Abstract.
The recent theorem of Ji, Natarajan, Vidick, Wright, and Yuen shows
that the complexity class of multiprover proof systems with entangled
provers contains all recursively enumerable languages. Prior work of Grilo,
Slofstra, and Yuen [FOCS ’19] further shows (via a technique called simulatable
codes) that every language in has a perfect zero knowledge ()
protocol. The theorem uses two-prover one-round proof systems, and
hence such systems are complete for . However, the construction in Grilo,
Slofstra, and Yuen uses six provers, and there is no obvious way to get perfect
zero knowledge with two provers via simulatable codes. This leads to a natural
question: are there two-prover - protocols for all of ?
In this paper, we show that every language in has a two-prover one-round
- protocol, answering the question in the affirmative. For the proof, we
use a new method based on a key consequence of the theorem, which is
that every protocol can be turned into a family of boolean constraint
system (BCS) nonlocal games. This makes it possible to work with protocols
as boolean constraint systems, and in particular allows us to use a variant of
a construction due to Dwork, Feige, Kilian, Naor, and Safra [Crypto ’92] which
gives a classical protocol for 3SAT with perfect zero knowledge. To show
quantum soundness of this classical construction, we develop a toolkit for
analyzing quantum soundness of reductions between BCS games, which we expect to
be useful more broadly. This toolkit also applies to commuting operator
strategies, and our argument shows that every language with a commuting
operator BCS protocol has a two prover commuting operator protocol.
1. Introduction
In an interactive proof protocol, a prover tries to convince a verifier that a
string belongs to . Interactive proof systems can be more powerful
than non-interactive systems; famously, the class of interactive proofs
with a polynomial time verifier and a single prover is equal to
[Sha92], and the class with a polynomial time verifier and
multiple provers is equal to [BFL90]. In this latter class, the
provers can communicate with the verifier, but are assumed not to be able to
communicate with each other. The proof systems used in [BFL90] are very
efficient, and require only two provers and one round of communication.
Interactive proof systems also allow zero knowledge protocols, in which the
prover demonstrates that without revealing any other information
to the verifier. As a result, interactive proof systems are important to both
complexity theory and cryptography. The first zero knowledge proof systems go
back to the invention of interactive proof systems by Goldwasser, Micali, and
Rackoff [GMR85], and every language in MIP admits a two-prover
one-round perfect zero knowledge proof system by a result of Ben-Or,
Goldwasser, Kilian, and Wigderson [BOGKW88]. Perfect means that
absolutely no information is revealed to the verifier, in contrast to
statistical zero knowledge (in which the amount of knowledge gained by the
verifier is small but bounded), or computational zero knowledge (in which zero
knowledge relies on some computational intractability assumption).
Since the provers in a MIP protocol are not allowed to communicate, it is
natural to ask what happens if they are allowed to share entanglement. This
leads to the complexity class , first introduced by Cleve, Hoyer,
Toner, and Watrous [CHTW04]. Entanglement allows the
provers to break some classical proof systems by coordinating their answers,
but the improved ability of the provers also allows the verifier to set harder
tasks. As a result, figuring out the power of has been difficult, and
there have been successive lower bounds in [KKM+11, IKM09, IV12, Vid16, Vid20, Ji16, NV18b, Ji17, NV18a, FJVY19]. Most recently (and
spectacularly), Ji, Natarajan, Vidick, Wright, and Yuen showed that
, the class of languages equivalent to the halting problem
[JNV+22b].
Reichardt, Unger, and Vazirani also showed that
is equal to the class , in which the verifier is quantum, and can
communicate with the provers via quantum channels [RUV13]. On
the perfect zero knowledge front, Chiesa, Forbes, Gur, and Spooner showed that
every language in (and hence in classical ) has a perfect zero
knowledge proof system, or in other words belongs to -
[CFGS22]. Grilo, Slofstra, and Yuen show that all of
belongs to - [GSY19].
Combining - with shows that there are one-round
perfect zero-knowledge proof systems for all languages that can be
reduced to the halting problem, a very large class. However, the construction
in [GSY19] is involved. The idea behind the proof is to encode a circuit
for an arbitrary verifier in a “simulatable” quantum error correcting code, and then
hide information from the verifier by splitting the physical qubits of this
code between different provers. The resulting proof systems in [GSY19]
require provers, and because the core concept of the proof is to split
information between provers, bringing this down to provers (as can be done
with perfect zero-knowledge for ) seems to require new ideas.
The purpose of this paper is to show that all languages in do indeed have two-prover one-round
perfect zero knowledge proof systems. Specifically, we show that:
Theorem 1.1.
Every language in (and hence in ) admits a two-prover one-round
perfect zero knowledge protocol with completeness probability
and soundness probability , in which the verifier chooses questions
uniformly at random.
The idea behind the proof is to use the output of the theorem, rather
than encoding arbitrary -protocols. The proof that in
[JNV+22b] is very difficult, but requires only two-prover one-round proof
systems. Natarajan and Zhang have sharpened the proof to show that these proof
systems require only a constant number of questions, and length
answers from the provers [NZ23]. This shows that , the
complexity class of languages with two-prover -protocols in which the verifier
chooses their messages to the prover uniformly at random. A one-round or
proof system is equivalent to a family of nonlocal games, in which the
provers (now also called players) are given questions and return answers to a
verifier (now also called a referee), who decides whether to accept (in which
case the players are said to win) or reject (the players lose). In both
[JNV+22b] and [NZ23], the games are synchronous,
meaning that if the players receive the same question then they must reply with
the same answer, and admit what are called oracularizable strategies. As we
observe in this paper, one-round proof systems in which the games are
synchronous and oracularizable are equivalent to the class of -
proof systems, which are one-round two-prover proof systems in which the
nonlocal games are boolean constraint system (BCS) games. In a boolean
constraint system, two provers try to convince the verifier that a given BCS is
satisfiable. BCS games were introduced by Cleve and Mittal
[CM14], and include famous examples of nonlocal games
such as the Mermin-Peres magic square [Mer90, Per90].
Boolean constraint systems are much easier to work with than general
protocols, so rather than showing that every protocol can be
transformed to a perfect zero knowledge protocol, we prove Theorem 1.1 by
showing that every - protocol can be transformed to a perfect
zero knowledge protocol. As we explain at the end of Section 2, when
combined with the theorem this gives an effective way to transform
any -protocol (including protocols with many provers and rounds) into a
perfect zero knowledge - protocol.
One way to transform a - protocol to a perfect zero-knowledge
protocol is to use graph colouring games, which are famous examples of perfect
zero knowledge games. Classically, every BCS instance can be transformed to
a graph such that the graph is -colourable if and only if the BCS is
satisfiable. Ji has shown that every BCS can be transformed to a graph such
that the original BCS game has a perfect quantum strategy if and only if the
-colouring game for the graph has a perfect quantum strategy
[Ji13] (see also [Har23]). Using the
techniques in this paper, it is also possible to show that this transformation
preserves soundness of - protocols, and hence that every
- protocol can be transformed to a protocol based on
graph colouring games. Unfortunately graph colouring games are only perfect zero
knowledge against honest verifiers, so this construction does not give a
perfect zero knowledge protocol for dishonest verifiers. Instead, we use another
classical transformation due to Dwork, Feige, Kilian, Naor, and Safra
[DFK+92], which takes every 3SAT instance to a perfect
zero-knowledge protocol. We show that a modest variant of this
construction remains perfect zero knowledge in the quantum setting, and
preserves soundness of - protocols. In both the original argument
and our argument, it is necessary for soundness to work with -
protocols with small (meaning or ) question length. In the
classical setting, - with question length is equal to ,
so the construction in [DFK+92] only shows that is contained in
-, rather than all of . In the quantum setting,
- with question length is equal to and
this construction suffices to prove perfect zero knowledge for any
protocol — an interesting difference in what techniques can be used
between the classical and quantum setting.
In general, it’s a difficult question to figure out if a classical
transformation of constraint systems (of which there are many) remains
sound (meaning that it preserves soundness of protocols) in the quantum
setting. For instance, one of the key parts of the theorem is the
construction of a PCP of proximity which is quantum sound. On the other hand,
there are some transformations which lift fairly easily to the quantum setting.
We identify two such classes of transformations, “classical transformations”
which are applied constraint by constraint, and “context subdivision
transformations”, in which each constraint is split into a number of
subclauses. Both types of transformations are used implicitly throughout the
literature on nonlocal games, including in [Ji13], which was the
first paper to consider reductions between quantum strategies in BCS games.
In this paper, we systematically investigate the quantum soundness of these
transformations. It’s relatively easy to show that classical transformations
preserve soundness, and this is shown in Section 5. In
subdivision, each subclause becomes a different question in the associated BCS
game, and thus a strategy for the subdivided game has many more observables
than the original game. Since these new observables don’t need to commute with
each other, subdivision is more difficult to work with. Nonetheless, we show
that if the subclauses have a bounded number of variables, then subdivision
preserves soundness with a polynomial dropoff. This is shown in
Section 6. The construction in [DFK+92] can be
described as a composition of classical transformations and context subdivision
transformations, so quantum soundness (with polynomial dropoff) of this
construction follows from combining the soundness of these two transformations.
We recover a constant soundness gap by using parallel repetition, which preserves
the class of BCS games.
While reductions between nonlocal games have been important in previous work,
they are difficult to reason about, since it’s necessary to keep track of how
strategies for one game map to strategies for the other game. One advantage of
working with constraint systems in the classical setting is that it’s more
convenient to work with assignments (and think about the fraction of
constraints in the system that can be satisfied) than it is to work with
strategies and winning probabilities. In the quantum setting, it isn’t
possible to work with assignments, because strategies involve observables
that don’t necessarily commute with each other. However, we can achieve
a similar conceptual simplification
by replacing assignments with representations of the BCS algebra of the
constraint system. This algebra is the same as the synchronous algebra of the
BCS game introduced in [HMPS19, KPS18]; we refer to
[PS23] for more background. With this approach, reductions between BCS
games can be expressed as homomorphisms between BCS algebras, and these are
much easier to describe and work with than mappings between strategies. For
soundness arguments, we need to work with near-perfect strategies, and these
correspond to approximate representations of the BCS algebra [Pad22].
Previous work using this idea (see e.g. [Pad22, Har23]) has focused on reductions between single games, and
the definitions are not suitable for working with protocols, as they do not
incorporate question distributions. To solve this problem, we introduce a
notion of weighted algebras and weighted homomorphisms, which allows us to
keep track of soundness of reductions between games using completely algebraic
arguments involving sums of squares.
Another advantage of the weighted algebras framework is that arguments can be made
simultaneously for both quantum and commuting operator strategies. Our
proof methods extend to commuting operator strategies as a result. However,
our results here are not as conclusive, as the exact characterization of the
corresponding complexity class is not known. There is a conjecture
that , and with that conjecture and a parallel repetition
theorem for commuting operator strategies, we expect that it would be possible
to extend Theorem 1.1 to show that all languages in have a
perfect zero knowledge commuting operator protocol. Without these ingredients,
we are limited to showing that ---.
Previous work on perfect zero knowledge for commuting operator protocols
does not preserve soundness gaps [CS19].
Our results also have applications for the membership problem for quantum
correlations. For exact membership, the cohalting problem is many-one reducible
to membership in the set of quantum-approximable correlations , and to membership in the
set of commuting operator correlations
[Slo19, CS19, FMS21]. It follows from that
the halting problem is Turing reducible to approximate membership in , the
set of quantum correlations, but this is not a many-one reduction. Theorem
1.1 immediately implies that there is a many-one reduction from the
halting problem to approximate membership in .
Because we use parallel repetition to reduce an inverse-polynomial soundness
gap to a constant soundness gap, the protocols in Theorem 1.1 use
polynomial length questions and answers. If an inverse-polynomial soundness gap is
allowed, we get perfect zero-knowledge protocols with question
length and constant answer length. Whether it is possible to get
perfect zero-knowledge protocols with question
length, constant answer length, and constant soundness gap is an interesting
open question. This would be possible with an improved analysis or
construction for subdivision such as appears in the low degree test
[JNV+22a] used in the theorem.
Acknowledgements
We thank Connor Paddock and Henry Yuen for helpful conversations.
KM is supported by NSERC. WS is supported by NSERC DG 2018-03968 and an Alfred
P. Sloan Research Fellowship.
2. Nonlocal games and MIP*
A two-player nonlocal (or Bell) scenario consists of
a finite set of questions , and a collection of finite answer sets . Often in this definition there are separate question and answer sets
for each player, but it’s convenient for us to assume that both players have
the same question and answer sets, and we don’t lose any generality by assuming
this. We often think of the question and answer sets as being subsets of
and , respectively, in which case we say
that the questions have length and the answers have length . A nonlocal game consists of a nonlocal scenario , along with a probability distribution on and a
family of functions for
. In the game, the players (commonly called Alice and
Bob) receive questions and from with probability , and
reply with answers and respectively. They win if
, and lose otherwise.
A correlation for scenario is a family of
probability distributions on for all
. Correlations are used to describe the players’
behaviour in a nonlocal scenario. The probability is interpreted
as the probability that the players answer on questions .
A correlation is quantum if there are
(a) finite-dimensional Hilbert spaces and ,
(b) a projective measurement on for every ,
(c) a projective measurement on for every , and
(d) a state
such that for all ,
, . A collection as in (a)-(d) is called a quantum strategy.
A correlation is commuting operator if there is
(i)
(ii) projective measurements and on
for every , and
(iii) a state
such that and for all and , . A collection
as in (i)-(iii) is called a commuting
operator strategy. The set of quantum correlations for a scenario
is denoted by , and the set of commuting operator
correlations is denoted by . If the scenario is clear from
context, then we denote these sets by and . Any quantum
correlation is also a commuting operator correlation, so . If a commuting operator correlation has a commuting operator strategy
on a finite-dimensional Hilbert space , then it is also a quantum correlation,
but in general is strictly larger than .
The winning probability of a correlation in a nonlocal game
is
|
|
|
The quantum value of is
|
|
|
and the commuting operator value is
|
|
|
A correlation is perfect for if , and
-perfect if . A strategy
is -perfect if its corresponding correlation is -perfect.
The set is closed and compact, so has a perfect commuting
operator correlation if and only if . However, is
not necessarily closed, and there are games with
which do not have a perfect quantum correlation. A correlation is
quantum approximable if it belongs to the closure , and a game has a perfect quantum approximable
correlation if and only if .
A nonlocal game is synchronous if
for all and .
A correlation is synchronous if for all and . The set of synchronous quantum
(resp. commuting operator) correlations is denoted by (resp.
). A correlation belongs to
(resp. ) if and only if there is
(A) a Hilbert space (resp. finite-dimensional Hilbert space ),
(B) a projective measurement on for all , and
(C) a state
such that is tracial, in the sense that for all and in the -algebra
generated by the operators , , , and for all , , . A
collection as in (A)-(C) is called a
synchronous commuting operator strategy. If, in addition,
is finite-dimensional, then is also called a
synchronous quantum strategy. The synchronous quantum and
commuting operator values and of a
game are defined equivalently to and
, but with and replaced by and
. A synchronous strategy for a game
is oracularizable if for all , , with .
A theorem of Vidick [Vid22] (see also [Pad22]) states that every quantum
correlation which is close to being synchronous, in the sense that for all and , is close to a synchronous
quantum correlation. This theorem has been extended to
commuting operator correlations by [Lin23]. As a result, the synchronous
quantum and commuting values of a game are polynomially related to the
non-synchronous quantum and commuting values. We use a version of this result
due to Marrakchi and de la Salle [MdlS23]. Following
[MdlS23], say that a probability distribution on
is -diagonally dominant if and for all .
Then:
Theorem 2.1 ([MdlS23]).
Suppose is a synchronous game with a -diagonally dominant
question distribution. If (resp. ) is
, then (resp. ) is
.
A two-prover one-round protocol is a family of nonlocal games
for ,
along with a probabilistic Turing machine and another Turing machine ,
such that
• for all and , there are integers
and such that and ,
• on input , the Turing machine outputs
with probability , and
• on input , the Turing machine outputs .
Let be computable functions with
for all . A language belongs if
there is a MIP protocol such that and are
polynomial in , and run in polynomial time in , if then , and if then
. The function is called the completeness
probability, and is called the soundness probability. The functions
and are called the question length and answer length
respectively. The class is defined equivalently to
, but with replaced by . The protocols
in these cases are called and protocols. A language
belongs to (resp. ) if it has a -protocol
(resp. -protocol) in which is the uniform distribution on
. Such a protocol is called an protocol. We can
also define classes and by replacing the quantum
and commuting operator values by and .
Any language in is contained in , and this remains true
even if we add more provers and rounds of communication. The theorem
of Ji, Natarajan, Vidick, Wright, and Yuen states that
[JNV+22b]. In this paper, we use the following strong version of due to Natarajan and Zhang [NZ23].
Theorem 2.2 ().
There is a two-prover one round protocol
for the halting problem with completeness and soundness ,
such that is a synchronous game with constant length questions,
and length answers. Furthermore, if has a perfect
strategy, then it has a perfect oracularizable synchronous strategy.
Proof.
[NZ23] shows that there is protocol for the halting problem
meeting this description. As they observe, any protocol with a constant
number of questions can be turned into an protocol with
completeness and soundness , and then parallel repetition
(see Section 7) can be used to lower the soundness back to .
∎
One corollary of Theorem 2.2 is that it is possible to transform any
protocol into an equivalent protocol
as in the theorem. Indeed, suppose is a polynomial-time probabilistic
interactive Turing machine which on input acts as the verifier in a
protocol with rounds, provers, completeness , and soundness
, where , , , and are computable functions of . Let
be the Turing machine which on input , searches through -round
-prover quantum strategies, uses to calculate the success
probability, and halts if it finds a strategy with success probability .
Let be the Turing machine which on empty input writes to the
input tape and then runs . Finally, let be the
one-round protocol for the language . The Turing machines and run in
polynomial time in the size of the input Turing machine , and
has size linear in , so the one-round protocol which runs game
on input is a polynomial-time protocol which
recognizes the same language as . Strikingly, this works for any
computable , , and , not just polynomial functions of ,
since the only requirement is that have polynomial description size.
3. BCS games
We now introduce boolean constraint system games. If is a set of variables,
a constraint on is a subset of . We think of as
rather than , since this is more convenient when working
with observables and measurements. In particular, we use and to
represent true and false respectively, rather than and . An
assignment to is an element , and we refer to the
elements of as satisfying assignments for . For convenience, we
assume every constraint is non-empty, i.e. has a satisfying assignment.
A boolean constraint system (BCS) is a pair
, where is an ordered set of
variables, is a nonempty subset of for all , and
is a constraint on the variables . When working with nonlocal games, the
sets are sometimes called the contexts of the system. The order on
induces an order on the contexts , and this will be used for some
specific models of the weighted BCS algebra in Section 6. This is the
only thing we use the order on for, so it can be ignored otherwise.
A satisfying assignment for is an assignment to such
that for all . Although we won’t use it
until later, we define the connectivity of a BCS to be the maximum
over of , where . In other words, the connectivity is the maximum over of
the number of times the variables in constraint appear in the constraints
of . Also, if and is a constraint on ,
then the conjunction is the constraint on
variables such that if and only if for
all .
Let be a BCS, and let be a
probability distribution on . The BCS game is the nonlocal game , where if , and is otherwise. In other words, in
, the players are given integers according to the
distribution , and must reply with satisfying assignments
and respectively. They win if their assignments agree on the
variables in . With this definition, has questions
of length , and answer sets of length .
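As an added illustration (not code from the paper), the following Python sketch builds the constraint-constraint BCS game just defined for the Mermin-Peres magic square and computes its classical value by brute force over deterministic strategies. The parity constraints chosen for the square, the uniform question distribution given as integer weights, and all function names are assumptions of the example.

```python
from fractions import Fraction
from itertools import product
from math import prod


def satisfying_assignments(context, constraint):
    """All +/-1 assignments to the variables of `context` that lie in the constraint."""
    return [dict(zip(context, vals))
            for vals in product((1, -1), repeat=len(context))
            if constraint(vals)]


def agree(a, b):
    """Winning condition of the BCS game: agreement on every shared variable."""
    return all(a[x] == b[x] for x in a.keys() & b.keys())


def is_satisfiable(contexts, constraints):
    """Brute-force search for a single assignment satisfying every constraint."""
    variables = sorted({x for V in contexts for x in V})
    for vals in product((1, -1), repeat=len(variables)):
        phi = dict(zip(variables, vals))
        if all(C(tuple(phi[x] for x in V)) for V, C in zip(contexts, constraints)):
            return True
    return False


def classical_value(contexts, constraints, weights):
    """Best winning probability over deterministic strategies.

    weights[i][j] is a non-negative integer proportional to the probability
    of the question pair (i, j). For each fixed strategy of the first player,
    the second player's best reply is chosen independently per question j.
    """
    answers = [satisfying_assignments(V, C) for V, C in zip(contexts, constraints)]
    m = len(contexts)
    # win[i][j][a][b]: answer index a to question i and b to question j win.
    win = [[[[agree(a, b) for b in answers[j]] for a in answers[i]]
            for j in range(m)] for i in range(m)]
    best = 0
    for alice in product(*(range(len(A)) for A in answers)):
        total = 0
        for j in range(m):
            total += max(
                sum(weights[i][j] for i in range(m) if win[i][j][alice[i]][b])
                for b in range(len(answers[j])))
        best = max(best, total)
    return Fraction(best, sum(map(sum, weights)))


def magic_square(column_parity=-1):
    """Nine variables in a 3x3 grid; six contexts (three rows, three columns).

    Rows must multiply to +1 and columns to `column_parity` (assumed encoding).
    With column_parity = -1 the system has no satisfying assignment.
    """
    rows = [tuple(f"x{3 * r + c + 1}" for c in range(3)) for r in range(3)]
    cols = [tuple(f"x{3 * r + c + 1}" for r in range(3)) for c in range(3)]
    constraints = ([lambda v: prod(v) == 1] * 3 +
                   [lambda v, p=column_parity: prod(v) == p] * 3)
    return rows + cols, constraints


if __name__ == "__main__":
    uniform = [[1] * 6 for _ in range(6)]  # uniform over the 36 context pairs
    for parity in (-1, 1):
        V, C = magic_square(parity)
        print(parity, is_satisfiable(V, C), classical_value(V, C, uniform))
    # -1 False 17/18
    #  1 True  1
```

The unsatisfiable square loses exactly two of the 36 question pairs under the best deterministic strategy, while the satisfiable variant is won with certainty by answering with restrictions of one global assignment.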
A - protocol is a family of BCS games
, where , along
with a probabilistic Turing machine and another Turing machine , such
that
(1) on input , outputs with probability
, and
(2) on input , outputs true if and false
otherwise.
Technically, this definition should also include some way of computing the sets
and . For instance, we might say that the integers and
are all computable, and there are computable order-preserving
injections . However, for simplicity we ignore this
aspect of the definition going forward, and just assume that in any
- protocol, we have some efficient way of working with the sets
and , the intersections , and assignments
.
A language belongs to the complexity class - if there is a
- protocol as above such that and
are polynomial in , and run in polynomial time, if then
, and if then .
The parameter is called the soundness. Any - protocol for
can be transformed into a protocol by playing the game
with the answer sets replaced by , and on input , asking the verifier to first check that and
using , and then checking that .
Hence - is contained in . Notice that in
this modified version of the BCS game, the players are allowed to answer with
non-satisfying assignments, but they always lose if they do so. Thus any
strategy for the modified game can be converted into a strategy for the original
game with the same winning probability, and perfect strategies for both types of
games (ignoring questions that aren’t in the support of ) are identical,
so the protocol has the same completeness and soundness as the
- protocol. The class - can be defined
similarly by replacing with , and is contained in
. We can also define subclasses of -
and -. For instance, we let 3SAT- be the class of
languages with a - protocol , in which
every constraint of is a 3SAT clause, i.e. a disjunction ,
where are either variables from , or negations of said variables,
or constants.
If the players receive the same question , then they must reply with
the same assignment to win. Consequently, if for all
then is a synchronous game. This version of BCS games is
sometimes called the constraint-constraint version of the game. There are
other variants of BCS games, sometimes called constraint-variable BCS games, in
which one player receives a constraint and another receives a variable (see
[CM14]). In this paper, we work with constraint-constraint games
exclusively, but the two types of BCS games are closely related, and can often
be used interchangeably. As per the previous section, a synchronous strategy
for consists of projective measurements , , on a Hilbert space , along with a state which is tracial on the algebra generated by .
Conversely, it is well-known that every synchronous game can be turned into a BCS game. One way to do this (see,
e.g. [PS23, Pad22]) is to make a constraint system with variables for and ,
and constraints for
all and whenever .
The variable represents whether the player answers on
input , and the constraints express the idea that the players must choose an answer for
every question, and that they should reply with winning answers (the
synchronous condition on implies that
is a constraint for all and , which means that the players should
choose a single answer for question ). The BCS game associated to
this constraint system has a perfect quantum (resp. quantum approximable,
commuting operator) strategy if
and only if has a perfect quantum (resp. quantum approximable, commuting
operator) strategy. Unfortunately, this construction results in a game with
answer sets , which means that the bit-length of the
answers increases exponentially from . If ,
then , meaning that if this construction
is used in a -protocol, soundness can drop off exponentially.
To fix this, we look at the oracularization of . There are
several versions of in the literature, all closely related. We
use the version from [NW19], in which the verifier picks a question pair
according to . The verifier then picks
uniformly at random. When , they send player both questions ,
and the other player question . Player must respond with
such that , and the other player responds with .
The players win if . If , both players are sent and must respond
with and in . They win if . If has questions of length and answers of length ,
then has questions of length and answers of length ,
so this construction only increases the question and answer length polynomially.
The following lemma shows that this construction is sound, in the sense
that cannot be much larger than .
Let be a synchronous game. If has a perfect oracularizable
synchronous strategy, then has a perfect synchronous strategy.
Conversely, if , then .
Proof.
This is asserted in Definition 17.1 of [NW19]. Although a proof isn’t
supplied, the proof follows the same lines as Theorem 9.3 of [JNV+22b].
∎
Given a synchronous game where and , construct a constraint system
as follows. Take to be the set of variables , where
and . Let , and
identify with bit strings , where the assignment
to corresponds to the th bit, and let
be the subset corresponding to . Let . For , let , and let be the set of pairs
of strings such that , , and .
Then is the constraint system with variables and constraints
and . Let
and be the probability distribution on
such that
|
|
|
Then , so the oracularization of a synchronous game
is a BCS game. As a result, Theorem 2.2 has the following corollary:
Corollary 3.2.
There is a - protocol for the
halting problem with constant soundness , in which has a
constant number of contexts and contexts of size ,
and is the uniform distribution on pairs of contexts.
Proof.
Let be the protocol from Theorem 2.2. Then
is a BCS game in which the underlying BCS has a constant
number of contexts, and the contexts have size .
The probability distribution and the constraints of
can be computed in polynomial time from and , so by
Lemma 3.1 there is a - protocol for the halting
problem with constant soundness . The probability distribution
in the oracularization construction is not uniform. However, it is
not hard to see that changing the distribution in the
oracularization game does not change completeness, and since there are only
a constant number of contexts, replacing with the uniform
distribution yields only a constant dropoff in soundness.
∎
4. BCS algebras and approximate representations
It is often worth thinking about synchronous strategies more abstractly. Recall
that is the -algebra generated by variables ,
satisfying the relations for all , and is the quotient of by the relations for all
. Given an assignment to an ordered set of variables , we let
|
|
|
considered as a polynomial in , where the product is taken
with respect to the order on . Given a constraint on , we let
|
|
|
Since is commutative, the image of in
is independent of the order of ; however, we will work with
in Section 6. The algebra is isomorphic to the algebra
|
|
|
where the isomorphism identifies with . In
particular, is generated by for
. Consequently if is a
-representation, then is a
projective measurement on , and conversely if
is a projective measurement on , then there is a -representation
with .
If is a BCS, then we let denote the
free product . We let denote the natural inclusion of the th factor, so
is generated by the involutions for and . Equivalently, is generated by the projections
for and . To avoid
clogging up formulas with symbols, we’ll often write instead
of when it’s clear what subalgebra
the element belongs to. As with , representations of
are in bijective correspondence with families of projective measurements
, via the relation . If is a
synchronous commuting operator strategy for , and is the representation with , then is a tracial state on
.
Conversely, if is a tracial state on , then the GNS
representation theorem implies that there is a synchronous commuting operator
strategy such that where is the representation corresponding to
. Note that the trace is faithful on the image of the GNS representation. As a result, synchronous commuting operator strategies for
and tracial states on can be used interchangeably, and
in particular if and only if there is a tracial state
with for all
,, , and . A tracial state is said to be finite-dimensional
if its GNS representation has a finite-dimensional Hilbert space, so
finite-dimensional tracial states on can be used interchangeably with
synchronous quantum strategies for , and if and only
if there is a finite-dimensional tracial state with for all ,, , and .
There is also a class of states, called the Connes-embeddable tracial states,
with the property that if and only if there is a Connes-embeddable tracial state
such that for
all ,, , and [KPS18].
A correlation is perfect for a BCS game if
whenever and is a losing
answer to questions . As a result, a tracial state on
is perfect (aka. corresponds to a perfect correlation) if and only if
whenever . Consequently a tracial state on is perfect
for if and only if it is the pullback of a tracial state on the
synchronous algebra of , which is the quotient
|
|
|
|
|
|
|
|
For BCS games, this result about perfect strategies is due to Kim, Paulsen, and
Schafhauser [KPS18]. The general notion of a synchronous algebra is due to
[HMPS19]. In [Gol21, PS23], it is shown that the synchronous algebra
of a BCS game is isomorphic to the so-called BCS algebra of the game. In
working with protocols, we also need to keep track of -perfect
strategies. In [Pad22], it is shown that -perfect strategies
for a BCS game correspond to -representations of the BCS algebra,
where an -representation is a representation of such that
all the defining relations of are bounded by in the
normalized Frobenius norm. In this prior work, the focus was on the behaviour
of -perfect strategies for a fixed game, so the number of questions and
answers was constant. For protocols, the game size is not constant,
and we need to work with approximate representations where the average, rather
than the maximum, of the norms of the defining relations is bounded. For this, we
introduce the following algebraic structure:
Definition 4.1.
A (finitely-supported) weight function on a set is a function
such that
is finite. A weighted -algebra is a pair
where is a -algebra and is a weight function on .
If is a tracial state on , then the defect of is
|
|
|
where is the -norm.
When the weight function is clear, we just write .
Since is finitely supported, the sum in the definition of the
defect is finite, and hence is well-defined. Note that traces on a
weighted algebra with correspond to traces on the
algebra . In general, is a measure of how
far is from being a trace on . Thus we can think of a weighted
algebra as a presentation or model for the algebra that allows us to talk about approximate traces on this
algebra.
Definition 4.2.
Let be a BCS, and let be a
probability distribution on . The (weighted) BCS
algebra is the -algebra , with weight function
defined by
|
|
|
for all and , with , and for all other .
Note that is the synchronous algebra
defined above, so is a model of this synchronous
algebra, and perfect strategies for correspond to tracial states
on with . The following lemma is an immediate
consequence of the definitions:
Lemma 4.3.
Let be a BCS, and let be a
probability distribution on . A tracial state
on is an -perfect strategy for if and only
if .
Proof.
Let be the correlation corresponding to , so . Then
|
|
|
where the sum is across and , with
. So .
∎
5. Homomorphisms between BCS algebras
In addition to looking at BCS games, we also want to consider transformations
between constraint systems and the corresponding games. To keep track of how
near-perfect strategies change, we introduce a notion of homomorphism for
weighted algebras. Recall that if is a -algebra, then if
is a sum of hermitian squares, i.e. there is and
such that . Two
elements are said to be cyclically equivalent if there
is and such that , where . We say that if
is cyclically equivalent to a sum of squares. (For more background on
these definitions, see e.g. [KS08, Oza13]).
Definition 5.1.
Let and be weighted -algebras, and let . A
-homomorphism is a
-homomorphism such that
|
|
|
The point of this definition is the following:
Lemma 5.2.
Suppose is a -homomorphism. If is a
trace on , then .
Proof.
Let and .
Note that
|
|
|
By the definition of , there are and such that
|
|
|
Since is a tracial state, and
for all and . Hence as required.
∎
One of the first things we can apply this idea to is changing between different
presentations of the BCS algebra. For instance:
Proposition 5.3.
Suppose is a BCS, and is a
probability distribution on . Let be the
weight function on defined by
|
|
|
for all and , and for
other . Then the identity map gives a
-homomorphism , and a
-homomorphism , where
.
Recall that is the natural inclusion of the th factor.
Proof.
Fix . Since is a projection in ,
is cyclically
equivalent to for all , .
For , let be the pairs such
that . Then
|
|
|
and since and can disagree in at most
places,
|
|
|
Fix , and let , .
|
|
|
|
|
|
|
|
where the last equality holds because and
are both equal to .
Finally is
cyclically equivalent to
|
|
|
so the result follows.
∎
Definition 5.4.
If is a BCS and is a
probability distribution on , define
to be the weighted algebra , where
is defined from as in Proposition 5.3.
It is not hard to see that , so both and are
weighted algebra models of .
We can also easily handle transformations of constraint systems which apply a
homomorphism to each context. Note that a homomorphism between finite abelian -algebras is equivalent to a function . Indeed, given a function , we can define a
homomorphism by , and it is not hard to see that all homomorphisms
have this form. We extend this notion to BCS algebras in the following way.
Definition 5.5.
Let and be constraint
systems. A homomorphism is a classical homomorphism
if
(1) for all , and
(2) if , , and then for all .
To explain this definition, note that condition (1) implies that restricts to
a homomorphism , and hence gives a collection of functions
for all . Condition (2) states that if for some , , then . Conversely, any collection of functions
satisfying this condition can be turned into a classical homomorphism .
Lemma 5.6.
Let and be constraint systems, and let
be a probability distribution on . If is a classical homomorphism, then is a -homomorphism
.
Proof.
Suppose arises from a family of functions as above.
For any , let , and let . Then
|
|
|
|
|
|
|
|
∎
One situation where we get a classical homomorphism is the following:
Corollary 5.7.
Let be a BCS, and let be a BCS with , for all , for
all , and for all , if
and only if there exists with . Then
for any probability distribution on , the
homomorphism
|
|
|
defined by the inclusions is a -homomorphism
, and there is another -homomorphism
. Furthermore, has the same
connectivity as .
Proof.
The homomorphism is the classical homomorphism defined by the
functions .
For the homomorphism , define by choosing an
element such that for all
. Since , if , then , so this collection of functions defines a
classical homomorphism .
∎
In other words, Corollary 5.7 implies that any tracial state
on (resp. ) with pulls back to a
tracial state on (resp. ) with defect also bounded by
.
Remark 5.8.
Let be a - protocol for a
language with soundness , where . Since is polynomial in
, and runs in polynomial time, the Cook-Levin theorem implies that
we can find sets and constraints on as in
Corollary 5.7 in which is polynomial in , and
is a 3SAT instance with number of clauses polynomial in . By
Lemma 5.2, we get a - protocol
for with the same soundness,
such that is a constraint system
where all the clauses are 3SAT instances, and the connectivity
of is the same as .
6. BCS algebras, subdivision and stability
Suppose we have a BCS where each constraint is made up of subconstraints on
subsets of the variables (for instance, a 3SAT instance made up of 3SAT
clauses). In this section, we look at what happens when we split up the
contexts and constraints so that each subconstraint is in its own context. In
the weighted BCS algebra, splitting up a context changes the commutative
subalgebra corresponding to the context to a non-commutative subalgebra. To
deal with this, we use a tool from the approximate representation theory of
groups, namely the stability of .
Lemma 6.1 ([CVY23]).
Let be a tracial von Neumann algebra, and suppose is a function such that for all and
for all , where and
. Then there is a homomorphism such that
for all , where the generate .
Here a tracial von Neumann algebra is a von Neumann algebra equipped with a faithful normal tracial state , and is the unitary group of . If is a tracial state on a -algebra , and is the GNS representation, then the closure of in the weak operator topology is a von Neumann algebra, and is a faithful normal tracial state on .
A function satisfying the conditions of Lemma 6.1 is called an
-homomorphism from to .
The following lemma is useful for the proofs in this section:
Lemma 6.2.
Suppose is a -algebra, and let denote the
hermitian square of . Then ,
where .
Proof.
Since , we see that .
Thus , and repeated application gives the
desired inequality.
∎
We now formally define a subdivision of a BCS.
Definition 6.3.
Let be a BCS. Suppose that for
all there exists a constant and a set of constraints
on variables respectively, such
that
(1) for all and ,
(2) for every and , there is a such that , and
(3) for all , where is conjunction.
The BCS is called a
subdivision of . When working with subdivisions, we refer to
as the clauses of constraint , and as the
number of clauses in constraint . A subdivision is
uniform if for all .
Given a subdivision of as in the definition, let ,
and pick a bijection between and the set of pairs with and . If is a probability distribution on , let be the probability distribution on
with . Note that if is uniform
and the subdivision is uniform, then is uniform. Any subdivision
can be turned into a uniform subdivision by repeating pairs
to increase . Note that subdivision can increase connectivity.
Part of the point of the definition of subdivisions is that they preserve
the synchronous algebra of the system.
Proposition 6.4.
Let be a BCS, and let be a subdivision. Let be a
probability distribution on , and let be the
probability distribution defined from as above. Then
.
Proof.
Because every pair of elements belongs to some , we
get an isomorphism
|
|
|
where is the set of relations
for all
and which do not agree on , and
for all . From these
latter relations, it is possible to recover the relations for , and then to recover all the relations of
.
∎
Proposition 6.4 implies that has a perfect quantum (resp.
commuting operator) strategy if and only if has a perfect
quantum (resp. commuting operator) strategy. The main result of this section is that near perfect strategies for can be pulled back to near perfect strategies for . For the theorem, we say that is
maximized on the diagonal if and
for all .
Theorem 6.5.
Let be a BCS, and let be a subdivision of with clauses in constraint .
Let be a
probability distribution on that is maximized on the diagonal, and let be the
probability distribution defined from as above. If there is a
trace on , then there is a trace on
with , where , , and .
For the proof of the theorem we consider several other versions of the weighted
BCS algebra, where is replaced by , and the
defining relations of are moved into the weight function.
Definition 6.6.
Let be a BCS with a probability
distribution on , and let be a subdivision, with clauses
in constraint and probability
distribution induced by .
Let denote the
inclusion of the th factor. Let , and
define weight functions , , , and on by
|
|
|
|
|
|
|
|
|
|
|
|
and , , , and for any
elements other than those listed.
Let be the weighted algebra ,
where .
Note that is the same as the weight function of the algebra
defined in Definition 5.4, except that it’s defined on
rather than . The weight function comes
from the defining relations for , while comes from the
defining relations for , so is a mix of relations
from and . As mentioned previously,
the context has an order inherited from , and this is used for the
order of the product when talking about and
in . In particular, the order on
is compatible with the order on .
The weight functions , and can also be
defined on using the same formula as in
Definition 6.6, and we use the same notation for both versions. The
following lemma shows that we can relax to , as long as is maximized on the diagonal.
Lemma 6.7.
Let be a BCS, and let be a
probability distribution on that is maximized on the diagonal. Let and
be the weight functions defined above with respect to . Then there is an
-homomorphism ,
where is the connectivity of .
Furthermore, if is a subdivision of , then
there is an -homomorphism , where is the maximum number of clauses
in constraint .
Proof.
Since is non-empty by convention, we can choose for every . Define the homomorphism by
|
|
|
Let , and let denote the hermitian square of as in Lemma 6.2. Then
|
|
|
Observe that , so
|
|
|
Thus
|
|
|
|
|
|
|
|
|
|
|
|
since is maximized on the diagonal.
Next, suppose is a subdivision of . If , then we can choose such that
. Since ,
|
|
|
Hence
|
|
|
where the comes from the fact that we divide by in the definition of .
Thus the identity map is an -homomorphism.
∎
The following proposition shows how to construct tracial states on from tracial states on .
Proposition 6.8.
Let be a BCS, and let be a
probability distribution on which is maximized on the
diagonal. Let be a subdivision of with
clauses in constraint .
If is a trace on , then there is a
trace on such that , where , , and . Furthermore, if is finite-dimensional then so is .
Proof.
Since is maximized on the diagonal, if then for all , and the variables in do not appear
in . Thus we may assume without loss of generality that
for all . Let be a trace on
. By the GNS construction there is
a -representation of acting on a Hilbert
space with a unit cyclic vector such that for all . Let
be the weak operator closure of the image of , and let
be the faithful normal tracial state on corresponding to
(so .
For all the restriction of to is a -homomorphism from into , so by Lemma 6.1 there is a representation such that
(6.1) |
|
|
|
for all generators . Suppose , and let be
the homomorphism defined by for . Then
|
|
|
|
|
|
|
|
|
|
|
|
Since is maximized on the diagonal, and where is the connectivity of , we conclude that
|
|
|
|
|
|
|
|
For any , let , where the
order of the product is inherited from the order on . By Equation 6.1,
|
|
|
where the degree of has increased by one. Since , we get that
|
|
|
If , , and , then
|
|
|
and hence
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
We conclude that is a tracial state on with
bounded by
|
|
|
Since , we conclude that
|
|
|
By Lemma 6.7, there is a
-homomorphism , and pulling
back by this homomorphism gives the proposition.
∎
Finally, we can pull back tracial states from the subdivision algebra
to traces on .
Proposition 6.9.
Let be a BCS, and let be a subdivision of .
Let be a
probability distribution on , and let be the
probability distribution defined from as above. Then there is a -homomorphism ,
where and .
Proof.
For each and , choose an index
such that . Also, for each , choose an index
such that . Define by
. It follows immediately from
the definitions that is a -homomorphism .
Moving on to , observe that if as in Lemma 6.2 then
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
where we use the fact that , and that is cyclically equivalent to if . For any given
and , the number of elements with is bounded by
. Hence
|
|
|
where is the inclusion of the th factor.
We conclude that there is an -homomorphism
.
Finally, for , if , , and then , so
|
|
|
|
|
|
|
|
|
|
|
|
where is the product of for appearing
before in the order on , and is the product of
for appearing after in the order on . Since there are fewer than
terms in this sum, and and are unitary,
|
|
|
|
|
|
|
|
|
|
|
|
Hence
|
|
|
|
|
|
|
|
Since every term in the latter sum occurs in the sum for the weight function of ,
is a -homomorphism . We conclude that is an -homomorphism
, and .
∎
Applying Propositions 6.9 and 6.8 yields the result.
∎
7. Parallel repetition
Let be a nonlocal game. The
-fold parallel repetition of is the game
|
|
|
where
(1) is the -fold product of ,
(2) if , then ,
(3) if , then , and
(4) if , , , then .
In other words, the players each receive a vector of questions and from , and must reply
with a vector of answers and to each
question. Each pair of questions , is sampled
independently from , and the players win if and only if is a
winning answer to questions for all . If
has questions of length and answers of length , then
has questions of length and answers of length .
If is a correlation for , let be the correlation for
defined by
|
|
|
It is easy to see that is a quantum (resp. commuting operator)
correlation if and only if is a quantum (resp. commuting operator) correlation, and
that . Hence if
(resp. ) then (resp.
) as well. If ,
then (and the same
for the commuting operator value), but this inequality is not always tight.
However, Yuen’s parallel repetition theorem states that the game value goes
down at least polynomially in :
Theorem 7.1 ([Yue16]).
For any nonlocal game , if , then
, where is the length
of the answers of .
Suppose is a BCS and that is a probability
distribution on . For any , let , and . We can think of
as the disjoint union of copies of , and as the
copy of from the copy of . Since is a copy of
, we can identify with in the natural way. If , let and . Let . Given a distribution on
, consider the game , where
is the product distribution as above. In this game, the players are
given questions and from respectively, and must reply
with elements and
respectively. They win if and only if and agree on
. But this happens if and only if and agree on
. Thus is the
parallel repetition . We record this in the following
lemma:
Lemma 7.2.
If is a BCS game, then so is the parallel repetition .
To illustrate the purpose of parallel repetition, suppose that is a -protocol for
a language , where and has
answer length . If is a polynomial in , then can be sampled in polynomial time by running independently times,
and can also be computed in polynomial time by running
repeatedly. If and are these Turing
machines for sampling and computing
respectively, then is a -protocol for , where . Since is polynomial in , if , then we can choose such that is any constant . By Lemma 7.2 the same can be done for -.
8. Perfect zero knowledge
An protocol is perfect zero knowledge
if the verifier gains no new information from interacting with the provers. If the players’ behaviour in a game is given by the correlation , then what the verifier
(or any outside observer) sees is the distribution
over tuples . Consequently a -protocol
is said to be perfect zero-knowledge against an honest verifier if
the players can use correlations for such that the distribution
can be sampled in polynomial time in . However, a
dishonest verifier seeking to get more information from the players might
sample the questions from a different distribution from . To be
perfect zero-knowledge against a dishonest verifier, it must be possible
to efficiently sample for any efficiently sampleable distribution ,
and this is equivalent to being able to efficiently sample from for any . This leads to the definition (following
[CS19, Definition 6.3]):
Definition 8.1.
Let be a two-prover one-round protocol for a
language with completeness and soundness , where . The protocol is perfect zero
knowledge if for every string , there is
a correlation for such
that
(1) for all , the distribution can be sampled in polynomial time in , and
(2) if then and .
The class - is the class of languages with a perfect zero knowledge
two-prover one round protocol with completeness and soundness .
By replacing with , we get another class
-. If we replace protocols with - (resp. -) protocols and with (resp. ) we get the class -- (resp. --).
For the one-round protocols that we are considering, parallel repetition
preserves the property of being perfect zero knowledge.
Proposition 8.2.
Let be a - protocol, and let be a
polynomial function of .
Then the parallel repeated protocol
is also perfect zero knowledge.
Proof.
Let be a correlation for the game that satisfies the two
requirements of Definition 8.1. Then
can be
sampled in polynomial time in for all , by independently sampling from for each pair from and . If , then
, and it is not hard to see
that .
∎
We will now prove our main result that any proof system in
- or - can be turned into a perfect zero
knowledge - or - protocol. For this purpose, we
use the perfect zero knowledge proof system for 3SAT due to Dwork, Feige,
Kilian, Naor, and Safra [DFK+92], slightly modified for the proof
of quantum soundness. For the construction, we assume that we start with a
- protocol (and in the proof of Theorem 1.1, this will be a
3SAT- protocol). Following [DFK+92], the new proof system
is constructed in three steps. First, we apply a transformation called
obliviation, then turn the resulting system into a permutation branching program
via Barrington’s theorem [Bar86], and finally rewrite the
permutation branching programs using the randomizing tableaux of Kilian
[Kil90]. We start by describing obliviation.
Definition 8.3.
Given a BCS and , let , and for any . To make the elements of look more like variables, we denote
by . Let be the set of
assignments to such that the assignment to
defined by is in . The
obliviation of of degree is the constraint system
.
The point of obliviation is the following:
Lemma 8.4.
Suppose is a BCS, and let
for some . Then there is a classical homomorphism such that for all and , where is in the
inclusion of the th factor for and .
Furthermore, if is a probability distribution on , and
is a tracial state on , then there is a tracial state on
such that ,
, and for any ordered set of pairs with
and .
In particular, if is perfect then is perfect.
Proof.
Define for each by
for
and . By definition, if and only
if , so . If for some , ,
and , then we must have
for some . Since
|
|
|
for all , , the functions correspond to a
classical homomorphism with
for all and
.
Conversely, given and ,
define by ,
for , and . Since , the function sends
to . Also if and , then
if and only if
, so the functions
determine a local homomorphism with , for , and
for all and .
Define a tracial state on by
, where the sum is over all
.
Since is the identity on , .
Since and are -homomorphisms,
|
|
|
for any , so
and hence .
Finally, if is an ordered set of pairs with , then
there is an element and set
such that
|
|
|
for all , where .
If , then is non-empty. Hence
|
|
|
and if is non-empty.
∎
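The following added example (not code from the paper) illustrates why obliviation supports simulation: it reads the reconstruction map of Definition 8.3 as the exclusive disjunction of the shares of each variable, and compares the exact distribution of a prover's answers with that of a simulator that knows no assignment. The bit convention {0,1}, the clause, the variable names and all function names are assumptions made for the illustration.

```python
from collections import Counter
from fractions import Fraction
from itertools import product


def share(bit, free):
    """k shares of `bit`: the k-1 free bits plus one share that fixes the XOR."""
    last = bit
    for s in free:
        last ^= s
    return list(free) + [last]


def reconstruct(shares, variables, k):
    """Undo the sharing: XOR the k shares x(0), ..., x(k-1) of each variable."""
    values = {}
    for var in variables:
        bit = 0
        for i in range(k):
            bit ^= shares[(var, i)]
        values[var] = bit
    return values


def honest_view(assignment, k, asked, constraint):
    """Exact distribution of the shares in `asked` over all honest sharings."""
    variables = sorted(assignment)
    n_free = len(variables) * (k - 1)
    weight = Fraction(1, 2 ** n_free)
    dist = {}
    for bits in product((0, 1), repeat=n_free):
        shares = {}
        for n, var in enumerate(variables):
            free = bits[n * (k - 1):(n + 1) * (k - 1)]
            for i, s in enumerate(share(assignment[var], free)):
                shares[(var, i)] = s
        # Every honest sharing must lie in the obliviated constraint.
        if not constraint(reconstruct(shares, variables, k)):
            raise ValueError("assignment does not satisfy the constraint")
        view = tuple(shares[q] for q in asked)
        dist[view] = dist.get(view, 0) + weight
    return dist


def simulated_view(asked, k):
    """Simulator: knows no assignment and answers each asked share with a fair coin."""
    per_var = Counter(var for var, _ in asked)
    if len(set(asked)) != len(asked) or any(c >= k for c in per_var.values()):
        raise ValueError("simulation needs at most k-1 distinct shares per variable")
    return {v: Fraction(1, 2 ** len(asked))
            for v in product((0, 1), repeat=len(asked))}


def clause(v):
    """Constructed 3SAT clause: x0 OR (NOT x1) OR x2."""
    return bool(v["x0"] or not v["x1"] or v["x2"])


# Two different satisfying assignments (constructed sample data).
SAT_A = {"x0": 1, "x1": 1, "x2": 0}
SAT_B = {"x0": 0, "x1": 0, "x2": 1}


def partial_query(k):
    """Ask for every share except share 0 of each variable (k-1 shares each)."""
    return [(var, i) for var in sorted(SAT_A) for i in range(1, k)]


def full_query(var, k):
    """Ask for all k shares of one variable; this reveals its value."""
    return [(var, i) for i in range(k)]


if __name__ == "__main__":
    k = 3
    q = partial_query(k)
    same = (honest_view(SAT_A, k, q, clause) == honest_view(SAT_B, k, q, clause)
            == simulated_view(q, k))
    print("k-1 shares per variable are simulatable:", same)
```

With all k shares of a single variable the honest distributions for the two assignments differ, which is why the simulator refuses such a query.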
A permutation branching
program of width and depth on a set of variables is a tuple where
and are elements of the
permutation group for all , and is a
5-cycle. A permutation branching program defines a map via . A program
recognizes a constraint if
for all , and for all , where is
the identity in .
Theorem 8.5 (Barrington [Bar86]).
Suppose a constraint is recognized by a depth fan-in 2
boolean circuit. Then is recognized by a permutation branching program
of depth on the variables .
For the rest of the section, we assume that we have a canonical way of turning
constraints described by fan-in 2 boolean circuits into permutation branching
programs using Barrington’s theorem.
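As an added illustration (not code from the paper), the sketch below builds a width-5 permutation branching program for a 3SAT clause by the standard commutator construction behind Barrington's theorem and checks that it recognizes the clause. It assumes the convention that the program outputs the 5-cycle on satisfying assignments and the identity otherwise; the formula encoding, the chosen 5-cycle and all names are assumptions of the example.

```python
from functools import lru_cache
from itertools import permutations, product

E = (0, 1, 2, 3, 4)  # identity of S5; a permutation is the tuple of its images


def mul(p, q):
    """Group product: apply p first, then q."""
    return tuple(q[i] for i in p)


def inv(p):
    out = [0] * 5
    for i, j in enumerate(p):
        out[j] = i
    return tuple(out)


def is_five_cycle(p):
    """True when the orbit of 0 under p has length 5."""
    i, steps = p[0], 1
    while i != 0:
        i, steps = p[i], steps + 1
    return steps == 5


FIVE_CYCLES = [p for p in permutations(range(5)) if is_five_cycle(p)]


@lru_cache(maxsize=None)
def commutator_pair(target):
    """Five-cycles a, b with a*b*a^-1*b^-1 == target (one exists for every 5-cycle)."""
    for a, b in product(FIVE_CYCLES, repeat=2):
        if mul(mul(mul(a, b), inv(a)), inv(b)) == target:
            return a, b
    raise ValueError("target is not a five-cycle")


def build(formula, target):
    """Instructions (var, perm_if_0, perm_if_1) whose ordered product is `target`
    when the formula is true and the identity when it is false."""
    op = formula[0]
    if op == "var":
        return [(formula[1], E, target)]
    if op == "not":
        # Compute the subformula with target^-1, then multiply the output by target.
        prog = build(formula[1], inv(target))
        var, p0, p1 = prog[-1]
        prog[-1] = (var, mul(p0, target), mul(p1, target))
        return prog
    if op == "and":
        # a^f * b^g * a^-f * b^-g is the commutator iff f and g both hold.
        a, b = commutator_pair(target)
        f, g = formula[1], formula[2]
        return build(f, a) + build(g, b) + build(f, inv(a)) + build(g, inv(b))
    raise ValueError(op)


def OR(f, g):
    """Disjunction via De Morgan, so only 'not' and 'and' need a construction."""
    return ("not", ("and", ("not", f), ("not", g)))


def evaluate(program, x):
    """Multiply, in order, the permutation each instruction selects on input x."""
    out = E
    for var, p0, p1 in program:
        out = mul(out, p1 if x[var] else p0)
    return out


def recognizes(program, sigma, predicate, n):
    """Check the output on all 2^n inputs: sigma if satisfied, identity if not."""
    return all(evaluate(program, x) == (sigma if predicate(x) else E)
               for x in product((0, 1), repeat=n))


def clause(x):
    """Constructed 3SAT clause: x0 OR (NOT x1) OR x2."""
    return bool(x[0] or not x[1] or x[2])


SIGMA = (1, 2, 3, 4, 0)  # the 5-cycle 0 -> 1 -> 2 -> 3 -> 4 -> 0
CLAUSE = OR(OR(("var", 0), ("not", ("var", 1))), ("var", 2))
PROGRAM = build(CLAUSE, SIGMA)

if __name__ == "__main__":
    print("instructions:", len(PROGRAM))
    print("recognizes clause:", recognizes(PROGRAM, SIGMA, clause, 3))
```

Each conjunction multiplies the program length by four and negation is free, which is where the exponential dependence on circuit depth comes from.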
The final ingredient is randomizing tableaux, which are described using
constraints of the form , where the variables
take values in , is a constant in , and the
product is the group multiplication. Since , we can encode
permutations as bit strings of length by choosing an enumeration
, and identifying by its
index in binary. This means that any permutation-valued variable can be
represented by boolean variables, and similarly a permutation-valued
constraint can be rewritten as the constraint on
boolean variables which requires the boolean variables corresponding to
to encode a permutation value, and the product of all the permutations to be
equal to . Since we want our final output to be a boolean constraint system,
we use permutation-valued variables and permutation-valued constraints as
short-hand for boolean constraint systems constructed in this way. We can now
define randomizing tableaux, still following [DFK+92] with small
modifications.
Definition 8.6.
Let be a BCS, where each is described
by a fan-in 2 boolean circuit. Let be the permutation branching program
recognizing . For each , let
|
|
|
where and are new permutation-valued variables (and thus
represent 7 boolean variables each), and let
|
|
|
be the union of all the original and new variables. The variables
are called tableau elements, and the variables are called randomizers.
Let be the constraint on variables which is the conjunction of the
following clauses:
(1) for all ,
(2) for and , where we use the notation ,
(3) , and
(4) a trivial constraint (meaning that all assignments are allowed) on any pair of original or permutation-valued variables which do not appear in one of the above constraints.
The tableau of is , interpreted as a
boolean constraint system. We further let
be a list of the clauses in (1)-(4) making up . The subdivided
tableau of is .
As mentioned above, the product in the constraints on the permutation-valued
variables in parts (1)-(4) of the definition is the group product in . The
constraints in part (1) involve both original variables and
permutation-valued variables , and say that the value of
is either or depending on the value of
. In part (4), and can be either an original or a
permutation-valued variable. If one of them is a permutation-valued variable,
then all the corresponding boolean variables encoding the permutation-valued
variable are included in the constraint (so the constraint on and may
involve up to boolean variables). Since the constraints in part (4) are
trivial, they do not contribute to , but they are included in the list of
clauses of the subdivided tableau. The point of the
constraints in part (4) is that, with them, is a subdivision of
. Finally, observe that the constraints encode the constraints
as follows:
Lemma 8.7 ([DFK+92]).
Suppose is a BCS, and let . If , then .
Conversely, if , where is the set of randomizers in , and ,
then there is a unique element such that and .
In this lemma, the statement that means that for every
randomizer , the restriction of to the boolean
variables corresponding to is the encoding of the permutation
. Although the permutation-valued variables in are
shorthand for boolean variables, it is helpful to be able to work with the
permutation-valued variables directly in . Suppose for a moment
that are variables in a set , and is a constraint on
which includes the requirement that encode a
permutation-valued variable . Let . If , then in unless is the binary
representation of an index , in which case we also write
as . Hence the subalgebra of is
generated by the single unitary , which we denote by the same symbol as the permutation-valued
variable . In particular, if and as in Definition 8.6, then we can refer to
and as unitary elements of of order
, and they generate the same subalgebra as the boolean variables encoding
them. Since these variables do not occur in any other context for , we also use and to refer to
and in .
We use the same convention for .
The algebra is generated by the original variables and the
randomizers.
Lemma 8.8.
Suppose is a BCS, and let . Let be the set of randomizers in , and let .
Then is generated as an algebra by , and
is generated by .
This means that a homomorphism is completely
described by its action on . The following lemma extends
Lemma 8.7 to weighted BCS algebras.
Lemma 8.9.
Suppose is a BCS, and let . Then there is a classical homomorphism
such that for all and .
Conversely, let be the set of randomizers in . If , then
there is a classical homomorphism
such that for all and
, and for all , where
in the enumeration of fixed above.
Proof.
The proof is immediate from Corollary 5.7,
Lemma 8.7, and the definition of in .
∎
Theorem 8.10.
Let be a - protocol for a
language with completeness and soundness , such that
each context of has constant size, and is maximized on the
diagonal. Then there is a -- protocol
for with completeness
and soundness , where is the number of
contexts in . If is uniform, then
is also uniform.
Proof.
Let , and let be the subdivision
of corresponding to the subdivision of into
. If is uniform, then is also
uniform. For completeness, if there’s a perfect tracial state on
, then there is a perfect tracial state on
by Lemma 8.4, and consequently a perfect tracial state on
by Lemma 8.9. By Proposition 6.4,
there is a perfect tracial state on . Hence if ,
then has a perfect strategy.
Because has contexts of constant size, and hence
also has contexts of constant size. As a result, the
number and size of the clauses in the constraints of
are also constant. We conclude that the parameters , , and in
Theorem 6.5 when going from
to are all constant. Since
has contexts, if is a tracial state on , then
there is a tracial state on with
. Since there is a classical
homomorphism by Lemmas 8.4
and 8.9, we conclude that there is a tracial state on
with . Hence if
, then there is no synchronous strategy for
with .
Because all the constraints in have constant size, it is not hard
to see that the Turing machines and can be turned into Turing
machines and such that
is a - protocol for .
To prove that this protocol is perfect zero knowledge, we need to find a
polynomial time simulator which samples a correlation
that is perfect for the tableau game. Furthermore, must be a
quantum correlation if and only if is an accept instance of the tableau
game.
The tableau game involves the verifier requesting from each prover exactly
one of the constraints (1)-(4) from Definition 8.6, and checking their answers
for consistency. The simulator can efficiently sample any element
from the clauses of of the first row of the corresponding
tableau by uniformly sampling from . Elements of the tableau
and randomizers can be sampled efficiently by uniformly
sampling from . In this way, may efficiently simulate answers to
(1) and (2) by sampling the elements on the right side of the equation, and
computing the element on the left side. Answers to (3) are simulated by
sampling elements of , where is the constant depth of the
permutation branching program used to construct the tableau, and computing the
correct entry such that the product of the elements is equal to
, the output of the permutation branching program. Lastly, can
simulate answers to (4) by sampling elements of the first row of the tableau
uniformly as above (matching any pair that are labeled by the same oblivious
variable), and sampling other elements uniformly from . Thus, simulating
the response of an individual player Alice is trivial. The responses from Bob
need only be consistent with those of Alice on the overlap, with the remainder
of the answer sampled as above. This defines our simulatable correlation
and our simulator . It is clear that the correlation
sampled by is perfect for the tableau game. All that
remains is to show that is an accept instance if and only if
is a quantum correlation.
Suppose that is a quantum correlation. Then is an accept
instance, as there is a quantum correlation that allows the players to play the
instance of the tableau game perfectly.
Suppose that is an accept instance of the tableau game. Then there is some
quantum strategy for the tableau game such that the players always win. By
the gapped soundness of the reduction from 3SAT, this implies that the
underlying 3SAT instance has a perfect quantum strategy with observables
for . Alice and Bob may now choose any set of oblivious
observables such that the exclusive
disjunction of these is , that is
. So choose
to be observables that are with equal probability
for and let
and note that The values of any four of the are efficiently
sampleable. To play the tableau game, when Alice and Bob receive their
questions and respectively, they use auxiliary observables to generate
shared uniformly distributed randomizers and construct the tableaux
corresponding to the clauses of and according to relations (1) to (5)
in Definition 8.6. The value for each element of row one of the
tableau is equally likely to be either element of
. Note that the simulator only ever has to
sample at most four elements of the first row of a tableau, and only the
correlation of five or more of these variables depends on the perfect strategy
of . Each randomizer is an independently uniformly sampled
element of and thus any element of the second and third rows of the
tableau is equally likely to be any element of . Therefore the correlation
generated this way is .
∎
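The simulation of answers to (3) described in the proof above, as an added example that is not from the paper: it checks exhaustively that sampling all but one entry uniformly and solving for the last one reproduces the distribution of an honestly randomized answer. Assumptions: S_3 stands in for the permutation group, the depth is 3 in the checks, and the honest masking g_i -> r_{i-1}^{-1} g_i r_i is a standard randomization assumed here, since Definition 8.6 is not reproduced in this section.

```python
from collections import Counter
from itertools import permutations, product

# Assumption: S_3 stands in for the permutation group so that every
# distribution can be enumerated exactly; depth d = 3 in the checks.
GROUP = list(permutations(range(3)))
IDENTITY = tuple(range(3))

def mul(p, q):
    """Compose permutations: (p*q)(i) = p[q[i]]."""
    return tuple(p[i] for i in q)

def inv(p):
    """Inverse permutation: if p sends i to v, the inverse sends v to i."""
    out = [0] * len(p)
    for i, v in enumerate(p):
        out[v] = i
    return tuple(out)

def prod(elems):
    """Ordered product of a sequence of permutations."""
    acc = IDENTITY
    for e in elems:
        acc = mul(acc, e)
    return acc

def simulated_answers(target, d):
    """Simulator: d-1 entries range over all (uniform) choices, and the
    last entry is solved for so that the product equals `target`."""
    dist = Counter()
    for free in product(GROUP, repeat=d - 1):
        last = mul(inv(prod(free)), target)
        dist[free + (last,)] += 1
    return dist

def honest_answers(layers):
    """Assumed honest answer: layer values g_1..g_d masked by uniform
    randomizers as g_1 r_1, r_1^-1 g_2 r_2, ..., r_{d-1}^-1 g_d."""
    dist = Counter()
    for rs in product(GROUP, repeat=len(layers) - 1):
        left = (IDENTITY,) + tuple(inv(r) for r in rs)
        right = rs + (IDENTITY,)
        masked = tuple(mul(mul(l, g), r) for l, g, r in zip(left, layers, right))
        dist[masked] += 1
    return dist
```

Two different layer tuples with the same product give identical answer distributions, so the masked entries reveal only the product, which the simulator already knows.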
Theorem 8.11.
There is a perfect zero knowledge - protocol for the halting
problem in which the verifier selects questions according to the uniform distribution, the questions
have length , and the answers have constant length.
Proof.
By Theorem 2.2, there is a - protocol
for the halting problem with constant
soundness , in which has a constant number of contexts and
contexts of size , and is the uniform distribution
on pairs of contexts. By 5.8,
can be turned into a - protocol
where , is a 3SAT instance with
number of clauses polynomial in , and is polynomial in
. Then by subdividing the into a 3SAT we obtain a 3SAT protocol
with number of clauses polynomial
in , and is uniform. The theorem follows from 8.10.
∎
Let be the - protocol from
Theorem 8.11, so in particular has contexts, where , and is the uniform distribution on . Since the uniform distribution is -diagonally dominant,
Theorem 2.1 implies that has
soundness when considered as a protocol.
The result follows from 7.1 using a polynomial amount of parallel repetition.
∎
Theorem 8.12.
---.