# Quantum Lower Bounds for Approximate Counting via Laurent Polynomials

This paper proves new limitations on the power of quantum computers to solve approximate counting -- that is, multiplicatively estimating the size of a nonempty set S⊆ [N]. Given only a membership oracle for S, it is well known that approximate counting takes Θ(√(N/|S|)) quantum queries. But what if a quantum algorithm is also given "QSamples"---i.e., copies of the state |S〉 = ∑_i∈ S|i〉---or even the ability to apply reflections about |S〉? Our first main result is that, even then, the algorithm needs either Θ(√(N/|S|)) queries or else Θ({|S|^1/3,√(N/|S|)}) reflections or samples. We also give matching upper bounds. We prove the lower bound using a novel generalization of the polynomial method of Beals et al. to Laurent polynomials, which can have negative exponents. We lower-bound Laurent polynomial degree using two methods: a new "explosion argument" and a new formulation of the dual polynomials method. Our second main result rules out the possibility of a black-box Quantum Merlin-Arthur (or QMA) protocol for proving that a set is large. We show that, even if Arthur can make T quantum queries to the set S, and also receives an m-qubit quantum witness from Merlin in support of S being large, we have Tm=Ω({|S|,√(N/|S|)}). This resolves the open problem of giving an oracle separation between SBP and QMA. Note that QMA is "stronger" than the queries+QSamples model in that Merlin's witness can be anything, rather than just the specific state |S〉, but also "weaker" in that Merlin's witness cannot be trusted. Intriguingly, Laurent polynomials also play a crucial role in our QMA lower bound, but in a completely different manner than in the queries+QSamples lower bound. This suggests that the "Laurent polynomial method" might be broadly useful in complexity theory.

## Authors

• 17 publications
• 12 publications
• 7 publications
• 10 publications
• ### Quantum Lower Bound for Approximate Counting Via Laurent Polynomials

We consider the following problem: estimate the size of a nonempty set S...
08/07/2018 ∙ by Scott Aaronson, et al. ∙ 0

• ### QMA Lower Bounds for Approximate Counting

We prove a query complexity lower bound for QMA protocols that solve app...
02/06/2019 ∙ by William Kretschmer, et al. ∙ 0

• ### Lower Bounds for Function Inversion with Quantum Advice

Function inversion is that given a random function f: [M] → [N], we want...
11/20/2019 ∙ by Kai-Min Chung, et al. ∙ 0

• ### Lower Bounds for Parallel Quantum Counting

We prove a generalization of the parallel adversary method to multi-valu...
10/08/2019 ∙ by Paul Burchard, et al. ∙ 0

• ### Quantum Lower Bounds for 2D-Grid and Dyck Language

We show quantum lower bounds for two problems. First, we consider the pr...
11/28/2019 ∙ by Andris Ambainis, et al. ∙ 0

• ### Quantum Approximate Counting, Simplified

In 1998, Brassard, Hoyer, Mosca, and Tapp (BHMT) gave a quantum algorith...
08/28/2019 ∙ by Scott Aaronson, et al. ∙ 0

• ### Lower Bounding the AND-OR Tree via Symmetrization

We prove a nearly tight lower bound on the approximate degree of the two...
07/15/2019 ∙ by William Kretschmer, et al. ∙ 0

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

The quantum query complexity of approximate counting was one of the first topics studied in quantum algorithms.  Given a nonempty finite set (here and throughout, ), suppose we want to estimate its cardinality, , to within some multiplicative accuracy .  Approximate counting is a fundamental task with a rich history in classical computer science, including the work of Stockmeyer [Sto85], who showed that approximate counting is in the polynomial hierarchy, and Sinclair and Jerrum [SJ89]

, who showed the equivalence between approximate counting and approximate sampling that enabled the development of new algorithms using Markov chains.

In the query model (see [BdW02]), we assume we are given a membership oracle for : one that, for any , returns whether .  How many queries must we make, as a function of both  and

, to solve approximate counting with high probability?

For classical randomized algorithms, one can show that  membership queries are necessary and sufficient, for approximate counting to within some constant accuracy .  Moreover, any accuracy  is achievable at the cost of a  multiplicative overhead.  Intuitively, in the worst case, we might need  queries just to find any elements from , but once we do, estimating their frequency is just a standard statistics problem.  Furthermore, for the estimation strategy to work, we don’t need to suppose (circularly) that  is approximately known in advance, but can decide when to halt dynamically, depending on when the first element in is found.

