# Two-message verification of quantum computation

We describe a two-message protocol that enables a purely classical verifier to delegate any quantum computation to an untrusted quantum prover. The protocol begins with the verifier publishing a problem instance together with a public cryptographic key. The prover then transmits the computation result, appropriately encoded. Finally, the verifier uses their private key to detect any cheating and extract the result. We achieve this by upgrading the verification protocol of Mahadev in two steps. First, the protocol is repeated many times in parallel, yielding a four-message protocol with negligible soundness error. This enables the second step: the "challenge round" is eliminated via the Fiat-Shamir transform, in which the prover computes their own challenges using a public hash function. We show that this protocol is secure under the same assumptions underlying many candidate schemes for post-quantum public-key cryptography. Specifically, it is secure in the Quantum Random Oracle Model, and assuming the quantum hardness of the Learning with Errors problem. The main technical advance in our security proof is a parallel repetition theorem for the Mahadev protocol.

## Authors

• 7 publications
• 18 publications
• 10 publications
12/02/2019

### Classical Verification of Quantum Computations with Efficient Verifier

In this paper, we extend the protocol of classical verification of quant...
11/19/2019

### Non-interactive classical verification of quantum computation

In a recent breakthrough, Mahadev constructed an interactive protocol th...
11/23/2020

### On The Round Complexity of Two-Party Quantum Computation

We investigate the round complexity of maliciously-secure two-party quan...
11/26/2021

### Advantage of the key relay protocol over secure network coding

The key relay protocol (KRP) plays an important role in improving the pe...
09/05/2019

### A Private and Unlinkable Message Exchange Using a Public bulletin board in Opportunistic Networks

We plan to simulate a private and unlinkable exchange of messages by usi...
03/15/2021

### Post-Quantum Succinct Arguments

We prove that Kilian's four-message succinct argument system is post-qua...
11/05/2020

### Quantum randomized encoding, verification of quantum computing, no-cloning, and blind quantum computing

Randomized encoding is a powerful cryptographic primitive with various a...
##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

### 1.1 Background

#### Quantum verification.

Quantum computing devices can apparently solve problems that are infeasible for classical computers. As significant progress is made toward constructing quantum computers, a major challenge is the verification of such devices, particularly as they reach scales that rule out direct classical simulation.

One approach is to test for violations of Bell’s inequality [Bel64, CHSH69]. The self-testing technique introduced by Mayers and Yao [MY04] has been extended into various verification schemes [RUV13, MaK16, GKW15, HPDF15, FH15, NV17, CGJV19]

. In these schemes, multiple entangled quantum provers can be verified by an efficient classical verifier, with information-theoretic security. However, verification schemes based on quantum nonlocality require enforcing spacelike separations between the provers, making it unlikely that they have implications for verification of a single quantum device. That challenge has been studied in various relaxed settings, and several results have shown that a classical verifier with limited quantum resources (e.g., performing a fixed set of quantum operations on a small number of qubits) may verify any language in

[ABOE08, BFK09, Bro18, MF16, ABOEM17].

In a major breakthrough, Mahadev recently described the first secure protocol enabling a purely classical verifier to certify the quantum computations of a single untrusted quantum prover [Mah18]. The Mahadev protocol uses a quantum-secure cryptographic assumption to give the classical verifier leverage over the quantum prover. Specifically, the protocol is sound under the assumption that the Learning with Errors (LWE) problem does not admit a polynomial-time quantum algorithm. This assumption is widely accepted, and underlies some of the most promising candidates for the eventual replacement of RSA and ECC as the standard for public-key cryptography [NIST19].

From a theoretical perspective, Mahadev’s result settled a major open question concerning the power of quantum-prover interactive arguments (QPIAs). In a QPIA, two computationally-bounded parties interact: a quantum prover and a classical verifier. The verifier’s goal is to use the added power of the prover to solve a decision problem. The completeness error

of a QPIA is the probability of the verifier failing to accept a YES instance even though the prover is honest. The

soundness error is the probability that the verifier accepts a NO instance when interacting with a dishonest prover. In these terms, Mahadev’s result showed that there is a four-round111We take one round to mean a single one-way message from the prover to the verifier, or vice-versa. The Mahadev protocol involves four such messages. QPIA for with negligible completeness error and constant soundness error . Of course, one can repeat the protocol in series to suppress the soundness error, at the cost of many additional rounds of interaction. A natural question is whether this can be improved significantly. Ideally, we would like to simultaneously reduce both the soundness error and the number of interaction rounds.

The Mahadev protocol has a high-level structure analogous to that of classical -protocols [Dam02]. The goal of the verifier is to decide whether an input Hamiltonian from a certain class is a YES instance or a NO instance for .

