quantum algorithms for the subset sum problem d j
play

Quantum algorithms for the subset-sum problem D. J. Bernstein - PDF document

Jan 27, 2023 •211 likes •1.2k views

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven cr.yp.to/qsubsetsum.html Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische

  1. Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven cr.yp.to/qsubsetsum.html Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische Universiteit Eindhoven Alexander Meurer Ruhr-Universit¨ at Bochum

  2. Subset-sum example: Is there a subsequence of (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) having sum 36634? Many variations: e.g., find such a subsequence if one exists; find such a subsequence knowing that one exists; allow range of sums; coefficients outside ❢ 0 ❀ 1 ❣ ; etc. “Subset-sum problem”; “knapsack problem”; etc.

  3. The lattice connection Define ① 1 = 499, ✿ ✿ ✿ , ① 12 = 9413. Define ▲ ✒ Z 12 as ❢ ✈ : ✈ 1 ① 1 + ✁ ✁ ✁ + ✈ 12 ① 12 = 0 ❣ . Define ✉ ✷ Z 12 as (70 ❀ 2 ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0). If ❏ ✒ ❢ 1 ❀ 2 ❀ ✿ ✿ ✿ ❀ 12 ❣ and P ✐ ✷ ❏ ① ✐ = 36634 then ✈ ✷ ▲ where ✈ ✐ = ✉ ✐ � [ ✐ ✷ ❏ ]. ✈ is very close to ✉ . Reasonable to hope that ✈ is the closest vector in ▲ to ✉ . Subset-sum algorithms ✙ codimension-1 CVP algorithms.

  4. The coding connection A weight- ✇ subset-sum problem: Is there a subsequence of (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) having length ✇ and sum 36634?

  5. The coding connection A weight- ✇ subset-sum problem: Is there a subsequence of (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) having length ✇ and sum 36634? Replace Z with ( Z ❂ 2) ♠ : Is there a subsequence of (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) having length ✇ and xor 1060? This is the central algorithmic problem in coding theory.

  6. Recent asymptotic news Eurocrypt 2010 Howgrave-Graham–Joux: subset-sum exponent ✙ 0 ✿ 337. (Incorrect claim: ✙ 0 ✿ 311.) Eurocrypt 2011 Becker–Coron–Joux: subset-sum exponent ✙ 0 ✿ 291. Adaptations to decoding: Asiacrypt 2011 May–Meurer– Thomae, Eurocrypt 2012 Becker–Joux–May–Meurer.

  7. Post-quantum subset sum Claimed in TCC 2010 Lyubashevsky–Palacio–Segev “Public-key cryptographic primitives provably as secure as subset sum”: There are “currently no known quantum algorithms that perform better than classical ones on the subset sum problem”. Hmmm. What’s the best quantum subset-sum exponent?

  8. � � Interlude: Algorithm design Textbook algorithm analysis: Proof of correctness New algorithm Proof of run time Mislead students into thinking that best algorithm = best proven algorithm.

  9. Reality: state-of-the-art cryptanalytic algorithms are almost never proven.

  10. Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!”

  11. Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!” Consensus of the experts: proofs probably do not exist for most of these algorithms. So demanding proofs is silly.

  12. Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!” Consensus of the experts: proofs probably do not exist for most of these algorithms. So demanding proofs is silly. Without proofs, how do we analyze correctness+speed? Answer: Real algorithm analysis relies critically on heuristics and computer experiments .

  13. What about quantum algorithms? Want to analyze, optimize quantum algorithms today to figure out safe crypto against future quantum attack.

  14. What about quantum algorithms? Want to analyze, optimize quantum algorithms today to figure out safe crypto against future quantum attack. 1. Simulate tiny q. computer? ✮ Huge extrapolation errors.

  15. What about quantum algorithms? Want to analyze, optimize quantum algorithms today to figure out safe crypto against future quantum attack. 1. Simulate tiny q. computer? ✮ Huge extrapolation errors. 2. Faster algorithm-specific simulation? Yes, sometimes.

  16. What about quantum algorithms? Want to analyze, optimize quantum algorithms today to figure out safe crypto against future quantum attack. 1. Simulate tiny q. computer? ✮ Huge extrapolation errors. 2. Faster algorithm-specific simulation? Yes, sometimes. 3. Fast trapdoor simulation. Simulator (like prover) knows more than the algorithm does.

  17. Quantum search (0.5) Assume that function ❢ has ♥ -bit input, unique root. Generic brute-force search finds this root using ✙ 2 ♥ evaluations of ❢ . 1996 Grover method finds this root using ✙ 2 0 ✿ 5 ♥ quantum evaluations of ❢ on superpositions of inputs. Cost of quantum evaluation of ❢ ✙ cost of evaluation of ❢ if cost counts qubit “operations”.

