Distributed Quantum Proofs for Replicated Data
Pierre Fraigniaud, François Le Gall, Harumichi Nishimura, Ami Paz
DDistributed Quantum Proofs for Replicated Data
Pierre Fraigniaud
IRIF, CNRS and Université de Paris, France
François Le Gall
Graduate School of Mathematics, Nagoya University, Japan
Harumichi Nishimura
Graduate School of Informatics, Nagoya University, Japan
Ami Paz
Faculty of Computer Science, Universität Wien, Austria
Abstract
This paper tackles the issue of checking that all copies of a large data set replicated at several nodesof a network are identical. The fact that the replicas may be located at distant nodes preventsthe system from verifying their equality locally, i.e., by having each node consult only nodes inits vicinity. On the other hand, it remains possible to assign certificates to the nodes, so thatverifying the consistency of the replicas can be achieved locally. However, we show that, as thereplicated data is large, classical certification mechanisms, including distributed Merlin-Arthurprotocols, cannot guarantee good completeness and soundness simultaneously, unless they use verylarge certificates. The main result of this paper is a distributed quantum
Merlin-Arthur protocolenabling the nodes to collectively check the consistency of the replicas, based on small certificates,and in a single round of message exchange between neighbors, with short messages. In particular,the certificate-size is logarithmic in the size of the data set, which gives an exponential advantageover classical certification mechanisms. We propose yet another usage of a fundamental quantumprimitive, called the SWAP test, in order to show our main result.
Theory of computation → Quantum communication complexity;Theory of computation → Distributed computing models
Keywords and phrases
Quantum Computing, Distributed Network Computing, Algorithmic Aspectsof Networks.
Funding
Pierre Fraigniaud : Additional support from the ANR project
DESCARTES . François Le Gall : JSPS KAKENHI grants Nos. JP16H01705, JP19H04066, JP20H04139 andJP20H00579 and MEXT Quantum Leap Flagship Program Grant Number JPMXS0120319794.
Harumichi Nishimura : JSPS KAKENHI grants Nos. JP16H01705, JP19H04066 and MEXT QuantumLeap Flagship Program Grant Number JPMXS0120319794.
Ami Paz : Supported by the Austrian Science Fund (FWF): P 33775-N, Fast Algorithms for aReactive Network Layer.
Acknowledgements
We thank an anonymous reviewer of ITCS 2021 for pointing us to [44].
In the context of distributed systems, the presence of faults potentially corrupting theindividual states of the nodes creates a need to regularly check whether the system is in aglobal state that is legal with respect to its specification. A basic example is a system storingdata, and using replicas in order to support crash failures. In this case, the applicationmanaging the data is in charge of regularly checking that the several replicas of the samedata, stored at different nodes scattered in the network, are all identical. Another exampleis an application maintaining a tree spanning the nodes of a network, e.g., for multicastcommunication. In this case, every node stores a pointer to its parent in the tree, and theapplication must regularly check that the collection of pointers forms a spanning tree. This a r X i v : . [ c s . D C ] N ov Distributed Quantum Proofs for Replicated Data paper addresses the issue of checking the correctness of a distributed system configuration atlow cost.Several mechanisms have been designed for certifying the correctness of the global stateof a system in a distributed manner. One popular mechanism is called locally checkableproofs [24], and it extends the seminal concept of proof-labeling schemes [35]. In theseframeworks, the distributed application does not only construct or maintain some distributeddata structure (e.g., a spanning tree), but also constructs a distributed proof that the datastructure is correct. This proof has the form of a certificate assigned to each node (thecertificates assigned to different nodes do not need to be the same). For collectively checkingthe legality of the current global system state, the nodes exchange their certificates withtheir neighbors in the network. Then, based on its own individual state, its certificate, andthe certificates of its neighbors, every node accepts or rejects, according to the followingspecification. If the global state is legal, and if the certificates are assigned properly by theapplication, then all nodes accept. Conversely, if the global state is illegal, then at least onenode rejects, no matter which certificates are assigned to the nodes . Such a rejecting nodecan raise an alarm, or launch a recovery procedure. The main aim of locally checkable proofsis to be compact , that is, to use certificates as small as possible, for two reasons: first, tolimit the space complexity at each node, and, second, to limit the message complexity of theverification procedure involving communications between neighbors.For instance, in the case of the Spanning Tree predicate, the application does not onlyconstruct a spanning tree T of the network, but also a distributed proof that T is indeed aspanning tree, i.e., that the collection T of pointers forms a cycle-free connected spanningsubgraph. It has been known for long [2, 6, 26] that, by assigning to every node a certificateof logarithmic size, the nodes can collectively check whether T is indeed a spanning tree, in asingle round of communication between neighboring nodes. The certificate assigned to a nodeis the identity of the root of the tree, and its distance to this root (both are of logarithmicsize as long as the IDs are in a range polynomial in the number of nodes). Every node justchecks that it is provided with the same root-ID as all its neighbors in the network, and thatthe distance given to its parent in its certificate is one less than its own given distance —a node with distance 0 checks that its ID is indeed the root-ID provided in its certificate.Obviously, if the collection T of pointers forms a spanning tree, and if the certificates areassigned properly by the application, then all nodes pass these tests, and accept. On theother hand, it is easy to check that if T is not a spanning tree (it is not connected, or itcontains a cycle), then at least one node detects a discrepancy and rejects, no matter whichcertificates are assigned to the nodes.Unfortunately, not all boolean predicates on labeled graphs can be distributedly certifiedusing certificates as small as for spanning tree. This is typically the case of the aforementionedscenario of a distributed data storage using replicas, for which one must certify equality.Let us for instance consider the case of two nodes Alice and Bob at the two extremitiesof a path, that is, the two players are separated by intermediate nodes. Alice and Bobrespectively store two n -bit strings x and y , and the objective is to certify that x = y . Thatis, one wants to certify equality ( EQ ) between distant players. A direct reduction from thenon-deterministic communication complexity of EQ shows that certifying EQ cannot beachieved with certificates smaller than Ω( n ) bits.Randomization may help circumventing the difficulty of certifying some boolean predicateson labeled graphs using small certificates. Hence, a weaker form of protocols has beenconsidered, namely distributed Merlin-Arthur protocols ( dMA ), a.k.a. randomized proof-labeling schemes [22]. In this latter context, Merlin provides the nodes with a proof, just . Fraigniaud, F. Le Gall, H. Nishimura and A. Paz 3 like in locally checkable proofs, and Arthur performs a randomized local verification at eachnode. Unfortunately, some predicates remain hard in this framework too. In particular, aswe show in the paper, there are no classical dMA protocols for (distant) EQ using compactcertificates. Recently, several extensions of dMA protocols were proposed, e.g., by allowingmore interaction between the prover and the verifier [15, 21, 39]. In this work, we add thequantum aspect, while considering only a single interaction, and only in the prescribed order:Merlin sends a proof to Arthur, and then there is no more interaction between them. We carry on the recent trend of research consisting of investigating the power of quantumresources in the context of distributed network computing (cf., e.g., [17, 37, 27, 38, 28, 23]),by designing a distributed Quantum Merlin-Arthur ( dQMA ) protocol for distant EQ , usingcompact certificates and small messages. While we use the dQMA terminology in order tobe consistent with prior work, we emphasize that the structure of the discussed protocols israther simple: each node is given a quantum state as a certificate, the nodes exchange thesestates, perform a local computation, and finally accept or reject.Our main result is the following. A collection of n -bit strings x , . . . , x t are stored at t terminal nodes u , . . . , u t in a network G = ( V, E ), where node u i stores x i . We denote EQ tn the problem of checking the equality x = · · · = x t between the t strings. Let us define the radius of a given instance of EQ tn as r = min i max j dist G ( u i , u j ), where dist G denotes thedistance in the (unweighted) graph G . Our main result is the design of a dQMA protocol for EQ tn , using small certificate. This can be summarized by the following informal statement(the formal statement is in Section 5): (cid:73) Main Result.
