On Basing One-way Permutations on NP-hard Problems under Quantum Reductions

A fundamental pursuit in complexity theory concerns reducing worst-case problems to average-case problems. There exist complexity classes such as PSPACE that admit worst-case to average-case reductions. Many other classes such as NP, however, the evidence so far is typically negative, in the sense that the existence of such reductions would cause collapses of the polynomial hierarchy. Basing cryptography, e.g., the average-case hardness of inverting one-way permutations, on NP-completeness is a particularly intriguing instance. We initiate a study of the quantum analogues of these questions and show that if NP-complete problems reduce to inverting one-way permutations using certain types of quantum reductions, then coNP $\subseteq$ QIP(2).


Introduction
A fundamental question in complexity theory is whether or not worst-case problems have reductions to average-case problems. A special case, random-self-reductions, concerns reducing worst-case problems to average-case problems of the same type. Random-self-reductions exist for complete sets of some classes such as PSPACE, EXP and #P. Such reductions are not known to exist for NP-complete problems. Fortnow and Feigenbaum [FF93] showed that sets which are complete for any level of the polynomial hierarchy are not (non-adaptively) random-self-reducible unless the polynomial hierarchy collapses, giving negative evidence for this possibility.
More broadly, one can ask when the worst-case instances of one problem can be reduced to random instances of a different problem, including basing cryptographic primitives on NP-complete problems. Namely, can we reduce NP-complete problems to breaking the security of cryptosystems? It has been shown that approximating several worst-case lattice problems reduce to averagecase lattice problems [Ajt96,Mic04,MR07]. Additionally, Regev [Reg04a,Reg05] and Ajtai and Dwork [AD97] propose cryptosystems, where breaking these cryptosystems on average is as hard as solving some worst-case lattice problems. However, the worst-case lattice problems mentioned above are in NP∩coNP, which are believed not NP-complete.
The pursuit of basing cryptographic primitives on NP-hardness has largely ended up negative. For instance, if one can reduce NP-complete problems to inverting one-way permutations [Bra79], size-verifiable one-way functions [AGGM06,BB15], single-server single-round private information verifier in a quantum interactive proof system [Ros09,KW00]. There are two QIP(2) protocols for other problems. The first is for testing the separability of a bipartite state generated by a quantum circuit [HMW14]. The second studies a generalized version of public coins to the quantum setting, where instead of coins, EPR pairs are used [KLGN15]. The definitions of the problems in [HMW14,KLGN15] ask whether the output of a given quantum circuit is close to the totally mixed state [KLGN15] or close to any separable state [HMW14]. These definitions give a way to build QIP(2) protocols by applying Ulhmann's theorem. Due to the way our problem is defined, one cannot build a QIP(2) protocol by directly following Ulhmann's theorem.
The definitions of the problems in [HMW14,KLGN15] ask whether the output of a given quantum circuit is close to the totally mixed state [KLGN15] or close There are several open questions. Do adaptive and/or non-smooth-computable quantum reductions from NP-complete problems to inverting one-way permutations exist? For cryptographic primitives which security are not based on NP-complete problems under classical reductions, can NP-complete problems reduce to them if quantum reductions are allowed? Is it possible to rule out a quantum reduction from NP-complete problems to average-case problems in NP? Since we know very little about QIP(2), can we show that QIP(2) = QMA, QIP(2) = AM, or coNP QIP(2)?

Preliminaries
For a finite set X, |X| denotes the size of X. We use x ← X to mean that x is drawn uniformly at random from X. poly(·) denotes an unspecified polynomial, and negl(n) denotes a negligible function in n. A function ǫ(n) is negligible if for all polynomials p(n), ǫ(n) < 1/p(n) for large enough n. Classical efficient computation is described by probabilistic polynomial time (PPT) algorithms.
We assume basic familiarity with quantum information formalism. In this paper, quantum register represents a collection of qubits that we view as a single unit. We typically use capital letters to denote a register and the Hilbert space associated with it. A quantum channel Φ describes any physically admissible transformation of quantum states, which is mathematically a completely positive, trace-preserving linear map.
We recall the definitions of quantum interactive proofs (QIP) and one-way permutations.
Definition 2.1 (QIP(m)). A promise problem A = (A yes , A no ) is in the complexity class QIP(m) if there exists a polynomial-time quantum verifier which exchanges quantum messages with a prover and has the properties: • (Completeness) For x ∈ A yes , there exists a prover who can convince the verifier to accept x with probability at least 2/3 by exchanging at most m messages.
• (Soundness) For x ∈ A no , no prover can convince the verifier with probability greater than 1/3 by exchanging at most m messages.
The length of the messages exchanged between the verifier and the prover are O(poly(|x|)).
Without loss of generality, the behaviors of the prover and the verifier can always be described as unitaries. It has been shown that QIP(m)=QIP(3)=PSPACE for m > 3 [ KW00,JJUW11]. In this work, we focus on the class QIP(2). It is known that completeness and soundness can be reduced to negligibly small [JUW09].
We denote the task of inverting a one-way permutation as Inv-OWP.

