quantum algorithms for the k xor problem
play

Quantum Algorithms for the k -xor Problem Lorenzo Grassi 1 , Mara - PowerPoint PPT Presentation

Jun 18, 2023 •174 likes •428 views

Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Quantum Algorithms for the k -xor Problem Lorenzo Grassi 1 , Mara Naya-Plasencia 2 , Andr Schrottenloher 2 1 IAIK, Graz University of Technology, Austria 2 Inria, France December

  1. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Quantum Algorithms for the k -xor Problem Lorenzo Grassi 1 , María Naya-Plasencia 2 , André Schrottenloher 2 1 IAIK, Graz University of Technology, Austria 2 Inria, France December 3, 2018 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 1/23

  2. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Outline Context 1 Low-qubits k -xor algorithms 2 k -xor algorithms with qRAM 3 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 2/23

  3. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Context L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 3/23

  4. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM The Birthday Problem Collision search Let H : { 0 , 1 } n → { 0 , 1 } n be a random function, find a collision of H , i.e a pair x 1 , x 2 ∈ { 0 , 1 } n such that H ( x 1 ) = H ( x 2 ) . � 2 n / 2 � � 2 n / 2 � Classical queries (to L 1 , L 2 or H ) O , time O and memory � O ( 1 ) ( Pollard’s rho method ). Ω( 2 n / 2 ) is a query lower bound. L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 4/23

  5. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM The Generalized Birthday problem k -xor for a random function Let H : { 0 , 1 } n → { 0 , 1 } n be a random function, find x 1 , . . . , x k such that H ( x 1 ) ⊕ . . . ⊕ H ( x k ) = 0. Many applications in cryptanalysis: (R)FSB, SWIFFT. . . Applications for k -sums: ⊕ is replaced by modular + Wagner, “A Generalized Birthday Problem” , 2002 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 5/23

  6. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Classical Results To get a k -xor on n bits: The query complexity is Ω( 2 n / k ) � 2 n / ( 1 + ⌊ log 2 ( k ) ⌋ ) � The time complexity is O � 2 n / ( 1 + ⌊ log 2 ( k ) ⌋ ) � The memory complexity is O . . . unless k = 2, in which case memory is � O ( 1 ) . . . when k = 3, logarithmic improvements are available . . . many time-memory-query tradeoffs. n / 4 n / 3 n / 2 0 . . . k = 4 k = 3 k = 2 n / 4 n / 3 n / 2 0 . . . { 8 , 9 , . . . } { 4 , 5 , 6 , 7 } k = 2 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 6/23

  7. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Wagner’s Algorithm Generic method for the k -xor or k -sum with a general k : works at best when k is a power of 2. L 1 L 2 L 3 L 4 n 2 3 elements n n 3 3 n 2 n 2 n 2 3 3 3 n 3 -bit collisions 0 0 1 n -bit collision L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 7/23

  8. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Quantum results To get a k -xor on n bits: The query complexity is Ω( 2 n / ( k + 1 ) ) � 2 2 n / 5 � With O ( n ) qubits, the time complexity for k = 2 is O � 2 n / 3 � With qRAM, the time complexity for k = 2 is � O . n / 5 n / 4 n / 3 n / 2 0 . . . k = 4 k = 3 k = 2 2 n / 5 0 ? k = 2 n / 3 0 ? Brassard, Høyer, and Tapp, “Quantum Cryptanalysis of Hash and Claw-Free Functions” , 1998 Belovs and Spalek, “Adversary lower bound for the k -sum problem” , 2013 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 8/23

  9. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM This work We propose time-efficient quantum algorithms in two scenarios: Using O ( n ) qubits; 1 Allowing read-write quantum memory in the qRAM model. 2 Formalization All elements are produced by a random function H and we access the superposition oracle O H . A query to O H costs O ( 1 ) time. L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 9/23

