Interactive Proofs with Polynomial-Time Quantum Prover for Computing the Order of Solvable Groups

05/09/2018
by   François Le Gall, et al.
0

In this paper we consider what can be computed by a user interacting with a potentially malicious server, when the server performs polynomial-time quantum computation but the user can only perform polynomial-time classical (i.e., non-quantum) computation. Understanding the computational power of this model, which corresponds to polynomial-time quantum computation that can be efficiently verified classically, is a well-known open problem in quantum computing. Our result shows that computing the order of a solvable group, which is one of the most general problems for which quantum computing exhibits an exponential speed-up with respect to classical computing, can be realized in this model.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

12/10/2018

Impossibility of blind quantum sampling for classical client

Blind quantum computing enables a client, who can only generate or measu...
05/22/2018

PDQP/qpoly = ALL

We show that combining two different hypothetical enhancements to quantu...
03/27/2018

Quantum speedup in stoquastic adiabatic quantum computation

Quantum computation provides exponential speedup for solving certain mat...
05/07/2020

Faster classical Boson Sampling

Since its introduction Boson Sampling has been the subject of intense st...
01/30/2020

The Hidden Subgroup Problem for Universal Algebras

The Hidden Subgroup Problem (HSP) is a computational problem which inclu...
03/22/2020

The Power of a Single Qubit: Two-way Quantum Finite Automata and the Word Problem

The two-way finite automaton with quantum and classical states (2QCFA), ...
08/16/2021

Interactive Proofs for Synthesizing Quantum States and Unitaries

Whereas quantum complexity theory has traditionally been concerned with ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

First-generation quantum computers will be implemented in the “cloud” style, since only few groups, such as governments or huge companies, will be able to possess such expensive and high-maintenance machines. In fact, IBM has recently opened their 16-qubit machine for a cloud service

[34]. In a future when many companies provide their own quantum cloud computing services, a malicious company might emerge who is trying to palm a user off with a wrong result forged from their fake quantum computer. In addition, even if a fortunate user is interacting with a honest server, some noises in the server’s gate operations might change the result. How can a user verify the correctness of the server’s quantum computation? If the user has his/her own quantum computer, the user can of course check the server’s result, but in this case the user may not need the cloud service in the first place. If the solution of the problem is easily verifiable (e.g., integer factoring), the user can naturally verify the correctness of the server’s result, but many problems considered in quantum computing are not believed to have this property. Verifying classically and efficiently a server’s quantum computation is indeed in general highly nontrivial.

It is known that if at least two servers, who are entangled but not communicating with each other, are allowed, then any problem solvable in quantum polynomial time can be verified by a classical polynomial-time user who exchanges classical messages with the servers [20, 24, 27]. However, the assumption that servers are not communicating with each other is somehow unrealistic: how can the user guarantee that remote servers are not communicating with each other?

Whether the number of the servers can be reduced to one is a well-known open problem [4]. For certain computational problems solvable in quantum polynomial time, it is known that this can be done. Simon’s problem [31] and factoring [30] are trivial examples, since the answer can be directly checked in classical polynomial time. It is known that recursive Fourier sampling [10], which was the first problem that separates efficient quantum and classical computing, can be verified by a polynomial number of message exchanges with a single quantum server [23]. Moreover, it was shown that certain promise problems related to quantum circuits in the second level of the Fourier hierarchy [29] are verifiable by a classical polynomial-time user interacting with a single quantum server who sends only a single message to the user [12, 26].

Our results. In this paper we consider the problem of computing the order, i.e., the number of elements, of a finite group given as a black-box group (the concept of black-box groups is defined in Section 2). This problem is central in computational group theory, especially since the ability of computing the order makes possible to decide membership in subgroups. This problem has also been the subject of several investigations in computational complexity [1, 6, 7, 9, 32, 33]. The seminal result by Babai [6], especially, which put this problem in the complexity class AM, has been one of the fundamental motivations behind the concept of interactive proofs. Note that this is clearly a hard problem for classical computation: it is easy to show that no polynomial-time classical algorithm exists in the black-box setting, even if the input is an abelian group [9].

Most of the known quantum algorithms that achieve exponential speedups with respect to the best known classical algorithms are for group-theoretic problems, and especially problems over abelian groups. Shor’s algorithm for factoring [30], for instance, actually computes the order of a cyclic black-box group. Watrous has shown that the group order problem can be solved in quantum polynomial time when the input group is solvable [33]. Since the class of solvable groups, defined in Section 2, is a large111It is known (see for instance [11]) that

where denotes the number of finite groups of order at most and denotes the number of finite solvable groups of order at most . It is even conjectured that the quotient goes to  when goes to infinity, i.e., most finite groups are solvable. class of finite groups that includes all abelian groups, this result significantly generalized Shor’s algorithm. Watrous’ algorithm can actually be seen as one of the most general results achieving an exponential speedup with respect to classical computation.