Locally random reductions and worst-case to average-case reductions
We review classical definitions of worst-case to average-case reductions. The basic notion is a distributional problem. We denote P ′ an arbitrary decision problem, search problem or promise problem. We will only consider the case where P ′ corresponds to inverting one-way permutations.
Definition 2.3. Let P ′ be a problem and D a collection of distributions {D n } n∈N . The distributional problem (P ′ , D) is: given an instance x chosen randomly according to D n , compute P ′ (x).
We first adapt a notion of Feigenbaum and Fortnow [FF93].
We note that Definition 2.4 is equivalent to the Definition 2.1 in [FF93]. In Definition 2.4, we assume that all queries are drawn from the same distribution instead of different distributions. However, the assumption can be made without loss of generality since one can apply a random permutation to the queries before sending them to the oracle and undo the permutation before applying R. This way, the distributions of each query are the same.
If we only consider D to be the uniform distribution, then this reduction is a special case considered by Feigenbaum et al. in [FKN90]. One can also define adaptive locally random reductions by allowing the algorithm G in Definition 2.4 to generate queries depending on the previous queries and answers.
If P = P ′ , then the reduction is also called a random-self reduction [FF93]. It has been shown that the set of complete problems in PSPACE, EXP and #P are random-self reducible [FF93]. On the other hand, it has been shown that NP-complete problems are not non-adaptive random-self reducible unless the polynomial hierarchy collapses to the third level [FF93].
The definition of Feigenbaum and Fortnow assumes a perfect solver for the average-case problem. This restriction is weakened in a later work by Bogdanov and Trevisan [BT06].
Definition 2.5 (non-adaptive worst-case to average-case reduction). Let k and ℓ be variables polynomial in the input length n, and r is a random string chosen uniformly at random from {0, 1} ℓ . A decision problem P is non-adaptive worst-case to average-case reducible to (P ′ , D) with average hardness δ if there are polynomial-time algorithms R and G satisfying the properties that: For any n ∈ N • On all inputs x ∈ {0, 1} n , G(x, r) outputs y 1 , . . . , y k .
Similarly, an adaptive worst-case to average-case reduction is defined by including previous queries and answers to the arguments of G.
It has been shown that NP-complete problems are not non-adaptive worst-case to averagecase reducible to themselves, unless the polynomial hierarchy collapses to the third level [BT06]. In addition, the existence of a non-adaptive worst-case to average-case reduction from NP-hard problem to inverting a one-way function implies that the polynomial hierarchy collapses to the second level [AGGM06] and the existence of a worst-case to average-case reduction from an NPhard problem to inverting a size verifiable one-way function implies that the polynomial hierarchy collapses to the second level [AGGM06,BB15].
3 Locally quantum reductions and quantum worst-case to averagecase reductions In this section we define the quantum analogues of non-adaptive locally random reductions given in Definition 2.4 and non-adaptive worst-case to average-case reductions given in Definition 2.5, which are introduced in Section 2.1.
Definition 3.1 (non-adaptive locally quantum reduction (G, R)). A decision problem P is nonadaptive locally quantum reducible to a distributional problem (P ′ , D) if there are two polynomialtime implementable unitaries R and G such that for all n and x ∈ {0, 1} n • The generator G creates k superposition queries, with query amplitudes based on the distribution D: and d q is the probability that q is drawn from D n • R takes responses of the queries and decides whether or not P(x) is true: We introduce δ-close problems to define the generalized notion of worst-case to average-case reduction.
Definition 3.2. A problem P ′′ is δ-close to another problem P ′ with respect to D if for all n, Pr x∼Dn (P ′′ (x) = P ′ (x)) < δ. Definition 3.3 (non-adaptive quantum worst-case to average-case reduction). A decision problem P is non-adaptive quantum worst-case to average-case reducible to (P ′ , D) with average hardness δ if there are polynomial-time computable unitaries R and G such that for any n ∈ N and x • The generator G creates k superposition queries: where • R: for any P ′′ which is δ-close to P with respect to D, where p ≥ 2/3 and |Q H x,i = q∈Z m 2 c x,q,i |q, The variables m and k are polynomial in the input length n.