1. The verifier generates a private-public key pair and sends to the prover ;

2. prepares the ground state of and then coherently evaluates a certain classical function . This yields a state of the form

 ∑xαx|x⟩X|fpk(x)⟩Y, (1)

where the ground state is in a subregister of register . measures the output register and sends the result to . Note that now holds a superposition over the preimages of .

3. replies with a uniformly random challenge bit .

4. If (“test round”), measures the register in the computational basis and sends the outcome. If (“Hadamard round”), measures in the Hadamard basis and sends the outcome.

After the four message rounds above are completed, the verifier uses their knowledge of and the secret key to either accept or reject the instance .

### 1.2 Our approach

In this work, we show that the Mahadev protocol can be carried out in only two rounds, while simultaneously reducing the soundness error to negligible. Before describing our approach, we make a brief remark about round-optimality. In delegation of computations, it is plausible to suppose that the client needs to send a description of the desired computation (in some form) to the server. In such a setting, our protocol is clearly round-optimal. We remark that, with our protocol, a verifier can publish a single public key and then receive arbitrarily many proofs (i.e., second-round messages) from different provers.

Theoretically, one could ask for more: a protocol where the prover and the verifier both receive the instance from some third party, and then the prover simply sends a proof to the verifier. While we cannot rule such a protocol out, constructing it seems like a major challenge. In fact, it may even be impossible. In such a setting, the proof must be independent of the secret randomness of the verifier. This seems to make it difficult to apply the “cryptographic leash” technique of Mahadev’s protocol. On the other hand, without cryptographic assumptions, a protocol such as this would immediately place in , which is almost certainly false [Aar10].

#### Warmup: a non-interactive test of quantumness.

To explain our approach, we first briefly describe how to make the “cryptographic test of quantumness” of [BCMVV18] into a non-interactive protocol. This is a significantly simplified version of the Mahadev protocol, where the verifier’s goal is now only to ensure that the prover is not classical. At a high level, the test proceeds just as the verification protocol, with two modifications. First, there is no ground state encoded in the register. Second, the initial state (1) is simply in uniform superposition over . This protocol has soundness error , meaning that a classical prover can convince the verifier to accept with probability at most  [BCMVV18]. A quantum prover can easily answer both challenges, so the completeness is .

To reduce the interaction in this protocol, we perform two transformations. First, we repeat the protocol independently in parallel times, with the verifier accepting if and only if all copies accept. This enables the next transformation: we remove Round 3 by asking the prover to compute the challenge coins themselves via a public hash function (e.g., SHA-3). This allows the prover to go directly to Round 4, i.e., measuring the registers. The result is a two-message protocol: the verifier simply sends keys in the first message, and the prover responds with initial and final measurement outcomes and . The verifier then performs the -fold accept/reject verdict calculations, using coins computed as above.

Whereas the verification protocol uses a private-public key pair that depends on the computation to be verified, the cryptographic test of quantumness uses keys drawn from a fixed distribution. In this sense, the test of quantumness can be viewed as non-interactive following an initial setup phase.

Why is this protocol secure? First, recall that the soundness statement is only about classical provers. As the verifier is also classical, our arguments about security can rest on purely classical results. Thus we can apply standard parallel repetition theorems for classical protocols [Hai09, HPWP10, BHT19] to conclude that the parallel-repeated protocol has negligible soundness error.222A slight subtlety is that this is a private-coin protocol. However, the “test” branch is publicly simulable so [HPWP10] applies. Alternatively, one can apply [Hai09] to the “random-terminating” variant of the protocol. By the classical security of the so-called Fiat-Shamir transformation [FS86], the final two-message protocol also has negligible soundness [BR95, PS00]. We note that the second result holds in the so-called Random Oracle Model (ROM), an idealized but fairly standard model in classical cryptography [BR95]. We discuss these issues in more detail below.

Our approach to transforming the full Mahadev protocol for verifying into a two-round protocol follows the same approach. The protocol transformations are unchanged: parallel repetition, followed by the Fiat-Shamir transformation. However, soundness now needs to hold against quantum provers, and we can no longer rely on classical results about these transformations. We now discuss these issues and expand on the above discussion.

#### Parallel repetition.

Any protocol can be amplified with sequential repetition. If the original protocol has soundness error , the -fold repeated protocol will have soundness error . However, this comes at the cost of an increased number of interaction rounds. Parallel repetition is more desirable, but does not always reduce the soundness error, not even in the case of purely classical protocols. Bellare, Impagliazzo, and Naor [BIN97] showed that there exists a 4-round classical argument for which soundness error remains the same under parallel repetition. Whereas parallel repetition reduces the soundness error at an optimal rate for public-coin protocols [PV07, CL10, CP15], the challenging case is that of private-coin protocols, i.e., protocols in which the verifier holds private randomness that cannot be revealed to the prover. A sequence of works showed that parallel repetition does in fact reduce the soundness error of any classical private-coin protocol, provided the protocol is slightly modified to include “random terminations” with low probability [Hai09, HPWP10, BHT19].

