Classical zero-knowledge arguments for quantum computations

We show that every language in QMA admits a classical-verifier, quantum-prover zero-knowledge argument system which is sound against quantum polynomial-time provers and zero-knowledge for classical (and quantum) polynomial-time verifiers. The protocol builds upon two recent results: a computational zero-knowledge proof system for languages in QMA, with a quantum verifier, introduced by Broadbent et al. (FOCS 2016), and an argument system for languages in QMA, with a classical verifier, introduced by Mahadev (FOCS 2018).


Introduction
The paradigm of the interactive proof system is a versatile tool in complexity theory. Although traditional complexity classes are usually defined in terms of a single Turing machine-NP, for example, can be defined as the class of languages which a non-deterministic Turing machine is able to decide-many have reformulations in the language of interactive proofs, and such reformulations often inspire natural and fruitful variants on the traditional classes upon which they are based. (The class MA, for example, can be considered a natural extension of NP under the interactive-proof paradigm.) Intuitively speaking, an interactive proof system is a model of computation involving two entities, a verifier and a prover, the former of whom is computationally efficient, and the latter of whom is unbounded and untrusted. The verifier and the prover exchange messages, and the prover attempts to 'convince' the verifier that a certain problem instance is a yes-instance. We can define some particular complexity class as the set of languages for which there exists an interactive proof system that 1) is complete, 2) is sound, and 3) has certain other properties which vary depending on the class in question. Completeness means, in this case, that for any problem instance in the language, there is an interactive proof involving r messages in total that the prover can offer the verifier which will cause it to accept with at least some probability p; and soundness means that, for any problem instance not in the language, no prover can cause the verifier to accept, except with some small probability q. For instance, if we require that the verifier is a deterministic polynomial-time Turing machine, and set r = 1, p = 1, and q = 0, the class that we obtain is of course the class NP. If we allow the verifier to be a probabilistic polynomial-time machine, and set r = 1, p = 2 3 , q = 1 3 , we have MA. Furthermore, if we allow the verifier to be an efficient quantum machine, and we allow the prover to communicate with it quantumly, but we retain the parameter settings from MA, we obtain the class QMA. Finally, if we allow r to be any polynomial in n, where n is the size of the problem instance, but otherwise preserve the parameter settings from MA, we obtain the class IP.
For every complexity class thus defined, there are two natural subclasses which consist of the languages that admit, respectively, a statistical and a computational zero-knowledge interactive proof system with otherwise the same properties. The notion of a zero-knowledge proof system was first considered by Goldwasser, Micali and Rackoff in [GMR89], and formalises the surprising but powerful idea that the prover may be able to prove statements to the verifier in such a way that the verifier learns nothing except that the statements are true. Informally, an interactive proof system is statistical zero-knowledge if an arbitrary malicious verifier is able to learn from an honest prover that a problem instance is a yes-instance, but can extract only negligible amounts of information from it otherwise; and the computational variant provides the same guarantee only for malicious polynomial-time verifiers. For IP in particular, the subclass of languages which admit a statistical zero-knowledge proof system that otherwise shares the same properties had by proof systems for languages in IP is known as SZK. Its computational sibling, meanwhile, is known as CZK. It is well-known that, contingent upon the existence of one-way functions, NP ⊆ CZK: computational zero-knowledge proof systems have been known to exist for every language in NP since the early 1990s ( [GMW91]). However, because these proof systems often relied upon intractability assumptions or techniques (e.g. 'rewinding') that failed in quantum settings, it was not obvious until recently how to obtain an analogous result for QMA. One design for a zero-knowledge proof system for languages in QMA was introduced by Broadbent, Ji, Song and Watrous in [BJSW16]. Their work establishes that, provided that a quantum computationally concealing, unconditionally binding commitment scheme exists, QMA ⊆ QCZK.
There are, of course, a myriad more variations on the theme of interactive proofs in the quantum setting, each of which defines another complexity class. For example, motivated partly by practical applications, one might also consider the class of languages which can be decided by an interactive proof system involving a classical verifier and a quantum prover communicating classically, in which the soundness condition still holds against arbitrary provers, but the honest prover can be implemented in quantum polynomial time.
(For simplicity, we denote this class by IP BQP .) The motivation for this specific set of criteria is as follows: large-scale quantum devices are no longer so distant a dream as they seemed only a decade ago. If and when we have such devices, how will we verify, using our current generation of classical devices, that our new quantum computers can indeed decide problems in BQP? This problem-namely, the problem of showing that BQP ⊆ IP BQP -is known informally as the problem of quantum verification.
The problem of quantum verification has not yet seen a solution, but in recent years a number of strides have been made toward producing one. As of the time of writing, protocols are known for the following three variants on the problem: 1. It was shown in [ABE10,ABOEM17] and [BFK09,FK17] that a classical verifier holding a singlequbit quantum register can decide languages in BQP by communicating quantumly with a single BQP prover. The protocol presented for this purpose is sound against arbitrary provers.
in the form of ground states of an associated local Hamiltonian.) In this work, we show that the protocol which [Mah18] introduces for this purpose can be combined with the zero-knowledge proof system for QMA presented in [BJSW16] in order to obtain a zero-knowledge argument system for QMA. It follows naturally that, if the LWE assumption holds, and quantum computationally hiding, unconditionally binding commitment schemes exist, QMA ⊆ CZK-QPIP 0 , where the latter refers to the class of languages for which there exists a computational zero-knowledge interactive argument system involving a classical verifier and a quantum polynomial-time prover. Zero-knowledge protocols for languages in NP are an essential component of many cryptographic constructions, such as identification schemes, and are often used in general protocol design (for example, one can force a party to follow a prescribed protocol by requiring it to produce a zeroknowledge proof that it did so). Our result opens the door for the use of zero-knowledge proofs in protocols involving classical and quantum parties which interact classically in order to decide languages defined in terms of quantum information (for instance, to verify that one of the parties possesses a quantum state having certain properties).
We now briefly describe our approach to the problem. The proof system for languages in QMA presented in [BJSW16] is almost classical, in the sense that the only quantum action which the honest verifier performs is to measure a quantum state after applying Clifford gates to it. The key contribution which [Mah18] makes to the problem of verification is to introduce a measurement protocol which, intuitively, allows a classical verifier to obtain honest measurements of its prover's quantum state. The combining of the proof system from [BJSW16] and the measurement protocol from [Mah18] is therefore a fairly natural action.
That the proof system of [BJSW16] is complete for languages in QMA follows from the QMA-completeness of a problem which the authors term the 5-local Clifford Hamiltonian problem. However, the argument system which [Mah18] presents relies upon the QMA-completeness of the well-known 2-local XZ Hamiltonian problem (see Definition 2.1). For this reason, the two results cannot be composed directly. Our first step is to make some modifications to the protocol introduced in [BJSW16] so it can be used to verify that an XZ Hamiltonian is satisfied, instead of verifying that a Clifford Hamiltonian is satisfied. We then introduce a composite protocol which replaces the quantum measurement in the protocol from [BJSW16] with an execution of the measurement protocol from [Mah18]. With the eventual object in mind of proving that the result is sound and zero-knowledge, we introduce a trapdoor check step into our composite protocol, and split the coin-flipping protocol used in the proof system from [BJSW16] into two stages. We explain these decisions briefly here, after we present a summary of our protocol and its properties, and refer the reader to Sections 3, 4 and 5 for fuller expositions.
The protocol involves 1. A verifier, which runs in classical probabilistic polynomial time; 2. A prover, which runs in quantum polynomial time.
Inputs. The protocol requires the following primitives: • A perfectly binding, quantum computationally concealing commitment protocol.
• A zero-knowledge proof system for NP.
Apart from the above cryptographic primitives, we assume that the verifier and the prover also receive the following inputs.
promise problem is complete for QMA, any input to any decision problem in QMA can be reduced to an instance of the 2-local XZ Hamiltonian problem. 2. Input to the prover: the Hamiltonian H, the numbers a and b, and the quantum state ρ = σ ⊗m , where σ is a ground state of the Hamiltonian H. Protocol.
1. The prover applies an encoding process to ρ. Informally, the encoding can be thought of as a combination of an encryption scheme and an authentication scheme: it both hides the witness state ρ and ensures that the verifier cannot meaningfully tamper with the measurement results that it reports in step 5. Like most encryption and authentication schemes, this encoding scheme is keyed. For convenience, we refer to the encoding procedure determined by a particular encoding key K as E K . 1 2. The prover commits to the encoding key K from the previous step using a classical commitment protocol, and sends the resulting commitment string z to the verifier.
3. The verifier and the prover jointly decide which random terms from the Hamiltonian H the verifier will check by executing a coin-flipping protocol. ('Checking terms of H' means that the verifier obtains measurements of the state E K (ρ) and checks that the outcomes are distributed a particular way-or, alternatively, asks the prover to prove to it that they are.) However, because it is important that the prover does not know which terms will be checked before the verifier can check them, the two parties only execute the first half of the coin-flipping protocol at this stage. The verifier commits to its part of the random string, r v , and sends the resulting commitment string to the prover; the prover sends the verifier r p , its own part of the random string; and the verifier keeps the result of the protocol r = r v ⊕ r p secret for the time being. The random terms in the Hamiltonian which the verifier will check are determined by r.
4. The verifier and the prover execute the measurement protocol from [Mah18]. Informally, this allows the verifier to obtain honest measurements of the qubits of the prover's encoded witness state, so that it can check the Hamiltonian term determined by r. The soundness guarantee of the measurement protocol prevents the prover from cheating, even though the prover, rather than the verifier, is physically performing the measurements. This soundness guarantee relies on the security properties of a family of trapdoor one-way functions termed an ETCFF family in [Mah18]. Throughout the measurement protocol, the verifier holds trapdoors for these one-way functions, but the prover does not, and this asymmetry is what allows the (intrinsically weaker) verifier to ensure that the prover does not cheat.
5. The verifier opens its commitment to r v , and also sends the prover its measurement outcomes u and function trapdoors from the previous step.
6. The prover checks, firstly, that the verifier's trapdoors are valid, and that it did not tamper with the measurement outcomes u. (It can determine the latter by making use of the authentication-scheme-like properties of E K from step 1.) If both tests pass, it then proves the following statement to the verifier, using a zero-knowledge proof system for NP: There exists a string s p and an encoding key K such that z = commit(K, s p ) and Q(K, r, u) = 1.
The function Q is a predicate which, intuitively, takes the value 1 if and only if both the verifier and the prover were honest. In more specific (but still informal) terms, Q(K, r, u) takes the value 1 if u contains the outcomes of honest measurements of the state E K (ρ), where ρ is a state that passes the set of Hamiltonian energy tests determined by r.
Lemma 1.2 (soundness; informal). In a no-instance execution of Protocol 1.1, the probability that the verifier accepts is at most a constant negligibly close to 3 4 . Lemma 1.3 (zero-knowledge; informal). In a yes-instance execution of Protocol 1.1, and provided that Assumptions 3.1 hold, there exists a classical probabilistic polynomial-time (resp. quantum polynomial-time) simulator for any classical probabilistic (resp. quantum) polynomial-time verifier interacting with the honest prover such that the simulator's output is classical (resp. quantum) computationally indistinguishable from that of the verifier.
The reason we delay the verifier's reveal of r v (rather than completing the coin-flipping in one step, as is done in the protocol in [BJSW16]) is fairly easily explained. In our classical-verifier protocol, the prover cannot physically send the quantum state E K (ρ) to its verifier before the random string r is decided, as the prover of the protocol in [BJSW16] does. If we allow our prover to know r at the time when it performs measurements on the witness ρ, it will trivially be able to cheat.
The trapdoor check, meanwhile, is an addition which we make because we wish to construct a classical simulator for our protocol when we prove that it is zero-knowledge. Since our verifier is classical, we need to achieve a classical simulation of the protocol in order to prove that its execution (in yes-instances) does not impart to the verifier any knowledge it could not have generated itself. During the measurement protocol, however, the prover is required to perform quantum actions which no classical polynomial-time algorithm could simulate unless it had access to the verifier's function trapdoors. Naturally, we cannot ask the verifier to reveal its trapdoors before the measurement protocol takes place. As such, we ask the verifier to reveal them immediately afterwards instead, and show in Section 5 that this (combined with the encryptionscheme properties of the prover's encoding E K ) allows us to construct a classical simulator for Protocol 1.1 in yes-instances.
The organisation of the paper is as follows.
1. Section 2 ('Ingredients') outlines the other protocols which we use as building blocks.
3. Section 4 ('Soundness of protocol') proves that the argument system introduced in section 3 is sound against quantum polynomial-time provers.
4. Section 5 ('Zero-knowledge property of protocol') proves that the argument system is zero-knowledge (that yes-instance executions can be simulated classically).
Remark 1.4. As Broadbent et al. note in [BJSW16, Section 1.3], argument systems can often be made zeroknowledge by employing techniques from secure two-party computation (2PC). The essential idea of such an approach, applied to our particular problem, is as follows: the prover and the verifier would jointly simulate the classical verifier of the [Mah18] measurement protocol using a (classical) secure two-party computation protocol, and zero-knowledge would follow naturally from simulation security. (This technique is similar in spirit to those which are used in [BOGG + 88] to show that any classical-verifier interactive proof system can be made zero-knowledge.) An advantage of the 2PC approach is that it might be applicable not only to the [Mah18] measurement protocol but also generically to any classical-verifier, computationally sound protocol. However, the end result would likely be rather inefficient and very black-box. We believe that our approach is a more direct and transparent solution to the problem at hand, and that it moreover provides an early example of how two important results might be fruitfully combined. Given that this is so, we expect that our approach may more easily lead to extensions and efficiency improvements in the future.

