Quantum Time-Space Tradeoffs by Recording Queries Yassine Hamoudi, - - PowerPoint PPT Presentation

Quantum Time-Space Tradeoffs by Recording Queries

Yassine Hamoudi, Frédéric Magniez

arXiv: 2002.08944

IRIF , Université de Paris

Simulation by Schrödinger-Feynman algorithm Simulation by Schrödinger algorithm Time ≈ 2.5 days Memory ≈ 250 Petabytes Time ≈ 10,000 years Memory ≈ 1 Petabyte Google Sycamore’s calculation Time ≈ 5 minutes Memory ≈ 53 qubits + few megabytes

1. Time and Space in the Query Model 2. The Collision Pairs Finding Problem 3. Lower Bounds by Recording Queries

Time and Space in the Query Model

1

5

Classical Query Model

Read Only Memory

x = (x1, …, xN) Input

Read-Write Memory

i xi Queries Computer

5

Classical Query Model

Read Only Memory

x = (x1, …, xN) Input

Read-Write Memory

i xi Queries Computer Time T = number of queries to the input Space S = number of bits in the computer’s memory

5

Classical Query Model

Read Only Memory

x = (x1, …, xN) Input

Read-Write Memory

i xi Queries Computer Time T = number of queries to the input Space S = number of bits in the computer’s memory

The number of queries is a lower bound on the actual computation time. If S = ∞ then T ≤ N is sufficient (load the entire input in the computer’s memory). We are interested in the case “T or S << N”.

6

Classical Query Model

Read Only Memory

Input

Read-Write Memory

i xi Queries Computer Time T = number of queries to the input Space S = number of bits in the computer’s memory

[Beame’91] Sorting N numbers requires time T and space S such that TS ≥ Ω(N2).

Time-Space Tradeoffs: x = (x1, …, xN)

6

Classical Query Model

Read Only Memory

Input

Read-Write Memory

i xi Queries Computer Time T = number of queries to the input Space S = number of bits in the computer’s memory

[Beame’91] Sorting N numbers requires time T and space S such that TS ≥ Ω(N2).

Time-Space Tradeoffs:

[Klauck et al.’07] Boolean Multiplication of two NxN matrices requires TS ≥ Ω(N3).

… x = (x1, …, xN)

7

Classical Query Model

S

x

⋮

T

Q Q Q i xi

• Initially, the memory is filled with S zeros.
• The “Query Operator” Q is:
• The computation alternates between T queries and T memory updates.

x

8

Quantum Query Model

⋮

Q Q Q |i⟩ (−1)xi|i⟩

• The quantum “Query Operator” Q is:

x

• The memory is made of S qubits, initially set to |0⟩.
• The computation alternates between T quantum queries and T unitary updates/

measurements of the memory.

x

|0⟩ |0⟩ |0⟩

(when )

xi ∈ {0,1}

9

Quantum Query Model x

⋮

Q Q

|0⟩ |0⟩ H T = O( N) S = log(N)

2H|0⟩⟨0|H −I 2H|0⟩⟨0|H −I

|0⟩

Example: Grover’s Search

10

Quantum Time-Space Tradeoffs

Our focus in this talk: quantum time-space tradeoff lower bounds. Very few existing results:

[Klauck et al.’07] Sorting N numbers requires T2S ≥ Ω(N3).

10

Quantum Time-Space Tradeoffs

Our focus in this talk: quantum time-space tradeoff lower bounds. Very few existing results:

[Klauck et al.’07] Sorting N numbers requires T2S ≥ Ω(N3). [Ambainis et al.’09] Evaluating Ax ≥ (t,…,t) requires T2S ≥ Ω(tN3) when S < N/t. [Klauck et al.’07] Boolean Matrix-Matrix Multiplication requires T2S ≥ Ω(N5). [Klauck et al.’07] Boolean Matrix-Vector Multiplication requires T2S ≥ Ω(N3). TS ≥ Ω(N2) when S > N/t.

10

Quantum Time-Space Tradeoffs

Our focus in this talk: quantum time-space tradeoff lower bounds. Very few existing results:

[Klauck et al.’07] Sorting N numbers requires T2S ≥ Ω(N3). [Ambainis et al.’09] Evaluating Ax ≥ (t,…,t) requires T2S ≥ Ω(tN3) when S < N/t. [Klauck et al.’07] Boolean Matrix-Matrix Multiplication requires T2S ≥ Ω(N5). [Klauck et al.’07] Boolean Matrix-Vector Multiplication requires T2S ≥ Ω(N3). TS ≥ Ω(N2) when S > N/t.

Our contribution: a new tradeoff for the Collision Pairs Finding problem.