In this paper we show that the group order problem over solvable groups is also verifiable with a single server. More formally, in Section 2, where we introduce the relevant model of interactive protocols, we will introduce the notation to denote the class of computational problems that are verifiable by a classical polynomial-time user interacting in messages with a server who works in quantum polynomial time. Our main result is as follows. The solvable group order problem is in the complexity class . Moreover, if the set of prime factors of the order is also given as input, then the solvable group order problem is in . This result shows that for this important computational problem, the number of servers can be reduced to one as well, using a small number of messages. Note that assuming, in the second part of Theorem 1, that the set of prime factors of the order is known corresponds to several practical situations. An important example is computing the order of -groups222A (finite) -group, where is a prime, is a group of order for some integer . A basic result from group theory shows that any -group is solvable. with  known, which cannot be done in polynomial time in the classical setting [9]. The main open question is whether the number of messages can also be reduced to 2 without any assumption on the prime factors.

Other related works. In addition to the introduction of multiple servers mentioned above, there are other approaches considered in the literature for constructing verification systems for quantum computation.

First, if the user is allowed to be “slightly quantum”, any problem solvable in quantum polynomial time can be efficiently verified with a single quantum server. For example, Refs. [2, 14] assume that the user can generate randomly-rotated single-qubit states, and Refs. [13, 16, 25] assume that the user can measure single-qubit states.

Second, since the class BQP (the class of decision problems that can be solved in quantum polynomial-time) is trivially in PSPACE and [21, 28], any problem in BQP can be classically verified using generic interactive proof protocols for PSPACE. In such protocols, however, the server has unbounded computational power. A tempting approach is to try to specialize these generic protocols to the class BQP, with the hope that the server’s necessary computational power may be reduced. Ref. [3] made an significant first step in this direction.

Finally, it has been shown very recently that assuming that the learning with errors problem is intractable for polynomial-time quantum computation, any problem solvable in quantum polynomial time can be efficiently verified with a single quantum server and a single classical user [22].

2 Preliminaries

In this paper we assume that the reader is familiar with the standard notions of group theory (we refer to, e.g., [18] for a good introduction). All the groups considered will be finite. Given a group , we use to denote its order (i.e., the number of elements in ), and use to denote its identity element. Given elements , we denote the subgroup of generated by .

Black-box groups. We now describe the model of black-box groups. This concept, in which each group element is represented by a string and each group operation is implemented using an oracle, was first introduced by Babai and Szemerédi [9] to describe group-theoretic algorithms in the most general way, without having to concretely specify how the elements are represented and how groups operations are implemented. Indeed, any efficient algorithm in the black-box group model gives rise to an efficient concrete algorithm whenever the oracle operations can be replaced by efficient procedures. Especially, performing group operations can be done directly on the elements in polynomial time for many natural groups, including permutation groups and matrix groups where the group elements are represented by permutations and matrices, respectively. In the quantum setting, black-box groups have first been considered by Ivanyos et al. [19] and Watrous [32, 33].

A black-box group is a representation of a group where each element of is uniquely encoded by a binary string of a fixed length , which is called the encoding length. The encoding length is known. In order to be able to express the complexity of black-box group algorithms in terms of the group order , and not in terms of the encoding length, we make the standard assumption that . Oracles are available to perform group operations. More precisely, two oracles are available. A first oracle performs the group product: given two strings representing two group elements and , the oracle outputs the string representing . The second oracle performs inversion: given a string representing an element , the oracle outputs the string representing the element . Note that the two oracles may behave arbitrarily on strings not corresponding to elements in ; this is not a problem since our protocols will never use the oracles on such strings. We say that a group  is input as a black-box if a set of strings representing generators of  with is given as input and queries to the oracles can be done at cost 1.333The assumption is standard. Indeed, every group  has a generating set of size . Additionally, a set of generators of any size can be converted efficiently into a set of generators of size by taking random products of elements [5]. The input length is thus .

To be able to take advantage of the power of quantum computation when dealing with black-box groups, the oracles performing the group operations have to be able to deal with quantum superpositions. Concretely, this is done as follows (see [19, 32, 33]). Let denote the encoding of elements as binary strings. We assume that a quantum oracle is available, such that for any two elements , and behaving in an arbitrary way on other inputs (i.e., strings not in ). Another quantum oracle is also available, such that for any and again behaving in an arbitrary way on other inputs.

