On Cryptography and Distribution Verification, with Applications to Quantum Advantage

Bruno Cavalar, Eli Goldin, Matthew Gray, Taiga Hiroka, Tomoyuki Morimae

TL;DR

This work develops a formal framework for verifying distributions produced by probabilistic and quantum samplers, focusing on the identity testing problem under the promise of efficient samplability. It introduces selective- and adaptive-verifiability and proves that classical efficiently-samplable distributions are verifiable by a PPT verifier with access to an NP oracle, while quantumly-samplable distributions are verifiable by a PPT verifier with a PP oracle; in the quantum setting these results yield polynomial-sample verification of quantum advantage. The paper also establishes cryptographic trade-offs: the non-existence of OWFs implies verifiability, whereas cryptographic primitives like OWFs or QEFID pairs imply limits on verifiability, including unconditional impossibility results for high-entropy distributions. Additionally, it connects verification to strong quantum advantage samplers and one-way puzzles, showing that under plausible cryptographic assumptions, verification can be achieved by quantum or classical verifiers under different regimes, and it identifies open problems around high-entropy quantum samplers and verifiability boundaries. Overall, the results illuminate the landscape of when and how sampling-based quantum advantage can be efficiently verified, with implications for quantum supremacy demonstrations and cryptographic protocol design.

Abstract

One of the most fundamental problems in the field of hypothesis testing is the identity testing problem: whether samples from some unknown distribution $\mathcal{G}$ are actually from some explicit distribution $\mathcal{D}$. It is known that when the distribution $\mathcal{D}$ has support $[N]$, the optimal sample complexity for the identity testing problem is roughly $O(\sqrt{N})$. However, many distributions of interest, including those which can be sampled efficiently, have exponential support size, and therefore the optimal identity tester also requires exponential samples. In this paper, we bypass this lower bound by considering restricted settings. The above $O(\sqrt{N})$ sample complexity identity tester is constructed so that it is not fooled by any (even inefficiently-sampled) distributions. However, in most applications, the distributions under consideration are efficiently samplable, and therefore it is enough to consider only identity testers that are not fooled by efficiently-sampled distributions. In this setting we can hope to construct efficient identity testers. We investigate relations between efficient verification of classical/quantum distributions with classical/quantum cryptography, showing the following results: (1). Classically efficiently samplable distributions are verifiable if and only if one-way functions do not exist. (2). Quantumly efficiently samplable distributions are verifiable by $\mathbf{P}^\mathbf{PP}$ with a polynomial number of samples. (3). Sampling-based quantum advantage can be verified quantumly (with a polynomial number of samples) if one-way puzzles do not exist. (4). If QEFID pairs exist, then some quantumly efficiently samplable distributions are not verifiable.

Paper Structure

This paper contains 63 sections, 36 theorems, 198 equations.

Key Result

Theorem 1.1

Every PPT-samplable distribution is adaptively-verifiable with polynomially-many samples and with a classical probabilistic polynomial-time algorithm querying an $\mathbf{NP}$ oracle. We will not include a direct proof of this statement, since it follows directly from thm:ver_OWFs. A direct argument

Theorems & Definitions (85)

  • Theorem 1.1
  • Theorem 1.2
  • Theorem 1.3
  • Theorem 1.4
  • Corollary 1.5
  • Corollary 1.6
  • Theorem 1.7
  • Theorem 1.8
  • Theorem 1.9
  • Definition 2.1: Infinitely-Often One-Way Functions (OWFs)
  • ...and 75 more