Toward Separating QMA from QCMA with a Classical Oracle

Zhandry, Mark

doi:10.4230/LIPIcs.ITCS.2025.95

Toward Separating QMA from QCMA with a Classical Oracle

Mark Zhandry

NTT Research, Sunnyvale, CA, USA

Abstract

QMA is the class of languages that can be decided by an efficient quantum verifier given a quantum witness, whereas QCMA is the class of such languages where the efficient quantum verifier only is given a classical witness. A challenging fundamental goal in quantum query complexity is to find a classical oracle separation for these classes. In this work, we offer a new approach towards proving such a separation that is qualitatively different than prior work, and show that our approach is sound assuming a natural statistical conjecture which may have other applications to quantum query complexity lower bounds.

Keywords and phrases:

Quantum, Oracle Separations, QMA, QCMA

Copyright and License:

2012 ACM Subject Classification:

Theory of computation

\rightarrow

Quantum complexity theory

Editors:

Raghu Meka

Series and Publisher:

Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik

1 Introduction

Do quantum witnesses offer more power than classical witnesses? Slightly more precisely, there are two natural ways to generalize ${\sf NP}$ from the classical setting to the quantum setting: ${\sf QMA}$ (for Quantum Merlin-Arthur) is the set of languages decidable by efficient quantum algorithms with quantum witnesses, whereas ${\sf QCMA}$ (for Quantum Classical Merlin-Arthur) is the set of languages decidable by efficient quantum algorithms with classical witnesses. A long-standing fundamental question, first raised by [2], is whether or not these two generalizations of ${\sf NP}$ are the same.

As an unconditional separation between ${\sf QMA}$ and ${\sf QCMA}$ is out of reach given the state of complexity theory, the community has focused on proving oracle separations. The first such separation [1] gives a quantum oracle; that is, an oracle that implements a unitary operation and which can be queried on quantum states. A major open question has been whether there is a classical oracle separation; that is, an oracle that implements a classical function, but is accessible in superposition. Classical oracle separations are considered more standard in the community.

An early candidate classical oracle separation was given by [9], but no proof was given. More recently, there have been several results making progress towards this goal by proving separations under different restrictions on how the oracle is accessed. [5] show a separation assuming the classical oracle is an “in-place permutation oracle”, a non-standard modeling where the oracle irreversibly permutes the input state. [10] show a separation, assuming the witness is required to be independent of certain choices made in constructing the oracle. A very recent line of work has used quantum advantage relative to unstructured oracles [13] to separate ${\sf QMA}$ from ${\sf QCMA}$ : [8, 7] give a separation assuming the verifier can only make classical oracle queries, and more recently [3] give a separation which allows the verifier quantum queries, but assumes the adaptivity of the queries is sub-logarithmic. A standard classical oracle separation that makes no constraints on how the oracle is accessed or how the witness is created still remains open.

The central challenge in separating ${\sf QMA}$ from ${\sf QCMA}$ relative to a classical oracle seems to be the following. Consider a language in ${\sf QMA}\setminus{\sf QCMA}$ , and consider measuring the ${\sf QMA}$ witness in the computational basis. The resulting classical string must not be accepted by the ${\sf QMA}$ verifier, since otherwise we would then have a classical witness for the language, putting it in ${\sf QCMA}$ . Therefore, in some sense, the ${\sf QMA}$ verifier needs to verify that the witness is in superposition. In order to allow for such verification using only a classical oracle, existing approaches require highly structured oracles. But then to actually prove the language is outside of ${\sf QCMA}$ , we need a quantum query complexity lower-bound, and unfortunately the techniques we have are often not amenable to highly structured oracles. Additionally, any witness would naturally be treated as a form of oracle-dependent advice about the oracle, and most quantum query complexity techniques are not very good at distinguishing between quantum advice and classical advice. In other words, if a typical technique succeeded at proving a language is outside of ${\sf QCMA}$ , then if it cannot distinguish quantum vs classical advice, it would likely also show that the language is outside ${\sf QMA}$ as well, thus failing to give a separation.

Our Work

We give a new approach for separating ${\sf QMA}$ from ${\sf QCMA}$ relative to a classical oracle. Like prior work, we are unable to prove our oracle separation unconditionally. However, our separation appears much less structured than the prior work (though this is an intuitive statement rather than a formal one), and appears much more amenable to existing quantum query complexity techniques. In particular, we prove under a natural conjecture about $k$ -wise independent distributions that our separation indeed works. We believe our work adds to the evidence that ${\sf QMA}$ and ${\sf QCMA}$ are indeed distinct relative to classical oracles, and may offer a new path toward a proof.

1.1 Our Separating Oracles

Our basic idea is the following. An instance in our language will correspond to a subset $S\subseteq[N]$ where $N$ is exponentially-sized. $S$ will be chosen to only contain a negligible fraction of $[N]$ , but still be super-polynomial sized. We will provide a classical oracle (accessible in superposition) that decides membership in $S$ . We will often simply call this oracle $S$ .

Next, we choose a random state $|\psi\rangle=\sum_{y\in S}\alpha_{y}|y\rangle$ with support on the set $S$ . The state $|\psi\rangle$ will be our witness state for the ${\sf QCMA}$ instance. An incomplete verification for $|\psi\rangle$ proceeds by simply checking that $|\psi\rangle$ has support contained in $S$ . Essentially, $|\psi\rangle$ is acting as a ${\sf QMA}$ witness that $S$ is non-empty. But there is also a simple ${\sf QCMA}$ witness for this fact: any classical value $y\in S$ .

We will instead attempt to turn $|\psi\rangle$ into a witness that $S$ is super-polynomial sized. To do so, we will add a second oracle $U$ which essentially attests to $|\psi\rangle$ being a superposition over super-polynomially-many points. Intuitively, we want to show that $U$ can distinguish between $|\psi\rangle$ and any state whose support is only polynomial-sized.

To construct $U$ , let $|\hat{\psi}\rangle$ denote the quantum Fourier transform (QFT) of $|\psi\rangle$ . We observe that if $|\psi\rangle$ has support on a single point $y$ , then $|\hat{\psi}\rangle$ will have uniform amplitude on all points in $[N]$ (though with complex phases on these points). On the other hand, for random $|\psi\rangle$ with support on the large set $S$ , the amplitudes on different points will vary. Concretely, while the expected squared-amplitude on any point $z\in[N]$ is $1/N$ , there is a reasonable chance that it could be, say, smaller than $1/2N$ or larger than $2/N$ .

We will choose $U$ to be a subset of $[N]$ consisting of points where $|\hat{\psi}\rangle$ has squared-amplitude somewhat larger than $1/N$ . We can then have, say, the total squared-amplitude of $|\hat{\psi}\rangle$ on points in $U$ be roughly $3/4$ while $|U|/N$ is only roughly $1/2$ . In this case, the QFT of a classical string $y$ will have squared-amplitude on $U$ of only $1/2$ . Thus, $U$ enables distinguishing $|\psi\rangle$ from a classical input. We will therefore give out an oracle for deciding membership in $U$ . The verifier will first confirm that $|\psi\rangle$ has support only on $S$ using the oracle for $S$ . Then it will compute $|\hat{\psi}\rangle$ via the QFT, and check that the support is in $U$ . Overall the verifier accepts with probability $3/4$ . Instances not in the language will consist of $S, U$ pairs where $S$ is very small but non-empty. We show that, for a certain way of choosing $U$ , that there is no ${\sf QMA}$ witness in the case of such small $S$ . Thus, our language is in ${\sf QMA}$ relative to the oracles for $S, U$ .

1.2 ${\sf QCMA}$ hardness

We now need a way to argue that our language does not have ${\sf QCMA}$ witnesses. While we showed that a classical string $y\in S$ cannot serve as a witness, this alone does not preclude some more clever way of attesting to $S$ being large. In particular, the witness $w$ could contain several points in $S$ . Worse, perhaps queries to $U$ may reveal a significant amount of information about $S$ , which may help deciding if $S$ is large or small. We make progress toward showing ${\sf QCMA}$ hardness of our oracle problem, as we now describe.

Consider a hypothetical ${\sf QCMA}$ verifier $V$ which is given a classical witness $w$ and makes quantum queries to $S, U$ , and accepts in the case $S$ is large. We want to show that we can replace $S$ with a small set $S^{\prime}$ , and $V$ will still accept with too-high a probability, meaning it incorrectly claims that $(S^{\prime},U)$ is in the language, despite $S^{\prime}$ being small.

Toward that end, we will choose $S^{\prime}$ to be all points in $S$ that are also “heavy” among the queries $V$ makes to $S$ . That is, points $y\in S$ such that the query amplitude in $V$ ’s quantum queries to $S$ is above some inverse-polynomial threshold. As the total query amplitude of all points is just the number of queries of $V$ and hence polynomial, the number of heavy $y$ is polynomial. Hence, $S^{\prime}$ is small. We can also construct $S^{\prime}$ efficiently: for each heavy $y$ , running $V$ and measuring a random query will have an inverse polynomial chance of producing $y$ . By repeating this process a polynomial number of times, we can collect all heavy queries.

But why should $S$ and $S^{\prime}$ be indistinguishable to $V$ ? By standard quantum query analysis, if $V$ can distinguish $S$ from $S^{\prime}$ , then it’s queries must place significant amplitude on $S\setminus S^{\prime}$ . By measuring a random query, we therefore obtain with significant probability a $y\in S\setminus S^{\prime}$ . But since $y$ is not heavy, repeating this process many times will produce many different $y$ . This means that if $V$ can distinguish $S$ from $S^{\prime}$ , it must actually be able to generate essentially arbitrarily large (polynomial) numbers of $y\in S$ . Denote the number of $y$ by $L$ .

$𝑽$ that do not query $𝑼$

Let us first assume that $V$ makes no queries to $U$ . In this case, we can argue that any distinguishing $V$ actually violates known query complexity results for multiple Grover search. In particular, [6] show that an algorithm making polynomially-many queries to a random sparse $S$ cannot produce $L$ points in $S$ except with probability bounded by $2^{-L}$ (see Lemma 8 for precise statement). Now, this result assumes no advice is provided about $S$ , but the witness $w$ counts as advice. Fortunately, we can handle the advice using the strong exponential lower bound provided by [6]. Consider running the process above with a random $w^{\prime}$ instead of $w$ . In the event $w^{\prime}=w$ , the process will produce $L$ points in $S$ . Moreover, $w^{\prime}=w$ with probability $2^{-|w|}$ . By setting $L\gg|w|$ (recall that we can make $L$ an arbitrarily large polynomial), we therefore obtain an algorithm with no advice which produces $L$ points in $S$ with probability $2^{-|w|}\gg 2^{-L}$ , contradicting the hardness of multiple Grover search.

$\blacktriangleright$ Remark 1.

The above strategy inherently uses the fact that $w$ is classical. If $V$ had a quantum witness/advice, running it even once and measuring a random query to find a $y\in S$ would potentially destroy the witness, meaning further runs of $V$ are not guaranteed to produce any points in $S$ . This is the key place in the proof where we distinguish between classical and quantum witnesses, hopefully indicating a promising route toward proving a separation between ${\sf QMA}$ and ${\sf QCMA}$ .

$𝒌$ -wise independent $𝑼$

The above strategy does not work for handling queries to $U$ . The problem is that $U$ takes potentially $N$ bits (which is exponential) to describe, meaning treating $U$ as advice would require setting $L\gg N$ , at which point the bounds from [6] do not apply.

We will for now assume that $U$ is $k$ -wise independent for a super-polynomial $k$ , and return to justifying this assumption later. We will assume such $k$ -wise independence holds even conditioned on $S$ (but not conditioned on $|\psi\rangle$ , whose correlation with $U$ is crucial for the correctness of our ${\sf QMA}$ verifier). A result of [14] (formally described in Lemma 7) shows that a $k$ -wise independent $U$ is actually perfectly indistinguishable from a uniform $U$ , for all quantum query algorithms making at most $k/2$ queries. Since $k$ is super-polynomial, we thus obtain perfect indistinguishability against all polynomial-query algorithms, including our process above for generating points in $S$ . Consequently, the process above succeeds in generating $L$ points in $S$ even if $U$ is replaced by a uniformly random $U$ independent of $S$ . But such a uniform $U$ can be simulated without knowledge of $S$ at all, and hence the lower-bound of [6] actually applies to algorithms making queries to uniform $U$ . Thus under the assumption that $U$ is $k$ -wise independent, we can justify ${\sf QCMA}$ hardness.

Our $𝑼$ are “close” to $𝒌$ -wise independent

We show that, by choosing $U$ carefully in a probabilistic way, $U$ is “close” to $k$ -wise independent, even conditioned on $S$ . By “close”, we concretely mean that for every subset $T\subseteq[N]$ of size at most $k$ , that $2^{-|T|}\leq\Pr[T\cap U=\emptyset]\leq(1+\epsilon)\times 2^{-|T|}$ , for some very small $\epsilon$ which depends on $k,|S|,N$ . Note that true $k$ -wise independence is equivalent to $\Pr[T\cap U=\emptyset]=2^{-|T|}$ for all $T$ of size at most $k$ .

Is this “close” enough?

Unfortunately, we do not know how to prove that $U$ which are close to $k$ -wise independent are sufficient to make our approach work. The issue is that [14] only applies to perfect $k$ -wise independence, and there are counterexamples that show that the result does not hold when replaced with some approximate notions of $k$ -wise independence.

The good news is that our notion of closeness is quite different from the usual notion of “biased” or “almost” $k$ -wise independence used in the literature. Specifically, those notions allow for an additive error in any of the marginal probabilities, whereas we impose a strong multiplicative error bound. This gives us hope that our distribution of $U$ , despite not being truly $k$ -wise independent, may still be close enough to get a separation.

We make progress toward justifying this claim. We make a conjecture that any distribution over $U$ which is “close” to $k$ -wise independent (in our sense) can be turned into a distribution $U^{\prime}$ that is truly $k$ -wise independent. Importantly, $U$ and $U^{\prime}$ will agree on almost all points. More precisely, for any $z$ , the probability that $U$ and $U^{\prime}$ differ on $z$ is negligible. See Conjecture 10 for the formal statement of this conjecture. Observe that this conjecture is simply a statement about distributions, and has nothing on the surface to do with quantum query complexity.