  10. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Results Low-qubits scenario 3-xor is exponentially faster than collision search; A quantum time speedup ( or memory improvement ) over Wagner exists for k ≤ 7. qRAM scenario 3-xor is exponentially faster than collision search; � 2 n / ( 2 + ⌊ log 2 ( k ) ⌋ ) � k -xor can be solved in time � O , using � 2 n / ( 2 + ⌊ log 2 ( k ) ⌋ ) � � 2 n / ( 1 + ⌊ log 2 ( k ) ⌋ ) � � O qRAM (instead of O ). L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 10/23

  11. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Low-qubits k -xor algorithms L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 11/23

  12. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Quantum toolbox Grover’s algorithm : { 0 , 1 } n → { 0 , 1 } is a test function. f We look for x such that f ( x ) = 1 (there are 2 t solutions). We implement f as a quantum circuit. � 2 ( n − t ) / 2 � calls to f instead of 2 n − t classically. With Grover: O Grover improves exhaustive search by a quadratic factor when the oracle f is fast. L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 12/23

  13. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM 1. Testing membership with few qubits Assume that L 1 and L 2 of sizes ℓ each are given classically. We search x such that ∃ z 1 , z 2 ∈ L 1 × L 2 , H ( z 1 ) ⊕ H ( z 2 ) ⊕ H ( x ) = 0. � 2 n /ℓ 2 iterations. Grover requires How to test if x is good? Grover’s test The lists are known classically. But the oracle question is asked for a superposition of x . A solution is to compare sequentially: ℓ 2 n -bit comparisons. Chailloux, Naya-Plasencia, and Schrottenloher, “An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography” , 2017 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 13/23

  14. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM 2. Distinguished solution strategy We take specific L 1 and L 2 : images are prefixed by n 2 zeroes. n / 2 n / 2 n / 2 n / 2 β 1 α 1 0 0 2 n / 8 2 n / 8 . . . . . . . . . . . . α 2 n / 8 0 β 2 n / 8 0 We only need to search for a “distinguished solution” (with the same prefix): we compare pairs less often; Producing the lists costs 2 n / 4 × 2 n / 8 = 2 3 n / 8 queries and as much for searching x . � � � � 1 2 · 2 n 5 + n n 1 2 · 2 n n 2 · n 1 2 + n n 1 2 · n n 5 + 2 5 + 2 8 + 2 2 + 2 Collision: 2 2 and 3-xor: 2 2 5 5 8 4 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 14/23

  15. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM 3. Merging technique We take more specific L 1 and L 2 to reduce the checking cost. 2 n / 7 n / 7 n / 7 3 n / 7 2 n / 7 n / 7 n / 7 3 n / 7 0 0 y 1 α 1 0 z 1 0 β 1 . . . . . . . . ℓ = 2 n / 7 2 n / 7 . . . . . . . . . . . . . . . . y 2 n / 7 α 2 n / 7 z 2 n / 7 β 2 n / 7 0 0 0 0 Now to test a distinguished point x : Find a partially colliding element from L 1 ; Find a partially colliding element from L 2 ; Compute the xor of the three values; � ℓ 2 � The test costs O ( ℓ ) comparisons instead of O . L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 15/23

  16. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Optimization and results � 2 5 n / 14 � Optimizing the lists / prefix sizes leads to O time for k = 3. General k The same merging method can be extended to the k -xor. Time speedup over Wagner for k = 3 , 5 , 6 , 7 and memory improvement for k = 4. Quantum low-qubits: 5 n 2 n n 0 14 5 2 7 6 5 4 3 2 Classical: n n n 0 4 3 2 . . . 8 { 4 , 5 , 6 , 7 } k = 2 , 3 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 16/23

  17. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM k -xor algorithms with qRAM L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 17/23

  18. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM 3 -xor with qRAM qRAM is now available. No need for a distinguished solution (testing membership is efficient) but the merging technique still applies. � 2 3 n / 10 � ⇒ � time with 2 lists of size 2 n / 5 : better than quantum O collision search. 3 n n n 0 10 3 2 3 2 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 18/23

  19. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM General k Combining: Wagner’s method (successive lists of i -collisions with increasing zero prefixes) A quantum walk on the Johnson graph We obtain a general time speedup. L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 19/23

  20. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Results Classical time (using classical memory) Quantum time ( O ( n ) qubits and classical memory) Quantum time (unbounded qRAM) L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 20/23

