Parallelization, amplification, and exponential time simulation of quantum interactive proof systems

In this paper we consider quantum interactive proof systems, which are interactive proof systems in which the prover and verifier may perform quantum computations and exchange quantum information. We prove that any polynomial-round quan tum interactive proof system with two-sided bounded error can be parallelized to a quantum interactive proof system with exponentially small one-sided error in which the prover and verifier exchange only 3 messages. This yields a simplified proof that PSPACE has 3-message quantum interactive proof systems. We also prove that any language having a quantum interactive proof system can be decided in deterministic exponential time, implying that single-prover quantum interactive proof systems are strictly less powerful than multiple-prover classical interactive proof systems unless EXP -NEXP. 1. I N T R O D U C T I O N Interactive proof systems were introduced by Babai [3] and Goldwasser, Micali, and Rackoff [17] in 1985. In the same year, Deutsch [10] gave the first formal t reatment of quantum computation. Since then, both subjects have received a great deal of at tention and have generated a number of exciting results, perhaps most notably the IP ---PSPACE characterization of Lund, Fortnow, Karloff, and Nisan [25] and Shamir [26], and the polynomial-time quan tum algorithms for factoring and discrete logarithms due to Shor [28]. In this paper we consider quantum interactive proof systems, which merge notions from these two subjects. A quantum interactive proof system consists of two par t ies -a prover with unbounded quantum computational power and a quantum polynomiai-time verifier--that communicate through a *Microsoft Research, One Microsoft Way, Redmond, WA 98052, e-mail: kitaev(~microsoft.com. On leave from L.D. Landau Insti tute for Theoretical Physics tDepar tment of Computer Science, University of Calgary, 2500 University Drive NW, Calgary (Alberta), Canada T2N 1N4, e-mail: jwatrous@cpsc.ucalgary.ca. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the lull citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. STOC 2000 Portland Oregon USA Copyright ACM 2000 1-58113 184-4/00/5...$5.00 quantum channel. As in the case of classical interactive proof systems, the prover at tempts to prove to the verifier that a given input string satisfies some specified property, while the verifier tries to determine the validity of this proof. A language L is said. to have a quantum interactive proofsystem if there exists a quantum verifier V such that (i) there exists a quan tum prover P that can always convince V to accept when the input is in L, and (ii) no quan tum prover P can convince V to accept with nonnegligible probability when the input is not in L. Quantum interactive proof systems were first studied in a paper by one of us [30], wherein it was shown that every PSPACE language has a quantum interactive proof system, with exponentially small one-sided error, in which the prover and verifier exchange a total of only 3 messages. This implies that any classical interactive proof system can be parallelized to require just 3 messages in the quantum setting, which is a task that cannot be accomplished classically unless the polynomial-time hierarchy collapses to AM [3; 18]. In this paper we prove the following stronger result: any quantum interactive proof system can be parallelized to a 3-message quan tum protocol with exponentially small onesided error. In order to achieve exponentially small error in the 3-message case, we prove the somewhat surprising fact that entanglement among parallel repetitions of a 3message quantum interactive proof system gives a cheating prover absolutely no increase in success probability. Our result simplifies the proof that PSPACE has 3-message quantum interactive proof systems, in the sense that it treats any classical protocol for a given PSPACE language as a black-box. While (single-prover) classical interactive proof systems recognize precisely those languages in PSPACE, it was shown by Babai, Fortnow, and Lund [4] that any language in nondeterministic exponential time (NEXP) has a two-prover interactive proof system, wherein the two provers are not permitted to communicate with one another during the protocol. A sequence of papers [9; 13; 24] led to a result of Feige and Lov~sz [14] that any language in NEXP has a two-prover interactive proof system requiring just one round of communication (meaning that the verifier sends one question to each of the provers in parallel, then receives their responses). A natural question to ask is whether NEXP has single-prover quantum interactive proof systems, or equivalently whether single-prover quantum interactive proof systems can simulate multiple classical provers. We show that this is not likely to be the case, as any language having a quantum interactive proof system is necessarily contained in determin-