Quantum Oracle Separations from Complex but Easily Specified States

04/15/2021 ∙ by Nicholas LaRacuente, et al. ∙ The University of Chicago 0

A foundational question in quantum computational complexity asks how much more useful a quantum state can be in a given task than a comparable, classical string. Aaronson and Kuperberg showed such a separation in the presence of a quantum oracle, a black box unitary callable during quantum computation. Their quantum oracle responds to a random, marked, quantum state, which is intractable to specify classically. We constrain the marked state in ways that make it easy to specify classically while retaining separations in task complexity. Our method replaces query by state complexity. Furthermore, assuming a widely believed separation between the difficulty of creating a random, complex state and creating a specified state, we propose an experimental demonstration of quantum witness advantage on near-term, distributed quantum computers. Finally, using the fact that a standard, classically defined oracle may enable a quantum algorithm to prepare an otherwise hard state in polynomial steps, we observe quantum-classical oracle separation in heavy output sampling.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

In the black box or oracle model, a computation has access to a subroutine with cost but no knowledge of its implementation. The oracle may perform an otherwise costly computation in time or reveal information that would otherwise not be discoverable from the inputs. A quantum computer may conventionally use a classically-defined oracle in the computational basis, calling from superposition. Quantum-classical oracle separation is at the root of quantum complexity theory, going back to some of the earliest known separations and lower bounds [1, 2, 3]. An oracle function with the form is known as a standard oracle and has a natural extension from classical bit strings to quantum states in the computational basis.

In the quantum setting, there are however more ways in which one could define a sensible notion of an oracle. Aaronson and Kuperberg introduce the notion of a quantum oracle [4], an arbitrary unitary callable with cost as a black box subroutine. Aaronson and Kuperberg’s quantum oracle has no obvious classical analog, relying on states in arbitrary bases. Fefferman and Kimmel construct an “in-place” quantum oracle that appears to possess a classical analog but is still not a standard oracle, as it is not self-inverse [5]. One may consider other forms of potentially restricted, non-classical oracles, such as quantum channels that may introduce mixture, or quantum oracle families with promises on the unitaries available.

Quantum or classical, oracles go hand-in-hand with diagonalization techniques, a notion formalized for subset-based oracles in [5, Section 5, Recipe 1]. Intuitively, one shows that each possible program using polynomial oracle calls must in some case fail to yield a sufficiently distinguishable final state on a string in the language from one not in the language. This approach has an information-theoretic interpretation: the information any fixed program obtains from polynomial oracle calls does not scale as quickly as the information needed to accurately decide the problem. In [4], that information is what’s needed to unlock a secret hidden in the quantum oracle. In particular, it cannot solve the following task:

Definition 1.1 (Marked Quantum State Task (MQST)).

Given and (

-qubit Hilbert space), let

be a unitary (quantum oracle) with the promise that either:

  1. , and acts as identity on orthogonal states.

  2. is the identity.

The task is to distinguish these cases with at least

success probability.

Given an untrusted copy of the marked state, it is easy to verify case (1). Most quantum states on qubits lack a polynomial-length classical description within reasonable orders of approximation (see Section 2.1, or the original explanation of [4]). Hence any scheme to reveal the marked state using polynomially-many bits of classical information must in some cases fail to distinguish superpolynomially large sets of candidates.

As a first result in this paper, we show that the information-theoretic barrier and diagonalization are not necessary for the primary results achieved in [4]. To do so, we find exponentially large families of quantum states that have polynomial classical descriptions but are not approximable using any polynomial-size circuit. We call the state complexity of a quantum state the minimum circuit length needed to prepare it from the initial state using elementary gates.

Theorem 1.2.

There exist families of marked quantum state oracles for which case (1) of MQST can be verified using an untrusted, polynomial-size, classical string as proof and polynomially many queries to but needing exponential time. Given an untrusted, polynomial-size quantum state as proof, case (1) can be verified in polynomial time with one query. The marked states are specified to precision by polynomial, classical bit strings.

For some such families of quantum oracles, polynomial compute time and polynomial queries suffice to verify case (1) of MQST given a trusted, polynomial quantum state as proof that depends on the dimension of the marked state but not otherwise on the marked state.

