-
Quantum Unpredictability
Authors:
Tomoyuki Morimae,
Shogo Yamada,
Takashi Yamakawa
Abstract:
Unpredictable functions (UPFs) play essential roles in classical cryptography, including message authentication codes (MACs) and digital signatures. In this paper, we introduce a quantum analog of UPFs, which we call unpredictable state generators (UPSGs). UPSGs are implied by pseudorandom function-like states generators (PRFSs), which are a quantum analog of pseudorandom functions (PRFs), and therefore UPSGs could exist even if one-way functions do not exist, similar to other recently introduced primitives like pseudorandom state generators (PRSGs), one-way state generators (OWSGs), and EFIs. In classical cryptography, UPFs are equivalent to PRFs, but in the quantum case, the equivalence is not clear, and UPSGs could be weaker than PRFSs. Despite this, we demonstrate that all known applications of PRFSs are also achievable with UPSGs. They include IND-CPA-secure secret-key encryption and EUF-CMA-secure MACs with unclonable tags. Our findings suggest that, for many applications, quantum unpredictability, rather than quantum pseudorandomness, is sufficient.
Submitted 7 May, 2024;
originally announced May 2024.
-
Exponential Quantum One-Wayness and EFI Pairs
Authors:
Giulio Malavolta,
Tomoyuki Morimae,
Michael Walter,
Takashi Yamakawa
Abstract:
In classical cryptography, one-way functions are widely considered to be the minimal computational assumption. However, when taking quantum information into account, the situation is more nuanced. There are currently two major candidates for the minimal assumption: the search-type quantum generalization of one-way functions is one-way state generators (OWSGs), whereas the decisional variant is EFI pairs. A well-known open problem in quantum cryptography is to understand how these two primitives are related. A recent breakthrough result of Khurana and Tomer (STOC'24) shows that OWSGs imply EFI pairs, for the restricted case of pure states.
In this work, we make progress towards understanding the general case. To this end, we define the notion of inefficiently-verifiable one-way state generators (IV-OWSGs), where the verification algorithm is not required to be efficient, and show that these are precisely equivalent to EFI pairs, with an exponential loss in the reduction. Significantly, this equivalence holds also for mixed states. Thus our work establishes the following relations among these fundamental primitives of quantum cryptography: (mixed) OWSGs => (mixed) IV-OWSGs $\equiv_{\rm exp}$ EFI pairs, where $\equiv_{\rm exp}$ denotes equivalence up to exponential security of the primitives.
Submitted 21 April, 2024;
originally announced April 2024.
-
A Note on Output Length of One-Way State Generators and EFIs
Authors:
Minki Hhan,
Tomoyuki Morimae,
Takashi Yamakawa
Abstract:
We study the output length of one-way state generators (OWSGs), their weaker variants, and EFIs.
- Standard OWSGs. Recently, Cavalar et al. (arXiv:2312.08363) give OWSGs with $m$-qubit outputs for any $m=\omega(\log \lambda)$, where $\lambda$ is the security parameter, and conjecture that there do not exist OWSGs with $O(\log \log \lambda)$-qubit outputs. We prove their conjecture in a stronger manner by showing that there do not exist OWSGs with $O(\log \lambda)$-qubit outputs. This means that their construction is optimal in terms of output length.
- Inverse-polynomial-advantage OWSGs. Let $\epsilon$-OWSGs be a parameterized variant of OWSGs where a quantum polynomial-time adversary's advantage is at most $\epsilon$. For any constant $c\in \mathbb{N}$, we construct $\lambda^{-c}$-OWSGs with $((c+1)\log \lambda+O(1))$-qubit outputs assuming the existence of OWFs. We show that this is almost tight by proving that there do not exist $\lambda^{-c}$-OWSGs with at most $(c\log \lambda-2)$-qubit outputs.
- Constant-advantage OWSGs. For any constant $\epsilon>0$, we construct $\epsilon$-OWSGs with $O(\log \log \lambda)$-qubit outputs assuming the existence of subexponentially secure OWFs. We show that this is almost tight by proving that there do not exist $O(1)$-OWSGs with $((\log \log \lambda)/2+O(1))$-qubit outputs.
- Weak OWSGs. We refer to $(1-1/\mathsf{poly}(\lambda))$-OWSGs as weak OWSGs. We construct weak OWSGs with $m$-qubit outputs for any $m=\omega(1)$ assuming the existence of exponentially secure OWFs with linear expansion. We show that this is tight by proving that there do not exist weak OWSGs with $O(1)$-qubit outputs.
- EFIs. We show that there do not exist $O(\log \lambda)$-qubit EFIs. We show that this is tight by proving that there exist $\omega(\log \lambda)$-qubit EFIs assuming the existence of exponentially secure PRGs.
Submitted 22 April, 2024; v1 submitted 26 December, 2023;
originally announced December 2023.
-
Revocable Quantum Digital Signatures
Authors:
Tomoyuki Morimae,
Alexander Poremba,
Takashi Yamakawa
Abstract:
We study digital signatures with revocation capabilities and show two results. First, we define and construct digital signatures with revocable signing keys from the LWE assumption. In this primitive, the signing key is a quantum state which enables a user to sign many messages and yet, the quantum key is also revocable, i.e., it can be collapsed into a classical certificate which can later be verified. Once the key is successfully revoked, we require that the initial recipient of the key loses the ability to sign. We construct digital signatures with revocable signing keys from a newly introduced primitive which we call two-tier one-shot signatures, which may be of independent interest. This is a variant of one-shot signatures, where the verification of a signature for the message "0" is done publicly, whereas the verification for the message "1" is done in private. We give a construction of two-tier one-shot signatures from the LWE assumption. As a complementary result, we also construct digital signatures with quantum revocation from group actions, where the quantum signing key is simply "returned" and then verified as part of revocation.
Second, we define and construct digital signatures with revocable signatures from OWFs. In this primitive, the signer can produce quantum signatures which can later be revoked. Here, the security property requires that, once revocation is successful, the initial recipient of the signature loses the ability to find accepting inputs to the signature verification algorithm. We construct this primitive using a newly introduced two-tier variant of tokenized signatures. For the construction, we show a new lemma which we call the adaptive hardcore bit property for OWFs, which may enable further applications.
Submitted 20 December, 2023;
originally announced December 2023.
