Exploring the Limits of the Efficiently Computable

(Or: Assorted things I’ve worked on, prioritizing variety over intellectual coherence)

Scott Aaronson (MIT) Papers & slides at www.scottaaronson.com

Quantum Mechanics in One Slide

Probability Theory:

s

11   

s n

1   

s

 1

n s nn

      

p



p n

1           

q



q n

1     

p i

 0 ,

i n

  1

p i

 1 Linear transformations that conserve 1-norm of probability vectors:

Stochastic matrices

Quantum Mechanics:

u

11   

u n

1    

i

 C ,

u

1

n



u nn

         

n

1       1     

n

 

i n

  1 

i

2  1 Linear transformations that conserve 2-norm of amplitude vectors:

Unitary matrices

Quantum Computing

A general entangled state of n qubits requires ~2 n to specify:    

x x x

  

n

amplitudes Presents an obvious practical problem when using conventional computers to

simulate

quantum mechanics

Feynman 1981:

So then why not turn things around, and build computers that

themselves

exploit superposition?

Could such a machine get any advantage over a classical computer with a random number generator? If so, it would have to come from

interference

between amplitudes

BQP (Bounded-Error Quantum Polynomial-Time):

The class defined by Bernstein and Vazirani in 1993

Shor 1994:

Factoring integers is in

BQP NP-complete BQP NP P

Factoring But factoring is not believed to be

NP

complete!

So, evidence for

P

≠

BQP

?

Limits of

BQP

?

BosonSampling

Suppose we just want a quantum system for which there’s good evidence that it’s hard to simulate classically—we don’t care what it’s useful for

A.-Arkhipov 2011, Bremner-Jozsa-Shepherd 2011:

In that case, we can plausibly improve both the hardware exact simulation of Experimental demonstrations with 3-4 BosonSampling is possible, Our proposal: collapses to the third level.

photons sent photons achieved (by groups in Oxford, Brisbane, Rome, Vienna) through network of interferometers, then measured at output modes

Key Idea

The probability of each output configuration has the form |Per(A)| 2 , where A is a matrix of transition amplitudes and Per     

S n i n

1

a i

,  is the permanent, a well-known

#P

-complete function Does this mean quantum optics lets us solve

#P

-complete problems efficiently? Sounds too good to be true… Nevertheless, the fact that complex permanents are

#P

complete to approximate lets us indirectly prove hardness results even just for permanental

sampling

BQP

vs. the Polynomial Hierarchy

Can a quantum computer solve problems for which a classical computer can’t even efficiently

verify

the answers? Or better yet: that are still classically hard even if

P

=

NP

?

Boils down to: are there problems in

BQP

but not in

PH

? BosonSampling: A candidate for such a problem. If it’s solvable anywhere in

BPP PH

, then

PH

collapses.

A. 2009: Unconditionally, there’s a black-box sampling problem (Fourier Sampling) solvable in

BQP

but not in

BPP PH

Given a Boolean function output z  {0,1} n

f

: with probability  

n f

ˆ   2 

f

ˆ :  1 2

n

1 , 1 

x

  

n

 

x



z f

The Quantum Black-Box Model

The setting for much of what we know about the power of quantum algorithms

X=x 1 …x N i

X

x i

“Query complexity” of f:

The minimum  

i

, number of queries used by any

a

,

w i

,

a

,

w

  

i

,

a

,

w i

,

a



x

,

w

as well as

arbitrary

unitary transformations that don’t depend on X (we won’t worry about their computational cost).

Its goal is to learn some

property

f(X)

(for example: is X 1-to-1?)

Example 1: Grover search problem.

Given X(1),…,X(N)  {0,1}, find an i such that X(i)=1. A quantum computer can solve with O(  N) queries, but no faster!

Example 2: Period-finding (heart of Shor’s algorithm).

Given a sequence X(1),…,X(N) that repeats with period r  N, find the period. A quantum computer can do this with only O(1) queries—huge speedup over classical!

Example 3: The Collision Problem.

sequence X(1),…,X(N), find a indices i,j such that X(i)=X(j)) Given a 2-to-1

collision

(i.e., two

10 4 1 8 7 9 11 5 6 4 2 10 3 2 7 9 11 5 1 6 3 8

Models the breaking of collision-resistant hash functions— a central problem in cryptanalysis

Birthday Paradox:

Classically, ~  N queries are necessary and sufficient to find a collision with high probability

Brassard-Høyer-Tapp 1997:

Quantumly, ~N 1/3 queries suffice Grover search on N 2/3 X(i)’s N 1/3 X(i) values queried classically

A. 2002:

First quantum lower bound for the collision problem (~N 1/5 queries are needed; no exponential speedup possible)

Shi 2002:

Improved lower bound of ~N 1/3 . Brassard-Høyer Tapp’s algorithm is the best possible

Symmetric Problems

A.-Ambainis 2011:

Massive generalization of collision lower bound. If f is any problem whatsoever that’s

symmetric

under permuting the inputs and outputs, and has sufficiently many outputs (like the collision problem), then f’s classical query complexity  (f’s quantum query complexity) 7 Compare to

Beals et al. 1998:

If f:{0,1} N  {0,1} is a total Boolean function (like OR, AND, MAJORITY, etc.), f’s classical query complexity  (f’s quantum query complexity) 6

Upshot:

Need a “structured” promise if you want an exponential quantum speedup

What’s the largest possible quantum speedup?

