quantum circuits for the csidh optimizing quantum
play

Quantum circuits for the CSIDH: optimizing quantum evaluation of - PowerPoint PPT Presentation

Dec 20, 2023 •213 likes •499 views

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein Tanja Lange Chloe Martindale Lorenz Panny quantum.isogeny.org Non-interactive key exchange Alice: secret a , public aG . Bob: secret b , public bG

  1. Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein Tanja Lange Chloe Martindale Lorenz Panny quantum.isogeny.org

  2. Non-interactive key exchange Alice: secret a , public aG . Bob: secret b , public bG . Shared secret a ( bG ) = ( ab ) G = ( ba ) G = b ( aG ). quantum.isogeny.org Daniel J. Bernstein

  3. Non-interactive key exchange Alice: secret a , public aG . Bob: secret b , public bG . Shared secret a ( bG ) = ( ab ) G = ( ba ) G = b ( aG ). DH: 1976 Diffie–Hellman. ECDH: 1985 Miller, 1987 Koblitz. Cost poly( λ ) for pre-quantum security level 2 λ ( assuming that the best attacks known are optimal). quantum.isogeny.org Daniel J. Bernstein

  4. Non-interactive key exchange Alice: secret a , public aG . Bob: secret b , public bG . Shared secret a ( bG ) = ( ab ) G = ( ba ) G = b ( aG ). DH: 1976 Diffie–Hellman. ECDH: 1985 Miller, 1987 Koblitz. Cost poly( λ ) for pre-quantum security level 2 λ ( assuming that the best attacks known are optimal). Fast addition of public keys → post-quantum break. quantum.isogeny.org Daniel J. Bernstein

  5. Non-interactive key exchange Alice: secret a , public aG . Bob: secret b , public bG . Shared secret a ( bG ) = ( ab ) G = ( ba ) G = b ( aG ). DH: 1976 Diffie–Hellman. ECDH: 1985 Miller, 1987 Koblitz. Cost poly( λ ) for pre-quantum security level 2 λ ( assuming that the best attacks known are optimal). Fast addition of public keys → post-quantum break. CRS: 2006 Rostovtsev–Stolbunov, 2006 Couveignes. CSIDH: 2018 Castryck-Lange-Martindale-Panny-Renes. Cost poly( λ ) for pre-quantum security level 2 λ . quantum.isogeny.org Daniel J. Bernstein

  6. Non-interactive key exchange Alice: secret a , public aG . Bob: secret b , public bG . Shared secret a ( bG ) = ( ab ) G = ( ba ) G = b ( aG ). DH: 1976 Diffie–Hellman. ECDH: 1985 Miller, 1987 Koblitz. Cost poly( λ ) for pre-quantum security level 2 λ ( assuming that the best attacks known are optimal). Fast addition of public keys → post-quantum break. CRS: 2006 Rostovtsev–Stolbunov, 2006 Couveignes. CSIDH: 2018 Castryck-Lange-Martindale-Panny-Renes. Cost poly( λ ) for pre-quantum security level 2 λ . Cost poly( λ ) for post-quantum security level 2 λ . quantum.isogeny.org Daniel J. Bernstein

  7. Encryption systems with small public keys PKE doesn’t require NIKE: e.g., 2011 SIDH/SIKE. quantum.isogeny.org Daniel J. Bernstein

  8. Encryption systems with small public keys PKE doesn’t require NIKE: e.g., 2011 SIDH/SIKE. Key bits where all known attacks take 2 λ operations (naive serial attack metric, ignoring memory cost): pre-quantum post-quantum SIDH, SIKE (24 + o (1)) λ (36 + o (1)) λ compressed (14 + o (1)) λ (21 + o (1)) λ CRS, CSIDH (4 + o (1)) λ superlinear ECDH (2 + o (1)) λ exponential quantum.isogeny.org Daniel J. Bernstein

  9. Encryption systems with small public keys PKE doesn’t require NIKE: e.g., 2011 SIDH/SIKE. Key bits where all known attacks take 2 λ operations (naive serial attack metric, ignoring memory cost): pre-quantum post-quantum SIDH, SIKE (24 + o (1)) λ (36 + o (1)) λ compressed (14 + o (1)) λ (21 + o (1)) λ CRS, CSIDH (4 + o (1)) λ superlinear ECDH (2 + o (1)) λ exponential Subexp 2010 Childs–Jao–Soukharev attack, using 2003 Kuperberg or 2004 Regev or 2011 Kuperberg. quantum.isogeny.org Daniel J. Bernstein

