Separating Quantum and Classical Learning Rocco A. Servedio Division of Engineering and Applied Sciences, Harvard University Cambridge, MA 02138 [email protected]

Abstract. We consider a model of learning Boolean functions from quantum membership queries. This model was studied in [26], where it was shown that any class of Boolean functions which is information-theoretically learnable from polynomially many quantum membership queries is also information-theoretically learnable from polynomially many classical membership queries. In this paper we establish a strong computational separation between quantum and classical learning. We prove that if any cryptographic one-way function exists, then there is a class of Boolean functions which is polynomial-time learnable from quantum membership queries but not polynomial-time learnable from classical membership queries. A novel consequence of our result is a quantum algorithm that breaks a general cryptographic construction which is secure in the classical setting.

1 Introduction Over the past decade the study of quantum computation has generated much excitement and attracted intense research attention. One of the most interesting aspects of this new computing paradigm is the possibility that polynomial-time quantum computation may be strictly more powerful than polynomial-time classical computation, i.e. that the quantum class BQP may strictly contain BPP. Evidence for this possibility has been provided by Shor [27], who gave polynomial-time quantum algorithms for factoring and discrete logarithms, two problems which are not known to have polynomial-time classical algorithms. Since many important learning problems are not known to be solvable in polynomial time, from a learning theory perspective the prospect of gaining computing power via quantum computation is quite intriguing. It is natural to ask whether efficient quantum algorithms can be designed for learning problems (such as the problem of learning DNF formulae) which have thus far resisted efforts to construct polynomial-time algorithms. The ultimate goal of research along these lines would be to construct quantum algorithms which learn using traditional (classical) example oracles, but such algorithms are not yet known. 1.1

Previous Work

As a first step in this direction, several researchers have studied quantum learning algorithms which have access to quantum oracles; so in this framework the source of

examples as well as the learning algorithm itself is assumed to operate in a quantum fashion. The first work along these lines is due to Bshouty and Jackson [10] who defined a quantum PAC oracle and gave an efficient algorithm for learning DNF from a uniform-distribution quantum PAC oracle. In a different community, many complexity theory researchers have studied the power of quantum computation with a black-box quantum oracle [3–8, 11, 13, 16, 28, 31]. This research has focused on understanding the relationship between the number of quantum versus classical black-box oracle queries required to determine whether or not a black-box function has some particular property such as ever taking a nonzero value [4, 6, 11, 16, 31] or being evenly balanced between the outputs zero and one [13]. Since a classical black-box oracle query to a Boolean function is the same thing as a membership query in learning theory, in light of the work described above it is natural to consider a model of learning from quantum membership queries. In contrast with the work described above, the goal here is to exactly identify the black-box function rather than to determine whether or not it has some property. Servedio and Gortler [26] defined such a model and proved that any concept class which is information-theoretically learnable from polynomially many quantum membership queries is also informationtheoretically learnable from polynomially many classical membership queries (they also gave a similar result for the quantum PAC learning model of [10]). This result from [26] deals only with query complexity and does not address the computational complexity of quantum versus classical learning. Indeed, [26] also showed that polynomial-time quantum learning is more powerful than polynomial-time classical learning under the assumption that factoring is computationally hard for classical computers. This follows directly from the observation that Shor’s quantum factoring algorithm enables quantum algorithms to efficiently learn concept classes whose classical learnability is directly related to the hardness of factoring [2, 20].




1.2

Our Results

We give strong evidence that efficient quantum learning algorithms are more powerful than efficient classical learning algorithms. Our main result is the following theorem:




Theorem 1. If any one-way function exists, then there is a concept class which is polynomial-time learnable from quantum membership queries but is not polynomialtime learnable from classical membership queries. This separation between quantum and classical learning is far more robust than previous work [26]. Even if a polynomial-time classical factoring algorithm were to be discovered, our separation would hold as long as any one-way function exists (a universally held belief in public-key cryptography). The main cryptographic tool underlying our results is a new construction of pseudorandom functions which are invariant under an XOR mask (see Section 4). As described in Section 5.1, each concept combines these new pseudorandom functions with pseudorandom permutations in a particular way. Roughly speaking, the XOR mask invariance of the new pseudorandom functions ensures that a quantum algorithm due to Simon [28] can be used to extract some information about the structure of the target




concept and thus make progress towards learning. On the other hand, the pseudorandomness ensures that no probabilistic polynomial-time learning algorithm can extract any useful information, and thus no such algorithm can learn successfully. As discussed in Section 6, our results prove the existence of a quantum oracle algorithm which defeats a general cryptographic construction secure in the classical setting. More precisely, given any one-way function we construct a family of pseudorandom functions which are classically secure but can be distinguished from truly random functions (and in fact exactly identified) by an algorithm which makes quantum oracle queries. To our knowledge, this is the first break of a general cryptographic protocol (not based on a specific assumption such as factoring) in a quantum setting.