In the quantum setting, we can query the membership oracle on superpositions of inputs.  Here Brassard et al. [BHT98a, BHMT02] gave an algorithm for approximate counting that makes only  queries, for any constant .  Moreover, they showed how to achieve any accuracy  with multiplicative overhead [BHMT02, Theorem 15].  To do so, one uses amplitude amplification, the basic primitive of Grover’s search algorithm [Gro96].  The original algorithm of Brassard et al. also used quantum phase estimation, in effect combining Grover’s algorithm with Shor’s period-finding algorithm.  However, it’s a folklore fact that one can remove the phase estimation, and adapt Grover search with an unknown number of marked items, to get an approximate count of the number of marked items as well.

On the lower bound side, it follows immediately from the optimality of Grover’s algorithm (i.e., the BBBV Theorem [BBBV97]) that even with a quantum computer,  queries are needed for approximate counting to any constant accuracy. Hence the classical and quantum complexity of approximate counting with membership queries is completely understood.

In this paper we study approximate counting in models of computation that go beyond membership queries. Before delving into the models, let us define a simple decision version of approximate counting that will be convenient to use throughout this paper.

###### Problem 1 (Approximate Counting).

In the problem, our goal is to decide whether a nonempty set satisfies (YES) or (NO), promised that one of these is the case.

### 1.1 Do quantum samples and reflections help?

##### Quantum samples.

In practice, when trying to estimate the size of a set , often we can do more than make membership queries to .  At the least, often we can efficiently generate nearly uniform samples from , for instance by using Markov Chain Monte Carlo techniques.  To give two examples, if is the set of perfect matchings in a bipartite graph, or the set of grid points in a high-dimensional convex body, then we can efficiently sample using the seminal algorithms of Jerrum, Sinclair, and Vigoda [JSV04] or of Dyer, Frieze, and Kannan [DFK91], respectively.

Sometimes we can even “QSample” —a term coined in 2003 by Aharonov and Ta-Shma [ATS03], and which simply means that we can approximately prepare the uniform superposition

 |S⟩:=1√|S|∑i∈S|i⟩ (1)

via a polynomial-time quantum algorithm (where “polynomial” here means ).  Because we need to uncompute any garbage, the ability to prepare as a coherent superposition is a more stringent requirement than the ability to sample .  Indeed, as Aharonov and Ta-Shma [ATS03] pointed out, the quantum lower bound for finding collisions [Aar02, AS04] has the corollary that, in the black-box setting, there are classes of sets  that can be efficiently sampled but not efficiently QSampled.

On the other hand, Aharonov and Ta-Shma [ATS03], and Grover and Rudolph [GR02], observed that many interesting sets  can be QSampled as well.  In particular, this holds for all sets  such that we can approximately count not only itself, but also the restrictions of obtained by fixing bits of its elements.  Or, what’s known to be equivalent [SJ89], it holds for all sets

such that we can efficiently sample not only the uniform distribution over

elements, but also the conditional distributions obtained by fixing bits.  So in particular, the set of perfect matchings in a bipartite graph, and the set of grid points in a convex body, can both be efficiently QSampled.  There are other sets that can be QSampled but not because of this reduction.  A simple example would be a set  such that : in that case we can efficiently prepare  using postselection, but approximately counting ’s restrictions might be hard.

##### Quantum reflections.

We can further generalize the setting above to allow not only QSamples, but also reflections about : that is, applications of the unitary transformation

 RS:=\mathbbold1−2|S⟩⟨S|, (2)

which has eigenvalue

for and eigenvalue for all states orthogonal to .  The ability to perform the unitary follows in a completely black-box way from the ability to prepare the state unitarily.  More concretely, let be the unitary that performs the map , for some canonical starting state .  Since we know the circuit , we can also implement , by reversing the order of all the gates and replacing all the gates with their adjoints. Then is simply

 RS=\mathbbold1−2|S⟩⟨S|=U(\mathbbold1−2|0⟩⟨0|)U†. (3)

Note that a priori, QSamples and reflections about could be incomparable resources; it is not obvious how to simulate either one using the other.  On the other hand, it is known how to apply a quantum channel that is -close to (in the diamond norm) using copies of  [LMR14, KLL17].

##### Results.

It is now natural to ask222We thank Paul Burchard (personal communication) for bringing this question to our attention. whether one could solve approximate counting efficiently, using any combination of queries, samples, and reflections.

In this work, we show emphatically that the answer is no:

###### Theorem 2.

Let be a quantum algorithm that makes queries to the membership oracle for , and uses a total of copies of and reflections about . If decides whether  or with high probability, promised that one of those is the case, then either

 T=Ω(√Nw)orR=Ω(min{w1/3,√Nw}). (4)

So if (for example) we set , then any quantum algorithm must either query , or use the state  or reflections about , at least  times.  This means that there’s at most a quadratic speedup compared to classical approximate counting.