We replace the query complexity separation of [4] by a separation in state complexity. Given the the marked state’s classical description, it is possible to construct the marked state using an exponentially large quantum circuit and verify case (1) of MQST using one query. The surprising aspect of Theorem 1.2 is that the usual oracle and query complexity machinery is largely bypassed. We may even restrict the marked state to a family that is deterministically known to the program as a function of the input size, but because of the state’s complexity, such marked states may still be impossible to efficiently verify without an externally-provided quantum witness.

Variants of MQST are convert to decision problems to show separations in computational complexity. We recall the complexity class Quantum Merlin Arthur (QMA), in which a quantum, polynomially-bounded verifier checks a polynomial-size quantum witness state. We recall the class Quantum-Classical Merlin Arthur (QCMA), in which the witness state is constrained to be a classical bitstring. We also recall the notion of advice, which is a classical string or quantum state that depends on the input size but not otherwise on the input string. For a complexity class , we denote by and the modified class respectively with logarithmic or polynomial advice. By and we denote the respective classes with quantum advice. By we denote the modified class with access to a family of quantum oracles , where is the input size.

In [4], it is shown that , and for families of quantum oracles as in MQST. Unsurprisingly, we are able to combine these separations. More surprisingly, we do so bypassing the query separation argument.

Corollary 1.3.

There exists a quantum oracle family for which

though one query is sufficient to verify a classical witness given exponential computation time.

The technical version appears as Corollary 4.2. When we replace the oracle herein by a standard oracle, we find that does not contain or relative to this oracle.

Proposition 1.4.

Let be a family of standard oracles with marked states in the computational basis. Then , and . Let be a family of quantum oracles with marked states as binary strings in the Hadamard basis. Then .

The technical version of this Proposition appears as 4.5. The power of NP relative to this oracle and its replacement by QCMA when the oracle is transformed to the Hadamard basis illustrates the barrier to replacing the quantum oracle by a standard oracle. More substantially, we may ask why we cannot replace the complex state by, for instance, an efficient polynomial design (see for example [6]). The primary barrier here is that whenever the state admits an efficient quantum circuit, a polynomial quantum computation suffices to generate the marked state from that string. Hence schemes based on classical, hard-to-discover keys/seeds may fail to separate QMA from QCMA, as a classical prover can reveal the secret that cracks the scheme. Though it would be easy to show that NP does not contain QMA or QCMA relative to a quantum oracle, this separation is arguably trivial and unfair without a way for classical programs to access information hidden in the quantum oracle.

Though it is by definition hard to prepare a specified complex state, [7, p27] notes that it may not be hard to generate random states that are typically complex. Assuming that the procedure therein does generate a random, complex state, we propose an experimental demonstration of the quantum oracle complexity separation. For this, we need to relax the oracle definition further, allowing a once-callable quantum channel to take the place of the oracle. Rather than inserting a specified unitary at arbitrary points in computation, we will allow the computation to insert one call to the quantum channel with assume cost. Then:

Theorem 1.5.

There exists a quantum channel oracle for which .

Assume that the complex state generation procedure as suggested in [7, p27] indeed generates complex states. Then polynomial quantum space and time suffice to:

  1. Generate a marked state and quantum channel oracle such that with high probability, and where the marked state for is classically specified in polynomially many bits.

  2. Make the marked state’s classical description known to the prover and verifier.

  3. Apply once when called by the verifier.

The once-callable aspect of technically arises from the fact that one copy of the specific marked state is created, and this copy is consumed in the oracle call. An exponentially more powerful prover can generate as many copies as desired from the obtained classical description. This channel oracle could be used in a quantum proof of work scheme, in which a polynomial quantum computer generates instances that probably require exponentially stronger, quantum quantum resources to solve.

Counter-intuitively, a standard oracle may spoil the secret of a quantum oracle as above. As shown in [7, Proposition 3.3.5], one may prepare arbitrary states using a standard oracle that directly reveals bits and phases of the marked state. Although the standard oracle is defined by a classical function, it may be called in superposition, enabling a procedure that builds up an exponential number of amplitudes directly, without ever having to obtain the exponentially long bit string needed to specify the state classically.