Does parallel repetition work for quantum-prover interactive arguments? The Mahadev protocol is a natural case to consider since it already exhibits the full decisional power of QPIAs, i.e., . However, several complications arise when attempting to establish parallel repetition using classical techniques. First, the Mahadev protocol is clearly private-coin, precisely the category that is challenging even in the classical case. Second, classical proofs of parallel repetition typically involve constructing a prover (for the single-copy protocol) that uses many rounds of nested rejection sampling. The quantum analogue of such a procedure is quantum rewinding, which can only be applied in special circumstances [Wat09, ARU14] and seems difficult to apply to parallel repetition.

In this work, we establish a new parallel repetition theorem with alternative techniques, suited specifically for the Mahadev protocol. We show that, for NO instances, the accepting paths of the verifier for the two different challenges ( and ) correspond to two nearly (computationally) orthogonal projectors. We also establish that this persists in -fold parallel repetition, meaning that each pair of distinct challenge strings corresponds to nearly orthogonal projectors. From there, a straightforward argument shows that the prover cannot succeed for more than a non-negligible fraction of challenge strings. Our result shows that -fold parallel repetition yields the same optimal soundness error as sequential repetition. The resulting protocol is a four-round for verifying , with negligible completeness and soundness errors.

#### Fiat-Shamir transformation.

The second and final step is to eliminate the “challenge round” of the -fold parallel protocol. Note that in the -fold protocol, the second message of the verifier to the prover is a uniformly random . To eliminate the need for this message round, we adopt an established approach from classical cryptography: the aforementioned Fiat-Shamir transform. In this approach, the prover is asked to generate the challenge bits themselves by evaluating a public hash function on the transcript of the protocol thus far. In our case, recalling (1), this means that the prover selects . Note that and are now both -tuples, since we are transforming the -fold protocol. The resulting protocol now has only two messages: the initial message from the verifier, and the response from the prover. Of course, the verifier also needs to adapt their actions at the verdict stage, using when deciding whether to accept or reject.

Clearly, the soundness of the transformed protocol now depends crucially on the properties of the hash function . A standard assumption when applying Fiat-Shamir is that behaves like a uniformly random function. In practice, this is a reasonable assumption: standardized hash functions are typically not distinguishable from random in any nontrivial333There are trivial but not useful ways to distinguish, such as simply observing that has an efficient circuit. way. This approach has the advantage of enabling a number of strategies for giving security proofs. Specifically, we work in an idealized model called the Random Oracle Model (ROM), which assumes that all parties in the protocol have black-box access to a uniformly random oracle function . In the ROM, one can show that the Fiat-Shamir transformation is secure, in the sense that it preserves soundness up to a loss that is negligible provided has a superpolynomially-large range [BR95, PS00]. It is straightforward to see that this last condition is required; it is also the reason for applying parallel repetition prior to the Fiat-Shamir transformation.

A complication in the quantum setting is that quantum computers can evaluate any public classical function in superposition via the unitary operator

 UH:|x⟩|y⟩↦|x⟩|y⊕H(x)⟩. (2)

This means that we must work in the Quantum Random Oracle Model (QROM) [BDFLSZ11], which grants all parties oracle access to . Proving the security of transformations like Fiat-Shamir (FS) in the QROM is the subject of recent research, and newly developed techniques have largely shown that FS in the QROM preserves soundness for so-called sigma-protocols [DFMS19, LZ19]. Extending those results so that they also apply to the Mahadev protocol is relatively straightforward.

### 1.3 Technical summary of results

Our results are summarized in the following two theorems. The soundness of our protocols is conditioned on the assumption that there is no polynomial-time quantum algorithm for solving the Learning with Errors (or ) problem [Reg05]. This assumption is needed for the soundness of the Mahadev protocol itself; we do not apply it anywhere else in our arguments. As the assumption is an asymptotic statement, all the protocols are parameterized444To see how to parameterize concretely, see, e.g., [BLPRS13]. by a security parameter . The running time of all the relevant algorithms is then polynomial in , and the cryptographic assumption is that the success probability of any algorithm for solving is bounded by a negligible function of . We refer to this below as the hardness assumption. For simplicity, in our exposition we will assume that is some polynomial in the input instance size , so that efficient algorithms run in time and errors are (ideally) (where denotes a superpolynomially small function of ).

We first state the parallel repetition result.