Compared to locally quantum reductions, quantum worst-case to average-case reductions do not require the queries to be drawn from a certain distribution. Instead, we consider an oracle for P ′ that can err sometimes, which is captured by δ-close problems P ′′ .
1 − p is called the error of the reduction. The choice of p = 2/3 is arbitrary, since it can be reduced effectively.
3.1 Discussion of the definitions: special cases Classical queries. If G outputs classical queries, then we can already derive a negative result, analogous to a classical result by Brassard [Bra79].
Theorem 3.4. If there is a non-adaptive quantum reduction L ≤ R,G Inv-OWP where G produces classical queries, then L ∈ QIP(2) with classical interactions.
Proof. The protocol is as follows: The verifier first applies G to generate queries and sends these queries to the prover. Then, the prover simulates the oracle for Inv-OWP and sends the responses back. Finally, the verifier checks if the responses are correct by computing the permutation. If the prover is not cheating, the verifier applies R and accepts if R accepts. Otherwise, the verifier rejects. Note that the prover can only give the correct answer for Inv-OWP. Otherwise, the verifier rejects.
The proof for Theorem 3.4 above is similar to the proof in [Bra79] except that the verifier who applies quantum reduction needs to send the queries by itself. The reason is that the randomness of a quantum circuit is from the nature of quantum mechanism. So, the verifier cannot make its randomness to be public. In addition, we do not know if the theorem above is correct when the quantum reduction is adaptive.
EPR queries. As another special case, we consider that w x,i (q) is the identity function in Definition 3.1. Namely G generates k identical copies of |Ψ ⊗m = q |q |q , where Ψ = 1 √ 2 (|00 + |11 ) is an EPR-pair. Then half of the EPR-pairs are submitted as queries to the solver of the average-case problem. Note the reduced density of each query is totally mixed, and this looks a natural generalization of classical uniform queries. Nonetheless, we show that this is too strong a constraint that trivializes the study of worst-to-average reductions, as far as OWP is concerned.
Proof. The key (and simple) observation is that a uniform superposition over a set is invariant under an arbitrary permutation. This means that a quantum reduction could create the correct state that otherwise would require invoking an inverting oracle I of the OWP f . Namely applying I on an EPR query gives us This can be created without help of I as follows: Remark 1. Consequently, it is necessary that the query states maintain more sophisticated correlations between the query register and the work register of the reduction. We note the same phenomenon also occur classically. Namely, although the marginal distribution of each query is uniformly random, it is important that the internal state of the reduction should not be independent of the queries. Otherwise, existence of such a reduction will trivialize the language under consideration to fall in BPP.
4 Uniform one-query locally quantum reduction to Inv-OWP In this section we consider quantum reductions that make one-query only. It demonstrates the main idea of our general result with a cleaner analysis. Section 5 will handle multiple non-adaptive queries. Let f be a one-way permutation on {0, 1} n , and let U f be a unitary quantum circuit computing it. That is, A uniform one-query locally quantum reduction for L works as follows: where ∈ L is the probability the reduction accepts. The main theorem we are going to prove in this section is Theorem 4.1. Suppose there exists a one-query uniform locally quantum reduction with exponentially small error ǫ from a worst-case decision problem L to the task of inverting a polynomial-time computable permutation. Then there exists a QIP (2) protocol with completeness 1− ǫ/2 and soundness 1/2 + 2 √ ǫ for L To prove Theorem 4.1, we are going to give a QIP(2) protocol for L by using the reduction.

