Two prover perfect zero knowledge for MIP*

Kieran Mastel^1,2 and William Slofstra^1,2 Institute for Quantum Computing, University of Waterloo, Canada Department of Pure Mathematics, University of Waterloo, Canada william.slofstra@uwaterloo.ca kmastel@uwaterloo.ca

Abstract.

The recent $\operatorname{MIP}^{*}=\operatorname{RE}$ theorem of Ji, Natarajan, Vidick, Wright, and Yuen shows that the complexity class $\operatorname{MIP}^{*}$ of multiprover proof systems with entangled provers contains all recursively enumerable languages. Prior work of Grilo, Slofstra, and Yuen [FOCS ’19] further shows (via a technique called simulatable codes) that every language in $\operatorname{MIP}^{*}$ has a perfect zero knowledge ( $\operatorname{PZK}$ ) $\operatorname{MIP}^{*}$ protocol. The $\operatorname{MIP}^{*}=\operatorname{RE}$ theorem uses two-prover one-round proof systems, and hence such systems are complete for $\operatorname{MIP}^{*}$ . However, the construction in Grilo, Slofstra, and Yuen uses six provers, and there is no obvious way to get perfect zero knowledge with two provers via simulatable codes. This leads to a natural question: are there two-prover $\operatorname{PZK}$ - $\operatorname{MIP}^{*}$ protocols for all of $\operatorname{MIP}^{*}$ ?

In this paper, we show that every language in $\operatorname{MIP}^{*}$ has a two-prover one-round $\operatorname{PZK}$ - $\operatorname{MIP}^{*}$ protocol, answering the question in the affirmative. For the proof, we use a new method based on a key consequence of the $\operatorname{MIP}^{*}=\operatorname{RE}$ theorem, which is that every $\operatorname{MIP}^{*}$ protocol can be turned into a family of boolean constraint system (BCS) nonlocal games. This makes it possible to work with $\operatorname{MIP}^{*}$ protocols as boolean constraint systems, and in particular allows us to use a variant of a construction due to Dwork, Feige, Kilian, Naor, and Safra [Crypto ’92] which gives a classical $\operatorname{MIP}$ protocol for 3SAT with perfect zero knowledge. To show quantum soundness of this classical construction, we develop a toolkit for analyzing quantum soundness of reductions between BCS games, which we expect to be useful more broadly. This toolkit also applies to commuting operator strategies, and our argument shows that every language with a commuting operator BCS protocol has a two prover $\operatorname{PZK}$ commuting operator protocol.

1. Introduction

In an interactive proof protocol, a prover tries to convince a verifier that a string $x$ belongs to $\mathcal{L}$ . Interactive proof systems can be more powerful than non-interactive systems; famously, the class $\operatorname{IP}$ of interactive proofs with a polynomial time verifier and a single prover is equal to $\operatorname{PSPACE}$ [Sha92], and the class $\operatorname{MIP}$ with a polynomial time verifier and multiple provers is equal to $\operatorname{NEXP}$ [BFL90]. In this latter class, the provers can communicate with the verifier, but are assumed not to be able to communicate with each other. The proof systems used in [BFL90] are very efficient, and require only two provers and one-round of communication. Interactive proof systems also allow zero knowledge protocols, in which the prover demonstrates that $x\in\mathcal{L}$ without revealing any other information to the verifier. As a result, interactive proof systems are important to both complexity theory and cryptography. The first zero knowledge proof systems go back to the invention of interactive proof systems by Goldwasser, Micali, and Rackoff [GMR85], and every language in MIP admits a two-prover one-round perfect zero knowledge proof system by a result of Ben-Or, Goldwasser, Kilian, and Wigderson [BOGKW88]. Perfect means that absolutely no information is revealed to the verifier, in contrast to statistical zero knowledge (in which the amount of knowledge gained by the verifier is small but bounded), or computational zero knowledge (in which zero knowledge relies on some computational intractability assumption).

Since the provers in a MIP protocol are not allowed to communicate, it is natural to ask what happens if they are allowed to share entanglement. This leads to the complexity class $\operatorname{MIP}^{*}$ , first introduced by Cleve, Hoyer, Toner, and Watrous [CHTW04]. Entanglement allows the provers to break some classical proof systems by coordinating their answers, but the improved ability of the provers also allows the verifier to set harder tasks. As a result, figuring out the power of $\operatorname{MIP}^{*}$ has been difficult, and there have been successive lower bounds in [KKM⁺11, IKM09, IV12, Vid16, Vid20, Ji16, NV18b, Ji17, NV18a, FJVY19]. Most recently (and spectacularly), Ji, Natarajan, Vidick, Wright, and Yuen showed that $\operatorname{MIP}^{*}=\operatorname{RE}$ , the class of languages equivalent to the halting problem [JNV⁺22b]. Reichardt, Unger, and Vazirani also showed that $\operatorname{MIP}^{*}$ is equal to the class $\operatorname{QMIP}^{*}$ , in which the verifier is quantum, and can communicate with the provers via quantum channels [RUV13]. On the perfect zero knowledge front, Chiesa, Forbes, Gur, and Spooner showed that every language in $\operatorname{NEXP}$ (and hence in classical $\operatorname{MIP}$ ) has a perfect zero knowledge $\operatorname{MIP}^{*}$ proof system, or in other words belongs to $\operatorname{PZK}$ - $\operatorname{MIP}^{*}$ [CFGS22]. Grilo, Slofstra, and Yuen show that all of $\operatorname{MIP}^{*}$ belongs to $\operatorname{PZK}$ - $\operatorname{MIP}^{*}$ [GSY19].

Combining $\operatorname{PZK}$ - $\operatorname{MIP}^{*}=\operatorname{MIP}^{*}$ with $\operatorname{MIP}^{*}=\operatorname{RE}$ shows that there are one-round perfect zero-knowledge $\operatorname{MIP}^{*}$ proof systems for all languages that can be reduced to the halting problem, a very large class. However, the construction in [GSY19] is involved. The idea behind the proof is to encode a circuit for an arbitrary $\operatorname{MIP}$ verifier in a “simulatable” quantum error correcting code, and then hide information from the verifier by splitting the physical qubits of this code between different provers. The resulting proof systems in [GSY19] require $6$ provers, and because the core concept of the proof is to split information between provers, bringing this down to $2$ provers (as can be done with perfect zero-knowledge for $\operatorname{MIP}$ ) seems to require new ideas.

The purpose of this paper is to show that all languages in $\operatorname{MIP}^{*}$ do indeed have two-prover one-round perfect zero knowledge proof systems. Specifically, we show that:

Theorem 1.1.

Every language in $\operatorname{MIP}^{*}$ (and hence in $\operatorname{RE}$ ) admits a two-prover one-round perfect zero knowledge $\operatorname{MIP}^{*}$ protocol with completeness probability $c=1$ and soundness probability $s=1/2$ , in which the verifier chooses questions uniformly at random.

The idea behind the proof is to use the output of the $\operatorname{MIP}^{*}=\operatorname{RE}$ theorem, rather than encoding arbitrary $\operatorname{MIP}^{*}$ -protocols. The proof that $\operatorname{MIP}^{*}=\operatorname{RE}$ in [JNV⁺22b] is very difficult, but requires only two-prover one-round proof systems. Natarajan and Zhang have sharpened the proof to show that these proof systems require only a constant number of questions, and $\operatorname{polylog}$ length answers from the provers [NZ23]. This shows that $\operatorname{MIP}^{*}=\operatorname{AM}^{*}(2)$ , the complexity class of languages with two-prover $\operatorname{MIP}^{*}$ -protocols in which the verifier chooses their messages to the prover uniformly at random. A one-round $\operatorname{MIP}$ or $\operatorname{MIP}^{*}$ proof system is equivalent to a family of nonlocal games, in which the provers (now also called players) are given questions and return answers to a verifier (now also called a referee), who decides whether to accept (in which case the players are said to win) or reject (the players lose). In both [JNV⁺22b] and [NZ23], the games are synchronous, meaning that if the players receive the same question then they must reply with the same answer, and admit what are called oracularizable strategies. As we observe in this paper, one-round $\operatorname{MIP}^{*}$ proof systems in which the games are synchronous and oracularizable are equivalent to the class of $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ proof systems, which are one-round two-prover proof systems in which the nonlocal games are boolean constraint system (BCS) games. In a boolean constraint system, two provers try to convince the verifier that a given BCS is satisfiable. BCS games were introduced by Cleve and Mittal [CM14], and include famous examples of nonlocal games such as the Mermin-Peres magic square [Mer90, Per90]. Boolean constraint systems are much easier to work with than general $\operatorname{MIP}^{*}$ protocols, so rather than showing that every $\operatorname{MIP}^{*}$ protocol can be transformed to a perfect zero knowledge protocol, we prove Theorem 1.1 by showing that every $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol can be transformed to a perfect zero knowledge protocol. As we explain at the end of Section 2, when combined with the $\operatorname{MIP}^{*}=\operatorname{RE}$ theorem this gives an effective way to transform any $\operatorname{MIP}^{*}$ -protocol (including protocols with many provers and rounds) into a perfect zero knowledge $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol.

One way to transform a $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol to a perfect zero-knowledge protocol is to use graph colouring games, which are famous examples of perfect zero knowledge games. Classically, every BCS instance can be transformed to a graph such that the graph is $3$ -colourable if and only if the BCS is satisfiable. Ji has shown that every BCS can be transformed to a graph such that the original BCS game has a perfect quantum strategy if and only if the $3$ -colouring game for the graph has a perfect quantum strategy [Ji13] (see also [Har23]). Using the techniques in this paper, it is also possible to show that this transformation preserves soundness of $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocols, and hence that every $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol can be transformed to a $\operatorname{MIP}^{*}$ protocol based on graph colouring games. Unfortunately graph colouring games are only perfect zero knowledge against honest verifiers, so this construction does not give a perfect zero knowledge protocol for dishonest verifiers. Instead, we use another classical transformation due to Dwork, Feige, Kilian, Naor, and Safra [DFK⁺92], which takes every 3SAT instance to a perfect zero-knowledge $\operatorname{MIP}$ protocol. We show that a modest variant of this construction remains perfect zero knowledge in the quantum setting, and preserves soundness of $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocols. In both the original argument and our argument, it is necessary for soundness to work with $\operatorname{BCS}$ - $\operatorname{MIP}$ protocols with small (meaning $\log$ or $\operatorname{polylog}$ ) question length. In the classical setting, $\operatorname{BCS}$ - $\operatorname{MIP}$ with $\log$ question length is equal to $\operatorname{NP}$ , so the construction in [DFK⁺92] only shows that $\operatorname{NP}$ is contained in $\operatorname{PZK}$ - $\operatorname{MIP}$ , rather than all of $\operatorname{NEXP}$ . In the quantum setting, $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ with $\operatorname{polylog}$ question length is equal to $\operatorname{MIP}^{*}$ and this construction suffices to prove perfect zero knowledge for any $\operatorname{MIP}^{*}$ protocol — an interesting difference in what techniques can be used between the classical and quantum setting.

In general, it’s a difficult question to figure out if a classical transformation of constraint systems (of which there are many) remains sound (meaning that it preserves soundness of protocols) in the quantum setting. For instance, one of the key parts of the $\operatorname{MIP}^{*}=\operatorname{RE}$ theorem is the construction of PCP of proximity which is quantum sound. On the other hand, there are some transformations which lift fairly easily to the quantum setting. We identify two such classes of transformations, “classical transformations” which are applied constraint by constraint, and “context subdivision transformations”, in which each constraint is split into a number of subclauses. Both types of transformations are used implicitly throughout the literature on nonlocal games, including in [Ji13], which was the first paper to consider reductions between quantum strategies in BCS games. In this paper, we systematically investigate the quantum soundness of these transformations. It’s relatively easy to show that classical transformations preserve soundness, and this is shown in Section 5. In subdivision, each subclause becomes a different question in the associated BCS game, and thus a strategy for the subdivided game has many more observables than the original game. Since these new observables don’t need to commute with each other, subdivision is more difficult to work with. Nonetheless, we show that if the subclauses have a bounded number of variables, then subdivision preserves soundness with a polynomial dropoff. This is shown in Section 6. The construction in [DFK⁺92] can be described as a composition of classical transformations and context subdivision transformations, so quantum soundness (with polynomial dropoff) of this construction follows from combining the soundness of these two transformations. We recover a constant soundness gap by using parallel repetition, which preserves the class of BCS games.

While reductions between nonlocal games have been important in previous work, they are difficult to reason about, since it’s necessary to keep track of how strategies for one game map to strategies for the other game. One advantage of working with constraint systems in the classical setting is that it’s more convenient to work with assignments (and think about the fraction of constraints in the system that can be satisfied) than it is to work with strategies and winning probabilities. In the quantum setting, it isn’t possible to work with assignments, because strategies involve observables that don’t necessarily commute with each other. However, we can achieve a similar conceptual simplification by replacing assignments with representations of the BCS algebra of the constraint system. This algebra is the same as the synchronous algebra of the BCS game introduced in [HMPS19, KPS18]; we refer to [PS23] for more background. With this approach, reductions between BCS games can be expressed as homomorphisms between BCS algebras, and these are much easier to describe and work with than mappings between strategies. For soundness arguments, we need to work with near-perfect strategies, and these correspond to approximate representations of the BCS algebra [Pad22]. Previous work using this idea (see e.g. [Pad22, Har23]) has focused on reductions between single games, and the definitions are not suitable for working with protocols, as they do not incorporate question distributions. To solve this problem, we introduce a notion of weighted algebras and weighted homomorphisms, which allows us to keep track of soundness of reductions between games using completely algebraic arguments involving sums of squares.

Another advantage of the weighted algebras framework is that arguments can be made simultaneously for both quantum and commuting operator strategies. Our proof methods extend to commuting operator strategies as a result. However, our results here are not as conclusive, as the exact characterization of the corresponding complexity class $\operatorname{MIP}^{co}$ is not known. There is a conjecture that $\operatorname{MIP}^{co}=\operatorname{coRE}$ , and with that conjecture and a parallel repetition theorem for commuting operator strategies, we expect that it would be possible to extend Theorem 1.1 to show that all languages in $\operatorname{MIP}^{co}$ have a perfect zero knowledge commuting operator protocol. Without these ingredients, we are limited to showing that $\operatorname{BCS}$ - $\operatorname{MIP}^{co}=\operatorname{PZK}$ - $\operatorname{BCS}$ - $\operatorname{MIP}^{co}$ . Previous work on perfect zero knowledge for commuting operator protocols does not preserve soundness gaps [CS19].

Our results also have applications for the membership problem for quantum correlations. For exact membership, the cohalting problem is many-one reducible to membership in the set of quantum-approximable correlations $C_{qa}$ , and to membership in the set of commuting operator correlations $C_{qc}$ [Slo19, CS19, FMS21]. It follows from $\operatorname{MIP}^{*}=\operatorname{RE}$ that the halting problem is Turing reducible to approximate membership in $C_{q}$ , the set of quantum correlations, but this is not a many-one reduction. Theorem 1.1 immediately implies that there is a many-one reduction from the halting problem to approximate membership in $C_{q}$ .

Because we use parallel repetition to reduce an inverse-polynomial soundness gap to a constant soundness gap, the protocols in Theorem 1.1 use polynomial length questions and answers. If an inverse-polynomial soundness gap is allowed, we get perfect zero-knowledge protocols with $\operatorname{polylog}$ question length and constant answer length. Whether it is possible to get perfect zero-knowledge protocols with $\operatorname{polylog}$ question length, constant answer length, and constant soundness gap is an interesting open question. This would be possible with an improved analysis or construction for subdivision such as appears in the low degree test [JNV⁺22a] used in the $\operatorname{MIP}^{*}=\operatorname{RE}$ theorem.

Acknowledgements

We thank Connor Paddock and Henry Yuen for helpful conversations. KM is supported by NSERC. WS is supported by NSERC DG 2018-03968 and an Alfred P. Sloan Research Fellowship.

2. Nonlocal games and MIP*

A two-player nonlocal (or Bell) scenario consists of a finite set of questions $I$ , and a collection of finite answer sets $(O_{i})_{i\in I}$ . Often in this definition there are separate question and answer sets for each player, but it’s convenient for us to assume that both players have the same question and answer sets, and we don’t lose any generality by assuming this. We often think of the question and answer sets as being subsets of $\{0,1\}^{n}$ and $\{0,1\}^{m_{i}}$ , $i\in I$ respectively, in which case we say that the questions have length $n$ and the answers have length $\max_{i\in I}m_{i}$ . A nonlocal game consists of a nonlocal scenario $(I,(O_{i})_{i\in I})$ , along with a probability distribution $\pi$ on $I\times I$ and a family of functions $V(\cdot,\cdot|i,j):O_{i}\times O_{j}\to\{0,1\}$ for $(i,j)\in I\times I$ . In the game, the players (commonly called Alice and Bob) receive questions $i$ and $j$ from $I$ with probability $\pi(i,j)$ , and reply with answers $a\in O_{i}$ and $b\in O_{j}$ respectively. They win if $V(a,b|i,j)=1$ , and lose otherwise.

A correlation for scenario $(I,\{O_{i}\}_{i\in I})$ is a family $p$ of probability distributions $p(\cdot,\cdot|i,j)$ on $O_{i}\times O_{j}$ for all $(i,j)\in I\times I$ . Correlations are used to describe the players’ behaviour in a nonlocal scenario. The probability $p(a,b|i,j)$ is interpreted as the probability that the players answer $(a,b)$ on questions $(i,j)$ . A correlation $p$ is quantum if there are

(a)
finite-dimensional Hilbert spaces $H_{A}$ and $H_{B}$ ,
(b)
a projective measurement $\{M^{i}_{a}\}_{a\in O_{i}}$ on $H_{A}$ for every $i\in I$ ,
(c)
a projective measurement $\{N^{i}_{a}\}_{a\in O_{i}}$ on $H_{B}$ for every $i\in I$ , and
(d)
a state $\ket{v}\in H_{A}\otimes H_{B}$

such that $p(a,b|i,j)=\braket{v}{M^{i}_{a}\otimes N^{j}_{b}}{v}$ for all $i,j\in I$ , $a\in O_{i}$ , $b\in O_{j}$ . A collection $(H_{A},H_{B},\{M^{i}_{a}\},\{N^{i}_{a}\},\ket{v})$ as in (a)-(d) is called a quantum strategy. A correlation $p$ is commuting operator if there is

(i)
a Hilbert space $H$ ,
(ii)
projective measurements $\{M^{i}_{a}\}_{a\in O_{i}}$ and $\{N^{i}_{a}\}_{a\in O_{i}}$ on $H$ for every $i\in I$ , and
(iii)
a state $\ket{v}\in H$

such that $M^{i}_{a}N^{j}_{b}=N^{j}_{b}M^{i}_{a}$ and $p(a,b|i,j)=\braket{v}{M^{i}_{a}N^{j}_{b}}{v}$ for all $i,j\in I$ and $a\in O_{i}$ , $b\in O_{j}$ . A collection $(H,\{M^{i}_{a}\},\{N^{i}_{a}\},\ket{v})$ as in (i)-(iii) is called a commuting operator strategy. The set of quantum correlations for a scenario $(I,\{O_{i}\})$ is denoted by $C_{q}(I,\{O_{i}\})$ , and the set of commuting operator correlations is denoted by $C_{qc}(I,\{O_{i}\})$ . If the scenario is clear from context, then we denote these sets by $C_{q}$ and $C_{qc}$ . Any quantum correlation is also a commuting operator correlation, so $C_{q}\subseteq C_{qc}$ . If a commuting operator correlation has a commuting operator strategy on a finite-dimensional Hilbert space $H$ , then it is also a quantum correlation, but in general $C_{qc}$ is strictly larger than $C_{q}$ .

The winning probability of a correlation $p$ in a nonlocal game $\mathcal{G}=(I,\{O_{i}\},\pi,V)$ is

\omega(\mathcal{G};p):=\sum_{i,j\in I}\sum_{a\in O_{i},b\in O_{j}}\pi(i,j)V(a,b|i,j)p(a,b|i,j).

The quantum value of $\mathcal{G}$ is

\omega_{q}(\mathcal{G}):=\sup_{p\in C_{q}}\omega(\mathcal{G};p)

and the commuting operator value is

\omega_{qc}(\mathcal{G}):=\sup_{p\in C_{qc}}\omega(\mathcal{G};p).

A correlation $p$ is perfect for $\mathcal{G}$ if $\omega(\mathcal{G};p)=1$ , and $\epsilon$ -perfect if $\omega(\mathcal{G};p)\geq 1-\epsilon$ . A strategy is $\epsilon$ -perfect if its corresponding correlation is $\epsilon$ -perfect. The set $C_{qc}$ is closed and compact, so $\mathcal{G}$ has a perfect commuting operator correlation if and only if $\omega_{qc}(\mathcal{G})=1$ . However, $C_{q}$ is not necessarily closed, and there are games $\mathcal{G}$ with $\omega_{q}(\mathcal{G})=1$ which do not have a perfect quantum correlation. A correlation $p$ is quantum approximable if it belongs to the closure $C_{qa}:=\overline{C_{q}}$ , and a game $\mathcal{G}$ has a perfect quantum approximable correlation if and only if $\omega_{q}(\mathcal{G})=1$ .