Under this conjecture, we complete the full oracle separation between ${\sf QMA}$ and ${\sf QCMA}$ . Instead of giving out the oracle $U$ , we simply give out the oracle $U^{\prime}$ , and prove ${\sf QCMA}$ hardness following the above approach. Our statistical conjecture is then used to show that replacing $U$ with $U^{\prime}$ does not break our ${\sf QMA}$ verifier. Concretely, by standard query complexity arguments, we show that if our verifier works on $U$ , then it must also work (with negligibly larger error) on $U^{\prime}$ .

$\blacktriangleright$ Remark 2.

Our statistical conjecture gives one way to prove an oracle separation between ${\sf QMA}$ and ${\sf QCMA}$ following our approach. Our conjecture could of course turn out to be false. Even in this case, our oracles still seem likely to give a separation, and there may be many other paths toward proving it. Perhaps if the general conjecture is false, our particular $U$ can still be converted into $U^{\prime}$ as needed. Or maybe being “close” to $k$ -wise independent is directly sufficient for a separation and can be proven via quantum query complexity arguments. Possibly there is a different distribution over $|\psi\rangle$ and associated $U$ where $U$ actually is perfectly $k$ -wise independent. Thus, independent of our particular statistical conjecture, we believe our new approach at a separation gives a promising new approach toward separating ${\sf QMA}$ from ${\sf QCMA}$ relative to classical oracles.

2 Preliminaries and notation

A function $f(n)\leq n^{O(1)}$ is polynomial and $f(n)\geq n^{-O(1)}$ is inverse polynomial. Functions $f(n)\geq n^{\omega(1)}$ are superpolynomial and $f(n)\leq n^{-\omega(1)}$ are negligible.

Let ${\sf Bernoulli}_{p}$ denote the distribution over $\{0,1\}$ which outputs $1$ with probability $p$ . Let ${\sf Bernoulli}_{p}^{N}$ denote the distribution over $\{0,1\}^{N}$ consisting of $N$ iid samples from ${\sf Bernoulli}_{p}$ . We will associate $\{0,1\}^{N}$ with subsets of $[N]$ , where $S\subseteq[N]$ is associated with the vector ${\mathbf{v}}$ such that $v_{x}=1$ if $x\in S$ . We will also associate $\{0,1\}^{N}$ (and hence also subsets of $[N]$ ) with functions from $[N]$ to $\{0,1\}$ , where $S$ is associated with its indicator function $f$ , where $f(x)$ is 1 if and only if $x\in S$ .

A joint distribution $X_{1},\cdots X_{n}$ is $k$ -wise independent if, for each subset $T$ of size at most $k$ , $(X_{i})_{i\in T}$ are independent random variables. $X_{1},\cdots,X_{n}$ is $k$ -wise uniform independent if each $(X_{i})_{i\in T}$ are independent uniform random variables over their respective domains.

Complex Normal Distribution

Let ${\mathcal{N}}^{\mathbb{C}}_{\mu,\sigma}$ denote complex normal distribution with width $\sigma$ . The probability density function of this distribution is given by $\Pr[x\leftarrow{\mathcal{N}}^{\mathbb{C}}_{\mu,\sigma}]=\frac{1}{\pi\sigma^{2}% }e^{-|x-\mu|^{2}/\sigma^{2}}$ .

Two basic identities that will be useful when computing integrals involving complex normal distributions are the following. Let ${\mathbf{v}}$ is a vector of $n$ complex numbers, ${\mathbf{M}}$ is a complex $n\times n$ matrix, and $\int_{\mathbb{C}}d{\mathbf{v}}$ means to integrate over all complex vectors ${\mathbf{v}}$ . Then

\displaystyle\int_{\mathbb{C}}e^{-{\mathbf{v}}^{\dagger}{\mathbf{M}}{\mathbf{v% }}}d{\mathbf{v}}

\displaystyle=\frac{\pi}{\det({\mathbf{M}})}

\displaystyle\int_{\mathbb{C}}|v_{1}|^{2}|v_{2}|^{2}e^{-{\mathbf{v}}^{\dagger}% {\mathbf{M}}{\mathbf{v}}}d{\mathbf{v}}

\displaystyle=\frac{\pi^{2}{\sf Tr}({\mathbf{M}})^{2}}{4\det({\mathbf{M}})^{3}% }\text{ for }n=2

Quantum Computation

We assume the reader is familiar with the basics of quantum computation and quantum query models. Recall that in the standard model for making quantum queries to a classical oracle ${\mathcal{O}}$ , the algorithm submits a state $\sum_{x,y,z}\alpha_{x,y,z}|x,y,z\rangle$ , and receives back $\sum_{x,y,z}\alpha_{x,y,z}|x,y\oplus{\mathcal{O}}(x),z\rangle$ . We will make use of the quantum Fourier tranform, denoted ${\sf QFT}_{N}$ , defined on computational basis states as $|y\rangle\mapsto\frac{1}{\sqrt{N}}\sum_{z\in\mathbb{Z}_{N}}e^{i2\pi yz/N}|z\rangle$ for $y\in\mathbb{Z}_{N}$ . We will usually drop the subscript $N$ as it will be clear from context. For a quantum state $|\psi\rangle$ , we will typically let $|\hat{\psi}\rangle$ be shorthand for ${\sf QFT}|\psi\rangle$ .

2.1 Defining QMA and QCMA relative to Oracles

We can consider two types of oracle versions of complexity classes, and in particular QMA/QCMA. The first, and most common, is to specify an infinite oracle ${\mathcal{O}}:\{0,1\}^{*}\rightarrow\{0,1\}$ , and define the classes QMA/QCMA relative to ${\mathcal{O}}$ . The second version, which is typically easier to work with, is to consider a variant of QMA/QCMA where the instance itself is an exponentially-sized oracle ${\mathcal{X}}:\{0,1\}^{n}\rightarrow\{0,1\}$ . Fortunately, we show that a QMA/QCMA separation for one variant immediately gives such a separation for the other variant. Thus, it suffices to prove a separation for whichever variant is most convenient.

Definition 3 (Oracle-Aided QMA/QCMA).

For a function ${\mathcal{O}}:\{0,1\}^{*}\rightarrow\{0,1\}$ , an oracle decision problem is a subset ${\sf L}^{\mathcal{O}}\subseteq\{0,1\}^{*}$ which depends on ${\mathcal{O}}$ . We say that ${\sf L}^{\mathcal{O}}$ is in ${\sf QMA}^{\mathcal{O}}$ if there exists a polynomial-time oracle-aided quantum algorithm $V^{\mathcal{O}}$ and polynomial $p$ such that:

$\blacksquare$

For every $x\in{\sf L}^{\mathcal{O}}$ of length $n$ , there exists a state $|\psi\rangle$ on $p(n)$ qubits such that $\Pr[V^{\mathcal{O}}(x,|\psi\rangle)=1]\geq 2/3$ . In this case, we say that $V^{\mathcal{O}}$ accepts $x$ .
$\blacksquare$

For every $x\notin{\sf L}^{\mathcal{O}}$ of length $n$ , and for any state $|\psi\rangle$ on $p(n)$ qubits, $\Pr[V^{\mathcal{O}}(x,|\psi\rangle)=1]\leq 1/3$ . In this case, we say that $V^{\mathcal{O}}$ rejects $x$ .

${\sf QCMA}^{\mathcal{O}}$ is defined analogously, except that the states $|\psi\rangle$ are required to be classical.

Definition 4 (Oracle-Input QMA/QCMA).

Let ${\mathcal{U}}=\{{\mathcal{U}}_{n}\}_{n\in\mathbb{Z}^{+}}$ where ${\mathcal{U}}_{n}$ are sets of strings ${\mathcal{X}}$ of length $2^{n^{\Theta(1)}}$ , interpreted as functions from ${\mathcal{X}}:[n^{\Theta(1)}]\rightarrow\{0,1\}$ . An oracle-input promise language is a subset ${\sf OI\text{-}L}\subseteq{\mathcal{U}}$ . An oracle-input promise language ${\sf OI\text{-}L}\subseteq{\mathcal{U}}$ is in ${\sf OI\text{-}QMA}$ if there exists a polynomial-time oracle-aided quantum algorithm $V$ and polynomial $p$ such that:

$\blacksquare$

For every ${\mathcal{X}}\in{\sf OI\text{-}L}\cap{\mathcal{U}}_{n}$ , there exists a $|\psi\rangle$ on $p(n)$ qubits such that $\Pr[V^{\mathcal{X}}(|\psi\rangle)=1]\geq 2/3$ .
$\blacksquare$

For every ${\mathcal{X}}\in{\mathcal{U}}_{n}\setminus{\sf OI\text{-}L}$ , and for any state $|\psi\rangle$ on $p(n)$ qubits, $\Pr[V^{\mathcal{X}}(|\psi\rangle)=1]\leq 1/3$ .

${\sf OI\text{-}QCMA}$ is defined analogously, except that the states $|\psi\rangle$ are required to be classical.

Note that the constants $1/3,2/3$ in Definitions 3 and 4 are arbitrary, and can be replaced with $a, b$ for any $a, b$ such that $a\geq 2^{-{\sf poly}(n)},b\leq 1-2^{-{\sf poly}(n)},$ and $b-a\geq 1/{\sf poly}(n)$ .

Given any countable collection of oracles ${\mathcal{O}}_{1},{\mathcal{O}}_{2},\cdots$ which may have finite or infinite domains, we can construct a single oracle ${\mathcal{O}}:\{0,1\}^{*}\rightarrow\{0,1\}$ by setting ${\mathcal{O}}(j,x)={\mathcal{O}}_{i}(x)$ , where $(j,x)$ is some encoding of pairs $(j,x)\in\{0,1\}^{*}\times\{0,1\}^{*}$ into strings in $\{0,1\}^{*}$ . We can likewise convert ${\mathcal{O}}$ back into ${\mathcal{O}}_{1},{\mathcal{O}}_{2},\cdots$ . Therefore, we will take the definitions of ${\sf QMA},{\sf QCMA},{\sf OI\text{-}QMA},{\sf OI\text{-}QCMA}$ to allow for verifiers making queries to countable collections of oracles.

This next theorem is proved in Section 4 following a standard diagonalization argument, and shows that is suffices to give a separation for either variant of ${\sf QMA},{\sf QCMA}$ .

Theorem 5.

There exists a classical oracle ${\mathcal{O}}$ such that ${\sf QCMA}^{\mathcal{O}}\neq{\sf QMA}^{\mathcal{O}}$ if and only if ${\sf OI\text{-}QCMA}\neq{\sf OI\text{-}QMA}$ .

The style of oracle separation between ${\sf QMA}$ and ${\sf QCMA}$ given in [1] follows that of Definition 3, except that they use a quantum oracle instead of a classical oracle. They do not define the oracle-input versions of ${\sf OI\text{-}QMA}$ and ${\sf OI\text{-}QCMA}$ or a general result like Theorem 5, but their proof implicitly uses similar concepts. In particular, they first define a universe of quantum oracles: namely, those that are either the identity or reflect around a Haar random state. They then show that the two cases can be efficiently distinguished via a quantum witness, but not a classical witness. This is effectively showing a separation between ${\sf OI\text{-}QMA}$ and ${\sf OI\text{-}QCMA}$ , except using quantum oracles instead of classical oracles. They then extend this to give a quantum oracle ${\mathcal{Q}}$ separating ${\sf QMA}^{\mathcal{Q}}$ from ${\sf QCMA}^{\mathcal{Q}}$ . This can be seen as roughly corresponding to a transformation like what we prove in Theorem 5.

One slight non-triviality in generalizing their techniques to give a general equivalence is that a separation between ${\sf OI\text{-}QMA}$ and ${\sf OI\text{-}QCMA}$ only needs to show that, for any potential ${\sf QCMA}$ verifier, there is some instance that the verifier answers incorrectly. This is indeed how our separation is constructed. In contrast, [1] show that almost all instances will fool any ${\sf QCMA}$ verifier. This stronger separation is crucially used when constructing the oracle ${\mathcal{Q}}$ separating ${\sf QMA}^{\mathcal{Q}}$ from ${\sf QCMA}^{\mathcal{Q}}$ , as they can basically choose ${\mathcal{Q}}$ to be random from the appropriate universe of oracles. In order to get a general equivalence for arbitrary separations, including those like ours where the instance depends on the verifier, we have to work a bit harder and incorporate a diagonalization argument. Fortunately, this is standard.

2.2 Some Useful Quantum Lemmas

For an oracle algorithm $A$ making queries to an oracle $O$ and an oracle input $r$ , let the state $\sum_{x,y,z}\alpha_{x,y,z}^{(i)}|x,y,z\rangle$ denote the $i$ th oracle query, and let $M_{x}(i)=\sum_{y,z}|\alpha_{x,y,z}^{(i)}|^{2}$ , which we will call the query mass of $x$ in the $i$ -th query. Let $M_{x}=\sum_{i}M_{x}(i)$ , the total query mass of $x$ over all $q$ queries, and for a subset $V$ let $M_{V}=\sum_{x\in V}M_{x}$ be the total query mass of points in $V$ .

Lemma 6 ([4] Theorem 3.1+3.3).

Let $A$ be a quantum algorithm running making $q$ queries to an oracle $O$ . Let $\epsilon>0$ and let $V$ be a set of inputs. If we modify $O$ into an oracle $O^{\prime}$ which is identical to $O$ except possibly on inputs in $V$ , then $|\Pr[A^{O}()=1]-\Pr[A^{O^{\prime}}()=1]|\leq 4\sqrt{qM_{V}}$ .

Lemma 7 ([14] Theorem 3.1).

Let $A$ be a quantum algorithm making $q$ queries to an oracle $O$ . For any output $z$ , the probability $A$ outputs $z$ when $O$ is $2q$ -wise independent is identical to the probability $A$ outputs $z$ when $O$ is uniformly random.

