Jekyll2020-09-29T14:35:47+00:00https://unnatural-proofs.github.io/feed.xmlin search of unnatural proofscomplexity theory and moreSelling Quantum Computing2020-02-13T00:00:00+00:002020-02-13T00:00:00+00:00https://unnatural-proofs.github.io/2020/selling-quantum-computing<p>So… this happened a few days ago.</p>
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">"While most experts agree that real-world applications of quantum are still at least several years or longer away"<br /><br />Make that several decades or show me one "expert" who says quantum computers will be commercially viable in a few years. <a href="https://twitter.com/BullshitQuantum?ref_src=twsrc%5Etfw">@BullshitQuantum</a> <a href="https://t.co/NEDqDIMKkv">https://t.co/NEDqDIMKkv</a></p>— Sabine Hossenfelder (@skdh) <a href="https://twitter.com/skdh/status/1225679502136635393?ref_src=twsrc%5Etfw">February 7, 2020</a></blockquote>
<p>I would like to chronicle a few interesting tweets that resulted from the above tweet. As you probably know, I am a quantum optimist so the selection will be biased, but my intent is not to argue in favour of commercial quantum computing, rather to point out interesting arguments.</p>
<h3 id="heuristics-vs-algorithms">Heuristics vs. Algorithms</h3>
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Hi. I'm an expert. I'm a Professor in the field.<br /><br />I believe the first heuristic approaches may well achieve quantum advantage for approximate algorithms in less than 10y. I say that being an active practitioner and having funded this research via DARPA.<br /><br />Shor = decades.</p>— Michael J. Biercuk (@MJBiercuk) <a href="https://twitter.com/MJBiercuk/status/1225968738165383169?ref_src=twsrc%5Etfw">February 8, 2020</a></blockquote>
<p>Let’s a lot to unpack here, let’s start with the definition of a heuristic.</p>
<p>An <em>algorithm</em> is a program that solves a problem on all inputs; that is, it outputs the correct answer for every instance of the problem. In contrast, a <em>heuristic</em> is a program that solves a problem on most inputs; that is, it outputs the correct answer for most instances of the problem (typically, these instances correspond to instances that are most likely to arise in practice). To make this more concrete, let’s think of the addition problem which takes a pair of numbers and outputs a number. An algorithm for addition always output the correct answer, while a heuristic outputs the correct answer for most pairs of numbers, but for some pairs of numbers it might output the wrong answer.<sup id="fnref:heurBPP" role="doc-noteref"><a href="#fn:heurBPP" class="footnote">1</a></sup> The definition of a heuristic might seem similar to the definition of a <em>bounded-error algorithm</em>, but there is a subtle difference, a bounded-error algorithm outputs the correct answer with high-probability for <em>every</em> input. So, one could combine this property with heuristics to get bounded-error heuristics, and indeed this is what people typically mean when they say heuristics. A closer to real-life example of a heuristic is facial-recognition software.<sup id="fnref:antivirus" role="doc-noteref"><a href="#fn:antivirus" class="footnote">2</a></sup></p>
<p>If you have been following the field for some time, you know that we are slowing shifting from algorithms to heuristics. Some people believe that heuristics are flat-out bad—they don’t know what they are talking about. Heuristics are amazing, most of the world runs on heuristics (it is hard to come up with algorithms for most real-world problems and in some cases we can prove that the general problem is NP-hard.<sup id="fnref:np-hard" role="doc-noteref"><a href="#fn:np-hard" class="footnote">3</a></sup>) That being said, heuristics are really hard to analyze: deep learning almost died because of this. The best way we have to work with heuristics is to code it up and run it. This means that it is hard for us to know if a quantum heuristic actually works, we can do simulations but that might not be enough to convince skeptics, or even fine-tune our program to perform better. Going back to the deep learning analogy, the field was revived by cheap GPUs which allowed researchers to test their heuristics and fine tune them.<sup id="fnref:dl-history" role="doc-noteref"><a href="#fn:dl-history" class="footnote">4</a></sup> Till we have large quantum computers, writing heuristics is like walking in the dark—we don’t know if we have made any progress.</p>
<p>Algorithms are nicer in this respect, we can prove stuff about their behavior without actual devices. Shor did this with his amazing factoring algorithm. This is actually not that hard, for instance, I have two papers analyzing quantum algorithms, and no quantum computers were harmed in the process.</p>
<p>In principle, Shor’s algorithm is fast, that is, it has a polynomial-time algorithm. In practice, we care about number of qubits and number of gates more than asymptotic scaling. Actually, we don’t care about asymptotic scaling (sorry, man.) Last year, building on the work of many people, Craig Gidney and Martin Ekerå <a href="https://arxiv.org/abs/1905.09749">constructed</a> an optimized circuit for Shor’s algorithm. Unfortunately (or fortunately) this circuit still needs on the order of a million qubits and a gate error (in trace distance) of $10^{-3}$ (which is not too crazy.) This seems out of the reach of current quantum computer chip designs and architectures. Stop whatever you are doing and go read this <a href="https://twitter.com/rdviii/status/1158558531789791233?s=20">awesome thread</a> by @rdviii. Back to topic, so, yeah, millions of qubits might take a long time to get to.</p>
<h3 id="speed-isnt-everything">Speed isn’t everything</h3>
