Loading in 5 sec....

Quantum Algorithms & ComplexityPowerPoint Presentation

Quantum Algorithms & Complexity

- 106 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Quantum Algorithms & Complexity' - judah-santana

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

One does not, by knowing all the physical laws as we know

them today, immediately obtain an understanding of anything

much. (Richard Feynman, 1918-1988)

One does not, by knowing all the physical laws as we know

them today, immediately obtain an understanding of anything

much. (Richard Feynman, 1918-1988)

Quantum computers are the only known model of

Computation that violate the Extended Church-Turing

thesis.

Goals of Quantum Algorithms/Complexity

- Find exponential speedups for a range of natural
- computational problems.
- Establish the limits of quantum algorithms.
- Relate quantum complexity classes, such as BQP and
- QMA, to classical complexity classes, such as
- BPP, MA, PH.

Goals of Quantum Algorithms/Complexity

- Find exponential speedups for a range of natural
- computational problems.
- Establish the limits of quantum algorithms.
- Relate quantum complexity classes, such as BQP and
- QMA, to classical complexity classes, such as
- BPP, MA, PH.

Far reaching implications for cryptography,

computational complexity, physics, … Each of these

gives its own unique flavor to the questions.

Quantum resistant cryptography

- Quantum computers break much of modern cryptography.
- RSA (factoring), Diffie-Helman (discrete log),
- Elliptic curve crypto, Buchmann-Williams (Pell eqn)…
- Suppose we had a classical cryptosystem that was
- as efficient and convenient as RSA, but was provably
- not breakable even on a quantum computer.
- Then there would be an incentive to switch to the
- new cryptosystem, well before a large scale quantum
- computer were experimentally realized.

- Suppose we had a very efficient classical
- cryptosystem that we believed was quantum resistant.
- What kind of evidence could we present to “prove” it?
- (Don’t have a working quantum computer to run heuristics)

- The answer relies crucially on our understanding of
- the power and limitations of quantum computers.

G finite group. H subgroup of G.

Given black box that evaluates f: G -> S:

f is constant on cosets of H.

Determine H.

G:

- G abelian: lens = fourier transform over G.
- polynomial time quantum algorithm.
- Shor: factoring. G = ZN. Period finding.
- discrete log. G = Zp x Zp
- [Hallgren] Pell’s equation
- [van Dam, Hallgren, Ip] Hidden shift problems,
- Breaking homomorphic encryption
- [van Dam, Seroussi] Gauss sums

Quantum Algorithm for Abelian HSP

Random coset state: use f to set up state

G:

gH

=

FT over G

FT over G:

FT + measurement gives uniformly random element of

Think of this as a random linear constraint on H …

SN Symmetric group

Non-abelian hidden subgroup problemLens = (non-abelian) fourier transform over G.

Short vector in Lattice:

Finding short vector not easy!

DNDihedral group

[Regev]

- Finding short lattice vectors closely related to
- Dihedral HSP.
- Random coset state preparation + Fourier sampling
- gives sufficient info to reconstruct subgroup.
- But classically reconstructing subgroup appears to be
- very difficult. Related to subset sum.
- Kuperberg’s quantum reconstruction algorithm.

Public-key cryptosystems based on Quantum

hardness of Shortest Lattice Vector.

- [Ajtai-Dwork] cryptosystem.
- [Regev]
- Improved efficiency based on assumption that finding
- short lattice vectors is hard for quantum algorithms.
- New cryptosystem resembles hardness of solving noisy
- linear equations mod p.
- Worst-case to average case reduction.

Linear equations in n variables over Zp for p prime,

where n2 < p < 2n2

m noisy equations:

where

and is gaussian with mean 0 and standard

deviation n1.5

Theorem [Regev]: LWE is as hard as approximating

the shortest vector in a lattice to within n1.5

Worst-case to average-case reduction

- LWE specifies an average-case problem. Inputs
- sampled from a fixed distribution.
- Quantum reduction showing that an arbitrary lattice
- problem (worst-case) can be mapped to LWE.
- Example of the quantum method. Prove a purely
- classical statement by quantum methods.
- [Kerenidis, deWolf] lower bounds for locally
- decodable codes.

- Lattice L = {integer linear combinations of u1, …, un }
- Dual lattice L* = {v: <v,u> integer for all u in L}
- L* is the fourier transform of L.

- Lattice L = {integer linear combinations of u1, …, un }
- Dual lattice L* = {v: <v,u> integer for all u in L}
- L* is the fourier transform of L.