Ingredients
The protocol we present in section 3 combines techniques which were introduced in prior works for the design of protocols to solve related problems. In this section, we outline these protocols in order to introduce notation and groundwork which will prove useful in the remainder of the paper.

Single-qubit-verifier proof system for QMA ([MF16])
Morimae and Fitzsimons ( [MF16]) present a proof system for languages in QMA whose verifier is classical except for a single-qubit quantum register, and which is sound against arbitrary quantum provers. The proof system relies on the QMA-completeness of the 2-local XZ Hamiltonian problem, which is defined as follows. Yes: There exists an n-qubit state σ such that σ, H ≤ a. 2 No: For every n-qubit state σ, it holds that σ, H ≥ b.
Remark 2.2. Given a Hamiltonian H, we call any state σ * which causes σ * , H to take its minimum possible value a ground state of H, and we refer to the value σ * , H as the ground energy of H.
The following theorem is proven by Biamonte and Love in [BL08, Theorem 2].
Theorem 2.3. The 2-local XZ Hamiltonian problem is complete for QMA.
We now describe an amplified version of the protocol presented in [MF16], and give a statement about its completeness and soundness which we will use. (See [MF16] for a more detailed presentation of the unamplified version of this protocol.) Protocol 2.4 (Amplified variant of the single-qubit-verifier proof system for QMA from [MF16]).
Notation. Let L be any language in QMA; let x ∈ {0, 1} * be an input; and let (H, a, b) be the instance of the 2-local XZ Hamiltonian problem to which x reduces.
2. if x / ∈ L, the ground energy of H is at least b.
Let H = S s=1 d s H s , as in Definition 2.1. Define Parties. The proof system involves 1. A verifier, who implements a classical probabilistic polynomial-time procedure with access to a onequbit quantum register; and 2. A prover, who is potentially unbounded, but whose honest behaviour in yes-instances can be implemented in quantum polynomial time.
The verifier and the prover communicate quantumly.

Inputs.
1. Input to the verifier: the Hamiltonian H and the numbers a and b.
2. Input to the prover: the Hamiltonian H, the numbers a and b, and the quantum state ρ = σ ⊗m , where σ is a ground state of the Hamiltonian H. Protocol.
3. The prover sends a state ρ to the verifier one qubit at a time. (The honest prover sends the state σ ⊗m that consists of m copies of the ground state of H.) 4. The verifier measures H s j for j = 1, . . . , m, taking advantage of the fact that-if the prover is honest-it is given m copies of σ. ('Measuring H s j ', in this case, entails performing at most two single-qubit measurements, in either the standard or the Hadamard basis, on qubits in ρ, and then computing the product of the two measurement outcomes.) 5. The verifier initialises a variable Count to 0. For each j ∈ {1, . . . , m}, if the jth product that it obtained in the previous step was equal to −sign(d j ), the verifier adds one to Count.
6. If Count m is closer to 1 2 − a s 2|ds| than to 1 2 − b s 2|ds| , the verifier accepts. Otherwise, it rejects. Claim 2.5. Given an instance x = (H, a, b) of the 2-local XZ Hamiltonian problem, there is a polynomial P (depending only on a and b) such that, for any m = Ω(P (|x|)), the following holds. In a yes-instance, the procedure of Protocol 2.4 accepts the state ρ = σ ⊗m with probability exponentially close (in |x|) to 1. In a no-instance, the probability that it accepts any state is exponentially small in |x|.
Proof. Consider the probability (over the choice of r j and the randomness arising from measurement) that the jth measurement from step 4 of Protocol 2.4, conditioned on previous measurement outcomes, yields −sign(d j ). Denote this probability by q j .
As shown in [MNS16, Section IV], it is not hard to verify that 1. when x ∈ L, if the prover sends the honest witness σ ⊗m , then q j ≥ 1 2 − a s 2|ds| , and 2. when x / ∈ L, for any witness that the prover sends, q j ≤ 1 2 − b s 2|ds| . The difference between the two cases is inverse polynomial in the size of the input to the 2-local XZ Hamiltonian problem. It is straightforward to show that, for an appropriate choice of m, this inverse polynomial gap can be amplified to an exponential one: see Appendix B.
Remark 2.6. It will be useful later to establish at this point that, if the string r from step 1 of Protocol 2.4 is fixed, it is simple to construct a state ρ r which will pass the challenge determined by r with probability 1. One possible procedure is as follows.
It is clear that the ρ r produced by this procedure is a tensor product of |0 , |1 , |+ and |− qubits.

Measurement protocol ([Mah18])
In [Mah18], Mahadev presents a measurement protocol between a quantum prover and a classical verifier which, intuitively, allows the verifier to obtain trustworthy standard and Hadamard basis measurements of the prover's quantum state from purely classical interactions with it. The soundness of the measurement protocol relies upon the security properties of functions that [Mah18] terms noisy trapdoor claw-free functions and trapdoor injective functions, of which Mahadev provides explicit constructions presuming upon the hardness of LWE. (A high-level summary of these constructions can be found in Appendix A.) Here, we summarise the steps of the protocol, and state the soundness property that it has which we will use.
Parties. The proof system involves 1. A verifier, which implements a classical probabilistic polynomial-time procedure; and 2. A prover, which implements a quantum polynomial-time procedure.
The verifier and the prover communicate classically.

