When Exactly Do Quantum Computers Provide A Speedup? Scott Aaronson MIT “It’s been 20 years since Shor’s factoring algorithm. Where are all the amazing new quantum algorithms we were promised?” Quantum simulation Factoring Grover search Adiabatic alg / quantum walks + A few other things… …Is that all? What else is there? Who promised you more quantum algorithms? Not me! The Parallelism Fallacy Fueling the belief that countless more quantum algorithms should exist (or that are not finding them is a failure), seems to be the idea that a quantum computer could just “try every possible answer in parallel” (modulo some technical details) But we’ve understood since the early 90s that that’s not how quantum algorithms work! You need to choreograph an interference pattern, where the unwanted paths cancel The miracle, I’d say, is that this trick yields a speedup for any classical problems, not that it doesn’t work for more of them Underappreciated challenge of quantum algorithms research: beating 60 years of classical algorithms research An Inconvenient Truth If we set aside NP-complete problems, there just aren’t that many compelling candidates left for exponential quantum speedups! (And for many of those, we do have exponential speedups, and for many of the rest we have polynomial ones) 3SAT NP-hard NP-complete NP BQP (Quantum P) P P≠BQP, NPBQP: Plausible conjectures, which we have no hope of proving given the current state of complexity theory Rest of the Talk I. Survey of the main families of quantum algorithms that have been discovered (and their limitations) II. Results in the black-box model, which aim toward a general theory of when quantum speedups are possible Quantum Simulation “What a QC does in its sleep” The “original” application of QCs! My personal view: still the most important one Major applications (high-Tc superconductivity, protein folding, nanofabrication, photovoltaics…) High confidence in possibility of a quantum speedup Can plausibly realize even before universal QCs are available BosonSampling Suppose we just want a quantum system for which there’s good complexity-theoretic evidence that it’s hard to simulate classically—we don’t care what it’s useful for A.-Arkhipov 2011, Bremner-Jozsa-Shepherd 2011: In that case, we can plausibly improve both the hardware We showed: if a fast, classical requirements and the evidence for classicalExperimental hardness, exact of algorithm demonstrations with 3-4 compared to simulation Shor’s factoring BosonSampling is possible, photons achieved (by Ourhierarchy proposal: then the polynomial groups in Oxford, Identical single Brisbane, Rome, Vienna) collapses to the third level. photons sent through network of interferometers, then measured at output modes Shor-like Algorithms “The magic of the Interesting Fourier transform” In BQP: Pretty much anything you can think of that reduces to finding hidden structure in abelian groups Factoring, discrete log, elliptic curve problems, Pell’s equation, unit groups, class groups, Simon’s problem… Breaks almost all public-key cryptosystems used today But theoretical public-key systems exist that are unaffected Attempt to go further: Hidden Subgroup Framework Can Shor’s algorithm be generalized to nonabelian groups? Hidden Subgroup Problem Given: A finite group G, a function f:GZ such that f(x)=f(y) iff x,y belong to the same coset of a “hidden subgroup” H≤G Problem: Find generators for H Classically, this problem could require ~ G queries to f Ettinger-Høyer-Knill 1997: Quantumly, logO(1)(|G|) queries always suffice But if G is nonabelian, “interpreting the results” of those queries could still be extremely hard! Example Application: Graph Isomorphism ≤ HSP over the symmetric group Alas, nonabelian HSP has been the Afghanistan of quantum algorithms! Grover-like Algorithms Quadratic speedup for any problem involving searching an unordered list, provided the list elements can be queried in superposition Implies subquadratic speedups for many other basic problems Bennett et al. 1997: For black-box searching, the squareroot speedup of Grover’s algorithm is the best possible Quantum Walk Algorithms Childs et al. 2003: Quantum walks can achieve provable exponential speedups over any classical algorithm (in query complexity), but for extremely “fine-tuned” graphs Also lots of polynomial speedups—e.g., Element Distinctness in O(N2/3) time (Ambainis 2003) THE GLUED TREES Quantum Adiabatic Algorithm (Farhi et al. 2000) Hi Hamiltonian with easilyprepared ground state Hf Ground state encodes solution to NP-complete problem Problem: “Eigenvalue gap” can be exponentially small Landscapeology Adiabatic algorithm can find global minimum exponentially faster than simulated annealing (though maybe other classical algorithms do better) Simulated annealing can find global minimum exponentially faster than adiabatic algorithm (!) Simulated annealing and adiabatic algorithm both need exponential time to find global minimum Quantum Machine Learning Algorithms ‘Exponential quantum speedups’ for solving linear systems, support vector machines, Google PageRank, computing Betti numbers… THE FINE PRINT: 1. Don’t get solution vector explicitly, but only as vector of amplitudes. Need to measure to learn anything! 