Title: The Computer Science Picture of Reality
1 Quantum Algorithms Complexity
Umesh Vazirani U.C. Berkeley
2One does not, by knowing all the physical laws as
we know them today, immediately obtain an
understanding of anything much. (Richard
Feynman, 1918-1988)
3One does not, by knowing all the physical laws as
we know them today, immediately obtain an
understanding of anything much. (Richard
Feynman, 1918-1988)
Quantum computers are the only known model of
Computation that violate the Extended
Church-Turing thesis.
4Goals of Quantum Algorithms/Complexity
- Find exponential speedups for a range of natural
- computational problems.
- Establish the limits of quantum algorithms.
- Relate quantum complexity classes, such as BQP
and - QMA, to classical complexity classes, such as
- BPP, MA, PH.
5Goals of Quantum Algorithms/Complexity
- Find exponential speedups for a range of natural
- computational problems.
- Establish the limits of quantum algorithms.
- Relate quantum complexity classes, such as BQP
and - QMA, to classical complexity classes, such as
- BPP, MA, PH.
Far reaching implications for cryptography,
computational complexity, physics, Each of
these gives its own unique flavor to the
questions.
6Quantum resistant cryptography
- Quantum computers break much of modern
cryptography. - RSA (factoring), Diffie-Helman (discrete log),
- Elliptic curve crypto, Buchmann-Williams (Pell
eqn) - Suppose we had a classical cryptosystem that was
- as efficient and convenient as RSA, but was
provably - not breakable even on a quantum computer.
- Then there would be an incentive to switch to
the - new cryptosystem, well before a large scale
quantum - computer were experimentally realized.
7- Suppose we had a very efficient classical
- cryptosystem that we believed was quantum
resistant. - What kind of evidence could we present to prove
it? - (Dont have a working quantum computer to run
heuristics)
- The answer relies crucially on our
understanding of - the power and limitations of quantum computers.
8Hidden Subgroup Problem
G finite group. H subgroup of G. Given black box
that evaluates f G -gt S f is constant on
cosets of H. Determine H.
G
- G abelian lens fourier transform over G.
- polynomial time quantum algorithm.
- Shor factoring. G ZN. Period finding.
- discrete log. G Zp x Zp
- Hallgren Pells equation
- van Dam, Hallgren, Ip Hidden shift problems,
- Breaking homomorphic encryption
- van Dam, Seroussi Gauss sums
-
9Quantum Algorithm for Abelian HSP
Random coset state use f to set up state
G
gH
FT over G
FT over G
FT measurement gives uniformly random element
of
Think of this as a random linear constraint on H
10Non-abelian hidden subgroup problem
Lens (non-abelian) fourier transform over G.
Short vector in Lattice
Finding short vector not easy!
DN Dihedral group
Regev
11Lattice Problems
- Finding short lattice vectors closely related
to - Dihedral HSP.
- Random coset state preparation Fourier
sampling - gives sufficient info to reconstruct subgroup.
- But classically reconstructing subgroup appears
to be - very difficult. Related to subset sum.
- Kuperbergs quantum reconstruction
algorithm. -
12Public-key cryptosystems based on Quantum
hardness of Shortest Lattice Vector.
- Ajtai-Dwork cryptosystem.
- Regev
- Improved efficiency based on assumption that
finding -
- short lattice vectors is hard for quantum
algorithms. - New cryptosystem resembles hardness of solving
noisy - linear equations mod p.
- Worst-case to average case reduction.
13Learning with errors
Linear equations in n variables over Zp for p
prime, where n2 lt p lt 2n2 m noisy
equations where and
is gaussian with mean 0 and standard deviatio
n n1.5
Theorem Regev LWE is as hard as
approximating the shortest vector in a lattice to
within n1.5
14Worst-case to average-case reduction
- LWE specifies an average-case problem. Inputs
- sampled from a fixed distribution.
- Quantum reduction showing that an arbitrary
lattice - problem (worst-case) can be mapped to LWE.
- Example of the quantum method. Prove a purely
- classical statement by quantum methods.
- Kerenidis, deWolf lower bounds for locally
- decodable codes.
15LWE and Lattices
- Lattice L integer linear combinations of u1,
, un - Dual lattice L v ltv,ugt integer for all u in
L - L is the fourier transform of L.
16LWE and Lattices
- Lattice L integer linear combinations of u1,
, un - Dual lattice L v ltv,ugt integer for all u in
L - L is the fourier transform of L.
