Quantum Information and the
PCP Theorem
Ran Raz
Weizmann Institute
PCP Thm [BFL,FGLSS,AS,ALMSS]:
x 2 SAT can be proved by a polysize proof that can be verified by
reading only O(1) of its bits
PCP Thm [BFL,FGLSS,AS,ALMSS]:
x 2 SAT can be proved by poly(n)
blocks of length O(1) that can be
verified by reading only 2 blocks
Same with one block is impossible
(under hardness assumptions)
even if each block is of almost
linear size
x 2 SAT can be proved by
1) a log-size quantum state |i and
2) a classical proof p of poly(n)
blocks of length polylog each
s.t., after measuring |i the
verifier needs to read only one
block of p
Part I:
The Information of a Quantum
State
Information of a Quantum State:
A quantum state |i of n qubits is
described by 2n complex numbers.
However, a measurement only gives
n bits of information about |i
(and the rest is lost)
How much of the information in |i
can be used ?
Holevo’s Theorem (1973):
If Bob encodes a1,..,an by |i s.t.
Alice can retrieve a1,..,an from |i
then |i is a state of ¸ n qubits.
If Alice retrieves each bit ai with
prob 1- then |i is a state of ¸
[1-H()]¢n qubits
We can’t communicate n bits by
sending less than n qubits
ANTV-Nayak’s Theorem (1999):
If Bob encodes a1,..,an by |i s.t.
8 i Alice can retrieve ai from |i
then |i is a state of ¸ n qubits.
If Alice can retrieve each bit ai
with prob 1- then |i is a state
of ¸ [1-H()]¢n qubits
Holevo’s: Alice retrieves a1,..,an
Nayak’s: Alice retrieves only one ai
(of her choice)
Our Result:
Bob can encode N=2n bits a1,..,aN
by a state |i of O(n) qubits, s.t.
8 i, ai can be retrieved from |i
by a (one round) Arthur-Merlin
interactive protocol of size poly(n)
(with a third party, Merlin)
(classical messages)
(polynomially small error)
Retrieving ai from |i:
Alice measures |i (gets result e)
and sends a question q=q(i,e)
Merlin answers by r.
Alice computes V(i,e,r) 2 {0,1,err}
Completeness: 8i,q 9 r, V(i,e,r) = ai
Soundness: 8i,q,r, V(i,e,r)2 {ai,err}
(with high probability)
(q,r are poly(n) classical bits)
Retrieving ai from |i:
Alice measures |i (gets result e)
and sends a question q=q(i,e)
Merlin answers by r.
Alice computes V(i,e,r) 2 {0,1,err}
Completeness: 8i,q 9 r, V(i,e,r) = ai
Soundness: 8i,q,r, V(i,e,r)2 {ai,err}
(with high probability)
(q,r are poly(n) classical bits)
Bob is trustworthy (|i is correct)
Merlin knows a1,..,aN
More Generally:
1) Any constant number of
elements from a1,..,aN can be
retrieved in the same way, by a
protocol of size poly(n)
2) Any k elements can be retrieved
by a protocol of size k¢poly(n)
3) Each ai can be 2 {1,..,N}
A Dequantumized Protocol:
|i is not needed:
Bob can send a (poly-size) random
secret classical string ,
If Merlin doesn’t know
The protocol works as before
Part II:
The Retrieval Protocol
Multilinear Extension:
Given a0,..,aN (N=2n-1)
F = field of size n2
A: Fn ! F, s.t.:
1) 8 i 2 {0,1}n, A(i) = ai
2) A is multilinear (deg(A) · n)
Quantum Multilinear Extension:
A= multilinear extension of a0,..,aN
1) |i is a state of poly(n) qubits
2) When Alice measures |i, she
gets z,A(z) for a random z 2 Fn
(Merlin doesn’t know z)
Retrieving A(i):
Alice knows A(z) and wants A(i)
l = the line through i,z (in Fn)
Al : l ! F = restriction of A to l
(deg(Al) · n)
The Protocol:
Alice sends l, Merlin is required to
give Al : l ! F. Merlin answers by
g : l ! F (deg(g) · n)
If g(z) Al(z) Alice rejects
Otherwise, Alice assumes A(i)=g(i)
If g Al then w.h.p. g(z) Al(z)
(since both are low degree)
Otherwise, A(i) is correct
A Dequantumized Protocol:
|i is not needed:
Bob can send z,A(z), for a random
z 2 Fn (s.t., Merlin doesn’t know z)
The protocol works as before
Part III:
The Exceptional Power of
QIP/qpoly
The Class QIP/qpoly:
IP: [B][GMR] x 2 L can be proved
by a poly-size interactive proof
QIP: [Wat] x 2 L can be proved by
a poly-size quantum interactive
proof
QIP/qpoly: x 2 L can be proved by
a poly-size quantum interactive
proof with poly-size quantum
advice
Quantum Advice:
(captures quantum non-uniformity)
A (poly-size) quantum state |L,ni
given to the verifier as an advice
Alternatively, the verifier is a