  10. Major questions What CSIDH key sizes are needed for post-quantum security level 2 64 ? 2 96 ? 2 128 ? quantum.isogeny.org Daniel J. Bernstein

  11. Major questions What CSIDH key sizes are needed for post-quantum security level 2 64 ? 2 96 ? 2 128 ? Subexp attack: many quantum CSIDH queries. • How many queries do these attacks perform? 2011 Kuperberg supersedes previous papers. quantum.isogeny.org Daniel J. Bernstein

  12. Major questions What CSIDH key sizes are needed for post-quantum security level 2 64 ? 2 96 ? 2 128 ? Subexp attack: many quantum CSIDH queries. • How many queries do these attacks perform? 2011 Kuperberg supersedes previous papers. • How is attack affected by occasional errors and non-uniform distributions over the group? quantum.isogeny.org Daniel J. Bernstein

  13. Major questions What CSIDH key sizes are needed for post-quantum security level 2 64 ? 2 96 ? 2 128 ? Subexp attack: many quantum CSIDH queries. • How many queries do these attacks perform? 2011 Kuperberg supersedes previous papers. • How is attack affected by occasional errors and non-uniform distributions over the group? • How expensive is each CSIDH query? See our paper —full 56-page version online, with detailed analysis and many optimizations. quantum.isogeny.org Daniel J. Bernstein

  14. Major questions What CSIDH key sizes are needed for post-quantum security level 2 64 ? 2 96 ? 2 128 ? Subexp attack: many quantum CSIDH queries. • How many queries do these attacks perform? 2011 Kuperberg supersedes previous papers. • How is attack affected by occasional errors and non-uniform distributions over the group? • How expensive is each CSIDH query? See our paper —full 56-page version online, with detailed analysis and many optimizations. • What about memory, using parallel AT metric? quantum.isogeny.org Daniel J. Bernstein

  15. Verifying quantum costs on your laptop We provide software to compute CSIDH group action using bit operations. Automatic tallies of nonlinear ops (AND, OR), linear ops (XOR, NOT). quantum.isogeny.org Daniel J. Bernstein

  16. Verifying quantum costs on your laptop We provide software to compute CSIDH group action using bit operations. Automatic tallies of nonlinear ops (AND, OR), linear ops (XOR, NOT). Generic conversions: sequence of bit ops with ≤ B nonlinear ops ⇒ sequence of reversible ops with ≤ 2 B Toffoli ops quantum.isogeny.org Daniel J. Bernstein

  17. Verifying quantum costs on your laptop We provide software to compute CSIDH group action using bit operations. Automatic tallies of nonlinear ops (AND, OR), linear ops (XOR, NOT). Generic conversions: sequence of bit ops with ≤ B nonlinear ops ⇒ sequence of reversible ops with ≤ 2 B Toffoli ops ⇒ sequence of quantum gates with ≤ 14 B T -gates. quantum.isogeny.org Daniel J. Bernstein

  18. Verifying quantum costs on your laptop We provide software to compute CSIDH group action using bit operations. Automatic tallies of nonlinear ops (AND, OR), linear ops (XOR, NOT). Generic conversions: sequence of bit ops with ≤ B nonlinear ops ⇒ sequence of reversible ops with ≤ 2 B Toffoli ops ⇒ sequence of quantum gates with ≤ 14 B T -gates. Building confidence in correctness of output: 1. Compare output to Sage script for CSIDH. 2. Generating-function analysis of exact error rates. Compare to experiments with noticeable error rates. quantum.isogeny.org Daniel J. Bernstein

  19. Case study: one CSIDH-512 query CSIDH-512 query, uniform over {− 5 , . . . , 5 } 74 , error rate < 2 − 32 (maybe ok), nonlinear bit ops: ≈ 2 51 by 2018 Jao–LeGrow–Leonardi–Ruiz-Lopez. quantum.isogeny.org Daniel J. Bernstein

  20. Case study: one CSIDH-512 query CSIDH-512 query, uniform over {− 5 , . . . , 5 } 74 , error rate < 2 − 32 (maybe ok), nonlinear bit ops: ≈ 2 51 by 2018 Jao–LeGrow–Leonardi–Ruiz-Lopez. 1118827416420 ≈ 2 40 by our Algorithm 7.1. quantum.isogeny.org Daniel J. Bernstein

  21. Case study: one CSIDH-512 query CSIDH-512 query, uniform over {− 5 , . . . , 5 } 74 , error rate < 2 − 32 (maybe ok), nonlinear bit ops: ≈ 2 51 by 2018 Jao–LeGrow–Leonardi–Ruiz-Lopez. 1118827416420 ≈ 2 40 by our Algorithm 7.1. 765325228976 ≈ 0 . 7 · 2 40 by our Algorithm 8.1. quantum.isogeny.org Daniel J. Bernstein

  22. Case study: one CSIDH-512 query CSIDH-512 query, uniform over {− 5 , . . . , 5 } 74 , error rate < 2 − 32 (maybe ok), nonlinear bit ops: ≈ 2 51 by 2018 Jao–LeGrow–Leonardi–Ruiz-Lopez. 1118827416420 ≈ 2 40 by our Algorithm 7.1. 765325228976 ≈ 0 . 7 · 2 40 by our Algorithm 8.1. ⇒ ≈ 2 43 . 3 T -gates using ≈ 2 40 qubits. quantum.isogeny.org Daniel J. Bernstein

  23. Case study: one CSIDH-512 query CSIDH-512 query, uniform over {− 5 , . . . , 5 } 74 , error rate < 2 − 32 (maybe ok), nonlinear bit ops: ≈ 2 51 by 2018 Jao–LeGrow–Leonardi–Ruiz-Lopez. 1118827416420 ≈ 2 40 by our Algorithm 7.1. 765325228976 ≈ 0 . 7 · 2 40 by our Algorithm 8.1. ⇒ ≈ 2 43 . 3 T -gates using ≈ 2 40 qubits. Can do ≈ 2 45 . 3 T -gates using ≈ 2 20 qubits. quantum.isogeny.org Daniel J. Bernstein

  24. Case study: one CSIDH-512 query CSIDH-512 query, uniform over {− 5 , . . . , 5 } 74 , error rate < 2 − 32 (maybe ok), nonlinear bit ops: ≈ 2 51 by 2018 Jao–LeGrow–Leonardi–Ruiz-Lopez. 1118827416420 ≈ 2 40 by our Algorithm 7.1. 765325228976 ≈ 0 . 7 · 2 40 by our Algorithm 8.1. ⇒ ≈ 2 43 . 3 T -gates using ≈ 2 40 qubits. Can do ≈ 2 45 . 3 T -gates using ≈ 2 20 qubits. Total gates ( T +Clifford): ≈ 2 46 . 9 . quantum.isogeny.org Daniel J. Bernstein

  25. Case study: one CSIDH-512 query CSIDH-512 query, uniform over {− 5 , . . . , 5 } 74 , error rate < 2 − 32 (maybe ok), nonlinear bit ops: ≈ 2 51 by 2018 Jao–LeGrow–Leonardi–Ruiz-Lopez. 1118827416420 ≈ 2 40 by our Algorithm 7.1. 765325228976 ≈ 0 . 7 · 2 40 by our Algorithm 8.1. ⇒ ≈ 2 43 . 3 T -gates using ≈ 2 40 qubits. Can do ≈ 2 45 . 3 T -gates using ≈ 2 20 qubits. Total gates ( T +Clifford): ≈ 2 46 . 9 . Variations in 512, {− 5 , . . . , 5 } , 2 − 32 : see paper. quantum.isogeny.org Daniel J. Bernstein

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein Tanja Lange Chloe Martindale Lorenz Panny quantum.isogeny.org Key bits where all known attacks take 2 operations (naive serial attack metric,

412 views • 16 slides
Optimizing quantum circuits with classical thinking Craig Gidney Google Quantum AI QPL/MFPS

Optimizing quantum circuits with classical thinking Craig Gidney Google Quantum AI QPL/MFPS

Optimizing quantum circuits with classical thinking Craig Gidney Google Quantum AI QPL/MFPS 2018 Goal: explain section 3-D of arXiv:1805.03662 [...] [...] Key ideas we'll cover 1. Cost of error corrected quantum computation 2. Preparing

993 views • 45 slides
[&quot;si:saId] Why CSIDH? Drop-in post-quantum replacement for (EC)DH.

[&quot;si:saId] Why CSIDH? Drop-in post-quantum replacement for (EC)DH.

CSIDH : An Efficient Post-Quantum Commutative Group Action Wouter Castryck 1 Tanja Lange 2 Chloe Martindale 2 Lorenz Panny 2 Joost Renes 3 1 KU Leuven 2 TU Eindhoven 3 Radboud Universiteit Brisbane, 6 December 2018 [&quot;si:saId] Why CSIDH?