The protocol for L
We are given the uniform one-query locally quantum reduction (G, R). We enlarge the size of register V and define a unitary C which performs a CNOT on the first register of M into the second register of V : |q, The whole protocol takes place in the space H P ⊗H M ⊗H V ⊗H Π where P is the private register of the prover, M is the register exchanged between the prover and the verifier, V and Π are registers which are private to the verifier.
We describe some states that are crucial in the protocol.
• The verifier prepares the state without the extra copy of q in the register V is the query state generated from G as in Equation 3, and is the trap state, which will be used to catch a cheating prover.
• The honest prover replies The state |Q H without the extra copy of q in register V is the state the actual reduction R gets after querying the oracle as in Equation 4. The state |T H can be mapped to |0 M V efficiently as shown below. This gives the verifier an efficient way to check if |T H is changed significantly.
We do the following to map Here U f is applied from the second register of M into the first, and F is applied to the second register of M . The last two steps use the property that f can be evaluated efficiently and f is a permutation. Given the reduction (G, R), we can get a QIP(2) protocol for L by answering the same as R and a protocol for L by flipping R's answer. The QIP(2) protocol for L is described in Protocol 1.

Lemmas for proving Theorem 4.1
In this section, we prove Lemma 4.2, Lemma 4.4 and Claim 4.3, which we use to prove Theorem 4.1.
Lemma 4.2 is an immediate consequence of the fact two purifications of the same state are related by an isometry. In fact, this exactly explains why the entanglement fidelity is well defined [Sch96].
Lemma 4.2. Let ρ A be a state in some Hilbert space. Let |φ AB and |ψ AB be two purifications of ρ A , i.e., Proof. Observe that (e.g., by Schmidt decomposition) there is a unitary U B operating only on B Protocol 1 QIP(2) protocol for L using a one-query locally quantum reduction.
The protocol takes place in the space H P ⊗ H M ⊗ H V ⊗ H Π where P is the private register of the prover, M is the register exchanged between the prover and the verifier, and V and Π are registers which are private to the verifier.
The message register M is sent to the prover, and the verifier keeps V and Π. This is generated by conditioning on the register Π, which is initialized in |+ . If Π = 0, G is applied and then q is copied to the second part of the verifier's internal register V , which produces |Q M V . If Π = 1, compute the Fourier transform followed by CNOT to create |T M V , a trap state we use to catch a cheating prover.
2. The prover's response. The prover applies some unitary U P M on register M and its private register P and sends the message register back to the verifier.
3. The verifier's verification. The verifier applies C to erase q in V . The verifier then measures Π to obtain b ∈ {0, 1}, and does the following: • (Computation verification) If b = 0, apply R on M V and measure the output qubit. Accept if the outcome is 0.
, if the reduction rejects).
such that I A ⊗ U B |ψ AB = |φ AB . Then . Equation 10 is correct due to the property that (A ⊗ B)(C ⊗ D) = (AC) ⊗ (BD).
Without loss of generality, we can always represent the prover's operator U P M as U ′ P M O f −1 where U ′ P M is an arbitrary unitary the cheating prover may apply. Let and . The following claim shows that for any unitaries the prover applies, the change on |T H is as much as the change on |Q H . , and let σ U ′ Q and σ U ′ T be as above.
Proof. We represent the prover's behavior U ′ P M on the state |Q H and |T H as a noisy channel Ψ U ′ M operating on register M , which is formally defined as follows: Therefore, Given a state |φ and a projector Π S , Lemma 4.4 is shows that the state ρ which maximizes the quantity Tr(Π S ρ) + φ|ρ|φ is the bijection of |φ and its projection on Π S . Lemma 4.4. Let S ⊆ H be a subspace and Π S be the projection operator on S. Let |φ be a state such that φ|Π S |φ = sin 2 θ, for some θ ∈ [0, π/2]. Then for any density operator ρ ∈ D(H), Tr(Π S ρ) + φ|ρ|φ ≤ 1 + sin θ.

Proof of Theorem 4.1
The intuition behind the soundness proof is that the two branches (conditioning on register Π) of verifier's verification are competing and the prover cannot cheat one without also changing the other. When the input x / ∈ L, a cheating prover must apply an operation far from O f −1 on |Q to make R accept. We will show that when it applies such an operation, it must move the trap state |T far from the correct state |T H which will be detected by the verifier. Now, we can finish the proof by showing the completeness and soundness of the protocol.
Proof of Theorem 4.1. We introduce some notation first. Let the state of the entire system after the prover's action be 1 If the prover is honest, then |ψ 0 = |0 P |Q H , |ψ 1 = |0 P |T H . If the prover is dishonest, we can always assume that O f −1 is applied honestly, followed by an arbitrary unitaryŨ on its work register P and message register M . In this case For ease of notation, define ρ 0 := Tr P (|ψ 0 ψ 0 | P M V ) and ρ 1 := Tr P (|ψ 1 ψ 1 | P M V ). Let Π R be the projection to the acceptance subspace S acc ⊆ H M ⊗ H V induced by R. Observe that the verifier accepts with probability p succ := 1 2 (p 0 + p 1 ) , where p 0 = Tr(Π R ρ 0 ) , p 1 = T H |ρ 1 |T H .
Completeness. If x ∈L, then ρ 0 = |Q H Q H | and ρ 1 = |T H T H |. Therefore, p 0 = Tr(Π R ρ 0 ) ≥ 1 − ε by our hypothesis on the reduction. Meanwhile p 1 = T H |ρ 1 |T H = 1. Therefore p succ = 1 2 (p 0 + p 1 ) ≥ 1 − ε/2. Soundness. Suppose that x / ∈L. By Claim 4.3, we have that p 1 = T H |ρ 1 |T H = Q H |ρ 0 |Q H . Therefore , |Q H is almost orthogonal to the acceptance subspace S acc . Then from the prover's perspective, to maximize the verifier's accepting probability, it needs to find a state whose projection on |Q H and S acc combined is maximized. By Lemma 4.4, the maximum is achieved by a state bisecting |Q H and its projection on S acc , and we conclude that p succ = 1 2 (Tr( Corollary 4.5. If there exists a uniform one-query locally quantum reduction from a worst-case NP-hard decision problem to inverting a one-way permutation, then coNP ⊆ QIP(2).
Proof. Suppose L is NP-hard, and it reduces to Inv-OWP via a uniform one-query quantum locally random reduction. By Theorem 4.1, L ∈ QIP (2), hence coN P ⊆ QIP (2).
Corollary 4.6. If there exists a uniform one-query locally quantum reduction from a worst-case promise problem which is QMA-hard to inverting a one-way permutation, then coQMA ⊆ QIP (2) Proof. Suppose L is QMA-hard and there exists a uniform one-query quantum locally random reduction from L to Inv-OWP. By Theorem 4.1, L ∈ QIP (2). This implies coQM A ⊆ QIP (2).

