Aspects of Certified Randomness from Quantum Supremacy 1101000011010011110110110011001100010100100110100011111011110100 Scott Aaronson (UT Austin) A farm somewhere outside Santa Barbara, CA May 16, 2019
Three Views of Quantum Supremacy (1) The “useful application” is to refute the QC skeptics! (2) We need to pick real applications—ML, finance, optimization– then find big quantum speedups for them (3) Let’s start with what would refute the QC skeptics, and then see whether it’s useful for anything Risk of Ewinization
The Randomness Protocol “Born from complexity theory The Randomness Protocol “Born from complexity theory. Somehow became first planned application for Bristlecone / Sycamore…” SEED CHALLENGES Goal: By interacting with a NISQ QC remotely, force it to generate fresh random bits, which no one (not even the QC) knew beforehand. Place no trust in the QC! “Proof of Sampling.” Modest quantum speedups, not for their own sake, but as proof of some other property
Possible Sycamore Use Case Public, trusted random bits—e.g. for proof-of-stake cryptocurrencies, such as future-Ethereum Problem: Who picks the challenges to send Sycamore—and why should everyone else trust the challenger? Ideas: Challenges could come from a distributed cryptographic protocol involving a pseudorandom function, a blockchain, the NYSE, the weather… If the challenges are unpredictable, then why not just use them to generate the random bits, and skip the QC part? One answer: “forward secrecy”
Other Possible Use Cases Secret random bits … if you own the QC yourself! Or, as long as you trust Google to try to generate your keys randomly, Google could use my protocol to convince you that its RNG hardware isn’t malfunctioning or backdoored by someone else Or, you could give Google a tamper-resistant “Hardware Security Module” that acts as the challenger for you With thanks to Jimmy Chau
Mostly, I now have time to explain the parts that I skipped last year… I spoke on exactly the same topic at this conference exactly a year ago. What’s changed since then? Mostly, I now have time to explain the parts that I skipped last year…
So what was I doing all year? Gentle measurement and differential privacy (A.-Rothblum, arXiv:1904.08747) New QFT-free quantum approximate counting algorithm Quantum lower bounds for approximate counting using Laurent polynomials (AKKT, arXiv:1904.08914) Oracle relative to which NPBQP but PH is infinite Teaching, faculty recruiting, travel, kids…
The Protocol 1. The classical client generates n-qubit quantum circuits C1,…,CT pseudorandomly (mimicking a random ensemble) 2. For each t, the client sends Ct to the server, then demands a response St within a very short time In the “honest” case, the response is a list of k samples from the output distribution of Ct|0n 3. The client picks a few random iterations t, and for each one, applies a “HOG” (Heavy Output Generation) test 4. If the tests pass, then the client feeds S=S1,…,ST into a classical randomness extractor, such as GUV (Guruswami-Umans-Vadhan), to get nearly pure random bits
The HOG Test (Similar in spirit to Google’s cross-entropy test) Given an n-qubit quantum circuit C, parameters b(1,2) and k{1,2,…}, and purported distinct samples s1,…,sk from C’s output distribution, HOGb,k(C) checks whether Note: To perform the HOG test, we need a brute-force (~2n-time) classical computation! If n=53 this is doable…
Porter-Thomas Speckle Behavior For large k and s1,…,sk sampled by an ideal QC, “Just like the Bell inequality” For s1,…,sk sampled uniformly at random,
Proving Porter-Thomasness! Unfortunately, not yet for “natural” ensembles of random quantum circuits, but for the “Idaho ensemble” “Re-randomization”: a Haar-random unitary on the leftmost O(log(n)) qubits Random quantum circuit of size ~n23—proven to be an approximate t-design (t>>n2) by Brandão, Harrow, Horodecki 2012 |0|0|0|0|0 n qubits
Why must there be any entropy in the server’s responses? Suppose to the contrary that S=f(C), for some determinstic function fBQP, with S=s1,…,sk typically passing HOG. We claim this would imply strange computational powers… Long List Quantum Supremacy Verification (LLQSV) You’re given a giant list of quantum circuits C1,…,CM, as well as strings s1,…,sM. You’re asked: were the si’s sampled uniformly at random, or was each si sampled from the output distribution of Ci? Seems hard … even for a QC!
