Quantum Time-Space Tradeoffs by Recording Queries

02/20/2020 ∙ by Yassine Hamoudi, et al. ∙ 0

We use the recording queries technique of Zhandry [Zha19] to prove lower bounds in the exponentially small success probability regime, with applications to time-space tradeoffs. We first extend the recording technique to the case of non-uniform input distributions and we describe a new simple framework for using it. Then, as an application, we prove strong direct product theorems for K-Search under a natural product distribution not considered in previous works, and for finding K distinct collisions in a uniform random function. Finally, we use the latter result to obtain the first quantum time-space tradeoff that is not based on a reduction to K-Search. Namely, we demonstrate that any T-query algorithm using S qubits of memory must satisfy a tradeoff of T^3 S ≥Ω(N^4) for finding Θ(N) collisions in a random function. We conjecture that this result can be improved to T^2 S ≥Ω(N^3), and we show that it would imply a T^2 S ≥Ω̃(N^2) tradeoff for Element Distinctness.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Quantum query complexity [BW02] is a cornerstone of the theory of quantum algorithms. It measures the number of times an algorithm needs to access (or “query”) its input in order to solve a given problem. Although it does not characterize other resources of computation that can be more prohibitive (number of quantum gates, number of qubits, communication delay, etc.), it is often a good measure of how difficult a problem is to solve. Some of the great achievements of quantum query complexity are Grover [Gro97] and Shor [Sho97] algorithms, which can solve Search and Factoring by using less queries than any known classical algorithm.

One important question is how low can the quantum query complexity of a given problem be? The two main techniques for proving lower bounds in the quantum query model are the polynomial [BBC01] and the adversary [Amb02] methods. Although they have led to great successes, these methods often need arguments that are much less intuitive than what is used for deterministic or randomized query complexity. Thus, it is a major challenge to discover alternative ways of analyzing the quantum query complexity. Recently, Zhandry [Zha19] took a step in this direction by giving a new proof technique for “recording” quantum queries. The original motivation for Zhandry’s work was to find new security proofs in the quantum random oracle model. He tried to adapt a classical method based on recording the queries made by an attacker and responding with on-the-fly simulation of the oracle. At first sight, such a recording seems impossible to achieve in the quantum model since measuring queries could perturbate the attacker’s state significantly. Yet, Zhandry showed that under certain conditions one can record in superposition the queries made by a quantum attacker. This method has since been used to give new security proofs in the quantum random oracle model [AMRS18, HI19, LZ19b, CMSZ19, BHH19, Cha19, CMS19]. More important to us is that it provides a new method for proving quantum query complexity lower bounds. Zhandry has illustraded its use for the Grover Search, Collision and -Sum problems [Zha19]. Later, Liu and Zhandry [LZ19a] have applied it to Multi-Collisions Finding. The purpose of the present work is to generalize this method further, and to give new applications to strong direct product theorems and time-space tradeoffs. We present below our contributions.

Recording Query Model.

We first present the main ideas in Zhandry’s recording technique [Zha19]. In the (standard) model of query complexity, an algorithm is given access to an input through a unitary operator , where is an -th root of unity. The state of an algorithm after queries to corresponds to the result of alternating with some fixed unitaries , that is . This framework allows an adversary oracle to run an algorithm over a distribution of inputs to obtain the state . Zhandry’s main idea is to restrict itself to the uniform distribution and to look at the evolution of in the Fourier domain. The initial state corresponds to in the Fourier domain. The first unitary operator maps this state to some superposition . The crucial observation is that, in the Fourier domain, the query maps the -th register of to , letting the other registers unchanged. In other words, in the Fourier domain, the adversary oracle has recorded into her own register that a query was made on the -th value. Similarly, each subsequent query on a state will add (modulo ) the phase multiplier with the content of the -th value in the Fourier domain.

What if we try to record queries directly into the standard domain, without applying the Fourier transformation? First, the initial state

is replaced with , where is a new symbol representing the absence of record on the corresponding coordinate. Then, we may expect a query on the -th coordinate to change the -th oracle’s register by and when . This would correspond to the classical recording technique, where a value is sampled only upon request. This transformation is obviously not reversible. Nevertheless, by going back and forth in the Fourier domain, Zhandry’s method [Zha19, HI19] shows that the algorithm’s state obtained with this operator differs only negligibly from the actual state after polynomially many queries.

