Quantum Algorithms &amp; Complexity

1 / 27

# Quantum Algorithms &amp; Complexity - PowerPoint PPT Presentation

Quantum Algorithms &amp; Complexity. Umesh Vazirani U.C. Berkeley. One does not, by knowing all the physical laws as we know them today, immediately obtain an understanding of anything much. (Richard Feynman, 1918-1988) . One does not, by knowing all the physical laws as we know

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Quantum Algorithms &amp; Complexity' - lahela

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Quantum Algorithms & Complexity

Umesh Vazirani

U.C. Berkeley

One does not, by knowing all the physical laws as we know

them today, immediately obtain an understanding of anything

much. (Richard Feynman, 1918-1988)

One does not, by knowing all the physical laws as we know

them today, immediately obtain an understanding of anything

much. (Richard Feynman, 1918-1988)

Quantum computers are the only known model of

Computation that violate the Extended Church-Turing

thesis.

Goals of Quantum Algorithms/Complexity

• Find exponential speedups for a range of natural
• computational problems.
• Establish the limits of quantum algorithms.
• Relate quantum complexity classes, such as BQP and
• QMA, to classical complexity classes, such as
• BPP, MA, PH.

Goals of Quantum Algorithms/Complexity

• Find exponential speedups for a range of natural
• computational problems.
• Establish the limits of quantum algorithms.
• Relate quantum complexity classes, such as BQP and
• QMA, to classical complexity classes, such as
• BPP, MA, PH.

Far reaching implications for cryptography,

computational complexity, physics, … Each of these

gives its own unique flavor to the questions.

Quantum resistant cryptography

• Quantum computers break much of modern cryptography.
• RSA (factoring), Diffie-Helman (discrete log),
• Elliptic curve crypto, Buchmann-Williams (Pell eqn)…
• Suppose we had a classical cryptosystem that was
• as efficient and convenient as RSA, but was provably
• not breakable even on a quantum computer.
• Then there would be an incentive to switch to the
• new cryptosystem, well before a large scale quantum
• computer were experimentally realized.

Suppose we had a very efficient classical

• cryptosystem that we believed was quantum resistant.
• What kind of evidence could we present to “prove” it?
• (Don’t have a working quantum computer to run heuristics)
• The answer relies crucially on our understanding of
• the power and limitations of quantum computers.

Hidden Subgroup Problem

G finite group. H subgroup of G.

Given black box that evaluates f: G -> S:

f is constant on cosets of H.

Determine H.

G:

• G abelian: lens = fourier transform over G.
• polynomial time quantum algorithm.
• Shor: factoring. G = ZN. Period finding.
• discrete log. G = Zp x Zp
• [Hallgren] Pell’s equation
• [van Dam, Hallgren, Ip] Hidden shift problems,
• Breaking homomorphic encryption
• [van Dam, Seroussi] Gauss sums
Quantum Algorithm for Abelian HSP

Random coset state: use f to set up state

G:

gH

=

FT over G

FT over G:

FT + measurement gives uniformly random element of

Think of this as a random linear constraint on H …

Graph Isomorphism

SN Symmetric group

Non-abelian hidden subgroup problem

Lens = (non-abelian) fourier transform over G.

Short vector in Lattice:

Finding short vector not easy!

DNDihedral group

[Regev]

Lattice Problems

• Finding short lattice vectors closely related to
• Dihedral HSP.
• Random coset state preparation + Fourier sampling
• gives sufficient info to reconstruct subgroup.
• But classically reconstructing subgroup appears to be
• very difficult. Related to subset sum.
• Kuperberg’s quantum reconstruction algorithm.

Public-key cryptosystems based on Quantum

hardness of Shortest Lattice Vector.

• [Ajtai-Dwork] cryptosystem.
• [Regev]
• Improved efficiency based on assumption that finding
• short lattice vectors is hard for quantum algorithms.
• New cryptosystem resembles hardness of solving noisy
• linear equations mod p.
• Worst-case to average case reduction.

Learning with errors

Linear equations in n variables over Zp for p prime,

where n2 < p < 2n2

m noisy equations:

where

and is gaussian with mean 0 and standard

deviation n1.5

Theorem [Regev]: LWE is as hard as approximating

the shortest vector in a lattice to within n1.5

Worst-case to average-case reduction

• LWE specifies an average-case problem. Inputs
• sampled from a fixed distribution.
• Quantum reduction showing that an arbitrary lattice
• problem (worst-case) can be mapped to LWE.
• Example of the quantum method. Prove a purely
• classical statement by quantum methods.
• [Kerenidis, deWolf] lower bounds for locally
• decodable codes.