Lemma 8 ([6] Theorem 5.5).

Let $p\in[0,1]$ . There is a constant $C\leq 48e$ such that the following is true. The success probability of finding $K$ marked items in a random function $S:[N]\rightarrow\{0,1\}$ where $S(x)=1$ with probability $p$ for each $x\in[N]$ is at most $(Cp(Q/K)^{2})^{K}$ for any algorithm making $Q\geq K$ quantum queries to $S$ .

3 Our Oracle Separation

Here, we give our conjectured oracle separation between ${\sf QMA}$ and ${\sf QCMA}$ . Following Theorem 5, it suffices to focus on the oracle-input variants of ${\sf QMA}$ and ${\sf QCMA}$ . We first define our new statistical conjecture. Then we will define a certain “nice” type of distribution, which we call Fourier Independent (FI). We show that our statistical conjecture leads to the existence of such a FI distribution. Finally, we show that an FI distribution gives a separation between ${\sf OI\text{-}QMA}$ and ${\sf OI\text{-}QCMA}$ , and hence an oracle ${\mathcal{O}}$ such that ${\sf QCMA}^{\mathcal{O}}\neq{\sf QMA}^{\mathcal{O}}$ (via Theorem 5).

3.1 Our Statistical Conjecture

Definition 9 (Substitution Distance).

Consider two distributions $X_{0},X_{1}$ over $\Sigma^{\ell}$ for some alphabet $\Sigma$ . The substitution distance between $X_{0}$ and $X_{1}$ , denoted $\|X_{0}-X_{1}\|_{\sf sub}$ , is the minimum value of $\epsilon\geq 0$ such that there is a joint distribution $(Z_{0},Z_{1})$ over $(\Sigma^{\ell})^{2}$ where:

$\blacksquare$

The marginal distribution $Z_{0}$ is equal to $X_{0}$ and the marginal distribution $Z_{1}$ is equal to $X_{1}$ .
$\blacksquare$

For each $i\in[\ell]$ , $\Pr[Z_{0,i}\neq Z_{1,i}]\leq\epsilon$ , where $Z_{b,i}$ means the $i$ th entry of $Z_{b}$ .

Intuitively, a small $\|X_{0}-X_{1}\|_{\sf sub}$ means that, by changing a few positions $X_{0}$ – and each position with tiny probability – we can turn $X_{0}$ into $X_{1}$ .

Conjecture 10.

There exist functions $r(N),k(N),\zeta(N),\eta(N)$ subject to the constraints $k(N)\geq(\log N)^{\omega(1)}$ , $\eta(N)\leq(\log N)^{-\omega(1)}$ , and $N\zeta(N)^{3}/r(N)^{6}\geq(\log N)^{\omega(1)}$ such that the following is true. Suppose $X_{0}$ is a distribution over $\{0,1\}^{N}$ such that for all sets $T\subseteq[N]$ of size of size at most $r(N)$ , $2^{-|T|}\leq\Pr_{{\mathbf{x}}\leftarrow X_{0}}[x_{i}=0\forall i\in T]\leq(1+% \zeta(N))\times 2^{-|T|}$ . Then there exists a $k(N)$ -wise uniform independent distribution $X_{1}$ such that $\|X_{0}-X_{1}\|_{\sf sub}\leq\eta(N)$ .

Think of $\log N$ as the instance size, so that $N$ is exponential. Conjecture 10 starts with a distribution $X_{0}$ that is in some sense very close to $r$ -wise uniform independent, and concludes that $X_{0}$ must be negligibly-close in substitution error to an actual $k$ -wise uniform independent distribution, for $k$ that may be different than $r$ but is still super-polynomial. Note that without the constraint $N\zeta(N)^{3}/r(N)^{6}\geq(\log N)^{\omega(1)}$ , the conjecture is trivially true by setting $\zeta=0$ and $X_{0}=X_{1}$ . The exact constraint we stipulate makes the conjecture non-trivial, and arises for technical reasons in our separation.

3.2 Fourier Independent Distributions

Definition 11.

Let $N\in\mathbb{Z}^{+}$ and $S\subseteq[N]$ . We say that a distribution ${\mathcal{D}}_{S}$ over pairs $(|\psi\rangle,U)$ is $(k,\delta,\gamma)$ -Fourier-Independent (FI) if the following hold:

$\blacksquare$

$|\psi\rangle$ is a normalized superposition $\sum_{y\in S}\alpha_{y}|y\rangle$ over elements $y\in S$ .
$\blacksquare$

$U\subseteq[N]$ , and the marginal distribution of $U$ is $k$ -wise uniform independent.
$\blacksquare$

Let $|\hat{\psi}\rangle={\sf QFT}|\psi\rangle$ be the quantum Fourier transform of $|\psi\rangle$ . Then except with probability $\delta$ over the choice of $|\psi\rangle$ , $\langle\hat{\psi}|\Pi_{U}|\hat{\psi}\rangle\geq\frac{1}{2}+\gamma$ , where $\Pi_{U}$ is the projection operator $\sum_{z\in U}|z\rangle\langle z|$ .

We want $k$ to be large (say super-polynomial in $\log N$ ), $\delta$ to be small (say negligible in $\log N$ ), and $\gamma$ to be not-too-small (non-negligible in $\log N$ ). Then a Fourier Independent distribution is one where (1) $|\psi\rangle$ has support on $S$ , (2) $U$ looks like a random set to query-bounded quantum algorithms (by Lemma 7), but (3) $|\hat{\psi}\rangle$ is biased toward elements in $U$ .

We now show the existence of a FI distribution for certain $k,\delta,\gamma$ , assuming Conjecture 10.

Theorem 12.

Suppose Conjecture 10 holds. Then there exists functions $p,\epsilon,\delta,\gamma:\mathbb{Z}^{+}\rightarrow[0,1]$ and functions $N,k:\mathbb{Z}^{+}\rightarrow\mathbb{Z}^{+}$ such that (1) $p(n),\epsilon(n),\delta(n)\leq n^{-\omega(1)}$ , (2) $N(n)\leq 2^{n^{O(1)}}$ (3) $k(n)\geq n^{\omega(1)}$ , (4) $\gamma\geq n^{-O(1)}$ , and (5) except with probability $\epsilon(n)$ over the choice of $S\leftarrow{\sf Bernoulli}_{p(n)}^{N(n)}$ , there exists a distribution ${\mathcal{D}}_{S}$ that is $(k,\delta,\gamma)$ -Fourier-Independent.

Proof.

Let $N,\ell\in\mathbb{Z}^{+}$ be positive integers. For a subset $S\subseteq\mathbb{Z}_{N}$ of size $\ell$ , let ${\mathcal{D}}_{S}^{\prime}$ be the distribution over pairs $(|\psi\rangle,U^{\prime})$ where $|\psi\rangle$ is a quantum state and $U^{\prime}\subseteq\mathbb{Z}_{N}$ , obtained as follows:

$\blacksquare$

For each $y\in S$ , sample a complex number $\alpha_{y}\leftarrow{\mathcal{N}}^{\mathbb{C}}(0,\sigma)$ where $\sigma=1/\sqrt{\ell}$ . Let $|\psi\rangle=\sum_{y\in S}\alpha_{y}|y\rangle$
$\blacksquare$

For each $z\in\mathbb{Z}_{N}$ , let $\beta_{z}=\sum_{y\in S}e^{i2\pi yz/N}\alpha_{y}$ .
$\blacksquare$

For each $z\in\mathbb{Z}_{N}$ , place $z$ into the output set $U^{\prime}$ with independent probability $1-e^{-|\beta_{z}|^{2}}$ .

Intuition

By choosing $\sigma=1/\sqrt{\ell}$ , we will show that $|\psi\rangle$ is approximately normalized, so we can think of $|\psi\rangle$ as being essentially a random state with support on $S$ . Let $|\hat{\psi}\rangle={\sf QFT}|\psi\rangle$ be the QFT applied to $|\psi\rangle$ . Then $|\hat{\psi}\rangle=\sum_{z\in\mathbb{Z}_{N}}(\beta_{z}/\sqrt{N})|z\rangle$ . Thus, the set $U^{\prime}$ will be biased toward containing the points $z$ where $\beta_{z}$ is large. We will also show that $U^{\prime}$ is close to $k$ -wise independent in substitution distance, for an appropriate $k$ . Via Conjecture 10, this allows us to replace $U^{\prime}$ with an appropriate $U$ , giving a distribution ${\mathcal{D}}_{S}$ that is truly Fourier Independent.

We state some useful lemmas about ${\mathcal{D}}_{S}^{\prime}$ ; the proofs will be given in Section 4. Define $\tau^{S}_{T}:=\Pr_{U^{\prime}\leftarrow{\mathcal{D}}_{S}}[T\cap U^{\prime}=\emptyset]$ , or equivalently, the probability $U^{\prime}(z)=0$ for all $z\in T$ , once $S$ is chosen.

Lemma 13.

For any subsets $S, T$ , $1+|T|\leq(\tau^{S}_{T})^{-1}\leq 2^{|T|}$

Lemma 13 holds for any $S, T$ . In particular, for $|T|=1$ , we have that $\tau^{S}_{T}=1/2$ . This means each $z$ is placed in $U$ with probability $1/2$ ; by linearity of expectation, $\mathop{\mathbb{E}}[|U^{\prime}|]=N/2$ . We can also get a tighter lower-bound for larger $T$ with high probability over the choice of $S$ :

Lemma 14.

For any $\epsilon>0$ , except with probability at most $2N^{2}e^{-\epsilon^{2}\ell/2}$ over the choice of random subset $S$ of size $\ell$ , for all subsets $T$ , $(\tau^{S}_{T})^{-1}\geq 2^{|T|}(1-|T|^{2}\epsilon)$ . In this event, as long as $|T|^{2}\epsilon\leq 1/2$ , we can bound $\tau^{S}_{T}\leq 2^{-|T|}(1+2|T|^{2}\epsilon)$ .

Now we bound $\|\;|\psi\rangle\;\|^{2}$ , showing that $|\psi\rangle$ is approximately normalized.

Lemma 15.

Fix any set $S$ of size $\ell$ and $\epsilon\in(0,1)$ . Then except with probability $2e^{-\epsilon^{2}\ell/8}$ , $\|\;|\psi\rangle\;\|^{2}\in[1-\epsilon,1+\epsilon]$ , where $|\psi\rangle$ is generated as in ${\mathcal{D}}^{\prime}_{S}$ .

Now, we bound the probability that (the normalization of) $|\hat{\psi}\rangle$ is accepted by $U^{\prime}$ . Note that $|\;|\psi\rangle\;|^{2}=|\;|\hat{\psi}\rangle\;|^{2}$ .

Lemma 16.

Except with probability at most $3(N^{-1}+\ell^{2}N^{-2})\epsilon^{-2}+4N^{2}e^{-\ell\epsilon^{2}/32}$ over the choice of $S,U^{\prime}$ , we have $\left|\frac{\langle\hat{\psi}|\Pi_{U^{\prime}}|\hat{\psi}\rangle}{\|\;|\psi% \rangle\;\|^{2}}-3/4\right|\leq\epsilon$ . Recall $\Pi_{U^{\prime}}$ is the projection operator $\sum_{z\in U^{\prime}}|z\rangle\langle z|$ .

We now return to the proof of Theorem 12. ${\mathcal{D}}_{S}^{\prime}$ is almost Fourier Independent, except that the distributions over $U^{\prime}$ are not $k$ -wise uniform independent. However, Lemmas 13 and 14 show, in some sense, that $U^{\prime}$ is very close to being $k$ -wide uniform independent, for somewhat large $k$ . We will then invoke the assumed Conjecture 10 to replace $U^{\prime}$ with a distribution over $U$ that is actually $k$ -wise uniform independent, for a sufficiently large $k$ , and is close in substitution error to $U^{\prime}$ . We then show that the small substitution error between $U$ and $U^{\prime}$ implies that the statements of Lemma 16 still approximately holds, even for $U$ .

In more detail, let $X_{0}$ be the distribution over $U^{\prime}$ stemming from ${\mathcal{D}}_{S}^{\prime}$ . Let $r(N)$ , $k(N)$ , $\zeta(N)$ , $\eta(N)$ be the functions guaranteed by Conjecture 10. Define $N=\Theta(2^{n})$ and let $p=r(N)^{4}\zeta(N)^{-2}N^{-1}\log^{2}N$ . By the conditions Conjecture 10 places on $r(N),k(N),\zeta(N),\eta(N)$ , we therefore have that $p\leq n^{-\omega(1)}\log^{2}N\leq n^{-\omega(1)}$ . By standard concentration inequalities, the size $\ell$ of $S$ sampled from ${\sf Bernoulli}_{p}^{N}$ is very close to $pN=r(N)^{4}\zeta(N)^{-2}\log^{2}N$ , except with negligible probability. Then set $\epsilon=\zeta(N)/r(N)^{2}$ , which by the conditions of Conjecture 10 gives that $N^{-1}\epsilon^{-2}$ , $\ell^{2}N^{-2}\epsilon^{-2}$ , and $N^{2}e^{-\ell\epsilon^{2}/32}$ are all negligible. By Lemma 13 and by invoking Lemma 14 with $\epsilon=\zeta(N)/r(N)^{2}$ , we have except with negligible probability over the choice of $S$ , that $2^{-|T|}\leq\tau_{S}^{T}\leq 2^{-|T|}(1+\zeta)$ for all sets $T$ of size at most $r(N)$ . Conjecture 10 then implies for “good” $S$ where the bounds on $\tau_{S}^{T}$ hold, there is a distribution $X_{1}$ that is $k(N)$ -wise uniform independent and such that $\|X_{0}-X_{1}\|_{\sf sub}\leq\eta(N)$ , with $k(N),1/\eta(N)\geq(\log N)^{\omega(1)}=n^{\omega(1)}$ .