934 views • 57 slides
Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum Cryptanalysis of Post-Quantum Cryptography Simons Institute 24 February 2020 1 / 16 He Gives C-Sieves on the CSIDH Chris Peikert University of Michigan

1.61k views • 85 slides
Sparse Quantum Codes from Quantum Circuits Steve Flammia QEC 2014 15 December 2014 ETH Zrich

Sparse Quantum Codes from Quantum Circuits Steve Flammia QEC 2014 15 December 2014 ETH Zrich

Sparse Quantum Codes from Quantum Circuits Steve Flammia QEC 2014 15 December 2014 ETH Zrich Joint work with D Bacon, A W Harrow, and J Shi arxiv:1411.3334 Quantum Error Correction Quantum error correction allows us to deal with the

641 views • 28 slides
Quantum circuits: From Structure to Software Aleks Kissinger Quantum Natural Language Processing,

Quantum circuits: From Structure to Software Aleks Kissinger Quantum Natural Language Processing,

Quantum circuits: From Structure to Software Aleks Kissinger Quantum Natural Language Processing, Oxford 2020 Aleks Kissinger QNLP 2020 1 / 34 Quantum software 1. := the code the runs on a quantum computer factoring search physical

1.09k views • 73 slides
Classical simulations of quantum circuits Resource-theoretic approach to quantum computing Kamil

Classical simulations of quantum circuits Resource-theoretic approach to quantum computing Kamil

Classical simulations of quantum circuits Resource-theoretic approach to quantum computing Kamil Korzekwa Faculty of Physics, Astronomy and Applied Computer Science, Jagiellonian University, Poland Outline 1. Motivation 2. Background 3.

492 views • 18 slides
Quantum Computation and Quantum Circuits Robert Spalek, CWI September 18, 2003 1 Classical

Quantum Computation and Quantum Circuits Robert Spalek, CWI September 18, 2003 1 Classical

Quantum Computation and Quantum Circuits Robert Spalek, CWI September 18, 2003 1 Classical computation deterministic computer in 1 state at each moment parallel computation modelled by circuits: &amp; &amp; x 1 x 2 x 3 x 4

307 views • 14 slides
Leonardo DiCarlo Leonardo DiCarlo Superconducting quantum circuits: Superconducting quantum

Leonardo DiCarlo Leonardo DiCarlo Superconducting quantum circuits: Superconducting quantum

Leonardo DiCarlo Leonardo DiCarlo Superconducting quantum circuits: Superconducting quantum circuits: Circuit QED Circuit QED Circuit QED: Cavity QED with wires Josephson-junction qubits Transmission-line resonators mediate

435 views • 12 slides
Optimizing the fundamental limits for quantum communication Xin Wang Baidu Research TQC 2020

Optimizing the fundamental limits for quantum communication Xin Wang Baidu Research TQC 2020

Optimizing the fundamental limits for quantum communication Xin Wang Baidu Research TQC 2020 arXiv:1912.00931 Quantum capacity of a quantum channel l The quantum capacity of a channel N is the number of qubits, on average, that can be

697 views • 14 slides
Q UANTUM G ROUP Introduction Quantum circuits Spiders ZX-calculus MBQC Survey Picturing

Q UANTUM G ROUP Introduction Quantum circuits Spiders ZX-calculus MBQC Survey Picturing

Introduction Quantum circuits Spiders ZX-calculus MBQC Survey Diagrammatic Reasoning and Quantum Computation Aleks Kissinger ACA, Kalamata November 4, 2015 Q UANTUM G ROUP Introduction Quantum circuits Spiders ZX-calculus MBQC

1.19k views • 101 slides
Leonardo DiCarlo Leonardo DiCarlo Superconducting quantum circuits: Superconducting quantum

Leonardo DiCarlo Leonardo DiCarlo Superconducting quantum circuits: Superconducting quantum

Leonardo DiCarlo Leonardo DiCarlo Superconducting quantum circuits: Superconducting quantum circuits: The transmon qubit The transmon qubit Natures quantum bits true qubits effective qubits energy = 1 e = 1 = 0 E 01 g = 0

396 views • 10 slides
Simulation of quantum circuits by ZX-diagram contraction John van de Wetering

Simulation of quantum circuits by ZX-diagram contraction John van de Wetering

Simulation of quantum circuits by ZX-diagram contraction John van de Wetering john@vdwetering.name Institute for Computing and Information Sciences Radboud University Nijmegen September 6, 2019 Holy Trinity of quantum circuits Holy Trinity

794 views • 64 slides
Optimisation and verification of quantum circuits with string diagrams Aleks Kissinger STRING 3;

Optimisation and verification of quantum circuits with string diagrams Aleks Kissinger STRING 3;

