a quantum computer operates on qubits
TRANSCRIPT
-
8/2/2019 A Quantum Computer Operates on Qubits
1/13
A quantum computer operates on qubits, or quantum bits. Conceptually, a
qubit is simply the quantum analog of a classical bit. The strange rules of quantum
mechanics, however, endow qubits with some interesting properties that have no
counterparts in the classical world. Two properties in particular interest us. The
first is that a qubit can exist not just in one state or another, but in a superposition
of different states. When we measure a qubit that is in a superposition of states, we
force the collapse of the wave function and from that point onward the qubit will
be in only one of the states. Just which state the superposition collapses into
depends on the amplitudes of the various states in the superposition. In order to
convey this more clearly, we introduce a standard notation used to represent these
concepts.
The state of a single qubit alone can be thought of as a unit vector in a two-
dimensional vector space with basis {|0, |1}. Here {|0, |1} are orthogonal
vectors representing quantum states such as spin up and spin down or vertical and
horizontal polarization. A qubit can be in state |0 orin state |1, but it can also be
in a superposition x|0+y|1 of the two states. The complex amplitudes x and y
determine which state we will see if we make a measurement. When an observer
measures a qubit in this superposition, the probability that the observer will see
state |0 is |x|2 and the probability of seeing |1 is |y|
2. Note that because x|0 + y|1
is a unit vector, the sum |x|2 + |y|2 must be equal to 1.
-
8/2/2019 A Quantum Computer Operates on Qubits
2/13
The second quantum-mechanical property that interests us is quantum
entanglement, which ties qubits inextricably to each other over the course of
operations. Because qubits can be entangled and interfere with each other,
the state of a multiple-qubit system cannot be represented generally as a linear
combination of the state vectors of each qubit the interactions between each pair of
qubits is as relevant as the state of each qubit itself. The state of the system, then,
cannot be described in terms of a simple Cartesian product of the individual
spaces, but rather a tensor product.
One other property of quantum computers that is notable for its difference
from classical computation is that all operations are reversible. On one level, this is
due to the fact that classical computations dissipate heat, and with it information,
whereas quantum operations dissipate no heat and therefore retain all information
across each calculation. Since reversible quantum gates exist that permit the full
complement of familiar logical operations, however, this point need not concern
us.
-
8/2/2019 A Quantum Computer Operates on Qubits
3/13
Classical Cryptography
According to the Auguste Kerckhoffs, the security of entire cryptosystem
relies on the secrecy of secret key which means the Eve is having the knowledge of
entire algorithm only the thing he dont know is the key. Depending on the number
of keys used in the cryptosystem, it is classified into two groups: symmetric and
asymmetric. Symmetric cryptosystems are the one which uses the single key for
encryption and decryption process. Thus, in order to use such a cryptosystem the
Alice and Bob must agree on a single secret key and this key agreement requires an
expensive secure channel. As it makes no sense to use the unsecure public channel
for secret key agreement. If one party simply chooses some key and sends it
encrypted to the other party, then which key should be used to encrypt the other
key in the first place? This dilemma is known as the key agreement problem, and it
was long considered unsolvable.
Diffie and Hellman
However, Diffie and Hellman found a simple way to avoid this dilemma,
making use of the hardness of the discrete logarithm problem. Diffie and
Hellmans secret-key agreement protocol enables Alice and Bob to agree on a joint
secret key by communicating over a public channel, and even though eve
intercepts each bit transmitted she is not able to determine the secret key, provided
that discrete logarithms are hard to compute. The Diffie and Hellman approach for
secret-key sharing over a public insecure channel is as follows:
This technique makes use of the apparent difficulty of computing logarithms
over a finite field GF(q) with a prime number q of elements. Let
Y = aX mod q,
Each user generates an independent random number Xi chosen uniformly
each keeps Xi secret but share
Yi = aXi mod q
-
8/2/2019 A Quantum Computer Operates on Qubits
4/13
and when they require to communicate they calculate the secret key as
follows:
Kij = aXiXj mod q
Calculation of Y from X is easy, taking at most 2 * log2q multiplications,
whereas computing X from Y, on the other hand can be much more difficult and,
for certain carefully chosen values of q, requires on the order of q1/2 operations.