Let $S$ be a good set. Now consider the following distribution ${\mathcal{D}}_{S}$ . It first uses the fact that $\|X_{0}-X_{1}\|_{\sf sub}\leq n^{-\omega(1)}$ to derive a joint distribution $(Z_{0},Z_{1})$ with the marginal $Z_{0}$ being equivalent to $X_{0}$ and $Z_{1}$ being $k$ -wise uniform independent for $k\geq n^{\omega(1)}$ . Then we sample $(|\psi\rangle,U^{\prime})\leftarrow{\mathcal{D}}_{S}^{\prime}$ and sample $U$ from the distribution $Z_{1}$ conditioned on $Z_{0}=U^{\prime}$ . Let $|\psi^{\prime}\rangle=|\psi\rangle/\|\;|\psi\rangle\;\|$ . Output $(|\psi^{\prime}\rangle,U)$ . We then have that $U$ is distributed according to $Z_{1}$ , and is therefore $k$ -wise uniform independent. We also have by Lemma 16 that except with negligible probability, $\langle\hat{\psi}^{\prime}|\Pi_{U^{\prime}}|\hat{\psi}^{\prime}\rangle\geq 2/3$ . In order to justify Fourier Independence, we just need to show that, e.g. $\langle\hat{\psi}^{\prime}|\Pi_{U}|\hat{\psi}^{\prime}\rangle\geq 7/12$ .

Toward that end, write $|\hat{\psi}^{\prime}\rangle=\frac{1}{\sqrt{N}}\sum_{z\in\mathbb{Z}_{N}}\beta_{% z}^{\prime}|z\rangle$ where $\sum_{z}|\beta_{z}^{\prime}|^{2}=1$ . Then deinfe

E:=\langle\hat{\psi}^{\prime}|\Pi_{U^{\prime}}|\hat{\psi}^{\prime}\rangle-\hat% {\psi}^{\prime}|\Pi_{U}|\hat{\psi}^{\prime}\rangle=\sum_{z\in U^{\prime}}|% \beta_{z}^{\prime}|^{2}-\sum_{z\in U}|\beta_{z}^{\prime}|^{2}\leq\sum_{z\in U^% {\prime}\setminus U}|\beta_{z}^{\prime}|^{2}

Now let $\xi_{z}$ denote the variable that is 1 if $z\notin U^{\prime}\setminus U$ and is 0 otherwise. Then $E\leq\sum_{z}\xi_{z}|\beta_{z}^{\prime}|^{2}$ . Each $\xi_{z}$ is a 0/1 random variable with negligible expectation. Therefore, since $\sum_{z}|\beta_{z}^{\prime}|^{2}=1$ , we have that $\mathop{\mathbb{E}}[E]$ is negligible. Then by Markov’s inequality, we have that $\Pr[E\geq\sqrt{\mathop{\mathbb{E}}[E]}]\leq\sqrt{\mathop{\mathbb{E}}[E]}$ . Therefore, since $\mathop{\mathbb{E}}[E]$ and hence $\sqrt{\mathop{\mathbb{E}}[E]}$ are negligible, we have that $E$ is negligible except with negligible probability. This means in particular that $\langle\hat{\psi}^{\prime}|\Pi_{U}|\hat{\psi}^{\prime}\rangle\geq 7/12$ , except with negligible probability. Thus ${\mathcal{D}}_{S}$ is $(k,\delta,\gamma)$ -Fourier-Independent, thereby proving Theorem 12. $\hfill\blacktriangleleft$

3.3 From FI Distributions to An Oracle Separation

We now show that FI distributions as guaranteed by Theorem 12 give a separation between ${\sf OI\text{-}QCMA}$ and ${\sf OI\text{-}QMA}$ .

Theorem 17.

Suppose Conjecture 10 holds. Then ${\sf OI\text{-}QCMA}\neq{\sf OI\text{-}QMA}$ .

Proof.

We first invoke Theorem 12 to obtain distributions ${\mathcal{D}}_{S}$ satisfying properties (1) through (5) in the statement of Theorem 12. We now use this to construct our separation. We will invoke the definition of ${\sf OI\text{-}QMA}$ and ${\sf OI\text{-}QCMA}$ with $a=1/2+\gamma(n)/2$ and $b=1/2+\gamma(n)$ . Since $b-a=\gamma(n)/2$ is inverse polynomial, this is equivalent to the standard definition of ${\sf OI\text{-}QMA}$ and ${\sf OI\text{-}QCMA}$ . Thus, a valid verifier will accept YES instances of size $n$ (given a correct witness) with probability at least $1/2+\gamma(n)$ , and accept NO instances with probability at most $1/2+\gamma(n)/2$ .

An instance will be a pair of oracles $(S,U)$ where $S,U\subseteq[N(n)]$ . Our verifier $V^{S,U}(|\psi\rangle)$ will do the following: $V$ will make a query to $S$ on the witness state $|\psi\rangle$ and measuring the output. If it accepts, then $V$ will apply the ${\sf QFT}$ to the witness state (which may have changed due to the measurement), and make a query to $U$ , measuring the output. If both queries accept, then $V$ will output 1; if either measurement rejects, then $V$ will output 0.

We define the universe ${\mathcal{U}}$ as the set of pairs $(S,U)$ for which either (1) there exists a state $|\psi\rangle$ such that $\Pr[V^{S,U}(|\psi\rangle)=1]\geq 1/2+\gamma(n)$ , or (2) for all states $|\psi\rangle$ , $\Pr[V^{S,U}(|\psi\rangle)=1]<1/2+\gamma(n)/2$ . Then ${\sf OI\text{-}L}\subseteq{\mathcal{U}}$ is the set such that $\Pr[V^{S,U}(|\psi\rangle)=1]\geq 1/2+\gamma(n)$ . By definition, ${\sf OI\text{-}L}\in{\sf OI\text{-}QMA}$ .

We now show that ${\sf OI\text{-}L}\notin{\sf OI\text{-}QCMA}$ . We can always assume without loss of generality that there is, say, a fixed quadratic running time $t$ such that the running time of any ${\sf OI\text{-}QCMA}$ verifier is bounded by $t(|x|+|w|)$ where $|x|$ is the instance length and $|w|$ is the witness length. This is accomplished by padding the witness length with 0’s that just get ignored by the verifier.

Now let $q=q(n)$ be a sufficiently small super-polynomial function, which we will take as an upper bound on witness length. Let $Q(n)=q(n)^{2}$ , which we take to be an upper bound on the number of queries when the witness length is at most $q(n)$ . Let $v=v(n)$ be another super-polynomial. We will need the following constraints on $q, Q, v$ :

	$\displaystyle Q$	$\displaystyle\ll\gamma p^{-1/2}$	$\displaystyle v$	$\displaystyle\gg qQ^{4}\gamma^{-4}$
	$\displaystyle v$	$\displaystyle\ll\gamma N^{1/12}$	$\displaystyle Qk/v$	$\displaystyle\leq n^{-\omega(1)}$

These can be satisfied for a sufficiently-small super-polynomial $q, v$ and for sufficiently large $n$ .

Suppose toward contradiction that there is a ${\sf OI\text{-}QCMA}$ verifier $V_{*}$ . Sample $S\leftarrow{\sf Bernoulli}_{p(n)}^{N(n)}$ and $(|\psi\rangle,U)\leftarrow{\mathcal{D}}_{S}$ , where ${\mathcal{D}}_{S}$ is $(k(n),\delta(n),\gamma(n))$ -Fourier-Independent. Then we have that with overwhelming probability over the choice of $S,U,|\psi\rangle$ , $\Pr[V^{S,U}(|\psi\rangle)=1]\geq 1/2+\gamma(n)$ . Hence $(S,U)\in{\sf OI\text{-}L}$ . Therefore, under the assumption that $V_{*}$ is a verifier for ${\sf OI\text{-}L}$ , $V_{*}$ must accept $(S,U)$ , meaning there is a classical witness $w$ such that $\Pr[V_{*}^{S,U}(w)=1]\geq 1/2+\gamma(n)$ .

We will now construct a different instance $S^{\prime},U$ , where $S^{\prime}$ is constructed from the following algorithm ${\sf GenSmallSet}^{S,U}(w)$ : initialize $S^{\prime}=\{\}$ , and then repeat the following loop for $i=1,...,v$ :

$\blacksquare$

Run $V_{*}^{S,U}(w)$ until a randomly chosen query to $S$ , and measure the query, obtaining a string $y_{i}\in[N]$ .
$\blacksquare$

If $y_{i}\in S\setminus S^{\prime}$ , add $y_{i}$ to $S^{\prime}$ .

The following is proved in Section 4:

Lemma 18.

If $U$ is sampled from a $k^{\prime}$ -wise uniform independent function and $S^{\prime}$ is potentially correlated to $U$ but has size at most $v$ , then except with probability $2N^{2}\left(\frac{\sqrt{ek^{\prime}}}{\epsilon\sqrt{N}}\right)^{k^{\prime}}$ over the choice of $U,S^{\prime}$ , it holds that, for any normalized state $|\phi\rangle$ with support on $S^{\prime}$ , $\langle\hat{\phi}|\Pi_{U}|\hat{\phi}\rangle\leq 1/2+v\epsilon$ , where $|\hat{\phi}\rangle={\sf QFT}|\phi\rangle$ .

Corollary 19.

Except with negligible probability over the choice of $S,U,S^{\prime}$ , $(S^{\prime},U)\in{\mathcal{U}}\setminus{\sf OI\text{-}L}$ .

Proof.

Set $\epsilon=\gamma/3v$ , and set $G:=2N^{2}\left(\frac{3v\sqrt{ek^{\prime}}}{\gamma\sqrt{N}}\right)^{k^{\prime}}$ for a yet-unspecified $k^{\prime}$ . By Lemma 18, except with probability at most $G$ , $\Pr[V^{S^{\prime},U}(|\phi\rangle)=1]\leq 1/2+\gamma/3<1/2+\gamma/2$ for any state $|\phi\rangle$ . In this case, $(S^{\prime},U^{\prime})\in{\mathcal{U}}\setminus{\sf OI\text{-}L}$ . This event holds regardless of what $S^{\prime}$ is, just using the fact that it consists of at most $v$ elements. Setting $k^{\prime}=5$ and using that $v\leq\gamma N^{1/12}$ we have that $G=O(N^{1/12})$ , which is negligible. $\hfill\blacktriangleleft$

We now show, however, that $V^{*}$ fails to reject $S^{\prime},U$ :

Lemma 20.

Except with negligible probability over the choice of $S,U,w,S^{\prime}$ , $\Pr[V_{*}^{S^{\prime},U}(w)=1]>1/2+\gamma(n)/2$

Proof.

Observe that the process ${\sf GenSmallSet}^{S,U}(w)$ for constructing $S^{\prime}$ always generates $S^{\prime}\subseteq S$ . Now consider running $S^{\prime}\leftarrow{\sf GenSmallSet}^{S,U^{\prime}}(w^{\prime})$ , where $w^{\prime}$ is a random string and $U^{\prime}$ is a random boolean function, with both $w^{\prime},U^{\prime}$ independent of $S$ . This is an algorithm which makes $v Q$ queries to $S$ (and also to $U^{\prime}$ , but $U^{\prime}$ us simulatable on its own since it is independent of $S$ ). $S$ in turn sampled from ${\sf Bernoulli}_{p}^{N}$ . Finally, the algorithm outputs some subset $S^{\prime}$ of $S$ . By Lemma 8, there is a universal constant $C$ such that

\Pr[|S^{\prime}|\geq K:w^{\prime},U^{\prime}\text{ are uniform and independent% of }S]\leq(Cp(vQ/K)^{2})^{K}.

Now consider running $S^{\prime}\leftarrow{\sf GenSmallSet}^{S,U}(w^{\prime})$ , replacing $U^{\prime}$ with $U$ . Recall that $U$ is $k$ -wise independent even conditioned on $S$ , for $k\geq 2vQ$ where $v Q$ is the number of queries made by ${\sf GenSmallSet}$ . By Lemma 7, the output distribution of ${\sf GenSmallSet}^{S,U}(w^{\prime})$ is identical to that of ${\sf GenSmallSet}^{S,U^{\prime}}(w^{\prime})$ . Thus, we still have

\Pr[|S^{\prime}|\geq K:U^{\prime}=U,\text{ while }w^{\prime}\text{ is uniform % and independent of }S]\leq(Cp(vQ/K)^{2})^{K}.

Finally, consider running $S^{\prime}\leftarrow{\sf GenSmallSet}^{S,U}(w)$ . Since $\Pr[w^{\prime}=w]=2^{-q}$ , this means that with probability $2^{-q}$ , ${\sf GenSmallSet}^{S,U}(w^{\prime})$ is actually running ${\sf GenSmallSet}^{S,U}(w)$ . Therefore,

\Pr[|S^{\prime}|\geq K:U^{\prime}=U,w^{\prime}=w]\leq(Cp(vQ/K)^{2})^{K}\times 2% ^{q}.

We now set $K=vQ\sqrt{2Cp}+q+\log_{2}(v)$ . Then we have that $\Pr[|S^{\prime}|\geq K:U^{\prime}=U,w^{\prime}=w]\leq 1/v$ . Then in particular since $|S^{\prime}|\leq v$ always, we have that $\mathop{\mathbb{E}}[|S^{\prime}|]\leq(K-1)\Pr[|S^{\prime}|<K]+v\Pr[|S^{\prime}% |\geq K]\leq(K-1)+1\leq K$ .

Let $e_{j}$ be the probability that ${\sf GenSmallSet}$ adds an element $y_{i}$ to $S^{\prime}$ in the $i$ th iteration. Then $\sum_{j=1}^{v}e_{j}=\mathop{\mathbb{E}}[|S^{\prime}|]\leq K$ . We also have that the $e_{j}$ are monotonically decreasing since the $y_{i}$ are identically distributed and thus the probability mass outside of the growing $S^{\prime}$ can only shrink. Thus $e_{v}\leq K/v$ .

