Quantum Computing. Jim Royer, CIS 675 Algorithms, April 24, 2019



slide-1
SLIDE 1

Quantum Computing

Jim Royer

CIS 675 Algorithms

April 24, 2019

Crypto (CIS 675) Quantum Computing April 24, 2019 1 / 1

slide-2
SLIDE 2

References

A Physics-Free Introduction to the Quantum Computation Model by Stephen A. Fenner.
https://arxiv.org/abs/cs/0304008
(. . . more importantly, it is complex analysis free)

The Talk by Scott Aaronson and Zach Weinersmith,
http://www.smbc-comics.com/comic/the-talk-3
(There is tons of misleading hype about quantum computing. This is a good, double-entendre-filled, dehyping.)

Quantum Computing Since Democritus by Scott Aaronson
https://www.scottaaronson.com/democritus/
(This connects quantum computing to the wider world while being rather goofy.)


slide-3
SLIDE 3

Quantum Computing and Cryptography

Given RSA with key size k, it can be broken by a computer with quantum register size ≈ k.⋆

Similarly with discrete-log-based cryptosystems.

There are lattice-based and other post-quantum cryptosystems that quantum computers seemingly cannot break better than classical computers.

We will cover enough about quantum computing to give you a glimpse of what is behind all the fuss.

This is based on A Physics-Free Introduction to the Quantum Computation Model by Stephen A. Fenner. https://arxiv.org/abs/cs/0304008.

⋆Assuming that you can build a reliable quantum computer of that size.


slide-4
SLIDE 4

Classical Boolean Circuits, I

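We view them as naming maps $\{0,1\}^n \to \{0,1\}^n$.

[Figure: an AND gate drawn on two wires. The control wire carries $a$ in and $a$ out; the target wire carries $b$ in and $a \wedge b$ out. Current flows from left to right.]

Consider:

[Figure: a three-wire circuit with inputs $a$, $b$, $c$ and outputs $\neg a$, $(a \wedge b) \vee c$, $c$.]

We can describe this by either of:

$b \leftarrow a \wedge b$; $a \leftarrow \neg a$; $b \leftarrow b \vee c$

($|x, y, z\rangle$ = state vector)

$|a, b, c\rangle \to |a, a \wedge b, c\rangle \to |\neg a, a \wedge b, c\rangle \to |\neg a, (a \wedge b) \vee c, c\rangle$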


slide-5
SLIDE 5

Classical Boolean Circuits, II

Input/Output Conventions

The first k registers are input, 0 ≤ k ≤ n.
The first ℓ registers are output, 0 ≤ ℓ ≤ n.
Each non-input register is assigned 0 or 1.

[Figure: a circuit using an ∨ gate to realize $a \to (a, a)$.]


slide-6
SLIDE 6

Uniform Computation

A circuit family, C, is a sequence of circuits $C_0, C_1, C_2, \ldots$ such that for each i, $C_i$ has i inputs and 1 output.

$L(C) =_{\text{def}} \{\, w : |w| = n \ \&\ C_n(w) = 1 \,\}$. L(C) is the language defined by C.

A circuit family is ptime uniform ⟺ ∃ a poly-time alg D such that for all i, $D(\underbrace{1 \ldots 1}_{i \text{ many}})$ = a description of $C_i$.

FACT: P = the languages accepted by ptime uniform circuit families.


slide-7
SLIDE 7

Reversible Circuits, I

Reversible circuits have inverses.

The controlled not gate (CNOT): $(a, b) \to (a, a \oplus b)$

The Toffoli gate: $(a, b, c) \to (a, b, c \oplus (a \wedge b))$, where $\odot(x, y, z) = z \oplus (x \wedge y)$

Reversible circuits do not collapse states. (Why?)


slide-8
SLIDE 8

Reversible Circuits, II

CNOT Gate

input   output
0 0     0 0
0 1     0 1
1 0     1 1
1 1     1 0

Toffoli Gate

input   output
0 0 0   0 0 0
0 0 1   0 0 1
0 1 0   0 1 0
0 1 1   0 1 1
1 0 0   1 0 0
1 0 1   1 0 1
1 1 0   1 1 1
1 1 1   1 1 0

0 and 1 are the interesting bits.


slide-9
SLIDE 9

Probabilistic Circuits, I

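The Biased Coin-Flip Gate – p, q –

input   output
0       0: p    1: (1 − p)
1       0: q    1: (1 − q)

$|v\rangle$: $2^n$ basis vectors

Our new state space: $\mathcal{H}$, a $2^n$-dim. real vector space ($\mathcal{H}$ for Hilbert space)

[Figure: wires $x_1, \ldots, x_i, \ldots, x_n$ with a p, q gate on wire $x_i$.]

$|x_{1..i-1}, 0, x_{i+1..n}\rangle \to p \cdot |x_{1..i-1}, 0, x_{i+1..n}\rangle + (1 - p) \cdot |x_{1..i-1}, 1, x_{i+1..n}\rangle$

$|x_{1..i-1}, 1, x_{i+1..n}\rangle \to q \cdot |x_{1..i-1}, 0, x_{i+1..n}\rangle + (1 - q) \cdot |x_{1..i-1}, 1, x_{i+1..n}\rangle$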


slide-10
SLIDE 10

Probabilistic Circuits, II

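Consider the subspace spanned by $|0\rangle$ and $|1\rangle$.

[Figure: the plane with axes $|0\rangle$ and $|1\rangle$, showing the points $p|0\rangle + (1 - p)|1\rangle$ and $q|0\rangle + (1 - q)|1\rangle$ on the line segment between the two basis vectors.]

The gate p, q always maps the line segment from (1,0) to (0,1) to itself. We can also represent the p, q gate by the matrix:

$\begin{pmatrix} p & q \\ 1 - p & 1 - q \end{pmatrix}$

This is a stochastic matrix: all entries ≥ 0, all columns sum to 1.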


slide-11
SLIDE 11

Probabilistic Circuits: Gates as Linear Maps

The irreversible AND gate is:

a b     a  a ∧ b
0 0     0  0
0 1     0  0
1 0     1  0
1 1     1  1

As a matrix (columns are indexed by the input a b, rows by the output):

a b   00  01  10  11
00     1   1   0   0
01     0   0   0   0
10     0   0   1   0
11     0   0   0   1

◮ All entries are 0–1
◮ One 1 in each col
◮ ∴ Stochastic

Reversible gates are permutation matrices! (Why?)

Definition

A probabilistic circuit is a circuit built from Boolean & p, q gates, where:

The input state is a basis state.
The output state is of the form $\sum_{x \in \{0,1\}^n} p_x |x\rangle$ such that (i) each $p_x \geq 0$ and (ii) $\sum p_x = 1$.
$p_x$ = the probability that the output will be $|x\rangle$.


slide-12
SLIDE 12

“Majority Coin Flips” Circuit

[Figure: a circuit in which three 1/2, 1/2 gates feed a network of ∧ and ∨ gates.]

1/2, 1/2 = flip of a fair coin


slide-13
SLIDE 13

A Complexity-Theoretic Aside

$C = C_0, C_1, C_2, \ldots$: a ptime uniform probabilistic circuit family

(R, A) is an acceptance criterion when R, A ⊂ [0, 1] with R ∩ A = ∅. (R for reject, A for accept)

C computes L with acceptance criterion (R, A) when for each n and each $x \in \{0,1\}^n$:

$x \in L \implies \mathrm{Prob}[C_n(x) = 1] \in A$
$x \notin L \implies \mathrm{Prob}[C_n(x) = 1] \in R$

Class   Acceptance Criterion
P       ({ 0 }, { 1 })
NP      ({ 0 }, (0, 1])
RP      ({ 0 }, (1/2, 1])
BPP     ([0, q], [1 − q, 1]) where 0 < q < 1/2
PP      ([0, 1/2], (1/2, 1])


slide-14
SLIDE 14

Quantum Circuits (à la Fenner), I

states = vectors in $\mathcal{H}$
gates = matrices

Now allow negative entries in matrices. (But all real numbers)

Now require: $\|Mv\|_2 = \|v\|_2$ for all $v$.

Note: $\|a\|_2 =_{\text{def}} \sqrt{a_1^2 + \cdots + a_n^2}$

This forces the matrices to be orthonormal, i.e., their columns form an orthogonal basis of $\mathcal{H}$.

Registers are now called qubits (quantum bits) instead of bits.

The Hadamard gate, – H –, has the matrix:

$\frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$ (see the next slide)

$H|0\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$.

$H|1\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$.

Note: $H^2 = I$.

Fact: { H, Toffoli gates } are a universal collection of quantum gates.

The p, q gates now correspond to measurements.


slide-15
SLIDE 15

Hadamard Gate Geometrically

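[Figure: the plane with axes $|0\rangle$ and $|1\rangle$, showing the vectors $(|0\rangle + |1\rangle)/\sqrt{2}$ and $(|0\rangle - |1\rangle)/\sqrt{2}$.]

1. Transpose around the x-axis: $(x, y) \to (x, -y)$
2. Then do a +45° rotation.

$H|0\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$.

$H|1\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$.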


slide-16
SLIDE 16

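Quantum Circuits (à la Fenner), II

QCF (Quantum Coin Flip)

This is a variation on the Hadamard gate.

$\mathrm{QCF} = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & -1 \\ 1 & 1 \end{pmatrix}$

Note that $(\mathrm{QCF})^2 = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}$ = the not gate, up to the sign of one entry.

So, QCF = √NOT, the square root of not.

Quantum I/O

Input: basis states
Output: $\sum_{x \in \{0,1\}^n} a_x |x\rangle$
Note: $\sum a_x^2 = 1$
$a_x^2$ = the probability associated with $|x\rangle$
$a_x$ = the probability amplitude for $|x\rangle$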
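The difference between probabilities and amplitudes shows up when the same one-bit gate is applied twice. The sketch below is an added example, not code from the slides; the function names are assumptions. It compares the 1/2, 1/2 coin-flip gate with the Hadamard and QCF matrices given above.

```python
import math

S = 1 / math.sqrt(2)
FAIR_COIN = [[0.5, 0.5], [0.5, 0.5]]   # the 1/2, 1/2 gate: stochastic, columns sum to 1
H = [[S, S], [S, -S]]                  # Hadamard gate, as on the slides
QCF = [[S, -S], [S, S]]                # quantum coin flip, as on the slides

def matmul(A, B):
    """Product of two square matrices given as lists of rows."""
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def apply(M, v):
    """Apply gate matrix M to state vector v."""
    return [sum(m * x for m, x in zip(row, v)) for row in M]

def outcome_probs(v, quantum):
    """Probabilistic states hold probabilities directly; quantum states hold
    amplitudes, and the probability of a basis state is its amplitude squared."""
    return [round(x * x, 12) if quantum else round(x, 12) for x in v]

def flip_twice(gate, quantum):
    """Start in |0>, apply the same gate twice, return the output distribution."""
    return outcome_probs(apply(gate, apply(gate, [1.0, 0.0])), quantum)

def is_norm_preserving(M, v):
    """Check the requirement ||Mv||_2 = ||v||_2 for one vector v."""
    norm = lambda u: math.sqrt(sum(x * x for x in u))
    return math.isclose(norm(apply(M, v)), norm(v))

if __name__ == "__main__":
    print("fair coin twice:", flip_twice(FAIR_COIN, quantum=False))  # still a coin flip
    print("QCF twice:      ", flip_twice(QCF, quantum=True))         # amplitudes cancel
    print("H twice:        ", flip_twice(H, quantum=True))           # back to |0>
    print("QCF squared:    ", [[round(x, 12) for x in r] for r in matmul(QCF, QCF)])
```

Two classical coin flips leave the bit random, while two quantum coin flips give a definite answer because the amplitudes for |0⟩ cancel.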


slide-17
SLIDE 17

Another Complexity-Theoretic Aside

If we use quantum circuits, then:

Class   Description                              Acceptance Criterion
EQP     Exact quantum polynomial time            ({ 0 }, { 1 })
C=P     Co-Exact-Counting Polynomial-Time        ({ 0 }, (0, 1])
RQP     One-sided Error Extension of EQP         ({ 0 }, (1/2, 1])
BQP     Bounded-Error Quantum Polynomial-Time    ([0, 1/n), ((n−1)/n, 1])
PP      Probabilistic Polynomial-Time            ([0, 1/2], (1/2, 1])

See: https://complexityzoo.uwaterloo.ca/Complexity_Zoo


slide-18
SLIDE 18

“Traditional” Quantum Circuits

In place of vector spaces over R, we use vector spaces over C. In place of orthonormal matrices, we use unitary matrices. Etc., etc. See §6 of Fenner for details. Past this point, we shall be even sketchier than before. . . . so, we won’t digress into complex linear algebra.


slide-19
SLIDE 19

Towards Shor’s Algorithm: Number Theory Facts, I

Suppose we want to factor N (assuming N isn’t prime).

(a) If we find an $x \in \{2, \ldots, N - 2\}$ with $x^2 \equiv 1 \pmod{N}$, then we can factor N. (Why?)

(b) If we can find an a and an even r with:

(i) gcd(a, N) = 1,
(ii) $a^r \equiv 1 \pmod{N}$, and
(iii) $a^{r/2} \not\equiv \pm 1 \pmod{N}$,

then we can factor N. (Why?)


slide-20
SLIDE 20

Towards Shor’s Algorithm: Number Theory Facts, I


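(a) Suppose 1 < x < N − 1 and $x^2 \equiv 1 \pmod{N}$. Then $N \mid (x^2 - 1)$, i.e., $N \mid (x - 1)(x + 1)$. Since 1 < x < N − 1, neither x − 1 = 0 nor x + 1 = N. So gcd(N, x − 1) > 1 or gcd(N, x + 1) > 1, and since both x − 1 and x + 1 are less than N, such a gcd is a nontrivial factor of N.

(b) Use (a) with $x = a^{r/2} \bmod N$.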

slide-21
SLIDE 21

Towards Shor’s Algorithm: Number Theory Facts, II

Heuristic Procedure for Factoring

Input N.
Pick $a \in_{\text{ran}} \{2, \ldots, N - 2\}$.
If gcd(a, N) > 1, return gcd(a, N). (* It is a (nontrivial) factor *)
(* So, gcd(a, N) = 1 *)
Find the smallest r > 0 with $a^r \equiv 1 \pmod{N}$. (* Expensive classically *)
If r is odd or $a^{r/2} \equiv -1 \pmod{N}$, then: return FAILURE
else: use the trick of the previous page to compute a factor of N
      return this factor.

FACT: If $N = p_1^{k_1} \cdots p_s^{k_s}$ where $p_1, \ldots, p_s$ are distinct primes and s > 1, then

$\mathrm{Prob}[\text{the procedure succeeds on } N] \geq 1 - \frac{1}{2^{s-1}} \geq \frac{1}{2}$.

So repeating the procedure on N not too many times will find us a factor (with high probability). BUT the best known classical methods for finding r are exponential time.
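The procedure above, written out as an added Python example (not code from the slides). The order r is found by brute force, which is the exponential-time step that Shor's algorithm replaces; the function names and the sample modulus 3233 = 53 · 61 are constructed for illustration.

```python
import math
import random

def multiplicative_order(a, N):
    """Smallest r > 0 with a^r = 1 (mod N), by brute force.
    Requires gcd(a, N) = 1; the loop length grows exponentially in the bit length of N."""
    r, power = 1, a % N
    while power != 1:
        power = (power * a) % N
        r += 1
    return r

def try_factor(N, a):
    """One round of the heuristic procedure for a fixed a.
    Returns a nontrivial factor of N, or None for FAILURE."""
    g = math.gcd(a, N)
    if g > 1:
        return g                       # a already shares a factor with N
    r = multiplicative_order(a, N)     # the step a quantum computer would take over
    if r % 2 == 1:
        return None                    # r is odd: FAILURE
    x = pow(a, r // 2, N)
    if x == N - 1:
        return None                    # a^(r/2) = -1 (mod N): FAILURE
    # x^2 = 1 (mod N) with x not congruent to +1 or -1, so fact (a) applies:
    # N divides (x - 1)(x + 1) but neither term, hence the gcd is a proper factor.
    return math.gcd(N, x - 1)

def factor(N, rng, max_rounds=50):
    """Repeat the procedure with random a until it succeeds; returns (f, N // f)."""
    for _ in range(max_rounds):
        f = try_factor(N, rng.randint(2, N - 2))
        if f is not None:
            return f, N // f
    return None

if __name__ == "__main__":
    print(try_factor(15, 7))                 # r = 4, x = 4, gcd(15, 3) = 3
    print(try_factor(15, 14))                # a^(r/2) = -1 (mod 15): FAILURE
    print(try_factor(21, 4))                 # r = 3 is odd: FAILURE
    print(factor(3233, random.Random(0)))    # constructed toy modulus 53 * 61
```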


slide-22
SLIDE 22

Peter Shor’s Clever Idea (One of Many)

Heuristic Procedure for Factoring

Input N.
Pick $a \in_{\text{ran}} \{2, \ldots, N - 2\}$.
If gcd(a, N) > 1, return gcd(a, N).
Find the smallest r > 0 with $a^r \equiv 1 \pmod{N}$. (* PROBLEM *)
If r is odd or $a^{r/2} \equiv -1 \pmod{N}$, then: return FAILURE
else: compute a factor of N and return it

Use QC to find r. That is:

Consider $1, a^1, a^2, a^3, \ldots \pmod{N}$. If $a^r \equiv 1 \pmod{N}$, then the sequence repeats every r terms.

∴ Finding the period of the sequence finds r.

In signal processing, Fourier transforms are used to find periods.


slide-23
SLIDE 23

Quantum Fourier Transform

$\mathrm{QFT}(|x\rangle) =_{\text{def}} \frac{1}{\sqrt{2^m}} \sum_{c \in \{0,1\}^m} e^{2\pi i x c / 2^m} \, |c\rangle$

This can be realized as a quantum circuit. We’ll come back to the properties of this thing shortly.


slide-24
SLIDE 24

Shor’s Factoring Algorithm, I

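$|0 \ldots 0, 0 \ldots 0\rangle$ (m + n long)

↓

$\frac{1}{\sqrt{2}} \left( |00 \ldots 0, 0 \ldots 0\rangle + |10 \ldots 0, 0 \ldots 0\rangle \right)$

↓ . . . ↓

$\frac{1}{\sqrt{2^m}} \sum_{c \in \{0,1\}^m} |c, 0 \ldots 0\rangle$ (superposition of $2^m$ states)

↓

$\frac{1}{\sqrt{2^m}} \sum_{c \in \{0,1\}^m} |c, a^c \bmod n\rangle$

. . . ↓

QFT( – )

Now what???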


slide-25
SLIDE 25

Shor’s Factoring Algorithm, II

When you measure $\sum_i a_i |x_i\rangle$ you get state $|x_i\rangle$ with probability $a_i^2$.

Thanks to QFT, states near the period have pretty high probability.

∴ Measure, test, and refine.

See: Shor’s Quantum Factoring Algorithm by Samuel J. Lomonaco,

https://arxiv.org/abs/quant-ph/0010034

A similar trick (using QFT) can compute discrete logs.
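The "measure, test, and refine" loop can be simulated classically for toy sizes. The sketch below is an added example, not code from the slides: it computes the exact measurement distribution of the first register after the QFT and tests each likely outcome as a candidate period. The function names, the instances (a = 7, N = 15 and a = 2, N = 21), and the choice of m with 2^m ≥ N² are assumptions of this example.

```python
import cmath
from fractions import Fraction

def first_register_distribution(a, N, m):
    """Distribution of the first register after applying the QFT to
    (1/sqrt(2^m)) * sum_c |c, a^c mod N>."""
    M = 2 ** m
    groups = {}                        # value of a^c mod N -> exponents c producing it
    for c in range(M):
        groups.setdefault(pow(a, c, N), []).append(c)
    probs = []
    for out in range(M):
        total = 0.0
        for cs in groups.values():     # different second-register values do not interfere
            amp = sum(cmath.exp(2j * cmath.pi * c * out / M) for c in cs) / M
            total += abs(amp) ** 2
        probs.append(total)
    return probs

def most_likely(probs, k):
    """Indices of the k most probable measurement outcomes, in increasing order."""
    return sorted(sorted(range(len(probs)), key=lambda i: -probs[i])[:k])

def candidate_period(out, m, a, N):
    """Measure, test: approximate out / 2^m by a fraction with denominator < N
    and check whether that denominator d satisfies a^d = 1 (mod N)."""
    d = Fraction(out, 2 ** m).limit_denominator(N - 1).denominator
    return d if pow(a, d, N) == 1 else None   # None: measure again (refine)

if __name__ == "__main__":
    a, N, m = 2, 21, 9                 # constructed toy instance; 2 has period 6 mod 21
    probs = first_register_distribution(a, N, m)
    for out in most_likely(probs, 6):
        print(out, round(probs[out], 3), candidate_period(out, m, a, N))
```

Outcomes cluster at multiples of 2^m / r; some of them yield only a divisor of r, fail the test, and call for another measurement.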


slide-26
SLIDE 26

Quantum Algorithms Beyond Shor’s

Grover’s Algorithm

Suppose that $C : \{0,1\}^n \to \{0,1\}$ is such that C(s) = 1 for only one $s \in \{0,1\}^n$. Classically, finding this s takes $\Theta(2^n)$ time. Using QFT trickery, one can do this in $\Theta(\sqrt{2^n})$ time. This is the best known quantum algorithm besides Shor’s. For other quantum algorithms, see:

https://en.wikipedia.org/wiki/Quantum_algorithm

The takeaway is that quantum computers are magic bullets, but only for some fairly special problems. As factoring and discrete-log are among these special problems, cryptography must respond, e.g., with lattice-based cryptosystems.


slide-27
SLIDE 27
slide-28
SLIDE 28

Quantum Supremacy

. . . we hope to hasten the day when well controlled quantum systems can perform tasks surpassing what can be done in the classical world. One way to achieve such “quantum supremacy” would be to run an algorithm on a quantum computer which solves a problem with a super-polynomial speedup relative to classical computers, but there may be other ways that can be achieved sooner, such as simulating exotic quantum states of strongly correlated matter.

From the abstract of Quantum Computing and the Entanglement Frontier John Preskill, 2012 https://arxiv.org/abs/1203.5813

We may be getting closer, but we are not there yet. See https://podcasts.ox.ac.uk/strachey-lecture-quantum-supremacy.
