trapdoor simulation of quantum algorithms daniel j
play

Trapdoor simulation of quantum algorithms Daniel J. Bernstein - PDF document

Oct 19, 2023 •202 likes •598 views

Trapdoor simulation of quantum algorithms Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Algorithms in CS courses WHAT is your

  1. Trapdoor simulation of quantum algorithms Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven

  2. Algorithms in CS courses “WHAT is your algorithm?”

  3. Algorithms in CS courses “WHAT is your algorithm?” “Heapsort. Here’s the code.”

  4. Algorithms in CS courses “WHAT is your algorithm?” “Heapsort. Here’s the code.” “WHAT does it accomplish?”

  5. Algorithms in CS courses “WHAT is your algorithm?” “Heapsort. Here’s the code.” “WHAT does it accomplish?” “It sorts the input array in place. Here’s a proof.”

  6. Algorithms in CS courses “WHAT is your algorithm?” “Heapsort. Here’s the code.” “WHAT does it accomplish?” “It sorts the input array in place. Here’s a proof.” “WHAT is its run time?”

  7. Algorithms in CS courses “WHAT is your algorithm?” “Heapsort. Here’s the code.” “WHAT does it accomplish?” “It sorts the input array in place. Here’s a proof.” “WHAT is its run time?” “ O ( n lg n ) comparisons; and Θ( n lg n ) comparisons for most inputs. Here’s a proof.”

  8. Algorithms in CS courses “WHAT is your algorithm?” “Heapsort. Here’s the code.” “WHAT does it accomplish?” “It sorts the input array in place. Here’s a proof.” “WHAT is its run time?” “ O ( n lg n ) comparisons; and Θ( n lg n ) comparisons for most inputs. Here’s a proof.” “You may pass.”

  9. Algorithms for hard problems Critical question for ECC security: How hard is ECDLP?

  10. Algorithms for hard problems Critical question for ECC security: How hard is ECDLP? Standard estimate for “strong” ECC groups of prime order ‘ : Latest “negating” variants of “distinguished point” rho methods break an average ECDLP instance √ using ≈ 0 : 886 ‘ additions.

  11. Algorithms for hard problems Critical question for ECC security: How hard is ECDLP? Standard estimate for “strong” ECC groups of prime order ‘ : Latest “negating” variants of “distinguished point” rho methods break an average ECDLP instance √ using ≈ 0 : 886 ‘ additions. Is this proven? No! Is this provable? Maybe not!

  12. Algorithms for hard problems Critical question for ECC security: How hard is ECDLP? Standard estimate for “strong” ECC groups of prime order ‘ : Latest “negating” variants of “distinguished point” rho methods break an average ECDLP instance √ using ≈ 0 : 886 ‘ additions. Is this proven? No! Is this provable? Maybe not! So why do we think it’s true?

  13. 2000 Gallant–Lambert–Vanstone: inadequately specified statement of a negating rho algorithm.

  14. 2000 Gallant–Lambert–Vanstone: inadequately specified statement of a negating rho algorithm. 2010 Bos–Kleinjung–Lenstra: a plausible interpretation of that algorithm is non-functional .

  15. 2000 Gallant–Lambert–Vanstone: inadequately specified statement of a negating rho algorithm. 2010 Bos–Kleinjung–Lenstra: a plausible interpretation of that algorithm is non-functional . See 2011 Bernstein–Lange– Schwabe for more history and better algorithms.

  16. 2000 Gallant–Lambert–Vanstone: inadequately specified statement of a negating rho algorithm. 2010 Bos–Kleinjung–Lenstra: a plausible interpretation of that algorithm is non-functional . See 2011 Bernstein–Lange– Schwabe for more history and better algorithms. Why do we believe that the latest algorithms work at the claimed speeds? Experiments!

  17. Similar story for RSA security: we don’t have proofs for the best factoring algorithms.

  18. Similar story for RSA security: we don’t have proofs for the best factoring algorithms. Code-based cryptography: we don’t have proofs for the best decoding algorithms.

  19. Similar story for RSA security: we don’t have proofs for the best factoring algorithms. Code-based cryptography: we don’t have proofs for the best decoding algorithms. Lattice-based cryptography: we don’t have proofs for the best lattice algorithms.

