The Limits of Quantum Computers(or: What We Can’t Do With Computers We Don’t Have)
Scott AaronsonUniversity of Waterloo
BQP
NP-complete
SZK
So then why can’t we just ignore quantum computing, and get back to real work?
Because the universe isn’t classical
My picture of reality, as an eleven-year-old messing around with QBASIC:
+ detailsFancier version: Extended Church-Turing Thesis
(Also Stephen Wolfram’s current picture of reality)
Shor’s factoring algorithm presents us with a choice
1. the Extended Church-Turing Thesis is false,
2. textbook quantum mechanics is false, or
3. there’s an efficient classical factoring algorithm.
All three seem like crackpot speculations.
At least one of them is true!
That’s why YOU
should care about quantum
computing
Either
My Spiel In One Slide1. Ignoring quantum mechanics won’t make it go away
2. Quantum computing is not a panacea—and that makes it more interesting rather than less!
3. On our current understanding, quantum computers could “merely” break RSA, simulate quantum physics, etc.—not solve generic search problems exponentially faster
4. So then why do I worry about quantum computing? Because I’m interested in fundamental limits on what can efficiently be computed in the physical world. That makes me professionally obligated to care!
Where Do I Come In?My work, over the last seven years, has deepened our understanding of the limitations of quantum computers.
Solved some of the field’s notorious open problems:
- Lower bound for finding collisions in hash functions
- “Direct product theorem” for quantum search
Made unexpected connections:
- Classical lower bounds proved by quantum arguments
- Quantum-state learning algorithm from a lower bound
Plan of TalkThe Gospel According to Shor
Three Limitations of Quantum Computers
- Finding collisions in hash functions
- Solving NP-complete problems with advice
- Finding local optima
Turning Lemons into Lemonade
- Approximately learning quantum states
Summary of Contributions
What Quantum Mechanics Says
If we observe, we see |0 with probability ||2
|1 with probability ||2
Also, the object collapses to whichever outcome we see
If an object can be in two distinguishable states |0 or |1, then it can also be in a superposition
|0 + |1
0
10 1
2
Here and are complex amplitudes satisfying ||2+||2=1
To modify a state
1
n
ii
i
2
1
1n
ii
we can multiply vector of amplitudes by a unitary matrix—one that preserves
1 1 112 2 2
1 1 0 1
2 2 2
0
10 1
2
0 1
2
1 1 102 2 2
1 1 1 1
2 2 2
We’re seeing interference of amplitudes—the source of all “quantum weirdness”
A quantum state of n “qubits” takes 2n complex numbers to describe:
0,1n
x
x
x
Quantum Computing
The goal of quantum computing is to exploit this exponentiality in our description of the world
Idea: Get paths leading to incorrect answers to interfere destructively and cancel each other out
Plan of TalkThe Gospel According to Shor
Three Limitations of Quantum Computers
- Finding collisions in hash functions
- Solving NP-complete problems with advice
- Finding local optima
Turning Lemons into Lemonade
- Approximately learning quantum states
Summary of Contributions
fx f(x)
In this talk, I’ll only care about the number of queries to a black box, not any other computational steps
Example: Given a function f:{0,1}n{0,1}, suppose we want to decide if there’s an x such that f(x)=1
Classically, ~2n queries to f are needed
Grover gave a quantum algorithm that uses only ~2n/2 queries
[BBBV 1997]: Grover’s algorithm is optimal
Yields “black-box evidence” that quantum computers can’t solve NP-complete problems efficiently
The Quantum Black-Box Model
But why do black-box results tell us
anything about the real world? Remember
IP=PSPACE?
