Quantum Algorithms & Complexity

Presentation transcript:

Quantum Algorithms & Complexity Umesh Vazirani U.C. Berkeley

One does not, by knowing all the physical laws as we know them today, immediately obtain an understanding of anything much. (Richard Feynman, 1918-1988) Quantum computers are the only known model of computation that violates the Extended Church-Turing thesis.

Goals of Quantum Algorithms/Complexity Find exponential speedups for a range of natural computational problems. Establish the limits of quantum algorithms. Relate quantum complexity classes, such as BQP and QMA, to classical complexity classes, such as BPP, MA, PH. Far-reaching implications for cryptography, computational complexity, physics, … Each of these gives its own unique flavor to the questions.

Quantum resistant cryptography Quantum computers break much of modern cryptography. RSA (factoring), Diffie-Hellman (discrete log), Elliptic curve crypto, Buchmann-Williams (Pell eqn)… Suppose we had a classical cryptosystem that was as efficient and convenient as RSA, but was provably not breakable even on a quantum computer. Then there would be an incentive to switch to the new cryptosystem, well before a large scale quantum computer were experimentally realized.

Suppose we had a very efficient classical cryptosystem that we believed was quantum resistant. What kind of evidence could we present to “prove” it? (Don’t have a working quantum computer to run heuristics) The answer relies crucially on our understanding of the power and limitations of quantum computers.

Hidden Subgroup Problem G finite group. H subgroup of G. Given black box that evaluates f: G -> S, where f is constant on cosets of H. Determine H. G abelian: lens = Fourier transform over G. Polynomial-time quantum algorithm. Shor: factoring, G = $\mathbb{Z}_N$, period finding; discrete log, G = $\mathbb{Z}_p \times \mathbb{Z}_p$. [Hallgren] Pell’s equation. [van Dam, Hallgren, Ip] Hidden shift problems, breaking homomorphic encryption. [van Dam, Seroussi] Gauss sums.

Quantum Algorithm for Abelian HSP Random coset state: use f to set up state G: gH = FT over G FT over G: FT + measurement gives uniformly random element of Think of this as a random linear constraint on H …

Non-abelian hidden subgroup problem Lens = (non-abelian) Fourier transform over G. Graph Isomorphism: $S_N$, symmetric group. Short vector in lattice: $D_N$, dihedral group. Finding short vector not easy! [Regev]

Lattice Problems Finding short lattice vectors closely related to Dihedral HSP. Random coset state preparation + Fourier sampling gives sufficient info to reconstruct subgroup. But classically reconstructing subgroup appears to be very difficult. Related to subset sum. Kuperberg’s quantum reconstruction algorithm.

Public-key cryptosystems based on Quantum hardness of Shortest Lattice Vector. [Ajtai-Dwork] cryptosystem. [Regev] Improved efficiency based on assumption that finding short lattice vectors is hard for quantum algorithms. New cryptosystem resembles hardness of solving noisy linear equations mod p. Worst-case to average case reduction.

Learning with errors Linear equations in n variables over $\mathbb{Z}_p$ for p prime, where $n^2 < p < 2n^2$. m noisy equations: where and is Gaussian with mean 0 and standard deviation $n^{1.5}$. Theorem [Regev]: LWE is as hard as approximating the shortest vector in a lattice to within $n^{1.5}$.
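
Added example, not part of the original slides: a toy public-key bit encryption built from noisy linear equations mod p, the kind of system the slides above describe. The modulus follows the slide's n^2 < p < 2n^2; the values n = 16, m = 60 and the bounded noise |e_i| <= 1 (used in place of the slide's Gaussian) are assumptions chosen so that decryption is always correct, and all function names are hypothetical.

```python
import random

def first_prime_between(lo, hi):
    """Smallest prime p with lo < p < hi (trial division is fine at toy size)."""
    for p in range(lo + 1, hi):
        if all(p % d for d in range(2, int(p ** 0.5) + 1)):
            return p
    raise ValueError("no prime in range")

N = 16                                      # number of unknowns n
P = first_prime_between(N * N, 2 * N * N)   # prime with n^2 < p < 2n^2 (here 257)
M = 60                                      # number of noisy equations (toy choice)
NOISE = 1                                   # toy bound |e_i| <= 1, so M * NOISE < P / 4

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % P

def keygen(rng):
    """Secret s; public key = M noisy equations b_i = <a_i, s> + e_i (mod p)."""
    s = [rng.randrange(P) for _ in range(N)]
    A = [[rng.randrange(P) for _ in range(N)] for _ in range(M)]
    b = [(dot(row, s) + rng.randint(-NOISE, NOISE)) % P for row in A]
    return s, (A, b)

def encrypt(pub, bit, rng):
    """Sum a random subset of the equations; shift the right side by p//2 for bit 1."""
    A, b = pub
    subset = [i for i in range(M) if rng.random() < 0.5]
    c1 = [sum(A[i][j] for i in subset) % P for j in range(N)]
    c2 = (sum(b[i] for i in subset) + bit * (P // 2)) % P
    return c1, c2

def decrypt(s, ct):
    """Subtract <c1, s>; what is left is accumulated noise (+ p//2 if bit was 1)."""
    c1, c2 = ct
    d = (c2 - dot(c1, s)) % P
    return 0 if min(d, P - d) < P / 4 else 1

def residuals(s, pub):
    """Centered b_i - <a_i, s> mod p: tiny for the true secret, spread out otherwise."""
    A, b = pub
    return [((bi - dot(row, s) + P // 2) % P) - P // 2 for row, bi in zip(A, b)]

if __name__ == "__main__":
    rng = random.Random(2024)
    s, pub = keygen(rng)
    print(P, [decrypt(s, encrypt(pub, bit, rng)) for bit in (0, 1, 1, 0)])
    print(max(abs(r) for r in residuals(s, pub)))
```

Without the secret, recovering s from the public key means solving the noisy system itself; with the noise removed, plain Gaussian elimination mod p would suffice.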

Worst-case to average-case reduction LWE specifies an average-case problem. Inputs sampled from a fixed distribution. Quantum reduction showing that an arbitrary lattice problem (worst-case) can be mapped to LWE. Example of the quantum method. Prove a purely classical statement by quantum methods. [Kerenidis, de Wolf] lower bounds for locally decodable codes.

LWE and Lattices Lattice L = {integer linear combinations of $u_1, \dots, u_n$} Dual lattice L* = {v: <v,u> integer for all u in L} L* is the Fourier transform of L.

Sampling from $D_L$ with small width Gaussian implies good approximation of shortest lattice vector. Polynomially large samples from $D_L$ yield an unbiased estimator for $D^*_L$. If the width of the Gaussian is large, this gives a way of, given z, approximating the closest lattice vector to z. Quantum reduction, given algorithm for approximating closest vector in L*, to sampling from $D_L$. To erase x, compute x given z=x+y:

Improving the Efficiency Based on cyclic lattices: Lattices where the basis consists of vector v, and all its cyclic shifts. Much more succinct. Key size $n^2 \to n$. Faster computation – use Fourier transforms. [Peikert, Rosen] collision resistant hash functions. [Gentry] Homomorphic encryption.

Open Questions Is there a quantum algorithm to find a short vector in a cyclic lattice? Does the van Dam, Hallgren, Ip quantum algorithm for breaking homomorphic encryption extend to Gentry’s scheme? Is it possible to speed up Kuperberg’s quantum reconstruction algorithm for the dihedral HSP? Is it possible to design a public-key cryptosystem based on cyclic lattices?

Greater Security? [Hallgren, Moore, Roetteler, Russell, Sen 06] provide very strong evidence of quantum hardness: $Hg_1$ $Hg_2$ $Hg_k$, k < poly(n) implies exponentially many measurements, for sufficiently non-abelian groups. E.g. $S_n$, $GL_n$; in particular: graph isomorphism. Sufficiently non-abelian ~ exponential sized irreps + … Can one base public-key cryptography on these stronger impossibility results? [Moore, Russell, V] One-way function, related to McEliece Cryptosystem, based on hardness of HSP over

Goals of Quantum Algorithms/Complexity Find exponential speedups for a range of natural computational problems. Establish the limits of quantum algorithms. Relate quantum complexity classes, such as BQP and QMA, to classical complexity classes, such as BPP, MA, PH.

An Old Question in Quantum Complexity Theory Is $\mathrm{BQP} \subseteq \mathrm{PH}$? [Bernstein, V ‘93] There is an oracle A: $\mathrm{BQP}^A \not\subseteq \mathrm{MA}^A$. Conjectured that same holds for PH – that recursive Fourier sampling is in BQP but not in PH. [Aaronson ‘09] Conjecture: Fourier checking is in BQP, but not in PH. Proof that this is true under the generalized Linial-Nisan conjecture. The original Linial-Nisan conjecture states that logn-wise independent distributions fool AC0 circuits. Resolved by Braverman. Generalized = almost logn-wise.

Hamiltonian Complexity Computational complexity <--> condensed matter physics $H = H_1 + \dots + H_m$, each $H_i$ k-local. [Kitaev] Computing ground energy of H is QMA-hard. [Aharonov, et al.] Adiabatic quantum computation is universal. [Hastings] Area law for 1-D local Hamiltonians. Efficient simulation of gapped Hamiltonians. [Aharonov, Gottesman, Irani, Kempe] Computing ground states of 1-D local Hamiltonians QMA-hard.

Quantum PCP theorem? Given a promise that k-local Hamiltonian H has either ground energy 0 or $cm$ for constant c, determine which. Classical PCP theorem is a cornerstone of classical complexity theory. Theory of inapproximability, room temperature QC [Aharonov, Arad, Landau, V] quantum gap amplification.

How do you verify a theory where you require exponential resources to calculate the predicted outcome of the experiment? One-way function. Start with P, Q primes. Multiply N = PQ. See if quantum computer can factor. How do you verify the claims of a company New-Wave, that claims to have built a quantum computer? [Aharonov, et al.], [Broadbent, et al.] Quantum interactive proofs.

Conclusions Quantum algorithms and complexity theory explore fundamental questions with profound implications: Quantum resistant cryptography. Probabilistic method <--> quantum method Quantum complexity <--> classical complexity quantum complexity theory <--> condensed matter physics Verifying quantum computations.