2 Preliminaries



  
   !   
     #    "  $+*!& $-,.&0/ 123 4*!6 8 4 6 , v wo 't'uyx $ o x B > v#w3   I#qUrs 1z

/[42






e

m

$

!
  _@/[4b2  /c4b2

i j .e!k

_

o

1z|{`1z

unitary matrix, and a quantum algorithm is defined by a sequence of such matrices. A single quantum computation step is analogous to a single gate in a classical circuit; in order to ensure that each step of quantum computation performs only a bounded amount of work, the model stipulates that each unitary matrix must be simple and local in a well-defined sense. At the end of a quantum computation a measurement is performed on the register and an -bit string is obtained as output. If the register’s final state is then with probability the string is the output. Quantum computation with access to an oracle proceeds as follows. If the oracle is invoked when the current state of the quantum register is then at the next step the state of the register will be (It can be verified that this change of state is a unitary transformation for any oracle ) Thus a quantum algorithm can invoke its oracle on a superposition of inputs and receives a corresponding superposition of responses. This model of quantum computation with an oracle has been studied by many researchers in complexity theory [3–8, 11, 13, 16, 28, 31] and has also recently been studied from a learning theory perspective [26]. We say that a concept class is polynomial-time learnable from quantum membership queries if there is a quantum oracle algorithm with the following property: for all for all runs for at most poly steps and with probability at least outputs a representation of a Boolean circuit which is logically equivalent to It is well known that any classical oracle algorithm can be efficiently simulated by a quantum oracle algorithm, and thus any concept class which is polynomial-time learnable from classical membership queries is polynomial-time learnable from quantum membership queries.

npo

o I#qUrs ;t'u $ > v w

n~

m

x$ oxB

v\)   z }"   p    S

 ~ ;t ;t € ‚ I#q€rs C s lI#q€rs ns ~ ƒ„I#qUrs ;t'u?… C …‚ $ s s ƒ-> 45'6U†!w ~ I#qUrs 't C s I#qUrs 'tU‚ s ƒ„I#q€rs ;tUu+… C …‚ $ s s ƒ‡> 45U6 *"/c4b2ˆU†!w l


8 fh  ] i j l

d
 ‰ e!k

3 Simon’s Algorithm

Š‹?    Œ    L Š

e

/[852 _

p  Ž L      Š  6  45 Š?/c4b2 ?Š  /[62\‘ 6  4 *’L L Š?/[42 ?Š /[4*’L2 4))     

Let be a function and let We say that is two-to-one with XOR mask if for all More generally, is invariant under XOR mask with if for all (note that such a function need not be two-to-one). Simon [28] has given a simple quantum algorithm which takes oracle access to a function runs in poly time, and behaves as follows:

ŠdR    “     /c852 1. If Š is a permutation on      the algorithm outputs an 8 -bit string 6 which is uniformly distributed over      2. If Š is two-to-one with XOR mask L the algorithm outputs an string 6 which  8 -bit  is uniformly distributed over the 1 R” strings such that 6.9 L 3. If Š is invariant under mask with L the algorithm outputs some 8 -bit string 6  XOR which satisfies 69L  Simon showed that by running this procedure •\/c852 times a quantum algorithm can distinguish between Case 1 ( Š is a permutation) and Case 3 ( Š is invariant under some XOR mask) with high probability. In Case 1 after •\/[852 repetitions the strings obtained will with probability „–1 ”—+˜™š contain a basis for the vector space /œ› 2  (here we are B

8

› B

 66ž9ŸL    L •\/[852

viewing -bit strings as vectors over ), while in Case 3 the strings obtained cannot contain such a basis since each string must lie in the subspace Simon also observed that in Case 2 ( is two-to-one with XOR mask ) the algorithm can be used to efficiently identify with high probability. This is because after repetitions, with high probability will be the unique nonzero vector whose dot product with each is this vector can be found by solving the linear system defined by the ’s. Simon also analyzed the success probability of classical oracle algorithms for this problem. His analysis establishes the following theorem:

6

L

 

Š

L

6

¡  L.y   

Š)     ¢   

Theorem 2. Let be chosen uniformly and let be an oracle chosen uniformly from the set of all functions which are two-to-one with XOR mask Then (i) there is a polynomial-time quantum oracle algorithm which identifies with high probability; (ii) any p.p.t. classical oracle algorithm identifies with probability

L

L

j1 £ ˜™š 

L

L

This surprising ability of quantum oracle algorithms to efficiently find is highly suggestive in the context of our quest for a learning problem which separates polynomialtime classical and quantum computation. Indeed, Simon’s algorithm will play a crucial role in establishing that the concept class which we construct in Section 5 is learnable in poly time by a quantum algorithm. Recall that in our learning scenario, though, the goal is to exactly identify the unknown target function, not just to identify the string Since bits are required to specify a randomly chosen function which is twoto-one with XOR mask no algorithm (classical or quantum) can output a description of in poly time, much less learn in poly time. Thus it will not do to use truly random functions for our learning problem; instead we use pseudorandom functions as described in the next section.

L

Š

/c852 1R£ ˜™š /c852

Š

L

Š

/[852

4 Pseudorandomness

   ¥ H ¥  H;I#qUrs ;tJ§ 8 /c852 Š H /c4b2ˆ  MP 8+ ² EGF HJI#q€rs ;t C ¬ M]¯U° ˆ ­ ©\  © ± ˜™š

lŠH)¤  #¥ H ¥¦ 8 45 ¨\ ©© EGF;ª I « ¬ M ª

­®– C

A pseudorandom function family [15] is a collection of functions with the following two properties: (i) (efficient evaluation) there is a deterministic algorithm which, given an -bit seed and an -bit input runs in time poly and outputs (ii) (pseudorandomness) for all polynomials all p.p.t. oracle algorithms and all sufficiently large we have that outputs outputs Intuitively, the pseudorandomess property ensures that in any p.p.t. computation which uses a truly random function, a randomly chosen pseudorandom function may be used instead without affecting the outcome in a noticeable way. Well known results [15, 17] imply that pseudorandom function families exist if and only if any one-way function exists. A pseudorandom permutation family is a pseudorandom function family with the is a permutation. Luby added property that each function and Rackoff [21] gave the first construction of a pseudorandom permutation family from any pseudorandom function family. In their construction each permutation has a seed of length rather than as in our definition above. Subsequent constructions [22–24] of pseudorandom permutation families use -bit seeds and hence match our definition exactly. (Our

L

Š H ³   ¥ H ¥ ´   ¥ H ¥

    ¶    ŠH!    “    

8

L

> L > h· 8@j1

8

ŠHµ

definition of pseudorandomness could easily be extended to allow seed lengths other than For our construction in Section 5 it will be convenient to have -bit seeds.)