Inputs.
1. Input to the prover: an n-qubit quantum state ρ, whose qubits the verifier will attempt to derive honest measurements of in the standard and Hadamard bases.
2. Input to the verifier: (a) A string h ∈ {0, 1} n , which represents the bases (standard or Hadamard) in which it will endeavour to measure the qubits of ρ. h i = 0 signifies that the verifier will attempt to obtain measurement outcomes of the ith qubit of ρ in the standard basis, and h i = 1 means that the verifier will attempt to obtain measurement outcomes of the ith qubit of ρ in the Hadamard basis. (b) An extended trapdoor claw-free function family (ETCFF family), as defined in Section 4 of [Mah18]. The description of an ETCFF family specifies a large number of algorithms, and we do not attempt to enumerate them. Instead, we proceed to describe the verifier's prescribed actions at a level of detail which we believe to be sufficient for our purposes, and refer the reader to [Mah18] for a finer exposition. Protocol.
1. For each i ∈ {1, . . . , n} (see 'Inputs' above for the definition of n), the verifier generates an ETCFF function key κ i using algorithms provided by the ETCFF family, along with a trapdoor τ κ i for each function, and sends all of the keys κ to the prover. It keeps the trapdoors τ to itself. If h i = 0, the ith key κ i is a key for a trapdoor injective (g) function, and if h i = 1, it is a key for a noisy trapdoor claw-free (f ) function. Intuitively, the g functions are one-to-one trapdoor one-way functions, and the f functions are two-to-one trapdoor collision-resistant hash functions. The keys for f functions and those for g functions are computationally indistinguishable. (For convenience, we will from now on refer to the function specified by κ i either as f κ i or as g κ i . Alternatively, we may refer to it as η κ i if we do not wish to designate its type. 3 ) A brief outline of how these properties are achieved using LWE is given in Appendix A.
We make two remarks about the functions η κ i which will become relevant later.
The outputs of both the f and the g functions should be thought of not as strings but as probability distributions. The trapdoor τ κ i inverts the function specified by κ i in the sense that, given a sample y from the distribution Y = η κ i (b x), along with the trapdoor τ κ i , it is possible to recover b x, as well as any other b x which also maps to Y under η κ i (should it exist).
which takes as input an b x ∈ {0, 1} × X and a randomness e ∈ E, for some well-defined finite set E, and returns a sample y e from the distribution Y = η κ i (b x).
Definition 2.9. Let η κ i be the function specified by κ i , with domain {0, 1} × X . Let y be a sample from one of the distributions Y ∈ Y, where Y is the range of η κ i . We call b x ∈ {0, 1}×X a preimage of y if y is in the support of the probability distribution η κ i (b x). (It is guaranteed that the distributions in the range of η κ i have compact support.) 2. The prover uses the function keys κ 1 , . . . , κ n to 'commit' to the quantum state of each of the n qubits of ρ, and sends n commitment strings y 1 , . . . , y n to the verifier. We direct the reader to Sections 2.2 and 5.1 of [Mah18] for a high-level, and then a more detailed, description of the commitment procedure, and explanations of how such a procedure will allow the verifier to extract trustworthy standard and Hadamard basis measurements of the qubits of ρ. For convenience, we summarise the procedure without justification here.
For each i, the prover concatenates to the qubit indexed by i (which we call, following [Mah18], the ith 'committed qubit', and whose state we denote by 4 |ψ i = γ i |0 + δ i |1 ) a register (the 'preimage register') containing a uniform superposition over all x ∈ X (where {0, 1} × X is the domain of the function η κ i ). It also concatenates to it a register containing a superposition over all e ∈ E, with E defined as it is in Definition 2.8. It then applies the function η * κ i (see Definition 2.8) in superposition to x |ψ i |x |e , and collects the outputs in a new register (the 'output register'), obtaining the quantum state Finally, the prover measures the output register, obtains a sample y i , and sends y i to the verifier as its ith commitment string.
3. The verifier then chooses at random to run either a test round or a Hadamard round. Each option is chosen with probability 1 2 . (a) If a test round is chosen, the verifier requests standard basis measurements of each committed qubit |ψ i and its associated preimage register (recall that, in the previous step, only the output registers were measured), and receives measurement results β i , x i for i ∈ {1, . . . , n} from the prover. It then checks, for each i ∈ {1, . . . , n}, whether the ith measurement result is a preimage of y i . (See Definition 2.9 for a definition of the phrase 'preimage of y'.) More precisely: if h i = 0, the verifier accepts iff y i is in the support of (b) If a Hadamard round is chosen, the verifier requests Hadamard basis measurements of each committed qubit and its associated preimage register, and receives β i , d i for i ∈ {1, . . . , n} from the prover. (We note, for future reference, that the distribution of the strings d i sent by the honest prover is the uniform distribution over {0, 1} w .) It then obtains the measurement results it desires using the procedure outlined in Section 2.2 of [Mah18]: i. If h i = 0, the verifier ignores the measurement results β i , d i , and uses the trapdoor τ κ i to invert y i . The inversion procedure outputs a preimage (m i , x m i ,y i ); the verifier stores m i as the standard-basis measurement outcome. (If the inverse does not exist, the verifier stores a random bit as m i and rejects. The specification that the verifier stores a random bit is made so that the n-bit string of measurement results, m, is well-defined even when the verifier rejects.) ii. If h i = 1, the verifier computes the two preimages x 0,i and x 1,i to y i under f κ i using the trapdoor τ κ i . It then stores The soundness property of this measurement protocol (Claim 7.1 in [Mah18]) is stated below. Before we state it, we briefly introduce the notation used in [Mah18]. (For a more detailed exposition, we refer the reader to Section 5.3 of [Mah18].) D P,h refers to the distribution over measurement results m ∈ {0, 1} n that the verifier obtains when it executes a Hadamard round with the prover labelled P on the basis choice h. D C P,h is the same distribution, but conditioned on the verifier accepting (in a Hadamard round). D ξ,h is the distribution over measurement outcomes in {0, 1} n that would result from directly measuring the quantum state ξ in the bases determined by h. p h,T and p h,H are defined so that the verifier's probability of accepting (on basis choice h) in a test and a Hadamard round, respectively, are 1−p h,T and 1−p h,H . · T V denotes the total variation norm, and A ≈ c B indicates that two distributions A and B are (quantum) computationally indistinguishable.
Claim 2.10. Assume that the Learning With Errors problem (with the same choices of parameters as those made in [Mah18, Section 9]) is quantum computationally intractable. Then, for any arbitrary quantum polynomial-time prover P who executes the measurement protocol (Protocol 2.7) with the honest verifier V , there exists a quantum state ξ, a prover P and a negligible function µ such that

Zero-knowledge proof system for QMA ([BJSW16])
In [BJSW16], Broadbent, Ji, Song and Watrous describe a protocol involving a quantum polynomial-time verifier and an unbounded prover, interacting quantumly, which constitutes a zero-knowledge proof system for languages in QMA. (Although it is sound against arbitrary provers, the system in fact only requires an honest prover to perform quantum polynomial-time computations.) We summarise the steps of their protocol below. For details and fuller explanations, we refer the reader to [BJSW16, Section 3].
Notation. Let L be any language in QMA. For a definition of the k-local Clifford Hamiltonian problem, see [BJSW16, Section 2]. The k-local Clifford Hamiltonian problem is QMA-complete for k = 5; therefore, for all possible inputs x, there exists a 5-local Clifford Hamiltonian H (which can be computed efficiently from x) whose terms are all operators of the form C * |0 k 0 k | C for some Clifford operator C, and such that 2. if x / ∈ L, the ground energy of H is ≥ 1 q , for some positive integers p and q.
Parties. The proof system involves 1. A verifier, who implements a quantum polynomial-time procedure; 2. A prover, who is unbounded, but who is only required by the protocol to implement a quantum polynomial-time procedure.
The verifier and the prover communicate quantumly. Inputs.
1. Input to the verifier: (a) The Hamiltonian H.
(c) A proof system for NP sound against arbitrary quantum provers.
2. Input to the prover: (a) The Hamiltonian H.
(b) The n-qubit quantum state ρ, where ρ is a ground state of the Hamiltonian H.
(d) A proof system for NP sound against arbitrary quantum provers. Protocol.
1. The prover's encoding step. The prover firstly applies a concatenated Steane code (which maps every one qubit to N qubits) to each qubit in ρ. (For details on the concatenated Steane code, see [BJSW16,Appendix A.6]. It will be important to Broadbent et al.'s purposes-and ours, in Section 3-that this code admits transversal applications of Clifford operations.) It then executes the following steps: (a) Concatenate N trap qubits to the end of each logical qubit (alternatively, to the end of each N -qubit block) in the result of applying the concatenated Steane code to ρ. Each trap qubit is initialised uniformly at random to one of |0 , |+ , |+ y . 5 Denote the string that records the choices of trap qubits for all n logical qubits by t = t 1 , . . . , t n .
(b) Permute each 2N -tuple of qubits in the result of (a) according to a uniformly random permutation π ∈ S 2N . (Note that the same permutation π is applied to every 2N -tuple.) (c) Apply a Pauli one-time pad X a Z b , for uniformly random a, b ∈ {0, 1} 2nN , to the entire 2nN -qubit state.
5 |+y here refers to the state 1 Remark 2.12. The number N functions as a security parameter, both for this protocol and for the protocol that we construct in section 3. Accordingly, we assume that N is polynomial in the size of the verifier's input.
The prover's encoding applied to ρ is denoted by E(ρ), and the procedure E is fully determined by the encoding key (t, π, a, b) which the prover chose to use. At this point, the prover sends the state E(ρ) to the verifier, along with a commitment (using some perfectly binding, computationally concealing classical commitment protocol) to the tuple (π, a, b). (A commitment to the sequence of trap qubits t is unnecessary because, in a sense, the trap qubits exist only to check the verifier.) Let the prover's commitment string be denoted z.
2. Coin-flipping protocol. The prover and the verifier execute a coin-flipping protocol, choosing a string r of fixed length uniformly at random. This random string r determines a local Hamiltonian term H r = C * r |0 k 0 k | C r that is to be tested. (This step can be implemented, of course, using the same classical commitment protocol that the prover employed in the previous step.) 3. Verifier's challenge. The verifier applies the Clifford C r transversally to the qubits on which the k-local Hamiltonian term H r acts nontrivially, and measures them in the standard basis. It then sends the measurement results u i 1 , . . . , u i k which it obtained to the prover. (Each u i is a 2N -bit string, and i 1 , . . . , i k are the indices of the logical qubits on which the term H r acts nontrivially.) 4. Prover's response. The prover receives the verifier's measurement results u, and firstly checks whether they cause a predicate Q(t, π, a, b, r, u) to be satisfied. (We will explain the predicate Q in more detail shortly. Intuitively, Q is satisfied if and only if both verifier and prover behaved honestly.) If Q is not satisfied, the prover aborts, causing the verifier to reject. If Q is satisfied, then the prover proves to the verifier, using an NP zero-knowledge protocol, that there exists randomness s p and an encoding key (t, π, a, b) such that z = commit((π, a, b), s p ) and Q(t, π, a, b, r, u) = 1.
We now describe the predicate Q in precise terms. For convenience, Broadbent et al. define a predicate R r , which represents the prover's check after it reverses the effects on u of the one-time pad X a Z b , and then proceed to define Q in terms of R r . Since we will shortly have cause to alter the definition of R r , we quote the definition of R r used in [BJSW16] for comparison. (Note that we have altered their notation slightly: the strings that they call y i we have called q i , to avoid a conflict.) Definition 2.13. Definition of R r .
Let u i 1 , . . . , u i k be the measurement results that the verifier sent to the prover in step 3. For each The predicate R r (t, π, u) takes the value 1 if and only if the following two conditions are met: N is the set of all valid classical N -bit codewords of the concatenated Steane code. We note, as an aside, that D 0 N and D 1 N are both sets of size 8 t , where t is an even positive integer such that 7 t = N ; as such, D N is polynomially sized.) Now we define the predicate Q(t, π, a, b, r, u) in terms of R r : Definition 2.14. Definition of Q.
Let c 1 , . . . , c n , d 1 , . . . , d n ∈ {0, 1} 2N be the unique strings such that (It is possible to efficiently compute c = c 1 , . . . , c n and d = d 1 , . . . , d n given a, b and C r .) The predicate Q is then defined by

