Parallel repetition with a threshold in quantum interactive proofs
PParallel repetition with a threshold in quantuminteractive proofs
Abel Molina
Institute for Quantum Computing and School of Computer ScienceUniversity of Waterloo
August 18, 2020
Abstract
In this note, we show that O (log(1 /(cid:15) )) rounds of parallel repetition witha threshold suffice to reduce completeness and soundness error to (cid:15) for single-prover quantum interactive proof systems. This improves on a previous O (log(1 /(cid:15) ) log log(1 /(cid:15) )) bound from Hornby (2018), while also simplifying itsproof. A key element in our proof is a concentration bound from Impagliazzoand Kabanets (2010). When we have a probabilistic procedure that computes a binary output, one canoften reduce the probability that the procedure errs by conducting parallel repetitionwith a threshold. The number of needed parallel instances scales as O (log(1 /(cid:15) )),with (cid:15) being the desired error. For example, this applies to those computationscorresponding to the complexity classes BPP , BQP , and IP [AB09]. Similar ideascan be made to work in the context of quantum interactive proof systems withperfect completeness [KW00].In the classical prover-verifier interactions corresponding to the class IP , onecan use standard averaging arguments to show that it is optimal for a prover (whowe shall call Bob) to play both deterministically and independently when his goalis to win at least k out of n parallel instances. By applying Chernoff bounds, thisgives us a naive proof of correctness for error reduction via parallel repetition witha threshold. 1 a r X i v : . [ c s . CC ] A ug n the case of quantum prover-verifier interactions, it is however not optimalin general for Bob to play independently when his goal is to win at least k out of n parallel instances, although it is optimal for the case where k = n [Gut10]. Inparticular, a counterexample when k = 1 and n = 2 was provided in [MW12], withfurther examples in [AMR18 , GS18].This means that in the context of computational complexity classes correspond-ing to quantum prover-verifier protocols with a single prover, there is no naive proofof correctness for error reduction via parallel repetition with a threshold. In par-ticular, it means that it is not possible to trivially use Chernoff bounds in order toprove a decrease in the soundness error.For those quantum prover-verifier interactions with at least 3 messages, oneway to sidestep this complication as far as error reduction is concerned is to findan equivalent protocol with fewer or the same messages and perfect completeness[KW00], and then perform parallel repetition where the prover is required to win allinstances. For 2 messages, one can make usage of a more complex error-reductionprocedure [JUW09], which considers several parallel instances and then divides theminto subgroups for the purposes of determining a final outcome.However, none of those results directly address the question of whether parallelrepetition with a threshold is effective for the purpose of error reduction in quantumprover-verifier interactions with a single prover. This question was then addressedin [Hor18], where it was proved that for all such quantum prover-verifier protocols,parallel repetition with a threshold does, in fact, bring both soundness and com-pleteness errors down to 0 asymptotically. In particular, it is proved there that O (log(1 /(cid:15) ) log log(1 /(cid:15) )) parallel instances suffice in order to bring the completenessand soundness errors below (cid:15) . This is proved by a reduction to the technique in[JUW09].We now prove here that O (log(1 /(cid:15) ) number of parallel instances will suffice tobring the completeness and soundness errors below (cid:15) . Furthermore, we are able to dothis without an explicit reduction to any other setting. Our key technique will be theusage of a concentration bound of Impagliazo and Kabanets [IK10]. The conditionsneeded for the application of the lemma correspond to the result in [Gut10] thatlooks at the situation where Bob aims to succeed in all parallel instances. Thisconcentration bound has been previously used [Gav12, PYJ +
12] to study attackson certain prover-verifier interactions corresponding to quantum money protocols,while making usage of properties of the specific protocols rather than of the generalresult in [Gut10]. Note as well that the bound in [IK10] can be seen as a rephrasingof a previous one in [PS97]. 2
