Presentation is loading. Please wait.

Presentation is loading. Please wait.

Quantum Algorithms & Complexity

Published byPrudence Matthews Modified over 9 years ago

Similar presentations

Presentation on theme: "Quantum Algorithms & Complexity"— Presentation transcript:

1 Quantum Algorithms & Complexity
Umesh Vazirani U.C. Berkeley

2 One does not, by knowing all the physical laws as we know
them today, immediately obtain an understanding of anything much. (Richard Feynman, )

3 One does not, by knowing all the physical laws as we know
them today, immediately obtain an understanding of anything much. (Richard Feynman, ) Quantum computers are the only known model of Computation that violate the Extended Church-Turing thesis.

4 Goals of Quantum Algorithms/Complexity
Find exponential speedups for a range of natural computational problems. Establish the limits of quantum algorithms. Relate quantum complexity classes, such as BQP and QMA, to classical complexity classes, such as BPP, MA, PH.

5 Goals of Quantum Algorithms/Complexity
Find exponential speedups for a range of natural computational problems. Establish the limits of quantum algorithms. Relate quantum complexity classes, such as BQP and QMA, to classical complexity classes, such as BPP, MA, PH. Far reaching implications for cryptography, computational complexity, physics, … Each of these gives its own unique flavor to the questions.

6 Quantum resistant cryptography
Quantum computers break much of modern cryptography. RSA (factoring), Diffie-Helman (discrete log), Elliptic curve crypto, Buchmann-Williams (Pell eqn)… Suppose we had a classical cryptosystem that was as efficient and convenient as RSA, but was provably not breakable even on a quantum computer. Then there would be an incentive to switch to the new cryptosystem, well before a large scale quantum computer were experimentally realized.

7 Suppose we had a very efficient classical
cryptosystem that we believed was quantum resistant. What kind of evidence could we present to “prove” it? (Don’t have a working quantum computer to run heuristics) The answer relies crucially on our understanding of the power and limitations of quantum computers.

8 Hidden Subgroup Problem
G finite group. H subgroup of G. Given black box that evaluates f: G -> S: f is constant on cosets of H. Determine H. G: G abelian: lens = fourier transform over G. polynomial time quantum algorithm. Shor: factoring. G = ZN. Period finding. discrete log. G = Zp x Zp [Hallgren] Pell’s equation [van Dam, Hallgren, Ip] Hidden shift problems, Breaking homomorphic encryption [van Dam, Seroussi] Gauss sums

9 Quantum Algorithm for Abelian HSP
Random coset state: use f to set up state G: gH = FT over G FT over G: FT + measurement gives uniformly random element of Think of this as a random linear constraint on H …

10 Non-abelian hidden subgroup problem
Lens = (non-abelian) fourier transform over G. Graph Isomorphism SN Symmetric group Short vector in Lattice: Finding short vector not easy! [Regev] DN Dihedral group

11 Lattice Problems Finding short lattice vectors closely related to
Dihedral HSP. Random coset state preparation + Fourier sampling gives sufficient info to reconstruct subgroup. But classically reconstructing subgroup appears to be very difficult. Related to subset sum. Kuperberg’s quantum reconstruction algorithm.

12 Public-key cryptosystems based on Quantum
hardness of Shortest Lattice Vector. [Ajtai-Dwork] cryptosystem. [Regev] Improved efficiency based on assumption that finding short lattice vectors is hard for quantum algorithms. New cryptosystem resembles hardness of solving noisy linear equations mod p. Worst-case to average case reduction.

13 Learning with errors Linear equations in n variables over Zp for p prime, where n2 < p < 2n2 m noisy equations: where and is gaussian with mean 0 and standard deviation n1.5 Theorem [Regev]: LWE is as hard as approximating the shortest vector in a lattice to within n1.5

14 Worst-case to average-case reduction
LWE specifies an average-case problem. Inputs sampled from a fixed distribution. Quantum reduction showing that an arbitrary lattice problem (worst-case) can be mapped to LWE. Example of the quantum method. Prove a purely classical statement by quantum methods. [Kerenidis, deWolf] lower bounds for locally decodable codes.

15 LWE and Lattices Lattice L = {integer linear combinations of u1, …, un } Dual lattice L* = {v: <v,u> integer for all u in L} L* is the fourier transform of L.