In Section 2.2, we improve Zhandry’s recording technique by generalizing it to any product distribution . We formalize a general framework for recording quantum queries by the use of a “recording query operator” that depends on the distribution (Lemma 2.2). Our proof simplifies some of the arguments used in the original work of Zhandry. In particular, we do not go back and forth in the Fourier domain for our analysis. As an application, we study the recording operator corresponding to the product of Bernoulli distributions of parameter . In Lemma 3.2, we show that implements the mapping , , up to a small error term when . We also recover the analysis for the uniform distribution in Lemma 4.2. There has been other independent work on extending Zhandry’s recording technique [HI19, CMSZ19, CMS19]. These papers focus more on security properties of cryptographic schemes.

Strong Direct Product Theorems.

A Strong Direct Product Theorem (SDPT) states that the success probability of solving instances of a problem with less than times the resources needed for one instance is exponentially small in . A series of work [Amb10, AŠW09, Špa08, AMRR11, LR13] based on the (multiplicative) adversary method has culminated into a proof that quantum query complexity satisfies a SDPT for all functions. Our focus in this paper (Sections 3 and 4.1) is on two specific problems that exhibit similar behaviors to that of SDPTs. These results will serve in the proof of a time-space tradeoff in Section 4.2.

-Search. Our first SDPT-like result (Section 3) is for the -Search problem, where the goal is to find ones in an

-size vector. It has been shown many times

[KŠW07, Amb10, Špa08, Zha19] that the success probability must drop to when the number of quantum queries is . Yet, these results show disparities in the input distributions they consider, and in the decrease rate of in term of . For instance, Ambainis [Amb10] proved that over the uniform distribution on the -bit vectors with exactly ones. On the other hand, Zhandry’s original technique [Zha19] gives for a uniformly random input in . In this paper, we study the -Search problem on an input distribution that has not been considered before, namely the product distribution on that sets with probability for all independently. Our proof is the first one to illustrate the use of the recording query model on a non-uniform distribution. It is also simpler and more intuitive than previous bounds for -Search to our opinion. We show that, similarly to the classical setting where a query can reveal a one with probability , the amplitude on the basis states that record a new one increases by a factor of after each query (Proposition 3.4). Thus, the amplitude of the basis states that have recorded at least ones after queries is at most . This implies that any algorithm with queries must likely output at least ones at positions that have not been recorded. These outputs can only be correct with probability , thus the overall success probability is at most (Proposition 3.5).

Theorem 3.1. Let be the distribution on that is defined by setting with probability independently for each . Then, any -query quantum algorithm for the -Search problem on must succeed with probability satisfying .

Many-Collisions. Our second SDPT-like result (Section 4.1) is for the problem of finding distinct collisions in an input drawn from the uniform distribution . Two collisions and are said to be distinct if their images are different, i.e. . This problem has been extensively studied in the case where it is known [AS04, Zha15] that queries are required to succeed with constant probability. For arbitrary , we are only aware of a previous result by Liu and Zhandry [LZ19a] analyzing a progress measure in the recording query model that hints at a success probability of . We build on this result to give a precise statement on . As in the -Search analysis, we show that the amplitude on the basis states that record a new distinct collision increases by a factor of after each query (Proposition 4.3). This is related to the probability that a new random value collides with one of the (at most) previous recorded queries. Thus, the amplitude of the basis states that have recorded at least distinct collisions after queries is at most . Consequently, any algorithm making queries must likely output at least collisions at positions that have not been recorded. These outputs will be correct with exponentially small probability (Proposition 4.4).

Theorem 4.1. Any -query quantum algorithm finding distinct collisions on inputs drawn from must succeed with probability satisfying .

In particular, any algorithm making queries can only succeed with probability for the problem of finding distinct collisions in a random input. This bound is tight as can be shown by a simple adaptation of the BHT algorithm [BHT98].

Time-Space Tradeoffs.

