a quantum computer operates on qubits

8/2/2019 A Quantum Computer Operates on Qubits

1/13

A quantum computer operates on qubits, or quantum bits. Conceptually, a

qubit is simply the quantum analog of a classical bit. The strange rules of quantum

mechanics, however, endow qubits with some interesting properties that have no

counterparts in the classical world. Two properties in particular interest us. The

first is that a qubit can exist not just in one state or another, but in a superposition

of different states. When we measure a qubit that is in a superposition of states, we

force the collapse of the wave function and from that point onward the qubit will

be in only one of the states. Just which state the superposition collapses into

depends on the amplitudes of the various states in the superposition. In order to

convey this more clearly, we introduce a standard notation used to represent these

concepts.

The state of a single qubit alone can be thought of as a unit vector in a two-

dimensional vector space with basis {|0, |1}. Here {|0, |1} are orthogonal

vectors representing quantum states such as spin up and spin down or vertical and

horizontal polarization. A qubit can be in state |0 orin state |1, but it can also be

in a superposition x|0+y|1 of the two states. The complex amplitudes x and y

determine which state we will see if we make a measurement. When an observer

measures a qubit in this superposition, the probability that the observer will see

state |0 is |x|2 and the probability of seeing |1 is |y|

2. Note that because x|0 + y|1

is a unit vector, the sum |x|2 + |y|2 must be equal to 1.


2/13

The second quantum-mechanical property that interests us is quantum

entanglement, which ties qubits inextricably to each other over the course of

operations. Because qubits can be entangled and interfere with each other,

the state of a multiple-qubit system cannot be represented generally as a linear

combination of the state vectors of each qubit the interactions between each pair of

qubits is as relevant as the state of each qubit itself. The state of the system, then,

cannot be described in terms of a simple Cartesian product of the individual

spaces, but rather a tensor product.

One other property of quantum computers that is notable for its difference

from classical computation is that all operations are reversible. On one level, this is

due to the fact that classical computations dissipate heat, and with it information,

whereas quantum operations dissipate no heat and therefore retain all information

across each calculation. Since reversible quantum gates exist that permit the full

complement of familiar logical operations, however, this point need not concern

us.


3/13

Classical Cryptography

According to the Auguste Kerckhoffs, the security of entire cryptosystem

relies on the secrecy of secret key which means the Eve is having the knowledge of

entire algorithm only the thing he dont know is the key. Depending on the number

of keys used in the cryptosystem, it is classified into two groups: symmetric and

asymmetric. Symmetric cryptosystems are the one which uses the single key for

encryption and decryption process. Thus, in order to use such a cryptosystem the

Alice and Bob must agree on a single secret key and this key agreement requires an

expensive secure channel. As it makes no sense to use the unsecure public channel

for secret key agreement. If one party simply chooses some key and sends it

encrypted to the other party, then which key should be used to encrypt the other

key in the first place? This dilemma is known as the key agreement problem, and it

was long considered unsolvable.

Diffie and Hellman

However, Diffie and Hellman found a simple way to avoid this dilemma,

making use of the hardness of the discrete logarithm problem. Diffie and

Hellmans secret-key agreement protocol enables Alice and Bob to agree on a joint

secret key by communicating over a public channel, and even though eve

intercepts each bit transmitted she is not able to determine the secret key, provided

that discrete logarithms are hard to compute. The Diffie and Hellman approach for

secret-key sharing over a public insecure channel is as follows:

This technique makes use of the apparent difficulty of computing logarithms

over a finite field GF(q) with a prime number q of elements. Let

Y = aX mod q,

Each user generates an independent random number Xi chosen uniformly

each keeps Xi secret but share

Yi = aXi mod q


4/13

and when they require to communicate they calculate the secret key as

follows:

Kij = aXiXj mod q

Calculation of Y from X is easy, taking at most 2 * log2q multiplications,

whereas computing X from Y, on the other hand can be much more difficult and,

for certain carefully chosen values of q, requires on the order of q1/2 operations.

The security of this technique depends crucially on the difficulty of computing

logarithms mod q, and if an algorithm whose complexity grew as log2q were to be

found, our system would be broken. Thus, if logs mod q is easily computed the

system can be broken.

A major disadvantage of symmetric ciphers is the sharing of secret key

between every pairs of user which becomes a hectic process when a

communication group is very large. In principle, for a group of n users, the total n

(n + 1) / 2 secret keys are required to be generated. Public-key cryptosystems, also

called asymmetric cryptosystems, circumvent this key distribution problem as

follows: Instead of having one key for every pair of parties, only one pair of keys

per party is needed to communicate securely. Diffie and Hellman proposed the

principle idea of public key for encryption and a private key for decryption.

Hardness in RSA

The first public-key cryptosystem that appeared is the RSA system[2], name

after its three inventors, Ron Rivest, Adi Shamir, and Leonard Adleman. The

public cryptosystem are based on so called (trapdoor) one-way functions, functions

that are easy to compute but hard to invert. Unfortunately, it is a central open

question whether one-way functions exist.

To communicate through the public cryptosystem the Alice creates two

keys, for encryption and decryption. Her encryption key is public, but Alice keeps

her decryption key as private. Each time Bob wants to communicate with Alice, he


5/13

looks up her public key and uses it to encrypt his message. Since only Alice knows

her private key, she alone can decrypt the ciphertext, that is, invert the encryption

function, which is oneway.

One more advantage of using a RSA is the authentication; the Alice can

digitally sign the document using its private key which can be verified using the

Alice public key.

RSA works as follows:

1. Selecting two prime numbers p and q.2. Calculate n = p * q.3. Calculate (n) = (p -1) * (q - 1).4. Select integer function such that gcd((n), e) = 1; 1 < e < (n).5. Calculate d = e-1 mod (n).6. Public key PU = {e, n}7. Private key PR = {d, n}

The security of the RSA underlies in the complexity of factoring the number

n. While factoring large numbers is not provably difficult, it is a well-known

problem that has been worked on for more than three hundred years by many

famous mathematicians. Fermat, Legendre developed factoring algorithms.

Factoring n would enable an enemy cryptanalyst to break the RSA. The

factors of n enable him to compute (n) and thus d. Fortunately, factoring a

number seems to be much more difficult than determining whether it is prime orcomposite.

A.Factoring NFactoring n would enable an enemy cryptanalyst to \break" our method. The

factors of n enable him to compute _(n) and thus d. Fortunately, factoring a


6/13

number seems to be much more di_cult than determining whether it is prime or

composite.

The fastest factoring algorithm can factor n in approximately

() (()) ()()

= ()()(())

steps.

B.Computing (n) without factoring nIf a cryptanalyst could compute (n) then he could break the system by

computing d as the multiplicative inverse of e modulo (n).

This approach is no easier than factoring n since it enables the cryptanalyst

to easily factor n using (n). This approach to factoring n has not turned out to be

practical.

How can n be factored using (n)? First, (p + q) is obtained from n and

(n) = n - (p + q) + 1. Then (p - q) is the square root of (p + q) 2 - 4n. Finally, q is

half the difference of (p + q) and (p - q).

Therefore breaking our system by computing (n) is no easier than

breaking our system by factoring n.


7/13

Shors Algorithm

Shors algorithm, proposed by Peter Shor in 1994, is a quantum algorithm used to

factor an integer and can be applied to cracking RSA. The first efficient algorithm

to attack the factoring of the product of two large prime numbers, Shor's algorithm

sparked a great deal of interest among the scientific community in the quantum

computing field.

Some properties of quantum computation that will be useful for constructing

algorithms for quantum machines.

