Quantum algorithms for the hidden shift problem of Boolean functions - - PowerPoint PPT Presentation
Quantum algorithms for the hidden shift problem of Boolean functions Maris Ozols University of Waterloo, IQC and NEC Labs Joint work with: Martin R otteler (NEC Labs) (NEC Labs) J er emie Roland Andrew Childs (University of
University of Waterloo, IQC and NEC Labs
Joint work with: Martin R¨
(NEC Labs) J´ er´ emie Roland (NEC Labs) Andrew Childs (University of Waterloo, IQC)
arXiv:1103.2774 Quantum rejection sampling arXiv:1103.3017 Quantum algorithm for the Boolean hidden shift problem 19/09/2011 Dagstuhl 1
19/09/2011 Dagstuhl 2
Dihedral group Symmetric group
◗ ◗ ◗ ◗ ❦ Legendre symbol
[van Dam et al., 2003]
? New algorithms ❄ ? Attacks on cryptosystems ✑✑✑ ✑ ✸ Factoring
[Shor, 1994]
✘✘ ✘ ✿ Discrete logarithm
[Shor, 1994]
❳❳ ❳ ③ Pell’s equation
[Hallgren, 2002]
❩❩ ❩ ⑦ ? Lattice problems
[Regev, 2002]
❄ ? Graph isomorphism
◮ Given: Complete knowledge of f : Zn 2 → Z2 and access to a
◮ Determine: The hidden shift s
19/09/2011 Dagstuhl 3
◮ Given: Complete knowledge of f : Zn 2 → Z2 and access to a
◮ Determine: The hidden shift s
◮ f(x) := δx,x0 1 0n 1n f(x) x0
19/09/2011 Dagstuhl 3
◮ Given: Complete knowledge of f : Zn 2 → Z2 and access to a
◮ Determine: The hidden shift s
◮ f(x) := δx,x0 1 0n 1n x0 x0 + s fs(x) s
19/09/2011 Dagstuhl 3
◮ Given: Complete knowledge of f : Zn 2 → Z2 and access to a
◮ Determine: The hidden shift s
◮ f(x) := δx,x0 ◮ Equivalent to Grover’s search: Θ(
1 0n 1n x0 x0 + s fs(x) s
19/09/2011 Dagstuhl 3
◮ F(x) := 1 √ 2n (−1)f(x)
19/09/2011 Dagstuhl 4
◮ F(x) := 1 √ 2n (−1)f(x)
◮ ˆ
19/09/2011 Dagstuhl 4 H :=
1 √ 2
1 1 −1
◮ F(x) := 1 √ 2n (−1)f(x)
◮ ˆ
1 √ 2n
2 (−1)w·xF(x) 19/09/2011 Dagstuhl 4 H :=
1 √ 2
1 1 −1
◮ F(x) := 1 √ 2n (−1)f(x)
◮ ˆ
1 √ 2n
2 (−1)w·xF(x)
1 √ 2n
19/09/2011 Dagstuhl 4 H :=
1 √ 2
1 1 −1
◮ Phase oracle Ofs : |x → (−1)fs(x)|x
19/09/2011 Dagstuhl 5
◮ Phase oracle Ofs : |x → (−1)fs(x)|x
|0⊗n |Φ(s) H⊗n H⊗n Ofs
◮ |Φ(s) := w∈Zn
2 (−1)s·w ˆ
19/09/2011 Dagstuhl 5
◮ Phase oracle Ofs : |x → (−1)fs(x)|x
|0⊗n |Φ(s) H⊗n H⊗n Ofs
◮ |Φ(s) := w∈Zn
2 (−1)s·w ˆ
◮ Prepare |Φ(s)
19/09/2011 Dagstuhl 5
