The Future (and Past) of Quantum Lower Bounds by Polynomials

Scott Aaronson

UC Berkeley

1. The quantum query model

2. Quantum lower bounds for collision and set comparison problems

3. Open problems

Outline

Quantum Query Model

Count only number of queries, not number of computational steps

Let X=xi…xn be input

In quantum algorithm, each basis state has form |i,z, where

i = index to query z = workspace

Query transformation O maps each |i,z to |i,zxi

(i.e. XOR’s xi into workspace)

Quantum Query Model (con’t)

Algorithm consists of interleaved queries and unitaries:

U0 O U1 … UT-1 O UT

Ut: arbitrary unitary that doesn’t depend on xi’s

(we don’t care how hard it is to implement)

At the end we measure to obtain a basis state |i,z, then output (say) first bit of z

Quantum Query Complexity

Let f(X) be the function we’re trying to compute

Algorithm computes f if it outputs f(X) with probability at least 2/3 for every X

Q(f) = minimum # of queries made by quantum algorithm that computes f

Immediate: Q(f) R(f) D(f)

R(f) = randomized query complexity

D(f) = deterministic query complexity

• Because we can prove things

Why Is This Model Interesting?

Search for car keys here

Quantum lower bounds for collision and set

comparison problems

Collision Problem• Given 1 : 1, , 1, ,nX x x n n

• Promised:

(1) X is one-to-one (permutation) or

(2) X is two-to-one

• Problem: Decide which w.h.p., using few queries to the xi

• Randomized alg: (n)

Result• Any quantum algorithm for the

collision problem uses (n1/5) queries (A, STOC’2002)

• Previously no lower bound better than (1). Open since 1997

• Shi improved to (n1/4)

(n1/3) when |range| 3n/2

Implications

• Oracle A for which SZKA BQPA

– SZK: Statistical Zero Knowledge

• No “trivial” polytime quantum algorithms for

– graph isomorphism

– nonabelian hidden subgroup

– breaking cryptographic hash functions

Brassard-Høyer-Tapp (1997)(n1/3) quantum alg for collision problem

n1/3 xi’s, queried classically,

sorted for fast lookup

Grover’s algorithm over n2/3 xi’s

Do I collide with any of the pink xi’s?

Previous Lower Bound Techniques

• Block sensitivity (Beals et al. 1998):Q(f) = (bs(f))

• Quantum adversary method (Ambainis 2000)

• Problem: Every 1-1 input differs in at least n/2 places from every 2-1 input

P(X) = acceptance probability on input X

Proposition (follows Beals et al. 1998):

P(X) is a polynomial of degree 2T over the (xi,h) 1,

0i

i

if x hx h

otherwise

, , ,i z h ih

x h

Proof: Initially, amplitude i,z of each |i,z is a degree-0 polynomial over the (xi,h).

A query replaces each i,z by

increasing its degree by 1. The Ut’s can’t increase degree.

At the end, squaring amplitudes doubles degree.

Input Distribution• D(g): Uniform distribution over g-to-1 inputs

•Technicality: g might not divide n

But assume for simplicity that it does

X D gP g EX P X•Let

• Problem: Show that, if T=O(n), then P(g) is a univariate polynomial of degree 2T for integers 1gn

Monomials of P(X)

• I(X) = product of r variables (xi,h)

, .X D gI g EX I X •Let

: 2

, .II r T

P g I g

•Then for some I,

Calculating (I,g): #1

•“Range” of I: Y. w=|Y|.

(I,g) = 0 unless YS (“range” of X)

2 .n n

S T rg n

/Pr

/

n w

n g wY S

n

n g

•So

since

Calculating (I,g): #2

• Given an S containing Y,

# of g-to-1 inputs of size n: n!/(g!)n/g

•Let {y1,…,yw} be distinct values in Y

–ri = # of times yi appears in Y

–r1 + … + rw = r

/

1

!

! !w

n g w

ii

n r

g g r

•# of g-to-1 inputs X with range S s.t. I(X)=1:

Becomes ~polynomial(g)

11

20 1 1

! !,

!

irw w

i i j

n w n rI g n gi g j

n

Polynomial in g of degree

w + (r-w) = r 2T

Markov’s InequalityLet p be a polynomial bounded in [0,b] in the

interval [0,a], that has derivative at least c somewhere in that interval. Then

deg .ac

pb

a

b

c

Lower Bound• 0 P(g) 1 for all 0 g n

• P(1) 1/10 and P(2) 9/10

So dP/dg 4/5 somewhere

(n1/4) lower bound would follow if g always divided n

• Can fix to obtain an (n1/5) bound

Shi found a better way to fix

Set Comparison• What the SZKA BQPA result actually uses

• Input: f,g : {1,…,2n} {1,…,n}

• Promise: Either

(1) Range(f) = Range(g) or

(2) |Range(f) Range(g)| > 1.1n

• Problem: Decide which w.h.p.

• Result: (n1/7) quantum lower bound

Idea• Take the total range from which X and Y are drawn to have size 2n/g

• Draw X and Y individually from sub-ranges of size n/(g), where

so (1)=(2)=1, yet n/(g) 2n/g for g > 2

• Again acceptance prob. is a polynomial in g

• That grows quadratically weakens the bound from (n1/5) to (n1/7)

24 12 9g g g

Open Problems

Other ‘Collisionoid’ Functions• Set equality: Suppose either

(1) Range(f) = Range(g) or

(2) Range(f) Range(g) =

The best quantum lower bound is still (1)!

• Element distinctness: Decide whether there exist ij such that xi=xj

– Quantum upper bound: O(n3/4) (Buhrman et al. ‘01)

– Quantum lower bound: (n2/3) (Shi ‘02)

• Conjecture (Watrous): R(f) and Q(f) are polynomially related for every symmetric function

Trees!OR

AND AND

n

n n

2-level game tree

Ambainis’ adversary method yields (n)

But best known polynomial lower bound is ((n log n)1/4) (Shi ‘01)

1 1,2, ,

0

if x y zE x y z

otherwise

E

E E E

Is Q(f) = O(deg(f)) for every f?

Conjecture: No

3log 2deg f n

In the collision problem, suppose f:{0,1}n{0,1}n is 1-to-1 rather than 2-to-1.

Can you give me a polynomial-size quantum certificate, by which I can verify that fact in polynomial time?

Is SZK QMA Relative to an Oracle?

• Instead of a polynomial P(X), have a positive semidefinite matrix (X)

• Every entry of (X) is a polynomial in X of degree 2T

• For all X, all eigenvalues of (X) must lie in [0,1]

• Acceptance probability = maximum eigenvalue

• is 2m2m, where m = size of certificate

• Can we show collision function is not represented by a low-degree “matrix polynomial”?

Generalizing the Polynomial Method

Randomized Certificate Complexity RC(f)

RC(f) = maxXRCX(f)

RCX(f) = min # of randomized queries needed to distinguish X from any Y s.t. f(Y)f(X) with ½

prob.

Quantum Certificate Complexity QC(f)

Example: For f=MAJ(x1,…,xn), letting X=00…0,

RCX(MAJ) = 1

A 2002: QCX(f) = (RCX(f)) (uses adversary method)

Can this be shown using polynomial method?