Uniform non-adaptive locally quantum reduction to Inv-OWP
In Section 4, we concern the special case of locally quantum reduction with only one query and negligible error. In this section, we are going to generalize Theorem 4.1 such that the existence of a uniform non-adaptive (multiple-queries) locally quantum reduction with constant error implies coNP⊆QIP(2).
Let f be a one-way permutation, and let U f be a circuit computing it. A uniform non-adaptive locally quantum reduction (G, R) from a decision problem to the task of inverting f is defined as: where |a 1 | 2 ≥ 2/3 if x ∈ L and |a 1 | 2 ≤ 1/3 if x / ∈ L is the probability the reduction accepts.
Theorem 5.1. Suppose there exists a uniform non-adaptive locally quantum reduction (G, R) from a worst-case decision problem L to Inv-OWP. Then, there exists a QIP (2) protocol with completeness 1 − ǫ/2 and soundness 1/2 + 2 √ ǫ for L, where ǫ is negligible.

Main theorem
Before giving the main theorem, we first show that the error of locally quantum reductions and quantum worst-case to average-case reductions can be reduced by parallel repetition.
Lemma 5.2 (Error reduction). The error of locally quantum reductions and quantum worst-case to average-case reductions can be reduced to an exponential small parameter ǫ in polynomial time and polynomial number of queries.
Proof. The error of both reductions can be reduced by parallel repetition. The new reduction (R ′ , G ′ ) is described as follows: 1. G ′ operates G t times to generate t copies of |Q x,1 ⊗ · · · ⊗ |Q x,k and send all copies to the oracle in parallel, where t is polynomial in the input length n.
2. After getting all t responses |Q H x,1 , . . . , Q H x,k from the oracle, R ′ operates R t times and make the majority vote. If more than t/2 copies are accepted, R ′ accepts; otherwise, R ′ rejects.
For completeness, the probability that (G ′ , R ′ ) rejects is u< t 2 t u 2 3 We are going to show that such reduction does not exist unless coNP ⊆ QIP(2).
Proof. The error can be reduced to an exponentially small parameter ǫ by applying Lemma 5.2. The idea of the protocol for multiple queries is the same as the protocol in Protocol 1 for one query. The verifier generates a superposition of the query state and the trap state and sends part of the state to the prover. In the following, we will give a QIP(2) protocol which is similar to the protocol in Protocol 1 for L. By Lemma 5.2, the error of a quantum locally random (G, R) can be reduced to an exponentially small parameter ǫ by parallel repetition, where we suppose G is operated t times and each time it generates k queries. We denote the new reduction as (G ′ , R ′ ). Now, we introduce the new query state and the trap state the verifier generates. By applying G ′ and C, the verifier generates Note that i indicates the i-th copy generated from the parallel repetition in Lemma 5.2. Also, the verifier generates |T ⊗tk , where |T is defined in Equation 6. Then, we rearrange the qubits such that the first two registers of all |Q i,j and |T are moved to the beginning in sequence as follows: and whereq = [q 1,1 , . . . , q 1,k , . . . , q t,1 , . . . , q t,k ] and w x (q) = [w x,1 (q 1,1 ), . . . , w x,k (q t,k )]. For example, given a state of two queries q,q ′ |q, 0 |w x,1 (q), q |q ′ , 0 |w x,2 (q), q ′ , following the rearrangement, we represent it as q,q ′ |qq ′ , 0 |w x,1 (q)w x,2 (q ′ ), qq ′ . Similarly, we define 1 (q 1,1 ), . . . , f −1 (q t,k )).
Protocol 2 QIP(2) protocol for L using a non-adaptive locally quantum reduction.
The protocol takes place in the space H P ⊗ H M ⊗ H V ⊗ H Π where P is the private register of the prover, M is the register exchanged between the prover and the verifier, and V and Π are registers which are private to the verifier.
1. The verifier's query. The verifier prepares the state below. The message register M is sent to the prover.
2. The prover's response. The prover applies some unitary U P M on register M and its private register P and sends the message register back to the verifier.