  18. Easily adapt to handle different # of roots, and # not known in advance. Faster if # is large, but typically # is not very large. Most interesting: # ✷ ❢ 0 ❀ 1 ❣ .

  19. Easily adapt to handle different # of roots, and # not known in advance. Faster if # is large, but typically # is not very large. Most interesting: # ✷ ❢ 0 ❀ 1 ❣ . Apply to the function ❏ ✼✦ Σ( ❏ ) � t where Σ( ❏ ) = P ✐ ✷ ❏ ① ✐ . Cost 2 0 ✿ 5 ♥ to find root (i.e., to find indices of subsequence of ① 1 ❀ ✿ ✿ ✿ ❀ ① ♥ with sum t ) or to decide that no root exists. We suppress poly factors in cost.

  20. Algorithm details for unique root: Represent ❏ ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ as an integer between 0 and 2 ♥ � 1. ♥ bits are enough space to store one such integer. ♥ qubits store much more, a superposition over sets ❏ : 2 ♥ complex amplitudes ❛ 0 ❀ ✿ ✿ ✿ ❀ ❛ 2 ♥ � 1 with ❥ ❛ 0 ❥ 2 + ✁ ✁ ✁ + ❥ ❛ 2 ♥ � 1 ❥ 2 = 1. Measuring these ♥ qubits has chance ❥ ❛ ❏ ❥ 2 to produce ❏ . Start from uniform superposition, i.e., ❛ ❏ = 1 ❂ 2 ♥❂ 2 for all ❏ .

  21. Step 1: Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , ❜ ❏ = ❛ ❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . This is also easy. Repeat steps 1 and 2 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  22. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 0 steps: 1.0 0.5 0.0 −0.5 −1.0

  23. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after Step 1: 1.0 0.5 0.0 −0.5 −1.0

  24. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after Step 1 + Step 2: 1.0 0.5 0.0 −0.5 −1.0

  25. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after Step 1 + Step 2 + Step 1: 1.0 0.5 0.0 −0.5 −1.0

  26. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 2 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  27. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 3 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  28. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 4 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  29. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 5 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  30. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 6 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  31. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 7 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  32. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 8 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  33. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 9 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  34. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 10 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  35. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 11 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  36. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 12 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  37. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 13 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  38. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 14 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  39. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 15 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  40. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 16 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  41. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 17 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  42. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 18 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

  43. Graph of ❏ ✼✦ ❛ ❏ for 36634 example with ♥ = 12 after 19 ✂ (Step 1 + Step 2): 1.0 0.5 0.0 −0.5 −1.0

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499 852 1927 2535 3596 3608 D. J. Bernstein 4688 5989 6385 7353 7650 9413) University of Illinois at

2.02k views • 163 slides
W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99 Given a sequence of integers a 1 , . . . , a n and a parameter k , NP-completeness of Subset Sum, Partition, Minimum Bin Packing. Decide

214 views • 3 slides
Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische Universiteit Eindhoven

1.2k views • 89 slides
Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer

Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer

NEW CS 473: Theory II, Fall 2015 Subset Sum Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer positive num- bers, t - target number Question: subset of X s.t. sum of its elements is t ? Lecture 10

200 views • 8 slides
Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and

Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and

Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and Permutation Graphs Charis Papadopoulos Spyridon Tzimas 21st International Symposium on Fundamentals of Computation Theory - FCT 2017 Bordeaux, France,

1.5k views • 103 slides
Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of

Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of

Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of numbers S. and a target number t. We have to determine of the exists a subset of S such that the summation of the numbers present in the subset is

353 views • 11 slides
Quantum Algorithms for the k -xor Problem Lorenzo Grassi 1 , Mara Naya-Plasencia 2 , Andr

Quantum Algorithms for the k -xor Problem Lorenzo Grassi 1 , Mara Naya-Plasencia 2 , Andr

Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Quantum Algorithms for the k -xor Problem Lorenzo Grassi 1 , Mara Naya-Plasencia 2 , Andr Schrottenloher 2 1 IAIK, Graz University of Technology, Austria 2 Inria, France December

428 views • 24 slides
Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum

Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum

Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum algorithm? Classical Quantum 0101101 the rules: solve problem using sequence of local quantum gates the goal: use fewer gates than

1.11k views • 37 slides
Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees

Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees

Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees Trees Richard Cleve Dmitry Gavinsky D. L. Yonge-Mallo Institute for Quantum Computing, University of Waterloo January 30, 2008 TQC Tokyo,

842 views • 34 slides
Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES -

Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES -

Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES - Arquitectura e C alculo May 2019 Quantum Algorithms The Deutsch-Jozsa Algorithm Quantum Search: Grover A quantum machine Structure of a quantum

1.08k views • 29 slides
Quantum Versions of k-CSP The Need for . . . k -CSP problems Algorithms: a First Step Known

Quantum Versions of k-CSP The Need for . . . k -CSP problems Algorithms: a First Step Known

Outline General Problem of . . . Probabilistic and . . . Interval . . . Additional Problem: . . . Quantum Versions of k-CSP The Need for . . . k -CSP problems Algorithms: a First Step Known Algorithm for . . . Sch onings Algorithm . .