8+

4.1

8

Pseudorandom Functions Invariant under XOR Mask

Our main cryptographic result, stated below, is proved in Appendix A:

QH/c4b2  QH/[4¹*ºL2

QH¸    ¥ H ¥ V   ¥ H ¥ 

> 4„>  > L >»

Theorem 3. If any one-way function exists, then there is a pseudorandom function family such that for all A first approach to constructing such a family is as follows: given any pseudorandom function family let be defined by

lŠH

QH

QH/[42?¼ ½œ¾ ŠH/[42'*ºŠH/[4*:L 2ˆ (1) This simple construction ensures that each function QH is invariant under XOR mask with L but the family QH need not be pseudorandom just because ŠH is pseudoran dom. Indeed, if l_‰H is similarly defined by _‰H/c4b2 ¼½œ¾ QH/c4b2'*"QH/[4*’L2ˆ then l _‰H is  not pseudorandom since _bHl/[42 /NŠH/[4b2;*’ŠHl/c4*’L2U2;*/NŠH/c4*ºL2'*"ŠH/[4*’Ll*"L2 

While this example shows that (1) does not always preserve pseudorandomness, it leaves open the possibility that (1) may preserve pseudorandomness for certain function families . In Appendix A we show that if is a pseudorandom function family which is constructed from any one-way function in a particular way, then the family defined by (1) is indeed pseudorandom. It may at first appear that the pseudorandom function family given by Theorem 3 immediately yields a concept class which separates efficient quantum learning from efficient classical learning. The pseudorandomness of ensures that no p.p.t. algorithm can learn successfully; on the other hand, if Simon’s quantum algorithm is given oracle access to a function which is two-to-one with XOR mask then it can efficiently find with high probability. Hence it may seem that given access to Simon’s quantum algorithm can efficiently identify the seed and thus learn the target concept. The flaw in this argument is that each function from Theorem 3, while invariant under XOR mask with need not be two-to-one. Indeed could conceivably be invariant under XOR mask with, say, linearly independent strings Such a set of strings spans a -element subspace of ; even if Simon’s algorithm could identify this subspace, it would not indicate which element of the subspace is the true seed Hence a more sophisticated construction is required.

lŠ H 

Š H 

Q H 

Q H 

Q H 

L

L

L Q H

L

1À

¿ 8

QH

QH L  L JL B ˆJLÀ      

L

5 Proof of Theorem 1 5.1

The Concept Class

Á

  z m   8 ,‹1?™ÃÄG8,g  Each concept in
z /[8, 2 /[6;L  ;L  2 where 6 6 '6  (    and each LÅ]   \Æ   #
z 1  /®1  –Ç

2  distinct concepts. For brevity we L L JL 

We describe concepts over where is defined by an -tuple so contains write to stand for below.




8  
z ` /®ÈU4@UÉJ®Ê 2

z

Roughly speaking, each concept in comprises pseudorandom functions; as explained below the string acts as a “password” and the strings are the seeds to the pseudorandom functions. Each concept takes -bit strings as inputs; we view such an -bit input as a 4-tuple where and each represent a number in the range Let be a pseudorandom permutation family be the pseudorandom function family from and let Theorem 3, so The concept is defined as follows on input

6

L  JL  m È}Ë  # 4  ;13U8?#

m      r ÉJ®ÊÌ) H  Í Î;Ï  l_ H ¤   ¥ ¥%´  #¥ H ¥» H;I#qUrs 'tJ§ l_ H    ¥ H ¥ V    ¥ H ¥  H;I#qUrs 'tJ§  _ H /c4b2 _ H /c4*’L23  s H /NÈ'45UÉJœÊ#2- – If НÑ|Ò : A query /c '45'É;œÊ 2 is called a function query. The value of  ls H /c '45'É;œÊ 2 JÓ JÓ is _ H Ó /[42®Ô i.e. the Ê -th bit of the 8 -bit string _ H Ó /c4b23 Thus the bit 6 determines Å whether the É -th pseudorandom function used is a permutation or is invariant under XOR mask with L Å . – If еÑÖ of  s H /€ U4@UÉJ®Ê 2 is  Õ : A query /€ '45'É;œÊ 2 is called a seed query. The value 0 if 4  6 and is L Ô Å (the Ê -th bit of the É -th seed L Å ) if 4 6

The intuition behind our construction is simple: in order to learn the target concept successfully a learning algorithm must identify each seed string These strings can be identified by making seed queries but in order to make the correct seed queries the learning algorithm must know Since each bit corresponds to whether an oracle is a permutation or is XOR-mask invariant, a quantum algorithm can determine each and thus can learn successfully. However, no p.p.t. algorithm can distinguish between these two types of oracles (since in either case the oracle is pseudorandom and hence is indistinguishable from a truly random function), so no p.p.t. algorithm can learn

/U '6b'ÉJ®Ê 23 6

6Å

L ˆ;L   6Å

6

5.2

A Quantum Algorithm Which Learns




Á

in Polynomial Time

is polynomial-time learnable from quantum membership queries.