-
Unconditionally Secure Commitments with Quantum Auxiliary Inputs
Authors:
Tomoyuki Morimae,
Barak Nehoran,
Takashi Yamakawa
Abstract:
We show the following unconditional results on quantum commitments in two related yet different models:
1. We revisit the notion of quantum auxiliary-input commitments introduced by Chailloux, Kerenidis, and Rosgen (Comput. Complex. 2016) where both the committer and receiver take the same quantum state, which is determined by the security parameter, as quantum auxiliary inputs. We show that computationally-hiding and statistically-binding quantum auxiliary-input commitments exist unconditionally, i.e., without relying on any unproven assumption, while Chailloux et al. assumed a complexity-theoretic assumption, ${\bf QIP}\not\subseteq{\bf QMA}$. On the other hand, we observe that achieving both statistical hiding and statistical binding at the same time is impossible even in the quantum auxiliary-input setting. To the best of our knowledge, this is the first example of unconditionally proving computational security of any form of (classical or quantum) commitments for which statistical security is impossible. As intermediate steps toward our construction, we introduce and unconditionally construct post-quantum sparse pseudorandom distributions and quantum auxiliary-input EFI pairs which may be of independent interest.
2. We introduce a new model which we call the common reference quantum state (CRQS) model where both the committer and receiver take the same quantum state that is randomly sampled by an efficient setup algorithm. We unconditionally prove that there exist statistically hiding and statistically binding commitments in the CRQS model, circumventing the impossibility in the plain model.
We also discuss their applications to zero-knowledge proofs, oblivious transfers, and multi-party computations.
Submitted 30 November, 2023;
originally announced November 2023.
-
Quantum Public-Key Encryption with Tamper-Resilient Public Keys from One-Way Functions
Authors:
Fuyuki Kitagawa,
Tomoyuki Morimae,
Ryo Nishimaki,
Takashi Yamakawa
Abstract:
We construct quantum public-key encryption from one-way functions. In our construction, public keys are quantum, but ciphertexts are classical. Quantum public-key encryption from one-way functions (or weaker primitives such as pseudorandom function-like states) has also been proposed in some recent works [Morimae-Yamakawa, eprint:2022/1336; Coladangelo, eprint:2023/282; Barooti-Grilo-Malavolta-Sattath-Vu-Walter, eprint:2023/877]. However, they have a huge drawback: they are secure only when quantum public keys can be transmitted to the sender (who runs the encryption algorithm) without being tampered with by the adversary, which seems to require unsatisfactory physical setup assumptions such as secure quantum channels. Our construction is free from such a drawback: it guarantees the secrecy of the encrypted messages even if we assume only unauthenticated quantum channels. That is, the encryption is done with adversarially tampered quantum public keys. Our construction is the first quantum public-key encryption that achieves the goal of classical public-key encryption, namely, to establish secure communication over insecure channels, based only on one-way functions. Moreover, we show a generic compiler to upgrade security against chosen plaintext attacks (CPA security) into security against chosen ciphertext attacks (CCA security) using only one-way functions. As a result, we obtain CCA-secure quantum public-key encryption based only on one-way functions.
Submitted 23 May, 2024; v1 submitted 4 April, 2023;
originally announced April 2023.
-
Certified Everlasting Secure Collusion-Resistant Functional Encryption, and More
Authors:
Taiga Hiroka,
Fuyuki Kitagawa,
Tomoyuki Morimae,
Ryo Nishimaki,
Tapas Pal,
Takashi Yamakawa
Abstract:
We study certified everlasting secure functional encryption (FE) and many other cryptographic primitives in this work. Certified everlasting security roughly means the following. A receiver possessing a quantum cryptographic object can issue a certificate showing that the receiver has deleted the cryptographic object and information included in the object was lost. If the certificate is valid, the security is guaranteed even if the receiver becomes computationally unbounded after the deletion. Many cryptographic primitives are known to be impossible (or unlikely) to have information-theoretical security even in the quantum world. Hence, certified everlasting security is a nice compromise (intrinsic to quantum).
In this work, we define certified everlasting secure versions of FE, compute-and-compare obfuscation, predicate encryption (PE), secret-key encryption (SKE), public-key encryption (PKE), receiver non-committing encryption (RNCE), and garbled circuits. We also present the following constructions:
- Adaptively certified everlasting secure collusion-resistant public-key FE for all polynomial-size circuits from indistinguishability obfuscation and one-way functions.
- Adaptively certified everlasting secure bounded collusion-resistant public-key FE for NC1 circuits from standard PKE.
- Certified everlasting secure compute-and-compare obfuscation from standard fully homomorphic encryption and standard compute-and-compare obfuscation.
- Adaptively (resp., selectively) certified everlasting secure PE from standard adaptively (resp., selectively) secure attribute-based encryption and certified everlasting secure compute-and-compare obfuscation.
- Certified everlasting secure SKE and PKE from standard SKE and PKE, respectively.
- Certified everlasting secure RNCE from standard PKE.
- Certified everlasting secure garbled circuits from standard SKE.
Submitted 12 May, 2024; v1 submitted 20 February, 2023;
originally announced February 2023.
-
Quantum Advantage from One-Way Functions
Authors:
Tomoyuki Morimae,
Takashi Yamakawa
Abstract:
We demonstrate quantum advantage from several basic assumptions, in particular based only on the existence of OWFs. We introduce inefficient-verifier proofs of quantumness (IV-PoQ), and construct them from classical bit commitments. IV-PoQ is an interactive protocol between a verifier and a quantum prover consisting of two phases. In the first phase, the verifier is probabilistic polynomial-time, and it interacts with the prover. In the second phase, the verifier becomes inefficient, and makes its decision based on the transcript of the first phase. If the prover is honest, the inefficient verifier accepts with high probability, but any classical malicious prover only has a small probability of being accepted by the inefficient verifier. Our construction demonstrates the following results: (1) If one-way functions exist, then IV-PoQ exist. (2) If distributional collision-resistant hash functions exist (which exist if hard-on-average problems in $\mathbf{SZK}$ exist), then constant-round IV-PoQ exist. We also demonstrate quantum advantage based on worst-case-hard assumptions. We define auxiliary-input IV-PoQ (AI-IV-PoQ) that only require that for any malicious prover, there exist infinitely many auxiliary inputs under which the prover cannot cheat. We construct AI-IV-PoQ from an auxiliary-input version of commitments in a similar way, showing that (1) If auxiliary-input one-way functions exist (which exist if $\mathbf{CZK}\not\subseteq\mathbf{BPP}$), then AI-IV-PoQ exist. (2) If auxiliary-input collision-resistant hash functions exist (which is equivalent to $\mathbf{PWPP}\nsubseteq \mathbf{FBPP}$) or $\mathbf{SZK}\nsubseteq \mathbf{BPP}$, then constant-round AI-IV-PoQ exist.
Submitted 21 May, 2024; v1 submitted 9 February, 2023;
originally announced February 2023.
-
From the Hardness of Detecting Superpositions to Cryptography: Quantum Public Key Encryption and Commitments
Authors:
Minki Hhan,
Tomoyuki Morimae,
Takashi Yamakawa
Abstract:
Recently, Aaronson et al. (ar** these states. While their original motivation was from quantum gravity, we show its applications in quantum cryptography.