We also prove that the lower bounds in Theorem 2 are optimal.  As mentioned before, Brassard et al. [BHT98a] gave a quantum algorithm to solve the problem using  queries alone, which proves the optimality of the lower bound on the number of queries.

On the other hand, it’s easy to solve the problem using  copies of alone, by simply measuring each copy of  in the computational basis and then searching for birthday collisions.  Alternately, we can solve the problem using  copies of alone, by projecting onto the state or its orthogonal complement.  This measurement succeeds with probability , so we can approximate by simply counting how many measurements succeed.

In Section 3.2 we improve on these algorithms by using samples and reflections, and thereby establish that Theorem 2 is tight.

###### Theorem 3.

There is a quantum algorithm that solves with high probability using copies of and reflections about , where .

##### The Laurent polynomial method.

In our view, at least as interesting as Theorem 2 is the technique used to achieve it.  In 1998, Beals et al. [BBC01] famously observed that, if a quantum algorithm  makes queries to an input , then ’s acceptance probability can be written as a real multilinear polynomial in the bits of , of degree at most .  And thus, crucially, if we want to rule out a fast quantum algorithm to compute some function , then it suffices to show that any real polynomial  that approximates  pointwise must have high degree.  This general transformation, from questions about quantum algorithms to questions about polynomials, has been used to prove many results that were not known otherwise at the time, including the quantum lower bound for the collision problem [Aar02, AS04] and the first direct product theorems for quantum search [Aar05a, KŠdW07].

In our case, even in the simpler model with only queries and samples (and no reflections), the difficulty is that the quantum algorithm starts with many copies of the state .  As a consequence of this—and specifically, of the  normalizing factor in —when we write the average acceptance probability of our algorithm as a function of , we find that we get a Laurent polynomial: a polynomial that can contain both positive and negative integer powers of .  The degree of this polynomial (the highest power of ) encodes the sum of the number of queries, the number of copies of , and the number of uses of , while the “anti-degree” (the highest power of ) encodes the sum of the number of copies of and uses of .  We’re thus faced with the task of lower-bounding the degree and the anti-degree of a Laurent polynomial that’s bounded in at integer points and that encodes the approximate counting problem.

We then lower bound the degree of Laurent polynomials that approximate , showing that degree is necessary.  We show this using two very different arguments.  The first approach, which we call the “explosion argument,” is shorter but yields suboptimal lower bounds, whereas the second approach using “dual polynomials” yields the optimal lower bound.

Before describing these techniques at a high level, observe that there are rational functions333A rational function of degree is of the form , where and are both real polynomials of degree at most . of degree that approximate .  This follows, for example, from Aaronson’s theorem [Aar05b], or alternately from the classical result of Newman [N64] that shows for any , there is a rational polynomial of degree that pointwise approximates the sign function on domain to error .  Thus, our proof relies on the fact that Laurent polynomials are an extremely special kind of rational function.

##### Overview of the explosion argument.

Our first proof uses an “explosion argument” that, as far as we know, is new in quantum query complexity.  We separate out the purely positive degree444Throughout this paper we allow any “purely positive degree” Laurent polynomial and any “purely negative degree” Laurent polynomial to include a constant (degree zero) term. and purely negative degree parts of our Laurent polynomial as , where and are ordinary polynomials.  We then show that, if and both have low enough degree, namely and , then we get “unbounded growth” in their values.  That is: for approximation theory reasons, either or must attain large values, far outside of , at some integer values of .  But that means that, for itself to be bounded in  (and thus represent a probability), the other polynomial must also attain large values.  And that, in turn, will force the first polynomial to attain even larger values, and so on forever—thereby proving that these polynomials could not have existed.

##### Overview of the method of dual polynomials.

Our second argument obtains the (optimal) lower bound stated in Theorem 2, via a novel adaptation of the so-called method of dual polynomials.

With this method, to lower-bound the approximate degree of a Boolean function , one exhibits an explicit dual polynomial for

, which is a dual solution to a certain linear program. Roughly speaking, a dual polynomial

is a function mapping the domain of to that is (a) uncorrelated with any polynomial of degree at most , and (b) well-correlated with .

Approximating a univariate function via low-degree Laurent polynomials is also captured by a linear program, but the linear program is more complicated because Laurent polynomials can have negative-degree terms.  We analyze the value of this linear program in two steps.

In Step 1, we transform the linear program so that it refers only to ordinary polynomials rather than Laurent polynomials.  Although simple, this transformation is crucial, as it lets us bring techniques developed for ordinary polynomials to bear on our goal of proving Laurent polynomial degree lower bounds.

