1 / 20

Scott Aaronson ( UT Austin ) Beyond Crypto, Santa Barbara, CA, August 19, 2018

Certified Randomness from Quantum Supremacy. 1101000011010011110110110011001100010100100110100011111011110100. Scott Aaronson ( UT Austin ) Beyond Crypto, Santa Barbara, CA, August 19, 2018.

brandas
Télécharger la présentation

Scott Aaronson ( UT Austin ) Beyond Crypto, Santa Barbara, CA, August 19, 2018

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Certified Randomness from Quantum Supremacy 1101000011010011110110110011001100010100100110100011111011110100 Scott Aaronson (UT Austin) Beyond Crypto, Santa Barbara, CA, August 19, 2018 With a special bonus on: A connection between gentle measurement and differential privacy (joint work with Guy Rothblum)

  2. Sampling-Based Quantum Supremacy Theoretical foundations: Terhal-DiVincenzo 2004, Bremner et al. 2011, A.-Arkhipov 2011, A.-Chen 2017... Showed that sampling the output distributions of various quantum systems is classically intractable under plausible assumptions… My previous line: Exciting because Google et al. might be able to do this in O(1) years, and because it will refute Oded Goldreich & Gil Kalai. Obviously, useless in itself… 1101000011010011110110110011001100010100100110100011111011110100

  3. Certified Random Bits: Who Needs ‘Em? For public use:Election auditing, lotteries, parameters for cryptosystems, zero-knowledge protocols, proof-of-stake cryptocurrencies… For private use: Cryptographic keys (a big one!) Trivial Quantum Randomness Solution! |0 H Problem: What if your quantum hardware was backdoored by the NSA? (Like the DUAL_EC_DRBG pseudorandom generator was?) Want to trust a deterministic classical computer only PostBQP: where we allow postselection on exponentially-unlikely measurement outcomes PostBPP: Classical randomized subclass Theorem (A. 2004): PostBQP = PP PostBPP is in the polynomial hierarchy PostBQP PostBPP

  4. Earlier Approach: Bell-Certified Randomness Generation Colbeck and Renner, Pironio et al., Vazirani and Vidick, Coudron and Yuen, Miller and Shi… Upside: Doesn’t need a QC; uses only “current technology” (though loophole-free Bell violations are only ~2 years old) Downside: If you’re getting the random bits over the Internet, how do you know Alice and Bob were separated?

  5. New Approach: Randomness from Quantum Supremacy SEED CHALLENGES Key Insight: A QC can solve certain sampling problems quickly—but under plausible hardness assumptions, it can only do so by sampling (and hence, generating real entropy) Upsides: Requires just a single device—perfect for remote use. Ideally suited to near-term QCs Caveats: Requires hardness assumptions and initial seed randomness. Verification (with my scheme) takes exp(n) time

  6. INHERENTLY REQUIRES QM Why? Because a classical server could always replace its randomness source by a pseudorandom one without the client being able to detect it Indeed, our protocol requires certain tasks (e.g., finding heavy outputs of a quantum circuit) to be easy for QCs, and other tasks (e.g., finding the same heavy outputs every time) to be hard for QCs!

  7. The protocol does require pseudorandom challenges, but: Even if the pseudorandom generator is broken later, the truly random bits will remain safe (“forward secrecy”) Even if the seed was public, the random bits can be private The random bits demonstrably weren’t known to anyone, even the QC, before it received a challenge (freshness)

  8. The Protocol 1. The classical client generates n-qubit quantum circuits C1,…,CT pseudorandomly (mimicking a random ensemble) 2. For each t, the client sends Ct to the server, then demands a response St within a very short time In the “honest” case, the response is a list of k samples from the output distribution of Ct|0n 3. The client picks O(1) random iterations t, and for each one, checks whether St solves “HOG” (Heavy Output Generation) 4. If these checks pass, then the client feeds S=S1,…,ST into a classical randomness extractor, such as GUV (Guruswami-Umans-Vadhan), to get nearly pure random bits

  9. The HOG Problem Given as input an n-qubit quantum circuit C, and parameters b(1,2) and kN, output n-bit strings s1,…,sk such that We can verify that s1,…,sk solves HOG in ~2n classical time For b(1,2) and large enough k, an ideal QC solves HOGb,k with probability close to 1, because of Porter-Thomas speckle behavior and the law of large numbers I can now prove Porter-Thomas behavior! Albeit for a weird circuit ensemble

  10. Long List Hardness Assumption (LLHA) Arthur is given random access to a list of random n-qubit quantum circuits C1,…,CM, as well as n-bit strings s1,…,sM, where (say) M=23n. He’s promised that either • the si’s were drawn uniformly at random, or • each si was drawn from the output distribution of Ci. Then there’s no AM protocol wherein Arthur sends Merlin an nO(1)-bit classical challenge, then Merlin sends back an nO(1)-bit reply that convinces Arthur it’s case (2). Even if Arthur can do the verification using a 20.49n-time quantum computation, with 20.49n qubits of quantum advice.