Replacing Clifford verification with XZ verification in Protocol 2.11
The authors of [BJSW16] introduce a zero-knowledge proof system which allows the verifier to determine whether the prover holds a state that has sufficiently low energy with respect to a k-local Clifford Hamiltonian (see Section 2 of [BJSW16]). In this section, we modify their proof system so that it applies to an input encoded as an instance of the XZ local Hamiltonian problem (Definition 2.1) rather than as an instance of the Clifford Hamiltonian problem.
Before we introduce our modifications, we explain why it is necessary in the first place to alter the proof system presented in [BJSW16]. Modulo the encoding E which the prover applies to its state in Protocol 2.11, the quantum verifier from the same protocol is required to perform a projective measurement of the form {Π = C * |0 k 0 k | C, Id −Π} of the state that the prover sends it (where C is a Clifford unitary acting on k qubits) and reject if it obtains the first of the two possible outcomes. Due to the properties of Clifford unitaries, this action is equivalent to measuring k commuting k-qubit Pauli observables C * Z i C for i ∈ {1, . . . , k} (where Z i is a Pauli σ Z observable acting on the ith qubit), and rejecting if all of said measurements result in the outcome +1.
Our goal is to replace the quantum component of the verifier's actions in Protocol 2.11-a component which, fortunately, consists entirely of performing the projective measurement just described-with the measurement protocol introduced in [Mah18] (summarized as Protocol 2.7). Unfortunately, the latter protocol 1. only allows for standard and Hadamard basis measurements, and 2. does not accommodate a verifier who wishes to perform multiple successive measurements on the same qubit: for each qubit that the verifier wants to measure, it must decide on a measurement basis (standard or Hadamard) prior to the execution of the protocol, and once made its choices are fixed for the duration of its interaction with the prover. This allows the verifier to, for example, obtain the outcome of a measurement of the observable C * Z i C for some particular i, by requesting measurement outcomes of all k qubits in the appropriate basis and taking the product of the outcomes obtained. However, it is not obvious how the same verifier could request the outcome of measuring a k-tuple of commuting Pauli observables which all act on the same k qubits.
To circumvent this technical issue, we replace the Clifford Hamiltonian problem used in [BJSW16] with the QMA-complete XZ Hamiltonian problem. The advantage of this modification is that it becomes straightforward to implement the required energy measurements using the measurement protocol from [Mah18]. Unfortunately, in order to make the change, we sacrifice the perfect completeness which is a property of the proof system in [BJSW16], and also require that the verifier's measurements act on a linear, rather than a constant, number of qubits with respect to the size of the problem input.
A different potentially viable modification to the proof system of [BJSW16] is as follows. Instead of replacing Clifford Hamiltonian verification with XZ Hamiltonian verification, we could also repeat the original Clifford-Hamiltonian-based protocol a polynomial number of times. In such a scheme, the honest prover would hold m copies of the witness state (as it does in Protocol 2.4). The verifier, meanwhile, would firstly choose a random term C * r |0 k 0 k | C r from the Clifford Hamiltonian, and then select m random Pauli observables of the form C * r Z i C r -where C r is the particular C r which it picked-to measure. (For each repetition, i would be chosen independently and uniformly at random from the set {1, . . . , k}.) The verifier would accept if and only if the number of times it obtains −1 from said Pauli measurements is at least m 2k . This approach is very similar to the approach we take for XZ Hamiltonians (which we explain below), and in particular also fails to preserve the perfect completeness of the original protocol in [BJSW16]. For simplicity, we choose the XZ approach. We now introduce the alterations which are necessary in order to make it viable.
Firstly, we require that the honest prover possesses polynomially many copies of the witness state σ, instead of one. We do this because we want the honest verifier to accept the honest prover with probability exponentially close to 1, which is not naturally true in the verification procedure for 2-local XZ Hamiltonians presented by Morimae and Fitzsimons in [MF16], but which is true in our amplified variant, Protocol 2.4. Secondly, we need to modify the verifier's conditions for acceptance. In [BJSW16], as we have mentioned, these conditions are represented by a predicate Q (that in turn evaluates a predicate R r ; see Definitions 2.13 and 2.14).
We now describe our alternative proof system for QMA, and claim that it is zero-knowledge. Because the protocol is very similar to the protocol from [BJSW16], this can be seen by following the proof of zeroknowledge in [BJSW16], and noting where our deviations require modifications to the reasoning. On the other hand, we do not argue that the proof system is complete and sound, as we do not need to make explicit use of these properties. (Intuitively, however, the completeness and the soundness of the proof system follow from those of Protocol 2.4, and the soundness of the latter is a property which we will use.) Protocol 2.15 (Alternative proof system for QMA).
Notation. Refer to notation section of Protocol 2.4.
Parties. The proof system involves 1. A verifier, who implements a quantum polynomial-time procedure; 2. A prover, who is unbounded, but who is only required by the protocol to implement a quantum polynomial-time procedure.
The verifier and the prover communicate quantumly.

Inputs.
1. Input to the verifier: (a) The Hamiltonian H, and the numbers a and b.
(c) A proof system for NP sound against arbitrary quantum provers.
2. Input to the prover: (c) A quantum computationally concealing, perfectly binding (classical) commitment protocol.
(d) A proof system for NP sound against arbitrary quantum provers.

Protocol.
1. Prover's encoding step: The same as the prover's encoding step in Protocol 2.11, except that t ∈ {0, +} N rather than {0, +, + y } N . (This change will be justified in the proof of Lemma 2.18.) 2. Coin flipping protocol: Unmodified from Protocol 2.11, except that r = (r 1 , . . . , r m ) represents the choice of m terms from the 2-local XZ Hamiltonian H (with the choices being made as described in step 2 of Protocol 2.4) instead of a random Clifford. Note that r determines the indices of the 2m logical qubits which the verifier will measure in step 3.
3. Verifier's challenge: The same as the verifier's challenge in Protocol 2.11, except that the verifier now applies U r transversally instead of C r .
4. Prover's response: The same as Protocol 2.11 (but note that the predicate Q, which the prover checks and then proves is satisfied, is the Q described in Definition 2.17 below).
Definition 2.16 (Redefinition of R r ). Let i 1 , . . . , i 2m be the indices of the logical qubits which were chosen for measurement in step 2 of Protocol 2.15, ordered by their corresponding js (so that i 1 and i 2 are the qubits that were measured in order to determine whether H s 1 was satisfied, and so on). Let u i 1 , . . . , u i 2m be the 2N -bit strings which the verifier claims are the classical states that remained after said measurements were performed, and for each i ∈ {i 1 , . . . , i 2m }, define N -bit strings q i , z i such that π(q i ||z i ) = u i (alternatively: π −1 (u i ) = q i ||z i ). In Protocol 2.15, the predicate R r (t, π, u) takes the value 1 if and only if the following conditions are met: 1. q i ∈ D N for every i ∈ {i 1 , . . . , i 2m }. (b) For each j ∈ {1, . . . , m}: Suppose that H s j = d j P 1 P 2 , for some P 1 , P 2 ∈ {σ X , σ Z }. The tuple (P 1 , u 2j−1 , P 2 , u 2j ) determines a 'logical' measurement result that could equally have been obtained by measuring H r j σ, where σ is the unencoded witness state. We denote this measurement result by λ. If λ = −sign(d j ), add one to Count.

