Then what about factoring? The is a tonne of number theoretic structure underlying factoring. When factoring is suitably phrased as a decision problem (like, is there a factor less than \( X \)) even its complement (is there no factor less than \( X \)) has a small proof (just give the factors) and hence is in \( \NP \). So factoring is in \( \NP \cap \coNP \). If factoring were \( \NP \)-hard then \( \NP = \coNP \), which we believe is false. (If you wanna convince yourself of this, think about SAT (Is there a satisfying assignment) and its complement TAUTOLOGY (Is there no satisfying assignment)).

If you are interested in exponential quantum speedups, I highly recommend that you read the introduction section of this paper by Scott Aaronson and Andris Ambainis.

Quantum computers being able to solve \( \NP \)-complete problems would be nice for some applications (see, for instance, Lance Fortnow’s book) but would also destroy all cryptography, and is very unlikely in light of the evidence I just presented.

At some point, I might explain the argument for the optimality of Grover’s algorithm but till then I will direct you to Andris Ambainis’ beautiful thesis which, in my view, has the clearest proof of it.

]]>*Can you always parallelize the quantum part of a quantum computation; more precisely, is there even a relativised world where \( \BPP^{\BQNC} \neq \BQP \)?*

*Is there a relativised world where \( \QIP(2) \not\subseteq \AM \)?*

The first problem was apparently first stated by Richard Jozsa and is also mentioned in Scott Aaronson’s Projects aplenty post but it deserves more press. When I say *relativisation*, I mean classical relativisation. Also, I am only interested in the decision problem versions of these classes.

But these problems are relatively non-trivial to state. You need an undergrad in CS and respectively math to properly understand these problems (Unless you’re at Waterloo, in which case you need a BMath in CS for the former^{2}. ;p). For instance, \( \mathrm{P} \) vs. \( \mathrm{NP} \) isn’t exactly about verification vs. provability but rather about polynomial deterministic verification vs. deterministic provability. (Yes, the probabilistic version–\( \mathrm{BPP} \) vs. \( \mathrm{MA} \) is also open and so is \( \mathrm{P} \) vs. \( \mathrm{PSPACE} \) but I think you get my point!)

But try this: It is not yet proven that \( e+\pi \) is irrational! To refresh your memory, a rational number is one that can be expressed as \( \frac{p}{q} \) for \( p,q \) being integers and \( \gcd(p,q) = 1 \). But we know due to the wonderful work of Hermite (1973) and Lindemann (1882) that \( e \) and \( \pi \) respectively are transcendental. Again, transcendental means that it is not algebraic over the rationals. For those of you with social lives, it means that it cannot be expressed as a root of a polynomial with rational coefficients. And from this it follows that any real transcendental number is irrational.

For a friendly introduction to the Riemann hypothesis see “A Friendly Introduction to The Riemann Hypothesis” by Thomas Wright. And for \( \mathrm{P} \) vs. \( \mathrm{NP} \), see “The Golden Ticket P, NP, and the Search for the Impossible” by Lance Fortnow^{3}.

Note. I was going to make a proper blog post on this (I still may at some point. Also, my blog is not ready, for instance, LaTeX is not working).

Recently, I was visiting IIT-Kanpur and I was surprised by them not taking Shor’s factoring algorithm as a sign of *quantum advantage* (I swore to never use the term “quantum supremacy”). With this post I hope to convey some insight into the arguments of both sides.

**Me:** Factoring is hard for classical computers and since there exists an efficient quantum algorithm for factoring, quantum computers can solve more problems!

**The audience at IIT-K:** Well, there is no proof of that! (There isn’t!) Moreover, an efficient factoring algorithm for quantum computers increases the likelihood of an efficient classical algorithm for factoring (I believe that it does!).

Adding to the pain, an unpublished result of Mosca says that there exists an exact quantum algorithm for factoring! And under the assumption that \( \textrm{EQP} \neq \textrm{BQP} \) (I will explain this in a another post but for now take my word that this is very different from the widely held conjuncture that \( \textrm{P} = \textrm{BPP} \)), __Factoring__ is one of the easier problems a quantum computer can solve!