There is a distributed Quantum Merlin-Arthur ( dQMA ) protocol for certifyingequality between t binary strings ( EQ tn ) of length n , and located at a radius- r set of t terminals,in a single round of communication between neighboring nodes using certificates of size O ( tr log n ) qubits, and messages of size O ( tr log( n + r )) qubits. It is worth mentioning that, although the dependence in r and t is polynomial, thedependence in the actual size n of the instance remains logarithmic, which is our mainconcern. Indeed, for applications such as the aforementioned distributed data storagemotivating the distant EQ tn problem, it is expected that both the number t of replicas, andthe maximum distance between the nodes storing these replicas are of several orders ofmagnitude smaller than the size n of the stored replicated data.It is also important to note that our protocol satisfies the basic requirement of reusability ,as one aims for protocols enabling regular and frequent verifications that the data are notcorrupted. Specifically, the quantum operations performed on the certificates during thelocal verification phase operated between neighboring nodes preserve the quantum nature ofthese certificates. That is, if EQ tn is satisfied, i.e., if all the replicas x i ’s are equal, then, upto an elementary local relocation of the quantum certificates, these certificates are availablefor a next test. If EQ tn is not satisfied, i.e., if there exists a pair of replicas x i = x j , then thecertificates do not need to be preserved as this scenario corresponds to the case where thecorrectness of the data structure is violated, requiring the activation of recovery proceduresfor fixing the bug, and reassigning certificates to the nodes.Our quantum protocol is based on the SWAP test [12], which is a basic tool in the theoryof quantum computation and quantum information. This test allows to check if a quantumstate is symmetric, and has several applications, such as estimating the inner product of twostates (e.g., [12, 9, 48]), checking whether a given state (or a reduced state of it) is pure or Distributed Quantum Proofs for Replicated Data entangled with the environment system (e.g., [1, 33, 25, 32]), and more. In this paper, weuse the SWAP test in yet another way: for checking if two of the reduced states of a givenstate are close . A similar use was done by Rosgen [44] in a different context — transformingquantum circuits to shallow ones in a hardness reduction proof.Finally, observe that our logarithmic upper bound for dQMA protocols is in contrast tothe linear lower bound that can be shown for classical dMA protocols even for t = 2 on apath of 4 nodes and even for the case where communication between the neighboring nodesis extended to multiple rounds (see precise statement and proof in Section 6). Our resultsthus show that quantum certification mechanism can provide an exponential advantage overclassical certification mechanisms. The concept of distributed proofs is a part of the framework of distributed network computingsince the early works on fault-tolerance (see, e.g., [2, 6, 26]). Proof-labeling schemes wereintroduced in [35], and variants have been studied in [24, 20]. Randomized proof-labelingschemes have been studied in [22]. Extensions of distributed proofs to a hierarchy of decisionmechanisms have been studied in [18] and [7]. Frameworks like cloud computing recentlyenabled envisioning systems in which the nodes of the network could interact with a third party,leading to the concept of distributed interactive proofs [34]. There, each node can interactwith an oracle who has a complete view of the system, is computationally unbounded, but isnot trustable. For instance, in Arthur-Merlin ( dAM ) protocols, the nodes start by queryingthe oracle Merlin, which provides them with answers in their certificates. There is a simpleclassical compact dAM protocol for distant EQ , where the two players stand at the extremitiesof a path (see Section 3). We refer to [15, 21, 39] for recent developments in the framework ofdistributed interactive proofs. While distributed Arthur-Merlin protocols and their extensionsprovide an appealing theoretical framework for studying the power of interactive proofs inthe distributed setting, the practical implementation of such protocols remains questionable,since they all require the existence of a know-all oracle, Merlin, and it is unclear if a Cloudcould play this role. On the other hand, in dMA and dQMA protocols, interaction with anexternal party is not required, but only a one-time assignment of certificates is needed, whichare then reusable for regular verification. As in the classical proof-labeling schemes setting,these certificates can actually be created by the nodes themselves during a pre-processingphase, making the reliance on a know-all oracle unnecessary.After a few early works [8, 17, 23, 45] that shed light on the potential and limitationsof quantum distributed computing (see also [5, 11, 16] for general discussions), evidence ofthe advantage of quantum distributed computing over classical distributed computing havebeen obtained recently for three fundamental models of (synchronous fault-free) distributednetwork computing: the CONGEST model [28, 37], the
CONGEST-CLIQUE model [27] andthe
LOCAL model [38]. The present paper adds to this list another important task for whichquantum distributed computing significantly outperforms classical distributed computing,namely, distributed certification.Note that while this paper is the first to study quantum Merlin-Arthur protocols ina distributed computing framework, there are a number of prior works studying them incommunication complexity [43, 30, 31, 10]. In particular, quantum Merlin-Arthur protocolsare shown to improve some computational measure (say, the total length of the messages fromthe prover to Alice, and of the messages between Alice and Bob) exponentially compared toMerlin-Arthur protocols where the messages from the prover are classical [43, 31].The question of computing functions on inputs that are given to graph nodes was also . Fraigniaud, F. Le Gall, H. Nishimura and A. Paz 5 studied in the context of communication complexity. The equality function was studied forthe case where all nodes have inputs [4]. Other works considered a setting similar to ours,i.e., where only some nodes have inputs [13, 14], but did not study the equality problem.
Distributed verification on graphs.
Let t ≥
2, and let f : ( { , } n ) t → { , } be a function.The aim of the nodes is to collectively decide whether f ( x , . . . , x t ) = 1 or not, where x , . . . , x t are assigned to t nodes of a graph. Specifically, an instance of the problem f is a t -tuple ( x , . . . , x t ) ∈ { , } n × · · · × { , } n , a connected graph G = ( V, E ), and anordered sequence v , . . . , v t of distinct nodes of G . The node v i is given x i as input, for i = 1 , . . . , t . All the other nodes receive no inputs. We consider distributed Merlin-Arthur( dMA ) protocols for deciding whether f ( x , . . . , x t ) = 1, in which a non-trustable prover (Merlin) assigns (or “sends”) certificates to the nodes, and then the nodes (Arthur) perform a1-round randomized verification algorithm. The verification algorithm consists of each nodesimultaneously sending messages to all its immediate neighbors, receiving messages fromthem, then performing a local computation, and finally accepting or rejecting locally. Wesay that a dMA protocol has completeness a and soundness b for a function f if the followingholds for every ( x , . . . , x t ) ∈ { , } n × · · · × { , } n , every connected graph G , and everyordered sequence v , . . . , v t of distinct nodes in G : (completeness) if f ( x , . . . , x t ) = 1, then the prover can assign certificates to the nodessuch that Pr[all nodes accept] ≥ a ; (soundness) if f ( x , . . . , x t ) = 0, then, for every certificate assignment by the prover,Pr[all nodes accept] ≤ b .The completeness condition guarantees that, when the system is in a “legal” state (specifiedby f ( x , . . . , x t ) = 1), with probability at least a all nodes accept. The soundness conditionguarantees that, when the system is in an “illegal” state (specified by f ( x , . . . , x t ) = 0),with probability at least 1 − b at least one node rejects. The value b represents the errorprobability of the protocol on an illegal instance, and thus we sometimes refer to it as the soundness error . A node detecting illegality of the state can raise an alarm, or launch arecovery procedure. Protocols with completeness 1 are called 1-sided protocols, or protocolswith perfect completeness. Similarly to prior works on distributed verification, the certificatesize of the protocol is measured as the maximum size (over all the nodes of the network) ofthe certificate sent by the prover to one of the nodes, and the message size of the protocol ismeasured as the maximum size (over all pairs of adjacent nodes) of the message exchangedbetween two adjacent nodes. Specifically, we will consider the multi-party version of theequality function, EQ tn , which is the boolean-valued function from ( { , } n ) t such that EQ tn ( x , . . . , x t ) = 1 ⇐⇒ x = · · · = x t . In this work, we extend the framework of dMA protocols, to consider also cases wherethe certificates given to the nodes can contain qubits (although they may also containclassical bits) and the nodes can exchange messages consisting of qubits. These will be called distributed Quantum Merlin-Arthur ( dQMA ) protocols. More precisely, in a dQMA protocol We can naturally extend this definition to define dMA protocols with µ rounds of communication amongneighbors, for any integer µ ≥
1. In this paper, however, we focus on the case µ = 1 since all theprotocols we design use only 1-round verification algorithms. The only exception is Section 6, where weshow classical lower bounds that hold even for µ > Distributed Quantum Proofs for Replicated Data for a function f , a non-trustable prover first sends a certificate to each node, which consistsof a quantum state and classical bits; the quantum states may be entangled, even thoughall our quantum protocols do not require any prior entanglement, nor any shared classicalrandom bits. Then the nodes perform a 1-round quantum verification algorithm, whereeach node simultaneously sends a quantum message to all its immediate neighbors, receivesquantum messages from them, then performs a local computation, and finally accepts orrejects locally. Note that, as opposed to the classical setting, we cannot assume that a nodesimply broadcasts its certificate to all its neighbors, as quantum states cannot be duplicated.However, a node can still send copies of the classical parts of the certificate. We definecompleteness and soundness of dQMA protocols as for dMA protocols. Remark.
A special case of interest is when the graph G is a path v , . . . , v r , r ≥
1, wherethe left-end node v has an n -bit string x as input, the right-end node v r has an n -bit string y as input, and the intermediate nodes v , . . . , v r − have no inputs. That is, t = 2. Given afunction f : { , } n × { , } n → { , } , the aim of the nodes is to collectively decide whether f ( x, y ) = 1 or not. This setting is very much related to communication complexity. Classical two-party communication complexity.
We refer to [36] for the basic concepts oftwo-party communication complexity. In this paper we will only consider two-party one-waycommunication complexity. In this model two parties, denoted Alice and Bob, each receivesan input x ∈ { , } n and y ∈ { , } n , respectively. The goal is for Bob to output the value f ( x, y ) for some known Boolean function f : { , } n × { , } n → { , } . Only Alice cansend a message to Bob. The one-way two-sided-error communication complexity of f is theminimum number of bits that have to be sent on the worst input in a protocol that outputsthe correct answer with probability at least 2/3. The one-way one-sided-error communicationcomplexity of f is the minimum number of bits that have to be sent on the worst input in aprotocol that outputs the correct answer with probability 1 on any 1-input, and outputs thecorrect answer with probability at least 2/3 on any 0-input.We shall especially consider the following two functions. The equality function EQ n isdefined as EQ n ( x, y ) = 1 when x = y and EQ n ( x, y ) = 0 otherwise, for any x, y ∈ { , } n .Its one-way one-sided-error communication complexity is O (log n ) — see, e.g., [36]. Forany integer d ≥
0, the Hamming distance function
HAM dn is defined as follows: for any x, y ∈ { , } n , HAM dn ( x, y ) = 1 if the Hamming distance between x and y is at most d , and HAM dn ( x, y ) = 0 otherwise. It is known [48] that, for d constant, the one-way two-sided-errorcommunication complexity of HAM dn is O (log n ).For any Boolean function f : { , } n × { , } n → { , } , a set S ⊆ { , } n × { , } n is a1 -fooling set for f if, on the one hand, for every ( x, y ) ∈ S , f ( x, y ) = 1, and, on the otherhand, for every two pairs ( x , y ) = ( x , y ) in S × S , f ( x , y ) = 0 or f ( x , y ) = 0. Quantum two-party communication complexity.