3. The verifier's verification. The verifier applies C to eraseq in V . The verifier then measures Π to obtain b ∈ {0, 1}, and does the following: • (Computation verification) If b = 0, apply R ′ on M V and measure the output qubit. Accept if the outcome is 0.
• (Trap verification) If b = 1, apply V T on each |T in M V and measure M V . Accept if the outcome is the all 0 string.
The QIP(2) protocol for L is shown in Protocol 2. Note that the prover's behavior U P M can be represented as U ′ P M O f −1 where U ′ P M is an arbitrary unitary a cheating prover may apply. In the following, we show that the protocol in Protocol 2 is a QIP(2) protocol for L .
For the completeness condition, when x ∈ L, the verifier accepts with probability ≥ 1 − ǫ/2 via the same calculation in Section 4.
For the soundness condition, assume x / ∈ L. Let Since |T H and |Q H are two purifications of the mixed state Tr V (|Q H Q H |) on register M , by Lemma 4.2. Then, we do a similar calculation as in the proof of soundness for Theorem 4.1, which gives an upper bound 1/2 + √ ǫ on the probability that the verifier accepts.
The following two corollaries follow from Theorem 5.1, which proofs are the same as the proof for Corollary 4.5 and Corollary 4.6.
Corollary 5.3. If there exists a uniform non-adaptive quantum locally random reduction from a worst-case decision problem which is NP-hard to the task of inverting a one-way permutation, then coNP ⊆ QIP(2).
Corollary 5.4. If there exists a uniform non-adaptive quantum locally random reduction from a worst-case promise problem which is QMA-hard to the task of inverting a one-way permutation, then coQMA ⊆ QIP(2).

Smooth locally quantum reductions to Inv-OWP
In this section, we study non-adaptive quantum reductions which generate queries according to smooth-computable distributions. We show that the existence of such reductions also imply coN P ⊆ QIP (2).
The difficulty to apply Protocol 1 and Protocol 2 to non-uniform distributions is that we do not know how to construct a trap state that can be mapped to |0 efficiently and has the state in the message register be indistinguishable from the actual query state. Here we show that if the distribution is smooth-computable, then the verifier can use the same trap state by applying quantum rejection sampling [ORR13] to prevent the prover from cheating.
Definition 6.1 (Smooth-computable distributions). A distribution D = {D n : n ∈ N} is said to be smooth-computable if it satisfies the following properties. Let d q = Pr[q ∼ D n ], d min,n = min q∈{0,1} n d q and d max,n = max q∈{0,1} n d q .
1. For n ∈ N, for all q where |q| = n, the function f n : f n (q) = d q is polynomial-time computable.
2. For n ∈ N, 2 n d min,n ≥ 1 poly(n) and 2 n d max,n ≤ poly(n). Loosely speaking, smooth-computable distributions are point-wise close to the uniform distribution. It is worth noting that Protocol 2 can handle those that have negligible statistical distance to the uniform distribution. However, there exists some smooth-computable distribution that has inverse-polynomial distance from the uniform distribution. In such cases, it is unclear if soundness still holds in Protocol 2.
Again, we start with the special case of one-query reductions with negligible error. Generalizing to multiple non-adaptive queries is similar to the case of uniform distributions before.
Let f be a one-way permutation on {0, 1} n , and let U f be a quantum circuit computing it. A smooth one-query locally quantum reduction according to a smooth-computable distribution D = {D n : n ∈ N} proceeds as follows: where |a 1 | 2 ≥ 1 − ǫ if x ∈ L and |a 1 | 2 ≤ ǫ if x / ∈ L is the probability the reduction accepts and d q is the probability that q is drawn from D n for n = |q|. We can show the following theorem.
Theorem 6.2. Suppose there exists a one-query smooth locally quantum reduction with exponentially small error ǫ from a worst-case decision problem L to the task of inverting a polynomial-time computable permutation. Then there exists a QIP (2) protocol with completeness 1− ǫ/2 and soundness 1/2 + 2 √ ǫ for L