Memory is a critical resource in many algorithmic methods. The Noisy Intermediate-Scale Quantum (NISQ) era illustrates further the interest of algorithms using as few qubits as possible. Time-Space tradeoffs investigate how large the time (or query) complexity must be when only (qu)bits of memory are available. For instance, the task of sorting numbers requires on a classical computer [Bea91] and on a quantum one [KŠW07]. The few other time-space tradeoffs known in the quantum setting are for Boolean Matrix-Vector and Matrix-Matrix Multiplication [KŠW07] and Evaluating Solutions to Systems of Linear Inequalities [AŠW09]. These results are all based on the SDPT for Quantum Search, and thus can be reproved using Theorem 3.1. In Section 4.2, we propose the first quantum time-space tradeoff based instead on the SDPT for many-collisions finding proved in Section 4.1.

Corollary 4.6. Any quantum algorithm finding distinct collisions with success probability on inputs drawn from must satisfy a time-space tradeoff of .

In particular, this result implies that finding distinct collisions with a quantum algorithm that uses qubits of memory requires111The notation is used to denote the presence of hidden polynomial factors in or . queries, whereas the best unlimited-memory algorithm makes queries. As in most of the previous (classical or quantum) tradeoffs for multi-output problems [BFK81, KŠW07], our proof relies on showing that no algorithm can produce more than parts (here: collisions) of its outputs with probability larger than when is small. It is a major open problem, both in the classical and quantum setting, to obtain tight methods that would also apply to single-output problems. The most studied candidate in this direction is the Element Distinctness problem , that consists in deciding whether numbers are all distinct or not. In the classical setting, a nearly tight tradeoff of has been established for the restricted comparison-based query model [Yao94]. There is also partial progress in the unrestricted case [BSSV03], but no result is known in the quantum setting. In Section 4.2 we give a new argument to bypass the single-output limitation of Element Distinctness. We explain in Proposition 4.7 how collisions can be found in an input in time and space , where is the complexity of any algorithm solving Element Distinctness on inputs of size . This reduction allows us to convert any time-space tradeoff for finding distinct collisions into one for Element Distinctness.

Corollary 4.8. If any algorithm finding distinct collisions on inputs drawn from satisfies a time-space tradeoff of for some constants then any algorithm solving satisfies a time-space tradeoff of .

We further conjecture that our current tradeoff for finding collisions can be improved to , which would imply for Element Distinctness (Corollary 4.9).

2 Quantum Query Model

We first present the standard model of quantum query complexity (Section 2.1). Next, we define the recording model used in this paper (Section 2.2).

2.1 Standard Model

The (standard) model of quantum query complexity [BW02] measures the number of quantum queries an algorithm needs to make on an input to find an output satisfying some predetermined relation . We present this model in more details below.

Quantum Query Algorithm.

A -query quantum algorithm is specified by a sequence of unitary transformations acting on the algorithm’s memory. The state of the algorithm is made of three registers , , where the query register holds , the phase register holds and the working register holds some value . We represent a basis state in the corresponding Hilbert space as . We may drop the subscript when it is clear from the context. The state of the algorithm after queries to some input is defined to be

where the oracle acts only on register and encodes the input as follows

The output of the algorithm is encoded into a subtstring of the working register . The success probability of the quantum algorithm on is the probability that the output value obtained by measuring the working register of satisfies the relation . In other words, if we let be the projector whose support consists of all basis states such that the output substring of satisfies , then .

Oracle’s Register.

Here, we describe the variant used in the adversary method [Amb02]. It is represented as an interaction between an algorithm that aims at finding , and a superposition of oracle’s inputs that respond to the queries from the algorithm.

The memory of the oracle is made of an input register holding . This register can be subdivided into registers where holds . The basis states in the corresponding Hilbert space are . Given an input distribution on , the oracle’s initial state is the state .

The query operator is a unitary transformation acting on the memory of the algorithm and the oracle. Its action is defined on each basis state by

The joint state of the algorithm and the oracle after queries is , where the unitaries have been extended to act as the identity on . The success probability of a quantum algorithm on an input distribution is the probability that the output value and the input obtained by measuring the working and input registers of satisfy the relation .

2.2 Recording Model

The recording quantum query model is a modification of the standard model that is unnoticeable by the algorithm, but that will allow us to track more easily the progress made toward solving the relational problem . The original recording quantum query model was formulated by Zhandry in [Zha19]. Here, we propose a simplified and more general version of this framework adapted to the goal of proving query complexity lower bounds. Our framework requires the initial state to be a product state .