A nonlocal game $\mathcal{G}=(I,\{O_{i}\},\pi,V)$ is synchronous if $V(a,b|i,i)=0$ for all $i\in I$ and $a\neq b\in O_{i}$ . A correlation $p$ is synchronous if $p(a,b|i,i)=0$ for all $i\in I$ and $a\neq b\in O_{i}$ . The set of synchronous quantum (resp. commuting operator) correlations is denoted by $C_{q}^{s}$ (resp. $C_{qc}^{s}$ ). A correlation $p$ belongs to $C_{qc}^{s}$ (resp. $C_{q}^{s}$ ) if and only if there is

(A)
a Hilbert space $H$ (resp. finite-dimensional Hilbert space $H$ ),
(B)
a projective measurement $\{M^{i}_{a}\}_{a\in O_{i}}$ on $H$ for all $i\in I$ , and
(C)
a state $\ket{v}\in H$

such that $\ket{v}$ is tracial, in the sense that $\braket{v}{\alpha\beta}{v}=\braket{v}{\beta\alpha}{v}$ for all $\alpha$ and $\beta$ in the $*$ -algebra generated by the operators $M^{i}_{a}$ , $i\in I$ , $a\in O_{i}$ , and $p(a,b|i,j)=\braket{v}{M^{i}_{a}M^{j}_{b}}{v}$ for all $i,j\in I$ , $a\in O_{i}$ , $b\in O_{j}$ . A collection $(H,\{M^{i}_{a}\},\ket{v})$ as in (A)-(C) is called a synchronous commuting operator strategy. If, in addition, $H$ is finite-dimensional, then $(H,\{M^{i}_{a}\},\ket{v})$ is also called a synchronous quantum strategy. The synchronous quantum and commuting operator values $\omega_{q}^{s}(\mathcal{G})$ and $\omega_{qc}^{s}(\mathcal{G})$ of a game $\mathcal{G}$ are defined equivalently to $\omega_{q}(\mathcal{G})$ and $\omega_{qc}(\mathcal{G})$ , but with $C_{q}$ and $C_{qc}$ replaced by $C_{q}^{s}$ and $C_{qc}^{s}$ . A synchronous strategy $(H,\{M^{i}_{a}\},\ket{v})$ for a game $\mathcal{G}=(I,\{O_{i}\},\pi,V)$ is oracularizable if $M^{i}_{a}M^{j}_{b}=M^{j}_{b}M^{i}_{a}$ for all $i,j\in I$ , $a\in O_{i}$ , $b\in O_{j}$ with $\pi(i,j)>0$ .

A theorem of Vidick [Vid22] (see also [Pad22]) states that every quantum correlation which is close to being synchronous, in the sense that $p(a,b|i,i)\approx 0$ for all $i\in I$ and $a\neq b\in O_{i}$ , is close to a synchronous quantum correlation. This theorem has been extended to commuting operator correlations by [Lin23]. As a result, the synchronous quantum and commuting values of a game are polynomially related to the non-synchronous quantum and commuting values. We use a version of this result due to Marrakchi and de la Salle [MdlS23]. Following [MdlS23], say that a probability distribution on $I\times I$ is $C$ -diagonally dominant if $\pi(i,i)\geq C\sum_{j\in I}\pi(i,j)$ and $\pi(i,i)\geq C\sum_{j\in I}\pi(j,i)$ for all $i\in I$ . Then:

Theorem 2.1 ([MdlS23]).

Suppose $\mathcal{G}$ is a synchronous game with a $C$ -diagonally dominant question distribution. If $\omega_{q}(\mathcal{G})$ (resp. $\omega_{qc}(\mathcal{G})$ ) is $\geq 1-\epsilon$ , then $\omega_{q}^{s}(\mathcal{G})$ (resp. $\omega_{qc}^{s}(\mathcal{G})$ ) is $\geq 1-O((\epsilon/C)^{1/4})$ .

A two-prover one-round $\operatorname{MIP}$ protocol is a family of nonlocal games $\mathcal{G}_{x}=(I_{x},\{O_{xi}\}_{i\in I_{x}},\pi_{x},V_{x})$ for $x\in\{0,1\}^{*}$ , along with a probabilistic Turing machine $S$ and another Turing machine $V$ , such that

•
for all $x\in\{0,1\}^{*}$ and $i\in I_{x}$ , there are integers $n_{x}$ and $m_{xi}$ such that $I_{x}=\{0,1\}^{n_{x}}$ and $O_{xi}=\{0,1\}^{m_{xi}}$ ,
•
on input $x$ , the Turing machine $S$ outputs $(i,j)\in I\times I$ with probability $\pi_{x}(i,j)$ , and
•
on input $(x,a,b,i,j)$ , the Turing machine $V$ outputs $V_{x}(a,b|i,j)$ .

Let $c,s:\{0,1\}^{*}\to\mathbb{Q}$ be computable functions with $c(x)>s(x)$ for all $x\in\{0,1\}^{*}$ . A language $\mathcal{L}\subset\{0,1\}^{*}$ belongs $\operatorname{MIP}^{*}(2,1,c,s)$ if there is a MIP protocol $(\{\mathcal{G}_{x}\},S,V)$ such that $n_{x}$ and $m_{xi}$ are polynomial in $|x|$ , $S$ and $V$ run in polynomial time in $|x|$ , if $x\in\mathcal{L}$ then $\omega_{q}(\mathcal{G}_{x})\geq c$ , and if $x\not\in\mathcal{L}$ then $\omega_{q}(\mathcal{G}_{x})\leq s$ . The function $c$ is called the completeness probability, and $s$ is called the soundness probability. The functions $n_{x}$ and $m_{xi}$ are called the question length and answer length respectively. The class $\operatorname{MIP}^{co}(2,1,c,s)$ is defined equivalently to $\operatorname{MIP}^{*}(2,1,c,s)$ , but with $\omega_{q}$ replaced by $\omega_{qc}$ . The protocols in these cases are called $\operatorname{MIP}^{*}$ and $\operatorname{MIP}^{co}$ protocols. A language belongs to $\operatorname{AM}^{*}(2)$ (resp. $\operatorname{AM}^{qc}(2)$ ) if it has a $\operatorname{MIP}^{*}$ -protocol (resp. $\operatorname{MIP}^{qc}$ -protocol) in which $\pi_{x}$ is the uniform distribution on $I_{x}\times I_{x}$ . Such a protocol is called an $\operatorname{AM}^{*}(2)$ protocol. We can also define classes $\operatorname{SynMIP}^{*}$ and $\operatorname{SynMIP}^{co}$ by replacing the quantum and commuting operator values by $\omega_{q}^{s}$ and $\omega_{qc}^{s}$ .

Any language in $\operatorname{MIP}^{*}(2,1,c,s)$ is contained in $\operatorname{RE}$ , and this remains true even if we add more provers and rounds of communication. The $\operatorname{MIP}^{*}=\operatorname{RE}$ theorem of Ji, Natarajan, Vidick, Wright, and Yuen states that $\operatorname{MIP}^{*}(2,1,1,1/2)=\operatorname{RE}$ [JNV⁺22b]. In this paper, we use the following strong version of $\operatorname{MIP}^{*}=\operatorname{RE}$ due to Natarajan and Zhang [NZ23].

Theorem 2.2 ( $\operatorname{MIP}^{*}=\operatorname{RE}$ ).

There is a two-prover one round $\operatorname{AM}^{*}(2)$ protocol $(\{\mathcal{G}_{x}\},S,V)$ for the halting problem with completeness $c=1$ and soundness $s=1/2$ , such that $\mathcal{G}_{x}$ is a synchronous game with constant length questions, and $\operatorname{polylog}(|x|)$ length answers. Furthermore, if $\mathcal{G}_{x}$ has a perfect strategy, then it has a perfect oracularizable synchronous strategy.

Proof.

[NZ23] shows that there is $\operatorname{MIP}^{*}$ protocol for the halting problem meeting this description. As they observe, any $\operatorname{MIP}^{*}$ protocol with a constant number of questions can be turned into an $\operatorname{AM}^{*}(2)$ protocol with completeness $c=1$ and soundness $s<1$ , and then parallel repetition (see Section 7) can be used to lower the soundness back to $1/2$ . ∎

One corollary of Theorem 2.2 is that it is possible to transform any $\operatorname{MIP}^{*}$ protocol into an equivalent $\operatorname{AM}^{*}(2)$ protocol $(\{\mathcal{G}_{x}\},S,V)$ as in the theorem. Indeed, suppose $\mathcal{P}$ is a polynomial-time probabilistic interactive Turing machine which on input $x$ acts as the verifier in a $\operatorname{MIP}^{*}$ protocol with $k$ rounds, $p$ provers, completeness $c$ , and soundness $s$ , where $k$ , $p$ , $c$ , and $s$ are computable functions of $|x|$ . Let $\mathcal{T}$ be the Turing machine which on input $x$ , searches through $k$ -round $p$ -prover quantum strategies, uses $\mathcal{P}$ to calculate the success probability, and halts if it finds a strategy with success probability $>s$ . Let $\mathcal{T}(x)$ be the Turing machine which on empty input writes $x$ to the input tape and then runs $\mathcal{T}$ . Finally, let $(\{\mathcal{G}_{M}\},S,V)$ be the one-round protocol for the language $\operatorname{HALT}=\{M:M\text{ is a Turing machine that halts on empty input}\}$ . The Turing machines $S$ and $V$ run in polynomial time in the size $|M|$ of the input Turing machine $M$ , and $\mathcal{T}(x)$ has size linear in $|x|$ , so the one-round protocol which runs game $\mathcal{G}_{\mathcal{T}(x)}$ on input $x$ is a polynomial-time $\operatorname{AM}^{*}(2)$ protocol which recognizes the same language as $\mathcal{P}$ . Strikingly, this works for any computable $k$ , $p$ , and $s$ , not just polynomial functions of $|x|$ , since the only requirement is that $\mathcal{T}(x)$ have polynomial description size.

Remark 2.3.

The underlying statement of Theorem 1.1 (see Theorem 8.11) is that there is a two-prover perfect-zero knowledge $\operatorname{MIP}^{*}$ protocol for the halting problem. Hence the same argument as above shows that there is an effective procedure for transforming any $\operatorname{MIP}^{*}$ protocol into a two-prover perfect zero knowledge $\operatorname{MIP}^{*}$ protocol.

3. BCS games

We now introduce boolean constraint system games. If $V$ is a set of variables, a constraint on $V$ is a subset $C$ of $\mathbb{Z}_{2}^{V}$ . We think of $\mathbb{Z}_{2}$ as $\{\pm 1\}$ rather than $\{0,1\}$ , since this is more convenient when working with observables and measurements. In particular, we use $-1$ and $1$ to represent true and false respectively, rather than $1$ and $0$ . An assignment to $V$ is an element $\phi\in\mathbb{Z}_{2}^{V}$ , and we refer to the elements of $C$ as satisfying assignments for $C$ . For convenience, we assume every constraint is non-empty, i.e. has a satisfying assignment. A boolean constraint system (BCS) $B$ is a pair $\left(X,\{(V_{i},C_{i})\}_{i=1}^{m}\right)$ , where $X$ is an ordered set of variables, $V_{i}$ is a nonempty subset of $X$ for all $1\leq i\leq m$ , and $C_{i}$ is a constraint on the variables $V_{i}$ . When working with nonlocal games, the sets $V_{i}$ are sometimes called the contexts of the system. The order on $X$ induces an order on the contexts $V_{i}$ , and this will be used for some specific models of the weighted BCS algebra in Section 6. This is the only thing we use the order on $X$ for, so it can be ignored otherwise. A satisfying assignment for $B$ is an assignment $\phi$ to $X$ such that $\phi|_{V_{i}}\in C_{i}$ for all $1\leq i\leq m$ . Although we won’t use it until later, we define the connectivity of a BCS $B$ to be the maximum over $i$ of $|\{(x,j)\in V_{i}\times[m]:x\in V_{j}\}|$ , where $[m]:=\{1,\ldots,m\}$ . In other words, the connectivity is the maximum over $i$ of the number of times the variables in constraint $i$ appear in the constraints of $B$ . Also, if $V=\bigcup_{i=1}^{k}V_{i}$ and $C_{i}$ is a constraint on $V_{i}$ , then the conjunction $\wedge_{i=1}^{k}C_{i}$ is the constraint $C$ on variables $V$ such that $\phi\in C$ if and only if $\phi|_{V_{i}}\in C_{i}$ for all $1\leq i\leq k$ .

Let $B=\left(X,\{(V_{i},C_{i})\}_{i=1}^{m}\right)$ be a BCS, and let $\pi$ be a probability distribution on $[m]\times[m]$ . The BCS game $\mathcal{G}(B,\pi)$ is the nonlocal game $([m],C_{i\in m},\pi,V)$ , where $V(\phi_{i},\phi_{j}|i,j)=1$ if $\phi_{i}|_{V_{i}\cap V_{j}}=\phi_{j}|_{V_{i}\cap V_{j}}$ , and is $0$ otherwise. In other words, in $\mathcal{G}(B,\pi)$ , the players are given integers $i,j\in[m]$ according to the distribution $\pi$ , and must reply with satisfying assignments $\phi_{i}\in C_{i}$ and $\phi_{j}\in C_{j}$ respectively. They win if their assignments agree on the variables in $V_{i}\cap V_{j}$ . With this definition, $\mathcal{G}(B,\pi)$ has questions of length $\lceil\log m\rceil$ , and answer sets of length $|V_{i}|$ .

A $\operatorname{BCS}$ - $\operatorname{MIP}$ protocol is a family of BCS games $\mathcal{G}(B_{x},\pi_{x})$ , where $B_{x}=(X_{x},\{(V_{i}^{x},C_{i}^{x})\}_{i=1}^{m_{x}})$ , along with a probabilistic Turing machine $S$ and another Turing machine $C$ , such that

(1)
on input $x$ , $S$ outputs $(i,j)\in[m_{x}]\times[m_{x}]$ with probability $\pi_{x}(i,j)$ , and
(2)
on input $(x,\phi,i)$ , $C$ outputs true if $\phi\in C_{i}^{x}$ and false otherwise.

Technically, this definition should also include some way of computing the sets $X_{x}$ and $V_{i}^{x}$ . For instance, we might say that the integers $|N_{x}|$ and $|V_{i}^{x}|$ are all computable, and there are computable order-preserving injections $[|V_{i}^{x}|]\to[|X_{x}|]$ . However, for simplicity we ignore this aspect of the definition going forward, and just assume that in any $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol, we have some efficient way of working with the sets $X_{x}$ and $V_{i}^{x}$ , the intersections $V_{i}^{x}\cap V_{j}^{x}$ , and assignments $\phi\in\mathbb{Z}_{2}^{V_{i}^{x}}$ . A language $\mathcal{L}$ belongs to the complexity class $\operatorname{BCS}$ - $\operatorname{MIP}^{*}(s)$ if there is a $\operatorname{BCS}$ - $\operatorname{MIP}$ protocol as above such that $\lceil\log m_{x}\rceil$ and $|V_{i}^{x}|$ are polynomial in $|x|$ , $S$ and $C$ run in polynomial time, if $x\in\mathcal{L}$ then $\omega_{q}^{s}(\mathcal{G}_{x})=1$ , and if $x\not\in\mathcal{L}$ then $\omega_{q}^{s}(\mathcal{G}_{x})\leq s$ . The parameter $s$ is called the soundness. Any $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol for $\mathcal{L}$ can be transformed into a $\operatorname{SynMIP}^{*}$ protocol by playing the game $\mathcal{G}_{x}$ with the answer sets $C_{i}$ replaced by $\mathbb{Z}_{2}^{V^{x}_{i}}$ , and on input $(x,\phi,\psi,i,j)$ , asking the verifier $V$ to first check that $\phi\in C_{i}$ and $\psi\in C_{j}$ using $C$ , and then checking that $\phi|_{V_{i}\cap V_{j}}=\psi|_{V_{i}\cap V_{j}}$ . Hence $\operatorname{BCS}$ - $\operatorname{MIP}^{*}(s)$ is contained in $\operatorname{SynMIP}^{*}(2,1,1,s)$ . Notice that in this modified version of the BCS game, the players are allowed to answer with non-satisfying assignments, but they always lose if they do so. Thus any strategy for the modified game can be converted into a strategy for the original game with the same winning probability, and perfect strategies for both types of games (ignoring questions that aren’t in the support of $\pi$ ) are identical, so the $\operatorname{SynMIP}^{*}$ protocol has the same completeness and soundness as the $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol. The class $\operatorname{BCS}$ - $\operatorname{MIP}^{co}(s)$ can be defined similarly by replacing $\omega_{q}$ with $\omega_{qc}$ , and is contained in $\operatorname{SynMIP}^{co}(2,1,1,s)$ . We can also define subclasses of $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ and $\operatorname{BCS}$ - $\operatorname{MIP}^{co}$ . For instance, we let 3SAT- $\operatorname{MIP}^{*}$ be the class of languages with a $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol $(\{\mathcal{G}(B_{x},\pi_{x})\},S,C)$ , in which every constraint of $B_{x}$ is a 3SAT clause, i.e. a disjunction $x\vee y\vee z$ , where $x,y,z$ are either variables from $B_{x}$ , or negations of said variables, or constants.

If the players receive the same question $i\in[m]$ , then they must reply with the same assignment $\phi$ to win. Consequently, if $\pi(i,i)>0$ for all $i$ then $\mathcal{G}(B,\pi)$ is a synchronous game. This version of BCS games is sometimes called the constraint-constraint version of the game. There is are other variants of BCS games, sometimes called constraint-variable BCS games, in which one player receives a constraint and another receives a variable (see [CM14]). In this paper, we work with constraint-constraint games exclusively, but the two types of BCS games are closely related, and can often be used interchangeably. As per the previous section, a synchronous strategy for $\mathcal{G}(B,\pi)$ consists of projective measurements $\{M^{i}_{\phi}\}_{\phi\in\mathbb{Z}_{2}^{V_{i}}}$ , $i\in[m]$ , on a Hilbert space $\mathcal{H}$ , along with a state $\ket{v}\in\mathcal{H}$ which is tracial on the algebra generated by $M^{i}_{\phi}$ .

Conversely, it is well-known that every synchronous game $\mathcal{G}=(I,\{\mathcal{O}_{i}\},\pi,V)$ can be turned into a BCS game. One way to do this (see, e.g. [PS23, Pad22]) is to make a constraint system with variables $x_{ia}$ for $i\in I$ and $a\in\mathcal{O}_{i}$ , and constraints $\vee_{a\in\mathcal{O}_{i}}x_{ia}=\operatorname{true}$ for all $i\in[m]$ and $x_{ia}\wedge x_{jb}=\operatorname{false}$ whenever $V(a,b|i,j)=0$ . The variable $x_{ia}$ represents whether the player answers $a$ on input $i$ , and the constraints express the idea that the players must choose an answer for every question, and that they should reply with winning answers (the synchronous condition on $V$ implies that $x_{ia}\wedge x_{ib}=\operatorname{false}$ is a constraint for all $i$ and $a\neq b$ , which means that the players should choose a single answer for question $i$ ). The BCS game $\mathcal{G}^{\prime}$ associated to this constraint system has a perfect quantum (resp. quantum approximable, commuting operator) strategy if and only if $\mathcal{G}$ has a perfect quantum (resp. quantum approximable, commuting operator) strategy. Unfortunately, this construction results in a game with answer sets $\{\pm 1\}^{O_{i}}$ , which means that the bit-length of the answers increases exponentially from $\mathcal{G}$ . If $\omega_{q}(\mathcal{G})=1-\epsilon$ , then $\omega_{q}(\mathcal{G})=1-O(\epsilon/|O_{i}|)$ , meaning that if this construction is used in a $\operatorname{MIP}^{*}$ -protocol, soundness can drop of exponentially.

To fix this, we look at the oracularization $\mathcal{G}^{orac}$ of $\mathcal{G}$ . There are several versions of $\mathcal{G}^{orac}$ in the literature, all closely related. We use the version from [NW19], in which the verifier picks a question pair $(i_{1},i_{2})\in I$ according to $\pi$ . The verifier then picks $a,b,c\in\{1,2\}$ uniformly at random. When $a=1$ , they send player $b$ both questions $(i_{1},i_{2})$ , and the other player question $(i_{c})$ . Player $b$ must respond with $a_{j}\in O_{j}$ such that $V(a_{1},a_{2}|i_{1},i_{2})=1$ , and the other player responds with $b\in O_{i_{c}}$ . The players win if $a_{c}=b$ . If $a=2$ , both players are sent $(i_{1},i_{2})$ and must respond with $(a_{1},a_{2})$ and $(b_{1},b_{2})$ in $O_{i_{1}}\times O_{i_{2}}$ . They win if $(a_{1},a_{2})=(b_{1},b_{2})$ . If $\mathcal{G}$ has questions of length $q$ and answers of length $a$ , then $\mathcal{G}^{orac}$ has questions of length $2q$ and answers of length $2a$ , so this construction only increases the question and answer length polynomially. The following lemma shows that this construction is sound, in the sense that $\omega_{q}(\mathcal{G}^{orac})$ cannot be much larger than $\omega_{q}(\mathcal{G})$ .