The security of this technique depends crucially on the difficulty of computing
logarithms mod q, and if an algorithm whose complexity grew as log2q were to be
found, our system would be broken. Thus, if logs mod q is easily computed the
system can be broken.
A major disadvantage of symmetric ciphers is the sharing of secret key
between every pairs of user which becomes a hectic process when a
communication group is very large. In principle, for a group of n users, the total n
(n + 1) / 2 secret keys are required to be generated. Public-key cryptosystems, also
called asymmetric cryptosystems, circumvent this key distribution problem as
follows: Instead of having one key for every pair of parties, only one pair of keys
per party is needed to communicate securely. Diffie and Hellman proposed the
principle idea of public key for encryption and a private key for decryption.
Hardness in RSA
The first public-key cryptosystem that appeared is the RSA system[2], name
after its three inventors, Ron Rivest, Adi Shamir, and Leonard Adleman. The
public cryptosystem are based on so called (trapdoor) one-way functions, functions
that are easy to compute but hard to invert. Unfortunately, it is a central open
question whether one-way functions exist.
To communicate through the public cryptosystem the Alice creates two
keys, for encryption and decryption. Her encryption key is public, but Alice keeps
her decryption key as private. Each time Bob wants to communicate with Alice, he
-
8/2/2019 A Quantum Computer Operates on Qubits
5/13
looks up her public key and uses it to encrypt his message. Since only Alice knows
her private key, she alone can decrypt the ciphertext, that is, invert the encryption
function, which is oneway.
One more advantage of using a RSA is the authentication; the Alice can
digitally sign the document using its private key which can be verified using the
Alice public key.
RSA works as follows:
1. Selecting two prime numbers p and q.2. Calculate n = p * q.3. Calculate (n) = (p -1) * (q - 1).4. Select integer function such that gcd((n), e) = 1; 1 < e < (n).5. Calculate d = e-1 mod (n).6. Public key PU = {e, n}7. Private key PR = {d, n}
The security of the RSA underlies in the complexity of factoring the number
n. While factoring large numbers is not provably difficult, it is a well-known
problem that has been worked on for more than three hundred years by many
famous mathematicians. Fermat, Legendre developed factoring algorithms.
Factoring n would enable an enemy cryptanalyst to break the RSA. The
factors of n enable him to compute (n) and thus d. Fortunately, factoring a
number seems to be much more difficult than determining whether it is prime orcomposite.
A.Factoring NFactoring n would enable an enemy cryptanalyst to \break" our method. The
factors of n enable him to compute _(n) and thus d. Fortunately, factoring a
-
8/2/2019 A Quantum Computer Operates on Qubits
6/13
number seems to be much more di_cult than determining whether it is prime or
composite.
The fastest factoring algorithm can factor n in approximately
() (()) ()()
= ()()(())
steps.
B.Computing (n) without factoring nIf a cryptanalyst could compute (n) then he could break the system by
computing d as the multiplicative inverse of e modulo (n).
This approach is no easier than factoring n since it enables the cryptanalyst
to easily factor n using (n). This approach to factoring n has not turned out to be
practical.
How can n be factored using (n)? First, (p + q) is obtained from n and
(n) = n - (p + q) + 1. Then (p - q) is the square root of (p + q) 2 - 4n. Finally, q is
half the difference of (p + q) and (p - q).
Therefore breaking our system by computing (n) is no easier than
breaking our system by factoring n.
-
8/2/2019 A Quantum Computer Operates on Qubits
7/13
Shors Algorithm
Shors algorithm, proposed by Peter Shor in 1994, is a quantum algorithm used to
factor an integer and can be applied to cracking RSA. The first efficient algorithm
to attack the factoring of the product of two large prime numbers, Shor's algorithm
sparked a great deal of interest among the scientific community in the quantum
computing field.
Some properties of quantum computation that will be useful for constructing
algorithms for quantum machines.