The techniques of [8] use a state preparation oracle model to bound a quantum computer’s ability to generate heavily-weighted output strings of a quantum state. The analogous task without oracles is believed hard for classical computers [9, 10]. In the formulation presented there, the use of a quantum oracle precludes a classical analog. We replace this oracle by a standard oracle, showing separation between classically stochastic and quantum use analogous to that in oracle-free models. As in MQST, superiority of quantum resources arises not from the information required to specify arbitrary quantum states, but from hardness of preparing states. To do this, we define a rotated version of the heavy output sampling problem, using classical inaccessability of a complementary basis as in Proposition 1.4, but without needing an explicit, quantum oracle:

Theorem 1.6 (Classical Hardness of RXHOG).

Let a classical algorithm attempt to solve the sampling problem RXHOG as in Definition 6.1 with access to polynomially many calls to a standard state preparation oracle, and a table of coefficients of a quantum state that defines the sampling problem. Such an algorithm achieves a value no higher than , whereas a quantum algorithm may achive a value of .

The technical version appears as Theorem 6.2.

Ultimately, if QMA QCMA without an oracle, then there must exist low-energy states of local, gapped Hamiltonians that are polynomially specified (by the Hamiltonian’s description) but not preparable by polynomial circuits. Reformulating quantum oracle separation in terms of state complexity, rather than state codeability, brings it closer to the oracle-free setting. We have already seen that there exist states with simple classical descriptions that are hard to prepare. To separate QMA from QCMA, it would suffice to find a polynomial time routine for a class of such states that verifies if a provided such state matches a classical description, in which case the language of classical descriptions would fall in QMA and not QCMA. In this work, we see that the presence of quantum oracle can provide such verification, while a standard oracle can break the preparation hardness.

In Section 2, we review known results on state complexity and define the hard state preparation routine that allows us to efficiently index some hard states. In Section 3, we show Theorem 1.2 without directly invoking complexity classes. In Section 4, we show Corollary 1.3 and Proposition 1.4, discussing the implications of marked states for complexity classes relative to quantum oracles. In Section 5, we show Theorem 1.5 and discuss possible experimental implementations. In Section 6, we show Theorem 1.6 and discuss standard state preparation oracles in the context of sampling problems.

1.1. Basic Notations

For a pair of pure states , recall the overlap be defined via the inner product as . We denote by the (squared) fidelity between two quantum states, given by in trace norm. For pure states, fidelity is equal to the overlap. For a set , we denote by its cardinality, and otherwise, denotes the absolute value of a complex function. We use to denote the ceiling function and for the floor function.

2. Complex State Generation

2.1. Background on Information and Complexity of Quantum States

A typical quantum state has Komogorov complexity at least polynomial in the dimension of the Hilbert space. As in [11], the total number of

-distinguishable (in operator norm) states is estimated at

, such that for any classical description length , the fraction of -describable states is approximately . While it is not possible to verify the Kolmogorov complexity of a quantum state, it is possible to verify minimum circuit size with a fixed gate set via exhaustive search.

More definitively, to -approximate in operator norm an arbitrary unitary in via gates from universal set requires

where is a dimension-dependent constant such that for all , and is the Haar-measured volume of a ball of radius in [12, eq 23].

A simple bound in [13] states that to -approximate an arbitrary pure state in Hilbert space norm,


The essential realization is that the space of pure states on qubits is the unit -sphere, on which volumes are simpler than in . There are at most -distanced states preparable from via gates when each gate acts on input qubits. The number of states in any circuit -approximation scheme is .

The Solovay-Kitaev theorem [14] gives an upper bound on the number of universal gates required, showing that equation (1) is optimal up to a polynomial factor.

Equation (1) appears to show that even when , grows superpolynomially in . The derivation relies however on approximating the surface area of states near a given by the volume of a hypersphere in one dimension lower. For small , the neighborhood of a state is approximately flat. As , the approximation must be checked carefully. In principle, this might be accomplished via the distribution of distances between points on a hypersphere [15, 16] or the areas of hyperspherical caps [17]. In practice, it is easier to work directly from results on the distribution of fidelities of quantum states [18]. Aaronson & Kuperberg show a similar result as Lemma 3.3 in [4].

In [19], it is shown that to determine if a given state has polynomial creation complexity requires exponential time in the absence of advice or witnesses (though this may include some additional assumptions). Equation (1) implies that a random or typical state is probably hard to prepare.

2.2. Enumerating Complex States

Let be a classical quantum program that takes , encoded in binary, and a universal, finite gate set as its input. does the following:

  1. Let be a set initially containing all circuits using at most gates, where is the maximum number of qubits on which any gate acts and the initial state.