We assume the reader is familiar withthe basics of quantum computation, in particular the notion of qubits, Dirac notation suchas | ψ i and h ψ | := ( | ψ i ) † , and the quantum circuit model (see Sections 2 and 4 in Ref. [40],for instance). In Appendix A we present more advanced concepts such as mixed states thatwill be used in some of our proofs.Quantum two-party communication complexity, first introduced by Yao [47], is definedsimilarly to the classical version. The only difference is that the players are allowed toexchange qubits instead of bits (the cost of a quantum protocol is the number of qubitssent by the protocol). Note that since quantum protocols can trivially simulate classical . Fraigniaud, F. Le Gall, H. Nishimura and A. Paz 7 protocols, the quantum communication complexity of a function is never larger than itsclassical communication complexity. More precisely, an m -qubit one-way quantum protocol π for the function f can be described in its most general form as follows. Alice prepares an m -qubit (pure) quantum state | h x i and sends it to Bob. Bob then makes a measurementon the state | h x i , which gives an outcome b ∈ { , } . Finally, Bob outputs b . Since Bob’smeasurement in the above description depends only on his input y , it can be mathematicallydescribed, for each y ∈ { , } n , by two positive semi-definite matrices M y, and M y, suchthat M y, + M y, = I . This pair { M y, , M y, } is called a POVM measurement (POVMmeasurements are the most general form of measurements allowed by quantum mechanics). If | h x i is measured by the POVM { M y, , M y, } , the probability that b = 0 is tr( M y, ( | h x ih h x | )),while the probability that b = 1 is tr( M y, ( | h x ih h x | )). Let us provide an intuition of our protocol in the case of EQ n over a path v , . . . , v r of length r ≥ v and v r (that we rename Alice and Bob,for convenience). Let us call x and y the n -bit strings owned by Alice and Bob, respectively.There is a simple classical protocol for distant equality in a somewhat similar setting, wherethe verifier (Arthur, consisting of all the graph nodes) can send random bits to the prover(Merlin) before receiving the certificates; this is called a dAM protocol. In this protocol,Alice picks a hash function h at random in an appropriate family of hash functions (i.e.,a family such that both h and h ( x ) can be encoded using O (log n ) bits and such that theprobability that h ( x ) = h ( y ) is high when x = y ). Merlin provides every node with thecertificate ( h, h ( x )), each node checks it received the same certificates as its neighbors, andBob additionally checks whether h ( x ) = h ( y ). Obviously, one cannot switch the order ofArthur and Merlin, as letting Merlin choose the hash function would enable him to foolArthur on illegal instances by picking h that hashes identically the distinct input strings x and y . The main idea of our dQMA protocol is to ask Merlin to provide the nodes with aquantum certificate consisting of the quantum superposition of all the possible hashes.Entering slightly more into the details, for any x ∈ { , } n we consider the quantumfingerprint | h x i = √ K P h | h i| h ( x ) i , where the sum is over all the hash functions, and √ K isthe normalization factor of the quantum state. By using the same family of hash functionsas in the aforementioned dAM protocol, these fingerprints can be constructed in such a waythat their length is O (log n ) qubits, and | h x i and | h y i are very far (more precisely, almostorthogonal) when x = y . Checking whether the two quantum fingerprints | h x i and | h y i are either equal or far apart can be achieved by a quantum test called the SWAP test [12].Formally, the probability that the SWAP test accepts is 1 / |h h x | h y i| /
2, where h h x | h y i denotes the inner product between the two quantum states | h x i and | h y i .Let us now describe the outline of our dQMA protocol. In the protocol each intermediatenode v , . . . , v r − expects to receive the quantum fingerprint | h x i . Alice, who does not receiveany certificate, creates by herself the fingerprint | h x i , which depends only on x . Similarly,Bob creates by himself the fingerprint | h y i . The checking procedure simply checks whetherall these ( r + 1) fingerprints are equal. This is done by applying the SWAP test to checkwhether the fingerprints owned by adjacent nodes are equal or not. There are however a few Without loss of generality, we assume that Alice does not use any mixed state (i.e., a probabilitydistribution on pure states) in her message, as she can simulate it using a pure state called the purification [40] whose length is at most twice the one of the mixed state.
Distributed Quantum Proofs for Replicated Data subtleties. In particular, since our analysis crucially requires that the SWAP tests do notoverlap, for each node we need to decide whether it will perform the SWAP test with itsright neighbor or its left neighbor. We do it in a randomized way and deal carefully with theconflicting choices that appear. For the case x = y all the SWAP tests then succeed withprobability 1 and thus all the nodes accept.For the case x = y , let us provide some intuition about why a prover cannot fool thenodes for convincing them to all accept. To simplify the description we assume below that | h x i and | h y i are orthogonal (instead of only almost orthogonal). If the prover was forcedto send certificates restricted to product states of the form | g i ⊗ | g i ⊗ · · · | g r − i where | g j i is the state to the j th node, then a fairly straightforward argument would guarantee that,with large probability, at least one node rejects. Indeed, under the product states restriction,intuitively the best strategy for the prover to cheat is to send states “intermediate” between | h x i and | h y i , namely, to send the state | g j i = cos( πj/ r ) | h x i + sin( πj/ r ) | h y i to node v j for each j ∈ { , . . . , r − } . Then, the probability that all nodes accept when performing theSWAP tests would be roughly Q r − j =1 (1 / |h g j | g j +1 i| /
2) = 1 − Ω(1 /r ). The cheating provercould then be caught with probability Ω(1 /r ), and this probability can be amplified to Ω(1)by asking the prover to send several copies of the certificates (amplification is possible sinceour protocol has perfect completeness).The formal analysis of the protocol however faces several difficulties, which are mostlydue to the nature of quantum computation, and are especially challenging to handle in theframework of distributed computation. For instance, quantum states cannot be duplicated(the “no-cloning Theorem”), which implies that a same quantum state cannot be usedfor parallel tests. Additionally, even sequential tests face the difficulty that the first testmay collapse the quantum state, making the second test impossible to perform (or at leastsignificantly complicating the analysis of the second test). Thus node v i cannot perform theSWAP test with its two neighbors v i − and v i +1 simultaneously and (as already mentioned)we have to design carefully the protocol so that the SWAP tests do not overlap. A second, andmuch more problematic issue is that the non-trustable Merlin can send arbitrary certificatesto the nodes for fooling them. In particular it is not restricted to send certificates that areproduct states. A priori, it may seem that the SWAP test is not strong enough to handlefooling strategies beyond product states. In this work we show that the SWAP test canactually detect such fooling strategies.Specifically, our approach consists in considering the so-called reduced states , and toestablish the following property of the SWAP test (cf. Lemma 5 in Section 4). If the SWAPtest accepts with high probability when applied on the part of any two adjacent nodes in a(possibly non-product) global quantum state resulting from the certificates, then the tworeduced states of that part (which is a bipartite state) must be close. As the two states | h x i and | h y i are very far apart when x = y , we can thus use this result to show that there is agood probability that the SWAP test rejects at some node. Moreover, using reduced statesallows us to overcome other technical difficulties in the analysis of the (non-overlapping)SWAP tests we consider. Indeed, some form of average-case success probability of all theSWAP tests can be considered, instead of having to argue about the probability that all theSWAP tests individually accept. In this section we restrict ourselves to the case of a path v , . . . , v r of length r ≥
1, in whichonly the two extremities v and v r are given inputs. This framework allows us to elaborate . Fraigniaud, F. Le Gall, H. Nishimura and A. Paz 9 our main technique, that will be extended to arbitrary graphs in Section 5. Let x ∈ { , } n be the input to v , and y ∈ { , } n be the input to v r . Our goal is to design a dQMA protocolto decide whether f ( x, y ) = 1 or not, for some given Boolean function on { , } n × { , } n .We show the following general theorem that converts a one-way quantum communicationcomplexity protocol into a quantum Merlin-Arthur protocol for the corresponding long-distance problem on the path. This theorem applies not only to one-sided-error protocols,but also to the two-sided-error case (with a logarithmic additional factor in the complexity). (cid:73) Theorem 1.
Let f : { , } n × { , } n → { , } be a Boolean function.If f has a quantum one-way one-sided-error communication protocol transmitting at most q qubits, then there exists a 1-sided distributed quantum Merlin-Arthur protocol for f on the path of length r , with soundness / , using certificates of size O ( r q ) qubits, andexchanging messages of length O ( r ( q + log r )) qubits.If f has a quantum one-way two-sided-error communication protocol transmitting at most q qubits, then, for any constant c , there exists a distributed quantum Merlin-Arthur protocolfor f on the path of length r with completeness − /n c , soundness / , using certificatesof size O ( r q log( n + r )) qubits, and exchanging messages of length O ( r q log( n + r )) qubits. Using known results (cf. Section 2) about one-way communication complexities of EQ n and HAM dn , the following two results are direct applications of Theorem 1. (cid:73) Corollary 2.