In Step 2, we explicitly construct an optimal dual witness to the transformed linear program from Step 1.  We do so by first identifying two weaker dual witnesses: , which witnesses that ordinary (i.e., purely positive degree) polynomials encoding approximate counting require degree at least , and , which witnesses that purely negative degree polynomials encoding approximate counting require degree .  The first witness is derived from prior work of Bun and Thaler [BT13], while the second builds on a non-constructive argument of Zhandry [Zha12].

Finally, we show how to “glue together”  and , to get a dual witness showing that any general Laurent polynomial that encodes approximate counting must have either positive degree or negative degree .

##### Overview of the upper bound.

To recap, Theorem 2 shows that any quantum algorithm for needs either queries or samples and reflections.  Since we know from the work of Brassard, Høyer, Tapp [BHT98a] that the problem can be solved with queries alone, it remains only to show the matching upper bound using samples and reflections.

First we describe a simple algorithm that uses samples and reflections. If we take one copy of , and perform a projective measurement onto or its orthogonal complement, the measurement will succeed with probability .  We can now use amplitude amplification [BHMT02] to distinguish the probabilities and , and this will cost repetitions.  Note that amplitude amplification requires reflecting about the initial state, , so we use reflections about and one copy of .

Our second algorithm solves the problem with reflections and samples and is based on the quantum collision-finding algorithm [BHT98b].  We first use copies of to learn distinct elements in .  We now know a fraction of elements in , and this fraction is either or .  We then use amplitude amplification (or quantum counting) to distinguish these two cases, which costs repetitions, where each repetition uses a reflection about .

### 1.2 Do quantum witnesses help?

We have shown that copies of and reflections about do not help solve approximate counting efficiently.  This raises a question: what about other quantum states, besides ?

In the commonly-studied Merlin-Arthur setting, a skeptical verifier (Arthur) receives a quantum witness state from an all-powerful but untrustworthy prover (Merlin), in support of some predetermined conclusion such as being large.  Arthur then needs to verify , via some algorithm that satisfies the twin properties of completeness and soundness.  That is, if the answer to the instance is YES, then there must exist some  that causes Arthur to accept with high probability, while if the answer is NO, then every  must cause Arthur to reject with high probability.  We call such a protocol a (Quantum Merlin-Arthur) protocol.

There are two resources to consider: the length of the quantum witness and the number of queries Arthur makes to the membership oracle for .  A protocol for is efficient if both are .  Does such an efficient protocol exist?  Our second main result answers this question in the negative:

###### Theorem 4.

Consider a protocol that solves . If the protocol receives a quantum witness of length , and makes queries to the membership oracle for , then

 m⋅T=Ω(min{w,√N/w}). (5)
##### QMA lower bounds.

In certain special cases, it is trivial to lower-bound  query complexity: for example, the standard BBBV Theorem [BBBV97] immediately implies the existence of an oracle relative to which , and directly related to that, it is easy to show that the complement of  is not in  (i.e., that there are no short  witnesses proving that a set is small).  Outside of those cases, though, lower-bounding query complexity is challenging.  Essentially all lower bounds in the literature have exploited the containment , where  is a complexity class that models quantum algorithms with tiny acceptance and rejection probabilities.

We say that a function has query complexity at most if there exists a -query quantum algorithm that

• outputs with probability  when , and

• outputs with probability  when ,

for any that the algorithm chooses in advance.  Note that when , we recover standard quantum query complexity.  But could be also be exponentially small, which makes algorithms very powerful.

Nevertheless, one can establish significant limitations on algorithms, by using a variation of the polynomial method of Beals et al. [BBC01].  If a function can be evaluated by an algorithm with queries, then there exists a real polynomial of degree such that whenever and whenever .  The minimum degree of such a polynomial is sometimes called “one-sided approximate degree” [BT15, Tha16].

The relationship between and protocols is very simple: if has a protocol that receives an -qubit witness and makes queries, then it also has an algorithm that makes queries.  This was essentially observed by Marriott and Watrous [MW05, Remark 3.9] and used by Aaronson [Aar12] to show an oracle relative to which ; we also state it for completeness as Lemma 16.

Thus, an obvious route to ruling out a protocol for would be to rule out an algorithm.  Unfortunately, this cannot work, since does have an algorithm: namely, the algorithm that simply picks an  uniformly at random, and accepts if and only if .  So clearly we need a different strategy.

##### Proof overview.

To get around the issue of  being in , we use a clever strategy that was previously used by Göös et al. [GLM16], and that was suggested to us by Thomas Watson (personal communication).

Our strategy exploits the fact that  is closed under intersection, but (at least relative to oracles, and as we’ll show)  is not.

More precisely, given a function , let be the AND of two copies of on separate inputs.  Then if has small query complexity, it’s not hard to see that does as well: Merlin simply sends witnesses corresponding to both inputs; then Arthur checks both of them independently.  While it’s not completely obvious, one can verify that a dishonest Merlin would gain nothing by entangling the two witness states.  Hence if had an efficient protocol, then so would , with the witness size and query complexity increasing by only a constant factor.

