QIP 08 Delhi Using Entanglement in Quantum MultiProver

  • Slides: 40
Download presentation
QIP’ 08, Delhi Using Entanglement in Quantum Multi-Prover Interactive Proofs Thomas Vidick UC Berkeley

QIP’ 08, Delhi Using Entanglement in Quantum Multi-Prover Interactive Proofs Thomas Vidick UC Berkeley Joint work with Julia Kempe (Tel-Aviv University) Hirotada Kobayashi (NII, Tokyo) Keiji Matsumoto (NII, Tokyo)

Quantum multi-prover interactive proof systems [KM 03] P 1 P 2. . . Pk

Quantum multi-prover interactive proof systems [KM 03] P 1 P 2. . . Pk |ψ> Verifier accept reject All messages are quantum. The provers share an entangled state |ψ> L is in QMIP(k, m, c, s) if: For every x, there is a polynomial verifier Vx that interacts with k infinitely-powerful provers in m turns and • if x L there exist provers that are accepted w. prob. > c • if x L any set of provers are accepted w. prob. < s

Known Parallelization Results [Babai. Fortnow. Lund’ 91], [Feige. Lovász’ 92] . . . P

Known Parallelization Results [Babai. Fortnow. Lund’ 91], [Feige. Lovász’ 92] . . . P 1 P 2 . . . Pk |ψ> MIP(k=poly, m=poly) = = ? MIP(k=2, m=2) [Kitaev. Watrous’ 00] Verifier QMIP(k=poly, m=poly) QIP(k=1, m=poly) = Very little is known! QIP(k=1, m=3)

What role does entanglement play? • QMIP(no entanglement) = MIP =NEXP [KMY 02] •

What role does entanglement play? • QMIP(no entanglement) = MIP =NEXP [KMY 02] • What happens when |ψ> comes into play ? • Provers can cheat: they can produce non-local correlations (Bell inequalities) • Verifier can be tougher. He knows they share entanglement. • We focus on the second point: can entanglement be useful even to honest provers?

Our Results Entanglement can help even in the honest setting • We show that,

Our Results Entanglement can help even in the honest setting • We show that, using entanglement, one can – Make QMIP perfectly complete. . P 1 P 2 – Parallelize to 3 turns – Make it public-coin 1) Provers send a state σ1 σ Pk 1 to the verifier QMIP(k, m, c, s) . . 1 -1/O(m 2) Verifier QMIPpub(k, 3, 1, s’)

Our Results Entanglement can help even in the honest setting • We show that,

Our Results Entanglement can help even in the honest setting • We show that, using entanglement, one can – Make QMIP perfectly complete. . P 1 P 2 – Parallelize to 3 turns – Make it public-coin b {0, 1} 2) Verifier broadcasts a public coin b to the provers QMIP(k, m, c, s) Pk 1 -1/O(m 2) Verifier QMIPpub(k, 3, 1, s’)

Our Results Entanglement can help even in the honest setting • We show that,

Our Results Entanglement can help even in the honest setting • We show that, using entanglement, one can – Make QMIP perfectly complete. . P 1 P 2 – Parallelize to 3 turns – Make it public-coin 3) Provers respond with σ a second message σ2. Verifier applies V and accepts or rejects. QMIP(k, m, c, s) . . Pk 2 1 -1/O(m 2) Verifier QMIPpub(k, 3, 1, s’) accept reject

Our Results Entanglement can help even in the honest setting • We show that,

Our Results Entanglement can help even in the honest setting • We show that, using entanglement, one can to two turns: complete –Parallelize Make QMIP perfectly. . P 1 P 2 – Parallelize to 3 turns – Make it public-coin b {0, 1} 1) Verifier broadcasts b to all but one prover QMIP(k, m, c, s) Pk 1 -1/O(m 2) Verifier QMIPpub(k, 3, 1, s’) Pk+1

Our Results Entanglement can help even in the honest setting • We show that,

Our Results Entanglement can help even in the honest setting • We show that, using entanglement, one can to two turns: complete –Parallelize Make QMIP perfectly. . P 1 P 2 – Parallelize to 3 turns – Make it public-coin 2) Provers respond with σ a message σ1. Verifier applies V and accepts or rejects. QMIP(k, m, c, s) . . Pk 1 1 -1/O(m 2) Verifier QMIPpub(k, 3, 1, s’) accept reject Pk+1

