Quantum Algorithms & Complexity

Umesh Vazirani U.C. Berkeley

One does not, by knowing all the physical laws as we know them today, immediately obtain an understanding of anything much. (Richard Feynman, 1918-1988)

One does not, by knowing all the physical laws as we know them today, immediately obtain an understanding of anything much. (Richard Feynman, 1918-1988)

Quantum computers are the only known model of Computation that violate the Extended Church-Turing thesis.

• Find exponential speedups for a range of naturalcomputational problems.

• Establish the limits of quantum algorithms.

• Relate quantum complexity classes, such as BQP and QMA, to classical complexity classes, such as BPP, MA, PH.

Goals of Quantum Algorithms/Complexity

• Find exponential speedups for a range of naturalcomputational problems.

• Establish the limits of quantum algorithms.

• Relate quantum complexity classes, such as BQP and QMA, to classical complexity classes, such as BPP, MA, PH.

Goals of Quantum Algorithms/Complexity

Far reaching implications for cryptography, computational complexity, physics, … Each of thesegives its own unique flavor to the questions.

Quantum resistant cryptography

• Quantum computers break much of modern cryptography. RSA (factoring), Diffie-Helman (discrete log), Elliptic curve crypto, Buchmann-Williams (Pell eqn)…

• Suppose we had a classical cryptosystem that was

as efficient and convenient as RSA, but was provably

not breakable even on a quantum computer.

• Then there would be an incentive to switch to the

new cryptosystem, well before a large scale quantum

computer were experimentally realized.

• Suppose we had a very efficient classical

cryptosystem that we believed was quantum resistant.

What kind of evidence could we present to “prove” it?

(Don’t have a working quantum computer to run heuristics)

• The answer relies crucially on our understanding of

the power and limitations of quantum computers.

Hidden Subgroup Problem

G finite group. H subgroup of G. Given black box that evaluates f: G -> S:

f is constant on cosets of H.Determine H.

• G abelian: lens = fourier transform over G. polynomial time quantum algorithm.

Shor: factoring. G = ZN. Period finding. discrete log. G = Zp x Zp

[Hallgren] Pell’s equation[van Dam, Hallgren, Ip] Hidden shift problems, Breaking homomorphic encryption[van Dam, Seroussi] Gauss sums

G:

Quantum Algorithm for Abelian HSP

G:

Hhi ghH

gH1

Random coset state: use f to set up state

gH =

FT + measurement gives uniformly random element of H

Think of this as a random linear constraint on H …

FT over G:

H

FT over G

Graph Isomorphism

SN Symmetric group

Finding short vector not easy!

Short vector in Lattice:

DN Dihedral group

Non-abelian hidden subgroup problem

Lens = (non-abelian) fourier transform over G.

[Regev]

• Finding short lattice vectors closely related to Dihedral HSP.

• Random coset state preparation + Fourier samplinggives sufficient info to reconstruct subgroup.

• But classically reconstructing subgroup appears to be very difficult. Related to subset sum.

• Kuperberg’s quantum reconstruction algorithm.

Lattice Problems

)(2 nO

Public-key cryptosystems based on Quantum hardness of Shortest Lattice Vector.

[Ajtai-Dwork] cryptosystem.

[Regev]

• Improved efficiency based on assumption that finding short lattice vectors is hard for quantum algorithms.

• New cryptosystem resembles hardness of solving noisy

linear equations mod p.

• Worst-case to average case reduction.

Learning with errors

Linear equations in n variables over Zp for p prime,where n2 < p < 2n2

m noisy equations:

where

and is gaussian with mean 0 and standarddeviation n1.5

npm Zaa ,,1

iii bsae ,

ii bsa ,

Theorem [Regev]: LWE is as hard as approximatingthe shortest vector in a lattice to within n1.5

Worst-case to average-case reduction

• LWE specifies an average-case problem. Inputs sampled from a fixed distribution.

• Quantum reduction showing that an arbitrary lattice problem (worst-case) can be mapped to LWE.

• Example of the quantum method. Prove a purely classical statement by quantum methods. [Kerenidis, deWolf] lower bounds for locally

decodable codes.

LWE and Lattices

• Lattice L = {integer linear combinations of u1, …, un }

• Dual lattice L* = {v: <v,u> integer for all u in L}

• L* is the fourier transform of L.

LWE and Lattices

• Lattice L = {integer linear combinations of u1, …, un }

• Dual lattice L* = {v: <v,u> integer for all u in L}

• L* is the fourier transform of L.

