Or, How Laci Did Quantum Stuff Without Knowing It
Scott Aaronson (MIT)

I’ll tell the story of a few of Laci’s brainchildren from the 80s— MA , AM , black-box groups—and how they came to play a major role in quantum computing theory
What should you conclude from this?
(1) Laci works on the trendiest areas before they even exist
(2) Quantum computing can’t be that scary
(3) Beautiful mathematical structures
(like finite groups) do useful things in TCS
(like giving natural examples where quantum computing seems to outperform classical)
2 / 17

Input x

{0,1} n
Is x

L?
All-knowing prover
Witness w

{0,1} p(n)
Polynomial-time verifier
Babai’s probabilistic generalizations of NP :
MA (Merlin-Arthur): Class of languages L for which, if the answer is “yes,” there’s a polynomial-size proof that
Arthur can check in probabilistic polynomial-time
AM (Arthur-Merlin): Same, except that now Arthur can also submit a random challenge to Merlin
3 / 17

[Klivans-van Melkebeek ‘99] Under plausible complexity assumptions, AM = MA = NP
But in the black-box setting , these classes can be extremely different!
Example: Suppose Merlin wants to convince Arthur that is one-to-one rather than two-to-one
In NP or MA , he can’t!
But in AM , Arthur can pick a random input x

{0,1} n , then compute f(x), send it to Merlin and ask what x was
4 / 17

State of n “qubits” is a unit vector in :
(you get used to the asymmetric brackets with time)
2 n orthogonal basis vectors: |0…0

, …, |1…1

Usual initial state: |0…0

You can multiply the vector of
 x
’s ( amplitudes ) by a 2 n

2 n unitary matrix U (matrix that maps unit vectors to unit vectors)
If you measure the state |

, you see outcome |x
 with probability |
 x
| 2 . Also, the state collapses to |x

Central phenomenon that QC exploits: interference between positive and negative amplitudes
5 / 17

NP
QMA (Quantum Merlin-Arthur): Class of problems for which, if the answer is “yes,” there’s a quantum proof
|
 with poly(n) qubits, which can be checked by a polynomial-time quantum verifier
QCMA (Quantum Classical Merlin-Arthur): Same as
QMA , except now the proof needs to be classical
Does QMA = QCMA ?
Intuitively: Can a quantum proof be exponentially more compact than its shortest classical counterpart?
6 / 17

NP
P
PH
AM
MA
P #P
QAM
QMA
QCMA
BQP
BPP
7 / 17

Unknown finite group G, of order 2 poly(n)
Input: Meaningless strings that label elements of G notation and identify an element g
Output:

G with its label
Labels of g
 h or g -1
We’re given: Generators g
1
,…,g k recognize the identity element e of G; ability to
Quantum analogue:
Important point: In the quantum case, every element of G must have a unique label!
8 / 17

Given: Black-box group G, subgroup H

G
(specified by generators), element x

G
Problem: Is x

H?
x
G
H
Membership in H can be proved in NP [Babai-Szemerédi’84]
But what about proving non -membership in H?
Fact: For some groups G (even abelian groups), there’s no small NP proof (or even MA proof) for non-membership
(Non-membership can always be proved in AM , using protocols for approximate counting)
9 / 17

is
QMA
Merlin’s “quantum proof” for x

H (in the honest case) :
(equal superposition over elements of H)
Note: |H
 might be exponentially hard to prepare!
Sampling a random element of H isn’t enough
Given this proof, Arthur prepares where |Hx
 is an equal superposition over the elements of the right coset Hx
Then he applies the Hadamard transform to the first qubit and measures that qubit
10 / 17

First suppose x

H. Then |H

=|Hx

HADAMARD so |0
 is observed with probability 1
Next suppose x

H. Then |H
 and |Hx
 are orthogonal
HADAMARD so |0
 and |1
 are equally likely to be observed
Ah, but how does Arthur check that Merlin’s witness
|
 is really |H

, and not some other state?
Step 1: Use a random walk [Babai’91] to generate nearly-random elements g

G and h

H
Step 2: Check that |
 behaves like |H
 on all g

G and h

H that are tested
11 / 17

QMA
QCMA
Alas, no.
Theorem [A.-Kuperberg 2007] : Group Non-Membership has polynomial-size classical proofs, which can be verified using poly(n) quantum queries to the group oracle
(and possibly exponential post-computation—though even that can be removed under plausible grouptheoretic conjectures)
12 / 17

Idea of proof: “Pull the group out of the black box”
Isomorphism f claimed by
Merlin
Explicit group

Black-box group G
To check that f is (close to) a homomorphism, Arthur uses a classical homomorphism tester of [Blum-Luby-Rubinfeld]
Assuming f is a homomorphism, f is 1-to-1

Ker f is trivial
This yields an instance of the Hidden Subgroup Problem !
[Ettinger-Høyer-Knill ‘97] show that for any group G, HSP is solvable with poly(n) quantum queries to the group oracle
13 / 17

Group theorists in the audience: please pay attention
Finite group
G known to both players
Is x

H?
1-WAY message m
H
Subgroup H

G Element x

G
Best deterministic protocol: Alice sends Bob log 2 |G| bits (the generators of H)
Best quantum protocol: Alice sends Bob log|G| qubits,
Then Bob runs the Watrous protocol to decide if x

H
14 / 17

$50 Challenge: Does there exist a family of groups {G n
}, for which any classical randomized protocol needs

(log|G n
|) bits? (Ideally

(log 2 |G n
|)?)
Would yield the first asymptotic gap between 1-way randomized and 1-way quantum communication complexities, for a total Boolean function
[A., Le Gall, Russell, Tani 2009]: If G is abelian—or if G has constant-dimensional irreps, or if is a normal subgroup—then there’s a classical randomized protocol that uses only O(log|G|) communication
15 / 17

Finite groups are “rigid” objects
Any two right-cosets of H

G are either identical or disjoint
Any two distinct subgroups differ on a constant fraction of elements
And we want that “rigidity” in quantum algorithms and protocols, to create interesting interference patterns
Also, the fact that elements have unique inverses means that we can apply group operations reversibly
Still, understanding the interplay of quantum computing with (badly) nonabelian groups remains a challenge
Most famous example of that, which I only touched on: the
Nonabelian Hidden Subgroup Problem
16 / 17

Is there a QMA protocol to prove that a black-box function f:{0,1} n  {0,1} n is one-to-one rather than two-to-one?
In 2002, I showed this problem is not in BQP ; indeed any quantum algorithm needs

(2 n/3 ) time [A.-Shi 2002]
It’s still open to prove an oracle separation between
QMA and QCMA !
[A.-Kuperberg 2007] proved a “quantum oracle separation”
Can we give an oracle relative to which BQP

AM ?
[A. 2010]: The “Generalized Linial-Nisan Conjecture” would imply an oracle relative to which BQP

PH
Original Linial-Nisan Conjecture: Proved by [Braverman 2009]
Laci actually thought of it before Linial-Nisan
17 / 17