Fact 1:

A deterministic computation is performable on a quantum computer if andonly if it is reversible. From results on reversible computation, we can compute

any polynomial time function f(a) as long as we keep the input, a on the machine.

To erase a and replace it with f(a) we need in addition that f is ont-to-one and that a

is computable in polynomial time from f(a); i.e., that both f and f-1 are polynomial-

time computable.

Fact 2:

Any polynomial size unitary matrix can be approximated using a polynomial

number of elementary unitary transformations and thus can be approximated in

polynomial time on a quantum computer. Further, this approximation is good

enough so as to introduce at most a bounded probability of error into results of the

computation.

Discrete Log:

The discrete log problem is: given a prime p, a generator g of the

multiplicative group (mod p) and x (mod p), find an r such that gr = x (mod p).

The algorithm starts with x, g and p on the tape (i.e., in the quantum memory

of our machine.) Then trying to compute r such that gr = x (mod p). Since it will


8/13

never delete them, x, g, and p are constants, and it will specify a state of our

machine by the other contents of the tape.

The algorithm starts out by choosing numbers a and b (mod p - 1)

uniformly, so the state of the machine after this step is

.

The algorithm next computes gax-b(mod p) reversibly, so it must keep the

values a and b on the tape. The state of the machine is now

( )

now it will use the unitary transformation Ap-1 to map a -> c and b -> d with

certain amplitude. As this is the unitary transformation, and since p -1 is smooth it

can be accomplished in polynomial time on a quantum machine.

Then it will compute the probability that the computation ends with machine

in state |c, d, y with y = gk (mod p). This probability is the absolute value of the

square of the square of the sum over all ways the machine could produce this state,

or where the sum is over all a, b satisfying arb = k (modp1). This computation

aries from the fact that computation paths can only interfere when they give the

same y = garb = gk(mod p).

Factoring:

The algorithm for factoring is similar to the one for the general case of

discrete log, only somewhat simpler.

Instead of giving a quantum computer algorithm to factor n, we will give a

quantum computer algorithm for finding the order of an element x in the


9/13

multiplicative group (mod n); that is, the least integer r such that x r = 1(mod n).

There is a randomized reduction from factoring to the order of an element.

To factor an odd number n, given a method for computing the order of an

element, we choose a random x, find the order rx of x, and compute gcd(xrx/2 - 1, n)

This fails to give a non-trivial divisor of n only if r x is odd or if xrx/2 = -1(mod n).

Using this criterion, it has been shown that the algorithm finds a factor of n with

probability at least 1 a/2k, where k is the number of distinct prime factors of n.

This scheme will work as long as n is not a prime power; however, factoring prime

powers can be done efficiently with classical method.

To achieve these results, Shor's algorithm breaks down the factoring

problem to an order-finding problem because an order finding problem can be

computed concurrently. Once it is reduced to an order-find problem, the algorithm

uses quantum Fourier transforms to find the period. The Quantum Fourier

Transform is the reason for the computational speedup because the problem can be

broken up and calculated simultaneously. The Big O of Shor's Algorithm for

factoring an integer N is O((logN)^3) time with a O(log N) space. This is a huge

accomplishment because on a classical computer there is no algorithm that can

solve the factoring problem in polynomial time. This is a huge accomplishment

because on a classical computer there is no algorithm that can solve the factoring

problem in polynomial time.

Shor's algorithm has been successfully tested on a quantum computer by

IBM in 2001, when they factored 15 to find 3 and 5 [3]. The test was a proof of

concept and the quantum computer used only contained 7 qubits.


10/13

Search Problem in Computer Science

Even in theoretical computer science, the typical problem can be looked at

as that of examining a number of different possibilities to see which, if any, of

them satisfy a given condition. This is analogous to the search problem stated in

the summary above, except that usually there exists some structure to the problem,

i.e some sorting does exist on the database. Most interesting problems are

concerned with the effect of this structure on the speed of the algorithm. For

example the SAT problem asks whether it is possible to find any combination of n

binary variables that satisfies a certain set of clauses C, the crucial issue in NP-

completeness is whether it is possible to solve it in time polynomial in n.