Quantum Rejection Sampling
The proof of Theorem 6.2 relies on the quantum rejection sampling technique in [ORR13]. We give the definition of the quantum rejection sampling problem and we adapt their tool in the Lemma 6.4. Note that γ and γ ′ are polynomial in n when D is smooth according to Definition 6.1.
Proof. We first show the sample complexity. It has been shown in [ORR13] that Step 2 in Algorithm 3 can be viewed as a control rotation on the first and the third register.
By Solovay-Kitaev theorem, any known one-qubit unitary V can be approximated by V ′ which is implemented by polynomial number of gates from a finite universal gate set with an exponentially small error δ = max |ψ (V − V ′ )|ψ . Since D and U are polynomial-time computable as in Definition 6.1, we can approximate S in polynomial time. This completes the proof. The analysis for the case where D = U is the same.

The new protocol for L using quantum rejection sampling
Here we describe some states which are used in the protocol.
Algorithm 3 QRSampling(D → D ′ ) 4: Measure the first qubit, which gives 2 n i=1 d ′ i |ξ i |i with probability 1 β . 5: By repeating steps 2 to 4 Θ(β 2 ) times, one can prepare the where |Q D M V without the copy of q in V is the query state generated from G as in Equation 17.
where |Q H D without the extra copy q in register V is the state the actual reduction R gets after querying the oracle as in Equation 18.
By applying QRSampling(D → U ), one can prepare the state |Q from |Q D M V such that D(|Q , |Q ) ≤ δ, where δ is an exponentially small error. We also define |Q H : We give Protocol 4 for L with non-adaptive smooth locally quantum reductions. Its analysis and proof of Theorem 6.2 are deferred in Section 6.3.

Proof of Theorem 6.2
Proof of Theorem 6.2. Let the state of the entire system after the prover's action be To simplify the notation, we let where F (|Q H , |Q H ) ≥ 1 − δ according to Lemma 6.4. If the prover is dishonest, we can always assume that the prover first applies O f −1 honestly and then applies an arbitrary unitaryŨ on its work register P and message register M . In this case |ψ =Ũ P M ⊗ I V (|0 P |Q H ⊗ · · · ⊗ |Q H ), |φ =Ũ P M ⊗ I V (|T H ⊗ · · · ⊗ |T H ) .

This gives
We can also get an upper bound on F (|Q H ⊗γ ′ ,ρ 0 ) as follows: By triangular inequality, We can conclude that for c a small constant. Therefore By Lemma 4.4, we can give an upper bound on p succ as follows.
By the same proof as in Section 5, we can generalize Theorem 6.2 to Theorem 6.5.
Theorem 6.5. Suppose there exists a one-query smooth locally quantum reduction with constant error from a worst-case decision problem L to Inv-OWP. Then there exists a QIP (2) protocol with completeness 1 − ǫ/2 and soundness 1/2 + 2 √ ǫ for L, where ǫ is negligible.
7 Non-adaptive quantum worst-case to average-case reduction to Inv-OWP Here, we consider the non-adaptive quantum worst-case to average-case reduction defined in Definition 3.3. We show that if the queries are generated arbitrarily according to known smoothcomputable distributions, i.e., the distributions of each query can be different but are smoothcomputable and known, then the existence of such reductions also implies coNP⊆ QIP(2). We call this reduction known smooth non-adaptive quantum worst-case to average-case reduction.
Theorem 7.1. Suppose there exists a known smooth non-adaptive quantum worst-case to averagecase reduction with average hardness δ (G, R) from a worst-case decision problem L to Inv-OWP.
Then, there exists a QIP(2) protocol with completeness 1 − ǫ/2 and soundness 1/2 + 2 √ ǫ for L Proof. Suppose (G, R) is the reduction and G generates k uniform queries. Given any function g which is δ-close to f −1 as Definition 3.2. Then, the smooth non-adaptive worst-case to average-case reduction is as follows: where p ≥ 2/3 and d i,q are the probability that q is drawn from a smooth-computable distribution D |q| for i = j. The error of the reduction can be reduced to an exponentially small parameter ǫ by Lemma 5.2.
Given such a reduction from L to Inv-OWP, Protocol 4 decides L. It is worth noting that since the distribution of each query is known and smooth-computable, one can apply quantum resampling for uniform distribution as in Protocol 4. For completeness, the honest prover always simulates O f −1 , which is the same honest prover considered in Theorem 6.2. Hence, the verifier accepts with probability at least 1 − ǫ 2 . For soundness, if the prover's operation is δ-close to O f −1 , then the verifier accepts with probability ≤ (1 + ǫ)/2. Else if it chooses an operation U ′ P M which is not close to any δ-close oracle for O f −1 , then the modified trap state must be far from the original trap state. By the calculation in Section 6, we get the same upper bound on the soundness.
The following two corollaries follow from Theorem 7.1.
Corollary 7.2. If there exists a known smooth non-adaptive quantum worst-case to average-case reduction from a worst-case decision problem which is NP-hard to Inv-OWP, then coNP ⊆ QIP(2) Corollary 7.3. If there exists a known smooth non-adaptive quantum worst-case to average-case reduction from a worst-case promise problem which is QMA-hard to Inv-OWP, then coQMA ⊆ QIP(2)

