Michele Mosca Canada Research Chair in Quantum Computation


Page 1: Michele Mosca Canada Research Chair in Quantum Computation

Michele Mosca

Canada Research Chair in Quantum Computation

15 April 2003

Potentially Disruptive Technologies

Quantum Computation and Cryptography

Page 2: Michele Mosca Canada Research Chair in Quantum Computation

www.iqc.ca

Page 3: Michele Mosca Canada Research Chair in Quantum Computation

Perimeter Institute is a community of theoretical physicists dedicated to investigating fundamental issues in theoretical physics.

www.perimeterinstitute.ca

Page 4: Michele Mosca Canada Research Chair in Quantum Computation

Outline

What is quantum information processing?

What does quantum mechanics make possible?

What does quantum mechanics make impossible?

When will quantum information processing be realized?

Page 5: Michele Mosca Canada Research Chair in Quantum Computation
Page 6: Michele Mosca Canada Research Chair in Quantum Computation

Computer technology is making devices smaller and smaller…

…reaching a point where classical physics is no longer a suitable model for the laws of physics.

Page 7: Michele Mosca Canada Research Chair in Quantum Computation

Physics and Computation

• Information is stored in a physical medium, and manipulated by physical processes.

• The laws of physics dictate the capabilities of any information processing device.

• Designs of “classical” computers are implicitly based in the classical framework for physics.

• Classical physics is known to be wrong or incomplete… and has been replaced by a more powerful framework: quantum mechanics.

Page 8: Michele Mosca Canada Research Chair in Quantum Computation

The design of devices on such a small scale will require engineers to control quantum mechanical effects.

Allowing computers to take advantage of quantum mechanical behaviour allows us to do more than cram increasingly many microscopic components onto a silicon chip…

… it gives us a whole new framework in which information can be processed in fundamentally new ways.

The nineteenth century was known as the machine age, the twentieth century will go down in history as the information age. I believe the twenty-first century will be the quantum age. Paul Davies, Professor Natural Philosophy – Australian Centre for Astrobiology

Page 9: Michele Mosca Canada Research Chair in Quantum Computation

A simple experiment in optics

…consider a setup involving a photon source, a half-silvered mirror (beamsplitter), and a pair of photon detectors.

[Figure: photon source, beamsplitter, detectors]

Page 10: Michele Mosca Canada Research Chair in Quantum Computation

Now consider what happens when we fire a single photon into the device…

[Figure: each of the two detectors reads 50%]

Simplest explanation: beam-splitter acts as a classical coin-flip, randomly sending each photon one way or the other.

Page 11: Michele Mosca Canada Research Chair in Quantum Computation

The “weirdness” of quantum mechanics…

… consider a modification of the experiment…

[Figure: the modified setup, with a component labelled “full mirror”; one detector reads 100%]

The simplest explanation for the modified setup would still predict a 50-50 distribution…

The simplest explanation is wrong!

Page 12: Michele Mosca Canada Research Chair in Quantum Computation

Classical probabilities…

Consider a computation tree for a simple two-step (classical) probabilistic algorithm, which makes a coin-flip at each step, and whose output is 0 or 1:

[Figure: two-step computation tree; every branch has probability 1/2 and the leaves are labelled 0, 1, 0, 1]

The probability of the computation following a given path is obtained by multiplying the probabilities along all branches of that path… in the example the probability the computation follows the red path is

$\frac{1}{2} \times \frac{1}{2} = \frac{1}{4}$

The probability of the computation giving the answer 0 is obtained by adding the probabilities of all paths resulting in 0:

$\frac{1}{4} + \frac{1}{4} = \frac{1}{2}$

Page 13: Michele Mosca Canada Research Chair in Quantum Computation

…vs quantum probabilities …

[Figure: two-step computation tree with a probability amplitude on each branch; nodes labelled $|0\rangle$ and $|1\rangle$]

In quantum physics, we have probability amplitudes, which can have complex phase factors associated with them.

The probability amplitude associated with a path in the computation tree is obtained by multiplying the probability amplitudes on that path. In the example, the red path has amplitude 1/2, and the green path has amplitude –1/2.

The probability amplitude for getting the answer $|0\rangle$ is obtained by adding the probability amplitudes… notice that the phase factors can lead to cancellations! The probability of obtaining $|0\rangle$ is obtained by squaring the total probability amplitude. In the example the probability of getting $|0\rangle$ is

$\left| \frac{1}{2} - \frac{1}{2} \right|^2 = 0$

Page 14: Michele Mosca Canada Research Chair in Quantum Computation

Explanation of experiment

… consider a modification of the experiment…

The simplest explanation for the modified setup would still predict a 50-50 distribution…

[Figure: the modified setup, with a component labelled “full mirror” and amplitude labels along the paths; one detector reads 100%]

Page 15: Michele Mosca Canada Research Chair in Quantum Computation

When do we use which probability rules?

• If no path information is revealed, we must use the quantum probability rules.

• If full path information is revealed, we must use the classical probability rules.

• If partial path information is revealed, we must use a combination of the two; i.e. there is a more general set of rules that encapsulates both.
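
An added example, not part of the original slides: the two probability rules applied to the two-beamsplitter experiment by enumerating every path. The real ±1/√2 beamsplitter amplitudes, the starting path and the simple mixture model for partial path information are assumptions, chosen so that the path amplitudes come out as the 1/2 and –1/2 of the example above.

```python
from itertools import product
from math import sqrt

# Assumed beamsplitter amplitudes AMP[(path_in, path_out)]: real +-1/sqrt(2),
# so every two-step path has amplitude +1/2 or -1/2, as in the slide's example.
S = 1 / sqrt(2)
AMP = {(0, 0): S, (0, 1): S, (1, 0): S, (1, 1): -S}


def paths(start, steps=2):
    """Yield (path, amplitude) for every route through `steps` beamsplitters."""
    for tail in product((0, 1), repeat=steps):
        path = (start,) + tail
        amp = 1.0
        for src, dst in zip(path, path[1:]):
            amp *= AMP[(src, dst)]  # multiply the amplitudes along the path
        yield path, amp


def quantum_rule(start):
    """No path information: add amplitudes per detector, then square."""
    total = {0: 0.0, 1: 0.0}
    for path, amp in paths(start):
        total[path[-1]] += amp
    return {det: abs(a) ** 2 for det, a in total.items()}


def classical_rule(start):
    """Full path information: square each path amplitude, then add."""
    total = {0: 0.0, 1: 0.0}
    for path, amp in paths(start):
        total[path[-1]] += abs(amp) ** 2
    return total


def partial_rule(start, reveal):
    """Path revealed with probability `reveal` (assumed mixture model)."""
    q, c = quantum_rule(start), classical_rule(start)
    return {det: reveal * c[det] + (1 - reveal) * q[det] for det in (0, 1)}


if __name__ == "__main__":
    for label, dist in [("quantum", quantum_rule(1)),
                        ("classical", classical_rule(1)),
                        ("half revealed", partial_rule(1, 0.5))]:
        print(f"{label:>13}: P(0)={dist[0]:.2f}  P(1)={dist[1]:.2f}")
```
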

Page 16: Michele Mosca Canada Research Chair in Quantum Computation

Quantum mechanics and information

Any physical medium capable of representing 0 and 1 is in principle capable of storing any linear combination $\alpha_0|0\rangle + \alpha_1|1\rangle$

What does $\alpha_0|0\rangle + \alpha_1|1\rangle$ really mean??

It’s a “mystery”. THE mystery. We don’t understand it, but we can tell you how it works. (Feynman)

The world of the quantum may be bizarre, but it is our world and our future. Gerard Milburn, author of Schrödinger’s Machines.

Page 17: Michele Mosca Canada Research Chair in Quantum Computation

Quantum mechanics and information

How does this affect communication complexity?

How does this affect information security?

Would you believe a quantum proof?

How does this affect computational complexity?

Any physical medium capable of representing 0 and 1 is in principle capable of storing any linear combination $\alpha_0|0\rangle + \alpha_1|1\rangle$

How does quantum information help us better understand physics?

Page 18: Michele Mosca Canada Research Chair in Quantum Computation

How does this affect what is feasibly computable?

Which “infeasible” computational tasks become “feasible”? How does this affect “computationally secure” cryptography? What new computationally secure cryptosystems become possible?

Page 19: Michele Mosca Canada Research Chair in Quantum Computation

Generalization to n qubits

The general state of n qubits is

$\sum_{x \in \{0,1\}^n} \alpha_x |x\rangle$

where the $\alpha_x$ are complex numbers satisfying the normalization constraint

$\sum_{x \in \{0,1\}^n} |\alpha_x|^2 = 1.$

The state is represented by a unit vector in an exponentially large vector (Hilbert) space!

Note, therefore, that it seems exponentially hard to simulate n quantum particles on a classical computer (Feynman).

Page 20: Michele Mosca Canada Research Chair in Quantum Computation

The Classical Computing Model

A “Probabilistic Turing Machine” (PTM) is an abstract model of the modern (classical) computer.

Strong Church-Turing Thesis: A PTM can efficiently simulate any realistic model of computing.

Widespread belief in the Strong Church-Turing thesis has been one of the underpinnings of theoretical computer science.

Page 21: Michele Mosca Canada Research Chair in Quantum Computation

What do we mean by “efficient”?

The complexity of an algorithm measures how much of some resource (e.g. time, space, energy) the algorithm uses as a function of the input size.

e.g. the best known algorithm for factoring an n-bit number uses time in

$O\left(e^{(1.92 + o(1))\, n^{1/3} (\log n)^{2/3}}\right)$

(number field sieve algorithm)

Page 22: Michele Mosca Canada Research Chair in Quantum Computation

Factoring is believed to be hard on a Turing machine (or any equivalent model), but how do we know that there isn’t some novel architecture on which it is easy?

Page 23: Michele Mosca Canada Research Chair in Quantum Computation

The Strong Church Turing thesis tells us that all reasonable models can be efficiently simulated by a PTM, which implies that if it’s hard for a PTM it must be hard for any other reasonable computer.

i.e. we believe computational problems, like factoring, have an intrinsic difficulty, independent of how hard we try to find an efficient algorithm.

Page 24: Michele Mosca Canada Research Chair in Quantum Computation

In the early 1980s, Richard Feynman observed that it seems implausible for a PTM to efficiently simulate quantum mechanical systems…

…quantum computers are quantum mechanical systems…

… so quantum computing is a model which seems to violate the Strong Church-Turing thesis!

Page 25: Michele Mosca Canada Research Chair in Quantum Computation

Are quantum computers realistic?

The answer seems to be YES!

If quantum computers are a reasonable model of computation, and classical devices cannot efficiently simulate them, then the Strong Church-Turing thesis needs to be modified to state:

A quantum computer can efficiently simulate any realistic model of computation.

Page 26: Michele Mosca Canada Research Chair in Quantum Computation

A quantum circuit provides a visual representation of a quantum algorithm.

[Figure: quantum circuit with time running along the horizontal axis: initial state, quantum gates, measurement]

Page 27: Michele Mosca Canada Research Chair in Quantum Computation

Quantum Parallelism

Why are quantum computers capable of solving seemingly very difficult mathematical problems?

Since quantum states can exist in exponential superposition, a computation of a function being performed on quantum states can process an exponential number of possible inputs in a single evaluation of f :

$\sum_{x=0}^{2^n-1} \alpha_x |x\rangle \;\xrightarrow{\;f\;}\; \sum_{x=0}^{2^n-1} \alpha_x |f(x)\rangle$

By exploiting a phenomenon known as quantum interference, some global properties of f can be deduced from the output.

Page 28: Michele Mosca Canada Research Chair in Quantum Computation

Applications

• Efficient simulations of quantum systems

• Phase estimation; improved time-frequency and other measurement standards (e.g. GPS)

• Factoring and Discrete Logarithms

• Hidden subgroup problems

• Amplitude amplification

• and much more…

Page 29: Michele Mosca Canada Research Chair in Quantum Computation

Quantum Algorithms

Integer Factorization (basis of RSA cryptography):

Given $N = pq$, find $p$ and $q$.

Discrete logarithms (basis of DH crypto, including ECC):

$a, b \in G$, $a^k = b$, find $k$

Page 30: Michele Mosca Canada Research Chair in Quantum Computation

Computational Complexity Comparison

| Problem | Classical | Quantum |
|---|---|---|
| Factoring | $e^{O(n^{1/3} \log^{2/3} n)}$ | $O(n) = e^{O(\log n)}$ |
| Elliptic Curve Discrete Logarithms | $e^{O(n)}$ | $O(n) = e^{O(\log n)}$ |

(in terms of number of group multiplications for n-bit inputs)

Page 31: Michele Mosca Canada Research Chair in Quantum Computation

Which cryptosystems are threatened by Quantum Computers??

The following cryptosystems are insecure against such quantum attacks:

• RSA (factoring)
• Rabin (factoring)
• ElGamal (discrete log, including ECC – see Proos and Zalka, http://arxiv.org/abs/quant-ph/0301141)
• Buchmann-Williams (principal ideal distance problem)
• and others… (see MMath thesis, Michael Brown, IQC)

Information security protocols must be studied in the context of quantum information processing.

We need to worry NOW about information that needs to remain private for long periods of time.

It takes a long time to change an infrastructure.

Page 32: Michele Mosca Canada Research Chair in Quantum Computation

What sort of cryptography will quantum computers enable?

• A quantum public key cryptosystem was proposed by a group in Japan [OTU00]; it requires a quantum computer to set up the system, but only requires classical means to encrypt and decrypt

• others??

Can efficient factoring, discrete logarithms, or other efficient quantum tasks be used to produce new computationally secure cryptosystems secure against quantum attacks?

These are techniques that can be employed once large-scale quantum computation is available.

Page 33: Michele Mosca Canada Research Chair in Quantum Computation

Amplitude Amplification

Consider any function $f : X \to \{0,1\}$.

Find x satisfying f(x)=1.

Suppose algorithm A succeeds with probability p.

With classical methods, we expect to repeat A a total of $1/p$ times before finding a solution, since each application of A “boosts” the probability of finding a solution by roughly $p$:

$\underbrace{p + p + \cdots + p}_{1/p\ \text{times}} = 1$

Page 34: Michele Mosca Canada Research Chair in Quantum Computation

Amplitude Amplification (Grover96, BBHT98, BH97, Gro98, BHMT02)

A quantum mechanical implementation of A succeeds with probability amplitude $\sqrt{p}$.

With quantum methods, each application of A “boosts” the probability amplitude of finding a solution by roughly $\sqrt{p}$:

$\underbrace{\sqrt{p} + \sqrt{p} + \cdots + \sqrt{p}}_{1/\sqrt{p}\ \text{times}} = 1$

i.e. we get a square-root speedup!

Page 35: Michele Mosca Canada Research Chair in Quantum Computation

Application of Amplitude Amplification: Searching a key space

f (x)=1 if and only if x is the correct n-bit cryptographic key

Find an x satisfying f(x)=1.

Suppose algorithm A succeeds with probability $p = 1/2^n$.

We can iterate A and f $O(2^{n/2})$ times to find such an x.

i.e. we need to roughly double our key lengths

This algorithm is VERY broadly applicable to any sort of computational search.
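
An added example, not from the original slides: a state-vector simulation of amplitude amplification over a small key space, comparing its oracle calls with the expected number of classical guesses, and showing why doubling the key length restores the margin. The function names, the constructed 10-bit key and the floor(π/4 · 2^(n/2)) iteration count (the usual choice when exactly one key is marked) are assumptions of this example.

```python
from math import floor, log2, pi, sqrt


def quantum_iterations(n_bits):
    """Oracle calls for one marked key among 2**n_bits: floor(pi/4 * 2**(n/2))."""
    return floor(pi / 4 * sqrt(2 ** n_bits))


def classical_expected_guesses(n_bits):
    """Expected guesses when trying keys one by one without repetition."""
    return (2 ** n_bits + 1) / 2


def grover_search(n_bits, key):
    """State-vector simulation; returns (oracle_calls, P[measuring key])."""
    size = 2 ** n_bits
    amp = [1 / sqrt(size)] * size          # A: every key has amplitude sqrt(p)
    calls = quantum_iterations(n_bits)
    for _ in range(calls):
        amp[key] = -amp[key]               # f marks the correct key by a sign flip
        mean = sum(amp) / size
        amp = [2 * mean - a for a in amp]  # reflect all amplitudes about the mean
    return calls, amp[key] ** 2


def search_cost_bits(n_bits):
    """log2 of the quantum oracle calls: effective strength against search."""
    return log2(quantum_iterations(n_bits))


if __name__ == "__main__":
    SECRET = 0x2A5  # constructed 10-bit key for the demonstration
    calls, p = grover_search(10, SECRET)
    print(f"10-bit key: {calls} oracle calls, success probability {p:.4f}")
    print(f"classical expectation: {classical_expected_guesses(10):.1f} guesses")
    for n in (128, 256):
        print(f"{n}-bit key: about 2^{search_cost_bits(n):.1f} quantum iterations")
```
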

Page 36: Michele Mosca Canada Research Chair in Quantum Computation

How else does quantum mechanics affect

information security?

Page 37: Michele Mosca Canada Research Chair in Quantum Computation

No-cloning theorem

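There is no procedure that will copy or “clone” an arbitrary quantum state, i.e.

$|\psi\rangle|0\rangle \mapsto |\psi\rangle|\psi\rangle$

Such an operation is not linear, and is not permitted by quantum mechanics.

We can copy all the elements of an orthogonal set of states, but when we extend this operation linearly, no other states will be correctly cloned. For example, we can map

$|0\rangle|0\rangle \mapsto |0\rangle|0\rangle, \qquad |1\rangle|0\rangle \mapsto |1\rangle|1\rangle$

However

$(|0\rangle + |1\rangle)|0\rangle \mapsto |0\rangle|0\rangle + |1\rangle|1\rangle \neq (|0\rangle + |1\rangle)(|0\rangle + |1\rangle)$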

Page 38: Michele Mosca Canada Research Chair in Quantum Computation

Eavesdropper detection

Any attempts to produce pseudo-clones will be detected with significant probability. In general, any scheme to extract information about the state of a quantum system, will disturb the system in a way that can be detected with some probability.

This idea motivated Wiesner to invent quantum money around 1970. His work was essentially ignored by the scientific community for a decade, until Bennett and Brassard built on these ideas to create quantum key distribution.

Page 39: Michele Mosca Canada Research Chair in Quantum Computation

Quantum Key Establishment (general idea)

quantum bits

Alice and Bob measure their qubits

Alice Bob

Eve

Page 40: Michele Mosca Canada Research Chair in Quantum Computation

Quantum Key Distribution (general idea)

Authenticated public channel

Alice and Bob publicly discuss the information they measured to assess how much information Eve could have obtained. If Eve’s information is very likely to be below a certain constant threshold, they can communicate further and distill out a very private shared key (“privacy amplification”). Otherwise they abandon the key.
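
An added example, not from the original slides: a classical simulation of a Bennett-Brassard (BB84) style exchange in which Eve measures and resends a fraction of the qubits, showing the error rate Alice and Bob find when they compare notes and the resulting keep-or-abandon decision. The intercept-resend model, the 0.11 abort threshold, the seed and all names are assumptions for illustration.

```python
import random


def measure(qubit, basis, rng):
    """Measure a (bit, basis) qubit. The same basis returns the bit; the other
    basis returns a coin flip. The qubit is left as (result, basis)."""
    bit, prepared_in = qubit
    result = bit if prepared_in == basis else rng.randint(0, 1)
    return result, (result, basis)


def run_exchange(n_qubits, eve_fraction, seed=2003, threshold=0.11):
    """Simulate one key establishment; Eve intercepts `eve_fraction` of qubits.
    `threshold` is an assumed illustrative abort level, not from the slides."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n_qubits):
        a_bit, a_basis = rng.randint(0, 1), rng.choice("+x")
        qubit = (a_bit, a_basis)
        if rng.random() < eve_fraction:
            # Eve cannot clone the qubit: she has to measure it and resend.
            _, qubit = measure(qubit, rng.choice("+x"), rng)
        b_basis = rng.choice("+x")
        b_bit, _ = measure(qubit, b_basis, rng)
        if a_basis == b_basis:  # public discussion: keep matching bases only
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    error_rate = errors / len(alice_key)
    # Simplification: the rate is taken over all sifted bits, whereas a real
    # run would sacrifice only a random sample of them.
    return {"sifted": len(alice_key), "error_rate": error_rate,
            "keep_key": error_rate <= threshold}


if __name__ == "__main__":
    for fraction in (0.0, 0.2, 1.0):
        r = run_exchange(4000, fraction)
        verdict = "distill key" if r["keep_key"] else "abandon key"
        print(f"Eve intercepts {fraction:.0%}: error rate "
              f"{r['error_rate']:.3f} over {r['sifted']} bits -> {verdict}")
```

With no eavesdropper the sifted keys agree exactly; a full intercept-resend attack produces an error rate near 25%, well above the abort level.
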

Page 41: Michele Mosca Canada Research Chair in Quantum Computation

Quantum Information Security

• Quantum key establishment (available now/soon)
• Quantum random number generation (available now/soon)
• Quantum money (requires stable quantum memory)
• Quantum digital signatures (requires quantum computer)
• Quantum secret sharing (requires quantum computer)
• Multi-party quantum computations
• and more…

We can exploit the eavesdropper detection that is intrinsic to quantum systems in order to derive new “unconditionally secure” information security protocols. The security depends only on the laws of physics, and not on computational assumptions.

Page 42: Michele Mosca Canada Research Chair in Quantum Computation

Implementations?

Why is it so hard?

How will they be built?

When will we see quantum information processors?

Page 43: Michele Mosca Canada Research Chair in Quantum Computation

Quantum Information is Fragile

• low energy

• isolation from environment

• control of operations

• superpositions are very fragile

[Figure: energy scales. CLASSICAL: 0 and 1, $10^{6}$ eV. QUANTUM: $|0\rangle$ and $|1\rangle$, $10^{-6}$ eV.]

Page 44: Michele Mosca Canada Research Chair in Quantum Computation

Quantum Error Correction

… allows quantum computation in the presence of noise.

A quantum computation of any length can be made as accurate as desired, so long as the noise is below some threshold, e.g. $P < 10^{-4}$.

Significance:

• imperfections and imprecision are not fundamental obstacles to building quantum computers
• gives a criterion for scalability
• guide for experimentalists
• benchmark for comparing technologies

Page 45: Michele Mosca Canada Research Chair in Quantum Computation

Devices for Quantum Computing

• Atom traps
• Cavity QED
• Electron floating on helium
• Electron trapped by surface acoustic waves
• Ion traps
• Nuclear magnetic resonance (NMR)
• Quantum optics
• Quantum dots
• Solid state
• Spintronics
• Superconducting Josephson junctions
• and more…

Page 46: Michele Mosca Canada Research Chair in Quantum Computation

Implementations

Page 47: Michele Mosca Canada Research Chair in Quantum Computation

Who’s Trying?

• Aarhus
• Berkeley
• Caltech
• Cambridge
• College Park
• Delft
• DERA (U.K.)
• École normale supérieure
• Geneva
• HP Labs (Palo Alto and Bristol)
• Hitachi
• IBM Research (Yorktown Heights and Palo Alto)
• Innsbruck
• Los Alamos National Labs
• McMaster
• Max Planck Institute-Munich
• Melbourne
• MIT
• NEC
• New South Wales
• NIST
• NRC
• Orsay
• Oxford
• Paris
• Queensland
• Santa Barbara
• Stanford
• Toronto
• Vienna
• Waterloo
• Yale
• many others…

Page 48: Michele Mosca Canada Research Chair in Quantum Computation

Bottom line

What are the capabilities of quantum information processors?

What will be the impact of these capabilities?

Which technologies will be realized and when?

Page 49: Michele Mosca Canada Research Chair in Quantum Computation

What technologies will be implemented and when?

Quantum random number generators: now.

Quantum key establishment: <10 years; some prototypes already available

Small scale quantum computers (e.g. needed for long distance quantum communication): medium term

Large scale quantum computers: medium-long term

Precise times are hard to predict since we are in the early stages and still trying a very broad range of approaches. Once we focus on technologies that show promise, expect progress to be very fast.

Page 50: Michele Mosca Canada Research Chair in Quantum Computation

• Wireless Sensor Networks
• Injectable Tissue Engineering
• Nano Solar Cells
• Mechatronics
• Grid Computing
• Molecular Imaging
• Nanoimprint Lithography
• Software Assurance
• Glycomics
• Quantum Cryptography

Page 51: Michele Mosca Canada Research Chair in Quantum Computation
Page 52: Michele Mosca Canada Research Chair in Quantum Computation

Page 53: Michele Mosca Canada Research Chair in Quantum Computation

www.quantumworks.net

Goal: to take quantum information from the blackboard to the drawing board

Investments Canada makes today in quantum computing will set the foundation for Canada’s global commercial success in this important new technology over the coming century. Mike Lazaridis, President and co-CEO, RIM.