# The Collision Lower Bound After 12 Years

Scott Aaronson (MIT). Lower bound for a collision problem.


January 2002: As a grad student, I visit Israel for the first time, and give a talk at HUJI about the collision lower bound, which I'd proved a couple months prior. Avi Wigderson urges me to get to the point faster.

Plan of talk:
- What is the collision lower bound?
- What's new in the last decade?
- What open problems remain?

## Black-Box Quantum Computation

Given a function f:[n]→[m], we want to determine some property of f (e.g., is it periodic?). Crucial assumption: we can only learn about f by making quantum queries; there is no access to its internals. Between two queries, we can apply an arbitrary unitary transformation independent of f. This models how many quantum algorithms actually work.

Complexity = minimum number of queries used by an optimal algorithm that succeeds w.h.p. for every f.

Some well-known examples:
- Grover search (is there an x such that f(x)=1?): Θ(√n) queries to f are necessary and sufficient.
- Periodicity of f: O(1) queries suffice.

## The Collision Problem

Given a 2-to-1 function f:[n]→[n], find a collision (i.e., two inputs x,y such that f(x)=f(y)). Variant: promised that f is either 2-to-1 or 1-to-1, decide which. This models the breaking of collision-resistant hash functions, a central problem in cryptanalysis.

Birthday Paradox: Classically, Θ(√n) queries to f are necessary and sufficient to succeed with high probability.
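The Θ(√n) classical bound, as an added worked example that is not part of the talk: a generic birthday search that treats f as a black box and counts distinct queries. It goes slightly beyond the slide's setting: it is run first on a constructed random 2-to-1 function f:[n]→[n], and then on SHA-256 truncated to 32 bits, the "breaking a hash function" case the slide alludes to. The function names, the seeds and the 32-bit truncation are choices of this example.

```python
import hashlib
import math
import random
from typing import Callable, Dict, Hashable, Optional, Tuple


def find_collision(f: Callable[[int], Hashable], n: int, seed: int,
                   max_queries: Optional[int] = None) -> Tuple[int, int, int]:
    """Birthday search for x != y in range(n) with f(x) == f(y).

    f is a black box: nothing is used about it except the answers to queries,
    which are kept in a dictionary keyed by f-value. Returns (x, y, queries),
    where queries counts the distinct inputs evaluated up to the collision."""
    rng = random.Random(seed)
    seen_values: Dict[Hashable, int] = {}   # f(x) -> the x that produced it
    queried = set()
    budget = n if max_queries is None else max_queries
    while len(queried) < budget:
        x = rng.randrange(n)
        if x in queried:
            continue                        # re-asking a query learns nothing
        queried.add(x)
        v = f(x)
        if v in seen_values:
            return seen_values[v], x, len(queried)
        seen_values[v] = x
    raise RuntimeError("no collision found within the query budget")


def random_two_to_one(n: int, seed: int) -> Callable[[int], int]:
    """Constructed 2-to-1 function f:[n] -> [n]: inputs are paired up by a
    random permutation and each pair is sent to its own random output value."""
    if n % 2:
        raise ValueError("a 2-to-1 function needs even n")
    rng = random.Random(seed)
    perm = list(range(n))
    rng.shuffle(perm)
    outputs = rng.sample(range(n), n // 2)
    table = [outputs[perm[x] // 2] for x in range(n)]
    return table.__getitem__


def truncated_sha256(t_bits: int) -> Callable[[int], int]:
    """x -> low t_bits of SHA-256(x). A strong hash cut down to t bits is
    exactly the setting where a birthday attack costs about 2^(t/2) queries."""
    mask = (1 << t_bits) - 1

    def h(x: int) -> int:
        digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
        return int.from_bytes(digest, "big") & mask

    return h


def run_demo(seed: int = 1) -> Dict[str, float]:
    """Run both searches; report queries relative to sqrt(range size)."""
    n = 1 << 20
    f = random_two_to_one(n, seed)
    x, y, q1 = find_collision(f, n, seed)
    assert x != y and f(x) == f(y)

    t = 32
    h = truncated_sha256(t)
    a, b, q2 = find_collision(h, 1 << 64, seed)
    assert a != b and h(a) == h(b)

    return {
        "two_to_one_queries_over_sqrt_n": q1 / math.sqrt(n),
        "hash_queries_over_sqrt_2^t": q2 / math.sqrt(1 << t),
    }


if __name__ == "__main__":
    for name, ratio in run_demo().items():
        print(f"{name}: {ratio:.2f}")
```

In both runs the number of queries divided by the square root of the range size is a small constant: that is the birthday bound, and it is why a hash with a t-bit digest offers only about t/2 bits of collision resistance against this attack, before any quantum speedup is considered.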

## Brassard-Høyer-Tapp (1997): O(n^{1/3}) Quantum Collision-Finding Algorithm

Query n^{1/3} values f(x) classically and sort them for fast lookup. Then run Grover's algorithm over n^{2/3} further values f(x), asking of each one: do I collide with any of the stored (pink) values?

## Could There Be a Quantum Collision-Finding Algorithm That Makes Only O(1) Queries to f?

Almost! Query f on a superposition of inputs and measure the 2nd register: what remains is a superposition over the inputs sharing the measured value, which almost hands us a collision. We're not looking for a needle in a haystack, just for two identical pieces of hay!

Observation: Every 1-to-1 function differs from every 2-to-1 function in at least n/2 places. So we can't use, e.g., the optimality of Grover to rule out a fast quantum algorithm for the collision problem.

## So, How Can We Rule Out a Superfast Quantum Collision-Finder?

What eventually worked was the polynomial method (Beals et al. 1998).

Let δ(x,h) be the indicator variable that is 1 if f(x)=h and 0 otherwise.

Lemma: If a quantum algorithm makes T queries to f, the probability p(f) that it accepts is a polynomial of degree at most 2T in the δ(x,h)'s.

Now let q(k) be the expected acceptance probability on a random k-to-1 function.

The Miracle: q(k) is itself a polynomial in k, of degree at most 2T.

Why? p(f) is a sum of monomials, each a product of d ≤ 2T of the δ(x,h)'s, and the expectation of such a monomial over a random k-to-1 function is a polynomial in k of degree at most d. That's why.

Technicality: What if k doesn't divide n? My way to resolve that technicality (plus Markov's Inequality) led to an Ω(n^{1/5}) quantum lower bound.
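The Miracle, checked by computation. This added example (not part of the talk) computes E[∏δ(x_i,h_i)] over a uniformly random k-to-1 function f:[n]→[n] two ways: by brute-force enumeration for tiny n, and by a closed-form count that holds whenever k divides n. It then verifies by exact interpolation that, with n fixed, the expectation of a monomial with d factors is reproduced on every divisor k of n by a polynomial in k of degree at most d. All helper names are this example's own. The closed form is exactly where the "k doesn't divide n" technicality bites: a k-to-1 function [n]→[n] only exists when k | n, so for other k the expectation is not even defined this way, which is why the talk needed a separate fix.

```python
from fractions import Fraction
from itertools import combinations, permutations
from math import prod
from typing import Dict, List, Sequence, Tuple

# A monomial is a list of (x, h) pairs standing for the product of the
# indicator variables delta(x,h) = [f(x) = h].
Monomial = Sequence[Tuple[int, int]]


def falling(a: Fraction, m: int) -> Fraction:
    """Falling factorial a (a-1) ... (a-m+1); equals 1 for m = 0."""
    return prod((a - i for i in range(m)), start=Fraction(1))


def monomial_expectation(mono: Monomial, n: int, k: int) -> Fraction:
    """E[prod delta(x_i,h_i)] over a uniformly random k-to-1 f:[n] -> [n].

    Closed form, valid only when k divides n: the image of f is a uniformly
    random (n/k)-subset of [n], and given the image, f is a random bijection
    from inputs onto n slots, k of them labelled with each image value."""
    if n % k:
        raise ValueError("a k-to-1 function [n] -> [n] needs k | n")
    required: Dict[int, int] = {}
    for x, h in mono:
        if required.setdefault(x, h) != h:
            return Fraction(0)      # delta(x,h) * delta(x,h') with h != h' is 0
    per_value: Dict[int, int] = {}  # h -> number of distinct inputs sent to h
    for h in required.values():
        per_value[h] = per_value.get(h, 0) + 1
    d, s = len(per_value), len(required)
    # Pr[the d required output values all lie in the image]
    in_image = falling(Fraction(n, k), d) / falling(Fraction(n), d)
    # Pr[the s inputs occupy slots carrying the required labels | image]
    on_slots = prod((falling(Fraction(k), m) for m in per_value.values()),
                    start=Fraction(1)) / falling(Fraction(n), s)
    return in_image * on_slots


def all_k_to_one(n: int, k: int) -> List[Tuple[int, ...]]:
    """Every k-to-1 function [n] -> [n], as output tuples (tiny n only)."""
    funcs = set()
    for image in combinations(range(n), n // k):
        labels = [h for h in image for _ in range(k)]
        funcs.update(permutations(labels))
    return sorted(funcs)


def brute_expectation(mono: Monomial, n: int, k: int) -> Fraction:
    """The same expectation, by enumerating all k-to-1 functions."""
    funcs = all_k_to_one(n, k)
    hits = sum(all(f[x] == h for x, h in mono) for f in funcs)
    return Fraction(hits, len(funcs))


def fits_degree(points: Sequence[Tuple[int, Fraction]], degree: int) -> bool:
    """True iff one polynomial of the given degree passes through all points:
    Lagrange-interpolate the first degree+1 of them, then check the rest."""
    base, rest = points[:degree + 1], points[degree + 1:]

    def interp(t: int) -> Fraction:
        total = Fraction(0)
        for i, (xi, yi) in enumerate(base):
            term = yi
            for j, (xj, _) in enumerate(base):
                if i != j:
                    term *= Fraction(t - xj, xi - xj)
            total += term
        return total

    return all(interp(x) == y for x, y in rest)


def minimal_degree(n: int, mono: Monomial) -> int:
    """Smallest degree of a polynomial in k matching E[mono] at every divisor k of n."""
    divisors = [k for k in range(1, n + 1) if n % k == 0]
    points = [(k, monomial_expectation(mono, n, k)) for k in divisors]
    return next(deg for deg in range(len(points)) if fits_degree(points, deg))


if __name__ == "__main__":
    # three inputs forced onto one value: quadratic in k, never above degree 3
    print(minimal_degree(60, [(0, 5), (1, 5), (2, 5)]))
    print(brute_expectation([(0, 1), (2, 1)], 6, 2),
          monomial_expectation([(0, 1), (2, 1)], 6, 2))
```

With n = 60 there are twelve divisors, so a polynomial of degree d is pinned down by d+1 of the points and must then match the remaining ones exactly; the rational arithmetic makes that check exact rather than a floating-point fit.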

## Improvements

- Shi 2002: Ω(n^{1/4}) lower bound, and an Ω(n^{1/3}) lower bound, but only for f:[n]→[m] where m ≫ n.
- Ambainis, Kutin: Ω(n^{1/3}) with no range restriction.

Element Distinctness: simply decide whether f has any collisions, with no promise. An Ω(n^{1/3}) lower bound for Collision gives an Ω(n^{2/3}) lower bound for Element Distinctness! (Why?) Ω(n^{2/3}) is optimal, by Ambainis 2003.

## Application: Graph Isomorphism

If we had a fast quantum algorithm for Collision, then we could easily solve GI! For example, by looking for collisions in

## Application: Quantum vs. Zero-Knowledge

Zero-knowledge protocol for verifying that f is 1-to-1: Arthur picks x, computes f(x), sends it to Merlin, and asks him what x was. This puts the 1-to-1 vs. 2-to-1 problem in SZK, so the collision lower bound shows that in a relativized world, quantum computers can't efficiently solve all problems in Statistical Zero-Knowledge (SZK ⊄ BQP).

## Application: Index Erasure

Given a 1-to-1 function f, the following map would be useful for a huge number of quantum algorithms!

A. 2002: By generalizing the collision lower bound, showed this requires Ω(n^{1/7}) queries to f. Midrijanis 2004: Improved to. Ambainis et al. 2010: By a harder, representation-theoretic argument, improved to the optimal Ω(√n).

## Application: Hidden-Variable Theories

Observation (A. 2004): In theories like Bohmian mechanics, if you could see the whole trajectory of a hidden variable at once, you could solve the collision problem in O(1) steps. Conclusion: Not even a QC could efficiently sample hidden-variable trajectories! A hidden-variable QC could also do Grover search in ~n^{1/3} steps, but not faster. Almost the only model of computation I know that's slightly more powerful than QC.

## Application: Quantum-Secure PRFs

Goldreich, Goldwasser, Micali 1986: famous way to get a pseudorandom function f_s:{0,1}^n→{0,1}^n starting from a pseudorandom generator. But GGM's security argument breaks down in the presence of quantum adversaries, which can look at all of f_s's values in superposition! Zhandry 2012: new quantum-secure GGM security proof. Core of Zhandry's argument (in retrospect): a fast quantum algorithm to distinguish f_s from a random function could be used to violate the collision lower bound!
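The GGM construction itself, as an added example that is not the talk's code: a length-doubling PRG G(s) = G_0(s)‖G_1(s), instantiated here with HMAC-SHA256 purely for illustration, and f_s(x) evaluated by walking the binary tree along the bits of x. The names, the fixed 256-bit seed and output length, and the HMAC instantiation are this example's assumptions; the slide's f_s:{0,1}^n→{0,1}^n has seed and output as long as the input, whereas here they stay at 256 bits for any input length n.

```python
import hashlib
import hmac

SEED_BYTES = 32   # assumption of this example: 256-bit seeds and outputs


def length_doubling_prg(seed: bytes) -> bytes:
    """G: {0,1}^256 -> {0,1}^512, instantiated with HMAC-SHA256 under two
    fixed labels. GGM only needs G to be a secure PRG; this choice is illustrative."""
    if len(seed) != SEED_BYTES:
        raise ValueError("seed must be %d bytes" % SEED_BYTES)
    g0 = hmac.new(seed, b"\x00", hashlib.sha256).digest()
    g1 = hmac.new(seed, b"\x01", hashlib.sha256).digest()
    return g0 + g1


def ggm_node(seed: bytes, path: int, depth: int) -> bytes:
    """Seed labelling the tree node reached from `seed` by following the
    `depth` low-order bits of `path`, most significant first: bit 0 takes the
    left half G_0 of the expanded seed, bit 1 takes the right half G_1."""
    node = seed
    for i in reversed(range(depth)):
        expanded = length_doubling_prg(node)
        node = expanded[SEED_BYTES:] if (path >> i) & 1 else expanded[:SEED_BYTES]
    return node


def ggm_prf(s: bytes, x: int, n: int) -> bytes:
    """f_s(x) for an n-bit input x: the leaf of the depth-n GGM tree at path x."""
    if not 0 <= x < (1 << n):
        raise ValueError("x must be an n-bit input")
    return ggm_node(s, x, n)


if __name__ == "__main__":
    key = bytes(range(SEED_BYTES))            # constructed sample key
    print(ggm_prf(key, 0x1234, 16).hex())
```

Because the tree is built top-down, the value at any internal node determines every leaf below it, which is the structure the classical hybrid argument walks level by level over the polynomially many paths a classical adversary queries; a quantum adversary querying all leaves in superposition is what that argument no longer covers.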

## The AMPS Firewall Paradox

B = interior of old black hole; R = faraway Hawking radiation; H = near-horizon and horizon modes. (Figure: near-maximal entanglement between H and B, and also near-maximal entanglement between H and R.) This violates monogamy of entanglement!

## Harlow-Hayden 2013

Striking argument that Alice's decoding task would require exponential time. Complexity theory to the rescue of quantum field theory?? Abstraction of Alice's computational problem: given a pseudorandom n-qubit pure state |ψ⟩_{BHR} produced by a known, poly-size quantum circuit, decide whether, by acting only on R (the Hawking radiation), it's possible to distill EPR pairs between R and B (the black hole interior). Alice's task is QSZK-complete. And by the collision lower bound, QSZK is unlikely to equal BQP!

## Arbitrary Symmetric Problems

Symmetric: Collision, Element Distinctness, Grover search… Not symmetric: Simon and Shor problems, AND/OR trees…

Conjecture (Watrous 2002): Randomized and quantum query complexities are polynomially related for all symmetric problems. Theorem (A.-Ambainis 2011): Watrous's conjecture holds! R = O(Q^9 polylog Q). Still open whether this holds with and no …

## Short Quantum Proofs of Collision-Freeness?

Permutation Testing Problem: Given f:[n]→[n], decide whether f is a permutation or ε-far from any permutation, promised that one is the case. This generalizes Collision, so it certainly requires Ω(n^{1/3}) quantum queries. A. 2011: even given a w-qubit quantum witness in support of f being a permutation, one still needs quantum queries to verify the witness. This implies an oracle relative to which SZK ⊄ QMA. Open to extend to the original collision problem!

## Separate Components Problem (SCP)

(Introduced by Lutomirski 2011, motivated by quantum money.) Given oracle access to permutations σ_1,…,σ_k:[n]→[n] (where, say, k=polylog(n)), as well as their inverses, decide whether (i) σ_1,…,σ_k are uniformly random, or (ii) there's a partition [n]=A∪B, |A|=|B|, such that the σ_i's map A to A and B to B but are otherwise random. QMA witness for case (ii):

## Challenge: Prove SCP ∉ QCMA

I.e., show that any classical proof of case (ii) must either have n^{Ω(1)} bits, or require n^{Ω(1)} quantum queries to verify. This would imply the first oracle separation between QCMA and QMA, and probably also between BQP/poly and BQP/qpoly. Quantum proofs and advice are good for something! (A.-Kuperberg 2007: quantum oracle separations.) Note the connection between SCP and Index Erasure! This suggests we might need a far-reaching generalization of the collision lower bound.

## Challenge: Time-Space Tradeoff

Conjecture: Any quantum algorithm for the collision problem needs n^{1/2-o(1)} queries if restricted to n^{o(1)} qubits of memory (i.e., the many qubits used by the BHT algorithm were needed). Currently, we only know quantum time-space tradeoffs for problems with many output bits! (E.g., T^2 S = Ω(n^3) for sorting: Klauck, Špalek, de Wolf 2004.)

## Challenge: Adversary Proof of the Collision Lower Bound

Ambainis 2000: quantum adversary method. The most versatile quantum lower bound method known (more "quantum" than the polynomial method; handles a much wider range of problems). Reichardt 2010: the negative-weight generalization of the adversary method is tight for all problems. Belovs 2012: explicit Ω(n^{2/3}) adversary lower bound for Element Distinctness. So there must be an explicit Ω(n^{1/3}) adversary lower bound for Collision. Find it!

## Concluding Thoughts

Each advance we've made, in figuring out which types of structure quantum computers can and can't exploit, has led to unexpected conceptual lessons. For the young people here: open problems beckon!

(Figure: problems on a STRUCTURE axis, from Grover search and the collision problem at the low-structure end, labelled "no exponential quantum speedup", through non-abelian group problems, to abelian group problems at the high-structure end, labelled "exponential quantum speedup".)

