1 / 19

Scott Aaronson UT Austin (and Scientific Adviser to QC Ware)

Quantum Supremacy and its Applications (!). HELLO HILBERT SPACE. Scott Aaronson UT Austin (and Scientific Adviser to QC Ware) Q2B, Mountain View, CA, December 12, 2018 Papers and slides at www.scottaaronson.com. QUANTUM SUPREMACY. | .

stephencdavis
Télécharger la présentation

Scott Aaronson UT Austin (and Scientific Adviser to QC Ware)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Quantum Supremacy and its Applications (!) HELLO HILBERT SPACE Scott Aaronson UT Austin (and Scientific Adviser to QC Ware) Q2B, Mountain View, CA, December 12, 2018 Papers and slides at www.scottaaronson.com

  2. QUANTUM SUPREMACY |  #1 Application of quantum computing: Refute the QC skeptics! You heard yesterday from groups that are racing to achieve this with ~50-100 qubit systems. “Even if it’s useless, who cares?”

  3. “Sure, building 100 high-quality qubits is tough. But once you do, just throw them at any optimization or machine learning or other application problem you want, and clearly it’ll take 2100 steps to solve the same problem classically!” Kerenidis-Prakash 2016: Quantum algorithm for recommending products in Netflix-like systems in logarithmic time (given a QRAM and a suitable data structure)—exponentially faster than any classical algorithm known at the time Me, Preskill in last year’s Q2B: Can we show that any classical algorithm for this task needs polynomially many memory accesses, and hence that this speedup is real?

  4. Ewin Tang’s Breakthrough (2018) Fundamental obstruction to ruling out a fast classical algorithm for the Kerenidis-Prakash problem: There is such an algorithm (a “dequantization”)! Last month, was generalized to dequantize essentially all quantum ML algorithms based on low-rank linear algebra (though not HHL) Gilyen-Lloyd-Tang, Chia-Lin-Wang QC applications realizable with 0 qubits!

  5. What if we just want maximum confidence that we’re solving something that’s classically exponentially hard? Theoretical work (Terhal-DiVincenzo 2004, A.-Arkhipov 2011, Bremner-Jozsa-Shepherd 2011…) has uncovered many advantages to switching our attention from problems with a single valid answer to sampling problems The classical hardness of sampling problems can even be based on the belief that the polynomial hierarchy is infinite Additional huge advantage: potential to realize these sampling speedups using NISQ devices We “merely” give up on: obvious applications, a fast classical way to verify the result…? PostBQP: where we allow postselection on exponentially-unlikely measurement outcomes PostBPP: Classical randomized subclass Theorem (A. 2004): PostBQP = PP PostBPP is in the polynomial hierarchy PostBQP PostBPP

  6. The Random Quantum Circuit Proposal Generate a quantum circuit C on n qubits in a nn lattice, with d layers of random nearest-neighbor gates Apply C to |0n and measure. Repeat T times, to obtain samples x1,…,xT from {0,1}n Check whether x1,…,xT solve the “Heavy Output Generation” (HOG) problem—e.g., do at least 2/3 of the xi’s have more than the median probability?(takes classical exponential time, which is OK for n70) Publish C. Challenge skeptics to generate samples passing the test in a reasonable amount of time

  7. A. and Lijie Chen, arXiv:1612.05903 Theorem (paraphrased): Suppose there’s a poly-time classical “faking” algorithm—one that, given a a random quantum circuit C, with n qubits and m>>n gates, solves HOG with high probability. Then there’s also a poly-time classical algorithm to guess whether Pr[C outputs 0n] exceeds some threshold , with ~1/2n bias over flipping a coin Theorem: There is a poly-time classical algorithm to guess if Pr[C outputs 0n] >  with 1/exp(m) bias Theorem: There’s also a recursive classical algorithm to simulate C using mO(n) time and linear memory—“interpolating between Schrödinger and Feynman” But neither of these yield guessing algorithms that undermine the presumed hardness of HOG!