There exists a one-sided quantum Merlin-Arthur protocol for EQ n in the pathof length r with soundness / , using certificates of size O ( r log n ) qubits, and exchangingmessages of length O ( r log( n + r )) qubits. (cid:73) Corollary 3.
For any c > and d > , there exists a quantum Merlin-Arthur protocol for HAM dn in the path of length r with completeness − /n c , soundness / , using certificates oflength O ( r (log n ) log( n + r )) qubits, and exchanging messages of length O ( r (log n ) log( n + r )) qubits. The rest of this section is dedicated to proving Theorem 1. Let us first give an overviewof the proof. In our dQMA protocol in the path, the verification algorithm performed by thenodes on the line is merely a simulation of a two-party one-way quantum communicationcomplexity protocol π between Alice and Bob for the function f ( x, y ), with the help ofcertificates provided by the prover. Specifically, every intermediate node v , . . . , v r − expectsto receive the quantum state sent by Alice to Bob in π , as certificate. Let us denote by | h x i this state, which depends on x . The right-end node v r simulates the two-party protocol π using | h x i received from the left neighbor v r − , and applying Bob’s measurement (i.e., thePOVM measurement). If f ( x, y ) = 1, the prover honestly sends the desired state, and v r accepts as it does receive | h x i . However, if f ( x, y ) = 0, then the malicious prover does notnecessarily send a desired state. To catch the potentially malicious behavior of the prover on“illegal” instances (i.e., those for which f ( x, y ) = 0), each intermediate node checks whetherits local proof is “close to” the one of its right neighbor. This is performed by an applicationof the SWAP test.Section 4.1 below describes in more detail how to construct the distributed quantumMerlin-Arthur protocol, denoted P π , from an arbitrary one-way quantum communicationprotocol π for the function f . Section 4.2 analyzes the completeness and the soundness of Here we are using the fact that log n + log r is of the same order as log( n + r ) for conciseness. the protocol P π . Finally, Section 4.3 shows how to reduce the soundness error using “parallelrepetitions” and how to apply this analysis to prove Theorem 1. Let ε ≥ π be aquantum one-way communication protocol for f transmitting at most q qubits, such that,for every input pair ( x, y ), if f ( x, y ) = 1 then π outputs 1 with probability at least 1 − ε , andif f ( x, y ) = 0 then π outputs 0 with probability at least 2 /
3. Let | h x i be the q -qubit (pure)state sent from Alice to Bob, and let { M y, , M y, } be the POVM measurement performedby Bob on | h x i , where M y, corresponds to the measurement result 1 (accept) and M y, tothe measurement result 0 (reject). Our quantum Merlin-Arthur protocol P π is as follows. Protocol P π for function f on input pair ( x, y ) in path v , . . . , v r : If f ( x, y ) = 1 then the prover sends the quantum register R j that has the state | h x i (or | h x ih h x | as the mixed state representation) as certificate to each of theintermediate nodes v j , j ∈ { , . . . , r − } . The left-end node v prepares the state ρ = | h x ih h x | in quantum register R . For every j = 0 , . . . , r −
1, the node v j chooses a bit b j uniformly at random, andsends its quantum register R j to the right neighbor v j +1 whenever b j = 0. For every j = 1 , . . . , r −
1, if v j receives a quantum register from its left neighbor v j − , and if b j = 1, then v j performs the SWAP test on the registers ( R j − , R j ),and accepts or rejects accordingly; Otherwise, v j accepts. If the right-end node v r receives a quantum register R r − from its left neighbor,then v r performs the POVM measurement { M y, , M y, } corresponding to π appliedto the state in R r − , and accepts or rejects accordingly; Otherwise, v r accepts.In the above protocol P π , the size of the quantum certificate that each node receivesfrom the prover is at most q , and the length of the quantum message that each node sendsto the neighbor is also at most q . In the next subsection, we prove that the above protocolhas completeness 1 − ε/ − / r . P π For the analysis, we recall the SWAP test. The test is a protocol with a given input state on H = H ⊗ H , where H and H are complex Euclidian spaces. Here, we consider H and H as quantum registers R and R . SWAP test on a pure state | ψ i on H , which is given in registers ( R , R ). Prepare the single-qubit state | + i = √ ( | i + | i ) in register R . If the content of R is 1, then apply the swap operator S on the state | ψ i in registers ( R , R ), where S is defined by S ( | j i| j i ) = | j i| j i (namely, S swaps register R and register R ). Apply the Hadamard operator H = √ (cid:0) − (cid:1) on the state in register R , and measure the content in the standard basis. Accept if thecontent is 0, and reject otherwise. Completeness.
The following lemma is a direct consequence of the definition of the SWAPtest. Here, H S is the symmetric subspace in H (namely, the subspace spanned by the statesinvariant by the swap operator S , or equivalently, the eigenstates of S with eigenvalue 1), and . Fraigniaud, F. Le Gall, H. Nishimura and A. Paz 11 H A is the anti-symmetric subspace in H (namely, the subspace spanned by the eigenstatesof S with eigenvalue − H is represented as the superposition of astate in H S (symmetric state) and a state in H A (anti-symmetric state) as the swap operator S is a Hermitian matrix that only has +1 and − (cid:73) Lemma 4.
Assume that | ψ i = α | ψ S i + β | ψ A i where | ψ S i ∈ H S and | ψ A i ∈ H A . Then,the SWAP test on input | ψ i accepts with probability | α | . Proof.
Noting that S | ψ S i = | ψ S i and S | ψ A i = −| ψ A i , the state after Step 2 is1 √ | i| ψ i + | i S | ψ i ) = 1 √ α | i| ψ S i + β | i| ψ A i + α | i| ψ S i − β | i| ψ A i )= 1 √ | i ( α | ψ S i + β | ψ A i ) + | i ( α | ψ S i − β | ψ A i )] . The final state obtained in Step 3 is1 √ H | i )( α | ψ S i + β | ψ A i ) + ( H | i )( α | ψ S i − β | ψ A i )]= 12 [( | i + | i )( α | ψ S i + β | ψ A i ) + ( | i − | i )( α | ψ S i − β | ψ A i )]= α | i| ψ S i + β | i| ψ A i . Thus, the probability that 0 is measured on R (and thus is accepted) is | α | . (cid:74) For the completeness, assume f ( x, y ) = 1. The prover then sends | h x i to all theintermediate nodes. Then, all the nodes except the right-end node have | h x i . By Lemma 4,all the SWAP tests done in Step 4 are accepted with probability 1 (note that | h x i ⊗ | h x i is a symmetric state). Furthermore, the right-end node accepts with probability at least(1 − ε ) / / − ε/ v r can receive | h x i and simulate π with probability 1 / Soundness.
The following lemma presents a crucial property of the SWAP test: its ap-plicability for checking whether the two reduced states are close. It is a trace-distanceversion of a lemma by Rosgen [44, Lemma 5.1]. Here, a reduced state intuitively rep-resents the local information on its own quantum system, by disregarding the outsidesystems. Note that the trace distance between two quantum states ρ and σ is character-ized as dist ( ρ, σ ) = max M tr( M ( ρ − σ )) , where the maximization is taken over all positivesemi-definite matrices M such that M ≤ I . (cid:73) Lemma 5.
Let z ≥ , and assume that the SWAP test on input ρ in the input register ( R , R ) accepts with probability − /z . Then, dist ( ρ , ρ ) ≤ / √ z + 1 /z , where ρ j is thereduced state on R j of ρ . Moreover, if the SWAP test on input ρ accepts with probability 1,then ρ = ρ (and hence dist ( ρ , ρ ) = 0 ). Proof.