The number
(c) Let U r be the circuit obtained from the following procedure: i. For each j ∈ {1, . . . , m}, replace any σ X s in the term H s j with H (Hadamard) gates, and replace any σ Z s in H s j with I. (For example, if H r j = π j σ X, 1 σ Z, 2 , where the second subscript denotes the index of the qubit on which the observable in question acts, then U j = H 1 I 2 , where the subscripts 1 and 2 once again the denote the indices of the qubits on which the gates H and I act.) ii. Apply U j to the qubits indexed (j − 1)n + 1 through jn. It must then be the case that z i 1 · · · z i 2m | U ⊗N r |t i 1 · · · t i 2m = 0 (where each t i is an N -bit string that represents the pattern of trap qubits which was concatenated to the ith logical qubit during step 1 of Protocol 2.15).
Lemma 2.18. The modified proof system for QMA in Protocol 2.15 is computationally zero-knowledge for quantum polynomial-time verifiers.
Proof. We follow the argument from [BJSW16, Section 5]. Steps 1 to 3 only make use of the security of the coin-flipping protocol, the security of the commitment scheme, and the zero-knowledge properties of the NP proof system, none of which we have modified.
Step 4 replaces the real witness state ρ with a simulated witness ρ r that is guaranteed to pass the challenge indexed by r; this we can do also (see Remark 2.6).
Step 5 uses the Pauli one-time-pad to twirl the cheating verifier, presuming that the honest verifier would have applied a Clifford term indexed by r before measuring. We note that, since U r is a Clifford, the same reasoning applies to our modified proof system.
Finally, using the fact that the Pauli twirl of step 5 restricts the cheating verifier to XOR attacks, step 6 from [BJSW16, Section 5] proves the following statement: if the difference |p 0 − p 1 | is negligible (where p 0 and p 1 are the probabilities that ρ and ρ r respectively pass the verifier's test in an honest prover-verifier interaction indexed by r), then the channels Ψ 0 and Ψ 1 implemented by the cheating verifier in each case are also quantum computationally indistinguishable. It follows from this statement that the protocol is zero-knowledge, since, in an honest verifier-prover interaction indexed by r, ρ r would pass with probability 1, and ρ would pass with probability 1 − negl(N ). (This latter statement is true both in their original and in our modified protocol.) The argument presented in [BJSW16] considers two exclusive cases: the case when |v| 1 < K, where v is the string that the cheating verifier XORs to the measurement results, |v| 1 is the Hamming weight of that string, and K is the minimum Hamming weight of a nonzero codeword in D N ; and the case when |v| 1 ≥ K. The analysis in the former case translates to Protocol 2.15 without modification, but in the latter case it needs slight adjustment.
In order to address the case when |v| 1 ≥ K, Broadbent et al. use a lemma which-informally-states that the action of a Clifford on k qubits, each of which is initialised uniformly at random to one of |0 , |+ , or |+ y , has at least a 3 −k chance of leaving at least one out of k qubits in a standard basis state. We may hesitate to replicate their reasoning directly, because our k (the number of qubits on which our Hamiltonian acts) is not a constant. While it is possible that a mild modification suffices to overcome this problem, we note that in our case there is a simpler argument for an analogous conclusion: since U r is a tensor product of only H gates and I gates, it is straightforward to see that, if each of the 2m qubits on which it acts is initialised either to |0 or to |+ , then 1) each of the 2m qubits has exactly a 50% chance of being left in a standard basis state, and 2) the states of these 2m qubits are independent. Now we consider the situation where a string v = v 1 v 2 · · · v 2m , of length 4mN and of Hamming weight at least K, is permuted ('permuted', here, means that π ∈ S 2N is applied to each v i individually) and then XORed to the result of measuring 4mN qubits (2m blocks of 2N qubits each) in the standard basis after U r has been transversally applied to those qubits. It is straightforward to see, by an application of the pigeonhole principle, that there must be at least one v i whose Hamming weight is ≥ K 2m . Consider the result of XORing this v i to its corresponding block of measured qubits. Half of the 2N qubits in that block would originally have been encoding qubits, and half would have been trap qubits; half again of the latter, then, would have been trap qubits left in a standard basis state by the transversal action of U r . As such, the probability that none of the 1-bits of v i are permuted into positions which are occupied by the latter kind of qubit is ( 3 4 ) − K 2m , which is negligibly small as long as K is made to be a higher-order polynomial in N than 2m is. The remainder of the argument in [BJSW16, Section 5] follows directly.

The protocol
In this section, we present our construction of a zero-knowledge argument system for QMA. Our argument system allows a classical probabilistic polynomial-time verifier and a quantum polynomial-time prover to verify that any problem instance x belongs to any particular language L ∈ QMA, provided that the prover has access to polynomially many copies of a valid quantum witness for an instance of the 2-local XZ local Hamiltonian problem to which x is mapped by the reduction implicit in Theorem 2.3. The argument system is sound (against quantum polynomial-time provers) under the following assumptions: Assumptions 3.1.

The Learning With Errors problem (LWE) [Reg09] is quantum computationally intractable. (Specifi-
cally, we make the same asssumption about the hardness of LWE that is made in [Mah18, Section 9] in order to prove the soundness of the measurement protocol.) 2. There exists a commitment scheme (gen, initiate, commit, reveal, verify) of the form described in Appendix C that is unconditionally binding and quantum computationally concealing. (This assumption is necessary to the soundness of the proof system presented in [BJSW16].) The following exposition of our protocol relies on definitions from Section 2, and we encourage the reader to read that section prior to approaching this one. We also direct the reader to Figures 1 and 2 for diagrams that chart the protocol's structure.
Notation. Let L be any language in QMA, and let (H = S s=1 d s H s , a, b) be an instance of the 2-local XZ Hamiltonian problem to which L can be reduced (see Definition 2.1 and Theorem 2.3). Define Following [BJSW16], we take the security parameter for this protocol to be N , the number of qubits in which the concatenated Steane code used during the encoding step of the protocol (step 1) encodes each logical qubit. We assume, accordingly, that N is polynomial in the size of the problem instance x.

Parties.
The protocol involves 1. A verifier, which runs in classical probabilistic polynomial time; 2. A prover, which runs in quantum polynomial time.
Inputs. The protocol requires the following primitives: • A perfectly binding, quantum computationally concealing commitment protocol (gen, initiate, commit, reveal, verify) (which will be used twice: once for the prover's commitment in step 2, and then again for the coin-flipping protocol in step 3). We assume that this commitment protocol is of the form described in Appendix C.
• A zero-knowledge proof system for NP.
• An extended trapdoor claw-free function family (ETCFF family), as defined in [Mah18]. (Note that we fall short of using the ETCFF family as a black box: for the trapdoor check of step 8, we rely on the specific properties of the LWE-based construction of an ETCFF family that [Mah18] provides. See Appendix A for details.) Apart from the above cryptographic primitives, we assume that the verifier and the prover also receive the following inputs.
1. Input to the verifier: the Hamiltonian H and the numbers a and b.
2. Input to the prover: the Hamiltonian H, the numbers a and b, and the quantum state ρ = σ ⊗m , where σ is a ground state of the Hamiltonian H. Protocol.
1. The prover encodes the witness. The prover encodes the quantum witness ρ by applying the following steps: The encoding process here is the same as that from step 1 of Protocol 2.15; we direct the reader to Protocol 2.15, and the Protocol 2.11 to which it refers, for a more detailed explanation of the steps. Denote the application of the prover's encoding to the state ρ by E(ρ).

2.
The prover commits to its encoding keys. The prover commits to the strings (π, a, b) from the previous step, using randomness s p . Call the prover's commitment string z, so that z = commit((π, a, b), s p ).
3. The verifier and the prover execute the first half of a two-stage coin-flipping protocol. 6 The verifier commits to r v , its part of the random string that will be used to determine which random terms in the Hamiltonian H it will check in subsequent stages of the protocol. Let c = commit(r v , s v ). The prover sends the verifier r p , which is its own part of the random string. The random terms will be determined by r = r v ⊕ r p . (r is used to determine these terms in the same way that r is used in Protocol 2.4.) 4. The verifier initiates the measurement protocol. (Refer to Protocol 2.7 for an outline of the steps in said measurement protocol.) The verifier chooses the measurement bases h = h 1 · · · h 2nN in which it wishes to measure the state E(ρ). 2kN out of the 2nN bits of h-corresponding to k logical qubitsare chosen so that the verifier can determine whether σ satisfies the Hamiltonian terms specified by r = r v ⊕ r p . In our particular case, k = 2m, where m is the number of Hamiltonian terms that the verifier will check are satisfied. For the remaining qubits i, the verifier sets h i to 0. The verifier sends the function keys κ = κ 1 , . . . , κ 2nN to the prover.

5.
The prover commits to its encoded witness state, as per the measurement protocol. The prover commits to the quantum state E(ρ) by concatenating a preimage register to each qubit in E(ρ), applying the functions specified by κ 1 , . . . , κ 2nN in superposition as Protocol 2.7 describes, measuring the resulting output superpositions, and sending the outcomes y 1 , . . . , y 2nN to the verifier. 7. The verifier opens its commitment, and sends the prover its measurement outcomes and function trapdoors. If a test round was chosen in the previous step, the verifier now accepts the prover directly, provided that the preimage test was satisfied for all i. (If not all the preimage tests passed, the verifier directly rejects the prover.) If a Hadamard round was chosen, and the verifier instead opens its commitment to r v and sends its measurement outcomes m = m 1 , . . . , m 2nN to the prover, along with its trapdoors τ κ 1 , . . . , τ κ 2nN .
8. The prover checks that the verifier's measurement outcomes and trapdoors were consistent; it then proves that the verifier's measurement outcomes were consistent. The prover checks that τ κ 1 , . . . , τ κ 2nN are indeed trapdoors for the functions specified by κ 1 , . . . , κ 2nN , by checking that, for each y i , the trapdoor τ κ i returns all the preimages to y i under the function specified by κ i , and no others 7 . (See Definition 2.9 for a definition of the phrase 'preimages to y'.) It also defines u = u i 1 · · · u i 2m (each u i is 2N bits long) = m 1 · · · m 4mN , where 1 , . . . , 4mN are the indices of the qubits on which U ⊗2N r acts nontrivially, and checks that u causes the predicate Q(t, π, a, b, r, u) to be satisfied. (The Q we refer to here is the Q of Definition 2.17. We define U r in the same way that U r was defined in Definition 2.16.) If either of these tests fails, the prover aborts. If both tests pass, then the prover proves, using an NP zero-knowledge proof system, 8 that the verifier's outcomes are consistent in the following sense: The verifier's outcomes u are consistent if there exists a string s p and an encoding key (t, π, a, b) such that z = commit ((π, a, b), s p ) and Q(t, π, a, b, r, u) = 1.  The cheating verifier V * may take some (classical) auxiliary input Z 0 , store auxiliary information (represented by Z 1 and Z 2 ), and produce a final output Z 3 that deviates from that specified by the protocol.