Setting
In the protocols that we study, verifier Alice and prover Bob exchange a series ofmessages, with Alice making a final binary decision. We assume without loss ofgenerality that the first message is sent by Alice. Alice’s actions are fixed by theprotocol, while Bob is free to choose his actions. Formally, the protocol is representedby the following objects:1. Two series of r finite-dimensional Hilbert spaces X , . . . , X r and Y , . . . , Y r ,corresponding to the state spaces for the r messages from Alice to Bob, andviceversa.2. A series of r finite-dimensional Hilbert spaces Z , . . . , Z r , corresponding toAlice’s internal memory after she sends each of her r messages.3. A density operator ρ ∈ D ( X ⊗ Z ), corresponding to Alice’s first message toBob.4. A series of r − r − , . . . , Ψ r , with Ψ i mapping inputs in D ( Y i − ⊗ Z i − ) to outputs in D ( X i ).5. A binary POVM { P , P } ⊂ Pos ( Y r ⊗ Z r ), which determines the final out-come of the interaction. 0 is identified as the losing outcome for Bob, while 1is identified as the winning outcome.A corresponding circuit diagram for the case where r = 3 can be seen in Figure 1.In a parallel repetition context, we have n parallel instances of such a proto-col. The verifier Alice will be acting identically and independently between theseinstances, while the prover Bob can entangle his answers between the n instances.This is depicted for the case of two parallel instances in Figure 2.As discussed earlier, the work in [Gut10] determines that for Bob, correlating hisanswers does not help when he intends to win n out of n parallel instances. Moreformally, we have the following: Theorem 1 ([Gut10], Theorem 4.9) . Let the optimal chance for Bob of achieving thewinning outcome in a prover-verifier interaction be equal to p . Consider n parallelinstances. Then, Bob’s optimal chance of achieving the winning outcome in allinstances is equal to p n . Ψ Ψ { P , P } Φ Φ Φ Z Z Z X X X Y Y Y output W W Figure 1: An example of a prover-verifier interaction, showing each of the objectsenumerated in Section 2. This example corresponds to the case where r = 3. Notethat Bob’s channels and his intermediate memory state spaces W and W are notpart of the protocol’s definition. Instead, Bob is free to choose them in order tomanipulate the final output bit. ρ Ψ Ψ { P , P } ρ Ψ Ψ { P , P } Φ Φ Φ Z Z Z Z Z Z X X X Y Y Y outputoutput X X X Y Y Y W W Figure 2: Two parallel instances of the prover-verifier interaction from Figure 1..We can see that Bob is allowed to arbitrarily entangle his actions between bothinstances, while Alice acts identically and independently.4n alternative proof of this result is provided in Chapter 4 of [VW16], and it canalso be seen as a specific case of the product properties discussed in [MS07, LM08].We now formally discuss interactive proof systems. In this setting, we areconcerned with prover-verifier interactions where the actions of the verifier areparametrized by a string s , which belongs to one of two sets L yes and L no . Foreach value of s , there will be an associated optimal probability p ( s ) of Bob obtain-ing the winning outcome. For some constants 0 ≤ a < a < b ≤
1, it is aproperty of the proof system that if s ∈ L no , then p ( s ) ≤ a , while if s ∈ L yes , then p ( s ) ≥ b . The soundness and completeness errors are then defined as a and 1 − b ,respectively.Given such a proof system, one can seek to find another one where the soundnessand completeness errors are reduced to (cid:15) . That is to say, the new proof systemcorresponds to the same tuple ( L yes , L no ), and we have that a ≤ (cid:15) and b ≥ − (cid:15) . Wewill discuss in Section 3 how to make usage of parallel repetition with a threshold inorder to perform this task. Our main result will follow from a threshold theorem ofImpagliazzo and Kabanets, together with Theorem 1. In particular, the thresholdtheorem that we use is as follows: Theorem 2 ([IK10], Theorem 1) . Let X , . . . , X n be Boolean random variables.Assume that for some ≤ δ ≤ and any subset S ⊆ { , . . . , n } , it holds that Pr (cid:32)(cid:94) s ∈ S X s = 1 (cid:33) ≤ δ | S | . (1) Then, for any value of γ such that δ ≤ γ ≤ , it holds that Pr (cid:32) n (cid:88) i =1 X i ≥ γn (cid:33) ≤ e − nD ( γ || δ ) ≤ e − n ( γ − δ ) . (2) where D ( γ || δ ) denotes the binary relative entropy. Combining Theorem 1 with Theorem 2, we derive the following bound to quantumhedging:
Theorem 3.