For an input $y\in S$ , let $M_{y}$ denote the total magnitude squared of $y$ in all queries made by $V_{*}^{S,U}(w)$ to oracle $S$ . Then measuring a random choice of the $\leq Q$ queries by $V_{*}$ , we will obtain $y$ with probability at least $M_{y}/Q$ . Since $e_{v}\leq K/v$ , this means that by the end of the loop, the expected total query weight of all points in $S$ but not in $S^{\prime}$ is at most $QK/v$ . By Markov’s inequality, we therefore have that the query weight of points in $S\setminus S^{\prime}$ is at most $\sqrt{QK/v}$ , except with probability at most $\sqrt{QK/v}$ . Recall that $\sqrt{QK/v}$ is negligible. Therefore, since this probability is negligible, we will therefore assume the total query weight of points in $S\setminus S^{\prime}$ is at most $\sqrt{QK/v}$ .

Lemma 6 shows that the difference in acceptance probability between $V_{*}^{S,U}(w)$ and $V_{*}^{S^{\prime},U}(w))$ is at most $4\sqrt{Q\times\sqrt{QK/v}}=4\sqrt[4]{Q^{3}K/v}$ . Observe that $Q^{3}K/v=Q^{4}\sqrt{2Cp}+Q^{3}(q+\log_{2}(v))/v$ . Using that $Q\ll\gamma p^{-1/2}$ and $v\gg qQ^{4}/\gamma^{4}$ , we therefore have that $Q^{3}K/v\leq\gamma^{4}/(12)^{4}$ . Hence the difference in acceptance probability is at most $\gamma/3$ , and hence $\Pr[V_{*}^{S^{\prime},U}(w))=1]>1/2+\gamma/2$ . $\hfill\blacktriangleleft$

Corollary 19 and Lemma 20 shows that $V_{*}$ fails to decide ${\sf OI\text{-}L}$ , contradicting it being a ${\sf QCMA}$ verifier. Hence, ${\sf OI\text{-}L}\notin{\sf QCMA}$ . This completes the proof of Theorem 17 $\hfill\blacktriangleleft$

4 Missing Proofs

We now prove Lemmas 13, 14, 15, and 16 as well as Theorem 5. To do so, we introduce some extra notation. For a subset $S\subseteq\mathbb{Z}_{N}$ , let ${\mathbf{M}}^{S}$ be the $N\times N$ matrix defined as ${\sf QFT}^{\dagger}\circ\Pi_{S}\circ{\sf QFT}$ . Define $\tau^{S}_{T}:=\Pr_{U^{\prime}\leftarrow{\mathcal{D}}^{\prime}_{S}}[T\cap U=\emptyset]$ , or equivalently, the probability $U^{\prime}(z)=0$ for all $z\in T$ , once $S$ is chosen. Let ${\mathcal{M}}^{S}_{T}$ be the $|T|\times|T|$ sub-matrix of ${\mathbf{M}}^{S}$ consisting of rows and columns columns whose indices are in $T$ . The following lemmas will be useful.

Lemma 21.

For any $\epsilon>0$ , except with probability at most $2N^{2}e^{-\epsilon^{2}N^{2}/8\ell}$ over the choice of random $S$ of size $\ell$ , $\max_{z\neq z^{\prime}}|{\mathbf{M}}^{S}_{z,z^{\prime}}|\leq\epsilon$

Proof.

Fix any $z\neq z^{\prime}$ , and consider the random variable $M^{S}_{z,z^{\prime}}$ where $S$ is a random set of size $\ell$ . We write:

M^{S}_{z,z^{\prime}}=\frac{1}{N}\sum_{y\in S}e^{i2\pi(z-z^{\prime})y/N}=\frac{% 1}{N}\sum_{j=1}^{\ell}e^{i2\pi(z-z^{\prime})y_{j}/N}

where $y_{1}\cdots,y_{\ell}$ range over the elements of $S$ , and are therefore random distinct values in $\mathbb{Z}_{N}$ .

We first look at the real part of ${\mathbf{M}}^{S}_{z,z^{\prime}}$ , namely $\frac{1}{N}\sum_{i=1}^{\ell}Y_{i}$ where $Y_{i}=\cos(2\pi(z-z^{\prime})y_{i}/N)$ . For the moment, imagine the $y_{i}$ being uniform without the distinctness requirement, in which case since $z-z^{\prime}\neq 0$ the $Y_{i}$ all become independent random variables bounded to the range $[-1,1]$ . Moreover, the means are zero since $z-z^{\prime}\neq 0\bmod N$ . Then by Hoeffding’s inequality, we have

\Pr\left[\left|\sum_{i=1}^{\ell}Y_{i}\right|\geq t\right]\leq 2e^{-t^{2}/4\ell}

We then observe that switching to distinct $y_{i}$ cannot make the inequality worse. This is because Hoeffding’s inequality still holds when sampling is performed without replacement; in fact even better bounds are possible [11].

We now look at the imaginary part $\frac{1}{N}\sum_{i=1}^{\ell}Y_{i}^{\prime}$ where $Y_{i}^{\prime}=\sin(2\pi(z-z^{\prime})y_{i}/N)$ . By identical logic, we have that

\Pr\left[\left|\sum_{i=1}^{\ell}Y_{i}^{\prime}\right|\geq t\right]\leq 2e^{-t^% {2}/4\ell}

Combining the two inequalities with the fact that the real and imaginary parts are orthogonal gives $\Pr[|M^{S}_{z,z^{\prime}}|\geq\sqrt{2}t/N]\leq 4e^{-t^{2}/4\ell}$ . Setting $t=\epsilon N/\sqrt{2}$ gives that

\Pr\left[\left|M^{S}_{z,z^{\prime}}\right|\geq\epsilon\right]\leq 4e^{-% \epsilon^{2}N^{2}/8\ell}

Taking a union bound over all $\binom{N}{2}$ off-diagonal terms¹¹1Since $M^{S}$ is Hermitian, we only need to bound, say, the terms above the diagonal. we obtain the lemma. $\hfill\blacktriangleleft$

Lemma 22.

Fix subsets $S, T$ with $|S|=\ell$ . Then

\tau^{S}_{T}=\frac{1}{\det({\mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}_{S}^{T})}=% \frac{1}{\det({\mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}_{T}^{S})}

Proof.

Recall that $U^{\prime}$ is sampled by first sampling the state $|\psi\rangle$ with support on $S$ where each coefficient $\alpha_{y}$ is Gaussian distributed from ${\mathcal{N}}^{\mathbb{C}}(0,\sigma)$ . Then each $z$ is excluded from $U^{\prime}$ with probability $e^{-|\beta_{z}|^{2}}$ , where $\beta_{z}/\sqrt{N}$ is the Fourier coefficient of $z$ in $|\psi\rangle$ . Thus, the probability that $T\cap U^{\prime}=\emptyset$ , conditioned on $|\psi\rangle$ is just

\Pr[T\cap U^{\prime}=\emptyset|\;|\psi\rangle]=e^{-\sum_{z\in T}|\beta_{z}|^{2% }}=e^{-N\langle\psi|{\sf QFT}^{\dagger}\Pi_{T}{\sf QFT}|\psi\rangle}=e^{-N% \langle\psi|{\mathbf{M}}^{T}|\psi\rangle}

Now let ${\mathbf{v}}$ be the vector of the $\alpha_{y}$ as $y$ varies in $S$ . Then $|\psi\rangle$ is just ${\mathbf{v}}$ with zeros inserted in each position outside of $S$ . Then we can write

\Pr[T\cap U^{\prime}=\emptyset|\;|\psi\rangle]=e^{-N{\mathbf{v}}^{\dagger}{% \mathbf{M}}^{T}_{S}{\mathbf{v}}}

We now average over the choice of ${\mathbf{v}}$ , which is simply distributed as ${\mathcal{N}}^{\mathbb{C}}(0,\sigma)^{\ell}$ . This gives us

	$\displaystyle\tau^{S}_{T}$	$\displaystyle=\int_{\mathbb{C}^{\ell}}\Pr[{\mathbf{v}}]e^{-N{\mathbf{v}}^{% \dagger}{\mathbf{M}}^{T}_{S}{\mathbf{v}}}d{\mathbf{v}}$
		$\displaystyle=\frac{1}{(\pi\sigma^{2})^{\ell}}\int_{\mathbb{C}^{\ell}}e^{-% \frac{\|{\mathbf{v}}\|^{2}}{\sigma^{2}}-N{\mathbf{v}}^{\dagger}{\mathbf{M}}^{T}_% {S}{\mathbf{v}}}d{\mathbf{v}}$
		$\displaystyle=\frac{1}{(\pi\sigma^{2})^{\ell}}\int_{\mathbb{C}^{\ell}}e^{-{% \mathbf{v}}^{\dagger}(\sigma^{-2}{\mathbf{I}}+N{\mathbf{M}}^{T}_{S}){\mathbf{v% }}}d{\mathbf{v}}$
		$\displaystyle=\frac{1}{(\sigma^{2})^{\ell}\det(\sigma^{-2}{\mathbf{I}}+N{% \mathbf{M}}^{T}_{S})}=\frac{1}{\det({\mathbf{I}}+N\sigma^{2}{\mathbf{M}}^{T}_{% S})}=\frac{1}{\det({\mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}^{T}_{S})}$

where in the last inequality we plugged in $\sigma=\sqrt{1/\ell}$ . This gives us the first part of Lemma 22. Now, we observe that ${\mathbf{M}}^{T}_{S}=A^{\dagger}A$ , where $A$ is the $|T|\times\ell$ sub-matrix of ${\sf QFT}$ restricted to column indices in $S$ and row indices in $T$ . Then by the Weinstein–Aronszajn identity, $\det({\mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}^{T}_{S})=\det({\mathbf{I}}+\frac{% N}{\ell}A^{\dagger}A)=\det({\mathbf{I}}+\frac{N}{\ell}AA^{\dagger})=\det({% \mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}^{S}_{T})$ . This gives the second part of Lemma 22. $\hfill\blacktriangleleft$ Going forward, we will use $\overline{\tau}^{S}_{T}$ as shorthand for $\det({\mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}_{T}^{S})$ . Lemma 22 says that $\tau^{S}_{T}=(\overline{\tau}^{S}_{T})^{-1}$ .

We can now prove Lemmas 13, 14, 15, and 16.

4.1 Proof of Lemma 13

Lemma 23.

For any subsets $S, T$ , $1+|T|\leq\overline{\tau}^{S}_{T}\leq 2^{|T|}$

Proof.

We first observe that the diagonal entries in ${\mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}^{S}$ are exactly $2$ . Indeed, the $z$ th diagonal entry is $1+(N/\ell)\left(\frac{1}{N}\sum_{x\in S}e^{i2\pi zx}e^{-i2\pi zx}\right)=2$ . Moreover, $\frac{N}{\ell}{\mathbf{M}}^{S}$ and hence ${\mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}^{S}$ is PSD. Since ${\mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}_{T}^{S}$ is just a principle minor of ${\mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}^{S}$ , it is also PSD with diagonal entries also equal to 2. The determinant is then bounded by the product of the diagonal entries, giving the upper bound.

For the lower bound, we have that the eigenvalues of ${\mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}_{T}^{S}$ sum to $2|T|$ , and each of the $|T|$ eigenvalues is at least 1. The determinant is the product of the eigenvalues, which is minimized when one of the eigenvalues is $|T|+1$ and the remaining $|T|-1$ eigenvalues are $1$ . This gives the lower bound. $\hfill\blacktriangleleft$

4.2 Proof of Lemma 14

Lemma 24.

For any $\epsilon>0$ , except with probability at most $2N^{2}e^{-\epsilon^{2}\ell/2}$ over the choice of $S$ , for all subsets $T$ , $\overline{\tau}^{S}_{T}\geq 2^{|T|}(1-|T|^{2}\epsilon)$ . In this event, as long as $|T|^{2}\epsilon\leq 1/2$ , we can bound $\tau^{S}_{T}\leq 2^{-|T|}(1+2|T|^{2}\epsilon)$ .

Proof.

Assume all the off-diagonal entries of $M^{S}$ are bounded by $2\epsilon\ell/N$ , which by Lemma 21 holds except with probability $2N^{2}e^{-\epsilon^{2}\ell/2}$ . We have already seen that the diagonal entries of ${\mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}_{T}^{S}$ are exactly 2. The off-diagonal entries of ${\mathbf{I}}+\frac{N}{\ell}{\mathbf{M}}_{T}^{S}$ are off-diagonal entries from ${\mathbf{M}}^{S}$ but scaled by $N/\ell$ , and are therefore bounded by $2\epsilon$ . By Gershgorin’s circle theorem, the eigenvalues are therefore lower-bounded by $2(1-|T|\epsilon)$ . The determinant is therefore lower-bounded by this quantity raised to the $|T|$ . We obtain the lemma by bounding $(1-|T|\epsilon)^{|T|}\geq(1-|T|^{2}\epsilon)$ . $\hfill\blacktriangleleft$

4.3 Proof of Lemma 15

Lemma 25.

Fix any set $S$ of size $\ell$ and $\epsilon\in(0,1)$ . Then except with probability $2e^{-\epsilon^{2}\ell/8}$ , $|\;|\psi\rangle\;|^{2}\in[1-\epsilon,1+\epsilon]$ , where $|\psi\rangle$ is generated as in ${\mathcal{D}}^{\prime}_{S}$ .

Proof.

First, $\mathop{\mathbb{E}}[|\;|\psi\rangle\;|^{2}]=\sum_{y\in S}\mathop{\mathbb{E}}[|% \alpha_{y}|^{2}]$ . Since $\alpha_{y}\leftarrow{\mathcal{N}}^{\mathcal{C}}(0,1/\sqrt{\ell})$ , the real and imaginary parts are mean-0 normal variables with variance $1/2\ell$ . $|\alpha_{y}|^{2}$ is therefore distributed as the Chi-squared distribution with two degrees of freedom, scaled by $1/2\ell$ , which therefore has expectation $1/\ell$ . Summing over all $y\in S$ gives $\mathop{\mathbb{E}}[|\;|\psi\rangle\;|^{2}]=1$ . We also see that $|\;|\psi\rangle\;|^{2}$ is distributed as a Chi-squared distribution with $2\ell$ degrees of freedom, scaled by $1/2\ell$ . Via concentration inequalities for Chi-squared, we have that

\Pr\left[\left|\;|\;|\psi\rangle\;|^{2}-1\;\right|\geq 4\sqrt{x/2\ell}\right]% \leq 2e^{-x}

Setting $\epsilon=4\sqrt{x/2\ell}$ gives the lemma. $\hfill\blacktriangleleft$

4.4 Proof of Lemma 16

Lemma 26.

