<p><em>in search of unnatural proofs</em>: complexity theory and more. Feed: <a href="https://unnatural-proofs.github.io/feed.xml">https://unnatural-proofs.github.io/feed.xml</a> (generated 2020-01-26).</p>
<p><strong>Two Open Problems: Hybrid Quantum Attacks on Crypto</strong> (2019-10-04) <a href="https://unnatural-proofs.github.io/2019/two-open-problems-hybrid-quantum-attacks-on-crypto">https://unnatural-proofs.github.io/2019/two-open-problems-hybrid-quantum-attacks-on-crypto</a></p>
<p>Today, I want to mention two open problems that I have been thinking about. These are offshoots of my work with Matt Coudron on the power of quantum depth (<a href="https://arxiv.org/abs/1909.10503">arXiv:1909.10503</a>; see also <a href="https://arxiv.org/abs/1909.10303">arXiv:1909.10303</a>).</p>
<p>There does not seem to be a clear metric in quantum cryptanalysis. For example, we say that the security level of AES-256 is 256 bits, and the quantum security level of AES-256 is 256/2 = 128 bits. But that number 128 does not capture the hardness of the attack: the classical attack can be trivially parallelized, but the quantum attack (which uses Grover’s algorithm) cannot be parallelized well. <a href="https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf">NIST (2016)</a> tries to account for this in their PQC competition by introducing a variable MAXDEPTH, corresponding to the maximum depth of the quantum circuit in the attack, set to a value between $2^{40}$ and $2^{96}$. But this might still understate the security of the schemes (think of memory-intensive quantum algorithms). <a href="https://ia.cr/2019/103">Jaques and Schanck (2019)</a> solve this problem with their <em>DW-cost metric</em> (depth of the circuit times the width of the circuit). I like the DW-cost metric because it makes more sense from a <em>quantum-native</em> perspective. But this raises a new problem: what about hybrid attacks? It turns out that this can be easily remedied by using the DW-cost for the quantum part and the traditional number-of-ops cost for the classical part.</p>
<p>The setting is the following: MAXDEPTH is set to $2^{32}$ (say each layer (depth-1 circuit) takes $1000$ nanoseconds to apply<sup id="fnref:time"><a href="#fn:time" class="footnote">1</a></sup>, and we can run a computation for an hour) and MAXWIDTH is set to $2^{32}$ (that is about 4 giga(qu)bits). From this setting it is obvious that you cannot do a purely quantum attack; you need a hybrid attack (and that is my intention). Just to be clear, a <em>hybrid quantum attack</em> is a classical circuit with embedded quantum circuits, each of depth at most MAXDEPTH and width at most MAXWIDTH, where the output of a quantum circuit is a classical bit string (or, to be more precise, a probability distribution). Let’s define the <em>hybrid-DW-cost</em> as the sum of the DW-costs of the embedded quantum circuits plus the number of gates in the classical circuit.</p>
<h3 id="question-1-hybrid-generic-pre-image-attacks-on-aes">Question 1: Hybrid Generic Pre-Image Attacks on AES?</h3>
<p><strong>Question.</strong> Is there a non-trivial hybrid generic pre-image attack on AES?</p>
<p><strong>Conjecture.</strong> The security level of AES-256, under hybrid quantum attacks in the hybrid-DW-cost model, is essentially the same as its classical security level.</p>
<p>A good starting point: <a href="https://arxiv.org/abs/1512.04965">arXiv:1512.04965</a>, <a href="https://ia.cr/2019/854">2019/854</a>, and <a href="https://ia.cr/2019/1146">2019/1146</a>.</p>
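<p>As an added worked example (my code, not the post’s), here is the hybrid-DW-cost of the obvious generic key search in the setting above: a classical loop that repeatedly invokes a depth- and width-capped Grover circuit. It assumes the standard bound that $k$ Grover iterations can search about $k^2$ candidates (and that parallel instances do no better); the oracle width, per-iteration depth and classical gates per call are placeholders, not measured AES-256 figures. For comparison it also computes the uncapped, serial $2^{128}$-iteration figure.</p>

```python
"""Hybrid-DW-cost of a depth-capped Grover key search (added example).

Model, following the post: a hybrid attack is a classical circuit that
invokes quantum circuits of depth <= MAXDEPTH and width <= MAXWIDTH; its
cost is sum(depth * width over the quantum circuits) + classical gate count.

Assumption (standard Grover bound, not stated in the post): k iterations
can search about k**2 candidates, and running instances in parallel does
not beat this, so the depth cap cannot be absorbed by adding width.
All oracle sizes below are placeholders, not measured AES-256 figures.
"""
import math


def keys_per_circuit(max_depth, max_width, oracle_width, iter_depth):
    """Keys one depth/width-capped circuit can search.

    Each Grover instance needs `oracle_width` qubits and `iter_depth`
    layers per iteration.  A circuit holds max_width // oracle_width
    instances side by side; each runs max_depth // iter_depth iterations
    and therefore covers about iterations**2 keys.
    """
    instances = max_width // oracle_width
    iterations = max_depth // iter_depth
    if instances == 0 or iterations == 0:
        raise ValueError("oracle does not fit within MAXWIDTH / MAXDEPTH")
    return instances * iterations ** 2


def hybrid_dw_cost(key_bits, max_depth, max_width, oracle_width, iter_depth,
                   classical_gates_per_call):
    """Cost breakdown of a hybrid generic key search over 2**key_bits keys.

    The classical part is just the loop over circuit invocations plus any
    per-call set-up/check work (`classical_gates_per_call`, a placeholder).
    """
    per_circuit = keys_per_circuit(max_depth, max_width, oracle_width, iter_depth)
    key_space = 1 << key_bits
    calls = -(-key_space // per_circuit)          # ceiling division on big ints
    used_width = (max_width // oracle_width) * oracle_width
    quantum = calls * max_depth * used_width      # DW-cost summed over calls
    classical = calls * classical_gates_per_call
    total = quantum + classical
    # Up to rounding, quantum == 2**key_bits * oracle_width * iter_depth**2
    # / max_depth: the width budget cancels out and only the depth cap matters.
    return {
        "circuit_calls": calls,
        "quantum_dw_cost": quantum,
        "classical_gates": classical,
        "hybrid_dw_cost": total,
        "log2_cost": math.log2(total),
    }


def serial_grover_dw_cost(key_bits, oracle_width, iter_depth):
    """DW-cost of the textbook uncapped attack: 2**(key_bits/2) serial iterations."""
    iterations = 1 << (key_bits // 2)
    return iterations * iter_depth * oracle_width


if __name__ == "__main__":
    # The post's setting: MAXDEPTH = MAXWIDTH = 2**32.  Oracle figures are placeholders.
    setting = dict(max_depth=1 << 32, max_width=1 << 32,
                   oracle_width=1 << 12, iter_depth=1 << 10)
    capped = hybrid_dw_cost(256, classical_gates_per_call=1 << 20, **setting)
    print("uncapped serial Grover, log2 DW-cost:",
          math.log2(serial_grover_dw_cost(256, 1 << 12, 1 << 10)))
    print("depth-capped hybrid,    log2 cost:   ", capped["log2_cost"])
```

<p>With these placeholder figures the uncapped attack costs about $2^{150}$ while the capped hybrid attack costs about $2^{256}$; changing the placeholders moves the second number by the factor $w \cdot d^2 / D$ noted in the code, which is the whole effect of the depth cap.</p>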
<h3 id="question-2-hybrid-generic-claw-finding-attacks-on-sike">Question 2: Hybrid Generic Claw-Finding Attacks on SIKE?</h3>
<p><strong>Question.</strong> <a href="https://arxiv.org/abs/0708.2584">Tani’s (2007)</a> algorithm, which is used for generic claw-finding attacks, is based on quantum walks which seem to have the same parallelization difficulties as Grover’s algorithm. (See Section 5.6 in <a href="https://ia.cr/2019/103">Jaques and Schanck (2019)</a>.) Is there a non-trivial hybrid generic claw-finding attack on SIKE?</p>
<p><strong>Conjecture.</strong> The security level of SIKE-(503|610|751), under hybrid quantum attacks in the hybrid-DW-cost model, is essentially the same as its classical security level.</p>
<p>A good starting point: <a href="https://arxiv.org/abs/0708.2584">arXiv:0708.2584</a> and <a href="https://ia.cr/2019/103">2019/103</a>.</p>
<h3 id="why-these-questions">Why These Questions?</h3>
<ol>
<li>They force one to think about hybrid attacks.</li>
<li>They seem to model near-term attacks.</li>
<li>They don’t seem too hard. Question 1 might even be easy because we know explicit bounds on how Grover parallelizes.</li>
<li>They are fun math problems. :-)</li>
</ol>
<hr />
<div class="footnotes">
<ol>
<li id="fn:time">
<p>At first glance, this number might seem absurd—surely we can apply a gate in less than $1000$ nanoseconds, but I am trying to account for the lost nearest neighbor property. For now, it seems easier to make this number larger than to impose a nearest neighbor constraint. (Also, I am trying to be architecture agnostic.) <a href="#fnref:time" class="reversefootnote">↩</a></p>
</li>
</ol>
</div>
<p>Author: sanketh</p>
<p><strong>What Is a Stochastic Process?</strong> (2019-09-02) <a href="https://unnatural-proofs.github.io/2019/what-is-a-stochastic-process">https://unnatural-proofs.github.io/2019/what-is-a-stochastic-process</a></p>
<div style="display:none;">
$$
\newcommand{\F}{\mathcal{F}}
\newcommand{\I}{\mathcal{I}}
$$
</div>
<p>Recently I have discovered the awesome world of stochastic processes. Firstly, “stochastic process” is a horrible name; it does not have anything to do with “process.” If you have never heard of this term, brace yourself because this is gonna sound insanely familiar. So, a <em>stochastic process</em> is an indexed list of random variables. That’s it. If you have ever worked with randomized algorithms, this is what you call an algorithm: it takes an input and the output is modeled by a random variable.</p>
<p>I am going to give a slightly more formal definition now that we know what it means.</p>
<p><strong>Definition.</strong> Fix a probability space $(\Omega, \F, P)$ and a measurable space $(S, \Sigma)$. A <em>stochastic process</em> is a collection
\[
\{X(i) : i \in \I\}
\]
of $S$-valued random variables indexed by a set $\I$.</p>
<p>In many applications, the index set $\I$ is the positive real numbers and represents time. More generally, it is common to assume that $\I$ is ordered. This adds a lot of structure and allows one to talk about <em>increments</em> (how much $X(i)$ differs from $X(i+j)$) and stuff like that.</p>
<p>Also, if you have done some advanced probability, you can observe that stochastic processes generalize <em>Markov chains</em>, <em>random walks</em>, and <em>martingales</em>.</p>
<p>I’m going to end this short post by answering a burning question: how can you use stochastic processes to prove theorems? By leveraging <a href="https://en.wikipedia.org/wiki/Stochastic_calculus">stochastic calculus</a>.</p>
<h2 id="further-reading">Further Reading</h2>
<ul>
<li>Gregory F. Lawler’s “Stochastic Calculus: An Introduction with Applications” looks great. I have been meaning to read it for a while now.</li>
<li>Xinyu Wu’s “A stochastic calculus approach to the oracle separation of BQP and PH” simplifies the breakthrough oracle separation of Raz and Tal. [<a href="https://eccc.weizmann.ac.il/report/2018/202/">ECCC</a>]</li>
<li>If you want to apply stochastic calculus to TCS, chapter 11 of Ryan O’Donnell’s Analysis of Boolean Functions might be a good place to start. [<a href="http://www.contrib.andrew.cmu.edu/~ryanod/">book website</a>] Also take a look at Ronen Eldan’s “A two-sided estimate for the Gaussian noise stability deficit” which simplifies a theorem due to Guy Kindler and Ryan O’Donnell. [<a href="https://arxiv.org/abs/1307.2781">arXiv</a>] [<a href="https://www.cs.cmu.edu/~odonnell/papers/gaussian-noise-sensitivity.pdf">Kindler and O’Donnell paper</a>]</li>
</ul>
<p>Author: sanketh</p>
<p><strong>In Defense of Random Oracles</strong> (2019-05-23) <a href="https://unnatural-proofs.github.io/2019/in-defense-of-random-oracles">https://unnatural-proofs.github.io/2019/in-defense-of-random-oracles</a></p>
<div style="display:none;">
$$
\newcommand{\QSZK}{\textsf{QSZK}}
\newcommand{\SZK}{\textsf{SZK}}
\newcommand{\NP}{\textsf{NP}}
\newcommand{\P}{\textsf{P}}
\newcommand{\coNP}{\textsf{coNP}}
\newcommand{\UP}{\textsf{UP}}
\newcommand{\coUP}{\textsf{coUP}}
\newcommand{\BQP}{\textsf{BQP}}
\newcommand{\BPP}{\textsf{BPP}}
\newcommand{\PSPACE}{\textsf{PSPACE}}
\newcommand{\IP}{\textsf{IP}}
$$
$$
\newcommand{\N}{\mathbb{N}}
$$
$$
\newcommand{\A}{\mathcal{A}}
\newcommand{\poly}{\text{poly}}
\newcommand{\polylog}{\text{polylog}}
$$
$$
\newcommand{\ket}[1]{\lvert #1 \rangle}
\newcommand{\bra}[1]{\langle #1 \rvert}
\newcommand{\coloneqq}{\mathrel{:=}}
\newcommand{\dim}{\text{dim}}
$$
</div>
<p>A few days ago, I read<sup id="fnref:1"><a href="#fn:1" class="footnote">1</a></sup></p>
<blockquote>
<p><em>The Random Oracle Model: A Twenty-Year Retrospective</em><br />
Neal Koblitz and Alfred Menezes<br />
Crypto ePrint <a href="https://eprint.iacr.org/2015/140">2015/140</a></p>
</blockquote>
<p>and it reaffirmed my longstanding belief that oracle results are useful. There is a counterexample to the “Random Oracle Hypothesis” (one can <a href="https://doi.org/10.1016/S0022-0000(05)80084-4">show</a> that relative to a random oracle $\IP \neq \PSPACE$; it is exactly what you’d expect), but if used correctly, oracles are a very powerful tool to reason about the real world. There are similar counterexamples in the crypto world; perhaps the most famous one is Shafi Goldwasser and Yael Tauman’s <a href="https://eprint.iacr.org/2003/034">proof</a> of the insecurity of the <em>Fiat-Shamir transform</em>.<sup id="fnref:2"><a href="#fn:2" class="footnote">2</a></sup> I don’t want to take up more of your time—read the paper.</p>
<p>Some people might call me a hypocrite for liking Koblitz’s view about random oracles but not liking <a href="https://www.ams.org/notices/200708/tx070800972p.pdf">his views</a> towards the foundations of cryptography. To them, I say that it is more nuanced than that. Trashing random oracles because of a few synthetic counterexamples is just as bad as trashing an entire field based on a few anecdotes. (Contrary to the expectations of most people, I never claimed or will claim that, “foundations of crypto—or any other subfield of theoretical computer science—is immediately useful.” Also, I agree with Koblitz that “nontightness” in reductions is a huge problem, especially in lattice crypto where people keep throwing around “our scheme is secure based on the worst-case hardness of approximating lattice problems.” Sanjit Chatterjee, Neal Koblitz, Alfred Menezes, and Palash Sarkar have a <a href="https://eprint.iacr.org/2016/360">beautiful paper</a> emphasizing this issue.)</p>
<p>On another side note, the bandwagon effect that Koblitz describes with regard to crypto in the 1990s is exactly what is happening right now with blockchain and machine learning (and to a smaller extent, even quantum computing.)</p>
<div class="footnotes">
<ol>
<li id="fn:1">
<p>(on the bus) <a href="#fnref:1" class="reversefootnote">↩</a></p>
</li>
<li id="fn:2">
<p>Remind me to write a blog post on this. <a href="#fnref:2" class="reversefootnote">↩</a></p>
</li>
</ol>
</div>
<p>Author: sanketh</p>
<p><strong>More Tweets: Quantum Economics</strong> (2019-05-11) <a href="https://unnatural-proofs.github.io/2019/more-tweets-quantum-economics">https://unnatural-proofs.github.io/2019/more-tweets-quantum-economics</a></p>
<p>This post is essentially a reference to my tweets. I will write a coherent blog post sometime in the future.</p>
<blockquote class="twitter-tweet tw-align-center" data-lang="en"><p lang="en" dir="ltr">From page 5 of the referenced paper (<a href="https://t.co/Yw3rwCGZET">https://t.co/Yw3rwCGZET</a>). <a href="https://t.co/ZSIe9Y31Oi">pic.twitter.com/ZSIe9Y31Oi</a></p>— Sanketh Menda (@sgmenda) <a href="https://twitter.com/sgmenda/status/1127289744046600192?ref_src=twsrc%5Etfw">May 11, 2019</a></blockquote>
<p>See, also, <a href="https://twitter.com/sgmenda/status/1126907682626125824">this thread</a>.</p>
<p><strong>Edit (26/05):</strong> See, also,</p>
<blockquote class="twitter-tweet tw-align-center" data-lang="en"><p lang="en" dir="ltr">"Money or currency is believed by some to have a quantum nature. As we move towards a cashless economy and as digital- and crypto-currencies are on the rise, their diffusion will have commonality on which quantum physics operates." <br /> <a href="https://t.co/P0GcSg9TU4">https://t.co/P0GcSg9TU4</a></p>— Jonathan P. Dowling (@jpdowling) <a href="https://twitter.com/jpdowling/status/1132462366950600704?ref_src=twsrc%5Etfw">May 26, 2019</a></blockquote>
<p>Author: sanketh</p>
<p><strong>Quantum Computers Could Not Have Prevented 2008!!!</strong> (2019-04-09) <a href="https://unnatural-proofs.github.io/2019/quantum-computers-could-not-have-prevented-2008">https://unnatural-proofs.github.io/2019/quantum-computers-could-not-have-prevented-2008</a></p>
<p>This post is essentially a reference to my month-old tweets.</p>
<blockquote class="twitter-tweet tw-align-center" data-lang="en"><p lang="en" dir="ltr">1. Nature ≠ NPJQI<br />2. Risk measures like VaR were partly responsible for 2008. (<a href="https://t.co/t2T67Kas4m">https://t.co/t2T67Kas4m</a>)<br />3. Quadratic speedups for monte carlo are boring.</p>— Sanketh Menda (@sgmenda) <a href="https://twitter.com/sgmenda/status/1102208126986739715?ref_src=twsrc%5Etfw">March 3, 2019</a></blockquote>
<blockquote class="twitter-tweet tw-align-center" data-conversation="none" data-lang="en"><p lang="en" dir="ltr">Academics have been warning us about the dangers of VaR since 1995: (<a href="https://t.co/1NhdjgxRb2">https://t.co/1NhdjgxRb2</a>) (<a href="https://t.co/1NhdjgxRb2">https://t.co/1NhdjgxRb2</a>). If you want a more extreme take on it, see Taleb: (<a href="https://t.co/rTlJNBIXLw">https://t.co/rTlJNBIXLw</a>). The basic idea is that VaR is extremely sensitive to model specification.</p>— Sanketh Menda (@sgmenda) <a href="https://twitter.com/sgmenda/status/1115624921714044929?ref_src=twsrc%5Etfw">April 9, 2019</a></blockquote>
<p>After 2008, Taleb also <a href="http://nassimtaleb.org/2010/06/nassim-taleb-speaks-to-congress-value-at-risk-var/">spoke</a> to Congress about the risks of using VaR. (Ignore the description under the video.) You can see the full hearing <a href="https://youtu.be/40Gkp0wJplU">here</a>. More generally, see the <a href="https://en.wikipedia.org/wiki/Value_at_risk#Criticism">Criticism section</a> on VaR’s Wikipedia page.</p>
<p>Author: sanketh</p>
<p><strong>Edmonds in 1967</strong> (2019-04-07) <a href="https://unnatural-proofs.github.io/2019/edmonds-in-1967">https://unnatural-proofs.github.io/2019/edmonds-in-1967</a></p>
<div style="display:none;">
$$
\newcommand{\P}{\text{P}}
\newcommand{\EdmondsP}{\text{EdmondsP}}
\newcommand{\NP}{\text{NP}}
\newcommand{\coNP}{\text{coNP}}
\newcommand{\BQP}{\text{BQP}}
$$
</div>
<blockquote>
<p>
I conjecture that there is no good algorithm for the traveling salesman problem. My reasons are the same as for any mathematical conjecture: (1) It is a legitimate mathematical possibility, and (2) I do not know.
</p><br />
<cite>Jack Edmonds, <a href="https://nvlpubs.nist.gov/nistpubs/jres/71b/jresv71bn4p233_a1b.pdf">Optimum Branchings</a>, J. Res. Natl. Bur. Stand. 71B, 233-240 (1967). </cite>
</blockquote>
<p>I have seen this quote many times (it appears in Papadimitriou and Arora and Barak) but I haven’t read the source till today. I highly recommend anything by Edmonds, he is awesome. If you want to read just one paper: check out <a href="https://doi.org/10.4153/CJM-1965-045-4">Paths, Trees, and Flowers</a>.</p>
<p>If you are wondering, I still don’t believe that $\P = \NP \cap \coNP$. On the other hand, I wouldn’t be surprised if every combinatorial problem that is currently in $\NP \cap \coNP$—you could call this class $\EdmondsP$—turns out to be in $\P$. $\EdmondsP$, for instance, would include graph isomorphism, which I strongly believe is in $\P$. Also, if you are wondering why this does not imply $\P = \NP \cap \coNP$—after all, if all combinatorial problems in $\NP$ are in $\P$, then $\P=\NP$—it is because we don’t believe that $\NP \cap \coNP$ has complete problems (Sipser <a href="https://doi.org/10.1007/BFb0012797">constructed</a> a relativized world where this holds).</p>
<p><strong>Added on May 11, 2019:</strong> I heard Jack Edmonds talk about this at the <a href="http://www.fields.utoronto.ca/activities/18-19/NP50">Cook Symposium</a>. I admire him a lot more now. On a side note, a debate between Edmonds and Sipser broke out at the conference about the progress towards proving $\P \neq \NP$; you can see it for yourself <a href="http://www.fields.utoronto.ca/talks/Adventures-Complexity">here</a> (the debate starts at 10:00). I used to be in Sipser’s camp, but now I am squarely in Edmonds’s camp: the point of complexity theory is to inform real world decisions. It doesn’t matter whether $\P = \NP$ or not if we have an efficient (in the real world) algorithm for SAT.</p>
<p>Author: sanketh</p>
<p><strong>Mulmuley’s PRAM</strong> (2019-03-17) <a href="https://unnatural-proofs.github.io/2019/Mulmuleys-PRAM">https://unnatural-proofs.github.io/2019/Mulmuleys-PRAM</a></p>
<div style="display:none;">
$$
\newcommand{\P}{\text{P}}
\newcommand{\NC}{\text{NC}}
\newcommand{\NP}{\text{NP}}
\newcommand{\BQP}{\text{BQP}}
\newcommand{\BPP}{\text{BPP}}
\newcommand{\PSPACE}{\text{PSPACE}}
\newcommand{\SP}{\text{#P}}
\newcommand{\BQNC}{\text{BQNC}}
$$
$$
\newcommand{\CC}{\mathbb{C}}
\newcommand{\ZZ}{\mathbb{Z}}
\newcommand{\NN}{\mathbb{N}}
$$
$$
\newcommand{\A}{\mathcal{A}}
\newcommand{\poly}{\text{poly}}
\newcommand{\polylog}{\text{polylog}}
$$
$$
\newcommand{\ket}[1]{\lvert #1 \rangle}
\newcommand{\bra}[1]{\langle #1 \rvert}
\newcommand{\coloneqq}{\mathrel{:=}}
\newcommand{\dim}{\text{dim}}
$$
</div>
<p>Today, I will talk about one of my favorite models of computation—Mulmuley’s PRAM. To keep this post short, avoid embarrassing myself, and not fail any of my assignments, I will stick to just the model. In a later post, I will talk more generally about GCT.</p>
<p>This post is based on my notes which in turn are based on Joshua Grochow’s <a href="https://www.cs.toronto.edu/~toni/Courses/PvsNP/Lectures/lecture7-1.pdf">lec</a><a href="https://www.cs.toronto.edu/~toni/Courses/PvsNP/Lectures/lecture7-2.pdf">tur</a><a href="https://www.cs.toronto.edu/~toni/Courses/PvsNP/Lectures/lecture8.pdf">es</a> for CSC 2429 and Mulmuley’s <a href="http://gct.cs.uchicago.edu/">GCT papers</a>.</p>
<p>But, first, why should you care about models other than Turing machines (or uniform circuits!)? Because you can <em>prove</em> stuff. Remember that time, more than a decade ago, when STOC papers had actual unconditional proofs? That kind of proof. ;-p</p>
<p>Here is the punchline:</p>
<p><strong>Theorem 1</strong> (Mulmuley (1997, 1999))<strong>.</strong> In the PRAM model without bit operations (Mulmuley’s PRAM), $\P \neq \NC$.</p>
<p>If you have never seen $\NC$ before, don’t worry, we will see a definition soon. For now, think of it as problems that admit really fast ($\polylog$ time) parallel algorithms.</p>
<p>One of the reasons we care about $\P$ vs. $\NC$ is the question of whether fast parallel algorithms exist for combinatorial optimization problems like <a href="https://en.wikipedia.org/wiki/Maximum_flow_problem">max-flow</a>, which are $\P$-Complete. If $\P \neq \NC$, then there is no fast parallel algorithm for max-flow. Max-flow is a particularly nice problem because it has a strongly-polynomial time algorithm; that is, the running time is polynomial in the number of input parameters, not in the input bitlength. We don’t know if this property holds for all $\P$ problems (where it makes sense to ask this question!); a major open problem in TCS is to determine if linear programming has a strongly-polynomial algorithm.</p>
<p>For algebraic problems like max-flow, it makes sense to ask if there is a parallel algorithm that does not use bit operations. Theorem 1 unconditionally rules out this possibility. Notice that Theorem 1 is a formal implication of $\P \neq \NC$—I later argue that it is very strong evidence in favor of it.</p>
<p><strong>What is a bit operation?</strong> An operation that acts on the individual bits of the input/data like $\vee$, $\wedge$, <code class="language-plaintext highlighter-rouge">extract-bit</code>, <code class="language-plaintext highlighter-rouge">modify-bit</code>,… For this to make sense, think of the input as an array of integers.</p>
<h3 id="pram-model-without-bit-operations-aka-mulmuleys-pram">PRAM Model Without Bit Operations aka Mulmuley’s PRAM</h3>
<p>This model was introduced in Mulmuley (1993). Informally, it is a hybrid between algebraic models and restricted circuit models. The input is a bunch of integers. Like algebraic models, you can add and multiply these integers at unit cost. But—unlike algebraic models—the runtime and the number of processors are allowed to depend on <em>both</em> the number of inputs and their bitlength (don’t worry, this will become more clear in a second). Because of these weird characteristics, this model can do almost everything parallel algorithms can do. For example, it can do</p>
<ul>
<li>Neff’s <a href="https://doi.org/10.1016/S0022-0000(05)80061-3">specified precision polynomial root isolation</a></li>
<li>Csanky’s <a href="https://doi.org/10.1137/0205040">matrix inversion</a></li>
<li>Ben-Or et al.’s <a href="https://epubs.siam.org/doi/10.1137/0217069">determination of all roots of a polynomial with real roots</a></li>
<li>Karger and Motwani’s <a href="https://www.cs.bu.edu/faculty/gacs/courses/cs535/papers/p497-karger.pdf">min-cuts</a></li>
</ul>
<p>I don’t quite understand these results, so don’t ask me about them…</p>
<p><strong>Definition</strong> (Algebraic RAM Program over $\ZZ$)<strong>.</strong> First, think of your garden-variety RAM machine with 1 processor and infinitely many memory locations (the addresses start at <code class="language-plaintext highlighter-rouge">0x1</code> and go to infinity). Here, each memory location can store an integer (instead of a bit). As usual, the memory is split between input, output and workspace. There is a constant number of distinct instructions and each is of the form:</p>
<ol>
<li>$w = u \circ v$ where
<ul>
<li>$\circ \in \{+, -, \times\}$</li>
<li>$w$ is a memory location</li>
<li>$u,v$ are memory locations or constants.</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">goto</code> $\ell$ where $\ell$ is an instruction label.</li>
<li>conditioned on $u \square 0$, <code class="language-plaintext highlighter-rouge">branch</code> to $\ell$, where
<ul>
<li>$\square \in \{<, \leq, =\}$</li>
<li>$u$ is a memory location</li>
<li>$\ell$ is an instruction label</li>
</ul>
</li>
<li>copy $u$ to $v$, where $u,v$ are memory locations.</li>
<li>dereference $*u$; that is, interpret the value of $u$ as a memory location and read from there.</li>
<li>address of $\&u$; that is, get address of $u$.</li>
<li><code class="language-plaintext highlighter-rouge">return</code></li>
</ol>
<p>If you have taken a computer architecture course, then the above definition should look familiar. Yes, there are some gaps in my definition; if you care, try to fill them as an exercise. One important thing to note is that—unlike real processors—here, we are assuming that all these instructions take unit time (“unit cost model”). This assumption only makes our claim stronger as we are only going to talk about lower bounds.</p>
<p><strong>Definition</strong> (Nonuniform Algebraic RAM over $\ZZ$)<strong>.</strong> This is similar to a nonuniform family of circuits. A sequence
\begin{equation}
\A = \{A_{n,N} : n,N \in \NN \}
\end{equation}
of algebraic RAM programs over $\ZZ$. For an input of $n$ integers and total bitlength at most $N$ we use $A_{n,N}$.</p>
<p><strong>Definition</strong> (Algebraic PRAM Program over $\ZZ$)<strong>.</strong> The P in PRAM stands for parallel. Here, the number of processors is $\poly(n,N)$. Every processor has private memory and can communicate with other processors using shared memory. As usual, we have EREW, CREW, and CRCW modes (if you don’t know about these modes, forget that I mentioned them.).</p>
<h3 id="mulmuleys-lower-bound">Mulmuley’s Lower Bound</h3>
<p>As I mentioned above, I am not going to explain this result. (I don’t quite understand it myself!) But I want to state it a little more formally.</p>
<p><strong>Theorem 1</strong> (Mulmuley (1997, 1999))<strong>.</strong> The max-flow problem for $n$ nodes, where every edge-capacity is a nonnegative integer of bitlength at most $O(n^2)$, cannot be solved in $\Omega(\sqrt{n})$ time with $2^{\Omega(\sqrt{n})}$ processors.</p>
<p>Here we are considering the decision version of the max-flow problem. The input also has a parameter $f_0$ and you want to decide if the max flow exceeds $f_0$.</p>
<p>Mulmuley’s result also holds for the constant-additive-error approximation version. Mulmuley’s result also extends to <em>PRAM with limited bit operations</em>, where parity, left shift (by 1) and right shift (by 1) are allowed. I will elaborate on this in a forthcoming GCT post, but it is super cool how you can make this model “more boolean” without fucking everything up. Roughly speaking, this is why GCT has the potential to prove boolean $\P \neq \NP$.</p>
<h3 id="random-and-quantum-pram">Random and Quantum PRAM</h3>
<p>Let us start by talking about Randomized PRAM. This turns out to be not that hard, just add an instruction</p>
<ol>
<li><code class="language-plaintext highlighter-rouge">random-branch</code> $\ell$ which flips a fair coin and branches to label $\ell$ if coin returns 1.</li>
</ol>
<p>Defining quantum PRAM is equally easy, add the instruction</p>
<ol>
<li><code class="language-plaintext highlighter-rouge">quantum-branch</code> $\ell$ $\theta$ which
<ul>
<li>continues with amplitude $\sin(\theta)$, and</li>
<li>branches with amplitude $i\cos(\theta)$.</li>
</ul>
</li>
</ol>
<p>This gate is inspired by <a href="https://doi.org/10.1098/rspa.1989.0099">Deutsch’s (1989)</a> construction of a universal quantum gate. I am not going to get into it here, but for our purposes, it suffices to have this gate only for a fixed constant number of values of $\theta$. (For a far better definition of quantum PRAM, see <a href="https://doi.org/10.1098/rspa.2012.0686">Beals et al. (2013)</a>.)</p>
<p><strong>Claim.</strong> Quantum PRAM corresponds to $\BQNC$.</p>
<p>Now, here is my conjecture (which I think I can prove):</p>
<p><strong>Conjecture 1.</strong> In the PRAM model without bit operations, $\P \neq \BQNC$.</p>
<p>The reason this conjecture might be interesting concerns the power of $\P^\BQNC$, which kinda models the power of near-term quantum computers. Hit me up if you want to chat about this.</p>
<h3 id="references">References</h3>
<p>Mulmuley, Ketan. “A Lower Bound for Solvability of Polynomial Equations.” In Foundations of Software Technology and Theoretical Computer Science, 13th Conference, Bombay, India, December 15-17, 1993, Proceedings, 268–83, 1993. DOI: <a href="https://doi.org/10.1007/3-540-57529-4_60">10.1007/3-540-57529-4_60</a>.</p>
<p>—. “Lower Bounds for Parallel Linear Programming and Other Problems.” In Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, 23-25 May 1994, Montréal, Québec, Canada, 603–14, 1994. DOI: <a href="https://doi.org/10.1145/195058.195413">10.1145/195058.195413</a>.</p>
<p>—. “Is There an Algebraic Proof for P != NC? (Extended Abstract).” In Proceedings of the Twenty-Ninth Annual ACM Symposium on the Theory of Computing, El Paso, Texas, USA, May 4-6, 1997, 210–19, 1997. DOI: <a href="https://doi.org/10.1145/258533.258586">10.1145/258533.258586</a>.</p>
<p>—. “Lower Bounds in a Parallel Model without Bit Operations.” SIAM J. Comput. 28, no. 4 (1999): 1460–1509. DOI: <a href="https://doi.org/10.1137/S0097539794282930">10.1137/S0097539794282930</a>.</p>
<p>Author: sanketh</p>
<p><strong>What Does It Mean to Simulate a Quantum Computer?</strong> (2018-12-01) <a href="https://unnatural-proofs.github.io/2018/what-does-it-mean-to-simulate-a-quantum-computer">https://unnatural-proofs.github.io/2018/what-does-it-mean-to-simulate-a-quantum-computer</a></p>
<p><a href="https://scholar.google.com/citations?user=GqpgudUAAAAJ&hl=en">Hakop Pashayan</a> of The University of Sydney gave an excellent talk on classical simulation of quantum circuits at the Institute for Quantum Computing yesterday. The talk was based on the following paper:</p>
<blockquote>
<p><em>From estimation of quantum probabilities to simulation of quantum circuits</em><br />
Hakop Pashayan, Stephen D. Bartlett, and David Gross<br />
<a href="https://arxiv.org/abs/1712.02806">arXiv:1712.02806 [quant-ph]</a></p>
</blockquote>
<p>The big takeaway for me was the new perspective on classical simulation (of quantum computation).</p>
<p>Normally, when we talk about classical simulation we talk about efficient algorithms for outputting an approximation to the answer; that is, if the original circuit accepts the input with high probability, then the simulation should accept the input with high probability. A self-contained paper that I really like in this direction is <a href="https://arxiv.org/abs/quant-ph/0406196v5">Aaronson and Gottesman (2004)</a>.</p>
<p>But, the metric we <em>really</em> care about is <em>computational indistinguishability</em>. If we cannot tell the difference between a quantum computer and the simulator in polynomial time, it doesn’t matter which one we have. Of course, the simulator should be able to do everything in $\text{NP} \cap \text{BQP}$ but when we are talking about sampling problems (like simulating restricted quantum systems) outside $\text{NP}$ this distinction matters. Also, most restricted quantum systems cannot do stuff like factoring which puts $\text{NP} \cap \text{BQP}$ outside $\text{P}$.</p>
<p>So, lemme define a simulator as follows. A classical algorithm $A$ is a <em>(classical) simulator</em> of a quantum system $\mathcal{Q}$ if there does not exist a polynomially-bounded classical verifier $V$ such that $V$ can tell the difference between $A$ and $\mathcal{Q}$ given oracle access.</p>
<p>Now that we have this definition, a natural question is whether we can construct such simulators for near-term models like noisy IQP circuits (see <a href="https://arxiv.org/abs/1610.01808">Bremner, Montanaro, and Shepherd (2017)</a>) and noisy boson sampling circuits (see <a href="https://arxiv.org/abs/1801.06166">Oszmaniec and Brod (2018)</a>).</p>
<p>Also, now that we have interactive proofs in the picture, what about zero-knowledge proofs? Can we construct a protocol such that a quantum computer/simulator can prove its “quantumness” without “leaking” any further information?</p>
<p>Also, one can ask about the power of adaptive queries in this setting. Do there exist simulators that are indistinguishable from a quantum system in the parallel query model but are easily distinguished once we allow adaptive queries?</p>
<p>A question that I have been interested in for quite some time is lower bounds on the simulation of quantum computation. Maybe this is the right model to ask these questions.</p>
<p>Finally, although these problems seem super theoretical, I strongly believe that they are of practical interest.</p>
<p><strong>Shannon in 1977</strong> (sanketh, 2018-11-15; <a href="https://unnatural-proofs.github.io/2018/shannon-in-1977">permalink</a>)</p>
<blockquote>
<p>Well, back in '42 ... computers were just emerging, so to speak. They had things like the ENIAC down at University of Pennsylvania. ... Now they were slow, they were very cumbersome and huge and all, there were computers that would fill a couple rooms this size and they would have about the ability of one of the little calculators that you can buy now for $10. But nevertheless we could see the potential of this, the thing that happened here if things ever got cheaper and we could ever make the up-time better, sort of keep the machines working for more than ten minutes, things like that. It was really very exciting.</p>
<p>We had dreams, Turing and I used to talk about the possibility of simulating entirely the human brain, could we really get a computer which would be the equivalent of the human brain or even a lot better? And it seemed easier then than it does now maybe. We both thought that this should be possible in not very long, in ten or 15 years. Such was not the case, it hasn't been done in thirty years.</p>
<cite>Shannon, 1977; as cited in Soni, Jimmy, and Rob Goodman. A mind at play: How Claude Shannon invented the information age. Simon and Schuster, 2017. p. 106</cite>
</blockquote>
<p><a href="https://books.google.ca/books?id=gygsDwAAQBAJ&lpg=PA107&ots=YKtABbgVEM&dq=shannon%201977%20now%20they%20were%20slow%2C%20they%20were%20cumbersome%20and%20huge%20and%20all%2C%20they%20were%20computers&pg=PA107#v=onepage&q&f=false">Here</a> is the page in Google books.</p>
<p>Also, since you are here, check out <a href="https://twitter.com/dabacon/status/1063163663815663616">this twitter thread</a> by <a href="https://twitter.com/dabacon">@dabacon</a>. The cited <a href="https://spectrum.ieee.org/computing/hardware/the-case-against-quantum-computing">article</a> is infuriating; for example, look at this:</p>
<blockquote>
<p>Indeed, all of the assumptions that theorists make about the preparation of qubits into a given state, the operation of the quantum gates, the reliability of the measurements, and so forth, cannot be fulfilled exactly. They can only be approached with some limited precision. So, the real question is: What precision is required? With what exactitude must, say, the square root of 2 (an irrational number that enters into many of the relevant quantum operations) be experimentally realized? Should it be approximated as 1.41 or as 1.41421356237? Or is even more precision needed? Amazingly, not only are there no clear answers to these crucial questions, but they were never even discussed!</p>
</blockquote>
<p><strong>What is the power of a BPP verifier with a QMA prover?</strong> (sanketh, 2018-10-28; <a href="https://unnatural-proofs.github.io/2018/what-is-the-power-of">permalink</a>)</p>
<p>I dunno.</p>
<p>I think that it is at least BQP. Dorit Aharonov and Ayal Green <a href="https://arxiv.org/abs/1710.09078">showed</a> that PostBQP is contained in IP[BPP, PostBQP] (an interactive protocol with a BPP verifier and a PostBQP prover).</p>
<p>Before someone points it out, I know that if I assume LWE (or technically speaking, the existence of an <em>extended trapdoor claw-free family</em>) then this follows from Urmila Mahadev’s <a href="https://arxiv.org/abs/1804.01082">breakthrough result</a> from earlier this year, but I don’t want to assume anything.</p>
<p>My current approach is to show that an additive approximation to the Jones polynomial is contained in this class. But I don’t know how to make it work. (I only spent half a day on it so maybe it is obvious and I just missed it.)</p>
<p>We know how to do this for easier problems; for instance, François Le Gall, Tomoyuki Morimae, Harumichi Nishimura, and Yuki Takeuchi <a href="https://arxiv.org/abs/1805.03385">showed</a> that computing orders of solvable groups (which John Watrous <a href="https://cs.uwaterloo.ca/~watrous/Papers/QuantumAlgorithmsSolvableGroups.pdf">put</a> in BQP) is in IP[BPP, BQP].</p>
<p>While trying to write up a different result (which is what I should be doing), I stumbled upon <a href="https://lance.fortnow.com/papers/files/thesis.pdf">Lance Fortnow’s thesis</a> and it is awesome! (I should prolly get back to writing…)</p>