    Note that set of -qubit marginals of these states is included in the set of marginals on the 1st qubits by permutation invariance of the starting state and set of -gate circuits.

  2. Iterate through circuits involving more than gates from to prepare -qubit states, in lexograhic order. Let denote the th such circuit. Let be a counter starting at 0.

    1. If the output state of on has fidelity at least with the marginal on the 1st qubits of any circuit in , continue to .

    2. If the output state of on has overlap below with all 1st -qubit marginals of circuits already in , then (i) if , increment and add to (ii) if , return the output of on .

Let denote the output of as a quantum state. To formalize as a quantum channel, we may assume that it takes an -qubit input and pinches it to the computational basis before proceeding.

The main subtlety of using is to show that it has valid states to return within the range of interest.

2.3. Existence of Marked States

Lemma 2.1.

In a system of qubits with and for a set of densities with total rank , there is a set of at least


pure states such that for any in the set, , and for any in the set and , . The probability that a random pure state has for all is at least


Lemma 2.1 replaces equation (1) for arbitrarily close to 1. It is similar to Aaronson & Kuperberg’s Lemma 3.3, though precedent for this result appears in [20, 18].


The distribution of fidelity between pure states in the Fubini-Study/-invariant Haar measure is given by


where here [20, 18, 4]. Integrating the measure,


While this bound is originally for a pair of random densities, as noted in [18], the symmetries of the state space allow us to fix one of the densities.

For an any and diagonalized density ,


Hence we may consider the set of at most pure states , where each is a diagonal basis state of some density in . By the union bound and equation (5),


for chosen uniformly at random from the -dimensional Hilbert space.

If we have already chosen some , then we may add these to the states to avoid. While the probability of finding a state with at most overlap decreases, this does not prevent a search from continuing to find states as long as there is non-zero probability of a state being sufficiently far from the avoided set. Hence the maximum number of pure states with mutual overlap no more than from each other or from any of the original densities is lower bounded as

For the exponential approximation, we recall that . ∎

Remark 2.2.

The fidelity of any pure state with the complete mixture is , and the average overlap between pure states in the Fubini-Study measure is also shown to be in [20, 18]. This point corresponds with , at which the state number bound of Lemma 2.1 may become negative. When for , the number of available states grows double-exponentially with qubit number. Equation (1) scales similarly with and .

Remark 2.3.

We may rewrite the available state number bound given by equation (2) as

and the probability bound of (3) as , where bounds trace distance. The state number bound is then comparable to equation (1), up to a dimension-dependent constant due to differences in the norm considered.

Lemma 2.4.

Let be functions given such that , and . Then there are at least


values of such that definitely halts.


Via Lemma 2.1, there are at least


states with distance at least from those preparable, where we must now calculate from .

Let be a fixed gate set in which each gate acts on a maximum of qubits. A gate sequence of length may act only on qubits in total. Hence the number of preparable states is no more than than the total number of sequences of gates, each choosing at most inputs. We calculate


for some constant . We see that is not of the same order as the term from which it subtracts. ∎

3. Proof of Hardness of MQST

Remark 3.1.

To understand the idea of the proof, one may consider the case of a single query using one pure state on only qubits. We decompose


where , and form a basis with . Let correspond to the 1st possible case of , which applies a phase of to . The inner product of with is given by


for normalized amplitudes. Hence


Via the well-known Fuchs–van de Graaf (in)equalities,


The operational interpretation of the trace distance then bounds the probability of successfully distinguishing between the states and , where the latter is equivalent to applying the identity.

In general, Arthur is neither limited to preparing and testing a single state against the oracle, nor to using the quantum oracle only once on a given state. The main subtlety is that while checked that the marked state is hard to prepare using gate set , Arthur may use the oracle as though it were an extra gate. Formally, we require the marked state to be hard to prepare using gate set , which we have not yet checked. Marked states might be chosen from a small set of easily codeable indices, so it’s not obvious that the original Aaronson and Kuperberg counting arguments [4] apply.