Separation examples
We give two examples demonstrating the distinct landscapes of classical and quantum worst-case to average-case reductions. Namely, relative to some oracle and under reasonable computational assumptions, there exist problems (a worst-case problem and an average-case problem) where there are no classical reductions, but they admit an efficient quantum reduction. In fact, the quantum reduction issues non-adaptive classical queries only. This makes the separation examples strong.
The idea behind the examples is simple. We design the average-case problem in such a way that to make a meaningful query to a solver for this average-case problem, one has to solve a problem that is (assumed to be) hard for classical algorithms but easy on a quantum computer. Our first example is based on a oracle problem provably hard classically (Simon's Problem), and the quantum reduction needs quantum access to the oracle. The second example needs to assume the existence of problem in BQP that is outside BPP (e.g., factorization). In return, we remove the need of quantum access to the oracle.
Both constructions rely on the following assumption.
Assumption 1. There exists language L / ∈ BQP (hence L / ∈ BPP too) that admits a random self-reduction L ≤ (R,G) (L, D) for some distribution D.
A candidate is the PSPACE-complete problem TQBF, which is known to have a non-adaptive random self-reduction [FF93]. Assumption 1 will follow, if BQP PSPACE holds. Hereafter we treat G as non-adaptive in Assumption 1 for simplicity.
O : |i, x, y, z → |i, x, y ⊕ f i (x), z ; where We assume that all s i , i ∈ [N ] are chose uniformly at random. As an immediate corollary of Simon's result. We have that Construction 1. We construct our first separation example.
•L O 1 := {x = (i, s, φ) : s = s i and φ is true}. We associateL O 1 a distributionD 1 , which is uniform on N × {0, 1} n and samples a formula according to D (the distribution in Assumption 1). Proof. Let A be an algorithm that solves the average-case problem (L O 1 ,D 1 ). For simplicity, we assume that A is a perfect decider, i.e., for a random input x = (i, s, φ) ←D 1 , A(i, s, φ) = 1 iff. s = s i and φ = 1. Any classical reduction is unable to find s i in polynomial time, hence the solver A is useless. Formally speaking, if there were such a reduction L O 1 ≤ (L O 1 ,D 1 ), one can turn it into an efficient solver for Simon's problem or an efficient decider for L. This violates Lemma 8.1 or Assumption 1.
For the second part, we construct a quantum reduction (R Q 1 , G Q 1 ) as follows. Recall that there is a random self-reduction L ≤ (R,G) (L, D). Given a worst-case input φ, G Q 1 (φ) runs G(φ) to get random {φ j } k j=1 . Then for j = 1, . . . k, G Q 1 generates random i j ← [N ], and runs Simon's algorithm to find s i j efficiently. Then the queries to A are {i j , s i j , φ j } k j=1 , which are correctly distributed according toD 1 . Therefore A will respond correctly with {φ j ? = 1}. Then R Q 1 runs the decision procedure R, which correctly decides φ.
Remark 2. We have designed O to encode exponentially many instances of Simon's problem for the technicality of non-uniform reductions. Because otherwise, a classical reduction could hardwire the solution s and make use of an average-case solver.
Construction 2. We give another separation example. It is still in the oracle setting, and we need to make an additional assumption. What we gain is that the quantum reduction does not need quantum access to the oracle, as opposed to Example 1 where we need to run Simon's algorithm with quantum access to the oracle.