Quantum computing
What is quantum computation?
• New model of computing based on quantum mechanics.
• Quantum circuits, quantum Turing machines
• More powerful than conventional models.
Quantum algorithms
• Factoring: given N=pq, find p and q.
• Best algorithm $2^{O(n^{1/3})}$, n = number of digits.
• Many cryptosystems based on hardness of factoring.
• $O(n^2)$ time quantum algorithm [Shor, 1994]
• Similar quantum algorithm solves discrete log.
Quantum algorithms
• Find if there exists i for which $x_i = 1$.
• Queries: input i, output $x_i$.
• Classically, n queries.
• Quantum, $O(\sqrt{n})$ queries [Grover, 1996].
• Speeds up exhaustive search.
[Figure: input bits $x_1, x_2, x_3, \ldots, x_n$ with example values 0 1 0 0 ...]
Quantum cryptography
• Key distribution: two parties want to create a secret shared key by using a channel that can be eavesdropped.
• Classically: secure if discrete log hard.
• Quantum: secure if quantum mechanics valid [Bennett, Brassard, 1984].
• No extra assumptions needed.
Quantum communication
• Dense coding: 1 quantum bit can encode 2 classical bits.
• Teleportation: quantum states can be transmitted by sending classical information.
• Quantum protocols that send exponentially fewer bits than classical.
Experiments
• ~10 different ideas for how to implement QC.
• NMR, ion traps, optical, semiconductor, etc.
• 7 quantum bit QC [Knill et al., 2000].
• QKD has been implemented.
Outline
• Today: basic notions, quantum key distribution.
• Tomorrow: quantum algorithms, factoring.
• Friday: current research in quantum cryptography, coin flipping.
Model
• Quantum states
• Unitary transformations
• Measurements
Quantum bit
• 2-dimensional vector of length 1.
• Basis states |0>, |1>.
• Arbitrary state:
|0>+|1>, , complex,
||2+ ||2=1.
[Figure: axes |0> and |1>]
Physical quantum bits
• Nuclear spin = orientation of atom’s nucleus in magnetic field. = |0>, = |1>.
• Photons in a cavity.
• No photon = |0>, one photon = |1>
Physical quantum bits (2)
• Energy states of an atom
• Polarization of photon
• Many others.
[Figure: ground state = |0>, excited state = |1>]
General quantum states
• k-dimensional quantum system.
• Basis |1>, |2>, …, |k>.
• General state
1|1>+2|2>+…+k|k>,
|1|^2+…+ |k|^2=1
• A $2^k$-dimensional system can be constructed as a tensor product of k quantum bits.
Unitary transformations
• Linear transformations that preserve vector norm.
• In 2 dimensions, linear transformations that preserve unit circle (rotations and reflections).
Examples
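• Bit flip
$|0\rangle \to |1\rangle$
$|1\rangle \to |0\rangle$
• Hadamard transform
$|0\rangle \to \frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle$
$|1\rangle \to \frac{1}{\sqrt{2}}|0\rangle - \frac{1}{\sqrt{2}}|1\rangle$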
Linearity
• Bit flip
|0> → |1>
|1> → |0>
By linearity, |0>+|1> → |1>+|0>
Sufficient to specify U|0>, U|1>.
Examples
[Figure: the states |0>, |1> and two superpositions of |0> and |1> with amplitudes of magnitude $1/\sqrt{2}$]
Measurements
• Measuring |0>+|1> in basis |0>, |1> gives: 0 with probability | |2, 1 with probability | |2.
• Measurement changes the state: it becomes |0> or |1>.
• Repeating measurement gives the same outcome.
Measurements
[Figure: measuring an equal superposition of |0> and |1> (amplitudes of magnitude $1/\sqrt{2}$) gives |0> with probability 1/2 and |1> with probability 1/2]
General measurements
• Let |0>, | 1> be two orthogonal one-qubit states.
• Then,
|> = 0|0> + 1|1>.
• Measuring | > gives | i> with probability |i|2.
• This is equivalent to mapping |0>, | 1> to |0>, |1> and then measuring.
Measurements
1|2
10|
2
1
1|2
10|
2
1
Probability 1
Measurements
1|2
10|
2
1 1|
2
10|
2
1
Probability 1/2Probability 1/2
|1>
Measurements
• Measuring
1|1>+2|2>+…+k|k>
in the basis |1>, |2>, …, |k> gives |i> with probability |i|2.
• Any orthogonal basis can be used.
Partial measurements
• Example: two quantum bits, measure first.
102
101
2
100
2
1
01|2
100|
2
1 10|
Result 0 Result 1
Classical vs. Quantum
Classical bits:
• can be measured completely,
• are not changed by measurement,
• can be copied,
• can be erased.
Quantum bits:
• can be measured partially,
• are changed by measurement,
• cannot be copied,
• cannot be erased.
Copying
One nuclear spin Two spins
Impossible!
?
Related to impossibility of measuring a state perfectly.
No-cloning theorem
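• Imagine we could copy quantum states:
$|0\rangle \to |0\rangle|0\rangle$
$|1\rangle \to |1\rangle|1\rangle$
• Then, by linearity
$\frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle \to \frac{1}{\sqrt{2}}|0\rangle|0\rangle + \frac{1}{\sqrt{2}}|1\rangle|1\rangle$
• Not the same as two copies of |0>+|1>.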
Key distribution
• Alice and Bob want to create a shared secret key by communicating over an insecure channel.
• Needed for symmetric encryption (one-time pad, DES etc.).
Key distribution
• Can be done classically.
• Needs hardness assumptions.
• Impossible classically if adversary has unlimited computational power.
• Quantum protocols can be secure against any adversary.
• The only assumption: quantum mechanics.
BB84 states
[Figure: the four BB84 states: |0>, |1> and two superpositions of |0> and |1> with amplitudes of magnitude $1/\sqrt{2}$]
BB84 QKD
[Figure: BB84 exchange between Alice and Bob; per-qubit basis comparison (No, Yes, Yes, Yes, ...) and resulting key bits 0 0 1 ...]
BB84 QKD
• Alice sends n qubits.
• Bob chooses the same basis n/2 times.
• If there is no eavesdropping/transmission errors, they share the same n/2 bits.
Eavesdropping
• Assume that Eve measures some qubits in , | basis and resends them.
• If the qubit she measures is |> or |>, Eve resends a different state ( or | ).
• If Bob chooses |>, |> basis, he gets each answer with probability 1/2.
• With probability 1/2, Alice and Bob have different bits.
Eavesdropping
• Theorem: Impossible to obtain information about non-orthogonal states without disturbing them.
• In this protocol:
Check for eavesdropping
• Alice randomly chooses a fraction of the final string and announces it.
• Bob counts the number of different bits.
• If too many different bits, reject (eavesdropper found).
• If Eve measured many qubits, she gets caught.
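An added simulation (not from the original slides) of the sifting and sample check described above, with an intercept-resend Eve who picks her basis at random. Each measurement is modelled classically; the function names, the sample fraction 0.25 and the acceptance threshold 0.05 are assumptions of this example. Eve guesses the wrong basis half the time and each wrong guess flips Bob's bit with probability 1/2, so full interception shows up as an error rate near 1/4.

```python
import random

Z, X = 0, 1  # the two BB84 bases: {|0>, |1>} and the diagonal basis

def measure(bit, prepared_in, measured_in, rng):
    """Same basis returns the encoded bit; the other basis gives a fair coin."""
    return bit if prepared_in == measured_in else rng.randrange(2)

def run_bb84(n, eve_fraction, rng):
    """Send n qubits; Eve intercepts each one with probability eve_fraction.
    Returns the sifted strings (positions where Alice's and Bob's bases agree)."""
    alice_key, bob_key = [], []
    for _ in range(n):
        bit, a_basis = rng.randrange(2), rng.choice((Z, X))
        flying_bit, flying_basis = bit, a_basis
        if rng.random() < eve_fraction:
            # Intercept-resend: Eve measures in a random basis and resends
            # the state she observed, prepared in her own basis.
            e_basis = rng.choice((Z, X))
            flying_bit = measure(bit, a_basis, e_basis, rng)
            flying_basis = e_basis
        b_basis = rng.choice((Z, X))
        b_bit = measure(flying_bit, flying_basis, b_basis, rng)
        if a_basis == b_basis:          # bases are compared publicly
            alice_key.append(bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def check_for_eve(alice_key, bob_key, sample_fraction, max_error_rate, rng):
    """Alice announces a random sample; Bob counts the differing bits.
    Returns (observed error rate, accepted?, unannounced positions kept)."""
    size = max(1, int(len(alice_key) * sample_fraction))
    announced = set(rng.sample(range(len(alice_key)), size))
    errors = sum(alice_key[i] != bob_key[i] for i in announced)
    rate = errors / size
    kept = [i for i in range(len(alice_key)) if i not in announced]
    return rate, rate <= max_error_rate, kept

def demo(eve_fraction, n=20000, seed=1):
    rng = random.Random(seed)           # fixed seed: reproducible run
    a, b = run_bb84(n, eve_fraction, rng)
    rate, accepted, kept = check_for_eve(a, b, 0.25, 0.05, rng)
    return len(a), rate, accepted, len(kept)

if __name__ == "__main__":
    for fraction in (0.0, 0.2, 1.0):
        print(fraction, demo(fraction))
```

The announced positions are discarded from the key; the positions in `kept` are what error correction and privacy amplification would then operate on.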
Next step
• Alice and Bob share a string most of which is unknown to Eve.
• Eve might know a few bits.
• There could be differences due to transmission errors.
Classical post-processing
• Information reconciliation: Alice and Bob apply error correcting code to correct transmission errors.
• They now have the same string but a small number of bits might be known to Eve.
• Privacy amplification: apply a hash function to the string.
QKD summary
• Alice and Bob generate a shared bit string by sending qubits and measuring them.
• Eavesdropping results in different bits.
• That allows Eve to be detected.
• Error correction.
• Privacy amplification (hashing).
Eavesdropping models
• Simplest: Eve measures individual qubits.
• Most general: coherent measurements.
• Eve gathers all qubits, performs a joint measurement, resends.
Security proofs
• Mayers, 1998.
• Lo, Chau, 1999.
• Preskill, Shor, 2000.
• Boykin et al., 2000.
• Ben-Or, 2000.
EPR state
$\frac{1}{\sqrt{2}}|0\rangle|0\rangle + \frac{1}{\sqrt{2}}|1\rangle|1\rangle$
• First qubit to Alice, second to Bob.
• If they measure, same answers.
||2
1||
2
1
• Same for infinitely many bases.
Bell’s theorem
• Alice’s basis:
• Bob’s basis: y instead of x. |0>
|1>
1sin0cos xx
1cos0sin xx
Bell’s theorem
yx 2cos2
1
yx 2cos2
1
yx 2sin2
1
yx 2sin2
1
Pr[b=0]
Pr[a=1]
Pr[a=0]
Pr[b=1]
Classical simulation
• Alice and Bob share random variables.
• Someone gives to them x and y.
• Can they produce the right distribution without communication?
Bell’s theorem
• Classical simulation impossible:
• Bell’s inequality: constraint satisfied by any result produced by classical randomness.
4
3,
4,
4
3,
4
yx
Ekert’s QKD
• Alice generates n states $\frac{1}{\sqrt{2}}|0\rangle|0\rangle + \frac{1}{\sqrt{2}}|1\rangle|1\rangle$, sends 2nd qubits to Bob.
• They use half of states for Bell’s test.
• If test passed, they error-correct/amplify the rest and measure.
Equivalence
• In BB84 protocol, Alice could prepare the state
keep the first register and send the second to Bob.
32
12
2
11
2
10
2
1
Ekert and BB84 states
1|1|2
10|0|
2
1E
32
12
2
11
2
10
2
1BB
32
12
2
11
2
11|
32
12
2
10
2
10|
U
U
UI
QKD summary
• Key distribution requires hardness assumptions classically.
• QKD based on quantum mechanics.
• Higher degree of security.
• Showed two protocols for QKD.
QKD implementations
• First: Bennett et al., 1992.
• Currently: 67km, 1000 bits/second.
• Commercially available: Id Quantique, 2002.
Quantum Factoring
Quantum Algorithms
Quantum Algorithms should exploit quantum parallelism and quantum interference.
We have already seen some elementary algorithms.
Quantum Algorithms
These algorithms have been computing essentially classical functions on quantum superpositions.
This encoded information in the phases of the basis states: measuring basis states would provide little useful information.
But a simple quantum transformation translated the phase information into information that was measurable in the computational basis.
Extracting phase information with the Hadamard operation
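$|x\rangle \xrightarrow{H^{\otimes n}} \frac{1}{\sqrt{2^n}} \sum_{y} (-1)^{x \cdot y} |y\rangle$
$\frac{1}{\sqrt{2^n}} \sum_{y} (-1)^{x \cdot y} |y\rangle \xrightarrow{H^{\otimes n}} |x\rangle$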
Overview
• Quantum Phase Estimation
• Eigenvalue Kick-back
• Eigenvalue estimation and order-finding/factoring
• Shor’s approach
• Discrete Logarithm and Hidden Subgroup Problem (if there’s time)
Quantum Phase Estimation
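Suppose we wish to estimate a number $\omega \in [0,1)$ given the quantum state
$\sum_{y=0}^{2^n-1} e^{2\pi i \omega y} |y\rangle$
Note that in binary we can express
$\omega = 0.x_1x_2x_3\ldots$
$2\omega = x_1.x_2x_3\ldots$
$2^{n-1}\omega = x_1x_2\ldots x_{n-1}.x_nx_{n+1}\ldots$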
Quantum Phase Estimation
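Since $e^{2\pi i k} = 1$ for any integer k, we have
$e^{2\pi i(2\omega)} = e^{2\pi i(x_1.x_2x_3\ldots)} = e^{2\pi i x_1} e^{2\pi i(0.x_2x_3\ldots)} = e^{2\pi i(0.x_2x_3\ldots)}$
$e^{2\pi i(2^k\omega)} = e^{2\pi i(0.x_{k+1}x_{k+2}\ldots)}$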
Quantum Phase Estimation
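If $\omega = 0.x_1$ then we can do the following
$\frac{|0\rangle + e^{2\pi i(0.x_1)}|1\rangle}{\sqrt{2}} = \frac{|0\rangle + (-1)^{x_1}|1\rangle}{\sqrt{2}} \xrightarrow{H} |x_1\rangle$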
Useful identity
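We can show that
$\sum_{y=0}^{2^n-1} e^{2\pi i \omega y}|y\rangle = \left(|0\rangle + e^{2\pi i(2^{n-1}\omega)}|1\rangle\right)\left(|0\rangle + e^{2\pi i(2^{n-2}\omega)}|1\rangle\right)\cdots\left(|0\rangle + e^{2\pi i(\omega)}|1\rangle\right)$
$= \left(|0\rangle + e^{2\pi i(0.x_nx_{n+1}\ldots)}|1\rangle\right)\left(|0\rangle + e^{2\pi i(0.x_{n-1}x_nx_{n+1}\ldots)}|1\rangle\right)\cdots\left(|0\rangle + e^{2\pi i(0.x_1x_2\ldots)}|1\rangle\right)$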
Quantum Phase Estimation
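So if $\omega = 0.x_1x_2$ then we can do the following
[Circuit: $H$ maps $\frac{|0\rangle + e^{2\pi i(0.x_2)}|1\rangle}{\sqrt{2}}$ to $|x_2\rangle$; $R_2^{-1}$ controlled by $|x_2\rangle$, followed by $H$, maps $\frac{|0\rangle + e^{2\pi i(0.x_1x_2)}|1\rangle}{\sqrt{2}}$ to $|x_1\rangle$]
$R_k = \begin{pmatrix} 1 & 0 \\ 0 & e^{2\pi i/2^k} \end{pmatrix}$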
Quantum Phase Estimation
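So if $\omega = 0.x_1x_2x_3$ then we can do the following
[Circuit: $H$ maps $\frac{|0\rangle + e^{2\pi i(0.x_3)}|1\rangle}{\sqrt{2}}$ to $|x_3\rangle$; controlled $R_2^{-1}$ then $H$ maps $\frac{|0\rangle + e^{2\pi i(0.x_2x_3)}|1\rangle}{\sqrt{2}}$ to $|x_2\rangle$; controlled $R_2^{-1}$ and $R_3^{-1}$ then $H$ map $\frac{|0\rangle + e^{2\pi i(0.x_1x_2x_3)}|1\rangle}{\sqrt{2}}$ to $|x_1\rangle$]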
Quantum Phase Estimation
Generalizing this network (and reversing the order of the qubits at the end) gives us a network with $O(n^2)$ gates that implements
$\sum_{y=0}^{2^n-1} e^{2\pi i \frac{x}{2^n} y}|y\rangle \mapsto |x\rangle$
Discrete Fourier Transform
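The discrete Fourier transform maps vectors of dimension N by transforming the $x^{th}$ elementary vector according to
$(0,0,\ldots,0,1,0,\ldots,0) \mapsto \left(1, e^{2\pi i \frac{x}{N}}, e^{2\pi i \frac{2x}{N}}, \ldots, e^{2\pi i \frac{(N-1)x}{N}}\right)$
The quantum Fourier transform maps vectors in a Hilbert space of dimension N according to
$|x\rangle \mapsto \sum_{y=0}^{N-1} e^{2\pi i \frac{x}{N} y}|y\rangle$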
Discrete Fourier Transform
Thus we have illustrated how to implement (the inverse of) the quantum Fourier transform in a Hilbert space of dimension $2^n$.
Estimating arbitrary
What if is not necessarily of the formfor some integer x?
)1,0[
12
0x
i2n
zze The QFT will map to a
superposition
n2x
where
y
y y~
Ny
1Oy2
8N1
Ny
obPr
For any real
Quantum Phase Estimation
H
1x
2
10 22 )( ie
2
10 42 )( ie
H 2x12R
2
1e0 )(i2
H
3x
12R 1
3R
)1,0[
With high probability ω8
24 321 xxx
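An added numerical check (not from the original slides) of phase estimation for an arbitrary ω: it builds the normalised state Σ_y e^{2πiωy}|y>, applies the inverse QFT as an explicit sum, and returns the outcome distribution. Function names are this example's own; the 8/π² figure in the comments is the standard lower bound on the probability of measuring one of the two n-bit values nearest ω.

```python
import cmath
import math

def phase_state(omega, n):
    """Normalised state (1/sqrt N) sum_y e^{2 pi i omega y}|y> on n qubits."""
    N = 2 ** n
    return [cmath.exp(2j * math.pi * omega * y) / math.sqrt(N) for y in range(N)]

def inverse_qft(state):
    """Inverse QFT as an explicit O(N^2) sum: the amplitude of |x> is
    (1/sqrt N) * sum_y state[y] * e^{-2 pi i x y / N}."""
    N = len(state)
    out = []
    for x in range(N):
        total = sum(state[y] * cmath.exp(-2j * math.pi * x * y / N)
                    for y in range(N))
        out.append(total / math.sqrt(N))
    return out

def outcome_probabilities(omega, n):
    """Probability of reading each n-bit integer x after the inverse QFT."""
    return [abs(amp) ** 2 for amp in inverse_qft(phase_state(omega, n))]

def nearest_two_mass(omega, n):
    """Probability carried by the two grid points x/2^n that bracket omega.
    For omega exactly on the grid this is 1; otherwise it is at least 8/pi^2."""
    N = 2 ** n
    probs = outcome_probabilities(omega, n)
    lo = math.floor(omega * N) % N
    return probs[lo] + probs[(lo + 1) % N]

def most_likely_bits(omega, n):
    """Bit string x_1 x_2 ... x_n of the most probable measurement outcome."""
    probs = outcome_probabilities(omega, n)
    best = max(range(len(probs)), key=probs.__getitem__)
    return format(best, "0{}b".format(n))

if __name__ == "__main__":
    print(most_likely_bits(3 / 8, 3), nearest_two_mass(3 / 8, 3))   # exact case
    print(most_likely_bits(0.3, 5), nearest_two_mass(0.3, 5))       # inexact case
    print(nearest_two_mass(10.5 / 32, 5), 8 / math.pi ** 2)         # worst case
```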
Recall the “trick”:
Eigenvalue kick-back
x
)x(f10
x)1( )x(f
)10(x)1(
)10()1(x)x(f
)x(f
10
)1)x(f)x(f(x)10(x
Consider a unitary operation U with eigenvalue and eigenvector
Eigenvalue kick-back
i2e 1
1e i2
1e
e1i2
i2 U11
U
Eigenvalue kick-back
0
0
U
Eigenvalue kick-back
10
1e0 i2
U
As a relative phase, becomes measurable
i2e
If we exponentiate U, we get multiples of
Eigenvalue kick-back
1
1xe i2
xU
Eigenvalue kick-back
10
1xe0 i2
xU
Eigenvalue kick-back
10
1e0 i2
U
10 1e0 )2(i2 1n
10
10 1e0 )2(i2
U2U U
1n2 2n2
1e0 )2(i2 2n
Phase estimation
1e0 i2
1e0 )2(i2 1n
1e0 )2(i2
1e0 )2(i2 2n
H
1x
H
2x
12R
nn2
2n1
1n
2
xx2x2
nx
12R 1
3R
1nx
H
Eigenvalue estimation
10
10
2U U 4U
10 H
1x
2x12R
H
3x
12R 1
3R
H
Eigenvalue estimation
xU
0
1x
2x
3x
00
8QFT 18QFT
Eigenvalue estimation
U Given with eigenvector and eigenvalue we thus have an algorithm that maps
i2e
~0 IQFT,Uc,IQFT 1x
Eigenvalue kick-back
U Given with eigenvectors and respective eigenvalues we thus have an algorithm that maps
kki2
e
kkk~0
k
kkkk
kkk
kk~00
and therefore
Eigenvalue kick-back
Measuring the first register of
k
kkk~
is equivalent to measuring with probability
k~
2
k
kkkk
kkkk
kkkk
Tr
~~
~~ *
22
i.e.
Example
Suppose we have a group and we wish to find the order of (I.e. the smallest positive such that )
If we can efficiently do arithmetic in the group, then we can realize a unitary operator that maps
Notice that
GGa
r 1ar
aU axx I
aUaU r
r
This means that the eigenvalues of are of the form where k is an integer
aU
rki2
e
(Aside: more on reversible computing)
If we know how to efficiently compute and then we can efficiently and reversibly map
x
bfU
x
)(xfb
c
y1f
U)(1 yfc
y
f1f
(Aside: more on reversible computing)
And therefore we can efficiently map
x
0fU 1f
U0
)(xf
)(xfx
Example
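Let $G = Z_5^* = \{1,2,3,4\} \bmod 5$. Then $1^1 = 1, 2^4 = 1, 3^4 = 1, 4^2 = 1$.
We can easily implement, for example, $U_2$:
$U_2|001\rangle = |010\rangle$
$U_2^2|001\rangle = |100\rangle$
$U_2^3|001\rangle = |011\rangle$
$U_2^4|001\rangle = |001\rangle$
The eigenvectors of $U_2$ include
$|\psi_k\rangle = \sum_{j=0}^{3} e^{-2\pi i \frac{jk}{4}} |2^j \bmod 5\rangle$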
Example
011e100e010e001
011e100e010e001
41
i242
i243
i2
49
i246
i243
i2
3
Example
343
i2
41
i242
i243
i243
i2
41
i242
i243
i2
32
e
)001011e100e010e(e
001e011e100e010
U
Example
343
i2
32
242
i2
22
141
i2
12
002
eU
eU
eU
U
00121
3210
Example
343
i2
32
242
i2
22
141
i2
12
002
1e010Uc
1e010Uc
1e010Uc
1010Uc
Example
342
i2
32
2
222
2
142
i2
12
2
002
2
1e010Uc
1010Uc
1e010Uc
1010Uc
Eigenvalue Kickback
10
3
10
22U 2U
1e0 )1.0(i2
1e0 )11.0(i2
Eigenvalue Kickback
10
3
10
22U 2U
1H12R
H
3
1
1123
Eigenvalue Kickback
10
k
10
22U 2U
1kH12R
H
k
2k
21 kk2k
Eigenvalue Kickback
10
3
0kk2
1
1
10
22U 2U
H12R
H
3
0kkk
21
Quantum Factoring
• The security of many public key cryptosystems used in industry today relies on the difficulty of factoring large numbers into smaller factors.
• Factoring the integer N into smaller factors can be reduced to the following task: Given integer a, find the smallest positive integer r so that $a^r \equiv 1 \pmod{N}$
Example
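Let $a \in G = Z_N^*$, $a^r = 1$. We can easily implement
$U_a|x\rangle = |ax\rangle$
$U_a^2|x\rangle = U_{a^2}|x\rangle = |a^2x\rangle$
$U_a^{2^n}|x\rangle = U_{a^{2^n}}|x\rangle = |a^{2^n}x\rangle$
The eigenvectors of $U_a$ include
$|\psi_k\rangle = \sum_{j=0}^{r-1} e^{-2\pi i \frac{jk}{r}} |a^j\rangle$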
Example
krki2
1rrk)1r(
i22rk2
i2rki2
rki2
rrk)1r(
i23rk2
i22rki2
1rrk)1r(
i22rk2
i2rki2
aka
e
)aeaeae1(e
aeaeaea
)aeaeae1(UU
Example
1r1
1r210
krk2
i2
kj21e010
aUc
j
Eigenvalue kick-back
U Given with eigenvectors and respective eigenvalues we thus have an algorithm that maps
krki2
e
kk rk~
0
k
kkk
kkk
kk rk~
00
and therefore
Eigenvalue Estimation
10
1r
0kkr
1
1
10
22U 2U
n21QFT
1r
0kkr
k~
21
10
2U21n
Eigenvalue kick-back
Measuring the first register of
k
krk~
r1
is equivalent to measuring with probability r
k~
r1
Finding r
For most integers k, a good estimate of $\frac{k}{r}$ (with error at most $\frac{1}{2r^2}$) allows us to determine r (even if we don’t know k). (using continued fractions)
(aside: how does factoring reduce to order-finding??)
• The most common approach for factoring integers is the difference of squares technique:
– “Randomly” find two integers x and y satisfying $x^2 \equiv y^2 \pmod{N}$
– So N divides $x^2 - y^2 = (x-y)(x+y)$
– Hope that $\gcd(x-y, N)$ is non-trivial
• If r is even, then let $x = a^{r/2} \bmod N$ so that $x^2 \equiv 1^2 \pmod{N}$
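The classical steps around the quantum subroutine, as an added example (not from the original slides) covering both the continued-fraction recovery of r under "Finding r" and the reduction above. The eigenvalue estimate is simulated by rounding k/r to n bits; all function names and the `max_multiple` retry bound are assumptions of this example.

```python
from fractions import Fraction
from math import gcd

def simulated_estimate(k, r, n_bits):
    """Stand-in for the quantum part: the n-bit integer y with y/2^n closest
    to k/r, which eigenvalue estimation returns with high probability."""
    return round(k * 2 ** n_bits / r) % 2 ** n_bits

def recover_order(y, n_bits, a, N, max_multiple=8):
    """Continued-fraction step. limit_denominator() walks the continued
    fraction of y/2^n and returns k/r in lowest terms, so its denominator d
    divides r. If gcd(k, r) > 1 then d < r; a few multiples of d are tried."""
    d = Fraction(y, 2 ** n_bits).limit_denominator(N - 1).denominator
    for m in range(1, max_multiple + 1):
        if d * m < N and pow(a, d * m, N) == 1:
            return d * m
    return None                      # unlucky k: rerun the estimation

def factor_from_order(a, r, N):
    """Difference of squares: x = a^(r/2) satisfies x^2 = 1 (mod N)."""
    if r % 2:
        return None                  # odd order: pick another a
    x = pow(a, r // 2, N)
    if x == N - 1:
        return None                  # x = -1 (mod N): only trivial factors
    p = gcd(x - 1, N)
    return tuple(sorted((p, N // p))) if 1 < p < N else None

def factor(N, a, k):
    """One run end to end; k is the eigenvalue index the measurement
    happened to select (an input here because the quantum part is simulated)."""
    g = gcd(a, N)
    if g != 1:
        return tuple(sorted((g, N // g)))
    # Brute-force order, used only to simulate the measured value y.
    r = next(e for e in range(1, N) if pow(a, e, N) == 1)
    n_bits = 2 * N.bit_length()      # error below 1/(2 N^2) < 1/(2 r^2)
    y = simulated_estimate(k % r, r, n_bits)
    r_found = recover_order(y, n_bits, a, N)
    return None if r_found is None else factor_from_order(a, r_found, N)

if __name__ == "__main__":
    print(factor(15, 7, 1), factor(21, 2, 5), factor(15, 14, 1))
```

With k = 2 and r = 4 the fraction reduces to 1/2, so `recover_order` sees d = 2 and only finds r on the second multiple; a = 14 modulo 15 has even order but a^(r/2) ≡ −1, so that run yields no factor.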
Shor’s approach
This eigenvalue estimation approach is not the original approach discovered by Shor.
Kitaev developed an eigenvalue estimation approach (to the more general “Hidden Stabilizer Problem”).
We’ve presented the CEMM version here.
Discrete Fourier Transform
The discrete Fourier transform maps uniform periodic states, say with period r dividing N, and offset w, to a periodic state with period N/r.
),0,0,,0,0,,0,0,1(
1
)0,1,0,0,0,1,0,0,0,1,0,0(
12
222
rwr
irw
irwi
eeer
Nr
Discrete Fourier Transform
1
0
21
0
r
k
irN
x
krNr
wk
ewxrNr
The quantum Fourier transform maps vectors in a Hilbert space of dimension N according to
Shor’s Factoring Algorithm
x
/\x /
\ax
/\
/\a
y
r y
( ) /\a
r0
r r1 k
F-1
w0w
0w
x
/\x /
\1w
w
1r
1r
Network for Shor’s Factoring Algorithm
U
F-1
x
F
a/\1
/\0
Eigenvalue Estimation Factoring Algorithm
( ) /\
kk r
k
x /
\xk
e2π ix
rk
/\
k
/\0 /
\1 x /
\xk
/\
k
Network for Eigenvalue Estimation Factoring Algorithm
U
F-1
x
F
a/\1
/\0
Equivalence of Shor&CEMM Shor analysis CEMM analysis
s
s010
s
sxx
xx 1
ss
x
r
sxix
r
x k
xeaxrk 21
0
ss
xr
x
a 1
0 r
s
r
k
rrr
210
Equivalence of Shor&CEMM Shor analysis CEMM analysis
ss
xr
x
a 1
0
s
r
x
1
0
r
k
rrr
210 r
s
r
k
rrr
210 r
k
rrr
210 r
s
r
s
Discrete Logarithm Problem
Consider two elements $a, b \in G$ from a group G satisfying $a^r = 1$, $b = a^s$.
Find s.
$U_a|x\rangle = |ax\rangle$
Discrete Logarithm Problem
We know $U_a$ has eigenvectors
$|\psi_k\rangle = \sum_{j=0}^{r-1} e^{-2\pi i \frac{kj}{r}} |a^j\rangle$
$U_a|\psi_k\rangle = e^{2\pi i \frac{k}{r}}|\psi_k\rangle$
Discrete Logarithm Problem
Thus $U_b = U_a^s$ has the same eigenvectors but with eigenvalues exponentiated to the power of s
$U_b|\psi_k\rangle = e^{2\pi i \frac{ks}{r}}|\psi_k\rangle$
Discrete Logarithm Problem
1 kΨxaU
k0rF
1rF
Discrete Logarithm Problem
kΨkΨx
bU
ks0rF
1rF
Given k and ks, we can compute s mod r (provided k and r are coprime)
Abelian Hidden Subgroup Problem
f ( ) f ( )x
f :
Z Z ZM MM
1
. . .
nG
G X
y iff x y-
KG
K
Find generators for K
0
Network for AHS
U
F-1F/
\0
f
AHS Algorithm in standard basis
( )s
/\
x
/\x /
\f ( )x
f ( )w
s s0
1n
w
F-
/\f ( )ww
/\w K
1
K
AHS for in eigenbasis
/\
( )
s K /\f ( )x- )1(
x.ss
s ss/\
is an eigenvector of f ( )x f ( )x y
x
/\x /
\f ( )xF
-
(Simon’s Problem)
nZ
2
1
K
Other applications of Abelian HSP
• Any finite Abelian group G is the direct sum of finite cyclic groups $\langle g_1\rangle \oplus \langle g_2\rangle \oplus \cdots \oplus \langle g_n\rangle$
• But finding generators $g_1, g_2, \ldots, g_n$ satisfying $G = \langle g_1\rangle \oplus \langle g_2\rangle \oplus \cdots \oplus \langle g_n\rangle$ is not always easy, e.g. for $G = Z_N^*$ it’s as hard as factoring N
• Given any polynomial sized set of generators, we can use the Abelian HSP algorithm to find new generators that decompose G into a direct sum of finite cyclic groups.
Examples:
Deutsch’s Problem: }1,0{G X
K }1,0{
}1,0{
}0{ or
Order finding: ZGf
X
)x( K rZ
any group
ax
Example:
Discrete Log of to base :
G rr ZZ X any group
b a
f )y,x( ax by
K 1,
ak
k
Examples:
Self-shift equivalences: n)q(GFG
f
]X,...,X,X)[q(GFX n21
)a,...,a,a( n21
K
)aX,...,aX(P nn11
)}X,...,X(P)aX,...,aX(P
:)a,...,a{(
n1nn11
n1
What about non-Abelian HSP
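• Consider the symmetric group $G = S_n$
• $S_n$ is the set of permutations of n elements
• Let G be an n-vertex graph
• Let $X_G = \{\pi(G) \mid \pi \in S_n\}$
• Define $f_G : S_n \to X_G$, $f_G(\pi) = \pi(G)$
• Then $f_G(\pi_1) = f_G(\pi_2) \Leftrightarrow \pi_1 K = \pi_2 K$ where $K = AUT(G) = \{\pi \mid \pi(G) = G\}$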
Graph automorphism problem
• So the hidden subgroup of $f_G$ is the automorphism group of G
• This is a difficult problem in NP that is believed not to be in BPP and yet not NP-complete.
Other
Progress on the Hidden Subgroup Problem in non-Abelian groups (not an exhaustive list)
• Ettinger, Hoyer arxiv.gov/abs/quant-ph/9807029
• Roetteler, Beth quant-ph/9812070
• Ivanyos, Magniez, Santha arxiv.org/abs/quant-ph/0102014
• Friedl, Ivanyos, Magniez, Santha, Sen quant-ph/0211091 (Hidden Translation and Orbit Coset in Quantum Computing); they show e.g. that the HSP can be solved for solvable groups with bounded exponent and of bounded derived series
• Moore, Rockmore, Russell, Schulman, quant-ph/0211124