Quantum Money from
Hidden Subspaces
Scott Aaronson (MIT)
Joint work with Paul Christiano
Ever since there’s been money, there’ve been people
trying to counterfeit it
Previous work on the physics of money:
In his capacity as Master of the Mint, Isaac Newton
worked on making English coins harder to counterfeit
(He also personally oversaw hangings of counterfeiters)
Today: Holograms, embedded
strips, “microprinting,” special
inks…
Leads to an arms race with no
obvious winner
Problem: From a CS perspective, uncopyable cash
seems impossible for trivial reasons
Any printing technology the good guys can
build, bad guys can in principle build also
$x \mapsto (x, x)$ is a polynomial-time operation
What’s done in practice: Have a trusted third party
authorize every transaction
(BitCoin: “Trusted third party” is
distributed over the Internet)
OK, but sometimes you want cash, and that seems
impossible to secure, at least in classical physics…
The No-Cloning Theorem
No physical procedure can take an unknown
quantum state and output two copies of it
(or even a close approximation thereof)
First Idea in the History of Quantum Info
Wiesner 1969: Money that’s information-theoretically
impossible to counterfeit, assuming quantum mechanics
Each banknote contains n qubits, secretly prepared in one of the 4 states $|0\rangle, |1\rangle, |+\rangle, |-\rangle$
In a giant database, the bank remembers how it prepared every qubit on every banknote
(Recent) Theorem: A counterfeiter who doesn't know the state can copy it with probability at most $(3/4)^n$
Want to verify a banknote? Take it to the bank. Bank uses its knowledge to measure each qubit in the right basis: $\{|0\rangle, |1\rangle\}$ or $\{|+\rangle, |-\rangle\}$
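As an added illustration (not part of the talk), the following Python works out exactly what the obvious measure-and-resend counterfeiter achieves against one Wiesner qubit: guess a basis, measure, and prepare two fresh qubits in the observed state (one to keep, one to spend). Per qubit, a single resent copy passes the bank's check with probability 3/4, but both copies pass with probability only 5/8, so this attack yields two passing n-qubit notes with probability $(5/8)^n$; the theorem quoted above says that no attack at all does better than $(3/4)^n$. The 2-vectors for the four states and the bank/counterfeiter functions are the example's own construction.

```python
"""Wiesner's scheme at the single-qubit level, with the obvious
measure-and-resend counterfeiter.  Added example, not from the talk: it
computes exactly (no sampling) how often that counterfeiter's copies pass
the bank's check, for comparison with the (3/4)^n theorem."""
from fractions import Fraction
import itertools
import math

# The four Wiesner states as real 2-vectors.
# basis 0 = {|0>, |1>}, basis 1 = {|+>, |->}; BASES[b][bit] is the state.
BASES = {
    0: [(1.0, 0.0), (0.0, 1.0)],
    1: [(1 / math.sqrt(2), 1 / math.sqrt(2)),
        (1 / math.sqrt(2), -1 / math.sqrt(2))],
}


def measure_probs(state, basis):
    """Born rule: Pr[outcome b] = |<b|state>|^2 in the chosen basis.
    Rounded so the exact values 0, 1/2, 1 survive floating point."""
    return [round((v[0] * state[0] + v[1] * state[1]) ** 2, 12)
            for v in BASES[basis]]


def bank_accepts(state, basis, bit):
    """The bank measures in the basis it used and expects its own bit."""
    return measure_probs(state, basis)[bit]


def measure_resend_attack():
    """Counterfeiter guesses a basis, measures the qubit, and prepares TWO
    fresh qubits in the observed state.  Returns exact per-qubit
    (Pr[one copy passes], Pr[both copies pass]), averaged over the bank's
    uniformly random basis and bit and the counterfeiter's uniform guess."""
    one = Fraction(0)
    both = Fraction(0)
    cases = list(itertools.product((0, 1), (0, 1), (0, 1)))  # basis, bit, guess
    for basis, bit, guess in cases:
        original = BASES[basis][bit]
        for outcome, p_out in enumerate(measure_probs(original, guess)):
            if p_out == 0:
                continue
            copy = BASES[guess][outcome]            # both copies are this state
            p_pass = Fraction(bank_accepts(copy, basis, bit)).limit_denominator(1024)
            w = Fraction(p_out).limit_denominator(1024) / len(cases)
            one += w * p_pass
            both += w * p_pass ** 2                 # copies are checked independently
    return one, both


def banknote_pass_probability(n):
    """Scale the per-qubit figures up to an n-qubit banknote."""
    one, both = measure_resend_attack()
    return {
        "one_copy": one ** n,
        "both_copies": both ** n,
        "theorem_bound": Fraction(3, 4) ** n,
    }


if __name__ == "__main__":
    print(measure_resend_attack())
    print(banknote_pass_probability(20))
```

The gap between 5/8 and 3/4 is the room the theorem leaves for a cleverer (joint, non-measuring) cloner; it does not say the naive attack is optimal.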
Drawbacks of Wiesner’s Scheme
1. Banknotes could decohere in microseconds in your
wallet—the “Schrödinger’s money problem”!
The reason why quantum money isn’t yet practical, in
contrast to (say) quantum key distribution
2. Bank needs a big database describing every banknote
Solution (Bennett et al. ‘82): Pseudorandom functions
3. Only the bank knows how to verify the money
4. Scheme can be broken by interacting with the bank
“Modern” Goal: Public-Key Quantum Money
Easy to prepare, hard to copy, verifiable by anyone
[Diagram: KeyGen outputs $(k_{\mathrm{private}}, k_{\mathrm{public}})$; Mint uses $k_{\mathrm{private}}$ to produce banknotes $|\$_1\rangle, |\$_2\rangle, \ldots$; Ver uses $k_{\mathrm{public}}$]
Formally, a public-key quantum money scheme S consists of three polynomial-time quantum algorithms:
KeyGen($0^n$): Generates key pair $(k_{\mathrm{private}}, k_{\mathrm{public}})$
Mint($k_{\mathrm{private}}$): Generates quantum banknote $|\$\rangle$
Ver($k_{\mathrm{public}}$, $|¢\rangle$): Accepts or rejects claimed banknote $|¢\rangle$
S has completeness error $\varepsilon$ if for all $k_{\mathrm{public}}$ and valid $|\$\rangle$,
$$\Pr\left[\mathrm{Ver}(k_{\mathrm{public}}, |\$\rangle)\ \text{accepts}\right] \ge 1 - \varepsilon.$$
S has soundness error $\delta$ if for all polynomial-time counterfeiters C mapping q banknotes to r > q banknotes,
$$\Pr\left[\mathrm{Count}\big(k_{\mathrm{public}},\ C(k_{\mathrm{public}}, |\$_1\rangle, \ldots, |\$_q\rangle)\big) > q\right] \le \delta,$$
where Count returns the number of C's output registers $|¢_1\rangle, \ldots, |¢_r\rangle$ that Ver accepts
Private-key quantum money scheme: Same except that $k_{\mathrm{public}} = k_{\mathrm{private}}$
Basic Observations
Not obvious that public-key quantum money is possible!
If it is, will certainly require computational assumptions,
in addition to quantum mechanics
Yet totally unclear which computational assumptions!
Copying $|\$\rangle$ need not involve learning a classical secret
Without loss of generality, quantum money is reusable.
If the completeness error is $\varepsilon$, then it's possible to verify
banknotes in a way that damages the valid ones by at most $\sqrt{\varepsilon}$
in trace distance ($\Rightarrow$ reusable $\sim 1/\sqrt{\varepsilon}$ times)
Can amplify completeness error to 1/exp(n) by
repetition, without much harming the soundness error
Previous Work on Public-Key Quantum Money
A., CCC’2009
Defined the concept
Secure construction using a quantum
oracle (but security proof never published)
Explicit candidate scheme based on
random stabilizer states—broken by
Lutomirski et al. 2010
Farhi et al. 2010:
Attack on large class
of public-key quantum
money schemes
(to foil, use highly-entangled banknotes!)
Farhi et al., ITCS’2012: “Quantum money from knots”
Important, original proposal, but little known about security
Not even known which states $|\psi\rangle$ the verifier accepts
Lutomirski 2011: “Abstract” version of knot scheme using a
classical oracle (but proving its security still wide open; seems hard)
Our work: A new public-key quantum money scheme, based on hidden subspaces
Much simpler than previous schemes: Verifier just projects onto valid money states, by measuring in two complementary bases
Same construction yields the first private-key scheme that's provably “interactively secure”
For the first time, can base security on an assumption (about multivariate polynomial cryptography) that has nothing to do with quantum money
Also for first time, can prove “abstract” version of scheme (involving a classical oracle) is unconditionally secure
Overview of Our Construction
Public-Key Quantum Money Scheme, built from two ingredients:
“Mini-Scheme”: Mint prints a single banknote $(s, |\psi_s\rangle)$ s.t. copying $|\psi_s\rangle$ is hard
Signature Scheme: Secure against nonadaptive quantum chosen-message attacks (from Rompel 1990, given an OWF secure against quantum attacks)
“Standard Construction” of Quantum
Money from Mini-Schemes + Signatures
(Introduced by Lutomirski et al.; analyzed by us)
$$|\$\rangle := \big(s,\ |\psi_s\rangle,\ \mathrm{Sign}(k_{\mathrm{private}}, s)\big)$$
To verify the banknote $|\$\rangle = (s, |\psi_s\rangle, w)$:
1. Check that $(s, |\psi_s\rangle)$ is valid
2. Check that w is a valid digital signature of s
Theorem: If you can create counterfeit banknotes $|\$\rangle$, then
either you can copy $|\psi_s\rangle$'s, or else you can forge signatures
The Hidden Subspace Mini-Scheme
Quantum money state:
$$|A\rangle := \frac{1}{2^{n/4}} \sum_{x \in A} |x\rangle, \qquad A \subseteq_R \mathrm{GF}(2)^n,\ \ \dim(A) = \frac{n}{2}$$
Mint can easily choose a random A and prepare $|A\rangle$
Corresponding “serial number” s: Somehow describes how to check membership in A and in $A^\perp$ (the dual subspace of A), yet doesn't reveal A or $A^\perp$
Procedure to Verify Money State
(assuming ability to decide membership in A and $A^\perp$)
1. Project onto A elements (reject if this fails)
2. Hadamard all n qubits to map $|A\rangle$ to $|A^\perp\rangle$
3. Project onto $A^\perp$ elements (reject if this fails)
4. Hadamard all n qubits to return state to $|A\rangle$
Theorem: The above just implements a projection onto $|A\rangle\langle A|$, i.e., it accepts $|\psi\rangle$ with probability $|\langle\psi|A\rangle|^2$
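The following Python simulation (added here, not the authors' code) checks the facts behind this theorem on a random n/2-dimensional $A \subseteq \mathrm{GF}(2)^n$ for tiny n, working directly with the $2^n$ amplitudes: $H^{\otimes n}$ maps $|A\rangle$ to $|A^\perp\rangle$; a genuine $|A\rangle$ is accepted with probability 1 and handed back intact; and an arbitrary $|\psi\rangle$ is accepted with probability $|\langle\psi|A\rangle|^2$, which for the single basis state $|x\rangle$, $x \in A$, that a standard-basis measurement of $|A\rangle$ leaves a counterfeiter with is only $2^{-n/2}$. The reason the four steps compose to $|A\rangle\langle A|$ is that projecting $H^{\otimes n} P_A |\psi\rangle$ onto $A^\perp$ leaves the same amplitude $2^{-n/2}\sum_{x \in A}\psi(x)$ on every $y \in A^\perp$, so $P_{A^\perp} H^{\otimes n} P_A = |A^\perp\rangle\langle A|$. All function names and the choice of n are the example's own.

```python
"""Classical simulation of the hidden-subspace money state |A> and the
two-basis verifier.  Added example, not code from the paper; n is tiny so
the 2^n amplitudes fit in a plain Python list."""
import math
import random


def parity(v):
    return bin(v).count("1") % 2


def gf2_span(basis):
    """All vectors (n-bit ints) spanned over GF(2) by the given basis."""
    vecs = {0}
    for b in basis:
        vecs |= {v ^ b for v in vecs}
    return vecs


def random_subspace(n, k, rng):
    """Uniformly random k-dimensional subspace of GF(2)^n, as a set of ints."""
    basis = []
    while len(basis) < k:
        v = rng.getrandbits(n)
        if v not in gf2_span(basis):          # keeps the basis independent
            basis.append(v)
    return gf2_span(basis)


def dual_subspace(A, n):
    """A^perp = { y : x.y = 0 (mod 2) for every x in A }."""
    return {y for y in range(2 ** n) if all(parity(x & y) == 0 for x in A)}


def subspace_state(S, n):
    """|S> = |S|^{-1/2} sum_{x in S} |x>, as a list of 2^n real amplitudes."""
    amp = 1 / math.sqrt(len(S))
    return [amp if x in S else 0.0 for x in range(2 ** n)]


def hadamard_all(psi, n):
    """H^{(x)n}: phi(y) = 2^{-n/2} sum_x (-1)^{x.y} psi(x)."""
    scale = 1 / math.sqrt(2 ** n)
    support = [x for x, a in enumerate(psi) if a != 0.0]
    return [scale * sum(psi[x] * (-1) ** parity(x & y) for x in support)
            for y in range(2 ** n)]


def project(psi, S):
    """Measure 'is x in S?'. Returns (Pr[yes], renormalised post-state or None)."""
    kept = [a if x in S else 0.0 for x, a in enumerate(psi)]
    prob = sum(a * a for a in kept)
    if prob < 1e-15:
        return 0.0, None
    norm = math.sqrt(prob)
    return prob, [a / norm for a in kept]


def verify(psi, A, Aperp, n):
    """The four verifier steps: project onto A, H^n, project onto A^perp, H^n.
    Returns (acceptance probability, state handed back on acceptance)."""
    p1, psi = project(psi, A)
    if psi is None:
        return 0.0, None
    psi = hadamard_all(psi, n)
    p2, psi = project(psi, Aperp)
    if psi is None:
        return 0.0, None
    return p1 * p2, hadamard_all(psi, n)


def overlap(phi, psi):
    return sum(a * b for a, b in zip(phi, psi))


def demo(n=6, seed=1):
    """Checks the facts behind the theorem for one random dim-n/2 subspace A."""
    rng = random.Random(seed)
    A = random_subspace(n, n // 2, rng)
    Aperp = dual_subspace(A, n)
    stateA = subspace_state(A, n)
    # (1) H^n maps |A> to |A^perp>, which is what step 2 relies on.
    h_err = max(abs(a - b) for a, b in zip(hadamard_all(stateA, n),
                                            subspace_state(Aperp, n)))
    # (2) A genuine banknote is accepted with probability 1 and comes back intact.
    p_valid, after = verify(stateA, A, Aperp, n)
    # (3) Ver is the projector |A><A|: |psi> is accepted with probability
    #     |<psi|A>|^2.  Tried on |A'> for a second random subspace A' ...
    stateA2 = subspace_state(random_subspace(n, n // 2, rng), n)
    p_other, _ = verify(stateA2, A, Aperp, n)
    #     ... and on |x> for one x in A, i.e. what a standard-basis measurement
    #     of |A> would leave a counterfeiter with: |<x|A>|^2 = 2^{-n/2}.
    x = max(A)
    p_basis, _ = verify([1.0 if i == x else 0.0 for i in range(2 ** n)], A, Aperp, n)
    return {
        "hadamard_error": h_err,
        "p_valid": p_valid,
        "valid_damage": abs(1.0 - overlap(after, stateA)),
        "p_other": p_other,
        "overlap_sq": overlap(stateA2, stateA) ** 2,
        "p_basis": p_basis,
    }


if __name__ == "__main__":
    print(demo())
```

The membership oracles here are just set lookups (the black-box model); the whole difficulty of the public-key scheme is replacing them with something publishable, which is what the multivariate-polynomial instantiation later in the talk does.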
Security of the Black-Box Scheme
Valid Banknotes: $(s_1, |A_1\rangle)$, $(s_2, |A_2\rangle)$, … ; $A, A^\perp$ Membership Oracles: $(O_1, O_1^\perp)$, $(O_2, O_2^\perp)$, …
Intuitively, what can the counterfeiter do?
Measure $|A_i\rangle$: just yields one $A_i$ or $A_i^\perp$ element
Query $O_i$ or $O_i^\perp$ to learn a basis for $A_i$: takes $\Omega(2^{n/4})$ queries, by the BBBV Theorem (optimality of Grover search)
Need to show: $2^{\Omega(n)}$ quantum queries to $O_i$ and $O_i^\perp$ are needed, even just to map $|A_i\rangle$ to $|A_i\rangle^{\otimes 2}$
Common generalization of No-Cloning Theorem and BBBV Theorem
Idea: Look at Inner Products
A, A': “neighboring” n/2-dimensional subspaces in $\mathrm{GF}(2)^n$, i.e., sharing an $(n/2-1)$-dimensional intersection
[Figure: the two overlapping subspaces A and A', with
$$\langle A|A'\rangle = \frac{|A \cap A'|}{2^{n/2}} = \frac{1}{2}, \qquad \langle A^\perp|A'^\perp\rangle = \frac{1}{2}$$]
Use Ambainis's quantum adversary method to show that the inner product between $|A\rangle$ and $|A'\rangle$ can decrease by at most $\sim 2^{-n/4}$, as the result of a single query to $O_A$ or $O_{A^\perp}$
Problem: A query can decrease the inner product by $\Omega(1)$ for some $|A\rangle, |A'\rangle$ pairs! But we show that it can't for most pairs
The same construction immediately yields the first…
Private-Key Quantum Money (with no oracle)
Secure Against Interactive Attack
[Diagram: banknotes $(s_1, |A_1\rangle)$, $(s_2, |A_2\rangle)$, … are submitted to the bank as verification requests and handed back]
Suppose $|A_i\rangle$ could be copied using poly(n) verification requests to the bank
Then $|A_i\rangle$ could also be copied in our public-key scheme, using poly(n) oracle queries!
But if we want public-key money, we still
have to face an interesting, purely-classical…
Obfuscation Challenge: “Instantiate” the oracles $O_A$ and $O_{A^\perp}$, without revealing A
Our Proposal: Use Multivariate Polynomials
For each money state $|A\rangle$, mint publishes (as $|A\rangle$'s “serial number”) uniformly-random degree-d polynomials
$$p_1, \ldots, p_{2n},\ q_1, \ldots, q_{2n} : \mathrm{GF}(2)^n \to \mathrm{GF}(2),$$
such that all $p_i$'s vanish on A and all $q_i$'s vanish on $A^\perp$.
The $p_i$'s and $q_i$'s can be generated in $n^{O(d)}$ time: generate them assuming $A = \mathrm{span}(x_1, \ldots, x_{n/2})$; then apply a linear transformation
Verifying $|A\rangle$ is simple! With overwhelming probability,
$$x \in A \iff p_1(x) = \cdots = p_{2n}(x) = 0$$
$$x \in A^\perp \iff q_1(x) = \cdots = q_{2n}(x) = 0$$
But given only the $p_i$'s and $q_i$'s, not clear how to find any nonzero A or $A^\perp$ elements in poly-time (even quantumly)
Closely related to multivariate polynomial cryptography, and to the polynomial isomorphism problem
Our scheme is breakable when d=1 (trivially) or d=2 (using theory of quadratic forms). And there's nontrivial structure when d=3 (Bouillaguet et al. 2011). So we recommend $d \ge 4$
For more(?) security, can let an $\varepsilon$ fraction of $p_i$'s and $q_i$'s be “decoys”
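An added Python implementation (not the authors' code) of the “generate on $\mathrm{span}(x_1, \ldots, x_{n/2})$, then apply a linear transformation” recipe above, at toy size so that all of $\mathrm{GF}(2)^n$ can be enumerated to check the result. It picks a random invertible M over GF(2), sets $A = M \cdot A_0$, publishes $p_i(x) = \tilde p_i(M^{-1}x)$ for random $\tilde p_i$ whose every monomial involves some variable with index above n/2 (so $\tilde p_i$ vanishes on $A_0$), and $q_i(y) = \tilde q_i(M^{T}y)$ for random $\tilde q_i$ vanishing on $A_0^\perp$ (the transpose is because $y \cdot (Ma) = (M^{T}y) \cdot a$); then it confirms that every element of A passes the p-test and every element of $A^\perp$ passes the q-test, while essentially no other vector does. The defaults n=6, d=4 follow the $d \ge 4$ recommendation; function names, the 0-based variable indexing and the random choices are the example's own.

```python
"""Public polynomials standing in for the membership oracles O_A and O_{A^perp}.
Added example, not the authors' code.  Toy parameters (n=6, d=4, 2n polynomials
per subspace) so that all of GF(2)^n can be enumerated to check the result."""
import itertools
import random

# Representation: a vector in GF(2)^n is an n-bit int (bit j = x_j, 0-based);
# a monomial is the bitmask of its variables (x_j^2 = x_j, so multilinear
# monomials suffice); a polynomial is a frozenset of monomials, because its
# coefficients are in GF(2) and adding polynomials is symmetric difference.


def parity(v):
    return bin(v).count("1") % 2


def poly_mul(p, q):
    out = set()
    for a in p:
        for b in q:
            out ^= {a | b}            # x^2 = x: the product monomial is the union
    return frozenset(out)


def poly_eval(p, x):
    return sum((x & m) == m for m in p) % 2


def compose_linear(p, rows):
    """p(Lx), for L given as int rows: substitute x_i -> sum_j L[i][j] x_j."""
    n = len(rows)
    forms = [frozenset(1 << j for j in range(n) if rows[i] >> j & 1) for i in range(n)]
    result = set()
    for m in p:
        term = frozenset({0})         # monomial 0 = the constant 1
        for i in range(n):
            if m >> i & 1:
                term = poly_mul(term, forms[i])
        result ^= set(term)
    return frozenset(result)


def random_vanishing_poly(n, d, must_touch, rng):
    """Uniformly random degree-<=d polynomial (no constant term) whose every
    monomial uses a variable from the bitmask must_touch; it therefore
    vanishes on every x with those coordinates all zero."""
    monos = set()
    for k in range(1, d + 1):
        for combo in itertools.combinations(range(n), k):
            m = sum(1 << i for i in combo)
            if m & must_touch and rng.random() < 0.5:
                monos.add(m)
    return frozenset(monos)


def gf2_inverse(rows):
    """Gauss-Jordan on [M | I] over GF(2); rows of M^{-1}, or None if singular."""
    n = len(rows)
    aug = [rows[i] | (1 << (n + i)) for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r] >> col & 1), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r] >> col & 1:
                aug[r] ^= aug[col]
    return [aug[i] >> n for i in range(n)]


def transpose(rows):
    n = len(rows)
    return [sum((rows[j] >> i & 1) << j for j in range(n)) for i in range(n)]


def matvec(rows, x):
    return sum(parity(r & x) << i for i, r in enumerate(rows))


def mint(n, d, m, rng):
    """Hidden A = M * A0 with A0 = span(e_0..e_{n/2-1}) and M random invertible.
    Published: p_1..p_m vanishing on A and q_1..q_m vanishing on A^perp.
    x in A      iff M^{-1} x in A0,                          so p_i(x) = p~_i(M^{-1} x)
    y in A^perp iff M^T y in A0^perp = span(e_{n/2}..e_{n-1}) (since y.(Ma) = (M^T y).a),
                                                             so q_i(y) = q~_i(M^T y)"""
    half = n // 2
    while True:
        M = [rng.getrandbits(n) for _ in range(n)]
        Minv = gf2_inverse(M)
        if Minv is not None:
            break
    lo = (1 << half) - 1                  # variables x_0 .. x_{n/2-1}
    hi = ((1 << n) - 1) ^ lo              # variables x_{n/2} .. x_{n-1}
    ps = [compose_linear(random_vanishing_poly(n, d, hi, rng), Minv) for _ in range(m)]
    qs = [compose_linear(random_vanishing_poly(n, d, lo, rng), transpose(M)) for _ in range(m)]
    return M, ps, qs


def member(polys, x):
    """All a verifier holding only the serial number can do: evaluate them."""
    return all(poly_eval(p, x) == 0 for p in polys)


def demo(n=6, d=4, seed=7):
    rng = random.Random(seed)
    M, ps, qs = mint(n, d, 2 * n, rng)
    A = {matvec(M, a) for a in range(1 << (n // 2))}        # a ranges over A0
    Aperp = {y for y in range(1 << n) if all(parity(x & y) == 0 for x in A)}
    return {
        "A_passes": all(member(ps, x) for x in A),
        "Aperp_passes": all(member(qs, y) for y in Aperp),
        "false_A": sum(member(ps, x) for x in range(1 << n) if x not in A),
        "false_Aperp": sum(member(qs, y) for y in range(1 << n) if y not in Aperp),
        "max_degree": max(bin(mono).count("1") for p in ps + qs for mono in p),
        "dim_A": len(A).bit_length() - 1,
    }


if __name__ == "__main__":
    print(demo())
```

A vector outside A makes each published $p_i$ a uniformly random bit, so with 2n polynomials the chance that a wrong vector slips through is $2^{-2n}$; that is the “with overwhelming probability” in the slide, and it is what the verifier's two projections rely on when the oracle is replaced by these polynomials.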
Security Reduction
Direct Product Assumption: Given the polynomials $p_1, \ldots, p_{2n}$ and $q_1, \ldots, q_{2n}$, no polynomial-time quantum algorithm can find a generating set for A with $\Omega(2^{-n/2})$ success probability
Theorem: Assuming the DPA, our money scheme is secure
Proof Sketch: Suppose there's a counterfeiter C that maps $|A\rangle$ to $|A\rangle^{\otimes 2}$. Then to violate the DPA:
1. Prepare a uniform superposition over all $x \in \mathrm{GF}(2)^n$
2. Project onto A elements (yields $|A\rangle$ with probability $2^{-n/2}$)
3. If step 2 works, run C repeatedly to get ~n copies of $|A\rangle$
4. Measure each copy of $|A\rangle$ in the standard basis (with high probability, yields n/2 independent A elements)
Concluding Thoughts
Why worry about quantum money, if it might be even
further from practicality than scalable QC?
Niels Bohr: Uncertainty Principle should change
our conception of science itself. Even given
complete knowledge of the laws of physics,
physical systems can always “surprise” us, due
to our inability to know their initial states.
Quantum money provides a wonderful playground
for testing Bohr’s claim, while also highlighting the
role of computational complexity
Even if it decohered in seconds, public-key
quantum money could still have applications!
Example: Non-Interactive Uncloneable Signatures
Open Problems
Break our scheme! Or get stronger evidence for security
Find other ways of hiding (complementary) subspaces
Are there secure public-key quantum money schemes
relative to a random oracle?
Does private-key quantum money require either a giant
database or a cryptographic assumption?
“Practicality”
Future Direction: Quantum Copy-Protection
Finally, a serious use for quantum computing
Goal: Quantum state |f that lets you compute an
unknown function f, but doesn’t let you efficiently
create more states with which f can be computed
Relative to a classical oracle, we have a candidate
construction based on hidden subspaces. But its
security rests on a still-unproved conjecture:
Given oracle access to $O_A$ and $O_{A^\perp}$, any quantum algorithm needs $2^{\Omega(n)}$ queries to find nonzero elements $x \in A$, $y \in A^\perp$ with $\Omega(2^{-n/2})$ success probability