###### Theorem 1.

Let be the Mahadev protocol, and let be its -fold parallel repetition. Then is a four-round protocol for verifying the class , such that

1. The completeness error of is .

2. Under the hardness assumption, the soundness error of is at most .

For , we improve Mahadev’s bound on the soundness error (negligibly close to ) to [Mah18]. Our bound is optimal: there is a straightforward cheating prover who succeeds in a test round with probability 1 and in a Hadamard round with negligible probability (see Protocol 2.4).

As discused above, applying the Fiat-Shamir transformation to results in a two-message protocol. We state this formally as follows.

###### Theorem 2.

Let denote the protocol resulting from applying the Fiat-Shamir transformation to the -fold parallel repetition of the Mahadev protocol . Then is a two-round protocol for verifying the class , such that

1. The completeness error of is .

2. In the Quantum Random Oracle Model, under the hardness assumption, the soundness error of is provided .

#### Related results.

Several recent works have pursued research related to the protocols of [Mah18, BCMVV18]. These include the zero-knowledge protocol of Vidick and Zhang [VZ19] and the remote state preparation protocol of Gheorghiu and Vidick [GV19].

Radian and Sattath [RS19] recently established what they call “a parallel repetition theorem for NTCFs.” NTCFs are the functions in the Mahadev protocol above. However, the context of [RS19] is very different from that of our Theorem 1. They work with 1-of-2 puzzles, not verification; in particular, their soundness experiment is quite different. Moreover, their parallel repetition theorem follows from a purely classical result.

#### Organization.

The remainder of the paper is organized as follows. In Section 2, we introduce quantum prover interactive arguments, the local Hamiltonian problem as it relates to verification, and the Mahadev protocol. In Section 3, we show that parallel repetition reduces the soundness error of the Mahadev protocol at the optimal rate. In Section 4, we show that under the Fiat-Shamir transformation, a generalization of -protocols (which includes the Mahadev protocol) remains secure in the QROM. Finally, we combine these results to establish a 2-message protocol for in Section 5.

## 2 Preliminaries

### 2.1 Notation and conventions

Most algorithms we consider are efficient, i.e., run in time polynomial in the size of the input (typically denoted by ) and the security parameter (typically denoted by ). The two main classes of algorithms are PPT (probabilistic, polynomial-time) and QPT (quantum polynomial-time.) We let denote a superpolynomially small function of , i.e., a function in .

Recall that, given a classical circuit for a function , one can easily construct a reversible (and hence also quantum) circuit for the operation

 f:{0,1}n×{0,1}m →{0,1}n×{0,1}m (x,y) ↦(x,y⊕f(x)),

with at most constant overhead. We let denote the unitary operator implemented by this quantum circuit.

### 2.2 Quantum-prover interactive arguments

A quantum-prover interactive argument () is an interactive protocol between two polynomially-bounded parties, a quantum prover and a classical verifier, interacting over a classical channel. A is described by a pair of algorithms: the PPT algorithm of the honest verifier , and the QPT algorithm of the honest prover .

Given an arbitrary prover and verifier , we let denote the process in which and interact for a given input and produce an output .

###### Definition 3.

Fix a language and a .

• We say that is a for with completeness if, for all , . The completeness error is .

• We say that is a for with soundness error if, for all and for all QPT algorithms , . The soundness is .

Two standard approaches to amplifying the soundness of a are as follows.

• (Serial repetition) We run , times in series, with the verifier finally outputting if and only if for all .

• (Parallel repetition) We run , times in parallel, with the verifier finally outputting if and only if for all . By “parallel” we mean that we first initialize copies of , then send the first messages of each copy to the prover, then send back responses, and so on.

It is straightforward to check that serial repetition suppresses soundness error exponentially in . A similar result for parallel repetition is false in general [BIN97, PW07], and is typically much more challenging to prove in cases where it holds.

### 2.3 The local Hamiltonian problem and verification for BQP

Any promise problem can be reduced to the local Hamiltonian problem such that for , the Hamiltonian has a low-energy ground state , and for , all quantum states have large energy [KSV02]. While the quantum witness may be hard to prepare for general , it can be prepared efficiently if . Furthermore, the problem remains QMA-complete even with a Hamiltonian that can be measured by performing standard () and Hadamard () basis measurements [BL08].

###### Problem 1 (The 2-local ZX-Hamiltonian problem [Bl08, Mf16]).

The 2-local ZX-Hamiltonian promise problem , with parameters and gap , is defined as follows. An instance is a local Hamiltonian

 H=∑ihiZi+∑iΔiXi+∑i

where each of is a real number such that the summation and each (resp. ) is a Pauli (resp. Pauli ) gate acting on the th qubit. For

, the smallest eigenvalue of

is at most , while if , the smallest eigenvalue of is at least .