D*L

DL

D*L

DL

- Sampling from DL with small width Gaussian implies
- good approximation of shortest lattice vector.
- Polynomially large samples from DL yield an unbiased
- estimator for D*L . If the width of the Gaussian
- is large, this gives a way of, given x, approximating
- the closest lattice vector to x in L*.
- Quantum reduction, given algorithm for approximating
- closest vector in L*, to sampling from DL .

D*L

DL

- Sampling from DL with small width Gaussian implies good approximation
- of shortest lattice vector.
- Polynomially large samples from DL yield an unbiased estimator for D*L .
- If the width of the Gaussian is large, this gives a way of, given z,
- approximating the closest lattice to z.
- Quantum reduction, given algorithm for approximating
- closest vector in L*, to sampling from DL .

To erase x, compute x given z=x+y:

- Based on cyclic lattices:
- Lattices where the basis consists of vector v, and
- all its cyclic shifts.
- Much more succinct. Key size n2 -> n
- Faster computation – use Fourier transforms.
- [Piekart, Rosen] collision resistant hash functions.
- [Gentry] Homomorphic encryption.

- Is there a quantum algorithm to find a short
- vector in a cyclic lattice?
- Does the van Dam, Hallgren, Ip quantum algorithm for
- breaking homomorphic encryption extend to
- Gentry’s scheme?
- Is it possible to speed up Kuperberg’s quantum
- reconstruction algorithm for the dihedral HSP?
- Is it possible to design a public-key cryptosystem
- based on cyclic lattices?

[Hallgren, Moore, Roettler, Russell, Sen 06] provide

very strong evidence of quantum hardness:

Hg1

Hg2

Hgk

k < poly(n) implies exponentially many measurements

For sufficiently non-abelian groups. Eg Sn, GLn

in particular: graph isomorphism.

Sufficiently non-abelian ~ exponential sized irreps + …

Can one base public-key cryptography on these stronger

impossibility results?

[Moore, Russell, V] One-way function, related to McEliese

Cryptosystem, based on hardness of HSP over

Goals of Quantum Algorithms/Complexity

- Find exponential speedups for a range of natural
- computational problems.
- Establish the limits of quantum algorithms.
- Relate quantum complexity classes, such as BQP and
- QMA, to classical complexity classes, such as
- BPP, MA, PH.

An Old Question in Quantum Complexity Theory

- Is BQP C PH?
- [Bernstein, V ‘93] There is an oracle A: BQPA C MAA
- Conjectured that same holds for PH – that recursive
- fourier sampling is in BQP but not in PH.
- [Aaronson ‘09] Conjecture: Fourier checking is in
- BQP, but not in PH.
- Proof that this is true under the generalized Linial-Nisan
- conjecture.
- The original Linial-Nisan conjecture states that
- logn-wise independent distributions fool AC0 circuits.
- Resolved by Braverman. Generalized = almost logn-wise.

Computational complexity <--> condensed matter physics

- H = H1 + … + Hm , each Hi k-local.
- [Kitaev] Computing ground energy of H is QMA-hard.
- [Aharonov, et. al.] Adiabatic quantum computation is
- universal.
- [Hastings] Area law for 1-D local Hamiltonians.
- Efficient simulation of gapped Hamiltonians.
- [Aharonov, Gottesman, Irani, Kempe] Computing
- ground states of 1-D local Hamiltonians QMA-hard.

- Given a promise that k-local hamiltonian H has
- either ground energy 0 or cm for constant c,
- determine which.
- Classical PCP theorem is a cornerstone of classical
- complexity theory.
- Theory of inapproximability, room temperature QC
- [Aharonov, Arad, Landau, V] quantum gap amplification.

- How do you verify a theory where you require
- exponential resources to calculate the predicted
- outcome of the experiment?
- One-way function. Start with P, Q primes.
- Multiply N = PQ. See if quantum computer can
- Factor.
- How do you verify the claims of a company
- New-Wave, that claims to have built a quantum
- Computer?
- [Aharonov, et. Al.], [Broadbent, et. Al.]
- Quantum interactive proofs.

Quantum algorithms and complexity theory explore

fundamental questions with profound implications:

- Quantum resistant cryptography.
- Probabilistic method <--> quantum method
- Quantum complexity <--> classical complexity
- quantum complexity theory <--> condensed matter physics
- Verifying quantum computations.

Download Presentation

Connecting to Server..