The Computer Science Picture of Reality

1
Quantum Algorithms Complexity
Umesh Vazirani U.C. Berkeley
2
One does not, by knowing all the physical laws as
we know them today, immediately obtain an
understanding of anything much. (Richard
Feynman, 1918-1988)
3
One does not, by knowing all the physical laws as
we know them today, immediately obtain an
understanding of anything much. (Richard
Feynman, 1918-1988)
Quantum computers are the only known model of
Computation that violate the Extended
Church-Turing thesis.
4
Goals of Quantum Algorithms/Complexity

• Find exponential speedups for a range of natural
• computational problems.
• Establish the limits of quantum algorithms.
• Relate quantum complexity classes, such as BQP
  and
• QMA, to classical complexity classes, such as
• BPP, MA, PH.

5
Goals of Quantum Algorithms/Complexity

• Find exponential speedups for a range of natural
• computational problems.
• Establish the limits of quantum algorithms.
• Relate quantum complexity classes, such as BQP
  and
• QMA, to classical complexity classes, such as
• BPP, MA, PH.

Far reaching implications for cryptography,
computational complexity, physics, Each of
these gives its own unique flavor to the
questions.
6
Quantum resistant cryptography

• Quantum computers break much of modern
  cryptography.
• RSA (factoring), Diffie-Helman (discrete log),
• Elliptic curve crypto, Buchmann-Williams (Pell
  eqn)
• Suppose we had a classical cryptosystem that was
  
• as efficient and convenient as RSA, but was
  provably
• not breakable even on a quantum computer.
• Then there would be an incentive to switch to
  the
• new cryptosystem, well before a large scale
  quantum
• computer were experimentally realized.

7

• Suppose we had a very efficient classical
• cryptosystem that we believed was quantum
  resistant.
• What kind of evidence could we present to prove
  it?
• (Dont have a working quantum computer to run
  heuristics)

• The answer relies crucially on our
  understanding of
• the power and limitations of quantum computers.

8
Hidden Subgroup Problem
G finite group. H subgroup of G. Given black box
that evaluates f G -gt S f is constant on
cosets of H. Determine H.
G

• G abelian lens fourier transform over G.
• polynomial time quantum algorithm.
• Shor factoring. G ZN. Period finding.
• discrete log. G Zp x Zp
• Hallgren Pells equation
• van Dam, Hallgren, Ip Hidden shift problems,
• Breaking homomorphic encryption
• van Dam, Seroussi Gauss sums

9
Quantum Algorithm for Abelian HSP
Random coset state use f to set up state
G
gH

FT over G
FT over G
FT measurement gives uniformly random element
of
Think of this as a random linear constraint on H
10
Non-abelian hidden subgroup problem
Lens (non-abelian) fourier transform over G.
Short vector in Lattice
Finding short vector not easy!
DN Dihedral group
Regev
11
Lattice Problems

• Finding short lattice vectors closely related
  to
• Dihedral HSP.
• Random coset state preparation Fourier
  sampling
• gives sufficient info to reconstruct subgroup.
• But classically reconstructing subgroup appears
  to be
• very difficult. Related to subset sum.
• Kuperbergs quantum reconstruction
  algorithm.

12
Public-key cryptosystems based on Quantum
hardness of Shortest Lattice Vector.

• Ajtai-Dwork cryptosystem.
• Regev
• Improved efficiency based on assumption that
  finding
• short lattice vectors is hard for quantum
  algorithms.
• New cryptosystem resembles hardness of solving
  noisy
• linear equations mod p.
• Worst-case to average case reduction.

13
Learning with errors
Linear equations in n variables over Zp for p
prime, where n2 lt p lt 2n2 m noisy
equations where and
is gaussian with mean 0 and standard deviatio
n n1.5
Theorem Regev LWE is as hard as
approximating the shortest vector in a lattice to
within n1.5
14
Worst-case to average-case reduction

• LWE specifies an average-case problem. Inputs
• sampled from a fixed distribution.
• Quantum reduction showing that an arbitrary
  lattice
• problem (worst-case) can be mapped to LWE.
• Example of the quantum method. Prove a purely
• classical statement by quantum methods.
• Kerenidis, deWolf lower bounds for locally
• decodable codes.

15
LWE and Lattices

• Lattice L integer linear combinations of u1,
  , un
• Dual lattice L v ltv,ugt integer for all u in
  L
• L is the fourier transform of L.

16
LWE and Lattices

• Lattice L integer linear combinations of u1,
  , un
• Dual lattice L v ltv,ugt integer for all u in
  L
• L is the fourier transform of L.