  8. “But even if these sampling-based supremacy experiments work, they’ll just produce mostly-random bits, which is obviously useless…” 1101000011010011110110110011001100010100100110100011111011110100

  9. Certified Random Bits: Who Needs ‘Em? For public use:Election auditing, lotteries, parameters for cryptosystems, zero-knowledge protocols, proof-of-stake cryptocurrencies… For private use: Cryptographic keys (a big one!) Trivial Quantum Randomness Solution! |0 H Problem: What if your quantum hardware was backdoored by the NSA? (Like the DUAL_EC_DRBG pseudorandom generator apparently was?) Want to trust a deterministic classical computer only PostBQP: where we allow postselection on exponentially-unlikely measurement outcomes PostBPP: Classical randomized subclass Theorem (A. 2004): PostBQP = PP PostBPP is in the polynomial hierarchy PostBQP PostBPP

  10. Earlier Approach: Bell-Certified Randomness Generation Colbeck and Renner, Pironio et al., Vazirani and Vidick, Coudron and Yuen, Miller and Shi… Upside: Doesn’t need a QC; uses only “current technology” (though loophole-free Bell violations are only ~2 years old) Downside: If you’re getting the random bits over the Internet, how do you know Alice and Bob were separated?

  11. Randomness from Quantum Supremacy Experiments SEED CHALLENGES Key Insight: A QC can solve certain sampling problems quickly—but under plausible hardness assumptions, it can only do so by sampling (and hence, generating real entropy) Upsides: Requires just a single device—good for certified randomness over the Internet. Ideal for near-term devices Caveats: Requires hardness assumptions and initial seed randomness. Verification (with my scheme) takes exp(n) time

  12. INHERENTLY REQUIRES QUANTUM Why? Because a classical server could always replace its randomness source by a pseudorandom one without the client being able to detect it Indeed, our protocol requires certain tasks (e.g., finding heavy outputs of a quantum circuit) to be easy for QCs, and other tasks (e.g., finding the same heavy outputs every time) to be hard for QCs!

  13. The Protocol 1. The classical client generates n-qubit quantum circuits C1,…,CT pseudorandomly (mimicking a random ensemble) 2. For each t, the client sends Ct to the server, then demands a response St within a very short time In the “honest” case, the response is a list of k samples from the output distribution of Ct|0n 3. The client picks O(1) random iterations t, and for each one, checks whether St solves the HOG problem 4. If these checks pass, then the client feeds S=S1,…,ST into a classical randomness extractor, to get nearly pure random bits Soundness theorem (in preparation): Under suitable (strong) computational hardness assumptions, if the server is a fast QC and the client accepts w.h.p., then conditioned on the client accepting, cn bits of min-entropy must be generated per iteration, for some constant c>0

  14. Applications For those connecting over the cloud: Public randomness For the QC owner: Private randomness The protocol does require pseudorandom challenges, but: Even if the pseudorandom generator is broken later, the truly random bits will remain safe (“forward secrecy”) Even if the seed was public, the random bits can be private The random bits demonstrably weren’t known to anyone, even the QC, before it received a challenge (freshness)

  15. Different Approach Brakerski, Christiano, Mahadev, Vazirani, Vidick arXiv:1804.00640 Method for a QC to generate random bits, assuming the quantum hardness of breaking lattice-based cryptosystems 2-to-1 function f, plus trapdoor f f(x) measurement basis measurement result Huge advantage of the BCMVV scheme over mine: Polynomial-time classical verification! Advantage of mine: Can be run on near-term devices!

  16. Some Future Directions Can we prove quantum supremacy, as well as certified randomness, under more “standard” and less “boutique” computational hardness assumptions? Can we get polynomial-time classical verification with any of the problems solvable by NISQ devices? Can we get more and more certified randomness by sampling with the same circuit C over and over? Would greatly improve the bit rate

  17. Conclusions We might be close to 50-70 qubit quantum supremacy experiments. We can say interesting things about the hardness of simulating them classically; we’d like to say more Certified randomness generation: the most plausible application of a very-near-term QC? This application requires sampling problems: problems with definite answers (like factoring) are useless! Not only can we do it with ~70 qubits, we don’t want more. No expensive encoding needed; can fully exploit hardware “Try to embrace the weaknesses of NISQ devices, and turn them into strengths…”

More Related