Theorem 4.

 ls H 
z

6Å

_ ;H ÓÓ

6Å

L Å   /c85J2 Ó _ HÓ

Proof sketch: Let be the target concept. Each function is a permutation iff and is XOR-mask invariant iff (this is why we do not allow in the definition of the concept class). Using quantum membership queries, a poly -time quantum algorithm can run Simon’s procedure times, once for each function and thus determine each bit with high probability. (One detail which arises here is that Simon’s algorithm uses an oracle whereas in our learning setting the oracle outputs one bit at a time. This is not a problem since it is possible to simulate any call to Simon’s oracle by making sequential calls, bit by bit, to our oracle.) Given the string the algorithm can then make queries on inputs for to learn each of the strings Once and are known it is straightforward to output a circuit for

6Å

6  6 '6  

Ž×ÉJ®Ê¡×8

5.3

8     ¶      8 8B 8 L ;L    s H 

No Classical Algorithm Learns

Theorem 5.




Á

6

/U '6b'ÉJ®Ê 2 L ˆJL  ØÙ

in Polynomial Time

is not polynomial-time learnable from classical membership queries.

’
Ú
‰> ’
Ú >  1  WUÝ  be the concept class
’Ú    s H 6JL JL   Û
’z Ú includes z z thus concepts in which L Å may be   The
following lemma     #  zÜ Ú  z states that it is hard to learn a target concept chosen uniformly from z Lemma 1. For all polynomials p.p.t. learning algorithms e: and all sufficiently ¬ e kœÞJß ° outputs¨\a all large 8 , E%F hypothesis  I 5 à á _7⠁s H ­ ± ² ˜ãš  kœÞJß ° u
’Ú To see that Lemma 1 implies Theorem 5, we note that the uniform distribution over
z and the uniform distribution over are nearly identical (the two distributions have
z total variation distance •\/[8@j1  2 ). Lemma 1 thus has the following analogue for z which clearly implies Theorem 5: Let

¨\

8 %E F œk ÞJß ° Ià u ¬ e kœÞJß °

all p.p.t. learning algorithms Lemma 2. For all polynomials large , outputs a hypothesis

6 e

_7⠁s H ­ ± ² ˜ãš 

e: and all sufficiently e

The proof of Lemma 1 proceeds as follows: we say that a learning algorithm hits if at some point during its execution makes a seed query and we say that misses if does not hit We have that

6

e

e

6  E%IF à u á ¬ e k ÞJß ° outputs _7âä s H ­  GE F ¬ e œk ÞJß ° EGF ¬¬ e ×`EGF ¬ e EGF e

/€ '6UÉJ®Ê 23

k Þ3ß ° k Þ3ß ° kœÞ3ß ° kœÞ3ß °

_7⠁s Hµå e k ÞJß ° hits 6#­ , outputs _7⠁s Hµå e k ÞJß ° misses 6#­ hits 6#­ , outputs _7⠁s H >‡e kœÞJß ° misses 6#­® outputs

Lemma 1 thus follows from the following two lemmas:

¨\ all p.p.t. learning algorithms e: and all sufficiently 8 %E F œk ÞJß ° Ià5u á ¬ e kœÞJß ° 6­ ± ² ˜ãš  Lemma 4. For all polynomials p.p.t. learning algorithms e: and all sufficiently ¬ e kœÞJß ° outputs¨\_ all p â  large 8 , E%F  I 5 à á ls H >-e kœÞJß ° misses 6#­ ± ² ˜™š  kœÞJß ° u Lemma 3. For all polynomials large , hits

6

Proof of Lemma 3. The idea of the proof is as follows: before hitting for the first time algorithm gets as the answer to each seed query, so might as well be querying a modified oracle which answers 0 to every seed query. We show that no p.p.t. algorithm which has access to such an oracle can output with inverse polynomial success probability (intuitively this is because such an oracle consists entirely of pseudorandom functions and hence can provide no information to any p.p.t. algorithm), and thus ’s probability of hitting must be less than poly as well. More formally, let be any p.p.t. learning algorithm. Without loss of generality we may suppose that always makes exactly seed queries during its execution for some polynomial Let be the sequence of strings in on which makes its seed queries, i.e. uses as its -th seed query. Each is a random variable over the probability space defined by the uniform choice of and any internal randomness of algorithm .

e



e

6

6

e

e kœÞJß ° çdé ’
Ú  s H  z

æ

j

e

ç ˆ'ç)è ˜™š e kœÞJß °

e

/[852

æR/[852 /€ Uçdé;UÉ é ®Ê é 2 e

ê

   

 s H 
’z Ú

 ë s H R   zpV     ls H  ë N /  È '  5 4 U  J É œ  # Ê 2  ® /  È U  @ 4 U  J É ®  Ê 2 È l  s H   s H È   ì  ë s H 8 ì eºkœí ÞJß °  ë  s H  s H

×ê!×æR/[852 ç=ë ;é  e:kœí ÞJß ° ê çdé ç=ë é  s H 
’z Ú e ¬ ¬ Lemma 5. 1æR/c852 B 9 EGF kœÞ3ß ° Ià5u á ì kœí ÞJß ° outputs 6#­5fîE%F kœÞJß ° Ià5u á e kœÞJß ° hits 6­œ Lemma 6. ©© E%F Ià5u á ¬ ìÌkœí ÞJß ° outputs 6­‰– B C ©© ± ² ˜™š for all polynomials ¨ and all œ k J Þ ß ° © © sufficiently large 8+

For each let be a modified version of which answers 0 to all seed queries, i.e. is if and is if Consider the following algorithm which takes access to an oracle for and outputs an -bit string. executes algorithm (note that the oracle used is rather than ), then chooses a uniform random value and outputs the string on which made its -th seed query. Like the s, each is a random variable over the probability space defined by a uniform choice of and any internal randomness of . The following two lemmas together imply Lemma 3:

Proof of Lemma 5. We have that

è ï ˜™š ¬  EGF ç é 6 å ç=ñ   6 é[ð

èï ˜™š ¬  EGF ç é 6ó>-ç=ñ   6 for ò ± ꜭœ é[ð Since the left side of this inequality is exactly EGF Ià uá ¬ e kœÞ3ß ° hits 6#­® for some value œ k J Þ ß °

º×%ç ñ7  6 for ò ± êXrˆ­föE%F ¬ e kœÞJß ° hits 6­cjlæR/c8523 Since the distribution of responses to function queries which e makes prior to its first seed query is the same regardless of whether the oracle is  s H or  ë s H  it is clear that the random variables ç and ç ë are identically distributed. An inductive argument  shows that for  all êfh  the conditional random variables çdé¤>/[ç ñ  6 for ò ± êU2 ë é¦>/ ç ë ñ  6 for ò êU2 are identically distributed (in each case the conditioning and çd ± ensures that the distribution of responses to seed queries which e makes prior to its ê -th seed query is the same, i.e. all 0). ¬  We consider two possible cases. If EGF kœÞJß ° Ià@u á ç ë ñ  6 for ò ± ê r ­5÷g lj1 then EGIF à@u á ¬ ì kœí ÞJß ° outputs 6#­5f‹EGF ¬ ì kœí ÞJß ° chooses êXr­‰9EGF ¬ ç ë é[ô  6 å ç)ë ñ   6 for ò ± êXrˆ­ kœÞJß °  EGF ¬ çdë é[ô  67> ç ë ñ   6 for ò ± êXrˆ­ 9 EGF ¬ ç ë ñ   6 for ò ± êXrˆ­ æR/c852 ¬   ë ë é ô > ç ñ  6 for ò ± ê r ­cj1æR/c852 ÷‹EGEGFF ¬ çç é ô  67   6 for ò ê r ­cj1æR/c852 7 6  > ç ñ ± f‹EGF ¬ e kœÞJß ° hits 6#­cj1æR/[852 B  by (2) ¬  ê r ­¦× j1R then n é[é[ôð ” r E%F ¬ çdë é  6#­¦fõ j1 Otherwise if EGF Þ3ß Ià u á ç ë ñ  6 for ò k ° ¬ ± and hence EGF kœÞ3ß ° Ià uá ì kí ÞJß ° outputs 6#­ is at least ¬ é ï ôˆ” ¬ 6#­  E%F ì kœí ÞJß ° chooses ꜭb9EGF ¬ ç ë é  6­@f 1æR /c852 f E%F e 1k æRÞJ/cß °852hits ØÙ B é[ð for

ò ± ꜭ5×

où  Proof of Lemma 6. For v‰;ø)    let Y GE F œk ÞJß ° Ià@u á ¬ ì kœí Þ3ß ° outputs v}>6  øl­® For Z"¡ ˆ'8? let ø >ã> Z denote ø with the Z -th bit flipped. Similarly, for D`ú# ˆ'8? let ø‰>™> D denote ø with bits flipped in all positions corresponding to D? o ù Fix v‰;øÌ}   and Zº( ˆ'8? and consider the following algorithm û s s S ù an oracle Š¡b    ü    and outputs which takes accesso to o ù a single bit: For all É  Z algorithm û s s S first chooses a random 8 -bit string L Å'û s s S then runs algorithm ì , simulating the oracle for ì as follows: ù – queries /c U4@€Z®Ê 2 are answered with the bit Š?/[42 Ô  Ó – for É  Z queries /N '45UÉJœÊ#2 are answered with the bit _ H Ó /[42®Ô – all queries /€ '45'É;œÊ 2 are answered with the bit  o ù Finally algorithm û s s outputs if ì ’s output isoù v and outputs otherwise. ù‚ S ¬ o  ;t ° où It  is easy to verify¬ that ù … for ‚ all v‰;ø€Z we have Y EGF H;I#qUrs C û7ýs þ s S outputs ­ and o T ;t Y ¥ÿ¥ S EGF HJI#q€rs C û7ý s ° s S þ outputs ˆ­œoù Fromoù the definition of pseudorandomness and > ±  ² ˜™š  Making > D¤où >R×î8 où applications the triangle inequality it follows that > Y –"Y S ÿ ¥ ¥ ² où  of this inequality andoù usingo the triangle inequality, we find that > Y –)Y K > ± o ÿ ¥ ¥ n o ˜™ š ;t ² Y We thus have that > Y –(Y > for all v Jø‹Ë     Since # I € q  r s o ± ˜™š C

 we have that ©© o E%F kœÞJß °où Ià u á ¬ ì kœí ÞJß ° outputs 6­b– B C ©©  ©© B C no I#qUrs 't C Y o
– B C ©©  © © © ©© npo I#qUrs ;t /»Y © o –Y 2 ©© ²  ØÙ BC © C © ± ˜™š e

6

Proof of Lemma 4. The idea here is that conditioning on the event that misses ensures that the only information which has about and comes from querying oracles for the pseudorandom functions Since these pseudorandom functions are indistinguishable from truly random functions, no p.p.t. algorithm can learn successfully. Formally, let be any p.p.t. learning algorithm. Consider the following algorithm which takes access to an oracle and outputs a representation of a function Algorithm first chooses  uniformly from and chooses strings each uniformly from then runs algorithm (observe that can simulate the oracle since it has access to an oracle for and knows for ) which generates some hypothesis Finally outputs the function defined by

e _ JH ÓÓ 

6

L

e _ H CC     “    Qy„          ì 6  6 €6  ”     ” 8¡–g L ;L  ”     ?ì e:kí ÞJ߁ ° ì  ë s H _ H CC 6 Å JL Å É   8 _ž ì Q(?  =Œ    Q/c4b2 ¼½œ¾ _@/c '45'8+ 2'_5/N '45U8+J12'_@/c U4@U8+U852ˆ ì