First, we observe the second statement. By Lemma 4, if ρ includes some asymmetricstate, the SWAP test rejects with a non-zero probability. Hence, ρ must consist of onlysymmetric states, which means that the two reduced states of ρ coincides.In the remaining part, we prove the first statement. The mixed state ρ can be representedas ρ = P j p j | ψ j ih ψ j | (which means that the state is in a (pure) state | ψ j i with probability p j ). Moreover, each | ψ j i can be represented as a superposition of a symmetric state andan antisymetric state, namely, | ψ j i = α j | ψ Sj i + β j | ψ Aj i with some symmetric state | ψ Sj i and some antisymmetric state | ψ Aj i , where | α j | + | β j | = 1. Then, by Lemma 4 and theassumption, P j p j | α j | ≥ − /z , and thus, X j p j | β j | ≤ z . (1)The mixed state ρ is furthermore rewritten as ρ = X j p j (cid:0) | α j | | ψ Sj ih ψ Sj | + α j β ∗ j | ψ Sj ih ψ Aj | + α ∗ j β | ψ Aj ih ψ Sj | + | β | | ψ Aj ih ψ Aj | (cid:1) , (2)and the reduced state ρ − i = tr i ( ρ ) ( i = 1 ,
2) on H − i (obtained by tracing out on H i ) istr i ( ρ ) = X j p j (cid:0) | α j | tr i ( | ψ Sj ih ψ Sj | ) + α j β ∗ j tr i ( | ψ Sj ih ψ Aj | )+ α ∗ j β tr i ( | ψ Aj ih ψ Sj | ) + | β j | tr i ( | ψ Aj ih ψ Aj | ) (cid:1) . As tr ( | ψ Sj ih ψ Sj | ) = tr ( | ψ Sj ih ψ Sj | ) from the definition of the symmetric state,tr ( ρ ) − tr ( ρ )= X j p j (cid:0) α j β ∗ j [tr ( ρ saj ) − tr ( ρ saj )] + α ∗ j β j [tr ( ρ asj ) − tr ( ρ asj )] + | β j | [tr ( ρ aj ) − tr ( ρ aj )] (cid:1) , where ρ saj = | ψ Sj ih ψ Aj | , ρ asj = | ψ Aj ih ψ Sj | , and ρ aj = | ψ Aj ih ψ Aj | . By the positive scalability andthe triangle inequality of the trace norm, k tr ( ρ ) − tr ( ρ ) k tr is at most X j p j (cid:0) | α j || β j |k tr ( ρ saj ) − tr ( ρ saj ) k tr + | α j || β j |k tr ( ρ asj ) − tr ( ρ asj ) k tr + | β j | k tr ( ρ aj ) − tr ( ρ aj ) k tr (cid:1) . As ρ aj is a quantum state (with trace norm 1), we have k tr ( ρ aj ) − tr ( ρ aj ) k tr ≤ k tr ( ρ aj ) k tr + k tr ( ρ aj ) k tr = 1 + 1 ≤ . On the contrary, we notice that ρ saj (or ρ asj ) is not a quantum state. However, by Lemma 11and the fact that the fidelity between two quantum states is at most 1, k tr i ( ρ saj ) k tr = k tr i ( | ψ Sj ih ψ Aj | ) k tr = F (tr − i ( | ψ Aj ih ψ Aj | ) , tr − i ( | ψ Sj ih ψ Sj | )) ≤ , and thus, k tr ( ρ saj ) − tr ( ρ saj ) k tr ≤ . Similarly, we have k tr ( ρ asj ) − tr ( ρ asj ) k tr ≤
2. Therefore, k tr ( ρ ) − tr ( ρ ) k tr ≤ X j p j | α j || β j | + X j p j | β j | . (3)By Eq. (1), the second term of the right-hand side is at most 2 /z . By the Cauchy-Schwarzinequality (and | α j | ≤ X j √ p j √ p j | β j | ≤ X j p j / X j p j | β j | / ≤ r z . This induces that dist ( ρ , ρ ) = 12 k tr ( ρ ) − tr ( ρ ) k tr ≤ z + 2 r z . (cid:74) . Fraigniaud, F. Le Gall, H. Nishimura and A. Paz 13 For the soundness, let ( x, y ) be any pair such that f ( x, y ) = 0. (cid:73) Lemma 6.
For every j ∈ { , . . . , r } , let F j be the event that v j performs the local test(SWAP or POVM) in Protocol P π , and let E j be the event that this local test rejects. Thenwe have P rj =1 Pr[ E j | F j ] ≥ r . Proof.
Let α j = Pr[ E j | F j ]. Then, for every j ∈ { , . . . , r } , Pr[ E j | F j ] = 1 − α j , where wenote that the complementary event E j for j = 1 , . . . , r − q -qubit states ρ j − and ρ j accepts, and E r represents the event that the result ofthe POVM measurement is 1 (accept), which corresponds to the POVM element M y, . ByLemma 5, the trace distance dist between the reduced q -qubit states ρ j − on v j − and ρ j on v j is dist ( ρ j − , ρ j ) ≤ ( √ /α j + /α j if α j = 00 otherwiseThus dist ( ρ j − , ρ j ) ≤ √ α j . Then, by the triangle inequality, dist ( ρ , ρ r − ) ≤ r − X j =1 dist ( ρ j − , ρ j ) ≤ r − X j =1 √ α j . For Pr[ E r | F r ], the soundness of π promises that the probability that the test { M y, , M y, } rejects ρ = | h x ih h x | is at least 2 /
3, i.e., tr( M y, ρ ) ≥ /
3. Hence, α r = Pr[ E r | F r ] = tr( M y, ρ r − ) ≥ − dist ( ρ , ρ r − ) ≥ − r − X j =1 √ α j , where the first inequality comes from the characterization of dist on indistinguishability oftwo states, that is, | tr( M y, ρ ) − tr( M y, ρ r − ) | ≤ dist ( ρ , ρ r − ). Thus, we have3 r X j =1 √ α j ≥ α r + 3 r − X j =1 √ α j ≥ . By the Cauchy-Schwarz inequality, √ r vuut r X j =1 α j ≥ r X j =1 √ α j , and thus we have r X j =1 α j ≥ (cid:18) √ r (cid:19) ≥ r . (cid:74) In Steps 4 and 5, node v j , 1 ≤ j ≤ r , performs the local test (SWAP or POVM) withprobability at least 1 / v j , 1 ≤ j ≤ r −
1, performs the SWAP test withprobability 1 / v r performs the POVM with probability 1 / j ∈ { , . . . , r } , the event F j occurs in at least (1 / × r outcomes of all the 2 r possibleoutcomes b · · · b r − that can be obtained in Step 3. Here, we consider any fixed outcomes b · · · b r − that induce k events F j , F j , . . . , F j k with k = 0 where we note that 0 ≤ k ≤ b r/ c in general. The probability that some node rejects in Steps 4 or 5 under this outcome isPr[ ∨ ki =1 E j i | ∧ ki =1 F j i ] ≥ b r/ c k X i =1 Pr[ E j i | ∧ ki =1 F j i ] = 1 b r/ c k X i =1 Pr[ E j i | F j i ] , where the inequality comes from Lemma 12 in Appendix B, and the equality comes from thefact that each of F j i and E j i is independent from all the other event F j i with i = i (notethat | j i − j i | ≥ F j − and F j never occur at the same time). As each outcome occurswith probability 1 / r , the probability that some node rejects in Steps 4 or 5 is at least12 r · [(1 / · r ] · b r/ c r X j =1 Pr[ E j | F j ] ≥ r r X j =1 Pr[ E j | F j ] ≥ r · r = 142 r , where the second last inequality comes from Lemma 6. So far, we have shown that the protocol P π has a completeness parameter very close to 1, buthigh soundness error. To establish Theorem 1, we need to reduce the soundness error withoutdegrading the completeness too much. This is achieved via a form of parallel repetition of P π , by taking the logical conjunction of the outputs obtained by repetitions. The protocolresulting from k repetitions of P π is denoted by P π [ k ], and works as follows. Protocol P π [ k ] : Soundness reduction of Protocol P π If f ( x, y ) = 1 then the prover sends the k quantum registers R j,i ( i = 1 , . . . , k ),each of which has a state | h x i as certificate, to each of the intermediate nodes v j , j ∈ { , . . . , r − } . The left-end node v prepares the k quantum registers R ,i , each of which has | h x i . For every j = 0 , . . . , r −
1, the node v j chooses a k -bit string b j, · · · b j,k uniformlyat random, and sends R j,i , together with the index i , to its right neighbor v j +1 whenever b j,i = 0. For every j = 1 , . . . , r − i = 1 , . . . , k , if the node v j receives anindex i , and if b j,i = 1, then v j performs the SWAP test on ( R j − ,i , R j,i ). Node v j rejects whenever at least one of the performed SWAP tests rejects, and it acceptsotherwise. If the right-end node v r receives an index i ∈ { , . . . , k } , then it performs thePOVM measurement { M y, , M y, } corresponding to π applied to the state in R r − ,i . Node v r rejects if at least one of the performed POVM measurementsrejects, and it accepts otherwise.Protocol P π [ k ] has completeness (1 − ε/ k , that is, the completeness has not reducedmuch whenever ε is small. By a similar analysis of standard error reduction techniquesfor quantum Merlin-Arthur games as the analysis in [3, 29], one can show that P π [ k ] hassoundness (1 − / r ) k . By choosing k = 84 r , the resulting protocol P π [ k ] has completeness1 − r ε and soundness error (1 /e ) < /
3, while the size of the certificates is O ( r q ) qubits,and the length of the message exchanged between neighbors is O ( r ( q + log r )) (where theadditional term log r comes from the index to the right neighbor in Step 3 of P π [ k ]).Theorem 1 can now be easily derived from the above analysis. For the first part of thetheorem, where f is having a one-sided-error one-way protocol π , simply use the protocol P π from Section 4.1 with ε = 0. The result then follows from the analysis of Section 4.2 andfrom the above discussion about soundness reduction.For the case of second part of the theorem, where f is having a two-sided-error one-wayprotocol, we repeat the protocol π for O (log( n + r )) times and using majority voting toget a protocol that correctly computes the value of the function with probability at least1 − / n c r . The protocol π of Section 4.1 can thus be chosen with ε = 1 / n c r , withmessage size O ( q log( n + r )). The result then follows similarly. (cid:74) . Fraigniaud, F. Le Gall, H. Nishimura and A. Paz 15 Figure 1
The construction of a spanning tree: a graph G (left) and its corresponding spanningtree T (right). Terminals are marked by squares, and c is the root. Node b (resp. c ), which was aterminal, is replaced by a non-terminal node b (resp. c ), while the other terminals are leaves in thetree so they remain unmodified. We now extend our protocol for checking equality between n -bit strings x , . . . , x t stored at t ≥ u , . . . , u t of a connected simple graph G . We first show how to reducethe problem to trees of a specific structure, and then present a protocol for trees. Let G = ( V, E ) be a connected simple graph, and let u , . . . , u t be t ≥ G .Assume, without loss of generality, that u is the most central node among them, i.e., it satisfiesmax i =1 ,...,t dist G ( u , u i ) = min j =1 ,...,t max i =1 ,...,t dist G ( u j , u i ) . Let r = max i =1 ,...,t dist G ( u , u i )be the radius of the t terminals u , . . . , u t . We construct a tree T rooted at u , that has allterminals as leaves, maximum degree t and depth at most r + 1 (see Figure 1). To this end,start with a BFS tree T in G , rooted at u . Truncate the tree at each terminal u i that doesnot have any terminal as successors, thus limiting the depth to r and the degree to t . Forevery terminal u i that is not a leaf, including u , replace u i with a node u i , and connect u i to u i as a leaf, where the input x i stays at u i — this guarantees that all inputs are now onleaves, the same degree bound holds, and the depth is increased by at most 1.While T is not a sub-tree of G , we can easily emulate an algorithm or a labeling schemedesigned for T , in G (specifically, in T ). To this end, every internal terminal u i in T simulatesthe behavior of u i itself, and also of u i . The following lemma is using classical assumptionsof network computing (see, e.g., [42]) and can be proved using standard techniques (see, e.g.,[35]). We refer to the tree T in the construction described above. (cid:73) Lemma 7.
