On the Concurrent Composition of Quantum Zero-Knowledge

We study the notion of zero-knowledge secure against quantum polynomial-time verifiers (referred to as quantum zero-knowledge) in the concurrent composition setting. Despite being extensively studied in the classical setting, concurrent composition in the quantum setting has hardly been studied. We initiate a formal study of concurrent quantum zero-knowledge. Our results are as follows: -Bounded Concurrent QZK for NP and QMA: Assuming post-quantum one-way functions, there exists a quantum zero-knowledge proof system for NP in the bounded concurrent setting. In this setting, we fix a priori the number of verifiers that can simultaneously interact with the prover. Under the same assumption, we also show that there exists a quantum zero-knowledge proof system for QMA in the bounded concurrency setting. -Quantum Proofs of Knowledge: Assuming quantum hardness of learning with errors (QLWE), there exists a bounded concurrent zero-knowledge proof system for NP satisfying quantum proof of knowledge property. Our extraction mechanism simultaneously allows for extraction probability to be negligibly close to acceptance probability (extractability) and also ensures that the prover's state after extraction is statistically close to the prover's state after interacting with the verifier (simulatability). The seminal work of [Unruh EUROCRYPT'12], and all its followups, satisfied a weaker version of extractability property and moreover, did not achieve simulatability. Our result yields a proof of quantum knowledge system for QMA with better parameters than prior works

How many qubits are needed for quantum computational supremacy?

Quantum computational supremacy arguments, which describe a way for a quantum computer to perform a task that cannot also be done by a classical computer, typically require some sort of computational assumption related to the limitations of classical computation. One common assumption is that the polynomial hierarchy (PH) does not collapse, a stronger version of the statement that P $\neq$ NP, which leads to the conclusion that any classical simulation of certain families of quantum circuits requires time scaling worse than any polynomial in the size of the circuits. However, the asymptotic nature of this conclusion prevents us from calculating exactly how many qubits these quantum circuits must have for their classical simulation to be intractable on modern classical supercomputers. We refine these quantum computational supremacy arguments and perform such a calculation by imposing fine-grained versions of the non-collapse assumption. Each version is parameterized by a constant $a$ and asserts that certain specific computational problems with input size $n$ require $2^{an}$ time steps to be solved by a non-deterministic algorithm. Then, we choose a specific value of $a$ for each version that we argue makes the assumption plausible, and based on these conjectures we conclude that Instantaneous Quantum Polynomial-Time (IQP) circuits with 208 qubits, Quantum Approximate Optimization Algorithm (QAOA) circuits with 420 qubits and boson sampling circuits (i.e. linear optical networks) with 98 photons are large enough for the task of producing samples from their output distributions up to constant multiplicative error to be intractable on current technology. In the first two cases, we extend this to constant additive error by introducing an average-case fine-grained conjecture.Comment: 24 pages + 3 appendices, 8 figures. v2: number of qubits calculation updated and conjectures clarified after becoming aware of Ref. [42]. v3: Section IV and Appendix C added to incorporate additive-error simulation

Efficient classical simulation of random shallow 2D quantum circuits

Random quantum circuits are commonly viewed as hard to simulate classically. In some regimes this has been formally conjectured, and there had been no evidence against the more general possibility that for circuits with uniformly random gates, approximate simulation of typical instances is almost as hard as exact simulation. We prove that this is not the case by exhibiting a shallow circuit family with uniformly random gates that cannot be efficiently classically simulated near-exactly under standard hardness assumptions, but can be simulated approximately for all but a superpolynomially small fraction of circuit instances in time linear in the number of qubits and gates. We furthermore conjecture that sufficiently shallow random circuits are efficiently simulable more generally. To this end, we propose and analyze two simulation algorithms. Implementing one of our algorithms numerically, we give strong evidence that it is efficient both asymptotically and, in some cases, in practice. To argue analytically for efficiency, we reduce the simulation of 2D shallow random circuits to the simulation of a form of 1D dynamics consisting of alternating rounds of random local unitaries and weak measurements -- a type of process that has generally been observed to undergo a phase transition from an efficient-to-simulate regime to an inefficient-to-simulate regime as measurement strength is varied. Using a mapping from quantum circuits to statistical mechanical models, we give evidence that a similar computational phase transition occurs for our algorithms as parameters of the circuit architecture like the local Hilbert space dimension and circuit depth are varied