  20. Similar story for RSA security: we don’t have proofs for the best factoring algorithms. Code-based cryptography: we don’t have proofs for the best decoding algorithms. Lattice-based cryptography: we don’t have proofs for the best lattice algorithms. MQ-based cryptography: we don’t have proofs for the best system-solving algorithms.

  21. Similar story for RSA security: we don’t have proofs for the best factoring algorithms. Code-based cryptography: we don’t have proofs for the best decoding algorithms. Lattice-based cryptography: we don’t have proofs for the best lattice algorithms. MQ-based cryptography: we don’t have proofs for the best system-solving algorithms. Confidence relies on experiments.

  22. Where’s my quantum computer? Quantum-algorithm design is moving beyond textbook stage into algorithms without proofs. Example: subset-sum exponent ≈ 0 : 241 from 2013 Bernstein–Jeffery–Lange–Meurer. Don’t expect proofs or provability for the best quantum algorithms to attack post-quantum crypto. How do we obtain confidence in analysis of these algorithms? Quantum experiments are hard.

  23. Where’s my big computer? Analogy: Public hasn’t carried out a 2 80 NFS RSA-1024 experiment.

  24. Where’s my big computer? Analogy: Public hasn’t carried out a 2 80 NFS RSA-1024 experiment. But public has carried out 2 50 , 2 60 , 2 70 NFS experiments. Hopefully not too much extrapolation error for 2 80 .

  25. Where’s my big computer? Analogy: Public hasn’t carried out a 2 80 NFS RSA-1024 experiment. But public has carried out 2 50 , 2 60 , 2 70 NFS experiments. Hopefully not too much extrapolation error for 2 80 . Vastly larger extrapolation for the quantum situation. Imagine attacker performing 2 80 operations on 2 40 qubits; compare to today’s challenges of 2 1 , 2 2 , 2 3 , 2 4 , 2 5 , 2 6 qubits.

  26. Simulation An algorithm simulation is a computer-assisted proof of the algorithm’s performance for a particular input .

  27. Simulation An algorithm simulation is a computer-assisted proof of the algorithm’s performance for a particular input . Compared to traditional proofs: Theorem statement is easier. Steps in proof are easier. Don’t need to generalize beyond a single input. Provability is guaranteed. Proof has computer assistance, so less chance of error.

  28. The standard structure of an algorithm simulation: Compute s 0 ; s 1 ; s 2 ; : : : and t 0 ; t 1 ; t 2 ; : : : such that s i represents algorithm state at time t i . Prove that the computation matches the original algorithm. Special case: experiment. The computation is the original algorithm plus printouts of state. Particularly easy proof.

  29. Simulation of quantum algorithms “If you can efficiently simulate a quantum algorithm using a pre-quantum computer then you have an efficient pre-quantum algorithm for the same problem.”

  30. Simulation of quantum algorithms “If you can efficiently simulate a quantum algorithm using a pre-quantum computer then you have an efficient pre-quantum algorithm for the same problem.” No, not necessarily!

  31. Simulation of quantum algorithms “If you can efficiently simulate a quantum algorithm using a pre-quantum computer then you have an efficient pre-quantum algorithm for the same problem.” No, not necessarily! “Yes, you do! Simply run the simulation on the same input and extract the original algorithm’s output from the final state.”

  32. Simulation of quantum algorithms “If you can efficiently simulate a quantum algorithm using a pre-quantum computer then you have an efficient pre-quantum algorithm for the same problem.” No, not necessarily! “Yes, you do! Simply run the simulation on the same input and extract the original algorithm’s output from the final state.” Ah, but did I say that the simulation takes only this input?

  33. Trapdoor simulation Input to simulation doesn’t have to be input to original algorithm. Simulation can use extra input that makes simulation much faster than original algorithm. Typical example: • Algorithm input: f ( x ). • Algorithm output: x . • Simulation input: x . This is still useful: can try many choices of x , understand algorithm for f ( x ).

  34. For comparison: Often see x inside proofs in traditional algorithm analyses. Typical proof has formula ( x; i ) �→ ( s i ; t i ). Formula is proven inductively. Simulation is more flexible. Given x , for each i , simulation computes ( s i ; t i ). Doesn’t need unified formula that works for all x; i . Proof can work “locally”.