  21. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Memory Classical (using classical memory) Quantum low-qubits ( O ( n ) qubits and classical memory) Quantum (qRAM) L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 21/23

  22. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Conclusion and perspectives L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 22/23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum

Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum

Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum algorithm? Classical Quantum 0101101 the rules: solve problem using sequence of local quantum gates the goal: use fewer gates than

1.11k views • 37 slides
Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499 852 1927 2535 3596 3608 D. J. Bernstein 4688 5989 6385 7353 7650 9413) University of Illinois at

2.02k views • 163 slides
Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees

Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees

Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees Trees Richard Cleve Dmitry Gavinsky D. L. Yonge-Mallo Institute for Quantum Computing, University of Waterloo January 30, 2008 TQC Tokyo,

842 views • 34 slides
Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES -

Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES -

Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES - Arquitectura e C alculo May 2019 Quantum Algorithms The Deutsch-Jozsa Algorithm Quantum Search: Grover A quantum machine Structure of a quantum

1.08k views • 29 slides
Quantum Versions of k-CSP The Need for . . . k -CSP problems Algorithms: a First Step Known

Quantum Versions of k-CSP The Need for . . . k -CSP problems Algorithms: a First Step Known

Outline General Problem of . . . Probabilistic and . . . Interval . . . Additional Problem: . . . Quantum Versions of k-CSP The Need for . . . k -CSP problems Algorithms: a First Step Known Algorithm for . . . Sch onings Algorithm . .

622 views • 15 slides
Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven cr.yp.to/qsubsetsum.html Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische

1.2k views • 98 slides
New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr Schrottenloher 2 Joint work with Andr Chailloux 2 and Lorenzo Grassi

1.63k views • 65 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische Universiteit Eindhoven

1.2k views • 89 slides
Quantum algorithms for the hidden shift problem of Boolean functions Maris Ozols University of

Quantum algorithms for the hidden shift problem of Boolean functions Maris Ozols University of

Quantum algorithms for the hidden shift problem of Boolean functions Maris Ozols University of Waterloo, IQC and NEC Labs Joint work with: Martin R otteler (NEC Labs) (NEC Labs) J er emie Roland Andrew Childs (University of

1.51k views • 74 slides
From quantum hardware to quantum AI School of Electrical and Electronic Engineering University

From quantum hardware to quantum AI School of Electrical and Electronic Engineering University

CLASSICAL BIT vs QUBIT Computation as physical process Concept of programmable matter Classical neural network Distance between quantum states Quantum algorithms Quantum Neural Networks From quantum hardware to quantum AI School of

322 views • 31 slides
Quantum Quantum Computing Sensing Algorithms Hybrid computing Compilers

Quantum Quantum Computing Sensing Algorithms Hybrid computing Compilers

QIS Workshop: Welcome Argonne PSE/CELS QIS Working Group Salman Habib CPS/HEP Divisions September 23, 2019 Quantum Quantum Computing Sensing Algorithms Hybrid computing Compilers Error correction Precision metrology

285 views • 6 slides
Quantum algorithms Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm

Quantum algorithms Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm

1 Quantum algorithms Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction is in a quantum computers

1.42k views • 138 slides
Quantum algorithms based on quantum walks . J er emie Roland Universit e Libre de

Quantum algorithms based on quantum walks . J er emie Roland Universit e Libre de

. Quantum algorithms based on quantum walks . J er emie Roland Universit e Libre de Bruxelles Quantum Information & Communication J er emie Roland (ULB - QuIC) Quantum walks Grenoble, Novembre 2012 1 / 39 Outline

564 views • 29 slides
Quantum Algorithms for Quantum Field Theories Stephen Jordan Joint work with Keith Lee John

Quantum Algorithms for Quantum Field Theories Stephen Jordan Joint work with Keith Lee John

Quantum Algorithms for Quantum Field Theories Stephen Jordan Joint work with Keith Lee John Preskill [arXiv:1111.3633 and 1112.4833] Feb 21, 2012 Quantum Mechanics Each state of the system is a basis vector. | dead i | alive i A general