The following two lemmas together imply Lemma 4:

8 E%F  IUqUrs 't s H C I'qUrs ;t C ¬ ì ý Þ° CC outputs Qâ]_ H CC ­+÷ ¬ C 6#­cj1R EGF œk Þ3ß ° Ià5uá e k JÞ ß ° _7⠁s H > e k ÞJß ° misses ¬ Þ  ² for all polynomials Lemma 8. EGF  I#q€rs ;t s H I#q€rs ;t ì ý ° CC outputs Q}â _ H C ­ ± C C C ˜™š C ¨ and all sufficiently large 8+ Proof of Lemma 7. It is easy to see that if e k í Þ3ß ° outputs a hypothesis which is equivalent  to  s H  then Q will be equivalent to _ H C  For sufficiently large 8 we thus have that C

Lemma 7. For all sufficiently large , outputs

EGF  'I qUrs ;t s H C IUqUrs 't C ¬ ì ý Þ° CC outputs Q\âg_ H CC ­ is at least C E%IF à u á ¬ e kœí ÞJß ° outputs _7âp s H ­5f‹EGF ¬ e kœí Þ3ß ° outputs _7âp s H å kœÞJß °  EGF ¬ e kœí Þ3ß ° outputs _7âp s H -> e EGF ¬¬ e kœí Þ3ß ° misses 6#­ ÷‹EGF e kœí Þ3ß ° outputs _7âp s H -> e

e œkí ÞJß ° misses 6#­ kœí ÞJß ° misses 6­‰9 kœí ÞJß °

misses

6­cj1

where the last inequality follows from Lemma 3. (  respectively) denote a complete transcript Let   of algorithm ’s execution on oracle ( respectively).   and   are each random variables over the probability space defined by a uniform choice of and any internal randomness of algorithm . An easy induction shows that the two conditional random variables   misses and   misses are identically distributed. This implies that outputs misses outputs misses which combined with the inequality above proves the lemma.

’e =D¸/ce kœÞJß ° 2 ’e =D¸/Ne:kœí ÞJß ° 2 e  s H  ë s H ’e =D¸/Ne kœÞJß ° 2 ’e =D¸/Ne:kœí ÞJß ° 2  s H 
’z Ú e ’e =D¸/Ne kí ÞJß ° 2„> /ce kí ÞJß ° 6R2 ’e )¬ D¸/ce k ÞJß ° 2>?/Ne k ÞJß ° 6 2 EGF kœÞ3ß ° Ià5uá e:kí ÞJß ° _hâ  s H > e:kí JÞ ß ° #6 ­  %E F œk ÞJß ° Ià5u á ¬ e k ÞJß ° _|â  s H > e kœÞJß ° 6#­® ØÙ _ r 

Proof of Lemma 8. The following fact, which follows easily from the pseudorandomness of and states that is a pseudorandom function family:

 _ H  I#qUrs 't s H;I#qUrs 't C Fact 1 For all polynomials ¨\ p.p.t. oracle algorithms e: and sufficiently large 8+ we ¬ ¬ ª outputs ­ © ²  have ©© EGF I#qUrs 't s H;I#qUrs 't e ý ° outputs ­ –¡E%F ª I« e ©© ± ˜™š C © C Intuitively the pseudorandomness of 

_ H  should make it hard for ì ý Þ° CC to output _ H CC since clearly no p.p.t. algorithm, given oracle access to a truly random function ‡ could output a function equivalent to ‡ Formally, we consider an algorithm û which takes oracle access to a function Š(         and outputs a single bit. û runs ì¯ to obtain a function Q and then selects a string v)ä    which was not used as an oracle query in the computation of 쯉û calls the oracle to obtain Š?/cv 23 evaluates Q to obtain Q¹/cv 23 and ¬ ouputs 1 if the two¬ values are equal and 0 otherwise. ¬ ª outputs ­  Clearly EGF û7¯ outputs ˆ­@fîEGF ì¯ outputs Q\⊉­œ Since EGF'ª I« û

j1   using Fact 1 we find that ©© EGF  I#q€rs ;t s H C I#q€rs ;t C ¬ û ý Þ° CC outputs C ˆ­‰– B ©© ± B ² ˜ãš C © ¬© Þ C  ²  ØÙ and hence EGF  I#qUrs 't s H I#qUrs 't ì ý ° C C outputs Qâg_ H C ­ ± C C C ˜™š C l_ 

6 Breaking Classical Cryptography in a Quantum Setting Our constructions highlight some interesting issues concerning the relation between quantum oracle computation and classical cryptography. It is clear that a quantum algorithm, given access to a quantum black-box oracle for an unknown function, can efficiently distinguish between truly random functions and pseudorandom functions of Theorem 3. Our construction of thus shows that drawn from the family cryptographic constructions which are provably secure in the classical model can fail in a quantum setting. We emphasize that this failure does not depend on the ability of polynomial-time quantum algorithms to invert particular one-way functions such as

QH

QH

factoring; even if no quantum algorithm can efficiently invert the one-way function used to construct our results show that a polynomial-time quantum algorithm can be a successful distinguisher. It would be interesting to obtain stronger constructions of pseudorandom functions which are provably secure in the quantum oracle framework.