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Complexity theory cannot explain why people still use Microsoft Excel to do business analytics in large companies with algorithms that have a guaranteed slowdown compared to the best available classical algorithms. But they do. And they pay Microsoft a lot of $$$ to do so.</p>— Christopher Savoie 佐保井 久理須 (@cjsavoie) <a href="https://twitter.com/cjsavoie/status/1226824292958162944?ref_src=twsrc%5Etfw">February 10, 2020</a></blockquote>
<p>I really like this tweet—commercial computer science is not about stats, it is about products.</p>
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Interesting point---QCs could be commercially viable without outperforming their classical counterparts if they lead to a better product (usability, price, forward compatibility?)</p>— sanketh (@__c1own) <a href="https://twitter.com/__c1own/status/1226842926648643584?ref_src=twsrc%5Etfw">February 10, 2020</a></blockquote>
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Or energy consumption. A dil fridge runs on only 20-30 kWh with capacity to double compute power with each qubit added without adding any significant power consumption. The IBM Summit by contrast requires 15 MWh. Enough to power 7000 homes. Double the compute, double the burn.</p>— Christopher Savoie 佐保井 久理須 (@cjsavoie) <a href="https://twitter.com/cjsavoie/status/1226882619914190848?ref_src=twsrc%5Etfw">February 10, 2020</a></blockquote>
<h3 id="quantum-can-quantum">Quantum can Quantum</h3>
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">I think demonstrating a quantum advantage for an application before 2030 is a reasonable prediction. I would say the initial practical impact will mostly be in industries that need to understand quantum mechanical systems better (e.g. materials/molecules), not across the board</p>— Guillaume Verdon (@quantumVerd) <a href="https://twitter.com/quantumVerd/status/1225687936609337345?ref_src=twsrc%5Etfw">February 7, 2020</a></blockquote>
<p>This does not need any commentary. This has now become widely accepted within the community.</p>
<hr />
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:heurBPP" role="doc-endnote">
<p>For a more formal treatment of heuristics see: <em>Bogdanov, Andrej, and Luca Trevisan. “Average-case complexity.” Foundations and Trends® in Theoretical Computer Science 2, no. 1 (2006): 1-106. DOI: <a href="http://dx.doi.org/10.1561/0400000004">10.1561/0400000004</a>. ECCC: <a href="https://eccc.weizmann.ac.il/report/2006/073/">2006/073</a>.</em> <a href="#fnref:heurBPP" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:antivirus" role="doc-endnote">
<p>Another good example is antivirus, see the Wikipedia article on <a href="https://en.wikipedia.org/wiki/Heuristic_analysis">heuristic analysis</a>. <a href="#fnref:antivirus" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:np-hard" role="doc-endnote">
<p>A lot of people look at NP-hardness as a bad thing—I don’t. If someone is able to prove that real-world problem $\Pi$ is NP-hard, it means that they have formally written down $\Pi$ and then managed to show that it is at least as hard as NP-hard problem. First, let us assume that $\Pi$ is in NP, this is true for almost all real-world problems. Now, there there are two ways to solve this problem: (1) solve the NP-hard problem; that is, reduce your problem to SAT and use a SAT solver; (2) attack the formal description of $\Pi$, maybe the description is too general, we only care about some instances. So, showing NP-hardness is a step in the right direction. <a href="#fnref:np-hard" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:dl-history" role="doc-endnote">
<p>See <a href="https://en.wikipedia.org/wiki/Deep_learning#History">Wikipedia</a> for more on the history of deep learning. Another parallel with deep learning is the availability of data. Aside from hardware, deep learning suffered from a lack of data, this is true in quantum computing as well: we don’t have enough <em>quantum data</em> (data that can be efficiently loaded into a quantum state.) You might ask, why not just turn classical data into quantum data? Well, it is not as simple, naïve algorithms for this remove any quantum speedup for some tasks. An infamous example is the <a href="https://arxiv.org/abs/0811.3171">HHL algorithm</a>; see, also, <a href="https://arxiv.org/abs/1811.00414">Ewin Tang’s classical analogue of HHL</a> and <a href="http://nisqybusiness.com/2019/08/05/on-qram/">Joe Fitzsimons’s post on QRAM</a>. <a href="#fnref:dl-history" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>sankethSo… this happened a few days ago.Two Open Problems: Hybrid Quantum Attacks on Crypto2019-10-04T00:00:00+00:002019-10-04T00:00:00+00:00https://unnatural-proofs.github.io/2019/two-open-problems-hybrid-quantum-attacks-on-crypto<p>Today, I want to mention two open problems that I have been thinking about. These are off-shoots of my work with Matt Coudron on the power of quantum depth (<a href="https://arxiv.org/abs/1909.10503">arXiv:1909.10503</a>; see, also, <a href="https://arxiv.org/abs/1909.10303">arXiv:1909.10303</a>).</p>