Note that any Hamiltonian that is a linear combination of 2-local Pauli operators can be replaced by where . Furthermore, since , the gap of is

. We consider the rescaled Hamiltonian since we can then estimate the energy by sampling a local Pauli operator

with probability and performing or measurements, as in Protocol 1 below.

When working with Hamiltonian terms , we overload the notation for convenience. First, we write to denote the Pauli operator assigned by to qubit , so that . Second, we write to indicate that is a qubit index for which does not act as the identity, i.e., .

As mentioned above, the 2-local ZX Hamiltonian problem is -complete [BL08], and thus -hard. Morimae and Fitzsimons present a protocol (the “MF protocol”) with a quantum prover and a limited verifier, who only needs the ability to perform single-qubit and basis measurements [MF16]. In the MF protocol, under proper rescaling, we construct a Hamiltonian where the sum is over Pauli operators , , and is a distribution over Pauli operators. The prover prepares a quantum state and sends each qubit round by round to , so is not required to have large quantum memory. Then samples a term with probability and performs the corresponding measurement on the associated qubits. Since estimating the energy of can be done by performing or basis measurements for Pauli operator , is only required to be able to perform these measurements.

The Mahadev protocol [Mah18] (introduced in Section 2.4) builds upon the MF protocol and removes the need for to perform quantum measurements, thereby achieving purely classical verification. To understand this construction, we consider a version of the MF protocol in which sends the entire state at once, as in Protocol 1.

[Variant of the MF protocol]

and receive an instance of Problem 1, namely a Hamiltonian , where each

is a tensor product of

.

prepares a quantum state and sends it to .

samples a term with probability and performs the measurement on , getting an outcome . accepts if .

Since and , the success probability of the protocol with input state is

 ∑SpStr(M−mSρ) =1−∑spStr(Mmsρ)=1−tr(Hxρ). (4)

Assuming the completeness-soundness gap satisfies , it may be efficiently amplified by parallel repetition. Specifically, receives a quantum witness for copies of and samples local terms for each copy. By setting the acceptance threshold to , both the completeness error and the soundness error are suppressed to negligible with polynomial (cf. [Mah18, Theorem 8.4]). For a detailed proof of gap amplification, see [VW16, Section 3].

In the following discussion, the term is encoded by an -bit string : for each qubit , set for a basis measurement and for an basis measurement. For other qubits, set for concreteness. We let

 αh,ρ:=tr(M−mSρ) (5)

denote the success probability with when is sampled in Protocol 1.

### 2.4 The Mahadev protocol for BQP verification

We now describe the Mahadev protocol in detail, starting with the required cryptographic primitives.

#### Cryptographic primitives.

The protocol relies crucially on two special classes of functions: Noisy Trapdoor Claw-free Functions (NTCFs) and Noisy Trapdoor Injective Functions (NTIFs) . Both classes of functions are constructed based on the presumed hardness of the Learning with Errors (LWE) problem [BCMVV18, Mah18]. We now sketch the properties of these function families. For complete details, and for the LWE construction, see [BCMVV18]. Let be a security parameter and let be prime. Choose parameters , , and .

The NTCF family is a family of keyed functions

 fpk:{0,1}×X→DY (6)

which, on input a public key , a bit , and , outputs a distribution over . Each function satisfies the injective pair property: there exists a perfect matching such that if and only if .

The NTCF family is equipped with four polynomial-time algorithms , defined as follows.

1. , on input , outputs a secret-public key pair .

2. is a deterministic algorithm for checking if and form a preimage-image pair of . On input , outputs 1 iff .

3. is a deterministic algorithm for inverting the function . On input secret key , bit , and image , returns the preimage such that , or outputs if no such preimage exists.

4. is an efficient quantum process which, on input and , returns a quantum state negligibly close to

 1|X|1/2∑x∈X|b⟩|x⟩|ψfpk(b,x)⟩, (7)

where for distribution . By the injective pair property, we have if , or there exists such that or . This implies that the states in can be perfectly distinguished by performing a standard basis measurement. Thus, intuitively, we may consider an ideal version of these functions, i.e., the distribution is concentrated at a single point.

Similarly, the NTIF family is a family of keyed functions

 gpk:{0,1}×X→DY (8)

which, on input a public key , a bit , and , outputs a distribution over . Instead of the injective pair property of NTCFs, NTIFs satisfy an injectivity property: for all , An NTIF family is also equipped with a tuple of four polynomial-time algorithms , and these are defined exactly as in the NTCF case (but with in place of , and instead of .)

We remark that the states (7) prepared by and should be compared with the “idealized” state described in (1) in our initial sketch of the protocol.

