An efficient quantum parallel repetition theorem and applications

We prove a tight parallel repetition theorem for $3$-message computationally-secure quantum interactive protocols between an efficient challenger and an efficient adversary. We also prove under plausible assumptions that the security of $4$-message computationally secure protocols does not generally decrease under parallel repetition. These mirror the classical results of Bellare, Impagliazzo, and Naor [BIN97]. Finally, we prove that all quantum argument systems can be generically compiled to an equivalent $3$-message argument system, mirroring the transformation for quantum proof systems [KW00, KKMV07]. As immediate applications, we show how to derive hardness amplification theorems for quantum bit commitment schemes (answering a question of Yan [Yan22]), EFI pairs (answering a question of Brakerski, Canetti, and Qian [BCQ23]), public-key quantum money schemes (answering a question of Aaronson and Christiano [AC13]), and quantum zero-knowledge argument systems. We also derive an XOR lemma [Yao82] for quantum predicates as a corollary.


INTRODUCTION
In this work we study one of the most fundamental questions in theoretical cryptography: can we transform a "weakly" secure construction of a primitive into one that is "truly" secure? A common strategy for such a transformation is parallel repetition: if the adversary's success probability against the original construction is bounded away from 1, then the adversary's success probability against the repeated construction should tend to zero with the number of repetitions. In classical cryptography this question is well-studied, beginning with the seminal work of Yao [19,28,40] and leading to a long sequence of works [3,4,10,13,14,21,22,33]. Hardness amplification is also an essential tool for bootstrapping circuit lower bounds (see [36] and the references therein).
Our focus in this work is on hardness amplification for quantum cryptographic primitives; in particular we focus on the following class of quantum interactive protocols between an efficient challenger (specified as part of the protocol) and an efficient adversary, indexed by a security parameter:
• 3-message: The adversary sends the first message, the challenger the second, and the adversary the third. After the protocol ends, the challenger decides to accept or reject. All messages may be quantum.
• Weakly computationally secure: No efficient (poly-size) adversary can cause the challenger to accept with probability greater than (say) 1 − 1/poly.
The security of many quantum cryptographic primitives, including quantum (non-interactive) commitments, quantum money and 3-message quantum arguments, can be naturally formulated in terms of a quantum 3-message protocol associated with the primitive, as above. This quantum protocol is often called a security game.
Similarly to the classical setting, one would like a generic method for amplifying the security of quantum cryptographic primitives. A natural approach is to repeat the construction in parallel; the security of the repeated construction usually corresponds to the parallel-repeated security game. Ideally, one would want the adversary's maximum success probability in a repeated security game to decrease exponentially with the number of repetitions.
Our first result is a tight parallel repetition theorem for all 3-message quantum protocols.
We prove Theorem 1 by identifying the key high-level approach used in proving both the classical Yao's XOR lemma [19,28,40] and the classical tight 3-message parallel repetition theorem of Canetti, Halevi, and Steiner [10], and then instantiating this high-level approach by designing quantum components that work with an arbitrary quantum adversary. As one would expect, handling quantum protocols and adversaries is much more challenging than the classical case: (1) the classical reduction involves cloning the adversary's internal state during protocol execution, which may be computationally infeasible or even information-theoretically impossible (due to entanglement with the challenger); and (2) the classical analysis relies on conditional distributions, which break down in the quantum setting due to non-commutativity. To resolve these challenges, we combine techniques from recent works on quantum rewinding [12] and quantum algorithmic techniques such as the quantum singular value transform [18], as well as additional new ideas to make them compatible with our setting. We explain these in more detail in Section 2.
We stress that our reduction is uniform in the strongest possible sense: if an adversary uses quantum advice |aux⟩ then the reduction uses quantum advice |aux⟩ ⊗ for some polynomial . Furthermore, = 1 is possible for any A as long as |aux⟩ is an appropriate eigenstate. See Remark 10 for details.
On tightness of the reduction. We remark that + negl( ) is likely the best general bound that one could hope for. The term is inherent since if the best attack on the original protocol has success probability , then simply running this attack on each repetition independently yields an attack achieving success probability . The negligible term also cannot be eliminated under reasonable assumptions. In particular, the classical 2-message counterexample by Dodis, Jain, Moran, and Wichs [16] generalizes to the post-quantum setting, thus the negligible term is inherent assuming the existence of exponentially hard post-quantum extended second-preimage resistant hash functions.

Applications of 3-Message Hardness Amplification
Theorem 1 immediately implies hardness amplification for several quantum cryptographic primitives.
Quantum commitments. Bit commitments are a fundamental cryptographic primitive where a sender can commit to a bit without revealing it at first (this is the hiding property), and later can reveal the bit but without the ability to change it (this is the binding property). Recently our understanding of commitment schemes in the quantum setting has considerably advanced. In particular, there is a robust existential equivalence between commitments and many quantum cryptographic primitives including EFI pairs, which are pairs of efficiently preparable mixed states that can only be inefficiently distinguished [9]. Therefore, it is likely that commitments and EFI pairs play a similar "minimal assumption" role in quantum cryptography (analogous to one-way functions classically).
An important question that has remained open is whether the computational security of quantum commitments (and friends) can be amplified. In other words, given an arbitrary quantum commitment scheme where either the hiding or binding property holds with weak (computational) security, can we generically transform it into another quantum commitment scheme where hiding and binding hold with strong security? This question was explicitly raised by Yan [39].
Our parallel repetition theorem for computationally secure protocols directly implies hardness amplification for quantum bit commitments, thus showing the robustness of the existence of commitments from a new angle.

Corollary 2 (Hardness amplification for commitments).
There is a quantum commitment scheme with only weak computational hiding (or binding) security if and only if there is a strong quantum commitment scheme.
We argue this as follows: without loss of generality it suffices to consider non-interactive commitment schemes using Yan's compiler [39]. The binding security of the non-interactive scheme can be formulated in terms of the success probability of any efficient adversary in a 2-message security game; correspondingly, the security of the repeated scheme can be formulated in terms of any efficient adversary's success probability in the parallel-repeated security game, which by Theorem 1 decays to negligible at an exponential rate. Amplification of hiding can be achieved via flavor-switching [20,23,39]. We also show how this can be used to drastically simplify constructing commitments from hardness of decoding black hole radiation, originally proven by Brakerski [8], in the full version.

Quantum Yao's XOR lemma. By the equivalence of quantum commitments and EFI pairs, we also obtain hardness amplification for EFI pairs, answering an open question of Brakerski, Canetti, and Qian [9]. In fact, we can even use it to show polarization for EFI pairs.

Corollary 3 (XOR lemma for EFI pairs). If there exists (an ensemble of) weak EFI pairs ( 0 , 1 ) that are statistically far but cannot be distinguished with advantage better than , then the -fold XOR of ( 0 , 1 ) cannot be distinguished with advantage better than /2 + negl( ). In particular, this gives a (strong) EFI pair if is negligible.
We point out that from this, and leveraging an equivalence between quantum state distinguishing and quantum predicates, we can immediately derive a quantum analogue of Yao's XOR lemma [40], which states that weak computational unpredictability of Boolean predicates (over some distribution of inputs) is amplified when the results of several independent instances are XOR-ed together. A quantum predicate can be defined as two orthogonal average-case inputs + (YES), − (NO) with + − = 0, and the goal of the predictor is to correctly predict the sign with advantage . This question was previously asked by Brakerski [8] (private communication) and Colisson [15].

Corollary 4 (Quantum Yao's XOR lemma). The -fold XOR of an -unpredictable quantum predicate for + , − is ( /2 + negl)-unpredictable.
To see a circuit lower bound application of this, we can naturally define "projection complexity classes", a quantum-input analogue of decision complexity classes. Then we have that for any such class C that is closed under composition with a polynomial fan-in XOR (like the analogue for PSPACE), C is strongly hard-on-average against BQP machines if and only if C is weakly hard-on-average against them.
Quantum money. A public-key quantum money scheme consists of quantum states (called quantum banknotes) that can be publicly verified by anyone with the public key, yet remain computationally infeasible to clone. A major goal of quantum cryptography research has been to construct public-key quantum money schemes with security based on well-understood assumptions. Aaronson and Christiano [1] proved a per-key amplification for a special class of schemes called projective money schemes, and asked whether strong hardness amplification is possible for quantum money schemes. We prove a general amplification that applies to any public-key quantum money scheme:

Corollary 5 (Hardness amplification for quantum money). Public-key quantum money schemes satisfying weak unclonability exist if and only if there exists a public-key quantum money scheme satisfying strong unclonability.
Similar to amplifying commitments, this also follows directly from the observation that the security of a public-key quantum money scheme can be formulated in terms of a 2-message security game; thus it immediately generalizes to, e.g., quantum lightning and private-key quantum money.
Amplification of post-quantum security. We remark that, if the original protocol is classical, then the repeated protocol is also classical. Hence Theorem 1 also implies a parallel repetition theorem for general 3-message post-quantum protocols; this was not previously known.

Barrier for Parallel Repetition Beyond 3-message Protocols
We also show that our 3-message parallel repetition theorem (Theorem 1) cannot extend to 4-message protocols under reasonable cryptographic assumptions, even if we are restricted to the post-quantum setting. This is a (post-)quantum analogue of the classical result by Bellare, Impagliazzo and Naor [3, Section 3.3].
Theorem 6 (Impossibility of parallel repetition, informal). If there is a post-quantum -message concurrent-secure many-to-many non-malleable commitment scheme, then for every polynomial there is a
For the special case of non-interactive commitments ( = 2), we would get a 4-message impossibility. We note that while there are no known post-quantum secure non-interactive non-malleable commitments, "pre-quantum" non-interactive non-malleable commitments can be constructed from various subexponential hardness assumptions [6,17,25], and so we view this assumption as plausible. Note that a weaker post-quantum one-to-one secure constant-round non-malleable commitment scheme is known to exist assuming post-quantum one-way functions [29], and this suffices for a special case of = 2.
We note that classically, stronger impossibilities are known: there is a 4-message protocol whose -fold computational security cannot be shown to decrease with black-box reductions for any polynomial [3, Section 3.4], and there is an 8-message protocol whose -fold computational security is at least constant, regardless of proof techniques [34]. These might also generalize to the post-quantum setting, assuming strong but reasonable assumptions like post-quantum CCA-secure non-interactive commitments and post-quantum constant-round universal arguments. We consider this sufficient evidence to conjecture that parallel repetition does not amplify 4-message (post-)quantum protocols, but we leave improving the impossibility for future work.

Round Compression for Quantum Argument Systems
An interactive argument is a form of interactive proof where the completeness and soundness conditions hold with respect to computationally efficient provers. An important complexity measure of interactive arguments (and interactive proofs in general) is the round complexity. One surprising result in the theory of quantum interactive proofs, due to Kitaev and Watrous [26], is that all (single-prover) quantum interactive proof systems (where soundness holds against computationally unbounded adversaries) can be compressed to just three messages. We show the analogous statement for quantum interactive arguments via the round compression technique of Kempe, Kobayashi, Matsumoto, and Vidick [24]. Our technical contribution is to make the reduction efficient.
To counteract the worse soundness error, we can again apply Theorem 1 to the compressed protocol to obtain a 3-message interactive argument for with negligible soundness error. Combining these two results, we obtain a general round-preserving soundness amplification theorem for quantum arguments:

Corollary 8 (Round-preserving amplification for arguments). Let be a language with an -message quantum interactive argument with completeness 1 − negl (resp., 1) and soundness error 1 − 1/poly.
We remark that the crucial aspect of Theorem 7 and Corollary 8 is that they preserve the communication complexity and the verifier complexity of the original protocol. (Indeed, a trivial round compression for argument systems that is not complexity-preserving can be obtained by having the prover forward its input to the verifier.) We are not aware of any classical analogue of this round compression result.
We note that similar techniques allow us to further compile any quantum argument into a (quantum communication) Σ-protocol [31], and thus, starting from an honest-verifier zero-knowledge protocol, we can get a 3-message malicious-verifier zero-knowledge protocol, albeit with worse soundness. We further discuss how to get back negligible soundness in the full version.

Corollary 9 (Round compression of zero-knowledge protocols).
Any language that admits an honest-verifier quantum statistical (resp. computational) zero-knowledge protocol with computational (resp. statistical) soundness also admits a malicious-verifier public-coin statistical (resp. computational) zero-knowledge protocol with 3 messages, 1 − 1/poly computational (resp. statistical) soundness, and similar complexity.

Related Works
Prior works have derived quantum direct product theorems or quantum XOR lemmas in the query-efficient (or communication-efficient) setting [2,27,37]. Morally these are 2-message (post-quantum) parallel repetitions. However, the query-efficient setting is usually weaker than our time-efficient setting and uses drastically different (non-algorithmic) techniques. For the rest of the discussion we focus on time-efficient hardness amplification.
In [7] a parallel repetition theorem for quantum canonical form commitments was proved, but it only handled classical side information and furthermore only achieved a polynomial rate of decay of the success probability in the repeated protocol. As a consequence, we also improve their Theorem 6.8 such that any inverse polynomial fidelity (or any error that is inverse polynomially bounded away from 1) suffices.
In the classical setting, parallel repetition for three-message arguments (or "weakly-verifiable puzzles") was studied by [3,10], with the latter showing an optimal exponential soundness amplification. Our three-message parallel repetition result also follows the high-level proof strategy of [10] while borrowing insights from proofs of the XOR lemma [19,28,40]. Recent works have observed that in some cases, the [10] amplification result can be applied essentially without modification in the quantum setting. Radian and Sattath [35] point out that [10] generalizes to handle 2-message post-quantum (classical communication) protocols.
Morimae and Yamakawa [32] extend this argument further, adapting [10] to give a parallel repetition theorem for 2-message quantum protocols of the following special form:
(0) Both parties a priori agree on a parameter .
(1) The challenger generates a classical verification key , then uses to generate copies of a quantum "puzzle" state |puz⟩, which it sends to the adversary.
(2) The adversary returns a classical answer ′ .
(3) The challenger accepts or rejects based on , ′ .
They use this result to argue that weak one-way state generators (OWSGs) imply OWSGs, analogous to Yao's amplification of one-way functions. Due to the restriction on the behavior of the challenger (essentially, that its secret state is classical), this result does not suffice for parallel repetition of general 2-message quantum protocols, and does not extend to 3-message protocols even with classical communication. Furthermore, it always requires many copies of the adversary's auxiliary input, whereas our reduction can be advice-preserving for eigenstates.
In addition, neither commitments nor quantum money fall within the scope of their result. In the commitment case, this is because both messages in the security game are quantum, and furthermore a general quantum commitment does not have a classical verification key; indeed, the information required to verify the commitment is typically entangled with the state sent to the adversary. For quantum money, the issue is instead that the [32] reduction shows only that given an adversary for the parallel repetition of a -copy protocol, we obtain an adversary for a single repetition of the corresponding ′ -copy protocol for some ′ = • poly( ). This corresponds to giving the adversary multiple copies of the money state, which of course makes the cloning task trivial.
Our reductions share many techniques with prior works in quantum cryptographic reductions, especially in the area of quantum rewinding [11,12,30,38]. Like the cited works, we make extensive use of Jordan's lemma and alternating sequences of projective measurements.
In recent work by Lombardi, Ma, and Spooner [30], they achieved expected polynomial time quantum rewinding, in part by accelerating certain components of [12] using the quantum singular value transform (QSVT). In this work, we also make use of the QSVT, but for a quite different purpose: coherent post-selection. Unlike in [30], we crucially rely on the ability of the QSVT to manipulate singular vectors while maintaining coherence between subspaces; see Section 2.1 for more details.

TECHNICAL OVERVIEW

2.1 2-message Non-uniform Parallel Repetition
In this section, we give an informal proof sketch for the special case of taking a 2-fold parallel repetition of a 2-message quantum protocol. This special case is easier to understand, yet cannot be immediately handled by easy changes to [10]. It turns out that the proof for this special case also contains most of the main ideas in the proof for the general non-uniform reduction.
We begin with some notation. A challenger in a 2-message protocol is identified with a pair ( , ), for a unitary and a projector, and an adversary in a 2-message protocol is identified with a pair ( , |aux⟩), for a unitary and |aux⟩ a quantum input. There are three registers: A, M, C, being the adversary's register, the message register, and the challenger's register respectively. We can write the protocol as follows:
• (Challenge) The challenger initializes both M, C to |0⟩, and applies the unitary to registers MC.
• (Response) The adversary applies some unitary to registers AM, where A initially contains some "advice" state |aux⟩.
• (Decision) The challenger applies a projective measurement { , id − } to registers MC, and accepts if and only if he gets outcome .
Without loss of generality, we assume all operations are unitaries or projective measurements, since we can expand the private registers C and A appropriately. A 2-fold parallel repetition of ( , ) is simply For ∈ {1, 2}, we write to denote the unitary that applies on registers M , C ; to denote the projective measurement on registers M , C . Suppose ( , ) has computational soundness + negl, and we would like to prove that ( ⊗2 , ⊗2 ) has computational soundness 2 + negl. Assume for the sake of contradiction that there is a 2-fold adversary ( , |aux⟩) that achieves an inverse polynomial (for simplicity) advantage over 2 . That is, the adversary is accepted with probability 2 , where − is inverse polynomial. Our goal is to construct a 1-fold adversary that is accepted by the original challenger with probability close to .
We first give a unified high-level approach of the classical proof for both tight parallel repetition [10] and the XOR lemma [40] (or Levin's isolation lemma [19,28]). Later we will extend this high-level approach to the quantum setting. The main idea behind all these proofs is similar: we construct a 1-fold adversary by simulating a second challenger with a suitable challenge. Consider the following two cases.
(i) There exists a fixed challenge 2 such that running the 2-fold adversary on ( , 2 ) outputs a response that is accepted by the first repetition with probability ≥ .
(ii) For every challenge in the second repetition, the adversary is accepted by the first repetition with probability ≤ .
If we are in case (i), then we can construct a non-uniform adversary by giving the 1-fold adversary 2 as advice. On the other hand, if we are in case (ii), then the 2-fold adversary is accepted by the second repetition with probability ≥ whenever it breaks the first repetition. To see why this is the case, let 1 ( ), 2 ( ) be the events that the adversary is accepted by the first/second repetition on a random challenge respectively. Then by Bayes' rule, implying that E 2 [Pr[ 2 | 1 ]] ≥ . Thus the algorithm for the 1-fold adversary is to simulate the 2-fold protocol, with a real challenger sampling 1 for the first repetition and the challenge in the second repetition until the first repetition accepts, and then return the response to the second challenger.

We now attempt to generalize this to the quantum setting. As a first attempt, a natural quantum analogue of case (i) could be the condition which says that there is some message | ⟩ we can insert into the second repetition so the adversary wins the first repetition with probability at least . The reduction for this case is straightforward: put the real challenge in M 1 , run the adversary , then output M 1 ; this succeeds with probability by equation (2). We will see soon that case (ii) requires a slightly different condition, but for now we will proceed with equation (2) as stated. Equation (1) suggests the following natural reduction for case (ii):
(1) Initialize |0⟩ M 1 C 1 and simulate the challenger in the first repetition by running 1 .
(2) Put the real challenge in M 2 .
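The classical two-case argument just sketched, worked through on a constructed toy game as an added example (our illustration, not code from the paper): challenges are assumed uniform over a small set, the 2-fold adversary is modelled by a constructed outcome function saying which repetitions accept, and `DELTA` plays the role of the single-repetition soundness.

```python
"""Added example: the classical two-case analysis behind 2-fold parallel
repetition, on a constructed toy game. Not from the paper.

Assumptions (ours): each repetition's challenge is uniform over range(N); a
2-fold adversary is summarised by outcome(c1, c2) -> (w1, w2), where w1 / w2
say whether repetition 1 / repetition 2 accepts; DELTA is the assumed
single-repetition soundness."""
from fractions import Fraction
import random

N = 5
DELTA = Fraction(1, 2)


def toy_outcome(c1, c2):
    """Constructed 2-fold adversary. For every c2 it breaks repetition 1 on
    two of the five c1 values (so Pr[W1 | c2] = 2/5 < DELTA, i.e. case (ii)),
    and also breaks repetition 2 whenever it breaks repetition 1, except for
    c2 in {3, 4}, where only c1 == c2 also breaks repetition 2."""
    w1 = c1 in (c2, (c2 + 1) % N)
    w2 = w1 and (c2 < 3 or c1 == c2)
    return w1, w2


def joint_success(outcome):
    """Pr[W1 and W2] over uniformly random (c1, c2): the 2-fold win rate."""
    wins = sum(1 for c1 in range(N) for c2 in range(N) if all(outcome(c1, c2)))
    return Fraction(wins, N * N)


def prob_w1_given_c2(outcome, c2):
    """Pr_{c1}[W1 | c2]: how often repetition 1 is broken when the second
    challenge is fixed to c2 (the quantity that decides case (i))."""
    return Fraction(sum(1 for c1 in range(N) if outcome(c1, c2)[0]), N)


def case_analysis(outcome, delta):
    """('i', c2, p) if some fixed c2 breaks repetition 1 with probability
    p >= delta (c2 is the non-uniform advice); otherwise ('ii', None, e) with
    e = E_{c2}[Pr[W2 | W1, c2]], the rejection-sampling adversary's success."""
    best_c2 = max(range(N), key=lambda c2: prob_w1_given_c2(outcome, c2))
    p = prob_w1_given_c2(outcome, best_c2)
    if p >= delta:
        return "i", best_c2, p
    total = Fraction(0)
    for c2 in range(N):
        both = sum(1 for c1 in range(N) if all(outcome(c1, c2)))
        first = sum(1 for c1 in range(N) if outcome(c1, c2)[0])
        # If repetition 1 never accepts for this c2 the sampler never stops;
        # count that as a loss.
        total += Fraction(both, first) if first else Fraction(0)
    return "ii", None, total / N


def bayes_lower_bound(outcome, delta):
    """The Bayes' rule step of case (ii): Pr[W1 | c2] <= delta for all c2, so
    Pr[W2 | W1, c2] = Pr[W1 and W2 | c2] / Pr[W1 | c2] >= Pr[W1 and W2 | c2] / delta;
    averaging over c2 gives E[Pr[W2 | W1]] >= Pr[W1 and W2] / delta > delta
    whenever the joint success exceeds delta^2."""
    return joint_success(outcome) / delta


def rejection_sampling_adversary(outcome, c2, rng, max_tries=10_000):
    """1-fold adversary for case (ii): simulate repetition 1 with a fresh c1
    until it accepts, then forward the repetition-2 response to the real
    challenger. Returns whether the real challenger accepts."""
    for _ in range(max_tries):
        c1 = rng.randrange(N)
        w1, w2 = outcome(c1, c2)
        if w1:
            return w2
    return False


def estimate_success(outcome, trials=20_000, seed=1):
    """Monte Carlo estimate of the rejection-sampling adversary's success on
    a uniformly random real challenge c2 (should match case_analysis)."""
    rng = random.Random(seed)
    wins = sum(rejection_sampling_adversary(outcome, rng.randrange(N), rng)
               for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("Pr[W1 and W2] =", joint_success(toy_outcome), "vs delta^2 =", DELTA ** 2)
    print("case analysis :", case_analysis(toy_outcome, DELTA))
    print("Bayes bound   :", bayes_lower_bound(toy_outcome, DELTA))
    print("simulated     :", estimate_success(toy_outcome))
```

For the constructed adversary the joint success is 8/25 against a threshold of 1/4, the analysis lands in case (ii), and the rejection sampler wins with probability 4/5, above the Bayes bound of 16/25.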
As a seasoned reader might expect at this point, naïve rejection sampling does not immediately generalize to the quantum setting. This is because measuring 1 disturbs M 2 , and it is not in general possible to clone the state on M 2 ; worse, it may be that this state is entangled with the challenger's private register C 2 . Indeed, for canonical form commitment schemes, M 2 and C 2 are highly entangled, and the challenger will later check for the presence of entanglement.
Attempt: Alternating projectors. Classical rejection sampling can be thought of as a form of rewinding. Hence a natural first attempt is to try to apply recent quantum rewinding techniques [11,12,30,38]. Following these works, we can implement a form of post-selection without cloning by alternating 1 (the first repetition accepting) with the projective measurement 1 := ( 1 ) |0⟩⟨0| M 1 C 1 ( 1 ) † (the first repetition being initialized correctly) until 1 accepts.
There are a few issues with this attempt. Alternating projector algorithms can be analyzed via the Jordan (singular value) decomposition of 1 1 = | ⟩⟨ |. Before the post-selection step, the state is clearly in 1 , and so it can be written as 1 2 |aux⟩ |0⟩ = | ⟩. For simplicity, assume for now that we are able to rotate all the singular vectors and that the singular values are all non-zero; then the output state of the alternating projectors will be where | ˜ ⟩ is the alternating projection history register that only depends on the singular value (which may be subnormalized). The presence of the history register is problematic since tracing it out amounts to measuring the singular value . Since this measurement is unlikely to commute with 2 , we cannot argue that the success probability is at least as above. To avoid this problem, we would need to uncompute the history register, which we do not know how to do.
Even if we ignore this issue, and assume we can somehow uncompute the history to obtain the state we still would not be able to say that the adversary is accepted with high probability. Recall that our "target" state is The best bound we can get (via the triangle inequality and equation (3)) is which may be trivial (e.g. if ≈ 1 for ≪ √ ). Note that this last term can be shown to be non-negative in the classical case, but this could fail quantumly due to the possibility of destructive interference with respect to 2 . Therefore, we cannot hope to simply improve the bound on the probability without changing the state | ⟩ itself.
Solution: QSVT. To summarize, the alternating projectors approach suffers from two issues: (a) loss of coherence due to explicit computation of , and (b) incorrect weighting of different singular vectors. To solve both of these issues, we make use of a more sophisticated quantum algorithmic tool, the quantum singular value transformation (QSVT) [18]. Roughly, the QSVT enables efficient, coherent transformations of the form for low-degree real polynomials with | ( )| ≤ 1 when | | ≤ 1. We observe that our post-selection task corresponds to ( ) = / √ . Then Gilyen et al. [18, Theorem 17] show how to construct a low-degree function which does satisfy the boundedness conditions, and which approximates / √ on the range [0, √ ]. Applying the QSVT with respect to this achieves the necessary post-selection, provided the spectral norm (maximum singular value) of 1 1 is bounded by √ . Furthermore, the reduction goes through as long as the approximation error is ≪ − .
Now we want a promise that all of the singular values of 1 1 are at most √ in order to satisfy the necessary boundedness conditions. To achieve this, we simply change the condition for case (ii) to be that the singular values of 1 1 are bounded by √ , and thus in this case we can safely apply the QSVT to approximately post-select. However, we note that the negation of this condition is no longer equation (2), as 1 1 might have a large singular value corresponding to a state that does not come from a state of the form Nevertheless, we can "fix" case (i) by taking advantage of non-uniformity. Suppose that 1 1 has some singular value larger than √ , and let That is, in case (i) the adversary ( , | ⟩) achieves success probability , which completes the proof in the non-uniform case. Note that, unlike in the classical case, | ⟩ may be entangled across A and M 2 .
Extension to -fold repetition. In the classical setting for general , we have cases as follows. Let be the event that the adversary wins the -th repetition of the protocol, and suppose that Pr[ ] ≥ . It is straightforward to generalize the above to see that there exists some ∈ [ ] and +1 , ..., such that , +1 , ..., ] ≥ , and we can follow the same rejection sampling strategy as above.
In the quantum setting, we similarly generalize the projector 1 from the 2-fold case as and define ≤ := 1 . . . . By assumption, , and so in particular the spectral norm of ≤ ≤ is at least . It follows that there is some Therefore, given as non-uniform advice a state | ⟩ with , by applying the QSVT with respect to < < as in case (ii) above we obtain an adversary with success probability .

Uniform Reduction
In the previous section, we made crucial use of non-uniformity to provide the adversary with an index satisfying equation ( 5) and a vector | ⟩ with ≤ ≤ | ⟩ ≥ √ .In this section, we will describe how to e ciently prepare , | ⟩ from (polynomially many copies of) the adversary's initial state |aux⟩.
We will need to start by relaxing equation ( 5), as we cannot in general e ciently check the spectral norm of an operator.We address this by observing that our spectral norm condition for postselection via the QSVT can be substantially weakened: it su ces for the input state to have small (≪ ) amplitude on (right) singular vectors | ⟩ of < < with singular value > √ −1 .Our task then becomes, formally: nd an index and state . This is in fact a quantum analogue of a main algorithmic task in the preprocessing phase of [10].In more detail, the analogous classical task is to nd and a sequence of challenges +1 , . . ., such that, (i) after xing challenges +1 , . . ., in repetitions +1, . . ., , the residual probability of winning the rst repetitions is at least , and (ii) with probability ≫ 1 − over , after xing , . . ., in repetitions , . . ., , the probability of winning the rst − 1 repetitions is at most −1 .Let us suppose for now that we have access to the binary projective "singular value threshold" measurement Π ( ) = , ( ) > √ | ( ) ⟩⟨ ( ) |, for each . 2 We do not know how to realize this measurement e ciently, but it can be approximated in some sense [12,18].This will introduce a number of technical complications that we address later; for now, we assume access to the exact measurement.Observe that we can write condition (ii) equivalently as Our rst attempt at a uniform reduction is as follows.We apply (Π ( −1) , − Π ( −1) ) to ≫ 1/ copies of | ⟩.If we ever see the outcome Π ( −1) , the post-measurement state | −1 ⟩ is in Π ( −1) , and so Unfortunately, this approach only works for constant .To see why, notice that to prepare a single copy of | −1 ⟩ we may need 1/ copies of | ⟩.Unlike in the classical setting, we cannot in general clone | ⟩.Hence the number of copies of | ⟩ required (and the running time of the algorithm) scales as Ω(1/ 2 ), which may be superpolynomial for = (1).
Second attempt.To resolve this issue, we note that in order for the non-uniform reduction to work, it su ces to simply produce along with any state in Π ( ) with a small enough overlap with Π ( −1) , therefore in the case we measure − Π ( −1) , it su ces to recover a state from Π ( ) instead of recovering exactly | ⟩.This is reminiscent of the "state repair" problem encountered in quantum rewinding [12]; our algorithm will follow that template.In more detail, the reduction works as follows.
Using Jordan's lemma, and via similar reasoning to [12], it is possible to show that (i) because at the beginning of the -th loop iteration, the state is in Π ( ) , the number of measurements performed in step 2b is ( ) in expectation; and (ii) if we never see 1) in step 2a then with high probability the state | ⟩ output by the algorithm on termination satis es Π ( −1) | ⟩ Adapting to approximate POVMs.The algorithm described above is correct assuming access to the projectors Π ( ) .In reality, we can only approximate them using (e.g.) Marriott-Watrous [31].Furthermore, this approximate implementation is not a projection but a POVM; equivalently, it is a projection Π( ) acting on the register A and an auxiliary register W that is initially set to |0⟩.
This approach almost works but for a subtle technical issue. Even though W −1 and W will be initialized to |0⟩, after applying the first two projections in step 2a, we no longer have any guarantees about the ancilla registers. Therefore, even if we measure that Π accepts, it does not imply that we have a state close to Π since it could be that the ancilla registers were malformed.
As a starting point, let us first look at how well the previous algorithm works if we simply plug in Π( ) 's (we omit the zero projector on the ancillas to keep the notations simple). Since the ancillary issue only arises after we perform two projections Π( −1) and Π( ) , we observe:

(1) If Π( −1) accepts in the first iteration, we must still (approximately) have a vector in Π ( −1) as the ancilla is initialized to zero at the beginning.

(2) Furthermore, the alternating projections can still estimate the singular value. If we, instead of going to − 1 whenever Π ( −1) accepts, estimate the singular value and only declare we are in case when we are below some minuscule threshold, it turns out to still work. This is because as long as the threshold is small enough, when we are below the threshold, by gentle measurement, it must be the case that the auxiliaries are not too far from zero. Thus a small singular vector between Π's is also a relatively small singular vector between Π's.

(3) Now it remains to handle the last case where the first measurement rejects but the estimated singular value is still higher than the threshold. The final observation is that the probability that we reach the last case is in fact bounded away from 1 for any starting state: intuitively, if the starting state has a large overlap with Π ( −1) then the first clause catches it with noticeable probability, otherwise the second clause catches it with noticeable probability. Therefore, when we reach the last case, we can simply recover any state in Π ( ) again so that we can restart from the beginning. Since the algorithm succeeds for any starting state with some probability, even if in each iteration the starting state is different, we will still eventually reach one of the two good cases with a sufficiently large number of trials.
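The two ingredients used above, Jordan's lemma for a pair of projectors and the alternating-projection estimate of the singular value in observation (2), can be checked numerically on a small instance. The following numpy simulation is an added illustration and not code from the paper: it constructs two projectors on a 4-dimensional space that decompose into two 2-dimensional Jordan blocks, recovers the block angles from the singular values of the product of the projectors, and runs a Marriott-Watrous style alternating measurement that estimates cos²θ for the block containing the input state. The projectors, the angles 0.3 and 1.0, the starting state and the round count are constructed sample values, and the names `p_a`/`p_b` stand in for the threshold projectors of consecutive repetitions only by analogy.

```python
import numpy as np


def projector(vectors):
    """Orthogonal projector onto the span of the given vectors (one per row)."""
    q, _ = np.linalg.qr(np.asarray(vectors, dtype=float).T)
    return q @ q.T


def jordan_angles(p_a, p_b, tol=1e-9):
    """Angles of the 2-dimensional Jordan blocks of two projectors.

    By Jordan's lemma the nonzero singular values of p_a @ p_b are the cosines
    of the principal angles between range(p_a) and range(p_b); we return the
    angles in ascending order (descending singular value)."""
    s = np.linalg.svd(p_a @ p_b, compute_uv=False)
    s = np.clip(s[s > tol], 0.0, 1.0)
    return np.arccos(s)


def measure(state, proj, rng):
    """Binary projective measurement {proj, I - proj} on a real pure state.

    Returns (outcome, normalised post-measurement state); outcome 1 = accept."""
    accepted = proj @ state
    p_accept = min(max(float(accepted @ accepted), 0.0), 1.0)
    if rng.random() < p_accept:
        return 1, accepted / np.sqrt(p_accept)
    rejected = state - accepted
    return 0, rejected / np.sqrt(1.0 - p_accept)


def alternating_estimate(state, p_a, p_b, n_rounds, rng):
    """Alternate the two binary measurements and estimate cos^2(theta).

    Inside a single Jordan block with angle theta, each outcome differs from
    the previous one with probability sin^2(theta), whatever the current state
    is, so 1 - (fraction of outcome flips) estimates the squared singular
    value cos^2(theta) of that block."""
    prev, state = measure(state, p_a, rng)
    projs = (p_b, p_a)
    flips = 0
    for i in range(n_rounds):
        outcome, state = measure(state, projs[i % 2], rng)
        flips += int(outcome != prev)
        prev = outcome
    return 1.0 - flips / n_rounds, state


def run_demo(seed=0, n_rounds=4000):
    """Constructed instance: two Jordan blocks with angles 0.3 and 1.0 rad."""
    theta1, theta2 = 0.3, 1.0
    e = np.eye(4)
    b1 = np.cos(theta1) * e[0] + np.sin(theta1) * e[1]
    b2 = np.cos(theta2) * e[2] + np.sin(theta2) * e[3]
    p_a = projector([e[0], e[2]])  # analogue of the projector for repetition k-1
    p_b = projector([b1, b2])      # analogue of the projector for repetition k
    angles = jordan_angles(p_a, p_b)
    rng = np.random.default_rng(seed)
    # Start from a state in range(p_b) lying entirely in the first block.
    estimate, _ = alternating_estimate(b1, p_a, p_b, n_rounds, rng)
    return {
        "angles": [float(a) for a in angles],
        "estimate": estimate,
        "exact": float(np.cos(theta1) ** 2),
    }


if __name__ == "__main__":
    print(run_demo())
```

Comparing `estimate` against a threshold is exactly the decision made in observation (2): a state whose estimated squared singular value falls below the threshold is treated as lying (approximately) in the small-singular-value subspace, and the gentle-measurement argument in the text is what justifies trusting that estimate when the ancillas are not guaranteed to be |0⟩.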
Leveraging these three observations, we solve this final issue by modifying the loop (step 2) with a more careful algorithm as follows:

An additional key change is that we are now alternating Π( ) ⊗ |0⟩⟨0| W −1 and ( − Π( −1) ) ⊗ |0⟩⟨0| W . We also use state repair again to recover a new state for the next iteration. We remark that in order for the algorithm to work we also need to slightly shift the singular value threshold in each iteration, but we refer the readers to the full proof for these technical details.
We now formalize the observations above to analyze this new algorithm. Note that if the first application of ( − Π( −1) ) ⊗ |0⟩⟨0| W rejects, it must be that the post-measurement state is in Π( −1) because W is initialized to |0⟩; this is not true for subsequent applications because the measurement may have rejected due to a malformed ancilla.
To argue correctness, we consider two cases. The first case is when, in some iteration of the inner loop, the estimate is above the threshold 1 − . In this case we must show that the post-measurement state = Tr W (| ⟩⟨ |) on A is (almost completely) in Π ( ) and has very small overlap with Π ( −1) .
Otherwise, if is always below 1 − , then in each iteration of the inner loop, we will terminate in step (a)(i) with probability at least .It follows that, since ≫ 1/ , with overwhelming probability the loop will terminate in one of these two cases.
Remark 10 (Advice preservation). We note that, while our reduction preserves uniformity, it is not strictly advice-preserving (or constructive [5]), as it requires many copies of the adversary's advice state. This is inherent for any quantum reduction whose success probability ought to be higher than that of the adversary. Indeed, this is true even classically for randomized advice (and hence also for quantum advice via purification): given an adversary which succeeds with probability over the advice distribution, a black-box reduction given only one sample from the advice distribution cannot succeed with probability greater than in general.
We remark that the only reason for requiring many copies of the advice is in order to obtain a state in Π ( ) in step 1. Thus, if the advice state is already in Π ( ) , one copy suffices.

Round Compression
We analyze the soundness of the round compression transformation of Kempe et al. [24] when applied to argument systems. At a high level, their transformation works by recursively converting an ( + 1)-message protocol into an ( /2+1)-message compressed protocol. In an honest execution, the prover begins by simulating the original ( + 1)-message protocol until the /2-th message, and sends the original uncompressed verifier's private registers to the challenger in the compressed protocol. From there, the verifier flips a coin, deciding whether to continue by running the original protocol forwards or backwards in time.
If the verifier decides to execute the protocol backwards in time, the honest prover and verifier apply the inverse of the uncompressed protocol, and at the end the verifier measures whether their private register returns to the state |0⟩. On the other hand, if the verifier decides to execute the protocol forwards, the honest prover and verifier execute the remainder of the uncompressed protocol and the verifier checks the same predicate that the uncompressed verifier does at the end of the uncompressed protocol.
Completeness is straightforward: the honest prover simply simulates the protocol using the original prover and verifier up to the midpoint, and then cooperates with the verifier to compute the protocol in either the forward or the backward direction. To show (computational) soundness, we demonstrate an efficient reduction from an adversary for the compressed protocol to an adversary for the uncompressed protocol. In particular, the adversary for the uncompressed protocol simulates an interaction between the compressed adversary and the compressed verifier, conditioned on the verifier executing the protocol backwards. The adversary can then measure the simulated verifier's register and, conditioned on that measurement accepting, the adversary now has a good initial state for the uncompressed protocol, and the state of the simulated verifier's register is |0⟩, so it can be discarded.
From there, the adversary sends their first message and continues by applying the inverse of the compressed adversary until round /2. After round /2, they apply the same unitaries as the compressed adversary, conditioned on the compressed verifier executing the protocol forward in time. Assuming that the compressed adversary was accepted with probability (1 − ), we show that the state after simulating either the forwards or backwards protocol is (1 − 4 )-close in squared Bures distance to a state that is accepted by the challenger in both cases. Using the weak triangle inequality for the squared Bures distance, we find that the state of the verifier at the end of the protocol is (1 − 16 )-close in squared Bures distance to a state that is accepted by the challenger, implying that the challenger accepts with probability 1 − 16 . The use of squared Bures distance, instead of the more commonly-used trace distance, avoids a blowup from to √ in this step.
This process halves the number of rounds at a cost of mapping 1 − soundness to 1 − /16. Iterating this protocol log times, where is the number of messages in the original protocol, we arrive at a 3-message protocol with soundness 1 − / 4 .
To see this, observe that by gentle measurement the state | ⟩ is √ -close to a state of the form | ⟩ A |0⟩ W .The state | ⟩ then has the property that