LWE and Lattices

• Lattice L = {integer linear combinations of u1, …, un }
• Dual lattice L* = {v: <v,u> integer for all u in L}
• L* is the fourier transform of L.

LWE and Lattices

• Lattice L = {integer linear combinations of u1, …, un }
• Dual lattice L* = {v: <v,u> integer for all u in L}
• L* is the fourier transform of L.

D*L

DL

D*L

DL

• Sampling from DL with small width Gaussian implies
• good approximation of shortest lattice vector.
• Polynomially large samples from DL yield an unbiased
• estimator for D*L . If the width of the Gaussian
• is large, this gives a way of, given x, approximating
• the closest lattice vector to x in L*.
• Quantum reduction, given algorithm for approximating
• closest vector in L*, to sampling from DL .

D*L

DL

• Sampling from DL with small width Gaussian implies good approximation
• of shortest lattice vector.
• Polynomially large samples from DL yield an unbiased estimator for D*L .
• If the width of the Gaussian is large, this gives a way of, given z,
• approximating the closest lattice to z.
• Quantum reduction, given algorithm for approximating
• closest vector in L*, to sampling from DL .

To erase x, compute x given z=x+y:

Improving the Efficiency

• Based on cyclic lattices:
• Lattices where the basis consists of vector v, and
• all its cyclic shifts.
• Much more succinct. Key size n2 -> n
• Faster computation – use Fourier transforms.
• [Piekart, Rosen] collision resistant hash functions.
• [Gentry] Homomorphic encryption.

Open Questions

• Is there a quantum algorithm to find a short
• vector in a cyclic lattice?
• Does the van Dam, Hallgren, Ip quantum algorithm for
• breaking homomorphic encryption extend to
• Gentry’s scheme?
• Is it possible to speed up Kuperberg’s quantum
• reconstruction algorithm for the dihedral HSP?
• Is it possible to design a public-key cryptosystem
• based on cyclic lattices?

Greater Security?

[Hallgren, Moore, Roettler, Russell, Sen 06] provide

very strong evidence of quantum hardness:

Hg1

Hg2

Hgk

k < poly(n) implies exponentially many measurements

For sufficiently non-abelian groups. Eg Sn, GLn

in particular: graph isomorphism.

Sufficiently non-abelian ~ exponential sized irreps + …

Can one base public-key cryptography on these stronger

impossibility results?

[Moore, Russell, V] One-way function, related to McEliese

Cryptosystem, based on hardness of HSP over

Goals of Quantum Algorithms/Complexity

• Find exponential speedups for a range of natural
• computational problems.
• Establish the limits of quantum algorithms.
• Relate quantum complexity classes, such as BQP and
• QMA, to classical complexity classes, such as
• BPP, MA, PH.

An Old Question in Quantum Complexity Theory

• Is BQP C PH?
• [Bernstein, V ‘93] There is an oracle A: BQPA C MAA
• Conjectured that same holds for PH – that recursive
• fourier sampling is in BQP but not in PH.
• [Aaronson ‘09] Conjecture: Fourier checking is in
• BQP, but not in PH.
• Proof that this is true under the generalized Linial-Nisan
• conjecture.
• The original Linial-Nisan conjecture states that
• logn-wise independent distributions fool AC0 circuits.
• Resolved by Braverman. Generalized = almost logn-wise.

Hamiltonian Complexity

Computational complexity <--> condensed matter physics

• H = H1 + … + Hm , each Hi k-local.
• [Kitaev] Computing ground energy of H is QMA-hard.
• [Aharonov, et. al.] Adiabatic quantum computation is
• universal.
• [Hastings] Area law for 1-D local Hamiltonians.
• Efficient simulation of gapped Hamiltonians.
• [Aharonov, Gottesman, Irani, Kempe] Computing
• ground states of 1-D local Hamiltonians QMA-hard.

Quantum PCP theorem?

• Given a promise that k-local hamiltonian H has
• either ground energy 0 or cm for constant c,
• determine which.
• Classical PCP theorem is a cornerstone of classical
• complexity theory.
• Theory of inapproximability, room temperature QC
• [Aharonov, Arad, Landau, V] quantum gap amplification.

How do you verify a theory where you require

• exponential resources to calculate the predicted
• outcome of the experiment?
• Multiply N = PQ. See if quantum computer can
• Factor.
• How do you verify the claims of a company
• New-Wave, that claims to have built a quantum
• Computer?
• [Aharonov, et. Al.], [Broadbent, et. Al.]
• Quantum interactive proofs.

Conclusions

Quantum algorithms and complexity theory explore

fundamental questions with profound implications:

• Quantum resistant cryptography.
• Probabilistic method <--> quantum method
• Quantum complexity <--> classical complexity
• quantum complexity theory <--> condensed matter physics
• Verifying quantum computations.