16 LWE and Lattices Lattice L = {integer linear combinations of u1, …, un } Dual lattice L* = {v: <v,u> integer for all u in L} L* is the fourier transform of L. D*L DL

17 DL D*L Sampling from DL with small width Gaussian implies good approximation of shortest lattice vector. Polynomially large samples from DL yield an unbiased estimator for D*L . If the width of the Gaussian is large, this gives a way of, given x, approximating the closest lattice vector to x in L*. Quantum reduction, given algorithm for approximating closest vector in L*, to sampling from DL .

18 Quantum reduction, given algorithm for approximating
DL D*L Sampling from DL with small width Gaussian implies good approximation of shortest lattice vector. Polynomially large samples from DL yield an unbiased estimator for D*L . If the width of the Gaussian is large, this gives a way of, given z, approximating the closest lattice to z. Quantum reduction, given algorithm for approximating closest vector in L*, to sampling from DL . To erase x, compute x given z=x+y:

19 Improving the Efficiency
Based on cyclic lattices: Lattices where the basis consists of vector v, and all its cyclic shifts. Much more succinct. Key size n2 -> n Faster computation – use Fourier transforms. [Piekart, Rosen] collision resistant hash functions. [Gentry] Homomorphic encryption.

20 Open Questions Is there a quantum algorithm to find a short
vector in a cyclic lattice? Does the van Dam, Hallgren, Ip quantum algorithm for breaking homomorphic encryption extend to Gentry’s scheme? Is it possible to speed up Kuperberg’s quantum reconstruction algorithm for the dihedral HSP? Is it possible to design a public-key cryptosystem based on cyclic lattices?

21 Greater Security? [Hallgren, Moore, Roettler, Russell, Sen 06] provide
very strong evidence of quantum hardness: Hg1 Hg2 Hgk k < poly(n) implies exponentially many measurements For sufficiently non-abelian groups. Eg Sn, GLn in particular: graph isomorphism. Sufficiently non-abelian ~ exponential sized irreps + … Can one base public-key cryptography on these stronger impossibility results? [Moore, Russell, V] One-way function, related to McEliese Cryptosystem, based on hardness of HSP over

22 Goals of Quantum Algorithms/Complexity
Find exponential speedups for a range of natural computational problems. Establish the limits of quantum algorithms. Relate quantum complexity classes, such as BQP and QMA, to classical complexity classes, such as BPP, MA, PH.

23 An Old Question in Quantum Complexity Theory
Is BQP C PH? [Bernstein, V ‘93] There is an oracle A: BQPA C MAA Conjectured that same holds for PH – that recursive fourier sampling is in BQP but not in PH. [Aaronson ‘09] Conjecture: Fourier checking is in BQP, but not in PH. Proof that this is true under the generalized Linial-Nisan conjecture. The original Linial-Nisan conjecture states that logn-wise independent distributions fool AC0 circuits. Resolved by Braverman. Generalized = almost logn-wise.

24 Hamiltonian Complexity
Computational complexity <--> condensed matter physics H = H1 + … + Hm , each Hi k-local. [Kitaev] Computing ground energy of H is QMA-hard. [Aharonov, et. al.] Adiabatic quantum computation is universal. [Hastings] Area law for 1-D local Hamiltonians. Efficient simulation of gapped Hamiltonians. [Aharonov, Gottesman, Irani, Kempe] Computing ground states of 1-D local Hamiltonians QMA-hard.

25 Quantum PCP theorem? Given a promise that k-local hamiltonian H has either ground energy 0 or cm for constant c, determine which. Classical PCP theorem is a cornerstone of classical complexity theory. Theory of inapproximability, room temperature QC [Aharonov, Arad, Landau, V] quantum gap amplification.

26 How do you verify a theory where you require
exponential resources to calculate the predicted outcome of the experiment? One-way function. Start with P, Q primes. Multiply N = PQ. See if quantum computer can Factor. How do you verify the claims of a company New-Wave, that claims to have built a quantum Computer? [Aharonov, et. Al.], [Broadbent, et. Al.] Quantum interactive proofs.

27 Conclusions Quantum algorithms and complexity theory explore
fundamental questions with profound implications: Quantum resistant cryptography. Probabilistic method <--> quantum method Quantum complexity <--> classical complexity quantum complexity theory <--> condensed matter physics Verifying quantum computations.

Download ppt "Quantum Algorithms & Complexity"

Similar presentations

Quantum Computing: Whats It Good For? Scott Aaronson Computer Science Department, UC Berkeley January 10, 2002 www.cs.berkeley.edu/~aaronson.

Quantum Computing: Whats It Good For? Scott Aaronson Computer Science Department, UC Berkeley January 10,
Computation, Quantum Theory, and You Scott Aaronson, UC Berkeley Qualifying Exam May 13, 2002.