◮ Phase oracle Ofs : |x → (−1)fs(x)|x
|0⊗n |Φ(s) H⊗n H⊗n Ofs
◮ |Φ(s) := w∈Zn
2 (−1)s·w ˆ
◮ Prepare |Φ(s) ◮ D|Φ(s) = w∈Zn
2 (−1)s·w| ˆ
| ˆ
F(w)| ˆ F(w)
19/09/2011 Dagstuhl 5
◮ Phase oracle Ofs : |x → (−1)fs(x)|x
|0⊗n |Φ(s) H⊗n H⊗n Ofs
◮ |Φ(s) := w∈Zn
2 (−1)s·w ˆ
◮ Prepare |Φ(s) ◮ D|Φ(s) = w∈Zn
2 (−1)s·w| ˆ
| ˆ
F(w)| ˆ F(w)
◮ If f is bent then H⊗nD|Φ(s) = |s
19/09/2011 Dagstuhl 5
◮ Phase oracle Ofs : |x → (−1)fs(x)|x
|0⊗n |Φ(s) H⊗n H⊗n Ofs
◮ |Φ(s) := w∈Zn
2 (−1)s·w ˆ
◮ Prepare |Φ(s) ◮ D|Φ(s) = w∈Zn
2 (−1)s·w| ˆ
| ˆ
F(w)| ˆ F(w)
◮ If f is bent then H⊗nD|Φ(s) = |s ◮ Complexity: Θ(1)
19/09/2011 Dagstuhl 5
19/09/2011 Dagstuhl 6
19/09/2011 Dagstuhl 6
19/09/2011 Dagstuhl 6
19/09/2011 Dagstuhl 6
19/09/2011 Dagstuhl 6
19/09/2011 Dagstuhl 6
2
2
19/09/2011 Dagstuhl 7
2
2
◮ Pick ε ∈ R2n such that ∀w : 0 ≤ εw ≤ | ˆ
19/09/2011 Dagstuhl 7
2
2
◮ Pick ε ∈ R2n such that ∀w : 0 ≤ εw ≤ | ˆ
◮ Apply Rε : |w|0 → |w 1 ˆ F(w)
» ˆ
w|0 + εw|1
Dagstuhl 7
2
2
◮ Pick ε ∈ R2n such that ∀w : 0 ≤ εw ≤ | ˆ
◮ Apply Rε : |w|0 → |w 1 ˆ F(w)
» ˆ
w|0 + εw|1
2 and the post-measurement state would be
2
19/09/2011 Dagstuhl 7
2
2
◮ Pick ε ∈ R2n such that ∀w : 0 ≤ εw ≤ | ˆ
◮ Apply Rε : |w|0 → |w 1 ˆ F(w)
» ˆ
w|0 + εw|1
2 and the post-measurement state would be
2
◮ Instead of measuring, amplify the amplitude on |1
19/09/2011 Dagstuhl 7
2
2
◮ Pick ε ∈ R2n such that ∀w : 0 ≤ εw ≤ | ˆ
◮ Apply Rε : |w|0 → |w 1 ˆ F(w)
» ˆ
w|0 + εw|1
2 and the post-measurement state would be
2
◮ Instead of measuring, amplify the amplitude on |1 ◮ Complexity: O(1/ε2)
19/09/2011 Dagstuhl 7
2
2
◮ Pick ε ∈ R2n such that ∀w : 0 ≤ εw ≤ | ˆ
◮ Apply Rε : |w|0 → |w 1 ˆ F(w)
» ˆ
w|0 + εw|1
2 and the post-measurement state would be
2
◮ Instead of measuring, amplify the amplitude on |1 ◮ Complexity: O(1/ε2) ◮ Take εw = ˆ
Ä
1 √ 2n ˆ Fmin
ä
19/09/2011 Dagstuhl 7
19/09/2011 Dagstuhl 8
19/09/2011 Dagstuhl 8
19/09/2011 Dagstuhl 8
19/09/2011 Dagstuhl 8
19/09/2011 Dagstuhl 8
19/09/2011 Dagstuhl 8
19/09/2011 Dagstuhl 8
19/09/2011 Dagstuhl 8
19/09/2011 Dagstuhl 8
19/09/2011 Dagstuhl 8
◮ Delta functions: O(
◮ Bent functions: O(1)
◮ What if ˆ
◮ Undetectable anti-shifts: f(x + s) = f(x) + 1
19/09/2011 Dagstuhl 9
19/09/2011 Dagstuhl 10