QH

Acknowledgements. We thank S. Gortler and A. Klivans for stimulating discussions.

References 1. D. Angluin. Queries and concept learning. Machine Learning 2 (1988), 319-342. 2. D. Angluin and M. Kharitonov. When won’t membership queries help? J. Comp. Syst. Sci. 50 (1995), 336-355. 3. R. Beals, H. Buhrman, R. Cleve, M. Mosca and R. de Wolf. Quantum lower bounds by polynomials, in “Proc. 39th Symp. on Found. of Comp. Sci.,” (1998), 352-361. 4. C. Bennett, E. Bernstein, G. Brassard and U. Vazirani. Strengths and weaknesses of quantum computing, SIAM J. Comp. 26(5) (1997), 1510-1523. 5. E. Bernstein & U. Vazirani. Quantum complexity theory, SICOMP 26(5) (1997), 1411-1473. 6. M. Boyer, G. Brassard, P. Høyer, A. Tapp. Tight bounds on quantum searching, Forschritte der Physik 46(4-5) (1998), 493-505. 7. G. Brassard, P. Høyer and A. Tapp. Quantum counting, in “Proc. 25th Int. Conf. on Automata, Languages and Programming” (1998), 820-831. 8. G. Brassard and P. Høyer. An exact quantum polynomial-time algorithm for Simon’s problem, in “Proc. Fifth Israeli Symp. on Theory of Comp. and Systems” (1997), 12-23. 9. N. Bshouty, R. Cleve, R. Gavald`a, S. Kannan and C. Tamon. Oracles and queries that are sufficient for exact learning, J. Comput. Syst. Sci. 52(3) (1996), 421-433. 10. N. Bshouty and J. Jackson. Learning DNF over the uniform distribution using a quantum example oracle, SIAM J. Comp. 28(3) (1999), 1136-1153. 11. H. Buhrman, R. Cleve and A. Wigderson. Quantum vs. classical communication and computation, in “Proc. 30th Symp. on Theory of Comp.” (1998), 63-68. 12. R. Cleve. An introduction to quantum complexity theory, to appear in “Collected Papers on Quantum Computation and Quantum Information Theory,” ed. by C. Macchiavello, G.M. Palma and A. Zeilinger. 13. D. Deutsch and R. Jozsa. Rapid solution of problems by quantum computation, Proc. Royal Society of London A, 439 (1992), 553-558. 14. R. Gavald`a. The complexity of learning with queries, in “Proc. Ninth Structure in Complexity Theory Conference” (1994), 324-337. 15. O. Goldreich, S. Goldwasser and S. Micali. How to construct random functions, J. ACM 33(4) (1986), 792-807. 16. L. K. Grover. A fast quantum mechanical algorithm for database search, in “Proc. 28th Symp. on Theory of Comp.” (1996), 212-219. 17. J. H˚astad, R. Impagliazzo, L. Levin and M. Luby. A pseudorandom generator from any oneway function, SIAM J. Comp. 28(4) (1999), 1364-1396. 18. T. Heged˝us. Generalized teaching dimensions and the query complexity of learning, in “Proc. Eighth Conf. on Comp. Learning Theory,” (195), 108-117. 19. L. Hellerstein, K. Pillaipakkamnatt, V. Raghavan and D. Wilkins. How many queries are needed to learn? J. ACM 43(5) (1996), 840-862. 20. M. Kearns and L. Valiant. Cryptographic limitations on learning boolean formulae and finite automata, J. ACM 41(1) (1994), 67-95.

21. M. Luby and C. Rackoff. How to construct pseudorandom permutations from pseudrandom functions, SIAM J. Comp. 17(2) (1988), 373-386. 22. J. Patarin. How to construct pseudorandom and super pseudorandom permutations from one single pseudorandom function, in “Adv. in Crypt. – EUROCRYPT ’92” (1992), 256-266. 23. J. Pierpzyk. How to construct pseudorandom permutations from single pseudorandom functions. in “Adv. in Crypt. – EUROCRYPT ’90” (1990), 140-150. 24. J. Pierpzyk and B. Sadeghiyan. A construction for super pseudorandom permutations from a single pseudorandom function. in “Adv. in Crypt. – EUROCRYPT ’92” (1992), 267-284. 25. J. Preskill. Lecture notes on quantum computation (1998). Available at http://www.theory.caltech.edu/people/preskill/ph229/ 26. R. Servedio and S. Gortler. Quantum versus classical learnability, to appear in “Proc. 16th Conf. on Comput. Complex.” (2001). 27. P. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Comp. 26(5) (1997), 1484-1509. 28. D. Simon. On the power of quantum computation, SIAM J. Comp. 26(5) (1997), 1474-1483. 29. A. Yao. Theory and applications of trapdoor functions, in “Proc. 23rd FOCS” (1982), 80-91. 30. A. Yao. Quantum circuit complexity, in “Proc. 34th FOCS” (1993), 352-361. 31. C. Zalka. Grover’s quantum searching algorithm is optimal. Physical Review A 60 (1999), 2746–2751.