Soundness of protocol
Let the honest verifier of the argument system in Protocol 3.2 be denoted V , and let an arbitrary quantum polynomial-time prover with which V interacts be denoted P. For this section, we will require notation from Section 5.3 of [Mah18], the proof of Theorem 8.6 of the same paper, and Section 4 of [BJSW16]. We will by and large introduce this notation as we proceed (and some of it has been introduced already in Sections 2.2 and 2.3, the sections containing outlines of the measurement protocol from [Mah18] and the zero-knowledge proof system from [BJSW16]), but the reader should refer to the above works if clarification is necessary.
We begin by making some preliminary definitions and proving a claim, from which the soundness of Protocol 3.2 (Lemma 4.6) will naturally follow. Firstly, we introduce some notation from Section 4 of [BJSW16]: Definition 4.1 (Projection operators Π 0 and Π 1 ). Define N as it is defined in Protocol 3.2. Let D 0 N be the set of all the classical codewords in the concatenated Steane code of Protocol 2.11 (or of Protocol 3.2) which are encodings of 0, and let D 1 N likewise be the set of classical codewords in the concatenated Steane code which encode 1. (See Definition 2.13, and Section A.6 of [BJSW16], for details about the concatenated Steane code. The first condition in Definition 2.13 will provide some motivation for the following definitions of Π 0 and Π 1 .) Define Definition 4.2 (Projection operators ∆ 0 and ∆ 1 ). Define N as it is defined in Protocol 3.2. Let ∆ 0 and ∆ 1 be the following projection operators: ∆ 0 is the projection onto the space spanned by all even-parity computational basis states, and ∆ 1 is its equivalent for odd-parity basis states. Note that, since all the codewords in D 0 have even parity, and all the codewords in D 1 have odd parity, it holds that Π 0 ≤ ∆ 0 and that Π 1 ≤ ∆ 1 .
Definition 4.3 (The quantum channel Ξ). Define a quantum channel mapping N qubits to one qubit as follows: Loosely, Ξ N can be thought of as a simplification of the decoding operator to the concatenated Steane code that the honest prover applies to its quantum witness in Protocol 2.11 (or in Protocol 3.2). Its adjoint is specified by and has the property that a property which we will shortly use.
Let z be prover P's commitment string from step 2 of Protocol 3.2. Because the commitment protocol is perfectly binding, there exists a unique, well-defined tuple (π, a, b) and a string s p such that z = commit((π, a, b), s p ).
Definition 4.4. For notational convenience, we define a quantum procedure M on a 2nN -qubit state ρ as follows: 1. Apply X a Z b to ρ, to obtain a state ρ .
2. Apply π −1 to each 2N -qubit block in the state ρ , to obtain a state ρ .
3. Discard the last N qubits of each 2N -qubit block in ρ , to obtain a state ρ .

4.
To each N -qubit block in ρ , apply the map Ξ N .
We also define the procedureM as the application of the first four steps in M , again for notational convenience.
Intuitively, we think of M as an inverse to the prover's encoding procedure E. M may not actually invert the prover's encoding procedure, if the prover lied about the encoding key that it used when it sent the verifier z = commit((π, a, b), s p ); however, this is immaterial.
We now prove a claim from which the soundness of Protocol 3.2 will follow. Before we do so, however, we make a remark about notation for clarity. When we write 'V accepts the distribution D ξ,h with probability p' (or similar phrases), we mean that, in [Mah18]'s notation from section 8.2, Here, h represents the verifier's choice of measurement bases, as before; v h is the probability that the honest verifier will select the basis choice h, and 1 −p h (D) is defined, for any distribution D over measurement outcomes m ∈ {0, 1} 2nN , as the probability that the honest verifier will accept a string drawn from D on basis choice h. (When we refer to the latter probability, we assume, following [BJSW16, Section 4], that the prover behaves optimally-in terms of maximising the verifier's eventual probability of acceptance-after the verifier sends it measurement outcomes at the end of step 6 in Protocol 3.2. For the purposes of the present soundness analysis, therefore, we can imagine that the verifier checks the predicate Q itself after step 6, instead of relying on the prover to prove to it during step 8 that Q is satisfied.) Claim 4.5. Suppose there exists a quantum state ξ such that the honest verifier V accepts the distribution D ξ,h with probability p. Then the state M (ξ) is accepted by the verifier of Protocol 2.4 with probability at least p.
Proof. Fix a choice of r (see step 3 of Protocol 3.2 for a definition of r). Let Z r be the subset of {0, 1} n such that the verifier of Protocol 2.4 accepts if and only if the n-bit string that results from concatenating the measurement results it obtains in step 4 of said protocol is a member of Z r . It is unimportant to the analysis what Z r actually is; it matters only that it is well-defined.
For this choice of r, we can express the probability that the verifier of Protocol 2.4 accepts a state τ as z∈Zr U * r |z 1 , . . . , z n z 1 , . . . , z n | U r , τ .
(Though only 2m of the n qubits in τ are relevant to U r , we assume here for notational simplicity that U r is a gate on n qubits, and that the verifier measures all n qubits of U r τ and ignores those measurement results which are irrelevant.) For the same choice of r, we can express the probability that the verifier V from Protocol 3.2 will eventually accept the distribution D ξ,h as Following [BJSW16], we note that . . , z n z 1 , . . . , z n | (U r ) ⊗N ,M (ξ) = z∈Zr U * r |z 1 , . . . , z n z 1 , . . . , z n | U r , M (ξ) .
We conclude that, if the distribution D ξ,h is accepted by V with probability where v r is the probability that a given r will be chosen, and the second expression is simply a formulation in alternative notation of the first), the state M (ξ) is accepted by the verifier of Protocol 2.4 with probability at least p.
Now we turn to arguing that Protocol 3.2 has a soundness parameter s which is negligibly close to 3 4 .
Lemma 4.6. Suppose that the instance x = (H, a, b) of the 2-local XZ Hamiltonian problem that is provided as input to the verifier and prover in Protocol 3.2 is a no-instance, i.e. the ground energy of H is larger than b. Then, provided that Assumptions 3.1 hold, the probability that the honest verifier V accepts in Protocol 3.2 after an interaction with any quantum polynomial-time prover P is at most 3 4 + negl(|x|).
Proof. Claim 7.1 of [Mah18] guarantees that, for any arbitrary quantum polynomial-time prover P who executes the measurement protocol with V , there exists a state ξ, a prover P and a negligible function µ such that (See the paragraph immediately above Claim 2.10 for relevant notation.) It follows from (1) that, if V accepts the distribution D P ,h with probability p, it must accept the distribution D ξ,h with probability p − negl(N ), because the two are computationally indistinguishable and the verifier V is efficient. Therefore (using Claim 4.5), if V accepts D P ,h with probability p, the verifier of Protocol 8.3 from [Mah18] accepts the state M (ξ) with probability at least p − negl(N ). By the soundness of Protocol 2.4 (Claim 2.5), we conclude that p = negl(N ) when the problem Hamiltonian is a no-instance.
We now apply a similar argument to that which is used in Section 8.2 of [Mah18] in order to establish an upper bound on the probability φ that V accepts P in a no-instance. Let E H P,h denote the event that the verifier V does not reject the prover labelled P in a Hadamard round indexed by h during the measurement protocol phase of Protocol 3.2. Let E T P,h denote the analogous event in a test round. Furthermore, let E P,h denote the event that the verifier accepts the prover P in the last step of Protocol 3.2. The total probability that V accepts P is the average, over all possible basis choices h, of the probability that V accepts P after a test round indexed by h, plus the probability that V accepts P after a Hadamard round indexed by h. As such, Since Lemma 3.1 and Claim 7.1 of [Mah18] taken together yield the inequalitỹ We conclude that Protocol 3.2 has a soundness parameter s which is negligibly close to 3 4 .

Zero-knowledge property of protocol
In this section, we establish that Protocol 3.2 is zero-knowledge against arbitrary classical probabilistic polynomial time (CPPT) verifiers. Specifically, we show the following: Lemma 5.1. Suppose that the instance x = (H, a, b) of the 2-local XZ Hamiltonian problem that is provided as input to the verifier and prover in Protocol 3.2 is a yes-instance, i.e. the ground energy of H is smaller than a. Then (provided that Assumptions 3.1 hold), for any arbitrary CPPT verifier V * , there exists a simulator S which can be implemented in CPPT such that the distribution of V * 's final output after its interaction with the honest prover P in Protocol 3.2 is (classical) computationally indistinguishable from S's output distribution.
Remark 5.2. Lemma 5.1 formulates the zero-knowledge property in terms of classical verifiers and computational indistinguishability against classical distinguishers, because this is the most natural setting for a protocol in which verifier and interaction are classical. However, the same proof can be adapted to show that, for any quantum polynomial-time verifier executing Protocol 3.2, there exists a quantum polynomial-time simulator whose output is QPT indistinguishable in yes-instances from that of the verifier. (In particular, the latter follows from the fact that the second item in Assumptions 3.1 implies an NP proof system which is zero-knowledge against quantum polynomial-time verifiers, an implication shown to be true in [Wat09].) We show that Protocol 3.2 is zero-knowledge by replacing the components of the honest prover with components of a simulator one at a time, and demonstrating that, when the input is a yes-instance, the dishonest verifier's output after each replacement is made is at the least computationally indistinguishable from its output before. The argument proceeds in two stages. In the first, we show that the honest prover can be replaced by a quantum polynomial-time simulator that does not have access to the witness ρ. In the second, we de-quantise the simulator to show that the entire execution can be simulated by a classical simulator who likewise does not have access to ρ. (The latter is desirable because the verifier is a classical entity.) We begin with the protocol execution between the honest prover P and an arbitrary cheating verifier V * , the latter of whom may take some (classical) auxiliary input Z 0 , store information (represented by Z 1 and Z 2 ), and produce an arbitrary final output Z 3 . A diagram representing the interaction between V * and P can be found in Figure 2.