  11. Basic Theorem: Suppose LLHA holds. Let Q be a polynomial-time quantum algorithm that solves HOGb,k(C) with success probability at least q, averaged over all C. Then Q’s output distribution has at least of its mass (again, averaged over all circuits C) on outputs with probability at most 2-0.49n Proof Idea: Using a “low-entropy” quantum algorithm Q to solve HOG, we design an AM protocol, based on Stockmeyer approximate counting, that violates LLHA—one where Merlin points Arthur to various high-probability outputs of Q to convince him he’s in case (2)

  12. Pseudorandom Function Assumption (PRFA) There’s a family of efficiently-computable Boolean functions, gk:{0,1}n{0,1}, parameterized by an O(n)-bit seed k, such that for every 3n-time quantum algorithm Q, Moreover, this is true even if Q is a PDQP algorithm (A. et al. 2014): a quantum algorithm that can contain both ordinary measurements and “non-collapsing” measurements LLHA and PRFA are strong assumptions, though both can be shown to hold in the random oracle model

  13. Main Result Suppose LLHA and PRFA both hold, and that the server does at most nO(1) quantum computation per iteration. Suppose also that we run the protocol, for T2n steps, and the client accepts with probability >½. Then conditioned on the client accepting, the output bits S are 1/exp(n(1))-close in variation distance to a distribution with min-entropy(Tn). Which means: the extractor will output (Tn) bits that are exponentially close to uniform Hard part: show accumulation of min-entropy across the T iterations. E.g., rule out that the samples are correlated

  14. Independent Approach Brakerski, Christiano, Mahadev, Vazirani, Vidick arXiv:1804.00640 Method for a QC to generate random bits, assuming the quantum hardness of breaking lattice-based cryptosystems 2-to-1 function f, plus trapdoor f f(x) measurement basis measurement result Huge advantage of the BCMVV scheme: Polynomial-time classical verification! Huge advantage of mine: Can run on near-term devices!

  15. Open Problems Can we get polynomial-time classical verification and near-term implementability at the same time? Can we get more and more certified randomness by sampling with the same circuit C over and over? Would greatly improve the bit rate, remove the need for a PRF Can we prove our scheme sound under less boutique complexity assumptions (without the quantum advice, non-collapsing measurements, long list of circuits…)? What about soundness against adversaries that are entangled with the QC? Certified randomness generation: the most plausible application for near-term QCs? All the weaknesses of sampling-based quantum supremacy experiments have become strengths!

  16. Gentle Measurement Bonus Measurements in QM are destructive … but not always! Given a quantum measurement M on n registers, we call M -gentle if for every product state =1n, and every possible outcome y of M, Example: Measuring the total Hamming weight of n unentangled qubits could be highly destructive But measuring the Hamming weight plus noise of order >>n is much safer!

  17. Quantum Differential Privacy“Protecting the Privacy Rights of Quantum States” Given a quantum measurement M on n registers, we call M -DP if for every product state =1n, every ’ that differs from  on only 1 register, and every possible outcome y of M, Example: Measuring the total Hamming weight of n unentangled qubits plus a noise term Hmmmm….

  18. Our DPGentleness Theorem (1) M is -gentle  M is O()-DP (2) M is -DP, and consists of a classical algorithm applied to the results of separate measurements on each register  M can be implemented in a way that’s O(n)-gentle Could be seen as a quantum analogue of the known connection between DP and adaptive data analysis (Dwork et al.) Notes: Both directions are asymptotically tight Restriction to product states is essential for part (2) (without it we only get O(n)-gentleness) Part (2) preserves efficiency, as long as the DP algorithm’s output distribution can be efficiently QSampled

  19. Application: Shadow Tomography Theorem (A., STOC’2018): Let  be an unknown D-dimensional mixed state, and let E1,…,EM be known 2-outcome measurements. Suppose we want to estimate Pr[Ei accepts ] to within  for all i[M] w.h.p. We can do this given k where Using a quantum version of the Private Multiplicative Weights algorithm (Hardt-Rothblum 2010), together with our DPgentleness theorem, we can now get via a procedure that’s also online and gentle

  20. Open Problems Prove a fully general DPgentleness theorem? In shadow tomography, does the number of copies of  need to have any dependence on log D? Best lower bound we can show: k=(-2 log M). But for gentle shadow tomography, can use known lower bounds from DP to show that k=((log D)) is needed Use quantum to say something new about classical DP?

More Related