#### The protocol.

The Mahadev protocol [Mah18] for verification allows to request an or basis measurement outcome without revealing the basis to . The aim of the protocol is to verify that the prover’s response, when appropriately decoded, is close to the measurement outcomes of some -qubit quantum state . Crucially, this guarantee will hold simultaneously for all basis choices , where denotes a basis measurement and denotes an basis measurement. With this guarantee, the verifier can then apply the verification procedure of the MF protocol to the decoded responses of the prover, knowing that this will correctly decide whether the instance should be accepted or rejected.

In the following protocol, for each qubit, if requests a basis measurement, then an NTIF key is sent; if requests an basis measurement, then an NTCF key is sent. Since and are identical, we denote them by Chk. Similarly, and are identical, so we denote them by Samp.

We now describe the protocol, as it takes place between an honest verifier and an honest prover .

Choose a security parameter . Both and receive an instance of Problem 1, namely .

samples a term and computes .

For each qubit , if , samples ; otherwise samples . sends to .

prepares the -qubit ground state of in register . For each qubit in , performs Samp on input the key coherently and yields a quantum state negligibly close to

 1|X|n/2∑x∈Xn∑b∈{0,1}nϕb|b⟩W|x⟩X|ψfpk(b,x)⟩Y, (9)

where , and . Next, measures and sends the outcome to .

responds with a uniformly random “challenge” bit . We call “test round” and “Hadamard round,” and set labels and .

If , measures in the computational basis. If , measures in the Hadamard basis. In either case, sends the measurement outcome to ;

In a test round, accepts if for each bit .

In a Hadamard round, performs the following:

1. For each qubit with , run . For each qubit with , run and to get both preimages. Then compute .

If any of the above the algorithms returns for any , or is trivial (e.g., , see [BCMVV18]), reject. Otherwise store as the witness to the next check.

2. Discard all the bits of but the ones specified in term . Accept if the witness satisfies (defined in Protocol 1).

The following is a paraphrase of the main result of [Mah18].

###### Theorem 4 (Theorems 1.1 and 8.6 in [Mah18]).

Protocol 2.4 is a four-message quantum-prover interactive argument for the class with completeness error . Under the hardness assumption, the soundness error of Protocol 2.4 is .

## 3 A parallel repetition theorem for the Mahadev protocol

In a -fold parallel repetition of Protocol 2.4, the honest prover runs the honest single-fold prover independently for each copy of the protocol, while the honest verifier runs the single-fold verifier independently for each copy, accepting if and only if all single-fold verifiers accept. The completeness error clearly remains negligible. We now analyze the soundness error and establish a parallel repetition theorem for the protocol.

In preparation, we fix the following notation related to the Verdict stage of Protocol 2.4. First, for each basis choice , the check is represented by a projection acting on registers . Specifically, this is the projector whose image is spanned by all inputs that are accepted by the verifier in the Verdict stage. Note that running Chk does not require the trapdoor , but the relation implicitly depends on it. Second, the two Hadamard round checks 1 and 2 are represented by projectors and , respectively. These two projectors commute since they are both diagonal in the standard basis. We define the overall Hadamard round projector .

### 3.1 A lemma for the single-copy protocol

We begin by showing an important fact about the single-copy protocol: the verifier’s accepting paths associated to the two challenges (denoted and for “test” and “Hadamard,” respectively) correspond to nearly orthogonal555Strictly speaking, the projectors are only nearly orthogonal when applied to states prepared by efficient provers. projectors. Moreover, in a certain sense this property holds even for input states that are adaptively manipulated by a dishonest prover after he has learned which challenge will take place. This fact is essential in our analysis of the parallel repetition of many copies in the following sections.

#### The setup.

As discussed in [Mah18], any prover can be characterized as follows. First, pick a state family ; this state is prepared on registers after receiving . Here is the register that will be measured in Round 2, and are the registers that will be measured in Round 4, and is the private workspace of . Then, choose two unitaries and to describe the Round 4 actions of before any measurements, in the test round and Hadamard round, respectively. Both and act on , but can only be classically controlled on , as they must be implemented after has measured and sent the result to the verifier. We will write , where it is implicit that is a family of states parameterized by .

At the end of the protocol, the registers will have been measured and given to the verifier. Recall that we can view the final actions of the verifier as applying one of two measurements: a test-round measurement, or a Hadamard-round measurement. Recall also that and denote the “accept” projectors for those two measurements, respectively. We now additionally define, for a given prover ,

 ΠUth,sk,t :=U†t(Πh,sk,t⊗1E)Ut, ΠUhh,sk,h :=U†h(HWXΠh,sk,hHWX⊗1E)Uh, (10)

where denotes the Hadamard transform on registers , i.e., the Hadamard gate applied to every qubit in those registers. These projectors have a natural interpretation: they describe the action of the two accepting projectors of the verifier on the initial state of the prover, taking into account the (adaptive) attacks the prover will make in Round 4.

