Pseudorandom Generators and the BQP vs PH Problem
Bill Fefferman (Caltech)
Joint with Chris Umans
9 November 2016
QIP 2011

How (classically) powerful are quantum computers?
• BQP – Class of languages that can be decided efficiently by a quantum computer
• Where is BQP relative to NP?
– Is there a problem that can be solved with a quantum computer that can't be verified classically (BQP ⊄ NP?)
– Can we give evidence?
• Oracle separations

Is BQP ⊄ PH?
• History: Towards stronger oracle separations
– [Bernstein & Vazirani '93]
• Recursive Fourier Sampling?
– [Aaronson '09]
• Conjecture: "Fourier Checking" not in PH
– Assuming GLN
– [Aaronson '10] (counterexample!)
• GLN false (depth 3)
• Why is it so hard?
– Cannot rely on crude arguments about low degree approximating polynomials (both classes have such approximations… see [RS '87], [Beals et al '01])
[Figure: complexity-class diagram labelled AM/MA/NP, PH, PSPACE]

Today: A new approach
• Show oracle separation would follow from question studied in "pseudorandomness" literature [BSW '03]
• Under conjecture, quantum computers can break instantiation of the famous "Nisan-Wigderson" generator [NW '94]
• Unconditionally, gives another example of exponential quantum speedup over randomized classical computation

What can't PH^O do?
• Essentially equivalent to: what can't AC^0 do?
– AC^0 is constant depth, AND-OR-NOT circuits of (polynomial size) and unbounded fanin
– Idea: In circuit, ∃ becomes OR, ∀ becomes AND and oracle string an input of exponential length
[Figure: depth-k circuit of ∨ (OR) and ∧ (AND) gates, one wire per witness, for a k-quantifier formula ∃ ∀ ... Q_k ending in V_L^O(x, ...) = 1]

Equivalent Setup
• want a function $f:\{0,1\}^N \to \{0,1\}$
– in BQLOGTIME
• O(log N) quantum steps
• random access to N-bit input: $|i\rangle|z\rangle \to |i\rangle|z \oplus f(i)\rangle$
• accept with high probability iff f(input) = 1
– but not in AC^0

Equivalent Setup
• More general (and transformable to previous setting):
– two distributions on N bit strings $D_1$, $D_2$
– BQLOGTIME algorithm that distinguishes them
– proof that AC^0 cannot distinguish them
– we will always take $D_2$ to be uniform

What can't AC^0 do?
• PARITY and MAJORITY not in AC^0 [FSS '84]
• AC^0 circuits can't distinguish:
1. Bits distributed uniformly
2. Bits drawn from "Nisan-Wigderson" distribution derived from:
   1. function hard (on average) for AC^0 to compute
   2. Nearly-disjoint "subset system"
– Our result: There exists a specific choice of these subsets, for which the resulting distribution generated by the MAJORITY function can be distinguished (from uniform) quantumly!

Formal: Nisan-Wigderson PRG
• $S_1, S_2, \ldots, S_M \subset [N]$ is an (N', p)-design if
– for all i, $|S_i| = N'$
– for all i ≠ j, $|S_i \cap S_j| \le p$
[Figure: overlapping subsets $S_1$, $S_2$, $S_3$ of [N]]

Nisan-Wigderson PRG
• $f:\{0,1\}^{N'} \to \{0,1\}$ is a hard function (e.g., MAJORITY)
• $S_1, \ldots, S_M \subset [N]$ is an (N', p)-design
$G(x) = x \circ f(x|_{S_1}) \circ f(x|_{S_2}) \circ \ldots \circ f(x|_{S_M})$
[Figure: seed $x \in \{0,1\}^N$; truth table of f: 010100101111101010111001010]

Proof of Classical Hardness: Indistinguishability
• Proof by contradiction:
– assume circuit C distinguishes from uniform:
$|\Pr[C(U_{N+M}) = 1] - \Pr[C(G(U_N)) = 1]| > \varepsilon$
– transform C into a predictor circuit P
$\Pr_{x \sim U}[P(G(x)_{1 \ldots i-1}) = G(x)_i] > \tfrac{1}{2} + \varepsilon/M$ (loss from hybrid argument!)
– derive similar sized circuit approximating hard function (using properties of subset system)
– Contradiction (assuming hard function cannot be approximated this well)

Distributions distinguishable from Uniform with a quantum computer
$D_A = (x, y)$: pick x uniformly from $\{1,-1\}^N$, set $y_i = \mathrm{sgn}((Ax)_i)$
Goal: Matrix A with rows that
1. Have large support
2. Have supports with small pairwise intersection (form some (N', p)-design)
3. Are pairwise orthogonal
4. Should be an efficient quantum circuit (product of polylog(N) local unitaries)
• Note that properties (1-2) give us classical hardness, (3-4) quantum algorithm
[Figure: A x = (Ax), with the ±1 entries of each row of A supported on a set of the design S; signs are output of $NW_{S,\mathrm{MAJORITY}}$]

Quantum Algorithm
• We claim there is a quantum algorithm to distinguish $D_A$ from $U_{2N}$
• Quantum algorithm:
1. enter uniform superposition over log N qubits
2. query x and multiply into phases: $\sum_i x_i |i\rangle$
3. apply A: $\sum_i (Ax)_i |i\rangle$
4. query y and multiply into phases: $\sum_i y_i (Ax)_i |i\rangle$
5. measure in Hadamard basis, accept iff (0,0,…,0)
• Crucially, after step 4 we are back to all positive amplitudes in case oracle is $D_A$
• But in case oracle is $U_{2N}$ with high prob. we have random mix of signs (low weight on $|0 \ldots 0\rangle$ after final Hadamard)

Constructing A using "Paired-Lines"
• Will describe N/2 pairwise-orthogonal vectors in $\{0, \pm 1\}^N$
• Identify with the affine plane $F_{\sqrt{N}} \times F_{\sqrt{N}}$
• Let $B_1, B_2$ be an equipartition of $F_{\sqrt{N}}$
• Take some : $B_1 \to B_2$ (an arbitrary bijection). Then the vectors are:
$$v_{a,b}[x, y] = \begin{cases} -1 & y = ax + b \\ +1 & y = ax + (b) \\ 0 & \text{otherwise} \end{cases}$$

Construction
• Each row will be $v_{a,b}$ (supported on two parallel, "paired-lines" with slope a)
• Identify columns with affine plane $F_{\sqrt{N}} \times F_{\sqrt{N}}$
• $\sqrt{N}$ parallel line classes
• $\sqrt{N}$ lines in each class
• N/2 rows
[Figure: matrix A, each row carrying −1 entries on one line and +1 entries on its paired parallel line of the affine plane]

Construction
Note that support of each row has at most 4 intersections with any other, and these contribute 0 to the inner product (and thus orthogonal)
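
A check of the paired-lines construction at toy size, added here as an example and not code from the talk. It assumes √N = 8 with F_8 represented as GF(2)[t]/(t^3 + t + 1), B_1 = {0..3}, B_2 = {4..7}, a bijection named phi(b) = b XOR 4, and sgn(0) = +1; these choices and all function names are assumptions.

```python
import itertools
import random

Q = 8        # assumed field size sqrt(N): a power of two, so F_Q splits evenly
N = Q * Q    # columns of A = points (x, y) of the affine plane, index x*Q + y

def gf_mul(a, b):
    """Multiply in GF(8) = GF(2)[t]/(t^3 + t + 1); field addition is XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a & 0b1000:          # degree reached 3: reduce by t^3 + t + 1
            a ^= 0b1011
    return r

def phi(b):  # assumed bijection B1 = {0..3} -> B2 = {4..7}; any bijection works
    return b ^ (Q // 2)

def paired_lines_vector(a, b):
    """-1 on the line y = a*x + b, +1 on its partner y = a*x + phi(b)."""
    v = [0] * N
    for x in range(Q):
        ax = gf_mul(a, x)
        v[x * Q + (ax ^ b)] = -1
        v[x * Q + (ax ^ phi(b))] = 1
    return v

def build_rows():
    return [paired_lines_vector(a, b) for a in range(Q) for b in range(Q // 2)]

def check_design(rows):
    """Return (set of support sizes, max pairwise overlap, all orthogonal?)."""
    sizes = {sum(abs(e) for e in v) for v in rows}
    overlap, orthogonal = 0, True
    for u, v in itertools.combinations(rows, 2):
        overlap = max(overlap, sum(1 for s, t in zip(u, v) if s and t))
        orthogonal = orthogonal and sum(s * t for s, t in zip(u, v)) == 0
    return sizes, overlap, orthogonal

def sample_DA(rows, seed=0):
    """Draw from D_A: x uniform in {1,-1}^N, y_i = sgn((Ax)_i); also return Ax."""
    rng = random.Random(seed)
    x = [rng.choice((1, -1)) for _ in range(N)]
    ax = [sum(r * xi for r, xi in zip(row, x)) for row in rows]
    return x, [1 if t >= 0 else -1 for t in ax], ax

if __name__ == "__main__":
    print(len(build_rows()), check_design(build_rows()))
```

For a sample from D_A every product y_i (Ax)_i equals |(Ax)_i|, which is the "all positive amplitudes" condition the quantum algorithm relies on after step 4.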

Putting it all together
• "Technical Core": We construct an efficient quantum circuit realized by unitary whose (un-normalized) rows are vectors from a paired-lines construction wrt a specific bijection
– N×N
– Half of the rows will correspond to the paired-lines vectors
• Note that we have a quantum algorithm, as described before, that uses this unitary A to distinguish between $D_A$ and $U_{2N}$
• But distinguishing should be hard for AC^0 since Ax is instantiation of NW generator!

But why aren't we finished?
• Distribution on (3/2)N bits that is the NW generator w.r.t. MAJORITY on $N^{1/2}$ bits, with output length N/2
• Suppose AC^0 can distinguish from uniform with constant gap ε
– proof: distinguisher to predictor, and then circuit for majority w/ success $\tfrac{1}{2} + \varepsilon/(N/2)$
– but already possible w/ success $\tfrac{1}{2} + \Omega(1/N^{1/4})$ … no contradiction

Our Conjecture
• Distribution on (3/2)N bits that is the NW generator w.r.t. MAJORITY on $N^{1/2}$ bits, with output length N/2
• Can AC^0 distinguish from uniform with constant gap ε?
Conjecture: No.

Recent new work [with Shaltiel, Umans & Viola]
• (Non-trivial) simplification of conjecture:
– Take M completely disjoint subsets
– Distinguish:
1. All bits distributed uniformly
2. First half bits are uniform, second are majorities over disjoint subsets of first half
– This is indeed hard for AC^0!

Conclusions
• Assuming conjecture, gives a quantum algorithm that can "break" a PRG
• Unitaries used are novel and don't seem to resemble those used in other quantum algorithms
• Conjecture implies oracle relative to which BQP is not in PH