Download Another version - Scott Aaronson

Exploring the Limits of the
Efficiently Computable
(Or: Assorted things I’ve worked on, prioritizing variety
over intellectual coherence)
Scott Aaronson (MIT)
Papers & slides at www.scottaaronson.com
Quantum Mechanics in One Slide
Probability Theory:
Quantum Mechanics:
 s11  s1n   p1   q1 

   
          
s  s  p  q 
nn   n 
 n1
 n
 u11  u1n  1   1 

   
          
 u  u      
nn   n 
 n1
 n
pi  0,
n
p
i 1
i
1
Linear transformations
that conserve 1-norm of
probability vectors:
Stochastic matrices
 i  C,
n

i 1
2
i
1
Linear transformations
that conserve 2-norm of
amplitude vectors:
Unitary matrices
Quantum Computing
A general entangled state of n qubits requires ~2n amplitudes
to specify:
x
x0,1n
 

x
Presents an obvious practical problem when using
conventional computers to simulate quantum mechanics
Feynman 1981: So then why not turn things around, and
build computers that themselves exploit superposition?
Could such a machine get any advantage over a classical
computer with a random number generator? If so, it would
have to come from interference between amplitudes
BQP (Bounded-Error Quantum Polynomial-Time): The class
of problems solvable efficiently by aInteresting
quantum computer,
defined by Bernstein and Vazirani in 1993
Shor 1994: Factoring integers is in BQP
NP-complete
NP
BQP
Factoring
P
But factoring is not
believed to be NPcomplete!
So, evidence for P≠BQP?
Limits of BQP?
BosonSampling
Suppose we just want a quantum system for which there’s
good evidence that it’s hard to simulate classically—we don’t
care what it’s useful for
A.-Arkhipov 2011, Bremner-Jozsa-Shepherd 2011: In that
case, we can plausibly improve both the hardware
We showed: if a fast, classical
requirements and the evidence for classicalExperimental
hardness,
exact
of algorithm
demonstrations with 3-4
compared
to simulation
Shor’s factoring
BosonSampling is possible,
photons achieved (by
Ourhierarchy
proposal:
then the polynomial
groups in Oxford,
Identical
single Brisbane, Rome, Vienna)
collapses to the third
level.
photons sent
through network of
interferometers,
then measured at
output modes
Key Idea
The probability of each output configuration has the
form |Per(A)|2, where A is a matrix of transition
n
amplitudes and
Per A 
a  


S n i 1
i,
i
is the permanent, a well-known #P-complete function
Does this mean quantum optics lets us solve #P-complete
problems efficiently? Sounds too good to be true…
Nevertheless, the fact that complex permanents are #Pcomplete to approximate lets us indirectly prove
hardness results even just for permanental sampling
BQP vs. the Polynomial Hierarchy
Can a quantum computer solve problems for which a classical
computer can’t even efficiently verify the answers? Or better
yet: that are still classically hard even if P=NP?
Boils down to: are there problems in BQP but not in PH?
BosonSampling: A candidate for such a problem. If it’s
solvable anywhere in BPPPH, then PH collapses.
A. 2009: Unconditionally, there’s a black-box sampling
problem (Fourier Sampling) solvable in BQP but not in BPPPH
Given a Boolean function
output
z{0,1}n
f : 0,1   1,1
n
2
ˆ
with probability f  z  
 fˆ z  : 1
n

2

  1
x z
x0 ,1n

f  x 


The Quantum Black-Box Model
The setting for much of what we know about the power of
quantum algorithms
i
X=x1…xN
xi
X
“Query complexity” of f: The minimum
number of queries used by any
i ,a,w i, athat
, w outputs
 if(X),
, a high
xi , w
algorithm
, a , w iwith
probability,
every a=“answer
X of interest
to us
(i=“queryfor
register,”
register,”
w=“workspace”)
An algorithm can make query transformations, which map