Intuition from constraints on search [3, 2] suggests that Arthur shouldn’t be able to amplify overlap of a prepared state with the marked state too quickly, even including in computation. The first step to make this intuition rigorous is to show that even if is not the identity, its effect on any state with small overlap with the marked state is small. Then we may apply a standard argument from the study of query complexity, showing that a polynomial length, alternating sequence of calls to and circuits of gates from neither prepares a state that is close to the marked state nor distinguishes case (1) of MQST from case (2) with high probability. Departing from the usual argument, we actually show a weaker separation than query complexity when marked states are easily codeable, as exponential-length circuits with few queries might be sufficient. Unlike full query complexity separation, the circuit length separation holds in a wider range of regimes and may appear in simple physical situations as described in Section 5.

Lemma 3.2.

Let , form a basis of a given subspace , and form a basis of . Let be defined by and . Then for any pure state on qubits on which is extended to ,


where is the marginal of on the 1st qubits, are the eigenstates of , and

are the associated eigenvalues.


We Schmidt decompose and rewrite it in terms of a basis such that .


Via direct calculation,


The second inequality follows primarily from state orthogonality. We note that


so for each ,


yielding the first equality of the Lemma, where . We also have that


which completes the Lemma.

Corollary 3.3.

Let , , , and be as in Lemma 3.2. For given such that , let be defined by for all , and for all . Then


where is the marginal of on the 1st qubits.


commutes with a partial trace over the last qubits. Applying to as decomposed in equation (16), we see that acts as the identity on and preserves orthogonality of states, so we may absorb its effect into the definition of . The sum is not affected by , so by Lemma 3.2,

The Corollary then follows the Lemma for . ∎

Lemma 3.4.

For given , let , be a pure state such that , and form a basis of for each . For each , let be defined by , and for . Let , and . Let be isometries such that for any , is within the set of states such that

where is the marginal of on the 1st qubits. Then


which bounds the probability of distinguishing for a given unitary family whether or for each using circuits of the form .


We will show this Lemma by induction, using the fact that after applying to a state that has low overlap with , the new state has high overlap with the original. First, for any ,


for some normalizing and that is orthogonal to . Hence


which we rewrite as

for some and . Let . By induction starting from ,


for some normalizing and state , which need not be orthogonal to . By Lemma 3.2, for any . Hence


Via Bernoulli’s inequality and assuming ,




Since both states are pure, the fidelity is exactly related to the trace distance, yielding


This trace distance is between the and case. That it bounds distinguishability follows from the operational interpretation of the trace norm. ∎

Remark 3.5.

We could easily extend Lemma 3.4 to marked subspaces from marked states, but in this work there is no reason to do so, and it would complicate the analysis.

3.1. State Complexity in Computation

In this section, we show the technical definition of MQST and proof of its hardness for a polynomial quantum computation with possibly unbounded classical pre-computation and witnesses.

Polynomial classical information at the start of computation, including witnesses, inputs, and advice, can be expressed as an extra circuit that prepares the classical state as a quantum state in the computational basis. With polynomial overhead, we may thereby include all possibilities for polynomial classical witnesses, inputs, and advice in the set of circuits considered by .

When all resources are polynomially bounded, including classical witnesses and pre-computation, it is a standard procedure to absorb classical resources into the quantum computation. We would like, however, to allow classical witnesses and pre-computation to be superpolynomially large while restricting their quantum counterparts to polynomial size or time. To do so, we will formulate the problem in a way that separates these classes of resource.

Even when classical witnesses and pre-processing are superpolynomial, a polynomial quantum circuit included with this computation accesses only polynomially-many classical bits. Hence we may re-express these bits with an extra circuit that depends on results of classical pre-computation. Adding this to the original, quantum circuit, we replace a polynomial quantum circuit by a conditional, still polynomial quantum circuit , where is a classical bit string that may depend on all classical information available at the start of computation. Hence instead of trying to formulate the polynomial quantum circuit as running on a larger classical input, we equivalently think of applying a polynomial circuit with polynomial input that depends on available classical information.

Theorem 3.6 (Technical Version of 1.2).

Let the sequence be defined by choosing from a sequence of non-empty sets on which halts. For all , there exist valid of cardinality . Let be a family of marked state oracles, where the th marked state is equal to for . By we denote the cardinality of set . For sufficiently large and with unbounded quantum circuit size,

  1. if , then generally requires an exponential classical or polynomial quantum proof of case (1) to verify with fewer than queries. It is nonetheless verifiable with one query given either such proof;

  2. If , then one query may verify a (polynomially long, classical) binary representation of as a proof of case (1);

  3. If , then a trusted, polynomial, classical description of is sufficient to perform MQST with queries. It is similarly possible to verify an untrusted such description as a proof of case (1).