1. We construct the first public key encryption scheme from cryptographic \emph{non-abelian} group actions. Interestingly, the ciphertexts of our scheme are quantum even if messages are classical. This resolves an open question posed by Ji et al. (TCC '19). We construct the scheme through a new abstraction called swap-trapdoor function pairs, which may be of independent interest.
2. We give a simple and efficient compiler that converts the flavor of quantum bit commitments. More precisely, for any prefix X,Y $\in$ {computationally,statistically,perfectly}, if the base scheme is X-hiding and Y-binding, then the resulting scheme is Y-hiding and X-binding. Our compiler calls the base scheme only once. Previously, all known compilers call the base schemes polynomially many times (Crépeau et al., Eurocrypt '01 and Yan, Asiacrypt '22). For the security proof of the conversion, we generalize the result of Aaronson et al. by considering quantum auxiliary inputs.
Submitted 23 April, 2023; v1 submitted 12 October, 2022;
originally announced October 2022.
-
One-Wayness in Quantum Cryptography
Authors:
Tomoyuki Morimae,
Takashi Yamakawa
Abstract:
The existence of one-way functions is one of the most fundamental assumptions in classical cryptography. In the quantum world, on the other hand, there is evidence that some cryptographic primitives can exist even if one-way functions do not exist. We therefore have the following important open problem in quantum cryptography: What is the most fundamental element in quantum cryptography? In this direction, Brakerski, Canetti, and Qian recently defined a notion called EFI pairs, which are pairs of efficiently generatable states that are statistically distinguishable but computationally indistinguishable, and showed its equivalence with some cryptographic primitives including commitments, oblivious transfer, and general multi-party computations. However, their work focuses on decision-type primitives and does not cover search-type primitives like quantum money and digital signatures. In this paper, we study properties of one-way state generators (OWSGs), which are a quantum analogue of one-way functions. We first revisit the definition of OWSGs and generalize it by allowing mixed output states. Then we show the following results. (1) We define a weaker version of OWSGs, weak OWSGs, and show that they are equivalent to OWSGs. (2) Quantum digital signatures are equivalent to OWSGs. (3) Private-key quantum money schemes (with pure money states) imply OWSGs. (4) Quantum pseudo one-time pad schemes imply both OWSGs and EFI pairs. (5) We introduce an incomparable variant of OWSGs, which we call secretly-verifiable and statistically-invertible OWSGs, and show that they are equivalent to EFI pairs.
Submitted 7 May, 2024; v1 submitted 7 October, 2022;
originally announced October 2022.
-
Proofs of Quantumness from Trapdoor Permutations
Authors:
Tomoyuki Morimae,
Takashi Yamakawa
Abstract:
Assume that Alice can do only classical probabilistic polynomial-time computing while Bob can do quantum polynomial-time computing. Alice and Bob communicate over only classical channels, and finally Bob gets a state $|x_0\rangle+|x_1\rangle$ with some bit strings $x_0$ and $x_1$. Is it possible that Alice can know $\{x_0,x_1\}$ but Bob cannot? Such a task, called remote state preparation, is indeed possible under some complexity assumptions, and is the basis of many quantum cryptographic primitives such as proofs of quantumness, (classical-client) blind quantum computing, (classical) verification of quantum computing, and quantum money. A typical technique to realize remote state preparation is to use 2-to-1 trapdoor collision-resistant hash functions: Alice sends a 2-to-1 trapdoor collision-resistant hash function $f$ to Bob, and Bob evaluates it on a superposition and measures the image. Bob's post-measurement state is $|x_0\rangle+|x_1\rangle$, where $f(x_0)=f(x_1)=y$. With the trapdoor, Alice can learn $\{x_0,x_1\}$, but due to the collision resistance, Bob cannot. This advantage of Alice's can be leveraged to realize the quantum cryptographic primitives listed above. It seems that the collision resistance is essential here. In this paper, surprisingly, we show that the collision resistance is not necessary for a restricted case: we show that (non-verifiable) remote state preparation of $|x_0\rangle+|x_1\rangle$ secure against classical probabilistic polynomial-time Bob can be constructed from classically-secure (full-domain) trapdoor permutations. Trapdoor permutations are not likely to imply collision resistance, because black-box reductions from collision-resistant hash functions to trapdoor permutations are known to be impossible. As an application of our result, we construct proofs of quantumness from classically-secure (full-domain) trapdoor permutations.
Submitted 25 August, 2022;
originally announced August 2022.
-
Certified Everlasting Functional Encryption
Authors:
Taiga Hiroka,
Tomoyuki Morimae,
Ryo Nishimaki,
Takashi Yamakawa
Abstract:
Computational security in cryptography has a risk that computational assumptions underlying the security are broken in the future. One solution is to construct information-theoretically-secure protocols, but many cryptographic primitives are known to be impossible (or unlikely) to have information-theoretical security even in the quantum world. A nice compromise (intrinsic to quantum) is certified everlasting security, which roughly means the following. A receiver with possession of quantum encrypted data can issue a certificate that shows that the receiver has deleted the encrypted data. If the certificate is valid, the security is guaranteed even if the receiver becomes computationally unbounded. Although several cryptographic primitives, such as commitments and zero-knowledge, have been made certified everlasting secure, there are many other important primitives that are not known to be certified everlasting secure.
In this paper, we introduce certified everlasting FE. In this primitive, the receiver with the ciphertext of a message m and the functional decryption key of a function f can obtain f(m) and nothing else. The security holds even if the adversary becomes computationally unbounded after issuing a valid certificate. We first construct certified everlasting FE for P/poly circuits where only a single key query is allowed for the adversary. We then extend it to a q-bounded one for NC1 circuits, where q-bounded means that q key queries are allowed for the adversary with an a priori bounded polynomial q. For the construction of certified everlasting FE, we introduce and construct certified everlasting versions of secret-key encryption, public-key encryption, receiver non-committing encryption, and a garbling scheme, which are of independent interest.
Submitted 28 July, 2022;
originally announced July 2022.
-
Improved Hardness Results for the Guided Local Hamiltonian Problem
Authors:
Chris Cade,
Marten Folkertsma,
Sevag Gharibian,
Ryu Hayakawa,
François Le Gall,
Tomoyuki Morimae,
Jordi Weggemans
Abstract:
Estimating the ground state energy of a local Hamiltonian is a central problem in quantum chemistry. In order to further investigate its complexity and the potential of quantum algorithms for quantum chemistry, Gharibian and Le Gall (STOC 2022) recently introduced the guided local Hamiltonian problem (GLH), which is a variant of the local Hamiltonian problem where an approximation of a ground state (which is called a guiding state) is given as an additional input. Gharibian and Le Gall showed quantum advantage (more precisely, BQP-completeness) for GLH with $6$-local Hamiltonians when the guiding state has fidelity (inverse-polynomially) close to $1/2$ with a ground state.