◮ Instead of the flat state
19/09/2011 Dagstuhl 10
◮ Instead of the flat state aim for approximately flat state
19/09/2011 Dagstuhl 10
◮ Instead of the flat state aim for approximately flat state ◮ Fix success probability p
19/09/2011 Dagstuhl 10
◮ Instead of the flat state aim for approximately flat state ◮ Fix success probability p ◮ Optimal choice of ε is given by the “water filling” vector εp
1 √ 2n
19/09/2011 Dagstuhl 10
◮ Instead of the flat state aim for approximately flat state ◮ Fix success probability p ◮ Optimal choice of ε is given by the “water filling” vector εp
1 √ 2n
19/09/2011 Dagstuhl 10
◮ Instead of the flat state aim for approximately flat state ◮ Fix success probability p ◮ Optimal choice of ε is given by the “water filling” vector εp
1 √ 2n
19/09/2011 Dagstuhl 10
◮ Instead of the flat state aim for approximately flat state ◮ Fix success probability p ◮ Optimal choice of ε is given by the “water filling” vector εp
1 √ 2n ◮ Queries: O(1/εp2)
19/09/2011 Dagstuhl 10
t 1st stage 2nd stage
|0⊗n |0⊗n |0⊗n |0⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n . . . . . . . . . Ofs Ofs Ofs Ofs . . . . . . . . . . . . . . . . . . . . . . . . ... ... 19/09/2011 Dagstuhl 11
t 1st stage 2nd stage
|0⊗n |0⊗n |0⊗n |0⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n . . . . . . . . . Ofs Ofs Ofs Ofs . . . . . . . . . . . . . . . . . . . . . . . . ... ...
Ä
w∈Zn
2 (−1)s·w ˆ
ä⊗t
19/09/2011 Dagstuhl 11
t 1st stage 2nd stage
|0⊗n |0⊗n |0⊗n |0⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n . . . . . . . . . Ofs Ofs Ofs Ofs . . . . . . . . . . . . . . . . . . . . . . . . ... ...
Ä
w∈Zn
2 (−1)s·w ˆ
ä⊗t
w∈Zn
2 (−1)s·w|Ft
w|w
19/09/2011 Dagstuhl 11
t 1st stage 2nd stage
|0⊗n |0⊗n |0⊗n |0⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n . . . . . . . . . Ofs Ofs Ofs Ofs . . . . . . . . . . . . . . . . . . . . . . . . ... ...
Ä
w∈Zn
2 (−1)s·w ˆ
ä⊗t
w∈Zn
2 (−1)s·w|Ft
w|w
s := 1 √ 2n
2 (−1)s·w
|Ft
w
|Ft
w2 |w 19/09/2011 Dagstuhl 11
t 1st stage 2nd stage
|0⊗n |0⊗n |0⊗n |0⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n H⊗n . . . . . . . . . Ofs Ofs Ofs Ofs . . . . . . . . . . . . . . . . . . . . . . . . ... ...