DL
DL
17DL
DL
- Sampling from DL with small width Gaussian
implies - good approximation of shortest lattice vector.
- Polynomially large samples from DL yield an
unbiased - estimator for DL . If the width of the Gaussian
- is large, this gives a way of, given x,
approximating - the closest lattice vector to x in L.
- Quantum reduction, given algorithm for
approximating - closest vector in L, to sampling from DL .
18DL
DL
- Sampling from DL with small width Gaussian
implies good approximation - of shortest lattice vector.
- Polynomially large samples from DL yield an
unbiased estimator for DL . - If the width of the Gaussian is large, this
gives a way of, given z, - approximating the closest lattice to z.
- Quantum reduction, given algorithm for
approximating - closest vector in L, to sampling from DL .
To erase x, compute x given zxy
19Improving the Efficiency
- Based on cyclic lattices
- Lattices where the basis consists of vector v,
and - all its cyclic shifts.
- Much more succinct. Key size n2 -gt n
- Faster computation use Fourier transforms.
- Piekart, Rosen collision resistant hash
functions. - Gentry Homomorphic encryption.
20Open Questions
- Is there a quantum algorithm to find a short
- vector in a cyclic lattice?
- Does the van Dam, Hallgren, Ip quantum
algorithm for - breaking homomorphic encryption extend to
- Gentrys scheme?
- Is it possible to speed up Kuperbergs quantum
- reconstruction algorithm for the dihedral HSP?
- Is it possible to design a public-key
cryptosystem - based on cyclic lattices?
21Greater Security?
Hallgren, Moore, Roettler, Russell, Sen
06 provide very strong evidence of
quantum hardness
Hg1
Hg2
Hgk
k lt poly(n) implies exponentially many
measurements
For sufficiently non-abelian groups. Eg Sn,
GLn in particular graph isomorphism.
Sufficiently non-abelian exponential sized
irreps
Can one base public-key cryptography on these
stronger impossibility results? Moore, Russell,
V One-way function, related to
McEliese Cryptosystem, based on hardness of HSP
over
22Goals of Quantum Algorithms/Complexity
- Find exponential speedups for a range of natural
- computational problems.
- Establish the limits of quantum algorithms.
- Relate quantum complexity classes, such as BQP
and - QMA, to classical complexity classes, such as
- BPP, MA, PH.
23An Old Question in Quantum Complexity Theory
- Is BQP C PH?
- Bernstein, V 93 There is an oracle A BQPA
C MAA - Conjectured that same holds for PH that
recursive - fourier sampling is in BQP but not in PH.
- Aaronson 09 Conjecture Fourier checking is
in - BQP, but not in PH.
- Proof that this is true under the generalized
Linial-Nisan - conjecture.
- The original Linial-Nisan conjecture states that
- logn-wise independent distributions fool AC0
circuits. - Resolved by Braverman. Generalized almost
logn-wise.
24Hamiltonian Complexity
Computational complexity lt--gt condensed matter
physics
- H H1 Hm , each Hi k-local.
- Kitaev Computing ground energy of H is
QMA-hard. - Aharonov, et. al. Adiabatic quantum
computation is - universal.
- Hastings Area law for 1-D local Hamiltonians.
- Efficient simulation of gapped Hamiltonians.
- Aharonov, Gottesman, Irani, Kempe Computing
- ground states of 1-D local Hamiltonians QMA-hard.
25Quantum PCP theorem?
- Given a promise that k-local hamiltonian H has
- either ground energy 0 or cm for constant c,
- determine which.
- Classical PCP theorem is a cornerstone of
classical -
- complexity theory.
- Theory of inapproximability, room temperature
QC - Aharonov, Arad, Landau, V quantum gap
amplification.
26- How do you verify a theory where you require
- exponential resources to calculate the predicted
- outcome of the experiment?
- One-way function. Start with P, Q primes.
- Multiply N PQ. See if quantum computer can
- Factor.
- How do you verify the claims of a company
- New-Wave, that claims to have built a quantum
- Computer?
- Aharonov, et. Al., Broadbent, et. Al.
- Quantum interactive proofs.
27Conclusions
Quantum algorithms and complexity theory explore
fundamental questions with profound implications
- Quantum resistant cryptography.
- Probabilistic method lt--gt quantum method
- Quantum complexity lt--gt classical complexity
- quantum complexity theory lt--gt condensed matter
physics - Verifying quantum computations.