The Collision Pairs Finding Problem

2

12

Collision Pairs

Collision pair: xi = xj

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 2 x10 = 4 x11 = 4

13

Collision Pairs

Collision pair: xi = xj

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 2 x10 = 4 x11 = 4

14

Collision Pairs

Collision pair: xi = xj

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 2 x10 = 4 x11 = 4

15

Collision Pairs Finding

K-Collision Pairs

Find K collision pairs in a random input x1, …, xN ~ [N].

15

Collision Pairs Finding

K-Collision Pairs

Find K collision pairs in a random input x1, …, xN ~ [N].

→ A random input contains ~ Θ(N) collision pairs with high probability.

15

Collision Pairs Finding

• preimage attacks on hash functions
• meet-in-the-middle attacks
• computing discrete logarithms
• …

→ Finding collisions is an important problem in cryptanalysis:

← requires to find many collisions

K-Collision Pairs

Find K collision pairs in a random input x1, …, xN ~ [N].

→ A random input contains ~ Θ(N) collision pairs with high probability.

16

Birthday attack (K = 1)

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

17

Birthday attack (K = 1)

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 N elements x11 = 4

Birthday attack

18

Birthday attack (K = 1)

Birthday attack

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 N elements x11 = 4

18

Birthday attack (K = 1)

Birthday attack

T = O( N) S = O( N) x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 N elements x11 = 4

19

Birthday attack (K = 1)

Birthday attack Birthday attack + Floyd’s cycle finding

T = O( N) S = O( N) x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

19

Birthday attack (K = 1)

Birthday attack Birthday attack + Floyd’s cycle finding

T = O( N) S = O( N) x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

19

Birthday attack (K = 1)

Birthday attack Birthday attack + Floyd’s cycle finding

T = O( N) S = O( N) x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

19

Birthday attack (K = 1)

Birthday attack Birthday attack + Floyd’s cycle finding

T = O( N) S = O( N) x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

19

Birthday attack (K = 1)

Birthday attack Birthday attack + Floyd’s cycle finding

T = O( N) S = O( N) x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

19

Birthday attack (K = 1)

Birthday attack Birthday attack + Floyd’s cycle finding

T = O( N) S = O( N) x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

19

Birthday attack (K = 1)

Birthday attack Birthday attack + Floyd’s cycle finding

T = O( N) S = O( N) x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

20

Birthday attack (K = 1)

Birthday attack Birthday attack + Floyd’s cycle finding

T = O( N) S = O( N) x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

20

Birthday attack (K = 1)

Birthday attack Birthday attack + Floyd’s cycle finding

T = O( N) S = O( N) T = O( N) S = O(log N) x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

21

Quantum BHT algorithm (K = 1)

Quantum BHT algorithm

x12 = 3 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x8 = 1 x9 = 6 x10 = 4 x11 = 4 N1/3 stored elements N − N1/3 elements

Grover’s search

22

Quantum BHT algorithm (K = 1)

Quantum BHT algorithm

x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x9 = 6 x10 = 4 x11 = 4 N1/3 stored elements N − N1/3 elements

Grover’s search

x12 = 3 x8 = 1

22

Quantum BHT algorithm (K = 1)

Quantum BHT algorithm

T = O(N1/3) S = O(N1/3) x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x9 = 6 x10 = 4 x11 = 4 N1/3 stored elements N − N1/3 elements

Grover’s search

x12 = 3 x8 = 1

23

Finding 1 collision pair

BHT algorithm

T = O(N1/3) S = O(N1/3)

Birthday attack + Floyd’s cycle finding

T = O( N) S = O(log N)

The quantum BHT algorithm has a better time complexity, but a worst time-space tradeoff!

vs

23

Finding 1 collision pair

BHT algorithm

T = O(N1/3) S = O(N1/3)

Birthday attack + Floyd’s cycle finding

T = O( N) S = O(log N)

The quantum BHT algorithm has a better time complexity, but a worst time-space tradeoff!

vs

A BHT attack on SHA3-256 would require S ≈ 2256/3 ≈ 285 qubits!

23

Finding 1 collision pair

BHT algorithm

T = O(N1/3) S = O(N1/3)

Birthday attack + Floyd’s cycle finding

T = O( N) S = O(log N)

The quantum BHT algorithm has a better time complexity, but a worst time-space tradeoff! Big open problem: Is there a quantum algorithm with and ?

T ≤ o( N) S = O(log N)

vs

A BHT attack on SHA3-256 would require S ≈ 2256/3 ≈ 285 qubits!