quantum circuit with working space
initiated with |L,ni
[NY],[Aar]: Limitations on BQP/qpoly
QIP/qpoly:
QIP/qpoly: x 2 L can be proved by
a poly-size interactive proof where
the verifier is a poly-size quantum
circuit with working space initiated
with an arbitrary state |L,ni
Our Result:
QIP/qpoly contains all languages
Proof:
Denote ai 2 {0,1}, ai =1 iff i 2 L
|L,ni = the quantum multilinear
extension of a0,..,aN (N=2n-1)
ai can be retrieved from |L,ni by
Arthur-Merlin interactive protocol
of size poly(n)
(one round, classical communication)
Randomized Advice:
A (poly-size) random string ,
chosen from a distribution DL,n, and
given to the verifier as an advice
Alternatively, the verifier is a
distribution over poly-size classical
circuits
Randomized Advice:
A (poly-size) random string ,
chosen from a distribution DL,n, and
given to the verifier as an advice
Alternatively, the verifier is a
distribution over poly-size classical
circuits
IP/rpoly: x 2 L can be proved by
a poly-size interactive proof where
the verifier is a distribution over
poly-size classical circuits
IP/rpoly contains all languages
Part IV:
Quantum Versions of the
PCP Theorem
PCP Thm [BFL,FGLSS,AS,ALMSS]:
x 2 SAT can be proved by a polysize proof that can be verified by
reading only O(1) of its bits
PCP Thm [BFL,FGLSS,AS,ALMSS]:
x 2 SAT can be proved by poly(n)
blocks of length O(1) that can be
verified by reading only 2 blocks
Same with one block is impossible
(under hardness assumptions)
even if each block is of almost
linear size
We Show:
x 2 SAT can be proved by
1) a log-size quantum state |i and
2) a classical proof p of poly(n)
blocks of length polylog each
s.t., after measuring |i the
verifier needs to read only one
block of p
We Show:
x 2 SAT can be proved by
1) a log-size quantum state |i and
2) a classical proof p of poly(n) blocks of length
polylog each
s.t., after measuring |i the
verifier needs to read only one
block of p
Naive Attempt:
a1,..,aN = classical PCP (N=poly(n))
|i = quantum multilinear extension
of a1,..,aN O(log N) qubits
p = Merlin’s answers in the
retrieval protocol
The verifier retrieves a
constant number of bits
by reading one block
Problem:
The verifier can’t trust that |i is
a quantum multilinear extension
In the settings of communication or
quantum advice, the verifier could
trust that |i is correct. In the
setting of PCP, |i can be anything
e.g. |i is concentrated on a point
Quantum Low Degree Test:
The verifier checks that |i is a
quantum encoding of a low degree
polynomial. This is done with the
aid of the classical proof
(or equivalently, a classical prover)
Problem:
We are only allowed one query
How can we do both:
quantum low degree test and
retrieval of bits
We combine the two tasks using
ideas from [DFKRS]
Part V:
Scaling up to NEXP
Our Result (for L 2 NEXP):
x 2 L can be proved by
1) a poly-size quantum state |i
2) a classical proof p of exp(n)
blocks of length poly each
s.t., after measuring |i the
verifier needs to read only one
block of p
Our Result (for L 2 NEXP):
x 2 L can be proved by
1) a poly-size quantum state |i
2) a classical proof p of exp(n) blocks of length poly
each
s.t., after measuring |i the
verifier needs to read only one
block of p
Alternatively (for L 2 NEXP):
x 2 L has a 3 messages (MAM)
interactive proof, where the prover
is quantum in round 1 and classical
in round 2:
1) Prover sends |i
2) Verifier sends q
3) Prover answers p(q)
Models of 3 Messages Proofs:
IP(3): prover is classical
QIP(3): prover is quantum
The hybrid model:
HIP(3): prover is quantum in first
round and classical in second
Models of 3 Messages Proofs:
IP(3): prover is classical
QIP(3): prover is quantum
The hybrid model:
HIP(3): prover is quantum in first round and classical
in second
IP(3) µ IP
µ PSPACE
QIP(3) µ QIP µ EXP
Our result:
HIP(3) = NEXP
[KW]
Why the prover in our protocol
can’t be quantum in both rounds ?
A quantum prover can answer in
round 2, based on a measurement
of a state entangled to the state
given in round 1
(fancy version of the EPR paradox)
The End
© Copyright 2026 Paperzz