Exploring the Limits of the Efficiently Computable (Or: Assorted things I’ve worked on, prioritizing variety over intellectual coherence) Scott Aaronson (MIT) Papers & slides at
Quantum Mechanics in One Slide Quantum Mechanics: Linear transformations that conserve 2-norm of amplitude vectors: Unitary matrices Probability Theory: Linear transformations that conserve 1-norm of probability vectors: Stochastic matrices
A general entangled state of n qubits requires ~2 n amplitudes to specify: Quantum Computing Presents an obvious practical problem when using conventional computers to simulate quantum mechanics Feynman 1981: So then why not turn things around, and build computers that themselves exploit superposition? Could such a machine get any advantage over a classical computer with a random number generator? If so, it would have to come from interference between amplitudes
BQP (Bounded-Error Quantum Polynomial-Time): The class of problems solvable efficiently by a quantum computer, defined by Bernstein and Vazirani in 1993 Shor 1994: Factoring integers is in BQP NP NP-complete P Factoring BQP Interesting But factoring is not believed to be NP- complete! So, evidence for P≠BQP? Limits of BQP?
Suppose we just want a quantum system for which there’s good evidence that it’s hard to simulate classically—we don’t care what it’s useful for BosonSampling Our proposal: Identical single photons sent through network of interferometers, then measured at output modes A.-Arkhipov 2011, Bremner-Jozsa-Shepherd 2011: In that case, we can plausibly improve both the hardware requirements and the evidence for classical hardness, compared to Shor’s factoring algorithm We showed: if a fast, classical exact simulation of BosonSampling is possible, then the polynomial hierarchy collapses to the third level. Experimental demonstrations with 3-4 photons achieved (by groups in Oxford, Brisbane, Rome, Vienna)
Does this mean quantum optics lets us solve #P-complete problems efficiently? Sounds too good to be true… The probability of each output configuration has the form |Per(A)| 2, where A is a matrix of transition amplitudes and is the permanent, a well-known #P-complete function Nevertheless, the fact that complex permanents are #P- complete to approximate lets us indirectly prove hardness results even just for permanental sampling Key Idea
Can a quantum computer solve problems for which a classical computer can’t even efficiently verify the answers? Or better yet: that are still classically hard even if P=NP? BQP vs. the Polynomial Hierarchy BosonSampling: A candidate for such a problem. If it’s solvable anywhere in BPP PH, then PH collapses. A. 2009: Unconditionally, there’s a black-box sampling problem (Fourier Sampling) solvable in BQP but not in BPP PH Boils down to: are there problems in BQP but not in PH? Given a Boolean function output z {0,1} n with probability
The Quantum Black-Box Model The setting for much of what we know about the power of quantum algorithms i xixi An algorithm can make query transformations, which map as well as arbitrary unitary transformations that don’t depend on X (we won’t worry about their computational cost). (i=“query register,” a=“answer register,” w=“workspace”) Its goal is to learn some property f(X) (for example: is X 1-to-1?) X “Query complexity” of f: The minimum number of queries used by any algorithm that outputs f(X), with high probability, for every X of interest to us X=x 1 …x N
Example 3: The Collision Problem. Given a 2-to-1 sequence X(1),…,X(N), find a collision (i.e., two indices i,j such that X(i)=X(j)) Models the breaking of collision-resistant hash functions— a central problem in cryptanalysis Example 1: Grover search problem. Given X(1),…,X(N) {0,1}, find an i such that X(i)=1. A quantum computer can solve with O( N) queries, but no faster! Example 2: Period-finding (heart of Shor’s algorithm). Given a sequence X(1),…,X(N) that repeats with period r N, find the period. A quantum computer can do this with only O(1) queries—huge speedup over classical! “More structured than Grover search, but less structured than Shor’s period-finding problem”
Birthday Paradox: Classically, ~ N queries are necessary and sufficient to find a collision with high probability Brassard-Høyer-Tapp 1997: Quantumly, ~N 1/3 queries suffice Grover search on N 2/3 X(i)’s N 1/3 X(i) values queried classically A. 2002: First quantum lower bound for the collision problem (~N 1/5 queries are needed; no exponential speedup possible) Shi 2002: Improved lower bound of ~N 1/3. Brassard-Høyer- Tapp’s algorithm is the best possible
Symmetric Problems A.-Ambainis 2011: Massive generalization of collision lower bound. If f is any problem whatsoever that’s symmetric under permuting the inputs and outputs, and has sufficiently many outputs (like the collision problem), then f’s classical query complexity (f’s quantum query complexity) 7 Upshot: Need a “structured” promise if you want an exponential quantum speedup Compare to Beals et al. 1998: If f:{0,1} N {0,1} is a total Boolean function (like OR, AND, MAJORITY, etc.), f’s classical query complexity (f’s quantum query complexity) 6