Approximate sampling in black-box groups. Babai [5] proved the following result for general groups, which shows that elements of a black-box group can be efficiently sampled nearly uniformly. ([5]) Let be a black-box group. For any , there exists a classical randomized algorithm running in time polynomial in and that outputs an element of such that each

is output with probability in range

.

Solvable groups. Before discussing solvable groups, let us introduce the following concept of polycyclic generating sequences (see [17] for details). Let be a group. A polycyclic generating sequence of is a sequence of elements from , for some integer , such that:

  1. ;

  2. for each , the subgroup is normal in .

There are many equivalent definitions of solvable groups in the literature (see, e.g., [17] for a thorough discussion). In this paper we will use the following characterization: a finite group is solvable if and only if it has a polycyclic generating sequence. This characterization, which was already used by Watrous [33], is the most convenient for our purpose. As discussed in [33], for any finite solvable group given as a black box, a polycyclic generating sequence with can be computed classically in polynomial time with high probability using for instance the randomized algorithm by Babai et al. [8].

Watrous showed that the order of a solvable black-box group can be computed in polynomial time in the quantum setting. We state this result in the following theorem.

([33]) Let be a solvable group given as a black-box group. There exists a quantum algorithm running in time that outputs with probability at least .

Let be a solvable group and be a polycyclic generating sequence of . In the following we will write for each , and for convenience write . Since is obtained from by adding one generator, the factor group is cyclic. Let us write its order . Note that the order of is thus the product . A fundamental (and easy to show) property of polycyclic generating sequences is the following: For any , any element can be written, in a unique way, as with integers for . We call this sequence the decomposition of over . Watrous [33] showed that the decomposition of any element can be computed efficiently in the quantum setting, which immediately leads to an efficient algorithm for membership testing in the subgroups . We state these two results, separately, in the following theorem.

([33]) Let be a solvable group given as a black-box group and let be a polycyclic generating sequence of with . There exist two quantum algorithms and running in time polynomial in as follows.

  • Algorithm receives an integer and an element , and outputs with probability at least the decomposition of over .

  • Algorithm receives an integer and an element , and decides whether or not. The decision is correct with probability at least .

Interactive proofs with efficient quantum prover. Interactive proof systems are typically described as protocols for decision problems. In this paper it will be more convenient to consider interactive proofs for computing functions, since we are interesting in computing the order of the input group.444In order to be completely rigorous, we should actually define this concept for functional problems where the input is represented using oracles (since we are dealing with black-box groups where the group operation is represented by oracles). We nevertheless omit this purely technical point in the exposition. The definition we give below is inspired by [15].

Let be a function, where is a finite set. We consider protocols between a prover and a verifier, who both receives as input an element and can exchange classical messages of polynomial length. At the end of the protocol, the verifier outputs either some or one special element . We say that the function has a -message polynomial-time interactive proof if there exists a -message protocol in which the verifier works in classical polynomial time, such that the following properties hold:

  1. (completeness) there is a prover such that the verifier’s output satisfies with probability at least when interacting with ;

  2. (soundness) for any prover , the verifier’s output satisfies with probability at least when interacting with .

The prover in the completeness condition is called the honest prover.

The above definition makes no assumption on the computational powers of the provers. Our main definition is obtained by restricting the computational power of the honest prover, i.e., the prover in the completeness condition. A function is in the class if it has a -message polynomial-time interactive proof where the honest prover works in quantum polynomial time. The notation comes from its definition as a -message interactive protocol with a prover working in quantum polynomial time (when honest). We stress that in Definition 2 there is no assumption on the computational power of for the soundness.

3 2-Message Protocol with Known Prime Factors

In this section we assume that the prime factors of the order of the black-box group are known. We present a 2-message protocol in this case, which proves the second part of Theorem 1.

3.1 Preliminaries

We will need the following result in our protocol.

Let be a solvable group given as a black-box group. Let denote the prime factors of and assume that the set is also given as input. There exists a classical algorithm running in time polynomial in that outputs elements , with , and prime numbers such that, with probability at least , the following conditions hold:

  • is a polycyclic generating sequence of ;

  • the order of is either 1 or for each , where we denote for and .