A systematic study of the sensitivity of triangular flow to the initial state fluctuations in relativistic heavy-ion collisions

Experimental data from the Relativistic Heavy Ion Collider (RHIC) suggests that the quark gluon plasma behaves almost like an ideal fluid. Due to its short lifetime, many QGP properties can only be inferred indirectly through a comparison of the final state measurements with transport model calculations. Among the current phenomena of interest are the interdependencies between two collective flow phenomena, elliptic and triangular flow. The former is mostly related to the initial geometry and collective expansion of the system whereas the latter is sensitive to the fluctuations of the initial state. For our investigation we use a hybrid transport model based on the Ultra-relativistic Quantum Molecular Dynamics (UrQMD) transport approach using an ideal hydrodynamic expansion for the hot and dense stage. Using UrQMD initial conditions for an Au-Au collision, particles resulting from a collision are mapped into an energy density distribution that is evolved event-by-event with a hydrodynamic calculation. By averaging these distributions over different numbers of events, we have studied how the granularity/smoothness of the distribution affects the initial eccentricity, the initial triangularity, and the resulting flow components. The average elliptic flow in non central collisions is not sensitive to the granularity, while triangular flow is. The triangularity might thus provide a good measure of the amount of initial state fluctuations that is necessary to reproduce the experimental data.Comment: 10 pages, 7 figure

Cryptographic Simulation Techniques with Applications to Quantum Zero-Knowledge and Copy-Protection

Bob is stuck doing a crossword puzzle and is starting to think that the puzzle is impossible to complete. Alice assures Bob that the puzzle can be solved, but she wants to prove it without revealing a single entry of the puzzle. Their cryptographer friend, Eve, tells them that Alice can prove it by using a zero-knowledge (ZK) protocol. These protocols are a cornerstone of modern cryptography, yet most of the work has been limited to the classical setting. Since Bob has a quantum computer, Alice needs to be careful choosing the right protocol to make sure it is a quantum zero-knowledge (QZK) protocol, guaranteeing that quantum Bob cannot learn anything about the puzzle except that it has a solution. Proving the security of ZK protocols comes with additional hurdles when adversaries are quantum capable, in part because the main tool used in the classical setting, rewinding, has additional limitations in the quantum case. While one version of quantum rewinding introduced by Watrous has been successfully used to construct QZK protocols, most of the classical ZK results have been challenging to port to the quantum setting. Ideally, we want quantum secure protocols with the same desirable properties that have been achieved in the classical literature, like concurrent security or low-round complexity. In this thesis, we introduce new quantum simulation techniques and apply them to construct the following QZK protocols assuming the quantum hardness of learning with errors (QLWE). • (1)-round black-box QZK classical argument system for NP: We use techniques developed in the context of ‘tests of quantumness’ to obtain an extraction mechanism that can be leveraged to construct a QZK simulator. • Public coin bounded concurrent black-box QZK proof system for NP and QMA: We introduce the technique of block rewinding and use it to obtain a concurrent QZK simulator. • Simulatable and extractable quantum proofs of knowledge for NP: We construct QPoK with desirable properties needed for composability. The technique combines Watrous’ rewinding with a recently studied cryptographic tool, statistical receiver-private oblivious transfer. This is the first construction of QPoK with the desired composability features. We also introduce a new non-black-box knowledge extraction technique using quantum fully homomorphic encryption (QFHE) and lockable obfuscation. One of our main results is that we can adapt this non-black-box technique to the setting of quantum copy-protection to prove that it is impossible to quantum copy-protect arbitrary unlearnable functions. This resolves a long-standing open problem in the negative, assuming QLWE and the existence of QFHE. Our impossibility result states that we can’t construct quantum copy-protection for arbitrary functions. However, we can hope to do it for restricted families of functions like point functions or compute-and-compare functionalities. While this remains an interesting and challenging open question, we show that provable secure constructions in a standard model (without oracles) are possible if we consider weaker security guarantees from those of quantum copy-protection. For this purpose, we introduce the notion of Secure Software Leasing (SSL), and construct an SSL scheme for a general class of evasive circuits.Ph.D