Dagstuhl Workshop Quantum Cryptanalysis Schloss Dagstuhl / - - PowerPoint PPT Presentation



SLIDE 1

Dagstuhl Workshop “Quantum Cryptanalysis” Schloss Dagstuhl / Leibniz-Zentrum für Informatik, October 2, 2017

SLIDE 2

SLIDE 3

SLIDE 4

SLIDE 5

SLIDE 6

[Shor ’94], [Kitaev ’95], [Brassard/Høyer ’97], [Ekert/Mosca ’98]

SLIDE 7

Shor’s algorithm for dlogs:

Step 1: Create Σ_{k∈{0,1}^n} |k_1, …, k_n⟩ ⊗ Σ_{ℓ∈{0,1}^n} |ℓ_1, …, ℓ_n⟩ ⊗ |𝒪⟩ by applying Hadamard gates to 2 registers of n qubits; n = ⌈log ord P⌉.

Step 2: For fixed generator P and fixed target Q ∈ ⟨P⟩ compute the transformation that maps this state to Σ_{k∈{0,1}^n} |k⟩ ⊗ Σ_{ℓ∈{0,1}^n} |ℓ⟩ ⊗ |kP + ℓQ⟩.

Step 3: Measure the 3rd register. Obtain a result R. Letting Q = αP and R = βP, we obtain a state corresponding to a “line”: Σ_{k,ℓ∈{0,1}^n : k + αℓ = β} |k⟩ ⊗ |ℓ⟩ ⊗ |R⟩ = Σ_{ℓ∈{0,1}^n} |β − αℓ⟩ ⊗ |ℓ⟩.

Step 4: Apply QFT ⊗ QFT and measure to sample from the line {(x, αx) : x ∈ {0, …, 2^n − 1}}. If x is a unit, we obtain α.
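As an added example (not part of the slides), the following Python simulates Steps 3 and 4 classically for a small cyclic group of prime order r: it builds the unnormalised “line” state left after the measurement in Step 3, applies QFT_r ⊗ QFT_r, checks that the measurement support is exactly {(x, αx)}, and runs the post-processing that recovers α from a sample when x is a unit. The one simplification, stated as an assumption, is that the Fourier transform is taken over Z_r rather than over 2^n points, which makes the support exact instead of approximate; the group order r, α and β used below are constructed values.

```python
# Added example, not from the slides: classical simulation of Steps 3-4 of
# Shor's dlog algorithm for a cyclic group of prime order r (assumption: we
# Fourier-transform over Z_r instead of over 2^n points, which makes the
# picture exact). Constructed parameters: r = 11, alpha = 4, beta = 7.
import cmath
from math import gcd


def line_state(r, alpha, beta):
    """Unnormalised amplitudes of sum_{k + alpha*l = beta mod r} |k>|l>,
    i.e. the state left after measuring R = beta*P in the third register."""
    return [[1.0 if (k + alpha * l) % r == beta else 0.0 for l in range(r)]
            for k in range(r)]


def qft_qft(psi, r):
    """Apply QFT_r (x) QFT_r: phi[u][v] = sum_{k,l} psi[k][l] * w^(k*u + l*v)."""
    w = cmath.exp(2j * cmath.pi / r)
    nonzero = [(k, l) for k in range(r) for l in range(r) if psi[k][l]]
    phi = [[0j] * r for _ in range(r)]
    for u in range(r):
        for v in range(r):
            phi[u][v] = sum(psi[k][l] * w ** ((k * u + l * v) % r)
                            for k, l in nonzero)
    return phi


def support(phi, tol=1e-9):
    """Pairs (u, v) with non-negligible probability of being measured."""
    r = len(phi)
    return {(u, v) for u in range(r) for v in range(r) if abs(phi[u][v]) > tol}


def recover_alpha(u, v, r):
    """Post-processing: a sample lies on {(x, alpha*x)}, so alpha = v * u^-1 mod r,
    provided u is a unit mod r; otherwise the sample is useless and we resample."""
    if gcd(u, r) != 1:
        return None
    return (v * pow(u, -1, r)) % r


def demo(r=11, alpha=4, beta=7):
    """Run the simulation and post-process every point of the support."""
    phi = qft_qft(line_state(r, alpha, beta), r)
    assert support(phi) == {(x, alpha * x % r) for x in range(r)}
    return [recover_alpha(u, v, r) for (u, v) in sorted(support(phi))]
```

For prime r every x ≠ 0 is a unit, so only the sample x = 0 is discarded; `demo()` returns `None` for that point and α = 4 for the other ten, which is the slide’s “if x is a unit, we obtain α” in concrete form.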

SLIDE 8

[Proos, Zalka ’03]
SLIDE 9

Universal gate sets

Important universal gate set “Clifford + T” (for logical operations):

Consists of all Clifford operations (i.e., the group generated by H, CNOT and S = diag(1, i)) and the “T gate” T = diag(1, ω₈) with ω₈ = e^{iπ/4}. Can be shown to be universal, i.e., for any unitary U and any given ε > 0, there exists an element A in the Clifford+T group such that ‖U − A‖ ≤ ε.

  • This gate set arises naturally in the context of fault-tolerant computing for several quantum codes. The T gates are usually implemented via a process called “magic state distillation”, which is expensive.
  • Common metrics used to measure resources:
  • T-count = total number of T gates used in a circuit
  • T-depth = number of T-layers
  • #qubits = total number of qubits used, including “ancillas” (= scratch space)
  • Toffoli gate: [circuit diagram] (T-count 7, T-depth 3)

[Amy, Maslov, Mosca, R., TCAD 2013]
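To make the three metrics concrete, here is an added example (not from the slides or the cited paper) that computes T-count, T-depth and #qubits for a Clifford+T gate list. T-depth is counted as the number of T-layers under as-soon-as-possible scheduling that respects the gate order as written, which is an upper bound on what circuit rewriting (such as the TCAD 2013 synthesis) can reach. The gate-list encoding and the sample circuit, the textbook Toffoli decomposition from Nielsen & Chuang, are my own choices.

```python
# Added example, not from the slides: resource metrics of slide 9 (T-count,
# T-depth, #qubits) for a Clifford+T gate list. Gates are tuples
# (name, qubit, ...). T-depth = number of T-layers under as-soon-as-possible
# scheduling that keeps the given gate order (an upper bound on the optimum).
T_GATES = {"T", "Tdg"}


def resources(circuit):
    """Return {'T-count', 'T-depth', 'qubits'} for a list of gates."""
    layer = {}          # per qubit: index of the last T-layer this wire has reached
    t_count = 0
    for gate in circuit:
        name, qubits = gate[0], gate[1:]
        level = max((layer.get(q, 0) for q in qubits), default=0)
        if name in T_GATES:
            t_count += 1
            level += 1  # a T on this wire has to go into a new T-layer
        for q in qubits:
            layer[q] = level  # a multi-qubit gate synchronises its wires
    return {"T-count": t_count,
            "T-depth": max(layer.values(), default=0),
            "qubits": len(layer)}


# Textbook Toffoli decomposition (Nielsen & Chuang, Fig. 4.9): a, b controls,
# c target; seven T/Tdg gates, no ancillas.
TOFFOLI_NC = [
    ("H", "c"),
    ("CNOT", "b", "c"), ("Tdg", "c"),
    ("CNOT", "a", "c"), ("T", "c"),
    ("CNOT", "b", "c"), ("Tdg", "c"),
    ("CNOT", "a", "c"), ("T", "b"), ("T", "c"), ("H", "c"),
    ("CNOT", "a", "b"), ("T", "a"), ("Tdg", "b"), ("CNOT", "a", "b"),
]

# Two T gates on different wires sit in the same T-layer: T-count 2, T-depth 1.
PARALLEL_T = [("T", "a"), ("T", "b")]
```

On `TOFFOLI_NC` the scheduler reports T-count 7 and T-depth 4 (the four T/T† on the target are forced into distinct layers by the CNOTs between them); the T-depth-3 circuit of the TCAD 2013 paper needs a different gate arrangement, not just rescheduling of this one.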

SLIDE 10

SLIDE 11

Using already allocated memory as scratch space

Can we apply tricks similar to the above (Barenco et al., PRA ’95) to use “dirty” ancillas for optimization? In a sense: “yes”… [Buhrman, Cleve, Koucky, Loff, Speelman ’14]

SLIDE 12

How to increment a quantum register?

Problem: How can we implement x ↦ x + 1 mod 2^n, which cyclically shifts the basis states of an n-qubit register?

Solution 1: Recursive

Solution 2: Draper-style

SLIDE 13

How to increment a quantum register?

Solution 3: Using regular adder + constant folding

Question: Is there a solution that combines all good features?

SLIDE 14

Incrementer “+1” by Craig Gidney

  • Based on the following trick:

|x⟩|g⟩ ↦ |x − g⟩|g⟩ ↦ |x − g⟩|g′ − 1⟩ ↦ |x − g − g′ + 1⟩|g′ − 1⟩ ↦ |x + 1⟩|g⟩

  • Here g denotes a register of qubits in an unknown state (it can be entangled with the rest of the quantum memory). We denote such qubits as dirty qubits.
  • Denote the one’s complement (i.e., flip all bits) of a state by ḡ, and the two’s complement by g′ (i.e., g + g′ = 0); then it is known that g′ = ḡ + 1, so flipping the bits of g yields |g′ − 1⟩.
  • If n dirty qubits are available, the above trick allows to implement a “+1” incrementer using only O(n) Toffoli gates.
  • If only 1 dirty qubit is available, then one can precompute the final carry, apply a splitting step & recurse. The result is an O(n log n) algorithm.
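The trick is easy to check classically, because every step is a reversible operation on n-bit integers mod 2^n (two in-place subtractions and two layers of NOT gates). The following added example (my code, not Gidney’s circuit) runs the four steps on basis states and verifies, for every x and every dirty value g, that x becomes x + 1 mod 2^n, including the wrap-around x = 2^n − 1 ↦ 0, while the dirty register is returned unchanged.

```python
# Added example, not from the slides: classical check of the "+1 with a dirty
# register" identity on n-bit basis states.

def ones_complement(g, n):
    """Flip all n bits of g: the state written gbar on the slide."""
    return g ^ ((1 << n) - 1)


def twos_complement(g, n):
    """g' with g + g' = 0 mod 2^n."""
    return (-g) % (1 << n)


def increment_with_dirty_register(x, g, n):
    """Apply the four reversible steps and return (x + 1 mod 2^n, g)."""
    mask = (1 << n) - 1
    # Step 1: |x>|g> -> |x - g>|g>   (in-place subtraction of the dirty register)
    x = (x - g) & mask
    # Step 2: flip every bit of g; the register now holds gbar = g' - 1
    g = ones_complement(g, n)
    # Step 3: subtract again: x - g - (g' - 1) = x + 1, because g + g' = 0
    x = (x - g) & mask
    # Step 4: flip the bits back, restoring the dirty register exactly
    g = ones_complement(g, n)
    return x, g


def check_all(n):
    """Exhaustively verify the complement identity and the incrementer for n bits."""
    mask = (1 << n) - 1
    for g in range(1 << n):
        # the identity g' = gbar + 1 that the trick relies on
        if twos_complement(g, n) != (ones_complement(g, n) + 1) & mask:
            return False
        for x in range(1 << n):
            if increment_with_dirty_register(x, g, n) != ((x + 1) & mask, g):
                return False
    return True
```

Because the check is exhaustive over both registers, it also confirms the point the slide makes about dirty ancillas: the result does not depend on g, so it holds just as well when g is in superposition or entangled with the rest of memory.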

SLIDE 15

Carry prediction with dirty ancillas

Based on this, one can build constant-folded modular arithmetic (+, *, exp).

[Haener, R., Svore, QIC 2017] [Gidney, arXiv:1706.07884]

SLIDE 16

Putting it all together: addition-by-a-constant

SLIDE 17

Modular addition: requires 3 integer additions

SLIDE 18

SLIDE 19

[Bernstein, Lange: Database of explicit ECC formulas: http://www.hyperelliptic.org/EFD/]

SLIDE 20

SLIDE 21

Why garbage is fatal for interference

  • By inserting polarization filters, the paths can be made distinguishable. The interference pattern disappears.
  • Quantum eraser experiment ([Wheeler ’78], [Scully et al. ’82 and ’99]): “erase” the polarization information after the photon has passed the slits. The interference pattern re-appears!

Example using reversible functions, with garbage: |x⟩|0⟩|0⟩ ↦ |x⟩|f(x)⟩|g(x)⟩

Example using reversible functions, garbage-free: |x⟩|0⟩|0⟩ ↦ |x⟩|f(x)⟩|0⟩

[Pictures credit: Wikipedia]

SLIDE 22

How to avoid garbage?

  • Replacing each gate with a reversible one works fine; however, it produces “garbage”, i.e., help registers will be in a state different from 0 at the end.
  • There is a principled way out of this dilemma: the Bennett trick

Idea: “uncompute” the garbage by running the computation backwards.

Forward computation: |x⟩|0⟩|0⟩|0⟩ ↦ |x⟩|f(x)⟩|garbage(x)⟩|0⟩

Copy the result: ↦ |x⟩|f(x)⟩|garbage(x)⟩|f(x)⟩

Reverse computation: ↦ |x⟩|0⟩|0⟩|f(x)⟩

Problem: this leads to a large quantum memory footprint.

SLIDE 23

[B. Kaliski, IEEE Trans. Comp. 44(8), 1995]

  • Requires handling a WHILE loop (with known upper bound, here: 2n)
  • Implemented in LIQUi|>, including P-192, P-224, P-256, P-384, P-521
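The WHILE loop in question is Kaliski’s almost-inverse iteration. The following added example (my own Python, not the LIQUi|> circuit from the slides) runs both phases of Kaliski’s algorithm on integers, using the same variable names u, v, r, s, k that the register layout on the next slide shows, and records the iteration count k. Kaliski proves n ≤ k ≤ 2n for an n-bit modulus, which is why a reversible implementation can unroll the loop to a fixed 2n rounds; `max_iterations` lets you confirm the bound for a small prime.

```python
# Added example, not the LIQUi|> circuit from the slides: Kaliski's almost
# Montgomery inverse (IEEE Trans. Comp. 1995). Phase I's WHILE loop runs k
# times with k <= 2n for an n-bit prime p, so a reversible circuit unrolls it
# to 2n rounds; the functions return k so the bound can be checked.

def almost_inverse(a, p):
    """Phase I: return (r, k) with r = a^-1 * 2^k mod p, for 0 < a < p."""
    u, v, r, s, k = p, a, 0, 1, 0
    while v > 0:                      # at most 2n iterations (Kaliski)
        if u % 2 == 0:
            u, s = u // 2, 2 * s
        elif v % 2 == 0:
            v, r = v // 2, 2 * r
        elif u > v:
            u, r, s = (u - v) // 2, r + s, 2 * s
        else:
            v, s, r = (v - u) // 2, s + r, 2 * r
        k += 1
    if r >= p:
        r -= p
    return p - r, k


def mod_inverse_kaliski(a, p):
    """Phase II: divide by 2 mod p k times (add p first when odd) to strip 2^k."""
    r, k = almost_inverse(a, p)
    for _ in range(k):
        r = r // 2 if r % 2 == 0 else (r + p) // 2
    return r, k


def max_iterations(p):
    """Largest k over all inputs: the number of rounds an unrolled circuit needs."""
    return max(almost_inverse(a, p)[1] for a in range(1, p))
```

For p = 7 (n = 3) and a = 3, Phase I stops after k = 4 rounds with 3 = 3⁻¹·2⁴ mod 7 and Phase II halves four times to reach 3⁻¹ = 5; exhaustively over p = 101 (n = 7) no input needs more than 2n = 14 rounds.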

SLIDE 24

[Figure: register layout of the Kaliski inverse circuit with registers u, v, s, r, x(i), y(i), a, f, k and the operations INC, +, /2 applied to them; annotation on the figure: “these qubits can be reused”]

SLIDE 25

SLIDE 26

SLIDE 27

SLIDE 28

SLIDE 29

SLIDE 30

Testing and debugging large quantum algorithms

Toffoli networks can be classically simulated. This can be used to localize (systematic) faults!
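Both the Bennett trick (slide 22) and the debugging remark above can be demonstrated with a few lines of classical simulation, since a network of NOT, CNOT and Toffoli gates just permutes basis states. The added example below (my code, not from the slides) is a minimal Toffoli-network simulator; it builds the forward / copy / uncompute sequence for a constructed three-input function f(x) = x0·x1·x2 computed through one garbage ancilla, verifies over all inputs that the ancillas return to 0, and includes an exhaustive checker that reports the first input on which a network deviates from its specification, which is how a systematic fault in a much larger arithmetic circuit would be localised.

```python
# Added example, not from the slides: classical simulation of a Toffoli network
# to check the Bennett trick and to localise faults. Constructed target
# function: f(x0, x1, x2) = x0 AND x1 AND x2, computed via one garbage ancilla.
from itertools import product

# A gate is (controls, target): target ^= AND(controls).
# No controls = NOT, one control = CNOT, two controls = Toffoli.


def run(circuit, bits):
    """Apply the gates in order to a list of classical bits and return the result."""
    bits = list(bits)
    for controls, target in circuit:
        if all(bits[c] for c in controls):
            bits[target] ^= 1
    return bits


def inverse(circuit):
    """Every gate is self-inverse, so the inverse network is the reversed list."""
    return list(reversed(circuit))


# Wire layout: x0 x1 x2 | G (garbage ancilla) | F (scratch result) | OUT (copy)
X0, X1, X2, G, F, OUT = range(6)
N_INPUTS = 3

FORWARD = [((X0, X1), G), ((G, X2), F)]   # |x>|0>|0> -> |x>|g(x)>|f(x)>
COPY = [((F,), OUT)]                       # CNOT the result into a clean register
BENNETT = FORWARD + COPY + inverse(FORWARD)  # compute, copy, uncompute


def f(x0, x1, x2):
    """Specification the network is supposed to implement."""
    return x0 & x1 & x2


def garbage_after_forward(x):
    """Value left in the garbage wire if we stop after the forward pass."""
    return run(FORWARD, list(x) + [0, 0, 0])[G]


def first_failing_input(circuit, expected):
    """Exhaustive classical check: first input x on which `circuit` does not map
    |x>|0>|0>|0> to |x>|0>|0>|expected(x)>, or None if it is correct everywhere."""
    for x in product((0, 1), repeat=N_INPUTS):
        bits = run(circuit, list(x) + [0, 0, 0])
        if (bits[:N_INPUTS], bits[G], bits[F], bits[OUT]) != (list(x), 0, 0, expected(*x)):
            return x
    return None


def check_all_inputs():
    """True iff the Bennett network is garbage-free and correct on every input."""
    return first_failing_input(BENNETT, f) is None
```

Dropping the uncompute step (`FORWARD + COPY`) is flagged at input (1, 1, 0): the output is still right, but the garbage wire holds x0·x1 = 1, which is exactly the kind of leftover that destroys interference in the surrounding quantum algorithm even though a classical test of the output alone would pass.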

SLIDE 31

Modular Inverse à la Fermat?

Idea:

  • Let p be prime, let x ∈ {1, …, p − 1}.
  • Recall that in any finite group: x^|G| = e.
  • When applied to GF(p)^× this implies x^(p−1) ≡ 1 mod p.
  • Or in other words: x^(p−2) · x ≡ 1 mod p.
  • Or in other words: x^(−1) ≡ x^(p−2) mod p.
  • That means we can compute the inverse by exponentiation of the (unknown) x for the (known, fixed) exponent p − 2.

[Figure: MUL gate |A⟩|x⟩|y⟩ ↦ |A + xy⟩|x⟩|y⟩]

SLIDE 32

Square & multiply by unrolling

[Figure: chain of MUL gates producing x, x², x⁴, x⁸, x¹⁶, … with the product accumulated into A]

Depth: 2n × (depth(MUL) + 2·depth(ADD)) + n; Width: 2n × n = O(n²) qubits

  • Here n is the bit-size of x
  • Use the binary representation of p − 2 to compute x^(p−2)

Unknown whether linear space can be achieved by this approach!
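The quadratic width comes from the unrolling: every MUL writes into a fresh n-qubit register and nothing is uncomputed. The added example below (my code, not from the slides) runs that schedule classically for a constructed small prime, computing x^(p−2) mod p while counting the MUL gates and the registers the schedule allocates, so the width figure can be compared with the 2n × n bound stated above; the register-allocation model (one fresh register per square and per multiply, the first factor copied rather than multiplied) is my assumption about the unrolled circuit.

```python
# Added example, not from the slides: the unrolled square-and-multiply
# schedule for x^(p-2) mod p, counting MUL gates and fresh n-bit registers.
# Assumed allocation model: every squaring and every multiplication lands in a
# new register; the first factor of the product is copied, not multiplied.

def fermat_inverse_unrolled(x, p):
    """Return (x^-1 mod p, number of MUL gates, width in qubits) of the schedule."""
    e = p - 2
    n = e.bit_length()            # bits of the known, fixed exponent
    power = x % p                 # current x^(2^i), held in its own register
    square_registers = 1          # the input register holding x itself
    acc = None                    # running product over the set bits of e
    acc_registers = 0
    muls = 0
    for i in range(n):
        if (e >> i) & 1:
            if acc is None:
                acc = power                # first factor: copy into a fresh register
            else:
                acc = acc * power % p      # MUL into a fresh accumulator register
                muls += 1
            acc_registers += 1
        if i < n - 1:
            power = power * power % p      # squaring = MUL into a fresh register
            square_registers += 1
            muls += 1
    width_qubits = (square_registers + acc_registers) * n
    return acc, muls, width_qubits


def width_bound(n):
    """The slide's 2n x n qubit figure for an n-bit exponent."""
    return 2 * n * n
```

For p = 101 (exponent 99 = 0b1100011, n = 7) the schedule uses 6 squarings and 3 multiplications, allocates 7 + 4 registers and so occupies 77 qubits, within the 2n² = 98 of the slide; the result 3⁻¹ ≡ 34 mod 101 is checked exhaustively for every x in the test.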

SLIDE 33

Shor for factoring vs ECC dlog

  • Suggests that quantum attacks on ECC/dlog can be done more efficiently than RSA/factoring with a comparable level of security.
  • Circuits are somewhat non-trivial to implement and to lay out.
  • Only short Weierstrass forms considered; unclear how classical optimizations of point additions can be leveraged.

[Proos, Zalka, quant-ph/0301141]