Computation, Quantum Theory, and You Scott Aaronson, UC Berkeley Qualifying Exam May 13, 2002.
Quantum Lower Bounds You probably Havent Seen Before (which doesnt imply that you dont know OF them) Scott Aaronson, UC Berkeley 9/24/2002.

Quantum Lower Bounds You probably Havent Seen Before (which doesnt imply that you dont know OF them) Scott Aaronson, UC Berkeley 9/24/2002.
Quantum Lower Bound for the Collision Problem Scott Aaronson 1/10/2002 quant-ph/0111102 I was born at the Big Bang. Cool! We have the same birthday.

Quantum Lower Bound for the Collision Problem Scott Aaronson 1/10/2002 quant-ph/ I was born at the Big Bang. Cool! We have the same birthday.
How Much Information Is In Entangled Quantum States? Scott Aaronson MIT |

How Much Information Is In Entangled Quantum States? Scott Aaronson MIT |
Quantum Versus Classical Proofs and Advice Scott Aaronson Waterloo MIT Greg Kuperberg UC Davis | x {0,1} n ?

Quantum Versus Classical Proofs and Advice Scott Aaronson Waterloo MIT Greg Kuperberg UC Davis | x {0,1} n ?
Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.
Multilinear Formulas and Skepticism of Quantum Computing Scott Aaronson UC Berkeley IAS.

Multilinear Formulas and Skepticism of Quantum Computing Scott Aaronson UC Berkeley IAS.
Quantum Double Feature Scott Aaronson (MIT) The Learnability of Quantum States Quantum Software Copy-Protection.

Quantum Double Feature Scott Aaronson (MIT) The Learnability of Quantum States Quantum Software Copy-Protection.
An Invitation to Quantum Complexity Theory The Study of What We Cant Do With Computers We Dont Have Scott Aaronson (MIT) QIP08, New Delhi BQP NP- complete.

An Invitation to Quantum Complexity Theory The Study of What We Cant Do With Computers We Dont Have Scott Aaronson (MIT) QIP08, New Delhi BQP NP- complete.
New Evidence That Quantum Mechanics Is Hard to Simulate on Classical Computers Scott Aaronson Parts based on joint work with Alex Arkhipov.

New Evidence That Quantum Mechanics Is Hard to Simulate on Classical Computers Scott Aaronson Parts based on joint work with Alex Arkhipov.
How to Solve Longstanding Open Problems In Quantum Computing Using Only Fourier Analysis Scott Aaronson (MIT) For those who hate quantum: The open problems.

How to Solve Longstanding Open Problems In Quantum Computing Using Only Fourier Analysis Scott Aaronson (MIT) For those who hate quantum: The open problems.
Arthur, Merlin, and Black-Box Groups in Quantum Computing Scott Aaronson (MIT) Or, How Laci Did Quantum Stuff Without Knowing It.

Arthur, Merlin, and Black-Box Groups in Quantum Computing Scott Aaronson (MIT) Or, How Laci Did Quantum Stuff Without Knowing It.
The Equivalence of Sampling and Searching Scott Aaronson MIT.

The Equivalence of Sampling and Searching Scott Aaronson MIT.
The Computational Complexity of Linear Optics Scott Aaronson and Alex Arkhipov MIT vs.

The Computational Complexity of Linear Optics Scott Aaronson and Alex Arkhipov MIT vs.
Scott Aaronson (MIT) BQP and PH A tale of two strong-willed complexity classes… A 16-year-old quest to find an oracle that separates them… A solution at.

Scott Aaronson (MIT) BQP and PH A tale of two strong-willed complexity classes… A 16-year-old quest to find an oracle that separates them… A solution at.
Quantum Computing with Noninteracting Bosons

Quantum Computing with Noninteracting Bosons
Solving Hard Problems With Light Scott Aaronson (Assoc. Prof., EECS) Joint work with Alex Arkhipov vs.

Solving Hard Problems With Light Scott Aaronson (Assoc. Prof., EECS) Joint work with Alex Arkhipov vs.
Local Hamiltonians in Quantum Computation Funding: Slovak Research and Development Agency, contract No. APVV- 0673-07, European Project QAP 2004-IST- FETPI-15848,

Local Hamiltonians in Quantum Computation Funding: Slovak Research and Development Agency, contract No. APVV , European Project QAP 2004-IST- FETPI-15848,

Similar presentations

Ads by Google