<p>There does not seem to be a clear metric in quantum cryptanalysis. For example, we say that the security level of AES-256 is 256 bits, and the quantum security level of AES-256 is 256/2 = 128 bits. But, that number 128 does not capture the hardness of the attack. The classical attack can be trivially parallelized, but the quantum attack (which uses Grover’s algorithm) cannot be parallelized well. <a href="https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf">NIST (2016)</a> tries to account for this in their PQC competition by introducing a variable MAXDEPTH, corresponding to the maximum depth of the quantum circuit in the attack, set to a value between $2^{40}$ and $2^{96}$. But, this might still understate the security of the schemes (think of memory-intensive quantum algorithms). <a href="https://ia.cr/2019/103">Jaques and Schanck (2019)</a> solve this problem with their <em>DW-cost metric</em> (depth of the circuit times the width of the circuit). I like the DW-cost metric because it makes more sense from a <em>quantum-native</em> perspective. But, this raises new a problem, what about hybrid attacks? It turns out that this can be easily remedied by using the DW-cost for the quantum part and the traditional number of ops cost for the classical part.</p>
<p>The setting is the following, the MAXDEPTH is set to be $2^{32}$ (say each layer (depth-1 circuit) takes $1000$ nanoseconds to apply<sup id="fnref:time" role="doc-noteref"><a href="#fn:time" class="footnote">1</a></sup>, and we can run a computation for an hour) and MAXWIDTH is set to $2^{32}$ (that is about 4 giga(qu)bits). From this setting it is obvious that you cannot do a purely quantum attack, you need a hybrid attack (and that is my intention.) Just to be clear, a <em>hybrid quantum attack</em> is a classical circuit with embedded quantum circuits with depth at most MAXDEPTH and width at most MAXWIDTH, and the output of a quantum circuit is a classical bit string (or, to be more precise, a probability distribution.) Let’s define the <em>hybrid-DW-cost</em> as the sum of the DW-costs of the embedded quantum circuits and the number of gates in the classical circuit.</p>
<h3 id="question-1-hybrid-generic-pre-image-attacks-on-aes">Question 1: Hybrid Generic Pre-Image Attacks on AES?</h3>
<p><strong>Question.</strong> Is there a non-trivial hybrid generic pre-image attack on AES?</p>
<p><strong>Conjecture.</strong> The security level of AES-256, under hybrid quantum attacks in the hybrid-DW-cost model, is essentially the same as the its classical security level.</p>
<p>A good starting point: <a href="https://arxiv.org/abs/1512.04965">arXiv:1512.04965</a>, <a href="https://ia.cr/2019/854">2019/854</a>, and <a href="https://ia.cr/2019/1146">2019/1146</a>.</p>
<h3 id="question-2-hybrid-generic-claw-finding-attacks-on-sike">Question 2: Hybrid Generic Claw-Finding Attacks on SIKE?</h3>
<p><strong>Question.</strong> <a href="https://arxiv.org/abs/0708.2584">Tani’s (2007)</a> algorithm, which is used for generic claw-finding attacks, is based on quantum walks which seem to have the same parallelization difficulties as Grover’s algorithm. (See Section 5.6 in <a href="https://ia.cr/2019/103">Jaques and Schanck (2019)</a>.) Is there a non-trivial hybrid generic claw-finding attack on SIKE?</p>
<p><strong>Conjecture.</strong> The security level of SIKE-(503|610|751), under hybrid quantum attacks in the hybrid-DW-cost model, is essentially the same as the its classical security level.</p>
<p>A good starting point: <a href="https://arxiv.org/abs/0708.2584">arXiv:0708.2584</a> and <a href="https://ia.cr/2019/103">2019/103</a>.</p>
<h3 id="why-these-questions">Why These Questions?</h3>
<ol>
<li>They force one to think about hybrid attacks.</li>
<li>They seem to model near-term attacks.</li>
<li>They don’t seem too hard. Question 1 might even be easy because we know explicit bounds on how Grover parallelizes.</li>
<li>They are fun math problems. :-)</li>
</ol>
<hr />
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:time" role="doc-endnote">
<p>At first glance, this number might seem absurd—surely we can apply a gate in less than $1000$ nanoseconds, but I am trying to account for the lost nearest neighbor property. For now, it seems easier to make this number larger than to impose a nearest neighbor constraint. (Also, I am trying to be architecture agnostic.) <a href="#fnref:time" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>sankethToday, I want to mention two open problems that I have been thinking about. These are off-shoots of my work with Matt Coudron on the power of quantum depth (arXiv:1909.10503; see, also, arXiv:1909.10303).What Is a Stochastic Process?2019-09-02T00:00:00+00:002019-09-02T00:00:00+00:00https://unnatural-proofs.github.io/2019/what-is-a-stochastic-process<div style="display:none;">
$$
\newcommand{\F}{\mathcal{F}}
\newcommand{\I}{\mathcal{I}}
$$
</div>
<p>Recently I have discovered the awesome world of stochastic processes. Firstly, “stochastic process” is a horrible name, it does not have anything to do with “process.” If you have never heard of this term, brace yourself because this is gonna sound insanely familiar. So, a <em>stochastic process</em> is an indexed list of random variables. That’s it. If you have ever worked with randomized algorithms, this is what you call an algorithm, it takes an input and the output is modeled by a random variable.</p>
<p>I am going to give a slightly more formal definition now that we know what it means.</p>
<p><strong>Definition.</strong> Fix a probability space $(\Omega, \F, P)$ and a measurable space $(S, \Sigma)$. A <em>stochastic process</em> is a collection
\[
\{X(i) : i \in \I\}
\]
of $S$-valued random variables indexed by a set $\I$.</p>
<p>In many applications, the index set $\I$ is the positive real numbers and represents time. More generally, it is common to assume that $\I$ is ordered. This adds a lot of structure and allows one to talk about <em>increments</em> (how much $X(i)$ differs from $X(i+j)$) and stuff like that.</p>
<p>Also, if you have done some advanced probability, you can observe that stochastic processes generalize <em>Markov chains</em>, <em>random walks</em>, and <em>martingales</em>.</p>