Classical Tradeoff Quantum Tradeoff

Upper bound

T2S ≤ Õ(K2N) when Ω ̃ (log N) ≤ S ≤ Õ(K)

Parallel Collision Search [van Oorschot and Wiener’99]

T2S ≤ Õ(K2N) when Ω ̃ (log N) ≤ S ≤ Õ(K2/3N1/3)

Adaptation of the BHT algorithm

Lower bound

T2S ≥ Ω ̃ (K2N)

[Dinur’20]

T3S ≥ Ω ̃ (K3N)

Our result

24

Finding K collision pairs

Classical Tradeoff Quantum Tradeoff

Upper bound

T2S ≤ Õ(K2N) when Ω ̃ (log N) ≤ S ≤ Õ(K)

Parallel Collision Search [van Oorschot and Wiener’99]

T2S ≤ Õ(K2N) when Ω ̃ (log N) ≤ S ≤ Õ(K2/3N1/3)

Adaptation of the BHT algorithm

Lower bound

T2S ≥ Ω ̃ (K2N)

[Dinur’20]

T3S ≥ Ω ̃ (K3N)

Our result

24

Finding K collision pairs

Classical Tradeoff Quantum Tradeoff

Upper bound

T2S ≤ Õ(K2N) when Ω ̃ (log N) ≤ S ≤ Õ(K)

Parallel Collision Search [van Oorschot and Wiener’99]

T2S ≤ Õ(K2N) when Ω ̃ (log N) ≤ S ≤ Õ(K2/3N1/3)

Adaptation of the BHT algorithm

Lower bound

T2S ≥ Ω ̃ (K2N)

[Dinur’20]

T3S ≥ Ω ̃ (K3N)

Our result

24

Finding K collision pairs

Classical Tradeoff Quantum Tradeoff

Upper bound

T2S ≤ Õ(K2N) when Ω ̃ (log N) ≤ S ≤ Õ(K)

Parallel Collision Search [van Oorschot and Wiener’99]

T2S ≤ Õ(K2N) when Ω ̃ (log N) ≤ S ≤ Õ(K2/3N1/3)

Adaptation of the BHT algorithm

Lower bound

T2S ≥ Ω ̃ (K2N)

[Dinur’20]

T3S ≥ Ω ̃ (K3N)

Our result

24

Finding K collision pairs

We conjecture: T2S ≥ Ω

̃ (K2N)

25

Finding K collision pairs

Our result: T3S ≥ Ω ̃ (K3N) Conjecture: T2S ≥ Ω ̃ (K2N)

25

Finding K collision pairs

Our result: T3S ≥ Ω ̃ (K3N) Conjecture: T2S ≥ Ω ̃ (K2N)

• Our result is non-trivial when K ≥ ω(1):

25

Finding K collision pairs

Our result: T3S ≥ Ω ̃ (K3N) Conjecture: T2S ≥ Ω ̃ (K2N)

• Our result is non-trivial when K ≥ ω(1):

→ For K = 1 and S = log(N) it gives T ≥ Ω ̃ (N1/3), which is the same as the time-

• nly lower bound [Aaronson and Shi’04].

25

Finding K collision pairs

Our result: T3S ≥ Ω ̃ (K3N) Conjecture: T2S ≥ Ω ̃ (K2N)

• Our result is non-trivial when K ≥ ω(1):

→ For K = 1 and S = log(N) it gives T ≥ Ω ̃ (N1/3), which is the same as the time-

• nly lower bound [Aaronson and Shi’04].

→ For K ≥ ω(1) and S = log(N) it gives T ≥ Ω ̃ (KN1/3), whereas we prove that the best time-only lower bound is T = Θ ̃ (K2/3N1/3).

25

Finding K collision pairs

Our result: T3S ≥ Ω ̃ (K3N) Conjecture: T2S ≥ Ω ̃ (K2N)

• The conjecture T2S ≥ Ω

̃ (N3) for K = Θ ̃ (N) is particularly interesting:

• Our result is non-trivial when K ≥ ω(1):

→ For K = 1 and S = log(N) it gives T ≥ Ω ̃ (N1/3), which is the same as the time-

• nly lower bound [Aaronson and Shi’04].

→ For K ≥ ω(1) and S = log(N) it gives T ≥ Ω ̃ (KN1/3), whereas we prove that the best time-only lower bound is T = Θ ̃ (K2/3N1/3).

25

Finding K collision pairs

Our result: T3S ≥ Ω ̃ (K3N) Conjecture: T2S ≥ Ω ̃ (K2N)

• The conjecture T2S ≥ Ω

̃ (N3) for K = Θ ̃ (N) is particularly interesting:

→ Time-space tradeoffs are generally easier to prove when the output is large.

• Our result is non-trivial when K ≥ ω(1):

→ For K = 1 and S = log(N) it gives T ≥ Ω ̃ (N1/3), which is the same as the time-

• nly lower bound [Aaronson and Shi’04].

→ For K ≥ ω(1) and S = log(N) it gives T ≥ Ω ̃ (KN1/3), whereas we prove that the best time-only lower bound is T = Θ ̃ (K2/3N1/3).

25

Finding K collision pairs

Our result: T3S ≥ Ω ̃ (K3N) Conjecture: T2S ≥ Ω ̃ (K2N)

• The conjecture T2S ≥ Ω

̃ (N3) for K = Θ ̃ (N) is particularly interesting:

→ If true, we show that it would implies T2S ≥ Ω ̃ (N2) for Element Distinctness. → Time-space tradeoffs are generally easier to prove when the output is large.

• Our result is non-trivial when K ≥ ω(1):

→ For K = 1 and S = log(N) it gives T ≥ Ω ̃ (N1/3), which is the same as the time-

• nly lower bound [Aaronson and Shi’04].

→ For K ≥ ω(1) and S = log(N) it gives T ≥ Ω ̃ (KN1/3), whereas we prove that the best time-only lower bound is T = Θ ̃ (K2/3N1/3).

Lower Bounds by Recording Queries

3

27

Time-Space Lower Bounds from Time Lower Bounds

[Borodin et al.’81] : a general method to convert Time-only lower bounds directly into Time-Space lower bounds.

27

Time-Space Lower Bounds from Time Lower Bounds

[Borodin et al.’81] : a general method to convert Time-only lower bounds directly into Time-Space lower bounds. → The problem must have a large output (≠ decision problem). → The time lower bound is in the exponentially small success probability regime.

27

Time-Space Lower Bounds from Time Lower Bounds

[Borodin et al.’81] : a general method to convert Time-only lower bounds directly into Time-Space lower bounds. → The problem must have a large output (≠ decision problem). → The time lower bound is in the exponentially small success probability regime.

Finding K ones in with success probability at least 2-O(K) requires time

.

x ∈ {0,1}N, |x| = K

T ≥ Ω( NK)

K-Search

⇒

All existing quantum time-space tradeoffs

[Klauck et al.’07, Ambainis’10, …]

27

Time-Space Lower Bounds from Time Lower Bounds

[Borodin et al.’81] : a general method to convert Time-only lower bounds directly into Time-Space lower bounds. → The problem must have a large output (≠ decision problem). → The time lower bound is in the exponentially small success probability regime.

Finding K ones in with success probability at least 2-O(K) requires time

.

x ∈ {0,1}N, |x| = K

T ≥ Ω( NK)

K-Search

Finding K collisions in with success probability at least 2-O(K) requires time

.

x ∼ [N]N T ≥ Ω(K2/3N1/3)

K Collisions

⇒

All existing quantum time-space tradeoffs

⇒

T3S ≥ ˜ Ω(K3N)

for K-Collision Pairs Finding

[Klauck et al.’07, Ambainis’10, …]

28

Time Lower Bounds

Two main methods for proving quantum query lower bounds:

28

Time Lower Bounds

Two main methods for proving quantum query lower bounds:

Polynomial Method

The acceptance probability of a T-query algorithm is a polynomial in x of degree at most 2T.

28

Time Lower Bounds

Two main methods for proving quantum query lower bounds:

Polynomial Method

The acceptance probability of a T-query algorithm is a polynomial in x of degree at most 2T.

Adversary Method

x

⋮

Q …

|0⟩ |0⟩ |0⟩

|ψT

x ⟩ Bound the progress Wt = ∑x,y wx,y⟨ψt

x|ψt y⟩ .

28

Time Lower Bounds

Two main methods for proving quantum query lower bounds:

Polynomial Method

The acceptance probability of a T-query algorithm is a polynomial in x of degree at most 2T.

Adversary Method

x

⋮

Q …

|0⟩ |0⟩ |0⟩

|ψT

x ⟩ Bound the progress Wt = ∑x,y wx,y⟨ψt

x|ψt y⟩ .

Both methods are often difficult to use in practice: K-Search in [Klauck et al.’07] K-Search in [Ambainis’10]

Coppersmith-Rivlin’s bound + Extremal properties of Chebyshev polynomials. Analysis of the eigenspaces of the Johnson Association Scheme.

28

Time Lower Bounds

Two main methods for proving quantum query lower bounds:

Polynomial Method

The acceptance probability of a T-query algorithm is a polynomial in x of degree at most 2T.

Adversary Method

x

⋮

Q …

|0⟩ |0⟩ |0⟩

|ψT

x ⟩ Bound the progress Wt = ∑x,y wx,y⟨ψt

x|ψt y⟩ .