In this paper, we optimally improve both the locality and the fidelity parameter: we show that the BQP-completeness persists even with 2-local Hamiltonians, and even when the guiding state has fidelity (inverse-polynomially) close to 1 with a ground state. Moreover, we show that the BQP-completeness also holds for 2-local physically motivated Hamiltonians on a 2D square lattice or a 2D triangular lattice. Beyond the hardness of estimating the ground state energy, we also show that BQP-hardness persists when considering estimating energies of excited states of these Hamiltonians instead. These results make further steps towards establishing practical quantum advantage in quantum chemistry.
Submitted 3 February, 2024; v1 submitted 20 July, 2022;
originally announced July 2022.
-
Quantum commitments and signatures without one-way functions
Authors:
Tomoyuki Morimae,
Takashi Yamakawa
Abstract:
In the classical world, the existence of commitments is equivalent to the existence of one-way functions. In the quantum setting, on the other hand, commitments are not known to imply one-way functions, but all known constructions of quantum commitments use at least one-way functions. Are one-way functions really necessary for commitments in the quantum world? In this work, we show that non-interactive quantum commitments (for classical messages) with computational hiding and statistical binding exist if pseudorandom quantum states exist. Pseudorandom quantum states are sets of quantum states that are efficiently generated but their polynomially many copies are computationally indistinguishable from the same number of copies of Haar random states [Ji, Liu, and Song, CRYPTO 2018]. It is known that pseudorandom quantum states exist even if $\mathbf{BQP}=\mathbf{QMA}$ (relative to a quantum oracle) [Kretschmer, TQC 2021], which means that pseudorandom quantum states can exist even if no quantum-secure classical cryptographic primitive exists. Our result therefore shows that quantum commitments can exist even if no quantum-secure classical cryptographic primitive exists. In particular, quantum commitments can exist even if no quantum-secure one-way function exists. In this work, we also consider digital signatures, which are other fundamental primitives in cryptography. We show that one-time secure digital signatures with quantum public keys exist if pseudorandom quantum states exist. In the classical setting, the existence of digital signatures is equivalent to the existence of one-way functions. Our result, on the other hand, shows that quantum signatures can exist even if no quantum-secure classical cryptographic primitive (including quantum-secure one-way functions) exists.
Submitted 14 February, 2022; v1 submitted 12 December, 2021;
originally announced December 2021.
-
Certified Everlasting Zero-Knowledge Proof for QMA
Authors:
Taiga Hiroka,
Tomoyuki Morimae,
Ryo Nishimaki,
Takashi Yamakawa
Abstract:
In known constructions of classical zero-knowledge protocols for NP, either zero-knowledge or soundness holds only against computationally bounded adversaries. Indeed, achieving both statistical zero-knowledge and statistical soundness at the same time with a classical verifier is impossible for NP unless the polynomial-time hierarchy collapses, and it is also believed to be impossible even with a quantum verifier. In this work, we introduce a novel compromise, which we call the certified everlasting zero-knowledge proof for QMA. It is a computational zero-knowledge proof for QMA, but the verifier issues a classical certificate that shows that the verifier has deleted its quantum information. If the certificate is valid, even an unbounded malicious verifier can no longer learn anything beyond the validity of the statement. We construct a certified everlasting zero-knowledge proof for QMA. For the construction, we introduce a new quantum cryptographic primitive, which we call commitment with statistical binding and certified everlasting hiding, where the hiding property becomes statistical once the receiver has issued a valid certificate that shows that the receiver has deleted the committed information. We construct commitment with statistical binding and certified everlasting hiding from quantum encryption with certified deletion by Broadbent and Islam [TCC 2020] (in a black-box way), and then combine it with the quantum sigma-protocol for QMA by Broadbent and Grilo [FOCS 2020] to construct the certified everlasting zero-knowledge proof for QMA. Our constructions are secure in the quantum random oracle model. Commitment with statistical binding and certified everlasting hiding is itself of independent interest, and there will be many other useful applications beyond zero-knowledge.
△ Less
Submitted 28 September, 2021;
originally announced September 2021.
-
Quantum Encryption with Certified Deletion, Revisited: Public Key, Attribute-Based, and Classical Communication
Authors:
Taiga Hiroka,
Tomoyuki Morimae,
Ryo Nishimaki,
Takashi Yamakawa
Abstract:
Broadbent and Islam (TCC '20) proposed a quantum cryptographic primitive called quantum encryption with certified deletion. In this primitive, a receiver in possession of a quantum ciphertext can generate a classical certificate that the encrypted message is deleted. Although their construction is information-theoretically secure, it is limited to the setting of one-time symmetric key encryption (SKE), where a sender and receiver have to share a common key in advance and the key can be used only once. Moreover, the sender has to generate a quantum state and send it to the receiver over a quantum channel in their construction. Although deletion certificates are privately verifiable, which means a verification key for a certificate has to be kept secret, in the definition by Broadbent and Islam, we can also consider public verifiability.
In this work, we present various constructions of encryption with certified deletion.
- Quantum communication case: We achieve (reusable-key) public key encryption (PKE) and attribute-based encryption (ABE) with certified deletion. Our PKE scheme with certified deletion is constructed assuming the existence of IND-CPA secure PKE, and our ABE scheme with certified deletion is constructed assuming the existence of indistinguishability obfuscation and one-way function. These two schemes are privately verifiable.
- Classical communication case: We also achieve PKE with certified deletion that uses only classical communication. We give two schemes, a privately verifiable one and a publicly verifiable one. The former is constructed assuming the LWE assumption in the quantum random oracle model. The latter is constructed assuming the existence of one-shot signatures and extractable witness encryption.
Submitted 11 May, 2021;
originally announced May 2021.
-
Classically Verifiable NIZK for QMA with Preprocessing
Authors:
Tomoyuki Morimae,
Takashi Yamakawa
Abstract:
We propose three constructions of classically verifiable non-interactive zero-knowledge proofs and arguments (CV-NIZK) for QMA in various preprocessing models.
- We construct a CV-NIZK for QMA in the quantum secret parameter model where a trusted setup sends a quantum proving key to the prover and a classical verification key to the verifier. It is information theoretically sound and zero-knowledge.
- Assuming the quantum hardness of the learning with errors problem, we construct a CV-NIZK for QMA in a model where a trusted party generates a CRS and the verifier sends an instance-independent quantum message to the prover as preprocessing. This model is the same as one considered in the recent work by Coladangelo, Vidick, and Zhang (CRYPTO '20).
Our construction has the so-called dual-mode property, which means that there are two computationally indistinguishable modes of generating the CRS, and we have information-theoretical soundness in one mode and the information-theoretical zero-knowledge property in the other. This answers an open problem left by Coladangelo et al., which is to achieve either soundness or zero-knowledge information theoretically. To the best of our knowledge, ours is the first dual-mode NIZK for QMA in any kind of model.