Lemma 3.1 ([NW19, JNV⁺22b]).

Let $\mathcal{G}$ be a synchronous game. If $\mathcal{G}$ has an perfect oracularizable synchronous strategy, then $\mathcal{G}^{orac}$ has a perfect synchronous strategy. Conversely, if $\omega_{q}(\mathcal{G}^{orac})=1-\epsilon$ , then $\omega_{q}(\mathcal{G})\geq 1-\operatorname{poly}(\epsilon)$ .

Proof.

This is asserted in Definition 17.1 of [NW19]. Although a proof isn’t supplied, the proof follows the same lines as Theorem 9.3 of [JNV⁺22b]. ∎

Given a synchronous game $\mathcal{G}=(I,\{O_{i}\},\pi,V)$ where $I\subseteq\{0,1\}^{n}$ and $O_{i}\subseteq\{0,1\}^{m_{i}}$ , construct a constraint system $B$ as follows. Take $X$ to be the set of variables $x_{ij}$ , where $i\in I$ and $1\leq j\leq m_{i}$ . Let $V_{i}=\{x_{ij},1\leq j\leq m_{i}\}$ , and identify $\mathbb{Z}_{2}^{V_{i}}$ with bit strings $\{0,1\}^{m_{i}}$ , where the assignment to $x_{ij}$ corresponds to the $j$ th bit, and let $C_{i}\subseteq\mathbb{Z}_{2}^{V_{i}}$ be the subset corresponding to $O_{i}$ . Let $P=\{(i,j)\in I\times I:\pi(i,j)>0\}$ . For $(i,j)\in P$ , let $V_{ij}=V_{i}\cup V_{j}$ , and let $C_{ij}\subset\mathbb{Z}_{2}^{V_{ij}}=\mathbb{Z}_{2}^{V_{i}}\times\mathbb{Z}_{2}^{V_{j}}$ be the set of pairs of strings $(a,b)$ such that $a\in O_{i}$ , $b\in O_{j}$ , and $V(a,b|i,j)=1$ . Then $B$ is the constraint system with variables $X$ and constraints $\{(V_{i},C_{i})\}_{i\in I}$ and $\{(V_{ij},C_{ij})\}_{(i,j)\in P}$ . Let $I^{\prime}=I\cup P$ and $\pi^{orac}$ be the probability distribution on $I^{\prime}\times I^{\prime}$ such that

\pi^{orac}(i^{\prime},j^{\prime})=\begin{cases}\tfrac{1}{8}\pi(i,j)&i^{\prime}=(i,j),j^{\prime}=i\\ \tfrac{1}{8}\pi(i,j)&i^{\prime}=(i,j),j^{\prime}=j\\ \tfrac{1}{8}\pi(i,j)&i^{\prime}=i,j^{\prime}=(i,j)\\ \tfrac{1}{8}\pi(i,j)&i^{\prime}=j,j^{\prime}=(i,j)\\ \tfrac{1}{2}\pi(i,j)&i^{\prime}=j^{\prime}=(i,j)\\ 0&\text{ otherwise}\end{cases}

Then $\mathcal{G}(B,\pi^{orac})=\mathcal{G}^{orac}$ , so the oracularization of a synchronous game is a BCS game. As a result, Theorem 2.2 has the following corollary:

Corollary 3.2.

There is a $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol $(\{\mathcal{G}(B_{x},\pi_{x})\},S,V)$ for the halting problem with constant soundness $s<1$ , in which $B_{x}$ has a constant number of contexts and contexts of size $\operatorname{polylog}(|x|)$ , and $\pi_{x}$ is the uniform distribution on pairs of contexts.

Proof.

Let $(\{\mathcal{G}_{x}\},S,V)$ be the protocol from Theorem 2.2. Then $\mathcal{G}_{x}^{orac}$ is a BCS game in which the underlying BCS has a constant number of contexts, and the contexts have size $\operatorname{polylog}(|x|)$ . The probability distribution $\pi^{orac}$ and the constraints of $\mathcal{G}^{orac}$ can be computed in polynomial time from $S$ and $V$ , so by Lemma 3.1 there is a $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol for the halting problem with constant soundness $s^{\prime}<1$ . The probability distribution $\pi_{x}$ in the oracularization construction is not uniform. However, it is not hard to see that changing the distribution $\pi_{x}$ in the oracularization game does not change completeness, and since there are only a constant number of contexts, replacing $\pi_{x}$ with the uniform distribution yields only a constant dropoff in soundness. ∎

4. BCS algebras and approximate representations

It is often worth thinking about synchronous strategies more abstractly. Recall that $\mathbb{C}\mathbb{Z}_{2}^{*V}$ is the $*$ -algebra generated by variables $x\in V$ , satisfying the relations $x^{2}=x^{*}x=xx^{*}=1$ for all $x\in V$ , and $\mathbb{C}\mathbb{Z}_{2}^{V}$ is the quotient of $\mathbb{C}\mathbb{Z}_{2}^{*V}$ by the relations $xy=yx$ for all $x,y\in V$ . Given an assignment $\phi$ to an ordered set of variables $V$ , we let

\Phi_{V,\phi}:=\prod_{x\in V}\tfrac{1}{2}(1+\phi(x)x)

considered as a polynomial in $\mathbb{C}\mathbb{Z}_{2}^{*V}$ , where the product is taken with respect to the order on $V$ . Given a constraint $C$ on $V$ , we let

\mathcal{A}(V,C)=\mathbb{C}\mathbb{Z}_{2}^{V}/\langle\Phi_{V,\phi}=0\text{ for }\phi\not\in C\rangle.

Since $\mathbb{C}\mathbb{Z}_{2}^{V}$ is commutative, the image of $\Phi_{V,\phi}$ in $\mathbb{C}\mathbb{Z}_{2}^{V}$ is independent of the order of $V$ ; however, we will work with $\mathbb{C}\mathbb{Z}_{2}^{*V}$ in Section 6. The algebra $\mathcal{A}(V,C)$ is isomorphic to the algebra

\mathbb{C}^{*}\langle m_{\phi},\phi\in C:m_{\phi}^{*}=m_{\phi}=m_{\phi}^{2}\text{ for all }\phi\in C\text{ and }\sum_{\phi\in C}m_{\phi}=1\rangle,

where the isomorphism identifies $m_{\phi}$ with $\Phi_{V,\phi}$ . In particular, $\mathbb{C}\mathbb{Z}_{2}^{V}=\mathcal{A}(V,\mathbb{Z}_{2}^{V})$ is generated by $\Phi_{V,\phi}$ for $\phi\in\mathbb{Z}_{2}^{V}$ . Consequently if $\sigma:\mathcal{A}(V,C)\to\mathcal{B}(\mathcal{H})$ is a $*$ -representation, then $\{\sigma(\Phi_{V,\phi})\}_{\phi\in C}$ is a projective measurement on $\mathcal{H}$ , and conversely if $\{M_{\phi}\}_{\phi\in C}$ is a projective measurement on $\mathcal{H}$ , then there is a $*$ -representation $\sigma:\mathcal{A}(V,C)\to\mathcal{B}(\mathcal{H})$ with $\sigma(\Phi_{V,\phi})=M_{\phi}$ .

If $B=(X,\{(V_{i},C_{i})\}_{i=1}^{m})$ is a BCS, then we let $\mathcal{A}(B)$ denote the free product $\mathcal{A}(B):=\ast_{i\in[m]}\mathcal{A}(V_{i},C_{i})$ . We let $\sigma_{i}:\mathcal{A}(V_{i},C_{i})\to\mathcal{A}(B)$ denote the natural inclusion of the $i$ th factor, so $\mathcal{A}(B)$ is generated by the involutions $\sigma_{i}(x)$ for $i\in[m]$ and $x\in V_{i}$ . Equivalently, $\mathcal{A}(B)$ is generated by the projections $\sigma_{i}(\Phi_{V_{i},\phi})$ for $i\in[m]$ and $\phi\in C_{i}$ . To avoid clogging up formulas with symbols, we’ll often write $\Phi_{V_{i},\phi}$ instead of $\sigma_{i}(\Phi_{V_{i},\phi})$ when it’s clear what subalgebra $\mathcal{A}(V_{i},C_{i})$ the element belongs to. As with $\mathcal{A}(V,C)$ , representations $\alpha$ of $\mathcal{A}(B)$ are in bijective correspondence with families of projective measurements $\{M^{i}_{\phi}\}_{\phi\in C_{i}}$ , $i\in[m]$ via the relation $M^{i}_{\phi}=\alpha(\Phi_{V_{i},\phi})$ . If $(\{M^{i}_{\phi}\},\ket{v},\mathcal{H})$ is a synchronous commuting operator strategy for $\mathcal{G}(B,\pi)$ , and $\alpha:\mathcal{A}(B)\to\mathcal{B}(\mathcal{H})$ is the representation with $\alpha(\Phi_{V_{i},\phi})=M^{i}_{\phi}$ , then $a\mapsto\braket{v}{\alpha(a)}{v}$ is a tracial state on $\mathcal{A}(B)$ .¹¹1Here an (abstract) state on a $*$ -algebra $\mathcal{A}$ is a linear functional $\tau:\mathcal{A}\to\mathbb{C}$ such that $\tau(1)=1$ , $\tau(a^{*}a)\geq 0$ for all $a\in\mathcal{A}$ , and $\tau(a^{*})=\overline{\tau(a)}$ for all $a\in\mathcal{A}$ . A state is tracial if $\tau(ab)=\tau(ba)$ for all $a,b\in\mathcal{A}$ , and faithful if $\tau(a^{*}a)>0$ for all $a\neq 0$ . Conversely, if $\tau$ is a tracial state on $\mathcal{A}(B)$ , then the GNS representation theorem implies that there is a synchronous commuting operator strategy $\mathcal{S}=(\{M^{i}_{\phi}\},\ket{v},\mathcal{H})$ such that $\tau(a)=\braket{v}{\alpha(a)}{v}$ where $\alpha$ is the representation corresponding to $\{M^{i}_{\phi}\}$ . Note that the trace is faithful on the image of the GNS representation. As a result, synchronous commuting operator strategies for $\mathcal{G}(B,\pi)$ and tracial states on $\mathcal{A}(B)$ can be used interchangeably, and in particular $p\in C_{qc}$ if and only if there is a tracial state $\tau$ with $p(\phi,\psi|i,j)=\tau(\Phi_{V_{i},\phi}\Phi_{V_{j},\psi})$ for all $i$ , $j$ , $\phi$ , and $\psi$ . A tracial state is said to be finite-dimensional if its GNS representation has a finite-dimensional Hilbert space, so finite-dimensional tracial states on $\mathcal{A}(B)$ can be used interchangeably with synchronous quantum strategies for $\mathcal{G}(B,\pi)$ , and $p\in C_{q}$ if and only if there is a finite-dimensional tracial state $\tau$ with $p(\phi,\psi|i,j)=\tau(\Phi_{V_{i},\phi}\Phi_{V_{j},\psi})$ for all $i$ , $j$ , $\phi$ , and $\psi$ . There is also a class of states, called the Connes-embeddable tracial states, with the property that $p\in C_{qa}$ if and only if there is a Connes-embbedable tracial state $\tau$ such that $p(\phi,\psi|i,j)=\tau(\Phi_{V_{i},\phi}\Phi_{V_{j},\psi})$ for all $i$ , $j$ , $\phi$ , and $\psi$ [KPS18].

A correlation $p$ is perfect for a BCS game $\mathcal{G}(B,\pi)$ if $p(\phi,\psi|i,j)=0$ whenever $\pi(i,j)>0$ and $(\phi,\psi)$ is a losing answer to questions $(i,j)$ . As a result, a tracial state $\tau$ on $\mathcal{A}(B)$ is perfect (aka. corresponds to a perfect correlation) if and only if $\tau(\Phi_{V_{i},\phi}\Phi_{V_{j},\psi})=0$ whenever $\phi|_{V_{i}\cap V_{j}}\neq\psi|_{V_{i}\cap V_{j}}$ . Consequently a tracial state on $\mathcal{A}(B)$ is perfect for $\mathcal{G}(B,\pi)$ if and only if it is the pullback of a tracial state on the synchronous algebra of $\mathcal{G}(B,\pi)$ , which is the quotient

	$\displaystyle\operatorname{SynAlg}(B,\pi)=\mathcal{A}(B)/\langle$	$\displaystyle\Phi_{V_{i},\phi}\Phi_{V_{j},\psi}=0\text{ for all }i,j\in[m]\text{ with }\pi(i,j)>0$
		$\displaystyle\text{ and }\phi\in C_{i},\psi\in C_{j}\text{ with }\phi\|_{V_{i}\cap V_{j}}\neq\psi\|_{V_{i}\cap V_{j}}\rangle.$

For BCS games, this result about perfect strategies is due to Kim, Paulsen, and Schafhauser [KPS18]. The general notion of a synchronous algebra is due to [HMPS19]. In [Gol21, PS23], it is shown that the synchronous algebra of a BCS game is isomorphic to the so-called BCS algebra of the game. In working with $\operatorname{MIP}^{*}$ protocols, we also need to keep track of $\epsilon$ -perfect strategies. In [Pad22], it is shown that $\epsilon$ -perfect strategies for a BCS game correspond to $\epsilon$ -representations of the BCS algebra, where an $\epsilon$ -representation is a representation of $\mathcal{A}(B)$ such that all the defining relations of $\operatorname{SynAlg}(B,\pi)$ are bounded by $\epsilon$ in the normalized Frobenius norm. In this prior work, the focus was on the behaviour of $\epsilon$ -perfect strategies for a fixed game, so the number of questions and answers was constant. For $\operatorname{MIP}^{*}$ protocols, the game size is not constant, and we need to work with approximate representations where the average, rather than the maximum, of the norms of the defining relations is bounded. For this, we introduce the following algebraic structure:

Definition 4.1.

A (finitely-supported) weight function on a set $X$ is a function $\mu:X\to[0,+\infty)$ such that $\operatorname{supp}(\mu):=\mu^{-1}((0,+\infty))$ is finite. A weighted $*$ -algebra is a pair $(\mathcal{A},\mu)$ where $\mathcal{A}$ is a $*$ -algebra and $\mu$ is a weight function on $\mathcal{A}$ .

If $\tau$ is a tracial state on $\mathcal{A}$ , then the defect of $\tau$ is

\operatorname{def}(\tau;\mu):=\sum_{a\in\mathcal{A}}\mu(a)\|a\|^{2}_{\tau},

where $\|a\|_{\tau}:=\sqrt{\tau(a^{*}a)}$ is the $\tau$ -norm. When the weight function is clear, we just write $\operatorname{def}(\tau)$ .

Since $\mu$ is finitely supported, the sum in the definition of the defect is finite, and hence is well-defined. Note that traces $\tau$ on a weighted algebra $(\mathcal{A},\mu)$ with $\operatorname{def}(\tau)=0$ correspond to traces on the algebra $\mathcal{A}/\langle\operatorname{supp}(\mu)\rangle$ . In general, $\operatorname{def}(\tau)$ is a measure of how far $\tau$ is from being a trace on $\mathcal{A}$ . Thus we can think of a weighted algebra $(\mathcal{A},\mu)$ as a presentation or model for the algebra $\mathcal{A}/\langle\operatorname{supp}(\mu)\rangle$ that allows us to talk about approximate traces on this algebra.

Definition 4.2.

Let $B=(X,\{(V_{i},C_{i})\}_{i=1}^{m})$ be a BCS, and let $\pi$ be a probability distribution on $[m]\times[m]$ . The (weighted) BCS algebra $\mathcal{A}(B,\pi)$ is the $*$ -algebra $\mathcal{A}(B)$ , with weight function $\mu_{\pi}$ defined by

\mu_{\pi}(\Phi_{V_{i},\phi}\Phi_{V_{j},\psi})=\pi(i,j)

for all $i,j\in[m]$ and $\phi\in C_{i}$ , $\psi\in C_{j}$ with $\phi|_{V_{i}\cap V_{j}}\neq\psi|_{V_{i}\cap V_{j}}$ , and $\mu_{\pi}(r)=0$ for all other $r\in\mathcal{A}(B)$ .

Note that $\mathcal{A}(B)/\langle\operatorname{supp}(\mu_{\pi})\rangle$ is the synchronous algebra $\operatorname{SynAlg}(B,\pi)$ defined above, so $\mathcal{A}(B,\pi)$ is a model of this synchronous algebra, and perfect strategies for $\mathcal{G}(B,\pi)$ correspond to tracial states $\tau$ on $\mathcal{A}(B,\pi)$ with $\operatorname{def}(\tau)=0$ . The following lemma is an immediate consequence of the definitions:

Lemma 4.3.

Let $B=(X,\{(V_{i},C_{i})\}_{i=1}^{m})$ be a BCS, and let $\pi$ be a probability distribution on $[m]\times[m]$ . A tracial state $\tau$ on $\mathcal{A}(B)$ is an $\epsilon$ -perfect strategy for $\mathcal{G}(B,\pi)$ if and only if $\operatorname{def}(\tau)\leq\epsilon$ .

Proof.

Let $p$ be the correlation corresponding to $\tau$ , so $p(\phi,\psi|i,j)=\tau(\Phi_{V_{i},\phi}\Phi_{V_{j},\psi})$ . Then

\operatorname{def}(\tau)=\sum\pi(i,j)\tau(\Phi_{V_{i},\phi}\Phi_{V_{j},\psi}),

where the sum is across $i,j\in[m]$ and $\phi\in C_{i}$ , $\psi\in C_{j}$ with $\phi|_{V_{i}\cap V_{j}}\neq\psi|_{V_{i}\cap V_{j}}$ . So $\operatorname{def}(\tau)=1-\omega(\mathcal{G}(B,\pi);p)$ . ∎

5. Homomorphisms between BCS algebras

In addition to looking at BCS games, we also want to consider transformations between constraint systems and the corresponding games. To keep track of how near-perfect strategies change, we introduce a notion of homomorphism for weighted algebras. Recall that if $\mathcal{A}$ is a $*$ -algebra, then $a\geq b$ if $a-b$ is a sum of hermitian squares, i.e. there is $k\geq 0$ and $c_{1},\ldots,c_{k}\in\mathcal{A}$ such that $a-b=\sum_{i=1}^{k}c_{i}^{*}c_{i}$ . Two elements $a,b\in\mathcal{A}$ are said to be cyclically equivalent if there is $k\geq 0$ and $f_{1},\ldots,f_{k},g_{1},\ldots,g_{k}\in\mathcal{A}$ such that $a-b=\sum_{i=1}^{k}[c_{i},d_{i}]$ , where $[c,d]=cd-dc$ . We say that $a\gtrsim b$ if $a-b$ is cyclically equivalent to a sum of squares. (For more background on these definitions, see see e.g. [KS08, Oza13]).

Definition 5.1.

Let $(\mathcal{A},\mu)$ and $(\mathcal{B},\nu)$ be weighted $*$ -algebras, and let $C>0$ . A $C$ -homomorphism $\alpha:(\mathcal{A},\mu)\to(\mathcal{B},\nu)$ is a $*$ -homomorphism $\alpha:\mathcal{A}\to\mathcal{B}$ such that

\alpha(\sum_{a\in\mathcal{A}}\mu(a)a^{*}a)\lesssim C\sum_{b\in\mathcal{B}}\nu(b)b^{*}b.

The point of this definition is the following:

Lemma 5.2.

Suppose $\alpha:(\mathcal{A},\mu)\to(\mathcal{B},\nu)$ is a $C$ -homomorphism. If $\tau$ is a trace on $(\mathcal{B},\nu)$ , then $\operatorname{def}(\tau\circ\alpha)\leq C\operatorname{def}(\tau)$ .

Proof.

Let $A=\alpha(\sum_{a\in\mathcal{A}}\mu(a)a^{*}a)$ and $B=\sum_{b\in\mathcal{B}}\nu(b)b^{*}b$ . Note that

\operatorname{def}(\tau\circ\alpha)=\sum_{a\in\mathcal{A}}\mu(a)\|a\|_{\tau\circ\alpha}=\sum_{a\in\mathcal{A}}\mu(a)\tau(\alpha(a^{*}a))=\tau(A),

By the definition of $\lesssim$ , there are $c_{1},\ldots,c_{k}$ and $f_{1},\ldots,f_{\ell},g_{1},\ldots,g_{\ell}\in\mathcal{B}$ such that

CB-A=\sum_{i=1}^{k}c_{i}^{*}c_{i}+\sum_{j=1}^{\ell}[f_{j},g_{j}].

Since $\tau$ is a tracial state, $\tau(c_{i}^{*}c_{i})\geq 0$ and $\tau([f_{j},g_{j}])=0$ for all $i$ and $j$ . Hence $C\tau(B)\geq\tau(A)$ as required. ∎

One of the first things we can apply this idea to is changing between different presentations of the BCS algebra. For instance:

Proposition 5.3.

