Introduction to Quantum Algorithms Winter School on Quantum Security, Darmstadt Michele Mosca 25 January 2016
A new paradigm for computation: quantum computation
[Images: Y. Colombe/NIST; © Harald Ritsch; E. Lucero, D. Mariantoni, and M. Mariantoni]
Quantum circuit model
Reversible computation
- Note that irreversible gates are really just reversible gates where we hardwire some inputs and throw away some outputs.
Known as a Toffoli gate or controlled-controlled-NOT gate. It applies a NOT gate to the “target” bit if and only if both “control” bits are 1.
Making reversible circuits
- Replace irreversible gates with their reversible counterparts.
Bottom line: We don’t lose generality by restricting to reversible circuits
Moving towards a quantum computer…
A small reversible computer (negligible coupling to the environment)
- From classical reversible circuits to quantum circuits, we first imagine a single physical system with two discernible levels… an atom with its outer electron in either the ground or first excited state.
Aside: Is this realistic?
- We do have a theory of classical linear error correction. But before we worry about stabilizing this system, let’s push forward its capabilities.
Quantum Mechanics and Information Processing
- Since physics is quantum mechanical, we need to recast the theory of information processing in a quantum mechanical framework. Any physical medium capable of representing 0 and 1 is in principle capable of being in a state described by
A quantum gate
“Quantum Circuit Model”
- This model closely resembles the model of reversible acyclic (deterministic) circuits, except we also have unitary quantum gates that create superpositions of two or more distinguishable states.
Universal quantum computation
Definition A set of gates G is said to be universal if for any integer n>0, any n-qubit unitary operator can be approximated to arbitrary accuracy by a quantum circuit using only gates from G.
Definition A two-qubit gate is said to be entangling if for some input product state, the output of the gate is an entangled state.
[Figure: input state, entangling gate, entangled state]
Theorem: A set composed of any two-qubit entangling gate, together with all one-qubit gates, is universal. … a bit of an overkill, since such a set allows one to achieve any unitary exactly. Also unrealistic, since one needs access to an infinite number of one-qubit gates. Can we achieve universality with a finite set of gates?
Theorem: The set is a universal set of gates. i.e. any n-qubit unitary operator U can be approximated with error, for any, using a finite circuit with gates from G.
N.B.: most quantum algorithms are not designed to be run directly on (noisy) physical qubits
Physical qubits and gates versus logical qubits and gates
[Figure labels: noisy CNOT; fault-tolerant CNOT; logical layer; physical layer]
Quantum compilers
How close are we to implementing scalable fault-tolerant quantum computers?
Ongoing progress towards achieving stage 4. e.g. Nature 519, 66–69 (05 March 2015) doi: /nature14270
MM: [Oxford 1996]: “20 qubits in 20 years”; [NIST April 2015, ISACA September 2015]: “1/7 chance of breaking RSA-2048 by 2026, ½ chance by 2031”
NSA [August 2015]: NSA's Information Assurance Directorate “will initiate a transition to quantum resistant algorithms in the not too distant future.”
IARPA [July 2015]: “BAA Summary – Build a logical qubit from a number of imperfect physical qubits by combining high-fidelity multi-qubit operations with extensible integration.”
How big of a quantum computer do we need to break RSA-2048?
What resources are required to break RSA-2048?
A billion physical qubits and a trillion physical gates? A million qubits and 100 million gates? Something else?
Asymptotic complexity estimates give a very coarse-grained approximation. To answer this question, we need a more fine-grained study of the full tool chain between algorithms and physical qubits.
Examples of technical advances in quantum compilation
- Use number theory methods to bypass the Solovay-Kitaev algorithm and achieve optimal synthesis of one-qubit unitaries (over Clifford and T gates)
- Use matroid partitioning to reduce T-complexity and T-depth
- Use the channel representation of unitaries to find optimal T-depth
How do quantum algorithms work?
Classical randomized algorithm
Several computational paths leading to the same outcome. Add up the probabilities.
Quantum algorithm
If we look at the state of the system at each step, it behaves like a classical randomized algorithm.
The art of quantum algorithmics is to choreograph constructive interference on desirable outcomes and destructive interference on undesirable outcomes.
Some basic tools
The Hadamard basis change
The Hadamard transformation: summary
The Hadamard transformation: circuit notation
The Hadamard transformation on several bits
The Hadamard transformation: global view
Looking at NOT and CNOT in Hadamard bases Consider applying a NOT gate to the following states
e.g. Now consider applying a controlled-NOT gate to the following states
Computing functions into the phase Suppose we know how to compute a function
Generalization: Eigenvalue “kick-back” Suppose we know how to compute an operator Then the “controlled-U” gives us
How do we implement c-U? Replace every gate G in the circuit for U with a c-G. For example,
Deutsch’s problem Compute using only once
Deutsch algorithm
Garbage-free implementations of f(x)
- Does the Deutsch algorithm work if when we implement we actually leave “junk” information in ancilla qubits? No!! We need a “clean” implementation of f(x).
Making reversible circuits (see Fig. 1.6 in KLM text)
- One problem is that there will be junk left in the extra bits.
- Bennett showed how to “uncompute” the junk.
Making reversible circuits
- An irreversible circuit with space S and depth (or “time”) T can thus be simulated by a reversible circuit with space in O(S+T) and time O(T).
- Bennett also showed how to implement a reversible version with time O(T 1+ ) and space O(S log(T)) or time O(T) and space O(ST ).
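The compute, copy, uncompute pattern described above, as an added example that is not part of the original slides. The function f(x) = (x0 AND x1) OR x2, the wire layout and all names are assumptions chosen for illustration; the gates are the NOT, CNOT and Toffoli gates named earlier in the deck.

```python
from itertools import product

# Gate = (target, *controls): flip target iff all controls are 1.
# (t,) is NOT, (t, c) is CNOT, (t, c1, c2) is Toffoli. Each gate is its own inverse.
def apply(gates, bits):
    bits = list(bits)
    for target, *controls in gates:
        if all(bits[c] for c in controls):
            bits[target] ^= 1
    return bits

# Wires 0-2: inputs x0, x1, x2. Wires 3-4: work bits (start at 0). Wire 5: output.
# f(x) = (x0 AND x1) OR x2, built with OR(a, b) = NOT(NOT a AND NOT b).
COMPUTE = [
    (3, 0, 1),     # w3 = x0 AND x1
    (3,), (2,),    # negate w3 and x2 (x2 is temporarily overwritten)
    (4, 3, 2),     # w4 = NOT(x0 AND x1) AND NOT x2
    (4,),          # w4 = f(x)
]
COPY = [(5, 4)]            # CNOT the answer onto the clean output wire
UNCOMPUTE = COMPUTE[::-1]  # the same gates in reverse order undo the computation

def run(x, clean=True):
    gates = COMPUTE + COPY + (UNCOMPUTE if clean else [])
    return apply(gates, list(x) + [0, 0, 0])

def f(x):
    return (x[0] & x[1]) | x[2]

def all_clean():
    """True iff for every input the inputs and work bits are restored and wire 5 = f(x)."""
    return all(run(x) == list(x) + [0, 0, f(x)] for x in product((0, 1), repeat=3))

def junk_patterns():
    """Distinct (x2, w3, w4) leftovers when the uncompute step is skipped."""
    return {tuple(run(x, clean=False)[2:5]) for x in product((0, 1), repeat=3)}
```

Without the uncompute step the leftover bits depend on x, which is exactly the “junk” that the Deutsch algorithm cannot tolerate.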
Deutsch-Jozsa problem Suppose with the promise that f is either constant or “balanced”. Decide if f is constant or balanced. Equivalently, determine
Deutsch-Jozsa problem Probability of measuring is i.e. we measure iff is constant
Bernstein-Vazirani problem Suppose is of the form for some Given determine
Generally
Another property of Hadamard transformation Consider Let Then
Simon’s problem Suppose has the property that iff For some “hidden subgroup” Given find
Simon’s algorithm
Abelian Hidden subgroup problem Suppose has the property that iff for some “hidden subgroup” Given find
Hidden subgroup problem
Applications of Simon’s algorithm??
Denote W(x)=W(a||c)=s
Let Then where
So where (N.B. the “only if” part is critical)
In other words, if W is based on the 3-round Feistel cipher, the derived function f will have the above property, and Simon’s algorithm will randomly sample vectors orthogonal to (1||z). However, if W is based on a random permutation, no such pattern is likely to emerge. Thus, a quantum algorithm can efficiently distinguish a 3-round Feistel cipher with internal permutations from a random permutation.
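A toy-sized simulation of this distinguisher, added here as an example that is not part of the original slides. The construction of f follows the standard one from the literature (an assumption, since the slide's own formulas did not survive), and the sizes, constants and names (N, ALPHA, feistel3, random_perm) are illustrative; the measurement statistics of Simon's circuit are computed exactly by brute force rather than on quantum hardware.

```python
import random

N, M = 4, 5                # N bits per Feistel half; Simon input is b||x, M = N + 1 bits
MASK = (1 << N) - 1
rng = random.Random(2016)  # fixed seed: constructed, reproducible toy keys

def rand_perm(bits):
    p = list(range(1 << bits))
    rng.shuffle(p)
    return p

P1, P2, P3 = rand_perm(N), rand_perm(N), rand_perm(N)  # secret internal permutations
RAND = rand_perm(2 * N)                                # stand-in for a random permutation
ALPHA = (0b0011, 0b0101)                               # two distinct constants (assumed)
Z = P1[ALPHA[0]] ^ P1[ALPHA[1]]                        # hidden value; the period is 1||z

def parity(v):
    return bin(v).count("1") & 1

def feistel3(a, c):
    """3-round Feistel W(a||c) with internal permutations; returns both output halves."""
    t1 = c ^ P1[a]
    t2 = a ^ P2[t1]
    return t2, t1 ^ P3[t2]

def random_perm(a, c):
    out = RAND[(a << N) | c]
    return out >> N, out & MASK

def derived_f(W):
    """f(b||x) = (first output half of W(alpha_b||x)) XOR alpha_b."""
    return lambda v: W(ALPHA[v >> N], v & MASK)[0] ^ ALPHA[v >> N]

def simon_support(f):
    """Outcomes y that Simon's circuit (H, query f, H, measure) returns with p > 0."""
    support = []
    for y in range(1 << M):
        amp = {}  # integer (unnormalised) amplitude of each |y>|f-value> branch
        for x in range(1 << M):
            amp[f(x)] = amp.get(f(x), 0) + (-1) ** parity(x & y)
        if any(amp.values()):
            support.append(y)
    return support

def periods(f):
    """All non-zero s orthogonal (mod 2) to every reachable outcome y."""
    ys = simon_support(f)
    return [s for s in range(1, 1 << M) if not any(parity(s & y) for y in ys)]
```

For the Feistel-derived f, `periods` returns the single value 1||z because P2 is a permutation (the “only if” part); for the random permutation it returns an empty list.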
A nice example of how to use a quantum algorithmic tool to attack a cryptographic primitive. Can you find a way to apply any of the tools you learn about this week to attack some cryptographic primitive?
Is the quantum-safe cybersecurity workforce ready? cryptoworks21.com
Thank you! Feedback welcome: