Quantum Algorithms & Complexity
Umesh Vazirani U.C. Berkeley
One does not, by knowing all the physical laws as we know them today, immediately obtain an understanding of anything much. (Richard Feynman, 1918-1988)
Quantum computers are the only known model of computation that violates the Extended Church-Turing thesis.
Goals of Quantum Algorithms/Complexity
• Find exponential speedups for a range of natural computational problems.
• Establish the limits of quantum algorithms.
• Relate quantum complexity classes, such as BQP and QMA, to classical complexity classes, such as BPP, MA, PH.
Far reaching implications for cryptography, computational complexity, physics, … Each of these gives its own unique flavor to the questions.
Quantum resistant cryptography
• Quantum computers break much of modern cryptography. RSA (factoring), Diffie-Hellman (discrete log), Elliptic curve crypto, Buchmann-Williams (Pell eqn)…
• Suppose we had a classical cryptosystem that was as efficient and convenient as RSA, but was provably not breakable even on a quantum computer.
• Then there would be an incentive to switch to the new cryptosystem, well before a large scale quantum computer were experimentally realized.
• Suppose we had a very efficient classical cryptosystem that we believed was quantum resistant. What kind of evidence could we present to “prove” it? (Don’t have a working quantum computer to run heuristics)
• The answer relies crucially on our understanding of the power and limitations of quantum computers.
Hidden Subgroup Problem
G finite group. H subgroup of G. Given black box that evaluates f: G -> S:
f is constant on cosets of H. Determine H.
• G abelian: lens = Fourier transform over G. Polynomial time quantum algorithm.
Shor: factoring. $G = \mathbb{Z}_N$. Period finding. Discrete log. $G = \mathbb{Z}_p \times \mathbb{Z}_p$.
[Hallgren] Pell’s equation
[van Dam, Hallgren, Ip] Hidden shift problems, Breaking homomorphic encryption
[van Dam, Seroussi] Gauss sums
Quantum Algorithm for Abelian HSP
Random coset state: use f to set up state
$|gH\rangle = \frac{1}{\sqrt{|H|}} \sum_{h \in H} |gh\rangle$
FT + measurement gives uniformly random element of H
Think of this as a random linear constraint on H …
[Figure: FT over G]
Non-abelian hidden subgroup problem
Lens = (non-abelian) Fourier transform over G.
• Graph Isomorphism: $S_N$, symmetric group.
• Short vector in lattice: $D_N$, dihedral group.
Finding short vector not easy!
[Regev]
• Finding short lattice vectors closely related to Dihedral HSP.
• Random coset state preparation + Fourier sampling gives sufficient info to reconstruct subgroup.
• But classically reconstructing subgroup appears to be very difficult. Related to subset sum.
• Kuperberg’s quantum reconstruction algorithm.
Lattice Problems
$2^{O(n)}$
Public-key cryptosystems based on Quantum hardness of Shortest Lattice Vector.
[Ajtai-Dwork] cryptosystem.
[Regev]
• Improved efficiency based on assumption that finding short lattice vectors is hard for quantum algorithms.
• New cryptosystem resembles hardness of solving noisy linear equations mod p.
• Worst-case to average case reduction.
Learning with errors
Linear equations in n variables over $\mathbb{Z}_p$ for p prime, where $n^2 < p < 2n^2$.
m noisy equations: $\langle a_i, s \rangle \approx b_i$
where $a_1, \ldots, a_m \in \mathbb{Z}_p^n$, $e_i = b_i - \langle a_i, s \rangle$,
and $e_i$ is Gaussian with mean 0 and standard deviation $n^{1.5}$.
Theorem [Regev]: LWE is as hard as approximating the shortest vector in a lattice to within $n^{1.5}$.
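The LWE instance described above, as an added example that is not part of the original slides: it samples equations with the slide's parameters and shows that Gaussian elimination recovers s from noise-free equations but not from noisy ones. The function names, n = 8, m = 4n and the seed are assumptions chosen for illustration.

```python
import random

def next_prime(lo):
    """Smallest prime > lo (trial division is enough for toy sizes)."""
    p = lo + 1
    while any(p % d == 0 for d in range(2, int(p ** 0.5) + 1)):
        p += 1
    return p

def lwe_samples(n, m, p, sigma, rng):
    """Constructed instance: b_i = <a_i, s> + e_i mod p, e_i a rounded Gaussian."""
    s = [rng.randrange(p) for _ in range(n)]
    A = [[rng.randrange(p) for _ in range(n)] for _ in range(m)]
    b = [(sum(x * y for x, y in zip(a, s)) + round(rng.gauss(0, sigma))) % p
         for a in A]
    return s, A, b

def solve_mod_p(A, b, p):
    """Gauss-Jordan elimination over Z_p; None if A lacks full column rank."""
    n = len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, len(M)) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)          # modular inverse of the pivot
        M[col] = [v * inv % p for v in M[col]]
        for r in range(len(M)):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(v - f * w) % p for v, w in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def demo(n=8, seed=1):
    """Return (recovered s without noise?, recovered s with sigma = n^1.5?)."""
    rng = random.Random(seed)
    p = next_prime(n * n)            # a prime with n^2 < p < 2n^2
    m = 4 * n                        # assumed number of equations
    s0, A0, b0 = lwe_samples(n, m, p, 0.0, rng)
    s1, A1, b1 = lwe_samples(n, m, p, n ** 1.5, rng)
    return solve_mod_p(A0, b0, p) == s0, solve_mod_p(A1, b1, p) == s1

if __name__ == "__main__":
    print(demo())
```

Elimination solves the pivot equations exactly, so any nonzero error in them is carried into the recovered vector; this is why the noise-free system is easy and the noisy one is not solved by linear algebra alone.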
Worst-case to average-case reduction
• LWE specifies an average-case problem. Inputs sampled from a fixed distribution.
• Quantum reduction showing that an arbitrary lattice problem (worst-case) can be mapped to LWE.
• Example of the quantum method. Prove a purely classical statement by quantum methods. [Kerenidis, de Wolf] lower bounds for locally decodable codes.
LWE and Lattices
• Lattice L = {integer linear combinations of $u_1, \ldots, u_n$}
• Dual lattice L* = {v: <v,u> integer for all u in L}
• L* is the Fourier transform of L.
$D_L$, $D^*_L$
• Sampling from $D_L$ with small width Gaussian implies good approximation of shortest lattice vector.
• Polynomially large samples from $D_L$ yield an unbiased estimator for $D^*_L$. If the width of the Gaussian is large, this gives a way of, given x, approximating the closest lattice vector to x in L*.
• Quantum reduction, given algorithm for approximating closest vector in L*, to sampling from $D_L$.
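$\sum_{x \in L} \sum_{y} e^{-\|y/w\|^2} |x\rangle|y\rangle \;\to\; \sum_{x \in L} \sum_{y} e^{-\|y/w\|^2} |x\rangle|x+y\rangle \;\to\; \sum_{x \in L} \sum_{y} e^{-\|y/w\|^2} |0\rangle|x+y\rangle$
To erase x, compute x given z = x + y: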
Improving the Efficiency
Based on cyclic lattices:
• Lattices where the basis consists of vector v, and all its cyclic shifts.
• Much more succinct. Key size $n^2 \to n$
• Faster computation – use Fourier transforms.
• [Peikert, Rosen] collision resistant hash functions.
• [Gentry] Homomorphic encryption.
Open Questions
• Is there a quantum algorithm to find a short vector in a cyclic lattice?
• Does the van Dam, Hallgren, Ip quantum algorithm for breaking homomorphic encryption extend to Gentry’s scheme?
• Is it possible to speed up Kuperberg’s quantum reconstruction algorithm for the dihedral HSP?
• Is it possible to design a public-key cryptosystem based on cyclic lattices?
Greater Security?
[Hallgren, Moore, Roettler, Russell, Sen 06] provide very strong evidence of quantum hardness:
For sufficiently non-abelian groups. E.g. $S_n$, $GL_n$; in particular: graph isomorphism. Sufficiently non-abelian ~ exponential sized irreps + …
$Hg_1 \quad Hg_2 \quad \cdots \quad Hg_k$
k < poly(n) implies exponentially many measurements
Can one base public-key cryptography on these stronger impossibility results?
[Moore, Russell, V] One-way function, related to McEliece cryptosystem, based on hardness of HSP over 2ZGLn
An Old Question in Quantum Complexity Theory
• Is BQP ⊆ PH?
• [Bernstein, V ‘93] There is an oracle A: $BQP^A \not\subseteq MA^A$.
Conjectured that same holds for PH – that recursive Fourier sampling is in BQP but not in PH.
• [Aaronson ‘09] Conjecture: Fourier checking is in BQP, but not in PH.
Proof that this is true under the generalized Linial-Nisan conjecture.
The original Linial-Nisan conjecture states that log n-wise independent distributions fool AC0 circuits. Resolved by Braverman. Generalized = almost log n-wise.
Hamiltonian Complexity
• $H = H_1 + \ldots + H_m$, each $H_i$ k-local.
• [Kitaev] Computing ground energy of H is QMA-hard.
• [Aharonov, et al.] Adiabatic quantum computation is universal.
• [Hastings] Area law for 1-D local Hamiltonians. Efficient simulation of gapped Hamiltonians.
• [Aharonov, Gottesman, Irani, Kempe] Computing ground states of 1-D local Hamiltonians QMA-hard.
Computational complexity <--> condensed matter physics
Quantum PCP theorem?
• Given a promise that k-local Hamiltonian H has either ground energy 0 or cm for constant c, determine which.
• Classical PCP theorem is a cornerstone of classical complexity theory.
• Theory of inapproximability, room temperature QC
• [Aharonov, Arad, Landau, V] quantum gap amplification.
• How do you verify a theory where you require exponential resources to calculate the predicted outcome of the experiment?
One-way function. Start with P, Q primes. Multiply N = PQ. See if quantum computer can factor.
• How do you verify the claims of a company New-Wave, that claims to have built a quantum computer?
[Aharonov, et al.], [Broadbent, et al.] Quantum interactive proofs.
Conclusions
Quantum algorithms and complexity theory explore fundamental questions with profound implications:
• Quantum resistant cryptography.
• Probabilistic method <--> quantum method
Quantum complexity <--> classical complexity
• Quantum complexity theory <--> condensed matter physics
• Verifying quantum computations.