Fact 1:
A deterministic computation is performable on a quantum computer if andonly if it is reversible. From results on reversible computation, we can compute
any polynomial time function f(a) as long as we keep the input, a on the machine.
To erase a and replace it with f(a) we need in addition that f is ont-to-one and that a
is computable in polynomial time from f(a); i.e., that both f and f-1 are polynomial-
time computable.
Fact 2:
Any polynomial size unitary matrix can be approximated using a polynomial
number of elementary unitary transformations and thus can be approximated in
polynomial time on a quantum computer. Further, this approximation is good
enough so as to introduce at most a bounded probability of error into results of the
computation.
Discrete Log:
The discrete log problem is: given a prime p, a generator g of the
multiplicative group (mod p) and x (mod p), find an r such that gr = x (mod p).
The algorithm starts with x, g and p on the tape (i.e., in the quantum memory
of our machine.) Then trying to compute r such that gr = x (mod p). Since it will
-
8/2/2019 A Quantum Computer Operates on Qubits
8/13
never delete them, x, g, and p are constants, and it will specify a state of our
machine by the other contents of the tape.
The algorithm starts out by choosing numbers a and b (mod p - 1)
uniformly, so the state of the machine after this step is
.
The algorithm next computes gax-b(mod p) reversibly, so it must keep the
values a and b on the tape. The state of the machine is now
( )
now it will use the unitary transformation Ap-1 to map a -> c and b -> d with
certain amplitude. As this is the unitary transformation, and since p -1 is smooth it
can be accomplished in polynomial time on a quantum machine.
Then it will compute the probability that the computation ends with machine
in state |c, d, y with y = gk (mod p). This probability is the absolute value of the
square of the square of the sum over all ways the machine could produce this state,
or where the sum is over all a, b satisfying arb = k (modp1). This computation
aries from the fact that computation paths can only interfere when they give the
same y = garb = gk(mod p).
Factoring:
The algorithm for factoring is similar to the one for the general case of
discrete log, only somewhat simpler.
Instead of giving a quantum computer algorithm to factor n, we will give a
quantum computer algorithm for finding the order of an element x in the
-
8/2/2019 A Quantum Computer Operates on Qubits
9/13
multiplicative group (mod n); that is, the least integer r such that x r = 1(mod n).
There is a randomized reduction from factoring to the order of an element.
To factor an odd number n, given a method for computing the order of an
element, we choose a random x, find the order rx of x, and compute gcd(xrx/2 - 1, n)
This fails to give a non-trivial divisor of n only if r x is odd or if xrx/2 = -1(mod n).
Using this criterion, it has been shown that the algorithm finds a factor of n with
probability at least 1 a/2k, where k is the number of distinct prime factors of n.
This scheme will work as long as n is not a prime power; however, factoring prime
powers can be done efficiently with classical method.
To achieve these results, Shor's algorithm breaks down the factoring
problem to an order-finding problem because an order finding problem can be
computed concurrently. Once it is reduced to an order-find problem, the algorithm
uses quantum Fourier transforms to find the period. The Quantum Fourier
Transform is the reason for the computational speedup because the problem can be
broken up and calculated simultaneously. The Big O of Shor's Algorithm for
factoring an integer N is O((logN)^3) time with a O(log N) space. This is a huge
accomplishment because on a classical computer there is no algorithm that can
solve the factoring problem in polynomial time. This is a huge accomplishment
because on a classical computer there is no algorithm that can solve the factoring
problem in polynomial time.
Shor's algorithm has been successfully tested on a quantum computer by
IBM in 2001, when they factored 15 to find 3 and 5 [3]. The test was a proof of
concept and the quantum computer used only contained 7 qubits.
-
8/2/2019 A Quantum Computer Operates on Qubits
10/13
Search Problem in Computer Science
Even in theoretical computer science, the typical problem can be looked at
as that of examining a number of different possibilities to see which, if any, of
them satisfy a given condition. This is analogous to the search problem stated in
the summary above, except that usually there exists some structure to the problem,
i.e some sorting does exist on the database. Most interesting problems are
concerned with the effect of this structure on the speed of the algorithm. For
example the SAT problem asks whether it is possible to find any combination of n
binary variables that satisfies a certain set of clauses C, the crucial issue in NP-
completeness is whether it is possible to solve it in time polynomial in n.