Optimisation and verification of quantum circuits with string diagrams Aleks Kissinger STRING 3; Birmingham 2019 Aleks Kissinger STRING 3, 2019 1 / 43 Quantum software 1. := the code the runs on a quantum computer factoring search quantum

1.16k views • 91 slides
Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information

1.95k views • 154 slides
Simulating Quantum Field Theories on a Quantum Computer Stephen Jordan C a n q u a n t u m c o m

Simulating Quantum Field Theories on a Quantum Computer Stephen Jordan C a n q u a n t u m c o m

Simulating Quantum Field Theories on a Quantum Computer Stephen Jordan C a n q u a n t u m c o m p u t e r s s i m u l a t e a l l p h y s i c a l processes efficiently? Universality Conjecture: Quantum circuits can simulate all physical

334 views • 30 slides
Symbolism for Generative Grammars The book chapter gives a good explanation of the background

Symbolism for Generative Grammars The book chapter gives a good explanation of the background

Chapter 12: Context-Free Grammars Peter Cappello Department of Computer Science University of California, Santa Barbara Santa Barbara, CA 93106 cappello@cs.ucsb.edu The corresponding textbook chapter should be read before attending

404 views • 13 slides
Higher connectivity in linear -terms as 3-valent graphs Noam Zeilberger an update on

Higher connectivity in linear -terms as 3-valent graphs Noam Zeilberger an update on

Higher connectivity in linear -terms as 3-valent graphs Noam Zeilberger an update on work-in-progress w/Jason Reed also showcasing some tools by George Kaye SYCO 5 @ bham! 4-sep-2019 [Background] A few views on linear &amp; planar

690 views • 54 slides
CSC421/2516 Lecture 6: Automatic Differentiation Roger Grosse and Jimmy Ba Roger Grosse and

CSC421/2516 Lecture 6: Automatic Differentiation Roger Grosse and Jimmy Ba Roger Grosse and

CSC421/2516 Lecture 6: Automatic Differentiation Roger Grosse and Jimmy Ba Roger Grosse and Jimmy Ba CSC421/2516 Lecture 6: Automatic Differentiation 1 / 25 Overview Implementing backprop by hand is like programming in assembly language.

508 views • 25 slides
The Role of the Business Analyst in Change - the skills and tactics required (Strategy v Delivery)

The Role of the Business Analyst in Change - the skills and tactics required (Strategy v Delivery)

The Role of the Business Analyst in Change - the skills and tactics required (Strategy v Delivery) Objectives to stimulate and facilitate discussion on how Business Analysts gain earlier and continuing engagement and involvement in Change. Lasts

700 views • 12 slides
Bayesian Inference for Parameter Estimation + Topic Modeling Matt Gormley Lecture 20 Nov. 4,

Bayesian Inference for Parameter Estimation + Topic Modeling Matt Gormley Lecture 20 Nov. 4,

10-418 / 10-618 Machine Learning for Structured Data Machine Learning Department School of Computer Science Carnegie Mellon University Bayesian Inference for Parameter Estimation + Topic Modeling Matt Gormley Lecture 20 Nov. 4, 2019 1

579 views • 57 slides
The K-FAC method for neural network optimization James Martens Thanks to my various

The K-FAC method for neural network optimization James Martens Thanks to my various

The K-FAC method for neural network optimization James Martens Thanks to my various collaborators on K-FAC research and engineering: Roger Grosse, Jimmy Ba, Vikram Tankasali, Matthew Johnson, Daniel Duckworth, Zack Nado, and many more!

537 views • 41 slides
The Demographics of Web Search Ingmar Weber, Carlos Castillo Yahoo! Research Barcelona Warm-up

The Demographics of Web Search Ingmar Weber, Carlos Castillo Yahoo! Research Barcelona Warm-up

The Demographics of Web Search Ingmar Weber, Carlos Castillo Yahoo! Research Barcelona Warm-up DEMO The DEMOgraphics of a query ofine slides http://adlab.microsoft.com/Demographics-Prediction/DP UI.aspx - 2 - How the Data was Obtained Q

389 views • 23 slides
E0358 Uday Kumar Reddy B uday@csa.iisc.ernet.in Dept of CSA, Indian Institute of Science,

E0358 Uday Kumar Reddy B uday@csa.iisc.ernet.in Dept of CSA, Indian Institute of Science,

E0358 Uday Kumar Reddy B uday@csa.iisc.ernet.in Dept of CSA, Indian Institute of Science, Bangalore, India A course on advanced compilation at Dept of CSA IISc 1/104 R ESEARCH IN P ROGRAMMING AND C OMPILER T ECHNOLOGIES Current: C, C++,

1.67k views • 145 slides

More recommend