DLD*

L

DL D*L

• Sampling from DL with small width Gaussian implies good approximation of shortest lattice vector.

• Polynomially large samples from DL yield an unbiased estimator for D*

L . If the width of the Gaussian is large, this gives a way of, given x, approximating the closest lattice vector to x in L*.

• Quantum reduction, given algorithm for approximating closest vector in L*, to sampling from DL .

DL D*L

• Sampling from DL with small width Gaussian implies good approximation of shortest lattice vector.

• Polynomially large samples from DL yield an unbiased estimator for D*L .

If the width of the Gaussian is large, this gives a way of, given z, approximating the closest lattice to z.

• Quantum reduction, given algorithm for approximating closest vector in L*, to sampling from DL .

yxe

yxexyex

y

wy

Lx

y

wy

Lxy

wy

Lx

/

//

2

22

0To erase x, compute x given z=x+y:

Based on cyclic lattices:

• Lattices where the basis consists of vector v, and all its cyclic shifts.

• Much more succinct. Key size n2 -> n

• Faster computation – use Fourier transforms.

• [Piekart, Rosen] collision resistant hash functions.

• [Gentry] Homomorphic encryption.

Improving the Efficiency

Open Questions

• Is there a quantum algorithm to find a short vector in a cyclic lattice?

• Does the van Dam, Hallgren, Ip quantum algorithm for breaking homomorphic encryption extend to Gentry’s scheme?

• Is it possible to speed up Kuperberg’s quantum reconstruction algorithm for the dihedral HSP?

• Is it possible to design a public-key cryptosystem based on cyclic lattices?

For sufficiently non-abelian groups. Eg Sn, GLn

in particular: graph isomorphism. Sufficiently non-abelian ~ exponential sized irreps + …

Greater Security?

Hg1 Hg2 Hgk

k < poly(n) implies exponentially many measurements

[Hallgren, Moore, Roettler, Russell, Sen 06] provide very strong evidence of quantum hardness:

Can one base public-key cryptography on these strongerimpossibility results?[Moore, Russell, V] One-way function, related to McElieseCryptosystem, based on hardness of HSP over 2ZGLn

• Find exponential speedups for a range of naturalcomputational problems.

• Establish the limits of quantum algorithms.

• Relate quantum complexity classes, such as BQP and QMA, to classical complexity classes, such as BPP, MA, PH.

Goals of Quantum Algorithms/Complexity

An Old Question in Quantum Complexity Theory

• Is BQP C PH?

• [Bernstein, V ‘93] There is an oracle A: BQPA C MAA

Conjectured that same holds for PH – that recursive fourier sampling is in BQP but not in PH.

• [Aaronson ‘09] Conjecture: Fourier checking is in BQP, but not in PH.

Proof that this is true under the generalized Linial-Nisanconjecture.

The original Linial-Nisan conjecture states that logn-wise independent distributions fool AC0 circuits. Resolved by Braverman. Generalized = almost logn-wise.

Hamiltonian Complexity

• H = H1 + … + Hm , each Hi k-local.

• [Kitaev] Computing ground energy of H is QMA-hard.

• [Aharonov, et. al.] Adiabatic quantum computation is universal.

• [Hastings] Area law for 1-D local Hamiltonians. Efficient simulation of gapped Hamiltonians.

• [Aharonov, Gottesman, Irani, Kempe] Computing ground states of 1-D local Hamiltonians QMA-hard.

Computational complexity <--> condensed matter physics

Quantum PCP theorem?

• Given a promise that k-local hamiltonian H has

either ground energy 0 or cm for constant c,

determine which.

• Classical PCP theorem is a cornerstone of classical

complexity theory.

• Theory of inapproximability, room temperature QC

• [Aharonov, Arad, Landau, V] quantum gap amplification.

• How do you verify a theory where you require exponential resources to calculate the predictedoutcome of the experiment?

One-way function. Start with P, Q primes. Multiply N = PQ. See if quantum computer canFactor.

• How do you verify the claims of a companyNew-Wave, that claims to have built a quantum Computer?

[Aharonov, et. Al.], [Broadbent, et. Al.] Quantum interactive proofs.

Conclusions

• Quantum resistant cryptography.

• Probabilistic method <--> quantum method

Quantum complexity <--> classical complexity

• quantum complexity theory <--> condensed matter physics

• Verifying quantum computations.

Quantum algorithms and complexity theory explore fundamental questions with profound implications: