The Collision Lower Bound After 12 Years Scott Aaronson (MIT) Lower bound for a collision problem.

The Collision Lower Bound After 12 Years

Scott Aaronson (MIT)

Lower bound for a collision problem

January 2002: As a grad student, I visit Israel for the first time, and give a talk at HUJI about the collision lower bound, which I’d proved a couple months prior.

Avi Wigderson urges me to get to the point faster

Plan of talk:

What is the collision lower bound?

What’s new in the last decade?

What open problems remain?

Black-Box Quantum Computation

Black-Box Quantum ComputationGiven a function f:[n][m], want to determine some property of f: e.g. is it periodic?

Crucial assumption: we can only learn about f by making “quantum queries”; no internal access

Between 2 queries, can apply arbitrary unitary

transformation independent of f

Models how many quantum algorithms

actually work

“Complexity” = Minimum number of queries used by optimal algorithm

that succeeds w.h.p. for every f

Some Well-Known Examples:

Grover search (is there an x such that f(x)=1?):(n) queries to f are necessary and sufficient

Periodicity of f:O(1) queries suffice

The Collision ProblemGiven a 2-to-1 function f:[n][n], find a collision (i.e., two inputs x,y such that f(x)=f(y))

Variant: Promised that f is either 2-to-1 or 1-to-1, decide which

Models the breaking of collision-resistant hash functions—a central problem in cryptanalysis

“Birthday Paradox”: Classically, (n) queries to f are necessary and sufficient to succeed with high probability

10 4 1 8 7 9 11 5 6 4 2 10 3 2 7 9 11 5 1 6 3 8Interesting

Brassard-Høyer-Tapp (1997): O(n1/3) quantum collision-finding algorithm

n1/3 f(x) values, queried classically, sorted for fast lookup

Grover’s algorithm over n2/3 f(x) values

Do I collide with any of the pink values?

“Almost!”

Could there be a quantum collision-finding algorithm that made only O(1) queries to f?

Measure 2nd register

“We’re not looking for a needle in a haystack—just for two identical pieces of hay!”

Observation: Every 1-to-1 function differs from every 2-to-1 function in at least n/2 places

So we can’t use, e.g., the optimality of Grover to rule out a fast quantum algorithm for the collision problem

So, how can we rule out a superfast quantum collision-finder?

What eventually worked was the polynomial method (Beals et al. 1998)

0

1

xpxpn

pnx

nx

0

0

max2

'maxdeg

Let

Lemma: If a quantum algorithm makes T queries to f, the probability p(f) that it accepts is a degree-2T polynomial in the (x,h)’s

otherwise0

if1,

hxfhx

fpEXkqfk functions 1-to-

Now let

be the expected acceptance probability on a random k-to-1 function

The Miracle:

q(k) is itself a polynomial in k, of degree at most 2T

which is a degree-d polynomial in k. That’s why.

Why?

krknknndkknn

dnrn

rk

n

k

n

k

ndkkk

nn

dnrn

rkn

kn

dk

k

nn

dnrn

nn

knnknk

dkkknnrkn

dnrn

k

nkn

n

dkk

dnrkn

rn

hxEX

r

hh

r

hh

r

hh

r

kn

r

hh

rkn

knr

hh

rkn

r

h

d

jjh

fk

h

1

1

1

/

1

/

/

1

/1 1,

functions 1-to-

11!!

!!

1111!!

!!

!/

!/

!

!

!!

!!

!!

!/!/!

!!!/!/

!!

!

!/

!!

!/

,

d3

d1d2

d

Technicality: What if k doesn’t divide n?

My way to resolve that technicality (+ Markov’s Inequality) led to an (n1/5) quantum lower bound

(n1/3) lower bound for Collision (n2/3) lower bound for Element Distinctness! (Why?)

(n2/3) is optimal, by Ambainis 2003

ImprovementsShi 2002: (n1/4) (n1/3) lower bound, but only for f:[n][m] where m>>n

Ambainis, Kutin: (n1/3) with no range restriction

Element Distinctness: Simply decide whether f has any collisions, with no promise

3 8 2 6 1 9 7 4 2 0 5

If we had a fast quantum algorithm for Collision, then we could easily solve GI! For example, by looking for collisions in

Application: Graph Isomorphism

1 ! 1 !, , , , ,n nG G H H

Zero-Knowledge protocol for verifying that f is 1-to-1:

Arthur picks x, computes f(x), sends it to Merlin, asks him what x was

Application: Quantum vs. Zero-Knowledge

Thus, collision lower bound shows that in a relativized world, quantum computers can’t efficiently solve all problems in Statistical Zero-Knowledge (SZK BQP)

Merlin Arthur

Given a 1-to-1 function f, the following map would be useful for a huge number of quantum algorithms!

Application: Index Erasure

A. 2002: By generalizing collision lower bound, showed this requires (n1/7) queries to f

Midrijanis 2004: Improved to

Ambainis et al. 2010: By harder, representation-theoretic argument, improved to optimal (n)

Observation (A. 2004): In theories like Bohmian mechanics, if you could see the whole trajectory of a hidden variable at once, you could solve the collision problem in O(1) steps

Application: Hidden-Variable Theories

Conclusion: Not even a QC could efficiently sample hidden-variable trajectories!

A “hidden-variable QC” could also do Grover search in ~n1/3 steps—but not faster!

Almost the only model of computation I know that’s “slightly” more powerful than QC

Goldreich, Goldwasser, Micali 1986: Famous way to get a pseudorandom function, fs:{0,1}n{0,1}n, starting from a pseudorandom generator

Application: Quantum-Secure PRFs

But GGM’s security argument breaks down in the presence of quantum adversaries, which can look at all fs values in superposition!Zhandry 2012: New quantum-secure GGM security proof

Core of Zhandry’s argument (in retrospect): A fast quantum algorithm to distinguish fs from a random function could be used to violate the collision lower bound!

Violates monogamy of entanglement!

The AMPS Firewall Paradox

B = Interior of “Old”

Black Hole

R = Faraway Hawking Radiation

H = Near-Horizon and Horizon Modes

Near-maximal entanglement

Also near-maximal entanglement

Harlow-Hayden 2013: Striking argument that Alice’s decoding task would require exponential timeComplexity theory to the rescue of quantum field theory??

Abstraction of Alice’s computational problem: Given a “pseudorandom” n-qubit pure state |BHR produced by a known, poly-size quantum circuit. Decide whether, by acting only on R (the “Hawking radiation”), it’s possible to distill EPR pairs between R and B (the “black hole interior”)

Alice’s task is QSZK-complete. And by the collision lower bound, QSZK is “unlikely” to equal BQP!

Arbitrary Symmetric Problems

Conjecture (Watrous 2002): Randomized and quantum query complexities are polynomially related for all symmetric problems

Theorem (A.-Ambainis 2011): Watrous’s conjecture holds! R = O(Q9 polylog Q)

Still open whether this holds with and no …

Symmetric:Collision, element

distinctness, Grover search…

Not Symmetric:Simon and Shor problems,

AND/OR trees…

Permutation Testing Problem: Given f:[n][n], decide whether f is a permutation or -far from any permutation, promised that one is the case

Generalizes collision, so certainly requires (n1/3) quantum queries

A. 2011: even given a w-qubit quantum witness in support of f being a permutation, still needquantum queries to verify the witness

Implies an oracle relative to which SZKQMA

Open to extend to the original collision problem!

Short Quantum Proofs of Collision-Freeness?

Given oracle access to permutations 1,…,k :[n][n] (where, say, k=polylog(n)), as well as their inverses. Decide whether

(i) 1,…,k are uniformly random, or

(ii) there’s a partition [n]=AB, |A|=|B| such that the i’s map A to A and B to B but are otherwise random.

Separate Components Problem (SCP)(Introduced by Lutomirski 2011, motivated by quantum money)

QMA witness for case (ii):

I.e., show that any classical proof of case (ii) must either have n(1) bits, or require n(1) quantum queries to verify

Challenge: Prove SCPQCMA

Would imply the first oracle separation between QCMA and QMA, and probably also BQP/poly and BQP/qpoly. “Quantum proofs and advice are good for something!”

A-Kuperberg 2007: Quantum oracle separations

Note that SCP Index Erasure! Suggests we might need far-reaching generalization of collision lower bound

Conjecture: Any quantum algorithm for the collision problem needs n1/2-o(1) queries, if restricted to no(1) qubits of memory

(I.e., many qubits were needed in the BHT algorithm)

Currently, we only know quantum time-space tradeoffs for problems with many output bits!

(E.g., T2S=(n3) for sorting—Klauck, Špalek, de Wolf 2004)

Challenge: Time-Space Tradeoff

Ambainis 2000: Quantum adversary method

Most versatile quantum lower bound method known (more “quantum” than polynomial method; handles much wider range of problems)

Reichardt 2010: “Negative-weight” generalization of adversary method is tight for all problems

Belovs 2012: Explicit (n2/3) adversary lower bound for element distinctness

There must be an explicit (n1/3) adversary lower bound for collision. So, find it!

Challenge: Adversary Proof of Collision Lower Bound

STRUCTU

REConcluding Thoughts

Grover search

Each advance we’ve made, in figuring out which types of structure quantum computers can and can’t exploit, has led to unexpected conceptual lessons

For the “young people” here: Open problems beckon!

Non-abelian group problems

Abelian group problems

Collision problem

No exponential quantum speedup

Exponential quantum speedup