By contrast, even though does have an efficient algorithm, we will show that does not.  This is the technical core of our proof.

In more detail, suppose by way of contradiction that had an efficient protocol.  Then as we said above, would have an efficient  protocol as well—which means that the latter function would also have an efficient  algorithm.  But by using the polynomial method, we will show that  does not have a query-efficient  algorithm, thereby yielding the desired contradiction.

###### Theorem 5.

Consider an algorithm for that makes queries to membership oracles for the two instances of . Then .

Note that Theorem 5 is quantitatively optimal, as we’ll exhibit matching upper bounds as well.  Combined with Lemma 16 (the connection between and ), Theorem 5 immediately implies Theorem 4.

At a high level, the proof of Theorem 5 assumes that there’s an efficient algorithm for .  This assumption yields a low-degree one-sided approximating polynomial for the problem in Boolean variables, where variables come from each  instance.  We then symmetrize the polynomial (using the standard Minsky–Papert symmetrization argument [MP88]) to obtain a bivariate polynomial in two variables and that represent the Hamming weight of the original instances.  This yields a polynomial that for integer pairs (also called lattice points) satisfies when either and , or (symmetrically) and .  If both and , then . This polynomial is depicted in Figure 1.

One difficulty is that we have a guarantee on the behavior of at lattice points only, whereas the rest of our proof requires better control over the polynomial, even at non-integer points.  To obtain better control over our polynomial at non-integer points, we use a newer symmetrization argument due to Servedio, Tan, and Thaler [STT12] that we call “erase all subscripts” symmetrization (see Lemma 12).555It is possible to obtain a suboptimal lower bound without using erase-all-subscripts symmetrization. See arXiv:1902.02398 for details. This symmetrization yields a polynomial of the same degree as . Both types of symmetrization play an important role in our analysis, as we use to bound when the polynomials have degree , using tools from approximation theory and Chernoff bounds.

The second difficulty is that we want to lower-bound the degree of a bivariate polynomial, but almost all known lower bound techniques apply only to univariate polynomials. To reduce the number of variables (from to ) in a degree-preserving way, we pass a hyperbola through the plane (see Figure 1) and consider the polynomial restricted to the hyperbola. Doing so gives us a new univariate Laurent polynomial , whose positive and negative degree is at most .  This Laurent polynomial has an additional symmetry, which stems from the fact that is the of two identical problems (namely, ).  We leverage this symmetry to view , a Laurent polynomial in , as an ordinary univariate polynomial in of degree .  Finally, we appeal to classical results in approximation theory to argue that this univariate polynomial must have degree .

There are two aspects of this that we find surprising: first, that Laurent polynomials appear at all, and second, that they seem to appear in a completely different way than they did in the proof of Theorem 2, despite the close connection between the two statements.  For Theorem 2, Laurent polynomials were fundamentally needed just to describe the quantum algorithm’s acceptance probability, whereas for Theorem 5, ordinary polynomials sufficed; Laurent polynomials appeared only when we restricted a bivariate polynomial to a hyperbola in the plane.  In any case, our results suggest that the “Laurent polynomial method” might be useful for other problems as well.

##### Complexity-theoretic perspective.

The complexity class , which is sandwiched between (Merlin-Arthur) and  (Arthur-Merlin), is captured by the following complete problem: given a polynomial-time computable Boolean function and an integer , decide whether the number of inputs that accepts is less than or greater than , promised that one of these is the case.  The class (discussed above, following Theorem 4), first defined by Kuperberg [Kup15], is a quantum analogue of that contains both and .

By the usual connection between oracle separations and query complexity lower bounds, Theorem 4 implies the first oracle separation between and —i.e., there exists an oracle such that .  Prior to our work, it was known that there exist oracles such that  [BGM06] and [Ver92], but the relation between  and  remained elusive.666It is interesting to note that in the non-relativized world, under plausible derandomization assumptions [MV99], we have . In this scenario, all these classes are equal, and all are contained in . Figure 2 shows the known inclusion relations among these classes (all of which hold relative to all oracles).

Previous oracle separation techniques failed because they either used lower-bound techniques specific to , or they established lower bounds against , which contains (see Figure 2) .

Now the reason that (our new result) is much harder to establish than (from [BGM06]) is the following: We know lower bound methods for that do not also apply to .  In particular, is contained in , which is not known to contain , and Böhler et al. exploit this relationship to prove the oracle separation .  However, the primary method for proving lower bounds is exploit the fact that and to show lower bounds on .  Unfortunately, also contains , and hence can solve approximate counting efficiently.