Before proving Theorem 3.1, let us discuss the main idea of the algorithm in this theorem. The approach is to start with an arbitrary polycyclic generating sequence and refine it by replacing each element by decreasing powers of it. Consider for instance the cyclic group of order 12, for which we have , , and . Assume that we start with the polycyclic generating sequence consisting of a unique element of order 12. We refine this sequence as with , and . This is a polycyclic generating sequence with , and . The difficulty is that naturally we do not know the order . Remember nevertheless that we know the encoding length of the black-box group, which is an upper bound on . This means that the quantity is a multiple of the order , and thus we can use the same approach, working with instead of when refining the original polycyclic generating sequence.

Proof of Theorem 3.1.

Let us consider the function such that

for any . Now consider the sequence

(1)

consisting of integers (the integers in the sequence are strictly decreasing). Define the function such that is the -th integer in Sequence (1). Note that for any .

We now describe our algorithm that computes the claimed generating sequence.

We first compute a polycyclic generating sequence of with using the randomized polynomial-time algorithm from [8], already mentioned in Section 2, which succeeds with probability at least . Let us write for each , and .

We now show how to refine the polycyclic generating sequence. For each , we replace by the sequence of elements , which gives a new sequence

(2)

of elements. Sequence (2) is a polycyclic generating sequence of since is a polycyclic generating sequence of and . For any , observe that

(3)

for any . Similarly for any we have

(4)

Let us rename the elements of Sequence (2) as , with . Note that . Let us write for and . For each , the order of is either 1 or , where can be determined from Equations (3) and (4). More concretely, is of the form for some (which can be immediately computed from ) when corresponds to the case of Equation (3), and when corresponds to the case of Equation (4). Note that in both cases we have , from the property mentioned before. ∎

3.2 The protocol

Let denote the set of prime factors of , which is given as an additional input. The protocol is given in Figure 1. The main idea is that the verifier can, using Theorem 3.1, compute by itself a polycyclic generating sequence and prime numbers such that for each . This is done at Step 1 of the protocol. Note that . The purpose of Steps 2-5 is to decide whether or , for each , by interacting with the prover. More precisely, the verifier interacts with the prover to test, for each , whether or . This requires testing non-membership in a solvable group with a polynomial-time quantum prover, which is achieved by sending (at Step 3) to the prover the element for a random bit and a random element , and asking the prover to find the chosen bit . These tests enable the verifier to decide which of the two cases holds (at Steps 5.1 and 5.2), and then to compute at Step 6, or to detect cheating (at Step 5.3).

Input: a black-box solvable group with generators Input:aa the set of prime factors of The verifier uses the algorithm of Theorem 3.1 to compute elements and prime numbers . Let us write for each and . For each , the verifier takes a bit uniformly at random and takes a random element using the algorithm of Theorem 2 with (where represents the encoding length of the black-box group). The verifier sends to the prover the elements and, for each , the element . The prover sends to the verifier bits and integers for and . For each the verifier does the following: If then set ; If and then set ; If neither of these two conditions holds, then abort the protocol and output . The verifier outputs the product of the ’s.

Figure 1: Our 2-message protocol computing the order of a solvable group when the prime factors of the order are known.

3.3 Analysis of the protocol

We now analyze the protocol of Figure 1. Let be the group elements and be the prime numbers computed at Step 1. The analysis below is done under the assumption that is a polycyclic generating sequence of and for all , which is true with probability at least from Theorem 3.1.

Let us first consider the correctness, i.e., showing that there exists a prover (working in quantum polynomial time) who makes the verifier able to compute with high probability. This prover acts as follows. For each , the prover checks if the element received at Step 3 is in the subgroup , using Algorithm of Theorem 2. If the prover learns that this element is in then the prover applies Algorithm of Theorem 2 to obtain a decomposition of over , and sends to the verifier the bit and these values . If the prover learns that this element is not in , then the prover sends to the verifier the bit and arbitrary values .

Let us analyze the verifier’s output when interacting with the above prover. If then we have and thus whatever the value of is. With probability at least , the prover’s message is thus and corresponding to the decomposition of over , and then the verifier sets . If then we have and thus if and only if . With probability at least , the bit sent by the prover satisfies , and thus the verifier sets (since the second part of the message cannot correspond to the decomposition of over ). In conclusion, with probability at least the output at Step 6 is

Let us now consider the soundness, i.e., showing that for any prover the verifier outputs either or with high probability. It is clear that if , then the prover cannot convince the verifier to set , since there is no set of integers such that . On the other hand, if then the prover cannot convince the verifier to set unless the prover is able to decide whether or from the element received, which cannot be done with probability larger than , where

represents the variational distance between the two probability distributions

and (seen as distributions over ). We have

where the second inequality follows from Theorem 2 and the third inequality follows from our choice of and the upper bound . Thus, for any fixed such that , the prover cannot convince the verifier to set with probability greater than . Let us now bound the probability that the verifier’s output is either or . This corresponds to the probability that the verifier does not output an integer different from the order of . Note that the verifier can output an integer not equal to the order only if the prover forces the verifier to set for at least one index . From the above analysis, we know that this can happen with probability at most , i.e., such a cheating is detected by the verifier at Step 5.3 with probability at least , in which case the verifier immediately aborts the protocol and outputs . Thus the overall probability that the verifier’s output is either or is at least . Note finally that this probability can be amplified to reach the soundness threshold of used in Definition 2 by repeating the protocol of Figure 1 a constant number of times in parallel and deciding the output based on a standard threshold argument.