You gotta start somewhere
Almost all known quantum
algorithms are black-box(no quantum
IP=PSPACE yet)
The proof of the pudding is in the
proving
Algorithm’s state:
,,
,x wx w
x w x: location to queryw: “workspace” qubits
After a query transformation:
,,
,x wx w
x w f x Between two queries, we can apply an arbitrary unitary matrix that doesn’t depend on f
Complexity = minimum number of queries needed to achieve 2
,,
corresponding toright answer
2
3x wx w
for all oracles f
Plan of TalkThe Gospel According to Shor
Three Limitations of Quantum Computers
- Finding collisions in hash functions
- Solving NP-complete problems with advice
- Finding local optima
Turning Lemons into Lemonade
- Approximately learning quantum states
Summary of Contributions
Problem: Find 2 numbers that are the same (each number appears twice)
28 12 18 76 96 82 94 99 21 78 88 93 39 44 64 32 99 70 18 94 66 92 64 95 46 53 16 35 42 72 31 66 75 33 93 32 47 17 70 37 78 79 36 63 40 69 92 71 28 85 41 80 10 73 63 95 57 43 84 67 57 31 62 39 65 74 24 90 26 83 60 91 27 96 35 20 26 52 88 89 38 97 54 30 62 79 71 84 50 38 49 20 47 24 54 48 98 23 41 16 40 75 82 13 58 56 81 34 14 61 52 21 44 22 34 14 51 74 76 83 37 90 58 13 10 25 29 11 56 68 12 61 51 23 77 68 72 43 69 46 87 97 45 59 73 30 19 81 86 49 60 85 80 50 11 59 65 67 89 29 86 48 22 15 17 55 36 27 42 55 77 19 45 15 53 98 91 87 25 33
By “birthday paradox”, a randomized algorithm must
examine N of the N numbers
[Brassard-Høyer-Tapp 1997] Quantum
algorithm based on Grover that uses only
N1/3 queries
Is that optimal? Proving a lower
bound better than constant was open
for 5 years
Motivation for the Collision Problem
Graph Isomorphism:find a collision in
1 ! 1 !, , , , ,n nG G H H
Statistical Zero Knowledge (SZK) protocols
?
Cryptographic Hash Functions
What makes the problem so hard?
2
yx
N
x
xfxN 1
1
Basically, that a quantum computer can almost find a collision after one query!
Measure 2nd register
Or: if only we could see the whole trajectory of a “hidden variable” coursing through the quantum system![A., Phys. Rev. A 2005]
xf
“If only we could now measure twice!”
Previous techniques weren’t sensitive to the fact that quantum mechanics doesn’t allow these things
[A., STOC’02] N1/5 lower bound on quantum query complexity of the collision problem
[Shi, FOCS’02][A.-Shi, J. ACM 2004]
Improved to N1/3; also N2/3 lower bound for element distinctness
[Kutin 2003][Ambainis 2003][Midrijanis 2003]
Simplifications and generalizations
Cartoon Version of ProofT-query quantum algorithm that
finds collisions in 2-to-1 functions
T-query quantum algorithm that distinguishes 1-to-1 from 2-to-1 functions
Let p(f) = probability algorithm says f is 2-to-1
Let q(k) = average of p(f) over all k-to-1 functions f
[Beals et al. 1998] p(f) is a multilinear polynomial, of degree at most 2T, in Boolean indicator variables (f(x),y)
Suppose it exists by way of contradiction…
Trivial yet crucial facts:q(k) [0,1] for all k=1,2,3,…q(1) 1/3q(2) 2/3
That’s why
The magic step: q(k) itself is a univariate polynomial in k, of degree at most 2T
Why?
q(k)0
1
1 2 3 . . . . .
k. . . . . N2/5
Large derivative
Bounded in [0,1] at integer points
[A. A. Markov, 1889]:
xq
dxxdqNq
Nx
Nx
5/2
5/2
0
0
5/2
max2
/maxdeg
Hence the original quantum algorithm must have made (N1/5) queries
5/1N
Plan of TalkThe Gospel According to Shor
Three Limitations of Quantum Computers
- Finding collisions in hash functions
- Solving NP-complete problems with advice
- Finding local optima
Turning Lemons into Lemonade
- Approximately learning quantum states
Summary of Contributions
Could there be a quantum state | left over from the Big Bang, such that given any 3SAT instance of size 1,000,000, we could quickly solve it by just measuring | in an appropriate basis?
[A., CCC 2004] In the black-box model, no: there cannot exist any “golden state” for solving
NP-complete problems in polynomial time
The Hunt for the Golden State
Efficient quantum algorithm to solve SAT using an m-qubit golden state
Efficient quantum algorithm to solve (say) m3 SAT instances, reusing the same golden state
Algorithm to solve m3 SAT instances with probability 2-m
Guess the golden state! Replace it by the maximally mixed state, i.e. a random m-bit string
Suppose it exists by way of contradiction…
To get a contradiction, I now need to prove a direct-product theorem for quantum search:
“If a quantum algorithm doesn’t even have time to solve one search problem w.h.p., then the probability of its solving k search problems decreases exponentially with k”
How do I prove the direct-product theorem?