<p>I’m going to end this short post by answering a burning question: how can you use stochastic processes to prove theorems? By leveraging <a href="https://en.wikipedia.org/wiki/Stochastic_calculus">stochastic calculus</a>.</p>
<h2 id="further-reading">Further Reading</h2>
<ul>
<li>Gregory F. Lawler’s “Stochastic Calculus: An Introduction with Applications” looks great. I have been meaning to read it for a while now.</li>
<li>Xinyu Wu’s “A stochastic calculus approach to the oracle separation of BQP and PH” simplifies the breakthrough oracle separation of Raz and Tal. [<a href="https://eccc.weizmann.ac.il/report/2018/202/">ECCC</a>]</li>
<li>If you want to apply stochastic calculus to TCS, chapter 11 of Ryan O’Donnell’s Analysis of Boolean Functions might be a good place to start. [<a href="http://www.contrib.andrew.cmu.edu/~ryanod/">book website</a>] Also take a look at Ronen Eldan’s “
A two-sided estimate for the Gaussian noise stability deficit” which simplifies a theorem due Guy Kindler and Ryan O’Donnell. [<a href="https://arxiv.org/abs/1307.2781">arXiv</a>] [<a href="https://www.cs.cmu.edu/~odonnell/papers/gaussian-noise-sensitivity.pdf">Kindler and O’Donnell paper</a>]</li>
</ul>sanketh$$ \newcommand{\F}{\mathcal{F}} \newcommand{\I}{\mathcal{I}} $$In Defense of Random Oracles2019-05-23T00:00:00+00:002019-05-23T00:00:00+00:00https://unnatural-proofs.github.io/2019/in-defense-of-random-oracles<div style="display:none;">
$$
\newcommand{\QSZK}{\textsf{QSZK}}
\newcommand{\SZK}{\textsf{SZK}}
\newcommand{\NP}{\textsf{NP}}
\newcommand{\P}{\textsf{P}}
\newcommand{\coNP}{\textsf{coNP}}
\newcommand{\UP}{\textsf{UP}}
\newcommand{\coUP}{\textsf{coUP}}
\newcommand{\BQP}{\textsf{BQP}}
\newcommand{\BPP}{\textsf{BPP}}
\newcommand{\PSPACE}{\textsf{PSPACE}}
\newcommand{\IP}{\textsf{IP}}
$$
$$
\newcommand{\N}{\mathbb{N}}
$$
$$
\newcommand{\A}{\mathcal{A}}
\newcommand{\poly}{\text{poly}}
\newcommand{\polylog}{\text{polylog}}
$$
$$
\newcommand{\ket}[1]{\lvert #1 \rangle}
\newcommand{\bra}[1]{\langle #1 \rvert}
\newcommand{\coloneqq}{\mathrel{:=}}
\newcommand{\dim}{\text{dim}}
$$
</div>
<p>A few days ago, I read<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote">1</a></sup></p>
<blockquote>
<p><em>The Random Oracle Model: A Twenty-Year Retrospective</em><br />
Neal Koblitz and Alfred Menezes<br />
Crypto ePrint <a href="https://eprint.iacr.org/2015/140">2015/140</a></p>
</blockquote>
<p>and it reaffirmed my longstanding belief that oracle results are useful. There is a counter example to the “Random Oracle Hypothesis” (one can <a href="https://doi.org/10.1016/S0022-0000(05)80084-4">show</a> that relative to a random oracle $\IP \neq \PSPACE$; it is exactly what you’d expect) but if used correctly, they are a very powerful tool to reason about the real world. There are similar counterexamples in the crypto world, perhaps the most famous one is Shafi Goldwasser and Yael Tauman’s <a href="https://eprint.iacr.org/2003/034">proof</a> of the insecurity of the <em>Fiat-Shamir transform</em>.<sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote">2</a></sup> I don’t want take up more of your time—read the paper.</p>
<p>Some people might call me a hypocrite for liking Koblitz’s view about random oracles but not liking <a href="https://www.ams.org/notices/200708/tx070800972p.pdf">his views</a> towards the foundations of cryptography. To them, I say that it is more nuanced than that. Trashing random oracles because of a few synthetic counterexamples is just as bad as trashing an entire field based on a few anecdotes. (Contrary to the expectations of most people, I never claimed or will claim that, “foundations of crypto—or any other subfield of theoretical computer science—is immediately useful.” Also, I agree with Koblitz that “nontightness” in reductions is a huge problem, especially in lattice crypto where people keep throwing around “our scheme is secure based on the worst-case hardness of approximating lattice problems.” Sanjit Chatterjee, Neal Koblitz, Alfred Menezes, and Palash Sarkar have a <a href="https://eprint.iacr.org/2016/360">beautiful paper</a> emphasizing this issue.)</p>
<p>On another side note, the bandwagon effect that Koblitz describes with regard to crypto in the 1990s is exactly what is happening right now with blockchain and machine learning (and to a smaller extent, even quantum computing.)</p>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:1" role="doc-endnote">
<p>(on the bus) <a href="#fnref:1" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:2" role="doc-endnote">
<p>Remind me to write a blog post on this. <a href="#fnref:2" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>sanketh$$ \newcommand{\QSZK}{\textsf{QSZK}} \newcommand{\SZK}{\textsf{SZK}} \newcommand{\NP}{\textsf{NP}} \newcommand{\P}{\textsf{P}} \newcommand{\coNP}{\textsf{coNP}} \newcommand{\UP}{\textsf{UP}} \newcommand{\coUP}{\textsf{coUP}} \newcommand{\BQP}{\textsf{BQP}} \newcommand{\BPP}{\textsf{BPP}} \newcommand{\PSPACE}{\textsf{PSPACE}} \newcommand{\IP}{\textsf{IP}} $$ $$ \newcommand{\N}{\mathbb{N}} $$ $$ \newcommand{\A}{\mathcal{A}} \newcommand{\poly}{\text{poly}} \newcommand{\polylog}{\text{polylog}} $$ $$ \newcommand{\ket}[1]{\lvert #1 \rangle} \newcommand{\bra}[1]{\langle #1 \rvert} \newcommand{\coloneqq}{\mathrel{:=}} \newcommand{\dim}{\text{dim}} $$More Tweets: Quantum Economics2019-05-11T00:00:00+00:002019-05-11T00:00:00+00:00https://unnatural-proofs.github.io/2019/more-tweets-quantum-economics<p>This post is essentially a reference to my tweets. I will write a coherent blog post sometime in the future.</p>
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Quantum cs peeps looking at quantum economics for the first time.<br />(For more fun, take a look at this article: <a href="https://t.co/30DiYd2qiM">https://t.co/30DiYd2qiM</a> and the referenced paper.) <a href="https://t.co/f9FYz9krvy">pic.twitter.com/f9FYz9krvy</a></p>— sanketh (@__c1own) <a href="https://twitter.com/__c1own/status/1127289507240456194?ref_src=twsrc%5Etfw">May 11, 2019</a></blockquote>