#### A key lemma.

We now prove a fact about the single-copy protocol. The proof is largely a matter of making some observations about the results from [Mah18], and then combining them in the right way.

Recall that, for any instance of the ZX-Hamiltonian problem (Problem 1), Protocol 2.4 begins with the verifier making a measurement basis choice for all the qubits. After interacting with a prover , the verifier either rejects or produces a candidate measurement outcome, which is then tested as in the MF protocol (Protocol 1). We let denote the distribution of this candidate measurement outcome for a prover and basis choice , averaged over all measurements and randomness of and . It is useful to compare with an “ideal” distribution obtained by simply measuring some -qubit quantum state (a candidate ground state) according to the basis choices specified by , with no protocol involved.

###### Lemma 5.

Let be a prover in the Mahadev protocol such that, for every ,

 Esk[⟨Ψpk|ΠUth,sk,t|Ψpk⟩]≥1−negl(n). (11)

Then there exists an efficiently preparable -qubit quantum state such that, for every ,

 Esk[⟨Ψpk|ΠUhh,sk,h|Ψpk⟩]≤αh,ρ+negl(n), (12)

where (defined in (5)) is the success probability in the MF protocol with basis choice and quantum state .

###### Proof.

Up to negligible terms, (11) means that is what Mahadev calls a perfect prover. She establishes two results ([Mah18, Claim 7.3] and [Mah18, Claim 5.7]) which, when taken together, directly imply the following fact about perfect provers. For every perfect prover , there exists an efficiently preparable quantum state such that is computationally indistinguishable from for all basis choices . In particular, the proof is obtained in two steps. First, for every perfect prover, there exists a nearby “trivial prover” whose attack in a Hadamard round commutes with standard basis measurement on the committed state [Mah18, Claim 5.7]. Second, for every trivial prover, the distribution is computationally indistinguishable from measuring a consistent quantum state in any basis [Mah18, Claim 7.3]. Technically, Mahadev shows this for exactly perfect provers, but her proofs have straightforward relaxations to our “negligibly-far-from-perfect” case.

Now consider two ways of producing a final accept/reject output of the verifier. In the first case, an output is sampled from the distribution and the verifier applies the final checks in the Mahadev protocol. In this case, the final outcome is obtained by performing the measurement on the state , and accepting if the first outcome is observed. In the second case, an output is sampled from the distribution and the verifier applies the final checks in the MF protocol. In this case, the acceptance probability is simply by definition. The result then follows directly. ∎

We remark that Lemma 5 has the following interpretation in the soundness experiment. For soundness, we are dealing with a NO instance, which implies that there is no ground state which succeeds non-negligibly in the MF protocol. By the Lemma, for perfect provers the averaged projection is then negligible. It follows that provers who succeed almost perfectly in the test round must almost certainly fail in the Hadamard round. We emphasize that this is the case even though the prover can adaptively change their state (by applying or ) after learning which round will take place. This formalizes the intuitive claim we made at the beginning of the section about “adaptive orthogonality” of the two acceptance projectors corresponding to the two round types.

### 3.2 The parallel repetition theorem

#### Characterization of a prover in the k-fold protocol.

We now discuss the behavior of a general prover in a -fold protocol. We redefine some notation we already used in the single-copy setting. Let be the verifier and an arbitrary prover in the -fold protocol.

In Round 1, selects terms of the instance and records the corresponding basis choices . Then samples key pairs , where each is an -tuple of key pairs selected according to . Then sends to the prover in register .

In Round 2, without loss of generality, the action of prior to measurement is to apply a unitary to the input state . Each of is now a -tuple of registers, and is the prover’s workspace. To generate the “commitment” message to , performs standard basis measurement on . We write . When the measurement outcome is , the side state holds is then . In the following analysis of the success probability of , we consider the superposition instead of a classical mixture of the states using the principle of deferred measurement.

In Round 3, after receiving the commitment from the prover, sends challenge coins . For the remainder of the protocol, we take the following point of view. We assume that and share access to a register whose state is fixed forever to be the standard basis state . This is clearly equivalent to the real situation, as there measured and committed to the outcome by sending it to .

In Round 4, without loss of generality, the action of consists of a general operation (that can depend on ), followed by the honest action. The general operation is some efficiently implementable unitary on . The honest action is measurement in the appropriate basis, i.e., for each , is measured in the standard basis (if ) or the Hadamard basis (if ). Equivalently, the honest action is (i.) apply , i.e., for each apply a Hadamard to every qubit of , and then (ii.) apply standard basis measurement.

In the Verdict stage, the verifier first applies for each coordinate the two-outcome measurement corresponding to the from the single-copy protocol. The overall decision is then to accept if the measurements in every coordinate accept. We let

 (Πh,sk,c)WXY:=k⨂i=1(Πhi,ski,ci)WiXiYi (13)

denote the corresponding acceptance projector for the entire -copy protocol. The effective measurement on is then described by the projection

 (ΠUch,sk,c)WXYE:=(U†c)WXYE(HcΠh,sk,c,yHc⊗1E)(Uc)WXYE. (14)

The success probability of , which is characterized by the state and family of unitaries , is thus

 Eh,sk,c[⟨Ψpk|ΠUch,sk,c|Ψpk⟩]. (15)

#### The proof.

Recall that Lemma 5 states that the projectors corresponding to the two challenges in the single-copy Protocol 2.4 are nearly orthogonal, even when one takes into account the prover’s adaptively applied unitaries. We show that this property persists in the -copy protocol. Specifically, we show that all challenges are nearly orthogonal (in the same sense as in Lemma 5) with respect to any state and any post-commitment unitaries of the prover.

This can be explained informally as follows. For any two distinct challenges , there exists a coordinate such that , meaning that one enters a test round in that coordinate while the other enters a Hadamard round. In coordinate , by the single-copy result (Lemma 5), the prover who succeeds with one challenge should fail with the other. A complication is that, since we are dealing with an interactive argument, we must show that a violation of this claim leads to an efficient single-copy prover that violates the single-copy result. Once we have shown this, we can then apply it to any distinct challenge pairs . It then follows that we may (approximately) decompose into components accepted in each challenge, each of which occurs with probability . We can then use this decomposition to express the overall success probability of in terms of this decomposition. As is of course a normalized state, it will follow that the overall soundness error is negligibly close to .

The “adaptive orthogonality” discussed above is formalized in the following lemma. Recall that any prover in the -fold parallel repetition of the Mahadev protocol can be characterized by a state family that is prepared in Round 2 and a family of unitaries that are applied in Round 4.

###### Lemma 6 (Adaptive orthogonality lemma).

Let be a prover in the -fold parallel repetition of the Mahadev protocol that prepares in Round 2 and performs in Round 4. Let such that and choose such that . Then there exists an -qubit quantum state such that for every basis choice ,

 Esk[⟨Ψpk|ΠUbh,sk,bΠUah,sk,a+ΠUah,sk,aΠUbh,sk,b|Ψpk⟩]≤2α1/2hi,ρ+negl(n), (16)

where (defined in (5)) is the success probability with in the MF protocol conditioned on the event that is sampled.

###### Proof.

Since we are proving an upper bound for a quantity that is symmetric under the interchange of and , we can assume that and without loss of generality.

We first claim that there exists a quantum state such that

 Esk[⟨Ψpk|ΠUbh,sk,bΠUah,sk,aΠUbh,sk,b|Ψpk⟩]≤αhi,ρ+negl(n) (17)

for all basis choices . For a contradiction, suppose that is not the case. Then there exists a basis choice and a polynomial such that for every state ,

 Esk[⟨Ψpk|ΠUbh∗,sk,bΠUah∗,sk,aΠUbh∗,sk,b|Ψpk⟩]>αh∗i,ρ+1/r(n). (18)

We show that this implies the existence of an efficient prover for the single-copy Mahadev protocol who violates Lemma 5. Define the following projector on :

 Σa:=U†a(Ha⊗1E)((1⊗⋯⊗1⊗Π⊗1⊗⋯⊗1)⊗1E)(Ha⊗1E)Ua. (19)

Here denotes the single-copy protocol acceptance projector for the Hadamard round, with key and basis choice . In the above, acts on the th set of registers, i.e., . The projector corresponds to performing the appropriate Hadamard test in the th protocol copy, and simply accepting all other copies unconditionally. It follows that , and we thus have

 Esk[⟨Ψpk|ΠUbh∗,sk,bΣaΠUbh∗,sk,b|Ψpk⟩]≥Esk[⟨Ψpk|ΠUbh∗,sk,bΠUah∗,sk,aΠUbh∗,sk,b|Ψpk⟩]>αh∗i,ρ+1/r. (20)

The single-copy prover interacts with the single-copy verifier as follows.

• In Round 1, after receiving the public key of , initialize internally simulated verifiers, and set to be the list of their keys, with inserted in the th position. Let be the basis choices, and note that all but are known to .

• Using the algorithms of , perform the following repeat-until-success (RUS) procedure for at most steps.

1. Prepare the state on registers , and then apply the unitary .

2. Apply the measurement determined by (defined in (13)); for index we can use because ; for the rest we know the secret keys.

3. If the measurement rejects, go to step (1.), and otherwise apply and output the state.

If the RUS procedure does not terminate within steps, then