In this case there areN=2npossible combinations which have to be searched
for any that satisfy the specified property and the question is whether we can do
that in a time which is polynomial in O(logN), i.e.O(). Thus if it were possibleto reduce the number of steps to a finite power of, it would yield a polynomial time
algorithm for NP-complete problems.
In view of the fundamental nature of the search problem in both theoretical
and applied computer science, it is natural to ask - how fast can the basic
identification problem be solved without assuming anything about the structure of
the problem? It is generally assumed that this limit is since there are Nitems to be
examined and a classical algorithm will clearly take steps. However, quantum
mechanical systems can simultaneously be in multiple Schrodinger cat states and
carry out multiple tasks at the same time. Here is an step algorithm for the search
problem.Algorithm:
Suppose that there exist N = 2n states and each state is labeled by S1, S2, SN. The
states are represented by n bit binary strings. Let F be a Boolean function of the set
of these 2n states. Let there be a unique state, say Sn, that satisfies the condition
-
8/2/2019 A Quantum Computer Operates on Qubits
11/13
C(Sn) = 1, whereas for all other states S, C(S) = 0 (assume that for any state S, the
condition C(S) can be evaluated in unit time). The problem is to identify the state
Sn.
Algorithm:
(i) Initialize the system to the distribution:
,
i.e. there is the same amplitude
to be in each of theNstates. This distribution can be obtained in O (logN) steps,
(ii) Repeat the following unitary operations O() times:
(a) Let the system be in any state S:
In case C(S) = 1, rotate the phase by radians;
In case C(S) = 0, leave the system unaltered.
(b) Apply the diffusion transformD which is defined by the matrixD as
follows:
This diffusion transform, D can be implemented as D = WRW, where R the
rotation matrix & w the Walsh-Hadamard transform Matrix are defined as
follows.
Rij = 0 if i != j;
Rij = 1 if i = 0; Rij = -1 if i = 0;
(iii) Sample the resulting state. In case C(Sv) = 1 there is a unique state Sn
such that the final state is Sn with a probability of at least 0.5.
C.CRYPTANALYSIS USING GROVERs ALGORITHMPlain text attack can be built using the Grovers algorithm.
-
8/2/2019 A Quantum Computer Operates on Qubits
12/13
Let E be a block cipher of key and block size n. Suppose that an attacker is
given an arbitrary pair of a plaintext P and the ciphertext C encrypted by E with a
certain secret key kj . Applying Grovers algorithm, he can find the secret key. For
simplicity, we assume that there exists only one key kj such that C = E (P, kj). As a
matter of fact, there exist several keys satisfying C= E (P, kj) in general.
1. Prepare a pair (P, C) of a plaintext P and a ciphertext C, that is, C = E (P, kj)for some secretkey kj. Define F by
{ () ()
2. Initialize the system by making a superposition of all possible keys (ki) withthe same amplitude. Suppose the key length is 64 bit. There exist N = 264
states representing N keys in the superposition. So we have the
superposition.
3. Iterate 2 step, Note that Kj is the solution of the equation F (k) = 1. PossiblyO () steps are needed.We can reduce the computational cost using the detailed information on
block ciphers. Consider searching a structured database. In a structured database,
each data can be represented by a binary sequence. To obtain information from a
structured database $O(log N) steps are needed, where N is the size of database.
In cryptanalysis of block ciphers, one employs the knowledge of non-
uniformity of the distribution between plaintexts, secret keys and ciphertexts.
Differential cryptanalysis and linear cryptanalysis [7, 8, 10] are such cryptanalysis.
Using non-uniformity of distributions, the size of key space can be reduced. If the
size can be reduced to a tractable size, one can analyze by the brute-force method.
-
8/2/2019 A Quantum Computer Operates on Qubits
13/13
In quantum cryptanalysis, we may do the same. First, we reduce the size of
the searching space by using the (possibly statistical) information on the searching
space.