<script async="" src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
<p>See, also, <a href="https://twitter.com/sgmenda/status/1126907682626125824">this thread</a>.</p>
<p><strong>Edit (26/05):</strong> See, also,</p>
<blockquote class="twitter-tweet tw-align-center" data-lang="en"><p lang="en" dir="ltr">"Money or currency is believed by some to have a quantum nature. As we move towards a cashless economy and as digital- and crypto-currencies are on the rise, their diffusion will have commonality on which quantum physics operates." <br /> <a href="https://t.co/P0GcSg9TU4">https://t.co/P0GcSg9TU4</a></p>— Jonathan P. Dowling (@jpdowling) <a href="https://twitter.com/jpdowling/status/1132462366950600704?ref_src=twsrc%5Etfw">May 26, 2019</a></blockquote>
<script async="" src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>sankethThis post is essentially a reference to my tweets. I will write a coherent blog post sometime in the future.Quantum Computers Could Not Have Prevented 2008!!!2019-04-09T00:00:00+00:002019-04-09T00:00:00+00:00https://unnatural-proofs.github.io/2019/quantum-computers-could-not-have-prevented-2008<p>This post is essentially a reference to <a href="https://twitter.com/__c1own/status/1102202355376943104?s=20">my month-old tweets</a>.</p>
<p>After 2008, Taleb also <a href="http://nassimtaleb.org/2010/06/nassim-taleb-speaks-to-congress-value-at-risk-var/">spoke</a> to Congress about the risks of using VaR. (Ignore the description under the video.) You can see the full hearing <a href="https://youtu.be/40Gkp0wJplU">here</a>. More generally, see the <a href="https://en.wikipedia.org/wiki/Value_at_risk#Criticism">Criticism section</a> on VaR’s Wikipedia page.</p>sankethThis post is essentially a reference to my month-old tweets.Edmonds in 19672019-04-07T00:00:00+00:002019-04-07T00:00:00+00:00https://unnatural-proofs.github.io/2019/edmonds-in-1967<div style="display:none;">
$$
\newcommand{\P}{\text{P}}
\newcommand{\EdmondsP}{\text{EdmondsP}}
\newcommand{\NP}{\text{NP}}
\newcommand{\coNP}{\text{coNP}}
\newcommand{\BQP}{\text{BQP}}
$$
</div>
<blockquote>
<p>
I conjecture that there is no good algorithm for the traveling salesman problem. My reasons are the same as for any mathematical conjecture: (1) It is a legitimate mathematical possibility, and (2) I do not know.
</p><br />
<cite>Jack Edmonds, <a href="https://nvlpubs.nist.gov/nistpubs/jres/71b/jresv71bn4p233_a1b.pdf">Optimum Branchings</a>, J. Res. Natl. Bur. Stand. 71B, 233-240 (1967). </cite>
</blockquote>
<p>I have seen this quote many times (it appears in Papadimitriou and Arora and Barak) but I haven’t read the source till today. I highly recommend anything by Edmonds, he is awesome. If you want to read just one paper: check out <a href="https://doi.org/10.4153/CJM-1965-045-4">Paths, Trees, and Flowers</a>.</p>
<p>If you are wondering, I still don’t believe that $\P = \NP \cap \coNP$. On the other hand, I wouldn’t be surprised if every combinatorial problem that is currently in $\NP \cap \coNP$—you could call this class $\EdmondsP$—turns out to be in $\P$. $\EdmondsP$, for instance, would include graph isomorphism, which I strongly believe is in $\P$. Also, if you are wondering, why this does not imply $\P = \NP \cap \coNP$—after all, if all combinatorial problems in $\NP$ are in $\P$, then $\P=\NP$—it is because we don’t believe that $\NP \cap \coNP$ has complete problems (Sipster <a href="https://doi.org/10.1007/BFb0012797">constructed</a> a relativized world where this holds.)</p>
<p><strong>Added on May 11, 2019:</strong> I heard Jack Edmonds talk about this at the <a href="http://www.fields.utoronto.ca/activities/18-19/NP50">CookSymposium</a>. I admire him a lot more now. On a side note, a debate between Edmonds and Sipser broke out at the conference about the progress towards proving $\P \neq \NP$; you can see it for yourself <a href="http://www.fields.utoronto.ca/talks/Adventures-Complexity">here</a> (the debate starts at 10:00.) I used be in Sipster’s camp, but now I am squarely in Edmonds’s camp: the point of complexity theory is to inform real world decisions. It doesn’t matter whether $\P = \NP$ or not if we have an efficient (in the real world) algorithm for SAT.</p>sanketh$$ \newcommand{\P}{\text{P}} \newcommand{\EdmondsP}{\text{EdmondsP}} \newcommand{\NP}{\text{NP}} \newcommand{\coNP}{\text{coNP}} \newcommand{\BQP}{\text{BQP}} $$Mulmuley’s PRAM2019-03-17T00:00:00+00:002019-03-17T00:00:00+00:00https://unnatural-proofs.github.io/2019/Mulmuleys-PRAM<div style="display:none;">
$$
\newcommand{\P}{\text{P}}
\newcommand{\NC}{\text{NC}}
\newcommand{\NP}{\text{NP}}
\newcommand{\BQP}{\text{BQP}}
\newcommand{\BPP}{\text{BPP}}
\newcommand{\PSPACE}{\text{PSPACE}}
\newcommand{\SP}{\text{#P}}
\newcommand{\BQNC}{\text{BQNC}}
$$
$$
\newcommand{\CC}{\mathbb{C}}
\newcommand{\ZZ}{\mathbb{Z}}
\newcommand{\NN}{\mathbb{N}}
$$
$$
\newcommand{\A}{\mathcal{A}}
\newcommand{\poly}{\text{poly}}
\newcommand{\polylog}{\text{polylog}}
$$
$$
\newcommand{\ket}[1]{\lvert #1 \rangle}
\newcommand{\bra}[1]{\langle #1 \rvert}
\newcommand{\coloneqq}{\mathrel{:=}}
\newcommand{\dim}{\text{dim}}
$$
</div>
<p>Today, I will talk about one of my favorite models of computation—Mulmuley’s PRAM. To keep this post short, avoid embarrassing myself, and not fail any of my assignments, I will stick to just the model. In a later post, I will talk more generally about GCT.</p>