Suppose $B=(X,\{(V_{i},C_{i})\}_{i=1}^{m})$ is a BCS, and $\pi$ is a probability distribution on $[m]\times[m]$ . Let $\mu_{inter}$ be the weight function on $\mathcal{A}(B)$ defined by

\mu_{inter}(\sigma_{i}(x)-\sigma_{j}(x))=\pi(i,j)

for all $i\neq j\in[m]$ and $x\in V_{i}\cap V_{j}$ , and $\mu_{inter}(r)=0$ for other $r\in\mathcal{A}(B)$ . Then the identity map $\mathcal{A}(B)\to\mathcal{A}(B)$ gives a $O(1)$ -homomorphism $(\mathcal{A}(B),\mu_{\pi})\to(\mathcal{A}(B),\mu_{inter})$ , and a $O(L)$ -homomorphism $(\mathcal{A}(B),\mu_{inter})\to(\mathcal{A}(B),\mu_{\pi})$ , where $L=\max_{i,j}|V_{i}\cap V_{j}|$ .

Recall that $\sigma_{i}:\mathcal{A}(V_{i},C_{i})\to\mathcal{A}(B)$ is the natural inclusion of the $i$ th factor.

Proof.

Fix $1\leq i,j\leq m$ . Since $\Phi_{V_{i},\phi}$ is a projection in $\mathcal{A}(V_{i},C_{i})$ , $(\Phi_{V_{i},\phi}\Phi_{V_{j},\psi})^{*}(\Phi_{V_{i},\phi}\Phi_{V_{j},\psi})$ is cyclically equivalent to $\Phi_{V_{i},\phi}\Phi_{V_{j},\psi}$ for all $\phi\in C_{i}$ , $\psi\in C_{j}$ . For $x\in V_{i}\cap V_{j}$ , let $R_{x}$ be the pairs $(\phi,\psi)\in C_{i}\times C_{j}$ such that $\phi(x)\neq\psi(x)$ . Then

\sum_{\phi|_{V_{i}\cap V_{j}}\neq\psi|_{V_{i}\cap V_{j}}}\Phi_{V_{i},\phi}\Phi_{V_{j},\psi}\lesssim\sum_{x\in V_{i}\cap V_{j}}\sum_{(\phi,\psi)\in R_{x}}\Phi_{V_{i},\phi}\Phi_{V_{j},\psi},

and since $\phi|_{V_{i}\cap V_{j}}$ and $\psi|_{V_{i}\cap V_{j}}$ can disagree in at most $|V_{i}\cap V_{j}|$ places,

\sum_{x\in V_{i}\cap V_{j}}\sum_{(\phi,\psi)\in R_{x}}\Phi_{V_{i},\phi}\Phi_{V_{j},\psi}\lesssim|V_{i}\cap V_{j}|\sum_{\phi|_{V_{i}\cap V_{j}}\neq\psi_{V_{i}\cap V_{j}}}\Phi_{V_{i},\phi}\Phi_{V_{j},\psi}.

Fix $x\in V_{i}\cap V_{j}$ , and let $V_{i}^{\prime}=V_{i}\setminus\{x\}$ , $V_{j}^{\prime}=V_{j}\setminus\{x\}$ .

	$\displaystyle\sum_{(\phi,\psi)\in R_{x}}\Phi_{V_{i},\phi}\Phi_{V_{j},\psi}$	$\displaystyle=\sum_{\phi\in\mathbb{Z}_{2}^{V_{i}^{\prime}},\psi\in\mathbb{Z}_{2}^{V_{j}^{\prime}}}\Phi_{V_{i}^{\prime},\phi}\tfrac{1}{4}\left[(1+\sigma_{i}(x))(1-\sigma_{j}(x))+(1-\sigma_{i}(x))(1+\sigma_{j}(x))\right]\Phi_{V_{j}^{\prime},\psi}$
		$\displaystyle=(1+\sigma_{i}(x))(1-\sigma_{j}(x))+(1-\sigma_{i}(x))(1+\sigma_{j}(x)),$

where the last equality holds because $\sum_{\phi\in\mathbb{Z}_{2}^{V_{i}^{\prime}}}\Phi_{V_{i}^{\prime},\phi}$ and $\sum_{\psi\in\mathbb{Z}_{2}^{V_{j}^{\prime}}}\Phi_{V_{i}^{\prime},\psi}$ are both equal to $1$ .

Finally $(\sigma_{i}(x)-\sigma_{j}(x))^{*}(\sigma_{i}(x)-\sigma_{j}(x))$ is cyclically equivalent to

2-2\sigma_{i}(x)\sigma_{j}(x)=(1+\sigma_{i}(x))(1-\sigma_{j}(x))+(1-\sigma_{i}(x))(1+\sigma_{j}(x)),

so the result follows. ∎

Definition 5.4.

If $B=(X,\{(V_{i},C_{i})\}_{i=1}^{m})$ is a BCS and $\pi$ is a probability distribution on $[m]\times[m]$ , define $\mathcal{A}_{inter}(B,\pi)$ to be the weighted algebra $(\mathcal{A}(B),\mu_{inter})$ , where $\mu_{inter}$ is defined from $\pi$ as in 5.3.

It is not hard to see that $\mathcal{A}(B)/\langle\operatorname{supp}(\mu_{inter})\rangle\cong\mathcal{A}(B)/\langle\operatorname{supp}(\mu_{\pi})\rangle$ , so both $\mathcal{A}(B,\pi)$ and $\mathcal{A}_{inter}(B,\pi)$ are weighted algebra models of $\operatorname{SynAlg}(B,\pi)$ .

We can also easily handle transformations of constraint systems which apply a homomorphism to each context. Note that a homomorphism $\sigma:\mathcal{A}(V,C)\to\mathcal{A}(W,D)$ between finite abelian $C^{*}$ -algebras is equivalent to a function $f:D\to C$ . Indeed, given a function $f:D\to C$ , we can define a homomorphism $\sigma$ by $\sigma(\Phi_{V,\phi})=\sum_{W,\psi\in f^{-1}(\phi)}\Phi_{W,\psi}$ , and it is not hard to see that all homomorphisms have this form. We extend this notion to BCS algebras in the following way.

Definition 5.5.

Let $B=(X,\{(V_{i},C_{i})\}_{i=1}^{m})$ and $B^{\prime}=(X^{\prime},\{(W_{i},D_{i})\}_{i=1}^{m})$ be constraint systems. A homomorphism $\sigma:\mathcal{A}(B)\to\mathcal{A}(B^{\prime})$ is a classical homomorphism if

(1)
$\sigma(\mathcal{A}(V_{i},C_{i}))\subseteq\mathcal{A}(W_{i},D_{i})$ for all $1\leq i\leq m$ , and
(2)
if $\sigma(\Phi_{V_{i},\phi_{i}})=\sum_{k}\Phi_{W_{i},\psi_{ik}}$ , $\sigma(\Phi_{V_{j},\phi_{j}})=\sum_{k}\Phi_{W_{j},\psi_{jl}}$ , and $\phi_{i}|_{V_{i}\cap V_{j}}\neq\phi_{j}|_{V_{i}\cap V_{j}}$ then $\psi_{ik}|_{W_{i}\cap W_{j}}\neq\psi_{jl}|_{W_{i}\cap W_{j}}$ for all $k,l$ .

To explain this definition, note that condition (1) implies that $\sigma$ restricts to a homomorphism $\mathcal{A}(V_{i},C_{i})\to\mathcal{A}(W_{i},D_{i})$ , and hence gives a collection of functions $f_{i}:D_{i}\to C_{i}$ for all $1\leq i\leq m$ . Condition (2) states that if $f_{i}(\phi)|_{V_{i}\cap V_{j}}\neq f_{j}(\psi)|_{V_{i}\cap V_{j}}$ for some $\phi\in D_{i}$ , $\psi\in D_{j}$ , then $\phi|_{W_{i}\cap W_{j}}\neq\psi|_{W_{i}\cap W_{j}}$ . Conversely, any collection of functions $f_{i}:D_{i}\to C_{i}$ satisfying this condition can be turned into a classical homomorphism $\sigma:\mathcal{A}(B)\to\mathcal{A}(B^{\prime})$ .

Lemma 5.6.

Let $B=\left(X,\{(V_{i},C_{i})\}_{i=1}^{m}\right)$ and $B^{\prime}=\left(Y,\{(W_{i},D_{i})\}_{i=1}^{m}\right)$ be constraint systems, and let $\pi$ be a probability distribution on $[m]\times[m]$ . If $\sigma:\mathcal{A}(B)\to\mathcal{A}(B^{\prime})$ is a classical homomorphism, then $\sigma$ is a $1$ -homomorphism $\mathcal{A}(B,\pi)\to\mathcal{A}(B^{\prime},\pi)$ .

Proof.

Suppose $\sigma$ arises from a family of functions $f_{i}:D_{i}\to C_{i}$ as above. For any $1\leq i,j\leq m$ , let $R_{ij}=\{(\phi,\psi)\in C_{i}\times C_{j}:\phi|_{V_{i}\cap V_{j}}\neq\psi|_{V_{i}\cap V_{j}}\}$ , and let $T_{ij}=\{(\phi,\psi)\in D_{i}\times D_{j}:\phi|_{W_{i}\cap W_{j}}\neq\psi|_{W_{i}\cap W_{j}}$ . Then

	$\displaystyle\sigma\left(\sum_{i,j}\sum_{(\phi,\psi)\in R_{ij}}\pi(i,j)\Phi_{V_{i},\phi}\Phi_{V_{j},\psi}\right)$	$\displaystyle=\sum_{i,j}\sum_{\phi^{\prime}\in f_{i}^{-1}(\phi),\psi^{\prime}\in f_{i}^{-1}(\psi)}\pi(i,j)\Phi_{W_{i},\phi^{\prime}}\Phi_{W_{j},\psi^{\prime}}$
		$\displaystyle\leq\sum_{i,j}\sum_{(\phi,\psi)\in T_{ij}}\pi(i,j)\Phi_{W_{i},\phi}\Phi_{W_{j},\psi}.$

∎

One situation where we get a classical homomorphism is the following:

Corollary 5.7.

Let $B=\left(X,\{(V_{i},C_{i})\}_{i=1}^{m}\right)$ be a BCS, and let $B^{\prime}=\left(X^{\prime},\{(W_{i},D_{i})\}_{i=1}^{m}\right)$ be a BCS with $X\subset X^{\prime}$ , $V_{i}\subseteq W_{i}$ for all $1\leq i\leq m$ , $W_{i}\cap W_{j}=V_{i}\cap V_{j}$ for all $1\leq i,j\leq m$ , and for all $1\leq i\leq m$ , $\phi\in V_{i}$ if and only if there exists $\psi\in W_{j}$ with $\psi|_{V_{i}}=\phi$ . Then for any probability distribution $\pi$ on $[m]\times[m]$ , the homomorphism

\sigma:\mathcal{A}(B)\to\mathcal{A}(B^{\prime}):\sigma_{i}(x)\mapsto\sigma_{i}(x)\text{ for }i\in[m],x\in V_{i}

defined by the inclusions $V_{i}\subseteq W_{i}$ is a $1$ -homomorphism $\mathcal{A}(B,\pi)\to\mathcal{A}(B^{\prime},\pi)$ , and there is another $1$ -homomorphism $\sigma^{\prime}:\mathcal{A}(B^{\prime},\pi)\to\mathcal{A}(B,\pi)$ . Furthermore, $B^{\prime}$ has the same connectivity as $B$ .

Proof.

The homomorphism $\sigma$ is the classical homomorphism defined by the functions $D_{i}\to C_{i}:\psi\mapsto\psi|_{V_{i}}$ .

For the homomorphism $\sigma^{\prime}$ , define $f_{i}:V_{i}\to W_{i}$ by choosing an element $f_{i}(\phi)\in W_{i}$ such that $f_{i}(\phi)|_{V_{i}}=\phi$ for all $\phi\in V_{i}$ . Since $W_{i}\cap W_{j}=V_{i}\cap V_{j}$ , if $f_{i}(\phi)|_{W_{i}\cap W_{j}}\neq f_{j}(\psi)|_{W_{i}\cap W_{j}}$ , then $\phi|_{V_{i}\cap V_{j}}\neq\psi|_{V_{i}\cap V_{j}}$ , so this collection of functions defines a classical homomorphism $\mathcal{A}(B^{\prime})\to\mathcal{A}(B)$ . ∎

In other words, Corollary 5.7 implies that any tracial state $\tau$ on $\mathcal{A}(B^{\prime})$ (resp. $\mathcal{A}(B)$ ) with $\operatorname{def}(\tau)\leq\epsilon$ pulls back to a tracial state on $\mathcal{A}(B)$ (resp. $\mathcal{A}(B^{\prime})$ ) with defect also bounded by $\epsilon$ .

Remark 5.8.

Let $(\{\mathcal{G}(B_{x},\pi_{x})\},S,C)$ be a $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol for a language $\mathcal{L}$ with soundness $s$ , where $B_{x}=(X_{x},\{(V^{x}_{i},C_{i}^{x})\}_{i=1}^{m_{x}})$ . Since $|V^{x}_{i}|$ is polynomial in $|x|$ , and $C$ runs in polynomial time, the Cook-Levin theorem implies that we can find sets $W^{x}_{i}$ and constraints $D_{i}^{x}$ on $W^{x}_{i}$ as in Corollary 5.7 in which $|W^{x}_{i}|$ is polynomial in $|x|$ , and $D_{i}^{x}$ is a 3SAT instance with number of clauses polynomial in $|x|$ . By Lemma 5.2, we get a $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol $(\{\mathcal{G}(B_{x}^{\prime},\pi_{x})\},S,\widetilde{C})$ for $\mathcal{L}$ with the same soundness, such that $B_{x}^{\prime}=(X_{x}^{\prime},\{(W_{i}^{x},D_{i}^{x})\})$ is a constraint system where all the clauses $D_{i}^{x}$ are 3SAT instances, and the connectivity of $B_{x}^{\prime}$ is the same as $B_{x}$ .

6. BCS algebras, subdivision and stability

Suppose we have a BCS where each constraint is made up of subconstraints on subsets of the variables (for instance, a 3SAT instance made up of 3SAT clauses). In this section, we look at what happens when we split up the contexts and constraints so that each subconstraint is in its own contex. In the weighted BCS algebra, splitting up a context changes the commutative subalgebra corresponding to the context to a non-commutative subalgebra. To deal with this, we use a tool from the approximate representation theory of groups, namely the stability of $\mathbb{Z}_{2}^{k}$ .

Lemma 6.1 ([CVY23]).

Let $(\mathcal{M},\tau)$ be a tracial von Neumann algebra, and suppose $f:[k]\to\mathcal{M}$ is a function such that $f(i)^{2}=1$ for all $i\in[k]$ and $\|[f(i),f(j)]\|_{\tau}^{2}\leq\epsilon$ for all $i,j\in[k]$ , where $k\geq 1$ and $\epsilon\geq 0$ . Then there is a homomorphism $\psi:\mathbb{Z}_{2}^{k}\to\mathcal{U}(\mathcal{M})$ such that $\|\psi(x_{i})-f(i)\|_{\tau}^{2}\leq\operatorname{poly}(k)\epsilon$ for all $i\in[k]$ , where the $x_{i}$ generate $\mathbb{Z}_{2}^{k}$ .

Here a tracial von Neumann algebra is a von Neumann algebra $\mathcal{M}$ equipped with a faithful normal tracial state $\tau$ , and $\mathcal{U}(\mathcal{M})$ is the unitary group of $\mathcal{M}$ . If $\tau$ is a tracial state on a $*$ -algebra $\mathcal{A}$ , and $(\rho:\mathcal{A}\to\mathcal{B}(\mathcal{H}),\ket{v})$ is the GNS representation, then the closure $\mathcal{M}=\overline{\rho(\mathcal{A})}$ of $\rho(\mathcal{A})$ in the weak operator topology is a von Neumann algebra, and $\tau_{0}(a)=\bra{v}a\ket{v}$ is a faithful normal tracial state on $\mathcal{M}$ . A function $f$ satisfying the conditions of Lemma 6.1 is called an $\epsilon$ -homomorphism from $\mathbb{Z}_{2}^{k}$ to $\mathcal{U}(\mathcal{M})$ . The following lemma is useful for the proofs in this section:

Lemma 6.2.

Suppose $\mathcal{A}$ is a $*$ -algebra, and let $h(a):=a^{*}a$ denote the hermitian square of $a\in\mathcal{A}$ . Then $h(\sum_{i=1}^{n}a_{i})\leq k\sum_{i}h(a_{i})$ , where $k=2^{\lceil\log_{2}n\rceil}$ .

Proof.

Since $h(a+b)+h(a-b)=2h(a)+2h(b)$ , we see that $h(a+b)\leq 2h(a)+2h(b)$ . Thus $h(\sum_{i=1}^{n}a_{i})\leq 2h(\sum_{i=1}^{\lfloor n/2\rfloor}a_{i})+2h(\sum_{i=\lfloor n/2\rfloor+1}^{n}a_{i})$ , and repeated applications gives the desired inequality. ∎

We now formally define a subdivision of a BCS.

Definition 6.3.

Let $B=\left(X,\{(V_{i},C_{i})\}_{i=1}^{m}\right)$ be a BCS. Suppose that for all $1\leq i\leq m$ there exists a constant $m_{i}\geq 1$ and a set of constraints $\{D_{ij}\}_{j=1}^{m_{i}}$ on variables $\{V_{ij}\}_{j=1}^{m_{i}}$ respectively, such that

(1)
$V_{ij}\subseteq V_{i}$ for all $i\in[m]$ and $j\in[m_{i}]$ ,
(2)
for every $x,y\in V_{i}$ and $i\in[m]$ , there is a $j\in[m_{i}]$ such that $x,y\in V_{ij}$ , and
(3)
$C_{i}=\wedge_{j=1}^{m_{i}}D_{ij}$ for all $i\in[m]$ , where $\wedge$ is conjunction.

The BCS $B^{\prime}=\left(X,\{V_{ij},D_{ij}\}_{i,j}\right)$ is called a subdivision of $B$ . When working with subdivisions, we refer to $D_{ij}$ as the clauses of constraint $C_{i}$ , and $m_{i}$ as the number of clauses in constraint $i$ . A subdivision is uniform if $m_{i}=m_{j}$ for all $i,j$ .

Given a subdivision of $B$ as in the definition, let $M=\sum_{i=1}^{m}m_{i}$ , and pick a bijection between $[M]$ and the set of pairs $(i,j)$ with $1\leq i\leq m$ and $1\leq j\leq m_{i}$ . If $\pi$ is a probability distribution on $[m]\times[m]$ , let $\pi_{sub}$ be the probability distribution on $[M]\times[M]$ with $\pi_{sub}(ij,k\ell)=\pi(i,k)/m_{i}m_{k}$ . Note that if $\pi$ is uniform and the subdivision is uniform, then $\pi_{sub}$ is uniform. Any subdivision can be turned into a uniform subdivision by repeating pairs $(V_{ij},D_{ij})$ to increase $m_{i}$ . Note that subdivision can increase connectivity.

Part of the point of the definition of subdivisions is that they preserve the synchronous algebra of the system.

Proposition 6.4.

Let $B=\left(X,\{(V_{i},C_{i})\}_{i=1}^{m}\right)$ be a BCS, and let $B^{\prime}=\left(X,\{V_{ij},D_{ij}\}_{i,j}\right)$ be a subdivision. Let $\pi$ be a probability distribution on $[m]\times[m]$ , and let $\pi_{sub}$ be the probability distribution defined from $\pi$ as above. Then $\operatorname{SynAlg}(B,\pi)\cong\operatorname{SynAlg}(B^{\prime},\pi_{sub})$ .

Proof.

Because every pair of elements $x,y\in V_{i}$ belongs to some $V_{ij}$ , we get an isomorphism

\operatorname{SynAlg}(B^{\prime},\pi_{sub})\cong*_{i=1}^{m}\mathbb{Z}_{2}^{V_{i}}/\langle R\rangle,

where $R$ is the set of relations $\sigma_{i}(\Phi_{V_{ij},\phi})\sigma_{i}(\Phi_{V_{k\ell},\psi})=0$ for all $\phi$ and $\psi$ which do not agree on $V_{ij}\cap V_{k\ell}$ , and $\sigma_{i}(\Phi_{V_{ij},\phi})=0$ for all $\phi\not\in D_{ij}$ . From these latter relations, it is possible to recover the relations $\Phi_{V_{i},\phi}=0$ for $\phi\not\in C_{i}$ , and then to recover all the relations of $\operatorname{SynAlg}(B,\pi)$ . ∎

6.4 implies that $\mathcal{G}(B,\pi)$ has a perfect quantum (resp. commuting operator) strategy if and only if $\mathcal{G}(B^{\prime},\pi_{sub})$ has a perfect quantum (resp. commuting operator) strategy. The main result of this section is that near perfect strategies for $\mathcal{G}(B^{\prime},\pi_{sub})$ can be pulled back to near perfect strategies for $\mathcal{G}(B,\pi)$ . For the theorem, we say that $\pi$ is maximized on the diagonal if $\pi(i,i)\geq\pi(i,j)$ and $\pi(i,i)\geq\pi(j,i)$ for all $i,j\in[m]$ .

Theorem 6.5.