as well as arbitrary unitary transformations that don’t depend
on X (we won’t worry about their computational cost).
Its goal is to learn some property f(X) (for example: is X 1-to-1?)
Example 1: Grover search problem. Given
X(1),…,X(N){0,1}, find an i such that X(i)=1. A quantum
computer can solve with O(N) queries, but no faster!
Example 2: Period-finding (heart of Shor’s algorithm).
Given a sequence X(1),…,X(N) that repeats with period
rN, find the period. A quantum computer can do this
with only O(1) queries—huge speedup over classical!
Example 3: The Collision Problem. Given a 2-to-1
sequence X(1),…,X(N), find a collision (i.e., two
indices i,j such that X(i)=X(j))
10 4 1 8 7 9 11 5 6 4 2 10 3 2 7 9 11 5 1 6 3 8
“More
structured
than Grover search,
less
Models the
breaking
of collision-resistant
hash but
functions—
than
Shor’s period-finding problem”
a centralstructured
problem in
cryptanalysis
Birthday Paradox: Classically, ~N queries are necessary
and sufficient to find a collision with high probability
Brassard-Høyer-Tapp 1997: Quantumly, ~N1/3 queries suffice
Grover search on N2/3
X(i)’s
N1/3 X(i) values queried classically
A. 2002: First quantum lower bound for the collision problem
(~N1/5 queries are needed; no exponential speedup possible)
Shi 2002: Improved lower bound of ~N1/3. Brassard-HøyerTapp’s algorithm is the best possible
Symmetric Problems
A.-Ambainis 2011: Massive generalization of collision lower
bound. If f is any problem whatsoever that’s symmetric under
permuting the inputs and outputs, and has sufficiently many
outputs (like the collision problem), then
f’s classical query complexity  (f’s quantum query complexity)7
Compare to Beals et al. 1998: If f:{0,1}N{0,1} is a total
Boolean function (like OR, AND, MAJORITY, etc.),
f’s classical query complexity  (f’s quantum query complexity)6
Upshot: Need a “structured” promise if you want an
exponential quantum speedup
What’s the largest possible
quantum speedup?
“Forrelation”: Given two Boolean functions f,g:{0,1}n{-1,1},
estimate how correlated g is with the Fourier transform of f:
1
2
3n / 2
 f x  1
x y
x , y0 ,1n
gy
 0.01?
 0.6 ?
A.-Ambainis 2014: This problem is solvable using only 1
quantum query, but requires at least ~2n/2/n queries classically
Furthermore, this separation is essentially the largest
possible! Any N-bit problem that’s solvable with k quantum
queries, is also solvable with ~N1-1/2k classical queries
Conjecture (A. 2009): Forrelation  Polynomial Hierarchy
A complexity-theoretic argument
against hidden variables?
A. 2004: Suppose that in addition to the quantum state,
there were also “hidden variables” recording the “true”
locations of particles (as in Bohmian mechanics). Then if
you could sample the hidden variables’ entire histories, you
could solve the collision problem in O(1) queries—beyond
what a “garden-variety” quantum computer can do!
1
N
x  y
N
 x f x 
x 1
2nd
Measure
register
2
f x 
Computational Complexity and the
Black-Hole Information Loss Problem
Maybe the single most striking application so far of
complexity to fundamental physics
Hawking 1970s: Black holes radiate!
The radiation seems thermal (uncorrelated with whatever
fell in)—but if quantum mechanics is true, then it can’t be
Susskind et al. 1990s: “Black-hole complementarity.” In
string theory / quantum gravity, the Hawking radiation
should just be a scrambled re-encoding of the same
quantum states that are also inside the black hole
The Firewall Paradox [Almheiri et al. 2012]
If the black hole interior is “built”
out of the same qubits coming out as
Hawking radiation, then why can’t
we do something to those Hawking
qubits (after waiting ~1070 years for
enough to come out), then dive into
the black hole, and see that we’ve
completely destroyed the spacetime
geometry in the interior?
Entanglement among
Hawking photons detected!
Harlow-Hayden 2013: Sure, there’s some unitary
transformation that Alice could apply to the Hawking
radiation, that would generate a “firewall” inside the event
horizon. But how long would it take her to apply it?
Plausible answer: Exponential in the number of qubits
inside the black hole! Or for an astrophysical black hole,
1070
years
She wouldn’t have made a dent before the black hole had
already evaporated anyway! So … problem solved?
~2
HH’s argument: If Alice could achieve (a plausible formalization of) her
decoding task, then she could also efficiently solve the
collision problem
My strengthening: Harlow-Hayden decoding is as
hard as inverting an arbitrary one-way function

RBH

1
2
2 n 1
 f x, s, a x  s   a
x , s0,1 , a0,1
n
R
B
x, s
H
R: “old” Hawking photons / B: photons just coming out / H: still in black hole
B is maximally entangled with the last qubit of R. But in order to
see that B and R are even classically correlated, one would need to
learn xs (a “hardcore bit” of f), and therefore invert f
With realistic dynamics, the decoding task seems like it should only
be “harder” than in this model case (though unclear how to
formalize that)
Is the geometry of spacetime protected by
an armor of computational complexity?
Quantum Money
Idea: Quantum states that can be created
by a bank, traded as currency, and
verified as legitimate, but can’t be cloned
by counterfeiters, because of quantum
mechanics’ No-Cloning Theorem

 
Wiesner ca. 1970: First quantum money scheme, but only
the bank could verify the bills. If anyone can verify a bill, then
computational assumptions clearly needed, in addition to QM
A.-Christiano 2012: First quantum money scheme where
anyone can verify a bill, and whose security is based on a
“conventional” crypto assumption
Our Hidden Subspace Scheme
Quantum money state:
A :
1
2
n/4
x
xA
A  R GF 2 
n
n
dim  A 
2
Mint can easily choose a random A and prepare |A
Corresponding “serial number” s: Somehow describes
how to check membership in A and in A (the dual
subspace of A), yet doesn’t reveal A or A
Our proposal: Random low-degree polynomials p1,…,pm
and q1,…,qm that vanish on A and A respectively
Procedure to Verify Money State
(assuming ability to decide membership in A and A)
1. Project onto A elements
A
(reject if this fails)
2. Hadamard all n qubits to
map |A to |A
3. Project onto A elements
A
(reject if this fails)
4. Hadamard all n qubits to
return state to |A
Theorem: The above just implements a projection onto
|A—i.e., it accepts | with probability ||A|2
Security
Theorem: There’s no efficient counterfeiting procedure,
assuming there’s no an efficient quantum algorithm to
learn a basis for A with 2-O(n) probability, given p1,…,pm
and q1,…,qm. [Recently: Attack on noiseless version of scheme]
Theorem: If the A and A membership tests are black
boxes, then any counterfeiting procedure requires Ω(2n/2)
queries to them.
Some Future Directions
Quantum copy-protected software
Complexity theory of quantum states and unitary
transformations
Classification of quantum gate sets
Noisy BosonSampling
The power of quantum proofs