Eliminating the coin-flipping protocol
Our first step in constructing a simulator is to eliminate the coin-flipping protocol, which is designed to produce a trusted random string r, and replace it with the generation of a truly random string. (This step is entirely analogous to step 1 of Section 5 in [BJSW16], and we omit the analysis.) The new diagram is shown below. In this diagram, coins represents a trusted procedure that samples a uniformly random string r of the appropriate length.

Introducing an intermediary
Our next step is to introduce an intermediary, denoted by I, which pretends-to the cheating verifier of Protocol 3.2-to be its prover P , while simultaneously playing the role of verifier to the prover from the zero-knowledge proof system of Protocol 2.15 9 . (We denote the honest prover and honest verifier for the proof system of Protocol 2.15 by P and V, respectively, to distinguish them from the prover(s) P and verifier(s) V of the classical-verifier protocol currently under consideration.) We remark, for clarity, that I is a quantum polynomial-time procedure. The essential idea of this section is that I will behave so it is impossible for the classical verifier V to tell whether it is interacting with the intermediary or with its honest prover. (We achieve this simply by making I output exactly the same things that P would.) Given that this is so, the map that V implements from its input to its output, including its auxiliary registers, cannot possibly be different in the previous section as compared to this section. Figure 3: The intermediary interacting with the honest prover from the proof system of Protocol 2.15, denoted by P, and also with the cheating classical verifier V * . I 1 receives the encoded quantum witness, which we have denoted by Y , from P, in addition to P's commitment z. It then sends z to V * 1 , along with Z 1 , the auxiliary input that V * 1 is supposed to receive, and r, the random string generated by coins. I 2 passes on any output V * 1 produces to V * 2 , performs itself the procedure for committing to a quantum state from [Mah18], and executes the measurement protocol with V * 2 . I 3 receives the measurement outcomes u and the trapdoors τ from V * 2 , and checks whether the trapdoors are valid. If they are invalid, it aborts directly; if they are valid, it sends u on to P 3 and passes Z 2 to V * 3 , so that P 3 and V * 3 can execute the NP zero-knowledge proof protocol. (Each part of I should also send everything it knows to its successor, but we have omitted these communications for the sake of cleanliness, as we omitted the communication between parts of the prover in previous diagrams.)

Simulating the protocol with a quantum simulator
We now note that Figure 3 looks exactly like Figure 4 from [BJSW16], if we consider the intermediary I and the cheating classical verifier V * taken together to be a cheating verifier V for the proof system of Protocol 2.15.  [BJSW16]. Note that S 1 includes the behaviour of an arbitrary V 1 ; the reason it is called S 1 and not V 1 is because V 1 obtains r from a coin-flipping protocol, while S 1 generates r using coins. In all other respects, S 1 is the same as V 1 .
Using similar reasoning as in [BJSW16] (and recalling that, by Lemma 2.18, it still works when the Hamiltonian being verified is an XZ Hamiltonian), therefore, we conclude that we can replace ρ in Figure 4 with ρ r -where ρ r is a quantum state specifically designed to pass the challenge indexed by r-without affecting the verifier's output distribution (to within computational indistinguishability). See Remark 2.6 for a procedure that explicitly constructs ρ r . Note that, if our objective was to achieve a quantum simulation without knowing the witness state ρ, our task would already be finished at this step. However, our verifier is classical; therefore, in order to prove that our classical verifier's interaction with its prover does not impart to it any knowledge (apart from the fact that the problem instance is a yes-instance) that it could not have generated itself, we need to achieve a classical simulation of the argument system.

5.4
Simulating the protocol with a classical simulator 5.4.1 Replacing P 0 and I 1 If we want to simulate the situation in Figure 4 classically, then we need to de-quantise P 0 , I 1 and I 2 . (I 3 and P 3 are already classical.) Our first step is to replace P 0 and I 1 with a single classical entity, I 1 .
I 1 simply chooses encoding keys (t, π, a, b) and generates z, a commitment to the encoding keys (π, a, b). It then sends z, r and Z 1 to V * 1 , as I 1 would have. Because I 1 has exactly the same output as I 1 , the verifier's output in Figure 5 is the same as its output in Figure 4. (We assume that the still-quantum I 2 now generates ρ r for itself.) Following [BJSW16], we make some alterations to Figure 5 that will allow us to eventually de-quantise I 2 . The alterations are as follows: 1. Replace V * 3 and P 3 with an efficient simulation S 3 . (An efficient simulation of the NP proof protocol execution between V * 3 and P 3 is guaranteed to exist because the NP proof protocol is zero-knowledge.) Recall that the statement P 3 is meant to prove to V * 3 in a zero-knowledge way is as follows: 'There exists a string s p and an encoding key (t, π, a, b) such that z = commit((π, a, b), s p ) and Q(t, π, a, b, r, u) = 1.' The zero-knowledge property of the NP proof system guarantees that, for yes-instances, the output of S 3 is indistinguishable from the output of the protocol execution between V * 3 and P 3 . In our case, I 1 always holds s p and (π, a, b) such that z = commit((π, a, b), s p ), and the honest prover will abort the protocol if Q(t, π, a, b, r, u) = 0. Therefore, whenever the prover does not abort, the output of S 3 is computationally indistinguishable from that of V * 3 and P 3 . We assume, following [BJSW16], that S 3 also behaves as V * 3 would when the prover aborts. If it does, then Figure 6 is computationally indistinguishable from Figure 5. Figure 6: V * 3 and P 3 have been replaced by S 3 . Note that S 3 does not require access to the witness (s p , t, π, a, b), and so s p can be discarded immediately after I 1 is run.
2. Replace the generation of the genuine commitment z with the generation of a commitment z = commit((π 0 , a 0 , b 0 ), s p ), where π 0 , a 0 and b 0 are fixed strings independent of the encoding key (t, π, a, b) that I 1 chooses. Because the commitment protocol is (computationally) concealing, and the commitment is never opened (recall that s p is discarded after I 1 is run), V * 1 should not be able to tell (computationally speaking) that z has been replaced by z .
The genuine encoding key is still used to evaluate the predicate Q. Note that, because z has been replaced with z , the statement for which S 3 must simulate the execution of a zero-knowledge proof between V * 3 and P 3 is now as follows: 'There exists a string s p and an encoding key (t, π, a, b) such that z = commit((π, a, b), s p ) and Q(t, π, a, b, r, u) = 1.' This statement is, in general, no longer true, because the commitment protocol is perfectly binding. However, if the predicate Q is still satisfied for the encoding key (t, π, a, b) that I 3 sent, then S 3 will proceed to generate a transcript for the no-instance that is computationally indistinguishable from a transcript for a yes-instance. If Q is no longer satisfied, then S 3 will abort, as before. In effect, therefore, the cheating verifier V * will not be able to tell (up to computational indistinguishability) that z has been replaced by z , and that the NP statement being 'proven' to it is no longer true.