Both methods are often difficult to use in practice: K-Search in [Klauck et al.’07] K-Search in [Ambainis’10]

Coppersmith-Rivlin’s bound + Extremal properties of Chebyshev polynomials. Analysis of the eigenspaces of the Johnson Association Scheme.

A simpler and more intuitive method?

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N.

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N. Strategy: sample each entry only when it is queried, and record its value.

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N. Algorithm Input Strategy: sample each entry only when it is queried, and record its value. x = ( ⊥ , ⊥ , ⊥ , ⊥ )

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N. Algorithm Input Strategy: sample each entry only when it is queried, and record its value. x = ( ⊥ , ⊥ , ⊥ , ⊥ )

x2?

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N. Algorithm Input Strategy: sample each entry only when it is queried, and record its value. x = ( ⊥ , ⊥ , ⊥ , ⊥ )

x2?

x = ( ⊥ , 0 , ⊥ , ⊥ )

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N. Algorithm Input Strategy: sample each entry only when it is queried, and record its value. x = ( ⊥ , ⊥ , ⊥ , ⊥ )

x2?

x = ( ⊥ , 0 , ⊥ , ⊥ )

x2 = 0

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N. Algorithm Input Strategy: sample each entry only when it is queried, and record its value. x = ( ⊥ , ⊥ , ⊥ , ⊥ )

x2?

x = ( ⊥ , 0 , ⊥ , ⊥ )

x2 = 0 x1?

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N. Algorithm Input Strategy: sample each entry only when it is queried, and record its value. x = ( ⊥ , ⊥ , ⊥ , ⊥ )

x2?

x = ( ⊥ , 0 , ⊥ , ⊥ )

x2 = 0 x1?

x = ( 1 , 0 , ⊥ , ⊥ )

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N. Algorithm Input Strategy: sample each entry only when it is queried, and record its value. x = ( ⊥ , ⊥ , ⊥ , ⊥ )

x2?

x = ( ⊥ , 0 , ⊥ , ⊥ )

x2 = 0 x1? x1 = 1

x = ( 1 , 0 , ⊥ , ⊥ )

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N. Algorithm Input Strategy: sample each entry only when it is queried, and record its value. x = ( ⊥ , ⊥ , ⊥ , ⊥ )

x2?

x = ( ⊥ , 0 , ⊥ , ⊥ )

x2 = 0 x1? x1 = 1

x = ( 1 , 0 , ⊥ , ⊥ )

⋮

x2? x2 = 0

x = ( 1 , 0 , ⊥ , ⊥ )

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N. Algorithm Input Strategy: sample each entry only when it is queried, and record its value. x = ( ⊥ , ⊥ , ⊥ , ⊥ )

x2?

x = ( ⊥ , 0 , ⊥ , ⊥ )

x2 = 0 x1? x1 = 1

x = ( 1 , 0 , ⊥ , ⊥ ) Probability to have recorded at least K/2 ones after T queries

≤ ( T K/2)( K N )

K/2

⋮

x2? x2 = 0

x = ( 1 , 0 , ⊥ , ⊥ )

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N. Algorithm Input Strategy: sample each entry only when it is queried, and record its value. x = ( ⊥ , ⊥ , ⊥ , ⊥ )

x2?

x = ( ⊥ , 0 , ⊥ , ⊥ )

x2 = 0 x1? x1 = 1

x = ( 1 , 0 , ⊥ , ⊥ ) Probability to have recorded at least K/2 ones after T queries

≤ ( T K/2)( K N )

K/2

⋮

when T ≤ O(N)

≤ 2−Ω(K)

x2? x2 = 0

x = ( 1 , 0 , ⊥ , ⊥ )

29

Classical Lower Bound for K-Search

Input: x = (x1, …, xN) where xi = 1 with probability K/N. Algorithm Input Strategy: sample each entry only when it is queried, and record its value. x = ( ⊥ , ⊥ , ⊥ , ⊥ )

x2?

x = ( ⊥ , 0 , ⊥ , ⊥ )

x2 = 0 x1? x1 = 1

x = ( 1 , 0 , ⊥ , ⊥ ) Probability to have recorded at least K/2 ones after T queries

≤ ( T K/2)( K N )

K/2

(The un-recorded positions can only be guessed, with success ).

≤ (K/N)K/2 ≤ 2−Ω(K)

⋮

when T ≤ O(N)

≤ 2−Ω(K)

x2? x2 = 0

x = ( 1 , 0 , ⊥ , ⊥ )

30

Recording of Quantum Queries

Can we record quantum queries similarly?

30

Recording of Quantum Queries

Can we record quantum queries similarly?

[Zhandry’19]: • A quantum “recording technique” that works when the input x1, …, xN is sampled from the uniform distribution on [M]N.

• Motivations: security proofs in the quantum random oracle model.

