1 / 27

Quantum Algorithms & Complexity

Quantum Algorithms & Complexity. Umesh Vazirani U.C. Berkeley. One does not, by knowing all the physical laws as we know them today, immediately obtain an understanding of anything much. (Richard Feynman, 1918-1988). One does not, by knowing all the physical laws as we know

judah-santana
Download Presentation

Quantum Algorithms & Complexity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Quantum Algorithms & Complexity Umesh Vazirani U.C. Berkeley

  2. One does not, by knowing all the physical laws as we know them today, immediately obtain an understanding of anything much. (Richard Feynman, 1918-1988)

  3. One does not, by knowing all the physical laws as we know them today, immediately obtain an understanding of anything much. (Richard Feynman, 1918-1988) Quantum computers are the only known model of Computation that violate the Extended Church-Turing thesis.

  4. Goals of Quantum Algorithms/Complexity • Find exponential speedups for a range of natural • computational problems. • Establish the limits of quantum algorithms. • Relate quantum complexity classes, such as BQP and • QMA, to classical complexity classes, such as • BPP, MA, PH.

  5. Goals of Quantum Algorithms/Complexity • Find exponential speedups for a range of natural • computational problems. • Establish the limits of quantum algorithms. • Relate quantum complexity classes, such as BQP and • QMA, to classical complexity classes, such as • BPP, MA, PH. Far reaching implications for cryptography, computational complexity, physics, … Each of these gives its own unique flavor to the questions.

  6. Quantum resistant cryptography • Quantum computers break much of modern cryptography. • RSA (factoring), Diffie-Helman (discrete log), • Elliptic curve crypto, Buchmann-Williams (Pell eqn)… • Suppose we had a classical cryptosystem that was • as efficient and convenient as RSA, but was provably • not breakable even on a quantum computer. • Then there would be an incentive to switch to the • new cryptosystem, well before a large scale quantum • computer were experimentally realized.

  7. Suppose we had a very efficient classical • cryptosystem that we believed was quantum resistant. • What kind of evidence could we present to “prove” it? • (Don’t have a working quantum computer to run heuristics) • The answer relies crucially on our understanding of • the power and limitations of quantum computers.

  8. Hidden Subgroup Problem G finite group. H subgroup of G. Given black box that evaluates f: G -> S: f is constant on cosets of H. Determine H. G: • G abelian: lens = fourier transform over G. • polynomial time quantum algorithm. • Shor: factoring. G = ZN. Period finding. • discrete log. G = Zp x Zp • [Hallgren] Pell’s equation • [van Dam, Hallgren, Ip] Hidden shift problems, • Breaking homomorphic encryption • [van Dam, Seroussi] Gauss sums

  9. Quantum Algorithm for Abelian HSP Random coset state: use f to set up state G: gH = FT over G FT over G: FT + measurement gives uniformly random element of Think of this as a random linear constraint on H …

  10. Graph Isomorphism SN Symmetric group Non-abelian hidden subgroup problem Lens = (non-abelian) fourier transform over G. Short vector in Lattice: Finding short vector not easy! DNDihedral group [Regev]

  11. Lattice Problems • Finding short lattice vectors closely related to • Dihedral HSP. • Random coset state preparation + Fourier sampling • gives sufficient info to reconstruct subgroup. • But classically reconstructing subgroup appears to be • very difficult. Related to subset sum. • Kuperberg’s quantum reconstruction algorithm.

  12. Public-key cryptosystems based on Quantum hardness of Shortest Lattice Vector. • [Ajtai-Dwork] cryptosystem. • [Regev] • Improved efficiency based on assumption that finding • short lattice vectors is hard for quantum algorithms. • New cryptosystem resembles hardness of solving noisy • linear equations mod p. • Worst-case to average case reduction.

  13. Learning with errors Linear equations in n variables over Zp for p prime, where n2 < p < 2n2 m noisy equations: where and is gaussian with mean 0 and standard deviation n1.5 Theorem [Regev]: LWE is as hard as approximating the shortest vector in a lattice to within n1.5

  14. Worst-case to average-case reduction • LWE specifies an average-case problem. Inputs • sampled from a fixed distribution. • Quantum reduction showing that an arbitrary lattice • problem (worst-case) can be mapped to LWE. • Example of the quantum method. Prove a purely • classical statement by quantum methods. • [Kerenidis, deWolf] lower bounds for locally • decodable codes.

  15. LWE and Lattices • Lattice L = {integer linear combinations of u1, …, un } • Dual lattice L* = {v: <v,u> integer for all u in L} • L* is the fourier transform of L.

