Download Arthur-Merlin and Black-Box Groups in Quantum

Arthur, Merlin, and Black-Box
Groups in Quantum Computing
Or, How Laci Did Quantum Stuff Without Knowing It
Scott Aaronson (MIT)
I’ll tell the story of a few of Laci’s brainchildren
from the 80s—MA, AM, black-box groups—and
how they came to play a major role in quantum
computing theory
What should you conclude from this?
(1) Laci works on the trendiest areas before they
even exist
(2) Quantum computing can’t be that scary
(3) Beautiful mathematical structures (like finite
groups) do useful things in TCS (like giving natural
examples where quantum computing seems to outperform
classical)
2 / 17
Dramatis Personae: Merlin & Arthur
Input x{0,1}n
Is xL?
Witness w{0,1}p(n)
All-knowing prover
Polynomial-time verifier
Babai’s probabilistic generalizations of NP:
MA (Merlin-Arthur): Class of languages L for which, if
the answer is “yes,” there’s a polynomial-size proof that
Arthur can check in probabilistic polynomial-time
AM (Arthur-Merlin): Same, except that now Arthur can
also submit a random challenge to Merlin
3 / 17
[Klivans-van Melkebeek ‘99] Under plausible complexity
assumptions, AM=MA=NP
But in the black-box setting, these classes can be
extremely different!
Example: Suppose Merlin wants to convince Arthur that
is one-to-one rather than two-to-one
In NP or MA, he can’t!
But in AM, Arthur can pick a random input x{0,1}n,
then compute f(x), send it to Merlin and ask what x was
4 / 17
Quantum Mechanics In One Slide
State of n “qubits” is a unit vector in
:
(you get used to the asymmetric
brackets with time)
2n orthogonal basis vectors: |0…0, …, |1…1
Usual initial state: |0…0
You can multiply the vector of x’s (amplitudes) by a 2n2n
unitary matrix U (matrix that maps unit vectors to unit vectors)
If you measure the state |, you see outcome |x with
probability |x|2. Also, the state collapses to |x
Central phenomenon that QC exploits: interference
between positive and negative amplitudes
5 / 17
Quantum Analogues of NP
QMA (Quantum Merlin-Arthur): Class of problems for
which, if the answer is “yes,” there’s a quantum proof
| with poly(n) qubits, which can be checked by a
polynomial-time quantum verifier
QCMA (Quantum Classical Merlin-Arthur): Same as
QMA, except now the proof needs to be classical
FUNDAMENTAL QUESTION
Does QMA = QCMA?
Intuitively: Can a quantum proof be exponentially more
compact than its shortest classical counterpart?
6 / 17
Bestiary
PH
P#P
QAM
AM
QMA
NP
P
MA
BPP
QCMA
BQP
7 / 17
Black-Box Groups
Unknown finite group G, of order 2poly(n)
Input: MeaninglessFrom now on, we’ll abuse
Output: Labels of
notation
and
identify
an
strings that label
-1
gh
or
g
element gG with its label
elements of G
We’re given: Generators g1,…,gk of G; ability to
recognize the identity element e
Quantum analogue:
Important point: In the quantum case, every element
of G must have a unique label!
8 / 17
The Group Membership Problem
Given: Black-box group G, subgroup HG
(specified by generators), element xG
Problem: Is xH?
x
G
H
Membership in H can be proved in NP [Babai-Szemerédi’84]
But what about proving non-membership in H?
Fact: For some groups G (even abelian groups), there’s no
small NP proof (or even MA proof) for non-membership
(Non-membership can always be proved in AM, using
protocols for approximate counting)
9 / 17
There is always a QMA witness of
non-membership! [Watrous 2000]
Merlin’s “quantum proof” for xH (in the honest case):
(equal superposition over elements of H)
Note: |H might be exponentially hard to prepare!
Sampling a random element of H isn’t enough
Given this proof, Arthur prepares
where |Hx is an equal superposition over the elements
of the right coset Hx
Then he applies the Hadamard transform
to the first qubit and measures that qubit
10 / 17
First suppose xH. Then |H=|Hx
HADAMARD
so |0 is observed with probability 1
Next suppose xH. Then |H and |Hx are orthogonal
HADAMARD
so |0 and |1 are equally likely to be observed
Ah, but how does Arthur check that Merlin’s witness
| is really |H, and not some other state?
Step 1: Use a random walk [Babai’91] to generate
nearly-random elements gG and hH
Step 2: Check that | behaves like |H on all gG and
11 / 17
hH that are tested
So, can Group Non-Membership be used
to prove an oracle separation between
QMA and QCMA?
Alas, no.
Theorem [A.-Kuperberg 2007]: Group Non-Membership
has polynomial-size classical proofs, which can be verified
using poly(n) quantum queries to the group oracle
(and possibly exponential post-computation—though
even that can be removed under plausible grouptheoretic conjectures)
12 / 17
Idea of proof: “Pull the group out of the black box”
Isomorphism f
claimed by
Merlin
Explicit group 
Black-box group G
To check that f is (close to) a homomorphism, Arthur uses a
classical homomorphism tester of [Blum-Luby-Rubinfeld]
Assuming f is a homomorphism, f is 1-to-1  Ker f is trivial
This yields an instance of the Hidden Subgroup Problem!
[Ettinger-Høyer-Knill ‘97] show that for any group G, HSP is
solvable with poly(n) quantum queries to the group oracle
13 / 17
Communication Complexity Challenge
Group theorists in the audience: please pay attention
G
Finite group
known to both players
Subgroup HG
1-WAY message mH
Is xH?
Element xG
Best deterministic protocol: Alice sends Bob log2|G|
bits (the generators of H)
Best quantum protocol: Alice sends Bob log|G| qubits,
Then Bob runs the Watrous protocol to decide if xH
14 / 17
$50 Challenge: Does there exist a family of groups {Gn},
for which any classical randomized protocol needs
(log|Gn|) bits? (Ideally (log2|Gn|)?)
Would yield the first asymptotic gap between 1-way
randomized and 1-way quantum communication
complexities, for a total Boolean function
[A., Le Gall, Russell, Tani 2009]: If G is abelian—or if G
has constant-dimensional irreps, or if
is a normal
subgroup—then there’s a classical randomized protocol
that uses only O(log|G|) communication
15 / 17
Conclusion: Why Do Quantum Computing
and Finite Groups Mesh So Well?
Finite groups are “rigid” objects
Any two right-cosets of HG are either identical or disjoint
Any two distinct subgroups differ on a constant fraction of elements
And we want that “rigidity” in quantum algorithms and
protocols, to create interesting interference patterns
Also, the fact that elements have unique inverses means
that we can apply group operations reversibly
Still, understanding the interplay of quantum computing
with (badly) nonabelian groups remains a challenge
Most famous example of that, which I only touched on: the
Nonabelian Hidden Subgroup Problem
16 / 17
More Open Problems
Is there a QMA protocol to prove that a black-box
function f:{0,1}n{0,1}n is one-to-one rather than
two-to-one?
In 2002, I showed this problem is not in BQP; indeed any
quantum algorithm needs (2n/3) time [A.-Shi 2002]
It’s still open to prove an oracle separation between
QMA and QCMA!
[A.-Kuperberg 2007] proved a “quantum oracle separation”
Can we give an oracle relative to which BQPAM?
[A. 2010]: The “Generalized Linial-Nisan Conjecture” would
imply an oracle relative to which BQPPH
Original Linial-Nisan Conjecture: Proved by [Braverman 2009]
Laci actually thought of it before Linial-Nisan
17 / 17