Results 1-10 of 54
Consistency of local density matrices is QMA-complete
 In Approximation, Randomization, and Combinatorial Optimization, Algorithms and Techniques, 9th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX 2006 and 10th International Workshop on Randomization and Co
, 2006
Cited by 31 (3 self)
Suppose we have an n-qubit system, and we are given a collection of local density matrices ρ1,..., ρm, where each ρi describes a subset Ci of the qubits. We say that the ρi are “consistent” if there exists some global state σ (on all n qubits) that matches each of the ρi on the subsets Ci. This generalizes the classical notion of the consistency of marginal probability distributions. We show that deciding the consistency of local density matrices is QMA-complete (where QMA is the quantum analogue of NP). This gives an interesting example of a hard problem in QMA. Our proof is somewhat unusual: we give a Turing reduction from Local Hamiltonian, using a convex optimization algorithm by Bertsimas and Vempala, which is based on random sampling. Unlike in the classical case, simple mapping reductions do not seem to work here.
Efficient authentication from hard learning problems
 EUROCRYPT
Cited by 21 (6 self)
Abstract. We construct efficient authentication protocols and message-authentication codes (MACs) whose security can be reduced to the learning parity with noise (LPN) problem. Despite a large body of work – starting with the HB protocol of Hopper and Blum in 2001 – until now it was not even known how to construct an efficient authentication protocol from LPN which is secure against man-in-the-middle (MIM) attacks. A MAC implies such a (two-round) protocol.
New Limits to Classical and Quantum Instance Compression
 ELECTRONIC COLLOQUIUM ON COMPUTATIONAL COMPLEXITY, REPORT NO. 112
, 2012
Cited by 20 (1 self)
Given an instance of a hard decision problem, a limited goal is to compress that instance into a smaller, equivalent instance of a second problem. As one example, consider the problem where, given Boolean formulas ψ 1,...,ψ t, we must determine if at least one ψ j is satisfiable. An OR-compression scheme for SAT is a polynomial-time reduction R that maps (ψ 1,...,ψ t) to a string z, such that z lies in some “target” language L′ if and only if ∨ j [ψj ∈ SAT] holds. (Here, L′ can be arbitrarily complex.) AND-compression schemes are defined similarly. A compression scheme is strong if z  is polynomially bounded in n = maxj ψ j , independent of t. Strong compression for SAT seems unlikely. Work of Harnik and Naor (FOCS ’06/SICOMP ’10) and Bodlaender, Downey, Fellows, and Hermelin (ICALP ’08/JCSS ’09) showed that the infeasibility of strong OR-compression for SAT would show limits to instance compression for a large number of natural problems. Bodlaender et al. also showed that the infeasibility of strong AND-compression for SAT would have consequences for a different list of problems. Motivated by this, Fortnow and Santhanam (STOC ’08/JCSS ’11) showed that if SAT is strongly OR-compressible,
Universally composable quantum multiparty computation
 In Advances in Cryptology – Proc. EUROCRYPT 2010, LNCS
, 2010
Quantum proofs of knowledge
, 2010
Cited by 10 (1 self)
We motivate, define and construct quantum proofs of knowledge, proofs of knowledge secure against quantum adversaries. Our constructions are based on a new quantum rewinding technique that allows us to extract witnesses in many classical proofs of knowledge. We give criteria under which a classical proof of knowledge is a quantum proof of knowledge. Combining our results with Watrous’ results on quantum zero-knowledge, we show that there are zero-knowledge quantum proofs of knowledge for all languages in NP.
Composable Security in the Bounded-Quantum-Storage Model
, 2008
Cited by 10 (2 self)
We present a simplified framework for proving sequential composability in the quantum setting. In particular, we give a new, simulation-based, definition for security in the bounded-quantum-storage model, and show that this definition allows for sequential composition of protocols. Damgård et al. (FOCS ’05, CRYPTO ’07) showed how to securely implement bit commitment and oblivious transfer in the bounded-quantum-storage model, where the adversary is only allowed to store a limited number of qubits. However, their security definitions did only apply to the standalone setting, and it was not clear if their protocols could be composed. Indeed, we first give a simple attack that shows that these protocols are not composable without a small refinement of the model. Finally, we prove the security of their randomized oblivious transfer protocol in our refined model. Secure implementations of oblivious transfer and bit commitment then follow easily by a (classical) reduction to randomized oblivious transfer.