All of the above cases require superpolynomial quantum computation.

(Proof of Theorem 3.6).

By Lemma 2.4, valid marked states exist for all sufficiently large .

To fully formalize the task, assume the Arthur starts with the state on qubits, plus a classical auxiliary systems in a configuration that may not depend on whether is the identity, but may convey any other information, including what the marked stat would be. Arthur may apply gates from the set , single-qubit measurements in the computational basis, the oracle to any -qubit subsystem, and partial traces to subsets of qubits.

Let denote the set of states of Arthur’s classical system, in state after receiving a classical proof from Merlin and an arbitrary amount of classical pre-computation, but before any quantum operations. It is possible that classically describes what the marked state would be if is not the identity.

All steps in computation after classical precomputation but before final traces have (up to equivalence) the form

where are unitaries that may depend on , and . By the definition of and the parameters of the problem, the sequence results in a state that has at most fidelity with . We apply Lemma 3.4 to , and by approximating away higher orders in , obtain


where is the non-identity case of . The operational interpretation of the 1-norm bound then shows that with access to this state, Arthur can’t correctly guess whether or with probability higher than . Convexity of the 1-norm implies that a mixture of achieves no higher value, and the related monotonicity under channels shows that neither does nor the differed traces.

For the particular cases, the cardiality determines the number of bits needed either to enumerate all possible marked states or to specify a particular marked state classically. ∎

Remark 3.7.

What if Arthur is allowed arbitrary classical computation interspersed with elements of a polynomially-bounded quantum circuit? This case is left open. The proof strategy of Theorem 3.6 no longer applies, as it is not possible to dilate arbitrary, intermediate classical processing within polynomially bounded quantum space and time. Arthur could measure intermediate states and apply superpolynomial classical processing to determine subsequent unitaries, and it is not entirely clear whether these measurements could be deferred to the end without a superpolynomial expansion in the quantum circuit size.

4. Computational Complexity

Definition 4.1 (Marked Quantum State Oracle (MQSO)).

Let be a given, binary language. Let the sequence be defined by choosing from a sequence of non-empty sets on which halts, and let , and be defined by

and for all -qubit . Let denote the constructed oracle family . We restrict to parameter ranges for which the indexed marked state exists.

Corollary 4.2 (Technical Version of Cor 1.3).

Let the sequence be defined by choosing from a sequence of non-empty sets on which halts. For all , there exist valid of cardinality . Let be a language constructed by randomly choosing of possible -length strings for each , and let be a sequence of index sets such that for all . With access to the family of marked state oracles . Then

  1. . This holds even with the promise that for all . Even if we relax the complexity class to allow unbounded, classical, untrusted witness size and unbounded, classical pre-computation, polynomial quantum circuits (including oracle queries) and polynomial, classical advice fail to decide with bounded error.

  2. .

  3. With the promise that , .

Hence a quantum oracle family such that .

A & K showed as their primary result that for a related quantum oracle as theorem 1.1. Though A & K did not claim , this is not surprising given their arguments for in theorem 3.4. Again more surprising in our formulation is the lack of reliance on query complexity.

Remark 4.3.

With unbounded quantum circuit size, as defined in Theorem 4.2 is decidable with and…

  1. An exponential, classical or polynomial, quantum witness and one query, or exponentially many queries, if .

  2. A polynomial, untrusted witness and one query if for all .

  3. Polynomial queries and a (trusted or untrusted) description of if .

  4. One query if and is given by a computable function for each .

Lemma 4.4.

Let be a binary language, for which membership of strings in is determined arbitrarily (having no pre-determined dependence on the value of ). For given and of length , there are at least values of for which cannot be determined from .


This Lemma follows from a counting argument mirroring that of Aaronson & Kuperberg. There are possible assignments of , and possible values of . Hence at least 1 value of distinguishes a class of at least possible assignments. Within this class, at least values of must not be fixed. ∎

In Lemma 4.4, we do not know that conditioned on , the may vary independently. It might be that the class implied by forces strong correlations between whether particular strings are in the language. These correlations will not matter too much for the complexity of determining whether a particular .

(Proof of Corollary 4.2 part 1).