<p>This post is based on my notes which in turn are based on Joshua Grochow’s <a href="https://www.cs.toronto.edu/~toni/Courses/PvsNP/Lectures/lecture7-1.pdf">lec</a><a href="https://www.cs.toronto.edu/~toni/Courses/PvsNP/Lectures/lecture7-2.pdf">tur</a><a href="https://www.cs.toronto.edu/~toni/Courses/PvsNP/Lectures/lecture8.pdf">es</a> for CSC 2429 and Mulmuley’s <a href="http://gct.cs.uchicago.edu/">GCT papers</a>.</p>
<p>But, first, why should you care about models others than Turing machines (or uniform circuits!)? Because you can <em>prove</em> stuff. Remember that time, more than a decade ago, when STOC papers had actual unconditional proofs? That kind of proofs. ;-p</p>
<p>Here is the punchline:</p>
<p><strong>Theorem 1</strong> (Mulmuley (1997, 1999))<strong>.</strong> In the PRAM model without bit operations (Mulmuley’s PRAM), $\P \neq \NC$.</p>
<p>If you have never seen $\NC$ before, don’t worry, we will see a definition soon. For now, think of it as problems that admit really fast ($\polylog$ time) parallel algorithms.</p>
<p>One of the reasons we care about $\P$ vs. $\NC$ is the existence of fast parallel algorithms for combinatorial optimization problems like <a href="https://en.wikipedia.org/wiki/Maximum_flow_problem">max-flow</a> which are $\P$-Complete. If $\P \neq \NC$, then there is no fast parallel algorithm for max-flow. Max-flow is a particularly nice problem because it has a strongly-polynomial time algorithm; that is, the running time is polynomial in the number of input parameters, not on the input bitlength. We don’t know if this property holds for all $\P$ problems (where it makes sense to ask this question!), a major open problem in TCS is to determine if linear programming has a strongly-polynomial algorithm.</p>
<p>For algebraic problems like max-flow, it makes sense to ask if there is a parallel algorithm that does not use bit operations. Theorem 1 unconditionally rules out this possibility. Notice that Theorem 1 is a formal implication of $\P \neq \NC$—I later argue that it is very strong evidence in favor of it.</p>
<p><strong>What is a bit operation?</strong> An operation that acts on the individual bits of the input/data like $\vee$, $\wedge$, <code class="language-plaintext highlighter-rouge">extract-bit</code>, <code class="language-plaintext highlighter-rouge">modify-bit</code>,… For this to make sense, think of the input as an array of integers.</p>
<h3 id="pram-model-without-bit-operations-aka-mulmuleys-pram">PRAM Model Without Bit Operations aka Mulmuley’s PRAM</h3>
<p>This model was introduced in Mulmuley (1993). Informally, it is hybrid between algebraic models and restricted circuit models. The input is a bunch of integers. Like algebraic models, you can add and multiply these integers at unit cost. But—unlike algebraic models—the runtime and the number of processors is allowed to depend on <em>both</em> the number of inputs and their bitlength (don’t worry, this will become more clear in a second). Because of these weird characteristics, this model can do almost everything parallel algorithms can do. For example, it can do</p>
<ul>
<li>Neff’s <a href="https://doi.org/10.1016/S0022-0000(05)80061-3">specified precision polynomial root isolation</a></li>
<li>Csanky’s <a href="https://doi.org/10.1137/0205040">matrix inversion</a></li>
<li>Ben-Or et al.’s <a href="https://epubs.siam.org/doi/10.1137/0217069">determination of all roots of a polynomial with real roots</a></li>
<li>Karger and Motwani’s <a href="https://www.cs.bu.edu/faculty/gacs/courses/cs535/papers/p497-karger.pdf">min-cuts</a></li>
</ul>
<p>I don’t quite understand these results, so don’t ask me about them…</p>
<p><strong>Definition</strong> (Algebraic RAM Program over $\ZZ$)<strong>.</strong> First, think of your garden-variety RAM machine with 1 processor and infinite memory locations (the addresses start at <code class="language-plaintext highlighter-rouge">0x1</code> and go to infinity). Here, each memory location can store an integer (instead of a bit). As usual, the memory is split between input, output and workspace. There are constant number of unique instructions and each is of the form:</p>
<ol>
<li>$w = u \circ v$ where
<ul>
<li>$\circ \in {+, -, \times}$</li>
<li>$w$ is a memory location</li>
<li>$u,v$ are memory locations or constants.</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">goto</code> $\ell$ where $\ell$ is an instruction label.</li>
<li>conditioned on $u \square 0$, <code class="language-plaintext highlighter-rouge">branch</code> to $\ell$, where
<ul>
<li>$\square \in {<, \leq, =}$</li>
<li>$u$ is a memory location</li>
<li>$\ell$ is an instruction label</li>
</ul>
</li>
<li>copy $u$ to $v$, where $u,v$ are memory locations.</li>
<li>dereference $*u$; that is, interpret the value of $v$ as a memory location and read from there.</li>
<li>address of $\&u$; that is, get address of $u$.</li>
<li><code class="language-plaintext highlighter-rouge">return</code></li>
</ol>
<p>If you have taken a computer architecture course, then the above definition should look familiar. Yes, there are some gaps in my definition; if you care, try to fill them as an exercise. One important thing to note is that—unlike real processors—here, we are assuming that all these instructions take unit time (“unit cost model”). This assumption only makes our claim stronger as we are only going to talk about lower bounds.</p>
<p><strong>Definition</strong> (Nonuniform Algebraic RAM over $\ZZ$)<strong>.</strong> This is similar to a nonuniform family of circuits. A sequence
\begin{equation}
\A = \{A_{n,N} : n,N \in \NN \}
\end{equation}
of algebraic RAM programs over $\ZZ$. For an input of $n$ integers and total bitlength at most $N$ we use $A_{n,N}$.</p>