Again using the polynomial method
But this time I need a generalization of A. A. Markov’s inequality due to [V. A. Markov 1892], which takes into account not just the first derivative but all higher derivatives
[Klauck-Špalek-deWolf, FOCS’04] tightened my direct product theorem, and also used it to prove the first quantum time-space tradeoffs
0
1
0 1 2 . . . . . . . . 2nm3
Plan of TalkThe Gospel According to Shor
Three Limitations of Quantum Computers
- Finding collisions in hash functions
- Solving NP-complete problems with advice
- Finding local optima
Turning Lemons into Lemonade
- Approximately learning quantum states
Summary of Contributions
Problem: We’re given black-box access to a function f:{0,1}nZ
We want to find a local minimum of f, evaluating f as few times as possible
5
4
4
3
2
[Aldous 1983] Randomized algorithm making 2n/2n queries[A., STOC’04] Quantum algorithm making 2n/3n1/6 queries
[Aldous 1983] Any randomized alg needs 2n/2-o(n) queries[A., STOC’04] Any quantum alg needs 2n/4/n queries
My lower-bound proof uses Ambainis’s quantum adversary method, which upper-bounds how much the entanglement between algorithm and oracle can increase via a single query
Quantum Generosity … Giving back because we careTM
Surprising part: “Quantum-inspired” argument also yields a better classical lower bound: 2n/2/n2
Also yields the first randomized or quantum lower bounds for local search on constant-dimensional grid graphs
Subsequent improvements: [Santha-Szegedy, STOC’04]
[Zhang, STOC’06] [Verhoeven, 2006] [Sun-Yao, FOCS’06]
Plan of TalkThe Gospel According to Shor
Three Limitations of Quantum Computers
- Finding collisions in hash functions
- Solving NP-complete problems with advice
- Finding local optima
Turning Lemons into Lemonade
- Approximately learning quantum states
Summary of Contributions
[ANTV 1999]: | must have (n) qubits—no asymptotic savings over classical
(Surprisingly, an n-qubit quantum state has no more “independently accessible degrees of freedom” than an n-bit classical string)
The Lemon
|n-bit string,
x1…xn
Any one bit xi of our choice, with high probability
Quantum random access coding
Upper bound on the sample complexity of “PAC” (Probably Approximately Correctly) learning a quantum state
Informally: Can predict approximate expectation values of most measurements on an n-qubit state, after a number of sample measurements that increases only linearly with n
The Lemonade
| “Quantum Occam’s Razor Theorem”[A. 2006]
By contrast, traditional quantum state tomography requires ~4n measurementsRecord so far: n=8Prohibitive for much larger n
Plan of TalkThe Gospel According to Shor
Three Limitations of Quantum Computers
- Finding collisions in hash functions
- Solving NP-complete problems with advice
- Finding local optima
Turning Lemons into Lemonade
- Approximately learning quantum states
Summary of Contributions
Solved several notorious open problems about the limitations of quantum computers
Gave evidence that collision-resistant hash functions can still exist in a quantum world
Proved the first direct product theorem for quantum search
Gave evidence against “golden states” for NP-complete problems
Solved open problems about classical local optimization using quantum techniques
Used a quantum coding lower bound to propose a new learning algorithm, with possible experimental implications
Summary of Contributions
Ten Research Directions I Didn’t Tell You About Today
Addressing skepticism of quantum computing
[A., STOC 2004]
Grover search with finite speed of light
[A.-Ambainis, FOCS 2003]
Quantum versus classical proofs
[A.-Kuperberg, CCC 2007] Need to “uncompute garbage” in quantum algorithms
[A., QIC 2003]
Practical simulation of stabilizer quantum circuits[A.-Gottesman, Phys Rev A 2004]
Quantum software copy-protection
[A., in preparation]
Quantum computers with anthropic postselection
[A., Proc. Roy. Soc. 2005]
Quantum computers with closed timelike curves[A.-Watrous, in preparation]
Provably-nonrelativizing circuit lower bounds
[A., CCC 2006]
Complexity of Bayesian agreement protocols
[A., STOC 2005]
www.scottaaronson.com/papers