As described in the proof overview above, we resolve this by using a difference in structural properties of the involved complexity classes.  While is easily seen to be closed under intersection, is not obviously closed under intersection, and in fact our results also show the existence of an oracle relative to which is not closed under intersection.  Hence we separate and by taking a complete problem for and considering the of two copies of the problem, which we then show is not in in the black-box setting.

## 2 Preliminaries

In this section we introduce some definitions and known facts about polynomials and complexity classes.

### 2.1 Approximation theory

We will use several results from approximation theory, each of which has previously been used (in some form) in other applications of the polynomial method to quantum lower bounds.  We start with the basic inequality of A.A. Markov [Mar90].

###### Lemma 6 (Markov).

Let  be a real polynomial, and suppose that

 maxx,y∈[a,b]|p(x)−p(y)|≤H. (6)

Then for all , we have

We’ll also need a bound that was explicitly stated by Paturi [Pat92], and which amounts to the folklore fact that, among all degree- polynomials that are bounded within a given range, the Chebyshev polynomials have the fastest growth outside that range.

###### Lemma 7 (Paturi).

Let  be a real polynomial, and suppose that  for all .  Then for all , we have

 |p(x)|≤exp(2deg(p)√2μ+μ2). (8)

We now state a useful corollary of Lemma 7, which says (in effect) that slightly shrinking the domain of a low-degree real polynomial can only modestly shrink its range.

###### Corollary 8.

Let  be a real polynomial of degree , and suppose that

 maxx,y∈[a,b]|p(x)−p(y)|≥H. (9)

Let  and .  Then

 maxx,y∈[a′,b]|p(x)−p(y)|≥H2. (10)
###### Proof.

 |p(x)−p(y)|

for all .  By affine shifts, we can assume without loss of generality that  for all .  Then by Lemma 7, for all  we have

 |p(x)|

But this violates the hypothesis. ∎

We will also need a bound that relates the range of a low-degree polynomial on a discrete set of points to its range on a continuous interval.  The following lemma generalizes a result due to Ehlich and Zeller [EZ64] and Rivlin and Cheney [RC66], who were interested only in the case where the discrete points are evenly spaced.

###### Lemma 9.

Let  be a real polynomial of degree at most , and let  be a list of points such that  for all (the simplest example being the integers ).  Suppose that

 maxx,y∈[0,k]|p(x)−p(y)|≥H. (13)

Then

 maxi,j∣∣p(zi)−p(zj)∣∣≥H2. (14)
###### Proof.

 ∣∣p(zi)−p(zj)∣∣

for all .  By affine shifts, we can assume without loss of generality that  for all .  Let

 c:=maxx∈[0,k]|p(x)|H/4. (16)

If , then the hypothesis clearly fails, so assume .  Suppose that the maximum, , is achieved between  and .  Then by basic calculus, there exists an  such that

 ∣∣p′(x∗)∣∣>2(c−1)zi+1−zi⋅H4≥(c−1)H2. (17)

So by Lemma 6,

 (c−1)H2

Solving for , we find

 c<2k2k−deg(p)2≤2. (19)

But if , then , which violates the hypothesis. ∎

We also use a related inequality due to Coppersmith and Rivlin [CR92] that bounds a polynomial on a continuous interval in terms of a bound on a discrete set of points, but now with the weaker assumption that the degree is at most , rather than .  This gives a substantially weaker bound.

###### Lemma 10 (Coppersmith and Rivlin).

Let be a real polynomial of degree at most , and suppose that for all integers .  Then there exist universal constants such that for all , we have

 |p(x)|≤a⋅exp(bdeg(p)2/k). (20)

### 2.2 Symmetric polynomials

##### Univariate symmetrizations.

Our starting point is the well-known symmetrization lemma of Minsky and Papert [MP88] (see also Beals et al. [BBC01] for its application to quantum query complexity), by which we can often reduce questions about multivariate polynomials to questions about univariate ones.

###### Lemma 11 (Minsky–Papert symmetrization).

Let  be a real multilinear polynomial of degree , and let be defined as

 q(k):=E|X|=k[p(X)]. (21)

Then can be written as a real polynomial in of degree at most .

We now introduce a different, lesser known notion of symmetrization, due to Servedio, Tan, and Thaler [STT12], which we call the erase-all-subscripts symmetrization for reasons to be explained shortly.

###### Lemma 12 (Erase-all-subscripts symmetrization).

Let  be a real multilinear polynomial of degree , and for any real number , let denote the distribution over , wherein each coordinate is selected independently to be 1 with probability . Let be defined as

 q(k):=EMk[p(X)]. (22)

Then can be written as a real polynomial in of degree at most .