Ä
w∈Zn
2 (−1)s·w ˆ
ä⊗t
w∈Zn
2 (−1)s·w|Ft
w|w
s := 1 √ 2n
2 (−1)s·w
|Ft
w
|Ft
w2 |w
s := 1 √ 2n
2 (−1)s·w ˆ
F(w) | ˆ F(w)||w
19/09/2011 Dagstuhl 11
◮ States: |Φt(s) := w∈Zn
2 (−1)s·w|Ft
w|w
19/09/2011 Dagstuhl 12
◮ States: |Φt(s) := w∈Zn
2 (−1)s·w|Ft
w|w
w2 2 =
î ˆ
1 √ 2n ⁄
19/09/2011 Dagstuhl 12
◮ States: |Φt(s) := w∈Zn
2 (−1)s·w|Ft
w|w
w2 2 =
î ˆ
1 √ 2n ⁄
◮ Convolution: (F ∗ F)(w) = x∈Zn
2 F(x)F(w − x) 19/09/2011 Dagstuhl 12
◮ States: |Φt(s) := w∈Zn
2 (−1)s·w|Ft
w|w
w2 2 =
î ˆ
1 √ 2n ⁄
◮ Convolution: (F ∗ F)(w) = x∈Zn
2 F(x)F(w − x) 19/09/2011 Dagstuhl 12
◮ States: |Φt(s) := w∈Zn
2 (−1)s·w|Ft
w|w
w2 2 =
î ˆ
1 √ 2n ⁄
◮ Convolution: (F ∗ F)(w) = x∈Zn
2 F(x)F(w − x) 19/09/2011 Dagstuhl 12
1 √ 2n ⁄
◮ Bent functions: O(1) ◮ Random functions: O(1) ◮ No issues with undetectable anti-shifts
◮ Delta functions: O(2n), no speedup
◮ For some t ≤ n there will be no zero amplitudes!
19/09/2011 Dagstuhl 13
◮ Oracle Ofks : |k|w → (−1)f(x+ks)|k|w
|0 |0⊗n H H H⊗n H⊗n Ofks k
2
19/09/2011 Dagstuhl 14
◮ Oracle Ofks : |k|w → (−1)f(x+ks)|k|w
|0 |0⊗n H H H⊗n H⊗n Ofks k
2
◮ Complexity: O(n/
19/09/2011 Dagstuhl 14
◮ Oracle Ofks : |k|w → (−1)f(x+ks)|k|w
|0 |0⊗n H H H⊗n H⊗n Ofks k
2
◮ Complexity: O(n/
◮ Where If(w) is the influence of w ∈ Zn 2 on f:
x
î
ó
19/09/2011 Dagstuhl 14
19/09/2011 Dagstuhl 15
◮ What is the best quantum algorithm for solving BHSP?
19/09/2011 Dagstuhl 16
◮ What is the best quantum algorithm for solving BHSP? ◮ Quantum query lower bound?
19/09/2011 Dagstuhl 16
◮ What is the best quantum algorithm for solving BHSP? ◮ Quantum query lower bound? ◮ Related problems:
19/09/2011 Dagstuhl 16
◮ What is the best quantum algorithm for solving BHSP? ◮ Quantum query lower bound? ◮ Related problems:
◮ Verification of s: O1/If
Dagstuhl 16
◮ What is the best quantum algorithm for solving BHSP? ◮ Quantum query lower bound? ◮ Related problems:
◮ Verification of s: O1/If
F(w)
19/09/2011 Dagstuhl 16
◮ What is the best quantum algorithm for solving BHSP? ◮ Quantum query lower bound? ◮ Related problems:
◮ Verification of s: O1/If
F(w)
◮ What is the classical query complexity of this problem?
19/09/2011 Dagstuhl 16
◮ What is the best quantum algorithm for solving BHSP? ◮ Quantum query lower bound? ◮ Related problems:
◮ Verification of s: O1/If
F(w)
◮ What is the classical query complexity of this problem? ◮ Generalize from Z2 to Zd
19/09/2011 Dagstuhl 16
◮ What is the best quantum algorithm for solving BHSP? ◮ Quantum query lower bound? ◮ Related problems:
◮ Verification of s: O1/If
F(w)
◮ What is the classical query complexity of this problem? ◮ Generalize from Z2 to Zd ◮ Applications
19/09/2011 Dagstuhl 16
19/09/2011 Dagstuhl 17
◮ Given: Ability to sample from distribution p ◮ Task: Sample from distribution q
P ξ(k) k A ξ(k) accept/reject k
19/09/2011 Dagstuhl 18
◮ Given: Oracle O : |0 → n k=1 πk|ξk|k ◮ Task: Perform transformation n
n
◮ Note: Amplitudes πk and σk are known, but states |ξk are
19/09/2011 Dagstuhl 19