The Future (and Past) of Quantum Lower Bounds by Polynomials

Download Report

Transcript The Future (and Past) of Quantum Lower Bounds by Polynomials 

(and Past) of Quantum
Lower Bounds by Polynomials
The Future
Scott Aaronson
UC Berkeley
Outline
1. The quantum query model
2. Quantum lower bounds for collision and set
comparison problems
3. Open problems
Quantum Query Model
Count only number of queries, not number of
computational steps
Let X=xi…xn be input
In quantum algorithm, each basis state has
form |i,z, where
i = index to query
z = workspace
Query transformation O maps each |i,z to
|i,zxi
(i.e. XOR’s xi into workspace)
Quantum Query Model (con’t)
Algorithm consists of interleaved queries and
unitaries:
U0  O  U1  …  UT-1  O  UT
Ut: arbitrary unitary that doesn’t depend on xi’s
(we don’t care how hard it is to implement)
At the end we measure to obtain a basis state
|i,z, then output (say) first bit of z
Quantum Query Complexity
Let f(X) be the function we’re trying to compute
Algorithm computes f if it outputs f(X) with
probability at least 2/3 for every X
Q(f) = minimum # of queries made by quantum
algorithm that computes f
Immediate: Q(f)  R(f)  D(f)
R(f) = randomized query complexity
D(f) = deterministic query complexity
Why Is This Model Interesting?
• Because we can prove things
Search for car
keys here
Quantum lower bounds for
collision and set
comparison problems
Collision Problem
• Given
X  x1
xn : 1,
, n  1,
, n
• Promised:
(1) X is one-to-one (permutation) or
(2) X is two-to-one
• Problem: Decide which w.h.p., using few
queries to the xi
• Randomized alg: (n)
Result
• Any quantum algorithm for the
collision problem uses (n1/5)
queries (A, STOC’2002)
• Shi improved to (n1/4)
(n1/3) when |range|  3n/2
• Previously no lower bound better
than (1). Open since 1997
Implications
•
Oracle A for which SZKA  BQPA
– SZK: Statistical Zero Knowledge
•
No “trivial” polytime quantum algorithms for
– graph isomorphism
– nonabelian hidden subgroup
– breaking cryptographic hash functions
Brassard-Høyer-Tapp (1997)
(n1/3) quantum alg for collision problem
Grover’s algorithm
over n2/3 xi’s
Do I collide with
any of the pink xi’s?
n1/3 xi’s, queried classically,
sorted for fast lookup
Previous Lower Bound Techniques
• Block sensitivity (Beals et al. 1998):
Q(f) = (bs(f))
• Quantum adversary method
(Ambainis 2000)
• Problem: Every 1-1 input differs in
at least n/2 places from every 2-1
input
P(X) = acceptance probability on input X
1 if xi  h 
  xi , h   

0 otherwise 
Proposition (follows Beals et al. 1998):
P(X) is a polynomial of degree  2T over
the (xi,h)
Proof: Initially, amplitude i,z of each |i,z is a
degree-0 polynomial over the (xi,h).
A query replaces each i,z by

i , z h
  xi , h ,
h
increasing its degree by 1. The Ut’s can’t
increase degree.
At the end, squaring amplitudes doubles
degree.
Input Distribution
• D(g): Uniform distribution over g-to-1
inputs
• Technicality: g might not divide n
But assume for simplicity that it does
• Let
P  g   EX X D g  P  X 
• Problem: Show that, if T=O(n), then
P(g) is a univariate polynomial of
degree  2T for integers 1gn
Monomials of P(X)
• I(X) = product of r variables (xi,h)
• Let
  I , g   EX X D g  I  X  .
• Then for some I, P  g  

I :r  2T
 I   I , g .
Calculating (I,g): #1
• “Range” of I: Y.
w=|Y|.
• (I,g) = 0 unless YS (“range” of X)
• So
since
 nw 


n
/
g

w

Pr Y  S   
 n 


n/ g
n
n
S  
 2T  r.
g
n
Calculating (I,g): #2
• Given an S containing Y,
# of g-to-1 inputs of size n: n!/(g!)n/g
• Let {y1,…,yw} be distinct values in Y
–ri = # of times yi appears in Y
–r1 + … + rw = r
• # of g-to-1 inputs X with range S s.t. I(X)=1:
 n  r !
 g !
n / g w
w
  g  r !
i 1
i
Becomes ~polynomial(g)
w r 1
n  w  ! n  r  ! w1

 I, g 
 n  gi   g  j 

2
i 0
i 1 j 1
 n !
i
Polynomial in g of degree
w + (r-w) = r  2T
Markov’s Inequality
Let p be a polynomial bounded in [0,b] in the
interval [0,a], that has derivative at least c
somewhere in that interval. Then
c
ac
deg  p  
.
b
b
a
Lower Bound
• 0  P(g)  1 for all 0  g  n
• P(1)  1/10 and P(2)  9/10
So dP/dg  4/5 somewhere
• (n1/4) lower bound would follow if g
always divided n
• Can fix to obtain an (n1/5) bound
Shi found a better way to fix
Set Comparison
• What the SZKA  BQPA result actually uses
• Input: f,g : {1,…,2n}  {1,…,n}
• Promise: Either
(1) Range(f) = Range(g) or
(2) |Range(f)  Range(g)| > 1.1n
• Problem: Decide which w.h.p.
• Result: (n1/7) quantum lower bound
Idea
• Take the total range from which X and Y are
drawn to have size 2n/g
• Draw X and Y individually from sub-ranges of
size n/(g), where
  g   4g 12g  9
2
so (1)=(2)=1, yet n/(g)  2n/g for g > 2
• Again acceptance prob. is a polynomial in g
• That  grows quadratically weakens the bound
from (n1/5) to (n1/7)
Open Problems
Other ‘Collisionoid’ Functions
• Set equality: Suppose either
(1) Range(f) = Range(g)
or
(2) Range(f)  Range(g) = 
The best quantum lower bound is still (1)!
• Element distinctness: Decide whether there exist ij
such that xi=xj
– Quantum upper bound: O(n3/4) (Buhrman et al. ‘01)
– Quantum lower bound: (n2/3) (Shi ‘02)
• Conjecture (Watrous): R(f) and Q(f) are polynomially
related for every symmetric function
Trees!
n
Is Q(f) = O(deg(f)) for
every f?
AND
Conjecture: No
OR
AND
n
n
2-level game tree
Ambainis’ adversary
method yields (n)
But best known
polynomial lower bound
is ((n log n)1/4) (Shi ‘01)
1 if x  y  z  1, 2 
E  x, y, z   

0 otherwise

E
E
E
E
deg  f   n
log3 2
Is SZK  QMA Relative to an Oracle?
In the collision problem, suppose
f:{0,1}n{0,1}n is 1-to-1 rather
than 2-to-1.
Can you give me a polynomialsize quantum certificate, by
which I can verify that fact in
polynomial time?
Generalizing the Polynomial Method
• Instead of a polynomial P(X), have a positive
semidefinite matrix (X)
• Every entry of (X) is a polynomial in X of degree 
2T
• For all X, all eigenvalues of (X) must lie in [0,1]
• Acceptance probability = maximum eigenvalue
•  is 2m2m, where m = size of certificate
• Can we show collision function is not
represented by a low-degree “matrix polynomial”?
Randomized Certificate Complexity RC(f)
RC(f) = maxXRCX(f)
RCX(f) = min # of randomized queries needed to
distinguish X from any Y s.t. f(Y)f(X) with ½ prob.
Quantum Certificate Complexity QC(f)
Example: For f=MAJ(x1,…,xn), letting X=00…0,
RCX(MAJ) = 1
A 2002: QCX(f) = (RCX(f)) (uses adversary method)
Can this be shown using polynomial method?