  35. Proof of concept 2014.04 Chou → Ambainis: Simulation shows error in proof of 2003 Ambainis distinctness algorithm.

  36. Proof of concept 2014.04 Chou → Ambainis: Simulation shows error in proof of 2003 Ambainis distinctness algorithm. Ambainis: Yes, thanks, will fix.

  37. Proof of concept 2014.04 Chou → Ambainis: Simulation shows error in proof of 2003 Ambainis distinctness algorithm. Ambainis: Yes, thanks, will fix. 2014.04 Chou → Childs: Simulation shows that 2003 Childs–Eisenberg distinctness algorithm is non-functional; need to take half angle.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm? Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische

922 views • 70 slides
Quantum algorithms Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm

Quantum algorithms Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm

1 Quantum algorithms Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction is in a quantum computers

1.42k views • 138 slides
Quantum algorithms Daniel J. Bernstein Quantum algorithm means an algorithm that a

Quantum algorithms Daniel J. Bernstein Quantum algorithm means an algorithm that a

1 Quantum algorithms Daniel J. Bernstein Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction is in a quantum computers supported instruction set. How do we

1.53k views • 135 slides
Asymptotically faster quantum algorithms to solve multivariate quadratic equations Daniel J.

Asymptotically faster quantum algorithms to solve multivariate quadratic equations Daniel J.

Asymptotically faster quantum algorithms to solve multivariate quadratic equations Daniel J. Bernstein, Bo-Yin Yang https://eprint.iacr.org/2017/1206.pdf Asymptotically faster quantum algorithms to solve multivariate quadratic equations Daniel

702 views • 45 slides
Introduction to quantum algorithms and introduction to code-based cryptography Daniel J.

Introduction to quantum algorithms and introduction to code-based cryptography Daniel J.

Introduction to quantum algorithms and introduction to code-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Data (state) stored in n bits: an element of { 0 ; 1 } n ,

1.97k views • 138 slides
Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees

Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees

Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees Trees Richard Cleve Dmitry Gavinsky D. L. Yonge-Mallo Institute for Quantum Computing, University of Waterloo January 30, 2008 TQC Tokyo,

842 views • 34 slides
Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES -

Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES -

Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES - Arquitectura e C alculo May 2019 Quantum Algorithms The Deutsch-Jozsa Algorithm Quantum Search: Grover A quantum machine Structure of a quantum

1.08k views • 29 slides
Superconducting qubits for analogue quantum simulation Gerhard Kirchmair Workshop on Quantum

Superconducting qubits for analogue quantum simulation Gerhard Kirchmair Workshop on Quantum

Superconducting qubits for analogue quantum simulation Gerhard Kirchmair Workshop on Quantum Science and Quantum Technologies ICTP Trieste September 13 th 2017 Experiments in Innsbruck on cQED Quantum Simulation using cQED Quantum

670 views • 44 slides
Toward the first quantum simulation with quantum speedup Andrew Childs University of Maryland

Toward the first quantum simulation with quantum speedup Andrew Childs University of Maryland

Toward the first quantum simulation with quantum speedup Andrew Childs University of Maryland Dmitri Maslov Yuan Su Yunseong Nam Neil Julien Ross arXiv:1711.10980; PNAS 2018 Toward practical quantum speedup IBM Google/UCSB Delft

1.05k views • 77 slides
Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum

Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum

Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum algorithm? Classical Quantum 0101101 the rules: solve problem using sequence of local quantum gates the goal: use fewer gates than

1.11k views • 37 slides
New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr Schrottenloher 2 Joint work with Andr Chailloux 2 and Lorenzo Grassi

1.63k views • 65 slides
Quantum Device Simulation 30A MOS CV Curve Quantum Currents and PHEMTs Introduction

Quantum Device Simulation 30A MOS CV Curve Quantum Currents and PHEMTs Introduction

Quantum Device Simulation 30A MOS CV Curve Quantum Currents and PHEMTs Introduction Why a Quantum Mechanical based simulator is necessary Introduction to QM issues and theory Implementation and syntax Practicalities of use

356 views • 19 slides
Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein

Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies Daniel J. Bernstein Tanja Lange Chloe Martindale Lorenz Panny quantum.isogeny.org Key bits where all known attacks take 2 operations (naive serial attack metric,