A

Proof of Theorem 3

:        B; ¨  o \ :e 

­ –¡E%F I#qUrs ;t W C ¬ e./Nv#2

ˆ­J©R© ± 8

We say that a polynomial-time deterministic algorithm  is a pseudorandom generator if for all polynomials all p.p.t. algorithms and all sufficiently large outputs outputs  Thus a pseudorandom generator is an efficient algorithm which converts an bit random string into a -bit string which “looks random” to any polynomial-time algorithm. H˚astad et al. [17] have shown that pseudorandom generators exist if any one-way function exists. For  a pseudorandom generator and we write  to denote the first bits of  and  to denote the last bits of  . For let

²

˜™š 

o 8+©© E%F #I qUrs ;t C ¬ e/ Ì/cv 2U2 18

L(    ’r /NL2 8 Ì ® /  L 2 ~ ~ ~ 45;L~ `     be defined as ŠH/[4b2 ¼½œ¾  / … T /U999/ W / T /NL2U2'2999 2'23 C family. C In [15] it is shown that ŠH is a pseudorandom function We now show that the  family QHÚ  defined by QH/[4b2 ¼½œ¾ ŠH/[4b2;*ºŠH/c4*’L2 is pseudorandom. Let A be the following probability distribution over functions from     to     : a function Ú is drawn from A  Ú by drawing Ú a random function fromÚ A    drawing a random string Lº)     and letting be the function defined as /[42

Ì/[4b2;* Ì/[4¹*’L23 Theorem 3 follows from the following two lemmas: Lemma 9. For all polynomials ¨\ all p.p.t. oracle algorithms MP and all sufficiently ¬ ª outputs ˆ­‰–¡E%F ª ácI«+á ¬ M ª á outputs ­ © ²  large 8 , ©© EGF ª I« M ©© ± ˜ãš © C C Ú Proof. Consider an execution of M with an oracle  A  Ú defined by Ú /c4b2  

Ì/[4b2;* Ì/[4¹*’L23 Let D 4 ˆ'4 éJ     Ô be the set of strings which M uses Ú as queries to  We say that M finds L if 4‰Å 4 *’L for some 4bÅU'4 Ô ( Ú D? If M does not find L then the distribution of answers which M receives from is identical to 8 Ì/®L2 ŠH5        

/®L 2

M

ó0A  8

the distribution which would receive if it were querying a random function , since in both cases each distinct query is answered with a uniformly distributed -bit string. Thus the left side of the inequality above is at most finds A simple inductive argument given in the proof of Theorem 3.3 of [28] shows that this probability    is at most  . Since is polynomial-time, is at most and the lemma follows. poly

E%F ¬ M

L­œ

n é / j/N1  –)/ ¸–012ˆ/ ¸–= 2'j12U2 M ê ð /c852 ØÙ Lemma 10. For all polynomials ¨Ì all p.p.t. oracle algorithms e. and all sufficiently ¬ ª á outputs ˆ­‰–¡E%F H;I#qUrs 't ¬ MPO;° outputs ­ © ²  large 8 , ©© EGF;ª á[I«+á M ©© ± 㘠š C © C Proof. We require the following fact which is due to Yao [29]:

æR/[852 ¨/[852 æR/[852 > Y  –Y  > ± ² ˜ãš     B;

Fact 2 Let  be a pseudorandom generator, let and be polynomials, and let  be a p.p.t. algorithm which takes as input strings each of length bits. Then for all sufficiently large we have  where  is the probability  that  outputs 1 on input random strings in and  is the probability that  outputs 1 on input strings each of which is obtained by applying  to a random string from

M

M

M

    

8 Ræ /c852 æR/[852

Y Y

18

We prove Lemma 10 by contradiction; so suppose that there exists a p.p.t. oracle algorithm and a polynomial such that for infinitely many values of

M

¨

8+ ©© E%F ¬ M ª á outputs ­ – EGF ¬ M OJ° outputs ˆ­ ©© f  (3) JH I#q€rs ;t C ©© ª á[I«+á ©© ¨Ì/[852 C We will show that there is a p.p.t. algorithm M  which contradicts Fact 2. As in the proof in [15] that lŠ H  is a pseudorandom function family, use a so  we     ˆ  U  8 ), each called “hybrid” argument. Consider the following algorithms e (É Å of which defines a mapping from     to     and hence could conceivably be used as an oracle to answer M ’s queries. Conceptually, each algorithm e contains a Å full binary tree of depth 8 in which the root (at depth 0) is labeled with a random 8 -bit string L  if ÉG÷‹ then each node at depth É is also labeled with an independently chosen random 8 -bit string. Each node at depth Ê`÷ËÉ also has an 8 -bit label determined as follows: if node  has label v then the left child of  has label ’r#/cv 2 and the right child of  has label  /cv 23 Each node in the tree has an address which is a binary string: the root’s address is the empty string, and if a node has address $^P    then its left child has address $„ and its right child has address $¦ (so each leaf has a different 8 -bit string as its address). Let ³/[42 denote the label of the node whose address is 45 * ³/[4¹*’L23 Algorithm e answers a query 4µ¡    with the 8 -bit string ³/c4b2;! Å (Note that algorithm e need not precompute any leaf labels. Instead, e can run Å Å in poly /[852 time at each invocation by randomly choosing L once and for all the first time it is invoked and labeling the necessary portion of the tree “on the fly” at each invocation by choosing random strings for the depth- É nodes as required and computing descendents’ labels as described above. e must store the random strings which it uses Å to label depthÉ nodes so as to maintain consistency over successive invocations.) ¬  Ó For É  3U8 let YbÅ EGF # M " outputs ­® i.e. the probability that outputs ¬ MPO M ° outputs 't 1 if its oracle queries are answered by algorithm e  Let Y O % E F

ˆ­ ; H # I U q  r s Å  C

Y ª á  %E F ª [á I«?á ¬ M ª á

­® Y r  Y O e³r C Q  H L 8 Ú }A Ú  Y   Y ª á e  > Y r  – Y  > fl j¨Ì/c852 8+  M æR/[852 M 8 M æR/[852         M 1æR/[852 1l8+M