- We construct a CV-NIZK for QMA with quantum preprocessing in the quantum random oracle model. This quantum preprocessing is the one where the verifier sends random Pauli-basis states to the prover. Our construction uses the Fiat-Shamir transformation. The quantum preprocessing can be replaced with a setup that distributes Bell pairs among the prover and the verifier, and therefore we solve the open problem by Broadbent and Grilo (FOCS '20) about the possibility of NIZK for QMA in the shared Bell pair model via the Fiat-Shamir transformation.
Submitted 14 November, 2022; v1 submitted 17 February, 2021;
originally announced February 2021.
-
Quantum randomized encoding, verification of quantum computing, no-cloning, and blind quantum computing
Authors:
Tomoyuki Morimae
Abstract:
Randomized encoding is a powerful cryptographic primitive with various applications such as secure multiparty computation, verifiable computation, parallel cryptography, and complexity lower bounds. Intuitively, a randomized encoding $\hat{f}$ of a function $f$ is another function such that $f(x)$ can be recovered from $\hat{f}(x)$, and nothing except for $f(x)$ is leaked from $\hat{f}(x)$. Its quantum version, quantum randomized encoding, has been introduced recently [Brakerski and Yuen, arXiv:2006.01085]. Intuitively, a quantum randomized encoding $\hat{F}$ of a quantum operation $F$ is another quantum operation such that, for any quantum state $ρ$, $F(ρ)$ can be recovered from $\hat{F}(ρ)$, and nothing except for $F(ρ)$ is leaked from $\hat{F}(ρ)$. In this paper, we show that if quantum randomized encoding of BB84 state generations is possible with an encoding operation $E$, then a two-round verification of quantum computing is possible with a classical verifier who can additionally do the operation $E$. One of the most important goals in the field of the verification of quantum computing is to construct a verification protocol with a verifier as classical as possible. This result therefore demonstrates a potential application of quantum randomized encoding to the verification of quantum computing: if we can find a good quantum randomized encoding (in terms of the encoding complexity), then we can construct a good verification protocol for quantum computing. We, however, also show that too good a quantum randomized encoding is impossible: if quantum randomized encoding with a classical encoding operation is possible, then no-cloning is violated. We finally consider a natural modification of blind quantum computing protocols in such a way that the server gets the output, as in quantum randomized encoding. We show that the modified protocol is not secure.
Submitted 3 November, 2021; v1 submitted 5 November, 2020;
originally announced November 2020.
-
Information-theoretically-sound non-interactive classical verification of quantum computing with trusted center
Authors:
Tomoyuki Morimae
Abstract:
The posthoc verification protocol [J. F. Fitzsimons, M. Hajdušek, and T. Morimae, Physical Review Letters 120, 040501 (2018)] enables an information-theoretically-sound non-interactive verification of quantum computing, but the message from the prover to the verifier is quantum and the verifier has to do single-qubit measurements. The Mahadev protocol removes these quantum parts, but the soundness becomes computational. In this paper, we construct an information-theoretically-sound non-interactive classical verification protocol for quantum computing with a trusted center. The trusted center sends random BB84 states to the prover, and the classical descriptions of these BB84 states to the verifier. The messages from the center to the prover and the verifier are independent of the instance. By slightly modifying our protocol, we also construct a non-interactive statistical zero-knowledge proof system for QMA with the trusted center.
Submitted 24 March, 2020;
originally announced March 2020.
-
Sumcheck-based delegation of quantum computing to rational server
Authors:
Yuki Takeuchi,
Tomoyuki Morimae,
Seiichiro Tani
Abstract:
Delegated quantum computing enables a client with weak computational power to delegate quantum computing to a remote quantum server in such a way that the integrity of the server can be efficiently verified by the client. Recently, a new model of delegated quantum computing has been proposed, namely, rational delegated quantum computing. In this model, after the client interacts with the server, the client pays a reward to the server. The rational server sends messages that maximize the expected value of the reward. It is known that the classical client can delegate universal quantum computing to the rational quantum server in one round. In this paper, we propose novel one-round rational delegated quantum computing protocols by generalizing the classical rational sumcheck protocol. The construction of the previous rational protocols depends on gate sets, while our sumcheck technique can be easily realized with any local gate set. Furthermore, as with the previous protocols, our reward function satisfies natural requirements. We also discuss the reward gap. Simply speaking, the reward gap is a minimum loss on the expected value of the server's reward incurred by the server's behavior that makes the client accept an incorrect answer. Although our sumcheck-based protocols have only exponentially small reward gaps as in the previous protocols, we show that a constant reward gap can be achieved if two noncommunicating but entangled rational servers are allowed. We also discuss whether a single rational server is sufficient under the (widely believed) assumption that the learning-with-errors problem is hard for polynomial-time quantum computing. Apart from these results, we show, under a certain condition, the equivalence between $rational$ and $ordinary$ delegated quantum computing protocols. This equivalence then serves as a basis for a reward-gap amplification method.
Submitted 6 July, 2022; v1 submitted 12 November, 2019;
originally announced November 2019.
-
Fine-grained quantum supremacy based on Orthogonal Vectors, 3-SUM and All-Pairs Shortest Paths
Authors:
Ryu Hayakawa,
Tomoyuki Morimae,
Suguru Tamaki
Abstract:
Fine-grained quantum supremacy is a study of proving (nearly) tight time lower bounds for classical simulations of quantum computing under "fine-grained complexity" assumptions. We show that under conjectures on Orthogonal Vectors (OV), 3-SUM, All-Pairs Shortest Paths (APSP) and their variants, strong and weak classical simulations of quantum computing are impossible in certain exponential time with respect to the number of qubits. Those conjectures are widely used in classical fine-grained complexity theory in which polynomial time hardness is conjectured. All previous results of fine-grained quantum supremacy are based on ETH, SETH, or their variants that are conjectures for SAT in which exponential time hardness is conjectured. We show that there exist quantum circuits which cannot be classically simulated in certain exponential time with respect to the number of qubits first by considering a Quantum Random Access Memory (QRAM) based quantum computing model and next by considering a non-QRAM model quantum computation. In the case of the QRAM model, the size of quantum circuits is linear with respect to the number of qubits and in the case of the non-QRAM model, the size of the quantum circuits is exponential with respect to the number of qubits but the results are still non-trivial.
Submitted 7 November, 2019; v1 submitted 22 February, 2019;
originally announced February 2019.