Key Claim: If a fast QC could pass HOG deterministically, then there would be a QCAM protocol for LLQSV QCAM: Arthur-Merlin where Arthur can send a classical random challenge to Merlin, get back a classical response, then verify it quantumly Proof: The whole problem boils down to approximate counting—how many i’s are there in our long list such that f(Ci)=si? C1 C2 C3 C4 C5 C6 C7 C8 s1 s2 s3 s4 s5 s6 s7 s8 Arthur sends Merlin a random hash function g, then Merlin sends back an i such that f(Ci)=si and g(i)=0…0 Note: If the Ci’s were classical, there would be an AM protocol!
Min-Entropy More relevant than Shannon entropy for randomness extraction protocols Typically enough to be -close in variation distance to a distribution with high min-entropy
Boosting from (1) to (n) bits of min-entropy per round Claim: Suppose that a BQP machine M samples S=s1,…,sk from a probability distribution that has: - Mass q on samples that pass HOGb,k(C) - Mass p on samples with probability 2-H And suppose b(p+q-1) >> p. Then there’s an AM protocol for LLQSV with a quantum verifier running in ~2H/2 time (and a small advice string) Intuition: Merlin can point Arthur to Ci’s for which M outputs si with probability 2-H. Then Arthur can use Grover search, taking ~2H/2 time, to check Merlin’s claims
Parameterology with Noisy QCs Guaranteed min-entropy per round: b = HOG threshold parameter q = QC’s success probability on HOGb,k L = log(assumed LLQSV hardness) n/2 Only positive when bq > 1 Danger: Noisier hardware lower q need larger b to get bq>1 q decreases even more, etc. Escape route: Set b1+ where is the QC’s fidelity, and k1/2 where k is the number of samples per round. Then q1 and bq>1 by the Law of Large Numbers
Fernando Brandão’s calculation Assuming best current simulation algorithms, min-entropy per round is approximately Plugging in target Sycamore fidelity of 510-3, we could get 10 certified random bits from a round with k 25 million samples. This would take a few seconds. Bit rate improves enormously with better fidelity…
Generating the challenge circuits Suppose the client generates the challenges C1,C2,… using a pseudorandom function (PRF). Then obviously, we’ll want a PRF secure against quantum attack But more than that: we need to show that if our protocol fails (and if LLQSV is hard), then the PRF can be broken Problem: Our protocol “failing” could be extremely hard to notice—it just looks like the distribution over output bits being far from uniform Solution: Assume a PRF secure against the class QSZK (Quantum Statistical Zero Knowledge). There are many plausible candidates!
Randomness Accumulation Most involved part of our analysis: show that, if the protocol continues for T rounds, then the client gets (Tn) total bits of min-entropy What if each round produced (n) random bits individually, but they were maliciously correlated, reusing the same entropy? Challenge: Show that, if there are many rounds where little randomness gets produced, conditioned on the outcomes of the previous rounds, then we can exploit that to get an AM protocol for LLQSV Solution idea: Simulate the protocol up to a random round. Then plug the state of the QC at that round (described using quantum advice) into the LLQSV AM protocol
The Bushy Path Lemma (with thanks to Ron Peled) Consider a tree where each edge is either red or blue. Suppose that on almost every path from the root to a leaf, at least 90% of the edges are red Let a “bushy path” be a path together with all edges incident to it. Then on almost every bushy path, at least 89% of the edges are red
Randomness with a random oracle In the random oracle model, our randomness protocol can be made provably, unconditionally secure Admittedly, it doesn’t sound impressive to produce random bits in a world with a random oracle! But remember that these have to be fresh random bits—unpredictable even given the random oracle! In the random oracle model, both of our assumptions—the one about LLQSV and the one about the PRF—become theorems, which follow from the BBBV Theorem (the optimality of Grover’s algorithm)
Open Problems Can we get polynomial-time classical verification and NISQ implementability at the same time? Can we get more and more certified randomness by sampling with the same circuit C over and over? Would make the protocol much more efficient and practical Can we prove our scheme sound under less boutique complexity assumptions? Can we prove our scheme sound even against adversaries that are entangled with the QC? Are there better cryptographic solutions to the problem of “who trusts the challenger”?