“Forrelation”:

Given two Boolean functions f,g:{0,1} n  {-1,1}, estimate how correlated g is with the Fourier transform of f: 1 2 3

n

/ 2  0 .

01 ?

 0 .

6 ?

x

, 

y

  

n f

A.-Ambainis 2014:

This problem is solvable using only 1 quantum query, but requires at least ~2 n/2 /n queries classically Furthermore, this separation is essentially the largest possible!

Any

N-bit problem that’s solvable with k quantum queries, is also solvable with ~N 1-1/2k classical queries

Conjecture (A. 2009):

Forrelation  Polynomial Hierarchy

A complexity-theoretic argument against hidden variables?

A. 2004:

Suppose that in addition to the quantum state, there were also “hidden variables” recording the “true” locations of particles (as in Bohmian mechanics). Then if you could sample the hidden variables’ entire histories, you could solve the collision problem in O(1) queries—beyond what a “garden-variety” quantum computer can do!

1

N x N

  1

x f

Measure 2 nd register

x



y

2

f

Computational Complexity and the Black-Hole Information Loss Problem

Maybe the single most striking application so far of complexity to fundamental physics

Hawking 1970s: Black holes radiate!

The radiation seems thermal (uncorrelated with whatever fell in)—but if quantum mechanics is true, then it can’t be Susskind et al. 1990s: “Black-hole complementarity.” In string theory / quantum gravity, the Hawking radiation should just be a scrambled re-encoding of the same quantum states that are also inside the black hole

The Firewall Paradox [Almheiri et al. 2012]

If the black hole interior is “built” out of the same qubits coming out as Hawking radiation, then why can’t we

do something

to those Hawking qubits (after waiting ~10 70 years for enough to come out), then dive into the black hole, and see that we’ve completely destroyed the spacetime geometry in the interior?

Entanglement among Hawking photons detected!

Harlow-Hayden 2013:

Sure, there’s some unitary transformation that Alice could apply to the Hawking radiation, that would generate a “firewall” inside the event horizon. But how long would it take her to apply it?

Plausible answer:

Exponential in the number of qubits inside the black hole! Or for an astrophysical black hole, ~ 2 10 70 years She wouldn’t have made a dent before the black hole had already evaporated anyway! So … problem solved?

HH’s argument:

If Alice could achieve (a plausible formalization of) her decoding task, then she could also efficiently solve the collision problem

My strengthening: Harlow-Hayden decoding is as hard as inverting an arbitrary one-way function



RBH

 1 2 2

n

 1

x

, 

s

  

n

,

a



f

  ,

s

,

a

, 1

R x s



a B x

,

s H

R: “old” Hawking photons / B: photons just coming out / H: still in black hole B is maximally entangled with the last qubit of R. But in order to see that B and R are even

classically correlated

, one would need to learn x  s (a “hardcore bit” of f), and therefore invert f With realistic dynamics, the decoding task seems like it should only be “harder” than in this model case (though unclear how to formalize that) Is the geometry of spacetime protected by an armor of computational complexity?

Quantum Money

Idea:

Quantum states that can be created by a bank, traded as currency, and verified as legitimate, but can’t be cloned by counterfeiters, because of quantum mechanics’ No-Cloning Theorem   

Wiesner ca. 1970:

First quantum money scheme, but only the bank could verify the bills.

If anyone can verify a bill, then computational assumptions clearly needed, in addition to QM A.-Christiano 2012:

First quantum money scheme where anyone can verify a bill, and whose security is based on a “conventional” crypto assumption

Our Hidden Subspace Scheme Quantum money state:

A

:  1 2

n

/ 4

x

 

A x A



R GF

 

n

dim 

n

2 Mint can easily choose a random A and prepare |A 

Corresponding “serial number” s:

Somehow describes how to check membership in A

and

in A  subspace of A), yet doesn’t reveal A or A  (the dual

Our proposal:

and q 1 ,…,q m Random low-degree polynomials p 1 ,…,p m that vanish on A and A  respectively

Procedure to Verify Money State

(assuming ability to decide membership in A and A



)

A



A

1. Project onto A elements

(reject if this fails)

2. Hadamard all n qubits to map |A  to |A   3. Project onto A  elements

(reject if this fails)

4. Hadamard all n qubits to return state to |A 

Theorem:

The above just implements a projection onto |A  —i.e., it accepts |  with probability |  |A  | 2

Security

Theorem:

There’s no efficient counterfeiting procedure, assuming there’s no an efficient quantum algorithm to learn a basis for A with 2 -O(n) probability, given p 1 ,…,p m and q 1 ,…,q m . [Recently: Attack on noiseless version of scheme]

Theorem:

If the A and A membership tests are black boxes, then any counterfeiting procedure requires Ω(2 n/2 ) queries to them.

Some Future Directions

Quantum copy-protected software Complexity theory of quantum states and unitary transformations Classification of quantum gate sets Noisy BosonSampling The power of quantum proofs