Let $B=\left(X,\{(V_{i},C_{i})\}_{i=1}^{m}\right)$ be a BCS, and let $B^{\prime}=\left(X,\{V_{ij},D_{ij}\}_{i,j}\right)$ be a subdivision of $B$ with $m_{i}$ clauses in constraint $C_{i}$ . Let $\pi$ be a probability distribution on $[m]\times[m]$ that is maximized on the diagonal, and let $\pi_{sub}$ be the probability distribution defined from $\pi$ as above. If there is a trace $\tau$ on $\mathcal{A}(B^{\prime},\pi_{sub})$ , then there is a trace $\widetilde{\tau}$ on $\mathcal{A}(B,\pi)$ with $\operatorname{def}(\widetilde{\tau})\leq\operatorname{poly}(m,2^{C},M,K)\operatorname{def}(\tau)$ , where $C=\max_{i,j}|V_{ij}|$ , $K=\max_{i}|V_{i}|$ , and $M=\max_{i}m_{i}$ .

For the proof of the theorem we consider several other versions of the weighted BCS algebra, where $\mathcal{A}(V_{i},C_{i})$ is replaced by $\mathbb{C}\mathbb{Z}_{2}^{*V_{i}}$ , and the defining relations of $\mathcal{A}(V_{i},C_{i})$ are moved into the weight function.

Definition 6.6.

Let $B=\left(X,\{(V_{i},C_{i})\}_{i=1}^{m}\right)$ be a BCS with a probability distribution $\pi$ on $[m]\times[m]$ , and let $B^{\prime}=\left(X,\{V_{ij},D_{ij}\}_{i,j}\right)$ be a subdivision, with $m_{i}$ clauses in constraint $C_{i}$ and probability distribution $\pi_{sub}$ induced by $\pi$ . Let $\sigma_{i}:\mathbb{C}\mathbb{Z}_{2}^{*V_{i}}\to*_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{*V_{i}}$ denote the inclusion of the $i$ th factor. Let $\mathcal{A}_{free}(B):=*_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{*V_{i}}$ , and define weight functions $\mu_{inter}$ , $\mu_{sat}$ , $\mu_{clause}$ , and $\mu_{comm}$ on $\mathcal{A}_{free}(B)$ by

	$\displaystyle\mu_{inter}(\sigma_{i}(x)-\sigma_{j}(x))=\pi(i,j)\text{ for all }i\neq j\in[m]\text{ and }x\in V_{i}\cap V_{j},$
	$\displaystyle\mu_{sat}(\Phi_{V_{i},\phi})=\pi(i,i)\text{ for all }i\in[m]\text{ and }\phi\in\mathbb{Z}_{2}^{V_{i}}\setminus C_{i},$
	$\displaystyle\mu_{clause}(\Phi_{V_{ij},\phi})=\pi(i,i)/m_{i}^{2}\text{ for all }(i,j)\in[m]\times[m_{i}]\text{ and }\phi\in\mathbb{Z}_{2}^{V_{ij}}\setminus D_{ij},\text{ and }$
	$\displaystyle\mu_{comm}([\sigma_{i}(x),\sigma_{i}(y)])=\pi(i,i)\text{ for all }i\in[m]\text{ and }x,y\in V_{i},$

and $\mu_{inter}(r)=0$ , $\mu_{sat}(r)=0$ , $\mu_{clause}(r)=0$ , and $\mu_{comm}(r)=0$ for any elements $r$ other than those listed. Let $\mathcal{A}_{free}(B,B^{\prime},\pi)$ be the weighted algebra $(\mathcal{A}_{free}(B),\mu_{all})$ , where $\mu_{all}:=\mu_{inter}+\mu_{clause}+\mu_{comm}$ .

Note that $\mu_{inter}$ is the same as the weight function of the algebra $\mathcal{A}_{inter}(B,\pi)$ defined in 5.4, except that it’s defined on $\mathcal{A}_{free}(B)$ rather than $\mathcal{A}(B)$ . The weight function $\mu_{sat}$ comes from the defining relations for $\mathcal{A}(B)$ , while $\mu_{clause}$ comes from the defining relations for $\mathcal{A}(B^{\prime})$ , so $\mathcal{A}_{free}(B,B^{\prime},\pi)$ is a mix of relations from $\mathcal{A}_{inter}(B,\pi)$ and $\mathcal{A}_{inter}(B^{\prime},\pi)$ . As mentioned previously, the context $V_{i}$ has an order inherited from $X$ , and this is used for the order of the product when talking about $\Phi_{V_{i},\phi}$ and $\Phi_{V_{ij},\phi}$ in $\mathcal{A}_{free}(B)$ . In particular, the order on $V_{ij}$ is compatible with the order on $V_{i}$ .

The weight functions $\mu_{inter}$ , $\mu_{sat}$ and $\mu_{clause}$ can also be defined on $\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}}$ using the same formula as in 6.6, and we use the same notation for both versions. The following lemma shows that we can relax $\mathcal{A}_{inter}(B,\pi)$ to $(\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}},\mu_{inter}+\mu_{clause})$ , as long as $\pi$ is maximized on the diagonal.

Lemma 6.7.

Let $B=\left(X,\{(V_{i},C_{i})\}_{i=1}^{m}\right)$ be a BCS, and let $\pi$ be a probability distribution on $[m]\times[m]$ that is maximized on the diagonal. Let $\mu_{inter}$ and $\mu_{sat}$ be the weight functions defined above with respect to $\pi$ . Then there is an $O(t)$ -homomorphism $\mathcal{A}_{inter}(B,\pi)\to(\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}},\mu_{inter}+\mu_{sat})$ , where $t$ is the connectivity of $B$ . Furthermore, if $B^{\prime}=\left(X,\{V_{ij},D_{ij}\}_{i,j}\right)$ is a subdivision of $B$ , then there is an $M^{2}$ -homomorphism $(\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}},\mu_{inter}+\mu_{sat})\to(\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}},\mu_{inter}+\mu_{clause})$ , where $M=\max_{i}m_{i}$ is the maximum number of clauses $m_{i}$ in constraint $i$ .

Proof.

Since $C_{i}$ is non-empty by convention, we can choose $\psi_{i}\in C_{i}$ for every $1\leq i\leq m$ . Define the homomorphism $\alpha:\mathcal{A}_{inter}(B,\pi)\to(\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}},\mu_{inter}+\mu_{sat})$ by

\alpha(\sigma_{i}(x))=\sum_{\varphi\in C_{i}}\Phi_{V_{i},\varphi}\sigma_{i}(x)+\sum_{\mathclap{\varphi\in\mathbb{Z}^{V_{i}}_{2}\setminus C_{i}}}\Phi_{V_{i},\varphi}\psi_{i}(x).

Let $\Phi_{i}=\sum_{\varphi\in C_{i}}\Phi_{V_{i},\varphi}$ , and let $h(a)=a^{*}a$ denote the hermitian square of $a$ as in Lemma 6.2. Then

\begin{split}\alpha\left[h(\sigma_{i}(x)-\sigma_{j}(x))\right]&=h(\Phi_{i}\sigma_{i}(x)+(1-\Phi_{i})\psi_{i}(x)-\Phi_{j}\sigma_{j}(x)-(1-\Phi_{j})\psi_{j}(x))\\ &\leq 4h[\Phi_{i}\sigma_{i}(x)+(1-\Phi_{i})\psi_{i}(x)-\sigma_{i}(x)]\\ &\quad+4h[\Phi_{j}\sigma_{j}(x)+(1-\Phi_{j})\psi_{j}(x)-\sigma_{j}(x)]+4h[\sigma_{i}(x)-\sigma_{j}(x)].\end{split}

Observe that $\sigma_{i}(x)=\sum_{\varphi\in\mathbb{Z}_{2}^{V_{i}}}\Phi_{V_{i},\varphi}\varphi(x)$ , so

h(\Phi_{i}\sigma_{i}(x)+(1-\Phi_{i})\psi_{i}(x)-\sigma_{i}(x))=\sum_{\mathclap{\varphi\in\mathbb{Z}_{2}^{V_{i}}\setminus C_{i}}}\Phi_{V_{i},\varphi}(\psi_{i}(x)-\varphi(x))^{2}\leq 4\sum_{\mathclap{\varphi\in\mathbb{Z}_{2}^{V_{i}}\setminus C_{i}}}\Phi_{V_{i},\varphi}.

Thus

	$\displaystyle\alpha\left(\sum_{\begin{subarray}{c}1\leq i\neq j\leq m\\ x\in V_{i}\cap V_{j}\end{subarray}}\pi(i,j)h(\sigma_{i}(x)-\sigma_{j}(x))\right)$	$\displaystyle\leq\sum_{\begin{subarray}{c}1\leq i\neq j\leq m\\ x\in V_{i}\cap V_{j}\end{subarray}}\pi(i,j)\left(16\sum_{\mathclap{\varphi\in\mathbb{Z}_{2}^{V_{i}}\setminus C_{i}}}\Phi_{V_{i},\varphi}+16\sum_{\mathclap{\varphi\in\mathbb{Z}_{2}^{V_{j}}\setminus C_{j}}}\Phi_{V_{j},\varphi}+4h(\sigma_{i}(x)-\sigma_{j}(x))\right)$
		$\displaystyle\leq\sum_{a\in\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}}}4\mu_{inter}(a)a^{}a+\sum_{a\in\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}}}32t\mu_{sat}(a)a^{}a$
		$\displaystyle\leq O(t)\sum_{a\in\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}}}(\mu_{inter}(a)+\mu_{sat}(a))a^{*}a,$

since $\pi$ is maximized on the diagonal.

Next, suppose $B^{\prime}$ is a subdivision of $B$ . If $\phi\in\mathbb{Z}_{2}^{V_{i}}\setminus C_{i}$ , then we can choose $j_{\phi}\in[m_{i}]$ such that $\phi|_{V_{i{j_{\phi}}}}\not\in D_{i{j_{\phi}}}$ . Since $\displaystyle\sum_{\phi:\phi|_{V_{ij}}=\phi^{\prime}}\Phi_{V_{i},\phi}=\Phi_{V_{ij},\phi^{\prime}}$ ,

\sum_{\phi\not\in C_{i}}\Phi_{V_{i},\phi}=\sum_{1\leq j\leq m_{i}}\sum_{\phi:j_{\phi}=j}\Phi_{V_{i},\phi}\leq\sum_{1\leq j\leq m_{i}}\sum_{\phi:\phi|_{V_{ij}}\not\in D_{ij}}\Phi_{V_{i},\phi}=\sum_{1\leq j\leq m_{i}}\sum_{\phi^{\prime}\not\in D_{ij}}\Phi_{V_{ij},\phi^{\prime}}.

Hence

\sum_{r}\mu_{sat}(r)r^{*}r\leq M^{2}\sum_{r}\mu_{clause}(r)r^{*}r,

where the $M^{2}$ comes from the fact that we divide by $m_{i}^{2}$ in the definition of $\mu_{clause}$ . Thus the identity map $(\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}},\mu_{inter}+\mu_{sat})\to(\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}},\mu_{inter}+\mu_{clause})$ is an $M^{2}$ -homomorphism. ∎

The following proposition shows how to construct tracial states on $\mathcal{A}_{inter}(B,\pi)$ from tracial states on $\mathcal{A}_{free}(B,B^{\prime},\pi)$ .

Proposition 6.8.

Let $B=\left(X,\{(V_{i},C_{i})\}_{i=1}^{m}\right)$ be a BCS, and let $\pi$ be a probability distribution on $[m]\times[m]$ which is maximized on the diagonal. Let $B^{\prime}=\left(X,\{V_{ij},D_{ij}\}_{i,j}\right)$ be a subdivision of $B$ with $m_{i}$ clauses in constraint $C_{i}$ . If $\tau$ is a trace on $\mathcal{A}_{free}(B,B^{\prime},\pi)$ , then there is a trace $\widetilde{\tau}$ on $\mathcal{A}_{inter}(B,\pi)$ such that $\operatorname{def}(\widetilde{\tau})\leq\operatorname{poly}(m,2^{C},M,K)\operatorname{def}(\tau)$ , where $C=\max_{ij}|V_{ij}|$ , $K=\max_{i}|V_{i}|$ , and $M=\max_{i}m_{i}$ . Furthermore, if $\tau$ is finite-dimensional then so is $\widetilde{\tau}$ .

Proof.

Since $\pi$ is maximized on the diagonal, if $\pi(i,i)=0$ then $\pi(i,j)=\pi(j,i)=0$ for all $j\in[m]$ , and the variables in $V_{i}$ do not appear in $\operatorname{supp}(\mu_{inter})$ . Thus we may assume without loss of generality that $\pi(i,i)>0$ for all $i\in[m]$ . Let $\tau$ be a trace on $\mathcal{A}_{free}(B,B^{\prime},\pi)$ . By the GNS construction there is a $*$ -representation $\rho$ of $\mathcal{A}_{free}(B,B^{\prime},\pi)$ acting on a Hilbert space $\mathcal{H}_{0}$ with a unit cyclic vector $\psi$ such that $\tau(a)=\langle\psi|\rho(a)|\psi\rangle$ for all $a\in\mathcal{A}_{free}(B)$ . Let $\mathcal{M}_{0}=\overline{\rho(\mathcal{A}_{free}(B))}$ be the weak operator closure of the image of $\rho$ , and let $\tau_{0}$ be the faithful normal tracial state on $\mathcal{M}_{0}$ corresponding to $\ket{\psi}$ (so $\tau_{0}\circ\rho=\tau)$ .

For all $i\in[m]$ the restriction of $\rho$ to $\mathbb{Z}_{2}^{*V_{i}}$ is a $\operatorname{def}(\tau;\mu_{comm})/\pi(i,i)$ -homomorphism from $\mathbb{Z}_{2}^{V_{i}}$ into $(\mathcal{M}_{0},\tau_{0})$ , so by Lemma 6.1 there is a representation $\rho_{i}:\mathbb{Z}_{2}^{V_{i}}\rightarrow\mathcal{U}(\mathcal{M}_{0})$ such that

(6.1)

\|\rho_{i}(x_{j})-\rho(x_{j})\|_{\tau_{0}}^{2}\leq\dfrac{\operatorname{poly}(K)}{\pi(i,i)}\operatorname{def}(\tau;\mu_{comm})

for all generators $x_{j}\in\mathbb{Z}_{2}^{V_{i}}$ . Suppose $x\in V_{i}\cap V_{j}$ , and let $\widetilde{\rho}:\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}}\to\mathcal{M}_{0}$ be the homomorphism defined by $\widetilde{\rho}(x)=\rho_{i}(x)$ for $x\in\mathbb{Z}_{2}^{V_{i}}$ . Then

	$\displaystyle\\|\widetilde{\rho}(\sigma_{i}(x)-\sigma_{j}(x))\\|_{\tau_{0}}^{2}$	$\displaystyle\leq 4\\|\widetilde{\rho}(\sigma_{i}(x))-\rho(\sigma_{i}(x))\\|_{\tau_{0}}^{2}+4\\|\widetilde{\rho}(\sigma_{j}(x))-\rho(\sigma_{j}(x))\\|_{\tau_{0}}^{2}$
		$\displaystyle\quad\quad\quad+4\\|\rho(\sigma_{i}(x)-\sigma_{j}(x))\\|_{\tau_{0}}^{2}$
		$\displaystyle\leq\dfrac{\operatorname{poly}(K)}{\pi(i,i)}\operatorname{def}(\tau;\mu_{comm})+4\\|\sigma_{i}(x)-\sigma_{j}(x)\\|_{\tau}^{2}.$

Since $\pi$ is maximalized on the diagonal, and $|\{(i,j,x):i\neq j\in[n],x\in V_{i}\cap V_{j}\}|\leq mt$ where $t$ is the connectivity of $B$ , we conclude that

	$\displaystyle\operatorname{def}(\tau_{0}\circ\widetilde{\rho};\mu_{inter})$	$\displaystyle\leq\sum_{i\neq j}\sum_{x\in V_{i}\cap V_{j}}\pi(i,j)\left(\dfrac{\operatorname{poly}(K)}{\pi(i,i)}\operatorname{def}(\tau;\mu_{comm})+4\\|\sigma_{i}(x)-\sigma_{j}(x)\\|_{\tau}^{2}\right)$
		$\displaystyle\leq O(mt\operatorname{poly}(K)\operatorname{def}(\tau;\mu_{comm})+\operatorname{def}(\tau;\mu_{inter})).$

For any $S\subseteq V_{i}$ , let $x_{S}:=\prod_{x\in S}x\in\mathbb{Z}_{2}^{*V_{i}}$ , where the order of the product is inherited from the order on $X$ . By Equation 6.1,

\|\widetilde{\rho}(x_{S})-\rho(x_{S})\|_{\tau_{0}}^{2}\leq\dfrac{\operatorname{poly}(K)}{\pi(i,i)}\operatorname{def}(\tau;\mu_{comm}),

where the degree of $K$ has increased by one. Since $\Phi_{V_{ij},\phi}=\tfrac{1}{2^{|V_{ij}|}}\sum_{S\subseteq V_{ij}}\phi(x_{S})x_{S}$ , we get that

\|\widetilde{\rho}(\Phi_{V_{ij},\phi})-\rho(\Phi_{V_{ij},\phi})\|_{\tau_{0}}^{2}\leq\frac{1}{2^{|V_{ij}|}}\sum_{S\subseteq V_{ij}}\|\widetilde{\rho}(x_{S})-\rho(x_{S})\|_{\tau_{0}}^{2}\leq\dfrac{\operatorname{poly}(K)}{\pi(i,i)}\operatorname{def}(\tau;\mu_{comm}).

If $1\leq i\leq m$ , $1\leq j\leq m_{i}$ , and $\phi\not\in D_{ij}$ , then

\|\widetilde{\rho}(\Phi_{V_{ij},\phi})\|_{\tau_{0}}^{2}\leq 2\|\widetilde{\rho}(\Phi_{V_{ij},\phi})-\rho(\Phi_{V_{ij},\phi})\|_{\tau_{0}}^{2}+2\|\rho(\Phi_{V_{ij},\phi})\|_{\tau_{0}}^{2},

and hence

	$\displaystyle\operatorname{def}(\tau_{0}\circ\widetilde{\rho};\mu_{clause})$	$\displaystyle=\sum_{i,j}\frac{\pi(i,i)}{m_{i}^{2}}\sum_{\phi\not\in D_{ij}}\\|\widetilde{\rho}(\Phi_{V_{ij},\phi})\\|_{\tau_{0}}^{2}$
		$\displaystyle\leq\sum_{i,j}\sum_{\phi\not\in D_{ij}}\frac{\pi(i,i)}{m_{i}^{2}}\left(\dfrac{\operatorname{poly}(K)}{\pi(i,i)}\operatorname{def}(\tau;\mu_{comm})+2\\|\Phi_{V_{ij},\phi}\\|_{\tau}\right)$
		$\displaystyle\leq\sum_{i,j}2^{C}\frac{\operatorname{poly}(K)}{m_{i}^{2}}\operatorname{def}(\tau;\mu_{comm})+2\operatorname{def}(\tau;\mu_{clause})$
		$\displaystyle\leq m^{2}2^{C}\operatorname{poly}(K)\operatorname{def}(\tau;\mu_{comm})+2\operatorname{def}(\tau;\mu_{clause}).$

We conclude that $\widetilde{\tau}=\tau_{0}\circ\widetilde{\rho}$ is a tracial state on $\ast_{i=1}^{m}\mathbb{C}\mathbb{Z}_{2}^{V_{i}}$ with $\operatorname{def}(\widetilde{\tau};\mu_{inter}+\mu_{clause})$ bounded by

\displaystyle O(\operatorname{def}(\tau;\mu_{inter})+\operatorname{def}(\tau;\mu_{clause})+(m^{2}2^{C}+mt)\operatorname{poly}(K)\operatorname{def}(\tau;\mu_{comm})).

Since $t\leq O(mK)$ , we conclude that

\operatorname{def}(\widetilde{\tau};\mu_{inter}+\mu_{clause})\leq\operatorname{poly}(m,2^{C},K)\operatorname{def}(\tau;\mu_{inter}+\mu_{clause}+\mu_{comm}).

By Lemma 6.7, there is a $O(tM^{2})$ -homomorphism $\mathcal{A}_{inter}(B,\pi)\to(\ast^{m}_{i=1}\mathbb{C}\mathbb{Z}^{V_{i}}_{2},\mu_{inter}+\mu_{clause})$ , and pulling $\widetilde{\tau}$ back by this homomorphism gives the proposition. ∎

Finally, we can pull back tracial states from the subdivision algebra $\mathcal{A}_{inter}(B^{\prime},\pi_{sub})$ to traces on $\mathcal{A}_{free}(B,B^{\prime},\pi)$ .

Proposition 6.9.

Let $B=\left(X,\{(V_{i},C_{i})\}_{i=1}^{m}\right)$ be a BCS, and let $B^{\prime}=\left(X,\{V_{ij},D_{ij}\}_{i,j}\right)$ be a subdivision of $B$ . Let $\pi$ be a probability distribution on $[m]\times[m]$ , and let $\pi_{sub}$ be the probability distribution defined from $\pi$ as above. Then there is a $\operatorname{poly}(M,2^{C})$ -homomorphism $\mathcal{A}_{free}(B,B^{\prime},\pi)\to\mathcal{A}_{inter}(B^{\prime},\pi_{sub})$ , where $C=\max_{ij}|V_{ij}|$ and $M=\max_{i}m_{i}$ .