672 views • 36 slides
Quantum algorithms Daniel J. Bernstein Quantum algorithm means an algorithm that a

Quantum algorithms Daniel J. Bernstein Quantum algorithm means an algorithm that a

1 Quantum algorithms Daniel J. Bernstein Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction is in a quantum computers supported instruction set. How do we

1.53k views • 135 slides
Discovery Logic / NIH Discovery Logic, Inc. Established in 2001 SBA 8(a) Certified in

Discovery Logic / NIH Discovery Logic, Inc. Established in 2001 SBA 8(a) Certified in

Discovery Logic / NIH Discovery Logic, Inc. Established in 2001 SBA 8(a) Certified in 2003 Woman-Owned Business Small Disadvantaged Business (SDB) GSA Schedule Unlimited ID/IQ Prime Contractor to HHS and

324 views • 10 slides
Unboxing Cluster Heatmaps Sophie Engle Sean Whalen Alark Joshi Katherine Pollard

Unboxing Cluster Heatmaps Sophie Engle Sean Whalen Alark Joshi Katherine Pollard

Unboxing Cluster Heatmaps Sophie Engle Sean Whalen Alark Joshi Katherine Pollard vgl.cs.usfca.edu docpollard.org Visualization and Graphics Lab Pollard Group University of San Francisco Gladstone Institutes, UCSF 2 Contributions

262 views • 24 slides
Pollard Rho on the PlayStation 3 Joppe W. Bos 1 Marcelo E. Kaihara 1 Peter L. Montgomery 2 1 EPFL

Pollard Rho on the PlayStation 3 Joppe W. Bos 1 Marcelo E. Kaihara 1 Peter L. Montgomery 2 1 EPFL

Pollard Rho on the PlayStation 3 Joppe W. Bos 1 Marcelo E. Kaihara 1 Peter L. Montgomery 2 1 EPFL IC LACAL, CH-1015 Lausanne, Switzerland 2 Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA RAIM09 October 27 th 2009 LIP ENS Lyon

386 views • 28 slides
ECC mod 8^91+5 especially elliptic curve 2y^2=x^3+x for cryptography Andrew Allen and Dan Brown,

ECC mod 8^91+5 especially elliptic curve 2y^2=x^3+x for cryptography Andrew Allen and Dan Brown,

ECC mod 8^91+5 especially elliptic curve 2y^2=x^3+x for cryptography Andrew Allen and Dan Brown, BlackBerry CFRG, Prague, 2017 July 18 2y 2 =x 3 +x/GF(8 91 +5) Simplest secure and fast ECC ? Benefits of Galois field size 8 91 +5 for ECC Feature

285 views • 12 slides
Introduction to Higher Order Logic Carl Pollard Department of Linguistics Ohio State University

Introduction to Higher Order Logic Carl Pollard Department of Linguistics Ohio State University

Introduction to Higher Order Logic Carl Pollard Department of Linguistics Ohio State University November 29, 2011 Carl Pollard Introduction to Higher Order Logic Extending TLC to HOL (Church 1940) Start with a TLC. Add a type t for truth

464 views • 18 slides
Beyond Removing Impediments: Scrum Master as Team Coach Image by Pictofigo Allison Pollard

Beyond Removing Impediments: Scrum Master as Team Coach Image by Pictofigo Allison Pollard

Beyond Removing Impediments: Scrum Master as Team Coach Image by Pictofigo Allison Pollard Agile Coach and Consultant Certified Professional Co-Active Coach Help people discover and develop their agile instincts DFW Scrum user group

174 views • 15 slides
Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work with Pierrick Gaudry and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Crypto 2020 Virtual Conference 1/29 The discrete

338 views • 29 slides
Advances in Logical Grammar: Course Overview Carl Pollard Department of Linguistics Ohio State

Advances in Logical Grammar: Course Overview Carl Pollard Department of Linguistics Ohio State

Advances in Logical Grammar: Course Overview Carl Pollard Department of Linguistics Ohio State University June 6, 2012 Carl Pollard Advances in Logical Grammar: Course Overview What this Course is About (1/2) Using mathematical logic to

218 views • 7 slides

More recommend