Quantum Lower Bound for the Collision Problem
Scott Aaronson 1/10/2002
quant-ph/0111102
I was born at the Big Bang.
Cool! We have the same birthday.
Collision Problem
• Given $X = x_1 \ldots x_n$, $X : \{1,\ldots,n\} \to \{1,\ldots,n\}$
• Promised:
(1) X is one-to-one (permutation) or
(2) X is two-to-one
• Problem: Decide which w.h.p., using few queries to the $x_i$
• Randomized alg: $\Theta(\sqrt{n})$
(Figure: a one-to-one input beside a two-to-one input.)
Result
• Any quantum algorithm for the collision problem uses $\Omega(n^{1/5})$ queries
• Previously no lower bound better than $\Omega(1)$
• Shi improved to $\Omega(n^{1/4})$, and to $\Omega(n^{1/3})$ when |range| >> n
Implications
1. No polytime blackbox algorithms for
– graph isomorphism
– nonabelian hidden subgroup
– breaking cryptographic hash functions
Implications
2. “Dynamical quantum theories” can’t be
simulated in BQP, relative to oracle
Define joint distribution over values of observable at times t1, t2, etc.
(I.e. classical history)
Given polytime quantum algorithm and set of “sampling points,” how hard to sample from this distribution?
How to Find a Collision in O(1) Queries If Your Memory Is Perfect
1. Prepare $\frac{1}{\sqrt{n}} \sum_{i=1}^{n} |i\rangle |x_i\rangle$ and observe 2nd register
If X is 2-1, obtain $(|i\rangle + |j\rangle)/\sqrt{2}$ with $x_i = x_j$
2. Sample
3. Hadamard every bit, and sample again
4. Hadamard every bit again (returning to $(|i\rangle + |j\rangle)/\sqrt{2}$), and sample again
Which basis state ($|i\rangle$ or $|j\rangle$) were you “in” after Step 2? After Step 4?
Implications
3. $|x\rangle \to |f(x)\rangle$ oracles (Kashefi et al. 2001) more powerful than $|x\rangle \to |x\rangle|f(x)\rangle$
Requires $\Omega(n^{1/7})$ lower bound for set comparison problem: given sequences $x_1 \ldots x_n$ and $y_1 \ldots y_n$, decide whether $\{x_1,\ldots,x_n\} = \{y_1,\ldots,y_n\}$ or $|\{x_1,\ldots,x_n,y_1,\ldots,y_n\}| > 1.1n$
Can improve to $\Omega(n^{1/6})$ using ideas of Shi
Quantum Query Model
• State after t queries: $\sum_{\sigma,i,z} \alpha_{t,\sigma,i,z}\,|\sigma,i,z\rangle$
  σ: workbits (σ is the letter used here for the workspace register), i: index to query, z: output
• Query: $|\sigma,i,z\rangle \to |\sigma \oplus x_i,\, i,\, z\rangle$
• Arbitrary unitaries that don’t depend on X
• By end: $P(X) = \sum_{\sigma,i} |\alpha_{T,\sigma,i,1}|^2$, with $|P(X) - f(X)| \le 1/10$
Brassard-Høyer-Tapp (1998): $O(n^{1/3})$ quantum alg for collision problem
(Figure: $n^{1/3}$ of the $x_i$’s are queried classically and sorted for fast lookup; Grover’s algorithm runs over the other $n^{2/3}$ $x_i$’s, each asking “Do I collide with any of the pink $x_i$’s?”)
Lower Bound: Main Ideas
• $P(X) \in [0,1]$, even for g-1 inputs X with g>2. Surprisingly strong constraint.
• Take uniform dist. over g-1 inputs
• P becomes poly in g of deg 2T. Algebraic magic!
• Use approximation theory to show T large
Lemma (follows Beals et al. 1998): Let $\Delta(x_i,h) = 1$ if $x_i = h$, 0 otherwise. Then P(X) is poly of deg 2T over the $\Delta(x_i,h)$.
Proof: Let $\alpha_{t,X,\sigma,i,z}$ = amplitude of $|\sigma,i,z\rangle$ after t queries. $\alpha_{t,X,\sigma,i,z}$ is poly of deg ≤ t, by induction.
Base case (t=0) trivial. Unitaries can’t increase degree.
Query replaces $\alpha_{t,X,\sigma,i,z}$ by $\sum_{h=1}^{n} \Delta(x_i,h)\,\alpha_{t,X,\sigma \oplus h,i,z}$.
Input Distribution
• D(g): Uniform distribution over g-1 inputs
• Technicality: g might not divide n. But assume for simplicity that it does
• Let $P(g) = \mathrm{E}_{X \in D(g)}[P(X)]$
Monomials of P(X)
• I(X) = product of r variables $\Delta(x_i,h)$
• Let $I(g) = \mathrm{E}_{X \in D(g)}[I(X)]$
• Then $P(g) = \sum_{I :\, r_I \le 2T} \beta_I\, I(g)$ for some coefficients $\beta_I$
• Claim: If $T = O(\sqrt{n})$ then P(g) is a polynomial of degree 2T in g for integers $1 \le g \le \sqrt{n}$.
Calculating I(g): #1
• “Range” of I: Y. w = |Y|.
• I(X) = 0 unless $Y \subseteq S$ (“range” of X)
• So $I(g) = \Pr[Y \subseteq S] \cdot \Pr[I(X) = 1 \mid Y \subseteq S]$, where
$\Pr[Y \subseteq S] = \binom{n-w}{n/g-w} \Big/ \binom{n}{n/g}$
since S is a uniformly random subset of $\{1,\ldots,n\}$ with $|S| = n/g \ge \sqrt{n} \ge 2T \ge r$.
Calculating I(g): #2
• Given an S containing Y, # of g-1 inputs of size n with range S: $n!/(g!)^{n/g}$
• Let $\{y_1,\ldots,y_w\}$ be distinct values in Y
  – $r_i$ = # of times $y_i$ appears in Y
  – $r_1 + \cdots + r_w = r$
• # of g-1 inputs X with range S s.t. I(X)=1: $\dfrac{(n-r)!}{(g!)^{n/g-w} \prod_{i=1}^{w} (g-r_i)!}$
• Becomes ~polynomial(g):
$I(g) = \dfrac{(n-w)!\,(n-r)!}{(n!)^2} \prod_{i=0}^{w-1} (n - gi) \prod_{i=1}^{w} \prod_{j=1}^{r_i-1} (g - j)$
Polynomial in g of degree $w + (r-w) = r \le 2T$
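The two “Calculating I(g)” slides above derive a closed form for $I(g)$ by counting g-to-1 functions. The following is an added check, not code from the slides or the paper: it enumerates every g-to-1 function on $\{1,\ldots,n\}$ for small n, computes the exact expectation of a monomial $I(X) = \prod \Delta(x_i,h)$, and compares it with the closed form $(n-w)!(n-r)!/(n!)^2 \cdot \prod_{i=0}^{w-1}(n-gi) \cdot \prod_{i=1}^{w}\prod_{j=1}^{r_i-1}(g-j)$. The function names, the list-of-pairs encoding of a monomial, and the test values of n and g are assumptions made here for the example; the formula is the one on the slide.

```python
from collections import Counter
from fractions import Fraction
from itertools import product
from math import factorial

# Added example (not from the slides). A monomial I is a list of (i, h) pairs
# and stands for the product of the indicator variables Delta(x_i, h).
# D(g) is the uniform distribution over g-to-1 functions X: {1..n} -> {1..n}.


def is_g_to_one(x, g):
    """True if every value that X takes is taken by exactly g indices."""
    return all(c == g for c in Counter(x).values())


def monomial_value(x, monomial):
    """I(X): 1 if x_i == h for every factor Delta(x_i, h), else 0."""
    return 1 if all(x[i - 1] == h for i, h in monomial) else 0


def bruteforce_expectations(n, g, monomials):
    """I(g) = E_{X in D(g)}[I(X)] for each monomial, by enumerating all of D(g)."""
    if n % g:
        raise ValueError("the slides assume g divides n")
    total = 0
    hits = [0] * len(monomials)
    for x in product(range(1, n + 1), repeat=n):
        if is_g_to_one(x, g):
            total += 1
            for k, mono in enumerate(monomials):
                hits[k] += monomial_value(x, mono)
    return [Fraction(h, total) for h in hits]


def closed_form(n, g, monomial):
    """The slides' formula:
    I(g) = (n-w)!(n-r)!/(n!)^2 * prod_{i=0}^{w-1} (n - g i)
                                * prod_{i=1}^{w} prod_{j=1}^{r_i-1} (g - j),
    where r is the number of distinct factors, {y_1..y_w} the distinct values
    demanded (the "range" Y of I), and r_i how often y_i is demanded."""
    demanded = {}
    for i, h in monomial:
        # Delta(x_i, h) * Delta(x_i, h') with h != h' is identically zero.
        if demanded.setdefault(i, h) != h:
            return Fraction(0)
    r = len(demanded)
    multiplicity = Counter(demanded.values())   # r_i for each distinct value y_i
    w = len(multiplicity)
    value = Fraction(factorial(n - w) * factorial(n - r), factorial(n) ** 2)
    for i in range(w):                 # Pr[Y subset of S] contributes prod (n - g i)
        value *= n - g * i
    for r_i in multiplicity.values():  # conditional count contributes prod (g - j)
        for j in range(1, r_i):
            value *= g - j
    return value


def closed_form_matches(n, g, monomials):
    """True if the closed form agrees with brute force for every monomial given."""
    return bruteforce_expectations(n, g, monomials) == [closed_form(n, g, m) for m in monomials]


if __name__ == "__main__":
    monos = [[(1, 1), (2, 1)], [(1, 1), (2, 2)], [(1, 1), (2, 1), (3, 2)]]
    for g in (1, 2, 3):
        print(f"n=6 g={g}: match={closed_form_matches(6, g, monos)}",
              [closed_form(6, g, m) for m in monos])
```

Two edge cases the formula handles on its own are worth noticing when running it: for permutations (g = 1) a monomial that demands the same value at two indices evaluates to zero because the factor $(g-1)$ vanishes, and when a monomial demands more distinct values than $n/g$ the product $\prod_{i=0}^{w-1}(n-gi)$ contains the factor $n - g\cdot(n/g) = 0$. Both agree with the brute-force count, which is why the claim on the slide holds for every integer g dividing n, not only for “typical” monomials.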
Markov’s Inequality
Let P(x) be a poly with $b_1 \le P(x) \le b_2$ for all $a_1 \le x \le a_2$ and $|dP(x^*)/dx| \ge c$ for some $a_1 \le x^* \le a_2$. Then
$\deg P \ge \sqrt{\dfrac{c\,(a_2 - a_1)}{b_2 - b_1}}$
(Figure: a polynomial that is bounded over a long interval yet has a large derivative over a short one.)
Lower Bound
• $0 \le P(g) \le 1$ for all $0 \le g \le \sqrt{n}$
• $P(1) \le 1/10$ and $P(2) \ge 9/10$. So $dP/dg \ge 4/5$ somewhere
• $\Omega(n^{1/4})$ lower bound would follow if g always divided n
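The Markov’s Inequality slide and the Lower Bound slide above are a two-line argument; as an added example (not part of the slides) the code below makes both halves concrete. It shows that the inequality is tight for Chebyshev polynomials, which are bounded by 1 on $[-1,1]$ and have derivative $d^2$ at the endpoint, and it applies the inequality with the slide’s parameters (P in $[0,1]$ on $[0,\sqrt{n}]$, slope at least $4/5$) to get the $n^{1/4}$ scaling of T. Function names and the grid used to check boundedness are choices made here.

```python
import math

# Added example (not from the slides): Markov's inequality in action.


def chebyshev_and_derivative(d, x):
    """Return (T_d(x), T_d'(x)) via the three-term recurrence
    T_{k+1} = 2x T_k - T_{k-1}, differentiated term by term."""
    if d == 0:
        return 1.0, 0.0
    t_prev, t_cur = 1.0, float(x)      # T_0, T_1
    dt_prev, dt_cur = 0.0, 1.0         # T_0', T_1'
    for _ in range(1, d):
        t_next = 2 * x * t_cur - t_prev
        dt_next = 2 * t_cur + 2 * x * dt_cur - dt_prev
        t_prev, t_cur = t_cur, t_next
        dt_prev, dt_cur = dt_cur, dt_next
    return t_cur, dt_cur


def markov_degree_bound(c, a1, a2, b1, b2):
    """The slide's inequality: deg P >= sqrt(c (a2 - a1) / (b2 - b1))."""
    return math.sqrt(c * (a2 - a1) / (b2 - b1))


def chebyshev_is_tight(d):
    """T_d stays in [-1, 1] on [-1, 1] (checked on a grid) and has slope d^2
    at x = 1, so the bound evaluates to sqrt(d^2 * 2 / 2) = d: its exact degree."""
    grid = [-1 + 2 * k / 1000 for k in range(1001)]
    if not all(abs(chebyshev_and_derivative(d, x)[0]) <= 1 + 1e-9 for x in grid):
        return False
    _, slope = chebyshev_and_derivative(d, 1.0)
    return round(markov_degree_bound(slope, -1, 1, -1, 1), 9) == d


def collision_query_bound(n):
    """Lower Bound slide: P(g) in [0,1] for 0 <= g <= sqrt(n) and dP/dg >= 4/5
    somewhere, so 2T = deg P >= sqrt((4/5) sqrt(n)); returns that bound on T."""
    return markov_degree_bound(4 / 5, 0, math.sqrt(n), 0, 1) / 2


if __name__ == "__main__":
    for d in (3, 5, 8):
        print(f"Chebyshev T_{d}: Markov bound tight = {chebyshev_is_tight(d)}")
    for n in (10**4, 16 * 10**4):
        print(f"n={n}: T >= {collision_query_bound(n):.3f}")
```

Multiplying n by 16 doubles the bound, which is the $n^{1/4}$ growth claimed on the slide; the coefficient is small because the derivative is only known to exceed $4/5$ and because Markov’s inequality charges the whole interval length $\sqrt{n}$ against a bound of 1.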
How to Handle n mod g ≠ 0: Sketch
• Choose N slightly larger than n such that g divides N
• Choose g-1 function on {1,…,N} u.a.r., then subfunction of size n
• Acceptance prob. close to bivariate polynomial in g,N for all g|N s.t. $n \le N \le \left(1 + \frac{1}{10T}\right) n$
(continued)
• Restrict g’s range to [1,G]; then (g,N) points with g|N are plentiful, so P is bounded
• P has large derivative somewhere in either the g or N directions
• Lower bound obtained when $G = n^{2/5}$: the minimum of the two directional bounds is $T = \Omega(n^{1/5})$ (the g direction alone gives $T = \Omega(\sqrt{G}) = \Omega(n^{1/5})$)
(Figure: P plotted over the (g,N) grid with g = 1,…,7 and N from 50 to 54: large derivative between 1-1 and 2-1; lots of points at which g|N, so P is bounded.)
Shi’s Improvement to $\Omega(n^{1/4})$
• Choose $N \le n$ s.t. g divides N, instead of $N \ge n$
• If a basis state queries an undefined $x_i$, it “drops out of the universe”
• Result: Final state vector has norm in [0,1]. Still OK!
• P(g,N) is exactly polynomial in (g,N); so g’s range need not be restricted to $[1, n^{2/5}]$
Shi’s Improvement to $\Omega(n^{1/3})$
• For functions with range $\{1,\ldots,3n/2\}$
• Uses Paturi’s inequality: if $0 \le p(x) \le 1$ for $0 \le x \le n$ and $p'(\xi) = \Omega(1)$ at some point $\xi$, then $\deg p = \Omega\left(\sqrt{(\xi+1)(n-\xi+1)}\right)$