Let be a quantum oracle family as in Definition 4.1. Let denote a particular input string.

Let be the set of Merlin’s possible, classical responses for a given , and be Merlin’s particular response in a given case, which may depend on the input and on randomness as well as on the language and oracle. Let analogously denote the respective particular quantum advice given for input size , and set of possible advice states. As in the proof of Theorem 3.6, after Merlin’s response is given, Arthur’s computation can be modeled as a polynomial quantum circuit of the form for , followed by partial traces, where index calls to oracles in the given family.

In the starting configuration with Merlin’s witness, Arthur’s state has the form . The witness and input don’t distinguish between and when Merlin is untrusted (the binary string representing contains no information about whether , so with no advice or oracle access, is undecidable even with unbounded time). The advice state may depend on whether is in the language, but it is the same value for all possible . By Lemma 4.4, there are at least possible values of for which fails to distinguish whether . We may restrict our attention to these values of .

Formally, the trace distance between the and is zero, and it upper bounds the completeness-soundness gap. We may easily subsume into

by allowing any of Arthur’s non-oracle unitaries to prepare in the computational basis if desired, so it is not necessary to retain these explicitly as separate parts of the state. Hence we aim to show that

has small difference as measured by the trace distance between the case in which and that in which for the same value of , regardless of what actually is. Hence if Merlin can send a classical that convinces Arthur that , the same will probably trick Arthur if in truth .

For any , let be the marginal on the 1st qubits of , be the

th eigenvector of

, and the corresponding eigenvalue. Let be the marked state for any . Then


in a Schmidt decomposition. We then have from the above sum,

Comparing to the identity for each ,

We note that

so by replacing by the identity,

Let be the 1st -qubit marginal of , which has eigenvectors with associated eigenvalues . We rewrite

where is the marginal of on the 1st qubits, and for arbitrary .

We may now apply Lemma 3.4 with the unitary sequence and , replacing in the Lemma by , and assuming that all mark states that would be hard to prepare in steps with fidelity greater than . The rest of the proof would then follow as does the end of Theorem 3.6 after equation (30), via the operational interpretation, convexity, and monotonicty of the 1-norm.

The one problem is that Arthur may apply for sufficiently small that the marked state for this oracle is approximable with circuits of length . We then note that by running the preparation circuit in reverse, running a simple circuit that marks the state , and then running the preparation circuit again, we can emulate such an oracle in at most gates with no oracle calls. Replacing these oracle calls by said emulation, we replace all oracle calls with marked states aproximable with larger than fidelity using gates by up to gates each. Substituting , we may assume that no states are prepared that resemble marked states for oracle calls, including , with precision larger than , and we apply Lemma 3.4.

(Proof of Corollary 4.2 part, Remark 4.3).

The 2nd part of the Theorem follow from allowing Merlin or the advice to send the marked state.

The Remark follows from Merlin specifying the index of the marked state, or from Arthur having access to a known set of possible marked states, as well as the parameters passed to . Arthur may then run the program to generate the marked state, and verify it with the oracle. ∎

Proposition 4.5.

Let be a family of arbitrarily chosen binary strings, a binary language, and be a family of standard oracles on states of qubits each defined for an -length computational basis string state and qubit state by

  1. if .

  2. for any -bit string or if but .

Then , and . Let be a family of quantum oracles defined by

where is the -qubit identity, and the -qubit Hadamard transform. Then .


For each and input string , is essentially a Grover oracle. The optimality of Grover search [3] implies that with access to , it takes at least oracle queries to find the marked state given a fixed or to determine whether is a marked string for arbitrary and . Given a copy of the marked string, trusted or not, a classical algorithm can use the standard oracle to verify an untrusted copy of as witness that .

The same bound applies to . In this case, the oracle is no longer callable as a standard oracle. ∎

5. Physical Realizability

As in [7, p27] one may construct for any qubits a bipartite quantum system of qubits initially prepared in the state . One then applies a random circuit of polynomial size, and measures the first qubits in the computational basis, yielding a state of the form , where is a classical variable storing the measurement result, and is a classical variable storing the random circuit applied. As noted in [7], is thought to have complexity .

(Proof of Theorem 1.5).

Let be an arbitrary, unary language. Let , and . We construct a classical-quantum channel formally a completely positive, trace-preserving, linear map that extends via linearity to densities. When clear from context, we denote