In this case there areN=2npossible combinations which have to be searched

for any that satisfy the specified property and the question is whether we can do

that in a time which is polynomial in O(logN), i.e.O(). Thus if it were possibleto reduce the number of steps to a finite power of, it would yield a polynomial time

algorithm for NP-complete problems.

In view of the fundamental nature of the search problem in both theoretical

and applied computer science, it is natural to ask - how fast can the basic

identification problem be solved without assuming anything about the structure of

the problem? It is generally assumed that this limit is since there are Nitems to be

examined and a classical algorithm will clearly take steps. However, quantum

mechanical systems can simultaneously be in multiple Schrodinger cat states and

carry out multiple tasks at the same time. Here is an step algorithm for the search

problem.Algorithm:

Suppose that there exist N = 2n states and each state is labeled by S1, S2, SN. The

states are represented by n bit binary strings. Let F be a Boolean function of the set

of these 2n states. Let there be a unique state, say Sn, that satisfies the condition


11/13

C(Sn) = 1, whereas for all other states S, C(S) = 0 (assume that for any state S, the

condition C(S) can be evaluated in unit time). The problem is to identify the state

Sn.

Algorithm:

(i) Initialize the system to the distribution:

,

i.e. there is the same amplitude

to be in each of theNstates. This distribution can be obtained in O (logN) steps,

(ii) Repeat the following unitary operations O() times:

(a) Let the system be in any state S:

In case C(S) = 1, rotate the phase by radians;

In case C(S) = 0, leave the system unaltered.

(b) Apply the diffusion transformD which is defined by the matrixD as

follows:

This diffusion transform, D can be implemented as D = WRW, where R the

rotation matrix & w the Walsh-Hadamard transform Matrix are defined as

follows.

Rij = 0 if i != j;

Rij = 1 if i = 0; Rij = -1 if i = 0;

(iii) Sample the resulting state. In case C(Sv) = 1 there is a unique state Sn

such that the final state is Sn with a probability of at least 0.5.

C.CRYPTANALYSIS USING GROVERs ALGORITHMPlain text attack can be built using the Grovers algorithm.


12/13

Let E be a block cipher of key and block size n. Suppose that an attacker is

given an arbitrary pair of a plaintext P and the ciphertext C encrypted by E with a

certain secret key kj . Applying Grovers algorithm, he can find the secret key. For

simplicity, we assume that there exists only one key kj such that C = E (P, kj). As a

matter of fact, there exist several keys satisfying C= E (P, kj) in general.

1. Prepare a pair (P, C) of a plaintext P and a ciphertext C, that is, C = E (P, kj)for some secretkey kj. Define F by

{ () ()

2. Initialize the system by making a superposition of all possible keys (ki) withthe same amplitude. Suppose the key length is 64 bit. There exist N = 264

states representing N keys in the superposition. So we have the

superposition.

3. Iterate 2 step, Note that Kj is the solution of the equation F (k) = 1. PossiblyO () steps are needed.We can reduce the computational cost using the detailed information on

block ciphers. Consider searching a structured database. In a structured database,

each data can be represented by a binary sequence. To obtain information from a

structured database $O(log N) steps are needed, where N is the size of database.

In cryptanalysis of block ciphers, one employs the knowledge of non-

uniformity of the distribution between plaintexts, secret keys and ciphertexts.

Differential cryptanalysis and linear cryptanalysis [7, 8, 10] are such cryptanalysis.

Using non-uniformity of distributions, the size of key space can be reduced. If the

size can be reduced to a tractable size, one can analyze by the brute-force method.


13/13

In quantum cryptanalysis, we may do the same. First, we reduce the size of

the searching space by using the (possibly statistical) information on the searching

space.

a quantum computer operates on qubits

Documents