For any graph G = ( V, E ) with nodes IDs taken in a range polynomial in | V | ,there is a deterministic distributed Merlin-Arthur protocol for the tree T using certificates on O (log | V | ) bits. The term deterministic in the above lemma means that the verification process isdeterministic, which implies perfect completeness and perfect soundness (i.e., soundnesserror 0). Roughly speaking, in this protocol each non-tree node will have a (non-quantum)label indicating its distance from the tree, and each tree node will have as label its depth inthe tree, the ID of its parent, and the ID of the root.
Based on our tree construction from a graph and Lemma 7, we can restrict our attention tothe case in which the t terminals u , . . . , u t , who hold the n -bit strings x , . . . , x t , belong to a tree T rooted at u , of depth equal to r + 1, where r is the radius of the terminals, withmaximum degree t , and with leaves u , . . . , u t . Moreover, we assume that the root u itselfis of degree 1 due to our tree construction. We present a distributed quantum Merlin-Arthurprotocol for the equality function EQ tn in this setting, and hence prove our main result. (cid:73) Theorem 8.
There is a distributed quantum Merlin-Arthur protocol on T for EQ tn between t terminals of radius r , with perfect completeness, soundness / , certificate size O ( t r log n ) qubits, and message length O ( t r log( n + r )) qubits. Proof.
Let π be a one-way communication protocol for EQ n transmitting m = O (log n ) qubitssuch that, for every input pair ( x, y ), if x = y then π outputs 1 with probability 1 and if x = y then π outputs 0 with probability at least 2 / x, y ), let | h x i be the quantum message from Alice to Bob in π , and let { M y, , M y, } be the POVM measurement done by Bob on | h x i in π , where M y, correspondsto the measurement result 1 (accept), and M y, corresponds to the measurement result 0(reject), respectively. Our quantum Merlin-Arthur protocol is as follows. Protocol P ( EQ tn ) for equality in trees If EQ tn ( x , . . . , x t ) = 1 then the prover sends an m -qubit state equal to | h x i toeach of the nodes v that have no input. For every i ∈ { , . . . , t } , node u i prepares the m -qubit state | h x i i . Every non-root node v of the tree chooses a bit b v uniformly at random. If b v = 0,then v sends its m -qubit state to its parent in T . For every non-terminal node v , if v receives a state from the children, and if b v = 1,then v performs the SWAP test on the 2 m -qubit state that consists of the m -qubitstate received from the prover and an m -qubit state received from the children,which is chosen uniformly at random if he/she receives multiple m -qubit statesfrom the children, and accepts or rejects accordingly. Otherwise, v accepts. If the root node u receives a state from its children, then u performs the POVMmeasurement { M x , , M x , } on an m -qubit state received from the children, whichis chosen uniformly at random if he/she receives multiple m -qubit states from thechildren, and accepts or rejects accordingly. Otherwise, u accepts.The perfect completeness trivially holds since every local test yields acceptance withcertainty. For the soundness, if EQ tn ( x , . . . , x t ) = 0 then there is a leaf u i , i >
1, with x i = x . Then, we can perform almost the same analysis as in Section 4, but for the pathconnecting u and u i in T . The only difference is the probability that each local test occurs;it is at least 1 / P π done in Section 4, while it is at least (1 / · (1 /t ) in theprotocol P ( EQ tn ) we are now considering, as every non-terminal node v j or u on the pathchooses the m -qubit state from the child on the path uniformly at random from the multiple m -qubit states (possibly) sent from all the children. Hence, P ( EQ tn ) has soundness error1 − O (1 /tr ). The proof is completed by performing O ( tr ) parallel repetitions of P ( EQ tn )for error reduction, similarly to the O ( r ) parallel repetitions of P π in Section 4. (cid:74) Remark.
Using Lemma 7, we get that, up to adding O (log | V | ) classical bits in the certificatesof the nodes, Theorem 8 can be extended to the case where the terminals are in a connectedgraph G = ( V, E ). . Fraigniaud, F. Le Gall, H. Nishimura and A. Paz 17 In this section, we show that non-quantum distributed Merlin-Arthur ( dMA ) protocols fordistant EQ require certificates of linear size. In fact, we establish a more general lowerbound which applies to all functions f with large fooling set, even using shared randomness.In addition, the bound holds for settings which allow the graph nodes to have multiplecommunication rounds among them, after receiving the certificates and before deciding ifthey finally accept (see, e.g., [19, 41]).For the lower bound, it is sufficient to consider the path v , . . . , v r in which v and v r areprovided with inputs x and y , respectively. (cid:73) Theorem 9.
Let r ≥ µ + 1 , and let f ( x, y ) be any Boolean function with a -fooling setof size at least k . Let P be a classical Merlin-Arthur protocol for f in a path of r edges,with µ rounds of communication among the nodes, shared randomness, certificates of size b µ log( k − c bits, and completeness − p . Then P has soundness error at least − p . Proof.
Consider the path v , . . . , v r with a fixed identifier assignment, and inputs x and y given to v and v r , respectively. Since f has large 1-fooling set but small certificates, there existtwo distinct pairs of “fooling” inputs that have the same certificate assignments on the 2 µ node v , . . . , v µ . That is, we can fix two input pairs ( x, y ) and ( x , y ), with f ( x, y ) = f ( x , y ) = 1,and, w.l.o.g., f ( x, y ) = 0, with corresponding certificate assignments w and w , such that w ( v i ) = w ( v i ) for every i ∈ { , . . . , µ } , where w ( v i ) and w ( v i ) are the certificate assigned to the node v i in the assignments w and w , respectively.We interpret the outputs as Boolean values, where accept = 1 and reject = 0, and denoteby out i ( x, y, w ) the output of v i when the inputs are x and y and the certificate assignmentis w . Since P has completeness 1 − p , we havePr s (cid:2) ^ i ≤ µ out i ( x, y, w ) = 1 ∧ ^ i ≥ µ +1 out i ( x, y, w ) = 1 (cid:3) ≥ − p, and the same holds for ( x , y , w ). Hence,Pr s h ^ i ≤ µ out i ( x, y, w ) = 1 i ≥ − p, and Pr s h ^ i ≥ µ +1 out i ( x , y , w ) = 1 i ≥ − p. The output out i of every node v i is a function of its own identifier and certificate, thecertificates of the nodes in its distance- µ neighborhood, and the public random string s . Inaddition, the outputs of v , v , . . . , v µ may also depend on the input x to v , and the outputsof v r − µ , . . . , v r may also depend on the input y to v r . Formally speaking, the outputs canalso depend on the identifiers of the neighbors, but these are fixed given the node’s identifier,so we ignore them henceforth.Let w be the certificate assignment defined by w ( v ) = w ( v ); w ( v i ) = w ( v i ) = w ( v i ) for i ∈ { , . . . , µ } ; w ( v i ) = w ( v i ) for i ∈ { µ + 1 , . . . , r } . Consider the input assignment ( x, y ) combined with the certificate assignment w . Thedefinition of w implies that nodes v , . . . , v µ receive the same certificates as in w , and thus nodes v , . . . , v µ cannot distinguish this form the input assignment ( x, y ) with certificatesassignment w . On the other hand, nodes v , . . . , v r receive the same certificates as in w ,so the nodes v µ +1 , . . . , v r cannot distinguish this form the input assignment ( x , y ) withcertificates assignment w .A union bound finishes the proof:Pr s h ^ i ≤ µ out i ( x, y , w ) = 1 ∧ ^ i ≥ µ +1 out i ( x, y , w ) = 1 i = Pr s h ^ i ≤ µ out i ( x, y, w ) = 1 ∧ ^ i ≥ µ +1 out i ( x , y , w ) = 1 i ≥ − Pr s h ¬ ^ i ≤ µ out i ( x, y, w ) = 1 i − Pr s h ¬ ^ i ≥ µ +1 out i ( x , y , w ) = 1 i ≥ − p. That is, we found a certificate assignment w for the input ( x, y ) which makes all nodeaccept with probability at least 1 − p , even though f ( x, y ) = 0. Hence, the soundness erroris at least 1 − p , as claimed. (cid:74) Since EQ n has a 1-fooling set of size 2 n , the corollary below follows directly from Theorem 9.The case r = 3 and µ = 1 gives a linear lower bound for dMA protocols on a 4-node path. (cid:73) Corollary 10.
