Michele Mosca Canada Research Chair in Quantum Computation 28 October 2004 Quantum Computation and the Future 13th CACR Information Security Workshop & 5th Annual Privacy and Security Workshop

Perimeter Institute is a community of theoretical physicists dedicated to investigating fundamental issues in theoretical physics.

Our Research

Outline Implementing quantum information processing. What is quantum information processing? How does quantum mechanics affect computational assumptions? How else does quantum mechanics affect information security?

Physics and Computation Information is stored in a physical medium, and manipulated by physical processes. The laws of physics dictate the capabilities of any information processing device. Designs of “classical” computers are implicitly based in the classical framework for physics Classical physics is known to be wrong or incomplete… and has been replaced by a more powerful framework: quantum mechanics.

Computer technology is making devices smaller and smaller… …reaching a point where classical physics is no longer a suitable model for the laws of physics.

The design of devices on such a small scale will require engineers to control quantum mechanical effects. Allowing computers to take advantage of quantum mechanical behaviour allows us to do more than cram increasingly many microscopic components onto a silicon chip… … it gives us a whole new framework in which information can be processed in fundamentally new ways.

…consider a setup involving a photon source, a half-silvered mirror (beamsplitter), and a pair of photon detectors. photon source beamsplitter detectors A simple experiment in optics

50% Simplest explanation: beam-splitter acts as a classical coin-flip, randomly sending each photon one way or the other. Now consider what happens when we fire a single photon into the device…

… consider a modification of the experiment… 100% The simplest explanation is wrong! The simplest explanation for the modified setup would still predict a distribution… full mirror The “weirdness” of quantum mechanics…

… consider a modification of the experiment… The simplest explanation for the modified setup would still predict a distribution… full mirror Explanation of experiment 100%

Quantum mechanics and information Any physical medium capable of representing 0 and 1 is in principle capable of storing any linear combination What does really mean?? It’s a “mystery”. THE mystery. We don’t understand it, but we can tell you how it works. (Feynman)

Quantum mechanics and information How does this affect communication complexity? How does this affect information security? How does this affect computational complexity? Any physical medium capable of representing 0 and 1 is in principle capable of storing any linear combination

How does quantum mechanics affect computation?

A small ‘classical’ computer NOT

A small ‘classical’ computer (negligible coupling to the environment)

A small ‘classical’ computer

Is this system reliable? l We do have a theory of classical linear error correction. l But before we worry about stabilizing this system, let’s push forward its capabilities.

A ‘quantum’ gate  NOT

A quantum circuit provides an visual representation of a quantum algorithm. time quantum gates initial state measurement

Quantum parallelism (cannot be feasibly simulated on a classical computer)

Applications Simulating quantum mechanical systems Factoring and Discrete Logs Hidden subgroup problems Amplitude amplification and more…

Quantum Algorithms a,b  G, a k = b, find k Integer Factorization (basis of RSA cryptography): Discrete logarithms (basis of DH crypto, including ECC): Given N=pq, find p and q.

Computational Complexity Comparison ClassicalQuantum Factoring Elliptic Curve Discrete Logarithms (in terms of number of group multiplications, for n-bit inputs)

The following cryptosystems are insecure against such quantum attacks: Which cryptosystems are threatened by Quantum Computers?? RSA (factoring) Rabin-Williams (factoring) ElGamal (discrete log… including ECC – see Proos and Zalka) Goldwasser-Micali (factoring) Buchmann-Williams (principal ideal distance problem) And others… (see MMath thesis, Michael Brown, IQC) Information security protocols must be studied in the context of quantum information processing.

Amplitude Amplification Find x satisfying f(x)=1. Suppose algorithm A succeeds with probability p. With classical methods, we expect to repeat A a total of time before finding a solution, since each application of A “boosts” the probability of finding a solution by roughly Consider any function f : X  {0,1}.

Amplitude Amplification A quantum mechanical implementation of A succeeds with probability amplitude. With quantum methods, each application of A “boosts” the probability amplitude of finding a solution by roughly i.e. we get a square-root speedup!

Application of Amplitude Amplification: Searching a key space f (x)=1 if and only if x is the correct n-bit cryptographic key Find an x satisfying f(x)=1. Suppose algorithm A succeeds with probability p=1/2 n. We can iterate A and f times to find such an x. i.e. we need to roughly double our key lengths

Open problems include: More non-Abelian HSP, including Graph Automorphism Graph Isomorphism Short vectors in a lattice McEliece cryptosystem (NTRU recently cracked) NP-complete problems Several physics simulation problems Many more…

How does quantum mechanics affect information security?

“No-cloning” theorem There is no procedure that will copy or “clone” an arbitrary quantum state, i.e. Such an operation is not linear, and is not permitted by quantum mechanics.

Eavesdropper detection Any attempts to produce pseudo-clones will be detected with significant probability. In general, any scheme to extract information about the state of a quantum system, will disturb the system in a way that can be detected with some probability. This idea motived Wiesner to invent quantum money around His work was ignored by the scientific community for a decade, until Bennett and Brassard built on these ideas to create quantum key distribution.

Quantum Key Distribution (general idea) quantum bits Alice and Bob measure their qubits Authenticated public channel

Quantum Key Distribution (general idea) Authenticated public channel Alice and Bob publicly discuss the information they measured to assess how much information Eve could have obtained. If Eve’s information is very likely to be below a certain constant threshold, they can communicate further and distill out a very private shared key (“privacy amplification”). Otherwise they abandon the key.

Wireless Sensor Networks Injectable Tissue Engineering Nano Solar Cells Mechatronics Grid Computing Molecular Imaging Nanoimprint Lithography Software Assurance Glycomics Quantum Cryptography

Objections to the plausibility of large scale quantum computation?? “Change is bad”

Objections to the plausibility of quantum computation?? A=“Quantum Computers are realistic and are superpolynomially faster than any classical computer for some classical computation problem” is unpleasant B=“classical Strong Church-Turing thesis is false”

Implementations?

Quantum Information is Fragile low energy isolation from environment control of operations superpositions are very fragile eV CLASSICAL |0  |1  eV QUANTUM

Quantum Error Correction … allows quantum computation in the presence of noise. A quantum computation of any length can be made as accurate as desired, so long as the noise is below some threshold, e.g. P < Significance: imperfections and imprecision are not fundamental obstacles to building quantum computers gives a criterion for scalability  guide for experimentalists  benchmark for comparing technologies

Proposed Devices for Quantum Computing Atom traps Cavity QED Electron floating on helium Electron trapped by surface acoustic waves Ion traps Nuclear magnetic resonance (NMR) Quantum optics Quantum dots Solid state Spintronics Superconducting Josephson junctions Etc…

When will these technologies be implemented? Quantum random number generators: now. Quantum key distribution: <10 years; some prototypes already available Large scale quantum computers: medium -long term Small scale quantum computers (e.g. needed for long distance quantum communication): medium term

Conclusions l Quantum mechanics forces us to redefine the notions of information, information processing, and computational complexity. l Large scale quantum information processing seems possible, though technologically very challenging to realize; this is a major focus for experimental physics today

Implications for Quantum Information Security We must continually reassess the security of our existing information security infrastructure in light of the capabilities of quantum computers. We can exploit the eavesdropper detection that is intrinsic to quantum systems in order to derive new “unconditionally secure” information security protocols. The security depends only on the laws of physics, and not on computational assumptions. Challenge: Incorporating quantum cryptographic protocols and the prospect of quantum computing into the information security infrastructure.