Our Results Entanglement can help even in the honest setting • We show that,

Our Results Entanglement can help even in the honest setting • We show that, using entanglement, one can – Make QMIP perfectly complete ü True (class. ) – Parallelize to 3 turns ü True (class. ) False (class. ) ! – Make it public-coin QMIP(k, m, c, s) QMIPpub(k, 3, 1, s’)

Public-coin protocols. . . public = + Provers know each other’s questions : they

Public-coin protocols. . . public = + Provers know each other’s questions : they can perfectly coordinate! U 1 U 2 . . . Uk + public ! ≠ Provers are still restricted to apply local unitaries U 1

Roadmap: QMIP(k, m, c, s) Idea: use Watrous’ “rewinding” technique QMIP(k, 3 m, 1,

Roadmap: QMIP(k, m, c, s) Idea: use Watrous’ “rewinding” technique QMIP(k, 3 m, 1, s’) Ideas from [KW 00] for QIP Amplify in sequence QMIP(k, m’, 1, 2 -poly) Idea: sequentially half #turns using snapshot states, starting in the “middle” QMIP(k, 3, 1, s’’) Idea: start in the middle, verifier only says “forward” or “backward” publicly QMIPpub(k, 3, 1, s’’’)

QMIP(k, m, c, s) QMIP(k, 3 m, 1, s’) Perfect Completeness An application of

QMIP(k, m, c, s) QMIP(k, 3 m, 1, s’) Perfect Completeness An application of Watrous’ rewinding technique Start with c= ½ : honest provers are such that verifier’s projection Unitary circuit Projection of the Verifier’s on provers’ V’s private qubits and are verifier’s transformations qubits initialised to |0… 0>to , |0… 0> on “accept” |ψ’> = |ψ>|0> is the largest eigenvector of πinit Q† πacc. Q πinit

QMIP(k, m, c, s) The initial protocol QMIP(k, 3 m, 1, s’) P |ψ’>

QMIP(k, m, c, s) The initial protocol QMIP(k, 3 m, 1, s’) P |ψ’> Q πinit πacc V P 1 2 P 1 3 Pm V 1 Vm+1 Q 1 Qm

QMIP(k, m, c, s) The new protocol QMIP(k, 3 m, 1, s’) Δ =

QMIP(k, m, c, s) The new protocol QMIP(k, 3 m, 1, s’) Δ = Id – 2 πinit P |ψ’> πinit Q πacc Q† Δ Q πacc V P 1 • • • 2 3 4 5 6 Q : the unitary circuit of provers’ and verifier’s transformations, πinit : projection on V’s ancilla qubits to |0… 0> πacc : verifier’s projection on “accept”. 7

QMIP(k, m, c, s) The new protocol QMIP(k, 3 m, 1, s’) |ψ’> Δ

QMIP(k, m, c, s) The new protocol QMIP(k, 3 m, 1, s’) |ψ’> Δ = Id – 2πinit P πinit Q πacc Q† Δ Q πacc V P 1 2 3 4 5 6 7 • Completeness : ok • Soundness : we need to check that the provers perform Q† !

QMIP(k, m, c, s) The new protocol QMIP(k, 3 m, 1, s’) |ψ’> Δ

QMIP(k, m, c, s) The new protocol QMIP(k, 3 m, 1, s’) |ψ’> Δ = Id – 2 πinit P πinit Q πId acc Q† πinit Δ Q πacc V P 1 2 3 44 5 6 7 • Completeness : ok • Soundness : we need to check that the provers perform Q†! • Only apply πacc with prob ½ • Instead of Δ, apply πinit : check we are back to initial state.

Roadmap QMIP(k, m, c, s) Done QMIP(k, 3 m, 1, s’) Amplify in sequence

Roadmap QMIP(k, m, c, s) Done QMIP(k, 3 m, 1, s’) Amplify in sequence QMIP(k, m’, 1, 2 -poly) Coming next QMIP(k, 3, 1, s’’) QMIPpub(k, 3, 1, s’’’)

Parallelizing to 3 turns QMIP(k, 4 m+1, 1, s) QMIP(k, 2 m+1, 1, s’)

Parallelizing to 3 turns QMIP(k, 4 m+1, 1, s) QMIP(k, 2 m+1, 1, s’) • Idea : sequentially half the number of turns by starting in the middle and iterating • s’ = (1 + √s)/2 • Similar idea to [KW 00], but we are more communication-efficient

QMIP(k, 4 m+1, 1, s) Parallelizing to 3 turns QMIP(k, 2 m+1, 1, s’)

QMIP(k, 4 m+1, 1, s) Parallelizing to 3 turns QMIP(k, 2 m+1, 1, s’) b=1 b=0 P 1 M 1 V πinit V 1 Pm Q 1 Pm+1 Vm+1 Q 2 V 2 m πacc M 2 P 2 Q 1 Qm Pm+1 Honest provers need entanglement!

Roadmap QMIP(k, m, c, s) Done QMIP(k, 3 m, 1, s’) Done QMIP(k, m’,

Roadmap QMIP(k, m, c, s) Done QMIP(k, 3 m, 1, s’) Done QMIP(k, m’, 1, 2 -poly) Done QMIP(k, 3, 1, s’’) Coming next QMIPpub(k, 3, 1, s’’’)

Public-coin Systems QMIP(k, 3, 1, s) QMIPpub(k, 3, 1, s’) • Transform any 3

Public-coin Systems QMIP(k, 3, 1, s) QMIPpub(k, 3, 1, s’) • Transform any 3 -turn protocol into a public-coin protocol • The verifier’s only message is the broadcast of a single bit • In the purely classical setting, MIPpub = IP ! • Proof idea : start in the middle : verifier’s message is “forwards” or “backwards”. • Constant soundness is preserved

QMIP(k, 3, 1, s’’) The original protocol QMIPpub(k, 3, 1, s’’’) 1 2 3

QMIP(k, 3, 1, s’’) The original protocol QMIPpub(k, 3, 1, s’’’) 1 2 3 P 1 4 5 6 7 8 P 1 M 1 V |ψ> πinit V 2 V 1 M 2 P 2 πacc

QMIP(k, 3, 1, s’’) 1. Prover 1 sends register V QMIPpub(k, 3, 1, s’’’)

QMIP(k, 3, 1, s’’) 1. Prover 1 sends register V QMIPpub(k, 3, 1, s’’’) 1 2 3 4 P 1 5 6 7 8 P 1 M 1 V |ψ> πinit V 1 V 2 1 M 2 P 2 πacc

QMIP(k, 3, 1, s’’) QMIPpub(k, 3, 1, s’’’) 2. Verifier broadcasts a bit b

QMIP(k, 3, 1, s’’) QMIPpub(k, 3, 1, s’’’) 2. Verifier broadcasts a bit b b=1 b=0 P 1 M 1 V |ψ> πinit V 1 V 2 1 M 2 P 2 πacc

QMIP(k, 3, 1, s’’) QMIPpub(k, 3, 1, s’’’) 3(b=0). Provers send message registers 2

QMIP(k, 3, 1, s’’) QMIPpub(k, 3, 1, s’’’) 3(b=0). Provers send message registers 2 b=0 P 1 5 P 1 M 1 V |ψ> πinit V 1 7 V 2 3 P 2 8 3 1 M 2 P 2 6 πacc

QMIP(k, 3, 1, s’’) QMIPpub(k, 3, 1, s’’’) 4(b=0). Verifier measures as in original

QMIP(k, 3, 1, s’’) QMIPpub(k, 3, 1, s’’’) 4(b=0). Verifier measures as in original protocol 2 b=0 P 1 5 P 1 M 1 V |ψ> πinit V 1 7 V 2 3 P 2 8 3 1 M 2 P 2 6 πacc π

QMIP(k, 3, 1, s’’) 3(b=1). Provers send message registers QMIPpub(k, 3, 1, s’’’) 1

QMIP(k, 3, 1, s’’) 3(b=1). Provers send message registers QMIPpub(k, 3, 1, s’’’) 1 2 3 2 b=1 4 P 1 V M 2 P 2 |ψ> πinit V 1 6 7 8 P 1 3 M 1 5 V 2 1 3 P 2 πacc

QMIP(k, 3, 1, s’’) 4(b=1). Verifier checks initial qubits are |0> QMIPpub(k, 3, 1,

QMIP(k, 3, 1, s’’) 4(b=1). Verifier checks initial qubits are |0> QMIPpub(k, 3, 1, s’’’) 1 2 3 2 b=1 P 1 3 M 1 V M 2 P 1 |ψ> πinit V 1 V 2 1 3 P 2 πacc

QMIP(k, 3, 1, s’’) Public-coin Systems QMIPpub(k, 3, 1, s’’’) • Completeness : ok