  16. LWE and Lattices • Lattice L = {integer linear combinations of u1, …, un } • Dual lattice L* = {v: <v,u> integer for all u in L} • L* is the fourier transform of L. D*L DL

  17. D*L DL • Sampling from DL with small width Gaussian implies • good approximation of shortest lattice vector. • Polynomially large samples from DL yield an unbiased • estimator for D*L . If the width of the Gaussian • is large, this gives a way of, given x, approximating • the closest lattice vector to x in L*. • Quantum reduction, given algorithm for approximating • closest vector in L*, to sampling from DL .

  18. D*L DL • Sampling from DL with small width Gaussian implies good approximation • of shortest lattice vector. • Polynomially large samples from DL yield an unbiased estimator for D*L . • If the width of the Gaussian is large, this gives a way of, given z, • approximating the closest lattice to z. • Quantum reduction, given algorithm for approximating • closest vector in L*, to sampling from DL . To erase x, compute x given z=x+y:

  19. Improving the Efficiency • Based on cyclic lattices: • Lattices where the basis consists of vector v, and • all its cyclic shifts. • Much more succinct. Key size n2 -> n • Faster computation – use Fourier transforms. • [Piekart, Rosen] collision resistant hash functions. • [Gentry] Homomorphic encryption.

  20. Open Questions • Is there a quantum algorithm to find a short • vector in a cyclic lattice? • Does the van Dam, Hallgren, Ip quantum algorithm for • breaking homomorphic encryption extend to • Gentry’s scheme? • Is it possible to speed up Kuperberg’s quantum • reconstruction algorithm for the dihedral HSP? • Is it possible to design a public-key cryptosystem • based on cyclic lattices?

  21. Greater Security? [Hallgren, Moore, Roettler, Russell, Sen 06] provide very strong evidence of quantum hardness: Hg1 Hg2 Hgk k < poly(n) implies exponentially many measurements For sufficiently non-abelian groups. Eg Sn, GLn in particular: graph isomorphism. Sufficiently non-abelian ~ exponential sized irreps + … Can one base public-key cryptography on these stronger impossibility results? [Moore, Russell, V] One-way function, related to McEliese Cryptosystem, based on hardness of HSP over

  22. Goals of Quantum Algorithms/Complexity • Find exponential speedups for a range of natural • computational problems. • Establish the limits of quantum algorithms. • Relate quantum complexity classes, such as BQP and • QMA, to classical complexity classes, such as • BPP, MA, PH.

  23. An Old Question in Quantum Complexity Theory • Is BQP C PH? • [Bernstein, V ‘93] There is an oracle A: BQPA C MAA • Conjectured that same holds for PH – that recursive • fourier sampling is in BQP but not in PH. • [Aaronson ‘09] Conjecture: Fourier checking is in • BQP, but not in PH. • Proof that this is true under the generalized Linial-Nisan • conjecture. • The original Linial-Nisan conjecture states that • logn-wise independent distributions fool AC0 circuits. • Resolved by Braverman. Generalized = almost logn-wise.

  24. Hamiltonian Complexity Computational complexity <--> condensed matter physics • H = H1 + … + Hm , each Hi k-local. • [Kitaev] Computing ground energy of H is QMA-hard. • [Aharonov, et. al.] Adiabatic quantum computation is • universal. • [Hastings] Area law for 1-D local Hamiltonians. • Efficient simulation of gapped Hamiltonians. • [Aharonov, Gottesman, Irani, Kempe] Computing • ground states of 1-D local Hamiltonians QMA-hard.

  25. Quantum PCP theorem? • Given a promise that k-local hamiltonian H has • either ground energy 0 or cm for constant c, • determine which. • Classical PCP theorem is a cornerstone of classical • complexity theory. • Theory of inapproximability, room temperature QC • [Aharonov, Arad, Landau, V] quantum gap amplification.

  26. How do you verify a theory where you require • exponential resources to calculate the predicted • outcome of the experiment? • One-way function. Start with P, Q primes. • Multiply N = PQ. See if quantum computer can • Factor. • How do you verify the claims of a company • New-Wave, that claims to have built a quantum • Computer? • [Aharonov, et. Al.], [Broadbent, et. Al.] • Quantum interactive proofs.

  27. Conclusions Quantum algorithms and complexity theory explore fundamental questions with profound implications: • Quantum resistant cryptography. • Probabilistic method <--> quantum method • Quantum complexity <--> classical complexity • quantum complexity theory <--> condensed matter physics • Verifying quantum computations.

More Related