Arthur, Merlin, and Black-Box Groups in Quantum Computing

Scott Aaronson (MIT)

Or, How Laci Did Quantum Stuff Without Knowing It

I’ll tell the story of a few of Laci’s brainchildren from the 80s—MA, AM, black-box groups—and how they came to play a major role in quantum computing theoryWhat should you conclude from this?(1)Laci works on the trendiest areas before they even exist(2)Quantum computing can’t be that scary(3)Beautiful mathematical structures (like finite

groups) do useful things in TCS (like giving natural examples where quantum computing seems to outperform classical) 2 / 17

Dramatis Personae: Merlin & Arthur

Babai’s probabilistic generalizations of NP:MA (Merlin-Arthur): Class of languages L for which, if the answer is “yes,” there’s a polynomial-size proof that Arthur can check in probabilistic polynomial-timeAM (Arthur-Merlin): Same, except that now Arthur can also submit a random challenge to Merlin

All-knowing prover Polynomial-time verifier

Witness w{0,1}p(n)

Input x{0,1}n Is xL?

3 / 17

[Klivans-van Melkebeek ‘99] Under plausible complexity assumptions, AM=MA=NP

Example: Suppose Merlin wants to convince Arthur that

But in the black-box setting, these classes can be extremely different!

is one-to-one rather than two-to-one

In NP or MA, he can’t!But in AM, Arthur can pick a random input x{0,1}n, then compute f(x), send it to Merlin and ask what x was

4 / 17

Quantum Mechanics In One SlideState of n “qubits” is a unit vector in :

You can multiply the vector of x’s (amplitudes) by a 2n2n unitary matrix U (matrix that maps unit vectors to unit vectors)

If you measure the state |, you see outcome |x with probability |x|2. Also, the state collapses to |x

2n orthogonal basis vectors: |0…0, …, |1…1Usual initial state: |0…0

(you get used to the asymmetric brackets with time)

Central phenomenon that QC exploits: interference between positive and negative amplitudes 5 / 17

Quantum Analogues of NPQMA (Quantum Merlin-Arthur): Class of problems for which, if the answer is “yes,” there’s a quantum proof | with poly(n) qubits, which can be checked by a polynomial-time quantum verifier

FUNDAMENTAL QUESTIONDoes QMA = QCMA?

Intuitively: Can a quantum proof be exponentially more compact than its shortest classical counterpart?

QCMA (Quantum Classical Merlin-Arthur): Same as QMA, except now the proof needs to be classical

6 / 17

PBPP

BQPNP

MA

AM

QCMA

QMA

P#P

QAM

PHBestiary

7 / 17

Black-Box Groups

Quantum analogue:

Input: Meaningless strings that label

elements of G

Output: Labels of gh or g-1

We’re given: Generators g1,…,gk of G; ability to recognize the identity element e

Unknown finite group G, of order 2poly(n)

Important point: In the quantum case, every element of G must have a unique label!

From now on, we’ll abuse notation and identify an

element gG with its label

8 / 17

The Group Membership Problem

Membership in H can be proved in NP [Babai-Szemerédi’84]But what about proving non-membership in H?

Given: Black-box group G, subgroup HG (specified by generators), element xGProblem: Is xH?

H

Gx

Fact: For some groups G (even abelian groups), there’s no small NP proof (or even MA proof) for non-membership(Non-membership can always be proved in AM, using protocols for approximate counting)

9 / 17

There is always a QMA witness of non-membership! [Watrous 2000]

where |Hx is an equal superposition over the elements of the right coset Hx

Merlin’s “quantum proof” for xH (in the honest case):

Given this proof, Arthur prepares

(equal superposition over elements of H)

Note: |H might be exponentially hard to prepare!Sampling a random element of H isn’t enough

Then he applies the Hadamard transformto the first qubit and measures that qubit

10 / 17

First suppose xH. Then |H=|Hx

Ah, but how does Arthur check that Merlin’s witness | is really |H, and not some other state?Step 1: Use a random walk [Babai’91] to generate nearly-random elements gG and hHStep 2: Check that | behaves like |H on all gG and hH that are tested

Next suppose xH. Then |H and |Hx are orthogonal

HADAMARD

HADAMARD

so |0 is observed with probability 1

so |0 and |1 are equally likely to be observed

11 / 17

So, can Group Non-Membership be used to prove an oracle separation between

QMA and QCMA?

Theorem [A.-Kuperberg 2007]: Group Non-Membership has polynomial-size classical proofs, which can be verified using poly(n) quantum queries to the group oracle

(and possibly exponential post-computation—though even that can be removed under plausible group-

theoretic conjectures)

Alas, no.

12 / 17

Idea of proof: “Pull the group out of the black box”

Explicit group Black-box group G

Isomorphism f claimed by

Merlin

To check that f is (close to) a homomorphism, Arthur uses a classical homomorphism tester of [Blum-Luby-Rubinfeld]

Assuming f is a homomorphism, f is 1-to-1 Ker f is trivial This yields an instance of the Hidden Subgroup Problem!

[Ettinger-Høyer-Knill ‘97] show that for any group G, HSP is solvable with poly(n) quantum queries to the group oracle

13 / 17

Communication Complexity ChallengeGroup theorists in the audience: please pay attention

Finite group G known to both players

Subgroup HG Element xG

Best deterministic protocol: Alice sends Bob log2|G| bits (the generators of H)

Best quantum protocol: Alice sends Bob log|G| qubits,

Then Bob runs the Watrous protocol to decide if xH

1-WAY message mH

Is xH?

14 / 17

$50 Challenge: Does there exist a family of groups {Gn}, for which any classical randomized protocol needs (log|Gn|) bits? (Ideally (log2|Gn|)?)

[A., Le Gall, Russell, Tani 2009]: If G is abelian—or if G has constant-dimensional irreps, or if is a normal subgroup—then there’s a classical randomized protocol that uses only O(log|G|) communication

15 / 17

Would yield the first asymptotic gap between 1-way randomized and 1-way quantum communication

complexities, for a total Boolean function

Conclusion: Why Do Quantum Computing and Finite Groups Mesh So Well?

Finite groups are “rigid” objectsAny two right-cosets of HG are either identical or disjointAny two distinct subgroups differ on a constant fraction of elements

And we want that “rigidity” in quantum algorithms and protocols, to create interesting interference patternsAlso, the fact that elements have unique inverses means that we can apply group operations reversibly Still, understanding the interplay of quantum computing with (badly) nonabelian groups remains a challenge

Most famous example of that, which I only touched on: the Nonabelian Hidden Subgroup Problem 16 / 17

More Open ProblemsIs there a QMA protocol to prove that a black-box function f:{0,1}n{0,1}n is one-to-one rather than two-to-one?

In 2002, I showed this problem is not in BQP; indeed any quantum algorithm needs (2n/3) time [A.-Shi 2002]

It’s still open to prove an oracle separation between QMA and QCMA!

[A.-Kuperberg 2007] proved a “quantum oracle separation”

Can we give an oracle relative to which BQPAM?[A. 2010]: The “Generalized Linial-Nisan Conjecture” would imply an oracle relative to which BQPPH Original Linial-Nisan Conjecture: Proved by [Braverman 2009]

Laci actually thought of it before Linial-Nisan 17 / 17