What’s the largest possible quantum speedup? “Forrelation”: Given two Boolean functions f,g:{0,1} n {-1,1}, estimate how correlated g is with the Fourier transform of f: A.-Ambainis 2014: This problem is solvable using only 1 quantum query, but requires at least ~2 n/2 /n queries classically Furthermore, this separation is essentially the largest possible! Any N-bit problem that’s solvable with k quantum queries, is also solvable with ~N 1-1/2k classical queries Conjecture (A. 2009): Forrelation Polynomial Hierarchy
A complexity-theoretic argument against hidden variables? A. 2004: Suppose that in addition to the quantum state, there were also “hidden variables” recording the “true” locations of particles (as in Bohmian mechanics). Then if you could sample the hidden variables’ entire histories, you could solve the collision problem in O(1) queries—beyond what a “garden-variety” quantum computer can do! Measure 2 nd register
Computational Complexity and the Black-Hole Information Loss Problem Maybe the single most striking application so far of complexity to fundamental physics Hawking 1970s: Black holes radiate! The radiation seems thermal (uncorrelated with whatever fell in)—but if quantum mechanics is true, then it can’t be Susskind et al. 1990s: “Black-hole complementarity.” In string theory / quantum gravity, the Hawking radiation should just be a scrambled re-encoding of the same quantum states that are also inside the black hole
The Firewall Paradox [Almheiri et al. 2012] If the black hole interior is “built” out of the same qubits coming out as Hawking radiation, then why can’t we do something to those Hawking qubits (after waiting ~10 70 years for enough to come out), then dive into the black hole, and see that we’ve completely destroyed the spacetime geometry in the interior? Entanglement among Hawking photons detected!
Harlow-Hayden 2013: Sure, there’s some unitary transformation that Alice could apply to the Hawking radiation, that would generate a “firewall” inside the event horizon. But how long would it take her to apply it? Plausible answer: Exponential in the number of qubits inside the black hole! Or for an astrophysical black hole, years She wouldn’t have made a dent before the black hole had already evaporated anyway! So … problem solved? HH’s argument: If Alice could achieve (a plausible formalization of) her decoding task, then she could also efficiently solve the collision problem
My strengthening: Harlow-Hayden decoding is as hard as inverting an arbitrary one-way function B is maximally entangled with the last qubit of R. But in order to see that B and R are even classically correlated, one would need to learn x s (a “hardcore bit” of f), and therefore invert f With realistic dynamics, the decoding task seems like it should only be “harder” than in this model case (though unclear how to formalize that) Is the geometry of spacetime protected by an armor of computational complexity? R: “old” Hawking photons / B: photons just coming out / H: still in black hole
Quantum Money Idea: Quantum states that can be created by a bank, traded as currency, and verified as legitimate, but can’t be cloned by counterfeiters, because of quantum mechanics’ No-Cloning Theorem A.-Christiano 2012: First quantum money scheme where anyone can verify a bill, and whose security is based on a “conventional” crypto assumption Wiesner ca. 1970: First quantum money scheme, but only the bank could verify the bills. If anyone can verify a bill, then computational assumptions clearly needed, in addition to QM
Our Hidden Subspace Scheme Quantum money state: Corresponding “serial number” s: Somehow describes how to check membership in A and in A (the dual subspace of A), yet doesn’t reveal A or A Our proposal: Random low-degree polynomials p 1,…,p m and q 1,…,q m that vanish on A and A respectively Mint can easily choose a random A and prepare |A
Procedure to Verify Money State (assuming ability to decide membership in A and A ) AA A 1.Project onto A elements (reject if this fails) 2.Hadamard all n qubits to map |A to |A 3.Project onto A elements (reject if this fails) 4.Hadamard all n qubits to return state to |A Theorem: The above just implements a projection onto |A —i.e., it accepts | with probability | |A | 2
Security Theorem: There’s no efficient counterfeiting procedure, assuming there’s no an efficient quantum algorithm to learn a basis for A with 2 -O(n) probability, given p 1,…,p m and q 1,…,q m. [Recently: Attack on noiseless version of scheme] Theorem: If the A and A membership tests are black boxes, then any counterfeiting procedure requires Ω(2 n/2 ) queries to them.
Some Future Directions Quantum copy-protected software Complexity theory of quantum states and unitary transformations Classification of quantum gate sets Noisy BosonSampling The power of quantum proofs