2. Dependence on condition number could kill exponential speedup 3. Need a way of loading huge amounts of data into quantum state (which, again, could kill exponential speedup) 4. Not ruled out that there are fast randomized algorithms for the same problems (even just considering query complexity) “But you just listed a bunch of examples where you know a quantum speedup, and other examples where you don’t! What you guys need is a theory, which would tell you from first principles when quantum speedups are possible.” The Quantum Black-Box Model The setting for much of what we know about the power of quantum algorithms x f f(x) “Query complexity” of F: The minimum An algorithm can make query transformations, which map number of queries used by any x, w x,aalgorithm outputs x,a,wF(f), x, awith fhigh , w x, a, wthat probability, everya=“answer f of interest to w=“workspace”) us (x=“queryfor register,” register,” as well as arbitrary unitary transformations that don’t depend on f (we won’t worry about their computational cost). Its goal is to learn some property F(f) (for example: is f 1-to-1?) Total Boolean Functions F : 0,1 0,1 N D(F): Deterministic query complexity of F R(F): Randomized query complexity Q(F): Quantum query complexity Example: DORN RORN N , QORN ~ N Theorem (Beals et al. 1998): For all Boolean functions F, DF O QF 6 How to reconcile with the exponential speedup of Shor’s algorithm? Totality. Longstanding Open Problem: Is there any Boolean function with a quantum quantum/classical gap better than quadratic? Almost-Total Functions? Conjecture (A.-Ambainis 2011): Let Q be any quantum algorithm that makes T queries to an input X{0,1}N. Then there’s a classical randomized that makes poly(T,1/,1/) queries to X, and that approximates Pr[Q accepts X] to within on a ≥1- fraction of X’s Theorem (A.-Ambainis): This would follow from an extremely natural conjecture in discrete Fourier analysis (“every bounded low-degree polynomial p:{0,1}N[0,1] has a highly influential variable”) The Collision Problem Given a 2-to-1 function f:{1,…,N}{1,…,N}, find a collision (i.e., two inputs x,y such that f(x)=f(y)) 10 4 1 8 7 9 11 5 6 4 2 10 3 2 7 9 11 5 1 6 3 8 Interesting Variant: Promised that f is either 2-to-1 or 1-to-1, decide which Models the breaking of collision-resistant hash functions—a central problem in cryptanalysis “More structured than Grover search, but less structured than Shor’s period-finding problem” Birthday Paradox: Classically, ~N queries are necessary and sufficient to find a collision with high probability Brassard-Høyer-Tapp 1997: Quantumly, ~N1/3 queries suffice Grover on N2/3 f(x) values N1/3 f(x) values queried classically A. 2002: First quantum lower bound for the collision problem (~N1/5 queries are needed; no exponential speedup possible) Shi 2002: Improved lower bound of ~N1/3. Brassard-HøyerTapp’s algorithm is the best possible Symmetric Problems A.-Ambainis 2011: Massive generalization of collision lower bound. If F is any function whatsoever that’s symmetric under permuting the inputs and outputs, and has sufficiently many outputs (like collision, element distinctness, etc.), then RF O QF polylogQF 7 New Results (Ben-David 2014): If F:SN{0,1} is any Boolean function of permutations, then D(F)=O(Q(F)12). If F is any function with a symmetric promise, and at most M possible results of each query, then R(F)=O(Q(F)12(M-1)). Upshot: Need a “structured” promise if you want an exponential quantum speedup What’s the largest possible quantum speedup? Period-finding: O(1) quantum queries, ~N1/4 classical queries Simon’s problem, the glued-trees problem: O(log N) quantum queries, ~N classical queries Can we do even better? Forrelation (A. 2009): Given two Boolean functions f,g:{0,1}n{-1,1}, estimate how correlated g is with the Fourier transform of f: 1 2 3n / 2 f x 1 x y x , y0 ,1n gy 1/ 3? 2 / 3? f(0000)=-1 f(0001)=+1 f(0010)=+1 f(0011)=+1 f(0100)=-1 f(0101)=+1 f(0110)=+1 f(0111)=-1 f(1000)=+1 f(1001)=-1 f(1010)=+1 f(1011)=-1 f(1100)=+1 f(1101)=-1 f(1110)=-1 f(1111)=+1 Example g(0000)=+1 g(0001)=+1 g(0010)=-1 g(0011)=-1 g(0100)=+1 g(0101)=+1 g(0110)=-1 g(0111)=-1 g(1000)=+1 g(1001)=-1 g(1010)=-1 g(1011)=-1 g(1100)=+1 g(1101)=-1 g(1110)=-1 g(1111)=+1 Trivial 2-query quantum algorithm for Forrelation! |0 H |0 H |0 H H f H H H g H H (Can even improve to 1 query using standard tricks) A.-Ambainis 2014: By contrast, any classical randomized algorithm to solve Forrelation needs at least N / logN queries Furthermore, this separation is optimal: any problem solvable with k quantum queries, is also solvable with ~N1-1/2k classical randomized queries Our Conjecture: The above is tight for all k. A generalization of Forrelation involving k Boolean functions achieves it. Summary Exponential quantum speedups depend on structure For example, abelian group structure, glued-trees structure, forrelational structure… Sometimes we can even find such structure in real, non-blackbox problems of practical interest (e.g., factoring) After 20 years of quantum algorithms research, we know a lot about which kinds of structure suffice The black-box model lets us make formal statements about what kinds of structure don’t suffice for exponential speedups In both cases, of course, many open problems remain Single most important application of QC (in my opinion): Disproving the people who said QC was impossible!