DL
DL
17
DL
DL

• Sampling from DL with small width Gaussian
  implies
• good approximation of shortest lattice vector.
• Polynomially large samples from DL yield an
  unbiased
• estimator for DL . If the width of the Gaussian
  
• is large, this gives a way of, given x,
  approximating
• the closest lattice vector to x in L.
• Quantum reduction, given algorithm for
  approximating
• closest vector in L, to sampling from DL .

18
DL
DL

• Sampling from DL with small width Gaussian
  implies good approximation
• of shortest lattice vector.
• Polynomially large samples from DL yield an
  unbiased estimator for DL .
• If the width of the Gaussian is large, this
  gives a way of, given z,
• approximating the closest lattice to z.
• Quantum reduction, given algorithm for
  approximating
• closest vector in L, to sampling from DL .

To erase x, compute x given zxy
19
Improving the Efficiency

• Based on cyclic lattices
• Lattices where the basis consists of vector v,
  and
• all its cyclic shifts.
• Much more succinct. Key size n2 -gt n
• Faster computation use Fourier transforms.
• Piekart, Rosen collision resistant hash
  functions.
• Gentry Homomorphic encryption.

20
Open Questions

• Is there a quantum algorithm to find a short
• vector in a cyclic lattice?
• Does the van Dam, Hallgren, Ip quantum
  algorithm for
• breaking homomorphic encryption extend to
• Gentrys scheme?
• Is it possible to speed up Kuperbergs quantum
• reconstruction algorithm for the dihedral HSP?
• Is it possible to design a public-key
  cryptosystem
• based on cyclic lattices?

21
Greater Security?
Hallgren, Moore, Roettler, Russell, Sen
06 provide very strong evidence of
quantum hardness
Hg1
Hg2
Hgk
k lt poly(n) implies exponentially many
measurements
For sufficiently non-abelian groups. Eg Sn,
GLn in particular graph isomorphism.
Sufficiently non-abelian exponential sized
irreps
Can one base public-key cryptography on these
stronger impossibility results? Moore, Russell,
V One-way function, related to
McEliese Cryptosystem, based on hardness of HSP
over
22
Goals of Quantum Algorithms/Complexity

• Find exponential speedups for a range of natural
• computational problems.
• Establish the limits of quantum algorithms.
• Relate quantum complexity classes, such as BQP
  and
• QMA, to classical complexity classes, such as
• BPP, MA, PH.

23
An Old Question in Quantum Complexity Theory

• Is BQP C PH?
• Bernstein, V 93 There is an oracle A BQPA
  C MAA
• Conjectured that same holds for PH that
  recursive
• fourier sampling is in BQP but not in PH.
• Aaronson 09 Conjecture Fourier checking is
  in
• BQP, but not in PH.
• Proof that this is true under the generalized
  Linial-Nisan
• conjecture.
• The original Linial-Nisan conjecture states that
• logn-wise independent distributions fool AC0
  circuits.
• Resolved by Braverman. Generalized almost
  logn-wise.

24
Hamiltonian Complexity
Computational complexity lt--gt condensed matter
physics

• H H1 Hm , each Hi k-local.
• Kitaev Computing ground energy of H is
  QMA-hard.
• Aharonov, et. al. Adiabatic quantum
  computation is
• universal.
• Hastings Area law for 1-D local Hamiltonians.
  
• Efficient simulation of gapped Hamiltonians.
• Aharonov, Gottesman, Irani, Kempe Computing
• ground states of 1-D local Hamiltonians QMA-hard.

25
Quantum PCP theorem?

• Given a promise that k-local hamiltonian H has
• either ground energy 0 or cm for constant c,
• determine which.
• Classical PCP theorem is a cornerstone of
  classical
• complexity theory.
• Theory of inapproximability, room temperature
  QC
• Aharonov, Arad, Landau, V quantum gap
  amplification.

26

• How do you verify a theory where you require
• exponential resources to calculate the predicted
• outcome of the experiment?
• One-way function. Start with P, Q primes.
• Multiply N PQ. See if quantum computer can
• Factor.
• How do you verify the claims of a company
• New-Wave, that claims to have built a quantum
• Computer?
• Aharonov, et. Al., Broadbent, et. Al.
• Quantum interactive proofs.

27
Conclusions
Quantum algorithms and complexity theory explore
fundamental questions with profound implications

• Quantum resistant cryptography.
• Probabilistic method lt--gt quantum method
• Quantum complexity lt--gt classical complexity
• quantum complexity theory lt--gt condensed matter
  physics
• Verifying quantum computations.