<p><strong>Definition</strong> (Algebraic PRAM Program over $\ZZ$)<strong>.</strong> The P in PRAM stands for parallel. Here, the number of processors is $\poly(n,N)$. Every processor has private memory and can communicate with other processors using shared memory. As usual, we have EREW, CREW, and CRCW modes (if you don’t know about these modes, forget that I mentioned them.).</p>
<h3 id="mulmuleys-lower-bound">Mulmuley’s Lower Bound</h3>
<p>As I mentioned above, I am not going to explain this result. (I don’t quite understand it myself!) But I want to state it a little more formally.</p>
<p><strong>Theorem 1</strong> (Mulmuley (1997, 1999))<strong>.</strong> Max-flow problem for $n$ nodes, where every edge-capacity is a nonnegative integer of bitlength at most $O(n^2)$, cannot be solved $\Omega(\sqrt{n})$ time with $2^{\Omega(\sqrt{n})}$ processors.</p>
<p>Here we are considering the decision version of the max-flow problem. The input also has a parameter $f_0$ and you want to decide if the max flow exceeds $f_0$.</p>
<p>Mulmuley’s result also holds for the constant-additive-error approximation version. Mulmuley’s also extends to <em>PRAM with limited bit operations</em> where parity, left shift (by 1) and right shift (by 1) are allowed. I will elaborate on this in a forthcoming GCT post but it is super cool how you can make this model “more boolean” without fucking everything up. Roughly speaking, this is why GCT has the potential to prove boolean $\P \neq \NP$.</p>
<h3 id="random-and-quantum-pram">Random and Quantum PRAM</h3>
<p>Let us start by talking about Randomized PRAM. This turns out to be not that hard, just add an instruction</p>
<ol>
<li><code class="language-plaintext highlighter-rouge">random-branch</code> $\ell$ which flips a fair coin and branches to label $\ell$ if coin returns 1.</li>
</ol>
<p>Defining quantum PRAM is equally easy, add the instruction</p>
<ol>
<li><code class="language-plaintext highlighter-rouge">quantum-branch</code> $\ell$ $\theta$ which
<ul>
<li>continues with amplitude $\sin(\theta)$, and</li>
<li>branches with amplitude $i\cos(\theta)$.</li>
</ul>
</li>
</ol>
<p>This gate is inspired by <a href="https://doi.org/10.1098/rspa.1989.0099">Deutsch’s (1989)</a> construction of a universal quantum gate. I am not going to get into it here, but for our purposes, it suffices to have this gate only for a fixed constant number of values of $\theta$. (For a far better definition of quantum PRAM, see <a href="https://doi.org/10.1098/rspa.2012.0686">Beals et al. (2013)</a>.)</p>
<p><strong>Claim.</strong> Quantum PRAM corresponds to $\BQNC$.</p>
<p>Now, here is my conjecture (which I think I can prove):</p>
<p><strong>Conjecture 1.</strong> In the PRAM model without bit operations, $\P \neq \BQNC$.</p>
<p>The reason this conjecture might be interesting is concerning the power of $\P^\BQNC$ which kinda models the power of near-term quantum computers. Hit me up if you want to chat about this.</p>
<h3 id="references">References</h3>
<p>Mulmuley, Ketan. “A Lower Bound for Solvability of Polynomial Equations.” In Foundations of Software Technology and Theoretical Computer Science, 13th Conference, Bombay, India, December 15-17, 1993, Proceedings, 268–83, 1993. DOI: <a href="https://doi.org/10.1007/3-540-57529-4_60">10.1007/3-540-57529-4_60</a>.</p>
<p>—. “Lower Bounds for Parallel Linear Programming and Other Problems.” In Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, 23-25 May 1994, Montréal, Québec, Canada, 603–14, 1994. DOI: <a href="https://doi.org/10.1145/195058.195413">10.1145/195058.195413</a>.</p>
<p>—. “Is There an Algebraic Proof for P != NC? (Extended Abstract).” In Proceedings of the Twenty-Ninth Annual ACM Symposium on the Theory of Computing, El Paso, Texas, USA, May 4-6, 1997, 210–19, 1997. DOI: <a href="https://doi.org/10.1145/258533.258586">10.1145/258533.258586</a>.</p>
<p>—. “Lower Bounds in a Parallel Model without Bit Operations.” SIAM J. Comput. 28, no. 4 (1999): 1460–1509. DOI: <a href="https://doi.org/10.1137/S0097539794282930">10.1137/S0097539794282930</a>.</p>sanketh$$ \newcommand{\P}{\text{P}} \newcommand{\NC}{\text{NC}} \newcommand{\NP}{\text{NP}} \newcommand{\BQP}{\text{BQP}} \newcommand{\BPP}{\text{BPP}} \newcommand{\PSPACE}{\text{PSPACE}} \newcommand{\SP}{\text{#P}} \newcommand{\BQNC}{\text{BQNC}} $$ $$ \newcommand{\CC}{\mathbb{C}} \newcommand{\ZZ}{\mathbb{Z}} \newcommand{\NN}{\mathbb{N}} $$ $$ \newcommand{\A}{\mathcal{A}} \newcommand{\poly}{\text{poly}} \newcommand{\polylog}{\text{polylog}} $$ $$ \newcommand{\ket}[1]{\lvert #1 \rangle} \newcommand{\bra}[1]{\langle #1 \rvert} \newcommand{\coloneqq}{\mathrel{:=}} \newcommand{\dim}{\text{dim}} $$What Does It Mean to Simulate a Quantum Computer?2018-12-01T00:00:00+00:002018-12-01T00:00:00+00:00https://unnatural-proofs.github.io/2018/what-does-it-mean-to-simulate-a-quantum-computer<p><a href="https://scholar.google.com/citations?user=GqpgudUAAAAJ&hl=en">Hakop Pashayan</a> of The University of Sydney gave an excellent talk on classical simulation of quantum circuits at the Institute for Quantum Computing yesterday. The talk was based on the following paper:</p>
<blockquote>
<p><em>From estimation of quantum probabilities to simulation of quantum circuits</em><br />
Hakop Pashayan, Stephen D. Bartlett, and David Gross<br />
<a href="https://arxiv.org/abs/1712.02806">arXiv:1712.02806 [quant-ph]</a></p>
</blockquote>
<p>The big takeaway for me was the new perspective on classical simulation (of quantum computation).</p>
<p>Normally, when we talk about classical simulation we talk about efficient algorithms for outputting an approximation to the answer; that is, if the original circuit accepts the input with high probability, then the simulation should accept the input with high probability. A self-contained paper that I really like in this direction is <a href="https://arxiv.org/abs/quant-ph/0406196v5">Aaronson and Gottesman (2004)</a>.</p>