So, *why do I think factoring is hard?*

Because in the black box setting, __PeriodFinding__ is *provably hard* for classical computers but easy for quantum computers (*Shor’s actual result!*). What does this have to do with factoring? And what is a black box? (Is it anything like the orange boxes?)

But, first, __PeriodFinding__ is the problem of finding the period of a function that is promised to be periodic (duh!). By a simple number-theoretic reduction you can use an efficient algorithm for period finding to solve factoring (see any one of the \( 10^{10^{10}} \) articles on Shor’s algorithm online).

So does this implication go the other way (ie does an efficient algorithm for factoring imply an efficient algorithm for period finding)? We do not know. But I trust black boxes (and orange boxes!).

Actually, *I believe that quantum computers are strictly more powerful than classical computers?*

Why? you ask. We need to go all the way back to the dark days of 1993 when Quantum Computing was solely done by physicists and papers on the topic had phrases like “quantum parallelism”, when a sage and his grad student did the first complexity theoretic study of quantum computing. Bernstein and Vazirani showed that quantum computers were better than classical probabilistic computers in the black box setting by giving an efficient quantum algorithm for __RecursiveFourierSampling__ (which btw until recently was one of the top candidates for showing \( \textrm{BQP} \not\subseteq \textrm{PH} \) (Which is still an open problem, if anyone is interested.) which is not efficiently computable classically. Simon then using similar (but not too similar!) techniques proved that a quantum computer can also efficiently solve Simon’s problem (invariance under an XOR mask, or __PeriodFinding__ but in \( \mathbb{Z}/2\mathbb{Z} \)). Shor then extended that to \( \mathbb{Z}/n\mathbb{Z} \) to get an efficient quantum algorithm for __PeriodFinding__ and hence __Factoring__. In the same paper, Shor also gave an efficient quantum algorithm for __DiscreteLogarithm__ which is another problem which is conjectured to be hard for classical computer and on whose presumed hardness many cryptosystems are proven safe!

Also, the guys at IIT-K are not crazy. Recently (I mean in 2002, it is still more than a decade “recent” than quantum computing!) a group of three mathematicians (Agrawal, Kayal and Saxena; two of them were undergrads at the time!! #goals) at IIT-K showed that __Primality__ was in \( \textrm{P} \) ie there exists a deterministic polynomial time algorithm for checking if a number is prime. So, that’s the dream. But the case with __Primality__ is very different from that with __Factoring__. For instance, we do not yet have a \( \textrm{BPP} \) algorithm for __Factoring__ but we did for __Primality__. But again, that was not trivial and required a lot of number theory, but one could argue that a proportional amount of effort has also been invested into doing that for __Factoring__. Trivially, if you assume some far-reaching extension of the Riemann hypothesis (like uniformity of primes) you can get an efficient bounded-error algorithm for factoring but at that point you might as well appeal to the Anthropic principle and say that if an efficient primality-testing algorithm existed then we would have already found it! So, yeah this research program is prolly going to take a while. And for the computational number theorists reading this, *I believe in you!*

Regardless, I do not have too much interest in this debate. An efficient classical algorithm for __Factoring__ would merely almost all of current cryptography but theoretically it is still a very easy problem, it is in \( \textrm{UP} \cap \textrm{coUP} \) (the proof without AKS’s primality algorithm is very hard, but with it, is just four words: FUNDAMENTAL THEOREM OF ARITHMETIC!) On a side note, cryptographic assumptions are usually significantly stronger than what we assume in complexity (and people say we are too artificial!), for instance, \( \textrm{P} \neq \textrm{NP} \) cannot give you a public key cryptosystem.

If you cared, (as I wrote on the board during my talk,) my other beliefs are as follows:

\( \mathrm{BPP} = \mathrm{P} \) (See Nisan-Widgerson generator)

\( {\rm NP} \neq {\rm P} \) (See anything Aaronson ever wrote)

\( {\rm BQP} \neq {\rm BPP} \) (If it were untrue then Quantum Mechanics is very wrong)

A fun read regarding some material here is Scott Aaronson’s The Prime Facts: From Euclid to AKS.

]]>I am currently in the process of setting up my blog. I’m busy reading, travelling and writing. If you want to get updates about my future posts, please subscribe to this blog via email or RSS. I promise to help you procrastinate!

Thanks,

Sanketh

]]>