Consider n parallel instances of an arbitrary quantum prover-verifierinteraction, as defined in Section 2. Let the optimal chance of Bob obtaining thewinning outcome be equal to the constant p . Consider any value k ∈ N such that = n ( p + δ ) , with δ > a positive constant. Then, Bob’s optimal chance of winningat least k out of the n parallel instances is upper-bounded by e − nδ .Proof. Let X , . . . , X n be Boolean random variables associated with the respectiveoutcomes of the n parallel instances. It must now hold that for any subset S ⊆{ , . . . , n } , Pr (cid:32)(cid:94) s ∈ S X s = 1 (cid:33) ≤ p | S | . (3)The reason why this must be the case is because of Theorem 1. In particular, let usimagine | S | parallel instances of the protocol under consideration. Then, Bob canobtain a probability of winning all of these | S | instances equal to Pr (cid:0)(cid:86) s ∈ S X s = 1 (cid:1) .He can do that by playing as if there were n parallel instances, while simulating theactions of Alice for those of the n instances that do not correspond to elements of S .Theorem 1 then establishes that Pr (cid:0)(cid:86) s ∈ S X s = 1 (cid:1) must be upper-bounded by p | S | .By Theorem 2, it is a consequence of Equation (3) thatPr (cid:32) n (cid:88) i =1 X i ≥ k (cid:33) ≤ e − n ( p + δ − p ) = e − nδ . (4)Theorem 3 then gives us a simple proof of correctness for error reduction viaparallel repetition with a threshold. In particular, let us consider an arbitraryquantum prover-verifier proof system and its corresponding values of a and b . Then,we consider n parallel instances and ask the prover to win in at least n a + b instances(or equivalently, in at least (cid:100) n a + b (cid:101) instances).In order to lower the completeness and soundness errors of this procedure downto (cid:15) , it will be enough to have O (log(1 /(cid:15) )) parallel instances. For the completenesserror, this follows from standard Chernoff bounds. For the soundness error, thisfollows from applying Theorem 3, with p = a and δ = b − a .As previously discussed, this is of special interest for the case of protocols withtwo messages, where there is no known ability to switch to an equivalent protocolwith the same or fewer messages and with perfect completeness.One can alternatively choose to model the gap between a and b not as a constantbut as an inverse polynomial in n . Then, when we invoke Theorem 3 we have δ be aninverse polynomial in n , and the resulting bound on the number of parallel instancesis O (cid:0) (1 /(cid:15) ) δ (cid:1) = O ((1 /(cid:15) ) poly ( n )). 6 cknowledgements This work was performed with funding from Canadas NSERC and a Universityof Waterloo Presidents Graduate Scholarship. Thanks are due to Eric Blais forsuggesting the possible relevance of [IK10], and to John Watrous for encouragingthe writing of this note and providing valuable feedback.
References [AB09] Sanjeev Arora and Boaz Barak.
Computational Complexity: A ModernApproach . Cambridge University Press, 2009.[AMR18] Srinivasan Arunachalam, Abel Molina, and Vincent Russo. Quantumhedging in two-round prover-verifier interactions. In ,2018.[Gav12] Dmitry Gavinsky. Quantum money with classical verification. In , pages 42–52. IEEE,2012.[GS18] Maor Ganz and Or Sattath. Quantum coin hedging, and a counter mea-sure. In , 2018.[Gut10] Gustav Gutoski.
Quantum Strategies and Local Operations . PhD thesis,University of Waterloo, 2010.[Hor18] Taylor Hornby. Concentration bounds from parallel repetition theorems.Master’s thesis, University of Waterloo, 2018.[IK10] Russell Impagliazzo and Valentine Kabanets. Constructive proofs of con-centration bounds. In
Approximation, Randomization, and CombinatorialOptimization. Algorithms and Techniques , pages 617–631. Springer, 2010.[JUW09] Rahul Jain, Sarvagya Upadhyay, and John Watrous. Two-message quan-tum interactive proofs are in PSPACE. In , pages 534–543.IEEE, 2009. 7KW00] Alexei Kitaev and John Watrous. Parallelization, amplification, and expo-nential time simulation of quantum interactive proof systems. In
Proceed-ings of the thirty-second annual ACM symposium on theory of computing ,pages 608–617, 2000.[LM08] Troy Lee and Rajat Mittal. Product theorems via semidefinite program-ming. In
International Colloquium on Automata, Languages, and Pro-gramming , pages 674–685. Springer, 2008.[MS07] Rajat Mittal and Mario Szegedy. Product rules in semidefinite program-ming. In
International Symposium on Fundamentals of Computation The-ory , pages 435–445. Springer, 2007.[MW12] Abel Molina and John Watrous. Hedging bets with correlated quantumstrategies.
Proceedings of the Royal Society A: Mathematical, Physicaland Engineering Sciences , 468(2145):2614–2629, 2012.[PS97] Alessandro Panconesi and Aravind Srinivasan. Randomized distributededge coloring via an extension of the Chernoff–Hoeffding bounds.
SIAMJournal on Computing , 26(2):350–368, 1997.[PYJ +
12] Fernando Pastawski, Norman Y Yao, Liang Jiang, Mikhail D Lukin, andJ Ignacio Cirac. Unforgeable noise-tolerant quantum tokens.
Proceedingsof the National Academy of Sciences , 109(40):16079–16082, 2012.[VW16] Thomas Vidick and John Watrous. Quantum proofs.