<p>But, the metric we <em>really</em> care about is <em>computational indistinguishability</em>. If we cannot tell the difference between a quantum computer and the simulator in polynomial time, it doesn’t matter which one we have. Of course, the simulator should be able to do everything in $\text{NP} \cap \text{BQP}$ but when we are talking about sampling problems (like simulating restricted quantum systems) outside $\text{NP}$ this distinction matters. Also, most restricted quantum systems cannot do stuff like factoring which puts $\text{NP} \cap \text{BQP}$ outside $\text{P}$.</p>
<p>So, lemme define a simulator as follows. A classical algorithm $A$ is a <em>(classical) simulator</em> of a quantum system $\mathcal{Q}$ if there does not exist a polynomially-bounded classical verifier $V$ such that $V$ can tell the difference between $A$ and $\mathcal{Q}$ given oracle access.</p>
<p>Now that we have this definition. A natural question is if we can construct such simulators for near-term models like noisy IQP circuits (see <a href="https://arxiv.org/abs/1610.01808">Bremner, Montanaro, and Shepherd (2017)</a>) and noisy boson sampling circuits (see <a href="https://arxiv.org/abs/1801.06166">Oszmaniec and Brod (2018)</a>).</p>
<p>Also, now that we got interactive proofs in the picture, what about zero-knowledge proofs? Can we construct a protocol such that a quantum computer/simulator can prove its “quantumness” without “leaking” any further information?</p>
<p>Also, one can ask about the power of adaptive queries in this setting. Do there exist simulators that are indistinguishable from a quantum system in the parallel query model but are easy distinguished once we allow adaptive queries.</p>
<p>A question that I have been interested in for quite sometime is lower bounds on the simulation of quantum computation. Maybe this is the right model to ask these questions.</p>
<p>Finally, although these problems seem super theoretical, I strongly believe that they are of practical interest.</p>sankethHakop Pashayan of The University of Sydney gave an excellent talk on classical simulation of quantum circuits at the Institute for Quantum Computing yesterday. The talk was based on the following paper: From estimation of quantum probabilities to simulation of quantum circuits Hakop Pashayan, Stephen D. Bartlett, and David Gross arXiv:1712.02806 [quant-ph]Shannon in 19772018-11-15T00:00:00+00:002018-11-15T00:00:00+00:00https://unnatural-proofs.github.io/2018/shannon-in-1977<blockquote>
<p>Well, back in '42 ... computers were just emerging, so to speak. They had things like the ENIAC down at University of Pennsylvania. ... Now they were slow, they were very cumbersome and huge and all, there were computers that would fill a couple rooms this size and they would have about the ability of one of the little calculators that you can buy now for $10. But nevertheless we could see the potential of this, the thing that happened here if things ever got cheaper and we could ever make the up-time better, sort of keep the machines working for more than ten minutes, things like that. It was really very exciting.</p><br />
<p>We had dreams, Turing and I used to talk about the possibility of simulating entirely the human brain, could we really get a computer which would be the equivalent of the human brain or even a lot better? And it seemed easier then than it does now maybe. We both thought that this should be possible in not very long. in ten or 15 years. Such was not the case, it hasn't been done in thirty years.</p><br />
<cite>Shannon, 1977; as cited in Soni, Jimmy, and Rob Goodman. A mind at play: How Claude Shannon invented the information age. Simon and Schuster, 2017. p. 106</cite>
</blockquote>
<p><a href="https://books.google.ca/books?id=gygsDwAAQBAJ&lpg=PA107&ots=YKtABbgVEM&dq=shannon%201977%20now%20they%20were%20slow%2C%20they%20were%20cumbersome%20and%20huge%20and%20all%2C%20they%20were%20computers&pg=PA107#v=onepage&q&f=false">Here</a> is the page in Google books.</p>
<p>Also, since you are here, check out <a href="https://twitter.com/dabacon/status/1063163663815663616">this twitter thread</a> by <a href="https://twitter.com/dabacon">@dabacon</a>. The cited <a href="https://spectrum.ieee.org/computing/hardware/the-case-against-quantum-computing">article</a> is infuriating; for example, look at this:</p>
<blockquote>
<p>Indeed, all of the assumptions that theorists make about the preparation of qubits into a given state, the operation of the quantum gates, the reliability of the measurements, and so forth, cannot be fulfilled exactly. They can only be approached with some limited precision. So, the real question is: What precision is required? With what exactitude must, say, the square root of 2 (an irrational number that enters into many of the relevant quantum operations) be experimentally realized? Should it be approximated as 1.41 or as 1.41421356237? Or is even more precision needed? Amazingly, not only are there no clear answers to these crucial questions, but they were never even discussed!</p>
</blockquote>sankethWell, back in '42 ... computers were just emerging, so to speak. They had things like the ENIAC down at University of Pennsylvania. ... Now they were slow, they were very cumbersome and huge and all, there were computers that would fill a couple rooms this size and they would have about the ability of one of the little calculators that you can buy now for $10. But nevertheless we could see the potential of this, the thing that happened here if things ever got cheaper and we could ever make the up-time better, sort of keep the machines working for more than ten minutes, things like that. It was really very exciting.