30

Recording of Quantum Queries

Can we record quantum queries similarly?

[Zhandry’19]: • A quantum “recording technique” that works when the input x1, …, xN is sampled from the uniform distribution on [M]N. Our contribution: • We generalize Zhandry’s technique to the case where x1, …, xN is sampled from any product distribution D1⊗…⊗DN on [M]N.

• We simplify the framework and the analysis of the method.
• Motivations: security proofs in the quantum random oracle model.

31

Quantum Recording for K-Search

⋮

Q Q Q

…

|0⟩ |0⟩ |0⟩

1 − K/N |0⟩ + K/N |1⟩ 1 − K/N |0⟩ + K/N |1⟩ 1 − K/N |0⟩ + K/N |1⟩

Query Operator

x1 : x2 : xN :

Q

|i⟩ (−1)xi|i⟩

xi

⋮

R R R

32

Quantum Recording for K-Search

⋮ …

|0⟩ |0⟩ |0⟩

⋮

Q

|i⟩ (−1)xi|i⟩

xi

Query Operator

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN :

? ? ?

R R R

32

Quantum Recording for K-Search

⋮ …

|0⟩ |0⟩ |0⟩

⋮

S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩

Q

|i⟩ (−1)xi|i⟩

xi

Query Operator

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN :

? ? ?

R R R

32

Quantum Recording for K-Search

⋮ …

|0⟩ |0⟩ |0⟩

⋮

S S S

Recording Query Operator

S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩

Q

|i⟩ (−1)xi|i⟩

xi

Query Operator

Q

|i⟩

xi

S S†

R

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN :

(where )

(−1)⊥ = 1

R R R

32

Quantum Recording for K-Search

⋮ …

|0⟩ |0⟩ |0⟩

⋮

S S S

Recording Query Operator

S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩

Q

|i⟩ (−1)xi|i⟩

xi

Query Operator

Q

|i⟩

xi

S S†

R

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN :

We show that it makes no difference for the algorithm.

(where )

(−1)⊥ = 1

R R R

32

Quantum Recording for K-Search

⋮ …

|0⟩ |0⟩ |0⟩

⋮

S S S

Recording Query Operator

S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩

Q

|i⟩ (−1)xi|i⟩

xi

Query Operator

Q

|i⟩

xi

S S†

R

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN :

We show that it makes no difference for the algorithm. We show that it “records” the 1’s.

(where )

(−1)⊥ = 1

1 − K/N |0⟩ + K/N |1⟩ 1 − K/N |0⟩ + K/N |1⟩ 1 − K/N |0⟩ + K/N |1⟩

x1 : x2 : xN :

⋮

33

Quantum Recording for K-Search

⋮

Q Q Q

…

|0⟩ |0⟩ |0⟩

S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩

33

Quantum Recording for K-Search

⋮

Q Q Q

…

|0⟩ |0⟩ |0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

33

Quantum Recording for K-Search

⋮

Q Q Q

…

|0⟩ |0⟩ |0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

33

Quantum Recording for K-Search

⋮

Q Q Q

…

|0⟩ |0⟩

S† S†

S

|0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

S†

S S

33

Quantum Recording for K-Search

⋮

Q Q Q

…

|0⟩ |0⟩

S† S†

S

|0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

S†

S S

S† S† S†

33

Quantum Recording for K-Search

⋮

Q Q Q

…

|0⟩ |0⟩

S† S†

S

|0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

S†

S S

S† S† S†

S S S

33

Quantum Recording for K-Search

⋮

Q Q Q

…

|0⟩ |0⟩

S† S†

S

|0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

S†

S S

S† S† S† S† S†

S

S†

S S S S S

33

Quantum Recording for K-Search

⋮

Q Q Q

…

|0⟩ |0⟩

S† S†

S

Recording Query Operator

Q

|i⟩

x1

⋮

xN xi

⋮

S S S S† S† S†

R

|0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

S†

S S

S† S† S† S† S†

S

S†

S S S S S

33

Quantum Recording for K-Search

⋮

Q Q Q

…

|0⟩ |0⟩

S† S†

S

Recording Query Operator

Q

|i⟩

xi

S S†

R

If xj is not queried it stays unchanged.

|0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

S†

S S

S† S† S† S† S†

S

S†

S S S S S

33

Quantum Recording for K-Search

⋮ …

|0⟩ |0⟩

Recording Query Operator

Q

|i⟩

xi

S S†

R

If xj is not queried it stays unchanged.

