Université Paris-Sud
UFR Scientifique d'Orsay
Scientific report presented for the award of a Habilitation à Diriger des Recherches
Interaction in the Quantum World
Author: Iordanis Kerenidis
Composition of the Jury
Reviewers:
Harry Buhrman, CWI and University of Amsterdam
Oded Regev, ENS Ulm, CNRS
Luca Trevisan, Stanford University
Examiners:
Gerard Cohen, Telecom ParisTech
Serge Massar, Université Libre de Bruxelles
Phong Nguyen, ENS Ulm, INRIA
Christine Paulin (chair), Université Paris-Sud
Brigitte Vallée, Université de Caen, CNRS
Contents
1 Introduction
1.1 Quantum Computation: a primer
2 Quantum Communication Complexity
2.1 The Hidden Matching Problem
2.2 Non-Local Boxes
3 Interactive Proofs
3.1 The importance of the number of witnesses
4 Quantum Cryptography
4.1 Optimal quantum Coin Flipping
4.2 Oblivious Transfer
4.3 Encryption Schemes
4.4 Quantum Statistical Zero Knowledge with non-unitary honest verifier
4.5 Complexity assumptions for Quantum Commitments
5 Interaction with Classical Computer Science
5.1 Non-Local Boxes and Secure Function Evaluation
5.2 Quantum multiparty communication complexity and circuit lower bounds
5.3 Interaction in classical and quantum Zero Knowledge
6 Interaction with the Real World
6.1 Long distance two-party quantum cryptography made simple
Chapter 1
Introduction
Quantum computation studies how information is encoded and processed in quantum mechanical systems. Its goal is to understand the inherent computational power of nature and, although it is a rather new research area, there have already been numerous very exciting results. Shor's algorithm [51] for factoring large numbers shows that quantum computers are probably more powerful than classical ones, since factoring is assumed to be hard for any classical computer. In fact, the hardness of factoring is used as proof of security for most classical cryptographic systems, such as RSA, and hence Shor's result proves that classical cryptography is vulnerable against quantum computers.
In addition, Bennett and Brassard [186] showed that quantum channels can be used constructively to achieve unconditionally secure key distribution and cryptography even against quantum attacks. On the other hand, Bennett et al. [210] have given evidence that quantum computers are not capable of solving NP-complete problems. Understanding the real computational power of nature is a fundamental question at the core of the physical and mathematical sciences.
The study of the power and limitations of quantum computation is an interdisciplinary research area that lies on the boundary of physics, computer science, mathematics and chemistry, and brings together a vast array of powerful theories and methodologies. Moreover, quantum information theory is a rich mathematical theory that, in addition to studying information in quantum mechanical systems, has many connections to other disciplines, including classical computer science and solid-state physics.
Nowadays, with the advance of communication systems and the internet, the computational paradigm has shifted from stand-alone machines to large connected networks. One of the main challenges for the future is to ensure fast, reliable and secure communication between millions of clients.
The goal of my research is to study how the communication of quantum information can ameliorate interaction in this connected world. In what follows we attempt to provide answers to some fundamental questions in this area.
1. Are there distributed computational tasks that can be solved much more efficiently with quantum communication than with classical one?
The importance of this question is evident. A negative answer would mean that there is no real advantage to using quantum communication and hence no need for further study. Fortunately, or unfortunately, this is not the case. There have been a series of examples of distributed tasks that can provably be solved much more efficiently when the players can communicate via quantum channels.
In Chapter 2, we start by defining the Hidden Matching Problem, which was the first example of such a task in the models of bounded-error one-way and public-coin simultaneous messages communication complexity [1, 2, 15, 16]. We also provide applications of this result to cryptography, extractors and streaming algorithms. The Hidden Matching Problem has subsequently been used by numerous researchers as evidence of the power of quantum communication in various models [224, 225, 226, 223].
In subsection 2.2, we show that communication complexity has an intrinsic relation to the notion of non-locality [3, 4]. More specifically, we provide more evidence on the importance of the notion of non-local boxes by showing how they relate to different models of communication complexity.
In Chapter 3, we study the power of quantum communication in the model of interactive proofs and make progress towards proving a quantum analog of the famous Valiant-Vazirani theorem [5].
2. Can quantum communication guarantee security against any all-powerful adversary?
As we have said, the main result that fuels the field of quantum cryptography is the existence of unconditionally secure quantum key distribution. Thenceforth, a long series of work has focused on which other cryptographic primitives are possible with the help of quantum information. Unfortunately, the subsequent results showed the impossibility of secure quantum bit commitment, coin flipping and oblivious transfer and consequently of any type of two-party secure computation [108, 107, 104]. However, several weaker variants of these primitives have been shown to be possible. In Chapter 4, we start by resolving a main open question in the field of quantum cryptography [6]. We describe a quantum coin flipping protocol that achieves the optimal bias possible (Subsection 4.1). More precisely, we present a general method on how to use any weak coin-flipping protocol with cheating probability $1/2 + \varepsilon$ in order to construct a strong coin-flipping protocol with cheating probability $1/\sqrt{2} + O(\varepsilon)$. Our protocol uses roughly the same number of rounds as the weak coin flipping protocol. Combining our construction with Mochon's quantum weak coin flipping protocol that achieves arbitrarily small bias, we conclude that it is possible to construct a quantum strong coin flipping protocol with cheating probability arbitrarily close to $1/\sqrt{2}$, matching Kitaev's lower bound.
In subsection 4.2, we turn our attention to the universal primitive of Oblivious Transfer and provide the first explicit constant lower bounds on the bias of any quantum oblivious transfer protocol [7]. We continue, in subsection 4.3, by looking at the amount of randomness needed in approximate quantum encryption schemes ([8]) and in subsection 4.4, we study the power of quantum zero knowledge with a non-unitary honest verifier [9]. Last, in subsection 4.5 we study quantum computational security by looking at the existence of quantum commitment schemes based on complexity assumptions about quantum zero knowledge [10].
3. Does the study of quantum communication and information have any repercussions for the theory of classical information and computation? Research in quantum computation has long benefited from techniques developed for classical computation. Most of the models of computation, such as query models and communication models, are generalizations of the classical models, and many of the problems studied had been studied previously in classical models. More surprisingly, over the last years the field of quantum information theory has developed increasing connections to other areas of theoretical computer science.
One of the first and best known examples of the use of quantum techniques to solve a classical problem is in fact our work on locally decodable codes. An error correcting code is locally decodable if any bit of the message can be decoded by looking at a very few bits of the codeword, even in the presence of errors. In [17, 18] we showed an optimal lower bound for classical locally decodable codes with two queries, by applying techniques from quantum information theory. We refrain from describing this result in detail in this report, since it already appeared in 2003. However, it is important to note that since then, there has been a steady stream of new results in which techniques from quantum computation have helped resolve or understand questions in classical computation [227, 228, 229, 230, 176, 231, 232, 233, 234].
In Chapter 5, we start by showing how the study of non-local boxes, an important notion in quantum mechanics and non-locality, can be used in order to quantitatively study secure function evaluation [3] (Subsection 5.1). Then, in subsection 5.2, we propose a new technique for proving classical circuit lower bounds by reducing questions about classical communication to potentially easier questions about quantum communication complexity [11, 12]. Last, in subsection 5.3, we show that non-interactive and interactive zero knowledge are equivalent both in the classical and the quantum case in the 'help model', where the dealer is given access to the statement to be proven when generating the reference string [13].
4. How far is theory from reality? When are, if ever, quantum communication protocols going to become commonplace?
We have seen so far many situations, where quantum communication enables us to perform tasks that are much harder or even impossible classically. Or at least in theory. When one tries to implement such primitives, many hurdles need to be overcome.
On the positive side, quantum key distribution has been achieved over a distance of 145km in fiber [202] or 144km in free space [205, 207]. Such protocols are built with current technology and their security proofs take into account experimental conditions that include noise, imperfect apparatus, decoherence, etc. In fact, they are available on the internet!
However, many questions remain. What other primitives can be successfully implemented with current technology (e.g. with a simple photon source, fiber optics and one-qubit measurements)? How can we defeat decoherence and perform these primitives at long range and between many nodes in a quantum network?
In Chapter 6 we use techniques from classical cryptography in order to show that long-range quantum cryptography is actually possible, without resorting to technologically difficult procedures that are not currently available [14]. We are also in the process of studying device-independent security proofs for bit commitment and coin flipping.
We would like to end our discussion on quantum communication by remarking that, unlike in the classical case, quantum interaction is much further developed than stand-alone quantum computation. Even though the most advanced computation is the factoring of the number 15, quantum communication devices that perform unconditionally secure key distribution are commercially available. It is not too far-fetched to say that the quantum internet will probably arrive before the quantum laptop. Our goal is to continue the study of quantum information and communication in order to ensure fast, reliable and secure interaction in the quantum world.
This scientific report is based on work done after the completion of my doctorate degree and corresponds to the first fourteen references at the end of the report.
1.1 Quantum Computation: a primer
We now provide a very short introduction to quantum computation. More details can be found in [45].
Let $H$ denote a 2-dimensional complex vector space, equipped with the standard inner product. We pick an orthonormal basis for this space, label the two basis vectors $|0\rangle$ and $|1\rangle$, and for simplicity identify them with the vectors $\binom{1}{0}$ and $\binom{0}{1}$, respectively. A qubit is a unit length vector in this space, and so can be expressed as a linear combination of the basis states:
$$\alpha_0|0\rangle + \alpha_1|1\rangle = \binom{\alpha_0}{\alpha_1}.$$
Here $\alpha_0, \alpha_1$ are complex amplitudes, and $|\alpha_0|^2 + |\alpha_1|^2 = 1$.
An $m$-qubit system is a unit vector in the $m$-fold tensor space $H \otimes \cdots \otimes H$. The $2^m$ basis states of this space are the $m$-fold tensor products of the states $|0\rangle$ and $|1\rangle$.
For example, the basis states of a 2-qubit system are the four 4-dimensional unit vectors $|0\rangle \otimes |0\rangle$, $|0\rangle \otimes |1\rangle$, $|1\rangle \otimes |0\rangle$, and $|1\rangle \otimes |1\rangle$. We abbreviate, e.g., $|1\rangle \otimes |0\rangle$ to $|1\rangle|0\rangle$, or $|1, 0\rangle$, or $|10\rangle$, or even $|2\rangle$ (since 2 is 10 in binary). With these basis states, an $m$-qubit state $|\varphi\rangle$ is a $2^m$-dimensional complex unit vector
$$|\varphi\rangle = \sum_{i \in \{0,1\}^m} \alpha_i |i\rangle.$$
We use $\langle\varphi| = |\varphi\rangle^*$ to denote the conjugate transpose of the vector $|\varphi\rangle$, and $\langle\varphi|\psi\rangle = \langle\varphi| \cdot |\psi\rangle$ for the inner product between states $|\varphi\rangle$ and $|\psi\rangle$. These two states are orthogonal if $\langle\varphi|\psi\rangle = 0$. The norm of $|\varphi\rangle$ is $\|\varphi\| = \sqrt{\langle\varphi|\varphi\rangle}$.
A mixed state $\{p_i, |\varphi_i\rangle\}$ is a classical distribution over pure quantum states, where the system is in state $|\varphi_i\rangle$ with probability $p_i$. We can represent a mixed quantum state by the density matrix, defined as $\rho = \sum_i p_i |\varphi_i\rangle\langle\varphi_i|$, which is a positive semidefinite operator with trace (sum of diagonal entries) equal to 1. The density matrix of a pure state $|\varphi\rangle$ is $\rho = |\varphi\rangle\langle\varphi|$.
A quantum system is called bipartite if it consists of two subsystems. We can describe the state of each of these subsystems separately with the reduced density matrix. For example, if a quantum state has the form $|\varphi\rangle = \sum_i \sqrt{p_i}\,|i\rangle|\varphi_i\rangle$, then the state of a system holding only the second part of $|\varphi\rangle$ is described by the (reduced) density matrix $\sum_i p_i |\varphi_i\rangle\langle\varphi_i|$.
A quantum state can evolve by a unitary operation or by a measurement. A unitary transformation is a linear mapping that preserves the $\ell_2$ norm. If we apply a unitary $U$ to a state $|\varphi\rangle$, it evolves to $U|\varphi\rangle$. A mixed state $\rho$ evolves to $U \rho U^\dagger$.
The most general measurement allowed by quantum mechanics is specified by a family of positive semidefinite operators $E_i = M_i^* M_i$, $1 \le i \le k$, subject to the condition that $\sum_i E_i = I$. Given a density matrix $\rho$, the probability of observing the $i$th outcome under this measurement is given by the trace $p_i = \mathrm{Tr}(E_i \rho) = \mathrm{Tr}(M_i \rho M_i^*)$. These $p_i$ are nonnegative because $E_i$ and $\rho$ are positive semidefinite. They also sum to 1, as they should:
$$\sum_{i=1}^{k} p_i = \sum_{i=1}^{k} \mathrm{Tr}(E_i \rho) = \mathrm{Tr}\Big(\sum_{i=1}^{k} E_i \rho\Big) = \mathrm{Tr}(I \rho) = 1.$$
If the measurement yields outcome $i$, then the resulting state is $M_i \rho M_i^* / \mathrm{Tr}(M_i \rho M_i^*)$. In particular, if $\rho = |\varphi\rangle\langle\varphi|$, then $p_i = \langle\varphi|E_i|\varphi\rangle = \|M_i|\varphi\rangle\|^2$, and the resulting state is $M_i|\varphi\rangle / \|M_i|\varphi\rangle\|$. A special case is where $k = 2^m$ and $B = \{|\psi_i\rangle\}$ forms an orthonormal basis of the $m$-qubit space. "Measuring in the $B$-basis" means that we apply the measurement given by $E_i = M_i = |\psi_i\rangle\langle\psi_i|$. Applying this to a pure state $|\varphi\rangle$ gives resulting
Chapter 2
Quantum Communication Complexity
One of the main goals of quantum computing is to exhibit problems where quantum computers are much faster (or otherwise better) than classical computers. Preferably exponentially better. The most famous example, Shor's efficient quantum factoring algorithm [51], constitutes a separation only if one is willing to believe that efficient factoring is impossible on a classical computer—proving this would, of course, imply $P \neq NP$. One of the few areas where one can establish unconditional exponential separations is communication complexity.
Communication complexity is a central model of computation, first defined by Yao [53]. It has found applications in many areas [40]. In this model, two parties, Alice with input x and Bob with input y, collaborate to solve some computational problem that depends on both x and y. Their goal is to do this with minimal communication. The problem to be solved could be a function f (x, y) or some relational problem where for each x and y, several outputs are valid. The protocols could be interactive (two-way), in which case Alice and Bob take turns sending messages to each other; one-way, in which case Alice sends a single message to Bob who then determines the output; or simultaneous, where Alice and Bob each pass one message to a third party (the referee) who determines the output. The bounded-error communication complexity of the problem is the worst-case communication of the best protocol that gives (for every input x and y) a correct output with probability at least 1 − ε, for some fixed constant ε ∈ [0, 1/2), usually ε = 1/3.
Allowing the players to use quantum resources can reduce the communication complexity significantly. Examples of problems where quantum communication gives exponential savings were given by Buhrman, Cleve, and Wigderson for one-way and interactive protocols with zero error probability [30]; by Raz for bounded-error interactive protocols [47]; and by Buhrman, Cleve, Watrous, and de Wolf for bounded-error simultaneous protocols [29]. The first two problems are partial Boolean functions, while the third one is a total Boolean function. However, the latter separation does not hold in the presence of public coins. In fact, whether there exists a superpolynomial separation for a total Boolean function in the presence of public coins is one of the main open questions in the area of quantum communication complexity.
2.1 The Hidden Matching Problem
In [15, 16], we showed an exponential separation for one-way protocols and simultaneous protocols with public coins, but we only achieved this for a relational problem, called the Hidden Matching Problem (HMP). This problem can be solved efficiently by one quantum message of log n qubits, while classical one-way protocols need to send nearly √n bits to solve it. However, Boolean functions are much more natural objects than relations both in the model of communication complexity and in the cryptographic settings that we consider later in this chapter.
In the paper [1, 2] we extended this result and proved an exponential quantum-classical one-way communication gap for a variant of the Boolean Hidden Matching Problem. Let us first state a non-Boolean communication problem. Suppose Alice has an $n$-bit string $x$, and Bob has a sequence $M$ of $\alpha n$ disjoint pairs $(i_1, j_1), (i_2, j_2), \ldots, (i_{\alpha n}, j_{\alpha n}) \in [n] \times [n]$, for some parameter $\alpha \in (0, 1/2]$. This $M$ may be viewed as a partial matching on the graph whose vertices are the $n$ bits $x_1, \ldots, x_n$. We call this an $\alpha$-matching. Together, $x$ and $M$ induce an $\alpha n$-bit string $z$ defined by the parities of the $\alpha n$ edges:
$$z = z(x, M) = (x_{i_1} \oplus x_{j_1}), (x_{i_2} \oplus x_{j_2}), \ldots, (x_{i_{\alpha n}} \oplus x_{j_{\alpha n}}).$$
Suppose Bob wants to learn some information about $z$. Let $x \in \{0,1\}^n$ be uniformly distributed, and $M$ be uniform over the set $\mathcal{M}_{\alpha n}$ of all $\alpha$-matchings. Note that for any fixed $M$, a uniform distribution on $x$ induces a uniform distribution on $z$. Hence Bob (knowing $M$ but not $x$) knows nothing about $z$: from his perspective it is uniformly distributed. But now suppose Alice can send Bob a short message. How much can Bob learn about $z$, given that message and $M$?
The answer is very different depending on whether the message is quantum or classical. To state this difference, we need to introduce some terminology. For probability distributions $p$ and $q$ whose supports are subsets of a set $S$, define their total variation distance as
$$\|p - q\|_{\mathrm{tvd}} = \sum_{i \in S} |p(i) - q(i)|. \qquad (2.1)$$
This distance is 0 if and only if $p = q$; it is 2 if and only if $p$ and $q$ have disjoint supports; and the value lies between 0 and 2 otherwise. Suppose we want to distinguish $p$ from $q$, given a sample from one of the two. The best probability with which we can succeed is $\frac{1}{2} + \frac{\|p - q\|_{\mathrm{tvd}}}{4}$. This well-known fact gives a clear intuitive meaning to the notion of total variation distance. Modifying the protocol of [15], it is easy to show that a short quantum message of about $\log(n)/2\alpha$ qubits allows Bob to learn a bit at a random position in the string $z$. This already puts a lower bound of 1 on the total variation distance between Bob's distribution on $z$ and the uniform $\alpha n$-bit distribution.
Quantum upper bound: Suppose Alice sends a uniform superposition of her bits to Bob:
$$|\psi\rangle = \frac{1}{\sqrt{n}} \sum_{i=1}^{n} (-1)^{x_i} |i\rangle.$$
Bob completes his $\alpha n$ edges to a perfect matching in an arbitrary way, and measures with the corresponding set of $n/2$ 2-dimensional projectors. With probability $2\alpha$ he will get one of the edges $(i_\ell, j_\ell)$ of his input $M$. The state then collapses to
$$\frac{1}{\sqrt{2}} \big( (-1)^{x_{i_\ell}} |i_\ell\rangle + (-1)^{x_{j_\ell}} |j_\ell\rangle \big),$$
from which Bob can obtain the bit $z_\ell = x_{i_\ell} \oplus x_{j_\ell}$ by measuring in the corresponding $|\pm\rangle$-basis. Note that this protocol has so-called "zero-sided error": Bob knows when he didn't learn any bit $z_\ell$. If Bob is given $O(k/\alpha)$ copies of $|\psi\rangle$, then with high probability (at least while $k \ll \alpha n$) he can learn $k$ distinct bits of $z$.
Remark. This protocol can be modified to a protocol in the simultaneous message passing model in a standard way, first suggested by Buhrman (see [33]). Alice and Bob share the maximally entangled state $\frac{1}{\sqrt{n}} \sum_i |i, i\rangle$. Alice implements the transformation $|i\rangle \to (-1)^{x_i} |i\rangle$ on her half. Bob performs the measurement with his projectors on his half. If he gets one of the edges of his input, he sends the resulting $(i_\ell, j_\ell)$ and $w_\ell$ to the referee. Now Alice and Bob perform a Hadamard transform on their halves, measure and send the result to the referee, who has enough information to reconstruct $z_\ell$.
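The one-way quantum protocol above (and the streaming variant described at the end of this section, which is the same state processed bit by bit) as an added exact state-vector simulation; this is illustrative code written for this report's text, not code from the papers it describes. It assumes vertices are numbered $0, \ldots, n-1$, and since every phase is $\pm 1$ the amplitudes are kept as real numbers; the $n = 8$, $\alpha = 1/4$ input at the bottom is constructed.

```python
"""Added worked example, not code from the report: an exact state-vector simulation of the
one-way quantum protocol for the Hidden Matching Problem. Vertices are 0..n-1 and the
register holding |i> has log2(n) qubits; amplitudes are real since all phases are +-1."""
import math
import random


def alice_state(x):
    """|psi> = (1/sqrt n) sum_i (-1)^{x_i} |i>, as a list of n real amplitudes."""
    n = len(x)
    return [(-1) ** xi / math.sqrt(n) for xi in x]


def complete_matching(n, edges):
    """Extend Bob's alpha-matching to a perfect matching by pairing the free vertices arbitrarily."""
    used = {v for e in edges for v in e}
    free = [v for v in range(n) if v not in used]
    return list(edges) + [(free[k], free[k + 1]) for k in range(0, len(free), 2)]


def project_onto_edge(state, perfect_matching, rng):
    """Measure with the n/2 two-dimensional projectors E_l = |i><i| + |j><j|, one per edge.
    Returns the observed edge and the renormalised post-measurement amplitudes (a_i, a_j)."""
    weights = [state[i] ** 2 + state[j] ** 2 for i, j in perfect_matching]  # p_l = Tr(E_l rho)
    (i, j), = rng.choices(perfect_matching, weights=weights)
    norm = math.sqrt(state[i] ** 2 + state[j] ** 2)
    return (i, j), (state[i] / norm, state[j] / norm)


def measure_pm_basis(a_i, a_j, rng):
    """Measure the collapsed edge state in the |+>,|-> basis of span{|i>,|j>}.
    Outcome '+' has probability |a_i + a_j|^2 / 2 and means x_i = x_j, i.e. z_l = 0;
    for amplitudes +-1/sqrt2 this probability is exactly 0 or 1, so the bit is never wrong."""
    p_plus = (a_i + a_j) ** 2 / 2
    return 0 if rng.random() < p_plus else 1


def run_protocol(x, M, rng):
    """Bob's side for one copy of |psi>. Returns (edge, z_l) if the projector hit one of
    Bob's own edges (probability 2*alpha), else None: the protocol's zero-sided error."""
    state = alice_state(x)
    edge, (a_i, a_j) = project_onto_edge(state, complete_matching(len(x), M), rng)
    if edge not in M:
        return None
    return edge, measure_pm_basis(a_i, a_j, rng)


def learn_bits(x, M, copies, seed=0):
    """With O(k/alpha) copies Bob collects k distinct bits of z; returns {edge: z_l}."""
    rng = random.Random(seed)
    learned = {}
    for _ in range(copies):
        r = run_protocol(x, M, rng)
        if r is not None:
            learned[r[0]] = r[1]
    return learned


def trial_stats(x, M, trials, seed=0):
    """Run the one-copy protocol repeatedly; returns (number of useful outcomes, whether every
    learned bit equalled the true parity x_i XOR x_j)."""
    rng = random.Random(seed)
    hits, correct = 0, True
    for _ in range(trials):
        r = run_protocol(x, M, rng)
        if r is not None:
            hits += 1
            (i, j), bit = r
            correct = correct and bit == (x[i] ^ x[j])
    return hits, correct


if __name__ == "__main__":
    # Constructed input: n = 8 bits, alpha = 1/4, so Bob holds two edges and succeeds w.p. 1/2.
    X_BITS = (1, 0, 1, 1, 0, 1, 1, 0)
    BOB_M = [(0, 3), (1, 5)]
    print(trial_stats(X_BITS, BOB_M, 2000), learn_bits(X_BITS, BOB_M, 100))
```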
What about a short classical message? Using the Birthday Paradox, one can show that if Alice sends Bob about $\sqrt{n/\alpha}$ bits of $x$, then with constant probability there will be one edge $(i_\ell, j_\ell)$ for which Bob receives both bits $x_{i_\ell}$ and $x_{j_\ell}$. Since $z_\ell = x_{i_\ell} \oplus x_{j_\ell}$, this gives Bob a bit of information about $z$. Our key theorem says that this classical upper bound is essentially optimal: if Alice sends many fewer bits, then from Bob's perspective the string $z$ will be close (in total variation distance) to uniformly distributed, so he does not even know one bit of $z$.
In order to be able to state this precisely, suppose Alice is deterministic and sends $c$ bits of communication. Then her message partitions the set of $2^n$ $x$'s into $2^c$ sets, one for each message. A typical message will correspond to a set $A$ of about $2^{n-c}$ $x$'s. Given this message, Bob knows the random variable $X$ is drawn uniformly from this set $A$ and he knows $M$, which is his input. Hence his knowledge of the random variable $Z = z(X, M)$ is fully described by the distribution
$$p_M(z) = \Pr[Z = z \mid M \text{ and Alice's message}] = \frac{|\{x \in A \mid z(x, M) = z\}|}{|A|}.$$
Our main technical result says that if the communication $c$ is much less than $\sqrt{n/\alpha}$ bits, then for a typical message and averaged over all matchings $M$, this distribution is very close to uniform in total variation distance. In other words, most of the time Bob knows essentially nothing about $z$.
Theorem 2.1.1. Let $x$ be uniformly distributed over a set $A \subseteq \{0,1\}^n$ of size $|A| \ge 2^{n-c}$ for some $c \ge 1$, and let $M$ be uniformly distributed over the set $\mathcal{M}_{\alpha n}$ of all $\alpha$-matchings, for some $\alpha \in (0, 1/4]$. There exists a universal constant $\gamma > 0$ (independent of $n$, $c$, and $\alpha$), such that for all $\varepsilon \in (0, 2]$: if $c \le \gamma \varepsilon \sqrt{n/\alpha}$ then
$$\mathbb{E}_M\big[\|p_M - U\|_{\mathrm{tvd}}\big] \le \varepsilon.$$
Note that the $\varepsilon$ in this theorem is not the error probability of a protocol for a Boolean function, but an upper bound on the expected distance between Bob's distribution $p_M$ and the uniform distribution. We prove Theorem 2.1.1 using the Fourier coefficients inequality of Kahn, Kalai, and Linial [36], which is a special case of the Bonami-Beckner inequality [28, 26]. We remark that Fourier analysis has been previously used in communication complexity by Raz [46] and Klauck [37].
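To make the quantities in Theorem 2.1.1 concrete, the following added example (not code from the report) brute-forces $z(x, M)$, Bob's posterior $p_M$, the distance (2.1) and $\mathbb{E}_M[\|p_M - U\|_{\mathrm{tvd}}]$ for a tiny $n$, taking Alice's deterministic $c$-bit message to be the values of $x$ at $c$ fixed positions. It is far too small to show the $\sqrt{n/\alpha}$ scaling, but it exhibits exactly what the theorem bounds and what the $\frac12 + \frac{\mathrm{tvd}}{4}$ distinguishing rule means.

```python
"""Added worked example, not code from the report: the induced string z(x, M), Bob's
posterior p_M after a deterministic message, and its total variation distance to uniform,
brute-forced with exact rational arithmetic for tiny n. Vertices are 0..n-1."""
from fractions import Fraction
from itertools import combinations, product


def parity_string(x, matching):
    """z(x, M): the parities x_i XOR x_j of the edges of M, as a tuple of bits."""
    return tuple(x[i] ^ x[j] for i, j in matching)


def all_matchings(n, k):
    """All k-edge partial matchings on vertices 0..n-1 (k pairwise disjoint pairs)."""
    pairs = list(combinations(range(n), 2))
    for edges in combinations(pairs, k):
        if len({v for e in edges for v in e}) == 2 * k:  # keep only disjoint edges
            yield edges


def tvd(p, q):
    """Total variation distance as in (2.1): sum_i |p(i) - q(i)|, a value in [0, 2]."""
    return sum(abs(p.get(i, 0) - q.get(i, 0)) for i in set(p) | set(q))


def distinguish_prob(p, q):
    """Best success probability of telling p from q from a single sample: 1/2 + tvd/4."""
    return Fraction(1, 2) + tvd(p, q) / 4


def uniform(k):
    """The uniform distribution U on {0,1}^k."""
    return {z: Fraction(1, 2 ** k) for z in product((0, 1), repeat=k)}


def message_class(n, revealed, values):
    """The set A of all x in {0,1}^n consistent with a deterministic message that reveals
    the bits of x at the positions `revealed` (a c-bit message, so |A| = 2^(n-c))."""
    return [x for x in product((0, 1), repeat=n)
            if all(x[i] == v for i, v in zip(revealed, values))]


def posterior(A, matching):
    """p_M(z) = |{x in A : z(x, M) = z}| / |A| for X uniform over A."""
    counts = {}
    for x in A:
        z = parity_string(x, matching)
        counts[z] = counts.get(z, 0) + 1
    return {z: Fraction(c, len(A)) for z, c in counts.items()}


def expected_tvd(n, k, revealed, values):
    """E_M[ ||p_M - U||_tvd ] over a uniform k-edge matching M, for the message class A."""
    A = message_class(n, revealed, values)
    U = uniform(k)
    matchings = list(all_matchings(n, k))
    return sum(tvd(posterior(A, m), U) for m in matchings) / len(matchings)


if __name__ == "__main__":
    # Constructed case: n = 8, alpha = 1/4 (two edges), Alice reveals c = 2 bits of x.
    # Only the 15 of 210 matchings containing the edge (0, 1) let Bob learn a bit of z.
    print(expected_tvd(8, 2, (0, 1), (0, 0)))  # 1/14
```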
This result allows us to turn the above communication problem into a partial Boolean function, as follows. Again we give Alice input $x \in \{0,1\}^n$, while Bob now receives two inputs: a partial matching $M$ as before, and an $\alpha n$-bit string $w$. The promise on the input is that $w$ is either equal to $z = z(x, M)$, or to its complement $\bar{z}$ (i.e. $z$ with all bits flipped). The goal is to find out which of these two possibilities is the case. We call this communication problem $\alpha PM$, for "$\alpha$-Partial Matching". As mentioned before, Alice can allow Bob to learn a random bit of $z$ with high probability by sending him an $O(\log(n)/\alpha)$-qubit message. Knowing one bit $z_\ell$ of $z$ suffices to compute the Boolean function: just compare $z_\ell$ with $w_\ell$. In contrast, if Alice sends Bob much less than $\sqrt{n/\alpha}$ classical bits, then Bob still knows essentially nothing about $z$. In particular, he cannot decide whether $w = z$ or $w = \bar{z}$! This gives the following separation result for the classical and quantum one-way communication complexities (with error probability fixed to 1/3, say):
Theorem 2.1.2. Let $\alpha \in (0, 1/4]$. The classical bounded-error one-way communication complexity of the $\alpha$-Partial Matching problem is $R^1(\alpha PM) = \Theta(\sqrt{n/\alpha})$, while the quantum bounded-error one-way complexity is $Q^1(\alpha PM) = O(\log(n)/\alpha)$.
Fixing α to 1/4, we obtain the promised exponential quantum-classical separation for one-way communication complexity of O(log n) qubits vs Ω(√n) classical bits.
As noted by Aaronson [23, Section 5], Theorem 2.1.2 implies that his general simulation of bounded-error one-way quantum protocols by deterministic one-way protocols,
$$D^1(f) = O(m\, Q^1(f) \log Q^1(f)),$$
is tight up to a polylogarithmic factor. Here $m$ is the length of Bob's input. This simulation works for any partial Boolean function $f$. Taking $f$ to be our $\alpha PM$ for $\alpha = 1/4$, one can show that $D^1(f) = \Theta(n)$, $m = \Theta(n \log n)$, and $Q^1(f) = O(\log n)$. It also implies that his simulation of quantum bounded-error one-way protocols by classical bounded-error one-way protocols,
$$R^1(f) = O(m\, Q^1(f)),$$
cannot be considerably improved. In particular, the product on the right cannot be replaced by the sum: if we take $f = \alpha PM$ with $\alpha = 1/\sqrt{n}$, then by Theorem 2.1.2 we have $R^1(f) \approx n^{3/4}$, $m \approx \sqrt{n} \log n$, and $Q^1(f) = O(\sqrt{n} \log n)$.
Moreover, the separation given here can be modified to a separation in the simultaneous message passing model, between the models of classical communication with shared entanglement and classical communication with shared randomness. Earlier, such a separation was known only for a relational problem [15, 16, 33], not for a Boolean function.
Application: privacy amplification
Randomness extractors extract almost uniform randomness from an imperfect (i.e. non-uniform) source of randomness $X$ with the help of an independent uniform seed $Y$. With a bit of extra work, Theorem 2.1.1 actually implies that our function $z : \{0,1\}^n \times \mathcal{M}_{\alpha n} \to \{0,1\}^{\alpha n}$ is an extractor:
If $X \in \{0,1\}^n$ is a random variable with min-entropy at least $n - \gamma \varepsilon \sqrt{n/\alpha}$ (i.e. $\max_x \Pr[X = x] \le 2^{-(n - \gamma \varepsilon \sqrt{n/\alpha})}$) and $Y$ is a random variable uniformly distributed over $\mathcal{M}_{\alpha n}$, then the random variable $Z := z(X, Y)$ is $\varepsilon$-close to the uniform distribution on $\{0,1\}^{\alpha n}$.
It is in fact a strong extractor: the pair $(Y, Z)$ is $\varepsilon$-close to the uniform distribution on $\mathcal{M}_{\alpha n} \times \{0,1\}^{\alpha n}$ (footnote 1). Informally, this says that if there is a lot of uncertainty about $X$, then $Z$ will be close to uniform even if $Y$ is known (footnote 2).
Extractors have found numerous applications in computer science, in particular in complexity theory (see e.g. [50] and the references therein) and cryptography. One im-portant cryptographic application is that of privacy amplification, introduced in [27, 35]. In this setting two parties called Alice and Bob start with a shared random variable X, about which an adversary has partial knowledge. The parties’ goal is to generate a secret key Z, about which the adversary would have very little information.
They can achieve this by communicating an independent uniform seed $Y$ over a public channel, and using a strong extractor to generate the key $Z(X, Y)$. Our extractor guarantees that if the shared variable $X$, conditioned upon the adversary's knowledge, has min-entropy at least $n - \gamma \varepsilon \sqrt{n/\alpha}$, then the generated $\alpha n$-bit key $Z$, conditioned upon the adversary's knowledge, is $\varepsilon$-close to uniform. On the other hand, we show that this scheme is insecure against a quantum adversary who uses only $O(\log n)$ qubits of storage. This is the first example of a privacy amplification scheme that is safe against classical adversaries with up to $\Theta(\sqrt{n})$ bits of storage (with some small constant in the $\Theta(\cdot)$), but not against quantum adversaries with exponentially less quantum storage.
This dependence on whether the adversary has quantum or classical memory is quite surprising, particularly in light of the following two facts. First, privacy amplification based on two-universal hashing provides exactly the same security against classical and quantum adversaries. The length of the key that can be extracted is given by the min-entropy both in the classical ([27, 35]) and the quantum case ([38, 49], [48, Ch. 5]). Second, König and Terhal [39] have shown that for protocols that extract just one bit, the level of security against a classical and a quantum adversary (with the same information bound) is comparable.
Application: key-expansion in the bounded-storage model
In privacy amplification, we can ensure that the adversary has much uncertainty about the random variable $X$ by assuming that he has only bounded storage. The idea of basing cryptography on storage-limitations of the adversary was introduced by Maurer [42] with the aim of implementing information-theoretically secure key-expansion. In this setting, a large random variable $X$ is publicly but only temporarily available. Alice and Bob use a shared secret key $Y$ to extract an additional key $Z = Z(X, Y)$ from $X$, in such a way that the adversary has only limited information about the pair $(Y, Z)$. "Limited information" means that the distribution on $(Y, Z)$ is $\varepsilon$-close to uniform even when conditioned on the information about $X$ that the adversary stored. Thus Alice and Bob have expanded their shared secret key from $Y$ to $(Y, Z)$. Aumann, Ding, and Rabin [25] were the first to prove a bounded-storage scheme secure, and essentially tight constructions have subsequently been found [31, 41, 52].
[Footnote 1] Note that $\mathbb{E}_M[\|p_M - U\|_{\mathrm{tvd}}] = \|(Y, Z) - U\|_{\mathrm{tvd}}$, where '$U$' on left and right is uniform over different domains.
[Footnote 2] It should be noted that the parameters of our extractor are quite bad, as far as these things go. First, the uniform input seed $Y$ takes about $\alpha n \log n$ bits to describe, which is more than the $\alpha n$ bits that the extractor outputs; in a good extractor, we want the seed length to be much shorter than the output length. Second, our assumed lower bound on the initial min-entropy is quite stringent. Finally, the distance from uniform can be made polynomially small in $n$ (by putting an $n - n^{1/2 - \eta}$ lower bound on the min-entropy of $X$) but not exponentially small, which is definitely a drawback in cryptographic contexts. Still, this extractor suffices for our purposes here.
It is an important open question whether any of these constructions remain secure if the adversary is allowed to store quantum information. One may even conjecture that a bounded-storage protocol secure against classical adversaries with a certain amount of memory should be roughly as secure against quantum adversaries with roughly the same memory bound. After all, Holevo's theorem [34] tells us that $k$ qubits cannot contain more information than $k$ classical bits. However, a key-expansion scheme based on our extractor refutes this conjecture. The scheme is essentially the same as the above privacy amplification scheme, but we describe it separately because the context is a bit different. Alice and Bob will compute $Z := z(X, Y)$ by applying our extractor to $X$ and $Y$. If the adversary's memory is bounded by $\gamma \varepsilon \sqrt{n/\alpha}$ bits, then $Z$ will be $\varepsilon$-close to uniform from the adversary's perspective. On the other hand, $O(\log n)$ qubits of storage suffice to learn one or more bits of information about $Z$, given $Y$, which shows that $(Y, Z)$ is not good as a key against a quantum adversary. Thus we have an example of a key-expansion scheme that is secure against classical adversaries with nearly $\sqrt{n}$ bits of storage, but insecure against quantum adversaries even with exponentially less quantum storage.
Application: a separation in the streaming model
In the streaming model of computation, the input is given as a stream of bits and the algorithm is supposed to compute or approximate some function of the input, having only space of size S available. See for instance [24, 43].
There is a well-established connection between one-way communication complexity and the streaming model: if we view the input as consisting of two consecutive parts x and y, then the content of the memory after x has been processed, together with y, contains enough information to compute f (x, y). Hence, a space-S streaming algorithm for f implies a one-way protocol for f of communication S with the same success probability. The classical lower bound for our Boolean communication complexity problem, together with the observation that our quantum protocol can be implemented in the streaming model, implies a separation between the quantum and classical streaming model. Namely, there is a partial Boolean function f that can be computed in the streaming model with small error probability using quantum space of O(log n) qubits, but requires Ω(√n) bits if the space is classical.
Le Gall [32] constructed a problem that can be solved in the streaming model using O(log n) qubits of space, while any classical algorithm needs $\Omega(n^{1/3})$ classical bits. His $\log n$-vs-$n^{1/3}$ separation is a bit smaller than our $\log n$-vs-$\sqrt{n}$, but his separation is for a total Boolean function while ours is only partial (i.e. requires some promise on the input). Le Gall's result predates ours, though we only learned about it after finishing the conference version of our paper. We remark also that Le Gall's separation holds only in the streaming model variant where the bits arrive in order, while ours holds in the more general model where we allow the different pieces of the input to arrive in any order.
The algorithm for solving our problem in the streaming model starts out with a $\log n$-qubit superposition $\frac{1}{\sqrt{n}}\sum_{i=1}^{n}|i\rangle$. Whenever a bit $x_i$ streams by in the input, the algorithm unitarily multiplies basis state $|i\rangle$ with a phase $(-1)^{x_i}$. Whenever an edge $(i_\ell, j_\ell)$ streams by, the algorithm measures with operators $E_1 = |i_\ell\rangle\langle i_\ell| + |j_\ell\rangle\langle j_\ell|$ and $E_0 = I - E_1$; in case of outcome $E_1$, the algorithm records the values $i_\ell$ and $j_\ell$ (note that $E_1$ can be obtained at most once, as the edges are pairwise disjoint). And whenever a bit $(i_\ell, j_\ell, w_\ell)$ streams by, the algorithm unitarily multiplies basis state $|\min(i_\ell, j_\ell)\rangle$ with a phase $(-1)^{w_\ell}$. At the end, with probability $2\alpha$ the algorithm is left with a classical record of $(i_\ell, j_\ell) \in M$ and the corresponding quantum state $\frac{1}{\sqrt{2}}\left((-1)^{x_{i_\ell} \oplus w_\ell}|i_\ell\rangle + (-1)^{x_{j_\ell}}|j_\ell\rangle\right)$. The algorithm can learn the function value $x_{i_\ell} \oplus x_{j_\ell} \oplus w_\ell$ from this by a final measurement.
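As an added illustration (not code from the thesis or the underlying paper), the following Python simulation runs the streaming algorithm above on a classical state vector, with the events of a constructed input arriving in an arbitrary order as in the general model; the event encoding and the helper names are this example's own.

```python
import math
import random


def run_hidden_matching_stream(n, stream, rng):
    """Simulate the log n-qubit streaming algorithm on an n-entry state vector.

    All phases are +-1, so real amplitudes suffice.  Events may arrive in any
    order; the encoding is this example's own:
      ("bit", i, x_i)          Alice's input bit x_i
      ("edge", i, j)           an edge (i, j) of Bob's matching M
      ("edge_bit", i, j, w)    Bob's bit w_l attached to edge (i, j)
    Returns (i, j, value) if some edge was recorded, otherwise None.
    """
    amp = [1.0 / math.sqrt(n)] * n          # (1/sqrt n) sum_i |i>
    recorded = None
    for ev in stream:
        if ev[0] == "bit":
            _, i, xi = ev
            if xi:
                amp[i] = -amp[i]            # phase (-1)^{x_i} on |i>
        elif ev[0] == "edge":
            _, i, j = ev
            p1 = amp[i] ** 2 + amp[j] ** 2  # Pr[outcome E1]
            if p1 > 1 - 1e-9 or rng.random() < p1:
                # Outcome E1: collapse onto span{|i>, |j>} and renormalise.
                norm = math.sqrt(p1)
                collapsed = [0.0] * n
                collapsed[i], collapsed[j] = amp[i] / norm, amp[j] / norm
                amp = collapsed
                recorded = (i, j)           # at most once: the edges are disjoint
            else:
                # Outcome E0 = I - E1: remove |i>, |j> and renormalise the rest.
                norm = math.sqrt(1.0 - p1)
                amp[i] = amp[j] = 0.0
                amp = [a / norm for a in amp]
        elif ev[0] == "edge_bit":
            _, i, j, w = ev
            if w:
                k = min(i, j)
                amp[k] = -amp[k]            # phase (-1)^{w_l} on |min(i,j)>
    if recorded is None:
        return None
    i, j = recorded
    # Final measurement in the basis {(|i>+|j>)/sqrt2, (|i>-|j>)/sqrt2}.  The state
    # is (1/sqrt2)(s_i|i> + s_j|j>), so "+" has probability 1 when the signs agree
    # (x_i xor x_j xor w = 0) and 0 otherwise; rounding removes float noise.
    p_plus = round((amp[i] + amp[j]) ** 2 / 2, 9)
    value = 0 if rng.random() < p_plus else 1
    return i, j, value


def build_stream(x, matching, w, rng):
    """Constructed input stream: Alice's bits, Bob's edges and edge bits, shuffled."""
    events = [("bit", i, xi) for i, xi in enumerate(x)]
    for (i, j), wl in zip(matching, w):
        events.append(("edge", i, j))
        events.append(("edge_bit", i, j, wl))
    rng.shuffle(events)
    return events


def promise_value(x, matching, w):
    """Boolean Hidden Matching promise: x_i xor x_j xor w_l is the same on every edge."""
    values = {x[i] ^ x[j] ^ wl for (i, j), wl in zip(matching, w)}
    if len(values) != 1:
        raise ValueError("input violates the promise")
    return values.pop()


def estimate(x, matching, w, trials, seed=0):
    """Run the algorithm repeatedly; return (fraction of runs that recorded an edge,
    whether every recorded answer matched the promised value).  With alpha = |M|/n
    the first number should be about 2*alpha."""
    rng = random.Random(seed)
    target = promise_value(x, matching, w)
    answered, all_correct = 0, True
    for _ in range(trials):
        out = run_hidden_matching_stream(len(x), build_stream(x, matching, w, rng), rng)
        if out is not None:
            answered += 1
            all_correct = all_correct and out[2] == target
    return answered / trials, all_correct


if __name__ == "__main__":
    x = [1, 0, 1, 1, 0, 0, 1, 0]                   # constructed input, n = 8
    matching, w = [(0, 3), (1, 6)], [1, 0]         # alpha = 1/4, promised value 1
    print(estimate(x, matching, w, 1000))          # about (0.5, True)
```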
As we have said, the Hidden Matching Problem has been used by other researchers as an example for the advantage of quantum information in various models. In [223] it is used to achieve better non-local games, in [224] as a quantum pseudo-telepathy game, in [225] in order to get an exponential separation between quantum and classical interactive multiparty communication complexity and, lastly, [226] provides a generalization of the problem and proves another exponential separation in the one-way communication model.
2.2 Non-Local Boxes
In different variants of the communication complexity model, we allow Alice and Bob to share a priori some common resources in an attempt to enable them to solve their task in a more efficient way.
One such resource is shared randomness, i.e., a common random string that both Alice and Bob know before they receive their inputs. It is clear that in the case where Alice and Bob are not allowed any errors, shared randomness does not reduce the communication complexity. On the other hand, when they are allowed to err, a common random string can reduce the amount of communication needed. However, Newman's result tells us that shared randomness can be replaced by private randomness at an additional cost logarithmic in the input size [44].
Another very powerful shared resource is entanglement. In this model, Alice and Bob can transmit quantum messages by using their entanglement and only classical communication. This model has been proven to be very powerful, in some cases exponentially more efficient than the classical one. Another way to understand the power of entanglement is by looking at the CHSH game [61], where Alice and Bob receive bits x and y respectively and their goal is to output bits a and b resp. such that a ⊕ b = x ∧ y without communicating. It is not hard to conclude that even if Alice and Bob share randomness, their optimal strategy will be successful with probability 0.75. However, if they share entanglement, then there is a strategy that succeeds with probability 0.85. This game proves that quantum entanglement can enable two parties to create correlations that are impossible to create with classical means.
of communication complexity, we can easily transform one to the other. From now on, in our communication complexity model, instead of demanding that Bob output the value of the function f(x, y), we require Alice and Bob to output two bits a and b respectively, which are uniformly random but satisfy a ⊕ b = f(x, y). We call this "computing f in parity". It is easy to see that the two models are equivalent up to one bit of communication.
Non-local boxes and communication complexity
As we said, entanglement enables Alice and Bob to succeed in the CHSH game with probability 0.85. But what if they shared some resource that would enable them to win the game with probability 1? Starting from such considerations, Popescu and Rohrlich [69] defined the notion of a non-local box. A non-local box is an abstract device shared by Alice and Bob. By one use of a non-local box, we mean that Alice inputs x, Bob inputs y, Alice gets as output a and Bob gets b, where a, b are uniformly distributed and, more importantly, a ⊕ b = x ∧ y. The name non-local box is due to the property that one use of a non-local box creates correlations between two bits that are maximally non-local (allowing the players to win the CHSH game with probability one), but still does not allow communication, since taken separately, each bit is just an unbiased random coin. As such, a non-local box may be considered as a unit of non-locality. We note here an important property of a non-local box, namely that, similar to entanglement, one player can enter an input and receive an output even before the second player has entered an input.
The importance of the notion of a non-local box has become increasingly evident in the last years. Non-local boxes were first introduced to study (quantum or generalized) non-locality. In particular, it was shown that one of the most studied versions of the EPR experiment, where Alice and Bob perform projective measurements on a maximally entangled qubit pair, may be simulated using only one use of a non-local box [60]. More generally, it was shown that any non-signaling distribution over Boolean outputs may be exactly simulated with some finite number of non-local boxes (for finite input size) [59, JM05]. This was later generalized to any non-signaling distribution, except that the simulation may not always be performed exactly for non-Boolean outputs [62]. These results rely on the fact that the set of non-signaling distributions is a polytope, so it suffices to simulate the extremal vertices to be able to simulate the whole set. In the context of non-locality, another application of non-local boxes is the study of pseudo-telepathy games [58].
It is easy to see that one use of a non-local box can be simulated with one bit of communication and shared randomness: Alice outputs a uniform bit r and sends x to Bob, who outputs r ⊕ x · y. However, the converse cannot possibly hold, since a non-local box cannot be used for communication.
The first question is what happens if we use non-local boxes as a shared resource in the communication complexity model. Van Dam showed a remarkable result, that for any Boolean function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$, Alice and Bob can use $2^n$ non-local boxes and no communication at all and at the end output bits a and b such that a ⊕ b = f(x, y) [73]. In other words, if non-local boxes were physically implementable, then all functions would have trivial communication complexity. His results were strengthened by Brassard et al., who showed that even if a non-ideal non-local box existed, one that solves the CHSH game with probability 0.91, then still all functions would have trivial communication complexity [54]. Note that in these results the number of non-local boxes needed may be exponential in the input size, and that they do not take into account any properties of the function, more precisely its communication complexity without non-local boxes. It also follows from the work of [59, 54] that for any Boolean function f, if f has a circuit with fan-in 2 of size s, then there is a deterministic non-local box protocol of complexity O(s), where the bits of the input of f are split arbitrarily among the players. This implies that exhibiting an explicit function for which the deterministic non-local box complexity is superlinear would translate into a superlinear circuit lower bound for this function. This is a notoriously difficult problem, and while a simple counting argument shows that a random function requires exponential size circuits, the best lower bound to date for an explicit function is linear [67, IM02].
In the paper [3], we provide more evidence on the importance of non-local boxes by showing how they relate to different models of communication complexity as well as how they can be used as a tool in order to quantitatively study secure function evaluation.
First, we study quantitatively how many non-local boxes are needed in order to distributively compute a Boolean function f. We define four different variants denoted by $NL$, $NL_\varepsilon$, $NL^{\|}$, $NL^{\|}_\varepsilon$, where the first two are the deterministic and randomized non-local box complexity and the latter two are the deterministic and randomized complexity where the non-local boxes are only used in parallel.
For the deterministic parallel non-local box complexity, we show that $NL^{\|}(f)$ is exactly equal to the rank of the function f over $GF_2$. This also implies that it is equivalent to the communication complexity of the function $D^{\|,IP_2}(f)$ in the following model: Alice and Bob send to a referee one message each and the referee outputs the Inner Product of the two vectors mod 2. Moreover we show that $NL^{\|}(f)$ is always greater than the deterministic communication complexity $D(f)$ and less than $2^{D(f)}$.
More precisely, we start by studying a restricted model of non-local box complexity, where the non-local boxes are used in parallel and at the end of the protocol, Alice and Bob output the parity of the outputs of their non-local boxes respectively. We show that the complexity of f in this model is equal to the rank of the communication matrix of f over $GF_2$. It is known that this rank is equal to the minimum m such that f(x, y) can be written as $f(x, y) = \bigoplus_{i=1}^{m} a_i(x) \cdot b_i(y)$ (see also [56]).
Theorem 2.2.1. For any Boolean function $f : X \times Y \to \{0,1\}$, $NL^{\|,\oplus}(f) = \mathrm{rank}_{GF_2}(M_f) = D^{\|,IP_2}(f)$.
Using the characterisation of rank, we also have that
Corollary 2.2.2. For any Boolean function $f : X \times Y \to \{0,1\}$, $NL^{\|,\oplus}(f) \le 2^{D(f)}$.
In Theorem 2.2.12, we provide an explicit protocol for any Boolean function f with deterministic communication complexity $D(f)$ that uses $2^{D(f)} - 1$ non-local boxes.
On the other hand, it is easy to see that the one-way communication complexity $D^{\to}(f)$ is a lower bound on the non-local box complexity.
Lemma 2.2.3. For any Boolean function $f : X \times Y \to \{0,1\}$, $D^{\to}(f) \le NL(f)$.
We then show how to remove the assumption that the players compute the XOR of their answers (with a non-trivial proof).
Theorem 2.2.4. For any Boolean function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$, we have $NL^{\|}(f) \le NL^{\|,\oplus}(f) \le NL^{\|}(f) + 2$.
We show here that the bounds we proved in the previous section on the parallel and general non-local box complexity ($D(f) \le NL^{\|}(f) \le 2^{D(f)}$ and $D(f) \le NL(f) \le NL^{\|}(f)$ respectively) are optimal by giving examples of functions that saturate them. The first function we consider is the Inner Product function, $IP(x, y) = \bigoplus_i (x_i \wedge y_i)$, with $x, y \in \{0,1\}^n$. For this function we have that $D(IP) = NL(IP) = NL^{\|}(IP) = n$.
The second function we consider is Disjointness, which is equal to $DISJ(x, y) = \bigvee_i (x_i \wedge y_i)$, with $x, y \in \{0,1\}^n$. It is well-known that for the communication matrix of the Disjointness function we have $\mathrm{rank}_{GF_2}(M_{DISJ}) = 2^n$ and hence $NL^{\|,\oplus}(DISJ) = 2^n$. On the other hand, we have $D(DISJ) = n$ and show that $NL(DISJ) = O(n)$. We describe below a simple protocol for the Disjointness function that follows from [54] and was pointed out to us by Troy Lee and Falk Unger. The Disjointness function also provides an example of an exponential separation between deterministic parallel and general non-local box complexity.
Proposition 2.2.5. $NL(DISJ) \le O(n)$.
Proof. On input $x = x_1 \cdots x_n$, $y = y_1 \cdots y_n$, Alice and Bob use n non-local boxes with inputs $(x_i, y_i)$ and get outputs $a_i, b_i$ with $a_i \oplus b_i = x_i \cdot y_i$. Then, they can use 2 non-local boxes in order to compute the OR of two such distributed bits since $(a_k \oplus b_k) \vee (a_\ell \oplus b_\ell) = (a_k \vee a_\ell) \oplus (a_k \vee b_\ell) \oplus (b_k \vee a_\ell) \oplus (b_k \vee b_\ell)$. The terms $(a_k \vee a_\ell)$ and $(b_k \vee b_\ell)$ can be locally computed by Alice and Bob respectively and hence they only need to use two non-local boxes with inputs $(\neg a_k, \neg b_\ell)$ and $(\neg a_\ell, \neg b_k)$ to compute the remaining terms. By combining n such distributed OR computations they compute $\bigvee_i (a_i \oplus b_i)$ and hence output the value of $DISJ(x, y)$ after using 3n non-local boxes.
In the randomized parallel case, we define a notion of approximate rank over $GF_2$ which is equal to $NL^{\|}_\varepsilon(f)$, under the assumption that the output of the protocol is the XOR of the outcomes of the non-local boxes. The notion of approximate rank over $\mathbb{R}$ has been used for communication complexity [56] and gives upper and lower bounds in the randomized model.
Theorem 2.2.6. For any Boolean function f, $NL^{\|,\oplus}_\varepsilon(f) = \varepsilon\text{-}\mathrm{rank}_{GF_2}(M_f)$.
In the randomized case, it is easy to get rid of the XOR restriction in general non-local box protocols, since the proof for the deterministic case still goes through. On the other hand, for the parallel case, this appears to be a surprisingly deep question, which remains open. The main obstacle appears to be related to the inherent randomness of the non-local boxes.
Next, we relate the general non-local box complexity to the following model of communication: Alice and Bob send to a referee one message each and the referee outputs 1 if for the majority of indices, the two messages are equal. We denote the communication complexity in this model by $R^{\|,MAJ}(f)$. This is a natural model of communication complexity that has appeared repeatedly in the simulation of quantum protocols by classical ones, as well as various upper bounds on simultaneous messages [65, 63, 71, 68].
Theorem 2.2.7. $R^{\to}_\varepsilon(f) \le NL_\varepsilon(f) \le O(R^{\|,MAJ}(f))$.
The above theorem implies
Corollary 2.2.8. For any Boolean function f, $2\log(\gamma_2^{\alpha}(f)/\alpha) \le NL_\varepsilon(f) \le O\big((\gamma_2^{\infty}(f))^2\big)$, where $\alpha = \frac{1}{1-2\varepsilon}$.
It is known that $\gamma_2^{\infty}(f) = \Theta(1/\mathrm{Disc}(f))$, and also that for any α, $\gamma_2^{\infty}(f) \le \gamma_2^{\alpha}(f)$ [68].
Hence, since discrepancy gives a lower bound on the quantum communication complexity with entanglement $Q^*_\varepsilon(f)$ [66], we get the following corollary.
Corollary 2.2.9. $NL(f) \le O\big(2^{2Q^*_\varepsilon(f)}\big)$.
Finally, we can relate the non-local box complexity of a function f to the $L_1$ norm of the Fourier coefficients of f by using a result by Grolmusz. Grolmusz showed that for any Boolean function f, there exists a randomized public coin protocol that solves f with complexity $O(L_1^2(f))$. This protocol can be easily transformed into a simultaneous messages protocol where the referee outputs the distributed majority of the message bits. Hence,
Corollary 2.2.10. $NL(f) \le O(L_1^2(f))$.
In the deterministic case, we showed that our bounds are tight and also that the parallel and the general non-local box complexity can be exponentially different. Is the same true for the randomized case?
In fact, the Disjointness and Inner Product functions almost saturate our bound in terms of $\gamma_2^{\infty}$ for the general randomized non-local box complexity. More precisely, for the Disjointness function, we have that $NL_\varepsilon(DISJ) = \Theta(n)$ (since $R_\varepsilon(DISJ) = \Omega(n)$ and $NL(DISJ) \le O(n)$) and using discrepancy [64, Exercise 3.32], we have $(\gamma_2^{\infty}(DISJ))^2 = \Theta(n^2)$. On the other hand, for the Inner Product function we have $NL_\varepsilon(IP) = \Theta(n)$ but $(\gamma_2^{\infty}(IP))^2 = \Theta(2^n)$.
The case of parallel non-local box complexity is more interesting. We can give a simple parallel protocol for the Disjointness function of complexity O(n), hence showing that the exponential separation does not hold anymore. It is an open question whether or not parallel and general randomized non-local box complexity are polynomially related.
Proposition 2.2.11. $NL^{\|}_{1/3}(DISJ) \le O(n)$.
Proof. The idea is to reduce the Disjointness problem to a problem of calculating an Inner Product, which we know how to do with n parallel non-local boxes. In order to solve the general Disjointness problem with high probability, Alice and Bob proceed as follows: they look at a shared random string $r_1, \ldots, r_n$ and consider the strings $x \wedge r$ and $y \wedge r$ as inputs. In other words, they pick a random subset of their input bits, by picking each index with probability 1/2. Then they perform an Inner Product calculation on their new inputs by using n non-local boxes in parallel. Let $a \oplus b = IP(x \wedge r, y \wedge r)$. It is easy to see that if $DISJ(x, y) = 0$, then $IP(x \wedge r, y \wedge r) = 0$ for all r. On the other hand, if $DISJ(x, y) = 1$, i.e., if the intersection is non-empty, then $\Pr_r[IP(x \wedge r, y \wedge r) = 1] = 1/2$, since for a random subset, the probability that the size of the intersection on this subset is odd is exactly the same as the probability that the intersection is even. Hence, we have a one-sided error algorithm for Disjointness that is always correct when $DISJ(x, y) = 0$ and is correct with probability 1/2 when $DISJ(x, y) = 1$.
We can get a two-sided error algorithm in the following way: Alice and Bob simulate the protocol above until they obtain the outputs a, b. Then, using their shared randomness, they output $a \oplus b$ with probability $1 - p$, and $0 \oplus 1$ or $1 \oplus 0$ with probability $p/2$ each. It is easy to see that when $DISJ(x, y) = 0$ then the success probability is $1 - p$ and when $DISJ(x, y) = 1$ the success probability is $p + (1 - p)/2 = (1 + p)/2$. Taking $p = 1/3$ makes the overall success probability of our algorithm 2/3.
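The two Disjointness protocols above (Propositions 2.2.5 and 2.2.11), as an added Python simulation that is not code from the thesis or from the paper [3]: nl_box is a trusted sampler standing in for one use of a non-local box, distributed_or is the two-box OR gadget with the box inputs of Proposition 2.2.5 and the GF(2) bookkeeping written out in full, and disjointness_parallel_randomized is the one-round parallel protocol of Proposition 2.2.11; all function names are this example's own.

```python
import random
from itertools import product


def nl_box(x, y, rng):
    """One use of a non-local box: inputs x (Alice) and y (Bob); outputs a, b are
    uniformly random bits with a xor b == x and y.  A trusted sampler stands in
    for the abstract device, which the two parties could not build locally."""
    a = rng.randrange(2)
    return a, a ^ (x & y)


def distributed_or(ak, bk, al, bl, rng):
    """Shares of u OR v from shares (ak, bk) of u = ak^bk and (al, bl) of v = al^bl,
    using two boxes with inputs (not ak, not bl) and (not al, not bk).

    Over GF(2): u OR v = u ^ v ^ (u AND v) and
    u AND v = ak*al ^ bk*bl ^ ak*bl ^ al*bk.  The boxes provide shares of
    (not ak)(not bl) = 1 ^ ak ^ bl ^ ak*bl and (not al)(not bk) = 1 ^ al ^ bk ^ al*bk;
    their linear terms and the two constants add up to exactly u ^ v, so Alice and
    Bob only add their local products ak*al and bk*bl to their box outputs."""
    c1, d1 = nl_box(1 - ak, 1 - bl, rng)
    c2, d2 = nl_box(1 - al, 1 - bk, rng)
    return (ak & al) ^ c1 ^ c2, (bk & bl) ^ d1 ^ d2


def disjointness_nl(x, y, rng):
    """Deterministic protocol of Proposition 2.2.5: n boxes for the ANDs x_i AND y_i,
    then two boxes per distributed OR, 3n - 2 boxes in total.
    Returns (a, b, boxes_used) with a xor b == DISJ(x, y) on every run."""
    n = len(x)
    shares = [nl_box(x[i], y[i], rng) for i in range(n)]
    boxes = n
    a, b = shares[0]
    for al, bl in shares[1:]:
        a, b = distributed_or(a, b, al, bl, rng)
        boxes += 2
    return a, b, boxes


def disjointness_parallel_randomized(x, y, rng, p=1 / 3):
    """One-round parallel protocol of Proposition 2.2.11: n boxes in parallel give
    shares of IP(x AND r, y AND r) for a shared random r; the players output those
    shares with probability 1 - p and a pair of parity 1 with probability p."""
    n = len(x)
    r = [rng.randrange(2) for _ in range(n)]            # shared random string
    outs = [nl_box(x[i] & r[i], y[i] & r[i], rng) for i in range(n)]
    a = b = 0
    for ai, bi in outs:                                 # XOR of the box outputs
        a ^= ai
        b ^= bi
    coin = rng.random()                                 # shared randomness
    if coin < p / 2:
        return 0, 1
    if coin < p:
        return 1, 0
    return a, b


def disj(x, y):
    return int(any(xi & yi for xi, yi in zip(x, y)))


def or_gadget_correct(samples=4):
    """Check distributed_or on all 16 share assignments, several box seeds each."""
    for ak, bk, al, bl in product(range(2), repeat=4):
        for seed in range(samples):
            a, b = distributed_or(ak, bk, al, bl, random.Random(seed))
            if a ^ b != (ak ^ bk) | (al ^ bl):
                return False
    return True


def deterministic_protocol_correct(n):
    """Exhaustively check disjointness_nl on all inputs of length n."""
    rng = random.Random(1)
    for x in product(range(2), repeat=n):
        for y in product(range(2), repeat=n):
            a, b, boxes = disjointness_nl(x, y, rng)
            if a ^ b != disj(x, y) or boxes != 3 * n - 2:
                return False
    return True


def success_rate(protocol, x, y, trials, seed=0):
    """Fraction of runs in which the players' output bits XOR to DISJ(x, y)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a, b = protocol(x, y, rng)[:2]
        hits += (a ^ b) == disj(x, y)
    return hits / trials


if __name__ == "__main__":
    x, y = [1, 1, 0, 1], [1, 0, 0, 0]      # constructed inputs with one common index
    print(success_rate(disjointness_nl, x, y, 500))                     # 1.0
    print(success_rate(disjointness_parallel_randomized, x, y, 3000))   # about 2/3
```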
We provide another interesting application of our work. Using the recent result of Regev and Toner [70], we show that traceless two-outcome measurements on maximally entangled states can be simulated with 3 non-local boxes. Previously, no finite bound was known for this case. In order to do this we need to extend our results from Boolean functions to any distribution.
Theorem 2.2.12. For any non-signaling distribution over binary outputs with uniform marginals, any protocol with t bits of communication can be simulated with $2^t - 1$ non-local boxes in parallel.
Another important application of our result to secure function evaluation will be described in a following Chapter.
Chapter 3
Interactive Proofs
One of the most fundamental ideas of modern complexity theory is that the study of decision making procedures involving a single party should be extended to the study of more complex procedures where several parties interact. The notions of verification and witness are at the heart of those complexity classes whose definition inherently involves interaction. The complexity class P is the set of languages decidable by a polynomial-time deterministic algorithm. Similarly, BPP is the set of promise problems decidable by a polynomial-time bounded-error randomized algorithm. We can think of such an algorithm as a verifier acting alone. The simplest interactive extensions of P and BPP are their non-deterministic analogues, respectively NP and MA [83, 79]. These classes also involve an all-powerful prover that sends a single message, which is used by the verifier's decision making procedure together with the input. We require that on positive instances there is some message (called in that case a witness) that makes the verifier accept, whereas on negative instances the verifier rejects independently of the message sent by the prover. In the case of MA we can fix the permitted error of the verifier, rather arbitrarily, to any constant, say 1/3.
Quantum complexity classes are often defined by analogy to their classical counterparts. Since quantum computation is inherently probabilistic, the quantum analog of MA is considered to be the right definition of non-deterministic quantum polynomial-time. The quantum extension is twofold: the verifier has the power to decide promise problems in BQP, quantum polynomial-time, and the messages he receives from the prover are also quantum. Thus, QMA is the set of promise problems such that on positive instances there exists a quantum witness accepted with probability at least 2/3 by the polynomial-time quantum verifier and on negative instances the verifier accepts every quantum state with probability at most 1/3. While the idea that a quantum state might play the role of a witness goes back to Knill [90], the class was formally defined by Kitaev [89] under the name of BQNP. The currently used name QMA was given to the class by Watrous [97]. Kitaev has established several error probability reduction properties of QMA, and proved that the Local Hamiltonian, the quantum analog of SAT, was complete for it. Watrous has shown that Group non-Membership was a problem in QMA and based on this result he has constructed an oracle under which MA is strictly included in QMA. Since then, various problems have been proven to be complete for QMA [85, 87, 92, 86, 93]. A potentially weaker quantum extension of MA, namely QCMA, was defined by Aharonov and Naveh [75]: in the case of QCMA, the verifier is still a quantum polynomial-time algorithm, but the message of the prover can only be classical.
3.1 The importance of the number of witnesses
The number of witnesses for positive instances of problems in NP can be exponentially high. Also, known NP-complete problems have different instances with widely varying numbers of solutions. In a celebrated paper, Valiant and Vazirani [96] raised the question of whether the difficulty of the class NP was due to this wide variation. They gave a strong negative answer to this question in the following sense. Let UP be the set of problems in NP where in addition on positive instances there exists a unique witness. We denote by PromiseUP the extension of UP from languages to promise problems. The theorem of Valiant and Vazirani states that any problem in NP can be reduced in randomized polynomial-time to a promise problem in PromiseUP, or in set theoretical terms, $\mathrm{NP} \subseteq \mathrm{RP}^{\mathrm{PromiseUP}}$, where RP is the subclass of problems in BPP where the computation does not err on negative instances. The complexity class UP also has its importance because of its connection to one-way functions: worst case one-way functions exist if and only if UP ≠ P [91, 84].
In a recent paper Aharonov, Ben-Or, Brandão and Sattath [76] have asked a similar question for MA, QCMA and QMA. The restriction of the classical-witness classes MA and QCMA to their unique variants UMA and UQCMA is rather natural: no change for negative instances, but on positive instances there has to be exactly one witness that makes the verifier accept with probability at least 2/3, while all other messages make him accept with probability at most 1/3. The definition of UQMA, the unique variant of QMA, is the following: there is no change for negative instances with respect to QMA, but on positive instances there has to be a quantum witness state $|\psi\rangle$ which is accepted by the verifier with probability at least 2/3, whereas all states orthogonal to $|\psi\rangle$ are accepted with probability at most 1/3. Aharonov et al. extended the Valiant-Vazirani proof for the classical witness classes by showing that $\mathrm{MA} \subseteq \mathrm{RP}^{\mathrm{UMA}}$ and $\mathrm{QCMA} \subseteq \mathrm{RP}^{\mathrm{UQCMA}}$. On the other hand, they left the existence of a similar result for QMA as an open problem.
Why is it so difficult to reduce the witnesses to a single witness in the quantum case? The basic idea of Valiant and Vazirani is to use pairwise independent universal hash functions, having polynomial size descriptions, that eliminate independently each witness with some constant probability. The size of the original witness set can be guessed approximately by a polynomial-time probabilistic procedure, and in case of a correct guess the hashing keeps alive exactly one witness with again some constant probability. The same idea basically works for MA and QCMA as long as one additional difficulty is overcome: on positive instances there can be exponentially more “pseudo-witnesses”, accepted with probability between 1/3 and 2/3, than witnesses which are accepted with probability at least 2/3. In this case, the Valiant–Vazirani proof technique will eliminate with high probability all witnesses before the elimination of the pseudo-witnesses. The solution of Aharonov et al. for this problem is to divide the interval (1/3, 2/3) into polynomially many smaller intervals and to show that there exists at least one interval such that there are approximately as many witnesses accepted with probability within this interval as above it.
problem in QMA, we can suppose without loss of generality that on positive instances there exists a subspace W such that all unit vectors in W are accepted. The dimension of W could be large and we wish to reduce it to one. Aharonov et al. [76] considered the special case where the dimension of W is two. Although classically two witnesses are trivially reducible to the unique witness case, they have shown that the natural generalization of the Valiant–Vazirani construction cannot solve even the two-dimensional quantum witness case.
Indeed, the natural generalization of the Valiant–Vazirani construction to this situation is to use random projections and hope that some one-dimensional subspace of W will be accepted with substantially higher probability than its orthogonal. A first difficulty is to implement such projections efficiently. But more importantly, a random projection would not create a polynomial gap in the acceptance probabilities for the pure states of W: in fact all states in W which were accepted with exponentially close probabilities will still be accepted after the random projection with exponentially close probabilities.
In the paper [5], we describe a fundamentally different proof technique to tackle this problem, which is sufficiently powerful to solve the case when the dimension of the witness subspace W is polynomially bounded in the length of the input. This leads us naturally to the quantum analog of the promise problem class FewP. This complexity class was defined by Allender [77] as the set of problems in NP with the additional constraint that there is a polynomial q such that on every positive instance of length n, the number of witnesses is at most q(n). The class FewP was extensively studied in the context of counting complexity classes [78, 95, 88, 82, 94]. We define FewQMA, the quantum analog of FewP, as the set of promise problems in QMA for which there exists a polynomial q with the following properties: on negative instances every message of the prover is accepted by the verifier with probability at most 1/3; on a positive instance x there exists a subspace $W_x$ of dimension between 1 and q(|x|), such that all pure states in $W_x$ are accepted with probability at least 2/3, while all pure states orthogonal to $W_x$ are accepted with probability at most 1/3. Our main theorem extends the result of Valiant and Vazirani to this complexity class. More precisely, we show that FewQMA is deterministic polynomial-time Turing-reducible to UQMA.
Main Theorem. $\mathrm{FewQMA} \subseteq \mathrm{P}^{\mathrm{UQMA}}$.
The first idea to establish this result is that instead of manipulating the states within the original space H of dimension K, we consider its t-fold tensor powers $H^{\otimes t}$. At first glance, this does not seem to be going in the right direction because the dimension of $W^{\otimes t}$ grows as $d^t$, where d is the dimension of the witness space W. Our second idea is to consider the alternating subspace Alt of $H^{\otimes t}$, whose dimension is $\binom{K}{t}$. The important thing to notice is that the dimension of the intersection $\mathrm{Alt} \cap W^{\otimes t}$ is equal to one when t = d. The reason is that this intersection is in fact equal to the alternating subspace of $W^{\otimes t}$, whose dimension is $\binom{d}{t}$. Therefore, we will choose this one-dimensional subspace as our unique quantum witness. Of course, we don't know exactly the dimension of W, but since we have a polynomial upper bound q(|x|) on it, we just try every possible value t between 1 and q(|x|).
For a fixed t, we would ideally implement $\Pi_{W^{\otimes t}} \cdot \Pi_{\mathrm{Alt}}$, the product of the projection to Alt followed by the projection to $W^{\otimes t}$. The reason that this would work is the following. The unique pure state in $\mathrm{Alt} \cap W^{\otimes t}$ (up to a global phase) is clearly accepted with probability 1. On the other hand, we claim that any state $|\varphi\rangle$ orthogonal to that is rejected with probability 1. Indeed, $|\varphi\rangle$ can be decomposed as $|\varphi_1\rangle + |\varphi_2\rangle$, where $|\varphi_1\rangle \in \mathrm{Alt}^{\perp}$ and $|\varphi_2\rangle \in (W^{\otimes t})^{\perp}$. Therefore $|\varphi_1\rangle$ is rejected by $\Pi_{\mathrm{Alt}}$ and $|\varphi_2\rangle$ is rejected by $\Pi_{W^{\otimes t}}$. This implies the claim since we can show that the two projectors actually commute.
We can efficiently implement $\Pi_{\mathrm{Alt}}$ by a procedure we call the Alternating Test. A similar procedure to ours, implementing efficiently the projection to the symmetric subspace Sym of $H^{\otimes t}$, was proposed by Barenco et al. [80] as the basis of a method for the stabilization of quantum computations. In fact, in the two-fold tensor product case, the two procedures coincide and become the well-known Swap Test which was used by Buhrman et al. [81] for deciding if two given pure states are close or far apart.
We can't implement $\Pi_{W^{\otimes t}}$ exactly, but we can approximate it efficiently by a procedure called the Witness Test. This test just applies independently to all the t components of the state the procedure at our disposal which decides in H whether a state is a witness or not, and accepts if all applications accept. There is only one difficulty left: since $\Pi_{\mathrm{Alt}}$ and the Witness Test don't necessarily commute, our previous argument which showed that states in $(W^{\otimes t})^{\perp}$ were rejected with probability 1 doesn't work anymore. We overcome this difficulty by showing that the commutativity of the two projections implies that the projections to Alt of such states are also in $(W^{\otimes t})^{\perp}$, and therefore get rejected with high probability by the Witness Test.
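As an added worked check of the dimension count and the commutation claim above (not code from the thesis or from the paper [5]), the following Python builds $\Pi_{\mathrm{Alt}}$ on $H^{\otimes t}$ and the projector onto $W^{\otimes t}$ as exact rational matrices, verifies that they commute, and reads off $\dim(\mathrm{Alt} \cap W^{\otimes t})$ as the rank of their product. It assumes W is spanned by the first d basis vectors of H (harmless, since Alt does not depend on the choice of basis); the function names are this example's own.

```python
from fractions import Fraction
from itertools import permutations, product
from math import comb, factorial


def perm_sign(sigma):
    """Sign of a permutation given as a tuple: -1 for an odd number of inversions."""
    inversions = sum(1 for a in range(len(sigma)) for b in range(a + 1, len(sigma))
                     if sigma[a] > sigma[b])
    return -1 if inversions % 2 else 1


def tensor_basis(K, t):
    """Computational basis of H^{(x)t} for dim H = K, as index tuples (i_1, ..., i_t)."""
    return list(product(range(K), repeat=t))


def antisymmetrizer(K, t):
    """Pi_Alt = (1/t!) sum_sigma sign(sigma) P_sigma as a K^t x K^t rational matrix,
    where P_sigma permutes the t tensor factors."""
    basis = tensor_basis(K, t)
    index = {b: n for n, b in enumerate(basis)}
    N = len(basis)
    A = [[Fraction(0)] * N for _ in range(N)]
    for col, b in enumerate(basis):
        for sigma in permutations(range(t)):
            permuted = tuple(b[sigma[k]] for k in range(t))
            A[index[permuted]][col] += Fraction(perm_sign(sigma), factorial(t))
    return A


def witness_power_projector(K, d, t):
    """Projector onto W^{(x)t} with W = span of the first d basis vectors of H
    (an assumption of this example); it is diagonal in the computational basis."""
    basis = tensor_basis(K, t)
    N = len(basis)
    P = [[Fraction(0)] * N for _ in range(N)]
    for n, b in enumerate(basis):
        if all(i < d for i in b):
            P[n][n] = Fraction(1)
    return P


def matmul(X, Y):
    """Exact matrix product, skipping zero entries (both factors are sparse)."""
    Z = [[Fraction(0)] * len(Y[0]) for _ in range(len(X))]
    for i, row in enumerate(X):
        for k, xik in enumerate(row):
            if xik:
                for j, ykj in enumerate(Y[k]):
                    if ykj:
                        Z[i][j] += xik * ykj
    return Z


def rank(M):
    """Rank over the rationals by Gaussian elimination (exact, no rounding)."""
    M = [row[:] for row in M]
    r = 0
    for c in range(len(M[0])):
        pivot = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if pivot is None:
            continue
        M[r], M[pivot] = M[pivot], M[r]
        for i in range(len(M)):
            if i != r and M[i][c] != 0:
                f = M[i][c] / M[r][c]
                M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        r += 1
    return r


def alt_dimension(K, t):
    """dim Alt = rank of Pi_Alt, which equals binom(K, t)."""
    return rank(antisymmetrizer(K, t))


def intersection_dimension(K, d, t):
    """dim(Alt ∩ W^{(x)t}) = rank(Pi_{W^{(x)t}} Pi_Alt), valid because the two
    projectors commute (checked here).  Equals binom(d, t): one when t = d, zero
    when t > d, which is why the reduction tries every t between 1 and q(|x|)."""
    A = antisymmetrizer(K, t)
    P = witness_power_projector(K, d, t)
    AP, PA = matmul(A, P), matmul(P, A)
    if AP != PA:
        raise RuntimeError("projectors do not commute")
    return rank(AP)


if __name__ == "__main__":
    K, d = 3, 2   # constructed toy sizes: dim H = 3, witness subspace of dimension 2
    for t in range(1, d + 2):
        print(t, alt_dimension(K, t), intersection_dimension(K, d, t), comb(d, t))
```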
An interesting feature of our reduction is that it is deterministic, while the Valiant-Vazirani procedure is probabilistic. It is fair to say though that classically the witnesses can all be enumerated when their number is bounded by a polynomial. Therefore, in that case, the reduction can also be done deterministically, implying that FewP ⊆ PPromiseUP.
We believe that reducing QMA to a unique witness, which we leave as an open question, will require a probabilistic or a quantum procedure.
Chapter 4
Quantum Cryptography
In an increasingly connected and globalized world, the notions of security and privacy are imperative, hence making cryptography a very important research field. When one is concerned with the notion of security, it is wise to build systems that are secure not only against current adversaries, but also against future malicious parties with ever more sophisticated computational abilities. In the not so far future, such adversaries are likely to possess the ability to perform computations on quantum computers that would enable them to break most of the commonly used security systems. It is therefore urgent to strengthen the foundations of cryptography, in order to make them sufficient for a world where quantum computation and communication is an available resource.
Quantum computation has had a tremendous impact in the field of cryptography in the last decades. Peter Shor’s algorithm for factoring large numbers [51] shows that quantum computers are probably more powerful than classical ones, since factoring is assumed to be hard for any classical computer. In fact, the hardness of factoring is used as proof of security for most currently used classical cryptographic systems, such as RSA, and hence Shor’s result proves that classical cryptography is vulnerable against quantum computers.
Moreover, the ability to communicate over quantum channels has made it possible to revisit unconditionally secure cryptography. In one of the most celebrated results in quantum computation, Bennett and Brassard [186] showed that it is possible for two parties to distribute a secret key in a way which is unconditionally secure against all attacks. Hence, in theory it is possible to have quantum cryptography against any adversary.
Since the discovery of unconditionally secure key distribution, a series of work has investigated what other fundamental cryptographic primitives are possible or not in the quantum world.
4.1 Optimal quantum Coin Flipping
Coin flipping is a cryptographic primitive that enables two distrustful and far apart parties, Alice and Bob, to create a random bit that remains unbiased even if one of the players tries to force a specific outcome. It was first proposed by Blum [103] and has since found numerous applications in two-party secure computation. In the classical world, coin flipping is possible under computational assumptions like the hardness of factoring or the discrete log problem. However, in the information theoretic setting, it is not hard to see that in any classical protocol, one of the players can always bias the coin to his or her desired outcome with probability 1.
Quantum information has given us the opportunity to revisit information theoretic security in cryptography. The first breakthrough result was a protocol of Bennett and Brassard [186] that showed how to securely distribute a secret key between two players in the presence of an omnipotent eavesdropper. Since then, a long series of work has focused on which other cryptographic primitives are possible with the help of quantum information. Unfortunately, the subsequent results were not positive. Mayers, and Lo and Chau, proved the impossibility of secure quantum bit commitment and oblivious transfer and consequently of any type of two-party secure computation [108, 107, 104]. However, several weaker variants of these primitives have been shown to be possible [105, 102].
The case of coin flipping is one of the most intriguing ones. Even though the results of Mayers and of Lo and Chau exclude the possibility of perfect quantum coin flipping, i.e. where the resulting coin is perfectly unbiased, it still remained open whether one can construct a quantum protocol where no player could bias the coin with probability 1. A few years later, Aharonov et al. [101] provided such a protocol where no dishonest player could bias the coin with probability higher than 0.9143. Then, Ambainis [99] described an improved protocol whose cheating probability was at most 3/4. Subsequently, a number of different protocols have been proposed [113, 112, 21] that achieved the same bound of 3/4.
On the other hand, Kitaev [106], using a formulation of quantum coin flipping protocols as semi-definite programs, proved a lower bound of 1/2 on the product of the two cheating probabilities for Alice and Bob (for a proof see e.g. [98]). In other words, no quantum coin flipping protocol can achieve a cheating probability less than 1/√2 for both Alice and Bob.
The question of whether 3/4 or 1/√2 was ultimately the right bound for quantum coin flipping had been open since then. In fact, there had been “evidence” suggesting both cases. First, Kitaev’s semi-definite program formulation of coin flipping seems to be a natural one and using this semi-definite program one cannot hope to prove a better lower bound. On the other hand, most of the suggested coin flipping protocols were using some form of imperfect bit commitment scheme. More precisely, Alice would quantumly commit to a bit a, Bob would announce a bit b and then Alice would reveal her bit a. The outcome of the coin flip would be a ⊕ b. However, Ambainis had proved a lower bound of 3/4 for any protocol of this type and even though more complicated protocols based on similar ideas had been proposed, they all seemed to get stuck at the same 3/4 bound.
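The commit-announce-reveal structure just described also makes the classical impossibility concrete. The following added example (not from the thesis) models a classical commitment as a constructed finite function commit(a, r) and enumerates both players' best strategies: a computationally unbounded Alice wins with certainty whenever some commitment value can be opened to both bits, and otherwise every value determines a, so an unbounded Bob wins with certainty instead.

```python
"""Cheating probabilities in a classical commit-announce-reveal coin flip.

Added example, not part of the original thesis. Alice commits to a bit a
using randomness r, Bob announces a bit b, Alice opens a, and the coin is
a XOR b. The commitment is a constructed toy function commit(a, r) over
r_bits bits of randomness; all strategies are enumerated exhaustively.
"""
from itertools import product
from collections import defaultdict


def honest_inputs(r_bits):
    """All (a, r) pairs an honest Alice samples uniformly at random."""
    return product((0, 1), product((0, 1), repeat=r_bits))


def alice_cheat_prob(commit, r_bits):
    """Alice opens after seeing b, so she wins iff some commitment value c
    can be opened to both 0 and 1 (binding fails). If every c fixes a, she is
    bound to her committed bit and Bob's uniform b makes the coin fair: 1/2."""
    openable = defaultdict(set)
    for a, r in honest_inputs(r_bits):
        openable[commit(a, r)].add(a)
    return 1.0 if any(len(bits) == 2 for bits in openable.values()) else 0.5


def bob_cheat_prob(commit, r_bits):
    """An unbounded Bob guesses a from c by majority over its preimages and
    announces b = guess XOR target, winning exactly when the guess is right.
    Probability is averaged over honest Alice's uniform choice of (a, r)."""
    counts = defaultdict(lambda: [0, 0])
    for a, r in honest_inputs(r_bits):
        counts[commit(a, r)][a] += 1
    total = 2 ** (r_bits + 1)
    return sum(max(n0, n1) for n0, n1 in counts.values()) / total


def best_cheat_prob(commit, r_bits):
    """The better of the two dishonest players; always 1 for a classical
    commitment, since it cannot be both perfectly hiding and binding."""
    return max(alice_cheat_prob(commit, r_bits), bob_cheat_prob(commit, r_bits))


# Constructed toy commitments: one perfectly hiding, one perfectly binding.
HIDING = lambda a, r: r          # c ignores a: Alice may open either way
BINDING = lambda a, r: (a, r)    # c reveals a: Bob reads it off directly

if __name__ == "__main__":
    for name, scheme in (("hiding", HIDING), ("binding", BINDING)):
        print(name, alice_cheat_prob(scheme, 2), bob_cheat_prob(scheme, 2))
```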
During the study of quantum coin flipping, a weaker variant was introduced that is referred to as weak coin flipping. In this setting, Alice and Bob have a priori a desired coin outcome, in other words the two values of the coin can be thought of as ‘Alice wins’ and ‘Bob wins’. We are again interested in bounding the probability that a dishonest player can win this game.
Weak coin flipping protocols with cheating probabilities less than 3/4 were constructed in [114, 100, 21]. In “Weak coin flipping with small bias” we had studied the primitive of weak coin flipping and gave an efficient protocol with small bias.
The best achieved bound was in fact 1/√2, a strange coincidence, since Kitaev’s lower bound of 1/√2 does not apply in the case of weak coin flipping. The only lower bound