-
Fine-grained quantum computational supremacy
Authors:
Tomoyuki Morimae,
Suguru Tamaki
Abstract:
Output probability distributions of several sub-universal quantum computing models cannot be classically efficiently sampled unless some unlikely consequences occur in classical complexity theory, such as the collapse of the polynomial-time hierarchy. These results, so-called quantum supremacy, however, do not rule out the possibility of super-polynomial-time classical simulations. In this paper, we study a "fine-grained" version of quantum supremacy that excludes some exponential-time classical simulations. First, we focus on two sub-universal models, namely, the one-clean-qubit model (or the DQC1 model) and the HC1Q model. Assuming certain conjectures in fine-grained complexity theory, we show that for any $a>0$ the output probability distributions of these models cannot be classically sampled within a constant multiplicative error in $2^{(1-a)N+o(N)}$ time, where $N$ is the number of qubits. Next, we consider universal quantum computing. For example, we consider quantum computing over Clifford and $T$ gates, and show that under another fine-grained complexity conjecture, output probability distributions of Clifford-$T$ quantum computing cannot be classically sampled in $2^{o(t)}$ time within a constant multiplicative error, where $t$ is the number of $T$ gates.
Submitted 18 October, 2019; v1 submitted 6 January, 2019;
originally announced January 2019.
-
Impossibility of blind quantum sampling for classical client
Authors:
Tomoyuki Morimae,
Harumichi Nishimura,
Yuki Takeuchi,
Seiichiro Tani
Abstract:
Blind quantum computing enables a client, who can only generate or measure single-qubit states, to delegate quantum computing to a remote quantum server in such a way that the input, output, and program are hidden from the server. It is an open problem whether a completely classical client can delegate quantum computing blindly. In this paper, we show that if a completely classical client can blindly delegate sampling of subuniversal models, such as the DQC1 model and the IQP model, then the polynomial-time hierarchy collapses to the third level. Our delegation protocol is the one where the client first sends a polynomial-length bit string to the server and then the server returns a single bit to the client. Generalizing the no-go result to more general setups is an open problem.
Submitted 10 December, 2018;
originally announced December 2018.
-
Interactive Proofs with Polynomial-Time Quantum Prover for Computing the Order of Solvable Groups
Authors:
François Le Gall,
Tomoyuki Morimae,
Harumichi Nishimura,
Yuki Takeuchi
Abstract:
In this paper we consider what can be computed by a user interacting with a potentially malicious server, when the server performs polynomial-time quantum computation but the user can only perform polynomial-time classical (i.e., non-quantum) computation. Understanding the computational power of this model, which corresponds to polynomial-time quantum computation that can be efficiently verified classically, is a well-known open problem in quantum computing. Our result shows that computing the order of a solvable group, which is one of the most general problems for which quantum computing exhibits an exponential speed-up with respect to classical computing, can be realized in this model.
Submitted 9 May, 2018;
originally announced May 2018.
-
Rational proofs for quantum computing
Authors:
Tomoyuki Morimae,
Harumichi Nishimura
Abstract:
It is an open problem whether a classical client can delegate quantum computing to an efficient remote quantum server in such a way that the correctness of quantum computing is somehow guaranteed. Several protocols for verifiable delegated quantum computing have been proposed, but the client is not completely free from any quantum technology: the client has to generate or measure single-qubit states. In this paper, we show that the client can be completely classical if the server is rational (i.e., economically motivated), following the "rational proofs" framework of Azar and Micali. More precisely, we consider the following protocol. The server first sends the client a message allegedly equal to the solution of the problem that the client wants to solve. The client then gives the server a monetary reward whose amount is calculated in classical probabilistic polynomial-time by using the server's message as an input. The reward function is constructed in such a way that the expectation value of the reward (the expectation over the client's probabilistic computing) is maximum when the server's message is the correct solution to the problem. The rational server who wants to maximize his/her profit therefore has to send the correct solution to the client.
Submitted 11 March, 2020; v1 submitted 24 April, 2018;
originally announced April 2018.
-
Merlin-Arthur with efficient quantum Merlin and quantum supremacy for the second level of the Fourier hierarchy
Authors:
Tomoyuki Morimae,
Yuki Takeuchi,
Harumichi Nishimura
Abstract:
We introduce a simple sub-universal quantum computing model, which we call the Hadamard-classical circuit with one-qubit (HC1Q) model. It consists of a classical reversible circuit sandwiched by two layers of Hadamard gates, and therefore it is in the second level of the Fourier hierarchy. We show that output probability distributions of the HC1Q model cannot be classically efficiently sampled within a multiplicative error unless the polynomial-time hierarchy collapses to the second level. The proof technique is different from those used for previous sub-universal models, such as IQP, Boson Sampling, and DQC1, and therefore the technique itself might be useful for finding other sub-universal models that are hard to classically simulate. We also study the classical verification of quantum computing in the second level of the Fourier hierarchy. To this end, we define a promise problem, which we call the probability distribution distinguishability with maximum norm (PDD-Max). It is a promise problem to decide whether output probability distributions of two quantum circuits are far apart or close. We show that PDD-Max is BQP-complete, but if the two circuits are restricted to some types in the second level of the Fourier hierarchy, such as the HC1Q model or the IQP model, PDD-Max has a Merlin-Arthur system with quantum polynomial-time Merlin and classical probabilistic polynomial-time Arthur.
Submitted 12 November, 2018; v1 submitted 28 November, 2017;
originally announced November 2017.
-
Hardness of classically sampling one clean qubit model with constant total variation distance error
Authors:
Tomoyuki Morimae
Abstract:
The one clean qubit model (or the DQC1 model) is a restricted model of quantum computing where only a single input qubit is pure and all other input qubits are maximally mixed. In spite of the severe restriction, the model can solve several problems (such as calculating Jones polynomials) whose classical efficient solutions are not known. Furthermore, it was shown that if the output probability distribution of the one clean qubit model can be classically efficiently sampled with a constant multiplicative error, then the polynomial hierarchy collapses to the second level. Is it possible to improve the multiplicative error hardness result to a constant total variation distance error one like other sub-universal quantum computing models such as the IQP model, the Boson Sampling model, and the Fourier Sampling model? In this paper, we show that it is indeed possible if we accept a modified version of the average case hardness conjecture. Interestingly, the anti-concentration lemma can be easily shown by using the special property of the one clean qubit model that each output probability is so small that no concentration occurs.
Submitted 12 April, 2017;
originally announced April 2017.
-
Merlinization of complexity classes above BQP
Authors:
Tomoyuki Morimae,
Harumichi Nishimura
Abstract:
We study how complexity classes above BQP, such as postBQP, ${\rm postBQP}_{\rm FP}$, and SBQP, change if we "Merlinize" them, i.e., if we allow an extra input quantum state (or classical bit string) given by Merlin as witness. Main results are the following three: First, the Merlinized version of postBQP is equal to PSPACE. Second, if the Merlinized postBQP is restricted in such a way that the postselection probability is equal to all witness states, then the class is equal to PP. Finally, the Merlinization does not change the class SBQP.
Submitted 5 April, 2017;
originally announced April 2017.
