1: \documentclass[11pt]{article}
2:
3: \usepackage{amsfonts}
4: \usepackage{amssymb}
5: \usepackage{amsmath}
6: \usepackage{graphicx}
7:
8: \setlength{\textheight}{8.75in}
9: \setlength{\textwidth}{6.5in}
10: \setlength{\topmargin}{0in}
11: \setlength{\headheight}{0.0in}
12: \setlength{\headsep}{0.0in}
13: \setlength{\oddsidemargin}{0in}
14: \setlength{\evensidemargin}{0in}
15:
16: % Dirac notation:
17: \newcommand{\ket}[1]{|#1\rangle}
18: \newcommand{\bigket}[1]{\left|#1\right\rangle}
19: \newcommand{\bra}[1]{\langle #1|}
20: \newcommand{\bigbra}[1]{\left\langle #1\right|}
21: \newcommand{\bracket}[2]{\langle #1|#2\rangle}
22:
23: % Environments and commands:
24: \newcommand{\op}[1]{\operatorname{#1}}
25: \def \qed {\hfill \rule{0.2cm}{0.2cm}\vspace{3mm}}
26: \newenvironment{mylist}[1]
27: {\begin{list}{}{\setlength{\leftmargin}{#1}
28: \setlength{\rightmargin}{0.0cm}\setlength{\labelsep}{1.3mm}
29: \setlength{\labelwidth}{0.8cm}\setlength{\itemsep}{0.2cm}}}
30: {\end{list}}
31: \newcommand{\inpar}[3]{
32: \setlength{\twidth}{\textwidth}
33: \addtolength{\twidth}{-#1}
34: \rule{#1}{0mm}\parbox{\twidth}{#3}\\[#2]}
35: \newtheorem{theorem}{Theorem}
36: \newtheorem{lemma}[theorem]{Lemma}
37: \newtheorem{cor}[theorem]{Corollary}
38: \newtheorem{prop}[theorem]{Proposition}
39: \newtheorem{definition}{Definition}
40:
41: \begin{document}
42:
43: \title{\Large\bf Succinct quantum proofs for properties of finite
44: groups\thanks{Research partially supported by Canada's NSERC.}
45: }
46:
47: \author{
48: John Watrous\\
49: Department of Computer Science\\
50: University of Calgary\\
51: Calgary, Alberta, Canada\\
52: jwatrous@cpsc.ucalgary.ca}
53:
54: \maketitle
55: \thispagestyle{empty}
56:
57: \begin{abstract}\rm
58: In this paper we consider a quantum computational variant of
59: nondeterminism based on the notion of a {\em quantum proof}, which is a
60: quantum state that plays a role similar to a certificate in an NP-type proof.
61: Specifically, we consider quantum proofs for properties of
62: {\em black-box groups}, which are finite groups whose elements
63: are encoded as strings of a given length and whose group operations are
64: performed by a {\em group oracle}.
65: We prove that for an arbitrary group oracle there exist succinct
66: (polynomial-length) quantum proofs for the Group Non-Membership problem
67: that can be checked with small error in polynomial time on a quantum computer.
68: Classically this is impossible---it is proved that there exists a group
69: oracle relative to which this problem does not have succinct proofs that can
70: be checked classically with bounded error in polynomial time (i.e., the
71: problem is not in MA relative to the group oracle constructed).
72: By considering a certain subproblem of the Group Non-Membership problem we
73: obtain a simple proof that there exists an oracle relative to which BQP is not
74: contained in MA.
75: Finally, we show that quantum proofs for non-membership and classical proofs
76: for various other group properties can be combined to yield succinct
77: quantum proofs for other group properties not having succinct proofs in the
78: classical setting, such as verifying that a number divides the order of
79: a group and verifying that a group is not a simple group.
80: \end{abstract}
81:
82: %=============================================================================%
83:
84: \section{Introduction}
85: \label{sec:introduction}
86:
87: \noindent
88: There are several equivalent ways to view nondeterminism in the classical
89: setting that apparently yield inequivalent notions in the quantum setting.
90: Two such ways are as follows.
91:
92: First, we may view a nondeterministic process as a probabilistic process,
93: and consider whether the resulting process has zero or nonzero probability of
94: success.
95: Along these lines, Adleman, DeMarrais, and Huang~\cite{AdlemanD+97} and Fenner,
96: Green, Homer, and Pruim~\cite{FennerG+99} have defined QNP to be
97: the class of languages $L$ for which there exist polynomial time quantum Turing
98: machines that accept with nonzero probability if and only if the input is in
99: $L$.
100: This class coincides with the counting class $\op{co-C}_=\op{P}$
101: \cite{FennerG+99, FortnowR99}.
102: This notion of quantum nondeterminism has also been investigated recently
103: in the context of communication complexity and query complexity by de~Wolf
104: \cite{deWolf00}.
105:
106: Second, we may view nondeterminism as it relates to verification.
107: A common way to view NP is that NP is the class of languages consisting of
108: those strings for which there exist polynomial-length proofs of membership
109: that can be checked in polynomial time, and one may extend this viewpoint to
110: the quantum setting in several ways.
111: For instance, we may consider {\em quantum proofs} (or {\em quantum
112: certificates}), which are quantum states that certify membership of strings in
113: given languages, or we may consider ordinary (classical) certificates that are
114: checked by polynomial-time quantum computers.
115: In each case we may consider various constraints on the error allowed by the
116: quantum checking procedure.
117:
118: In this paper, we investigate the second way of viewing nondeterminism in the
119: quantum setting.
120: We will restrict our attention to the case where certificates may be quantum
121: and the polynomial-time quantum verification procedure may operate with
122: (two-sided) bounded error.
123: Thus, this version of ``quantum NP'' represents the quantum generalization of
124: the class MA (based on the Arthur-Merlin games of
125: Babai~\cite{Babai85,BabaiM88}), and for this reason we will call the resulting
126: class QMA.
127: This notion of quantum nondeterminism was apparently first discussed by
128: Knill~\cite{Knill96}, and was later studied by Kitaev~\cite{Kitaev99}
129: (who instead referred to the class we call QMA as BQNP).
130: Kitaev proved $\op{QMA}\subseteq\op{P}^{\#P}$, and we claim that the technique
131: based on GapP functions used by Fortnow and Rogers~\cite{FortnowR99} to prove
132: $\op{BQP}\subseteq\op{PP}$ may be extended to prove $\op{QMA}\subseteq\op{PP}$
133: (this result was obtained jointly by A.~Kitaev and the present author).
134: One may also view QMA as a class that results by considering (two-sided error)
135: one-message quantum interactive proof systems
136: \cite{KitaevW00, Watrous99-qip-focs}, in which there is really no interaction
137: since only one message is sent.
138:
139: Our main focus is on the power of QMA in the context of {\em black-box groups}.
140: Of particular interest to us is the Group Non-Membership problem, which may be
141: stated as follows:
142:
143: \begin{center}
144: \underline{Group Non-Membership (GNM)}\\[2mm]
145: \begin{tabular}{ll}
146: Instance: & Group elements $g_1,\ldots,g_k$ and $h$ in some finite group $G$.\\
147: Question: & Is $h$ outside the group generated by $g_1,\ldots,g_k$
148: (i.e., is $h\not\in\langle g_1,\ldots,g_k\rangle$)?
149: \end{tabular}
150: \end{center}
151: The statement of this problem mentions neither the particular representation
152: of group elements used nor the underlying group or groups.
153: While it is interesting to consider this problem in the case that the group
154: elements are represented in some natural way (e.g., by invertible matrices
155: over a finite field), we will consider the case that group elements are
156: uniquely represented in some arbitrary way by strings, and that we have at our
157: disposal some oracle $B$ (known as a group oracle) that performs group
158: operations for us (with each operation requiring a single step).
159: In this setting, we assume nothing can be learned about group elements by
160: examining their representative strings except whether or not two elements are
161: distinct.
162: For each $n\in\mathbb{N}$ there will correspond a group consisting of some
163: subset of the length $n$ strings; this group will be denoted $B_n$ and is
164: called a {\em black-box} group.
165: Black-box groups were first considered by Babai and
166: Szemer\'edi~\cite{BabaiS84}, and have since been studied in several works
167: \cite{ArvindV97,Babai91,Babai92,Babai97,BabaiB99}.
168: Further details regarding black-box groups will be discussed in the next
169: section.
170:
171: For a given group oracle $B$ we let $\op{GNM}(B)$ be the language consisting
172: of all positive instances of the Group Non-Membership problem relative to $B$.
173: By the Reachability Theorem of Babai and Szemer\'edi~\cite{BabaiS84}
174: it follows that $\op{GNM}(B)\in\op{co-NP}^B$ for any group oracle $B$.
175: Furthermore, Babai \cite{Babai91, Babai92} proved that
176: $\op{GNM}(B)\in\op{AM}^B$ for any group oracle $B$, while there exist choices
177: for the group oracle $B$ such that $\op{GNM}(B)\not\in\op{BPP}^B$ and
178: \mbox{$\op{GNM}(B)\not\in\op{NP}^B$}.
179: In Section~\ref{sec:oracle} we extend this result slightly by constructing a
180: group oracle $B$ such that \mbox{$\op{GNM}(B)\not\in\op{MA}^B$}.
181:
182: In contrast to the fact that $\op{GNM}(B)\not\in\op{MA}^B$ for some choices of
183: the group oracle $B$, we prove that $\op{GNM}(B)\in\op{QMA}^B$ for any group
184: oracle $B$.
185: Thus, for any black-box group $G$ and elements $h,g_1,\ldots,g_k\in G$, there
186: exists a polynomial-length quantum proof that $h$ is not in the
187: group generated by $g_1,\ldots,g_k$.
188: This fact is proved in Section~\ref{sec:non-membership}.
189: Naturally, a similar result holds in case group elements are represented in
190: any way that allows the group oracle to be replaced by a polynomial-time
191: computation, such as matrix groups over a finite field.
192: For such groups it is not known if GNM is in MA, although Babai~\cite{Babai92}
193: conjectures that in fact $\op{GNM}\in\op{NP}\cap\op{co-NP}$ in this restricted
194: case.
195: This conjecture is based on presently unproved conjectures relating to the
196: classification of finite simple groups.
197: A polynomial-time algorithm is known for permutation groups~\cite{Sims70}.
198:
199: In certain limited cases it is possible to solve GNM in quantum polynomial
200: time without the help of a certificate, such as when $k=1$ in the statement
201: of the GNM problem.
202: The oracle $B$ we construct in Section~\ref{sec:oracle} in fact puts
203: $\op{GNM}(B)$ outside of $\op{MA}^B$ for this special case, and therefore
204: gives an oracle relative to which $\op{BQP}\not\subseteq\op{MA}$.
205: Bernstein and Vazirani \cite{BernsteinV93} claimed a stronger result
206: (specifically that there exists an oracle relative to which
207: $\op{EQP}\not\subseteq\op{MA}$), but the proof has not yet appeared.
208:
209: Quantum proofs for group non-membership may be used to devise quantum
210: proofs for other group problems.
211: Several such problems, including the problem of testing whether a given number
212: divides the order of a group, testing that one group is a proper subgroup of
213: another, and testing that a given group is not a simple group, are
214: mentioned in Section~\ref{sec:other}.
215:
216: %=============================================================================%
217:
218: \section{Definitions}
219: \label{sec:definitions}
220:
221: \noindent
222: In this section we define the class QMA and discuss black-box groups in the
223: context of quantum circuits.
224: We assume the reader is familiar with the quantum circuit model, and with
225: basic notions from complexity theory and group theory.
226: For a detailed discussion of quantum circuits see Kitaev \cite{Kitaev97}.
227: (Readers not familiar with quantum computation may find the more introductory
228: papers of Berthiaume \cite{Berthiaume97} and Cleve \cite{Cleve99} helpful as
229: well.)
230: See, for example, Balc\'{a}zar, D\'{i}az, and Gabarr\'{o}
231: \cite{BalcazarG+88,BalcazarG+90} for background on complexity theory and, for
232: example, Isaacs~\cite{Isaacs94} for background on group theory.
233:
234: Let us begin by making clear our assumptions regarding uniformity of quantum
235: circuits.
236: A family $\{Q_x\}$ of quantum circuits is said to be {\em polynomial-time
237: uniformly generated} if there exists a deterministic procedure that, on input
238: $x$, outputs a description of $Q_x$ and runs in time polynomial in $|x|$.
239: (For simplicity we assume all input strings are over the alphabet
240: $\Sigma = \{0,1\}$.)
241: It is assumed that the circuits in such a family are composed of gates in
242: some reasonable, universal, finite set of quantum gates (for instance, the
243: {\em standard basis} discussed by Kitaev \cite{Kitaev97} or the {\em Shor
244: basis} discussed by Boykin et~al.~\cite{BoykinM+99}).
245: In addition the circuits may include oracle gates as discussed below.
246: Furthermore, it is assumed that the size of any circuit in such a family is not
247: more than the length of that circuit's description (i.e., no compact
248: descriptions of large circuits are allowed), so that $Q_x$ must have size
249: polynomial in $|x|$.
250: To make matters simple when dealing with oracle gates below, we define the
251: size of a quantum circuit to be the number of gates in the circuit plus the
252: number of qubits upon which the circuit acts.
253:
254: When we describe quantum circuits, we do so in a high-level manner that
255: may suggest that measurements are taking place at various times during the
256: circuit's computation; such measurements, however, do not occur and are
257: assumed to be simulated in the sense described by Aharonov, Kitaev, and
258: Nisan~\cite{AharonovK+98}.
259:
260: For each circuit $Q_x$, some number of the qubits upon which $Q_x$ acts are
261: specified as {\em input qubits}, and all other qubits are {\em ancilla qubits}.
262: The input qubits are assumed to be initialized in some specified input state
263: $\ket{\psi}$, while all ancilla qubits are initialized to the $\ket{0}$ state.
264: One of the qubits is also specified as the {\em output qubit} and is assumed
265: to be observed after the circuit has been applied.
266: The probability that $Q_x$ accepts $\ket{\psi}$ is defined to be the
267: probability that an observation of the output qubit (in the
268: $\{\ket{0},\ket{1}\}$ basis) yields 1, given that the input qubits are
269: initially set to~$\ket{\psi}$.
270:
271: We now define the class QMA as follows.
272: \begin{definition}\em
273: A language $A\subseteq\Sigma^{\ast}$ is in QMA if there exists a
274: polynomial-time uniformly generated family of quantum circuits
275: $\{Q_x\}_{x\in\Sigma^{\ast}}$ such that
276: (i)~if $x\in A$ then there exists a quantum state $\ket{\psi}$ such that
277: $\op{Pr}[\mbox{$Q_x$ accepts $\ket{\psi}$}] > 2/3$, and (ii)~if $x\not\in A$
278: then for all quantum states $\ket{\psi}$, $\op{Pr}[\mbox{$Q_x$ accepts
279: $\ket{\psi}$}] < 1/3$.
280: \end{definition}
281: Note that the circuit $Q_x$ does not take $x$ as an input, but rather the
282: procedure that produces the description of $Q_x$ takes $x$ as input---the
283: input $\ket{\psi}$
284: to a given circuit $Q_x$ corresponds to a quantum certificate that purportedly
285: proves the property that $x\in A$.
286: Information regarding $x$ may of course be ``hard-coded'' into $Q_x$, however,
287: which eliminates the need for inputting $x$.
288: It should be noted that the class QMA would not change if the definition was
289: such that there were just one circuit for each input length (rather than each
290: input), with each circuit taking $\ket{\psi}$ and $x$ as input (as would be the
291: case for the more standard notion of circuit uniformity).
292:
293: Similar to classical bounded error classes, the bounds of 1/3 and 2/3 in the
294: definition of QMA may be replaced by $2^{-p(|x|)}$ and $1-2^{-p(|x|)}$,
295: respectively, for any polynomial $p$.
296: In the other direction, the bounds of 1/3 and 2/3 may be replaced by functions
297: $b(|x|)$ and $a(|x|)$, respectively, for $a,b:\mathbb{Z}^{+}\rightarrow[0,1]$
298: such that (i) $a$ and $b$ are computable in polynomial time, and
299: (ii)~\mbox{$a(|x|) - b(|x|)\geq 1/p(|x|)$} for some polynomial $p$.
300: In both cases, this follows from the fact that for any polynomial $q$
301: we may run $q(|x|)$ independent copies of a given verification procedure on
302: a ``compound certificate'' consisting of $q(|x|)$ certificates for the
303: independent copies, and make a decision to accept or reject depending on the
304: proportion of the individual copies that accept appropriately.
305: A simple analysis reveals that entanglement among the individual certificates
306: can yield no increase in the probability of acceptance as compared to the
307: situation in which the certificates are not entangled, and that the
308: probability of error is bounded by the tail of a binomial series as expected.
309:
310: Next we will discuss black-box groups.
311: Here, we will consider a variation on black-box groups that is appropriate
312: for the quantum circuit model.
313: A group oracle $B$ is a family of bijections $\{B_n\}$ with
314: each member having the form $B_n:\Sigma^{2n+2}\rightarrow\Sigma^{2n+2}$ and
315: satisfying constraints to be discussed shortly.
316: We interpret the input and output of each $B_n$ as consisting of four parts:
317: a control bit, an error bit, and two $n$-bit strings representing group
318: elements.
319: This situation is pictured in Figure~\ref{fig:black-box}.
320: \begin{figure}[t]
321: \begin{center}
322: \begin{picture}(210,135)(80,50)
323: \setlength{\unitlength}{65000sp}%
324: \put(100,50){\framebox(50,125){$B_n$}}
325:
326: \put(100,60){\line(-1,0){10}}
327: \put(100,65){\line(-1,0){10}}
328: \put(100,70){\line(-1,0){10}}
329: \put(100,75){\line(-1,0){10}}
330: \put(100,80){\line(-1,0){10}}
331: \put(100,85){\line(-1,0){10}}
332: \put(100,90){\line(-1,0){10}}
333:
334: \put(100,105){\line(-1,0){10}}
335: \put(100,110){\line(-1,0){10}}
336: \put(100,115){\line(-1,0){10}}
337: \put(100,120){\line(-1,0){10}}
338: \put(100,125){\line(-1,0){10}}
339: \put(100,130){\line(-1,0){10}}
340: \put(100,135){\line(-1,0){10}}
341:
342: \put(100,150){\line(-1,0){10}}
343:
344: \put(100,165){\line(-1,0){10}}
345:
346: \put(150,60){\line(1,0){10}}
347: \put(150,65){\line(1,0){10}}
348: \put(150,70){\line(1,0){10}}
349: \put(150,75){\line(1,0){10}}
350: \put(150,80){\line(1,0){10}}
351: \put(150,85){\line(1,0){10}}
352: \put(150,90){\line(1,0){10}}
353:
354: \put(150,105){\line(1,0){10}}
355: \put(150,110){\line(1,0){10}}
356: \put(150,115){\line(1,0){10}}
357: \put(150,120){\line(1,0){10}}
358: \put(150,125){\line(1,0){10}}
359: \put(150,130){\line(1,0){10}}
360: \put(150,135){\line(1,0){10}}
361:
362: \put(150,150){\line(1,0){10}}
363:
364: \put(150,165){\line(1,0){10}}
365:
366: \put(80,165){\makebox(0,0)[r]{$c$}}
367: \put(80,150){\makebox(0,0)[r]{$b$}}
368: \put(80,120){\makebox(0,0)[r]{$x$}}
369: \put(80,75){\makebox(0,0)[r]{$y$}}
370:
371: \put(168,165){\makebox(0,0)[l]{$c$}}
372: \put(168,150){\makebox(0,0)[l]{$b'= \left\{\begin{array}{ll}b &
373: \op{if}\;x,y\in G(B_n)\\
374: \neg b & \op{otherwise}\end{array}\right.$}}
375: \put(168,120){\makebox(0,0)[l]{$x$}}
376: \put(168,75){\makebox(0,0)[l]{$z = \left\{\begin{array}{ll}
377: yx & \op{if}\;c = 0\;\op{and}\;x,y\in G(B_n)\\
378: yx^{-1} & \op{if}\;c = 1\;\op{and}\;x,y\in G(B_n)\\
379: y & \op{otherwise}
380: \end{array}\right.$}}
381:
382: \end{picture}
383: \end{center}
384: \caption{Reversible gate for a black-box group}
385: \label{fig:black-box}
386: \end{figure}
387: Associated with each $B_n$ is a group denoted $G(B_n)$ whose elements
388: form some subset of $\Sigma^n$ and whose group structure is determined
389: by the function $B_n$.
390: If $x,y\in G(B_n)$ then $yx = z$ for the unique value of $z$ that satisfies
391: $B(0,b,x,y) = (0,b,x,z)$ for each $b\in\Sigma$.
392: Similarly, if $x,y\in G(B_n)$ then $yx^{-1} = z$ for the unique value of $z$
393: that satisfies $B(1,b,x,y) = (1,b,x,z)$.
394: The first input bit (the control bit) thus determines whether $y$ is multiplied
395: (on the right) by $x$ or by $x^{-1}$.
396: Whenever we have $x\not\in G(B_n)$ or $y\not\in G(B_n)$, then it must be the
397: case that $B(c,b,x,y) = (c,\neg b,x,y)$ for each $b,c\in\Sigma$, i.e.,
398: the error bit $b$ is negated to indicate that the inputs were not valid group
399: elements.
400: Naturally, the constraint that must be obeyed by each $B_n$ in order for
401: $B = \{B_n\}$ to be considered a group oracle is that there must exist a
402: family of underlying groups $\{G_n\}$ along with encodings $\{f_n\}$ (each
403: $f_n:G_n\rightarrow\Sigma^n$ one-to-one and satisfying $f_n(G_n) = G(B_n)$)
404: that yields the above structure.
405: Each group $G(B_n)$, and more generally any subgroup of $G(B_n)$ given by
406: a list of generators, is known as a black-box group.
407:
408: For a given group oracle $B$ each $B_n$ is invertible, and may therefore be
409: viewed as a $(2n+2)$-qubit quantum gate as suggested by
410: Figure~\ref{fig:black-box}.
411: When we say that a polynomial-time uniformly generated family of quantum
412: circuits has access to group oracle $B$, we mean that the circuits in the
413: family may, in addition to the standard gates mentioned previously, be
414: composed of any of the gates in the collection $\{B_n\}$.
415: Note that any quantum circuit containing a $B_n$ gate must have size
416: $\Omega(n)$.
417:
418: %=============================================================================%
419:
420: \section{Verification of non-membership}
421: \label{sec:non-membership}
422:
423: \noindent
424: In this section we prove that the Group Non-Membership problem is in QMA
425: for an arbitrary group oracle $B$.
426: Before giving the technical proof, we will discuss informally the basic idea
427: of the proof.
428:
429: Suppose group elements $g_1,\ldots,g_k$ and $h$ are given,
430: and let us write $H = \langle g_1,\ldots,g_k\rangle$.
431: Consider the state $|H|^{-1/2}\sum_{g\in H}\ket{g}$,
432: and assume that this state is contained in a quantum register $\mathbf R$.
433: In general, given any finite set $A$ we will let $\ket{A}$ denote the
434: state $|A|^{-1/2}\sum_{a\in A}\ket{a}$, so that we may say that
435: $\mathbf R$ is in state $\ket{H}$.
436: In addition let $\mathbf B$ be a register consisting of a single qubit, and
437: suppose $\mathbf B$ is initialized to state $(\ket{0}+\ket{1})/\sqrt{2}$.
438: Assuming we have a gate that performs group operations as discussed in the
439: previous section, we may build a quantum circuit acting on $\mathbf R$ and
440: $\mathbf B$ that effectively acts as a controlled-multiply-by-$h$ operation on
441: $\mathbf R$, where $\mathbf B$ is the control.
442: If this operation is performed, we may express the resulting state of the pair
443: $(\mathbf B,\mathbf R)$ as $(\ket{0}\ket{H} + \ket{1}\ket{Hh})/\sqrt{2}$.
444: Now perform a Hadamard transform on $\mathbf B$ to yield the state
445: \[
446: \frac{1}{2}\ket{0}(\ket{H}+\ket{Hh})+\frac{1}{2}\ket{1}(\ket{H}-\ket{Hh}).
447: \]
448: At this point, observing $\mathbf B$ in the $\{\ket{0},\ket{1}\}$ basis yields
449: 1 with probability $p = \|(\ket{H}-\ket{Hh})/2\|^2$.
450: In case $h\in H$ we have $\ket{H}=\ket{Hh}$, and so $p=0$; in case $h\not\in H$
451: we have that $\ket{H}$ and $\ket{Hh}$ are orthogonal, and so $p = 1/2$.
452: Thus, given several copies of the state $\ket{H}$ one may determine with
453: very high probability whether or not $h\in H$.
454:
455: Unfortunately, the state $\ket{H}$ may be difficult to construct in some
456: cases, but it may be given as a quantum certificate.
457: Naturally we may not assume that a given certificate $\ket{\psi}$ coincides
458: with $\ket{H}$, so this must be verified before the above test is performed.
459: In fact, it is not necessary to check that $\ket{\psi} = \ket{H}$, but only
460: that $\ket{\psi}$ is invariant under right multiplication by elements of $H$.
461: Our technique to do this is as follows.
462: Consider a (classical) randomized procedure for generating elements of $H$
463: uniformly (for now we assume this is possible without error---we will
464: take errors into account in the proof below).
465: We may modify such a probabilistic process to make it quantum by
466: simulating the act of choosing any random number in some given range
467: $\{0,\ldots,N-1\}$ by using a quantum transformation $Q_N$ satisfying
468: $Q_N\ket{0} = N^{-1/2}\sum_{a = 0}^{N-1}\ket{a}$, and simulating the
469: entire process reversibly.
470: (To do this, assume all random choices are made first, and that the remaining
471: part of the process is deterministic and hence can be simulated reversibly.)
472: Let $F$ denote the resulting quantum transformation.
473: It will not be the case that $F$ produces $\ket{H}$, but rather we will have
474: \[
475: F:\ket{0}\mapsto\frac{1}{\sqrt{|H|}}\sum_{g\in H}\ket{g}\ket{\op{garbage}(g)}
476: \]
477: for $\ket{\op{garbage}(g)}$ denoting some arbitrary unit vector representing
478: whatever is left over from this process (for instance, copies of the
479: simulated random numbers yielding the random choice of $g$ in superposition).
480: Now, to check that the state contained in $\mathbf R$, which purportedly
481: contains $\ket{H}$, is invariant under right multiplication by elements
482: of $H$, we do the following: (i) apply $F$ to some register $\mathbf S$
483: that is initially in the state $\ket{0}$, (ii) multiply (on the right) the
484: contents of $\mathbf R$ by the ``random'' group element contained in
485: $\mathbf S$, (iii) apply $F^{\dagger}$ to $\mathbf S$, and (iv) observe
486: $\mathbf S$.
487: If $\mathbf R$ was invariant under multiplication by elements of $H$,
488: then $\mathbf S$ will revert back to state $\ket{0}$ with certainty, while
489: if not there will be some probability that the observation of $\mathbf S$
490: yields some other result (indicating that this certificate should be rejected).
491: Under the assumption that the observation of $\mathbf S$ does yield 0,
492: however, the state of $\mathbf R$ will in fact be changed (by quantum magic!)
493: to one that is invariant under right multiplication by elements in $H$.
494: At this point, $\mathbf R$ will be suitable for the first test that determines
495: whether $h\in H$.
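
The two tests described informally above can be simulated classically on a small group. The following is an added example, not part of the original paper: it assumes an ideal $F$ with $|\alpha_g|^2 = 1/|H|$ exactly, represents elements of $S_4$ as tuples, tracks unnormalized state vectors as dictionaries, and uses hypothetical function names throughout.

```python
from math import sqrt

# Constructed sample instance: H = <G1> is the order-3 subgroup of S_4
# generated by a 3-cycle; H_OUT is a transposition outside H.
G1 = (1, 2, 0, 3)
H_OUT = (1, 0, 2, 3)
IDENTITY = (0, 1, 2, 3)


def mul(a, b):
    """Group law on permutations stored as tuples: apply a, then b."""
    return tuple(b[i] for i in a)


H_IN = mul(G1, G1)  # an element of H, used for the case h in H


def generate(gens):
    """Return the subgroup generated by gens (closure under right multiplication)."""
    identity = tuple(range(len(gens[0])))
    seen, frontier = {identity}, [identity]
    while frontier:
        x = frontier.pop()
        for g in gens:
            y = mul(x, g)
            if y not in seen:
                seen.add(y)
                frontier.append(y)
    return seen


def uniform_state(elements):
    """The state |A>: equal amplitude on every element of A."""
    amp = 1.0 / sqrt(len(elements))
    return {x: amp for x in elements}


def norm_sq(state):
    """Squared norm; for an unnormalized state this is a probability."""
    return sum(a * a for a in state.values())


def step1(state, H):
    """Invariance test with ideal F: apply F to S, multiply R by S on the
    right, apply F^dagger, and keep the branch where S is observed as 0.
    The result is sum_x sum_g (1/|H|) beta_x |xg>, left unnormalized so
    that its squared norm is the probability of passing this step."""
    out = {}
    for x, beta in state.items():
        for g in H:
            y = mul(x, g)
            out[y] = out.get(y, 0.0) + beta / len(H)
    return out


def step2_accept(state, h):
    """Hadamard test: probability that B is observed as 1, i.e.
    || (state - state.h) / 2 ||^2, where .h is right multiplication."""
    shifted = {mul(x, h): a for x, a in state.items()}
    keys = set(state) | set(shifted)
    return sum(((state.get(k, 0.0) - shifted.get(k, 0.0)) / 2) ** 2 for k in keys)


def accept_probability(cert, gens, h):
    """Unconditional acceptance probability of the two-step procedure."""
    H = generate(gens)
    return step2_accept(step1(cert, H), h)


if __name__ == "__main__":
    H = generate([G1])
    honest = uniform_state(H)      # the certificate |H>
    cheat = {IDENTITY: 1.0}        # a basis state, not invariant under H
    print("honest, h not in H:", accept_probability(honest, [G1], H_OUT))
    print("honest, h in H:    ", accept_probability(honest, [G1], H_IN))
    print("cheat passes step 1 with prob:", norm_sq(step1(cheat, H)))
    print("cheat, h in H:     ", accept_probability(cheat, [G1], H_IN))
    print("cheat, h not in H: ", accept_probability(cheat, [G1], H_OUT))
```

The non-invariant certificate passes the first test only with probability $1/|H|$, and whatever survives is invariant under right multiplication by $H$, so it is never accepted when $h\in H$.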
496:
497: Before proceeding to the formal proof, we mention the following theorem due to
498: Babai~\cite{Babai91} that will be used in the proof.
499: The theorem essentially states that elements in a given black-box group can be
500: randomly generated in such a way that the resulting distribution is very close
501: to uniform.
502:
503: \begin{theorem}[Babai]
504: \label{theorem:uniform}
505: For any group oracle $B$ there exists a randomized procedure
506: $\mathcal{P}$ acting as follows.
507: On input $g_1,\ldots,g_k\in G(B_n)$ and $\epsilon>0$, $\mathcal{P}$ outputs an
508: element of $H=\langle g_1,\ldots,g_k\rangle$ in time polynomial in
509: $n + \log 1/\epsilon$ such that each $g\in H$ is output with probability in
510: the range $(1/|H|-\epsilon,1/|H|+\epsilon)$.
511: \end{theorem}
512: This is in fact a weaker result than the one proved by Babai, but it is
513: sufficient for our needs.
514:
515: Now we are prepared to state and prove the main result of this section.
516:
517: \begin{theorem}
518: \label{theorem:non-membership}
519: $\op{GNM}(B)\in\op{QMA}^{B}$ for any group oracle $B$.
520: \end{theorem}
521:
522: \noindent
523: {\bf Proof.}
524: As above, given any set $A$, we write $\ket{A}$ to denote the uniform
525: superposition over elements of $A$, i.e.,
526: $\ket{A} = |A|^{-1/2}\sum_{a\in A}\ket{a}$.
527: Let $g_1,\ldots,g_k$ and $h$ denote input group elements of length $n$, let
528: $H = \langle g_1,\ldots,g_k\rangle$, and consider the procedure described in
529: Figure~\ref{fig:arthur_non-membership}.
530: \begin{figure}[!ht]
531: \hrulefill
532: \begin{mylist}{0mm}
533: \item Assume register $\mathbf R$ contains the quantum certificate,
534: and all other registers are initialized to $\ket{0}$.
535:
536: \item Let $F$ be a transformation such that
537: \[
538: F:\ket{0}\mapsto\sum_{g\in H}\alpha_g\ket{g}\ket{\op{garbage}(g)},
539: \]
540: where $|\alpha_g|^2\in\left(1/|H|-2^{-2n},1/|H|+2^{-2n}\right)$ for each
541: $g\in H$, and $\ket{\op{garbage}(g)}$ denotes some arbitrary unit vector that
542: depends on $g$.
543: The fact that transformation $F$ can be performed by
544: polynomial-time uniform quantum circuits follows from
545: Theorem~\ref{theorem:uniform}, as described previously.
546:
547: \vspace{2mm}
548: \item {\bf Step 1:}
549: \vspace{2mm}
550:
551: Using the group oracle, check that $\mathbf R$ contains a valid
552: element of $G(B_n)$. \underline{Reject} if this is not the case.
553:
554: Apply transformation $F$ to register $\mathbf S$.
555:
556: Using the group oracle, multiply the contents of register $\mathbf R$
557: by the group element contained in $\mathbf S$.
558:
559: Apply transformation $F^{\dagger}$ to $\mathbf S$.
560: If $\mathbf S$ does not contain $0$, then \underline{reject}.
561: Otherwise proceed to step 2.
562:
563: \vspace{2mm}
564: \item {\bf Step 2:}
565: \vspace{2mm}
566:
567: Apply Hadamard transform to an initialized register $\mathbf B$ (i.e.,
568: set register $\mathbf B$ to state $(\ket{0} + \ket{1})/\sqrt{2}$).
569:
570: Using the group oracle, perform a controlled-multiply-by-$h$ operation on
571: register $\mathbf R$, where $\mathbf B$ is the control bit.
572: (Specifically, this operation has the effect of multiplying the contents of
573: register $\mathbf R$ on the right by $h$ if $\mathbf B$ has value 1, and has
574: no effect if $\mathbf B$ has value 0.)
575:
576: Perform a Hadamard transform on $\mathbf B$, and \underline{reject} if
577: $\mathbf B$ contains 0.
578:
579: If the computation has not rejected thus far, then \underline{accept}.
580:
581: \end{mylist}
582:
583: \hrulefill
584: \caption{Quantum verification procedure for Group Non-Membership.}
585: \label{fig:arthur_non-membership}
586: \end{figure}
587:
588: Assume first that $h\not\in H$.
589: In this case we must prove that there exists a certificate $\ket{\psi}$ causing
590: the procedure to accept with high probability.
591: The certificate will be $\ket{H}$.
592: The verification procedure first performs transformation $F$ on $\mathbf S$,
593: which was initialized to $\ket{0}$ at the start of the procedure.
594: The state of the pair of registers $(\mathbf R,\mathbf S)$ is now
595: \begin{equation}
596: \label{eq:step1}
597: \ket{H}\sum_{g\in H}\alpha_g(\ket{g}\ket{\op{garbage}(g)}).
598: \end{equation}
599: The contents of register $\mathbf R$ are multiplied by the group element
600: contained in $\mathbf S$, which has no effect on the state in (\ref{eq:step1})
601: following from the fact that $\ket{H}$ is invariant under multiplication by
602: any element $g\in H$.
603: Now the inverse of transformation $F$ is applied, which returns $\mathbf S$ to
604: the state $\ket{0}$ with certainty.
605: The probability that the verification procedure rejects in step 1 is therefore
606: 0.
607: Now step 2 is performed.
608: After preparing register $\mathbf B$ and performing the
609: controlled-multiply-by-$h$ operation, the state of the pair
610: $(\mathbf B,\mathbf R)$ is
611: $(\ket{0}\ket{H} + \ket{1}\ket{Hh})/\sqrt{2}$.
612: A Hadamard transform is performed on $\mathbf B$, producing the state
613: \[
614: \frac{1}{2}\ket{0}(\ket{H}+\ket{Hh})+
615: \frac{1}{2}\ket{1}(\ket{H}-\ket{Hh}).
616: \]
617: Under the assumption $h\not\in H$, we have that $\ket{H}$ and $\ket{Hh}$
618: are orthogonal, and consequently the probability of acceptance is
619: $\left\|(\ket{H} - \ket{Hh})/2\right\|^2 = 1/2$.
620:
621: Now suppose $h\in H$ and let $\ket{\psi}$ denote the initial state of register
622: $\mathbf R$.
623: In this case our goal is to bound the probability of acceptance.
624: Let us write
625: \[
626: \ket{\psi} = \sum_{x\in G(B_n)}\beta_x\ket{x} + \ket{\gamma}
627: \]
628: for $\ket{\gamma}\in\op{span}\{\ket{x}\,:\,x\not\in G(B_n)\}$ denoting
629: the ``invalid'' portion of $\ket{\psi}$.
630: The verification procedure first checks that $\mathbf R$ contains a
631: superposition over valid elements of $G(B_n)$, which has the effect of
632: projecting the state of $\mathbf R$ to $\sum_{x\in G(B_n)}\beta_x\ket{x}$
633: (renormalized) in case this test does not result in rejection.
634: As we are interested in bounding the overall (unconditional) probability of
635: accepting, however, we need not renormalize this state.
636: Transformation $F$ is performed on $\mathbf S$, and the group element contained
637: in $\mathbf S$ is multiplied to the contents of $\mathbf R$, producing state
638: \[
639: \sum_{x\in G(B_n)}\sum_{g\in H}\alpha_g \beta_x\ket{xg}\ket{g}
640: \ket{\op{garbage}(g)}
641: \]
642: in registers $(\mathbf R,\mathbf S)$.
643: Now $F^{\dagger}$ is applied to $\mathbf S$ and the verification procedure
644: rejects if $\mathbf S$ has not been returned to its initial 0 value.
645: Under the assumption that an observation of $\mathbf S$ reveals 0 (which is
646: necessary if the procedure accepts), the state of register $\mathbf R$ becomes
647: \[
648: \sum_{x\in G(B_n)}\sum_{g\in H}\alpha_g \beta_x\ket{xg}
649: \bra{0}F^{\dagger}(\ket{g}\ket{\op{garbage}(g)})
650: \:=\: \sum_{x\in G(B_n)}\sum_{g\in H}|\alpha_g|^2 \beta_x\ket{xg}
651: \]
652: (where again we do not renormalize in order to calculate the unconditional
653: probability of acceptance).
654: Now step 2 is performed.
655: After the controlled-multiply-by-$h$ and Hadamard operations have been
656: performed, the state of the pair $(\mathbf B,\mathbf R)$ will be
657: \[
658: \frac{1}{2}\ket{0}\sum_{x\in G(B_n)}\sum_{g\in H}
659: \left(|\alpha_g|^2 \beta_x\ket{xg} + |\alpha_g|^2 \beta_x\ket{xgh}\right)
660: + \frac{1}{2}\ket{1}\sum_{x\in G(B_n)}\sum_{g\in H}
661: \left(|\alpha_g|^2 \beta_x\ket{xg} -|\alpha_g|^2 \beta_x\ket{xgh}\right).
662: \]
663: The probability of acceptance is therefore
664: \begin{equation}
665: \label{eq:prob_acc1}
666: \frac{1}{4}\left\|
667: \sum_{x\in G(B_n)}\sum_{g\in H}
668: \left(|\alpha_g|^2\beta_x\ket{xg}-|\alpha_g|^2
669: \beta_x\ket{xgh}\right)\right\|^2.
670: \end{equation}
671: Under the assumption that $h\in H$, we have that $xgh$ and $xg$ range over
672: the same set as $g$ ranges over $H$.
673: Thus we may rewrite (\ref{eq:prob_acc1}) as
674: \begin{equation}
675: \label{eq:prob_acc2}
676: \frac{1}{4}\left\|\sum_{x\in G(B_n)}\sum_{g\in H}\beta_x
677: \left(|\alpha_g|^2-|\alpha_{gh^{-1}}|^2\right)\ket{xg}\right\|^2.
678: \end{equation}
679: By the triangle inequality, we see that (\ref{eq:prob_acc2}) is at most
680: \[
681: \frac{1}{4}\left(\sum_{g\in H}\left(|\alpha_g|^2 -
682: |\alpha_{gh^{-1}}|^2\right)
683: \left\|\sum_{x\in G(B_n)}\beta_x\ket{xg}\right\|\right)^2 \leq 2^{-2n}.
684: \]
685: Thus we have that the verification procedure accepts with exponentially small
686: probability.
687:
688: The definition of QMA requires that positive instances be accepted with
689: probability at least 2/3 and negative instances be accepted with
690: probability at most 1/3.
691: Thus, we must address the fact that although our verification procedure
692: accepts with exponentially small probability for all certificates on negative
693: instances, the probability of acceptance is only guaranteed to be 1/2 for
694: positive instances.
695: As discussed in Section~\ref{sec:definitions}, this may be remedied by
696: running several copies of the verification procedure in parallel and
697: deciding to accept or reject depending on the number of parallel
698: executions that accept.
699: In the present case we may achieve exponentially small probability of
700: error by running a polynomial number of copies of the above verification
701: procedure on a compound certificate and accepting if and only if at least
702: one of the copies accepts.
703: \qed
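The two cases of the analysis above can be checked numerically on a small group. The following is an added example, not code from the paper: it simulates the procedure classically on $S_3$ with $H$ generated by a transposition, models $F$ only through the amplitudes $\alpha_g$ (the garbage register is not simulated), and uses the post-selected expressions from the proof. The choice of group, the sample certificates, and all function names are assumptions made for illustration.

```python
"""Classical simulation of the Group Non-Membership verifier on a small group.
Added illustration; states are dicts {group element: amplitude}."""

def mul(x, g):
    """Group product x*g for permutations stored as tuples: (x*g)(i) = x[g[i]]."""
    return tuple(x[i] for i in g)

def inverse(g):
    inv = [0] * len(g)
    for i, gi in enumerate(g):
        inv[gi] = i
    return tuple(inv)

def generate(gens):
    """Subgroup generated by gens (closure under right multiplication)."""
    identity = tuple(range(len(gens[0])))
    elems, frontier = {identity}, [identity]
    while frontier:
        x = frontier.pop()
        for g in gens:
            y = mul(x, g)
            if y not in elems:
                elems.add(y)
                frontier.append(y)
    return elems

def right_mul(state, h):
    """The unitary |x> -> |xh> applied to a state vector."""
    out = {}
    for x, amp in state.items():
        y = mul(x, h)
        out[y] = out.get(y, 0.0) + amp
    return out

def norm_sq(state):
    return sum(abs(a) ** 2 for a in state.values())

def uniform(elems):
    amp = len(elems) ** -0.5
    return {x: amp for x in elems}

def step1(psi, alpha):
    """Unnormalized state of R after step 1, given that S returned to 0:
    sum_x sum_g |alpha_g|^2 beta_x |xg>."""
    out = {}
    for g, a in alpha.items():
        w = abs(a) ** 2
        for y, amp in right_mul(psi, g).items():
            out[y] = out.get(y, 0.0) + w * amp
    return out

def step2_accept(state, h):
    """Pr[B is measured as 1] = (1/4) * || state - (state multiplied by h) ||^2."""
    diff = dict(state)
    for y, amp in right_mul(state, h).items():
        diff[y] = diff.get(y, 0.0) - amp
    return norm_sq(diff) / 4

def accept_probability(psi, alpha, h):
    return step2_accept(step1(psi, alpha), h)

def soundness_bound(alpha, h):
    """Triangle-inequality bound for a unit-norm certificate when h is in H,
    taking the absolute value of each difference |alpha_g|^2 - |alpha_{g h^-1}|^2."""
    h_inv = inverse(h)
    total = sum(abs(abs(a) ** 2 - abs(alpha.get(mul(g, h_inv), 0.0)) ** 2)
                for g, a in alpha.items())
    return total ** 2 / 4

def amplify(p_yes, p_no, k):
    """Accept iff at least one of k copies accepts: completeness for k honest
    copies, and a union bound on the acceptance probability of negative instances."""
    return 1 - (1 - p_yes) ** k, min(1.0, k * p_no)

def demo():
    # Constructed sample data: a transposition t and a 3-cycle c in S_3.
    identity, t, c = (0, 1, 2), (1, 0, 2), (1, 2, 0)
    H = generate([t])                      # H = {identity, t}
    honest, alpha = uniform(H), uniform(H) # certificate |H>, ideal uniform F
    cheat = {identity: 1.0}                # basis-state certificate
    biased = {identity: 0.6 ** 0.5, t: 0.4 ** 0.5}  # F that is not uniform on H
    return {
        "honest_h_outside": accept_probability(honest, alpha, c),  # h not in H
        "cheat_step2_only": step2_accept(cheat, t),                # h in H, no step 1
        "cheat_full": accept_probability(cheat, alpha, t),         # h in H, full check
        "cheat_biased_F": accept_probability(cheat, biased, t),
        "bound_biased_F": soundness_bound(biased, t),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

The basis-state certificate passes step 2 alone with probability 1/2 even though $h\in H$, which is the failure that the invariance test in step 1 removes; the residual acceptance probability then depends only on how far the distribution $|\alpha_g|^2$ is from uniform on $H$.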
704:
705: %=============================================================================%
706:
707: \section{Oracle separations}
708: \label{sec:oracle}
709:
710: \noindent
711: In this section we discuss oracle separations regarding MA, QMA, and BQP.
712: First, we prove that there exists a group oracle $B$ relative to which the
713: Group Non-Membership problem is not contained in $\op{MA}$, and thus
714: $\op{MA}^B\subsetneq\op{QMA}^{B}$.
715: Our proof follows the same general ideas used by Babai~\cite{Babai91,Babai92}
716: to prove $\op{GNM}\not\in\op{NP}$ and $\op{GNM}\not\in\op{BPP}$ for some
717: group oracles.
718: We then identify a restricted version of the Group Non-Membership problem,
719: which we call the 2-Element Group Non-Membership problem, that in fact is
720: contained in BQP but still lies outside of MA relative to the group oracle $B$.
721: Thus we have an oracle separating BQP and MA.
722: A stronger result was claimed by Bernstein and Vazirani \cite{BernsteinV93},
723: but their proof has not yet appeared---they claimed the existence of an
724: oracle relative to which $\op{EQP}$ is not contained in $\op{MA}$.
725:
726: The oracle separations we prove rely on a strong amplification property
727: possessed by MA, which is that the probability of error can be made much
728: smaller than the reciprocal of the number of possible certificates for each
729: input length.
730: With this in mind, we take the following as our definition of $\op{MA}^B$:
731: \begin{definition}\em
732: \label{def:MA}
733: For a given group oracle $B$, a language $A$ is in $\op{MA}^B$ if there exists
734: a predicate $R$, computable in polynomial time by a deterministic Turing
735: machine with access to the group oracle $B$, and polynomials $q$ and $r$, such
736: that for every $x\in\Sigma^{\ast}$ we have:
737:
738: \begin{mylist}{\parindent}
739: \item If $x\in A$, then there exists $y\in\Sigma^{q(|x|)}$ such that
740: \[
741: \left|\left\{\left.z\in\Sigma^{r(|x|)}\right|R(x,y,z)=1\right\}\right|
742: \:=\: 2^{r(|x|)}.
743: \]
744:
745: \item If $x\not\in A$, then for all $y\in\Sigma^{q(|x|)}$,
746: \[
747: \left|\left\{\left.z\in\Sigma^{r(|x|)}\,\right|\,R(x,y,z) = 1\right\}\right|
748: \: < \: 2^{-2q(|x|)}2^{r(|x|)}.
749: \]
750: \end{mylist}
751: \end{definition}
752: This definition also includes the fact that the error can be made one-sided
753: without changing the resulting class (see, for instance,
754: Zachos~\cite{Zachos88})---a property that we do not know holds for QMA.
755: This fact is not essential in our proof, but has the advantage of simplifying
756: our analysis.
757:
758: \begin{theorem}
759: \label{theorem:oracle}
760: There exists a group oracle $B$ for which we have
761: $\op{GNM}(B)\not\in\op{MA}^B$.
762: \end{theorem}
763: \noindent
764: {\bf Proof.}
765: For each $n\geq 4$, let $p(n)$ be a prime number satisfying
766: $2^{n-2}<p(n)^2<2^n$.
767: Existence of such a sequence of primes follows from Bertrand's Postulate,
768: first proved by Chebyshev (see, for instance, Rosser and Schoenfeld
769: \cite{RosserS62}).
770: Let $[p(n)^2]$ denote the set $\{1,\ldots,p(n)^2\}$, and for fixed $n$
771: identify each element of $[p(n)^2]$ with its representation as an $n$-bit
772: string in binary.
773: Let $\mathcal{F}(n)$ denote the set of one-to-one functions of the form
774: $f:[p(n)^2]\rightarrow \mathbb{Z}_{p(n)}\times\mathbb{Z}_{p(n)}$, and define
775: \begin{eqnarray*}
776: \mathcal{F}_1(n) & = & \left\{f\in\mathcal{F}(n)\,|\,f(1) = (1,0)\;
777: \mbox{and}\;f(2) = (0,1)\right\},\\
778: \mathcal{F}_0(n) & = & \{f\in\mathcal{F}(n)\,|\,f(1) = (1,0)\;\mbox{and}\;
779: f(2) = (a,0)\;\mbox{for some $a\in\{2,\ldots,p(n)-1\}$}\}.
780: \end{eqnarray*}
781: We have $|\mathcal{F}_0(n)| = (p(n)-2)|\mathcal{F}_1(n)|$.
782: Associated with each $f\in\mathcal{F}(n)$ is a black-box group
783: isomorphic to \mbox{$\mathbb{Z}_{p(n)}\times\mathbb{Z}_{p(n)}$} that labels
784: each $(\alpha,\beta)\in\mathbb{Z}_{p(n)}\times\mathbb{Z}_{p(n)}$ with the
785: $n$-bit string $f^{-1}(\alpha,\beta)$.
786: When $n$ is fixed, or understood from context, we will simply write $p$,
787: $\mathcal{F}_0$, $\mathcal{F}_1$, etc., to mean $p(n)$, $\mathcal{F}_0(n)$,
788: $\mathcal{F}_1(n)$, etc.
789:
790: We will restrict our attention to the case where the input to the GNM problem
791: consists of the pair of $n$-bit strings representing labels $1$ and $2$
792: in binary for some $n$---we will write this pair as $(1,2)_n$ in order to
793: stress the dependence on $n$.
794: Furthermore, we also restrict our attention to the case that the group oracle
795: is associated with some $f\in\mathcal{F}_1(n)\cup\mathcal{F}_0(n)$ for each
796: $n$ as described previously.
797: For fixed $n$, if the group in question is associated with
798: $f\in\mathcal{F}_1$, then $f(2)\not\in\langle f(1)\rangle$, and so $(1,2)_n$
799: is a positive instance of GNM.
800: If the group is associated with $f\in\mathcal{F}_0$, then
801: $f(2)\in\langle f(1)\rangle$, and so $(1,2)_n$ is a negative instance of GNM.
802:
803: Below we will diagonalize over all polynomial time oracle Turing machines
804: in order to prove the existence of $B$ as in the statement of the theorem.
805: First, let us consider an arbitrary polynomial-time deterministic oracle Turing
806: machine $M$, and let $q$, $r$, and $t$ be strictly increasing polynomials such
807: that the following holds: for any $x\in\Sigma^{\ast}$, $y\in\Sigma^{q(|x|)}$,
808: and $z\in\Sigma^{r(|x|)}$, $M$ runs in time $t(|x|)$ on input $(x,y,z)$ and
809: any group oracle $B$.
810: (Here, $x$, $y$, and $z$ are as in the definition of MA, i.e., $x$ corresponds
811: to the input, $y$ is a certificate, and $z$ is treated as a sequence of random
812: bits.)
813: As mentioned above, we are interested in the case where $x = (1,2)_n$ for some
814: $n$.
815: Write $m = |x|$ for such a choice of $x$, and for simplicity assume our
816: encoding of pairs of strings is such that $2n \leq m \leq 4n$.
817: At this point we will fix $n$ sufficiently large such that $8t(4n)^2<2^{n/2}$
818: (and thus $t(m)^2/p(n)<1/4$).
819: Let $B$ be an arbitrary group oracle, and for any $f\in\mathcal{F}$ let us
820: write $B_f$ to denote the new group oracle obtained by changing the behavior
821: of $B$ on elements of length $n$ to be in accordance with $f$, as described
822: above.
823: Finally, let $M(B_f,y,z)$ denote 1 if $M$ accepts $(x,y,z)$ given oracle
824: $B_f$, and let
825: $M(B_f,y,z)$ denote 0 otherwise.
826: We claim that the following inequality holds for every
827: $y\in\Sigma^{q(m)}$ and $z\in\Sigma^{r(m)}$:
828: \begin{equation}
829: \left|\left\{g\in\mathcal{F}_0\,|\,M(B_g,y,z)=1\right\}\right|
830: \:\geq\:\left(p-t(m)^2\right)\left|\left\{f\in\mathcal{F}_1\,|\,M(B_f,y,z)=1
831: \right\}\right|.
832: \label{eq:accept_count}
833: \end{equation}
834: The proof of this inequality is the main technical part of the proof of
835: Theorem~\ref{theorem:oracle}, and so we postpone this part
836: momentarily---for now assume that it is proved.
837:
838: Suppose now that for every $f\in\mathcal{F}_1$ there exists a certificate
839: $y\in\Sigma^{q(m)}$ such that $M(B_f,y,z) = 1$ for every $z\in\Sigma^{r(m)}$
840: (which must be the case if $M$ is really a valid machine for solving the Group
841: Non-Membership problem with respect to an arbitrary oracle).
842: Since there are only $2^{q(m)}$ possible certificates, we conclude that one of
843: the certificates must work for many different oracles, i.e., there exists some
844: fixed $y$ such that for at least $2^{-q(m)}|\mathcal{F}_1|$ choices of
845: $f\in\mathcal{F}_1$ we have $M(B_f,y,z) = 1$ for every $z\in\Sigma^{r(m)}$.
846: This implies
847: \[
848: \sum_{z\in\Sigma^{r(m)}}\left|\left\{f\in\mathcal{F}_1|M(B_f,y,z)=1\right\}
849: \right|
850: \:\geq\: 2^{-q(m)}\,|\mathcal{F}_1|\,2^{r(m)}.
851: \]
852: By (\ref{eq:accept_count}) we therefore have
853: \begin{eqnarray*}
854: \sum_{g\in\mathcal{F}_0}
855: \left|\left\{\left.z\in\Sigma^{r(m)}\,\right|\,M(B_g,y,z)=1\right\}\right|
856: & = & \sum_{z\in\Sigma^{r(m)}}\left|\left\{g\in\mathcal{F}_0\,|\,M(B_g,y,z)=1
857: \right\}\right|\\
858: & \geq & (p-t(m)^2)\,2^{-q(m)}\,|\mathcal{F}_1|\,2^{r(m)}.
859: \end{eqnarray*}
860: Therefore, there must exist $g\in\mathcal{F}_0$ such that
861: \begin{eqnarray*}
862: \left|\left\{\left.z\in\Sigma^{r(m)}\,\right|\,M(B_g,y,z)=1\right\}
863: \right|
864: & \geq & \frac{(p-t(m)^2)\,2^{-q(m)}\,|\mathcal{F}_1|\,2^{r(m)}}
865: {|\mathcal{F}_0|}\\
866: & > & 2^{-2q(m)}2^{r(m)}.
867: \end{eqnarray*}
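The strict inequality in the last line can be checked as follows (a worked step added here, not part of the original text; it assumes $q(m)\geq 1$).
Since $|\mathcal{F}_0| = (p-2)|\mathcal{F}_1|$ with $p\geq 3$, and $n$ was fixed so that $t(m)^2/p < 1/4$, we have
\[
\frac{(p-t(m)^2)\,|\mathcal{F}_1|}{|\mathcal{F}_0|}
\:=\: \frac{p-t(m)^2}{p-2}
\:>\: \frac{3p/4}{p}
\:=\: \frac{3}{4}
\:>\: 2^{-q(m)},
\]
and multiplying through by $2^{-q(m)}\,2^{r(m)}$ gives
\[
\frac{(p-t(m)^2)\,2^{-q(m)}\,|\mathcal{F}_1|\,2^{r(m)}}{|\mathcal{F}_0|}
\:>\: 2^{-2q(m)}\,2^{r(m)}.
\]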
868:
869: From this we conclude that for any polynomial time oracle Turing machine $M$
870: and group oracle $B$, there exists an integer $n$ such that by modifying $B$
871: only on elements of length $n$ it is possible to make $M$ an invalid machine
872: for the GNM problem; either there exists $f\in\mathcal{F}_1(n)$ such that
873: no certificate causes $M$ to accept $(1,2)_n$ given group oracle $B_f$ with
874: certainty, or there exists $g\in\mathcal{F}_0(n)$ such that some certificate
875: causes $M$ to accept $(1,2)_n$ given group oracle $B_g$ with too high a
876: probability.
877:
878: Now it is routine to prove there exists $B$ as in the statement of the theorem
879: by a diagonalization argument.
880: Let $(M_1,q_1,r_1),\:(M_2,q_2,r_2),\:\ldots$, be an enumeration of all
881: triples consisting of a polynomial-time deterministic oracle Turing machine
882: and a pair of strictly increasing polynomials.
883: Let $t_1,\:t_2,\:\ldots$ be a sequence of polynomials such that $M_i$ runs
884: in time $t_i(|x|)$ on each input $(x,y,z)$ and any group oracle $B$, assuming
885: $|y|=q_i(|x|)$ and $|z|=r_i(|x|)$, for each $i$.
886: Without loss of generality we may assume $t_{i+1}(m) > t_i(m)$ for all $i$ and
887: $m$.
888: We define $B$ using a stage construction as follows:
889:
890: \begin{list}{}{\setlength{\leftmargin}{0.2in}\setlength{\rightmargin}{0.0cm}
891: \setlength{\labelsep}{0.2in}\setlength{\labelwidth}{0in}
892: \setlength{\itemindent}{0in}
893: \setlength{\itemsep}{0cm}}
894: \item[{\makebox[0mm][l]{Stage 0:}}] $\;$
895:
896: Set $B^{(0)}$ to be an arbitrarily chosen group oracle, and set
897: $n_0=4$.
898:
899: \item[{\makebox[0mm][l]{Stage $i\geq 1$:}}] $\;$
900:
901: Choose $n_i$ to be the smallest integer satisfying $2n_i > t_{i-1}(4n_{i-1})$ and
902: $8t_i(4n_i)^2<2^{n_i/2}$, and let $m_i$ be the length of the encoding of the
903: pair $(1,2)_{n_i}$.
904:
905: If there exists $f\in\mathcal{F}_1(n_i)$ such that for all
906: $y\in\Sigma^{q_i(m_i)}$ we have
907: \[
908: \left|\left\{\left.z\in\Sigma^{r_i(m_i)}\,\right|\,M_i(B^{(i-1)}_f,y,z)=1\right\}
909: \right| \:<\: 2^{r_i(m_i)}
910: \]
911: then let $B^{(i)} = B^{(i-1)}_f$ for any such $f$.
912: Otherwise, as proved previously, there exists $g\in\mathcal{F}_0(n_i)$
913: and $y\in\Sigma^{q_i(m_i)}$ such that
914: \[
915: \left|\left\{\left.z\in\Sigma^{r_i(m_i)}\,\right|\,
916: M_i(B^{(i-1)}_g,y,z)=1\right\}\right| \:>\: 2^{-2q_i(m_i)}2^{r_i(m_i)}.
917: \]
918: Set $B^{(i)} = B^{(i-1)}_g$ for any such $g$.
919: \end{list}
920: %
921: Finally, let $B$ be the group oracle that, for each $i$, agrees with $B^{(i)}$
922: on all queries regarding elements of length less than $n_{i+1}$.
923: (This group oracle is well-defined, since all changes to the oracle on
924: stages subsequent to stage $i$ involve only elements of length at least
925: $n_{i+1}$.)
926: It is now straightforward to verify that $\op{GNM}(B)\not\in\op{MA}^B$ by the
927: construction of $B$, since no triple $(M_i,q_i,r_i)$ can be valid according
928: to Definition~\ref{def:MA}.
929:
930: It remains to prove the inequality (\ref{eq:accept_count}).
931: Define an equivalence relation $\sim_{y,z}$ on $\mathcal{F}\times\mathcal{F}$
932: for each $y\in\Sigma^{q(m)}$ and $z\in\Sigma^{r(m)}$ as follows:
933: $f\sim_{y,z}g$ if and only if $f$ and $g$ induce identical executions of $M$
934: for $x = (1,2)_n$, certificate $y$, and random bits $z$ (i.e., on input
935: $((1,2)_n,y,z)$).
936:
937: Let $f\in\mathcal{F}_1$, and consider the computation of $M$ on input
938: $((1,2)_n,y,z)$ given a group oracle specified by $f$ on length $n$ elements.
939: During this computation, there will be some number $k$ of queries to the
940: oracle regarding length $n$ elements, which we may express as
941: \begin{eqnarray}
942: u_1 \pm v_1 & = & w_1,\nonumber\\
943: & \vdots & \label{eq:equations}\\
944: u_k \pm v_k & = & w_k\nonumber
945: \end{eqnarray}
946: (that is, the $i$-th query asks for $u_i+v_i$ or $u_i-v_i$, and the answer
947: given by the oracle is $w_i$).
948: Let $L$ denote the set $\{u_1,v_1,w_1,\ldots,u_k,v_k,w_k\}$ (i.e., the
949: distinct length-$n$ labels of group elements that either appear in
950: a query or a response), and let $l$ denote the size of $L$.
951: Without loss of generality assume the labels 1 and 2 are in $L$.
952: The above equations specify a $k\times l$ matrix $A$ with entries in
953: $\{-1,0,1\}$ in the following straightforward way: the columns of $A$ are
954: indexed by the labels in the set $L$, and for each $i = 1,\ldots,k$, the
955: $i$-th row of $A$ only has nonzero entries corresponding to labels $u_i$,
956: $v_i$, and $w_i$.
957: In case the $i$th query was $u_i + v_i = w_i$, the entries for the columns
958: indexed by $u_i$, $v_i$, and $w_i$ will be $1$, $1$, and $-1$, respectively,
959: and in case the $i$th query was $u_i - v_i = w_i$, the entries will be
960: $1$, $-1$, and $-1$, respectively.
961:
962: At this point it will be convenient to view $\mathbb{Z}_p\times\mathbb{Z}_p$
963: as being the additive group of the field $\mathbb{F} = GF(p^2)$ in order to
964: easily apply well-known theorems from linear algebra to our analysis.
965: (Here the specific correspondence between $\mathbb{Z}_p\times\mathbb{Z}_p$
966: and $\mathbb{F}$ is arbitrary, so long as the additive group
967: structure is preserved.)
968: Note that for any $g$ satisfying \mbox{$f\sim_{y,z} g$}, we must have that the
969: values $g$ assigns to the labels in $L$ form a vector in the nullspace of $A$
970: (viewing $A$ as a matrix over $\mathbb{F}$).
971:
972: Let $d$ be the dimension of the nullspace of $A$.
973: We claim that
974: \begin{equation}
975: \left|\left\{g\in\mathcal{F}_0\,|\,f\sim_{y,z}g\right\}\right|
976: \:\geq\: \left(p-1-\binom{l}{2}\right)
977: \left(p^{2d-4} - \binom{l}{2}p^{2d-6}\right)(p^2-l)! \label{eq:equiv1}
978: \end{equation}
979: and
980: \begin{equation}
981: \left|\left\{g\in\mathcal{F}_1\,\left|\,f\sim_{y,z}g\right.\right\}\right|
982: \leq p^{2d-4}(p^2-l)!.
983: \label{eq:equiv2}
984: \end{equation}
985: This suffices to prove (\ref{eq:accept_count}), since by (\ref{eq:equiv1}) and
986: (\ref{eq:equiv2}) we determine that for all $f\in\mathcal{F}_1$ we have
987: \[
988: \left|\left\{g\in\mathcal{F}_0\,|\,f\sim_{y,z}g\right\}\right|
989: \:\geq\: (p-t(m)^2) \left|\left\{g\in\mathcal{F}_1\,\left|\,f\sim_{y,z}g
990: \right.\right\}\right|,
991: \]
992: and summing over those equivalence classes for which $M(B_f,y,z)=1$ yields
993: (\ref{eq:accept_count}).
994:
995: The inequality (\ref{eq:equiv2}) is immediate since the collection of vectors
996: in the nullspace of $A$ that assign values $(1,0)$ and $(0,1)$ to the labels
997: $1$ and $2$, respectively, is a hyperplane of dimension $d-2$, and each
998: vector in this hyperplane can be extended to yield at most $(p^2 - l)!$
999: distinct $g\in\mathcal{F}_1$ with $g\sim_{y,z}f$.
1000:
1001: To prove (\ref{eq:equiv1}), let us define
1002: \[
1003: H_a\: =\:\{h\in\mathbb{F}^{\,l}\,|\,Ah = 0,\,h[1] = (1,0),\;\mbox{and}
1004: \;h[2]=(a,0)\}
1005: \]
1006: for each $a\in\{2,\ldots,p-1\}$, and define
1007: \[
1008: T \:=\: \{h\in\mathbb{F}^{\,l}\,|\,h[i]\not=h[j]\;\mbox{for}\;i\not=j\}.
1009: \]
1010: We will prove that there are at least $p-1-\binom{l}{2}$ values of $a$
1011: for which $H_a\cap T$ contains at least $p^{2d-4}-\binom{l}{2}p^{2d-6}$
1012: elements.
1013: As each $h\in H_a\cap T$ may be extended to yield $(p^2 - l)!$ distinct
1014: $g\in\mathcal{F}_0$ with $g\sim_{y,z}f$, we will have proved
1015: (\ref{eq:equiv1}).
1016:
1017: Suppose $H_a\cap T$ is nonempty for $a\in\{2,\ldots,p-1\}$.
1018: Then of course $H_a$ is nonempty, and is therefore a hyperplane of dimension
1019: $d-2$.
1020: We may also conclude that for each pair $i\not=j\in L$, the intersection of
1021: $H_a$ with the subspace $J_{i,j} = \{h\in\mathbb{F}^{\,l}\,|\,h[i] = h[j]\}$ is
1022: properly contained in $H_a$, and is therefore a hyperplane of dimension at
1023: most $d-3$.
1024: Since $T = \mathbb{F}^{\,l}\,\backslash\left(\bigcup_{i\not=j}J_{i,j}\right)$,
1025: there must therefore be at least $p^{2(d-2)}-\binom{l}{2}p^{2(d-3)}$
1026: elements in $H_a\cap T$ as required.
1027:
1028: Thus, it remains to prove that $H_a\cap T$ is nonempty for at least
1029: $p - 1 - \binom{l}{2}$ values of \linebreak
1030: $a\in\{2,\ldots,p-1\}$.
1031: In order to prove this, define a mapping $\varphi_a:\mathbb{Z}_p\times
1032: \mathbb{Z}_p\rightarrow\mathbb{Z}_p\times\mathbb{Z}_p$ for each
1033: $a\in\{2,\ldots,p-1\}$ as $\varphi_a(\alpha,\beta) = (\alpha + a\beta,0)$.
1034: Let $h_f\in\mathbb{F}^{\,l}$ denote the vector corresponding to the values
1035: assigned to the labels in $L$ by $f$, and let $\varphi_a(h_f)$ denote the
1036: vector obtained by applying $\varphi_a$ to each entry of $h_f$ individually.
1037: Following from the fact that each $\varphi_a$ is a homomorphism, we must have
1038: that $\varphi_a(h_f)$ is in the nullspace of $A$, and therefore
1039: $\varphi_a(h_f) \in H_a$.
1040: Write $h_f[i] = (\alpha_i,\beta_i)$ for each $i$, and suppose we have
1041: $\varphi_a(h_f[i])=\varphi_a(h_f[j])$ for some pair $i\not=j$.
1042: Then $\alpha_i + a\beta_i \equiv \alpha_j + a\beta_j\;(\bmod\,p)$, and so
1043: $a(\beta_i-\beta_j) \equiv \alpha_j -\alpha_i\;(\bmod\,p)$.
1044: Since $h_f[i]\not=h_f[j]$ (as $f$ assigns distinct values to each label), it
1045: is impossible that $\beta_i=\beta_j$, and so
1046: $a\equiv(\beta_i-\beta_j)^{-1}(\alpha_j -\alpha_i)\;(\bmod\,p)$.
1047: It follows that there are at most $\binom{l}{2}$ nonzero values of $a$ such
1048: that $\varphi_a(h_f)\not\in H_a\cap T$, which completes the proof.
1049: \qed
1050:
1051: Finally, we consider a restricted case of the Group Non-Membership problem
1052: where there are only two input group elements (i.e., $k=1$ in the statement of
1053: the GNM problem).
1054: \begin{center}
1055: \underline{2-Element Group Non-Membership (2-GNM)}\\[2mm]
1056: \begin{tabular}{ll}
1057: Instance: & Group elements $g$ and $h$ in some group $G$.\\
1058: Question: & Is $h$ outside the group generated by $g$ (i.e., is
1059: $h\not\in\langle g\rangle$)?
1060: \end{tabular}
1061: \end{center}
1062: We note that this problem can be solved in BQP for any group oracle $B$
1063: using Shor's algorithm.
1064: \begin{prop}
1065: $\op{2-GNM}(B)\in\op{BQP}^B$ for any group oracle $B$.
1066: \end{prop}
1067: As this problem is not contained in (classical) MA relative to the group
1068: oracle $B$ constructed in the proof of Theorem~\ref{theorem:oracle}, we
1069: have obtained the relation $\op{BQP}^B\not\subseteq\op{MA}^B$.
1070:
1071: \begin{cor}
1072: There exists an oracle $B$ such that $\op{BQP}^B\not\subseteq\op{MA}^B$.
1073: \end{cor}
1074:
1075: %=============================================================================%
1076:
1077: \section{Other problems having succinct quantum proofs}
1078: \label{sec:other}
1079:
1080: \noindent
1081: Quantum certificates for group non-membership may be used in conjunction
1082: with classical certificates for other group properties to obtain succinct
1083: quantum certificates for various problems regarding finite groups.
1084: A few examples are given in this section.
1085:
1086: Consider the following problems:
1087:
1088: \begin{center}
1089: \underline{Proper Subgroup}\\[2mm]
1090: \begin{tabular}{ll}
1091: Instance: & Elements $g_1,\,\ldots,\,g_k$ and $h_1,\,\ldots,\,h_l$ in
1092: some group $G$.\\
1093: Question: & Is $\,\langle h_1,\:\ldots,\:h_l\rangle\,$ a proper subgroup of
1094: $\langle g_1,\ldots,g_k\rangle$?
1095: \end{tabular}
1096: \end{center}
1097:
1098: \begin{center}
1099: \underline{Divisor of Order}\\[2mm]
1100: \begin{tabular}{ll}
1101: Instance: & Elements $g_1,\ldots,g_k$ in some group $G$ and an integer
1102: $N$.\\
1103: Question: & Does $N$ divide the order of $\langle g_1,\ldots,g_k\rangle$?
1104: \end{tabular}
1105: \end{center}
1106:
1107: \begin{center}
1108: \underline{Simple Group}\\[2mm]
1109: \begin{tabular}{ll}
1110: Instance: & Elements $g_1,\ldots,g_k$ in some group $G$.\\
1111: Question: & Is $\langle g_1,\ldots,g_k\rangle$ a simple group?
1112: \end{tabular}
1113: \end{center}
1114:
1115: \begin{center}
1116: \underline{Intersection}\\[2mm]
1117: \begin{tabular}{@{}ll}
1118: Instance: & Elements $g_1,\:\ldots,\:g_k$, $h_1,\:\ldots,\:h_l$, and
1119: $a_1,\ldots,a_t$ in some group $G$.\\
1120: Question: & Is $\langle a_1,\ldots,a_t\rangle$ equal to the intersection
1121: of $\langle g_1,\ldots,g_k\rangle$ and $\langle h_1,\ldots,h_l\rangle$?
1122: \end{tabular}
1123: \end{center}
1124:
1125: \begin{center}
1126: \underline{Centralizer}\\[2mm]
1127: \begin{tabular}{ll}
1128: Instance: & Elements $g_1,\ldots,g_k$, $h_1,\ldots,h_l$ and $a$ in some
1129: group $G$.\\
1130: Question: & Is $\langle h_1,\ldots,h_l\rangle$ equal to the centralizer of
1131: $a$ in $\langle g_1,\ldots,g_k\rangle$?
1132: \end{tabular}
1133: \end{center}
1134:
1135: \begin{center}
1136: \underline{Maximal Normal Subgroup}\\[2mm]
1137: \begin{tabular}{ll}
1138: Instance: & Elements $g_1,\,\ldots,\,g_k$ and $h_1,\,\ldots,\,h_l$ in some
1139: group $G$.\\
1140: Question: & Is $\langle h_1,\ldots,h_l\rangle$ a maximal normal subgroup of
1141: $\langle g_1,\ldots,g_k\rangle$?
1142: \end{tabular}
1143: \end{center}
1144: \vspace{1mm}
1145:
1146: The first two problems, Proper Subgroup and Divisor of Order, are in
1147: $\op{QMA}^B$ for any group oracle $B$, while neither is in $\op{MA}^B$ for
1148: appropriate choice of $B$.
1149: Quantum certificates for these problems may be obtained by combining quantum
1150: certificates for non-membership with classical certificates for other
1151: properties.
1152:
1153: In the case of Proper Subgroup this is straightforward: a quantum proof that
1154: $\langle h_1,\ldots,h_l\rangle$ is properly contained in
1155: $\langle g_1,\ldots,g_k\rangle$ may consist of a classical portion that
1156: certifies that each $h_i$ may be generated from $g_1,\ldots,g_k$ and
1157: identifies an element $a\in\langle g_1,\ldots,g_k\rangle$ that purportedly
1158: lies outside of $\langle h_1,\ldots,h_l\rangle$, while the quantum
1159: portion certifies that $a\not\in\langle h_1,\ldots,h_l\rangle$.
1160:
1161: In the case of Divisor of Order, the quantum proof is slightly more
1162: complicated: for each prime power $p^l$ dividing $N$, the quantum proof
1163: identifies a tower of $p$-subgroups
1164: \[
1165: \langle h_1\rangle \:\leq\: \langle h_1,h_2\rangle \:\leq\: \cdots\:\leq\:
1166: \langle h_1,\ldots,h_l\rangle
1167: \]
1168: of $\langle g_1,\ldots,g_k\rangle$ having the property
1169: $h_i\not\in\langle h_1,\ldots,h_{i-1}\rangle$ for each $i$ (so that
1170: $\langle h_1,\ldots,h_l\rangle$ has order at least $p^l$).
1171: The $p$-subgroup property may be certified classically \cite{BabaiS84},
1172: while each $h_i\not\in\langle h_1,\ldots,h_{i-1}\rangle$ may be certified
1173: with a quantum proof of non-membership.
1174:
1175: The remaining four problems, Simple Group, Intersection, Centralizer,
1176: and Maximal Normal Subgroup, are in $\op{co-QMA}^B$ for any group oracle $B$.
1177: For the complements of each of these problems, quantum proofs may be
1178: obtained from quantum proofs for non-membership along with classical proofs
1179: for various properties as above.
1180: For the case of Simple Group and Maximal Normal Subgroup, we rely on the
1181: fact that there exist classical certificates for the property of one group
1182: being normal in another \cite{Babai92}.
1183: We leave the details for the reader.
1184:
1185: %=============================================================================%
1186:
1187: \section{Open Problems}
1188: \label{sec:conclusion}
1189:
1190: \noindent
1191: We conclude by mentioning some open problems relating to quantum proofs and
1192: the class QMA.
1193:
1194: \begin{itemize}
1195: \item Is Graph Non-Isomorphism in QMA?
1196:
1197: \item Is Group Order in QMA?
1198: (That is, given group elements $g_1,\ldots,g_k$ and an integer $N$, are there
1199: succinct quantum proofs for the property $N=|\langle g_1,\ldots,g_k\rangle|$?)
1200:
1201: \item Is co-NP contained in QMA?
1202: Do unexpected consequences result from such a containment?
1203:
1204: \item We have claimed that $\op{QMA}\subseteq\op{PP}$; can a better
1205: upper-bound be placed on the power of QMA?
1206: What other relations among QMA and other classes can be proved?
1207:
1208: \end{itemize}
1209:
1210: %=============================================================================%
1211:
1212: %\nocite{BernsteinV97}
1213:
1214: \bibliographystyle{plain}
1215: %\bibliography{quantum}
1216:
1217: %=============================================================================%
1218:
1219: \begin{thebibliography}{10}
1220:
1221: \bibitem{AdlemanD+97}
1222: L.~Adleman, J.~DeMarrais, and M.~Huang.
1223: \newblock Quantum computability.
1224: \newblock {\em SIAM Journal on Computing}, 26(5):1524--1540, 1997.
1225:
1226: \bibitem{AharonovK+98}
1227: D.~Aharonov, A.~Kitaev, and N.~Nisan.
1228: \newblock Quantum circuits with mixed states.
1229: \newblock In {\em Proceedings of the Thirtieth Annual ACM Symposium on Theory
1230: of Computing}, pages 20--30, 1998.
1231:
1232: \bibitem{ArvindV97}
V.~Arvind and N.~V. Vinodchandran.
\newblock Solvable black-box group problems are low for {PP}.
\newblock {\em Theoretical Computer Science}, 180(1--2):17--45, 1997.

\bibitem{Babai85}
L.~Babai.
\newblock Trading group theory for randomness.
\newblock In {\em Proceedings of the Seventeenth Annual ACM Symposium on Theory
of Computing}, pages 421--429, 1985.

\bibitem{Babai91}
L.~Babai.
\newblock Local expansion of vertex-transitive graphs and random generation in
finite groups.
\newblock In {\em Proceedings of the Twenty-Third Annual ACM Symposium on
Theory of Computing}, pages 164--174, 1991.

\bibitem{Babai92}
L.~Babai.
\newblock Bounded round interactive proofs in finite groups.
\newblock {\em SIAM Journal on Discrete Math}, 5(1):88--111, 1992.

\bibitem{Babai97}
L.~Babai.
\newblock Randomization in group algorithms: conceptual questions.
\newblock In {\em Groups and Computation, {II}}, volume~28 of {\em DIMACS Ser.
Discrete Math. Theoret. Comput. Sci.}, pages 1--17. American Mathematical
Society, 1997.

\bibitem{BabaiB99}
L.~Babai and R.~Beals.
\newblock A polynomial-time theory of black box groups {I}.
\newblock In {\em Groups St. Andrews 1997 in Bath}, volume 260 of {\em London
Math. Soc. Lecture Note Ser.} Cambridge University Press, 1999.

\bibitem{BabaiM88}
L.~Babai and S.~Moran.
\newblock {A}rthur-{M}erlin games: a randomized proof system, and a hierarchy
of complexity classes.
\newblock {\em Journal of Computer and System Sciences}, 36(2):254--276, 1988.

\bibitem{BabaiS84}
L.~Babai and E.~Szemer\'edi.
\newblock On the complexity of matrix group problems {I}.
\newblock In {\em Proceedings of the 25th Annual Symposium on Foundations of
Computer Science}, pages 229--240, 1984.

\bibitem{BalcazarG+88}
J.~Balc\'{a}zar, J.~D\'{i}az, and J.~Gabarr\'{o}.
\newblock {\em Structural Complexity I}.
\newblock Springer-Verlag, 1988.

\bibitem{BalcazarG+90}
J.~Balc\'{a}zar, J.~D\'{i}az, and J.~Gabarr\'{o}.
\newblock {\em Structural Complexity II}.
\newblock Springer-Verlag, 1990.

\bibitem{BernsteinV93}
E.~Bernstein and U.~Vazirani.
\newblock Quantum complexity theory (preliminary abstract).
\newblock In {\em Proceedings of the Twenty-Fifth Annual ACM Symposium on
Theory of Computing}, pages 11--20, 1993.

\bibitem{BernsteinV97}
E.~Bernstein and U.~Vazirani.
\newblock Quantum complexity theory.
\newblock {\em SIAM Journal on Computing}, 26(5):1411--1473, 1997.

\bibitem{Berthiaume97}
A.~Berthiaume.
\newblock Quantum computation.
\newblock In L.~Hemaspaandra and A.~Selman, editors, {\em Complexity Theory
Retrospective II}, pages 23--50. Springer, 1997.

\bibitem{BoykinM+99}
P.~Boykin, T.~Mor, M.~Pulver, V.~Roychowdhury, and F.~Vatan.
\newblock On universal and fault-tolerant quantum computing: a novel basis and
a new constructive proof of universality for {Shor's} basis.
\newblock In {\em Proceedings of the 40th Annual Symposium on Foundations of
Computer Science}, pages 486--494, 1999.

\bibitem{Cleve99}
R.~Cleve.
\newblock An introduction to quantum complexity theory.
\newblock Manuscript, 1999.
\newblock Available at http://www.cpsc.ucalgary.ca/\raisebox{3pt}%
{\tiny$\sim$}cleve/papers.html.
%\newblock To appear in C.~Macchiavello, G.~Palma, and A.~Zeilinger, editors,
% {\em Collected Papers on Quantum Computation and Quantum Information Theory}.
% World Scientific.

\bibitem{FennerG+99}
S.~Fenner, F.~Green, S.~Homer, and R.~Pruim.
\newblock Determining acceptance possibility for a quantum computation is hard
for the polynomial hierarchy.
\newblock {\em Proceedings of the Royal Society, London A}, 455:3953--3966,
1999.

\bibitem{FortnowR99}
L.~Fortnow and J.~Rogers.
\newblock Complexity limitations on quantum computation.
\newblock {\em Journal of Computer and System Sciences}, 59(2):240--252, 1999.

\bibitem{Isaacs94}
I.~M. Isaacs.
\newblock {\em Algebra: a Graduate Course}.
\newblock Brooks/Cole, 1994.

\bibitem{Kitaev97}
A.~Kitaev.
\newblock Quantum computations: algorithms and error correction.
\newblock {\em Russian Mathematical Surveys}, 52(6):1191--1249, 1997.

\bibitem{Kitaev99}
A.~Kitaev.
\newblock ``{Q}uantum {NP}''.
\newblock Talk at AQIP'99: Second Workshop on Algorithms in Quantum Information
Processing, DePaul University, January 1999.

\bibitem{KitaevW00}
A.~Kitaev and J.~Watrous.
\newblock Parallelization, amplification, and exponential time simulation of
quantum interactive proof systems.
\newblock In {\em Proceedings of the 32nd ACM Symposium on Theory of
Computing}, pages 608--617, 2000.

\bibitem{Knill96}
E.~Knill.
\newblock Quantum randomness and nondeterminism.
\newblock Technical Report LAUR-96-2186, Los Alamos National Laboratory, 1996.
\newblock Available from the Los Alamos Preprint Archive, quant-ph/9610012.

\bibitem{RosserS62}
J.~B. Rosser and L.~Schoenfeld.
\newblock Approximate formulas for some functions of prime numbers.
\newblock {\em Illinois Journal of Mathematics}, 6:64--94, 1962.

\bibitem{Sims70}
C.~Sims.
\newblock Computational methods in the study of permutation groups.
\newblock In J.~Leech, editor, {\em Computational Problems in Abstract
Algebra}, pages 169--183. Pergamon Press, 1970.

\bibitem{Watrous99-qip-focs}
J.~Watrous.
\newblock {PSPACE} has constant-round quantum interactive proof systems.
\newblock In {\em Proceedings of the 40th Annual Symposium on Foundations of
Computer Science}, pages 112--119, 1999.

\bibitem{deWolf00}
R.~de~Wolf.
\newblock Characterization of non-deterministic quantum query and quantum
communication complexity.
\newblock In {\em Proceedings of the 15th Annual IEEE Conference on
Computational Complexity}, pages 271--278, 2000.

\bibitem{Zachos88}
S.~Zachos.
\newblock Probabilistic quantifiers and games.
\newblock {\em Journal of Computer and System Sciences}, 36:433--451, 1988.

\end{thebibliography}


\end{document}