4 General 3-Message Protocol

In this section we show that when the prime factors of the order of are not known, we can design a 3-message protocol, which proves the first part of Theorem 1.

4.1 The protocol

Our 3-message protocol, described in Figure 2, is obtained by modifying the protocol of the previous section. More precisely, Step 1 in the protocol of the previous section is replaced by two steps (Steps 0 and 1 in Figure 2): instead of having the verifier compute a polycyclic generating sequence using Theorem 3.1, which requires the knowledge of the set of factors of , in the new protocol the prover computes by itself this sequence and sends it at Step 0 to the verifier, who then checks that the sequence is really correct at Step 1. All the other steps 2-6 are exactly the same as for the protocol in Figure 1 (one small exception is Step 3, which is slightly rewritten since the polycyclic generating sequence does not need to be sent to the prover anymore).

Input: a black-box solvable group with generators The prover sends to the verifier the following: a list of elements , for some ;555Naturally, this is binary strings corresponding to the elements (i.e., the oracle representations of these elements) that are actually sent, not the elements themselves. Note also that, to simplify the exposition, we are assuming that these strings do correspond to elements of . To deal with a cheating prover that may send strings not corresponding to group elements, we can simply ask the prover to send a certificate of membership in for each string (such a certificate can be computed in quantum polynomial time using the algorithms of Theorem 2). a list of prime numbers ; a list of integers , for and ; a list of integers , for and ; a list of integers , for and . Let us write for each and . The verifier checks that the following equalities hold: for all ; for all and ; for all and all . If any of these equalities fails, then the verifier aborts the protocol and outputs . For each , the verifier takes a bit uniformly at random and takes a random element using the algorithm of Theorem 2 with . The verifier sends, for each , the element . The prover sends to the verifier bits and integers for and . For each the verifier does the following: If then set ; If and then set ; If neither of these two conditions holds, then abort the protocol and output . The verifier outputs the product of the ’s.

Figure 2: Our 3-message protocol computing the order of a solvable group.

4.2 Analysis of the protocol

Let us consider the correctness. In that case the prover first uses the algorithm of Theorem 2 to compute the order , then factorizes it using Shor’s algorithm [30] and collects the prime factors in a set . The prover then uses the algorithm of Theorem 3.1 using the set  as input to obtain group elements and a list of integers such that with probability at least the following two conditions hold:

  1. is a polycyclic generating sequence of , with ,

  2. the order of is either 1 or for each ,

where as usual we use the notation for any and the convention . These two conditions are equivalent to the following:

  1. , i.e., for each ;

  2. for each ;

  3. is normal in for any , i.e., for any .

Thus, with probability at least , the prover can compute the following decompositions in quantum polynomial time using Algorithm of Theorem 2:

  • a decomposition of over , for each ;

  • a decomposition of over , for each ;

  • a decomposition of over , for each and each .

At Step 0, the prover sends all these integers, along with the elements and the primes . All the tests performed by the verifier at Step 1 then pass. The analysis of the second part of the protocol (Steps 2-6) is then exactly the same as the analysis of the protocol of Section 3.

The soundness follows by observing that passing the tests performed by the verifier at Step 1 guarantees that Conditions (a)-(c) of the previous paragraph hold. This guarantees that Conditions (i)-(ii) hold as well, and thus the soundness analysis for the second part of the protocol (Steps 2-6) is exactly the same as the analysis of the protocol of Section 3.

Acknowledgments

FLG was partially supported by the JSPS KAKENHI grants No. 15H01677, No. 16H01705 and No. 16H05853. TM is supported by JST PRESTO No. JPMJPR176A, and the Grant-in-Aid for Young Scientists (B) No. JP17K12637 of JSPS. HN was partially supported by the JSPS KAKENHI grants No. 26247016, No. 16H01705 and No. 16K00015. YT is supported by the Program for Leading Graduate Schools: Interactive Materials Science Cadet Program.

References