For every r ≥ µ + 1 , every distributed (classical) Merlin-Arthur protocol for EQ n with µ rounds of communication among the nodes in the path of r edges with certificatesof size at most b ( n − / µ c bits, and completeness − p has soundness error at least − p . The requirements for a good protocol is to have a high completeness (i.e., small valuefor p , ideally p = 0) and a reasonably small soundness error. Corollary 10 precisely showsthat for the equality function such protocols cannot exist in the classical setting unless thecertificate size is linear in n . Remark.
The completeness-soundness gap of Theorem 9 is optimal in general, in the sensethat it cannot be improved for EQ , i.e., distant equality between two input bits. Considerthe following protocol P for EQ , on input ( x, y ) ∈ { , } × { , } . It uses a shared randomvariable X ∈ {− , , } with Pr[ X = 0] = Pr[ X = 1] = p , and Pr[ X = −
1] = 1 − p . Inthe case X = −
1, all the nodes accept. In the case X ∈ { , } , v accepts whenever X = x , v r accepts whenever X = y , and all the other nodes accept. If x = y , the probability that allthe nodes accept is 1 − p + (1 / · (2 p ) = 1 − p . If x = y , then either v or v r systematicallyrejects for X = −
1, and thus the probability that all the nodes accept is 1 − p . In this paper, we extended the notion of randomized proof-labeling scheme to the quantumsetting. We showed the efficiency of distributed quantum certification mechanisms bydesigning a distributed quantum Merlin-Arthur protocol for EQ tn between t parties spreadout in a graph, using certificates and messages whose size depend logarithmically on n , thesize of the data. This is in contrast to classical distributed Merlin-Arthur protocols, whichrequire certificates of size linear in n , even when messages of unbounded size can be used.Our result was obtained by using an interesting property of the SWAP test: it can be appliedfor checking proximity properties between reduced states. . Fraigniaud, F. Le Gall, H. Nishimura and A. Paz 19 Which other Boolean predicates on labeled graphs, beyond equality, could take benefitfrom quantum resources for the design of compact distributed certification schemes is anintriguing question. Theorem 1 gives a partial answer on the path. A complete answer tothis question would significantly help improving our comprehension of the power of quantumcomputing in the distributed setting.
References Scott Aaronson, Salman Beigi, Andrew Drucker, Bill Fefferman, and Peter W. Shor. The powerof unentanglement.
Theory of Computing , 5:1:1–1:42, 2009. doi:10.4086/toc.2009.v005a001 . Yehuda Afek, Shay Kutten, and Moti Yung. The local detection paradigm and its applicationto self-stabilization.
Theoretical Computer Science , 186(1-2):199–229, 1997. doi:10.1016/S0304-3975(96)00286-1 . Dorit Aharonov and Tomer Naveh. Quantum NP – a survey. arXiv:quant-ph/0210077v1, 2002.URL: https://arxiv.org/abs/quant-ph/0210077 . Noga Alon, Klim Efremenko, and Benny Sudakov. Testing equality in communication graphs.
IEEE Transactions on Information Theory , 63(11):7569–7574, 2017. doi:10.1109/TIT.2017.2744608 . Heger Arfaoui and Pierre Fraigniaud. What can be computed without communications?
SIGACT News , 45(3):82–104, 2014. doi:10.1145/2670418.2670440 . Baruch Awerbuch, Boaz Patt-Shamir, and George Varghese. Self-stabilization by local checkingand correction (extended abstract). In , pages 268–277, 1991. doi:10.1109/SFCS.1991.185378 . Alkida Balliu, Gianlorenzo D’Angelo, Pierre Fraigniaud, and Dennis Olivetti. What canbe verified locally?
Journal of Computer System and Sciences , 97:106–120, 2018. doi:10.1016/j.jcss.2018.05.004 . Michael Ben-Or and Avinatan Hassidim. Fast quantum byzantine agreement. In , pages 481–485, 2005. doi:10.1145/1060590.1060662 . Hugue Blier and Alain Tapp. A quantum characterization of NP.
Computational Complexity ,21(3):499–510, 2012. doi:10.1007/s00037-011-0016-2 . Ralph Bottesch, Dmitry Gavinsky, and Hartmut Klauck. Equality, revisited. In , volume 9235of
LNCS , pages 127–138. Springer, 2015. doi:10.1007/978-3-662-48054-0\_11 . Anne Broadbent and Alain Tapp. Can quantum mechanics help distributed computing?
SIGACT News , 39(3):67–76, 2008. doi:10.1145/1412700.1412717 . Harry Buhrman, Richard Cleve, John Watrous, and Ronald de Wolf. Quantum fingerprint-ing.
Physical Review Letters , 87(16):167902:1–167902:4, 2001. doi:10.1103/PhysRevLett.87.167902 . Arkadev Chattopadhyay, Jaikumar Radhakrishnan, and Atri Rudra. Topology matters incommunication. In , pages 631–640, 2014. doi:10.1109/FOCS.2014.73 . Arkadev Chattopadhyay and Atri Rudra. The range of topological effects on communication.In
Automata, Languages, and Programming - 42nd International Colloquium, ICALP , pages540–551, 2015. doi:10.1007/978-3-662-47666-6\_43 . Pierluigi Crescenzi, Pierre Fraigniaud, and Ami Paz. Trade-offs in distributed interactiveproofs. In , pages 13:1–13:17,2019. doi:10.4230/LIPIcs.DISC.2019.13 . Vasil S. Denchev and Gopal Pandurangan. Distributed quantum computing: a new frontierin distributed systems or science fiction?
SIGACT News , 39(3):77–95, 2008. doi:10.1145/1412700.1412718 . Michael Elkin, Hartmut Klauck, Danupon Nanongkai, and Gopal Pandurangan. Can quantumcommunication speed up distributed computation? In , pages 166–175, 2014. doi:10.1145/2611462.2611488 . Laurent Feuilloley, Pierre Fraigniaud, and Juho Hirvonen. A hierarchy of local decision. In , pages118:1–118:15, 2016. doi:10.4230/LIPIcs.ICALP.2016.118 . Laurent Feuilloley, Pierre Fraigniaud, Juho Hirvonen, Ami Paz, and Mor Perry. Redundancyin distributed proofs. In ,pages 24:1–24:18, 2018. doi:10.4230/LIPIcs.DISC.2018.24 . Pierre Fraigniaud, Amos Korman, and David Peleg. Towards a complexity theory for localdistributed computing.
Journal of the ACM , 60(5):35:1–35:26, 2013. doi:10.1145/2499228 . Pierre Fraigniaud, Pedro Montealegre, Rotem Oshman, Ivan Rapaport, and Ioan Todinca. Ondistributed Merlin-Arthur decision protocols. In , volume 11639 of
LNCS , pages230–245. Springer, 2019. doi:10.1007/978-3-030-24922-9\_16 . Pierre Fraigniaud, Boaz Patt-Shamir, and Mor Perry. Randomized proof-labeling schemes.
Distributed Computing , 32(3):217–234, 2019. doi:10.1007/s00446-018-0340-8 . Cyril Gavoille, Adrian Kosowski, and Marcin Markiewicz. What can be observed locally?In , volume 5805 of
LNCS ,pages 243–257. Springer, 2009. doi:10.1007/978-3-642-04355-0\_26 . Mika Göös and Jukka Suomela. Locally checkable proofs in distributed computing.
Theory ofComputing , 12:19:1–19:33, 2016. doi:10.4086/toc.2016.v012a019 . Aram W. Harrow and Ashley Montanaro. Testing product states, quantum Merlin-Arthurgames and tensor optimization.
Journal of the ACM , 60(1):3:1–3:43, 2013. doi:10.1145/2432622.2432625 . Gene Itkis and Leonid A. Levin. Fast and lean self-stabilizing asynchronous protocols. In , pages 226–239, 1994. doi:10.1109/SFCS.1994.365691 . Taisuke Izumi and François Le Gall. Quantum distributed algorithm for the All-Pairs ShortestPath problem in the CONGEST-CLIQUE model. In , pages 84–93, 2019. doi:10.1145/3293611.3331628 . Taisuke Izumi, François Le Gall, and Frédéric Magniez. Quantum distributed algorithm fortriangle finding in the CONGEST model. In , pages 23:1–23:13, 2020. doi:10.4230/LIPIcs.STACS.2020.23 . Alexei Yu. Kitaev, Alexander H. Shen, and Mikhail N. Vyalyi.