Quantum expanders and the quantum entropy difference problem
, 2007
Cited by 9 (2 self)
Classical expanders and extractors have numerous applications in computer science. However, it seems these classical objects have no meaningful quantum generalization. This is because it is easy to generate entropy in quantum computation simply by tracing out registers. In this paper we define quantum expanders and extractors in a natural way. We show that this definition is exactly what is needed for showing that QED, the quantum analogue of ED (the entropy difference problem) is QSZK-complete. We also show that quantum expanders exist and with very good parameters in the high min-entropy regime. The first construction is derived from the work of Ambainis and Smith and is based on expander graphs that are based on Cayley graphs of Abelian groups. The drawback of this construction is that it uses logarithmic seed length (yet, this already suffices for showing that QED is QSZK-complete). We also show a quantum analogue of the Lubotzky, Phillips and Sarnak construction of Ramanujan expanders from Cayley graphs of PGL(2, q). Our construction is a sequence of two steps on the Cayley graph with a basis change in between steps. We believe this quantum analogue of classical Ramanujan expanders is of independent interest.
The complexity of the consistency and N-representability problems for quantum states
Cited by 8 (1 self)
QMA (Quantum Merlin-Arthur) is the quantum analogue of the class NP. There are a few QMA-complete problems, most of which are variants of the “Local Hamiltonian” problem introduced by Kitaev. In this dissertation we show some new QMA-complete problems which are very different from those known previously, and have applications in quantum chemistry. The first one is “Consistency of Local Density Matrices”: given a collection of density matrices describing different subsets of an n-qubit system (where each subset has constant size), decide whether these are consistent with some global state of all n qubits. This problem was first suggested by Aharonov. We show that it is QMA-complete, via an oracle reduction from Local Hamiltonian. Our reduction is based on algorithms for convex optimization with a membership oracle, due to Yudin and Nemirovskii. Next we show that two problems from quantum chemistry, “Fermionic Local Hamiltonian” and “N-representability,” are QMA-complete. These problems involve systems of fermions, rather than qubits; they arise in calculating the ground state energies of molecular systems. N-representability is particularly interesting, as it is a key component
A Characterization of Non-interactive Instance-Dependent Commitment-Schemes (NIC)
Cited by 8 (2 self)
Abstract. We provide a new characterization of certain zero-knowledge protocols as non-interactive instance-dependent commitment-schemes (NIC). To obtain this result we consider the notion of V-bit protocols, which are very common, and found many applications in zero-knowledge. Our characterization result states that a protocol has a V-bit zero-knowledge protocol if and only if it has a NIC. The NIC inherits its hiding property from the zero-knowledge property of the protocol, and vice versa. Our characterization result yields a framework that strengthens and simplifies many zero-knowledge protocols in various settings. For example, applying this framework to the result of Micciancio et al. [18] (who showed that some problems, including GRAPH-NONISOMORPHISM and QUADRATIC-RESIDUOUSITY, unconditionally have a concurrent zero-knowledge proof) we easily get that arbitrary, monotone boolean formulae over a large class of problems (which contains, e.g., the complement of any random self-reducible problem) unconditionally have a concurrent zero-knowledge proof.
Quantum Computation vs. Firewalls
 PREPARED FOR SUBMISSION TO JHEP
, 2013
Cited by 7 (1 self)
In this paper we discuss quantum computational restrictions on the types of thought experiments recently used by Almheiri, Marolf, Polchinski, and Sully to argue against the smoothness of black hole horizons. We argue that the quantum computations required to do these experiments would take a time which is exponential in the entropy of the black hole under study, and we show that for a wide variety of black holes this prevents the experiments from being done. We interpret our results as motivating a broader type of nonlocality than is usually considered in the context of black hole thought experiments, and claim that once this type of nonlocality is allowed there may be no need for firewalls. Our results do not threaten the unitarity of black hole evaporation or the ability of advanced civilizations to test it.