Except with probability at most $3(N^{-1}+\ell^{2}N^{-2})\epsilon^{-2}+4N^{2}e^{-\ell\epsilon^{2}/32}$ over the choice of $S,U^{\prime}$ , we have $\left|\frac{\langle\hat{\psi}|\Pi_{U^{\prime}}|\hat{\psi}\rangle}{|\;|\psi% \rangle\;|^{2}}-3/4\right|\leq\epsilon$ . Recall $\Pi_{U^{\prime}}$ is the projection operator $\sum_{z\in U^{\prime}}|z\rangle\langle z|$ .

Proof.

Fix $|\psi\rangle$ . We first compute the expectation of $\langle\hat{\psi}|\Pi_{U^{\prime}}|\hat{\psi}\rangle$ (as $U$ varies) given $|\psi\rangle$ . We will actually compute the complement $\langle\hat{\psi}|({\mathbf{I}}-\Pi_{U^{\prime}})|\hat{\psi}\rangle$

	$\displaystyle\mathop{\mathbb{E}}[\langle\hat{\psi}\|({\mathbf{I}}-\Pi_{U^{% \prime}})\|\hat{\psi}\rangle]$	$\displaystyle=\frac{1}{N}\mathop{\mathbb{E}}[\sum_{z\notin U^{\prime}}\|\beta_{% z}\|^{2}]$
		$\displaystyle=\frac{1}{N}\sum_{z\in\mathbb{Z}_{N}}\Pr[z\notin U^{\prime}]\|% \beta_{z}\|^{2}$
		$\displaystyle=\frac{1}{N}\sum_{z\in\mathbb{Z}_{N}}\|\beta_{z}\|^{2}e^{-\|\beta_{z% }\|^{2}}$

Now we include the expectation as we vary $|\psi\rangle$ , giving:

\mathop{\mathbb{E}}[\langle\hat{\psi}|({\mathbf{I}}-\Pi_{U^{\prime}})|\hat{% \psi}\rangle]=\frac{1}{N}\sum_{z\in\mathbb{Z}_{N}}\mathop{\mathbb{E}}[|\beta_{% z}|^{2}e^{-|\beta_{z}|^{2}}]

Next, we bound $\mathop{\mathbb{E}}[|\beta_{z}|^{2}e^{-|\beta_{z}|^{2}}]$ . Since the distribution of $\alpha_{y}$ are invariant under phase change, we see that $\beta_{z}$ is just the sum of $\ell$ iid variables distributed as ${\mathcal{N}}^{\mathcal{C}}(0,1/\sqrt{\ell})$ . This means each $\beta_{z}$ is distributed as ${\mathcal{N}}^{\mathcal{C}}(0,1)$ . Breaking out the real and imaginary parts lets us write

	$\displaystyle\mathop{\mathbb{E}}[\|\beta_{z}\|^{2}e^{-\|\beta_{z}\|^{2}}]$	$\displaystyle=\int_{\mathbb{C}}\|\beta\|^{2}e^{-\|\beta\|^{2}}\times\frac{1}{\pi}e% ^{-\|\beta\|^{2}}d\beta$
		$\displaystyle=\frac{1}{\pi}\int_{\mathbb{C}}\|\beta\|^{2}e^{-2\|\beta\|^{2}}d\beta% =\frac{1}{\pi}\int_{-\infty}^{\infty}\int_{-\infty}^{\infty}(x^{2}+y^{2})e^{-2% (x^{2}+y^{2})}dxdy=\frac{1}{4}$

Thus, we have that $\mathop{\mathbb{E}}[\langle\hat{\psi}|({\mathbf{I}}-\Pi_{U^{\prime}})|\hat{% \psi}\rangle]=1/4$ . Now we bound the variance. By carrying out a similar calculation as before, we have:

	$\displaystyle\mathop{\mathbb{E}}[\langle\hat{\psi}\|({\mathbf{I}}-\Pi_{U^{% \prime}})\|\hat{\psi}\rangle^{2}]$	$\displaystyle=\frac{1}{N^{2}}\mathop{\mathbb{E}}[\left(\sum_{z\notin{U^{\prime% }}}\|\beta_{z}\|^{2}\right)]$
		$\displaystyle=\frac{1}{N^{2}}\sum_{z,z^{\prime}\in\mathbb{Z}_{N}}\Pr[z,z^{% \prime}\notin U^{\prime}]\|\beta_{z}\|^{2}\|\beta_{z^{\prime}}\|^{2}$
		$\displaystyle=\frac{1}{N^{2}}\left(\sum_{z}\Pr[z\notin U^{\prime}]\|\beta_{z}\|^% {4}+\sum_{z\neq z^{\prime}}\Pr[z\notin U^{\prime}]\Pr[z^{\prime}\in U^{\prime}% ]\|\beta_{z}\|^{2}\|\beta_{z^{\prime}}\|^{2}\right)$
		$\displaystyle=\frac{1}{N^{2}}\left(\sum_{z}\|\beta_{z}\|^{4}e^{-\|\beta_{z}\|^{2}}% +\sum_{z\neq z^{\prime}}\|\beta_{z}\|^{2}\|\beta_{z^{\prime}}\|^{2}e^{-\|\beta_{z}\|% ^{2}-\|\beta_{z^{\prime}}\|^{2}}\right)$

We include the expectation as we vary $|\psi\rangle$ . The expectation of $|\beta_{z}|^{4}e^{-|\beta_{z}|^{2}}$ becomes

\displaystyle\mathop{\mathbb{E}}\left[|\beta_{z}|^{4}e^{-|\beta_{z}|^{2}}\right]

\displaystyle=\int_{\mathbb{C}}|\beta|^{4}e^{-|\beta|^{2}}\times\frac{1}{\pi}e% ^{-|\beta|^{2}}=\frac{3}{4}

Meanwhile, to compute the expectation of $|\beta_{z}|^{2}|\beta_{z^{\prime}}|^{2}e^{-|\beta_{z}|^{2}-|\beta_{z^{\prime}}% |^{2}}$ , we use that the co-variance matrix of $\beta_{z},\beta_{z^{\prime}}$ is exactly ${\mathbf{M}}^{S}_{\{z,z^{\prime}\}}$ . Thus

	$\displaystyle\mathop{\mathbb{E}}\left[\|\beta_{z}\|^{2}\|\beta_{z^{\prime}}\|^{2}e% ^{-\|\beta_{z}\|^{2}-\|\beta_{z^{\prime}}\|^{2}}\right]$
	$\displaystyle\;\;\;\;\;\;=\int_{\mathbb{C}}\int_{\mathbb{C}}\frac{\|\beta\|^{2}\|% \beta^{\prime}\|^{2}e^{-\|\beta\|^{2}-\|\beta^{\prime}\|^{2}}}{\pi^{2}\det({\mathbf% {M}}^{S}_{\{z,z^{\prime}\}})^{2}}\times e^{-\left(\begin{array}[]{cc}\beta^{}% &(\beta^{\prime})^{}\end{array}\right)\cdot\left({\mathbf{M}}^{S}_{\{z,z^{% \prime}\}}\right)^{-1}\cdot\left(\begin{array}[]{c}\beta\\ \beta^{\prime}\end{array}\right)}d\beta d\beta^{\prime}$
	$\displaystyle\;\;\;\;\;\;=\frac{1}{\pi^{2}\det({\mathbf{M}}^{S}_{\{z,z^{\prime% }\}})^{2}}\int_{\mathbb{C}}\int_{\mathbb{C}}\|\beta\|^{2}\|\beta^{\prime}\|^{2}e^{% -\left(\begin{array}[]{cc}\beta^{}&(\beta^{\prime})^{}\end{array}\right)% \cdot\left[{\mathbf{I}}+\left({\mathbf{M}}^{S}_{\{z,z^{\prime}\}}\right)^{-1}% \right]\cdot\left(\begin{array}[]{c}\beta\\ \beta^{\prime}\end{array}\right)}d\beta d\beta^{\prime}$
	$\displaystyle\;\;\;\;\;\;=\frac{1}{\pi^{2}\det({\mathbf{M}}^{S}_{\{z,z^{\prime% }\}})^{2}}\times\frac{\pi^{2}{\sf Tr}({\mathbf{I}}+({\mathbf{M}}^{S}_{\{z,z^{% \prime}\}})^{-1})^{2}}{4\det({\mathbf{I}}+({\mathbf{M}}^{S}_{\{z,z^{\prime}\}}% )^{-1})^{3}}$
	$\displaystyle\;\;\;\;\;\;=\frac{\det({\mathbf{M}}^{S}_{\{z,z^{\prime}\}}){\sf Tr% }({\mathbf{I}}+({\mathbf{M}}^{S}_{\{z,z^{\prime}\}})^{-1})^{2}}{4\det({\mathbf% {I}}+{\mathcal{M}}^{S}_{\{z,z^{\prime}\}})^{3}}$

Now write ${\mathbf{M}}^{S}_{\{z,z^{\prime}\}}=\left(\begin{array}[]{cc}1&\epsilon_{z,z^{% \prime}}\\ \epsilon_{z,z^{\prime}}&1\end{array}\right)$ . By Lemma 21, we can now bound $|\epsilon_{z,z^{\prime}}|$ by $\ell/4N<1/2$ , except with probability $2N^{2}e^{-\ell/32}$ . Then we have that

\mathop{\mathbb{E}}[|\beta_{z}|^{2}|\beta_{z^{\prime}}|^{2}e^{-|\beta_{z}|^{2}% -|\beta_{z^{\prime}}|^{2}}]=\frac{\left(2-|\epsilon_{z,z^{\prime}}|^{2}\right)% ^{2}}{\left(1-|\epsilon_{z,z^{\prime}}|^{2}\right)\left(4-|\epsilon_{z,z^{% \prime}}|^{2}\right)^{3}}\leq\frac{1}{16}(1+|\epsilon_{z,z^{\prime}}|^{2})

where the last inequality used that $|\epsilon_{z,z^{\prime}}|\leq 1/2$ .

We therefore have that $\mathop{\mathbb{E}}[\langle\hat{\psi}|({\mathbf{I}}-\Pi_{U^{\prime}})|\hat{% \psi}\rangle^{2}]\leq\frac{3}{4N}+\frac{1}{16}+\frac{1}{16N^{2}}\sum_{z\neq z^% {\prime}}|\epsilon_{z,z^{\prime}}|$ . Since the mean is $1/4$ , the variance is therefore at most $\frac{3}{4N}+\frac{1}{16N^{2}}\sum_{z\neq z^{\prime}}|\epsilon_{z,z^{\prime}}|% ^{2}\leq\frac{3}{4N}+\frac{1}{16N^{2}}\sum_{z\neq z^{\prime}}\left(\frac{\ell}% {4N}\right)^{2}\leq\frac{3}{4N}+\frac{\ell^{2}}{256N^{2}}$ . We now apply Chebyshev’s inequality, to get that

\Pr[|\langle\hat{\psi}|({\mathbf{I}}-\Pi_{U^{\prime}})|\hat{\psi}\rangle-1/4|% \geq\epsilon/2]\leq\frac{\frac{3}{4N}+\frac{\ell^{2}}{64N^{2}}}{(\epsilon/2)^{% 2}}+2N^{2}e^{-\ell/32}

Now we have that

	$\displaystyle\Pr\left[\left\|\frac{\langle\hat{\psi}\|\Pi_{U^{\prime}}\|\hat{\psi% }\rangle}{\|\;\|\psi\rangle\;\|^{2}}-3/4\right\|\geq\epsilon\right]$	$\displaystyle=\Pr\left[\left\|\frac{\langle\hat{\psi}\|({\mathbf{I}}-\Pi_{U^{% \prime}})\|\hat{\psi}\rangle}{\|\;\|\psi\rangle\;\|^{2}}-1/4\right\|\geq\epsilon\right]$
		$\displaystyle=\Pr\left[\langle\hat{\psi}\|({\mathbf{I}}-\Pi_{U^{\prime}})\|\hat{% \psi}\rangle\notin\|\;\|\psi\rangle\;\|^{2}\times\left[\frac{1}{4}-\epsilon,\frac% {1}{4}+\epsilon\right]\right]$
		$\displaystyle\leq\Pr\left[\langle\hat{\psi}\|({\mathbf{I}}-\Pi_{U^{\prime}})\|% \hat{\psi}\rangle\notin\left[\frac{1}{4}-\epsilon/2,\frac{1}{4}+\epsilon/2% \right]\right]$
		$\displaystyle\;\;\;\;\;\;\;\;\;+\Pr[\|\;\|\psi\rangle\;\|^{2}\notin[1-\epsilon/2,% 1+\epsilon/2]]$
		$\displaystyle\leq\left(\frac{\frac{3}{4N}+\frac{\ell^{2}}{64N^{2}}}{(\epsilon/% 2)^{2}}+2N^{2}e^{-\ell/32}\right)+2e^{-\ell\epsilon^{2}/32}$
		$\displaystyle\leq 3(N^{-1}+\ell^{2}N^{-2})\epsilon^{-2}+4N^{2}e^{-\ell\epsilon% ^{2}/32}\$

$\hfill\blacktriangleleft$

4.5 Proof of Lemma 18

Lemma 27.

If $U^{\prime}$ is sampled from a $k^{\prime}$ -wise uniform independent function and $S^{\prime}$ is potentially correlated to $U^{\prime}$ but has size at most $v$ , then except with probability $2N^{2}\left(\frac{\sqrt{ek^{\prime}}}{\epsilon\sqrt{N}}\right)^{k^{\prime}}$ over the choice of $U^{\prime},S^{\prime}$ , it holds that, for any normalized state $|\phi\rangle$ with support on $S^{\prime}$ , $\langle\hat{\phi}|\Pi_{U^{\prime}}|\hat{\phi}\rangle\leq 1/2+v\epsilon$ , where $|\hat{\phi}\rangle={\sf QFT}|\phi\rangle$ .