Construction.

The input register of the oracle can now contain , where will represent the absence of knowledge from the algorithm about the -th coordinate of the input. Unlike in the above model, the oracle’s initial state is independent from the relational problem to be solved and is fixed to be (the algorithm knows nothing at the beginning). We extend the query operator defined in the standard query model by setting

Then, we define our new “recording” query operator as follows.

Definition 2.1.

Let acting on respectively and satisfying . Then the recording query operator with respect to is the query operator obtained by composing with the unitary defined as follows

where act as the identity on the unspecified registers.

Indistinguishability.

The joint state of the algorithm and the oracle after queries in the recording query model is . Notice that the query operator can only change the -th coordinate of when it is applied to . Consequently, must be a linear combination of basis states with at most entries in different from . These entries represent what the oracle has learnt (or “recorded”) from the algorithm’s queries so far. In the next lemma, we show that is related to the state (defined in Section 2.1) by . The change of query operator is unnoticeable by the algorithm since each acts as the identity on the algorithm’s memory.

Lemma 2.2.

Let be a -query quantum algorithm. Consider an oracle’s initial state in the standard query model and choose the unitaries in the recording query model to be any transformations satisfying

Then, the states

obtained after queries in the standard and recording query models respectively are related by

Proof.

We start by introducing the intermediate operator . We first claim that . Indeed, the query operator acts as the identity on all the registers of a basis state , except . Thus, the actions of and for cancel out in and . Since and act the same way on registers , we obtain that .

We further observe that and commute for all since they act as non-identities on disjoint registers. Consequently, we have that

by definition of
since

3 Application to Quantum Search

We use the recording query model to prove a strong direct product theorem for quantum search. The relational problem that we consider here is the -Search problem: given , find distinct indices such that . We prove the following result.

Theorem 3.1.

Let be the distribution on that is defined by setting with probability independently for each . Then, any -query quantum algorithm for the -Search problem on must succeed with probability satisfying

We define in Section 3.1 the unitary operators associated with the input distribution , and we describe how the recording query operator acts on basis states (Lemma 3.2). In Section 3.2, we study the measure of progress corresponding to the probability that the oracle’s memory contains at least ones after queries in the recording query model. We prove that this quantity is exponentially small in when (Proposition 3.4). Finally, in Section 3.3, we relate the progress measure to the success probability of solving -Search on the input distribution in the standard query model (Proposition 3.5). We conclude that must be exponentially small in after queries (Theorem 3.1).

3.1 The Recording Query Operator

In the standard query model, the oracle’s initial state corresponding to the chosen input distribution is . Consequently, in the recording query model, we define the unitary transformations to be

where , and , . These unitaries verify where , as required by Lemma 2.2. The recording query operator is since . The next lemma shows how is acting on the basis states. The proof is an elementary calculation that is given in Appendix A.

Lemma 3.2.

If the recording query operator is applied on a basis state where then the register is mapped to

and the other registers are unchanged. If then none of the registers are changed.

Since , the above lemma shows that implements the mapping , , up to a small error. This is analogous to a “lazy” classical oracle that would sample the -th entry of the input only if it is queried. This property is central to the recording query model.

3.2 The Progress Measure

The measure of progress is based on the number of ones contained in the oracle’s memory. We first give some projectors related to this quantity.

Definition 3.3.

We define the following projectors by giving the basis states on which they project:

  • , and : all basis states such that contains respectively at most, exactly or at least coordinates equal to .

  • , and : all basis states such that (1) contains exactly coordinates equal to one, (2) the phase multiplier is and (3) , or respectively.

We can now define the measure of progress for queries and ones as

where is the state after queries in the recording query model. The main result of this section is the following bound on the growth of .

Proposition 3.4.

For all , we have that .

Proof.