|0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

R R R

33

Quantum Recording for K-Search

⋮ …

|0⟩ |0⟩

Recording Query Operator

Q

|i⟩

xi

S S†

R

|0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

R R R

|i⟩

| ⊥ ⟩

|i⟩

|0⟩

R

|i⟩

|1⟩

R R

33

Quantum Recording for K-Search

⋮ …

|0⟩ |0⟩

Recording Query Operator

Q

|i⟩

xi

S S†

R

|0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

R R R

|i⟩

| ⊥ ⟩

≈ | ⊥ ⟩ − K/N |1⟩

|i⟩ |i⟩

|0⟩

R

|i⟩

|1⟩

R R

33

Quantum Recording for K-Search

⋮ …

|0⟩ |0⟩

Recording Query Operator

Q

|i⟩

xi

S S†

R

|0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

R R R

|i⟩

| ⊥ ⟩

≈ | ⊥ ⟩ − K/N |1⟩

|i⟩ |i⟩

|0⟩

≈ |0⟩ + K/N |1⟩

|i⟩

R

|i⟩

|1⟩

R R

33

Quantum Recording for K-Search

⋮ …

|0⟩ |0⟩

Recording Query Operator

Q

|i⟩

xi

S S†

R

|0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

R R R

|i⟩

| ⊥ ⟩

≈ | ⊥ ⟩ − K/N |1⟩

|i⟩ |i⟩

|0⟩

≈ |0⟩ + K/N |1⟩

|i⟩

R

|i⟩

|1⟩

≈ − |1⟩ + K/N(|0⟩ − | ⊥ ⟩)

|i⟩

R R

33

Quantum Recording for K-Search

⋮ …

|0⟩ |0⟩

Recording Query Operator

Q

|i⟩

xi

S S†

R

|0⟩

⋮

| ⊥ ⟩ | ⊥ ⟩ | ⊥ ⟩

x1 : x2 : xN : S| ⊥ ⟩ = 1 − K/N |0⟩ + K/N |1⟩ S S S

R R R

|i⟩

| ⊥ ⟩

≈ | ⊥ ⟩ − K/N |1⟩

|i⟩

Record a new 1

|i⟩

|0⟩

≈ |0⟩ + K/N |1⟩

|i⟩

R

|i⟩

|1⟩

≈ − |1⟩ + K/N(|0⟩ − | ⊥ ⟩)

|i⟩

R R

Classical Recording Quantum Recording

K-Search

Probability to have recorded at least K/2 ones Amplitude of the states that have recorded at least K/2 ones

K-Collision Pairs

Probability to have recorded at least K/2 (disjoint) collisions Amplitude of the states that have recorded at least K/2 (disjoint) collisions

34

Quantum Recording

≤ ( T K/2)( K N )

K/2

≤ ( T K/2)(4 K N )

K/2

≤ ( T K/2)( T N )

K/2

≤ ( T K/2)(4 T N )

K/2

Classical Recording Quantum Recording

K-Search

Probability to have recorded at least K/2 ones Amplitude of the states that have recorded at least K/2 ones

K-Collision Pairs

Probability to have recorded at least K/2 (disjoint) collisions Amplitude of the states that have recorded at least K/2 (disjoint) collisions

34

Quantum Recording

≤ ( T K/2)( K N )

K/2

≤ ( T K/2)(4 K N )

K/2

≤ ( T K/2)( T N )

K/2

≤ ( T K/2)(4 T N )

K/2

Classical Recording Quantum Recording

K-Search

Probability to have recorded at least K/2 ones Amplitude of the states that have recorded at least K/2 ones

K-Collision Pairs

Probability to have recorded at least K/2 (disjoint) collisions Amplitude of the states that have recorded at least K/2 (disjoint) collisions

34

Quantum Recording

≤ ( T K/2)( K N )

K/2

≤ ( T K/2)(4 K N )

K/2

≤ ( T K/2)( T N )

K/2

≤ ( T K/2)(4 T N )

K/2

Classical Recording Quantum Recording

K-Search

Probability to have recorded at least K/2 ones Amplitude of the states that have recorded at least K/2 ones

K-Collision Pairs

Probability to have recorded at least K/2 (disjoint) collisions Amplitude of the states that have recorded at least K/2 (disjoint) collisions

34

Quantum Recording

≤ ( T K/2)( K N )

K/2

≤ ( T K/2)(4 K N )

K/2

≤ ( T K/2)( T N )

K/2

≤ ( T K/2)(4 T N )

K/2

Classical Recording Quantum Recording

K-Search

Probability to have recorded at least K/2 ones Amplitude of the states that have recorded at least K/2 ones

K-Collision Pairs

Probability to have recorded at least K/2 (disjoint) collisions Amplitude of the states that have recorded at least K/2 (disjoint) collisions

35

Quantum Recording

≤ 2−Ω(K) when T ≤ O(N) ≤ 2−Ω(K) when T ≤ O( NK) ≤ 2−Ω(K) when T ≤ O(K2/3N1/3) ≤ 2−Ω(K) when T ≤ O( NK)

Conclusion

• New lower bounds by recording queries? Triangles Finding?

arXiv: 2002.08944

Open Problems:

• Extend the quantum recording technique to non-product distributions?