Proof.

For a set $U^{\prime}$ , let ${\mathbf{M}}^{U^{\prime}}={\sf QFT}^{\dagger}\Pi_{U^{\prime}}{\sf QFT}$ . Then $({\mathbf{M}}^{U^{\prime}})_{z,z^{\prime}}=\frac{1}{N}\sum_{y\in\mathbb{Z}_{N}% }e^{i2\pi(z-z^{\prime})y/N}\xi_{y}$ , where $\xi_{y}$ is the boolean value that is 1 if $y\in U^{\prime}$ . Then we have that $({\mathbf{M}}^{U^{\prime}})_{z,z}=|U^{\prime}|/N$ . In expectation, $|U^{\prime}|/N$ is $1/2$ . We now bound how far $|U^{\prime}|/N$ can deviate from $1/2$ . Recall that $|U^{\prime}|/N=\frac{1}{N}\sum_{y\in\mathbb{Z}_{N}}\xi_{y}$ . The $\xi_{y}$ are not truly independent so we cannot use standard concentration inequalities such as Hoeffding. However, we can use the following somewhat standard bound (e.g. [12]) for the $[-1,1]$ -weighted sum of $k^{\prime}$ -wise independent boolean random variables:

\Pr\left[\left|\frac{1}{N}\sum_{y\in\mathbb{Z}_{N}}\xi_{y}-\frac{1}{2}\right|% \geq\epsilon/\sqrt{2}\right]\leq 2\left(\frac{\sqrt{ek^{\prime}}}{\epsilon% \sqrt{N}}\right)^{k^{\prime}}

On the other hand, for $z^{\prime}\neq z^{\prime}$ , taking the expectation over $U^{\prime}$ , we see that $\mathop{\mathbb{E}}_{U^{\prime}}[({\mathbf{M}}^{U^{\prime}})_{z,z}]=0$ . We now try to bound the deviation from the expectation, by bounding the real and imaginary parts separately. We see that $\Re[({\mathbf{M}}^{U^{\prime}})_{z,z^{\prime}}]=\frac{1}{N}\sum_{y\in\mathbb{Z% }_{N}}\cos(2\pi(z-z^{\prime})y/N)\xi_{y}$ , which is the weighted sum of boolean random variables $\xi_{y}$ , where the weights are all in $[-1,1]$ . Using the $[-1,1]$ -weighted sum of $k^{\prime}$ -wise independent boolean random variables again, we have:

\Pr[\frac{1}{N}\sum_{y\in\mathbb{Z}_{N}}\cos(2\pi(z-z^{\prime})y/N)\xi_{y}\geq% \epsilon/\sqrt{2}]\leq 2\left(\frac{\sqrt{ek^{\prime}}}{\epsilon\sqrt{N}}% \right)^{k^{\prime}}

Combining with an identical bound on the imaginary part of $({\mathbf{M}}^{U})_{z,z^{\prime}}$ , we have that

\Pr[|({\mathbf{M}}^{U^{\prime}})_{z,z^{\prime}}|\geq\epsilon]\leq 4\left(\frac% {\sqrt{ek^{\prime}}}{\epsilon\sqrt{N}}\right)^{k^{\prime}}

By union-bounding over all entries of ${\mathbf{M}}^{U}$ (which only needs to count entries on the diagonal and above since ${\mathbf{M}}$ is Hermitian), we have except for probability at most $2N^{2}\left(\frac{\sqrt{ek^{\prime}}}{\epsilon\sqrt{N}}\right)^{k^{\prime}}$ , both (1) for all $z$ that $({\mathbf{M}}^{U})_{z,z}\in[1/2-\epsilon,1/2+\epsilon]$ and (2) for all $z\neq z^{\prime}$ that $|({\mathbf{M}}^{U})_{z,z^{\prime}}|\leq\epsilon$ .

Now suppose (1) and (2) hold. Now consider a supposed set $S^{\prime}$ of size $v$ . Let ${\mathbf{M}}^{U^{\prime}}_{S^{\prime}}$ be the $v\times v$ sub-matrix whose row and column indices are in $S^{\prime}$ . Then by the Gershgorin circle theorem, all eigenvalues of ${\mathbf{M}}^{U^{\prime}}_{S^{\prime}}$ are bounded from above by $1/2+v\epsilon$ . $\hfill\blacktriangleleft$

4.6 Proof of Theorem 5

Theorem 5.

There exists a classical oracle ${\mathcal{O}}$ such that ${\sf QCMA}^{\mathcal{O}}\neq{\sf QMA}^{\mathcal{O}}$ if and only if ${\sf OI\text{-}QCMA}\neq{\sf OI\text{-}QMA}$

Proof.

In one direction, assume a classical oracle ${\mathcal{O}}$ such that ${\sf QCMA}^{\mathcal{O}}\neq{\sf QMA}^{\mathcal{O}}$ . Let ${\sf L}^{\mathcal{O}}$ be the separating language, and $V$ a verifier for ${\sf L}^{\mathcal{O}}$ .

We construct a language ${\sf OI\text{-}L}$ as follows. Let $Q(n)$ be a (polynomial) upper bound on the length of queries that $V$ makes to ${\mathcal{O}}$ when given an instance $x$ of length $n$ . Let ${\mathcal{O}}_{n}$ be the portion of ${\mathcal{O}}$ corresponding to queries of length at most $Q(n)$ . Then $|{\mathcal{O}}_{n}|\leq 2^{n^{\Theta(1)}}$ .

Let ${\mathcal{U}}_{n}$ consist of strings of the form $(x,{\mathcal{O}}_{n})$ where $x$ has size $n$ , and let ${\sf OI\text{-}L}$ be the set of $(x,{\mathcal{O}}_{n})$ where $x\in{\sf L}^{\mathcal{O}}$ . We can decide membership in ${\sf OI\text{-}L}$ as follows: given a witness state $|\psi\rangle$ , first recover $x$ by making $n$ queries to $(x,{\mathcal{O}}_{n})$ . Then run $V^{{\mathcal{O}}_{n}}(x,|\psi\rangle)$ . By our choice of ${\mathcal{O}}_{n}$ containing all of ${\mathcal{O}}$ that gets queried by $V$ , we therefore have that $V^{{\mathcal{O}}_{n}}(x,|\psi\rangle)$ is identical to $V^{\mathcal{O}}(x,|\psi\rangle)$ . As such, if $V$ correctly decides if $x\in{\sf L}^{\mathcal{O}}$ , then our verifier correctly decides in $(x,{\mathcal{O}}_{n})\in{\sf OI\text{-}L}$ . Thus, ${\sf OI\text{-}L}\in{\sf OI\text{-}QMA}$ .

On the other hand, suppose there is a ${\sf OI\text{-}QCMA}$ verifier $V_{*}$ that decides ${\sf OI\text{-}L}$ . We can then readily obtain a ${\sf QCMA}$ verifier for ${\sf L}^{\mathcal{O}}$ . On input instance $x$ and witness $w$ , simulate $V_{*}^{(x,{\mathcal{O}}_{n})}(w)$ by answering queries to $x$ with the bits of $x$ , and queries to ${\mathcal{O}}_{n}$ by forwarding the queries to ${\mathcal{O}}$ . If $V_{*}$ decides membership in ${\sf OI\text{-}L}$ , this exactly decides if $x\in{\sf L}^{\mathcal{O}}$ .

We now turn to the other direction in the statement of Theorem 5. Assume that ${\sf OI\text{-}QCMA}\neq{\sf OI\text{-}QMA}$ . Let ${\mathcal{U}}$ be the universe and ${\sf OI\text{-}L}\subseteq{\mathcal{U}}$ be the separating language, and $V$ the ${\sf OI\text{-}QMA}$ verifier for ${\sf OI\text{-}L}$ .

We construct our oracle ${\mathcal{O}}$ and associated language $L^{\mathcal{O}}$ as follows. ${\mathcal{O}}$ will be interpreted as a countably-infinite family of oracles $({\mathcal{X}}_{n_{i}})_{i\in\mathbb{Z}^{+}}$ for integers $n_{i}\in\mathbb{Z}^{+}$ . Let ${\mathcal{O}}_{j}=({\mathcal{X}}_{n_{i}})_{i\leq j}$ . By padding the witness with 0’s size appropriately, we can assume that any potential ${\sf QCMA}$ verifier runs in quadratic time. Let $T_{1},T_{2},\cdots$ be an enumeration over all oracle-aided quadratic-time quantum algorithms. ${\mathcal{O}}$ and ${\sf L}^{\mathcal{O}}$ will be constructed by constructing ${\mathcal{X}}_{n_{i}}$ for $i=1,2,\cdots$ as follows: Consider the ${\sf OI\text{-}QCMA}$ verifier $V_{i}^{\mathcal{X}}(w)$ which has ${\mathcal{O}}_{i-1}$ hard-coded, and runs $T_{i}^{{\mathcal{O}}_{i-1},{\mathcal{X}}}(w)$ . Since ${\mathcal{O}}_{i-1}$ is constant-sized, $V_{i}^{\mathcal{X}}(w)$ runs in quadratic time (though with a large constant overhead coming from ${\mathcal{O}}_{i-1}$ ). Let $n_{i}$ be an integer and ${\mathcal{X}}_{n_{i}}\in{\mathcal{U}}_{n_{i}}$ be an instance such that both:

$\blacksquare$

$V_{i}$ incorrectly decides ${\mathcal{X}}_{n_{i}}$ given classical witnesses/inputs. That is, either ${\mathcal{X}}_{n_{i}}\in{\sf OI\text{-}L}$ and $V_{i}^{{\mathcal{X}}_{n_{i}}}(w)$ rejects for all $w$ , or ${\mathcal{X}}_{n_{i}}\notin{\sf OI\text{-}L}$ and there exists a $w$ such that $V_{i}^{{\mathcal{X}}_{n_{i}}}(w)$ accepts.
$\blacksquare$

$n_{i}$ is large enough so that the inputs to the function ${\mathcal{X}}_{n_{i}}$ are longer than the running time of $T_{j}^{{\mathcal{O}}_{j}}$ on inputs of length $n_{j}$ for all $j<i$ , meaning $T_{j}^{{\mathcal{O}}_{j}}$ , and hence $V_{j}$ , on inputs of length $n_{j},j<i$ never query any input that is an input to ${\mathcal{X}}_{n_{i}}$ .

Such an ${\mathcal{X}}_{n_{i}}$ is guaranteed to exist: that some $n_{i},{\mathcal{X}}_{n_{i}}$ exist satisfying the first criteria follows immediately from the fact that ${\sf OI\text{-}L}\notin{\sf OI\text{-}QCMA}$ . Suppose that there is no $n_{i},{\mathcal{X}}_{n_{i}}$ satisfying the second criteria. This means there are only a finite number of ${\mathcal{X}}$ where $V_{i}$ fails to correctly decide. But by hard-coding these bad instances along with the correct solutions, we can obtain a new verifier $V_{i}^{\prime}$ which correctly decides ${\sf OI\text{-}L}$ , contradicting that ${\sf OI\text{-}L}\notin{\sf QCMA}$ .

We then let ${\sf L}^{\mathcal{O}}$ consist of the strings $0^{n_{i}}$ such that ${\mathcal{X}}_{n_{i}}\in{\sf OI\text{-}L}$ . We immediately see that ${\sf L}^{\mathcal{O}}\in{\sf QMA}^{\mathcal{O}}$ : by making appropriate queries to ${\mathcal{O}}$ , we can simulate the ${\sf OI\text{-}QMA}$ verifier $V^{{\mathcal{X}}_{n_{i}}}$ , thereby deciding membership of $0^{n_{i}}$ in ${\sf OI\text{-}L}$ .

We now show that ${\sf L}^{\mathcal{O}}\notin{\sf QCMA}^{\mathcal{O}}$ . Consider a supposed ${\sf QCMA}$ verifier $V_{*}$ . This corresponds to some $T_{i}$ according to our enumeration. Then we argue that $V_{*}$ incorrectly decides membership for $0^{n_{i}}$ . Indeed, we know that $T_{i}^{\mathcal{O}}$ in instance $0^{n_{i}}$ never queries on ${\mathcal{X}}_{n_{j}}$ for $j>i$ , by our choice of $n_{j}$ . Hence, it can be simulated as $T_{i}^{{\mathcal{O}}_{i}}$ , or equivalently $T_{i}^{{\mathcal{O}}_{i-1},{\mathcal{X}}_{n_{i}}}$ . Thus, $V_{*}$ corresponds exactly to the verifier $V_{i}$ . But we know that $V_{i}$ incorrectly decides membership for ${\mathcal{X}}_{n_{i}}$ . Hence, $V_{*}$ is not a valid ${\sf QCMA}$ verifier. $\hfill\blacktriangleleft$

References

[1] Scott Aaronson and Greg Kuperberg. Quantum versus classical proofs and advice. In Twenty-Second Annual IEEE Conference on Computational Complexity (CCC’07), pages 115–128, 2007. doi:10.1109/CCC.2007.27.
[2] Dorit Aharonov and Tomer Naveh. Quantum NP – A survey, 2002.
[3] Shalev Ben-David and Srijita Kundu. Oracle separation of QMA and QCMA with bounded adaptivity, 2024.
[4] Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani. Strengths and weaknesses of quantum computing. SIAM J. Comput., 26(5):1510–1523, October 1997. doi:10.1137/S0097539796300933.
[5] Bill Fefferman and Shelby Kimmel. Quantum vs. classical proofs and subset verification. In 43rd International Symposium on Mathematical Foundations of Computer Science (MFCS 2018), 2018. doi:10.4230/LIPIcs.MFCS.2018.22.
[6] Yassine Hamoudi and Frédéric Magniez. Quantum time-space tradeoff for finding multiple collision pairs. ACM Trans. Comput. Theory, April 2023. doi:10.1145/3589986.
[7] Xingjian Li, Qipeng Liu, Angelos Pelecanos, and Takashi Yamakawa. Classical vs quantum advice and proofs under classically-accessible oracle. In Venkatesan Guruswami, editor, ITCS 2024, volume 287, pages 72:1–72:19. LIPIcs, January / February 2024. doi:10.4230/LIPIcs.ITCS.2024.72.
[8] Qipeng Liu. Non-uniformity and quantum advice in the quantum random oracle model. In Carmit Hazay and Martijn Stam, editors, EUROCRYPT 2023, Part I, volume 14004 of LNCS, pages 117–143. Springer, Cham, April 2023. doi:10.1007/978-3-031-30545-0_5.
[9] Andrew Lutomirski. Component mixers and a hardness result for counterfeiting quantum money, 2011.
[10] Anand Natarajan and Chinmay Nirkhe. A distribution testing oracle separating qma and qcma. In Proceedings of the Conference on Proceedings of the 38th Computational Complexity Conference, CCC ’23, Dagstuhl, DEU, 2023. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.CCC.2023.22.
[11] R. J. Serfling. Probability Inequalities for the Sum in Sampling without Replacement. The Annals of Statistics, 2(1):39–48, 1974. doi:10.1214/aos/1176342611.
[12] Terry Tao. 254a, notes 1: Concentration of measure. https://terrytao.wordpress.com/2010/01/03/254a-notes-1-concentration-of-measure/, 2010.
[13] Takashi Yamakawa and Mark Zhandry. Verifiable quantum advantage without structure. In 63rd FOCS, pages 69–74. IEEE Computer Society Press, October / November 2022. doi:10.1109/FOCS54457.2022.00014.
[14] Mark Zhandry. Secure identity-based encryption in the quantum random oracle model. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 758–775. Springer, Berlin, Heidelberg, August 2012. doi:10.1007/978-3-642-32009-5_44.

