weaker computationally.

Deriving quantum versions of both of these major results remains open. The quantum PCP conjecture [AALV09, AAV13] remains unresolved despite many recent advancements (in both directions), see e.g. [BH13, FH13, EH15, FV15, Ji16a, Ji16b, NV16]. It is considered a major problem in the field of Hamiltonian Complexity. Interestingly, yet another holy grail in quantum complexity has to do with the delegation of quantum computation. Here the goal is slightly different than its classical counterpart. The question is whether a BPP verifier can delegate polynomial time quantum computations (namely computations in BQP) to an honest BQP prover (like in the classical case, security is required against dishonest provers with unbounded computational power). The initial protocols for the problem [ABOE10, FK12] allowed the BPP verifier to process constantly many quantum bits; however, despite much follow-up work on related questions (see, e.g., [RUV13, MF16, ABOEM17]), it is still open whether verification can be done with a single prover, when the verifier is entirely classical, namely a BPP machine.

The fact that these two central questions remain open despite increasing interest and research, and although the respective classical results are well known, is no coincidence. There seem to be some inherent obstacles towards quantum generalizations of classical interactive proof techniques (see, e.g., [AALV09, AAV13]). In particular, these tools rely heavily on local tests, whereas the correlations in quantum states are highly non-local and cannot be addressed locally. We are thus motivated to develop alternative tools for interactive protocols, which are more natural to the quantum setting.
In this work we revisit the fundamental sum-check protocol of [LFKN92, Sha92], and provide an alternative protocol for the task; we believe the new protocol is better adapted to the quantum world, and in particular possesses an inherent tensor product structure. We stress that the resulting theorem itself, namely a rederivation of [LFKN92], is entirely classical, and in particular neither the verifier nor the prover in the protocol need be quantum.

.1 Our Results

For two complexity classes V , P , denote the complexity class IP[ V , P ] to be (informally) the set of all languages for which there exists an interactive proof protocol between a verifier which has computational power V and a prover, such that the protocol is complete even if the prover is computationally limited to P , but where the soundness holds regardless of any computational assumption on the prover.

Our basic protocol works in the quantum setting; it works for problems in BQP (in fact, in PostBQP. Recall that roughly, this class is the class of problems which can be solved by quantum computers which are allowed to project some of the qubits on desired results; see Section 2.5 for exact definition). The verifier is a BPP machine, and the honest prover is required to be PostBQP. We derive an interactive protocol which proves:

Theorem 1.1. PostBQP ∈ IP[BPP, PostBQP]. Furthermore, the IP[BPP, PostBQP] protocol has completeness 1.
However, as Aaronson showed, PostBQP = PP [Aar05], hence the prover is a PP machine. It is not difficult to apply the fact that P = P PP to arrive at the well known result of [LFKN92]:

Theorem 1.2. P ∈ IP[BPP, PP]. Furthermore, the IP[BPP, PP] protocol has completeness 1.
The derivation of Theorem 1.2 from Theorem 1.1 first uses P PP = P [FG02], and works for a language in P PP . It then relies on the verifier simulating the P machine for any language in P PP and invoking the interactive protocol of Theorem 1.1 whenever P would have called the PP oracle. The detailed proof can be found in appendix C.

Thus, we arrive at a new proof of the celebrated theorem of [LFKN92], and a new sum-check protocol. The protocol is very natural to use when considering quantum related problems, since it applies directly to evaluating products of local projections and local unitary matrices which appear naturally in quantum complexity. Considering the classical setting, our protocol can be used for a P problem, as in [LFKN92], in the following way: given a P problem, one would need to map the problem first into a P PP problem, using P = P PP [FG02], then map each of the PP problems into a PostBQP circuit (this can be done using an easy combinatorial reduction, by [Aar05]), and then invoke the interactive protocol for each of the PostBQP problems.

Our protocol differs from that of [LFKN92, Sha92] in a few crucial points, but still exhibits the same overall structure of the original sum-check protocol [LFKN92, Sha92], of inductive consistency checking along a path from the root of a tree to a leaf. Let us review this overall structure since it is useful to have in mind when explaining the new protocol.

At the root of the tree we have a complicated calculation, and the children of the root correspond to slightly simpler calculations; as we go down the tree, the calculations become simpler and simpler so that at a leaf, we reach a calculation that the verifier can compute on his own. The prover first commits (namely sends to the verifier) the values of the calculations at the root, and at all its children.
The verifier first performs some consistency test between the values of children and that of the root, and then picks randomly one of these children, and challenges the prover to prove that value (which is again a root of a tree, except one level shorter). They now continue starting from the new node as a root. As the protocol progresses, the verifier goes down along one path of this tree towards a leaf, whose value he can verify on his own. The main idea is that if the claimed value at a certain node q was wrong then in order for the consistency check between that node and the values of its children to pass with high probability, many of the children’s values must also be wrong. So with high probability, if the prover committed to a wrong claim, he is still committed to a wrong claim also in the next round - so he is “caught in his lies” until the verifier and prover reach a simple claim which the verifier can calculate by himself, at which point he will catch the lie.

In the sum check protocol, the claimed value was the value of the exponential sum of the evaluations of a polynomial in n variables b , . . . , b n : P b ∈{ , } · · · P b n ∈{ , } P ( b , . . . , b n ) = K .

While the original result might be more closely regarded as P ∈ IP[BPP , = P PP we get an equivalence, as can be seen in Section 3

Here, our claimed value at the root would be the trace of what we call a top row matrix (see definition 2.1). This is an exponential size matrix A = | n i h n | · G T · G T − · · · G , where each of the G i is a quantum gate acting non-trivially on at most 3 out of n qubits. That value too can be viewed as an exponential sum.

Protocol overview:
Imagine we are a BPP verifier, and we would like to verify that the value of tr ( A ) = tr ( | n i h n | · G T · · · G ) = C , by interacting with a PostBQP prover. To do this, the prover and verifier will keep updating the matrix A = A ; at the i th round, the verifier will pick a random unitary U i acting non-trivially only on the three qubits that the gate G i works on, and the prover will be challenged to prove the trace of the updated matrix A i , defined to be A i = U i · U i − · · · U | n i h n | G T · · · G i +1 .

The interaction goes as follows: each round, the verifier asks the prover to provide him with the reduced density matrix of A i on the set of qubits which the next gate, G i +1 , works non-trivially on (the first round is the 0’th round, at which the prover is asked to provide A reduced to the qubits of G ). His consistency check at round i > trace of this reduced matrix, denoted M i , and the trace of a three qubit matrix derived by some simple manipulation involving a rotation by U i , on the matrix M i − he received from the prover in the previous round.

Notice that it is critical for our protocol that the randomness is provided by matrices U i which are not general 3-qubit unitaries, but which have a very particular structure: they are tensor products of random single qubit matrices. Since the multiplication of such matrices ( U T · · · U ) is still in the form of a tensor product of single qubit matrices, this is what allows the verifier at the end to compute the trace of A T = U T · U T − · · · U | n i h n | on his own.

We must prove that this structure provides sufficient randomness to catch a cheating prover; namely, that the prover could not give us a false original reduced matrix with a false trace, and then in the next round, switch to a reduced matrix which is true, but will pass the consistency test.

The soundness relies on the following central basic fact. Consider round i .
Suppose the difference between the correct reduced matrix M i and the one the prover actually sent (which we denote by M ′ i ), is ∆ i = M i − M ′ i . The fact that the randomness in tensor product unitaries is sufficient to detect that this difference is non-zero, is captured by the following Lemma 1, central to this work (and proven in appendix A):

Lemma 1. Let ∆ be an operator on n qubits and let u = u ⊗ · · · ⊗ u n be a unitary operator on n qubits: ∆ = 0 ⇒ P r u , ··· ,u n ∽ U (2) u = u ⊗···⊗ u n ( tr (∆ · u ) = 0 ) = 0 ,

where U (2) in the above is a probability distribution over single qubit matrices, which is closely related to the Haar measure but not equal to it (see Definition 4.1). The reason not to work with the Haar measure is that later, when handling precision issues - see below - the distribution U (2) seems simpler to work with. This lemma allows us to prove that if the prover cheated in an earlier round, he must continue to cheat in the next round, or the consistency check will detect an “inconsistency”.

Handling Precision errors
Of course, all the above discussion neglected the fact that the verifier and prover cannot work with infinite precision, namely, with real numbers and continuous probability measures. We modify the protocol by approximating all the above to include exponentially small errors (where also the consistency test is performed up to exponentially small errors); thus, the communication between the verifier and prover is polynomially bounded. The proof that the entire analysis goes through is much more tedious than the proof for the basic protocol which assumes infinite precision calculations; however it uses only simple algebraic manipulations. The main idea in the proof is given by Claim 6.2. In this claim, a very important observation is made. It turns out that the prover in the protocol can always reduce the trace of the error matrix ∆ by some constant factor each round. Our main lemma for the approximation case, Claim 6.2, states that if the prover is not caught in the protocol, it must mean that the error is not decreasing faster than some exponent in the number of rounds. Since the precision of the calculations of the verifier at the final stage is exponentially good, the error cannot decrease below that precision, and thus the cheating will be detected.

It should be mentioned that this effect, in which the prover can reduce its error exponentially in the number of rounds, is very important for the possible application to verification with a BQP prover. See Subsection 1.4 for further discussion on this point.

.3 Comparison to the Sum-Check protocol [LFKN92, Sha92], and other Related work

A crucial difference between the known classical protocol [LFKN92, Sha92] and ours is this. In the classical sum-check protocol, the final verification at a leaf is always of a single value out of exponentially many in the sum. In our protocol, on the other hand, the computation that the verifier needs to perform at the leaf is of the form

tr ( U T · · · U · U | n i h n | ) = tr ( w n ⊗ ... ⊗ w ⊗ w · | n i h n | )

for single qubit matrices w i . Notice that naively, this value is the sum of exponentially many terms. It is only because of the tensor product structure of this expression that this exponential sum can actually be calculated efficiently by the verifier. The fact that the verification at the leaf is of an exponential sum, and, relatedly, the tensor product structure of the protocol, which is naturally quantum, is an inherent difference between this protocol and the classical ones.

Our protocol has similarities in structure with the interactive proof protocol for QMA in [AAV13]. The idea in [AAV13] is to consider the local Hamiltonian H , which is the input to the QMA problem, and the result of the QMA computation is encoded in the trace of a highly non-local matrix f ( H ) which involves polynomial powers of H . The randomness in the protocol is provided not by random unitaries but by random projections, each time on a single qubit. We note that though implicit in [AAV13], we believe that the essence of the security of the [AAV13] protocol could also be highlighted by a similar lemma to Lemma 1, except for random projections rather than random unitaries; in both protocols randomization is done by single qubit manipulations. The explanation of the protocol of [AAV13] using a similar lemma to Lemma 1 remains to be done.

Our work improves on [AAV13] in several aspects. Most importantly, our result applies not only to QMA but to any problem in P , thus rederiving the celebrated classical result of [LFKN92], and connecting our (quantum-inspired though classical) protocol to the world of classical complexity classes. We do not know how to directly extend the protocol of [AAV13] to apply for P , due to it strongly relying on the structure of local Hamiltonians.
Another difference is that the protocol presented here itself is considerably simpler than that of [AAV13], when applied to a problem in BQP; moreover, when applied to a quantum circuit, our protocol preserves its structure. In that context, the [AAV13] protocol goes through a series of reductions, in which a BQP instance would be first reduced to a local Hamiltonian instance, which will in turn be reduced to a calculation of the trace of a matrix which is not a local Hamiltonian. The result is that [AAV13] involves a more complicated abstract structure, in which essentially the tree is replaced (roughly) by a tree of trees, namely, after a sequence of rounds, the parties reach a situation in which the problem becomes slightly simpler, and then they need to start again, for the slightly simpler problem, and they repeat this for polynomially many times.

We hope that our protocol may be helpful as a starting point towards showing BQP ∈ IP[BPP, BQP], namely replacing the prover in our protocol by a BQP prover. This remains as a major open problem and was in fact a major motivation for this paper. We explain below however why resolving the problem would require considerably new ideas.

First, note that a BQP prover could crudely approximate a PostBQP prover by an additive approximation. This could naively suggest that when applying the protocol to a problem in BQP, the exponential precision in our protocol is not needed; it is sufficient to request that the prover only provides approximate answers, and the verifier accepts if the consistency checks are approximately satisfied. Hence, perhaps, if only additive approximation is required, the prover in our protocol can be replaced by a BQP prover? If possible, that would resolve the above major problem of verifying BQP computations using a classical BPP verifier.

Unfortunately, there is a serious problem with this suggestion. The problem has to do with exactly the exponential decay in the error mentioned earlier.
Let us explain the issue very roughly below (compromising rigor to make the argument clearer). Recall that in our protocol, consistency checking is done by comparing only the traces of two matrices (at each round). Let us assume that the prover wants to prove a wrong claim, namely that the trace of the exponential matrix A is in fact C where C is different from the correct value tr ( A ) by δ ; in other words, the prover sends in the first round M ′ such that tr ( M ′ ) = C ; recalling that the correct matrix is denoted M , we have tr ( M ′ ) = tr ( M ) + δ . We refer to δ as the initial error. The idea is that the prover can always decrease the error by a constant factor each round, and still pass the consistency tests. The way the prover will do this is by “spreading his error” at each round as much as possible, as follows: at each round he will send M ′ i = M i + ∆ i such that ∆ i = δ i I/8, where δ i is his current error. In other words, he spreads his error evenly on all diagonal elements in his matrix. The claim is that because of the randomization process, on average, his updated error δ i +1 = tr (∆ i · u i ) for the random unitary u i (chosen by the verifier in the following round) is smaller than δ i by a constant factor. Hence, as we had mentioned earlier in Subsection 1.2 - this strategy will make the initial error decrease by an exponential factor in the number of rounds (making our analysis of the protocol in which this exponential decay of error appears, namely Claim 6.3, essentially tight). Hence, the prover can get away with an exponentially large initial error; this is because the consistency tests of the verifier at the final round must allow some inaccuracies if the prover is only BQP. Making the protocol sufficiently robust to such errors would lead to a solution to the problem, but this seems to require significantly new ideas. We note that the same exponential decay of error is possible to achieve also in the original IP = PSPACE protocol; it is a very interesting problem to try and formalize this property of interactive protocols more rigorously.

Given the historical connection between interactive proofs and PCP, it is our hope that our protocol will be useful also for progress on the quantum PCP front. Another interesting open problem is to extend our protocol to all of PSPACE, and derive an alternative proof for the full IP = PSPACE result; we were not able to do this so far. It is also our hope that this protocol will prove useful in classical contexts, due to its genuinely different structure than previous protocols for the same important task.

We begin with some notations and background in Sec. 2. In Sec. 3 we formally state our main results and show how they are derived given an interactive protocol Ŵ for proving the trace of a top row matrix. In Sec.
4,5 we present our idealized interactive protocol W (which assumes infinite precision) and prove its soundness and completeness. In Sec. 6 we provide the modified version of the protocol, Ŵ, and analyze it to show that even when precision limitations are addressed, completeness and soundness hold.

We use the following notations throughout the paper:

• Given a gate g i on a set s i of less than n qubits, we define G i = g i ⊗ I to be its n qubits expansion (where I is over the qubits s i ).
• Similarly, given a general unitary u i or h i on less than n qubits, we define U i = u i ⊗ I and H i = h i ⊗ I to be their n qubits expansions.
• Given an operator ρ on Hilbert space H = H A ⊗ H B , and given an orthonormal basis $\{|i\rangle\}_i$ for H A and $\{|l\rangle\}_l$ for H B , we can write $\rho = \sum_{i,j,k,l} \rho_{i,j,k,l}\, |i\rangle\langle j| \otimes |k\rangle\langle l|$. Tracing out H B , or equivalently reducing ρ to H A , is defined as:
  $\rho|_{H_A} = \mathrm{tr}_{H_B}(\rho) = \mathrm{tr}_{H_B}\Big(\sum_{i,j,k,l} \rho_{i,j,k,l}\, |i\rangle\langle j| \otimes |k\rangle\langle l|\Big) = \sum_{i,j} \sum_{k} \rho_{i,j,k,k}\, |i\rangle\langle j|$
• Given a matrix B n × n , and a matrix z on a set s of qubits, we denote B ’s reduction to the qubits s (on which z operates) by B | z . Namely: B | z = tr s ( B ).
• U (2) - The measure on single qubit unitaries, from which we randomly toss our matrices. See Section 4.
• P - The complexity class Polynomial-Time.
• In definition 6.2 we use the notion ⌊ f ( θ, φ , φ ) ⌋ ξ . By this we mean any deterministic approximation of f ( θ, φ , φ ), which can be computed by a P verifier using poly( n ) bits, s.t. |⌊ f ( θ, φ , φ ) ⌋ ξ − f ( θ, φ , φ ) | ≤ ξ

While we use P for the complexity class, it should not be confused with P , which we use to call a Prover throughout the paper

.2 Top Row Matrix

A top row matrix is defined as follows:

Definition 2.1.
Given a 2 n × n matrix B , we define its top row matrix to be: | n ih n | B , where | n i is the computational basis state on n qubits | · · · i . By referring to the top row matrix of a quantum circuit on n qubits which is given as a sequence of local gates g T . . . g we mean the top row matrix of B = G T · G T − · · · G .

V , P ]

The complexity class IP[ V , P ] is defined as such:

Definition 2.2. Given complexity classes V and P , IP[ V , P ] is the class of languages L ⊆ { , } ∗ for which there exists a 2 party protocol W between a verifier of computational power V and a prover, such that for all inputs x ,
1. Completeness: If x ∈ L , then there exists a prover of computational power P for which Pr[ verifier-accepts ] ≥ .
2. Soundness: If x ∉ L , then for any prover, Pr[ verifier-accepts ] ≤ .

Definition 2.3 (due to [BV97]). The complexity class BQP is the set of languages which are accepted with probability 2/3 by some polynomial time Quantum Turing Machine.
Definition 2.4.
The promise problem Q-Circuit is defined as follows. The input is a description of a sequence of gates g L , ...g , taken out of a finite universal set of local quantum gates, acting non-trivially on at most 3 out of n qubits. L is polynomial in n . Yes instances and No instances are defined as follows:

Q-CIRCUIT YES : k ( | ih | ⊗ I n − ) · G L · G L − · · · G | n ik >
Q-CIRCUIT NO : k ( | ih | ⊗ I n − ) · G L · G L − · · · G | n ik

Claim 1.
Calculating the trace of the top row matrix for an arbitrary sequence of local gates g T . . . g , acting non-trivially on out of n input qubits such that T = poly ( n ) , to within ± is hard for BQP .

We include this simple proof here since its idea will be used several times later on.
Proof.
Given a Q-Circuit instance, Pr[0] can be written as follows:

k ( | ih | ⊗ I n − ) · G L · G L − · · · G | n ik
= h n | G † L · G † L − · · · G † · ( | ih | ⊗ I n − ) · ( | ih | ⊗ I n − ) · G L · G L − · · · G | n i
= h n | G † L · G † L − · · · G † · ( | ih | ⊗ I n − ) · G L · G L − · · · G | n i
= h | ⊗ h n | G † L · G † L − · · · G † · CNOT n +1 · G L · G L − · · · G | n i ⊗ | i
= tr ( h | ⊗ h n | G † L · G † L − · · · G † · CNOT n +1 · G L · G L − · · · G | n i ⊗ | i )
= tr ( | n +1 ih n +1 | · G † L · G † L − · · · G † · CNOT n +1 · G L · G L − · · · G )

Q-Circuit thus reduces to calculating (to within accuracy ) the trace of the following top row matrix, defined for a sequence of gates consisting of T = 2 L + 1 = poly( n ) unitary local gates:

A n +1 × n +1 = | n +1 ih n +1 | · G † L · G † L − · · · G † · CNOT n +1 · G L · G L − · · · G

In Section 6 we present our interactive protocol Ŵ, which verifies any such trace to within inverse-exponential accuracy, thus showing an explicit IP for BQP. Furthermore, we show that the protocol can be carried out by a PostBQP prover.

Introduced by Aaronson in [Aar05], the complexity class PostBQP consists of all of the computational problems solvable in polynomial time on a quantum Turing machine with postselection and bounded error. Formally, the class can be defined as such:
Definition 2.5.
PostBQP is the class of languages L ⊆ { , } ∗ for which there exists a uniform family of polynomial-size quantum circuits { C n } n ≥ such that for all inputs x ,
1. After C n is applied to the state | · · · i ⊗ | x i , the first qubit has probability ≥ n of being measured | i
2. If x ∈ L , then conditioned on the first qubit being | i , the second qubit is | i with probability at least 2/3.
3. If x ∉ L , then conditioned on the first qubit being | i , the second qubit is | i with probability at most 1/3.

We remark that this definition is slightly different than the original definition of [Aar05], where the probability in item 1 was only required to be non-negative. As noted by Aaronson later in [Aar14], this corrected definition is in fact the one to be used, as only for this definition do we know that PostBQP is equal to PP. Moreover, this equality holds when the quantum circuit is assumed to consist of only Hadamard and Toffoli gates.

We also remark the simple fact that PostBQP is closed under complement. This can easily be seen by flipping the second qubit prior to measuring.

A claim that will be important for us in order to show an interactive protocol for all languages L in PostBQP is the following.

Claim 2.
Any language L ∈ PostBQP can be decided by calculating a division y/z for two real values y and z which are both traces of top row matrices, each for an arbitrary sequence of local unitary quantum gates g T . . . g , acting non-trivially on (at most) three out of n input qubits such that T = poly ( n ) , and are each calculated to within accuracy ǫ = · n .

Proof. Given a language L ∈ PostBQP with input x of n bits, consider the quantum circuit C n as in Definition 2.5, where the number of its ancilla qubits is n Anc and it acts on n ′ = n + n Anc qubits. Consider the final state of the circuit, C n ( | · · · i ⊗ | x i ). Denote by a the outcome of a measurement of the second qubit in that state in the computational basis, and by b the measurement outcome when measuring the first qubit in that state in the computational basis.
• if x ∈ L : Pr[ a = | i | b = | i ] ≥
• if x ∉ L : Pr[ a = | i | b = | i ] ≤

Consider the sequence of quantum gates g , ...., g L describing the simple quantum computation consisting of first mapping | n i 7→ | x i by flipping the required bits one by one, and then applying the circuit C n . It holds that:

Pr[ a = 0 | b = 0] = Pr[ a = 0 ∩ b = 0]Pr[ b = 0] = k ( | i h | ⊗ I n − ) · G L · G L − · · · G | n ′ ik k ( | ih | ⊗ I n − ) · G L · G L − · · · G | n ′ ik

And a similar argument to that used in the proof of Claim 1 shows that both the numerator and denominator can be calculated by calculating the trace of a top row matrix which comprises poly( n ) local gates. We denote the value in the numerator y , and the value in the denominator z , we keep in mind that z ≥ ǫ and go back to look at the two cases:
• if x ∈ L : y ± ǫz ± ǫ ≥ y − ǫz + ǫ ≥ y − zz + z = ( yz − ) ≥ ( − ) > + 0 .
• if x ∉ L : y ± ǫz ± ǫ ≤ y + ǫz − ǫ ≤ y + zz − z = ( yz + ) ≤ ( + ) < − .

top row matrices y and z with accuracy ǫ , we can differentiate between the cases and the claim holds.

Derivation of Main Results
We now show how our main results, Theorems 1.1 and 1.2, can be derived from an interactive proof for the value of a top row matrix. In Section 6 we provide an interactive protocol Ŵ, with a BPP verifier, in which an honest PostBQP prover can prove the correctness of a value C claimed to be the trace of a top row matrix, to within inverse exponential accuracy. We will prove in that section (section 6) that Ŵ has completeness 1 even if the prover P is computationally limited to PostBQP. We prove that Ŵ has soundness at most against any prover in the same section.

We remark here that throughout the paper, in any place where the (PostBQP) prover P is said to compute entries or traces of matrices to within exponential precision, what we mean is that those values are recovered by the verifier V by a sequence of (polynomially many) binary search queries, as the prover’s computational power is assumed to be the decision class PostBQP.

Theorem 1.1
PostBQP ∈ IP[BPP, PostBQP]. Furthermore, the IP[BPP, PP] protocol above has completeness 1.

Proof. By Claim 2 it suffices to verify the traces of two top row matrices to within ± · n in order to decide on any instance of a language L ∈ PostBQP. By Claims 5 and 6 the protocol Ŵ does just that for a single top row matrix, with completeness 1 (even when the prover is restricted to be a PostBQP machine) and soundness at most . By repeating the protocol Ŵ twice and accepting if and only if both runs of Ŵ pass (for each of the two top row matrices), the soundness of each of the top row matrices is reduced to , while maintaining completeness 1. By the union bound, this means that conditioned on both (repeated) protocols passing, the probability for one of the values of the traces to not be within ± · n of its actual value is at most < . This proves Theorem 1.1.

Theorem 1.2 P ∈ IP[BPP, PP]. Furthermore, the IP[BPP, PP] protocol above has completeness 1.
Proof Sketch:
We first note that the protocol of Theorem 1.1 can be repeated so that the error (soundness) is exponentially reduced. Now, for any language in P = P PP = P PostBQP we construct a protocol where each query to the PostBQP oracle is simulated by using the repeated protocol of Theorem 1.1. The repeated Theorem 1.1 protocol is used both for the original query and for its complement. The original query is used for verifying that the answer is 1 (if that is the case), and if it is not the case - the complement query is used to verify that the answer is 0. The combination gives the correct (oracular) answer with probability exponentially close to 1 (in the number of repetitions), so by using the union bound - we get that with high probability all the oracle call simulations give the correct results. This in turn means that the verifier, which simulates the P PostBQP algorithm, will deduce the correct answer. The complete proof of Theorem 1.2 can be found in Appendix C.
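An added simulation (example code, not from the paper) of the idealized protocol W from the protocol overview, whose rounds are spelled out in the next section, run against an honest prover and against the error-spreading prover discussed in the introduction. It assumes that | n i h n | is the projector onto the all-zeros basis state, uses a constructed 4-qubit circuit of Hadamard and Toffoli gates, draws the U(2) angles from [0, 2π), and replaces infinite precision by a floating-point tolerance; all function names are hypothetical.

```python
import cmath, math, random

N = 4  # qubits in the constructed toy circuit (assumption of this example)

def matmul(a, b):
    cols = list(zip(*b))
    return [[sum(x * y for x, y in zip(r, c)) for c in cols] for r in a]

def dagger(a):
    return [[a[j][i].conjugate() for j in range(len(a))] for i in range(len(a))]

def trace(a):
    return sum(a[i][i] for i in range(len(a)))

def kron3(t):  # t[0] (x) t[1] (x) t[2] as one 8x8 matrix
    k = lambda a, b: [[x * y for x in ra for y in rb] for ra in a for rb in b]
    return k(k(t[0], t[1]), t[2])

def split(idx, qubits):
    """Return (bits of idx on `qubits` packed into a local index, idx with them cleared)."""
    loc = 0
    for q in qubits:
        bit = N - 1 - q
        loc = (loc << 1) | ((idx >> bit) & 1)
        idx &= ~(1 << bit)
    return loc, idx

def expand(g, qubits):
    """G = g (x) I: the n-qubit expansion of a 3-qubit operator g."""
    s = [split(a, qubits) for a in range(1 << N)]
    return [[g[la][lb] if ra == rb else 0 for lb, rb in s] for la, ra in s]

def reduce_to(A, qubits):
    """A|_g: trace out every qubit outside `qubits`."""
    s, M = [split(a, qubits) for a in range(1 << N)], [[0] * 8 for _ in range(8)]
    for a, (la, ra) in enumerate(s):
        for b, (lb, rb) in enumerate(s):
            if ra == rb:
                M[la][lb] += A[a][b]
    return M

def sample_u2(rng):
    """One draw from U(2); the [0, 2*pi) range and phase placement are assumptions."""
    th, p1, p2 = (rng.uniform(0, 2 * math.pi) for _ in range(3))
    c, s = math.cos(th), math.sin(th)
    return [[c * cmath.exp(1j * p1), s * cmath.exp(1j * p2)],
            [-s * cmath.exp(-1j * p2), c * cmath.exp(-1j * p1)]]

def honest_matrix(circuit, factors, i):
    """M_i = (U_i...U_1 |0^n><0^n| G_T...G_{i+1}) reduced to the qubits of g_{i+1}."""
    A = [[1 if a == b == 0 else 0 for b in range(1 << N)] for a in range(1 << N)]
    for t, (_, qubits) in zip(factors[:i], circuit[:i]):
        A = matmul(expand(kron3(t), qubits), A)      # U_1 first, then U_2, ...
    for g, qubits in reversed(circuit[i:]):
        A = matmul(A, expand(g, qubits))             # G_T first, down to G_{i+1}
    return reduce_to(A, circuit[i][1])

def leaf_trace(circuit, factors):
    """tr(U_T...U_1 |0^n><0^n|) as a product of n single-qubit entries (w_q)[0][0]."""
    w = [[[1, 0], [0, 1]] for _ in range(N)]
    for (_, qubits), t in zip(circuit, factors):
        for q, f in zip(qubits, t):
            w[q] = matmul(f, w[q])                   # later unitaries act from the left
    return math.prod(wq[0][0] for wq in w)

def make_prover(circuit, delta=0.0, keep_lying=True):
    """delta=0 is honest; else error delta_i*I/8, rescaled each round if keep_lying."""
    state = {"delta": delta}
    def prover(i, factors):
        if i > 0:
            scale = trace(matmul(dagger(circuit[i - 1][0]), kron3(factors[i - 1]))) / 8
            state["delta"] = state["delta"] * scale if keep_lying else 0.0
        M = honest_matrix(circuit, factors, i)
        for k in range(8):
            M[k][k] += state["delta"] / 8
        return M
    return prover

def run_protocol(circuit, claim, prover, rng, tol=1e-12):
    """Verifier of protocol W. Returns (accepted, round of rejection or None)."""
    T, factors = len(circuit), []
    prev = prover(0, factors)                        # M'_0
    if abs(trace(prev) - claim) > tol:
        return False, 0
    for i in range(1, T + 1):
        factors.append([sample_u2(rng) for _ in range(3)])   # u_i as three 2x2 factors
        expected = trace(matmul(matmul(prev, dagger(circuit[i - 1][0])), kron3(factors[-1])))
        prev = prover(i, factors) if i < T else None         # M'_i
        got = trace(prev) if i < T else leaf_trace(circuit, factors)
        if abs(got - expected) > tol:
            return False, i
    return True, None

# Constructed sample circuit: T = 4 gates, each acting on 3 of the 4 qubits.
H = [[2 ** -0.5, 2 ** -0.5], [2 ** -0.5, -(2 ** -0.5)]]
TOFFOLI = [[1 if (a ^ 1 if a >= 6 else a) == b else 0 for b in range(8)] for a in range(8)]
CIRCUIT = [(kron3((H, H, H)), (0, 1, 2)), (TOFFOLI, (1, 2, 3)),
           (kron3((H, H, H)), (0, 2, 3)), (TOFFOLI, (0, 1, 3))]
TRUE_TRACE = trace(honest_matrix(CIRCUIT, [], 0))    # tr(A) for the sample circuit
```

For this circuit the true trace is 0.5. A prover that lies only in round 0 is rejected at round 1, while one that keeps spreading its error passes every intermediate trace check and is rejected only at the leaf, where the verifier evaluates the tensor-product trace on its own.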
We will now present our first protocol, which verifies the trace of a top row matrix A for a quantum computationgiven by a sequence of local quantum gates g , · · · , g T .That is, our protocol verifies tr ( A ) = C for A = | n ih n | G T · G T − · · · G and value C . This first protocol,denoted W , assumes infinite precision, and works with completeness 1 and soundness 0.The protocol begins by the verifier asking the prover to send the three qubit matrix M , which is the matrix A = A reduced to the qubits of the first gate g . Of course, the prover may not send the correct matrix; Denoteby M ′ the actual matrix the prover sends. The verifier then performs his first consistency check: he checks thatthe trace M ′ is indeed C , as expected.Next, the verifier chooses a random unitary U acting on the three qubits of the gate, G , which will be usedsoon to “replace” the gate G in the matrix. Importantly, U is chosen to be a tensor product of random singlequbit matrices. U will be used to define a new target computation A , A is essentially defined to “peel off” G from A = A and replace it by the random U , in a cyclic manner: A = U · | n ih n | G T · G T − · · · G .Now, the prover is supposed to send M , which is A reduced to the three qubits of the next gate, G ; Thereduced matrices that the verifier has, M ′ and M ′ , don’t even act on the same set of qubits, but if correct, their traces can be related, which is the consistency check that the verifier performs. 
If they pass, the verifier and prover pass to "peeling off" the next gate: the verifier now picks a randomization matrix $U_2$ for the qubits of $G_2$, asks for another matrix $M_2$, and so on.

At the end of this process, because all $U_i$ are tensor product matrices, the verifier is left with a calculation composed strictly of tensor product operators, which he can compute by himself.

The soundness of the protocol relies on the fact that if $M'_i$ is different than $M_i$ the prover must be extremely lucky (in the choice of $U_i$) to be able to send $M'_{i+1} = M_{i+1}$ and still pass the consistency check. Thus he is caught in his lies, and must continue cheating also in the next round (and send $M'_{i+1} \neq M_{i+1}$). If he keeps doing this, he will get caught in the final round, which is a computation the verifier can perform.

Before moving to the full description of the protocol, we will define $U(2)$, the measure on single qubit unitaries from which unitaries in the protocol are drawn. Definition 4.1.
We define the following measure on unitary operators on a single qubit, denoted $U(2)$: choose angles $\theta, \phi_1, \phi_2$ uniformly at random from $[0, \pi]$, and define the resulting unitary as:

$$\begin{pmatrix} \cos\theta \cdot e^{i\phi_1} & \sin\theta \cdot e^{i\phi_2} \\ -\sin\theta \cdot e^{-i\phi_2} & \cos\theta \cdot e^{-i\phi_1} \end{pmatrix}$$

We note that this measure is reminiscent of the Haar measure on single qubit unitaries, except that according to the Haar measure the distribution of the angle $\theta$ is different [Ozo09]. We use this modified measure as it simplifies the calculations.

We now give a detailed description of the protocol $W$, where the verifier $V$ is given a quantum top row matrix $A_{2^n \times 2^n} = |0^n\rangle\langle 0^n| \cdot G_T \cdot G_{T-1} \cdots G_1$, and interacts with a prover $P$ (which we assume here in this first protocol to be unbounded) to verify $tr(A) = C$:

The protocol W:

1. In the 0'th round – $V$ asks for $M_0 = A|_{g_1}$, receives back a matrix $M'_0$, and verifies that $C = tr(M'_0)$ (rejects otherwise).
2. In the $i$'th round – $V$ chooses $u_i^1, u_i^2, u_i^3 \sim U(2)$, sets $u_i = u_i^1 \otimes u_i^2 \otimes u_i^3$ on the qubits on which $g_i$ operates, and asks for:
$$M_i = \left( U_i \cdot U_{i-1} \cdots U_1 \cdot |0^n\rangle\langle 0^n| \cdot G_T \cdots G_{i+1} \right)\big|_{g_{i+1}}$$
$V$ receives back a matrix $M'_i$, and verifies that $tr(M'_i) = tr\left( M'_{i-1} \cdot g_i^{-1} \cdot u_i \right)$.
3. In the $T$'th round – $V$ chooses $u_T$ as before, and accepts if $tr(U_T \cdot U_{T-1} \cdots U_1 \cdot |0^n\rangle\langle 0^n|) = tr\left( M_{T-1} \cdot g_T^{-1} \cdot u_T \right)$ (rejects otherwise).

Theorem 5.1.
Assuming $P$ and $V$ can represent, communicate, and perform calculations on values with infinite precision, the protocol $W$ has completeness 1 and soundness 0.

The main idea in our protocol is the fact that the $u_i$ unitaries are simple enough to allow $V$ to accurately compute $tr(U_T \cdot U_{T-1} \cdots U_1 \cdot |0^n\rangle\langle 0^n|)$. This is true as $|0^n\rangle\langle 0^n| = |0\rangle\langle 0| \otimes |0\rangle\langle 0| \otimes \cdots \otimes |0\rangle\langle 0|$, and so the matrix $U_T \cdot U_{T-1} \cdots U_1 |0^n\rangle\langle 0^n|$ is in fact a product of matrices, where each of these matrices is a tensor product of single qubit matrices. But still, the $u_i$ unitaries provide enough randomness for our consistency checking to be effective. That is, if $P$ did not provide us the $M_{i-1}$ matrix we asked for at round $i-1$, he will not pass the consistency checking $tr(M_i) = tr(M_{i-1} \cdot h_i)$ with the $M_i$ we asked for. The proof of completeness is given in subsection 5.1, and that of soundness in subsection 5.2.

To prove the protocol's completeness, we will first prove the following basic Lemma 2 (proven in appendix D):

Lemma 2. Let $U$ be an operator on a Hilbert space $H$, and $q$ an operator on a subsystem $Q$ of $H$:
$$U|_Q \cdot q = \left( U \cdot (q \otimes I_Q) \right)\big|_Q$$

Definition 5.1.
We define $P$'s Truthful Strategy to be:

1. In the 0'th round – $P$ sends back $A|_{g_1}$.
2. In the $i$'th round – $P$ receives $u_i$ from $V$, and sends back $\left( U_i \cdot U_{i-1} \cdots U_1 \cdot |0^n\rangle\langle 0^n| \cdot G_T \cdots G_{i+1} \right)\big|_{g_{i+1}}$.

Claim 3. If $tr(A) = C$, $P$ passes $W$ with probability 1.

Proof. We show that using its Truthful Strategy, $P$ passes each of $V$'s verification stages:

Claim 3.1. $V$'s verification passes the 0'th round.

Proof. This is obvious, as $C = tr(A) = tr(A|_{g_1})$.

Claim 3.2. $V$'s verification passes the $i \in [T-1]$'th round.

Proof. This is true, as using Lemma 2:

$$\begin{aligned}
tr\left( M_{i-1} \cdot g_i^{-1} \cdot u_i \right) &= tr\left( \left( U_{i-1} \cdot U_{i-2} \cdots U_1 \cdot |0^n\rangle\langle 0^n| \cdot G_T \cdots G_i \right)\big|_{g_i} \cdot g_i^{-1} \cdot u_i \right) \\
&= tr\left( U_{i-1} \cdot U_{i-2} \cdots U_1 \cdot |0^n\rangle\langle 0^n| \cdot G_T \cdots G_i \cdot G_i^{-1} \cdot U_i \right) \\
&= tr\left( U_{i-1} \cdot U_{i-2} \cdots U_1 \cdot |0^n\rangle\langle 0^n| \cdot G_T \cdots G_{i+1} \cdot U_i \right) \\
&= tr\left( U_i \cdot U_{i-1} \cdot U_{i-2} \cdots U_1 \cdot |0^n\rangle\langle 0^n| \cdot G_T \cdots G_{i+1} \right) \\
&= tr(M_i) \qquad (1)
\end{aligned}$$

Claim 3.3. $V$'s verification passes the $T$'th round.

Proof.
$$tr\left( M_{T-1} \cdot g_T^{-1} \cdot u_T \right) = tr\left( \left( U_{T-1} \cdot U_{T-2} \cdots U_1 \cdot |0^n\rangle\langle 0^n| \cdot G_T \right)\big|_{g_T} \cdot g_T^{-1} \cdot u_T \right) = tr\left( U_T \cdot U_{T-1} \cdots U_1 \cdot |0^n\rangle\langle 0^n| \right)$$

And so the proof for Claim 3 is established.

Claim 4. If $tr(A) \neq C$, $P$ passes $W$ with probability 0.

Proof. First, let us define for each round $i$ the three qubit matrix $\Delta_i$, which is the error matrix for that round. $\Delta_i$ is the difference between the correct matrix $M_i$ and the matrix $M'_i$ that the prover actually sent: $\Delta_i = M_i - M'_i$. Using this notation, and assuming $P$ passes the 0'th round, the assumption $tr(A) \neq C$ translates into:

$$tr(\Delta_0) = tr(M_0 - M'_0) = tr(M_0) - tr(M'_0) = tr(A) - C \neq 0 \qquad (2)$$

So $\Delta_0 \neq 0$. In order for $P$ to pass the tests in $W$, $P$ must pass all of the rounds $\{0, \cdots, T-1\}$, and either:

1. pass round $i$ (for some $0 < i < T$) with $\Delta_{i-1} \neq 0$ and $\Delta_i = 0$; or:
2. pass the $T$'th round with $\Delta_{T-1} \neq 0$.

Consider the first case: for some $0 < i < T$ we have $\Delta_{i-1} \neq 0$ while $\Delta_i = 0$. We claim that the probability (over the choice of $u_i$) for $P$ to pass the consistency test $tr(M'_{i-1} \cdot g_i^{-1} \cdot u_i) = tr(M'_i)$ is 0.
This is because by the linearity of the trace, and using the fact that $tr(M_{i-1} \cdot g_i^{-1} \cdot u_i) = tr(M_i)$ (as we have seen in the completeness analysis), this entails:

$$tr(\Delta_{i-1} \cdot g_i^{-1} \cdot u_i) = tr(\Delta_i) = 0 \qquad (3)$$

As $g_i^{-1}$ is unitary, we have $\Delta_{i-1} \neq 0 \Rightarrow \Delta' = \Delta_{i-1} \cdot g_i^{-1} \neq 0$, so we can use Lemma 1 with the non-zero matrix $\Delta'$ to show that the probability for this over the choice of $u_i$ is 0.

Hence, we can deduce that if $P$ passed the tests at all rounds up to round $T$, it must be that $\Delta_{T-1}$ is nonzero. We now remember that $tr\left( M_{T-1} \cdot g_T^{-1} \cdot u_T \right) = tr(U_T \cdot U_{T-1} \cdots U_1 \cdot |0^n\rangle\langle 0^n|)$, and the prover needs to pass the test $tr\left( M'_{T-1} \cdot g_T^{-1} \cdot u_T \right) = tr(U_T \cdot U_{T-1} \cdots U_1 \cdot |0^n\rangle\langle 0^n|)$. For this we must have $tr\left( \Delta_{T-1} \cdot g_T^{-1} \cdot u_T \right) = 0$. Given that $\Delta_{T-1} \cdot g_T^{-1}$ is a non zero matrix, we have again that the probability for $u_T$ to satisfy this is zero, using Lemma 1. This means that if P passes the first T − W , we thus conclude the proof of Theorem 5.1.

The previous discussion of the protocol $W$ made the implicit assumption that all values can be computed and communicated over a classical channel with infinite accuracy. But of course, this assumption is false. The prover and verifier cannot communicate real numbers with infinite precision, and the verifier cannot truly sample a unitary from the modified Haar measure with infinite precision. Indeed, the protocol $W$ was introduced for didactic purposes; we now show how it can be slightly adjusted such that it uses only polynomially many bits of classical communication, and can be carried out efficiently. We denote the adjusted protocol $\widehat{W}$.

The modifications in the protocol are of several types, and we will use several accuracy parameters to describe them. First, since everything is going to work up to some accuracy, the consistency checking can no longer be done using equality tests.
Instead, each test for equality in $W$'s verification is checked up to a small accuracy parameter µ = K χ T where K = · n and χ = 60 T (where $T$ is the number of gates). Another change is that the $u_i^j$ unitaries cannot be chosen from the measure $U(2)$, as this requires infinite precision. Instead, we introduce another accuracy parameter ξ = µ n +11 T = Θ( nc ), and the parameters defining the unitary matrix entries are defined up to this $\xi$: Definition 6.1.
We define choosing a unitary operator on a single qubit according to the truncated measure as choosing angles $\theta, \phi_1, \phi_2$ with precision $\xi$ uniformly at random from $[0, \pi]$ (by this, we mean that $\theta, \phi_1, \phi_2$ are chosen uniformly at random from $\{ i \cdot \xi \mid i \in \mathbb{N},\ i \cdot \xi < \pi \}$). These angles are the representation for the unitary

$$\begin{pmatrix} \cos\theta \cdot e^{i\phi_1} & \sin\theta \cdot e^{i\phi_2} \\ -\sin\theta \cdot e^{-i\phi_2} & \cos\theta \cdot e^{-i\phi_1} \end{pmatrix}$$

We denote generating an operator $u$ on a single qubit according to this altered measure by: $u \sim \widehat{U}(2)$.

One final issue we have to address is the fact that given a unitary $u$ on a single qubit, we cannot assume $V$ nor $P$ can perform $u$ accurately. We introduce the following approximation notion: Definition 6.2.
Given a unitary operator u = (cid:18) cos θ · e iϕ sin θ · e iϕ − sin θ · e − iϕ cos θ · e − iϕ (cid:19) on a single qubit, we define the truncated unitary b u to be a version of u where each each of the entries iscalculated up to an accuracy of ξ : b u = (cid:18) ⌊ cos θ · e iϕ ⌋ ξ ⌊ sin θ · e iϕ ⌋ ξ ⌊− sin θ · e − iϕ ⌋ ξ ⌊ cos θ · e − iϕ ⌋ ξ (cid:19) ow, using the notation A i = U i · U i − · · · U · | n ih n | · G T · · · G i +1 we present the full protocol c W , in which aBPP verifier V is given a sequence of local quantum gates g T , . . . , g , receives a value C from the prover P , and forthe top row matrix A n × n = | n ih n | · G T · G T − · · · G verifies whether tr ( A ) = C or | tr ( A ) − C | ≥ · n = K by interacting with P . By Claim 2, such a protocol is sufficient to derive an IP for P . The protocol c W : In the 0’th round – V asks for M = A | g , receives a matrix M ′ from P , and verifies that | C − tr ( M ′ ) | ≤ µ (rejects otherwise).2. In the i ’th round – V chooses u i , u i , u i ∽ b U (2), sets u i = u i ⊗ u i ⊗ u i on the qubits on which g i operates,asks for M i = A i | g i +1 , receives a matrix M ′ i , and verifies that (cid:12)(cid:12)(cid:12) tr ( M ′ i ) − tr ( M ′ i − · d g − i · b u i (cid:12)(cid:12)(cid:12) ≤ µ (rejectsotherwise, or if M ′ i has an entry greater than 2 n . This should never be the case as each entry is thesum of less that 2 n values which are at most 1 each)3. In the T’th round – V chooses u T as before, and accepts if: (cid:12)(cid:12)(cid:12) tr ( b U T · b U T − · · · b U · | n ih n | ) − tr ( M ′ T − · d g − T · b u T ) (cid:12)(cid:12)(cid:12) ≤ µ . (rejects otherwise). Claim 5 (Completeness for the bounded case) . if | tr ( A ) − C | ≤ ξ = µ n +11 T , a PostBQP prover P can pass c W with probability 1, using P oly ( n ) bits of communication. We give here the skeleton of the proof, the proofs of the technical lemmas can be found in Appendix E.
Proof.
We first note that for completeness in the bounded precision case, we must require P to have the powerof a PostBQP machine. This means that when P is asked to perform any given unitary u on a single qubit(or tensor product of such, of course), it computes an approximation ˜ u using its universal set of Hadamard andToffoli gates s.t: k ˜ u − u k L ≤ ξ , and operates with ˜ u instead of u . P can do this in P oly ( n ) time as long as ξ = O (2 n c ) for some constant c (By the Solovay-Kitaev Theorem [NC02]).We use the convenient notation A ′ i = ˜ U i · ˜ U i − · · · ˜ U ·| n ih n |· G T · · · G i +1 , and note that a PostBQP machine P can be used to compute A ′ i | s (for any set s of qubits of constant size). This is true because the value of eachentry in A ′ i | s is the difference between the number of paths which have a positive and negative contribution toit, times √ t (where t is the number of Hadamard gates), and as such can be computed by 2 f ∈ L = { ( x, k ) | f ( x ) ≥ k } is inPP [FG02] .We can now define P ’s Truthful Strategy under c W . Definition 6.3. P ’s Truthful Strategy under c W :1. In the 0’th round – P sends back M ′ = A | g .2. In the i ’th round – P receives u i (represented by its parameters) from V , and sends back M ′ i = A ′ i | g i +1 .(Since the prover in this protocol always needs to send an integer multiple of √ k , we assume he just sendsthis integer along with k )Having defined P ’s Truthful Strategy under c W , we show that if T r ( A ) = C , P passes c W with probability1 by using its Truthful Strategy . To do this we set n ′ = 3 the number of qubits on which each of the gates g i operates, and use the following claims ∀ ≤ i ≤ T : Claim 5.1. | tr ( A ′ i ) − tr ( A i ) | ≤ n T · ξ By taking f for each entry in A ′ i | s to be the number of paths which contribute to that entry (once with a positive and once witha negative value), a PostBQP machine can indeed be used to compute A ′ i | s laim 5.2. 
(cid:12)(cid:12) tr (cid:0) M i − · g − i · u i ) (cid:1) − tr (cid:0) M ′ i − · g − i · u i ) (cid:1)(cid:12)(cid:12) ≤ n ′ · n T · ξ Claim 5.3. (cid:12)(cid:12)(cid:12) tr (cid:0) M ′ i − · g − i · u i (cid:1) − tr (cid:16) M ′ i − · d g − i · b u i (cid:17)(cid:12)(cid:12)(cid:12) ≤ · n ′ · n · ξ Claim 5.4. (cid:12)(cid:12)(cid:12) tr ( b U T · b U T − · · · b U · | n ih n | ) − tr ( U T · U T − · · · U · | n ih n | ) (cid:12)(cid:12)(cid:12) ≤ n T · ξ The Claims 5.1, 5.2, 5.3, 5.4 are proven in Appendix E.Now we are ready to wrap up. By using ξ = µ n +11 T < µ · n +3 n ′ ( T +2) , and remembering that tr ( M i ) = tr ( A i ), tr ( M ′ i ) = tr ( A ′ i ), tr ( M i ) = tr ( M i − · h i ), tr ( U T · U T − · · · U · | n ih n | ) = tr ( M T − · h T ) we get:1. P passes the 0’th round, as | C − tr ( M ′ ) | = 0 < µ .2. P passes the i’th round for ≤ i < T , as: (cid:12)(cid:12)(cid:12) tr ( M ′ i ) − tr ( M ′ i − · d g − i · b u i ) (cid:12)(cid:12)(cid:12) ≤ | tr ( M ′ i ) − tr ( M i ) | + (cid:12)(cid:12) tr ( M i − · g − i · u i ) − tr ( M ′ i − · g − i · u i (cid:12)(cid:12) + (cid:12)(cid:12)(cid:12) tr ( M ′ i − · g − i · u i ) − tr ( M ′ i − · [ g i − · b u i ) (cid:12)(cid:12)(cid:12) ≤ n T · ξ + 2 n ′ · n T · ξ + 2 · n ′ · n · ξ ≤ · n +3 n ′ ( T + 1) · ξ ≤ · n ( T + 1) ≤ µ and of course, each entry of M ′ i is at most the sum of 2 n entries of A i , and each entry of A i is at most 1in absolute value, so all entries of M ′ i are at most 2 n .3. 
P passes the T’th round, as: (cid:12)(cid:12)(cid:12) tr ( b U T · b U T − · · · b U · | n ih n | ) − tr ( M ′ T − · d g − T · b u T ) (cid:12)(cid:12)(cid:12) ≤ (cid:12)(cid:12)(cid:12) tr ( b U T · b U T − · · · b U · | n ih n | ) − tr ( U T · U T − · · · U · | n ih n | (cid:12)(cid:12)(cid:12) + (cid:12)(cid:12) tr ( M T − · g − T · u T ) − tr ( M ′ T − · g − T · u T (cid:12)(cid:12) + (cid:12)(cid:12)(cid:12) tr ( M ′ T − · g − T · u T ) − tr ( M ′ T − · d g − T · b u T (cid:12)(cid:12)(cid:12) ≤ n T · ξ + 2 n ′ · n T · ξ + 2 · n ′ · n · ξ ≤ · n +3 n ′ ( T + 1) · ξ ≤ · n ( T + 1) · ξ ≤ µ And the communication complexity follows trivially by the fact that there is a total of poly ( n ) rounds, inwhich a total of poly ( n ) values (degrees and matrix entries) are being communicated, and for each value it takes poly ( n ) classical bits to express it’s accuracy ξ . Claim 6 (Soundness for the bounded case) . if | tr ( A ) − C | ≥ K = · n , P passes c W with probability ≤ . Using the same notion for ∆ i as in 5.2, we will show that given | tr ( A ) − C | ≥ K = · n , and conditionedon P passing the first T − tr (∆ T − ) to be small enough for P tobe likely to also pass the final T ’th round.To do this, we introduce an approximate version of Lemma 1, which we use in a similar fashion to the waywe used Lemma 1 in proving the soundness for W . Lemma 3.
Let ∆ be an operator on n ′ qubits, and let u = u ⊗ · · · ⊗ u n ′ : ∀ K ≥ , m ≥ k ∆ k F rob ≥ K ⇒ P r u , ··· ,u n ′ ∽ U (2) | tr (∆ · u ) | < K (16 m ) n ′ ! ≤ n ′ m The proof of Lemma 3 can be found in Appendix D. This Lemma 3 will be used shortly with n ′ = 3 and m = 60 T to bound the probability that tr (∆ · u ) for a randomly chosen unitary u is too small. However, beforedoing this, we have to take care of another issue which arises due to precision matters. In c W the unitaries re not chosen according to U (2), the distribution assumed in Lemma 3, but instead they are chosen fromthe distribution b U (2). Therefore, we also state Claim 6.1 which enables to quantify the similarity of thesetwo distributions and is proven in Appendix F. To present Claim 6.1, we define the two following probabilitydistributions: Definition 6.4.
We define the distribution of unitaries on n ′ qubits, D ( n ′ ), to be the one which is used inprotocol W . Namely, choosing a unitary operator u ∽ D ( n ′ ) means choosing n ′ unitaries on a single qubit u , u , · · · , u n ′ ∽ U (2), and setting u = u ⊗ u ⊗ · · · ⊗ u n ′ . Definition 6.5.
We define the distribution of unitaries on n ′ qubits, b D ( n ′ ), to be the one which is used inprotocol c W . Namely, choosing a unitary operator u ∽ D ( n ′ ) means choosing n ′ unitaries on a single qubit u , u , · · · , u n ′ ∽ b U (2), and setting u = u ⊗ u ⊗ · · · ⊗ u n ′ . Claim 6.1. let ∆ an operator on n qubits: P r u ∽ b D ( n ′ ) (cid:16) | tr (∆ · u ) | < δ − n ′ n ′ · · ξ · k ∆ k F rob (cid:17) ≤ P r u ∽ D ( n ′ ) (cid:16) | tr (∆ · u ) | < δ (cid:17) + 3 n ′ ξ π We can now state the main lemma which will be used to prove Claim 6: this is Claim 6.2, which shows thatthere is only a small probability for ∆ T − to be small. Claim 6.2.
Let χ = 60 T , and let χ T · µ ≤ K . Suppose | tr ( A ) − C | ≥ K . Then, conditioned on P passingthe first i < T rounds in c W : P r u ,u , ··· ,u i ∽ b D ( n ′ ) (cid:16) | tr (∆ i ) | < K χ i (cid:17) ≤ i · (cid:18) T + 3 n ′ ξ π (cid:19) The proof uses both Lemma 3 and the fact that the two distributions are similar, and can be found inSubsection 6.3. Now we can prove Claim 6.
Proof.
Of Claim 6 . To pass c W , P must pass all rounds i < T , and then pass the T ’th round. By Claim 6.2,passing all rounds i < T implies: P r u ,u , ··· ,u T − ∽ b D ( n ′ ) (cid:16) | tr (∆ T − ) | < K χ T − (cid:17) ≤ ( T − · (cid:18) T + 3 n ′ ξ π (cid:19) So, denoting the probability that P passes c W by P r (cid:16)
Success (cid:17) , we have:
P r (cid:16)
Success (cid:17) ≤ P r u ,u , ··· ,u T − ∽ b D ( n ′ ) (cid:16) | tr (∆ T − ) | < K χ T − (cid:17) + P r u T ∽ b D ( n ′ ) | tr (∆ T − ) |≥ K χT − (cid:18) (cid:12)(cid:12)(cid:12) tr (cid:16) b U T · b U T − · · · b U · | n ih n | (cid:17) − tr (cid:16) M ′ T − · d g − T · b u T (cid:17)(cid:12)(cid:12)(cid:12) ≤ µ (cid:19) To evaluate the second term, we review the proof of Claim 3.3 to note: (cid:12)(cid:12) tr (cid:0) ∆ T − · g − T · u T (cid:1)(cid:12)(cid:12) = (cid:12)(cid:12) tr (cid:0)(cid:0) M T − − M ′ T − (cid:1) · g − T · u T (cid:1)(cid:12)(cid:12) = (cid:12)(cid:12)(cid:12) tr (cid:16) U T · U T − · · · U · | n ih n | − b U T · b U T − · · · b U · | n ih n | (cid:17) + tr (cid:16) b U T · b U T − · · · b U · | n ih n | (cid:17) − tr (cid:16) M ′ T − · d g − T · b u T (cid:17) + tr (cid:16) M ′ T − · d g − T · b u T − M ′ T − · g − T · u T (cid:17) (cid:12)(cid:12)(cid:12) ≤ n T · ξ + 2 · n ′ · n · ξ + (cid:12)(cid:12)(cid:12) tr (cid:16) b U T · b U T − · · · b U · | n ih n | (cid:17) − tr (cid:16) M ′ T − · d g − T · b u T (cid:17)(cid:12)(cid:12)(cid:12) Where we used a triangle inequality and Claims 5.4 and 5.3 for the inequality (noting the only assumptionmade on M i − for Claim 5.3 was its entries being smaller than 2 n so as to pass i ’th round test) We can now ound P r (cid:16)
Success (cid:17) by:
P r (cid:16)
Success (cid:17) ≤ ( T − · (cid:18) T + 3 n ′ ξ π (cid:19) + P r u T ∽ b D ( n ′ ) | tr (∆ T − ) |≥ K χT − (cid:18) (cid:12)(cid:12) tr (cid:0) ∆ T − · g − T · u T (cid:1)(cid:12)(cid:12) ≤ n T · ξ + 2 · n ′ · n · ξ + µ (cid:19) It holds that Kχ T > n T · ξ + 2 · n ′ · n · ξ + µ + 2 n ′ n ′ · · ξ · n ′ · n , and so: P r u T ∽ b D ( n ′ ) | tr (∆ T − ) |≥ K χT − (cid:18) (cid:12)(cid:12) tr (cid:0) ∆ T − · g − T · u T (cid:1)(cid:12)(cid:12) ≤ n T · ξ + 2 · n ′ · n · ξ + µ (cid:19) ≤ P r u T ∽ b D ( n ′ ) | tr (∆ T − ) |≥ K χT − (cid:18) (cid:12)(cid:12) tr (cid:0) ∆ T − · g − T · u T (cid:1)(cid:12)(cid:12) ≤ Kχ T − n ′ n ′ · · ξ · n ′ · n (cid:19) ≤ P r u T ∽ D ( n ′ ) | tr (∆ T − ) |≥ K χT − (cid:16) (cid:12)(cid:12) tr (cid:0) ∆ T − · g − T · u T (cid:1)(cid:12)(cid:12) < Kχ T (cid:17) + 3 n ′ ξ π ≤ T + 3 n ′ ξ π Where the second inequality is by Claim 6.1, and the last inequality is by using Inequality (7) (in the proofof Claim 6.2) for i = T − P r (cid:16)
Success (cid:17) ≤ T · (cid:16) T + 3 n ′ ξ π (cid:17) < as required. Claim 6.2
Let χ = 60 T , and let 4 χ T · µ ≤ K . Suppose | tr ( A ) − C | ≥ K . Then, conditioned on P passingthe first i < T rounds in c W : P r u ,u , ··· ,u i ∽ b D ( n ′ ) (cid:16) | tr (∆ i ) | < K χ i (cid:17) ≤ i · (cid:18) T + 3 n ′ ξ π (cid:19) Proof.
By finite induction on 0 ≤ i ≤ T − • Induction base:
For i = 0, the condition on passing the 0’th round gives us | C − tr ( M ′ ) | ≤ µ and so wehave: K ≤ | tr ( A ) − C | = | C − tr ( M ) | ≤ | C − tr ( M ′ ) | + | tr ( M ′ ) − tr ( M ) | ≤ µ + | tr (∆ ) |⇒ | tr (∆ ) | ≥ K − µ ≥ K P r (cid:16) | tr (∆ ) | < K (cid:17) = 0 as required. • Induction step:
Assuming correctness for 1 ≤ i < T −
2, we prove for i + 1. We use the total probabilityequation to bound the required probability by the probability of 3 separate events: P r u ,u , ··· ,u i +1 ∽ b D ( n ′ ) (cid:16) | tr (∆ i +1 ) | < K χ i +1 (cid:17) ≤ P r u ,u , ··· ,u i +1 ∽ b D ( n ′ ) (cid:16) | tr (∆ i ) | < K χ i (cid:17)| {z } P + P r u ,u , ··· ,u i +1 ∽ b D ( n ′ ) | tr (∆ i ) |≥ K χi (cid:16) (cid:12)(cid:12) tr (cid:0) ∆ i · g − i +1 · u i +1 (cid:1)(cid:12)(cid:12) < K χ i +1 (cid:17)| {z } P + P r u ,u , ··· ,u i +1 ∽ b D ( n ′ ) | tr (∆ i ) |≥ K χi | tr ( ∆ i · g − i +1 · u i +1 ) | ≥ K χi +1 (cid:16) | tr (∆ i +1 ) | < K χ i +1 (cid:17)| {z } P e upper bound each of the addends P , P , P : – P : By the condition on passing all the first i rounds, along with the induction assumption, we have P ≤ i · (cid:16) T + 3 n ′ ξ π (cid:17) – P : We note: | tr (∆ i ) | ≥ K χ i ⇒ k ∆ i k F rob ≥ K χ i ⇒ (cid:13)(cid:13) ∆ i · g − i +1 (cid:13)(cid:13) F rob ≥ K χ i Using the fact that the Frobenius norm upper bounds the trace of a matrix for the first derivation,and the fact that operating on a matrix by a unitary on either of its sides does not affect it’s Frobeniusnorm. We can now use Lemma 3 on ˜∆ i = ∆ i · g − i +1 (with n ′ = 3, m = 60 T ) to achieve: (cid:13)(cid:13)(cid:13) ˜∆ i (cid:13)(cid:13)(cid:13) F rob ≥ K χ i ⇒ · T ≥ P r u i +1 ∽ D ( n ′ ) (cid:12)(cid:12)(cid:12) tr (cid:16) ˜∆ i · u i +1 (cid:17)(cid:12)(cid:12)(cid:12) < Kχ i · (cid:16)
16 (60 T ) (cid:17) ≥ P r u i +1 ∽ D ( n ′ ) (cid:12)(cid:12)(cid:12) tr (cid:16) ˜∆ i · u i +1 (cid:17)(cid:12)(cid:12)(cid:12) < Kχ i · (cid:16)
60 (60 T ) (cid:17) = P r u i +1 ∽ D ( n ′ ) (cid:18)(cid:12)(cid:12)(cid:12) tr (cid:16) ˜∆ i · u i +1 (cid:17)(cid:12)(cid:12)(cid:12) < Kχ i +1 (cid:19) And so: | tr (∆ i ) | ≥ K χ i ⇒ P r u i +1 ∽ D ( n ′ ) (cid:18)(cid:12)(cid:12)(cid:12) tr (cid:16) ˜∆ i · u i +1 (cid:17)(cid:12)(cid:12)(cid:12) < Kχ i +1 (cid:19) ≤ T (4)By the fact that ∆ i has 2 n ′ entries, all of which at most 2 n , we have k ˜∆ i k F rob = k ∆ i k F rob ≤ n ′ · n and so: 2 n ′ n ′ · · ξ · k ˜∆ i k F rob + K χ i +1 ≤ n ′ n ′ · · ξ · n ′ · n + K χ i +1 ≤ Kχ i +1 (5)Using Claim 6.1, we have: P ≤ P r u i +1 ∽ D ( n ′ ) | tr (∆ i ) |≥ K χi (cid:16) (cid:12)(cid:12) tr (cid:0) ∆ i · g − i +1 · u i +1 (cid:1)(cid:12)(cid:12) < K χ i +1 + 2 n ′ n ′ · · ξ · k ∆ i · g − i +1 k F rob (cid:17) + 3 n ′ ξ π (6)And we can now evaluate: P ≤ P r u i +1 ∽ D ( n ′ ) | tr (∆ i ) |≥ K χi (cid:16) (cid:12)(cid:12) tr (cid:0) ∆ i · g − i +1 · u i +1 (cid:1)(cid:12)(cid:12) < Kχ i +1 (cid:17) + 3 n ′ ξ π ≤ T + 3 n ′ ξ π (7)Where the first inequality follows from Inequalities (6) and (5), and the second inequality from In-equality (4). 
– P : Using the condition | tr (∆ i · h i +1 ) | ≥ K χ i +1 we have: K χ i +1 ≤ | tr (∆ i · h i +1 ) | = | tr ( M i · h i +1 ) − tr ( M ′ i · h i +1 ) | = | tr ( M i +1 ) − tr ( M ′ i · h i +1 ) | = (cid:12)(cid:12) tr ( M i +1 ) − tr (cid:0) M ′ i +1 (cid:1) + tr (cid:0) M ′ i +1 (cid:1) − tr ( M ′ i · h i +1 ) (cid:12)(cid:12) = (cid:12)(cid:12)(cid:12) tr (∆ i +1 ) + tr (cid:0) M ′ i +1 (cid:1) − tr (cid:16) M ′ i · b h i +1 (cid:17) + tr (cid:16) M ′ i · b h i +1 (cid:17) − tr ( M ′ i · h i +1 ) (cid:12)(cid:12)(cid:12) ≤ | tr (∆ i +1 ) | + µ + 2 · n ′ · n · ξ ⇒ | tr (∆ i +1 ) | ≥ K χ i +1 − µ − · n ′ · n · ξ ≥ K χ i +1 ⇒ P = 0 (8) here we used a triangle inequality along with the condition on passing the ( i + 1)’th round and Claim5.3 to achieve the inequality.Summing the 3 addends, we get: P + P + P ≤ T + 3 n ′ ξ π + i · (cid:18) T + 3 n ′ ξ π (cid:19) = ( i + 1) · (cid:18) T + 3 n ′ ξ π (cid:19) As required, thus concluding the proof for the induction step and hence of Claim 6.2 as well.
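The infinite-precision protocol W of Theorem 5.1 can be run numerically on a small circuit. The Python sketch below is an added illustration, not code from the paper: it plays the Truthful Strategy and a prover that claims a wrong C and keeps patching its replies, and has the verifier evaluate the final trace from per-qubit 2×2 products only. The 4-qubit, 3-gate circuit, the helper names, the cheating strategy and the floating-point tolerance `tol` (standing in for the exact equality tests) are assumptions of this example.

```python
import cmath, math, random

TOFFOLI = [[int((r == c and r < 6) or {r, c} == {6, 7}) for c in range(8)] for r in range(8)]

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]

def dagger(a):
    return [[a[r][c].conjugate() for r in range(len(a))] for c in range(len(a))]

def trace(a):
    return sum(a[i][i] for i in range(len(a)))

def kron3(us):
    k = lambda a, b: [[x * y for x in ra for y in rb] for ra in a for rb in b]
    return k(k(us[0], us[1]), us[2])

def split(idx, qubits, n):
    """Basis index -> (bits on `qubits`, bits elsewhere); qubit 0 is the top bit."""
    inside = sum(((idx >> (n - 1 - q)) & 1) << (len(qubits) - 1 - j) for j, q in enumerate(qubits))
    return inside, idx & ~sum(1 << (n - 1 - q) for q in qubits)

def embed(g, qubits, n):
    """Lift a gate on `qubits` to the full space (identity on the other qubits)."""
    idx = [split(r, qubits, n) for r in range(1 << n)]
    return [[g[a][b] if ra == rb else 0j for b, rb in idx] for a, ra in idx]

def reduce_to(A, qubits, n):
    """A|_qubits: the reduced matrix, tracing out every qubit not in `qubits`."""
    idx = [split(r, qubits, n) for r in range(1 << n)]
    k = 1 << len(qubits)
    M = [[0j] * k for _ in range(k)]
    for (a, ra), row in zip(idx, A):
        for (b, rb), v in zip(idx, row):
            if ra == rb:
                M[a][b] += v
    return M

def sample_u2(rng):
    """Definition 4.1, with the angle interval [0, pi] as it is printed on the page."""
    t, p1, p2 = (rng.uniform(0, math.pi) for _ in range(3))
    return [[math.cos(t) * cmath.exp(1j * p1), math.sin(t) * cmath.exp(1j * p2)],
            [-math.sin(t) * cmath.exp(-1j * p2), math.cos(t) * cmath.exp(-1j * p1)]]

class Prover:
    """Truthful Strategy when lie == 0; otherwise claims C = tr(A) + lie and keeps lying."""
    def __init__(self, gates, n, lie=0.0):
        self.gates, self.n, self.lie = gates, n, lie
        self.A = [[int(r == c == 0) for c in range(1 << n)] for r in range(1 << n)]
        for g, qubits in reversed(gates):          # A_0 = |0^n><0^n| G_T ... G_1
            self.A = matmul(self.A, embed(g, qubits, n))
        self.C = trace(self.A) + lie

    def round0(self):
        self.sent = reduce_to(self.A, self.gates[0][1], self.n)
        self.sent[0][0] += self.lie                # makes tr(M'_0) equal the claimed C
        return self.sent

    def round_i(self, i, us):
        (g, qubits), u = self.gates[i - 1], kron3(us)
        # Peel off G_i and wrap U_i around cyclically: A_i = U_i A_{i-1} G_i^{-1}
        self.A = matmul(matmul(embed(u, qubits, self.n), self.A), embed(dagger(g), qubits, self.n))
        M = reduce_to(self.A, self.gates[i][1], self.n)
        if self.lie:  # patch the trace so that this round's consistency check passes
            M[0][0] += trace(matmul(matmul(self.sent, dagger(g)), u)) - trace(M)
        self.sent = M
        return M

def run_W(gates, n, prover, rng, tol=1e-9):
    """Verifier of protocol W. Returns (accepted, index of the rejecting round or None)."""
    T, M_prev = len(gates), prover.round0()
    if abs(trace(M_prev) - prover.C) > tol:
        return False, 0
    acc = [[[1, 0], [0, 1]] for _ in range(n)]     # per-qubit product of the u_i^j so far
    for i in range(1, T + 1):
        g, qubits = gates[i - 1]
        us = [sample_u2(rng) for _ in range(3)]
        for q, u1 in zip(qubits, us):
            acc[q] = matmul(u1, acc[q])
        expected = trace(matmul(matmul(M_prev, dagger(g)), kron3(us)))
        if i < T:
            M_prev = prover.round_i(i, us)
            got = trace(M_prev)
        else:  # tr(U_T ... U_1 |0^n><0^n|) is a product of one 2x2 entry per qubit
            got = math.prod(a[0][0] for a in acc)
        if abs(got - expected) > tol:
            return False, i
    return True, None

def demo(seed=7, n=4):
    """Constructed circuit: three gates (random product unitary times Toffoli) on 4 qubits."""
    rng = random.Random(seed)
    layout = [(0, 1, 2), (1, 2, 3), (0, 2, 3)]
    gates = [(matmul(kron3([sample_u2(rng) for _ in range(3)]), TOFFOLI), q) for q in layout]
    honest = run_W(gates, n, Prover(gates, n), rng)
    cheat = run_W(gates, n, Prover(gates, n, lie=0.5), rng)
    return honest, cheat
```

The lying prover survives every intermediate round because it sees $u_i$ before replying; it is rejected only in round $T$, where the verifier computes the trace without any prover input.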
Both authors acknowledge the generous support of ERC grant number 280157. We also thank Or Sattath and Thomas Vidick for helpful discussions.
References

[AALV09] Dorit Aharonov, Itai Arad, Zeph Landau, and Umesh Vazirani. The detectability lemma and quantum gap amplification. In Proceedings of the forty-first annual ACM symposium on Theory of computing, pages 417–426. ACM, 2009.
[Aar05] Scott Aaronson. Quantum computing, postselection, and probabilistic polynomial-time. In Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences, volume 461, pages 3473–3482. The Royal Society, 2005.
[Aar14] Scott Aaronson. Postbqp postscripts: A confession of mathematical errors, 2014.
[AAV13] Dorit Aharonov, Itai Arad, and Thomas Vidick. Guest column: the quantum pcp conjecture. ACM SIGACT News, 44(2):47–79, 2013.
[ABOE10] D Aharonov, M Ben-Or, and E Eban. Interactive proofs for quantum computations. Proceedings of Innovations in Computer Science (ITCS2010), arXiv preprint (2008) arXiv:0810.5375.
[ABOEM17] Dorit Aharonov, Michael Ben-Or, Elad Eban, and Urmila Mahadev. Interactive proofs for quantum computations. arXiv preprint arXiv:1704.04487, 2017.
[ALM+98] Sanjeev Arora, Carsten Lund, Rajeev Motwani, Madhu Sudan, and Mario Szegedy. Proof verification and the hardness of approximation problems. Journal of the ACM (JACM), 45(3):501–555, 1998.
[AS98] Sanjeev Arora and Shmuel Safra. Probabilistic checking of proofs: A new characterization of np. Journal of the ACM (JACM), 45(1):70–122, 1998.
[BFL91] László Babai, Lance Fortnow, and Carsten Lund. Non-deterministic exponential time has two-prover interactive protocols. Computational complexity, 1(1):3–40, 1991.
[BH13] Fernando GSL Brandao and Aram W Harrow. Product-state approximations to quantum ground states. In Proceedings of the forty-fifth annual ACM symposium on Theory of computing, pages 871–880. ACM, 2013.
[BV97] Ethan Bernstein and Umesh Vazirani. Quantum complexity theory. SIAM Journal on Computing, 26(5):1411–1473, 1997.
[EH15] Lior Eldar and Aram W Harrow. Local hamiltonians whose ground states are hard to approximate. arXiv preprint arXiv:1510.02082, 2015.
[FG02] Lance Fortnow and Bill Gasarch. Computational complexity, complexity class of the week: pp. http://blog.computationalcomplexity.org/2002/09/complexity-class-of-week-pp.html, 2002.
[FH13] Michael H Freedman and Matthew B Hastings. Quantum systems on non-k-hyperfinite complexes: A generalization of classical statistical mechanics on expander graphs. arXiv preprint arXiv:1301.1363, 2013.
[FK12] Joseph F Fitzsimons and Elham Kashefi. Unconditionally verifiable blind computation. arXiv preprint arXiv:1203.5217, 2012.
[FV15] Joseph Fitzsimons and Thomas Vidick. A multiprover interactive proof system for the local hamiltonian problem. In Proceedings of the 2015 Conference on Innovations in Theoretical Computer Science, pages 103–112. ACM, 2015.
[GKR08] Shafi Goldwasser, Yael Tauman Kalai, and Guy N Rothblum. Delegating computation: interactive proofs for muggles. In Proceedings of the fortieth annual ACM symposium on Theory of computing, pages 113–122. ACM, 2008.
[Ji16a] Zhengfeng Ji. Classical verification of quantum proofs. In Proceedings of the forty-eighth annual ACM symposium on Theory of Computing, pages 885–898. ACM, 2016.
[Ji16b] Zhengfeng Ji. Compression of quantum multi-prover interactive proofs. arXiv preprint arXiv:1610.03133, 2016.
[LFKN92] Carsten Lund, Lance Fortnow, Howard Karloff, and Noam Nisan. Algebraic methods for interactive proof systems. Journal of the ACM (JACM), 39(4):859–868, 1992.
[Mei09] Or Meir. Combinatorial pcps with efficient verifiers. In Foundations of Computer Science, 2009. FOCS'09. 50th Annual IEEE Symposium on, pages 463–471. IEEE, 2009.
[MF16] Tomoyuki Morimae and Joseph F Fitzsimons. Post hoc verification with a single prover. arXiv preprint arXiv:1603.06046, 2016.
[NC02] Michael A Nielsen and Isaac Chuang. Quantum computation and quantum information, 2002.
[NV16] Anand Natarajan and Thomas Vidick. Robust self-testing of many-qubit states. arXiv preprint arXiv:1610.03574, 2016.
[Ozo09] Maris Ozols. How to generate a random unitary matrix, 2009.
[RUV13] Ben W Reichardt, Falk Unger, and Umesh Vazirani. Classical command of quantum systems. Nature, 496(7446):456, 2013.
[Sha92] Adi Shamir. Ip= pspace. Journal of the ACM (JACM), 39(4):869–877, 1992.
[Shi02] Yaoyun Shi. Both toffoli and controlled-not need little help to do universal quantum computation. arXiv preprint quant-ph/0205115, 2002.

Lemma 1 proof
Lemma 1.
Let $\Delta$ be an operator on $n$ qubits and let $u = u_1 \otimes \cdots \otimes u_n$ be a unitary operator on $n$ qubits:
$$\Delta \neq 0 \Rightarrow \Pr_{u_1, \cdots, u_n \sim U(2)} \left( tr(\Delta \cdot u) = 0 \right) = 0$$
Proof.
By induction on n : • For n = 1 we have: u = u = (cid:18) cos θ · e iϕ sin θ · e iϕ − sin θ · e − iϕ cos θ · e − iϕ (cid:19) , ∆ = (cid:18) a cd b (cid:19) , and we can assume a = 0, as the following derivation is similar regardless of which entry of ∆ is non-zero.So we have: P r u ∽ U (2) (cid:16) tr (∆ · u ) = 0 (cid:17) = P r θ,ϕ ,ϕ ∽ [0 , π ] (cid:16) a · cos θ · e iϕ + d · sin θ · e iϕ − c · sin θ · e − iϕ + b · cos θ · e − iϕ = 0 (cid:17) = P r θ,ϕ ,ϕ ∽ [0 , π ] (cid:16) cos θ (cid:0) a · e iϕ + b · e − iϕ (cid:1) + sin θ (cid:0) d · e iϕ − c · e − iϕ (cid:1) = 0 (cid:17) ≤ P r θ ∽ [0 , π ] (cid:16) sin θ = 0 (cid:17) + P r θ ∽ [0 , π ] (cid:16) cos θ = 0 (cid:17) + P r ϕ ∽ [0 , π ] (cid:16) a · e iϕ + b · e − iϕ = 0 (cid:17) ++ P r a · e iϕ + b · e − iϕ =0cos θ =0sin θ =0 (cid:16) (cid:12)(cid:12) cos θ (cid:0) a · e iϕ + b · e − iϕ (cid:1)(cid:12)(cid:12) = (cid:12)(cid:12) sin θ (cid:0) d · e iϕ − c · e − iϕ (cid:1)(cid:12)(cid:12) (cid:17) we calculate an upper bound on the sum by proving an upper bound on each of the probabilities separately:1. P r θ ∽ [0 , π ] (cid:16) sin θ = 0 (cid:17) = 02. P r θ ∽ [0 , π ] (cid:16) cos θ = 0 (cid:17) = 03. To see P r ϕ ∽ [0 , π ] (cid:16) a · e iϕ + b · e − iϕ = 0 (cid:17) = 0 we observe: P r ϕ ∽ [0 , π ] (cid:16) a · e iϕ + b · e − iϕ = 0 (cid:17) = P r ϕ ∽ [0 , π ] (cid:16) a (cos ϕ + i · sin ϕ ) + b (cos ϕ − i · sin ϕ ) = 0 (cid:17) = P r ϕ ∽ [0 , π ] (cid:18)q (( a + b ) cos ϕ ) + (( a − b ) sin ϕ ) = 0 (cid:19) we assume b and a have the same sign, and so: P r ϕ ∽ [0 , π ] (cid:18)q (( a + b ) cos ϕ ) + (( a − b ) sin ϕ ) = 0 (cid:19) ≤ P r ϕ ∽ [0 , π ] (cid:18)q (( a + b ) cos ϕ ) = 0 (cid:19) = P r ϕ ∽ [0 , π ] (cid:16) cos ϕ = 0 (cid:17) = 0Where the final equality comes from the fact that a = 0 and a has the same sign as b . If a and b donot have the same sign - we simply bound using q (( a − b ) sin ϕ ) . . 
P r a · e iϕ + b · e − iϕ =0cos θ =0sin θ =0 (cid:16) (cid:12)(cid:12) cos θ (cid:0) a · e iϕ + b · e − iϕ (cid:1)(cid:12)(cid:12) = (cid:12)(cid:12) sin θ (cid:0) d · e iϕ − c · e − iϕ (cid:1)(cid:12)(cid:12) (cid:17) = P r a · e iϕ + b · e − iϕ =0cos θ =0sin θ =0 (cid:16) | cotθ | (cid:12)(cid:12)(cid:0) a · e iϕ + b · e − iϕ (cid:1)(cid:12)(cid:12) = (cid:12)(cid:12) d · e iϕ − c · e − iϕ (cid:12)(cid:12) (cid:17) = P r a · e iϕ + b · e − iϕ =0cos θ =0sin θ =0 | cot ( θ ) | = (cid:12)(cid:12)(cid:12)(cid:12) d · e iϕ − c · e − iϕ a · e iϕ + b · e − iϕ (cid:12)(cid:12)(cid:12)(cid:12)| {z } H = 0As H is some constant number independent of θ .Summing the 4 probabilities, we get the induction base for Lemma 1. • Assuming correctness for n , we prove for n + 1. Choosing a basis for the n + 1 qubitswhere the ( n + 1)’th qubit is the most significant qubit, we have: u n +1 = (cid:18) u u u u (cid:19) , u = (cid:18) u · (cid:0) U (cid:1) n u · (cid:0) U (cid:1) n u · (cid:0) U (cid:1) n u · (cid:0) U (cid:1) n (cid:19) , ∆ = (cid:18)(cid:0) ∆ (cid:1) n (cid:0) ∆ (cid:1) n (cid:0) ∆ (cid:1) n (cid:0) ∆ (cid:1) n (cid:19) Where ( U ) n = u ⊗ u ⊗ · · · ⊗ u n , and we denote the number of qubits each block operates on in subscript,for clarity. Now we have: tr (∆ · u ) = tr (cid:18)(cid:18)(cid:0) ∆ (cid:1) (cid:0) ∆ (cid:1)(cid:0) ∆ (cid:1) (cid:0) ∆ (cid:1)(cid:19) · (cid:18) u · (cid:0) U (cid:1) u · (cid:0) U (cid:1) u · (cid:0) U (cid:1) u · (cid:0) U (cid:1)(cid:19)(cid:19) = u · tr (cid:0) ∆ · U (cid:1) + u · tr (cid:0) ∆ · U (cid:1) + u · tr (cid:0) ∆ · U (cid:1) + u · tr (cid:0) ∆ · U (cid:1) = tr (cid:18) tr (∆ · U ) tr (∆ · U ) tr (∆ · U ) tr (∆ · U (cid:19) · | {z } ∆ ′ (cid:18) u u u u (cid:19) ⇒ tr (∆ · u ) = tr (∆ ′ · u n +1 ) (9)W.L.O.G we can assume ∆ = 0, so our induction base tells us tr (∆ · U ) = 0, meaning ∆ ′ = 0. Using theinduction base once again on ∆ ′ , u n +1 , we obtain the required induction step. Lemma 2 proof
Lemma 2.
Let U be an operator on a Hilbert space H, and q an operator on a subsystem Q of H. Then U|_Q · q = (U · (q ⊗ I_Q))|_Q.
Proof.
By induction on i, the number of qubits Q works on non-trivially: • Induction base:
For i = 1 we have (choosing a basis for H where the single qubit in Q is the most significantqubit): q = (cid:18) q q q q (cid:19) , U = (cid:18)(cid:0) U (cid:1) (cid:0) U (cid:1)(cid:0) U (cid:1) (cid:0) U (cid:1)(cid:19) and so: ( U · ( q ⊗ I Q )) | Q = (cid:18)(cid:18)(cid:0) U (cid:1) (cid:0) U (cid:1)(cid:0) U (cid:1) (cid:0) U (cid:1)(cid:19) · (cid:18) q · (cid:0) I n − (cid:1) q · (cid:0) I n − (cid:1) q · (cid:0) I n − (cid:1) q · (cid:0) I n − (cid:1)(cid:19)(cid:19)(cid:12)(cid:12)(cid:12)(cid:12) Q = (cid:18)(cid:0) q · U + q · U (cid:1) (cid:0) q · U + q · U (cid:1)(cid:0) q · U + q · U (cid:1) (cid:0) q · U + q · U (cid:1)(cid:19)(cid:12)(cid:12)(cid:12)(cid:12) Q = (cid:18) tr (cid:0) q · U + q · U (cid:1) tr (cid:0) q · U + q · U (cid:1) tr (cid:0) q · U + q · U (cid:1) tr (cid:0) q · U + q · U (cid:1)(cid:19) = (cid:18) q · tr (cid:0) U (cid:1) + q · tr (cid:0) U (cid:1) q · tr (cid:0) U (cid:1) + q · tr (cid:0) U (cid:1) q · tr (cid:0) U (cid:1) + q · tr (cid:0) U (cid:1) q · tr (cid:0) U (cid:1) + q · tr (cid:0) U (cid:1)(cid:19) = (cid:18) tr (cid:0) U (cid:1) tr (cid:0) U (cid:1) tr (cid:0) U (cid:1) tr (cid:0) U (cid:1)(cid:19) · (cid:18) q q q q (cid:19) = U | Q · q • Induction step:
Assuming correctness for i , we prove for i + 1. Choosing a basis for H where the ( i + 1)’thqubit in Q is the most significant qubit, and Q ’s other i qubits are the following significant bits - we have: q = (cid:18)(cid:0) q (cid:1) i (cid:0) q (cid:1) i (cid:0) q (cid:1) i (cid:0) q (cid:1) i (cid:19) i +1 , U = (cid:0) U (cid:1) n − (cid:0) U (cid:1) n − (cid:0) U (cid:1) n − (cid:0) U (cid:1) n − ! n And we denote the number of qubits each operator operates on in subscript, for clarity. Now we have:( U ( q ⊗ I Q )) | Q == (cid:18)(cid:18)(cid:0) U (cid:1) (cid:0) U (cid:1)(cid:0) U (cid:1) (cid:0) U (cid:1)(cid:19) · (cid:18)(cid:0) q (cid:1) ⊗ (cid:0) I n − i − (cid:1) (cid:0) q (cid:1) ⊗ (cid:0) I n − i − (cid:1)(cid:0) q (cid:1) ⊗ (cid:0) I n − i − (cid:1) (cid:0) q (cid:1) ⊗ (cid:0) I n − i − (cid:1)(cid:19)(cid:19)(cid:12)(cid:12)(cid:12)(cid:12) Q = (cid:18)(cid:0) U ( q ⊗ I n − i − ) + U ( q ⊗ I n − i − ) (cid:1) (cid:0) U ( q ⊗ I n − i − ) + U ( q ⊗ I n − i − ) (cid:1)(cid:0) U ( q ⊗ I n − i − ) + U ( q ⊗ I n − i − ) (cid:1) (cid:0) U ( q ⊗ I n − i − ) + U ( q ⊗ I n − i − ) (cid:1)(cid:19)(cid:12)(cid:12)(cid:12)(cid:12) Q = (cid:0) U ( q ⊗ I n − i − ) + U ( q ⊗ I n − i − ) (cid:1)(cid:12)(cid:12) Q \ (cid:0) U ( q ⊗ I n − i − ) + U ( q ⊗ I n − i − ) (cid:1)(cid:12)(cid:12) Q \ (cid:0) U ( q ⊗ I n − i − ) + U ( q ⊗ I n − i − ) (cid:1)(cid:12)(cid:12) Q \ (cid:0) U ( q ⊗ I n − i − ) + U ( q ⊗ I n − i − ) (cid:1)(cid:12)(cid:12) Q \ ! = (cid:18)(cid:0) U | Q \ · q + U | Q \ · q (cid:1) (cid:0) U | Q \ · q + U | Q \ · q (cid:1)(cid:0) U | Q \ · q + U | Q \ · q (cid:1) (cid:0) U | Q \ · q + U | Q \ · q (cid:1)(cid:19) = (cid:18)(cid:0) U (cid:1) | Q \ (cid:0) U (cid:1) | Q \ (cid:0) U (cid:1) | Q \ (cid:0) U (cid:1) | Q \ (cid:19) · (cid:18)(cid:0) q (cid:1) (cid:0) q (cid:1)(cid:0) q (cid:1) (cid:0) q (cid:1)(cid:19) = U | Q · q Where we used the induction step assumption for the 4’th equality.And so, by induction we conclude the proof of Lemma 2. 
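A numerical check of Lemma 2 and of Equation (9) from the proof of Lemma 1, as an added example that is not code from the paper. It reads U|_Q as the matrix of block traces used in the induction base, with Q as the most significant qubits and the identity acting on the remaining qubits. The function names, the subscripts phi1/phi2 and the sampling range [0, 2*pi) are assumptions of this example.

```python
import cmath
import math
import random


def matmul(a, b):
    """Product of two square matrices given as lists of rows."""
    n = len(a)
    return [[sum(a[r][t] * b[t][c] for t in range(n)) for c in range(n)] for r in range(n)]


def kron(a, b):
    """Tensor product a (x) b; a acts on the more significant qubits."""
    nb = len(b)
    size = len(a) * nb
    return [[a[r // nb][c // nb] * b[r % nb][c % nb] for c in range(size)] for r in range(size)]


def identity(d):
    return [[1.0 if r == c else 0.0 for c in range(d)] for r in range(d)]


def restrict(u, dq):
    """U|_Q: split u into dq x dq blocks and replace each block by its trace."""
    dr = len(u) // dq
    return [[sum(u[j * dr + t][k * dr + t] for t in range(dr)) for k in range(dq)]
            for j in range(dq)]


def trace(a):
    return sum(a[t][t] for t in range(len(a)))


def random_matrix(d, rng):
    """Arbitrary complex d x d matrix (constructed sample input)."""
    return [[complex(rng.uniform(-1, 1), rng.uniform(-1, 1)) for _ in range(d)] for _ in range(d)]


def random_u2(rng):
    """One-qubit unitary in the theta/phi form of the proofs (range [0, 2*pi) assumed)."""
    th, p1, p2 = (rng.uniform(0, 2 * math.pi) for _ in range(3))
    return [[math.cos(th) * cmath.exp(1j * p1), math.sin(th) * cmath.exp(1j * p2)],
            [-math.sin(th) * cmath.exp(-1j * p2), math.cos(th) * cmath.exp(-1j * p1)]]


def lemma2_gap(i, n, seed=0):
    """Largest entrywise difference between U|_Q . q and (U . (q (x) I))|_Q."""
    rng = random.Random(seed)
    dq, dr = 2 ** i, 2 ** (n - i)
    u, q = random_matrix(dq * dr, rng), random_matrix(dq, rng)
    lhs = matmul(restrict(u, dq), q)
    rhs = restrict(matmul(u, kron(q, identity(dr))), dq)
    return max(abs(lhs[r][c] - rhs[r][c]) for r in range(dq) for c in range(dq))


def eq9_gap(n, seed=0):
    """|tr(Delta . u) - tr(Delta' . u_{n+1})| for u = u_{n+1} (x) u_1 (x) ... (x) u_n."""
    rng = random.Random(seed)
    big_u = random_u2(rng)
    for _ in range(n - 1):
        big_u = kron(big_u, random_u2(rng))
    top = random_u2(rng)
    delta = random_matrix(2 ** (n + 1), rng)
    # Delta' has entries tr(Delta_jk . U): restrict Delta . (I_2 (x) U) to the top qubit.
    delta_prime = restrict(matmul(delta, kron(identity(2), big_u)), 2)
    return abs(trace(matmul(delta, kron(top, big_u))) - trace(matmul(delta_prime, top)))


if __name__ == "__main__":
    print(lemma2_gap(1, 3), lemma2_gap(2, 4), eq9_gap(3))
```

Both gaps come out at floating-point rounding level; neither identity needs q or ∆ to be unitary.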
Proof of Theorem 1.2 given Theorem 1.1
Theorem 1.2 P ∈ IP[BPP , PP].
Proof.
Let L ∈ P = P^PP = P^PostBQP; then there exists an algorithm A(x) that runs in time polynomial in |x| using m = poly(|x|) queries to a PostBQP oracle, such that if x ∈ L then A(x) = 1 and otherwise A(x) = 0.
For i ∈ { . . . m } we denote the i'th query in A(x) by q_i, and its answer by the oracle by r_i. Each such query q_i can be thought of as a request for the truth value of a term y ∈ L′ for some y (of size polynomial in |x|) and a PostBQP-complete language L′. We denote the query for the truth value of y ∈ L′ by q_i. Since PostBQP is closed under complement, L′ ∈ PostBQP as well. By Theorem 1.1, this means that there is an interactive protocol W_i between a BPP verifier V and a prover P with soundness at most and completeness at least for q_i, and a similar protocol W_i for q_i, and the completeness holds even if P is restricted to be a PostBQP machine.
We now consider the following interactive protocol between a BPP verifier V and a prover P: V simulates A, but whenever A calls for a query q_i, V performs the following:
1. V repeats the protocol W_i log(m) + 2 times. If all runs result in acceptance, V sets r′_i = 1. Otherwise:
2. V repeats the protocol W_i log(m) + 2 times. If all runs result in acceptance, V sets r′_i = 0. Otherwise, V rejects.
V regards the r′_i values as though they were the correct answers for the PostBQP queries, and he then accepts or rejects according to the result of the simulated A. Analysing this protocol, we have:
• Completeness: Let x ∈ L, and let P be a PostBQP machine. Assume P tries to make W_i accept if and only if r_i = 1, and that P tries to make W_i accept if and only if r_i = 0. By the completeness of W_i, this means that r_i = 1 ⇒ r′_i = 1. On the other hand, if r_i = 0, P deliberately fails his W_i protocol, and then goes through the series of W_i protocols. Along with the completeness of W_i this means r_i = 0 ⇒ r′_i = 0, and together we have that r_i = r′_i, and so V will accept with probability 1, since A(x) accepts.
• Soundness: Let x ∉ L. By the soundness of W_i, W_i we have:
∀ i ∈ { . . . m } : Pr[ r_i = r′_i ] ≤ Pr[ r′_i = 1 | r_i = 0 ] + Pr[ r′_i = 0 | r_i = 1 ] ≤ (Pr[ W_i = 1 | r_i = 0 ]) log m +2 + (Pr[ W_i = 0 | r_i = 1 ]) log m +2 ≤ log m +2
Now, as we know that A(x) = 0, we can use the union bound to get:
Pr[ V Accepts ] ≤ Pr[ ∃ i : r_i = r′_i ] ≤ m ∗ Pr[ r_i = r′_i ] ≤ m log m +2 < L with soundness less than and completeness 1, even when the prover P is restricted to be a PostBQP machine, this shows P ∈ IP[BPP , PP], and by PP = PostBQP we have Theorem 1.2.
Lemma 3 proof
Lemma 3.
Let ∆ be an operator on n ′ qubits, and let u = u ⊗ · · · ⊗ u n ′ : ∀ K ≥ , m ≥ k ∆ k F rob ≥ K ⇒ P r u , ··· ,u n ′ ∽ U (2) | tr (∆ · u ) | < K (16 m ) n ′ ! ≤ n ′ m Proof.
By induction on n ′ : • Induction base:
For n ′ = 1 we have: u = u = (cid:18) cos θ · e iϕ sin θ · e iϕ − sin θ · e − iϕ cos θ · e − iϕ (cid:19) , ∆ = (cid:18) a cd b (cid:19) , and we can assume | a | = max ( | a | , | b | , | c | , | d | ) ⇒ | a | ≥ K , as the following derivation is similar regardlessof which entry of ∆ is maximal in absolute value. So we have: P r u ∽ U (2) (cid:18) | tr (∆ · u ) | < K m (cid:19) = P r θ,ϕ ,ϕ ∽ [0 , π ] (cid:18)(cid:12)(cid:12) a · cos θ · e iϕ + d · sin θ · e iϕ − c · sin θ · e − iϕ + b · cos θ · e − iϕ (cid:12)(cid:12) < K m (cid:19) = P r θ,ϕ ,ϕ ∽ [0 , π ] (cid:18)(cid:12)(cid:12) cos θ (cid:0) a · e iϕ + b · e − iϕ (cid:1) + sin θ (cid:0) d · e iϕ − c · e − iϕ (cid:1)(cid:12)(cid:12) < K m (cid:19) ≤ P r θ ∽ [0 , π ] (cid:18) | sin θ | ≤ m (cid:19) + P r θ ∽ [0 , π ] (cid:18) | cos θ | ≤ m (cid:19) + P r ϕ ∽ [0 , π ] (cid:18)(cid:12)(cid:12) a · e iϕ + b · e − iϕ (cid:12)(cid:12) ≤ K m (cid:19) ++ P r | cos θ | > m | sin θ | > m | a · e iϕ + b · e − iϕ | > K m (cid:18)(cid:12)(cid:12)(cid:12)(cid:12) cos θ (cid:0) a · e iϕ + b · e − iϕ (cid:1)(cid:12)(cid:12) − (cid:12)(cid:12) sin θ (cid:0) d · e iϕ − c · e − iϕ (cid:1)(cid:12)(cid:12)(cid:12)(cid:12) < K m (cid:19) we calculate an upper bound on the sum by proving an upper bound on each of the probabilities separately: – P r θ ∽ [0 , π ] (cid:16) | sin θ | ≤ m (cid:17) ≤ m : We will prove for cos θ instead (and the probabilities are equal, as thefunctions only differ by a cyclic offset in the section): Lemma 3.1:
P r θ ∽ [0 , π ] (cid:16) | cos θ | ≤ m (cid:17) ≤ m Proof.
Due to symmetry around π , we have: P r θ ∽ [0 , π ] (cid:18) | cos θ | ≤ m (cid:19) = P r θ ∽ [ π, π ] (cid:18) | cos θ | ≤ m (cid:19) We denote θ = cos − (cid:0) m (cid:1) , θ = cos − (cid:0) − m (cid:1) , θ , ∈ [ π, π ] and as the cosine function is monotoni-cally increasing in [ π, π ] we have: P r θ ∽ [ π, π ] (cid:18) | cos θ | ≤ m (cid:19) = (cid:12)(cid:12)(cid:12)(cid:12) θ − θ π (cid:12)(cid:12)(cid:12)(cid:12) Remembering the lemma assumes m ≥
2, we have: θ ∈ [ π, π ] , | cos θ | ≤ m ⇒ θ ∈ [1 13 π, π ]since the derivative for cos θ in this section is at least √ , we can use The Mean Value Theorem on θ , to achieve | θ − θ | ≤ m − ( − m ) √ = √ m , and so: P r θ ∽ [0 , π ] (cid:18) | cos θ | ≤ m (cid:19) ≤ √ m · π ≤ . m ≤ m P r θ ∽ [0 , π ] (cid:16) | cos θ | ≤ m (cid:17) ≤ m : This follows trivially by a variable change to Lemma 3.1. – To see
P r ϕ ∽ [0 , π ] (cid:16) (cid:12)(cid:12) a · e iϕ + b · e − iϕ (cid:12)(cid:12) ≤ K m (cid:17) ≤ m we observe: P r ϕ ∽ [0 , π ] (cid:18)(cid:12)(cid:12) a · e iϕ + b · e − iϕ (cid:12)(cid:12) ≤ K m (cid:19) = P r ϕ ∽ [0 , π ] (cid:18) | a (cos ϕ + i · sin ϕ ) + b (cos ϕ − i · sin ϕ ) | ≤ K m (cid:19) = P r ϕ ∽ [0 , π ] (cid:18)q (( a + b ) cos ϕ ) + (( a − b ) sin ϕ ) ≤ K m (cid:19) W.L.O.G we assume a, b have the same sign (otherwise, we bound using the sine) and so:
P r ϕ ∽ [0 , π ] (cid:18)q (( a + b ) cos ϕ ) + (( a − b ) sin ϕ ] ≤ K m (cid:19) ≤ P r ϕ ∽ [0 , π ] (cid:18)q [( a + 0) cos ϕ ] + [( a − a ) sin ϕ ) ≤ K m (cid:19) = P r ϕ ∽ [0 , π ] (cid:18) | a | · | cos ϕ | ≤ K m (cid:19) ≤ P r ϕ ∽ [0 , π ] (cid:18) K · | cos ϕ | ≤ K m (cid:19) = P r ϕ ∽ [0 , π ] (cid:18) | cos ϕ | ≤ m (cid:19) And we conclude by using Lemma 3.1 again. – P r | a · e iϕ + b · e − iϕ | > K m | cos θ | > m | sin θ | > m (cid:0)(cid:12)(cid:12) cos θ (cid:0) a · e iϕ + b · e − iϕ (cid:1)(cid:12)(cid:12) − (cid:12)(cid:12) sin θ (cid:0) d · e iϕ − c · e − iϕ (cid:1)(cid:12)(cid:12) < K m (cid:1) = P r | a · e iϕ + b · e − iϕ | > K m | cos θ | > m | sin θ | > m (cid:18)(cid:12)(cid:12) | cot ( θ ) | (cid:12)(cid:12) a · e iϕ + b · e − iϕ (cid:12)(cid:12) − (cid:12)(cid:12) d · e iϕ − c · e − iϕ (cid:12)(cid:12)(cid:12)(cid:12) < K m | sin θ | (cid:19) ≤ P r | a · e iϕ + b · e − iϕ | > K m | cos θ | > m | sin θ | > m (cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) | cot ( θ ) | − (cid:12)(cid:12)(cid:12)(cid:12) d · e iϕ − c · e − iϕ a · e iϕ + b · e − iϕ (cid:12)(cid:12)(cid:12)(cid:12)| {z } H (cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) < K m | a · e iϕ + b · e − iϕ | ≤ P r | a · e iϕ + b · e − iϕ | > K m | cos θ | > m | sin θ | > m (cid:18) || cot ( θ ) | − H | < m (cid:19) = P r | a · e iϕ + b · e − iϕ | > K m | cos θ | > m | sin θ | > m (cid:18) − m < | cot ( θ ) | − H < m (cid:19) = P r | a · e iϕ + b · e − iϕ | > K m | cos θ | > m | sin θ | > m (cid:18) H − m < | cot ( θ ) | < H + 12 m (cid:19) Again, due to the period and symmetry of the cotangent function, it suffices to evaluate this probabilityover the section [0 , π ]. We denote by [ x , x ] ⊂ [0 , π ] the section where | cos θ | > m , | sin θ | > m , and remembering m ≥
2, have [ x , x ] ⊃ [ π , π ]. As in the proof of Lemma 3.1, we denote θ = cot − (cid:0) max (cid:0) H − m , (cid:1)(cid:1) , θ = cot − (cid:0) H + m (cid:1) , θ , ∈ [0 , π ] and as the cotangent function ismonotonically decreasing in [0 , π ] have: P r θ ∽ [ x ,x ] (cid:18) H − m < | cot ( θ ) | < H + 12 m (cid:19) = θ − θ x − x and by the Mean Value Theorem and due to the fact the cotangent function’s derivative is (in absolutevalue) at least 1, we can use The Mean Value Theorem on θ , to achieve θ − θ ≤ H + m − ( H − m ) = m nd so we get that the probability is less than θ − θ π − π ≤ m · π < m .Summing the 4 probabilities, we get the induction base for Lemma 3. • Induction step:
Assuming correctness for n ′ , we prove for a matrix ∆ on n ′ + 1 qubits, assuming k ∆ k ≥ K .Choosing a basis for the n ′ + 1 qubits where the ( n ′ + 1)’th qubit is the most significant qubit, we have: u n ′ +1 = (cid:18) u u u u (cid:19) , u = (cid:18) u · (cid:0) U (cid:1) n ′ u · (cid:0) U (cid:1) n ′ u · (cid:0) U (cid:1) n ′ u · (cid:0) U (cid:1) n ′ (cid:19) , ∆ = (cid:18)(cid:0) ∆ (cid:1) n ′ (cid:0) ∆ (cid:1) n ′ (cid:0) ∆ (cid:1) n ′ (cid:0) ∆ (cid:1) n ′ (cid:19) Where ( U ) n ′ = u ⊗ u ⊗ · · · ⊗ u n ′ , and we denote the number of qubits each block operates on in subscript,for clarity. We now use the same notation as in the induction step in the proof of Lemma 1, and denote∆ ′ = (cid:18) tr (∆ · U ) tr (∆ · U ) tr (∆ · U ) tr (∆ · U ) (cid:19) Again we can assume W.L.O.G that k ∆ k F rob ≥ K , and so by our induction step assumption applied onthe n ′ qubit matrix ∆ , we have: P r u , ··· ,u n ′ ∽ U (2) k ∆ ′ k F rob < K · (16 m ) n ′ ! ≤ P r u , ··· ,u n ′ ∽ U (2) | tr (∆ · U ) | < K · (16 m ) n ′ ! ≤ n ′ m (10)where the first inequality is due to the fact that | tr (∆ · U ) | ≤ k ∆ ′ k F rob . By the induction base, appliedto the one qubit matrix ∆ ′ , we also have that if k ∆ ′ k F rob ≥ K · (16 m ) n ′ , P r u n ′ +1 ∽ U (2) (cid:12)(cid:12)(cid:12) tr (∆ ′ · u n ′ +1 ) (cid:12)(cid:12)(cid:12) < · K m · · (16 m ) n ′ ! ≤ m . (11)We now recall that as in the proof of Lemma 1, Equation (9) we have tr (∆ · u ) = tr (∆ ′ · u n ′ +1 ) (12)thus we can conclude by: P r u , ··· ,u n ′ +1 ∽ U (2) | tr (∆ · u ) | < K (16 m ) n ′ +1 ! ≤ P r u , ··· ,u n ′ ∽ U (2) k ∆ ′ k F rob < K · (16 m ) n ′ ! + P r u n ′ +1 ∽ U (2) k ∆ ′ k Frob ≥ K · ( m ) n ′ (cid:12)(cid:12)(cid:12) tr (∆ ′ · u n ′ +1 ) (cid:12)(cid:12)(cid:12) < K (16 m ) n ′ +1 ! ≤ n ′ m + P r u n ′ +1 ∽ U (2) k ∆ ′ k Frob ≥ K · ( m ) n ′ (cid:12)(cid:12)(cid:12) tr (∆ ′ · u n ′ +1 ) (cid:12)(cid:12)(cid:12) < K · m (16 m ) n ′ ! 
≤ m + 5 n ′ m = 5( n ′ + 1) m When the first inequality follows from the total probability equation along with Equation (12), the secondinequality follows from Inequality (10) along with the simple observation that the probability to be smallerthan a value - increases with that value, and the third inequality follows from Inequality (11). Claim 5 proof details
Herein are the proofs of Claims 5.1, 5.2, 5.3, 5.4:
Claim 5.1 | tr ( A ′ i ) − tr ( A i ) | ≤ n T · ξ Proof.
We have: ∀ ≤ i ≤ T k ˜ u i − u i k L ≤ ξ ⇒ k A ′ i − A i k ≤ T · ξ Where the right inequality follows by a simple telescopic argument.Clearly, the difference between the traces of the two operators is bounded by the number of entries on theirdiagonal times their L distance. The claim follows by the fact A i , A ′ i have 2 n entries on their diagonal. Claim 5.2 (cid:12)(cid:12) tr (cid:0) M i − · g − i · u i (cid:1) − tr (cid:0) M ′ i − · g − i · u i (cid:1)(cid:12)(cid:12) ≤ n ′ · n T · ξ Proof.
We have: (cid:12)(cid:12) tr (cid:0) M ′ i − · g − i · u i (cid:1) − tr (cid:0) M i − · g − i · u i (cid:1)(cid:12)(cid:12) = (cid:12)(cid:12) tr (cid:0)(cid:0) M ′ i − − M i − (cid:1) g − i · u i (cid:1)(cid:12)(cid:12) = (cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) X ≤ j,k ≤ n ′ (cid:0) M ′ i − − M i − (cid:1) k,j · (cid:0) g − i · u i (cid:1) j,k (cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) ≤ X ≤ j,k ≤ n ′ (cid:12)(cid:12)(cid:12)(cid:0) M ′ i − − M i − (cid:1) k,j (cid:12)(cid:12)(cid:12) ≤ n ′ · n T · ξ Where we used ∀ ≤ j,k ≤ n ′ : (cid:12)(cid:12)(cid:12)(cid:0) g − i · u i (cid:1) j,k (cid:12)(cid:12)(cid:12) ≤ (cid:0) M ′ i − − M i − (cid:1) in the second inequality (namely that (cid:12)(cid:12)(cid:12)(cid:0) M ′ i − − M i − (cid:1) k,j (cid:12)(cid:12)(cid:12) ≤ (cid:13)(cid:13) M ′ i − − M i − (cid:13)(cid:13) ≤ n (cid:13)(cid:13) A ′ i − − A i − (cid:13)(cid:13) ). Claim 5.3 (cid:12)(cid:12)(cid:12) tr (cid:0) M ′ i − · g − i · u i (cid:1) − tr (cid:16) M ′ i − · d g − i · b u i (cid:17)(cid:12)(cid:12)(cid:12) ≤ · n ′ · n · ξ Proof.
We first note:max ≤ j,k ≤ n ′ (cid:12)(cid:12)(cid:12)(cid:12)(cid:16) g − i · u i − d g − i · b u i (cid:17) j,k (cid:12)(cid:12)(cid:12)(cid:12) = max ≤ j,k ≤ n ′ (cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) X ≤ l ≤ n ′ (cid:16) g − i j,l · u i l,k − d g − i j,l · b u i l,k (cid:17)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) ≤ n ′ · max ≤ j,k,l ≤ n ′ (cid:12)(cid:12)(cid:12) g − i j,k · u i l,k − d g − i j,k · b u i l,k (cid:12)(cid:12)(cid:12) ≤ n ′ · max ≤ j,k,l ≤ n ′ (cid:12)(cid:12)(cid:12) g − i j,k · u i l,k − g − i j,k · b u i l,k + g − i j,k · b u i l,k − d g − i j,k · b u i l,k (cid:12)(cid:12)(cid:12) = 2 n ′ · max ≤ j,k,l ≤ n ′ (cid:12)(cid:12)(cid:12) g − i j,k (cid:0) u i l,k − b u i l,k (cid:1) + b u i l,k (cid:16) g − i j,k − d g − i j,k (cid:17)(cid:12)(cid:12)(cid:12) ≤ n ′ · (cid:18) max ≤ j,k,l ≤ n ′ (cid:12)(cid:12)(cid:12) g − i j,k (cid:0) u i l,k − b u i l,k (cid:1)(cid:12)(cid:12)(cid:12) + max ≤ j,k,l ≤ n ′ (cid:12)(cid:12)(cid:12)b u i l,k (cid:16) g − i j,k − d g − i j,k (cid:17)(cid:12)(cid:12)(cid:12)(cid:19) ≤ n ′ · (cid:18) max ≤ k,l ≤ n ′ (cid:12)(cid:12) u i l,k − b u i l,k (cid:12)(cid:12) + max ≤ j,k ≤ n ′ (cid:12)(cid:12)(cid:12) g − i j,k − d g − i j,k (cid:12)(cid:12)(cid:12)(cid:19) ≤ · n ′ ξ here the fourth inequality follows from the fact that u, g are unitaries. 
And so: (cid:12)(cid:12)(cid:12) tr (cid:0) M ′ i − · g − i · u i (cid:1) − tr (cid:16) M ′ i − · d g − i · b u i (cid:17)(cid:12)(cid:12)(cid:12) = (cid:12)(cid:12)(cid:12) tr (cid:16) M ′ i − (cid:16) g − i · u i − d g − i · b u i (cid:17)(cid:17)(cid:12)(cid:12)(cid:12) = (cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) X ≤ j,k ≤ n ′ M ′ i − k,j · (cid:16) g − i · u i − d g − i · b u i (cid:17) j,k (cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) ≤ n ′ · n · max ≤ j,k ≤ n ′ (cid:12)(cid:12)(cid:12)(cid:12)(cid:16) g − i · u i − d g − i · b u i (cid:17) j,k (cid:12)(cid:12)(cid:12)(cid:12) ≤ · n ′ · n · ξ Where we used max ≤ j,k ≤ n ′ (cid:12)(cid:12) M i − j,k (cid:12)(cid:12) ≤ n (as explained in the protocol description) for the first inequality. Claim 5.4 (cid:12)(cid:12)(cid:12) tr ( b U T · b U T − · · · b U · | n ih n | ) − tr ( U T · U T − · · · U · | n ih n | ) (cid:12)(cid:12)(cid:12) ≤ n T · ξ Proof. (cid:12)(cid:12)(cid:12) tr ( b U T · · · b U · | n ih n | ) − tr ( U T · · · U · | n ih n | ) (cid:12)(cid:12)(cid:12) = (cid:12)(cid:12)(cid:12) h n | b U T · · · b U − U T · · · U | n i (cid:12)(cid:12)(cid:12) ≤ (cid:13)(cid:13)(cid:13) b U T · · · b U − U T · · · U (cid:13)(cid:13)(cid:13) L ≤ T max ≤ i ≤ T (cid:13)(cid:13)(cid:13) b U i − U i (cid:13)(cid:13)(cid:13) F rob ≤ n T · ξ Where we used a telescopic argument together with the fact that the fact the operator norm is bounded fromabove by the Frobenius norm for the second inequality. Claim 6 proof details
Herein is the proof of Claim 6.1.
Claim 6.1 let ∆ an operator on n ′ qubits: P r u ∽ b D ( n ′ ) (cid:16) | tr (∆ · u ) | < δ − n ′ n ′ · · ξ · k ∆ k F rob (cid:17) ≤ P r u ∽ D ( n ′ ) (cid:16) | tr (∆ · u ) | < δ (cid:17) + 3 n ′ ξ π Proof.
To prove the claim, we remember that choosing a unitary u ∽ U (2) is equivalent to choosing θ, ϕ , ϕ ∽ [0 , π ) by defining: u = (cid:18) cos θ · e iϕ sin θ · e iϕ − sin θ · e − iϕ cos θ · e − iϕ (cid:19) And u ∽ U (2) ⇔ θ, ϕ , ϕ ∽ [0 , π ).Choosing a unitary u ∽ D ( n ′ ) is then equivalent to choosing θ , ϕ , ϕ , · · · , θ n ′ , ϕ n ′ , ϕ n ′ ∽ [0 , π ) for u , · · · , u n ′ , with u = u ⊗ · · · ⊗ u n ′ .We also note that for any κ ≥ π , and any event F : P r x ∽ [0 ,κ ) (cid:16) F (cid:17) ≤ P r x ∽ [0 ,κ ) (cid:16) x ∈ [2 π, κ ) (cid:17) + P r x ∽ [0 ,κ ) x/ ∈ [2 π,κ ) (cid:16) F (cid:17) = κ − πκ + P r x ∽ [0 , π ) (cid:16) F (cid:17) By applying the previous argument 3 n ′ times we get: P r θ ,ϕ ,ϕ , ··· ,θ n ′ ,ϕ n ′ ,ϕ n ′ ∽ [0 ,κ ) (cid:16) F (cid:17) ≤ n ′ κ − πκ + P r θ ,ϕ ,ϕ , ··· ,θ n ′ ,ϕ n ′ ,ϕ n ′ ∽ [0 , π ) (cid:16) F (cid:17) = 3 n ′ κ − πκ + P r u ∽ D ( n ′ ) (cid:16) F (cid:17) Setting κ = min i ∈ N i · ξ ≥ π ( i · ξ ), we have κ − π < ξ and so Claim 6.1 can be proven by showing: P r u ∽ b D ( n ′ ) (cid:16) | tr (∆ · u ) | < δ − n ′ n ′ · · ξ · k ∆ k F rob (cid:17) ≤ P r θ ,ϕ ,ϕ , ··· ,θ n ′ ,ϕ n ′ ,ϕ n ′ ∽ [0 ,κ ) (cid:16) | tr (∆ · u ) | < δ (cid:17) (13)Now, let us denote the rounding down of any value v to within accuracy ξ by ¨ v (formally, ¨ v = max i ∈ N i · ξ ≤ v i · ξ ).Assuming we generate a unitary u by choosing θ , ϕ , ϕ , · · · , θ n ′ , ϕ n ′ , ϕ n ′ ∽ [0 , κ ), let us abuse notation anduse ¨ u to denote the unitary which is defined by ¨ θ , ¨ ϕ , ¨ ϕ , · · · , ¨ θ n ′ , ¨ ϕ n ′ , ¨ ϕ n ′ . 
It is straightforward to see that ü ∽ D̂(n′), so (13) will follow from proving:
|tr(∆ · u)| = δ ⇒ |tr(∆ · ü)| ≥ δ − n′ n′ · · ξ · ‖∆‖_Frob (14)
We note:
δ = |tr(∆ · u)| = |tr(∆(u − ü)) + tr(∆ · ü)| ≤ |tr(∆(u − ü))| + |tr(∆ · ü)| ⇒ |tr(∆ · ü)| ≥ δ − |tr(∆(u − ü))| (15)
Also, similarly to Claim 5.1:
|tr(∆(u − ü))| ≤ n′ ‖∆(u − ü)‖ ≤ n′ ‖∆‖ ‖u − ü‖ ≤ n′ ‖∆‖_Frob · n′ · max_{≤ i ≤ n′} ‖u_i − ü_i‖ (16)
And:
max_{≤ i ≤ n′} ‖u_i − ü_i‖ ≤ max_{≤ i ≤ n′} ‖u_i − ü_i‖_Frob ≤ max_{≤ θ,ϕ<κ} · |cos θ · e^{iϕ} − cos θ̈ · e^{iϕ̈}| (17)
Ultimately, we have:
max_{≤ θ,ϕ<κ} |cos θ · e^{iϕ} − cos θ̈ · e^{iϕ̈}| = max_{≤ θ,ϕ<κ} √( (cos θ cos ϕ − cos θ̈ cos ϕ̈)^2 + (cos θ sin ϕ − cos θ̈ sin ϕ̈)^2 )
⇒ max_{≤ θ,ϕ<κ} |cos θ · e^{iϕ} − cos θ̈ · e^{iϕ̈}| ≤ max_{≤ θ<κ} √ |cos θ − cos θ̈| ≤ max_{≤ θ<κ} √ |θ − θ̈| ≤ √ ξ (18)
We conclude the proof by noting that Inequality (14) follows from the Inequalities (15), (16), (17), (18).