###### Proof.

(Appears in [STT12, Proof of Theorem 3]). Given the multivariate polynomial expansion of , we can obtain easily just by “erasing all the subscripts in each variable”. For example, if , we replace every with to obtain . This follows from linearity of expectation along with the fact that is defined to be the product distribution wherein each coordinate has expected value . ∎

We highlight the following key difference between Minsky–Papert symmetrization and the erase-all-subscripts symmetrization. Let be a real multivariate polynomial whose evaluations at Boolean inputs are in , i.e., for all , we have . If is the the erase-all-subscripts symmetrization of , then takes values in at all real-valued inputs in : for all . If is the Minsky–Papert symmetrization of , then it is only guaranteed to take values in at integer-valued inputs in , i.e., is only guaranteed to hold at . This is the main reason we use erase-all-subscripts symmetrization in this work.

##### Bivariate symmetrizations.

In this paper, it will be convenient to consider bivariate versions of both Minsky–Papert and erase-all-subscripts symmetrization, and their applications to oracle separations. To this end, define , the “characteristic string” of the set , by  if  and  otherwise.  Let denote the unitary that performs a membership query to , defined as

 OS|i⟩|b⟩=(1−2bxi)|i⟩|b⟩ (23)

for any index and bit .

Because we study oracle intersection problems, it is often convenient to think of an algorithm as having access to two oracles, wherein the first bit in the oracle register selects the choice of oracle.  As a consequence, we need a slight generalization of a now well-established fact in quantum complexity: that the acceptance probability of a quantum algorithm with an oracle can be expressed as a polynomial in the bits of the oracle string.

###### Lemma 13 (Symmetrization with two oracles).

Let be a quantum algorithm that makes queries to a pair of membership oracles for sets .  Let denote the distribution over subsets of wherein each element is selected independently with probability .  Then there exist bivariate real polynomials and of degree at most satisfying:

 for all real numbers s,t∈[0,N], q(s,t)=ES0∼Ds,S1∼Dt[Pr[QOS0,OS1 accepts]], and for all integers x,y∈{0,1,…,N}, p(x,y)=E|S0|=x,|S1|=y[Pr[QOS0,OS1 accepts]].
###### Proof.

Take to be the concatenation of the characteristic strings of the two oracles, and let be such that is the characteristic string of . Then, Lemma 4.2 of Beals et al. [BBC01] tells us that there is a real multilinear polynomial of degree at most in the bits of such that .

Observe that has a meaningful probabilistic interpretation over arbitrary inputs in

. A vector

of probabilities corresponds to a distribution over

wherein each bit is chosen from a Bernoulli distribution with the corresponding probability. Because

is multilinear, in fact computes the expectation of the acceptance probability over this distribution. In particular, the polynomial

 q(s,t)=r(sN,…,sNN times,tN,…,tNN times)=ES0∼Ds,S1∼Dt[Pr[QOS0,OS1 accepts]] (24)

corresponds to selecting and . The total degree of is obviously at most the degree of , by the same reasoning as in the proof of Lemma 12.

To construct , we apply the symmetrization lemma of Minsky and Papert [MP88] to symmetrize , first with respect to , then with respect to :

 (25)
 p(x,y)=E|S1|=yp0(x,X1)=E|S0|=x,|S1|=y[Pr[QOS0,OS1 accepts]] (26)

The degree of is at most the degree of , due to Lemma 11. ∎

We remark that, as a consequence of their definitions in Lemma 13, and satisfy:

 q(s,t)=E[p(X,Y)], (27)

where and are drawn from

-trial binomial distributions with means

and , respectively.

##### Symmetric Laurent polynomials.

Finally, we state a useful fact about Laurent polynomials:

###### Lemma 14 (Symmetric Laurent polynomials).

Let be a real Laurent polynomial of positive and negative degree that satisfies .  Then there exists a (ordinary) real polynomial of degree such that .

###### Proof.

implies that the coefficients of the and terms are equal for all , as otherwise would not equal the zero polynomial. Thus, we may write for some coefficients . So, it suffices to show that can be expressed as a polynomial in for all .

We prove by induction on . The case corresponds to constant polynomials. For , by the binomial theorem, observe that where is a degree real Laurent polynomial satisfying . By the induction assumption, can be expressed as a polynomial in , so we have is expressed as a polynomial in . ∎

### 2.3 Complexity classes

Though and can be defined in terms of counting complexity functions, for our purposes it is easier to work with the following equivalent definitions (see Böhler et al. [BGM06]):

###### Definition 15.

The complexity class consists of the languages for which there exists a probabilistic polynomial time algorithm and a polynomial with the following properties:

1. If , then .

2. If , then .

The complexity class is defined analogously, wherein the classical algorithm is replaced with a quantum algorithm.