Example: uniform distribution over the symmetric group.

• Improve the tradeoff for finding Θ

̃ (N) Collision Pairs to T2S ≥ Ω(N3),

• r find a quantum algorithm with T3S ≤ O(N4)?

Supplementary slides

39

Reducing Θ ̃ (N)-Collision Pairs to Element Distinctness

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

How to find Θ ̃ (N) Collision Pairs by using an algorithm for Element Distinctness

39

Reducing Θ ̃ (N)-Collision Pairs to Element Distinctness

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

How to find Θ ̃ (N) Collision Pairs by using an algorithm for Element Distinctness

Repeat O(N) times: sample elements and find a collision among them with ED.

N

40

Reducing Θ ̃ (N)-Collision Pairs to Element Distinctness

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

How to find Θ ̃ (N) Collision Pairs by using an algorithm for Element Distinctness

Repeat O(N) times: sample elements and find a collision among them with ED.

N

41

Reducing Θ ̃ (N)-Collision Pairs to Element Distinctness

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

How to find Θ ̃ (N) Collision Pairs by using an algorithm for Element Distinctness

Repeat O(N) times: sample elements and find a collision among them with ED.

N

42

Reducing Θ ̃ (N)-Collision Pairs to Element Distinctness

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

How to find Θ ̃ (N) Collision Pairs by using an algorithm for Element Distinctness

Repeat O(N) times: sample elements and find a collision among them with ED.

N

43

Reducing Θ ̃ (N)-Collision Pairs to Element Distinctness

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

How to find Θ ̃ (N) Collision Pairs by using an algorithm for Element Distinctness

Repeat O(N) times: sample elements and find a collision among them with ED.

N

→ Sometimes, there is no collision to find.

44

Reducing Θ ̃ (N)-Collision Pairs to Element Distinctness

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

How to find Θ ̃ (N) Collision Pairs by using an algorithm for Element Distinctness

Repeat O(N) times: sample elements and find a collision among them with ED.

N

→ Sometimes, there is no collision to find. → We cannot control which collision ED is going to output.

45

Reducing Θ ̃ (N)-Collision Pairs to Element Distinctness

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

How to find Θ ̃ (N) Collision Pairs by using an algorithm for Element Distinctness

Repeat O(N) times: sample elements and find a collision among them with ED.

N

→ Sometimes, there is no collision to find. → We cannot control which collision ED is going to output. → We can output the same collision many times (but it only counts as one collision).

46

Reducing Θ ̃ (N)-Collision Pairs to Element Distinctness

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

How to find Θ ̃ (N) Collision Pairs by using an algorithm for Element Distinctness

Repeat O(N) times: sample elements and find a collision among them with ED.

N

→ We can output the same collision many times (but it only counts as one collision). → Sometimes, there is no collision to find. → We cannot control which collision ED is going to output. → We need to store the sampled indices ⇒ 4-wise independent sampling

N

47

Reducing Θ ̃ (N)-Collision Pairs to Element Distinctness

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

How to find Θ ̃ (N) Collision Pairs by using an algorithm for Element Distinctness

(T,S)-Algorithm for Element Distinctness on inputs of size

N

(NT,S)-Algorithm for finding Θ ̃ (N) Collision Pairs on inputs of size N

⟹

47

Reducing Θ ̃ (N)-Collision Pairs to Element Distinctness

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

How to find Θ ̃ (N) Collision Pairs by using an algorithm for Element Distinctness

(T,S)-Algorithm for Element Distinctness on inputs of size

N

(NT,S)-Algorithm for finding Θ ̃ (N) Collision Pairs on inputs of size N

⟹

(NT)2S ≥ ˜ Ω(N3)

47

Reducing Θ ̃ (N)-Collision Pairs to Element Distinctness

x8 = 1 x4 = 2 x6 = 8 x7 = 2 x2 = 4 x5 = 7 x1 = 3 x3 = 6 x12 = 3 x9 = 6 x10 = 4 x11 = 4

How to find Θ ̃ (N) Collision Pairs by using an algorithm for Element Distinctness

(T,S)-Algorithm for Element Distinctness on inputs of size

N

(NT,S)-Algorithm for finding Θ ̃ (N) Collision Pairs on inputs of size N

⟹ ⟸

T2S ≥ ˜ Ω( N

2

)

(NT)2S ≥ ˜ Ω(N3)