Proof.

For each $1\leq i\leq m$ and $x\in V_{i}$ , choose an index $1\leq r_{ix}\leq m_{i}$ such that $x\in V_{ir_{ix}}$ . Also, for each $x,y\in V_{i}$ , choose an index $i_{xy}$ such that $x,y\in V_{i_{xy}}$ . Define $\alpha:*_{i=1}^{m}\mathbb{Z}_{2}^{*V_{i}}\to\mathcal{A}(B^{\prime})$ by $\alpha(\sigma_{i}(x))=\sigma_{ir_{ix}}(x)$ . It follows immediately from the definitions that $\alpha$ is a $O(M^{2})$ -homomorphism $(\mathcal{A}_{free}(B),\mu_{inter})\to\mathcal{A}_{inter}(B^{\prime},\pi_{sub})$ . Moving on to $\mu_{comm}$ , observe that if $h(a)=a^{*}a$ as in Lemma 6.2 then

	$\displaystyle\alpha(h([\sigma_{i}(x),\sigma_{i}(y)]))$	$\displaystyle=h\left(\sigma_{ir_{ix}}(x)\sigma_{ir_{iy}}(y)-\sigma_{ir_{iy}}(y)\sigma_{ir_{ix}}(x)\right)$
		$\displaystyle\leq 4h((\sigma_{ir_{ix}}(x)-\sigma_{i_{xy}}(x))\sigma_{ir_{iy}}(y))+4h(\sigma_{i_{xy}}(x)(\sigma_{i_{xy}}(y)-\sigma_{ir_{iy}}(y)))+$
		$\displaystyle\quad+4h((\sigma_{ir_{iy}}(y)-\sigma_{i_{xy}}(y))\sigma_{ir_{ix}}(x))+4h(\sigma_{i_{xy}}(y)(\sigma_{ir_{ix}}(x)-\sigma_{i_{xy}}(x)))$
		$\displaystyle\lesssim 8h(\sigma_{ir_{ix}}(x)-\sigma_{i_{xy}}(x))+8h(\sigma_{ir_{iy}}(y)-\sigma_{i_{xy}}(y)),$

where we use the fact that $[\sigma_{i_{xy}}(x),\sigma_{i_{xy}}(y)]=0$ , and that $U^{*}a^{*}aU$ is cyclically equivalent to $a^{*}a$ if $UU^{*}=1$ . For any given $x\in V_{i}$ and $1\leq j\leq m_{i}$ , the number of elements $y\in V_{i}$ with $i_{xy}=j$ is bounded by $|V_{ij}|$ . Hence

\sum_{i}\sum_{x,y\in V_{i}}\pi(i,i)\alpha(h([\sigma_{i}(x),\sigma_{i}(y)]))\lesssim O(CM^{2})\sum_{i,j,j^{\prime}}\sum_{x\in V_{ij}\cap V_{ij^{\prime}}}\frac{\pi(i,i)}{m_{i}^{2}}h(\sigma_{ij}(x)-\sigma_{ij^{\prime}}(x)),

where $\sigma_{ij}:\mathbb{C}\mathbb{Z}_{2}^{V_{ij}}\to\mathcal{A}(B^{\prime})$ is the inclusion of the $ij$ th factor. We conclude that there is an $O(CM^{2})$ -homomorphism $(\mathcal{A}_{free}(B),\mu_{comm})\to\mathcal{A}_{inter}(B^{\prime},\pi_{sub})$ .

Finally, for $\mu_{clause}$ , if $i\in[m]$ , $j\in[m_{i}]$ , and $\phi\not\in D_{ij}$ then $\sigma_{ij}(\Phi_{V_{ij},\phi})=0$ , so

	$\displaystyle\alpha(\Phi_{V_{ij},\phi})$	$\displaystyle=\alpha(\Phi_{V_{ij},\phi})-\sigma_{ij}(\Phi_{V_{ij},\phi})$
		$\displaystyle=\frac{1}{2^{\|V_{ij}\|}}\sum_{S\subseteq V_{ij}}\prod_{x\in S}\phi(x)\sigma_{ir_{ix}}(x)-\frac{1}{2^{\|V_{ij}\|}}\sum_{S\subseteq V_{ij}}\prod_{x\in S}\phi(x)\sigma_{ij}(x)$
		$\displaystyle=\frac{1}{2^{\|V_{ij}\|}}\sum_{S\subseteq V_{ij}}\sum_{x\in S}u_{x,S}\phi(x)(\sigma_{ir_{ix}}(x)-\sigma_{ij}(x))v_{x,S},$

where $u_{x,S}$ is the product of $\phi(y)\sigma_{ij}(y)$ for $y\in S$ appearing before $x$ in the order on $V_{i}$ , and $v_{x,S}$ is the product of $\phi(y)\sigma_{ir_{iy}}(y)$ for $y\in S$ appearing after $x$ in the order on $V_{i}$ . Since there are less than $|V_{ij}|\cdot 2^{|V_{ij}|}$ terms in this sum, and $\phi(x)u_{x,S}$ and $v_{x,S}$ are unitary,

	$\displaystyle h(\alpha(\Phi_{V_{ij},\phi}))$	$\displaystyle\lesssim\frac{2\|V_{ij}\|}{2^{\|V_{ij}\|}}\sum_{S\subseteq V_{ij}}\sum_{x\in S}h(\sigma_{ir_{ix}}(x)-\sigma_{ij}(x))$
		$\displaystyle=\frac{\|V_{ij}\|}{2^{\|V_{ij}\|-1}}\sum_{x\in V_{ij}}\sum_{x\in S\subseteq V_{ij}}h(\sigma_{ir_{ix}}(x)-\sigma_{ij}(x))$
		$\displaystyle=\|V_{ij}\|\sum_{x\in V_{ij}}h(\sigma_{ir_{ix}}(x)-\sigma_{ij}(x)).$

Hence

	$\displaystyle\sum_{i\in[m],j\in[m_{i}]}\frac{\pi(i,i)}{m_{i}^{2}}\sum_{\phi\not\in D_{ij}}\alpha(h(\Phi_{V_{ij},\phi}))$	$\displaystyle\lesssim\sum_{i,j}\frac{\pi(i,i)}{m_{i}^{2}}\sum_{\phi\not\in D_{ij}}C\sum_{x\in V_{ij}}h(\sigma_{ir_{ix}(x)}-\sigma_{ij}(x))$
		$\displaystyle\leq C\cdot 2^{C}\sum_{i,j}\frac{\pi(i,i)}{m_{i}^{2}}\sum_{x\in V_{ij}}h(\sigma_{ir_{ix}}-\sigma_{ij}(x)).$

Since every term in the latter sum occurs in the sum $\sum_{r}\mu^{\prime}(r)r^{*}r$ for the weight function $\mu^{\prime}$ of $\mathcal{A}_{inter}(B^{\prime},\pi_{sub})$ , $\alpha$ is a $C\cdot 2^{C}$ -homomorphism $(\mathcal{A}_{free}(B),\mu_{clause})\to\mathcal{A}_{inter}(B^{\prime},\pi_{sub})$ . We conclude that $\alpha$ is an $O(M^{2}+CM^{2}+C2^{C})$ -homomorphism $\mathcal{A}_{free}(B,\pi)\to\mathcal{A}_{inter}(B^{\prime},\pi_{sub})$ , and $O(M^{2}+CM^{2}+C2^{C})\leq\operatorname{poly}(M,2^{C})$ . ∎

proof of Theorem 6.5.

Applying 6.9 and 6.8 yields the result. ∎

7. Parallel repetition

Let $\mathcal{G}=(I,\{O_{i}\}_{i\in I},\pi,V)$ be a nonlocal game. The $n$ -fold parallel repetition of $\mathcal{G}$ is the game

\mathcal{G}^{\otimes n}=(I^{n},\{O_{\underline{i}}\}_{\underline{i}\in I^{n}},\pi^{\otimes n},V^{\otimes n}),

where

(1)
$I^{n}$ is the $n$ -fold product of $I$ ,
(2)
if $\underline{i}\in I^{n}$ , then $O_{\underline{i}}:=O_{i_{1}}\times O_{i_{2}}\times\cdots\times O_{i_{n}}$ ,
(3)
if $\underline{i},\underline{j}\in I^{n}$ , then $\pi^{\otimes n}(\underline{i},\underline{j})=\prod_{k=1}^{n}\pi(i_{k},j_{k})$ , and
(4)
if $\underline{i},\underline{j}\in I^{n}$ , $\underline{a}\in O_{\underline{i}}$ , $\underline{b}\in O_{\underline{j}}$ , then $V^{\otimes n}(\underline{a},\underline{b}|\underline{i},\underline{j})=\prod_{k=1}^{n}V(a_{k},b_{k}|i_{k},j_{k})$ .

In other words, the players each receive a vector of questions $\underline{i}=(i_{1},\ldots,i_{n})$ and $\underline{j}=(j_{1},\ldots,j_{n})$ from $\mathcal{G}$ , and must reply with a vector of answers $(a_{1},\ldots,a_{n})$ and $(b_{1},\ldots,b_{n})$ to each question. Each pair of questions $(i_{k},j_{k})$ , $1\leq k\leq n$ is sampled independently from $\pi$ , and the players win if and only if $(a_{k},b_{k})$ is a winning answer to questions $(i_{k},j_{k})$ for all $1\leq k\leq n$ . If $\mathcal{G}$ has questions of length $q$ and answers of length $a$ , then $\mathcal{G}^{\otimes n}$ has questions of length $nq$ and answers of length $na$ .

If $p$ is a correlation for $\mathcal{G}$ , let $p^{\otimes n}$ be the correlation for $\mathcal{G}^{\otimes n}$ defined by

p^{\otimes n}(\underline{a},\underline{b}|\underline{i},\underline{j})=\prod_{k=1}^{n}p(a_{k},b_{k}|i_{k},j_{k}).

It is easy to see that $p^{\otimes n}$ is a quantum (resp. commuting operator) correlation if and only if $p$ is a quantum (resp. commuting operator) correlation, and that $\omega(\mathcal{G}^{\otimes n};p^{\otimes n})=\omega(\mathcal{G},p)^{n}$ . Hence if $\omega_{q}(\mathcal{G})=1$ (resp. $\omega_{qc}(\mathcal{G})=1$ ) then $\omega_{q}(\mathcal{G}^{\otimes n})=1$ (resp. $\omega_{qc}(\mathcal{G}^{\otimes n})=1$ ) as well. If $\omega_{q}(\mathcal{G})<1$ , then $\omega_{q}(\mathcal{G}^{\otimes n})\geq\omega_{q}(\mathcal{G})^{n}$ (and the same for the commuting operator value), but this inequality is not always tight. However, Yuen’s parallel repetition theorem states that the game value goes down at least polynomially in $n$ :

Theorem 7.1 ([Yue16]).

For any nonlocal game $\mathcal{G}$ , if $\delta=1-\omega_{q}(\mathcal{G})>0$ , then $\omega_{q}(\mathcal{G}^{\otimes n})\leq b/\operatorname{poly}(\delta,n)$ , where $b$ is the length of the answers of $\mathcal{G}$ .

Suppose $B=(X,\{(V_{i},C_{i})\}_{i=1}^{m})$ is a BCS and that $\pi$ is a probability distribution on $[m]\times[m]$ . For any $n\geq 1$ , let $X^{(n)}:=X\times[n]$ , and $V^{(k)}_{i}=V_{i}\times\{k\}\subseteq X^{(n)}$ . We can think of $X^{(n)}$ as the disjoint union of $n$ copies of $X$ , and $V^{(k)}_{i}$ as the copy of $V_{i}$ from the $k^{th}$ copy of $X$ . Since $V^{(k)}_{i}$ is a copy of $V_{i}$ , we can identify $\mathbb{Z}_{2}^{V_{i}^{(k)}}$ with $\mathbb{Z}_{2}^{V_{i}}$ in the natural way. If $\underline{i}\in[m]^{n}$ , let $V_{\underline{i}}=\cup_{j=1}^{k}V^{(k)}_{i_{j}}$ and $C_{\underline{i}}=C_{i_{1}}\times\cdots\times C_{i_{k}}\subseteq\mathbb{Z}_{2}^{V_{\underline{i}}}=\mathbb{Z}_{2}^{V^{(1)}_{i_{1}}}\times\cdots\times\mathbb{Z}_{2}^{V_{i_{k}}^{(k)}}$ . Let $B^{(n)}:=(X^{(n)},\{(V_{\underline{i}},C_{\underline{i}})_{\underline{i}\in[m]^{n}}\})$ . Given a distribution $\pi$ on $[m]\times[m]$ , consider the game $\mathcal{G}(B^{(n)},\pi^{\otimes n})$ , where $\pi^{\otimes n}$ is the product distribution as above. In this game, the players are given questions $\underline{i}$ and $\underline{j}$ from $[m]^{n}$ respectively, and must reply with elements $\underline{\phi}\in C_{\underline{i}}$ and $\underline{\psi}\in C_{\underline{j}}$ respectively. They win if and only if $\underline{\phi}$ and $\underline{\psi}$ agree on $V_{\underline{i}}\cap V_{\underline{j}}=\bigcup_{k=1}^{n}V^{(k)}_{i_{k}}\cap V^{(k)}_{j_{k}}$ . But this happens if and only if $\phi_{k}$ and $\psi_{k}$ agree on $V_{i_{k}}\cap V_{j_{k}}$ . Thus $\mathcal{G}(B^{(n)},\pi^{\otimes n})$ is the parallel repetition $\mathcal{G}(B,\pi)^{\otimes n}$ . We record this in the following lemma:

Lemma 7.2.

If $\mathcal{G}$ is a BCS game, then so is the parallel repetition $\mathcal{G}^{\otimes n}$ .

To illustrate the purpose of parallel repetition, suppose that $(\{\mathcal{G}_{x}\},S,V)$ is a $\operatorname{MIP}^{*}(2,1,1,s)$ -protocol for a language $\mathcal{L}$ , where $\mathcal{G}_{x}=(I_{x},\{O_{xi}\},\pi_{x},V_{x})$ and has answer length $a_{x}$ . If $n_{x}$ is a polynomial in $|x|$ , then $\pi_{x}^{\otimes n_{x}}$ can be sampled in polynomial time by running $S$ independently $n$ times, and $V_{x}^{\otimes n_{x}}$ can also be computed in polynomial time by running $V$ repeatedly. If $S^{\otimes n_{x}}$ and $V^{\otimes n_{x}}$ are these Turing machines for sampling $\pi_{x}^{\otimes n_{x}}$ and computing $V_{x}^{\otimes n_{x}}$ respectively, then $(\{\mathcal{G}_{x}^{\otimes n_{x}}\},S^{\otimes n_{x}},V^{\otimes n_{x}})$ is a $\operatorname{MIP}^{*}(2,1,1,s^{\prime})$ -protocol for $\mathcal{L}$ , where $s^{\prime}=a_{x}/\operatorname{poly}(1-s)\cdot\operatorname{poly}(n_{x})$ . Since $a_{x}$ is polynomial in $|x|$ , if $1-s=1/\operatorname{poly}(|x|)$ , then we can choose $n_{x}$ such that $s^{\prime}$ is any constant $<1$ . By Lemma 7.2 the same can be done for $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ .

8. Perfect zero knowledge

An $\operatorname{MIP}$ protocol is perfect zero knowledge if the verifier gains no new information from interacting with the provers. If the players’ behaviour in a game $\mathcal{G}=(I,\{O_{i}\}_{i\in I},\pi,V)$ is given by the correlation $p$ , then what the verifier (or any outside observer) sees is the distribution $\{\pi(i,j)p(a,b|i,j)\}$ over tuples $(a,b|i,j)$ . Consequently a $\operatorname{MIP}^{*}$ -protocol $(\{\mathcal{G}_{x}\},S,V)$ is said to be perfect zero-knowledge against an honest verifier if the players can use correlations $p_{x}$ for $\mathcal{G}_{x}$ such that the distribution $\{\pi(i,j)p(a,b|i,j)\}$ can be sampled in polynomial time in $|x|$ . However, a dishonest verifier seeking to get more information from the players might sample the questions from a different distribution $\pi^{\prime}$ from $\pi$ . To be perfect zero-knowledge against a dishonest verifier, it must be possible to efficiently sample $\{\pi^{\prime}(i,j)p_{x}(a,b|i,j)\}$ for any efficiently sampleable distribution $\pi^{\prime}$ , and this is equivalent to being able to efficiently sample from $\{p_{x}(a,b|i,j)\}_{(a,b)\in O_{i}\times O_{j}}$ for any $i,j$ . This leads to the definition (following [CS19, Definition 6.3]):

Definition 8.1.

Let $\mathcal{P}=(\{\mathcal{G}_{x}\},S,V)$ be a two-prover one-round $\operatorname{MIP}^{*}$ protocol for a language $\mathcal{L}$ with completeness $c$ and soundness $s$ , where $\mathcal{G}_{x}=(I_{x},\{O_{xi}\},\pi_{x},V_{x})$ . The protocol $\mathcal{P}$ is perfect zero knowledge if for every string $x$ , there is a correlation $p_{x}$ for $\mathcal{G}_{x}$ such that

(1)
for all $i,j\in I_{x}$ , the distribution $\{p_{x}(a,b|i,j)\}$ can be sampled in polynomial time in $|x|$ , and
(2)
if $x\in\mathcal{L}$ then $p_{x}\in C_{qa}$ and $\omega(\mathcal{G}_{x},p_{x})=1$ .

The class $\operatorname{PZK}$ - $\operatorname{MIP}^{*}(2,1,c,s)$ is the class of languages with a perfect zero knowledge two-prover one round $\operatorname{MIP}^{*}$ protocol with completeness $c$ and soundness $s$ .

By replacing $C_{qa}$ with $C_{qc}$ , we get another class $\operatorname{PZK}$ - $\operatorname{MIP}^{co}$ . If we replace $\operatorname{MIP}^{*}$ protocols with $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ (resp. $\operatorname{BCS}$ - $\operatorname{MIP}^{co}$ ) protocols and $C_{qa}$ with $C^{s}_{qa}$ (resp. $C^{s}_{qc}$ ) we get the class $\operatorname{PZK}$ - $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ (resp. $\operatorname{PZK}$ - $\operatorname{BCS}$ - $\operatorname{MIP}^{co}$ ).

For the one-round protocols that we are considering, parallel repetition preserves the property of being perfect zero knowledge.

Proposition 8.2.

Let $(\{\mathcal{G}_{x}\},S,V)$ be a $\operatorname{PZK}$ - $\operatorname{MIP}^{*}(2,1,1,s)$ protocol, and let $n_{x}$ be a polynomial function of $|x|$ . Then the parallel repeated protocol $(\{\mathcal{G}_{x}^{\otimes n_{x}}\},S^{\otimes n_{x}},V^{\otimes n_{x}})$ is also perfect zero knowledge.

Proof.

Let $p_{x}$ be a correlation for the game $\mathcal{G}$ that satisfies the two requirements of Definition 8.1. Then $\{p_{x}^{\otimes n_{x}}(\underline{a},\underline{b}|\underline{i},\underline{j})\}_{\underline{a},\underline{b}}$ can be sampled in polynomial time in $|x|$ for all $\underline{i}$ , $\underline{j}$ by independently sampling from $\{p_{x}(a,b,i_{\ell},j_{\ell})\}_{a,b}$ for each pair $(i_{\ell},j_{\ell})$ from $\underline{i}=(i_{1},\dots,i_{n_{x}})$ and $\underline{j}=(j_{1},\dots,j_{n_{x}})$ . If $x\in\mathcal{L}$ , then $\omega(\mathcal{G}_{x}^{\otimes n_{x}};p_{x}^{\otimes n})=1$ , and it is not hard to see that $p_{x}^{\otimes n_{x}}\in C_{qa}$ . ∎

We will now prove our main result that any proof system in $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ or $\operatorname{BCS}$ - $\operatorname{MIP}^{co}$ can be turned into a perfect zero knowledge $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ or $\operatorname{BCS}$ - $\operatorname{MIP}^{co}$ protocol. For this purpose, we use the perfect zero knowledge proof system for 3SAT due to Dwork, Feige, Kilian, Naor, and Safra [DFK⁺92], slightly modified for the proof of quantum soundness. For the construction, we assume that we start with a $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol (and in the proof of Theorem 1.1, this will be a 3SAT- $\operatorname{MIP}^{*}$ protocol). Following [DFK⁺92], the new proof system is constructed in three steps. First, we apply a transformation called oblivation, then turn the resulting system into a permutation branching program via Barrington’s theorem [Bar86], and finally rewrite the permutation branching programs using the randomizing tableaux of Kilian [Kil90]. We start by describing obliviation.

Definition 8.3.