A classical (respectively, quantum) algorithm that satisfies the above promise for a particular language will be referred to as an (respectively, ) algorithm throughout.  Using this definition, a query complexity relation between protocols and algorithms follows from the procedure of Marriott and Watrous [MW05], which shows that one can exponentially improve the soundness and completeness errors of a protocol without increasing the witness size.  See Aaronson [Aar12, Lemma 5] for a proof of the following lemma:

###### Lemma 16 (Guessing lemma).

Suppose there is a protocol for some problem that makes queries and receives an -qubit witness.  Then there is an algorithm for the same problem that makes queries.

## 3 Approximate counting with quantum samples and reflections

### 3.1 The Laurent polynomial method

By using Minsky–Papert symmetrization (Lemma 11), we now prove the key fact that relates quantum algorithms, of the type we’re considering, to real Laurent polynomials in one variable.  The following lemma generalizes the connection between quantum algorithms and real polynomials established by Beals et al. [BBC01].

###### Lemma 17.

Let be a quantum algorithm that makes queries to , uses copies of , and makes uses of the unitary .  Let . For , let

 q(k):=E|S|=k[Pr[QOS,RS(|S⟩⊗R1) accepts]]. (28)

Then can be written a univariate Laurent polynomial, with maximum exponent at most  and minimum exponent at least .

###### Proof.

Let denote the initial state of the algorithm, which we can write as

 |ψinitial⟩ =|S⟩⊗R1=(1√|S|∑i∈S|i⟩)R1=⎛⎝1√|S|∑i∈[N]xi|i⟩⎞⎠R1 =1|S|R1/2∑i1,…,iR1∈[N]xi1⋯xiR1∣∣i1,…,iR1⟩.

Thus, each amplitude is a complex multilinear polynomial in of degree , divided by .

Throughout the algorithm, each amplitude will remain a complex multilinear polynomial in divided by some power of . Since  for all , we can always maintain multilinearity without loss of generality.

Like Beals et al. [BBC01], we now consider how the polynomial degree of each amplitude and the power of in the denominator change as the algorithm progresses. We have to handle 3 different kinds of unitaries that the quantum circuit may use: the membership query oracle , unitaries independent of the input, and the reflection unitary .

The first two cases are handled as in Beals et al. Since is a unitary whose entries are degree-1 polynomials in , each use of this unitary increases a particular amplitude’s degree as a polynomial by and does not change the power of in the denominator.  Second, input-independent unitary transformations only take linear combinations of existing polynomials and hence do not increase the degree of the amplitudes or the power of in the denominator. Finally, we consider the reflection unitary . The entry of this operator is . Since , this is a degree-2 polynomial divided by . Hence applying this unitary will increase the degree of the amplitudes by and increase the power of in the denominator by .

In conclusion, we start with each amplitude being a polynomial of degree divided by . queries to the membership oracle will increase the degree of each amplitude by at most and leave the power of in the denominator unchanged. uses of the reflection unitary will increase the degree by at most and the power of in the denominator by . It follows that ’s final state has the form

 (29)

where each  is a complex multilinear polynomial in of degree at most , divided by .  Since itself is real-valued, it follows that the real and imaginary parts of , considered individually, are real multilinear polynomials in  of degree at most  divided by .

Hence, if we let

 p(X):=Pr[QOS,RS(|S⟩⊗R1) accepts], (30)

then

 p(X)=∑accepting z|αz(X)|2=∑accepting z(Re2αz(X)+Im2αz(X)) (31)

is a real multilinear polynomial in of degree at most , divided through (in every monomial) by .

Now consider

 q(k):=E|X|=k[p(X)]. (32)

By Lemma 11, this is a real univariate polynomial in of degree at most , divided through (in every monomial) by .  Or said another way, it’s a real Laurent polynomial in , with maximum exponent at most  and minimum exponent at least . ∎

### 3.2 Upper bounds

Before proving our lower bounds on the degree of Laurent polynomials approximating , we establish some simpler upper bounds. We show upper bounds on Laurent polynomial degree and in the queries, samples, and reflections model.

##### Laurent polynomial degree of approximate counting.

We now describe a purely negative degree Laurent polynomial of degree for approximate counting.  This upper bound will serve as an important source of intuition when we prove the (matching) lower bound of Theorem 2 (see Section 3.4.3). We are thankful to user “fedja” on MathOverflow for describing this construction.

###### Lemma 18 (fedja).

For all , there is a real polynomial  such that for all , and  while , and .

###### Proof.

Assuming for simplicity that is a perfect cube, consider

 u(x):=(1−x)(1−2x)⋯(1−w1/3x). (33)

Notice that  and for all .  Furthermore, we have  for all , and also  for all .  Now, let