QMIP(k, 3, 1, s’’) Public-coin Systems QMIPpub(k, 3, 1, s’’’) • Completeness : ok (but honest provers need entanglement!) • Soundness : put together “forward” (b=0) and “backwards” (b=1) provers to construct provers for the original protocol

QMIP(k, 3, 1, s’’) 1. Prover 1 sends register V QMIPpub(k, 3, 1, s’’’)

QMIP(k, 3, 1, s’’) 1. Prover 1 sends register V QMIPpub(k, 3, 1, s’’’) 1 2 3 4 P 1 5 6 7 8 P 1 M 1 V |ψ> πinit V 1 V 2 1 M 2 P 2 πacc

QMIP(k, 3, 1, s’’) Public-coin Systems QMIPpub(k, 3, 1, s’’’) • Completeness : ok

QMIP(k, 3, 1, s’’) Public-coin Systems QMIPpub(k, 3, 1, s’’’) • Completeness : ok (but honest provers need entanglement!) • Soundness : put together “forward” (b=0) and “backwards” (b=1) provers to construct provers for the original protocol • Can be parallelized to two turns by adding an extra prover (who will not see the bit b)

QMIP(k, 3, 1, s’’) QMIPpub(k, 3, 1, s’’’) 1. Verifier broadcasts a bit b

QMIP(k, 3, 1, s’’) QMIPpub(k, 3, 1, s’’’) 1. Verifier broadcasts a bit b to the original two provers P 1 b=0 P 1 M 1 V |ψ> V 2 πinit V 1 M 2 P 2 πacc

2. Prover 3 sends register V Provers 1, 2 send message registers QMIP(k, 3,

2. Prover 3 sends register V Provers 1, 2 send message registers QMIP(k, 3, 1, s’’) QMIPpub(k, 3, 1, s’’’) 1 2 3 4 P 1 b=0 5 P 1 M 1 V |ψ> πinit V 1 7 V 2 2 P 2 8 1 3 M 2 P 2 6 πacc

2. Prover 3 sends register V Provers 1, 2 send message registers QMIP(k, 3,

2. Prover 3 sends register V Provers 1, 2 send message registers QMIP(k, 3, 1, s’’) QMIPpub(k, 3, 1, s’’’) 1 2 3 b=1 4 P 1 V M 2 P 2 |ψ> πinit V 1 6 7 8 P 1 1 M 1 5 V 2 3 2 P 2 πacc

QMIP(k, 3, 1, s’’) Public-coin Systems QMIPpub(k, 3, 1, s’’’) • Completeness : ok

QMIP(k, 3, 1, s’’) Public-coin Systems QMIPpub(k, 3, 1, s’’’) • Completeness : ok (but honest provers need entanglement!) • Soundness : put together “forward” (b=0) and “backwards” (b=1) provers to construct provers for the original protocol • Can be parallelized to two turns only by adding an extra prover (who will not see the bit b) • Message length is the same as in original protocol

Roadmap QMIP(k, m, c, s) Done QMIPpub(k, 3, 1, s’’’) Done QMIP(k+1, 2, 1,

Roadmap QMIP(k, m, c, s) Done QMIPpub(k, 3, 1, s’’’) Done QMIP(k+1, 2, 1, s’’’) Amplify with new set of provers each time QMIP(k’, 2, 1, 2 -poly)

A Corollary QMIPpub(k, 3, 1, s’’’) QMIP(k+1, 2, 1, s’’’) For k=1 this gives

A Corollary QMIPpub(k, 3, 1, s’’’) QMIP(k+1, 2, 1, s’’’) For k=1 this gives PSPACE QMIP(2, 2, 1, 2 -poly) quantum two-prover one-round with entanglement (strongest inclusion known) Using [Marriott. Watrous 04] and [Kitaev. Watrous 03]: PSPACE QIP QMAM =QMIPpub(1, 3, 1, 2 -poly).

Conclusion and Open Problems • Any QMIP protocol can be made perfectly complete, 3

Conclusion and Open Problems • Any QMIP protocol can be made perfectly complete, 3 -turn and public-coin, with soundness = 1 -poly-1 • Make it 2 -turn by adding an extra prover • Make the soundness constant by repeating with different sets of provers • What about a parallel repetition theorem? – It suffices to prove it for 3 turns and public-coin – [MW 04] did the k=1 case • More turns are not useful. What about more provers?

Thank you!

Thank you!