Quantum Lower Bound for the Collision Problem
description
Transcript of Quantum Lower Bound for the Collision Problem
![Page 1: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/1.jpg)
Quantum Lower Bound for the Collision Problem
Scott Aaronson 1/10/2002
quant-ph/0111102
I was born atthe Big Bang.
Cool! We havethe samebirthday.
![Page 2: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/2.jpg)
Collision Problem• Given 1 : 1, , 1, ,nX x x n n
• Promised:(1) X is one-to-one (permutation) or
(2) X is two-to-one
• Problem: Decide which w.h.p., using few queries to the xi
• Randomized alg: (n)
![Page 3: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/3.jpg)
One-to-One Two-to-One
![Page 4: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/4.jpg)
Result• Any quantum algorithm for the
collision problem uses (n1/5) queries
• Previously no lower bound better than (1)
• Shi improved to (n1/4)(n1/3) when |range| >> n
![Page 5: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/5.jpg)
Implications
1. No polytime blackbox algorithms for– graph isomorphism
– nonabelian hidden subgroup
– breaking cryptographic hash functions
![Page 6: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/6.jpg)
Implications
2. “Dynamical quantum theories” can’t be simulated in BQP, relative to oracle
Define joint distribution over values of observable at times t1, t2, etc.
(I.e. classical history)
Given polytime quantum algorithm and set of “sampling points,” how hard to sample from this distribution?
![Page 7: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/7.jpg)
How to Find a Collision in O(1) Queries If Your Memory Is Perfect1. Prepare and observe 2nd register
If X is 2-1, obtain (|i+|j)/2 with xi=xj
1
1 n
ii
i xn
2. Sample
3. Hadamard every bit, and sample again
4. Hadamard every bit again (returning to (|i+|j)/2), and sample again
Which basis state (|i or |j) were you “in” after Step 2? After Step 4?
![Page 8: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/8.jpg)
Implications
3. |x|f(x) oracles (Kashefi et al. 2001) more powerful than |x|x|f(x)
Requires (n1/7) lower bound for set comparison problem: given sequences x1…xn and y1…yn, decide whether {x1,…,xn}={y1,…,yn} or |{x1,…,xn,y1,…,yn}|>1.1n
Can improve to (n1/6) using ideas of Shi
![Page 9: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/9.jpg)
Quantum Query Model• State after
t queries:: workbits i: index to query z: output
, , ,, ,
, ,t i zi z
i z
•Query: |,i,z |xi,i,z
•Arbitrary unitaries that don’t depend on X
2
, , ,1,
1( ) , ( )10T i
i
P X P X f X
•By end:
![Page 10: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/10.jpg)
Brassard-Høyer-Tapp (1998)(n1/3) quantum alg for collision problem
n1/3 xi’s, queried classically,sorted for fast lookup
Grover’s algorithm over n2/3 xi’s
Do I collide with any of the pink xi’s?
![Page 11: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/11.jpg)
Lower Bound: Main Ideas• P(X)[0,1], even for g-1 inputs X with g>2.
Surprisingly strong constraint.
•Take uniform dist. over g-1 inputs
•P becomes poly in g of deg 2T. Algebraic magic!
•Use approximation theory to show T large
![Page 12: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/12.jpg)
Lemma (follows Beals et al. 1998): Let (xi,h)=1 if xi=h, 0 otherwise. Then P(X) is poly of deg 2T over the (xi,h).
, , , ,1
, .t X h i z ih n
x h
Proof: Let t,X,,i,z = amplitude of |,i,z after t queries. t,X,,i,z is poly of degt, by induction.
Base case (t=0) trivial. Unitaries can’t increase degree.
Query replaces t,X,,i,z by
![Page 13: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/13.jpg)
Input Distribution• D(g): Uniform distribution over g-1 inputs
•Technicality: g might not divide n
But assume for simplicity that it does
X D gP g EX P X•Let
![Page 14: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/14.jpg)
Monomials of P(X)
• I(X) = product of r variables (xi,h)
, .X D gI g EX I X •Let
: 2
, .II r T
P g I g
•Then for some I,
• Claim: If T=O(n) then P(g) is a polynomial of degree 2T in g for integers 1gn.
![Page 15: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/15.jpg)
Calculating (I,g): #1•“Range” of I: Y. w=|Y|.
(I,g) = 0 unless YS (“range” of X)
2 .n nS T rg n
/Pr
/
n wn g w
Y Snn g
•So
since
![Page 16: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/16.jpg)
Calculating (I,g): #2• Given an S containing Y,
# of g-1 inputs of size n: n!/(g!)n/g
•Let {y1,…,yw} be distinct values in Y–ri = # of times yi appears in Y
–r1 + … + rw = r
/
1
!
! !w
n g wi
i
n r
g g r
•# of g-1 inputs X with range S s.t. I(X)=1:
![Page 17: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/17.jpg)
Becomes ~polynomial(g)
11
20 1 1
! !,
!
irw w
i i j
n w n rI g n gi g j
n
Polynomial in g of degree
w + (r-w) = r 2T
![Page 18: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/18.jpg)
Markov’s InequalityLet P(x) be a poly with b1P(x)b2 for all
a1xa2 and |dP(x*)/dx|c for some a1x*a2. Then
2 1
2 1
deg .c a a
Pb b
Long
Short
Large derivative
![Page 19: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/19.jpg)
Lower Bound• 0 P(g) 1 for all 0 g n
• P(1) 1/10 and P(2) 9/10So dP/dg 4/5 somewhere
(n1/4) lower bound would follow if g always divided n
![Page 20: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/20.jpg)
How to Handle n mod g 0: Sketch
• Choose N slightly larger than n such that g divides N
• Choose g-1 function on {1,…,N} u.a.r, then subfunction of size n
• Acceptance prob. close to bivariate polynomial in g,N for all g|N s.t.
1110
n N nT
![Page 21: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/21.jpg)
(continued)• Restrict g’s range to [1,G]; then (g,N) points
with g|N are plentiful, so P is bounded
• P has large derivative somewhere in either the g or N directions
• Lower bound obtained when G=n2/5:
1/5min , nG nTG
![Page 22: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/22.jpg)
0
0.5
1
1.5
2
P
1 2 3 4 5 6 750
54
g
N
Largederivativebetween1-1 and
2-1
Lots of points at which g|N so P is bounded
![Page 23: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/23.jpg)
Shi’s Improvement to (n1/4)• Choose Nn s.t. g divides N, instead of Nn• If basis state | queries an undefined xi, | “drops out of the universe”
• Result: Final state vector has norm in [0,1] Still OK!
• P(g,N) is exactly polynomial in (g,N); so g’s range need not be restricted to [1,n2/5]
![Page 24: Quantum Lower Bound for the Collision Problem](https://reader036.fdocuments.us/reader036/viewer/2022062400/5681675e550346895ddc2e0e/html5/thumbnails/24.jpg)
Shi’s Improvement to (n1/3)• For functions with range {1,…,3n/2}
• Uses Paturi’s inequality:
if 0p(x)1 for 0xn and p’()=(1)
deg 1 1p n