First, and for all since the initial state is . We prove that satisfies the following recurrence relation

(1)

From this result, it is trivial to conclude that . In order to prove Equation 1, we first observe that on a basis state the query operator acts as the identity on the registers for . Consequently, the basis states in that may contribute to must have either at least ones in , or exactly ones in with and . This implies that

We first bound the term . Consider any basis state in the support of . Then, by Lemma 3.2, . Thus, . Similarly, for the other term, . Thus,

3.3 Connecting the Progress to the Success Probability

We connect the success probability in the standard query model to the final progress in the recording query model after queries. We show that if the algorithm has made no significant progress for then it needs to “guess” that for about positions where the register does not contain . The probability to correctly guess all the ones is at most since has amplitude in , and amplitude in . This intuition is formalized in the next proposition.

Proposition 3.5.

For any state , we have .

Proof.

Let be any basis state in the support of . The output value is a substring of made of distinct indices indicating positions where the input is supposed to contain ones. By definition of , we have for at least indices . For each such index , after applying , the amplitude of is (if ) or (if ). Consequently,

Let us now consider any state and denote . For any two basis states and with output values respectively, if

then must be orthogonal to . Moreover, there are choices for once we set the values of . By the Cauchy-Schwarz inequality, . ∎

We can now conclude the proof of the main result.

Proof of Theorem 3.1.

The joint state of the algorithm and the oracle after queries in the standard query model is (Lemma 2.2). Thus, by the triangle inequality, satisfies , where we have used Propositions 3.5 and 3.4. ∎

4 Application to Many-Collisions Finding

We present a second application of the recording query model to the problem of finding many collisions in a random input . A collision is a pair of indices such that . Two collisions and are said to be distinct if their images are different, i.e. . In this section we study the problem of finding distinct collisions in an input drawn from the uniform distribution on , denoted by .

We first give a strong direct product theorem for this problem by using the recording query model (Theorem 4.1). Next, we prove that it can be converted into a tradeoff (Theorem 4.5). Finally, we describe a reduction from the problem of finding collisions to solving Element Distinctness (Proposition 4.7), and we show how it connects to proving a time-space tradeoff for Element Distinctness (Corollary 4.8).

4.1 Strong Direct Product Theorem

In this section, we prove the following strong direct product theorem for finding distinct collisions on inputs drawn uniformly at random from .

Theorem 4.1.

Any -query quantum algorithm finding distinct collisions on inputs drawn from must succeed with probability satisfying

The structure of the proof is similar to that of the -Search problem. We first define the unitaries used in the recording query model. The initial state representing in the standard query model is . Consequently, we choose

As in Lemma 3.2, we describe below the action of the recording query operator on each basis state. We observe that it corresponds to the mapping and (when ) up to a small error. The precise calculation is given in Appendix A.

Lemma 4.2.

If the recording query operator is applied on a basis state where then the register is mapped to

and the other registers are unchanged. If then none of the registers are changed.

The projector (and its variations) given in Definition 3.3 is modified to count the number of distinct collisions contained in the input register . The measure of progress is . We prove the following bound on the growth of .

Proposition 4.3.

For all , we have that .

Proof.

For , we define the projector whose support consists of all basis states such that (1) contains exactly distinct collisions, (2) does not belong to any of these collisions, (3) the phase multiplier is and (4) . Note that these states are the only one that may move from the support of to the support of after one query. Consequently,

We first bound the term . Consider any basis state in the support of . We assume further that contains at most entries different from , since it is the case for all basis states occurring in . By Lemma 4.2, we have . Since there are at most entries in that can collide with , we have . Thus, .

We now consider the term for . Again, we consider any basis state in the support of with at most entries different from . Using Lemma 4.2, we have . Since at most terms in this sum can be nonzero, we have . Thus, .

We conclude that . ∎

We obtain directly from Proposition 4.3 that . It remains to connect this quantity to the success probability . This step is a bit more involved than for the -Search problem since the input takes a larger range of values.

Proposition 4.4.

For any state , we have .

Proof.

We assume that the output in the collisions finding problem is represented as a list of disjoint triples . The output is correct if the input (in the standard query model) satisfies for all .

We define a new family of projectors , where , whose supports consist of all basis states satisfying the following conditions:

  • the output substring of is made of disjoint triples .

  • there are exactly indices such that .

  • there are exactly indices such that and , where is the “collision value” in the triple of containing .

For any such state, we claim that . Indeed, the action of on the register is if , and otherwise. The projector only keeps the term in these sums.

Next, for any list of disjoint triples , there are different ways to choose