Abstract.
The recent theorem of Ji, Natarajan, Vidick, Wright, and Yuen shows that the complexity class of multiprover proof systems with entangled provers contains all recursively enumerable languages. Prior work of Grilo, Slofstra, and Yuen [FOCS ’19] further shows (via a technique called simulatable codes) that every language in has a perfect zero knowledge () protocol. The theorem uses two-prover one-round proof systems, and hence such systems are complete for . However, the construction in Grilo, Slofstra, and Yuen uses six provers, and there is no obvious way to get perfect zero knowledge with two provers via simulatable codes. This leads to a natural question: are there two-prover - protocols for all of ?
In this paper, we show that every language in has a two-prover one-round - protocol, answering the question in the affirmative. For the proof, we use a new method based on a key consequence of the theorem, which is that every protocol can be turned into a family of boolean constraint system (BCS) nonlocal games. This makes it possible to work with protocols as boolean constraint systems, and in particular allows us to use a variant of a construction due to Dwork, Feige, Kilian, Naor, and Safra [Crypto ’92] which gives a classical protocol for 3SAT with perfect zero knowledge. To show quantum soundness of this classical construction, we develop a toolkit for analyzing quantum soundness of reductions between BCS games, which we expect to be useful more broadly. This toolkit also applies to commuting operator strategies, and our argument shows that every language with a commuting operator BCS protocol has a two prover commuting operator protocol.
1. Introduction
In an interactive proof protocol, a prover tries to convince a verifier that a string belongs to . Interactive proof systems can be more powerful than non-interactive systems; famously, the class of interactive proofs with a polynomial time verifier and a single prover is equal to [Sha92], and the class with a polynomial time verifier and multiple provers is equal to [BFL90]. In this latter class, the provers can communicate with the verifier, but are assumed not to be able to communicate with each other. The proof systems used in [BFL90] are very efficient, and require only two provers and one-round of communication. Interactive proof systems also allow zero knowledge protocols, in which the prover demonstrates that without revealing any other information to the verifier. As a result, interactive proof systems are important to both complexity theory and cryptography. The first zero knowledge proof systems go back to the invention of interactive proof systems by Goldwasser, Micali, and Rackoff [GMR85], and every language in MIP admits a two-prover one-round perfect zero knowledge proof system by a result of Ben-Or, Goldwasser, Kilian, and Wigderson [BOGKW88]. Perfect means that absolutely no information is revealed to the verifier, in contrast to statistical zero knowledge (in which the amount of knowledge gained by the verifier is small but bounded), or computational zero knowledge (in which zero knowledge relies on some computational intractability assumption).
Since the provers in a MIP protocol are not allowed to communicate, it is natural to ask what happens if they are allowed to share entanglement. This leads to the complexity class , first introduced by Cleve, Hoyer, Toner, and Watrous [CHTW04]. Entanglement allows the provers to break some classical proof systems by coordinating their answers, but the improved ability of the provers also allows the verifier to set harder tasks. As a result, figuring out the power of has been difficult, and there have been successive lower bounds in [KKM+11, IKM09, IV12, Vid16, Vid20, Ji16, NV18b, Ji17, NV18a, FJVY19]. Most recently (and spectacularly), Ji, Natarajan, Vidick, Wright, and Yuen showed that , the class of languages equivalent to the halting problem [JNV+22b]. Reichardt, Unger, and Vazirani also showed that is equal to the class , in which the verifier is quantum, and can communicate with the provers via quantum channels [RUV13]. On the perfect zero knowledge front, Chiesa, Forbes, Gur, and Spooner showed that every language in (and hence in classical ) has a perfect zero knowledge proof system, or in other words belongs to - [CFGS22]. Grilo, Slofstra, and Yuen show that all of belongs to - [GSY19].
Combining - with shows that there are one-round perfect zero-knowledge proof systems for all languages that can be reduced to the halting problem, a very large class. However, the construction in [GSY19] is involved. The idea behind the proof is to encode a circuit for an arbitrary verifier in a “simulatable” quantum error correcting code, and then hide information from the verifier by splitting the physical qubits of this code between different provers. The resulting proof systems in [GSY19] require provers, and because the core concept of the proof is to split information between provers, bringing this down to provers (as can be done with perfect zero-knowledge for ) seems to require new ideas.
The purpose of this paper is to show that all languages in do indeed have two-prover one-round perfect zero knowledge proof systems. Specifically, we show that:
Theorem 1.1.
Every language in (and hence in ) admits a two-prover one-round perfect zero knowledge protocol with completeness probability and soundness probability , in which the verifier chooses questions uniformly at random.
The idea behind the proof is to use the output of the theorem, rather than encoding arbitrary -protocols. The proof that in [JNV+22b] is very difficult, but requires only two-prover one-round proof systems. Natarajan and Zhang have sharpened the proof to show that these proof systems require only a constant number of questions, and length answers from the provers [NZ23]. This shows that , the complexity class of languages with two-prover -protocols in which the verifier chooses their messages to the prover uniformly at random. A one-round or proof system is equivalent to a family of nonlocal games, in which the provers (now also called players) are given questions and return answers to a verifier (now also called a referee), who decides whether to accept (in which case the players are said to win) or reject (the players lose). In both [JNV+22b] and [NZ23], the games are synchronous, meaning that if the players receive the same question then they must reply with the same answer, and admit what are called oracularizable strategies. As we observe in this paper, one-round proof systems in which the games are synchronous and oracularizable are equivalent to the class of - proof systems, which are one-round two-prover proof systems in which the nonlocal games are boolean constraint system (BCS) games. In a boolean constraint system, two provers try to convince the verifier that a given BCS is satisfiable. BCS games were introduced by Cleve and Mittal [CM14], and include famous examples of nonlocal games such as the Mermin-Peres magic square [Mer90, Per90]. Boolean constraint systems are much easier to work with than general protocols, so rather than showing that every protocol can be transformed to a perfect zero knowledge protocol, we prove Theorem 1.1 by showing that every - protocol can be transformed to a perfect zero knowledge protocol. 
As we explain at the end of Section 2, when combined with the theorem this gives an effective way to transform any -protocol (including protocols with many provers and rounds) into a perfect zero knowledge - protocol.
One way to transform a - protocol to a perfect zero-knowledge protocol is to use graph colouring games, which are famous examples of perfect zero knowledge games. Classically, every BCS instance can be transformed to a graph such that the graph is -colourable if and only if the BCS is satisfiable. Ji has shown that every BCS can be transformed to a graph such that the original BCS game has a perfect quantum strategy if and only if the -colouring game for the graph has a perfect quantum strategy [Ji13] (see also [Har23]). Using the techniques in this paper, it is also possible to show that this transformation preserves soundness of - protocols, and hence that every - protocol can be transformed to a protocol based on graph colouring games. Unfortunately graph colouring games are only perfect zero knowledge against honest verifiers, so this construction does not give a perfect zero knowledge protocol for dishonest verifiers. Instead, we use another classical transformation due to Dwork, Feige, Kilian, Naor, and Safra [DFK+92], which takes every 3SAT instance to a perfect zero-knowledge protocol. We show that a modest variant of this construction remains perfect zero knowledge in the quantum setting, and preserves soundness of - protocols. In both the original argument and our argument, it is necessary for soundness to work with - protocols with small (meaning or ) question length. In the classical setting, - with question length is equal to , so the construction in [DFK+92] only shows that is contained in -, rather than all of . In the quantum setting, - with question length is equal to and this construction suffices to prove perfect zero knowledge for any protocol — an interesting difference in what techniques can be used between the classical and quantum setting.
In general, it’s a difficult question to figure out if a classical transformation of constraint systems (of which there are many) remains sound (meaning that it preserves soundness of protocols) in the quantum setting. For instance, one of the key parts of the theorem is the construction of PCP of proximity which is quantum sound. On the other hand, there are some transformations which lift fairly easily to the quantum setting. We identify two such classes of transformations, “classical transformations” which are applied constraint by constraint, and “context subdivision transformations”, in which each constraint is split into a number of subclauses. Both types of transformations are used implicitly throughout the literature on nonlocal games, including in [Ji13], which was the first paper to consider reductions between quantum strategies in BCS games. In this paper, we systematically investigate the quantum soundness of these transformations. It’s relatively easy to show that classical transformations preserve soundness, and this is shown in Section 5. In subdivision, each subclause becomes a different question in the associated BCS game, and thus a strategy for the subdivided game has many more observables than the original game. Since these new observables don’t need to commute with each other, subdivision is more difficult to work with. Nonetheless, we show that if the subclauses have a bounded number of variables, then subdivision preserves soundness with a polynomial dropoff. This is shown in Section 6. The construction in [DFK+92] can be described as a composition of classical transformations and context subdivision transformations, so quantum soundness (with polynomial dropoff) of this construction follows from combining the soundness of these two transformations. We recover a constant soundness gap by using parallel repetition, which preserves the class of BCS games.
While reductions between nonlocal games have been important in previous work, they are difficult to reason about, since it’s necessary to keep track of how strategies for one game map to strategies for the other game. One advantage of working with constraint systems in the classical setting is that it’s more convenient to work with assignments (and think about the fraction of constraints in the system that can be satisfied) than it is to work with strategies and winning probabilities. In the quantum setting, it isn’t possible to work with assignments, because strategies involve observables that don’t necessarily commute with each other. However, we can achieve a similar conceptual simplification by replacing assignments with representations of the BCS algebra of the constraint system. This algebra is the same as the synchronous algebra of the BCS game introduced in [HMPS19, KPS18]; we refer to [PS23] for more background. With this approach, reductions between BCS games can be expressed as homomorphisms between BCS algebras, and these are much easier to describe and work with than mappings between strategies. For soundness arguments, we need to work with near-perfect strategies, and these correspond to approximate representations of the BCS algebra [Pad22]. Previous work using this idea (see e.g. [Pad22, Har23]) has focused on reductions between single games, and the definitions are not suitable for working with protocols, as they do not incorporate question distributions. To solve this problem, we introduce a notion of weighted algebras and weighted homomorphisms, which allows us to keep track of soundness of reductions between games using completely algebraic arguments involving sums of squares.
Another advantage of the weighted algebras framework is that arguments can be made simultaneously for both quantum and commuting operator strategies. Our proof methods extend to commuting operator strategies as a result. However, our results here are not as conclusive, as the exact characterization of the corresponding complexity class is not known. There is a conjecture that , and with that conjecture and a parallel repetition theorem for commuting operator strategies, we expect that it would be possible to extend Theorem 1.1 to show that all languages in have a perfect zero knowledge commuting operator protocol. Without these ingredients, we are limited to showing that ---. Previous work on perfect zero knowledge for commuting operator protocols does not preserve soundness gaps [CS19].
Our results also have applications for the membership problem for quantum correlations. For exact membership, the cohalting problem is many-one reducible to membership in the set of quantum-approximable correlations , and to membership in the set of commuting operator correlations [Slo19, CS19, FMS21]. It follows from that the halting problem is Turing reducible to approximate membership in , the set of quantum correlations, but this is not a many-one reduction. Theorem 1.1 immediately implies that there is a many-one reduction from the halting problem to approximate membership in .
Because we use parallel repetition to reduce an inverse-polynomial soundness gap to a constant soundness gap, the protocols in Theorem 1.1 use polynomial length questions and answers. If an inverse-polynomial soundness gap is allowed, we get perfect zero-knowledge protocols with question length and constant answer length. Whether it is possible to get perfect zero-knowledge protocols with question length, constant answer length, and constant soundness gap is an interesting open question. This would be possible with an improved analysis or construction for subdivision such as appears in the low degree test [JNV+22a] used in the theorem.
Acknowledgements
We thank Connor Paddock and Henry Yuen for helpful conversations. KM is supported by NSERC. WS is supported by NSERC DG 2018-03968 and an Alfred P. Sloan Research Fellowship.
2. Nonlocal games and MIP*
A two-player nonlocal (or Bell) scenario consists of a finite set of questions , and a collection of finite answer sets . Often in this definition there are separate question and answer sets for each player, but it’s convenient for us to assume that both players have the same question and answer sets, and we don’t lose any generality by assuming this. We often think of the question and answer sets as being subsets of and , respectively, in which case we say that the questions have length and the answers have length . A nonlocal game consists of a nonlocal scenario , along with a probability distribution on and a family of functions for . In the game, the players (commonly called Alice and Bob) receive questions and from with probability , and reply with answers and respectively. They win if , and lose otherwise.
A correlation for scenario is a family of probability distributions on for all . Correlations are used to describe the players’ behaviour in a nonlocal scenario. The probability is interpreted as the probability that the players answer on questions . A correlation is quantum if there are
- (a) finite-dimensional Hilbert spaces and ,
- (b) a projective measurement on for every ,
- (c) a projective measurement on for every , and
- (d) a state
such that for all , , . A collection as in (a)-(d) is called a quantum strategy. A correlation is commuting operator if there is
- (i)
- (ii) projective measurements and on for every , and
- (iii) a state
such that and for all and , . A collection as in (i)-(iii) is called a commuting operator strategy. The set of quantum correlations for a scenario is denoted by , and the set of commuting operator correlations is denoted by . If the scenario is clear from context, then we denote these sets by and . Any quantum correlation is also a commuting operator correlation, so . If a commuting operator correlation has a commuting operator strategy on a finite-dimensional Hilbert space , then it is also a quantum correlation, but in general is strictly larger than .
The winning probability of a correlation in a nonlocal game is
| | |
The quantum value of is
| | |
and the commuting operator value is
| | |
A correlation is perfect for if , and -perfect if . A strategy is -perfect if its corresponding correlation is -perfect. The set is closed and compact, so has a perfect commuting operator correlation if and only if . However, is not necessarily closed, and there are games with which do not have a perfect quantum correlation. A correlation is quantum approximable if it belongs to the closure , and a game has a perfect quantum approximable correlation if and only if .
A nonlocal game is synchronous if for all and . A correlation is synchronous if for all and . The set of synchronous quantum (resp. commuting operator) correlations is denoted by (resp. ). A correlation belongs to (resp. ) if and only if there is
- (A) a Hilbert space (resp. finite-dimensional Hilbert space ),
- (B) a projective measurement on for all , and
- (C) a state
such that is tracial, in the sense that for all and in the -algebra generated by the operators , , , and for all , , . A collection as in (A)-(C) is called a synchronous commuting operator strategy. If, in addition, is finite-dimensional, then is also called a synchronous quantum strategy. The synchronous quantum and commuting operator values and of a game are defined equivalently to and , but with and replaced by and . A synchronous strategy for a game is oracularizable if for all , , with .
A theorem of Vidick [Vid22] (see also [Pad22]) states that every quantum correlation which is close to being synchronous, in the sense that for all and , is close to a synchronous quantum correlation. This theorem has been extended to commuting operator correlations by [Lin23]. As a result, the synchronous quantum and commuting values of a game are polynomially related to the non-synchronous quantum and commuting values. We use a version of this result due to Marrakchi and de la Salle [MdlS23]. Following [MdlS23], say that a probability distribution on is -diagonally dominant if and for all . Then:
Theorem 2.1 ([MdlS23]).
Suppose is a synchronous game with a -diagonally dominant question distribution. If (resp. ) is , then (resp. ) is .
A two-prover one-round protocol is a family of nonlocal games for , along with a probabilistic Turing machine and another Turing machine , such that
- for all and , there are integers and such that and ,
- on input , the Turing machine outputs with probability , and
- on input , the Turing machine outputs .
Let be computable functions with for all . A language belongs if there is a MIP protocol such that and are polynomial in , and run in polynomial time in , if then , and if then . The function is called the completeness probability, and is called the soundness probability. The functions and are called the question length and answer length respectively. The class is defined equivalently to , but with replaced by . The protocols in these cases are called and protocols. A language belongs to (resp. ) if it has a -protocol (resp. -protocol) in which is the uniform distribution on . Such a protocol is called an protocol. We can also define classes and by replacing the quantum and commuting operator values by and .
Any language in is contained in , and this remains true even if we add more provers and rounds of communication. The theorem of Ji, Natarajan, Vidick, Wright, and Yuen states that [JNV+22b]. In this paper, we use the following strong version of due to Natarajan and Zhang [NZ23].
Theorem 2.2 ().
There is a two-prover one round protocol for the halting problem with completeness and soundness , such that is a synchronous game with constant length questions, and length answers. Furthermore, if has a perfect strategy, then it has a perfect oracularizable synchronous strategy.
Proof.
[NZ23] shows that there is protocol for the halting problem meeting this description. As they observe, any protocol with a constant number of questions can be turned into an protocol with completeness and soundness , and then parallel repetition (see Section 7) can be used to lower the soundness back to . ∎
One corollary of Theorem 2.2 is that it is possible to transform any protocol into an equivalent protocol as in the theorem. Indeed, suppose is a polynomial-time probabilistic interactive Turing machine which on input acts as the verifier in a protocol with rounds, provers, completeness , and soundness , where , , , and are computable functions of . Let be the Turing machine which on input , searches through -round -prover quantum strategies, uses to calculate the success probability, and halts if it finds a strategy with success probability . Let be the Turing machine which on empty input writes to the input tape and then runs . Finally, let be the one-round protocol for the language . The Turing machines and run in polynomial time in the size of the input Turing machine , and has size linear in , so the one-round protocol which runs game on input is a polynomial-time protocol which recognizes the same language as . Strikingly, this works for any computable , , and , not just polynomial functions of , since the only requirement is that have polynomial description size.
3. BCS games
We now introduce boolean constraint system games. If is a set of variables, a constraint on is a subset of . We think of as rather than , since this is more convenient when working with observables and measurements. In particular, we use and to represent true and false respectively, rather than and . An assignment to is an element , and we refer to the elements of as satisfying assignments for . For convenience, we assume every constraint is non-empty, i.e. has a satisfying assignment. A boolean constraint system (BCS) is a pair , where is an ordered set of variables, is a nonempty subset of for all , and is a constraint on the variables . When working with nonlocal games, the sets are sometimes called the contexts of the system. The order on induces an order on the contexts , and this will be used for some specific models of the weighted BCS algebra in Section 6. This is the only thing we use the order on for, so it can be ignored otherwise. A satisfying assignment for is an assignment to such that for all . Although we won’t use it until later, we define the connectivity of a BCS to be the maximum over of , where . In other words, the connectivity is the maximum over of the number of times the variables in constraint appear in the constraints of . Also, if and is a constraint on , then the conjunction is the constraint on variables such that if and only if for all .
Let be a BCS, and let be a probability distribution on . The BCS game is the nonlocal game , where if , and is otherwise. In other words, in , the players are given integers according to the distribution , and must reply with satisfying assignments and respectively. They win if their assignments agree on the variables in . With this definition, has questions of length , and answer sets of length .
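As an added illustration (not code from the paper), the following Python computes the classical value of a BCS game of the kind just defined, by brute force, for the Mermin-Peres magic square mentioned in the introduction. The 3x3 variable layout, the choice of which context carries the odd parity, the restriction to parity constraints over ±1 values, and all function names are assumptions of the example.

```python
from fractions import Fraction
from itertools import product
from math import prod

# Magic square as a BCS (layout assumed for this example): variables 0..8
# sit row-major in a 3x3 grid, and every row and every column is a context.
CONTEXTS = [
    (0, 1, 2), (3, 4, 5), (6, 7, 8),   # rows
    (0, 3, 6), (1, 4, 7), (2, 5, 8),   # columns
]
# Constraint of each context: the product of its +/-1 values must equal this.
PARITY = [1, 1, 1, 1, 1, -1]


def satisfying_assignments(context, parity):
    """All +/-1 assignments to one context that satisfy its parity constraint."""
    return [
        dict(zip(context, values))
        for values in product((1, -1), repeat=len(context))
        if prod(values) == parity
    ]


def is_satisfiable(contexts, parities):
    """True if one global assignment satisfies every constraint at once."""
    variables = sorted({v for c in contexts for v in c})
    for values in product((1, -1), repeat=len(variables)):
        phi = dict(zip(variables, values))
        if all(prod(phi[v] for v in c) == p for c, p in zip(contexts, parities)):
            return True
    return False


def consistent(a, b):
    """Winning predicate: the two answers agree on the shared variables."""
    return all(b[v] == val for v, val in a.items() if v in b)


def classical_value(contexts, parities, pi=None):
    """Best winning probability over deterministic (hence all classical) strategies.

    pi maps question pairs (i, j) to probabilities; default is uniform on all
    pairs of contexts. For a fixed strategy of the first player, the second
    player's best response is chosen independently for each question j.
    """
    answers = [satisfying_assignments(c, p) for c, p in zip(contexts, parities)]
    n = len(contexts)
    if pi is None:
        pi = {(i, j): Fraction(1, n * n) for i in range(n) for j in range(n)}
    best = Fraction(0)
    for alice in product(*answers):          # one satisfying answer per question
        total = Fraction(0)
        for j in range(n):
            total += max(
                sum(pi.get((i, j), 0) for i in range(n) if consistent(alice[i], b))
                for b in answers[j]
            )
        best = max(best, total)
    return best


def rows_vs_columns():
    """Distribution where the first player gets a row and the second a column."""
    return {(i, j): Fraction(1, 9) for i in range(3) for j in range(3, 6)}


if __name__ == "__main__":
    print("satisfiable:", is_satisfiable(CONTEXTS, PARITY))
    print("uniform on pairs of contexts:", classical_value(CONTEXTS, PARITY))
    print("row vs column only:", classical_value(CONTEXTS, PARITY, rows_vs_columns()))
```

The system has no satisfying assignment, so no classical strategy wins with probability 1 under either distribution, while the game is known to have a perfect quantum strategy.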
A - protocol is a family of BCS games , where , along with a probabilistic Turing machine and another Turing machine , such that
- (1) on input , outputs with probability , and
- (2) on input , outputs true if and false otherwise.
Technically, this definition should also include some way of computing the sets and . For instance, we might say that the integers and are all computable, and there are computable order-preserving injections . However, for simplicity we ignore this aspect of the definition going forward, and just assume that in any - protocol, we have some efficient way of working with the sets and , the intersections , and assignments . A language belongs to the complexity class - if there is a - protocol as above such that and are polynomial in , and run in polynomial time, if then , and if then . The parameter is called the soundness. Any - protocol for can be transformed into a protocol by playing the game with the answer sets replaced by , and on input , asking the verifier to first check that and using , and then checking that . Hence - is contained in . Notice that in this modified version of the BCS game, the players are allowed to answer with non-satisfying assignments, but they always lose if they do so. Thus any strategy for the modified game can be converted into a strategy for the original game with the same winning probability, and perfect strategies for both types of games (ignoring questions that aren’t in the support of ) are identical, so the protocol has the same completeness and soundness as the - protocol. The class - can be defined similarly by replacing with , and is contained in . We can also define subclasses of - and -. For instance, we let 3SAT- be the class of languages with a - protocol , in which every constraint of is a 3SAT clause, i.e. a disjunction , where are either variables from , or negations of said variables, or constants.
If the players receive the same question , then they must reply with the same assignment to win. Consequently, if for all then is a synchronous game. This version of BCS games is sometimes called the constraint-constraint version of the game. There are other variants of BCS games, sometimes called constraint-variable BCS games, in which one player receives a constraint and another receives a variable (see [CM14]). In this paper, we work with constraint-constraint games exclusively, but the two types of BCS games are closely related, and can often be used interchangeably. As per the previous section, a synchronous strategy for consists of projective measurements , , on a Hilbert space , along with a state which is tracial on the algebra generated by .
Conversely, it is well-known that every synchronous game can be turned into a BCS game. One way to do this (see, e.g. [PS23, Pad22]) is to make a constraint system with variables for and , and constraints for all and whenever . The variable represents whether the player answers on input , and the constraints express the idea that the players must choose an answer for every question, and that they should reply with winning answers (the synchronous condition on implies that is a constraint for all and , which means that the players should choose a single answer for question ). The BCS game associated to this constraint system has a perfect quantum (resp. quantum approximable, commuting operator) strategy if and only if has a perfect quantum (resp. quantum approximable, commuting operator) strategy. Unfortunately, this construction results in a game with answer sets , which means that the bit-length of the answers increases exponentially from . If , then , meaning that if this construction is used in a -protocol, soundness can drop off exponentially.
To fix this, we look at the oracularization of . There are several versions of in the literature, all closely related. We use the version from [NW19], in which the verifier picks a question pair according to . The verifier then picks uniformly at random. When , they send player both questions , and the other player question . Player must respond with such that , and the other player responds with . The players win if . If , both players are sent and must respond with and in . They win if . If has questions of length and answers of length , then has questions of length and answers of length , so this construction only increases the question and answer length polynomially. The following lemma shows that this construction is sound, in the sense that cannot be much larger than .
Lemma 3.1.
Let be a synchronous game. If has an perfect oracularizable synchronous strategy, then has a perfect synchronous strategy. Conversely, if , then .
Proof.
This is asserted in Definition 17.1 of [NW19]. Although a proof isn’t supplied, the proof follows the same lines as Theorem 9.3 of [JNV+22b]. ∎
Given a synchronous game where and , construct a constraint system as follows. Take to be the set of variables , where and . Let , and identify with bit strings , where the assignment to corresponds to the th bit, and let be the subset corresponding to . Let . For , let , and let be the set of pairs of strings such that , , and . Then is the constraint system with variables and constraints and . Let and be the probability distribution on such that
| | |
Then , so the oracularization of a synchronous game is a BCS game. As a result, Theorem 2.2 has the following corollary:
Corollary 3.2.
There is a - protocol for the halting problem with constant soundness , in which has a constant number of contexts and contexts of size , and is the uniform distribution on pairs of contexts.
Proof.
Let be the protocol from Theorem 2.2. Then is a BCS game in which the underlying BCS has a constant number of contexts, and the contexts have size . The probability distribution and the constraints of can be computed in polynomial time from and , so by Lemma 3.1 there is a - protocol for the halting problem with constant soundness . The probability distribution in the oracularization construction is not uniform. However, it is not hard to see that changing the distribution in the oracularization game does not change completeness, and since there are only a constant number of contexts, replacing with the uniform distribution yields only a constant dropoff in soundness. ∎
4. BCS algebras and approximate representations
It is often worth thinking about synchronous strategies more abstractly. Recall that is the -algebra generated by variables , satisfying the relations for all , and is the quotient of by the relations for all . Given an assignment to an ordered set of variables , we let
| | |
considered as a polynomial in , where the product is taken with respect to the order on . Given a constraint on , we let
| | |
Since is commutative, the image of in is independent of the order of ; however, we will work with in Section 6. The algebra is isomorphic to the algebra
| | |
where the isomorphism identifies with . In particular, is generated by for . Consequently if is a -representation, then is a projective measurement on , and conversely if is a projective measurement on , then there is a -representation with .
If is a BCS, then we let denote the free product . We let denote the natural inclusion of the th factor, so is generated by the involutions for and . Equivalently, is generated by the projections for and . To avoid clogging up formulas with symbols, we’ll often write instead of when it’s clear what subalgebra the element belongs to. As with , representations of are in bijective correspondence with families of projective measurements , via the relation . If is a synchronous commuting operator strategy for , and is the representation with , then is a tracial state on . Conversely, if is a tracial state on , then the GNS representation theorem implies that there is a synchronous commuting operator strategy such that where is the representation corresponding to . Note that the trace is faithful on the image of the GNS representation. As a result, synchronous commuting operator strategies for and tracial states on can be used interchangeably, and in particular if and only if there is a tracial state with for all ,, , and . A tracial state is said to be finite-dimensional if its GNS representation has a finite-dimensional Hilbert space, so finite-dimensional tracial states on can be used interchangeably with synchronous quantum strategies for , and if and only if there is a finite-dimensional tracial state with for all ,, , and . There is also a class of states, called the Connes-embeddable tracial states, with the property that if and only if there is a Connes-embeddable tracial state such that for all ,, , and [KPS18].
A correlation is perfect for a BCS game if whenever and is a losing answer to questions . As a result, a tracial state on is perfect (i.e., corresponds to a perfect correlation) if and only if whenever . Consequently a tracial state on is perfect for if and only if it is the pullback of a tracial state on the synchronous algebra of , which is the quotient
| | | |
| | | |
For BCS games, this result about perfect strategies is due to Kim, Paulsen, and Schafhauser [KPS18]. The general notion of a synchronous algebra is due to [HMPS19]. In [Gol21, PS23], it is shown that the synchronous algebra of a BCS game is isomorphic to the so-called BCS algebra of the game. In working with protocols, we also need to keep track of -perfect strategies. In [Pad22], it is shown that -perfect strategies for a BCS game correspond to -representations of the BCS algebra, where an -representation is a representation of such that all the defining relations of are bounded by in the normalized Frobenius norm. In this prior work, the focus was on the behaviour of -perfect strategies for a fixed game, so the number of questions and answers was constant. For protocols, the game size is not constant, and we need to work with approximate representations where the average, rather than the maximum, of the norms of the defining relations is bounded. For this, we introduce the following algebraic structure:
Definition 4.1.
A (finitely-supported) weight function on a set is a function such that is finite. A weighted -algebra is a pair where is a -algebra and is a weight function on .
If is a tracial state on , then the defect of is
| | |
where is the -norm. When the weight function is clear, we just write .
Since is finitely supported, the sum in the definition of the defect is finite, and hence is well-defined. Note that traces on a weighted algebra with correspond to traces on the algebra . In general, is a measure of how far is from being a trace on . Thus we can think of a weighted algebra as a presentation or model for the algebra that allows us to talk about approximate traces on this algebra.
Definition 4.2.
Let be a BCS, and let be a probability distribution on . The (weighted) BCS algebra is the -algebra , with weight function defined by
| | |
for all and , with , and for all other .
Note that is the synchronous algebra defined above, so is a model of this synchronous algebra, and perfect strategies for correspond to tracial states on with . The following lemma is an immediate consequence of the definitions:
Lemma 4.3.
Let be a BCS, and let be a probability distribution on . A tracial state on is an -perfect strategy for if and only if .
Proof.
Let be the correlation corresponding to , so . Then
| | |
where the sum is across and , with . So . ∎
5. Homomorphisms between BCS algebras
In addition to looking at BCS games, we also want to consider transformations between constraint systems and the corresponding games. To keep track of how near-perfect strategies change, we introduce a notion of homomorphism for weighted algebras. Recall that if is a -algebra, then if is a sum of hermitian squares, i.e. there is and such that . Two elements are said to be cyclically equivalent if there is and such that , where . We say that if is cyclically equivalent to a sum of squares. (For more background on these definitions, see e.g. [KS08, Oza13].)
Definition 5.1.
Let and be weighted -algebras, and let . A -homomorphism is a -homomorphism such that
| | |
The point of this definition is the following:
Lemma 5.2.
Suppose is a -homomorphism. If is a trace on , then .
Proof.
Let and . Note that
| | |
By the definition of , there are and such that
| | |
Since is a tracial state, and for all and . Hence as required. ∎
One of the first things we can apply this idea to is changing between different presentations of the BCS algebra. For instance:
Proposition 5.3.
Suppose is a BCS, and is a probability distribution on . Let be the weight function on defined by
| | |
for all and , and for other . Then the identity map gives a -homomorphism , and a -homomorphism , where .
Recall that is the natural inclusion of the th factor.
Proof.
Fix . Since is a projection in , is cyclically equivalent to for all , . For , let be the pairs such that . Then
| | |
and since and can disagree in at most places,
| | |
Fix , and let , .
| | | |
| | | |
where the last equality holds because and are both equal to .
Finally is cyclically equivalent to
| | |
so the result follows. ∎
Definition 5.4.
If is a BCS and is a probability distribution on , define to be the weighted algebra , where is defined from as in 5.3.
It is not hard to see that , so both and are weighted algebra models of .
We can also easily handle transformations of constraint systems which apply a homomorphism to each context. Note that a homomorphism between finite abelian -algebras is equivalent to a function . Indeed, given a function , we can define a homomorphism by , and it is not hard to see that all homomorphisms have this form. We extend this notion to BCS algebras in the following way.
Definition 5.5.
Let and be constraint systems. A homomorphism is a classical homomorphism if
- (1) for all , and
- (2) if , , and then for all .
To explain this definition, note that condition (1) implies that restricts to a homomorphism , and hence gives a collection of functions for all . Condition (2) states that if for some , , then . Conversely, any collection of functions satisfying this condition can be turned into a classical homomorphism .
Lemma 5.6.
Let and be constraint systems, and let be a probability distribution on . If is a classical homomorphism, then is a -homomorphism .
Proof.
Suppose arises from a family of functions as above. For any , let , and let . Then
| | | |
| | | |
∎
One situation where we get a classical homomorphism is the following:
Corollary 5.7.
Let be a BCS, and let be a BCS with , for all , for all , and for all , if and only if there exists with . Then for any probability distribution on , the homomorphism
| | |
defined by the inclusions is a -homomorphism , and there is another -homomorphism . Furthermore, has the same connectivity as .
Proof.
The homomorphism is the classical homomorphism defined by the functions .
For the homomorphism , define by choosing an element such that for all . Since , if , then , so this collection of functions defines a classical homomorphism . ∎
In other words, Corollary 5.7 implies that any tracial state on (resp. ) with pulls back to a tracial state on (resp. ) with defect also bounded by .
Remark 5.8.
Let be a - protocol for a language with soundness , where . Since is polynomial in , and runs in polynomial time, the Cook-Levin theorem implies that we can find sets and constraints on as in Corollary 5.7 in which is polynomial in , and is a 3SAT instance with number of clauses polynomial in . By Lemma 5.2, we get a - protocol for with the same soundness, such that is a constraint system where all the clauses are 3SAT instances, and the connectivity of is the same as .
6. BCS algebras, subdivision and stability
Suppose we have a BCS where each constraint is made up of subconstraints on subsets of the variables (for instance, a 3SAT instance made up of 3SAT clauses). In this section, we look at what happens when we split up the contexts and constraints so that each subconstraint is in its own context. In the weighted BCS algebra, splitting up a context changes the commutative subalgebra corresponding to the context to a non-commutative subalgebra. To deal with this, we use a tool from the approximate representation theory of groups, namely the stability of .
Lemma 6.1 ([CVY23]).
Let be a tracial von Neumann algebra, and suppose is a function such that for all and for all , where and . Then there is a homomorphism such that for all , where the generate .
Here a tracial von Neumann algebra is a von Neumann algebra equipped with a faithful normal tracial state , and is the unitary group of . If is a tracial state on a -algebra , and is the GNS representation, then the closure of in the weak operator topology is a von Neumann algebra, and is a faithful normal tracial state on . A function satisfying the conditions of Lemma 6.1 is called an -homomorphism from to . The following lemma is useful for the proofs in this section:
Lemma 6.2.
Suppose is a -algebra, and let denote the hermitian square of . Then , where .
Proof.
Since , we see that . Thus , and repeated application gives the desired inequality. ∎
We now formally define a subdivision of a BCS.
Definition 6.3.
Let be a BCS. Suppose that for all there exists a constant and a set of constraints on variables respectively, such that
- (1) for all and ,
- (2) for every and , there is a such that , and
- (3) for all , where is conjunction.
The BCS is called a subdivision of . When working with subdivisions, we refer to as the clauses of constraint , and as the number of clauses in constraint . A subdivision is uniform if for all .
Given a subdivision of as in the definition, let , and pick a bijection between and the set of pairs with and . If is a probability distribution on , let be the probability distribution on with . Note that if is uniform and the subdivision is uniform, then is uniform. Any subdivision can be turned into a uniform subdivision by repeating pairs to increase . Note that subdivision can increase connectivity.
Part of the point of the definition of subdivisions is that they preserve the synchronous algebra of the system.
Proposition 6.4.
Let be a BCS, and let be a subdivision. Let be a probability distribution on , and let be the probability distribution defined from as above. Then .
Proof.
Because every pair of elements belongs to some , we get an isomorphism
| | |
where is the set of relations for all and which do not agree on , and for all . From these latter relations, it is possible to recover the relations for , and then to recover all the relations of . ∎
6.4 implies that has a perfect quantum (resp. commuting operator) strategy if and only if has a perfect quantum (resp. commuting operator) strategy. The main result of this section is that near perfect strategies for can be pulled back to near perfect strategies for . For the theorem, we say that is maximized on the diagonal if and for all .
Theorem 6.5.
Let be a BCS, and let be a subdivision of with clauses in constraint . Let be a probability distribution on that is maximized on the diagonal, and let be the probability distribution defined from as above. If there is a trace on , then there is a trace on with , where , , and .
For the proof of the theorem we consider several other versions of the weighted BCS algebra, where is replaced by , and the defining relations of are moved into the weight function.
Definition 6.6.
Let be a BCS with a probability distribution on , and let be a subdivision, with clauses in constraint and probability distribution induced by . Let denote the inclusion of the th factor. Let , and define weight functions , , , and on by
| | |
| | |
| | |
| | |
and , , , and for any elements other than those listed. Let be the weighted algebra , where .
Note that is the same as the weight function of the algebra defined in 5.4, except that it’s defined on rather than . The weight function comes from the defining relations for , while comes from the defining relations for , so is a mix of relations from and . As mentioned previously, the context has an order inherited from , and this is used for the order of the product when talking about and in . In particular, the order on is compatible with the order on .
The weight functions , and can also be defined on using the same formula as in 6.6, and we use the same notation for both versions. The following lemma shows that we can relax to , as long as is maximized on the diagonal.
Lemma 6.7.
Let be a BCS, and let be a probability distribution on that is maximized on the diagonal. Let and be the weight functions defined above with respect to . Then there is an -homomorphism , where is the connectivity of . Furthermore, if is a subdivision of , then there is an -homomorphism , where is the maximum number of clauses in constraint .
Proof.
Since is non-empty by convention, we can choose for every . Define the homomorphism by
| | |
Let , and let denote the hermitian square of as in Lemma 6.2. Then
| | |
Observe that , so
| | |
Thus
| | | |
| | | |
| | | |
since is maximized on the diagonal.
Next, suppose is a subdivision of . If , then we can choose such that . Since ,
| | |
Hence
| | |
where the comes from the fact that we divide by in the definition of . Thus the identity map is an -homomorphism. ∎
The following proposition shows how to construct tracial states on from tracial states on .
Proposition 6.8.
Let be a BCS, and let be a probability distribution on which is maximized on the diagonal. Let be a subdivision of with clauses in constraint . If is a trace on , then there is a trace on such that , where , , and . Furthermore, if is finite-dimensional then so is .
Proof.
Since is maximized on the diagonal, if then for all , and the variables in do not appear in . Thus we may assume without loss of generality that for all . Let be a trace on . By the GNS construction there is a -representation of acting on a Hilbert space with a unit cyclic vector such that for all . Let be the weak operator closure of the image of , and let be the faithful normal tracial state on corresponding to (so .
For all the restriction of to is a -homomorphism from into , so by Lemma 6.1 there is a representation such that
(6.1) | | | |
for all generators . Suppose , and let be the homomorphism defined by for . Then
| | | |
| | | |
| | | |
Since is maximized on the diagonal, and where is the connectivity of , we conclude that
| | | |
| | | |
For any , let , where the order of the product is inherited from the order on . By Equation 6.1,
| | |
where the degree of has increased by one. Since , we get that
| | |
If , , and , then
| | |
and hence
| | | |
| | | |
| | | |
| | | |
We conclude that is a tracial state on with bounded by
| | |
Since , we conclude that
| | |
By Lemma 6.7, there is a -homomorphism , and pulling back by this homomorphism gives the proposition. ∎
Finally, we can pull back tracial states from the subdivision algebra to traces on .
Proposition 6.9.
Let be a BCS, and let be a subdivision of . Let be a probability distribution on , and let be the probability distribution defined from as above. Then there is a -homomorphism , where and .
Proof.
For each and , choose an index such that . Also, for each , choose an index such that . Define by . It follows immediately from the definitions that is a -homomorphism . Moving on to , observe that if as in Lemma 6.2 then
| | | |
| | | |
| | | |
| | | |
where we use the fact that , and that is cyclically equivalent to if . For any given and , the number of elements with is bounded by . Hence
| | |
where is the inclusion of the th factor. We conclude that there is an -homomorphism .
Finally, for , if , , and then , so
| | | |
| | | |
| | | |
where is the product of for appearing before in the order on , and is the product of for appearing after in the order on . Since there are fewer than terms in this sum, and and are unitary,
| | | |
| | | |
| | | |
Hence
| | | |
| | | |
Since every term in the latter sum occurs in the sum for the weight function of , is a -homomorphism . We conclude that is an -homomorphism , and . ∎
Applying 6.9 and 6.8 yields the result. ∎
7. Parallel repetition
Let be a nonlocal game. The -fold parallel repetition of is the game
| | |
where
- (1) is the -fold product of ,
- (2) if , then ,
- (3) if , then , and
- (4) if , , , then .
In other words, the players each receive a vector of questions and from , and must reply with a vector of answers and to each question. Each pair of questions , is sampled independently from , and the players win if and only if is a winning answer to questions for all . If has questions of length and answers of length , then has questions of length and answers of length .
If is a correlation for , let be the correlation for defined by
| | |
It is easy to see that is a quantum (resp. commuting operator) correlation if and only if is a quantum (resp. commuting operator) correlation, and that . Hence if (resp. ) then (resp. ) as well. If , then (and the same for the commuting operator value), but this inequality is not always tight. However, Yuen’s parallel repetition theorem states that the game value goes down at least polynomially in :
Theorem 7.1 ([Yue16]).
For any nonlocal game , if , then , where is the length of the answers of .
Suppose is a BCS and that is a probability distribution on . For any , let , and . We can think of as the disjoint union of copies of , and as the copy of from the copy of . Since is a copy of , we can identify with in the natural way. If , let and . Let . Given a distribution on , consider the game , where is the product distribution as above. In this game, the players are given questions and from respectively, and must reply with elements and respectively. They win if and only if and agree on . But this happens if and only if and agree on . Thus is the parallel repetition . We record this in the following lemma:
Lemma 7.2.
If is a BCS game, then so is the parallel repetition .
To illustrate the purpose of parallel repetition, suppose that is a -protocol for a language , where and has answer length . If is a polynomial in , then can be sampled in polynomial time by running independently times, and can also be computed in polynomial time by running repeatedly. If and are these Turing machines for sampling and computing respectively, then is a -protocol for , where . Since is polynomial in , if , then we can choose such that is any constant . By Lemma 7.2 the same can be done for -.
8. Perfect zero knowledge
An protocol is perfect zero knowledge if the verifier gains no new information from interacting with the provers. If the players’ behaviour in a game is given by the correlation , then what the verifier (or any outside observer) sees is the distribution over tuples . Consequently a -protocol is said to be perfect zero-knowledge against an honest verifier if the players can use correlations for such that the distribution can be sampled in polynomial time in . However, a dishonest verifier seeking to get more information from the players might sample the questions from a different distribution from . To be perfect zero-knowledge against a dishonest verifier, it must be possible to efficiently sample for any efficiently sampleable distribution , and this is equivalent to being able to efficiently sample from for any . This leads to the definition (following [CS19, Definition 6.3]):
Definition 8.1.
Let be a two-prover one-round protocol for a language with completeness and soundness , where . The protocol is perfect zero knowledge if for every string , there is a correlation for such that
- (1) for all , the distribution can be sampled in polynomial time in , and
- (2) if then and .
The class - is the class of languages with a perfect zero knowledge two-prover one round protocol with completeness and soundness .
By replacing with , we get another class -. If we replace protocols with - (resp. -) protocols and with (resp. ) we get the class -- (resp. --).
For the one-round protocols that we are considering, parallel repetition preserves the property of being perfect zero knowledge.
Proposition 8.2.
Let be a - protocol, and let be a polynomial function of . Then the parallel repeated protocol is also perfect zero knowledge.
Proof.
Let be a correlation for the game that satisfies the two requirements of Definition 8.1. Then can be sampled in polynomial time in for all , by independently sampling from for each pair from and . If , then , and it is not hard to see that . ∎
We will now prove our main result that any proof system in - or - can be turned into a perfect zero knowledge - or - protocol. For this purpose, we use the perfect zero knowledge proof system for 3SAT due to Dwork, Feige, Kilian, Naor, and Safra [DFK+92], slightly modified for the proof of quantum soundness. For the construction, we assume that we start with a - protocol (and in the proof of Theorem 1.1, this will be a 3SAT- protocol). Following [DFK+92], the new proof system is constructed in three steps. First, we apply a transformation called obliviation, then turn the resulting system into a permutation branching program via Barrington’s theorem [Bar86], and finally rewrite the permutation branching programs using the randomizing tableaux of Kilian [Kil90]. We start by describing obliviation.
Definition 8.3.
Given a BCS and , let , and for any . To make the elements of look more like variables, we denote by . Let be the set of assignments to such that the assignment to defined by is in . The obliviation of of degree is the constraint system .
The point of obliviation is the following:
Lemma 8.4.
Suppose is a BCS, and let for some . Then there is a classical homomorphism such that for all and , where is in the inclusion of the th factor for and .
Furthermore, if is a probability distribution on , and is a tracial state on , then there is a tracial state on such that , , and for any ordered set of pairs with and .
In particular, if is perfect then is perfect.
Proof.
Define for each by for and . By definition, if and only if , so . If for some , , and , then we must have for some . Since
| | |
for all , , the functions correspond to a classical homomorphism with for all and .
Conversely, given and , define by , for , and . Since , the function sends to . Also if and , then if and only if , so the functions determine a local homomorphism with , for , and for all and .
Define a tracial state on by , where the sum is over all . Since is the identity on , . Since and are -homomorphisms,
| | |
for any , so and hence .
Finally, if is an ordered set of pairs with , then there is an element and set such that
| | |
for all , where . If , then is non-empty. Hence
| | |
and if is non-empty. ∎
A permutation branching program of width and depth on a set of variables is a tuple where and are elements of the permutation group for all , and is a 5-cycle. A permutation branching program defines a map via . A program recognizes a constraint if for all , and for all , where is the identity in .
Theorem 8.5 (Barrington [Bar86]).
Suppose a constraint is recognized by a depth fan-in 2 boolean circuit. Then is recognized by a permutation branching program of depth on the variables .
For the rest of the section, we assume that we have a canonical way of turning constraints described by fan-in 2 boolean circuits into permutation branching programs using Barrington’s theorem.
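The construction behind Theorem 8.5 can be made concrete. The following is an added example, not code from the paper: it compiles a fan-in 2 circuit into a permutation branching program over the permutations of five points and checks that the program recognizes a 3SAT clause. The nested-tuple circuit format, the function names, and the convention that the program evaluates to the 5-cycle when the circuit outputs 1 (and to the identity otherwise) are assumptions of the example.

```python
from functools import lru_cache
from itertools import permutations, product

E = (0, 1, 2, 3, 4)        # identity permutation of five points
SIGMA = (1, 2, 3, 4, 0)    # the 5-cycle 0 -> 1 -> 2 -> 3 -> 4 -> 0 (assumed target)


def mul(p, q):
    """Group product, read left to right: apply p first, then q."""
    return tuple(q[p[i]] for i in range(5))


def inv(p):
    r = [0] * 5
    for i, pi in enumerate(p):
        r[pi] = i
    return tuple(r)


def is_five_cycle(p):
    """True when the cycle through point 0 has length 5."""
    i, n = p[0], 1
    while i != 0:
        i, n = p[i], n + 1
    return n == 5


FIVE_CYCLES = [p for p in permutations(range(5)) if is_five_cycle(p)]


@lru_cache(maxsize=None)
def commutator_pair(target):
    """Find 5-cycles a, b with a b a^-1 b^-1 == target (exists for every 5-cycle)."""
    for a in FIVE_CYCLES:
        for b in FIVE_CYCLES:
            if mul(mul(a, b), mul(inv(a), inv(b))) == target:
                return a, b
    raise ValueError("target is not a 5-cycle")


def compile_circuit(circ, target=SIGMA):
    """Compile a circuit into instructions (variable, perm_if_0, perm_if_1).

    The product of the selected permutations is `target` when the circuit
    outputs 1 and the identity when it outputs 0.
    Circuits (hypothetical format): ("var", i), ("not", c), ("and", c, d), ("or", c, d).
    """
    op = circ[0]
    if op == "var":
        return [(circ[1], E, target)]
    if op == "not":
        # Program for the inverse cycle, then multiply the last step by target:
        # target^-1 * target = e when the input is 1, e * target = target when it is 0.
        prog = compile_circuit(circ[1], inv(target))
        v, p0, p1 = prog[-1]
        prog[-1] = (v, mul(p0, target), mul(p1, target))
        return prog
    if op == "and":
        # Commutator trick: a b a^-1 b^-1 collapses to e unless both inputs are 1.
        a, b = commutator_pair(target)
        return (compile_circuit(circ[1], a) + compile_circuit(circ[2], b)
                + compile_circuit(circ[1], inv(a)) + compile_circuit(circ[2], inv(b)))
    if op == "or":
        # De Morgan; negations do not lengthen the program.
        return compile_circuit(
            ("not", ("and", ("not", circ[1]), ("not", circ[2]))), target)
    raise ValueError(f"unknown gate {op!r}")


def evaluate(prog, x):
    """Multiply out the permutations selected by the assignment x."""
    out = E
    for v, p0, p1 in prog:
        out = mul(out, p1 if x[v] else p0)
    return out


def eval_circuit(circ, x):
    op = circ[0]
    if op == "var":
        return bool(x[circ[1]])
    if op == "not":
        return not eval_circuit(circ[1], x)
    left, right = eval_circuit(circ[1], x), eval_circuit(circ[2], x)
    return (left and right) if op == "and" else (left or right)


def recognizes(prog, circ, n):
    """Check the program against the circuit on all 2^n assignments."""
    return all(
        evaluate(prog, x) == (SIGMA if eval_circuit(circ, x) else E)
        for x in product((0, 1), repeat=n))


if __name__ == "__main__":
    # Constructed sample: the 3SAT clause x0 OR (NOT x1) OR x2, as a depth-2 circuit.
    clause = ("or", ("or", ("var", 0), ("not", ("var", 1))), ("var", 2))
    prog = compile_circuit(clause)
    print(len(prog), "instructions; recognizes clause:", recognizes(prog, clause, 3))
```

Each AND or OR gate at most quadruples the program length and NOT gates cost nothing, so a depth-d circuit compiles to at most 4^d instructions.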
The final ingredient is randomizing tableaux, which are described using constraints of the form , where the variables take values in , is a constant in , and the product is the group multiplication. Since , we can encode permutations as bit strings of length by choosing an enumeration , and identifying by its index in binary. This means that any permutation-valued variable can be represented by boolean variables, and similarly a permutation-valued constraint can be rewritten as the constraint on boolean variables which requires the boolean variables corresponding to to encode a permutation value, and the product of all the permutations to be equal to . Since we want our final output to be a boolean constraint system, we use permutation-valued variables and permutation-valued constraints as short-hand for boolean constraint systems constructed in this way. We can now define randomizing tableaux, still following [DFK+92] with small modifications.
Definition 8.6.
Let be a BCS, where each is described by a fan-in 2 boolean circuit. Let be the permutation branching program recognizing . For each , let
| | |
where and are new permutation-valued variables (and thus represent 7 boolean variables each), and let
| | |
be the union of all the original and new variables. The variables are called tableau elements, and the variables are called randomizers.
Let be the constraint on variables which is the conjunction of the following clauses:
- (1) for all ,
- (2) for and , where we use the notation ,
- (3) , and
- (4) a trivial constraint (meaning that all assignments are allowed) on any pair of original or permutation-valued variables which do not appear in one of the above constraints.
The tableau of is , interpreted as a boolean constraint system. We further let be a list of the clauses in (1)-(4) making up . The subdivided tableau of is .
As mentioned above, the product in the constraints on the permutation-valued variables in parts (1)-(4) of the definition is the group product in . The constraints in part (1) involve both original variables and permutation-valued variables , and say that the value of is either or depending on the value of . In part (4), and can be either an original or a permutation-valued variable. If one of them is a permutation-valued variable, then all the corresponding boolean variables encoding the permutation-valued variable are included in the constraint (so the constraint on and may involve up to boolean variables). Since the constraints in part (4) are trivial, they do not contribute to , but they are included in the list of clauses of the subdivided tableau. The point of the constraints in part (4) is that, with them, is a subdivision of . Finally, observe that the constraints encode the constraints as follows:
Lemma 8.7 ([DFK+92]).
Suppose is a BCS, and let . If , then . Conversely, if , where is the set of randomizers in , and , then there is a unique element such that and .
In this lemma, the statement that means that for every randomizer , the restriction of to the boolean variables corresponding to is the encoding of the permutation . Although the permutation-valued variables in are shorthand for boolean variables, it is helpful to be able to work with the permutation-valued variables directly in . Suppose for a moment that are variables in a set , and is a constraint on which includes the requirement that encode a permutation-valued variable . Let . If , then in unless is the binary representation of an index , in which case we also write as . Hence the subalgebra of is generated by the single unitary , which we denote by the same symbol as the permutation-valued variable . In particular, if and as in Definition 8.6, then we can refer to and as unitary elements of of order , and they generate the same subalgebra as the boolean variables encoding them. Since these variables do not occur in any other context for , we also use and to refer to and in . We use the same convention for .
The algebra is generated by the original variables and the randomizers.
Lemma 8.8.
Suppose is a BCS, and let . Let be the set of randomizers in , and let . Then is generated as an algebra by , and is generated by .
This means that a homomorphism is completely described by its action on . The following lemma extends Lemma 8.7 to weighted BCS algebras.
Lemma 8.9.
Suppose is a BCS, and let . Then there is a classical homomorphism such that for all and .
Conversely, let be the set of randomizers in . If , then there is a classical homomorphism such that for all and , and for all , where in the enumeration of fixed above.
Proof.
The proof is immediate from Corollary 5.7, Lemma 8.7, and the definition of in . ∎
Theorem 8.10.
Let be a - protocol for a language with completeness and soundness , such that each context of has constant size, and is maximized on the diagonal. Then there is a -- protocol for with completeness and soundness , where is the number of contexts in . If is uniform, then is also uniform.
Proof.
Let , and let be the subdivision of corresponding to the subdivision of into . If is uniform, then is also uniform. For completeness, if there’s a perfect tracial state on , then there is a perfect tracial state on by Lemma 8.4, and consequently a perfect tracial state on by Lemma 8.9. By 6.4, there is a perfect tracial state on . Hence if , then has a perfect strategy.
Because has contexts of constant size, and hence also has contexts of constant size. As a result, the number and size of the clauses in the constraints of are also constant. We conclude that the parameters , , and in Theorem 6.5 when going from to are all constant. Since has contexts, if is a tracial state on , then there is a tracial state on with . Since there is a classical homomorphism by Lemmas 8.4 and 8.9, we conclude that there is a tracial state on with . Hence if , then there is no synchronous strategy for with .
Because all the constraints in have constant size, it is not hard to see that the Turing machines and can be turned into Turing machines and such that is a - protocol for .
To prove that this protocol is perfect zero knowledge, we need to find a polynomial time simulator which samples a correlation that is perfect for the tableau game. Furthermore, must be a quantum correlation if and only if is an accept instance of the tableau game.
The tableau game involves the verifier requesting from each prover exactly one of the constraints (1)-(4) from Definition 8.6, and checking their answers for consistency. The simulator can efficiently sample any element from the clauses of of the first row of the corresponding tableau by uniformly sampling from . Elements of the tableau and randomizers can be sampled efficiently by uniformly sampling from . In this way, may efficiently simulate answers to (1) and (2) by sampling the elements on the right side of the equation, and computing the element on the left side. Answers to (3) are simulated by sampling elements of , where is the constant depth of the permutation branching program used to construct the tableau, and computing the correct entry such that the product of the elements is equal to , the output of the permutation branching program. Lastly, can simulate answers to (4) by sampling elements of the first row of the tableau uniformly as above (matching any pair that are labeled by the same oblivious variable), and sampling other elements uniformly from . Thus, simulating the response of an individual player Alice is trivial. The responses from Bob need only be consistent with those of Alice on the overlap, with the remainder of the answer sampled as above. This defines our simulatable correlation and our simulator . It is clear that the correlation sampled by is perfect for the tableau game. All that remains is to show that is an accept instance if and only if is a quantum correlation.
Suppose that is a quantum correlation. Then is an accept instance, as there is a quantum correlation that allows the players to play the instance of the tableau game perfectly.
Suppose that is an accept instance of the tableau game. Then there is some quantum strategy for the tableau game such that the players always win. By the gapped soundness of the reduction from 3SAT, this implies that the underlying 3SAT instance has a perfect quantum strategy with observables for . Alice and Bob may now choose any set of oblivious observables such that the exclusive disjunction of these is , that is . So choose to be observables that are with equal probability for and let and note that The values of any four of the are efficiently sampleable. To play the tableau game, when Alice and Bob receive their questions and respectively, they use auxiliary observables to generate shared uniformly distributed randomizers and construct the tableaux corresponding to the clauses of and according to relations (1) to (5) in Definition 8.6. The value for each element of row one of the tableau is equally likely to be either element of . Note that the simulator only ever has to sample at most four elements of the first row of a tableau, and only the correlation of five or more of these variables depends on the perfect strategy of . Each randomizer is an independently uniformly sampled element of and thus any element of the second and third rows of the tableau is equally likely to be any element of . Therefore the correlation generated this way is . ∎
Theorem 8.11.
There is a perfect zero knowledge - protocol for the halting problem in which the verifier selects questions according to the uniform distribution, the questions have length , and the answers have constant length.
Proof.
By Theorem 2.2, there is a - protocol for the halting problem with constant soundness , in which has a constant number of contexts and contexts of size , and is the uniform distribution on pairs of contexts. By 5.8, can be turned into a - protocol where , is a 3SAT instance with number of clauses polynomial in , and is polynomial in . Then by subdividing the into a 3SAT we obtain a 3SAT protocol with number of clauses polynomial in , and is uniform. The theorem follows from 8.10. ∎
Let be the - protocol from Theorem 8.11, so in particular has contexts, where , and is the uniform distribution on . Since the uniform distribution is -diagonally dominant, Theorem 2.1 implies that has soundness when considered as a protocol. The result follows from 7.1 using a polynomial amount of parallel repetition. ∎
Theorem 8.12.
---.