

Quantum Computing

Jim Royer

CIS 428/628: Introduction to Cryptography

November 8, 2018


Crypto (CIS 428/628) Quantum Computing November 8, 2018 1 / 25

References

A Physics-Free Introduction to the Quantum Computation Model by Stephen A. Fenner. https://arxiv.org/abs/cs/0304008 (. . . more importantly, it is complex analysis free)

The Talk by Scott Aaronson and Zach Weinersmith, http://www.smbc-comics.com/comic/the-talk-3

(There is tons of misleading hype about quantum computing. This is a good, double-entendre-filled, dehyping.)

Quantum Computing Since Democritus by Scott Aaronson, https://www.scottaaronson.com/democritus/

(This connects quantum computing to the wider intellectual world while being rather goofy.)


Quantum Computing and Cryptography

Given RSA with key size k, it can be broken by a computer with quantum register size ≈ k.(*)

Similarly with discrete-log-based cryptosystems.

There are lattice-based cryptosystems which quantum computers seemingly cannot break any faster than classical computers can.

We will cover enough about quantum computing to give you a glimpse of what is behind all the fuss.

This is based on A Physics-Free Introduction to the Quantum Computation Model by Stephen A. Fenner. https://arxiv.org/abs/cs/0304008.

(*) Assuming that you can build a quantum computer of that size.


Classical Boolean Circuits, I

We view them as naming maps { 0, 1 }^n → { 0, 1 }^n.

[Figure: an AND gate drawn on two wires. The upper wire a is the control and passes through unchanged; the lower wire b is the target and becomes a ∧ b. Arrows mark the direction of current flow.]

Consider the three-wire circuit

[Figure: wires a, b, c pass through an AND gate (control a, target b), then a NOT gate on a, then an OR gate (control c, target b). The outputs are ¬a, (a ∧ b) ∨ c, c.]

We can describe this by either of:

  b ← a ∧ b;  a ← ¬a;  b ← b ∨ c

or, with |x, y, z〉 = state vector,

  |a, b, c〉 ↦ |a, a ∧ b, c〉 ↦ |¬a, a ∧ b, c〉 ↦ |¬a, (a ∧ b) ∨ c, c〉


Classical Boolean Circuits, II

Input/Output Conventions

The first k registers are input, 0 ≤ k ≤ n.

The first ℓ registers are output, 0 ≤ ℓ ≤ n.

Each non-input register is assigned 0 or 1.

[Figure: fan-out using a non-input register. Wire a (control) passes through unchanged; a second wire initialised to 0 is the target of an OR gate and becomes 0 ∨ a = a. Net effect: a ↦ (a, a).]


Uniform Computation

A circuit family, C, is a sequence of circuits C_0, C_1, C_2, ... such that for each i, C_i has i inputs and 1 output.

L(C) =_def { w : |w| = n and C_n(w) = 1 }, the language defined by C.

A circuit family is ptime uniform ⟺ there is a poly-time algorithm D such that for all i, D(1^i) = a description of C_i (where 1^i is the string of i ones).

FACT: P = the languages accepted by ptime uniform circuit families.


Reversible Circuits, I

Reversible circuits have inverses.

The controlled not gate (CNOT)

[Figure: CNOT on two wires: a (control) ↦ a; b (target) ↦ a ⊕ b.]

Toffoli Gate, whose target output is z ⊕ (x ∧ y) for inputs (x, y, z)

[Figure: Toffoli gate on three wires, with a and b as controls: a ↦ a; b ↦ b; c ↦ c ⊕ (a ∧ b).]

Reversible circuits do not collapse states. (Why?)


Reversible Circuits, II

CNOT Gate

  input   output
  0 0     0 0
  0 1     0 1
  1 0     1 1
  1 1     1 0

Toffoli Gate

  input    output
  0 0 0    0 0 0
  0 0 1    0 0 1
  0 1 0    0 1 0
  0 1 1    0 1 1
  1 0 0    1 0 0
  1 0 1    1 0 1
  1 1 0    1 1 1
  1 1 1    1 1 0

The target bits in the last two rows (the 0 and 1 that get flipped) are the interesting bits.


Probabilistic Circuits, I

The Biased Coin-Flip Gate — p, q —

  input   output
  0       0 with probability p,  1 with probability (1 − p)
  1       0 with probability q,  1 with probability (1 − q)

|v⃗〉: the 2^n basis vectors.  H: a 2^n-dimensional real vector space (H for Hilbert space).

[Figure: wires x_1, ..., x_i, ..., x_n, with the p, q gate placed on wire x_i.]

On basis states the gate acts as

  |x_{1..i−1}, 0, x_{i+1..n}〉 ↦ p · |x_{1..i−1}, 0, x_{i+1..n}〉 + (1 − p) · |x_{1..i−1}, 1, x_{i+1..n}〉
  |x_{1..i−1}, 1, x_{i+1..n}〉 ↦ q · |x_{1..i−1}, 0, x_{i+1..n}〉 + (1 − q) · |x_{1..i−1}, 1, x_{i+1..n}〉


Probabilistic Circuits, II

Consider the subspace spanned by |0〉 and |1〉.

[Figure: axes |0〉 and |1〉; the line segment from (1, 0) to (0, 1), with the points p|0〉 + (1 − p)|1〉 and q|0〉 + (1 − q)|1〉 marked on it.]

The gate p, q always maps the line segment from (1, 0) to (0, 1) to itself.

We can also represent the p, q gate by the matrix:

  [ p      q     ]
  [ 1 − p  1 − q ]

This is a stochastic matrix: all entries ≥ 0, all columns sum to 1.


Probabilistic Circuits: Gates as Linear Maps

The irreversible AND gate is:

  a b    a  a ∧ b
  0 0    0  0
  0 1    0  0
  1 0    1  0
  1 1    1  1

As a matrix (columns indexed by the input a b, rows by the output):

        00  01  10  11
  00     1   1   0   0
  01     0   0   0   0
  10     0   0   1   0
  11     0   0   0   1

  • All entries are 0–1
  • One 1 in each column
  • ∴ Stochastic

Reversible gates are permutation matrices! (Why?)

Definition. A probabilistic circuit is a circuit built from Boolean & p, q gates, where

  the input state is a basis state, and

  the output state is of the form Σ_{x∈{0,1}^n} p_x |x〉 such that (i) each p_x ≥ 0 and (ii) Σ |p_x| = 1.

px = the probability that the output will be |x〉.

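The gate-as-matrix view of slides 4, 7–8 and 9–11, together with the rule for observing the output bit quoted on slide 12, as an added worked example (this is not code from the slides or from Fenner's paper). It builds the 2^n × 2^n matrix of any gate from its truth-table rule, checks the stochastic and permutation properties the slides claim, runs the three-gate circuit of slide 4 on a basis state, and observes the output register of a small probabilistic circuit. The helper names (gate_matrix, apply_circuit, observe, the *_rule functions) and the two-register coin-then-CNOT circuit are my own constructions; exact Fractions keep the column-sum checks free of rounding.

```python
from fractions import Fraction


def gate_matrix(n, wires, rule):
    """2^n x 2^n matrix of a gate acting on the registers listed in `wires`.

    `rule` maps the bits found on `wires` to {output bits: probability}; all other
    registers pass through unchanged. Column j is the image of the basis state |j>,
    where register 0 is the most significant bit of j. (Constructed helper, not from
    the slides.)
    """
    size = 2 ** n
    M = [[Fraction(0)] * size for _ in range(size)]
    for j in range(size):
        bits = [(j >> (n - 1 - k)) & 1 for k in range(n)]
        for out, prob in rule(tuple(bits[w] for w in wires)).items():
            new = list(bits)
            for w, b in zip(wires, out):
                new[w] = b
            i = sum(b << (n - 1 - k) for k, b in enumerate(new))
            M[i][j] += Fraction(prob)
    return M


def apply_circuit(gates, v):
    """Apply gate matrices in wire order (first gate first) to the state vector v."""
    for M in gates:
        v = [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]
    return v


def basis(n, *bits):
    """The basis state |bits> as a 2^n-dimensional 0-1 vector."""
    idx = sum(b << (n - 1 - k) for k, b in enumerate(bits))
    return [Fraction(int(i == idx)) for i in range(2 ** n)]


# Gate rules. Deterministic gates have a single outcome with probability 1.
def not_rule(x):     return {(1 - x[0],): 1}
def and_rule(ab):    return {(ab[0], ab[0] & ab[1]): 1}          # b <- a AND b (irreversible)
def or_rule(ab):     return {(ab[0], ab[0] | ab[1]): 1}          # b <- a OR b  (irreversible)
def cnot_rule(ab):   return {(ab[0], ab[0] ^ ab[1]): 1}          # b <- a XOR b (reversible)
def toffoli_rule(abc):
    return {(abc[0], abc[1], abc[2] ^ (abc[0] & abc[1])): 1}   # c <- c XOR (a AND b)
def coin_rule(p, q):
    """The biased coin-flip gate p,q: 0 -> 0 with probability p, 1 -> 0 with probability q."""
    p, q = Fraction(p), Fraction(q)
    return lambda x: {(0,): p, (1,): 1 - p} if x[0] == 0 else {(0,): q, (1,): 1 - q}


def is_stochastic(M):
    """All entries >= 0 and every column sums to 1."""
    return all(e >= 0 for row in M for e in row) and all(sum(col) == 1 for col in zip(*M))


def is_permutation(M):
    """Stochastic with 0-1 entries and one 1 per row as well: exactly the reversible gates."""
    return (is_stochastic(M) and all(e in (0, 1) for row in M for e in row)
            and all(sum(row) == 1 for row in M))


def observe(v, n, register):
    """Probabilities of reading 0 and 1 on one register: sum p_x over x with that bit."""
    out = [Fraction(0), Fraction(0)]
    for idx, p in enumerate(v):
        out[(idx >> (n - 1 - register)) & 1] += p
    return out


def slide4_circuit(a, b, c):
    """b <- a AND b; a <- NOT a; b <- b OR c on |a, b, c>; returns the output bits."""
    gates = [gate_matrix(3, (0, 1), and_rule),   # control a, target b
             gate_matrix(3, (0,), not_rule),
             gate_matrix(3, (2, 1), or_rule)]    # control c, target b
    v = apply_circuit(gates, basis(3, a, b, c))
    idx = v.index(1)                             # deterministic: one basis state survives
    return tuple((idx >> (2 - k)) & 1 for k in range(3))


def coin_then_cnot():
    """Fair coin (1/2, 1/2) on register 0 of |0, 0>, then CNOT from register 0 to 1.

    Returns the distribution over |00>, |01>, |10>, |11> and the observed output bit:
    0 or 1 with probability 1/2 each, with register 1 a perfect copy of register 0.
    """
    gates = [gate_matrix(2, (0,), coin_rule(Fraction(1, 2), Fraction(1, 2))),
             gate_matrix(2, (0, 1), cnot_rule)]
    v = apply_circuit(gates, basis(2, 0, 0))
    return v, observe(v, 2, 0)
```

slide4_circuit(1, 1, 0) returns (0, 1, 0), matching |1, 1, 0〉 ↦ |¬a, (a ∧ b) ∨ c, c〉; gate_matrix(2, (0, 1), and_rule) reproduces the 4 × 4 table of slide 11 column for column, and is stochastic but not a permutation, while the CNOT and Toffoli matrices pass is_permutation.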

“Majority Coin Flips” Circuit

[Figure: the "Majority Coin Flips" circuit. Three fair-coin gates (1/2, 1/2) act on registers initialised to 0, and a majority computation places its result in the first (output) register; the wiring is not recoverable from the extraction.]

(Excerpt from Fenner's paper, reproduced on the slide:)

Recall that the output bit is in the first register. We observe the output bit as follows: write |final〉 as

  Σ_{x_2,...,x_n} p_{0x_2···x_n} |0, x_2, ..., x_n〉 + Σ_{x_2,...,x_n} p_{1x_2···x_n} |1, x_2, ..., x_n〉.

The probability of seeing 0 is then Σ_{x_2,...,x_n} p_{0x_2···x_n}, and likewise the probability of seeing 1 is Σ_{x_2,...,x_n} p_{1x_2···x_n}. These formulas generalize in the obvious way to the case of more than one output register being observed.

4.1 More Complexity Classes

Many well-known complexity classes can be characterized using ptime uniform families of probabilistic circuits and placing a threshold on the probabilities of observing 1 on a given input. Let an acceptance criterion be a pair (R, A) of disjoint subsets of the unit interval [0, 1]. A ptime uniform probabilistic circuit family C_0, C_1, ... with acceptance criterion (R, A) computes a language L if, for all n ≥ 0 and all input strings x of length n, if x ∈ L then p ∈ A and if x ∉ L then p ∈ R, where p is the probability of seeing 1 on the output bit of C_n when the input is x. Using ptime uniform probabilistic circuits, we get the following correspondences between acceptance criteria and complexity classes:

  Class   Acceptance Criterion
  P       ({0}, {1})
  NP      ({0}, (0, 1])
  RP      ({0}, (1/2, 1])
  BPP     ([0, 1/3], [2/3, 1])
  PP      ([0, 1/2], (1/2, 1])

(1/2, 1/2 = flip of a fair coin)


A Complexity-Theoretic Aside

C⃗ = C_0, C_1, C_2, ...: a ptime uniform probabilistic circuit family.

(R, A) is an acceptance criterion when R, A ⊂ [0, 1] with R ∩ A = ∅. (R for reject, A for accept.)

C⃗ computes L with acceptance criterion (R, A) when, for each n and each x ∈ { 0, 1 }^n:

  x ∈ L ⟹ Prob[C_n(x) = 1] ∈ A
  x ∉ L ⟹ Prob[C_n(x) = 1] ∈ R

  Class   Acceptance Criterion
  P       ({ 0 }, { 1 })
  NP      ({ 0 }, (0, 1])
  RP      ({ 0 }, (1/2, 1])
  BPP     ([0, q], [1 − q, 1]) where 0 < q < 1/2
  PP      ([0, 1/2], (1/2, 1])


Quantum Circuits (a la Fenner), I

states = vectors in H;  gates = matrices.

Now allow negative entries in the matrices (but still only real numbers).

Now require: ‖Mv‖₂ = ‖v‖₂ for all v.

Note: ‖a⃗‖₂ =_def √(a_1² + ··· + a_n²).

This forces the matrices to be orthonormal, i.e., their columns form an orthogonal basis of H.

Registers are now called qubits (quantum bits) instead of bits.

The Hadamard gate, – H –, has the matrix (see the next slide):

  (1/√2) [ 1   1 ]
         [ 1  −1 ]

H|0〉 = (1/√2)(|0〉 + |1〉).  H|1〉 = (1/√2)(|0〉 − |1〉).  Note: H² = I.

Fact: { H, Toffoli gates } are a universal collection of quantum gates.

The p, q gates now correspond to measurements.


Hadamard Gate Geometrically

(Excerpt from Fenner's paper, reproduced on the slide:)

Its matrix is

  (1/√2) [ 1   1 ]
         [ 1  −1 ].

This gate maps the one-bit basis state |b〉 to (1/√2)(|0〉 + (−1)^b |1〉), for b ∈ {0, 1}. The two possible resulting states can be described geometrically as the following points on the unit circle:

[Figure: the unit circle with axes |0〉 and |1〉; the points (|0〉 + |1〉)/√2 and (|0〉 − |1〉)/√2 are marked on it.]

The transformation amounts to a reflection in the |0〉-axis followed by a counterclockwise rotation through π/4. As with any legal one-qubit quantum gate, it maps the unit circle onto itself. Note that H² = I, the identity map. That is, H is its own inverse.

A quantum circuit is a circuit that allows only quantum gates. It corresponds to an orthogonal linear transformation of H, and thus it maps the unit sphere in H onto itself. Here's an example taken from Nielsen and Chuang [1, Exercise 4.20]. This particular example is interesting in that it blurs the distinction between the control and target qubits. I'll justify below that the CNOT gate qualifies as a quantum gate.

[Figure: the Exercise 4.20 circuit, drawn with four H gates (one on each of two wires before and after a two-qubit gate); the middle gate is not recoverable from the extraction.]

Geometrically, H is:

  1. Transpose around the x-axis: (x, y) ↦ (x, −y).
  2. Then do a +45° rotation.

H|0〉 = (1/√2)(|0〉 + |1〉).  H|1〉 = (1/√2)(|0〉 − |1〉).


Quantum Circuits (a la Fenner), II

QCF (Quantum Coin Flip). This is a variation on the Hadamard gate.

  QCF = (1/√2) [ 1  −1 ]
               [ 1   1 ]

Note that (QCF)² =

  [ 0  1 ]
  [ 1  0 ]  = the not gate.

So, QCF = √NOT, the square root of not.

Quantum I/O

  Input: basis states.
  Output: Σ_{x∈{ 0,1 }^n} a_x |x〉.  Note: Σ a_x² = 1.
  a_x² = the probability associated with |x〉.
  a_x = the probability amplitude for |x〉.

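Slides 14–16 in code, as an added example (not code from the slides or from Fenner's paper): the column-orthonormality check that the requirement ‖Mv‖₂ = ‖v‖₂ forces, H and QCF as matrices, H² = I, the amplitude-squared probabilities of the Quantum I/O slide, and H applied to every qubit of an n-qubit register. One caveat worth seeing numerically: (QCF)² works out to [[0, −1], [1, 0]], which is the NOT gate up to the sign of one amplitude; the measurement probabilities on both basis states agree with NOT, which is the sense in which QCF = √NOT. The names (matmul, apply, kron, is_orthonormal, qcf_squared_vs_not, hadamard_on_all) and the non-orthonormal fair-coin matrix COIN used as a counterexample are mine.

```python
import math


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def apply(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]


def norm(v):
    """||v||_2 = sqrt(a_1^2 + ... + a_n^2)."""
    return math.sqrt(sum(a * a for a in v))


def close(A, B, eps=1e-12):
    """Entrywise comparison of two matrices up to floating-point error."""
    return all(abs(a - b) < eps for ra, rb in zip(A, B) for a, b in zip(ra, rb))


def is_orthonormal(M, eps=1e-12):
    """Columns have unit length and are pairwise orthogonal, i.e. M^T M = I.
    For real matrices this is equivalent to ||Mv|| = ||v|| for all v."""
    cols = list(zip(*M))
    return all(abs(sum(x * y for x, y in zip(cols[i], cols[j])) - (i == j)) < eps
               for i in range(len(cols)) for j in range(len(cols)))


S = 1 / math.sqrt(2)
H = [[S, S], [S, -S]]            # Hadamard: (1/sqrt 2) [[1, 1], [1, -1]]
QCF = [[S, -S], [S, S]]          # quantum coin flip: (1/sqrt 2) [[1, -1], [1, 1]]
NOT = [[0, 1], [1, 0]]
I2 = [[1, 0], [0, 1]]
COIN = [[0.5, 0.5], [0.5, 0.5]]  # the fair p,q gate of the probabilistic model: stochastic, not orthonormal
KET0, KET1 = [1, 0], [0, 1]


def probabilities(v):
    """Quantum I/O: amplitude a_x gives probability a_x^2 (these sum to 1 for a unit vector)."""
    return [a * a for a in v]


def kron(A, B):
    """Tensor (Kronecker) product: the matrix of A acting on qubit 1 and B on qubit 2."""
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]


def hadamard_on_all(n):
    """H on each of n qubits starting from |0...0>: the uniform superposition with
    amplitude 1/sqrt(2^n) on every basis state (the opening step of Shor's algorithm)."""
    M = H
    for _ in range(n - 1):
        M = kron(M, H)
    return apply(M, [1] + [0] * (2 ** n - 1))


def qcf_squared_vs_not():
    """(QCF)^2 next to NOT on both basis states: the matrices differ by a sign,
    the measurement probabilities do not."""
    Q2 = matmul(QCF, QCF)
    return (Q2,
            [probabilities(apply(Q2, k)) for k in (KET0, KET1)],
            [probabilities(apply(NOT, k)) for k in (KET0, KET1)])
```

is_orthonormal(H) and is_orthonormal(QCF) hold while is_orthonormal(COIN) fails, which is exactly the change of rules between the probabilistic and the quantum model; hadamard_on_all(3) returns eight amplitudes of 1/√8, the state written on slide 23 before the modular exponentiation step.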

Another Complexity-Theoretic Aside

If we use quantum circuits, then

  Class   Description                              Acceptance Criterion
  EQP     Exact quantum polynomial time            ({ 0 }, { 1 })
  C≠P     Co-Exact-Counting Polynomial-Time        ({ 0 }, (0, 1])
  RQP     One-sided Error Extension of EQP         ({ 0 }, (1/2, 1])
  BQP     Bounded-Error Quantum Polynomial-Time    ([0, 1/n), ((n − 1)/n, 1])
  PP      Probabilistic Polynomial-Time            ([0, 1/2], (1/2, 1])

See: https://complexityzoo.uwaterloo.ca/Complexity_Zoo


“Traditional” Quantum Circuits

In place of vector spaces over R, we use vector spaces over C. In place of orthonormal matrices, we use unitary matrices. Etc., etc. See §6 of Fenner for details.

Past this point, we shall be even sketchier than before . . . so, we won't digress into complex linear algebra.


Towards Shor’s Algorithm: Number Theory Facts, I

Suppose we want to factor N (assuming N isn’t prime).

(a) If we find an x ∈ { 2, ..., N − 2 } with x² ≡ 1 (mod N), then we can factor N. (Why?)

(b) If we can find an a and an even r with
  (i) gcd(a, N) = 1,
  (ii) a^r ≡ 1 (mod N), and
  (iii) a^{r/2} ≢ ±1 (mod N),
then we can factor N. (Why?)


Notes on the two "Why?" questions (from the handout version of this slide):

(a) Suppose 1 < x < N − 1 and x² ≡ 1 (mod N). Then N | (x² − 1), i.e., N | (x − 1)(x + 1). Since 1 < x < N − 1, neither x − 1 = 0 nor x + 1 = N. So gcd(N, x − 1) > 1 or gcd(N, x + 1) > 1.

(b) Use (a).

Towards Shor’s Algorithm: Number Theory Facts, II

Heuristic Procedure for Factoring

  Input N.
  Pick a at random from { 2, ..., N − 2 }.
  If gcd(a, N) > 1, return gcd(a, N).   (* It is a (nontrivial) factor *)
  (* So, gcd(a, N) = 1 *)
  Find the smallest r > 0 with a^r ≡ 1 (mod N).   (* Expensive classically *)
  If r is odd or a^{r/2} ≡ −1 (mod N),
    then: return FAILURE
    else: use the trick of the previous page to compute a factor of N;
          return this factor.

FACT: If N = p_1^{k_1} ··· p_s^{k_s} where p_1, ..., p_s are distinct primes and s > 1, then Prob[the procedure succeeds on N] ≥ 1 − 1/2^{s−1} ≥ 1/2.

So repeating the procedure on N not too many times will find us a factor (with high probability).

BUT the best known classical methods for finding r are exponential time.

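The two number-theory facts and the heuristic procedure of slides 19–20, as an added Python example (not code from the slides). order_classical is the brute-force period search the slide marks as expensive; for toy moduli it is instant, which is what makes the rest of the procedure testable here. success_fraction enumerates every a in { 2, ..., N − 2 } and so gives the exact one-run success probability to compare against the slide's FACT, and also shows that the procedure never "succeeds" on a prime. The function names, the toy moduli 15 and 21, and the seeded random driver are my constructions.

```python
import math
import random


def factor_from_sqrt_of_one(x, N):
    """Fact (a): 1 < x < N-1 and x^2 = 1 (mod N) give a nontrivial factor of N.

    N divides (x-1)(x+1) but neither factor on its own (0 < x-1 < x+1 < N), so N
    shares a proper factor with at least one of them, which gcd extracts.
    """
    assert 1 < x < N - 1 and (x * x) % N == 1
    g = math.gcd(N, x - 1)
    return g if 1 < g < N else math.gcd(N, x + 1)


def order_classical(a, N):
    """Smallest r > 0 with a^r = 1 (mod N), by brute force. This is the step that is
    exponential classically and the one Shor's algorithm replaces; fine for toy N."""
    r, x = 1, a % N
    while x != 1:
        x = (x * a) % N
        r += 1
    return r


def heuristic_factor(N, a):
    """One run of the slide's heuristic procedure with the chosen a in {2, ..., N-2}.
    Returns a nontrivial factor of N, or None when the run reports FAILURE."""
    g = math.gcd(a, N)
    if g > 1:
        return g                            # a already shares a factor with N
    r = order_classical(a, N)               # (* expensive classically *)
    if r % 2 == 1:
        return None                         # r odd: FAILURE
    h = pow(a, r // 2, N)
    if h == N - 1:
        return None                         # a^(r/2) = -1 (mod N): FAILURE
    return factor_from_sqrt_of_one(h, N)    # h^2 = a^r = 1 and h != +-1: fact (b) via (a)


def success_fraction(N):
    """Exact success probability of one run when a is uniform over {2, ..., N-2}.
    The slide's FACT promises >= 1 - 1/2^(s-1) >= 1/2 when N has s > 1 distinct primes."""
    choices = range(2, N - 1)
    wins = sum(1 for a in choices if heuristic_factor(N, a) is not None)
    return wins / len(choices)


def randomized_factor(N, seed=2018):
    """Repeat the heuristic with fresh random a until it succeeds (constructed driver)."""
    rng = random.Random(seed)
    while True:
        f = heuristic_factor(N, rng.randrange(2, N - 1))
        if f is not None:
            return f
```

heuristic_factor(15, 7) finds r = 4, h = 7² mod 15 = 4 and returns gcd(15, 3) = 3; heuristic_factor(15, 14) fails because 14 ≡ −1 has period 2 and 14^{1} ≡ −1, exactly the FAILURE branch of the slide. success_fraction(15) and success_fraction(21) both exceed 1/2, while success_fraction(7) is 0: for a prime modulus the only square roots of 1 are ±1, so every coprime a lands in a FAILURE branch.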

Peter Shor’s Clever Idea (One of Many)

Heuristic Procedure for Factoring

  Input N.
  Pick a at random from { 2, ..., N − 2 }.
  If gcd(a, N) > 1, return gcd(a, N).
  Find the smallest r > 0 with a^r ≡ 1 (mod N).   (* PROBLEM *)
  If r is odd or a^{r/2} ≡ −1 (mod N),
    then: return FAILURE
    else: compute a factor of N and return it.

Use QC to find r. That is: consider 1, a¹, a², a³, ... (mod N). If a^r ≡ 1 (mod N), then the sequence repeats every r terms.

∴ Finding the period of the sequence finds r. In signal processing, Fourier transforms are used to find periods.


Quantum Fourier Transform

  QFT(|x〉) =_def (1/√(2^m)) Σ_{c∈{ 0,1 }^m} e^{2πi·xc/2^m} |c〉

This can be realized as a quantum circuit. We'll come back to the properties of this thing shortly.


Shor’s Factoring Algorithm, I

  |0...0, 0...0〉                                         (m + n long)
      ↓
  (1/√2)(|00...0, 0...0〉 + |10...0, 0...0〉)
      ↓ ... ↓
  (1/√(2^m)) Σ_{c∈{ 0,1 }^m} |c, 0⃗〉                         superposition of 2^m states
      ↓
  (1/√(2^m)) Σ_{c∈{ 0,1 }^m} |c, a^c mod N ...〉
      ↓
  QFT( — )                                               Now what???


Shor’s Factoring Algorithm, II

When you measure Σ_i a_i |x_i〉, you get state |x_i〉 with probability a_i².

Thanks to the QFT, states near the period have pretty high probability.

∴ Measure, test, and refine. See: Shor's Quantum Factoring Algorithm by Samuel J. Lomonaco, https://arxiv.org/abs/quant-ph/0010034

A similar trick (using QFT) can compute discrete logs.

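A classical simulation of the QFT step of slides 21–24, as an added example (not code from the slides or from Lomonaco's paper). For constructed parameters a = 2, N = 21 and a 9-qubit first register it computes the probability of each measured y after the QFT, conditioned on the second register having been observed to hold 1 (so the surviving c form the progression 0, r, 2r, ... with r = 6), shows that the likely outcomes sit near multiples of 2^m / r, and carries out "measure, test, and refine" by approximating y / 2^m with a small-denominator fraction (Fraction.limit_denominator standing in for the continued-fraction step) and testing the candidate period and its multiples. The state it starts from is the one written on slide 23; the function names are mine. The simulation costs 2^m × (2^m / r) operations, so it is a teaching tool for toy N only.

```python
import cmath
import math
from fractions import Fraction


def qft_probabilities(a, N, m, f=1):
    """Probability of each y in {0, ..., 2^m - 1} after QFT on the first register.

    Models the state (1/sqrt(2^m)) sum_c |c, a^c mod N> once the second register has
    been observed to hold f: the surviving c are exactly those with a^c = f (mod N),
    an arithmetic progression with difference r (the period). QFT(|c>) contributes
    (1/sqrt(2^m)) e^{2 pi i c y / 2^m} to |y>, so those phases are summed per y.
    (Constructed simulation; exponential in m.)
    """
    M = 2 ** m
    survivors = [c for c in range(M) if pow(a, c, N) == f]
    amp = 1 / math.sqrt(len(survivors))                  # equal weights after observing f
    probs = []
    for y in range(M):
        s = sum(cmath.exp(2j * math.pi * c * y / M) for c in survivors)
        probs.append(abs(amp * s / math.sqrt(M)) ** 2)
    return probs


def likely_outcomes(probs, k):
    """The k most probable measured values y; these cluster near multiples of 2^m / r."""
    return sorted(range(len(probs)), key=lambda y: -probs[y])[:k]


def period_from_measurement(y, m, a, N):
    """'Measure, test, and refine': y / 2^m is close to k / r for some k, so the
    denominator d of its best rational approximation with d < N is r or a divisor of r.
    Test d and its multiples below N; return the period found, or None."""
    if y == 0:
        return None                                      # y = 0 carries no information
    d = Fraction(y, 2 ** m).limit_denominator(N - 1).denominator
    for cand in range(d, N, d):
        if pow(a, cand, N) == 1:
            return cand
    return None


def shor_period_demo(a=2, N=21, m=9):
    """Constructed walk-through: 9-qubit first register, a = 2, N = 21 (period r = 6).
    Returns the six likeliest measurements and the period each of them leads to."""
    probs = qft_probabilities(a, N, m)
    top = likely_outcomes(probs, 6)
    return top, {y: period_from_measurement(y, m, a, N) for y in top}
```

With 2^m = 512 and r = 6 the peaks are expected near 0, 85.3, 170.7, 256, 341.3 and 426.7, and shor_period_demo() returns exactly {0, 85, 171, 256, 341, 427} as the six likeliest outcomes; y = 85 and y = 427 give 1/6 and 5/6 directly, while y = 171 gives 1/3 and y = 256 gives 1/2, whose denominators 3 and 2 only pass the a^cand ≡ 1 test once multiplied up to 6. Measuring y = 0 tells you nothing, which is why the slide says measure, test, and refine rather than measure once.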

Quantum Algorithms Beyond Shor’s

Grover’s Algorithm

Suppose that C : { 0, 1 }^n → { 0, 1 } is such that C(s) = 1 for only one s ∈ { 0, 1 }^n. Classically, finding this s takes Θ(2^n) time. Using QFT trickery, one can do this in Θ(√(2^n)) time.

This is the best known quantum algorithm besides Shor's.

For other quantum algorithms, see: https://en.wikipedia.org/wiki/Quantum_algorithm

The takeaway is that quantum computers are magic bullets, but only for some fairly special problems.

As factoring and discrete log are among these special problems, cryptography must respond, e.g., with lattice-based cryptosystems.
