The Learnability of Quantum States


The Collision Lower Bound After 12 Years
Lower bound for a collision problem
Scott Aaronson (MIT)
January 2002: As a grad student, I visit
Israel for the first time, and give a talk at
HUJI about the collision lower bound,
which I’d proved a couple months prior.
Avi Wigderson urges me to get to the
point faster.
Plan of talk:
What is the collision lower bound?
What’s new in the last decade?
What open problems remain?
Black-Box Quantum Computation
Given a function f:[n]→[m], want to determine some
property of f: e.g. is it periodic?
Crucial assumption: can only learn about f by
making “quantum queries”; no internal access
Models how many quantum algorithms actually work
Some Well-Known Examples:
Grover search (is there an x such that f(x)=1?):
Θ(√n) queries to f are necessary and sufficient
Periodicity of f:
O(1) queries suffice
Between 2 queries, can
apply arbitrary unitary
transformation
independent of f
“Complexity” = Minimum number of
queries used by optimal algorithm
that succeeds w.h.p. for every f
The Collision Problem
Given a 2-to-1 function f:[n]→[n], find a collision
(i.e., two inputs x,y such that f(x)=f(y))
10 4 1 8 7 9 11 5 6 4 2 10 3 2 7 9 11 5 1 6 3 8
Interesting Variant: Promised that f is either 2-to-1 or 1-to-1,
decide which
Models the breaking of collision-resistant hash
functions—a central problem in cryptanalysis
“Birthday Paradox”: Classically, Θ(√n) queries to
f are necessary and sufficient to succeed with
high probability
Brassard-Høyer-Tapp (1997): O(n^{1/3})
quantum collision-finding algorithm
Grover’s algorithm
over n^{2/3} f(x) values
Do I collide with any
of the pink values?
n^{1/3} f(x) values, queried
classically, sorted for fast lookup
Could there be a quantum collision-finding
algorithm that made only O(1) queries to f?
“Almost!”
Measure 2nd
register
“We’re not looking for a needle in a haystack—just for
two identical pieces of hay!”
Observation: Every 1-to-1 function differs from every
2-to-1 function in at least n/2 places
So we can’t use, e.g., the optimality of Grover to rule
out a fast quantum algorithm for the collision problem
So, how can we rule out a superfast
quantum collision-finder?
What eventually worked was the polynomial method
(Beals et al. 1998)
$$\deg(p) \ge \sqrt{\frac{n \max_{0 \le x \le n} |p'(x)|}{2 \max_{0 \le x \le n} |p(x)|}}$$
Let
$$\Delta(x,h) = \begin{cases} 1 & \text{if } f(x) = h \\ 0 & \text{otherwise} \end{cases}$$
Lemma: If a quantum algorithm makes T queries to f,
the probability p(f) that it accepts is a degree-2T
polynomial in the Δ(x,h)’s
Now let
$$q(k) = \mathop{\mathrm{EX}}_{k\text{-to-1 functions } f} \left[ p(f) \right]$$
be the expected acceptance probability on a random
k-to-1 function
The Miracle:
q(k) is itself a polynomial in k, of
degree at most 2T
Why?
$$\begin{aligned}
\mathop{\mathrm{EX}}_{k\text{-to-1 functions } f} \left[ \prod_{h=1}^{r} \prod_{j=1}^{d_h} \Delta(x_{h,j}, h) \right]
&= \frac{\binom{n-r}{n/k-r} \cdot \dfrac{(n-d)!}{(k!)^{n/k-r} \prod_{h=1}^{r} (k-d_h)!}}{\binom{n}{n/k} \cdot \dfrac{n!}{(k!)^{n/k}}} \\
&= \frac{(n-r)!\,(n-d)!}{n!\,n!} \cdot \frac{(n/k)!}{(n/k-r)!} \cdot \prod_{h=1}^{r} \frac{k!}{(k-d_h)!} \\
&= \frac{(n-r)!\,(n-d)!}{n!\,n!} \cdot \frac{n}{k}\left(\frac{n}{k}-1\right) \cdots \left(\frac{n}{k}-r+1\right) \prod_{h=1}^{r} k(k-1) \cdots (k-d_h+1) \\
&= \frac{(n-r)!\,(n-d)!}{n!\,n!} \cdot n(n-k) \cdots (n-rk+k) \prod_{h=1}^{r} (k-1) \cdots (k-d_h+1)
\end{aligned}$$
which is a degree-d polynomial in k. That’s why.
Technicality: What if k doesn’t divide n?
My way to resolve that technicality (+ Markov’s
Inequality) led to an Ω(n^{1/5}) quantum lower bound
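Added example (not from the original slides): a brute-force check, for small n, that the probability a random k-to-1 function satisfies a monomial matches the closed form (n-r)!(n-d)!/(n!n!) · (n/k)!/(n/k-r)! · ∏ k!/(k-d_h)!. A monomial is written as a list of (x, h) pairs with distinct inputs x, meaning f(x)=h; r is the number of distinct h values, d_h the number of inputs pinned to h, and d their total. The function names and sample monomials are constructed for illustration.

```python
from collections import Counter
from fractions import Fraction
from functools import lru_cache
from itertools import product
from math import factorial

def falling(a, m):
    """a(a-1)...(a-m+1); becomes 0 once a factor reaches 0."""
    out = 1
    for i in range(m):
        out *= a - i
    return out

@lru_cache(maxsize=None)
def k_to_1_functions(n, k):
    """All f:[n]->[n], as tuples, whose attained values each have exactly k preimages."""
    return tuple(f for f in product(range(n), repeat=n)
                 if all(c == k for c in Counter(f).values()))

def brute_force(n, k, monomial):
    """Fraction of k-to-1 functions with f(x) == h for every (x, h) in the monomial."""
    fs = k_to_1_functions(n, k)
    hits = sum(all(f[x] == h for x, h in monomial) for f in fs)
    return Fraction(hits, len(fs))

def closed_form(n, k, monomial):
    """(n-r)!(n-d)!/(n!n!) * (n/k)!/(n/k-r)! * prod_h k!/(k-d_h)!  (k must divide n)."""
    d_h = Counter(h for _, h in monomial)      # number of inputs pinned to each value h
    r, d = len(d_h), len(monomial)
    value = Fraction(factorial(n - r) * factorial(n - d), factorial(n) ** 2)
    value *= falling(n // k, r)                # (n/k)(n/k - 1)...(n/k - r + 1)
    for count in d_h.values():
        value *= falling(k, count)             # k(k-1)...(k - d_h + 1)
    return value

# Constructed sample monomials over [6]: lists of (x, h) pairs with distinct x.
MONOMIALS = [
    [(0, 3)],
    [(0, 3), (1, 3)],
    [(0, 3), (1, 4)],
    [(0, 0), (1, 0), (2, 5)],
    [(0, 1), (1, 1), (2, 1)],
]

def formula_matches(n=6, ks=(1, 2, 3, 6)):
    """True if enumeration and the closed form agree for every k and sample monomial."""
    return all(brute_force(n, k, m) == closed_form(n, k, m)
               for k in ks for m in MONOMIALS)

if __name__ == "__main__":
    print(formula_matches())
```

The falling-factorial form also returns 0 when a monomial is unsatisfiable, for example when more than k inputs are pinned to one value or more than n/k distinct values are required.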
Improvements
Shi 2002: Ω(n^{1/4})  Ω(n^{1/3}) lower bound, but only for
f:[n]→[m] where m>>n
Ambainis, Kutin: Ω(n^{1/3}) with no range restriction
Element Distinctness: Simply decide whether f has
any collisions, with no promise
3 8 2 6 1 9 7 4 2 0 5
Ω(n^{1/3}) lower bound for Collision ⇒ Ω(n^{2/3}) lower
bound for Element Distinctness! (Why?)
Ω(n^{2/3}) is optimal, by Ambainis 2003
Application: Graph Isomorphism

If we had a fast quantum algorithm for Collision,
then we could easily solve GI! For example, by
looking for collisions in
σ_1(G),…,σ_{n!}(G), σ_1(H),…,σ_{n!}(H)
Application: Quantum vs. Zero-Knowledge
Merlin
Arthur
Zero-Knowledge protocol for verifying that f is 1-to-1:
Arthur picks x, computes f(x), sends it to Merlin,
asks him what x was
Thus, collision lower bound shows that in a relativized
world, quantum computers can’t efficiently solve all
problems in Statistical Zero-Knowledge (SZK ⊄ BQP)
Application: Index Erasure
Given a 1-to-1 function f, the following map would be
useful for a huge number of quantum algorithms!
A. 2002: By generalizing collision lower bound,
showed this requires Ω(n^{1/7}) queries to f
Midrijanis 2004: Improved to
Ambainis et al. 2010: By harder, representation-theoretic
argument, improved to optimal Ω(√n)
Application: Hidden-Variable Theories
Observation (A. 2004): In theories like Bohmian mechanics,
if you could see the whole trajectory of a hidden variable at
once, you could solve the collision problem in O(1) steps
A “hidden-variable QC” could also do Grover
search in ~n^{1/3} steps—but not faster!
Almost the only model of computation I know
that’s “slightly” more powerful than QC
Conclusion: Not even a QC could efficiently sample
hidden-variable trajectories!
Application: Quantum-Secure PRFs
Goldreich, Goldwasser, Micali 1986:
Famous way to get a pseudorandom
function, f_s:{0,1}^n→{0,1}^n, starting from
a pseudorandom generator
But GGM’s security argument breaks down in
the presence of quantum adversaries, which
can look at all f_s values in superposition!
Zhandry 2012: New quantum-secure GGM security proof
Core of Zhandry’s argument (in retrospect): A fast
quantum algorithm to distinguish f_s from a random
function could be used to violate the collision lower bound!
The AMPS Firewall Paradox
R = Faraway Hawking Radiation
H = Near-Horizon and Horizon Modes
Near-maximal
entanglement
B = Interior
of “Old”
Black Hole
Also near-maximal
entanglement
Violates monogamy
of entanglement!
Harlow-Hayden 2013: Striking argument that Alice’s
decoding task would require exponential time
Complexity theory to the rescue of quantum field theory??
Abstraction of Alice’s computational problem:
Given a “pseudorandom” n-qubit pure state |ψ_BHR⟩
produced by a known, poly-size quantum circuit. Decide
whether, by acting only on R (the “Hawking radiation”),
it’s possible to distill EPR pairs between R and B (the
“black hole interior”)
Alice’s task is QSZK-complete. And by the collision lower
bound, QSZK is “unlikely” to equal BQP!
Arbitrary Symmetric Problems
Symmetric: Collision, element distinctness, Grover search…
Not Symmetric: Simon and Shor problems, AND/OR trees…
Conjecture (Watrous 2002): Randomized and quantum
query complexities are polynomially related for all
symmetric problems
Theorem (A.-Ambainis 2011): Watrous’s conjecture
holds! R = O(Q^9 polylog Q)
Still open whether this holds with  and no …
Short Quantum Proofs of Collision-Freeness?
Permutation Testing Problem: Given f:[n]→[n], decide
whether f is a permutation or ε-far from any permutation,
promised that one is the case
Generalizes collision, so certainly requires Ω(n^{1/3})
quantum queries
A. 2011: even given a w-qubit quantum witness in
support of f being a permutation, still need
quantum queries to verify the witness
Implies an oracle relative to which SZK ⊄ QMA
Open to extend to the original collision problem!
Separate Components Problem (SCP)
(Introduced by Lutomirski 2011, motivated by quantum money)
Given oracle access to permutations σ_1,…,σ_k:[n]→[n]
(where, say, k=polylog(n)), as well as their inverses.
Decide whether
(i) σ_1,…,σ_k are uniformly random, or
(ii) there’s a partition [n]=A∪B, |A|=|B| such that the
σ_i’s map A to A and B to B but are otherwise random.
QMA witness for case (ii):
Challenge: Prove SCP∉QCMA
I.e., show that any classical proof of case (ii) must either
have n^{Ω(1)} bits, or require n^{Ω(1)} quantum queries to verify
Would imply the first oracle separation between QCMA
and QMA, and probably also BQP/poly and BQP/qpoly.
“Quantum proofs and advice are good for something!”
A-Kuperberg 2007: Quantum oracle separations
Note that SCP  Index Erasure! Suggests we might need
far-reaching generalization of collision lower bound
Challenge: Time-Space Tradeoff
Conjecture: Any quantum algorithm for the collision
problem needs n^{1/2-o(1)} queries, if restricted to n^{o(1)}
qubits of memory
(I.e., many qubits were needed in the BHT algorithm)
Currently, we only know quantum time-space
tradeoffs for problems with many output bits!
(E.g., T^2 S=Ω(n^3) for sorting—Klauck, Špalek, de Wolf
2004)
Challenge: Adversary Proof of Collision Lower Bound
Ambainis 2000: Quantum adversary method
Most versatile quantum lower bound method known (more
“quantum” than polynomial method; handles much wider
range of problems)
Reichardt 2010: “Negative-weight” generalization of
adversary method is tight for all problems
Belovs 2012: Explicit Ω(n^{2/3}) adversary lower bound for
element distinctness
There must be an explicit Ω(n^{1/3}) adversary lower bound
for collision. So, find it!
Concluding Thoughts
No exponential quantum speedup
Abelian group problems
STRUCTURE
Grover search
Collision problem
Non-abelian group problems
Exponential quantum speedup
Each advance we’ve made, in figuring out which types of
structure quantum computers can and can’t exploit, has
led to unexpected conceptual lessons
For the “young people” here: Open problems beckon!