-
Power of one non-clean qubit
Authors:
Tomoyuki Morimae,
Keisuke Fujii,
Harumichi Nishimura
Abstract:
The one-clean qubit model (or the DQC1 model) is a restricted model of quantum computing where only a single qubit of the initial state is pure and the others are maximally mixed. Although the model is not universal, it can efficiently solve several problems whose classical efficient solutions are not known. Furthermore, it was recently shown that if the one-clean qubit model is classically efficiently simulated, the polynomial hierarchy collapses to the second level. A disadvantage of the one-clean qubit model is, however, that the clean qubit is too clean: for example, in realistic NMR experiments, polarizations are not high enough to have a perfectly pure qubit. In this paper, we consider a more realistic one-clean qubit model, where the clean qubit is not clean, but depolarized. We first show that, for any polarization, a multiplicative-error calculation of the output probability distribution of the model is possible in classical polynomial time if we take an appropriately large multiplicative error. The result is in strong contrast to that of the ideal one-clean qubit model, where a classical efficient multiplicative-error calculation (or even sampling) with the same amount of error causes the collapse of the polynomial hierarchy. We next show that, for any polarization lower-bounded by an inverse polynomial, classical efficient sampling (in terms of a sufficiently small multiplicative error or an exponentially-small additive error) of the output probability distribution of the model is impossible unless BQP is contained in the second level of the polynomial hierarchy, which suggests the hardness of the classical efficient simulation of the one non-clean qubit model.
Submitted 23 October, 2016;
originally announced October 2016.
-
Finding resource states of measurement-based quantum computing is harder than quantum computing
Authors:
Tomoyuki Morimae
Abstract:
Measurement-based quantum computing enables universal quantum computing with only adaptive single-qubit measurements on certain many-qubit states, such as the graph state, the Affleck-Kennedy-Lieb-Tasaki (AKLT) state, and several tensor-network states. Finding new resource states of measurement-based quantum computing is a hard task, since for a given state there are exponentially many possible measurement patterns on the state. In this paper, we consider the problem of deciding, for a given state and a set of unitary operators, whether or not there exists a way of measurement-based quantum computing on the state that can realize all unitaries in the set. We show that the decision problem is QCMA-hard, which means that finding new resource states of measurement-based quantum computing is harder than quantum computing itself (unless BQP is equal to QCMA). We also derive an upper bound for the decision problem: the problem is in a quantum version of the second level of the polynomial hierarchy.
Submitted 1 September, 2016;
originally announced September 2016.
-
Quantum Merlin-Arthur with noisy channel
Authors:
Tomoyuki Morimae,
Keisuke Fujii,
Harumichi Nishimura
Abstract:
What happens if in QMA the quantum channel between Merlin and Arthur is noisy? It is not difficult to show that such a modification does not change the computational power as long as the noise is not too strong, so that errors are correctable with high probability: if Merlin encodes the witness state in a quantum error-correcting code and sends it to Arthur, Arthur can correct the errors caused by the noisy channel. If we further assume that Arthur can do only single-qubit measurements, however, the problem becomes nontrivial, since in this case Arthur cannot do universal quantum computation by himself. In this paper, we show that such a restricted complexity class is still equivalent to QMA. To show it, we use measurement-based quantum computing: honest Merlin sends the graph state to Arthur, and Arthur does fault-tolerant measurement-based quantum computing on the noisy graph state with only single-qubit measurements. By measuring stabilizer operators, Arthur also checks the correctness of the graph state. Although this idea itself was already used in several previous papers, these results cannot be directly applied to the present case, since the test that checks the graph state used in these papers is so strict that even honest Merlin is rejected with high probability if the channel is noisy. We therefore introduce a more relaxed test that can accept not only the ideal graph state but also noisy graph states that are error-correctable.
Submitted 16 August, 2016;
originally announced August 2016.
-
Quantum state and circuit distinguishability with single-qubit measurements
Authors:
Tomoyuki Morimae
Abstract:
We show that the Quantum State Distinguishability (QSD), which is a QSZK-complete problem, and the Quantum Circuit Distinguishability (QCD), which is a QIP-complete problem, can be solved by the verifier who can perform only single-qubit measurements. To show these results, we use measurement-based quantum computing: the honest prover sends a graph state to the verifier, and the verifier can perform universal quantum computing on it with only single-qubit measurements. If the prover is malicious, he does not necessarily generate the correct graph state, but the verifier can verify the correctness of the graph state by measuring the stabilizer operators.
Submitted 2 July, 2016;
originally announced July 2016.
-
Space-Efficient Error Reduction for Unitary Quantum Computations
Authors:
Bill Fefferman,
Hirotada Kobayashi,
Cedric Yen-Yu Lin,
Tomoyuki Morimae,
Harumichi Nishimura
Abstract:
This paper develops general space-efficient methods for error reduction for unitary quantum computation. Consider a polynomial-time quantum computation with completeness $c$ and soundness $s$, either with or without a witness (corresponding to QMA and BQP, respectively). To convert this computation into a new computation with error at most $2^{-p}$, the most space-efficient method known requires extra workspace of ${O \bigl( p \log \frac{1}{c-s} \bigr)}$ qubits. This space requirement is too large for scenarios like logarithmic-space quantum computations. This paper presents error-reduction methods for unitary quantum computations (i.e., computations without intermediate measurements) that require extra workspace of just ${O \bigl( \log \frac{p}{c-s} \bigr)}$ qubits. This in particular gives the first methods of strong amplification for logarithmic-space unitary quantum computations with two-sided bounded error. This also leads to a number of consequences in complexity theory, such as the uselessness of quantum witnesses in bounded-error logarithmic-space unitary quantum computations, the PSPACE upper bound for QMA with exponentially-small completeness-soundness gap, and strong amplification for matchgate computations.
Submitted 27 April, 2016;
originally announced April 2016.
-
Quantum Arthur-Merlin with single-qubit measurements
Authors:
Tomoyuki Morimae
Abstract:
We show that the class QAM does not change even if the verifier's ability is restricted to only single-qubit measurements. To show the result, we use the idea of measurement-based quantum computing: the verifier, who can do only single-qubit measurements, can test the graph state sent from the prover and use it for his measurement-based quantum computing. We also introduce a new QMA-complete problem related to the stabilizer test.
Submitted 27 February, 2016;
originally announced February 2016.
-
Modified group non-membership is in AWPP
Authors:
Tomoyuki Morimae,
Harumichi Nishimura,
Francois Le Gall
Abstract:
It is known that the group non-membership problem is in QMA relative to any group oracle and in ${\rm SPP}\cap{\rm BQP}$ relative to group oracles for solvable groups. We consider a modified version of the group non-membership problem where the order of the group is also given as an additional input. We show that the problem is in AWPP relative to any group oracle. To show the result, we use the idea of postselected quantum computing.
Submitted 19 February, 2016;
originally announced February 2016.