De-quantising I 2
We now replace I 2 with a classical entity I 2 . In the process, we require modifications to the behaviour of I 3 .
Knowing r, I 2 can calculate for itself what ρ r should be, though it cannot physically produce this state. As we noted in Remark 2.6, ρ r is a simple state: it is merely the tensor product of |0 , |1 , |+ and |− qubits. Applying the concatenated Steane code to ρ r will then result in a tensor product of N -qubit states that look like after appropriate normalisation.
A brief argument will suffice to establish that it is possible to classically simulate standard or Hadamard basis measurements on the qubits in E(ρ r ). Each qubit of E(ρ r ) is either an encoding qubit or a trap qubit, up to the application of a random single-qubit Pauli operator. Simulating standard-basis measurements of encoding qubits is classically feasible, because D 0 N and D 1 N are polynomially sized, and the expressions in (2) only involve superpositions over those sets with equal-magnitude coefficients. Simulating standard-basis measurements of trap qubits, which are always initialised either to |0 or |+ , is trivially feasible.
To simulate a Hadamard basis measurement, we can take advantage of the transversal properties of the encoding scheme, and apply H before we apply the concatenated Steane code. Denote the application of the concatenated Steane code to ρ r by S(ρ r ). We have that Note that the distribution over (b i , β i , d i ) which one would obtain by measuring |ψ i in the Hadamard basis, choosing d i and b i uniformly at random, and letting is equivalent to the one that one would obtain choosing a uniformly random s i , measuring |ψ i in the Hadamard basis, calculating and finally setting β i = s i,1 , d i = s i,2 · · · s i,w+1 . The former set of actions is equivalent to the set of actions that I 2 performs. The latter set of actions is (as we will shortly show) classically feasible provided that we have the verifier's trapdoors. Note that I 2 only needs to send the verifier s i , and can rely on its successor I 3 , who will have access to the verifier's trapdoors, to calculate the bits b i retroactively. It follows that, given that I 3 can produce correct bits b i (we will shortly show that it can), the distribution of strings reported by I is identical to the distribution of outcomes reported by I.
Having established that I 2 and I 2 are the same from V * 2 's perspective (meaning that it must have the same behaviour that it did in Figure 5 after I 2 is replaced with I 2 ), it remains to ensure that the choice of the one-time pad Z-key b is consistent with the s i that I 2 picked. We relegate the task of making this choice to I 3 , our new version of I 3 , because it has access to the verifier's trapdoors τ . If any of the trapdoors that it receives from the verifier are invalid, I 3 aborts, as specified in Protocol 3.2. ('Validity', here, means what we defined it to mean in step 8 of Protocol 3.2: that, for each y i , the trapdoor τ κ i returns all the preimages to y i under the function specified by κ i , and no others. See Definition 2.9 for a definition of the phrase 'preimages to y'.) Presuming upon valid trapdoors, I 3 then deduces the verifier's choices of measurement basis, h, from τ . Given that the trapdoors are valid, I 3 can be confident that its deductions in this regard will lead it to behave in the same way that the honest prover would: because the trapdoors return all the preimages to y i under κ i and no others, I 3 knows exactly which superpositions the honest prover would have obtained during the measurement protocol after following the verifier's instructions.
I 3 subsequently executes the following procedure for all i such that h i = 1: 1. Set d i to be the last w bits of s i , and compute d i · (x 0,i ⊕ x 1,i ) using the trapdoor τ κ i .
2. Simulate a standard basis measurement of HX a i |ψ * i . Denote the result by β i . (Here, a i refers to the ith bit of a, where a is taken from I 1 's initial choice of one-time pad keys. |ψ * i , meanwhile, denotes the ith qubit of the state obtained by applying the first three steps of E-but not the last-to ρ r .) 3. Set b i (the ith bit of b , the new Z-key for the one-time pad) to be equal to β i ⊕ s i,1 ⊕ d i · (x 0,i ⊕ x 1,i ) (where s i,1 refers to the first bit of s i ). This will cause the equation Meas(H |ψ i )⊕d i ·(x 0,i ⊕x 1,i ) = s i,1 to be satisfied: Having done this, I 3 then feeds (t, π, a, b ) into Q. In all other respects I 3 behaves the same way that I 3 did.
The final simulation will be as follows: Since all the entities in this simulation are classical and efficient, and none have access to information about the witness state ρ, it follows that the protocol is zero-knowledge.

A The trapdoor check can be implemented efficiently
For this proof sketch, we rely on the specific properties of the LWE-based ETCFF family that is used in [Mah18]. As such, we begin by briefly introducing at a high level how the instantiations of the keys κ and the trapdoors τ for noisy trapdoor claw-free (f ) and trapdoor injective (g) functions, whose properties we have relied upon in a black-box way for the rest of this work, are respectively achieved. For details, we refer the reader to Section 9 of [Mah18].
The key (κ 1 , κ 2 ) for an f (two-to-one) function is (A, As + e), where A is an LWE matrix and e is an error vector with small and bounded magnitude. The key for a g (injective) function is (A, u), where u is a random vector not of the form As + e for any e of small enough magnitude. (The distribution of u is uniform over all vectors that satisfy this latter requirement.) The trapdoor in both cases is the trapdoor for A proposed by [MP11]. Theorem 5.1 of [MP11] states that there exists a pair of efficient algorithms GenTrap and Invert which, respectively, generates a matrix A along with its trapdoor τ A , such that A is computationally indistinguishable from a uniformly random matrix of the correct dimensions; and, given As+e (with e of sufficiently small magnitude) and the trapdoor τ A for A, returns (s, e) with high probability.
The functions f κ and g κ both take as input a bit b and a vector x and output a probability distribution. Given a sample y from one such probability distribution Y , the trapdoor τ A can be used to recover the tuple(s) (b, x) which map to Y under the function specified by κ. The functions f κ and g κ can be defined (loosely, but the most intuitively) as follows: Definition A.1 (Informal definition of trapdoor claw-free and trapdoor injective functions).
What the above notation means, in a slightly more precise sense, is that one samples from the distribution determined by the input (b, x) and the function key κ = (κ 1 , κ 2 ) by sampling e 0 from the appropriate Gaussian and then computing κ 1 x+e 0 +b·(κ 2 ). It follows from hardness of the (decisional) LWE assumption that the keys for the f functions and the keys for the g functions are computationally indistinguishable. Now we state, and prove, a claim that bears upon the one we eventually want to make.
Claim A.2. Let A be an LWE matrix, let κ = (A, κ 2 ), and let the function η κ be defined by η κ (b, x) = Ax + e 0 + b · κ 2 . (The output of η κ is, as in Definition A.1, a probability distribution.) Suppose that the trapdoor τ A inverts the matrix A, in the sense that, given r = As + e for some e of sufficiently small magnitude, τ A can be used to recover the unique (s, e) such that As + e = r for all but a negligible fraction of possible r. Then one can use τ A to efficiently recover all the preimages to any distribution Y in the image of the function η κ (provided with a sample y from the distribution Y ), except with negligible probability.
Proof. Note, firstly, that κ 2 is either of the form As + e for some (s, e) (with e of small enough magnitude), or it is not; there are no other alternatives. We do not know a priori which of these is the case, but the procedure that we perform in order to recover the preimage(s) to Y , given y, is the same in both cases: 1. Use the trapdoor τ A to attempt to find (x 1 , e 1 ) such that Ax 1 + e 1 = y. If such an (x 1 , e 1 ) exists, record 0 x 1 as the first preimage.
2. Use the trapdoor τ A to attempt to find (x 2 , e 2 ) such that Ax 2 + e 2 = y − κ 2 . If such an (x 2 , e 2 ) exists, record 1 x 2 as the second preimage.
If κ 2 = As + e for some s and e, then this procedure will (except with negligible probability) return two preimages. In step 1, it will recover x such that y = Ax + e 0 for some small e 0 , because (by linearity) y is always of the form Ax + e 0 . In step 2, it will recover x = x − s, because x = x − s will satisfy the equation y − (As + e) = Ax + e for e = e 0 − e. We know that η κ has two preimages when κ 2 = As + e, so this is all of the preimages to Y under η κ and no others.
It can be seen by similar reasoning that, when κ 2 = u for u = As + e, this procedure will return (except with negligible probability) exactly one preimage, which is what we expect when κ 2 = u.
In the context of Protocol 3.2, the honest prover knows that η κ i has been evaluated correctly for all i, because the prover evaluated these functions for itself. Therefore, given Claim A.2, if our goal is to show that the honest prover can efficiently determine whether or not a purported trapdoor τ A i can be used to recover all the preimages to y i under η κ i , with κ i = (A i , κ 2,i ), it is sufficient to show that a procedure exists to efficiently determine whether or not τ A i truly 'inverts A i ', i.e. recovers (s, e) correctly from all but a negligible fraction of possible r = A i s + e. Given the instantiation of τ A presented in [MP11], this is simple to achieve: for example (using notation from Algorithm 1 of the same paper), the prover can request that the verifier sends itĀ, H and R-G is public-and check whether A = [Ā | HG −ĀR].

B Completeness and soundness of Protocol 2.4
For notational convenience, define α = a s 2|ds| and β = b s 2|ds| . Fix an arbitrary state ρ sent by the prover. For j = 1, . . . , m let X j be a Bernoulli random variable that is 1 if the j-th measurement from step 4 of Protocol 2.4 yields −sign(d j ) and 0 otherwise. Let X = m j=1 X j and B j = E[X|X j , . . . , X 1 ]. Then (B 1 , . . . , B m ) is a martingale. Applying Azuma's inequality, for any t ≥ 0 2m .
In the case of an instance x / ∈ L, as mentioned in the main text E[X j ] ≤ 1 2 − β. Choosing t = 1 2 m(β − α), it follows that in this case Since β − α is inverse polynomial, by [MNS16], the right-hand side can be made exponentially small by choosing m to be a sufficiently large constant times |x| (β−α) 2 . The soundness of Protocol 2.4 follows.
Completeness follows immediately from a similar computation using the Chernoff bound, since in this case we can assume that the witness provided by the prover is in tensor product form.

C Commitment scheme
We provide an informal description of a generic form for a particular (and commonly seen) kind of commitment scheme. The protocol for making a commitment under this scheme requires three messages in total between the party making the commitment, whom we refer to as the committer, and the party receiving the commitment, whom we call the recipient. The first message is an initial message i from the recipient to the committer; the second is the commitment which the committer sends to the recipient; and the third message is a reveal message from the committer to the recipient. The scheme consists of a tuple of algorithms (gen, initiate, commit, reveal, verify) defined as follows: • gen(1 ) takes as input a security parameter, and generates a public key pk.
• initiate(pk) takes as input a public key and generates an initial message i (which the recipient should send to the committer).
• commit(pk, i, m, s) takes as input a public key pk, an initial message i, a message m to which to commit, and a random string s, and produces a commitment string z.
• reveal(pk, i, z, m, s) outputs the inputs it is given.
• verify(pk, i, z, m, s) takes as argument an initial message i, along with a purported public key, commitment string, committed message and random string, evaluates commit(pk, i, m, s), and outputs 1 if and only if z = commit(pk, i, m, s).
For brevity, we sometimes omit the public key pk and the initial message i as arguments in the body of the paper. The commitment schemes which we assume to exist in the paper have the following security properties: • Perfectly binding: If commit(pk, i, m, s) = commit(pk, i, m , s ), then (m, s) = (m , s ).
• (Quantum) computationally concealing: For any public key pk ← gen(1 ), fixed initial message i, and any two messages m, m , the distributions over s of commit(pk, i, m, s) and commit(pk, i, m , s) are quantum computationally indistinguishable.
It has been stated informally ( [Son14], [Zha12]) that a commitment scheme with the above form and security properties can be obtained from a quantum-secure pseudorandom generator (the latter of which exists assuming the quantum hardness of LWE).