412 views • 16 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein,

Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein,

1 Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein, Henry de Valence, Tanja Lange, Christine van Vredendaal. Short generators without quantum computers: the case of multiquadratics. Eurocrypt

1.13k views • 97 slides
Classical simulation of linear optics subject to (nonuniform) losses Micha l Oszmaniec and

Classical simulation of linear optics subject to (nonuniform) losses Micha l Oszmaniec and

Classical simulation of linear optics subject to (nonuniform) losses Micha l Oszmaniec and Daniel Brod 51st Symposium on Mathematical Physics, Toru n, 16 June 2019 Daniel Brod (UFF Niteroi) Motivation: Quantum Computational Supremacy

823 views • 64 slides
"I Can't Pay That!": S ocial S ecurity Overpayments and Low-Income Clients Kate

"I Can't Pay That!": S ocial S ecurity Overpayments and Low-Income Clients Kate

"I Can't Pay That!": S ocial S ecurity Overpayments and Low-Income Clients Kate Lang, S enior S taff Attorney Trinh Phan, S enior S taff Attorney February 22, 2017 Justice in Aging is a national organization that uses the

701 views • 34 slides
Search George Konidaris gdk@cs.duke.edu Spring 2016 (pictures: Wikipedia) Search Basic to

Search George Konidaris gdk@cs.duke.edu Spring 2016 (pictures: Wikipedia) Search Basic to

Search George Konidaris gdk@cs.duke.edu Spring 2016 (pictures: Wikipedia) Search Basic to problem solving: How to take action to reach a goal? Search Specifically: Problem can be in various states . Start in an initial state .

822 views • 46 slides
Software Quality Engineering: Testing, Quality Assurance, and Quantifiable Improvement Jeff

Software Quality Engineering: Testing, Quality Assurance, and Quantifiable Improvement Jeff

Slide (Ch.15) 1 Software Quality Engineering Software Quality Engineering: Testing, Quality Assurance, and Quantifiable Improvement Jeff Tian, tian@engr.smu.edu www.engr.smu.edu/ tian/SQEbook Chapter 15. Formal Verification General

539 views • 26 slides
Course Objective : to teach you some data structures and associated algorithms INF421, Lecture 4

Course Objective : to teach you some data structures and associated algorithms INF421, Lecture 4

Course Objective : to teach you some data structures and associated algorithms INF421, Lecture 4 Evaluation : TP not en salle info le 16 septembre, Contrle la fin. Sorting Note: max( CC, 3 4 CC + 1 4 TP ) Organization : fri 26/8, 2/9, 9/9,

345 views • 10 slides
On SI -groups R. R. Andruszkiewicz and M. Woronowicz University of Bia lystok 20.06.2014 M.

On SI -groups R. R. Andruszkiewicz and M. Woronowicz University of Bia lystok 20.06.2014 M.

On SI -groups R. R. Andruszkiewicz and M. Woronowicz University of Bia lystok 20.06.2014 M. Woronowicz (University of Bia lystok) On SI -gropus 20.06.2014 1 / 19 Preliminaries For an arbitrary abelian group A and a prime number p we

1.02k views • 42 slides
Optimal Distribution Testing via Reductions Ilias Diakonikolas USC Joint work with Daniel Kane

Optimal Distribution Testing via Reductions Ilias Diakonikolas USC Joint work with Daniel Kane

Optimal Distribution Testing via Reductions Ilias Diakonikolas USC Joint work with Daniel Kane (UCSD) Distribution Testing Given samples from one or more unknown probability distributions, decide whether they satisfy a certain property.

887 views • 26 slides
Horn clauses A literal is an atomic formula or its negation A clause is a disjunction of

Horn clauses A literal is an atomic formula or its negation A clause is a disjunction of

Horn clauses A literal is an atomic formula or its negation A clause is a disjunction of literals A Horn clause is a clause with exactly one positive literal A Horn formula is a conjunctive normal form formula whose clauses are

347 views • 13 slides
More on functions Modified from materials by Mark Hansen, STAT 202a Functional programming

More on functions Modified from materials by Mark Hansen, STAT 202a Functional programming

More on functions Modified from materials by Mark Hansen, STAT 202a Functional programming Functional programming takes inspiration from the work of Princeton mathematician Alonzo Church on the lambda calculus While the lambda calculus is a

411 views • 30 slides

More recommend