622 views • 15 slides
Backtracking And Branch And Bound Subset & Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset & Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset & Permutation Problems Subset problem of size n. Nonsystematic search of the space for the answer takes O(p2 n ) time, where p is the time needed to evaluate each member of the solution space.

65 views • 5 slides
Backtracking And Branch And Bound Subset & Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset & Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset & Permutation Problems Subset problem of size n. Nonsystematic search of the space for the answer takes O(p2 n ) time, where p is the time needed to evaluate each member of the solution space.

310 views • 4 slides
New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr Schrottenloher 2 Joint work with Andr Chailloux 2 and Lorenzo Grassi

1.63k views • 65 slides
Advanced Algorithms Knapsack Problem Instance : n items i =1,2, ..., n ;

Advanced Algorithms Knapsack Problem Instance : n items i =1,2, ..., n ;

Advanced Algorithms Knapsack Problem Instance : n items i =1,2, ..., n ; weights w 1 , w 2 , ..., w n + ; values v 1 , v 2 , ..., v n + ; knapsack capacity B + ; Find a subset of items whose total

647 views • 45 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Computer Architecture Summer 2020 Instruction Set Architecture (ISA) and Assembly Language Tyler

Computer Architecture Summer 2020 Instruction Set Architecture (ISA) and Assembly Language Tyler

ECE/CS 250 Computer Architecture Summer 2020 Instruction Set Architecture (ISA) and Assembly Language Tyler Bletsch Duke University Slides are derived from work by Daniel J. Sorin (Duke), Alvy Lebeck (Duke), and Amir Roth (Penn) Instruction

1.05k views • 86 slides
Drupal, Alexa, and Big Mouth Billy Bass Walk into a baR Amber Matz & Blake Hall DrupalCon

Drupal, Alexa, and Big Mouth Billy Bass Walk into a baR Amber Matz & Blake Hall DrupalCon

Drupal, Alexa, and Big Mouth Billy Bass Walk into a baR Amber Matz & Blake Hall DrupalCon Baltimore April 27, 2017 About us Amber Matz Blake Hall Production Manager and Trainer Senior Developer and Trainer Drupalize.Me Drupalize.Me

1.12k views • 91 slides
Jesuss Stupid Disciples Mike Taylor Forest Community Church Sunday 5 May 2019 Stupid

Jesuss Stupid Disciples Mike Taylor Forest Community Church Sunday 5 May 2019 Stupid

The heart of the matter, part 2: Jesuss Stupid Disciples Mike Taylor Forest Community Church Sunday 5 May 2019 Stupid is a Bible word Stupid is a Bible word It occurs 17 times in the NLT. It occurs 17 times in the NLT.

815 views • 53 slides
Review CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Winter 2017 Final The

Review CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Winter 2017 Final The

Review CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Winter 2017 Final The final is on Thursday, March 23, at 7:00 pm There will be 15 questions and worth 15% of the total grade It will cover the material from the

1.34k views • 93 slides
Virtual Cinematography Theory and Practice for Automatic Real-Time Camera Control and

Virtual Cinematography Theory and Practice for Automatic Real-Time Camera Control and

Virtual Cinematography Theory and Practice for Automatic Real-Time Camera Control and Directing Liwei He Microsoft Research http://research.microsoft.com/users/lhe Motivation There are 3 elements in computer graphics lights, scene

1.35k views • 94 slides
3.064 - Polymer Engineering Time & Place (Fall Term 2007): MWF12, 2-135. Instructor: Prof.

3.064 - Polymer Engineering Time & Place (Fall Term 2007): MWF12, 2-135. Instructor: Prof.

3.064 home page http://web.mit.edu/course/3/3.064/www/ 3.064 - Polymer Engineering Time & Place (Fall Term 2007): MWF12, 2-135. Instructor: Prof. David Roylance, room 6-202, phone 3-3309), email roylance@mit.edu. Office hours: MWF 1-3 pm, TTh

347 views • 7 slides
The Foundations: Logic and Proofs Chapter 1, Part III: Proofs Summary Valid Arguments and Rules

The Foundations: Logic and Proofs Chapter 1, Part III: Proofs Summary Valid Arguments and Rules

The Foundations: Logic and Proofs Chapter 1, Part III: Proofs Summary Valid Arguments and Rules of Inference Proof Methods Proof Strategies Rules of Inference Section 1.6 Section Summary Valid Arguments Inference Rules for Propositional

1.05k views • 78 slides
Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le Goues January 14, 2020 * Course materials developed with Jonathan Aldrich (c) 2020 C. Le Goues 1 Learning objectives Provide a high level

788 views • 50 slides

More recommend