Classical and QuantumComputation . Graduate Studies in Mathematics 47. American Mathematical Society, 2002. Hartmut Klauck. On Arthur Merlin games in communication complexity. In , pages 189–199, 2011. doi:10.1109/CCC.2011.33 . Hartmut Klauck and Supartha Podder. Two results about quantum messages. In , volume8635 of
LNCS , pages 445–456. Springer, 2014. doi:10.1007/978-3-662-44465-8\_38 . Hirotada Kobayashi, François Le Gall, and Harumichi Nishimura. Stronger methods of makingquantum interactive proofs perfectly complete.
SIAM Journal on Computing , 44(2):243–289,2015. doi:10.1137/140971944 . Hirotada Kobayashi, Keiji Matsumoto, and Tomoyuki Yamakami. Quantum Merlin-Arthurproof systems: Are multiple Merlins more helpful to Arthur?
Chicago Journal of TheoreticalComputer Science , 2009:3:1–3:19, 2009. doi:10.4086/cjtcs.2009.003 . Gillat Kol, Rotem Oshman, and Raghuvansh R. Saxena. Interactive distributed proofs. In , pages 255–264, 2018. doi:10.1145/3212734.3212771 . . Fraigniaud, F. Le Gall, H. Nishimura and A. Paz 21 Amos Korman, Shay Kutten, and David Peleg. Proof labeling schemes.
Distributed Computing ,22(4):215–233, 2010. doi:10.1007/s00446-010-0095-3 . Eyal Kushilevitz and Noam Nisan.
Communication Complexity . Cambridge University Press,1997. François Le Gall and Frédéric Magniez. Sublinear-time quantum computation of the diameterin CONGEST networks. In , pages 337–346, 2018. doi:10.1145/3212734.3212744 . François Le Gall, Harumichi Nishimura, and Ansis Rosmanis. Quantum advantage for theLOCAL model in distributed computing. In , pages 49:1–49:14, 2019. doi:10.4230/LIPIcs.STACS.2019.49 . Moni Naor, Merav Parter, and Eylon Yogev. The power of distributed verifiers in interactiveproofs. In , pages 1096–115,2020. doi:10.1137/1.9781611975994.67 . Michael A. Nielsen and Isaac L. Chuang.
Quantum Computation and Quantum Information .Cambridge University Press, 2000. Rafail Ostrovsky, Mor Perry, and Will Rosenbaum. Space-time tradeoffs for distributedverification. In
Structural Information and Communication Complexity - 24th InternationalColloquium, SIROCCO , pages 53–70, 2017. doi:10.1007/978-3-319-72050-0\_4 . David Peleg.
Distributed Computing: A Locality-Sensitive Approach . SIAM, 2000. Ran Raz and Amir Shpilka. On the power of quantum proofs. In , pages 260–274, 2004. doi:10.1109/CCC.2004.1313849 . Bill Rosgen. Distinguishing short quantum computations. In , pages 597–608, 2008. doi:10.4230/LIPIcs.STACS.2008.1322 . Seiichiro Tani, Hirotada Kobayashi, and Keiji Matsumoto. Exact quantum algorithms forthe leader election problem.
ACM Transactions on Computation Theory , 4(1):1:1–1:24, 2012. doi:10.1145/2141938.2141939 . John Watrous.
The Theory of Quantum Information . Cambridge University Press, 2018. Andrew Chi-Chih Yao. Quantum circuit complexity. In , pages 352–361, 1993. doi:10.1109/SFCS.1993.366852 . Andrew Chi-Chih Yao. On the power of quantum fingerprinting. In , pages 77–81, 2003. doi:10.1145/780542.780554 . A P P E N D I X
A Quantum Fundamentals
Here we summarize some notation and properties that are used in this paper. As a terminol-ogy, we sometime identify physical concepts (such as pure states) and their mathematicalrepresentations (such as vectors).A mixed state on a complex Euclidian space H is considered as a representation of aprobability distribution of pure quantum states (represented like | ψ i as vectors on H ). If thequantum state in H is a pure state | ψ j i with probability p j , its mixed state is representedas the positive semi-definite matrix σ = P j p j | ψ j ih ψ j | (the symbol ρ or σ is often used forrepresenting a mixed state). In particular, a (pure) quantum state | ψ i is written as theprojector | ψ ih ψ | of rank 1. If this state evolves by a unitary operation U , the state changesinto U σU † = P j U | ψ j ih ψ j | U † . We call a mixed state simply a (quantum) state (as far aswe do not care about the difference between pure and mixed states). For any complex Euclidian spaces H A and H B and any matrix M on H A ⊗ H B , thereduced matrix on H A obtained by tracing out on H B , denoted as tr B ( M ) istr B ( M ) = X j ( I ⊗ h j | ) M ( I ⊗ | j i ) , where {| j i} is the standard basis in H B (in fact, it may be any orthonormal basis). If M represents a mixed state σ , tr B ( σ ) is called the reduced state on H A , which represents thelocally visible state on H A of σ obtained by disregarding the part on H B of σ .A POVM (positive operator valued measure) on a complex Euclidian space H representsa general measurement on a quantum state on H . In particular, a binary-valued POVM(which we use in this paper) on H is a set { M , M } that consists of two positive semi-definitematrices M and M on H such that M + M = I . If a mixed state ρ is measured by { M , M } , the probability that the outcome with M j ( j = 0 ,
1) is obtained is tr( M j ρ ).For any matrix M on complex Euclidian space H , the trace norm of M is defined as k A k tr = tr( √ M † M ) . For any two mixed states ρ and σ in H , the trace distance between ρ and σ is defined as dist ( ρ, σ ) = 12 k ρ − σ k tr , which satisfies that 0 ≤ dist ( ρ, σ ) ≤ dist ( ρ, σ ) becomes close to 0, ρ and σ become close).In particular, for any pure states | ψ i , | φ i , it holds that dist ( | ψ ih ψ | , | φ ih φ | ) = p − |h ψ | φ i| . An important characterization of the trace distance is dist ( ρ, σ ) = max M tr( M ( ρ − σ )) , where the maximization is taken over all positive semi-definite matrices M such that M ≤ I .This characterization means that dist ( ρ, σ ) is equal to the difference between the probabilitythat the “best” POVM measurement { M, I − M } , for distinguishing ρ and σ , on the state ρ gives the outcome with the POVM element M , tr( M ρ ), and the probability that the samePOVM measurement on σ gives the outcome with M , tr( M σ ).For any two mixed states ρ and σ in H , the fidelity between ρ and σ , denoted as F ( ρ, σ ),is another measure of their closeness, and it holds that 0 ≤ F ( ρ, σ ) ≤ F ( ρ, σ ) becomesclose to 1, ρ and σ become close). For this measure, we need only the following equality,which is found in Ref. [46] for instance. (cid:73) Lemma 11 (Corollary 3.23 in Ref. [46]) . Let | ψ i and | φ i be two pure states on H ⊗ H forcomplex Euclidian spaces H and H . It holds that F (tr H ( | ψ ih ψ | ) , tr H ( | φ ih φ | )) = k tr H ( | φ ih ψ | ) k tr . Let H and H be two complex Euclidean spaces consisting of m qubits for each (namely,each of the space has the standard basis states {| x i | x ∈ { , } m } ). Then, H = H ⊗ H canbe written as the direct sum of the symmetric space H S and the antisymmetric subspace H A , Here, the symmetric space H S is the subspace of H spanned by the states | ψ i in H such that S | ψ i = | ψ i where S is the swap operator defined by S ( | j i| j i ) = | j i| j i . Theantisymmetric subspace is the subspace | ψ i in H such that S | ψ i = −| ψ i . Note that H A isthe orthogonal complement of H S . The dimensions of H S and H A are M ( M + 1) / M ( M − /
2, respectively, where M = 2 m . See Ref. [46], for instance, for more informationon (bipartite as well as multipartite) symmetric states and anti-symmetric states. . Fraigniaud, F. Le Gall, H. Nishimura and A. Paz 23 B Elementary Lemma on Probability
For any events
A, B , we denote the complementary event of A by A or ¬ A , the sum event of A and B by A ∨ B , and the product event of A and B by A ∧ B . The following lemma isbasic on probability, while we give it with the proof for the self-containment. (cid:73) Lemma 12.
Let A j ( j = 1 , , . . . , n ) be an event. Then, following holds. Pr[ A ∧ A ∧ · · · ∧ A n ] ≤ n P nj =1 Pr[ A j ]Pr[ A ∨ A ∨ · · · ∨ A n ] ≥ n P nj =1 Pr[ A j ] Proof.
We show the first item by induction. The base case trivially holds. Assume that thecase n − A ∧ · · · ∧ A n ]= n − n Pr[ A ∧ · · · ∧ A n − ] Pr[ A n | A ∧ · · · ∧ A n − ] + 1 n Pr[ A n ] Pr[ A ∧ · · · ∧ A n − | A n ] ≤ n − n Pr[ A ∧ · · · ∧ A n − ] + 1 n Pr[ A n ] ≤ n − n · n − n − X j =1 Pr[ A j ] + 1 n Pr[ A n ]= 1 n n X j =1 Pr[ A j ] , where the last inequality comes from the assumption. Thus, the case n holds, and theinduction is completed.The second item is proved byPr[ A ∨ · · · ∨ A n ] = 1 − Pr[ A ∧ · · · ∧ A n ] ≥ − n n X j =1 Pr[ A j ]= 1 n n X j =1 Pr[ A j ] , where the inequality comes from the first item.where the inequality comes from the first item.