Given a BCS $B=(X,\{(V_{i},C_{i})\}^{m}_{i=1})$ and $n\geq 1$ , let $Y=X\times[n]$ , and $W_{i}=V_{i}\times[n]$ for any $1\leq i\leq m$ . To make the elements of $Y$ look more like variables, we denote $(x,i)$ by $x(i)$ . Let $D_{i}\subseteq\mathbb{Z}_{2}^{W_{i}}$ be the set of assignments $\phi$ to $W_{i}$ such that the assignment $\psi$ to $V_{i}$ defined by $\psi(x)=\psi(x(1))\cdots\psi(x(n))$ is in $C_{i}$ . The obliviation of $B$ of degree $n$ is the constraint system $\operatorname{Obl}_{n}(B)=(Y,\{W_{i},D_{i}\}_{i=1}^{m})$ .

The point of obliviation is the following:

Lemma 8.4.

Suppose $B=(X,\{(V_{i},C_{i})\}^{m}_{i=1})$ is a BCS, and let $B^{\prime}=\operatorname{Obl}_{n}(B)$ for some $n\geq 1$ . Then there is a classical homomorphism $\alpha:\mathcal{A}(B)\to\mathcal{A}(B^{\prime})$ such that $\alpha(\sigma_{i}(x))=\sigma_{i}(x(1)\cdots x(n))$ for all $i\in[m]$ and $x\in V_{i}$ , where $\sigma_{i}$ is in the inclusion of the $i$ th factor for $\mathcal{A}(B)$ and $\mathcal{A}(B^{\prime})$ .

Furthermore, if $\pi$ is a probability distribution on $[m]\times[m]$ , and $\tau$ is a tracial state on $\mathcal{A}(B)$ , then there is a tracial state $\widetilde{\tau}$ on $\mathcal{A}(B^{\prime})$ such that $\tau=\widetilde{\tau}\circ\alpha$ , $\operatorname{def}(\widetilde{\tau};\mu_{\pi})=\operatorname{def}(\tau;\mu_{\pi})$ , and $\widetilde{\tau}(\prod_{(i,x)\in S}\sigma_{i}(x))=0$ for any ordered set $S$ of pairs $(i,x)$ with $x\in W_{i}$ and $1\leq|S|\leq n-1$ .

In particular, if $\tau$ is perfect then $\widetilde{\tau}$ is perfect.

Proof.

Define $f_{i}:\mathbb{Z}_{2}^{W_{i}}\to\mathbb{Z}_{2}^{V_{i}}$ for each $i\in[m]$ by $f_{i}(\phi)(x)=\phi(x(1))\cdots\phi(x(n))$ for $\phi\in\mathbb{Z}_{2}^{W_{i}}$ and $x\in V_{i}$ . By definition, $\phi\in D_{i}$ if and only if $f_{i}(\phi)\in C_{i}$ , so $f_{i}(D_{i})=C_{i}$ . If $f_{i}(\phi)(x)\neq f_{j}(\psi)(x)$ for some $\phi\in\mathbb{Z}_{2}^{W_{i}}$ , $\psi\in\mathbb{Z}_{2}^{W_{j}}$ , and $x\in V_{i}\cap V_{j}$ , then we must have $\phi(x(i))\neq\psi(x(i))$ for some $i$ . Since

\sigma_{i}(x(1)\cdots x(n))=\sum_{\phi\in\mathbb{Z}_{2}^{W_{i}}}f_{i}(\phi)(x)\Phi_{W_{i},\phi}

for all $x\in V_{i}$ , $i\in[m]$ , the functions $f_{i}$ correspond to a classical homomorphism $\alpha:\mathcal{A}(B)\to\mathcal{A}(B^{\prime})$ with $\alpha(\sigma_{i}(x))=\sigma_{i}(x(1)\cdots x(n))$ for all $i\in[m]$ and $x\in V_{i}$ .

Conversely, given $y\in\mathbb{Z}_{2}^{X\times[n-1]}$ and $\phi\in\mathbb{Z}_{2}^{V_{i}}$ , define $\phi_{y}\in\mathbb{Z}_{2}^{W_{i}}$ by $\phi_{y}(x(1))=\phi(x)y(x,1)$ , $\phi_{y}(x(j))=y(x,j-1)y(x,j)$ for $2\leq j\leq n-1$ , and $\phi_{y}(x(n))=y(x,n-1)$ . Since $f_{i}(\phi_{y})=\phi$ , the function $\phi\mapsto\phi_{y}$ sends $C_{i}$ to $D_{i}$ . Also if $\phi\in\mathbb{Z}_{2}^{V_{i}}$ and $\psi\in\mathbb{Z}_{2}^{V_{j}}$ , then $\phi_{y}|_{W_{i}\cap W_{j}}\neq\psi_{y}|_{W_{i}\cap W_{j}}$ if and only if $\phi|_{V_{i}\cap V_{j}}\neq\psi|_{V_{i}\cap V_{j}}$ , so the functions $\phi\mapsto\phi_{y}$ determine a local homomorphism $\beta_{y}:\mathcal{A}(B^{\prime})\to\mathcal{A}(B)$ with $\beta_{y}(\sigma_{i}(x(1)))=\sigma_{i}(x)y(x,1)$ , $\beta_{y}(\sigma_{i}(x(j)))=y(x,j-1)y(x,j)$ for $2\leq j\leq n-1$ , and $\beta_{y}(\sigma_{i}(x(n)))=y(x,n-1)$ for all $i\in[m]$ and $x\in V_{i}$ .

Define a tracial state $\widetilde{\tau}$ on $\mathcal{A}(B^{\prime})$ by $\widetilde{\tau}=2^{-|X|(n-1)}\sum_{y}\tau\circ\beta_{y}$ , where the sum is over all $y\in\mathbb{Z}_{2}^{X\times[n-1]}$ . Since $\beta_{y}\circ\alpha$ is the identity on $\mathcal{A}(B)$ , $\widetilde{\tau}\circ\alpha=\tau$ . Since $\beta_{y}$ and $\alpha$ are $1$ -homomorphisms,

\operatorname{def}(\tau\circ\beta_{y};\mu_{\pi})\leq\operatorname{def}(\tau;\mu_{\pi})=\operatorname{def}(\tau\circ\beta_{y}\circ\alpha;\mu_{\pi})\leq\operatorname{def}(\tau\circ\beta_{y};\mu_{\pi})

for any $y$ , so $\operatorname{def}(\tau\circ\beta_{y};\mu_{\pi})=\operatorname{def}(\tau;\mu_{\pi})$ and hence $\operatorname{def}(\widetilde{\tau};\mu_{\pi})=\operatorname{def}(\tau;\mu_{\pi})$ .

Finally, if $S$ is an ordered set of pairs $(i,x)$ with $x\in W_{i}$ , then there is an element $a\in\mathcal{A}(B)$ and set $S^{\prime}\subseteq X\times[n-1]$ such that

\beta_{y}(\prod_{(i,x)\in S}\sigma_{i}(x))=m_{y}\tau(a)

for all $y\in\mathbb{Z}_{2}^{X\times[n-1]}$ , where $m_{y}:=\prod_{(x,j)\in S^{\prime}}y(x,j)$ . If $|S|\leq n-1$ , then $S^{\prime}$ is non-empty. Hence

\widetilde{\tau}(\prod_{(i,x)\in S}\sigma_{i}(x))=2^{-|X|(n-1)}\sum_{y}m_{y}\tau(a),

and $\sum_{y}m_{y}=0$ if $S^{\prime}$ is non-empty. ∎

A permutation branching program of width $5$ and depth $d$ on a set of variables $X$ is a tuple $P=(X,\{(x_{i},\pi_{1}^{(i)},\pi_{-1}^{(i)})\}_{i=1}^{d},\sigma)$ where $x_{i}\in X$ and $\pi_{1}^{(i)},\pi_{-1}^{(i)}$ are elements of the permutation group $S_{5}$ for all $1\leq i\leq d$ , and $\sigma\in S_{5}$ is a 5-cycle. A permutation branching program $P$ defines a map $P:\mathbb{Z}_{2}^{X}\to S_{5}$ via $P(\phi)=\prod_{i=1}^{d}\pi^{(i)}_{\phi(x_{i})}$ . A program $P$ recognizes a constraint $C\subseteq\mathbb{Z}_{2}^{X}$ if $P(\phi)=\sigma$ for all $\phi\in C$ , and $P(\phi)=e$ for all $\phi\not\in C$ , where $e$ is the identity in $S_{5}$ .

Theorem 8.5 (Barrington [Bar86]).

Suppose a constraint $C\subseteq\mathbb{Z}_{2}^{X}$ is recognized by a depth $d$ fan-in 2 boolean circuit. Then $C$ is recognized by a permutation branching program of depth $4^{d}$ on the variables $X$ .

For the rest of the section, we assume that we have a canonical way of turning constraints described by fan-in 2 boolean circuits into permutation branching programs using Barrington’s theorem.

The final ingredient is randomizing tableaux, which are described using constraints of the form $x_{1}\cdots x_{n}=\gamma$ , where the variables $x_{1},\ldots,x_{n}$ take values in $S_{5}$ , $\gamma$ is a constant in $S_{5}$ , and the product is the group multiplication. Since $|S_{5}|=120<2^{7}$ , we can encode permutations as bit strings of length $7$ by choosing an enumeration $S_{5}=\{e=\gamma_{0},\ldots,\gamma_{119}\}$ , and identifying $\gamma_{j}$ by its index $j$ in binary. This means that any permutation-valued variable can be represented by $7$ boolean variables, and similarly a permutation-valued constraint $x_{1}\cdots x_{n}=\gamma$ can be rewritten as the constraint on $7n$ boolean variables which requires the boolean variables corresponding to $x_{i}$ to encode a permutation value, and the product of all the permutations to be equal to $\gamma$ . Since we want our final output to be a boolean constraint system, we use permutation-valued variables and permutation-valued constraints as short-hand for boolean constraint systems constructed in this way. We can now define randomizing tableaux, still following [DFK⁺92] with small modifications.

Definition 8.6.

Let $B=(X,\{(V_{i},C_{i})\}_{i=1}^{m})$ be a BCS, where each $C_{i}$ is described by a fan-in 2 boolean circuit. Let $P_{i}=(V_{i},\{(x_{ij},\pi_{1}^{(ij)},\pi_{-1}^{(ij)})\}_{j=1}^{d_{i}},\sigma_{i})$ be the permutation branching program recognizing $C_{i}$ . For each $i\in[m]$ , let

W_{i}=V_{i}\sqcup\{T_{i}(p,q):(p,q)\in[3]\times[d_{i}]\}\sqcup\{r_{i}(j,k):(j,k)\in[2]\times[d_{i}-1]\},

where $T_{i}(p,q)$ and $r_{i}(j,k)$ are new permutation-valued variables (and thus represent 7 boolean variables each), and let

Y=X\sqcup\{T_{i}(p,q),r_{i}(j,k):(i,p,q,k,j)\in{[m]\times[3]\times[d_{i}]\times[2]\times[d_{i}-1]}\}

be the union of all the original and new variables. The variables $T_{i}(p,q)$ are called tableau elements, and the variables $r_{i}(j,k)$ are called randomizers.

Let $D_{i}$ be the constraint on variables $W_{i}$ which is the conjunction of the following clauses:

(1)
$T_{i}(1,q)=\pi^{(iq)}_{x_{q}}$ for all $q\in[d_{i}]$ ,
(2)
$T_{i}(p+1,q)=r_{i}(p,q-1)^{-1}T_{i}(p,q)r_{i}(p,q)$ for $q\in[d_{i}]$ and $p\in[2]$ , where we use the notation $r_{i}(p,0)=r_{i}(p,d_{i})=e$ ,
(3)
$\prod_{1\leq q\leq d_{i}}T_{i}(3,q)=\sigma_{i}$ , and
(4)
a trivial constraint (meaning that all assignment are allowed) on any pair $x,y$ of original or permutation-valued variables which do not appear in one of the above constraints.

The tableau of $B$ is $\operatorname{Tab}(B)=(Y,\{(W_{i},D_{i})\}_{i=1}^{m})$ , interpreted as a boolean constraint system. We further let $\{W_{ij},D_{ij})\}_{j=1}^{m_{i}}$ be a list of the clauses in (1)-(4) making up $D_{i}$ . The subdivided tableau of $B$ is $\operatorname{Tab}_{sub}(B)=(Y,\{(W_{ij},D_{ij})\}_{i\in[m],j\in[m_{i}]})$ .

As mentioned above, the product in the constraints on the permutation-valued variables in parts (1)-(4) of the definition is the group product in $S_{5}$ . The constraints in part (1) involve both original variables $x_{p}$ and permutation-valued variables $T_{i}(1,p)$ , and say that the value of $T_{i}(1,q)$ is either $\pi^{(iq)}_{1}$ or $\pi^{(iq)}_{-1}$ depending on the value of $x_{q}$ . In part (4), $x$ and $y$ can be either an original or a permutation-valued variable. If one of them is a permutation-valued variable, then all the corresponding boolean variables encoding the permutation-valued variable are included in the constraint (so the constraint on $x$ and $y$ may involve up to $14$ boolean variables). Since the constraints in part (4) are trivial, they do not contribute to $D_{i}$ , but they are included in the list of clauses $(W_{ij},D_{ij})$ of the subdivided tableau. The point of the constraints in part (4) is that, with them, $\operatorname{Tab}_{sub}(B)$ is a subdivision of $\operatorname{Tab}(B)$ . Finally, observe that the constraints $D_{i}$ encode the constraints $C_{i}$ as follows:

Lemma 8.7 ([DFK⁺92]).

Suppose $B=(X,\{(V_{i},C_{i})\}_{i=1}^{m})$ is a BCS, and let $\operatorname{Tab}(B)=(Y,\{(W_{i},D_{i})\}_{i=1}^{m})$ . If $\psi\in D_{i}$ , then $\psi|_{V_{i}}\in C_{i}$ . Conversely, if $r\in\S_{5}^{R_{i}}$ , where $R_{i}=\{r_{i}(j,k):(j,k)\in[2]\times[d_{i}-1]\}$ is the set of randomizers in $W_{i}$ , and $\phi\in C_{i}$ , then there is a unique element $\phi_{r}\in D_{i}$ such that $\phi_{r}|_{V_{i}}=\phi$ and $\phi_{r}|_{R_{i}}=r$ .

In this lemma, the statement that $\phi_{r}|_{R_{i}}=r$ means that for every randomizer $r_{i}(j,k)\in R_{i}$ , the restriction of $\phi$ to the boolean variables corresponding to $r_{i}(j,k)$ is the encoding of the permutation $r(r_{i}(j,k))$ . Although the permutation-valued variables in $\operatorname{Tab}(B)$ are shorthand for boolean variables, it is helpful to be able to work with the permutation-valued variables directly in $\mathcal{A}(\operatorname{Tab}(B))$ . Suppose for a moment that $x_{1},\ldots,x_{7}$ are variables in a set $V$ , and $C$ is a constraint on $V$ which includes the requirement that $x_{1},\ldots,x_{7}$ encode a permutation-valued variable $x$ . Let $S=\{x_{1},\ldots,x_{7}\}$ . If $\phi\in\mathbb{Z}_{2}^{S}$ , then $\Phi_{S,\phi}=0$ in $\mathcal{A}(V,C)$ unless $\phi$ is the binary representation of an index $0\leq j<120$ , in which case we also write $\Phi_{S,\phi}$ as $\Phi_{S,j}$ . Hence the subalgebra of $\mathcal{A}(V,C)$ is generated by the single unitary $\sum_{j=0}^{119}e^{2\pi ij/120}\Phi_{S,j}$ , which we denote by the same symbol as the permutation-valued variable $x$ . In particular, if $B=(X,\{(V_{i},C_{i})\}_{i=1}^{m})$ and $\operatorname{Tab}(B)=(Y,\{(W_{i},D_{i})\}_{i=1}^{m})$ as in Definition 8.6, then we can refer to $T_{i}(p,q)$ and $r_{i}(j,k)$ as unitary elements of $\mathcal{A}(W_{i},D_{i})$ of order $120$ , and they generate the same subalgebra as the boolean variables encoding them. Since these variables do not occur in any other context $W_{j}$ for $j\neq i$ , we also use $T_{i}(p,q)$ and $r_{i}(j,k)$ to refer to $\sigma_{i}(T_{i}(p,q))$ and $\sigma_{i}(r_{i}(j,k))$ in $\mathcal{A}(\operatorname{Tab}(B))$ . We use the same convention for $\mathcal{A}(\operatorname{Tab}_{sub}(B))$ .

The algebra $\mathcal{A}(\operatorname{Tab}(B))$ is generated by the original variables and the randomizers.

Lemma 8.8.

Suppose $B=(X,\{(V_{i},C_{i})\}_{i=1}^{m})$ is a BCS, and let $\operatorname{Tab}(B)=(Y,\{(W_{i},D_{i})\}_{i=1}^{m})$ . Let $R_{i}=\{r_{i}(j,k):(j,k)\in[2]\times[d_{i}-1]\}$ be the set of randomizers in $W_{i}$ , and let $R=\bigcup_{i}R_{i}$ . Then $\mathcal{A}(W_{i},D_{i})$ is generated as an algebra by $V_{i}\cup R_{i}$ , and $\mathcal{A}(\operatorname{Tab}(B))$ is generated by $\bigcup_{i}\{\sigma_{i}(x):x\in V_{i}\}\cup R$ .

This means that a homomorphism $\mathcal{A}(\operatorname{Tab}(B))\to\mathcal{A}(B)$ is completely described by its action on $V_{i}\cup R$ . The following lemma extends Lemma 8.7 to weighted BCS algebras.

Lemma 8.9.

Suppose $B=(X,\{(V_{i},C_{i})\}_{i=1}^{m})$ is a BCS, and let $\operatorname{Tab}(B)=(Y,\{(W_{i},D_{i})\}_{i=1}^{m})$ . Then there is a classical homomorphism $\alpha:\mathcal{A}(B)\to\mathcal{A}(\operatorname{Tab}(B))$ such that $\alpha(\sigma_{i}(x))=\sigma_{i}(x)$ for all $i\in[m]$ and $x\in V_{i}$ .

Conversely, let $R=\{r_{i}(j,k):(i,j,k)\in[m]\times[2]\times[d_{i}-1]\}$ be the set of randomizers in $Y$ . If $r\in S_{5}^{R}$ , then there is a classical homomorphism $\beta_{r}:\mathcal{A}(\operatorname{Tab}(B))\to\mathcal{A}(B)$ such that $\beta_{r}(\sigma_{i}(x))=\sigma_{i}(x)$ for all $i\in[m]$ and $x\in V_{i}$ , and $\beta_{r}(x)=e^{2\pi ij/120}$ for all $x\in R$ , where $r(x)=\gamma_{j}$ in the enumeration of $S_{5}$ fixed above.

Proof.

The proof is immediate from Corollary 5.7, Lemma 8.7, and the definition of $r_{i}(j,k)$ in $\mathcal{A}(\operatorname{Tab}(B))$ . ∎

Theorem 8.10.

Let $(\{\mathcal{G}(B_{x},\pi_{x})\},S,C)$ be a $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol for a language $\mathcal{L}$ with completeness $1$ and soundness $1-f(x)$ , such that each context of $B_{x}$ has constant size, and $\pi_{x}$ is maximized on the diagonal. Then there is a $\operatorname{PZK}$ - $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol $(\{\mathcal{G}(B_{x}^{\prime},\pi_{x}^{\prime})\},\widetilde{S},\widetilde{C})$ for $\mathcal{L}$ with completeness $1$ and soundness $1-f(x)/\operatorname{poly}(m_{x})$ , where $m_{x}$ is the number of contexts in $B_{x}$ . If $\pi_{x}$ is uniform, then $\pi_{x}^{\prime}$ is also uniform.

Proof.

Let $B_{x}^{\prime}=\operatorname{Tab}_{sub}(\operatorname{Obl}_{5}(B_{x}))$ , and let $\pi_{x}^{\prime}$ be the subdivision of $\pi_{x}$ corresponding to the subdivision of $\operatorname{Tab}(\operatorname{Obl}_{5}(B_{x}))$ into $\operatorname{Tab}_{sub}(\operatorname{Obl}_{5}(B_{x}))$ . If $\pi_{x}$ is uniform, then $\pi_{x}^{\prime}$ is also uniform. For completeness, if there’s a perfect tracial state on $\mathcal{A}(B_{x})$ , then there is a perfect tracial state on $\mathcal{A}(\operatorname{Obl}_{5}(B_{x}))$ by Lemma 8.4, and consequently a perfect tracial state on $\mathcal{A}(\operatorname{Tab}(\operatorname{Obl}_{5}(B_{x})))$ by Lemma 8.9. By 6.4, there is a perfect tracial state on $\mathcal{A}(B_{x}^{\prime})$ . Hence if $x\in\mathcal{L}$ , then $\mathcal{G}(B_{x}^{\prime},\pi_{x}^{\prime})$ has a perfect strategy.