[bib.bib1] [1] Scott Aaronson and Greg Kuperberg. Quantum versus classical proofs and advice. In Twenty-Second Annual IEEE Conference on Computational Complexity (CCC’07), pages 115–128, 2007. doi:10.1109/CCC.2007.27.

[bib.bib2] [2] Dorit Aharonov and Tomer Naveh. Quantum NP – A survey, 2002.

[bib.bib3] [3] Shalev Ben-David and Srijita Kundu. Oracle separation of QMA and QCMA with bounded adaptivity, 2024.

[bib.bib4] [4] Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani. Strengths and weaknesses of quantum computing. SIAM J. Comput., 26(5):1510–1523, October 1997. doi:10.1137/S0097539796300933.

[bib.bib5] [5] Bill Fefferman and Shelby Kimmel. Quantum vs. classical proofs and subset verification. In 43rd International Symposium on Mathematical Foundations of Computer Science (MFCS 2018), 2018. doi:10.4230/LIPIcs.MFCS.2018.22.

[bib.bib6] [6] Yassine Hamoudi and Frédéric Magniez. Quantum time-space tradeoff for finding multiple collision pairs. ACM Trans. Comput. Theory, April 2023. doi:10.1145/3589986.

[bib.bib7] [7] Xingjian Li, Qipeng Liu, Angelos Pelecanos, and Takashi Yamakawa. Classical vs quantum advice and proofs under classically-accessible oracle. In Venkatesan Guruswami, editor, ITCS 2024, volume 287, pages 72:1–72:19. LIPIcs, January / February 2024. doi:10.4230/LIPIcs.ITCS.2024.72.

[bib.bib8] [8] Qipeng Liu. Non-uniformity and quantum advice in the quantum random oracle model. In Carmit Hazay and Martijn Stam, editors, EUROCRYPT 2023, Part I, volume 14004 of LNCS, pages 117–143. Springer, Cham, April 2023. doi:10.1007/978-3-031-30545-0_5.

[bib.bib9] [9] Andrew Lutomirski. Component mixers and a hardness result for counterfeiting quantum money, 2011.

[bib.bib10] [10] Anand Natarajan and Chinmay Nirkhe. A distribution testing oracle separating qma and qcma. In Proceedings of the Conference on Proceedings of the 38th Computational Complexity Conference, CCC ’23, Dagstuhl, DEU, 2023. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.CCC.2023.22.

[bib.bib11] [11] R. J. Serfling. Probability Inequalities for the Sum in Sampling without Replacement. The Annals of Statistics, 2(1):39–48, 1974. doi:10.1214/aos/1176342611.

[bib.bib12] [12] Terry Tao. 254a, notes 1: Concentration of measure. https://terrytao.wordpress.com/2010/01/03/254a-notes-1-concentration-of-measure/, 2010.

[bib.bib13] [13] Takashi Yamakawa and Mark Zhandry. Verifiable quantum advantage without structure. In 63rd FOCS, pages 69–74. IEEE Computer Society Press, October / November 2022. doi:10.1109/FOCS54457.2022.00014.

[bib.bib14] [14] Mark Zhandry. Secure identity-based encryption in the quantum random oracle model. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 758–775. Springer, Berlin, Heidelberg, August 2012. doi:10.1007/978-3-642-32009-5_44.

	$\displaystyle\mathop{\mathbb{E}}[\langle\hat{\psi}\|({\mathbf{I}}-\Pi_{U^{% \prime}})\|\hat{\psi}\rangle]$	$\displaystyle=\frac{1}{N}\mathop{\mathbb{E}}[\sum_{z\notin U^{\prime}}\|\beta_{% z}\|^{2}]$
		$\displaystyle=\frac{1}{N}\sum_{z\in\mathbb{Z}_{N}}\Pr[z\notin U^{\prime}]\|% \beta_{z}\|^{2}$
		$\displaystyle=\frac{1}{N}\sum_{z\in\mathbb{Z}_{N}}\|\beta_{z}\|^{2}e^{-\|\beta_{z% }\|^{2}}$

	$\displaystyle\mathop{\mathbb{E}}[\langle\hat{\psi}\|({\mathbf{I}}-\Pi_{U^{% \prime}})\|\hat{\psi}\rangle^{2}]$	$\displaystyle=\frac{1}{N^{2}}\mathop{\mathbb{E}}[\left(\sum_{z\notin{U^{\prime% }}}\|\beta_{z}\|^{2}\right)]$
		$\displaystyle=\frac{1}{N^{2}}\sum_{z,z^{\prime}\in\mathbb{Z}_{N}}\Pr[z,z^{% \prime}\notin U^{\prime}]\|\beta_{z}\|^{2}\|\beta_{z^{\prime}}\|^{2}$
		$\displaystyle=\frac{1}{N^{2}}\left(\sum_{z}\Pr[z\notin U^{\prime}]\|\beta_{z}\|^% {4}+\sum_{z\neq z^{\prime}}\Pr[z\notin U^{\prime}]\Pr[z^{\prime}\in U^{\prime}% ]\|\beta_{z}\|^{2}\|\beta_{z^{\prime}}\|^{2}\right)$
		$\displaystyle=\frac{1}{N^{2}}\left(\sum_{z}\|\beta_{z}\|^{4}e^{-\|\beta_{z}\|^{2}}% +\sum_{z\neq z^{\prime}}\|\beta_{z}\|^{2}\|\beta_{z^{\prime}}\|^{2}e^{-\|\beta_{z}\|% ^{2}-\|\beta_{z^{\prime}}\|^{2}}\right)$

	$\displaystyle\mathop{\mathbb{E}}\left[\|\beta_{z}\|^{2}\|\beta_{z^{\prime}}\|^{2}e% ^{-\|\beta_{z}\|^{2}-\|\beta_{z^{\prime}}\|^{2}}\right]$
	$\displaystyle\;\;\;\;\;\;=\int_{\mathbb{C}}\int_{\mathbb{C}}\frac{\|\beta\|^{2}\|% \beta^{\prime}\|^{2}e^{-\|\beta\|^{2}-\|\beta^{\prime}\|^{2}}}{\pi^{2}\det({\mathbf% {M}}^{S}_{\{z,z^{\prime}\}})^{2}}\times e^{-\left(\begin{array}[]{cc}\beta^{}% &(\beta^{\prime})^{}\end{array}\right)\cdot\left({\mathbf{M}}^{S}_{\{z,z^{% \prime}\}}\right)^{-1}\cdot\left(\begin{array}[]{c}\beta\\ \beta^{\prime}\end{array}\right)}d\beta d\beta^{\prime}$
	$\displaystyle\;\;\;\;\;\;=\frac{1}{\pi^{2}\det({\mathbf{M}}^{S}_{\{z,z^{\prime% }\}})^{2}}\int_{\mathbb{C}}\int_{\mathbb{C}}\|\beta\|^{2}\|\beta^{\prime}\|^{2}e^{% -\left(\begin{array}[]{cc}\beta^{}&(\beta^{\prime})^{}\end{array}\right)% \cdot\left[{\mathbf{I}}+\left({\mathbf{M}}^{S}_{\{z,z^{\prime}\}}\right)^{-1}% \right]\cdot\left(\begin{array}[]{c}\beta\\ \beta^{\prime}\end{array}\right)}d\beta d\beta^{\prime}$
	$\displaystyle\;\;\;\;\;\;=\frac{1}{\pi^{2}\det({\mathbf{M}}^{S}_{\{z,z^{\prime% }\}})^{2}}\times\frac{\pi^{2}{\sf Tr}({\mathbf{I}}+({\mathbf{M}}^{S}_{\{z,z^{% \prime}\}})^{-1})^{2}}{4\det({\mathbf{I}}+({\mathbf{M}}^{S}_{\{z,z^{\prime}\}}% )^{-1})^{3}}$
	$\displaystyle\;\;\;\;\;\;=\frac{\det({\mathbf{M}}^{S}_{\{z,z^{\prime}\}}){\sf Tr% }({\mathbf{I}}+({\mathbf{M}}^{S}_{\{z,z^{\prime}\}})^{-1})^{2}}{4\det({\mathbf% {I}}+{\mathcal{M}}^{S}_{\{z,z^{\prime}\}})^{3}}$

	$\displaystyle\Pr\left[\left\|\frac{\langle\hat{\psi}\|\Pi_{U^{\prime}}\|\hat{\psi% }\rangle}{\|\;\|\psi\rangle\;\|^{2}}-3/4\right\|\geq\epsilon\right]$	$\displaystyle=\Pr\left[\left\|\frac{\langle\hat{\psi}\|({\mathbf{I}}-\Pi_{U^{% \prime}})\|\hat{\psi}\rangle}{\|\;\|\psi\rangle\;\|^{2}}-1/4\right\|\geq\epsilon\right]$
		$\displaystyle=\Pr\left[\langle\hat{\psi}\|({\mathbf{I}}-\Pi_{U^{\prime}})\|\hat{% \psi}\rangle\notin\|\;\|\psi\rangle\;\|^{2}\times\left[\frac{1}{4}-\epsilon,\frac% {1}{4}+\epsilon\right]\right]$
		$\displaystyle\leq\Pr\left[\langle\hat{\psi}\|({\mathbf{I}}-\Pi_{U^{\prime}})\|% \hat{\psi}\rangle\notin\left[\frac{1}{4}-\epsilon/2,\frac{1}{4}+\epsilon/2% \right]\right]$
		$\displaystyle\;\;\;\;\;\;\;\;\;+\Pr[\|\;\|\psi\rangle\;\|^{2}\notin[1-\epsilon/2,% 1+\epsilon/2]]$
		$\displaystyle\leq\left(\frac{\frac{3}{4N}+\frac{\ell^{2}}{64N^{2}}}{(\epsilon/% 2)^{2}}+2N^{2}e^{-\ell/32}\right)+2e^{-\ell\epsilon^{2}/32}$
		$\displaystyle\leq 3(N^{-1}+\ell^{2}N^{-2})\epsilon^{-2}+4N^{2}e^{-\ell\epsilon% ^{2}/32}\$

Toward Separating QMA from QCMA with a Classical Oracle

Abstract

Keywords and phrases:

Copyright and License:

2012 ACM Subject Classification:

Related Version:

DOI:

Event:

Editors:

Series and Publisher:

1 Introduction

Our Work

1.1 Our Separating Oracles

1.2 𝗤𝗖𝗠𝗔 hardness

𝑽 that do not query 𝑼

▶ Remark 1.

𝒌-wise independent 𝑼

Our 𝑼 are “close” to 𝒌-wise independent

Is this “close” enough?

▶ Remark 2.

2 Preliminaries and notation

Complex Normal Distribution

Quantum Computation

2.1 Defining QMA and QCMA relative to Oracles

Definition 3 (Oracle-Aided QMA/QCMA).

Definition 4 (Oracle-Input QMA/QCMA).

Theorem 5.

2.2 Some Useful Quantum Lemmas

Lemma 6 ([4] Theorem 3.1+3.3).

Lemma 7 ([14] Theorem 3.1).

Lemma 8 ([6] Theorem 5.5).

3 Our Oracle Separation

3.1 Our Statistical Conjecture

Definition 9 (Substitution Distance).

Conjecture 10.

3.2 Fourier Independent Distributions

Definition 11.

Theorem 12.

Proof.

Intuition

Lemma 13.

Lemma 14.

Lemma 15.

Lemma 16.

3.3 From FI Distributions to An Oracle Separation

Theorem 17.

Proof.

Lemma 18.

Corollary 19.

Proof.

Lemma 20.

Proof.

4 Missing Proofs

Lemma 21.

Proof.

Lemma 22.

Proof.

4.1 Proof of Lemma 13

Lemma 23.

Proof.

4.2 Proof of Lemma 14

Lemma 24.

Proof.

4.3 Proof of Lemma 15

Lemma 25.

Proof.

4.4 Proof of Lemma 16

Lemma 26.

Proof.

4.5 Proof of Lemma 18

Lemma 27.

Proof.

4.6 Proof of Theorem 5

Theorem 5.

Proof.

References

1.2 ${\sf QCMA}$ hardness

$𝑽$ that do not query $𝑼$

$\blacktriangleright$ Remark 1.

$𝒌$ -wise independent $𝑼$

Our $𝑼$ are “close” to $𝒌$ -wise independent

$\blacktriangleright$ Remark 2.