-
Quantum proofs can be verified using only single qubit measurements
Authors:
Tomoyuki Morimae,
Daniel Nagaj,
Norbert Schuch
Abstract:
QMA (Quantum Merlin Arthur) is the class of problems which, though potentially hard to solve, have a quantum solution which can be verified efficiently using a quantum computer. It thus forms a natural quantum version of the classical complexity class NP (and its probabilistic variant MA, Merlin-Arthur games), where the verifier has only classical computational resources. In this paper, we study what happens when we restrict the quantum resources of the verifier to the bare minimum: individual measurements on single qubits received as they come, one by one. We find that despite this grave restriction, it is still possible to soundly verify any problem in QMA for the verifier with the minimum quantum resources possible, without using any quantum memory or multiqubit operations. We provide two independent proofs of this fact, based on measurement-based quantum computation and the local Hamiltonian problem, respectively. The former construction also applies to QMA$_1$, i.e., QMA with one-sided error.
Submitted 22 October, 2015;
originally announced October 2015.
-
Power of Quantum Computation with Few Clean Qubits
Authors:
Keisuke Fujii,
Hirotada Kobayashi,
Tomoyuki Morimae,
Harumichi Nishimura,
Shuhei Tamate,
Seiichiro Tani
Abstract:
This paper investigates the power of polynomial-time quantum computation in which only a very limited number of qubits are initially clean in the |0> state, and all the remaining qubits are initially in the totally mixed state. No initializations of qubits are allowed during the computation, nor intermediate measurements. The main results of this paper are unexpectedly strong error-reducible properties of such quantum computations. It is proved that any problem solvable by a polynomial-time quantum computation with one-sided bounded error that uses logarithmically many clean qubits can also be solved with exponentially small one-sided error using just two clean qubits, and with polynomially small one-sided error using just one clean qubit. It is further proved in the case of two-sided bounded error that any problem solvable by such a computation with a constant gap between completeness and soundness using logarithmically many clean qubits can also be solved with exponentially small two-sided error using just two clean qubits. If only one clean qubit is available, the problem is again still solvable with exponentially small error in one of the completeness and soundness and polynomially small error in the other. As an immediate consequence of the above result for the two-sided-error case, it follows that the TRACE ESTIMATION problem defined with fixed constant threshold parameters is complete for the classes of problems solvable by polynomial-time quantum computations with completeness 2/3 and soundness 1/3 using logarithmically many clean qubits and just one clean qubit. The techniques used for proving the error-reduction results may be of independent interest in themselves, and one of the technical tools can also be used to show the hardness of weak classical simulations of one-clean-qubit computations (i.e., DQC1 computations).
Submitted 24 September, 2015;
originally announced September 2015.
-
Quantum interpretations of AWPP and APP
Authors:
Tomoyuki Morimae,
Harumichi Nishimura
Abstract:
AWPP is a complexity class introduced by Fenner, Fortnow, Kurtz, and Li, which is defined using GapP functions. Although it is an important class as the best known upper bound of BQP, its definition seems somewhat artificial, and therefore it would be better if we had some "physical interpretation" of AWPP. Here we provide a quantum physical interpretation of AWPP: we show that AWPP is equal to the class of problems efficiently solved by a quantum computer with the ability of postselecting an event whose probability is close to an FP function. This result is also applied to obtain a quantum physical interpretation of APP. In addition, we consider a "classical physical analogue" of these results, and show that a restricted version of ${\rm BPP}_{\rm path}$ contains ${\rm UP}\cap{\rm coUP}$ and is contained in WAPP.
Submitted 11 February, 2016; v1 submitted 30 January, 2015;
originally announced February 2015.
-
Impossibility of Classically Simulating One-Clean-Qubit Computation
Authors:
Keisuke Fujii,
Hirotada Kobayashi,
Tomoyuki Morimae,
Harumichi Nishimura,
Shuhei Tamate,
Seiichiro Tani
Abstract:
Deterministic quantum computation with one quantum bit (DQC1) is a restricted model of quantum computing where the input state is the completely mixed state except for a single clean qubit, and only a single output qubit is measured at the end of the computation. It is proved that the restriction of quantum computation to the DQC1 model does not change the complexity classes NQP and SBQP. As a main consequence, it follows that the DQC1 model cannot be efficiently simulated by classical computers unless the polynomial-time hierarchy collapses to the second level (more precisely, to AM), which answers the long-standing open problem posed by Knill and Laflamme under a very plausible complexity assumption. The argument developed in this paper also weakens the complexity assumption necessary for the existing impossibility results on classical simulation of various sub-universal quantum computing models, such as the IQP model and Boson sampling.
Submitted 26 February, 2015; v1 submitted 23 September, 2014;
originally announced September 2014.
-
On the hardness of classically simulating the one clean qubit model
Authors:
Tomoyuki Morimae,
Keisuke Fujii,
Joseph F. Fitzsimons
Abstract:
Deterministic quantum computation with one quantum bit (DQC1) is a model of quantum computing where the input is restricted to containing a single qubit in a pure state and with all other qubits in a completely mixed state, with only a single-qubit measurement at the end of the computation [E. Knill and R. Laflamme, Phys. Rev. Lett. 81, 5672 (1998)]. While it is known that DQC1 can efficiently solve several problems for which no known classical efficient algorithms exist, the question of whether DQC1 is really more powerful than classical computation remains open. In this paper, we introduce a slightly modified version of DQC1, which we call DQC1$_k$, where $k$ output qubits are measured, and show that DQC1$_k$ cannot be classically efficiently simulated for any $k\geq3$ unless the polynomial hierarchy collapses at the third level.
Submitted 2 April, 2014; v1 submitted 9 December, 2013;
originally announced December 2013.
-
Quantum Commuting Circuits and Complexity of Ising Partition Functions
Authors:
Keisuke Fujii,
Tomoyuki Morimae
Abstract:
Instantaneous quantum polynomial-time (IQP) computation is a class of quantum computation consisting only of commuting two-qubit gates and is not universal in the sense of standard quantum computation. Nevertheless, it has been shown that if there is a classical algorithm that can simulate IQP efficiently, the polynomial hierarchy (PH) collapses at the third level, which is highly implausible. However, the origin of this classical intractability is still not well understood. Here we establish a relationship between IQP and the computational complexity of the partition functions of Ising models. We apply the established relationship in two opposite directions. One direction is to find subclasses of IQP that are classically efficiently simulatable in the strong sense, by using the exact solvability of certain types of Ising models. The other direction is to apply the quantum computational complexity of IQP to investigate the (im)possibility of efficient classical approximations of Ising models with imaginary coupling constants. Specifically, we show that there is no fully polynomial randomized approximation scheme (FPRAS) for Ising models with almost all imaginary coupling constants, even on a planar graph of bounded degree, unless the PH collapses at the third level. Furthermore, we also show that a multiplicative approximation of such a class of Ising partition functions is at least as hard as a multiplicative approximation of the output distribution of an arbitrary quantum circuit.
Submitted 30 August, 2016; v1 submitted 8 November, 2013;
originally announced November 2013.