Because $B_{x}$ has contexts of constant size, $\operatorname{Obl}_{5}(B_{x})$ and hence $\operatorname{Tab}(\operatorname{Obl}_{5}(B_{x}))$ also has contexts of constant size. As a result, the number and size of the clauses in the constraints of $\operatorname{Tab}(\operatorname{Obl}_{5}(B_{x}))$ are also constant. We conclude that the parameters $C$ , $M$ , and $K$ in Theorem 6.5 when going from $\operatorname{Tab}(\operatorname{Obl}_{5}(B_{x}))$ to $\operatorname{Tab}_{sub}(\operatorname{Obl}_{5}(B_{x}))$ are all constant. Since $\operatorname{Tab}(\operatorname{Obl}_{5}(B_{x}))$ has $m_{x}$ contexts, if $\tau$ is a tracial state on $\mathcal{A}(B_{x}^{\prime})$ , then there is a tracial state $\tau_{0}$ on $\mathcal{A}(\operatorname{Tab}(\operatorname{Obl}_{5}(B_{x})))$ with $\operatorname{def}(\tau_{0})\leq\operatorname{poly}(m_{x})\operatorname{def}(\tau)$ . Since there is a classical homomorphism $\mathcal{A}(B_{x})\to\mathcal{A}(\operatorname{Tab}(\operatorname{Obl}_{5}(B_{x})))$ by Lemmas 8.4 and 8.9, we conclude that there is a tracial state $\tau_{1}$ on $\mathcal{A}(B_{x})$ with $\operatorname{def}(\tau_{1})\leq\operatorname{poly}(m_{x})\operatorname{def}(\tau)$ . Hence if $x\not\in\mathcal{L}$ , then there is no synchronous strategy $p$ for $\mathcal{G}(B_{x}^{\prime},\pi_{x}^{\prime})$ with $\omega_{q}(\mathcal{G}(B_{x}^{\prime},\pi_{x}^{\prime}),p)\geq 1-f(n)/\operatorname{poly}(m_{x})$ .

Because all the contraints in $B_{x}$ have constant size, it is not hard to see that the Turing machines $S$ and $C$ can be turned into Turing machines $\widetilde{S}$ and $\widetilde{C}$ such that $(\{\mathcal{G}(B_{x}^{\prime},\pi_{x}^{\prime})\},\widetilde{S},\widetilde{C})$ is a $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol for $\mathcal{L}$ .

To prove that this protocol is perfect zero knowledge, we need to find a polynomial time simulator $M_{x}$ which samples a correlation $p_{x}(a,b|i,j)$ that is perfect for the tableau game. Furthermore, $p_{x}(a,b|i,j)$ must be a quantum correlation if and only if $x$ is an accept instance of the tableau game.

The tableau game involves the verifier requesting from each prover exactly one of the constraints (1)-(4) from Definition 8.6, and checking their answers for consistency. The simulator $M_{x}$ can efficiently sample any element $z$ from the clauses of $\operatorname{Obl}_{5}(B_{x})$ of the first row of the corresponding tableau by uniformly sampling from $\{\pm 1\}$ . Elements of the tableau $T_{i}(p,q)$ and randomizers $r_{i}(p,q)$ can be sampled efficiently by uniformly sampling from $S_{5}$ . In this way, $M_{x}$ may efficiently simulate answers to (1) and (2) by sampling the elements on the right side of the equation, and computing the element on the left side. Answers to (3) are simulated by sampling $d-1$ elements of $S_{5}$ , where $d$ is the constant depth of the permutation branching program used to construct the tableau, and computing the correct $d^{th}$ entry such that the product of the $d$ elements is equal to $\sigma$ , the output of the permutation branching program. Lastly, $M_{x}$ can simulate ansers to (4) by sampling elements of the first row of the tableau uniformly as above (matching any pair that are labeled by the same oblivious variable), and sampling other elements uniformly from $S_{5}$ . Thus, simulating the response of an individual player Alice is trivial. The responses from Bob need only be consistent with those of Alice on the overlap, with the remainder of the answer sampled as above. This defines our simulatable correlation $p_{x}(a,b|i,j)$ and our simulator $M_{x}$ . It is clear that the correlation $p_{x}(a,b|i,j)$ sampled by $M_{x}$ is perfect for the tableau game. All that remains is to show that $x$ is an accept instance if and only if $p_{x}(a,b|i,j)$ is a quantum correlation.

Suppose that $p_{x}(a,b|i,j)$ is a quantum correlation. Then $x$ is an accept instance, as there is a quantum correlation that allows the players to play the $x$ instance of the tableau game perfectly.

Suppose that $w\in\mathcal{L}$ is an accept instance of the tableau game. Then there is some quantum strategy for the $w$ tableau game such that the players always win. By the gapped soundness of the reduction from 3SAT, this implies that the underlying 3SAT instance has a perfect quantum strategy with observables $\sigma_{i}(x)$ for $x\in V_{i}$ . Alice and Bob may now choose any set of oblivious observables $\sigma^{\prime}_{i}(x(1)),\dots,\sigma^{\prime}_{i}(x(5))$ such that the exclusive disjunction of these is $\sigma_{i}(x)$ , that is $\sigma^{\prime}_{i}(x(1))\cdots\sigma^{\prime}_{i}(x(5))=\sigma_{i}(x)$ . So choose $\sigma^{\prime}_{i}(x(j))$ to be observables that are ${\pm 1}$ with equal probability for $1\leq j\leq 4$ and let $\sigma^{\prime}_{i}(x(5))=\sigma_{i}(x)\sigma^{\prime}_{i}(x(1))\cdots\sigma^{\prime}_{i}(x(4)),$ and note that The values of any four of the $\sigma_{i}^{\prime}(x(j))$ are efficiently sampleable. To play the tableau game, when Alice and Bob receive their questions $x$ and $y$ respectively, they use auxiliary observables to generate shared uniformly distributed randomizers $r_{i}(p,q)$ and construct the tableaux corresponding to the clauses of $x$ and $y$ according to relations (1) to (5) in Definition 8.6. The value for each element $T_{i}(1,q)$ of row one of the tableau is equally likely to be either element of $\{\pi_{i,1}^{p},\pi_{i,-1}^{p}\}$ . Note that the simulator only ever has to sample at most four elements of the first row of a tableau, and only the correlation of five or more of these variables depends on the perfect strategy of $B_{w}$ . Each randomizer is an independently uniformly sampled element of $S_{5}$ and thus any element of the second and third rows of the tableau is equally likely to be any element of $S_{5}$ . Therefore the correlation generated this way is $p_{w}(a,b|i,j)$ . ∎

Theorem 8.11.

There is a perfect zero knowledge $\operatorname{BCS}$ - $\operatorname{MIP}^{*}(2,1,1,1-1/\operatorname{poly}(n))$ protocol for the halting problem in which the verifier selects questions according to the uniform distribution, the questions have length $\operatorname{polylog}(n)$ , and the answers have constant length.

Proof.

By Theorem 2.2, there is a $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol $(\{\mathcal{G}(B_{x},\pi_{x})\},S,V)$ for the halting problem with constant soundness $s<1$ , in which $B_{x}$ has a constant number of contexts and contexts of size $\operatorname{polylog}(|x|)$ , and $\pi_{x}$ is the uniform distribution on pairs of contexts. By 5.8, $(\{\mathcal{G}(B_{x},\pi_{x})\},S,C)$ can be turned into a $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol $(\{\mathcal{G}(B^{\prime}_{x},\pi_{x})\},S,C)$ where $B_{x}^{\prime}=(X_{x}^{\prime},\{(W_{i}^{x},D_{i}^{x})\})$ , $D_{i}$ is a 3SAT instance with number of clauses polynomial in $|x|$ , and $|W^{x}_{i}|$ is polynomial in $|x|$ . Then by subdividing the $B_{x}^{\prime}$ into a 3SAT we obtain a 3SAT protocol $(\{\mathcal{G}(B^{3SAT}_{x},\pi^{3SAT}_{x})\},S,C)$ with number of clauses polynomial in $|x|$ , and $\pi^{3SAT}_{x}$ is uniform. The theorem follows from 8.10. ∎

Proof of Theorem 1.1.

Let $(\{\mathcal{G}(B_{x},\pi_{x})\},S,C)$ be the $\operatorname{BCS}$ - $\operatorname{MIP}^{*}$ protocol from Theorem 8.11, so in particular $B_{x}$ has $m_{x}$ contexts, where $m_{x}=\operatorname{poly}(|x|)$ , and $\pi_{x}$ is the uniform distribution on $[m_{x}]\times[m_{x}]$ . Since the uniform distribution is $1/2m_{x}$ -diagonally dominant, Theorem 2.1 implies that $(\{\mathcal{G}(B_{x},\pi_{x})\},S,C)$ has soundness $1-1/\operatorname{poly}(n)$ when considered as a $\operatorname{MIP}^{*}$ protocol. The result follows from 7.1 using a polynomial amount of parallel repetition. ∎

We also have

Theorem 8.12.

$\operatorname{PZK}$ - $\operatorname{BCS}$ - $\operatorname{MIP}^{co}(2,1,1,1-1/\operatorname{poly}(n))=\operatorname{BCS}$ - $\operatorname{MIP}^{co}(2,1,1,1-1/\operatorname{poly}(n))$ .

The proof is similar to the proof of Theorem 8.11.

References

[Bar86] D A Barrington. Bounded-width polynomial-size branching programs recognize exactly those languages in NC1. In Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, STOC ’86, page 1–5, New York, NY, USA, 1986. Association for Computing Machinery.
[BFL90] L. Babai, L. Fortnow, and C. Lund. Nondeterministic exponential time has two-prover interactive protocols. In Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science, pages 16–25 vol.1, 1990.
[BOGKW88] Michael Ben-Or, Shafi Goldwasser, Joe Kilian, and Avi Wigderson. Multi-prover interactive proofs: How to remove intractability assumptions. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88, page 113–131, New York, NY, USA, 1988. Association for Computing Machinery.
[CFGS22] Alessandro Chiesa, Michael A. Forbes, Tom Gur, and Nicholas Spooner. Spatial isolation implies zero knowledge even in a quantum world. J. ACM, 69(2), jan 2022.
[CHTW04] R. Cleve, P. Hoyer, B. Toner, and J. Watrous. Consequences and limits of nonlocal strategies. In Proceedings. 19th IEEE Annual Conference on Computational Complexity, 2004., pages 236–249, 2004.
[CM14] Richard Cleve and Rajat Mittal. Characterization of binary constraint system games. In Automata, Languages, and Programming: 41st International Colloquium, ICALP 2014, Copenhagen, Denmark, July 8-11, 2014, Proceedings, Part I 41, pages 320–331. Springer, 2014.
[CS19] Matt Coudron and William Slofstra. Complexity lower bounds for computing the approximately-commuting operator value of nonlocal games to high precision. Computational Complexity Conference (CCC), 2019.
[CVY23] Michael Chapman, Thomas Vidick, and Henry Yuen. Efficiently stable presentations from error-correcting codes, 2023.
[dCOT18] Marcus de Chiffre, Narutaka Ozawa, and Andreas Thom. Operator algebraic approach to inverse and stability theorems for amenable groups. Mathematika, 65(1):98–118, aug 2018.
[DFK⁺92] Cynthia Dwork, Uriel Feige, Joe Kilian, Moni Naor, and Shmuel Safra. Low communication 2-prover zero-knowledge proofs for NP. In Annual International Cryptology Conference, 1992.
[FJVY19] Joseph Fitzsimons, Zhengfeng Ji, Thomas Vidick, and Henry Yuen. Quantum proof systems for iterated exponential time, and beyond. In Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing, STOC 2019, page 473–480, New York, NY, USA, 2019. Association for Computing Machinery.
[FMS21] Honghao Fu, Carl Miller, and Willim Slofstra. The membership problem for constant-sized quantum correlations is undecidable. arXiv:2101.11087, 2021.
[GMR85] S Goldwasser, S Micali, and C Rackoff. The knowledge complexity of interactive proof-systems. In Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing, STOC ’85, page 291–304, New York, NY, USA, 1985. Association for Computing Machinery.
[Gol21] Adina Goldberg. Synchronous linear constraint system games. Journal of Mathematical Physics, 62(3), mar 2021.
[GSY19] Alex Bredariol Grilo, William Slofstra, and Henry Yuen. Perfect zero knowledge for quantum multiprover interactive proofs. In David Zuckerman, editor, 60th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2019, Baltimore, Maryland, USA, November 9-12, 2019, pages 611–635. IEEE Computer Society, 2019.
[Har23] Samuel J. Harris. Universality of graph homomorphism games and the quantum coloring problem. arXiv:2305.18116, 2023.
[HMPS19] J William Helton, Kyle P Meyer, Vern I Paulsen, and Matthew Satriano. Algebras, synchronous games, and chromatic numbers of graphs. New York J. Math, 25:328–361, 2019.
[IKM09] Tsuyoshi Ito, Hirotada Kobayashi, and Keiji Matsumoto. Oracularization and two-prover one-round interactive proofs against nonlocal strategies. In 2009 24th Annual IEEE Conference on Computational Complexity, pages 217–228, 2009.
[IV12] Tsuyoshi Ito and Thomas Vidick. A multi-prover interactive proof for nexp sound against entangled provers. In 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science, pages 243–252, 2012.
[Ji13] Zhengfeng Ji. Binary constraint system games and locally commutative reductions. arXiv:1310.3794, 2013.
[Ji16] Zhengfeng Ji. Classical verification of quantum proofs. In Proceedings of the Forty-Eighth Annual ACM Symposium on Theory of Computing, STOC ’16, page 885–898, New York, NY, USA, 2016. Association for Computing Machinery.
[Ji17] Zhengfeng Ji. Compression of quantum multi-prover interactive proofs. In Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017, page 289–302, New York, NY, USA, 2017. Association for Computing Machinery.
[JNV⁺22a] Z. Ji, A. Natarajan, T. Vidick, J. Wright, and H. Yuen. Quantum soundness of testing tensor codes. In 2021 IEEE 62nd Annual Symposium on Foundations of Computer Science (FOCS), pages 586–597, Los Alamitos, CA, USA, feb 2022. IEEE Computer Society.
[JNV⁺22b] Zhengfeng Ji, Anand Natarajan, Thomas Vidick, John Wright, and Henry Yuen. Mip*=re. arXiv:2001.04383, 2022.
[Kil90] Joe Kilian. Uses of randomness in algorithms and protocols. MIT Press, 1990.
[KKM⁺11] Julia Kempe, Hirotada Kobayashi, Keiji Matsumoto, Ben Toner, and Thomas Vidick. Entangled games are hard to approximate. SIAM Journal on Computing, 40(3):848–877, 2011.
[KPS18] Se-Jin Kim, Vern Paulsen, and Christopher Schafhauser. A synchronous game for binary constraint systems. Journal of Mathematical Physics, 59(3), mar 2018.
[KS08] Igor Klep and Markus Schweighofer. Connes’ embedding conjecture and sums of hermitian squares. Advances in Mathematics, 217(4):1816–1837, 2008.
[Lin23] Junqiao Lin. Almost synchronous correlations in the commuting operator model. ariXiv:2304.01940, 2023.
[MdlS23] Amine Marrakchi and Mikael de la Salle. Almost synchronous correlations and tomita-takesaki theory. arXiv:2307.08129, 2023.
[Mer90] N. David Mermin. Simple unified form for the major no-hidden-variables theorems. Phys. Rev. Lett., 65:3373–3376, Dec 1990.
[NV18a] Anand Natarajan and Thomas Vidick. Low-degree testing for quantum states, and a quantum entangled games PCP for QMA. In 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS). IEEE, oct 2018.
[NV18b] Anand Natarajan and Thomas Vidick. Two-player entangled games are NP-hard. In Proceedings of the 33rd Computational Complexity Conference, CCC ’18, Dagstuhl, DEU, 2018. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik.
[NW19] Anand Natarajan and John Wright. Neexp in mip*. 2019.
[NZ23] Anand Natarajan and Tina Zhang. Quantum free games. In Proceedings of the 55th Annual ACM Symposium on Theory of Computing, STOC 2023, page 1603–1616, New York, NY, USA, 2023. Association for Computing Machinery.
[Oza13] Narutaka Ozawa. About the connes embedding conjecture: algebraic approaches. Japanese Journal of Mathematics, 8(1):147–183, 2013.
[Pad22] Connor Paddock. Rounding near-optimal quantum strategies for nonlocal games to strategies using maximally entangled states. arXiv:2203.02525, 2022.
[Per90] Asher Peres. Incompatible results of quantum measurements. Physics Letters A, 151(3):107–108, 1990.
[PS23] Connor Paddock and William Slofstra. Satisfiability and boolean constraint system algebras. arXiv:2310.07901, 2023.
[RUV13] Ben W. Reichardt, Falk Unger, and Umesh Vazirani. A classical leash for a quantum system: Command of quantum systems via rigidity of chsh games. In Proceedings of the 4th Conference on Innovations in Theoretical Computer Science, ITCS ’13, page 321–322, New York, NY, USA, 2013. Association for Computing Machinery.
[Sha92] Adi Shamir. Ip = pspace. J. ACM, 39(4):869–877, oct 1992.
[Slo19] William Slofstra. The set of quantum correlations is not closed. Forum of Mathematics, Pi, 7(E1), 2019.
[Vid16] Thomas Vidick. Three-player entangled xor games are np-hard to approximate. SIAM Journal on Computing, 45(3):1007–1063, 2016.
[Vid20] Thomas Vidick. Erratum: Three-player entangled XOR games are NP-hard to approximate. SIAM Journal on Computing, 49(6):1423–1427, 2020.
[Vid22] Thomas Vidick. Almost synchronous quantum correlations. Journal of Mathematical Physics, 63(2), feb 2022.
[Yue16] Henry Yuen. A parallel repetition theorem for all entangled games. arXiv:1604.04340, 2016.

	$\displaystyle\\|\widetilde{\rho}(\sigma_{i}(x)-\sigma_{j}(x))\\|_{\tau_{0}}^{2}$	$\displaystyle\leq 4\\|\widetilde{\rho}(\sigma_{i}(x))-\rho(\sigma_{i}(x))\\|_{\tau_{0}}^{2}+4\\|\widetilde{\rho}(\sigma_{j}(x))-\rho(\sigma_{j}(x))\\|_{\tau_{0}}^{2}$
		$\displaystyle\quad\quad\quad+4\\|\rho(\sigma_{i}(x)-\sigma_{j}(x))\\|_{\tau_{0}}^{2}$
		$\displaystyle\leq\dfrac{\operatorname{poly}(K)}{\pi(i,i)}\operatorname{def}(\tau;\mu_{comm})+4\\|\sigma_{i}(x)-\sigma_{j}(x)\\|_{\tau}^{2}.$

	$\displaystyle h(\alpha(\Phi_{V_{ij},\phi}))$	$\displaystyle\lesssim\frac{2\|V_{ij}\|}{2^{\|V_{ij}\|}}\sum_{S\subseteq V_{ij}}\sum_{x\in S}h(\sigma_{ir_{ix}}(x)-\sigma_{ij}(x))$
		$\displaystyle=\frac{\|V_{ij}\|}{2^{\|V_{ij}\|-1}}\sum_{x\in V_{ij}}\sum_{x\in S\subseteq V_{ij}}h(\sigma_{ir_{ix}}(x)-\sigma_{ij}(x))$
		$\displaystyle=\|V_{ij}\|\sum_{x\in V_{ij}}h(\sigma_{ir_{ix}}(x)-\sigma_{ij}(x)).$

Two prover perfect zero knowledge for MIP*

Abstract.

1. Introduction

Theorem 1.1.

Acknowledgements

2. Nonlocal games and MIP*

Theorem 2.1 ([MdlS23]).

Theorem 2.2 (MIP∗=REsuperscriptMIPRE\operatorname{MIP}^{*}=\operatorname{RE}).

Proof.

Remark 2.3.

3. BCS games

Lemma 3.1 ([NW19, JNV+22b]).

Proof.

Corollary 3.2.

Proof.

4. BCS algebras and approximate representations

Definition 4.1.

Definition 4.2.

Lemma 4.3.

Proof.

5. Homomorphisms between BCS algebras

Definition 5.1.

Lemma 5.2.

Proof.

Proposition 5.3.

Proof.

Definition 5.4.

Definition 5.5.

Lemma 5.6.

Proof.

Corollary 5.7.

Proof.

Remark 5.8.

6. BCS algebras, subdivision and stability

Lemma 6.1 ([CVY23]).

Lemma 6.2.

Proof.

Definition 6.3.

Proposition 6.4.

Proof.

Theorem 6.5.

Definition 6.6.

Lemma 6.7.

Proof.

Proposition 6.8.

Proof.

Proposition 6.9.

Proof.

proof of Theorem 6.5.

7. Parallel repetition

Theorem 7.1 ([Yue16]).

Lemma 7.2.

8. Perfect zero knowledge

Definition 8.1.

Proposition 8.2.

Proof.

Definition 8.3.

Lemma 8.4.

Proof.

Theorem 8.5 (Barrington [Bar86]).

Definition 8.6.

Lemma 8.7 ([DFK+92]).

Lemma 8.8.

Lemma 8.9.

Proof.

Theorem 8.10.

Proof.

Theorem 8.11.

Proof.

Proof of Theorem 1.1.

Theorem 8.12.

References

Theorem 2.2 ( $\operatorname{MIP}^{*}=\operatorname{RE}$ ).

Lemma 3.1 ([NW19, JNV⁺22b]).

Lemma 8.7 ([DFK⁺92]).