On the Computational Complexity of Decoding

Download Report

Transcript On the Computational Complexity of Decoding 

The Cryptographic Hardness of
Decoding Hawking Radiation
Scott Aaronson (MIT)
Black Holes and Computational
Complexity??
QAM
AM
QSZK
SZK
BQP
BPP
YES!
Amazing connection made last year by Harlow & Hayden
But first, let’s review 40 years of black hole history
Bekenstein, Hawking 1970s: Black holes have entropy and
temperature! They emit radiation
The Information Loss Problem: Calculations suggest that
Hawking radiation is thermal—uncorrelated with whatever
fell in. So, is infalling information lost forever? Would violate
the unitarity / reversibility of QM
OK then, assume the information somehow gets out!
The Xeroxing Problem: How could the same qubit | fall
inexorably toward the singularity, and emerge in Hawking
radiation? Would violate the No-Cloning Theorem
Black Hole Complementarity (Susskind, ‘t Hooft): An external
observer can describe everything unitarily without including
the interior at all! Interior should be seen as “just a
scrambled re-encoding” of the exterior degrees of freedom
The Firewall Paradox (AMPS 2012)
R = Faraway Hawking Radiation
H = Just-Emitted Hawking Radiation
Near-maximal
entanglement
B = Interior
of “Old”
Black Hole
Also near-maximal
entanglement
Violates monogamy of entanglement! The same
qubit can’t be maximally entangled with 2 things
Harlow-Hayden 2013 (arXiv:1301.4504): Striking argument
that Alice’s first task, decoding the entanglement
between R and H, would require exponential time
Complexity theory to the rescue of quantum field
theory??
Two obvious questions:
(1) Who cares if this is true?
(2) Is it true? Does the decoding task require exponential
time?
Caveats of Complexity Arguments
1. Asymptotic
E.g., 88 chess takes O(1) time! Only for nn chess can we
give evidence of hardness. But for black holes, n1070…
2. (Usually) Conjectural
Right now, we can’t even prove P≠NP! To get where we
want, we almost always need to make assumptions.
Question is, which assumptions?
3. Worst-Case
We can argue that a natural formalization of Alice’s
decoding task is “generically” hard. We can’t rule out that
a future quantum gravity theory would make her task easy,
for deep reasons not captured by our formalization.
Quantum Circuits
The HH Decoding Problem
Given a description of a quantum circuit C, such that
C0
n

BHR
Promised that, by acting only on R (the “Hawking
radiation part”), it’s possible to distill an EPR pair
0 0 1 1
2
between R and H
Problem: Distill such an EPR pair, by applying a unitary
transformation UR to the qubits in R
Isn’t the Decoding Task Trivial?
Just invert C!
Problem: That would require waiting until the black
hole was fully evaporated ( no more firewall problem)
When the BH is “merely” >50% evaporated, we know
from Page’s argument that “generically,” there will exist
a UR that distills an EPR pair between R and B
But interestingly, Page’s argument doesn’t suggest any
efficient procedure to find UR or apply it!
The HH Hardness Result
Set Equality: Given two efficiently-computable injective
functions f,g:{0,1}n{0,1}p(n). Promised that Range(f) and
Range(g) are either equal or disjoint. Decide which.
In the “black-box” setting, this problem requires at least
~2n/3 steps, even with a QC (A. 2002  Zhandry 2013).
For explicit f,g, we can’t prove unconditional hardness,
but solving it would give Graph Isomorphism, SZK…
Theorem (Harlow-Hayden): Suppose there’s a
polynomial-time quantum algorithm for HH decoding.
Then there’s also a polynomial-time quantum algorithm
for Set Equality (and indeed, QSZK=BQP)
The HH Construction

RHB

1
2n1
  x,0
x0,1n
R
0
H
f x  B  x,1 R 1 H g x 
B

(easy to prepare in poly(n) time given f,g)
Intuition: If Range(f) and Range(g) are disjoint, then the B
register decoheres all entanglement between R and H,
leaving only classical correlation
If, on the other hand, Range(f)=Range(g), then there’s
some permutation of the |x,1R states that puts the last
qubit of R into an EPR pair with H
Thus, if we had a reliable way to distill EPR pairs whenever
possible, then we could also decide Set Equality
My Alternative Hardness Result
One-Way Function (OWF): A collection of functions
f:{0,1}n{0,1}p(n) (one for each n) such that:
1. f(x) is computable in poly(n) time
2. For all polynomial-time adversaries A,
1
Pr n  f  A f x   f x  
x0,1
polyn 
“Standard workhorses” of modern cryptography. Widely
believed that there exist OWFs secure even against QCs
Theorem (A. 2013): Suppose there’s a poly-time quantum
algorithm for the HH decoding problem. Then there’s also a
poly-time quantum algorithm to invert any injective OWF

RHB

1
2n1
My Construction
p  n  n

x
0
,0 0 H  f x ,1 R 1 H  x B

R
x0,1n
(again, easy to prepare in poly(n) time given f)
Suppose applying UR to R decodes an EPR pair between R
and H. Then for some states {|x}x, we must have
p  n  n
U R x0
,0   x 0 , U R f  x ,1   x 1
So from UR, we can get unitaries V,W such that
V x0
p  n  n
 x ,
W f x    x
 V W f x   x0
1
p  n  n
Generalization to Arbitrary OWFs
Known Classical Fact: Given any OWF f, it’s possible to
produce another OWF g that, with probability at least
~1/n, is injective on at least a ~1/n fraction of its range
 1
 n1
 2

x0,1
n
 x0
p  n  n
,0
R
0
H
 g x ,1 R 1 H


x B

 cn
Now H is many qubits, not just one
But a more complicated argument shows that, if we
can distill even 1 EPR pair between R and H, we must
be able to invert g, and hence f
Comparison of Arguments
Advantages of my argument:
Existence of OWFs is a “safer” assumption than
hardness of finding collisions
Works even against “nonuniform” algorithms (which
spend exponential preparation time before the black
hole is formed)
Advantage of HH argument:
Works even if Alice gets access to H as well as R
Concluding Remarks
There’s good evidence that decoding Hawking radiation
requires an exponentially-long quantum computation
Admittedly, “real” black holes won’t produce states that
look anything like

RHB

1
2
n 1

 x0  
p n n
x0,1
n
,0
R
0
H

 f x ,1 R 1 H x
But intuitively, greater genericity seems like it should
only make Alice’s decoding task harder! Would be great
to formalize this (connections to quantum money?)
Would also be great if computational considerations
could give any clues about the black hole interior…
B
A Curious Open Problem
We’ve seen what computational powers are
necessary for Alice to solve the HH decoding problem
(inverting one-way functions, solving Set Equality)
What computational powers would suffice to let her
solve it in quantum polynomial time?
(Not obvious how to do it even if given, say, an oracle for the
halting problem…)