security issues concerning distributed quantum computing

Czech Technical University in Prague
Faculty of Electrical Engineering
Department of Computer Science and Engineering

Dissertation Thesis Proposal DCSE-DTP-2005-16

Security Issues Concerning Distributed Quantum Computing

Miroslav Dobšíček

PhD program: Computer Science and Engineering
Supervisor: Josef Kolář
Co-Supervisor: Róbert Lórencz

September 2005


This research has been supported by MSMT under research program #J04/98:212300014 and by the Grant Agency of the Czech Technical University under grant CTU0507213.

Miroslav Dobšíček, PhD student

Josef Kolář, Supervisor


Contents

1 Introduction
2 Basic definitions and overview
   2.1 Terminology and notation
      2.1.1 Hilbert space
      2.1.2 Linear operators
      2.1.3 Operator functions
   2.2 The postulates of quantum mechanics
      2.2.1 State space
      2.2.2 Evolution
      2.2.3 Quantum measurement
      2.2.4 Composite systems
   2.3 Density operator
      2.3.1 The reduced density operator
   2.4 Examples
      2.4.1 Qubit representation, evolution and measurement
      2.4.2 Composed systems
      2.4.3 Basic unitary transformations
      2.4.4 Simple circuits
   2.5 Physical realizations
3 Previous work and partial results
   3.1 Quantum authentication of messages
      3.1.1 The protocol
      3.1.2 Message attack
      3.1.3 Secret-key discussion
4 Building stones for future work
   4.1 Quantum key generation - BB84
      4.1.1 The BB84 protocol
      4.1.2 Practical realization
      4.1.3 Quantum random number generation
   4.2 Quantum hidden subgroup problem
      4.2.1 Quantum Fourier transform
      4.2.2 Efficient algorithm for QFT
   4.3 Distributed quantum computing
5 Future work
   5.1 Simon's problem
   5.2 Expected progress
6 Conclusions
7 Bibliography
8 Relevant refereed publications of the author
9 Remaining refereed publications of the author
10 Unrefereed publications of the author
11 Dissertation Thesis
   11.1 Quantum cryptography
   11.2 Quantum hidden subgroup problem
   11.3 Distributed quantum computing

List of Figures

2.1 Bloch sphere.
2.2 Sequence of Bloch spheres.
2.3 Simple circuit for a single qubit evolution.
2.4 Confrontation of classic and quantum registers.
2.5 Decomposition of a unitary operation.
2.6 Number of circuit time steps.
2.7 Circuit decomposition.
2.8 Tensor product of Hadamard rotation gates.
2.9 Circuit producing an entangled pair from product state $|0\rangle|0\rangle$.
2.10 Quantum implementation of a two-bit adder.
2.11 Reversible computation with garbage removal.
2.12 Circuit solving Deutsch's problem.
2.13 $U_f$ transformation of $(n+m)$-qubit register.
2.14 Circuit for quantum teleportation.
4.1 Non-orthogonal set.
4.2 Mach-Zehnder interferometer.
4.3 Simulation of Mach-Zehnder interferometer.
4.4 QKD system named Clavis developed by Id Quantique, Inc.
4.5 Efficient circuit for the quantum Fourier transform.
4.6 Optimal implementation of non-local CNOT gate.
4.7 $n$-qubit entangling gate.
4.8 Two primitives for distributed quantum computing.
4.9 Entanglement re-establishing.
4.10 Distributed quantum computing architecture.

List of Tables

2.1 Dirac notation.
2.2 Circuit model notation.
2.3 Bell states.
2.4 One-to-one mapping of a two-bit quantum adder.
2.5 The DiVincenzo promise criteria.
4.1 Example run of the BB84 protocol.
4.2 Phase encoding for the BB84 protocol.


Security Issues Concerning Distributed Quantum Computing

Miroslav Dobšíček
[email protected]

Department of Computer Science and Engineering
Faculty of Electrical Engineering
Czech Technical University in Prague
Karlovo nám. 13, 121 35 Prague 2, CZ

Abstract

This technical report presents a basic overview of quantum computing and quantum cryptography. Additionally, it outlines the author's future work concerning security issues of distributed quantum computing. A quantum computer, in theory, represents an alternative computing device which can efficiently solve some problems that are computationally hard for the Turing machine computation model. The main new resources for computing and information processing are quantum parallelism and entanglement. The laws of quantum mechanics also hold great promise for cryptography thanks to the no-cloning theorem. Unfortunately, building a quantum computer is very hard and no well-scalable technology is known yet. Therefore, this report deals with the distributed paradigm to address scalability. Additionally, security issues are considered because security should be inherent to all new computing architectures.

Keywords

quantum computing, quantum cryptography, distributed quantum algorithms, Simon's problem

1 Introduction

Computer science plays a very fundamental role in our lives. Since the second half of the twentieth century, we have used computers to process and store information, predict weather, simulate nuclear reactions and so on. In 1936, A. Turing developed an abstract notion of what we can call a programmable universal computer. At about the same time, A. Church showed that any function of positive integers is efficiently calculable only if it is recursive. This was a remarkable step, and a strong version of the Church-Turing Thesis, "Any algorithmic process can be simulated efficiently using a Turing Machine", became a starting point for evaluating the complexity of algorithms (problems).

A few years later, J. von Neumann presented an architecture for a real-life computing device with all the capabilities a Turing Machine has. Since the transistor was born, we have seen rapid progress in computer hardware technology in accordance with Moore's Law. Moore's Law states that computer power will double for constant cost roughly once every two years.

As time passed, the first challenges to the strong Church-Turing Thesis appeared. There are certain types of analog computing devices which can efficiently solve some problems that are computationally hard for the Turing machine computational model. Unfortunately, when the noise in analog computing devices is taken into account, their power disappears. Randomized computing was a more serious challenge. If we consider a computer with access to a random number generator, it is possible to find randomized algorithms which with high probability can efficiently solve problems for which no efficient solution is known on a Turing Machine. This result forced the strong Church-Turing Thesis to be reformulated using a Probabilistic Turing Machine.

Moore's Law also seems to be calling for reformulation in the near future. Computing devices are becoming so small that they will soon reach the limit of current technology. At the nano-scale level the laws of quantum mechanics are dominant and we need to adopt new technology to be able to follow the spirit of Moore's Law. Time will show how quickly mankind can produce technology dealing with quantum effects. This goal is going to be very fruitful. Not only will we be able to build smaller and faster computers as we would like to, but there are promises of new computing resources such as built-in massive parallelism, quantum random number generation or quantum entanglement.

Here, we can generalize the thesis to the form: "Any practically realizable computational device can be simulated efficiently by a quantum device". There are several remarkable points concerning this sentence. First, notice the word "practically", which refuses to consider impractical devices such as 'DNA computers' or a 'field of thinking frogs'. Second, we do not talk about a Quantum Turing Machine (QTM) here. This is due to several different definitions of QTM and not clearly stated relations between them. Additionally, it is not known yet whether a universal quantum computer is sufficient to efficiently simulate an arbitrary physical system. This question is closely connected with the very first ideas about quantum computing. In 1982 R. Feynman suggested that computers based on the laws of quantum mechanics would overcome essential difficulties in simulating quantum mechanical systems on classical computers.

The research field of quantum computing and information attracted many scientists in 1994, when P. W. Shor published a polynomial time algorithm [16] for factoring large integers and calculating discrete logarithms on a hypothetical quantum computer. It is exponentially faster than any known algorithm for a Turing Machine. As the mentioned problems from number theory are crucial for public-key cryptography, Shor's paper triggered huge investments into developing a quantum computer. The latest known success is a 7-qubit (quantum bit) computer built by IBM in 2001. As a proof of concept, this machine executed Shor's algorithm for the number 15. At the same time a similar proof was made for Grover's search algorithm [9] (published in 1996). This algorithm searches an unsorted database of size $N$ in time $O(\sqrt{N})$. Surprisingly, during the last 10 years, no new quantum algorithms have appeared.

Furthermore, the class BQP, which contains all problems efficiently computable on a quantum computer, is still puzzling. Its place among the traditional complexity classes is not well understood and questions like "Does BQP contain NP-complete problems?" remain unanswered.

From the practical realization point of view, there is no known viable technology for a scalable quantum computer. Problems with building quantum computers are caused by the difficulty of keeping the computer isolated from its environment. One possible approach toward solving this problem is distributed quantum computing. Distributed computing is now well understood and it is very exciting to think about a new (quantum) computer architecture which supports distributed computing from the ground up and not as an add-on as classical computers do.

Besides quantum computing there is also a discipline called quantum cryptography. The BB84 protocol, developed by C. H. Bennett and G. Brassard in 1984, solves the problem of secret-key distribution in an unconditionally secure way. This is assured for free by the laws of quantum mechanics themselves. The first commercial products with BB84 are already available. They work as point-to-point systems over a fiber optic line, up to 70 km in length, at rates of approximately 100 Kb/s. Quantum resources can offer more to cryptography, ranging from random number generation to steganographic channels.

To conclude, there are many open questions about the assumed power and practical realization of to-be quantum computers. Technical problems are huge, but nevertheless, as miniaturization of computing devices continues, technology for dealing with quantum effects is a must. Current difficulties with these effects force us, in a good sense, to develop a new architecture with built-in support for distributed computing, error correcting schemes etc. Moreover, quantum cryptography shows that incorporating security into the architecture should not cause huge overhead. These properties together with the assumed power of a quantum computer are of interest to a growing part of the computer science community.

The report is organized as follows. Chapter 2 introduces basic definitions and terminology, and gives an overview of quantum computing. Chapter 3 summarizes the author's previous work and results. Chapter 4 presents building stones for future work. Chapter 5 outlines the future work using concepts from the previous chapter. Finally, Chapter 6 concludes the report.


2 Basic definitions and overview

This chapter begins with a review of some material from linear algebra and introduces the notation used to describe quantum mechanics. It is good to keep in mind that the algebraic formulation of quantum mechanics is not a physical theory in its own right, but rather provides a working framework. Quantum computing is an abstract concept with qubits and quantum gates within this framework.

Section 2.2 describes the basic postulates of quantum mechanics. Section 2.3 presents the density operator formalism as an alternative to the state vector formalism used in previous sections. Section 2.4 introduces the circuit model and shows some basic examples. The last section, 2.5, gives an overview of technologies used for the realization of a quantum computer.

2.1 Terminology and notation

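The following table summarizes the Dirac notation for notions from linear algebra. This 'bra(c)ket' notation is widely used within quantum mechanics. Another formalism based on density matrices will be introduced later.

Notation                                  Description
$|\varphi\rangle$                         Column vector. Known as Ket.
$\langle\varphi|$                         Row vector dual to $|\varphi\rangle$. Known as Bra.
$\langle\psi|\varphi\rangle$              Inner product of vectors $\langle\psi|$ and $|\varphi\rangle$.
$|\psi\rangle\langle\varphi|$             Outer product of $|\psi\rangle$ and $\langle\varphi|$.
$|\psi\rangle \otimes |\varphi\rangle$    Tensor product of $|\psi\rangle$ and $|\varphi\rangle$.
$|\psi\rangle|\varphi\rangle$             Abbreviated notation for tensor product of $|\psi\rangle$ and $|\varphi\rangle$.
$|\psi,\varphi\rangle$                    Abbreviated notation for tensor product of $|\psi\rangle$ and $|\varphi\rangle$.
$A^\dagger$                               Adjoint operator of the $A$ matrix. $A^\dagger = (A^T)^* = (A^*)^T$.
$\langle\psi|A|\varphi\rangle$            Inner product of $\langle\psi|$ and $A|\varphi\rangle$.
$\|\varphi\|$                             Abbreviated notation for norm $\| |\varphi\rangle \|$.

Table 2.1: Dirac notation.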

2.1.1 Hilbert space

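Definition 1 (Vector space). A set $V = (V, +, \cdot)$ is called a vector space over a scalar field $F$ iff the operations $+ : V \times V \to V$ (vector addition) and $\cdot : F \times V \to V$ (scalar multiplication) are defined and

1. $(V, +)$ is a commutative group,

and for all $\alpha, \beta \in F$:

2. $\alpha(\beta|\varphi\rangle) = (\alpha\beta)|\varphi\rangle$,

3. $(\alpha + \beta)|\varphi\rangle = \alpha|\varphi\rangle + \beta|\varphi\rangle$,

4. $\alpha(|\varphi\rangle + |\psi\rangle) = \alpha|\varphi\rangle + \alpha|\psi\rangle$.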

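Definition 2 (Inner product). Let $V$ be a vector space over the field of complex numbers. An inner product over the vector space $V$ is a function $\langle\cdot|\cdot\rangle : V \times V \to \mathbb{C}$ satisfying

1. $\langle\varphi|\varphi\rangle \in \mathbb{R}$, $\langle\varphi|\varphi\rangle \ge 0$, $\langle\varphi|\varphi\rangle = 0 \Leftrightarrow |\varphi\rangle = \vec{0}$,

2. $\langle\varphi|\psi\rangle = \langle\psi|\varphi\rangle^*$,

3. $\langle\varphi|(|\psi\rangle + |\lambda\rangle) = \langle\varphi|\psi\rangle + \langle\varphi|\lambda\rangle$.

An inner product induces a norm $\|\varphi\| = \sqrt{\langle\varphi|\varphi\rangle}$.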

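Remark 3 The following inequalities hold:

$$|\langle\psi|\varphi\rangle| \le \|\psi\| \cdot \|\varphi\| \quad \text{Schwarz inequality.} \tag{2.1}$$

$$\| |\psi\rangle + |\varphi\rangle \| \le \|\psi\| + \|\varphi\| \quad \text{Triangle inequality.} \tag{2.2}$$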

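Definition 4 (Completeness). Let $V$ be a vector space with the norm $\|\cdot\|$ and $\{|\varphi_i\rangle\}_i \in V$ a sequence of vectors.

• $\{|\varphi_i\rangle\}_i$ is a Cauchy sequence iff $\forall \varepsilon > 0\ \exists N > 0$ such that $\forall n, m > N$: $\| |\varphi_n\rangle - |\varphi_m\rangle \| < \varepsilon$.

• $\{|\varphi_i\rangle\}_i$ is convergent iff $\exists |\varphi\rangle \in V$ such that $\forall \varepsilon > 0\ \exists N > 0\ \forall n > N$: $\| |\varphi_n\rangle - |\varphi\rangle \| < \varepsilon$.

Space $V$ is complete iff every Cauchy sequence converges.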

Definition 5 (Hilbert space). A Hilbert space $H$ is a vector space with an inner product $\langle\cdot|\cdot\rangle$ that is complete under the induced norm $\|\varphi\| = \sqrt{\langle\varphi|\varphi\rangle}$.

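Definition 6 ($\delta$ matrix). The $\delta$ matrix is defined as

$$\delta_{ij} = \begin{cases} 1, & \text{if } i = j, \\ 0, & \text{otherwise.} \end{cases} \tag{2.3}$$

A vector $|\varphi\rangle$ is normalized or unit-vector iff

$$\|\varphi\| = 1. \tag{2.4}$$

An enumerable set of normalized vectors $\{|e_i\rangle\}_i$ forms an orthonormal basis of a Hilbert space $H$ iff

1. $\forall i, j : \langle e_i|e_j\rangle = \delta_{ij}$,

2. any vector $|\varphi\rangle \in H$ can be written as $|\varphi\rangle = \sum_i \alpha_i |e_i\rangle$.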

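From now on, we will consider only finite dimensional complex Hilbert spaces $H = \mathbb{C}^n$ and normalized vectors. By convention, the basis labeled $|0\rangle$ and $|1\rangle$ is called the standard (computational) basis. The basis labeled $|0'\rangle$ and $|1'\rangle$ is called the dual basis.

$$|0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix}, \quad |1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix}, \quad |0'\rangle = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 \\ 1 \end{pmatrix}, \quad |1'\rangle = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 \\ -1 \end{pmatrix}. \tag{2.5}$$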

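Definition 7 (Tensor product of two Hilbert spaces). Let $H_A$ and $H_B$ be Hilbert spaces with bases $\{|e_i\rangle\}_i$ and $\{|f_j\rangle\}_j$ respectively. A tensor product

$$H_{AB} = H_A \otimes H_B = \{ |\varphi\rangle \otimes |\psi\rangle : |\varphi\rangle \in H_A, |\psi\rangle \in H_B \} \tag{2.6}$$

is also a Hilbert space

• with base $\{|g_k\rangle\}_k = \{ |e\rangle \otimes |f\rangle : |e\rangle \in \{|e_i\rangle\}_i, |f\rangle \in \{|f_j\rangle\}_j \}$ and

• inner product defined as $\langle a \otimes b | c \otimes d \rangle = \langle a|c\rangle \langle b|d\rangle$, where $|a\rangle, |c\rangle \in H_A$ and $|b\rangle, |d\rangle \in H_B$.

• $\dim(H_{AB}) = \dim(H_A) \cdot \dim(H_B)$.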


2.1.2 Linear operators

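Definition 8 (Linear Operator). Let $V$ be a vector space. Function $A : V \to V$ is a linear operator iff it is linear in its inputs, i.e.

$$A\left(\sum_i \alpha_i |e_i\rangle\right) = \sum_i \alpha_i A(|e_i\rangle), \quad |e_i\rangle \in V. \tag{2.7}$$

In $\mathbb{C}^n$ a linear operator $A$ can be expressed as an $n \times n$ matrix.

$$A = \begin{pmatrix} a_{0,0} & \cdots & a_{0,n-1} \\ \vdots & \ddots & \vdots \\ a_{n-1,0} & \cdots & a_{n-1,n-1} \end{pmatrix} = \sum_{i,j} a_{ij} |i\rangle\langle j|, \quad a_{ij} = \langle i|A|j\rangle. \tag{2.8}$$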

Definition 9 (Adjoint Operator). Let $A$ be a linear operator on a Hilbert space $H$. A unique linear operator $A^\dagger$ on $H$ satisfying

$$\langle\varphi|A\psi\rangle = \langle A^\dagger\varphi|\psi\rangle, \tag{2.9}$$

for all vectors $\varphi, \psi \in H$, is called an adjoint operator or Hermitian conjugate of the operator $A$. Additionally, we define

$$|\varphi\rangle^\dagger \equiv \langle\varphi|. \tag{2.10}$$

Observation 10 Let $A$ and $B$ be linear operators on a Hilbert space $H$, $|\varphi\rangle \in H$. Then

$$(AB)^\dagger = B^\dagger A^\dagger, \tag{2.11}$$

$$(A|\varphi\rangle)^\dagger = \langle\varphi|A^\dagger. \tag{2.12}$$

Definition 11 A linear operator $A$ defined on a vector space $V$ is called

1. identity operator $I$ iff $A|\varphi\rangle = |\varphi\rangle$ for all vectors $|\varphi\rangle \in V$,

2. zero operator $0$ iff $A|\varphi\rangle = \vec{0}$ for all vectors $|\varphi\rangle \in V$,

3. normal iff $A^\dagger A = A A^\dagger$,

4. self-adjoint or Hermitian iff $A^\dagger = A$,

5. unitary iff $A A^\dagger = I$,

6. idempotent iff $A^2 = A$,

7. projection iff $A$ is self-adjoint and idempotent.

Theorem 12 (Spectral decomposition). Any normal operator $A$ on a vector space $V$ is diagonal with respect to some orthonormal basis for $V$,

$$A = \sum_i \lambda_i |i\rangle\langle i|, \tag{2.13}$$

where $\lambda_i$ are the eigenvalues of $A$, $\{|i\rangle\}_i$ is an orthonormal basis for $V$, and each $|i\rangle$ is an eigenvector of $A$ corresponding to eigenvalue $\lambda_i$. For proof see [15] on page 72.


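Definition 13 (Linear operator on a composed Hilbert space). Let $A$, $B$ be linear operators on $H_A$, $H_B$, respectively. The tensor product

$$A \otimes B = \begin{pmatrix} a_{1,1}B & \cdots & a_{1,m}B \\ \vdots & \ddots & \vdots \\ a_{m,1}B & \cdots & a_{m,m}B \end{pmatrix} \tag{2.14}$$

is a linear operator on $H_A \otimes H_B$.

$$(A \otimes B)\left(\sum_i a_i \left(|e_i\rangle \otimes |f_i\rangle\right)\right) = \sum_i a_i \left(A|e_i\rangle \otimes B|f_i\rangle\right). \tag{2.15}$$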

2.1.3 Operator functions

Definition 14 (Operator function). Let $A = \sum_i \lambda_i |i\rangle\langle i|$ be a spectral decomposition for a normal operator $A$. An operator function $f$ on $A$ is defined as

$$f(A) = \sum_i f(\lambda_i) |i\rangle\langle i|. \tag{2.16}$$

(This allows us to define functions like square root, logarithm or exponential for operators.)

Definition 15 (Trace of a matrix). The trace of a matrix $A$ is defined as

$$\mathrm{tr}(A) = \sum_i a_{ii}. \tag{2.17}$$

Observation 16 Let $A$ and $B$ be linear operators and $\eta \in \mathbb{C}$. Then

• $\mathrm{tr}(AB) = \mathrm{tr}(BA)$ (cyclic property), (2.18)

• $\mathrm{tr}(A + B) = \mathrm{tr}(A) + \mathrm{tr}(B)$, $\mathrm{tr}(\eta A) = \eta\,\mathrm{tr}(A)$ (linear property). (2.19)

From the cyclic property it follows that the trace of a matrix is invariant under the unitary similarity transformation $A \to U A U^\dagger$, as $\mathrm{tr}(U A U^\dagger) = \mathrm{tr}(U U^\dagger A) = \mathrm{tr}(A)$. This property is important for the density operator formalism. See Section 2.3.

2.2 The postulates of quantum mechanics

2.2.1 State space

Postulate 1: Associated to any isolated physical system is a complex vector space with inner product (Hilbert space) known as the state space of the system. The state of the system is completely described by its state vector, which is a unit vector in the system's state space.

Qubit – The simplest quantum mechanical system is the quantum bit or qubit, which has a two-dimensional state space. Let $\{|0\rangle, |1\rangle\}$ form an orthonormal basis for that space. The state $|\varphi\rangle$ of a qubit can be written as a linear combination (superposition) of $|0\rangle$ and $|1\rangle$.

$$|\varphi\rangle = \alpha|0\rangle + \beta|1\rangle, \quad \alpha, \beta \in \mathbb{C}, \text{ with } |\alpha|^2 + |\beta|^2 = 1. \tag{2.20}$$

The condition $|\alpha|^2 + |\beta|^2 = 1$ follows from the unity condition $\|\varphi\| = 1$. Complex numbers $\alpha$, $\beta$ are so-called quantum mechanics amplitudes.


2.2.2 Evolution

Postulate 2: The time evolution of the state of a closed quantum system is described by the Schrödinger equation

$$i\hbar \frac{\partial}{\partial t} |\varphi\rangle = H|\varphi\rangle, \tag{2.21}$$

where $\hbar$ is the experimental Planck's constant, $\hbar \approx 1.05457 \cdot 10^{-34}$ Js, and $H$ is a fixed self-adjoint operator known as the Hamiltonian of the closed system.

We define an operator of time evolution as $U(t) = e^{-iHt/\hbar}$. Such an operator is unitary because $H = H^\dagger$ and therefore $U(t)U(t)^\dagger = e^{(-iHt + iHt)/\hbar} = I$. Using this definition we can reformulate the second postulate.

The time evolution of a closed quantum system from the state $|\varphi\rangle$ at time $t_1$ to the state $|\varphi'\rangle$ at time $t_2$ is described by a unitary operator $U = U(t_2 - t_1)$,

$$|\varphi'\rangle = U|\varphi\rangle. \tag{2.22}$$

The correspondence between the discrete-time description of dynamics using unitary operators and the continuous-time description using Hamiltonians is one-to-one.

2.2.3 Quantum measurement

Postulate 3: A quantum measurement is described by a collection $\{M_m\}$ of measurement operators. These are operators acting on the state space of the system being measured. The index $m$ refers to the measurement outcomes that may occur in the experiment. Measuring the system state $|\varphi\rangle$ will give the result $m$ with probability

$$p(m) = \langle\varphi|M_m^\dagger M_m|\varphi\rangle, \tag{2.23}$$

and the state of the system reduces to the post-measurement state

$$|\varphi'\rangle = \frac{M_m|\varphi\rangle}{\sqrt{p(m)}}. \tag{2.24}$$

The operators $\{M_m\}$ satisfy $\sum_m M_m^\dagger M_m = I$ and therefore together with the normalization condition we have

$$1 = \sum_m p(m) = \sum_m \langle\varphi|M_m^\dagger M_m|\varphi\rangle. \tag{2.25}$$

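Observation 17 We say that states $|\varphi\rangle$ and $|\psi\rangle$ are equivalent, $|\varphi\rangle \cong |\psi\rangle$, up to the global phase factor, iff $|\varphi\rangle = e^{i\Phi}|\psi\rangle$, $\Phi \in \mathbb{R}$. The statistics of measurement predicted for these two states are the same.

$$\langle\varphi|M_m^\dagger M_m|\varphi\rangle = \langle\varphi|e^{-i\Phi} M_m^\dagger M_m e^{i\Phi}|\varphi\rangle \tag{2.26}$$

The global phase must not be confused with the relative phase! Let $|0\rangle$, $|1\rangle$ form a basis of a Hilbert space $H$. States $|\varphi\rangle = \alpha|0\rangle + \beta|1\rangle$ and $|\psi\rangle = \alpha|0\rangle - \beta|1\rangle$ defined on $H$ differ by a relative phase.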

For many applications a special class of measurements known as projective measurements is of importance. A projective measurement is described by a self-adjoint operator $M$, called an observable, with the spectral decomposition $M = \sum_m m P_m$ (the $\{P_m\}$ are orthogonal projectors, $\sum_m P_m = I$ and $P_m P_{m'} = \delta_{mm'} P_m$). $P_m$ is the projector onto the eigenspace of $M$ with eigenvalue $m$. The eigenvalues $m$ correspond to possible outcomes of the measurement. The probability of getting result $m$ and the state after the collapse are given by

$$p(m) = \langle\varphi|P_m|\varphi\rangle, \tag{2.27}$$

$$|\varphi'\rangle = \frac{P_m|\varphi\rangle}{\sqrt{p(m)}}. \tag{2.28}$$

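Observation 18 The average value of a projective measurement is

$$E(M) = \sum_m m\,p(m) = \sum_m m \langle\varphi|P_m|\varphi\rangle = \langle\varphi|\left(\sum_m m P_m\right)|\varphi\rangle = \langle\varphi|M|\varphi\rangle. \tag{2.29}$$

The average value $E(M)$ is often denoted by $\langle M \rangle$.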

2.2.4 Composite systems

Postulate 4: The state space $H$ of a composite physical system is the tensor product of the state spaces $H_i$ of its components, $H = \bigotimes_i H_i$. Moreover, if the subsystems are in the states $|\varphi_i\rangle \in H_i$, then the joint state $|\varphi\rangle \in H$ of the total system is $|\varphi\rangle = \bigotimes_i |\varphi_i\rangle$.

Entanglement – Let $H = H_A \otimes H_B$ be a Hilbert space. A joint state $|\varphi\rangle \in H$ that cannot be written as a tensor product of some vectors $|\varphi_A\rangle \in H_A$, $|\varphi_B\rangle \in H_B$ is said to be entangled, otherwise we call this joint state a product state.

In entangled states, unitary operators or measurements performed on one system have an effect on the state of the second system. In product states, these operations affect only the state of the target component.

2.3 Density operator

Next to the state vector formalism, there exists an alternative density operator (density matrix) formalism. The postulates of quantum mechanics can be equivalently written using density operators. The density operator formalism is of advantage when describing individual subsystems of a composite quantum system or dealing with quantum systems whose state is not completely known.

Definition 19 (Density operator). Let a quantum system $S$ with associated Hilbert space $H$ be at a state $|\varphi_i\rangle \in H$ with probability $p_i$. The density operator for the system described by an ensemble $\{p_i, |\varphi_i\rangle\}$ is defined as

$$\rho = \sum_i p_i |\varphi_i\rangle\langle\varphi_i|. \tag{2.30}$$

A density operator satisfies the conditions:

1. $\mathrm{tr}(\rho) = 1$,

2. $\rho$ is a positive operator.

A quantum state represented by a density operator $\rho$ is said to be a pure state iff

$$\mathrm{tr}(\rho^2) = 1. \tag{2.31}$$

Otherwise the state is said to be mixed. For a pure state described by a state vector $|\varphi\rangle$ the equation (2.30) reduces to

$$\rho_{|\varphi\rangle} = |\varphi\rangle\langle\varphi|. \tag{2.32}$$

Equation (2.22) for temporal unitary evolution of a closed quantum system has the form

$$\rho' = U \rho U^\dagger \tag{2.33}$$

using the density operator formalism. This can be easily seen from the transformation

$$\sum_i p_i |\varphi_i\rangle\langle\varphi_i| \xrightarrow{U} \sum_i p_i U|\varphi_i\rangle\langle\varphi_i|U^\dagger. \tag{2.34}$$

Equations (2.23), (2.24) from the 3rd postulate of quantum mechanics have the form

$$p(m) = \mathrm{tr}\left(M_m^\dagger M_m \rho\right), \tag{2.35}$$

$$\rho' = \frac{M_m \rho M_m^\dagger}{p(m)}. \tag{2.36}$$

For composite systems described by the 4th postulate where the individual components are in the states $\rho_i$, the joint state of the total system is

$$\rho = \bigotimes_i \rho_i. \tag{2.37}$$

2.3.1 The reduced density operator

When we are dealing with a subsystem of a larger system $S$ whose state is described by a density operator $\rho$, we need to find a function which will provide the correct measurement statistics for this subsystem. Such a function is called a partial trace and the provided statistics is a reduced density operator. It can be shown that a partial trace is the unique function with the above-mentioned property.

Definition 20 (Partial trace). Let $\rho_A$ and $\rho_B$ be density operators of a system $A$ and $B$, respectively. The partial trace over system $B$ is defined by

$$\mathrm{tr}_B(\rho_A \otimes \rho_B) = \rho_A\,\mathrm{tr}(\rho_B). \tag{2.38}$$

Definition 21 (Reduced density operator). Let $\rho_{AB}$ be a density operator describing a state of physical systems $A$ and $B$. The reduced density operator $\rho_A$ for system $A$ is defined by

$$\rho_A = \mathrm{tr}_B(\rho_{AB}). \tag{2.39}$$
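The partial trace of Definition 20 extends linearly to joint states that are not products; in index form, $(\rho_A)_{ij} = \sum_k \rho_{(i,k),(j,k)}$. The Python sketch below is an added example, not part of the original report: it checks the index form against (2.38) and uses the purity test (2.31) to show that one half of an entangled pair is in a mixed state. The helper names and the sample states (a product state, the standard Bell state $(|00\rangle + |11\rangle)/\sqrt{2}$ and a constructed mixed qubit) are choices made for this illustration.

```python
# Added illustration (not from the report): reduced density operators via the
# partial trace, using plain Python lists of (complex) numbers.
from math import sqrt

def outer(psi):
    """Pure-state density operator |psi><psi| (eq. 2.32)."""
    return [[a * complex(b).conjugate() for b in psi] for a in psi]

def kron_vec(a, b):
    """Tensor product of two state vectors (Postulate 4)."""
    return [x * y for x in a for y in b]

def kron(A, B):
    """Tensor product of two operators (eq. 2.14)."""
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def trace(A):
    return sum(A[i][i] for i in range(len(A)))

def partial_trace_B(rho, dim_a, dim_b):
    """rho_A = tr_B(rho): sum over the B index k of rho[(i,k),(j,k)]."""
    return [[sum(rho[i * dim_b + k][j * dim_b + k] for k in range(dim_b))
             for j in range(dim_a)] for i in range(dim_a)]

def partial_trace_A(rho, dim_a, dim_b):
    """rho_B = tr_A(rho): sum over the A index k of rho[(k,i),(k,j)]."""
    return [[sum(rho[k * dim_b + i][k * dim_b + j] for k in range(dim_a))
             for j in range(dim_b)] for i in range(dim_b)]

def purity(rho):
    """tr(rho^2): 1 for a pure state (eq. 2.31), below 1 for a mixed one."""
    return trace(matmul(rho, rho)).real

def is_entangled_pure(psi, dim_a, dim_b, tol=1e-9):
    """A pure joint state is entangled iff its reduced state is mixed."""
    return purity(partial_trace_B(outer(psi), dim_a, dim_b)) < 1 - tol

# Constructed sample states.
S = 1 / sqrt(2)
KET0, KET1 = [1, 0], [0, 1]
DUAL0 = [S, S]                       # |0'> from eq. (2.5)
PRODUCT = kron_vec(KET0, DUAL0)      # product state |0>|0'>
BELL = [S, 0, 0, S]                  # (|00> + |11>)/sqrt(2)
# Mixed qubit: |0> with probability 3/4, |1> with probability 1/4 (eq. 2.30).
RHO_MIXED = [[0.75, 0], [0, 0.25]]

if __name__ == "__main__":
    # Definition 20: tr_B(rho_A (x) rho_B) = rho_A tr(rho_B).
    print(partial_trace_B(kron(RHO_MIXED, outer(DUAL0)), 2, 2))
    for name, psi in (("product", PRODUCT), ("Bell", BELL)):
        rho_a = partial_trace_B(outer(psi), 2, 2)
        print(name, rho_a, "purity", round(purity(rho_a), 6),
              "entangled:", is_entangled_pure(psi, 2, 2))
```

For the Bell state the reduced operator is $I/2$ with purity $1/2$, although the joint state itself is pure.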

2.4 Examples

2.4.1 Qubit representation, evolution and measurement

When describing a quantum computation (algorithm) we can either write equations using the state vector or density matrix formalism, or use some graphic schemes. Two widely used graphic schemes are the Bloch sphere and the circuit model. The Bloch sphere is very intuitive but unfortunately is of use only for a single qubit. A computation with a qubit is drawn as a sequence of Bloch spheres.


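Bloch sphere. A Bloch sphere is a unit sphere in Euclidean space $\mathbb{R}^3$. Equation (2.20) for a qubit may be rewritten as

$$|\psi\rangle = e^{i\gamma}\left(\cos\frac{\theta}{2}|0\rangle + e^{i\varphi}\sin\frac{\theta}{2}|1\rangle\right), \tag{2.40}$$

where $\gamma, \theta, \varphi \in \mathbb{R}$. According to (2.26), the global phase factor $e^{i\gamma}$ can be ignored because it has no observable effect. The numbers $\theta$, $\varphi$, interpreted as polar coordinates, define a point on a Bloch sphere. We write the $(x, y, z)$-coordinates as a unit Bloch vector

$$r = (\sin\theta\cos\varphi, \sin\theta\sin\varphi, \cos\theta). \tag{2.41}$$

[Figure 2.1: Bloch sphere. Labels: axes $x$, $y$, $z$; angles $\theta$, $\varphi$; states $|0\rangle$, $|1\rangle$, $|\psi\rangle$.]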

Circuit model. A quantum circuit model is very similar to a classical electrical circuit model. The notation follows:

Element                                          Drawn on
Wire carrying a qubit                            $|q_0\rangle$
Wire carrying a bit                              $c$
Projection onto $|0\rangle$ and $|1\rangle$      $|q_0\rangle$ (measurement symbol)
Unitary operation $U$                            $|q_0\rangle$: $U$
Controlled unitary operation $U$                 $|q_0\rangle$: $\bullet$ (control), $|q_1\rangle$: $U$
Controlled NOT operation                         $|q_0\rangle$: $\bullet$ (control), $|q_1\rangle$: $\oplus$
Swap                                             $|q_0\rangle$: $\times$, $|q_1\rangle$: $\times$

Table 2.2: Circuit model notation.


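Example 22 Let us have unitary transformations $U$, $V$ and a qubit $|\psi\rangle = |0\rangle \in H_2$, where $H_2$ is a two-dimensional Hilbert space with base vectors labeled $|0\rangle$ and $|1\rangle$. The qubit evolution is given by $|\psi\rangle \xrightarrow{VU} |\psi''\rangle$.

$$U = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}, \quad V = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\pi} \end{pmatrix}, \quad |0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix}, \quad |1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix}.$$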

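State vector formalism.

$$|\psi\rangle = |0\rangle, \quad |\psi'\rangle = U|\psi\rangle = \frac{1}{\sqrt{2}}\left(|0\rangle + |1\rangle\right), \quad |\psi''\rangle = V|\psi'\rangle = \frac{1}{\sqrt{2}}\left(|0\rangle - |1\rangle\right).$$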

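Density operator formalism.

$$\rho_{|\psi\rangle} = |\psi\rangle\langle\psi| = \begin{pmatrix} 1 & 0 \\ 0 & 0 \end{pmatrix}, \quad \rho_{|\psi'\rangle} = U \rho_{|\psi\rangle} U^\dagger = \frac{1}{2} \begin{pmatrix} 1 & 1 \\ 1 & 1 \end{pmatrix},$$

$$\rho_{|\psi''\rangle} = V \rho_{|\psi'\rangle} V^\dagger = \frac{1}{2} \begin{pmatrix} 1 & -1 \\ -1 & 1 \end{pmatrix}.$$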

Bloch sphere scheme. A sequence of Bloch spheres represents a qubit evolution. Time goes left to right.

[Figure 2.2: Sequence of Bloch spheres, each with poles |0〉 and |1〉, showing the states |ψ〉 = |0〉, |ψ′〉 = 1/√2 (|0〉 + |1〉) and |ψ′′〉 = 1/√2 (|0〉 − |1〉).]

Circuit model. Time goes left to right. The right end of the wire represents the state |ψ′′〉.

    |ψ〉 = |0〉 ──[U]──[V]──

Figure 2.3: Simple circuit for a single qubit evolution.

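Example 23 Let us have a qubit $|\varphi\rangle = \alpha|0\rangle + \beta|1\rangle \in \mathcal{H}_2$, where $\mathcal{H}_2$ is a two-dimensional Hilbert space with standard basis {|0〉, |1〉}, and a standard observable M.

$$M = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} \quad \text{Standard observable.} \tag{2.42}$$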


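The eigenvalues of M are +1, −1 and the corresponding eigenvectors are $\begin{pmatrix} 1 \\ 0 \end{pmatrix}$, $\begin{pmatrix} 0 \\ 1 \end{pmatrix}$. Hence the spectral decomposition of M is

$$M = 1 \cdot \underbrace{\begin{pmatrix} 1 & 0 \\ 0 & 0 \end{pmatrix}}_{P_0} + (-1) \cdot \underbrace{\begin{pmatrix} 0 & 0 \\ 0 & 1 \end{pmatrix}}_{P_1}. \tag{2.43}$$

Using equations (2.27), (2.28) the post-measurement state with respect to the standard observable M is

$$|\varphi'\rangle = \begin{cases} |0\rangle, & \text{with probability } \alpha^2, \text{ and the result is } +1, \\ |1\rangle, & \text{with probability } \beta^2, \text{ and the result is } -1. \end{cases} \tag{2.44}$$

From equation (2.29) the average value of this measurement is $\langle\varphi|M|\varphi\rangle = \alpha^2 - \beta^2$.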

2.4.2 Composed systems

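By the 4th postulate of quantum mechanics the joint state of a composed system is given by the tensor product of its individual subsystem states. Let us have two qubits $|\phi\rangle, |\psi\rangle \in \mathcal{H}_2$, $|\phi\rangle = \alpha|0\rangle + \beta|1\rangle$, $|\psi\rangle = \gamma|0\rangle + \delta|1\rangle$.

$$|\phi\rangle|\psi\rangle = \alpha\gamma|0\rangle|0\rangle + \alpha\delta|0\rangle|1\rangle + \beta\gamma|1\rangle|0\rangle + \beta\delta|1\rangle|1\rangle$$

We can rewrite this equation to the form

$$|\phi\rangle|\psi\rangle = \alpha_{00}|00\rangle + \alpha_{01}|01\rangle + \alpha_{10}|10\rangle + \alpha_{11}|11\rangle = \sum_{i\in\{0,1\}^2} \alpha_i|i\rangle.$$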

States |00〉, |01〉, |10〉, |11〉 are the basis vectors of the composed Hilbert space H4.

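$$|00\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 1 \\ 0 \\ 0 \\ 0 \end{pmatrix},\quad |01\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} 0 \\ 1 \\ 0 \\ 0 \end{pmatrix},$$

$$|10\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \end{pmatrix},\quad |11\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 1 \end{pmatrix}.$$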

Labels 00, 01, 10, 11 may be renamed to 0, 1, 2, 3 because they can be easily seen as binary representation of these positive integers. Using this representation we write

$$|\phi\rangle|\psi\rangle = \alpha_0|0\rangle + \alpha_1|1\rangle + \alpha_2|2\rangle + \alpha_3|3\rangle = \sum_{i=0}^{3} \alpha_i|i\rangle.$$

A general state of an n-qubit system (often called a quantum register) $|\psi\rangle \in \mathcal{H}_{2^n}$ is described as

$$|\psi\rangle = \sum_{i\in\{0,1\}^n} \alpha_i|i\rangle = \sum_{i=0}^{2^n-1} \alpha_i|i\rangle, \tag{2.45}$$

where $\sum_i |\alpha_i|^2 = 1$ and $\{|i\rangle\}$ is a standard basis of the $2^n$-dimensional Hilbert space $\mathcal{H}_{2^n}$. Vector $|i\rangle$ has the form $(\cdots, 0, \cdots, 1, \cdots, 0, \cdots)'$ with 1 only at the ith position, assuming the positions are counted from 0. Equation (2.45) shows us how a state space of a quantum system grows exponentially with its physical size. It is due to the property of the tensor product of Hilbert spaces (see equation (2.6)) that $\dim(\mathcal{H}_A \otimes \mathcal{H}_B) = \dim(\mathcal{H}_A) \cdot \dim(\mathcal{H}_B)$.

Let us compare a classic 4-bit register and a quantum 4-qubit register. Such a classic register can store any number from the set $\{0, \ldots, 2^4 - 1\}$, but only one of them at a time. By contrast, a quantum register can be in a superposition of all these numbers at the same time. Figure 2.4 shows a situation in which a classic register is set to the state x = 5 and a quantum register "contains" numbers 0, 1, 8, 9.

[Figure 2.4: Confrontation of classic and quantum registers. Quantum register: qubits 1/√2 (|0〉 + |1〉), |0〉, |0〉, 1/√2 (|0〉 + |1〉), i.e. |ψ〉 = 1/2 (|0〉 + |1〉 + |8〉 + |9〉). Classic register: bits 0 1 0 1, int x=5.]

It may seem that an n-qubit quantum register is capable of storing exponentially more information than an n-bit classic register. However, the Holevo theorem [10] states that one can faithfully retrieve only n bits from an n-qubit register. In other words, retrieving classic information from a quantum register requires measurement, and by the 3rd postulate we know that measurement destroys the superposition. As a result we can retrieve only n bits from an n-qubit register.

2.4.3 Basic unitary transformations

As we stated in Section 2.2.2, the time evolution of a closed quantum system can be described by a unitary operator U. Let us have a state $|\psi\rangle \in \mathcal{H}_{2^n}$. Then U is a $2^n \times 2^n$ unitary matrix. For a scalable quantum computer it is necessary to find a small set of universal unitary operators (called gates) such that any unitary operator U may be approximated to arbitrary accuracy by a quantum circuit involving only these gates.

Figure 2.5: Decomposition of a unitary operation.

To compute an arbitrary logical function, a set of gates like AND, OR, NOT is sufficient. Even the NAND gate alone forms a universal set. For quantum computation a similar result holds.

Theorem 24 (Universal set). A Controlled-NOT gate and the set of all 2 × 2 unitary gates is a universal set. In particular, Controlled-NOT, Hadamard gate and phase gate is a universal set. For proof see [15] on page 195.

2.4.3.1 Common single qubit gates

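(Pauli matrices). Pauli matrices (gates) are defined as

$$\sigma_x \equiv \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix},\quad \sigma_y \equiv \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix},\quad \sigma_z \equiv \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}. \tag{2.46}$$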


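These matrices are also often denoted by X, Y, Z. Additionally, $\sigma_x$ is called a NOT gate. The NOT gate acts in the following way

$$X\left(\alpha|0\rangle + \beta|1\rangle\right) = X\begin{pmatrix} \alpha \\ \beta \end{pmatrix} = \begin{pmatrix} \beta \\ \alpha \end{pmatrix} = \beta|0\rangle + \alpha|1\rangle;\quad X|0\rangle = |1\rangle,\ X|1\rangle = |0\rangle. \tag{2.47}$$

When speaking of X, Y, Z matrices the identity matrix I is often added. The dimension of I is usually expected to be clear from the context.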

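(Rotation operators). Rotation operators arise by exponentiation of Pauli matrices (recall equation (2.16) for operator function). They represent rotation about the x, y and z axes.

$$R_x(\theta) \equiv e^{-i\theta X/2} = \cos\frac{\theta}{2}\,I - i\sin\frac{\theta}{2}\,X = \begin{bmatrix} \cos\frac{\theta}{2} & -i\sin\frac{\theta}{2} \\ -i\sin\frac{\theta}{2} & \cos\frac{\theta}{2} \end{bmatrix}. \tag{2.48}$$

$$R_y(\theta) \equiv e^{-i\theta Y/2} = \cos\frac{\theta}{2}\,I - i\sin\frac{\theta}{2}\,Y = \begin{bmatrix} \cos\frac{\theta}{2} & -\sin\frac{\theta}{2} \\ \sin\frac{\theta}{2} & \cos\frac{\theta}{2} \end{bmatrix}. \tag{2.49}$$

$$R_z(\theta) \equiv e^{-i\theta Z/2} = \cos\frac{\theta}{2}\,I - i\sin\frac{\theta}{2}\,Z = \begin{bmatrix} e^{-i\theta/2} & 0 \\ 0 & e^{i\theta/2} \end{bmatrix}. \tag{2.50}$$

Other important quantum gates are the Hadamard gate H, phase gate S, and π/8 gate T (the somewhat misleading name π/8 gate is due to historical reasons).

$$H = \frac{1}{\sqrt{2}}\begin{bmatrix} 1 & 1 \\ 1 & -1 \end{bmatrix},\quad S = \begin{bmatrix} 1 & 0 \\ 0 & i \end{bmatrix},\quad T = \begin{bmatrix} 1 & 0 \\ 0 & e^{i\pi/4} \end{bmatrix}. \tag{2.51}$$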

2.4.3.2 Controlled operations

Controlled operations (i.e. "if-like" operations) are among the most useful operations in quantum computing as well as in classic computing. A controlled operation acts on at least two qubits, of which one is called a control qubit and the other a target qubit. The prototypical controlled operation is the Controlled-NOT, which is often denoted by CNOT or XOR. The CNOT gate flips the target qubit if the control qubit is |1〉 (i.e. true logical value). We write

$$|c\rangle|t\rangle \xrightarrow{\mathrm{CNOT}} |c\rangle|t \oplus c\rangle, \tag{2.52}$$

where ⊕ denotes the XOR logic function or addition modulo 2. The CNOT matrix representation follows.

$$\mathrm{CNOT} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix}. \tag{2.53}$$

Example 25 Let us apply the CNOT gate to the state |ψ〉 = |1〉|0〉 ∈ H2.

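$$|1\rangle|0\rangle \xrightarrow{\mathrm{CNOT}} |1\rangle|1\rangle \tag{2.54}$$

$$\mathrm{CNOT}(|1\rangle|0\rangle) = \mathrm{CNOT}|10\rangle = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix} \begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 1 \end{pmatrix} = |11\rangle = |1\rangle|1\rangle. \tag{2.55}$$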


A general single qubit controlled operation U is an operation satisfying evolution

$$|c\rangle|t\rangle \xrightarrow{c\text{-}U} |c\rangle U^{c}|t\rangle. \tag{2.56}$$

Note that $U^0 = I$ and $U^1 = U$, therefore the control qubit really controls an operation applied to the target qubit. A matrix representation of Controlled-U has the following form²

$$c\text{-}U = \begin{bmatrix} I & 0 \\ 0 & U \end{bmatrix}. \tag{2.57}$$

Although there is a wide variety of what unitary transformations can do, it is not possible to clone an unknown quantum state.

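Theorem 26 (No cloning theorem). An unknown quantum state cannot be cloned. Namely, there is no unitary transformation performing evolution

$$|\chi\rangle|0\rangle \xrightarrow{U} |\chi\rangle|\chi\rangle \tag{2.58}$$

for any one-qubit state |χ〉.

Proof. Let us have two different orthogonal states |ψ〉 and |φ〉, and $|\chi\rangle = \frac{1}{\sqrt{2}}(|\psi\rangle + |\phi\rangle)$. Assuming a 'cloning' U exists we have $U(|\psi\rangle|0\rangle) = |\psi\rangle|\psi\rangle$, $U(|\phi\rangle|0\rangle) = |\phi\rangle|\phi\rangle$. Additionally,

$$U(|\chi\rangle|0\rangle) = U\left(\frac{1}{\sqrt{2}}(|\psi\rangle + |\phi\rangle)|0\rangle\right) = \frac{1}{\sqrt{2}}U(|\psi\rangle|0\rangle + |\phi\rangle|0\rangle) = \frac{1}{\sqrt{2}}(|\psi\rangle|\psi\rangle + |\phi\rangle|\phi\rangle)$$

$$\neq |\chi\rangle|\chi\rangle = \frac{1}{2}(|\psi\rangle|\psi\rangle + |\psi\rangle|\phi\rangle + |\phi\rangle|\psi\rangle + |\phi\rangle|\phi\rangle).$$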

2.4.4 Simple circuits

Quantum computation, in principle, consists of several steps. First, an initial state is prepared; usually $|\psi\rangle_{t_0} = |0^{(n)}\rangle = |0\rangle|0\rangle \ldots |0\rangle$. Second, the initial state is evolved, and finally appropriate qubits are measured to obtain desired classical values representing the result.

The evolution of a state $|\psi\rangle_{t_0} \in \mathcal{H}_{2^n}$ is described by a unitary matrix U of size $2^n \times 2^n$. It could be technically very hard to build a device capable of manipulating many qubits at a unit time as described by the U matrix. Additionally, such a device will be only a so-called single-purpose machine, i.e. far from a universal and scalable computing device. As a first approach to solve this problem, we can express³ U in the form

$$U = U_k \cdot U_{k-1} \cdots U_2 \cdot U_1, \tag{2.59}$$

where · denotes ordinary matrix multiplication and $U_i$ are unitary matrices with technically more feasible solution. Each evolution step described by $U_i$ is executed at time $t_i$, $t_i < t_{i+1}$, thus the whole computation has k time steps; see Figure 2.6. As in classical computing, a quantum computation (algorithm) is said to be efficient iff the number of time steps k is bounded by a polynomial with respect to its input size n.

It still may be a hard technical problem to build a device corresponding to an evolution described by some matrix $U_i$. Therefore, we decompose $U_i$ to a tensor product of elementary gates denoted by ♣, ♦, . . . ∈ S, where S is some set of universal gates. Thus, $U_i$ = ♣ ⊗ ♠ ⊗ · · · ⊗ ♦. Strictly speaking, let $\square$ denote all gates from a universal set S, then assuming $\square$ represents a specific gate at each step l, we write

$$U_i = \bigotimes_{l} \square, \quad \text{where } 1 \le l \le n, \text{ and } U_i \text{ is a } 2^n \times 2^n \text{ matrix.} \tag{2.60}$$

² Note that for U=NOT we have the CNOT gate.

³ The existence of a set of universal gates guarantees this decomposition to be possible.


[Figure 2.6: Number of circuit time steps. Left: circuit with 1-step evolution (U applied to the wires |0〉, |0〉, ..., |0〉). Right: circuit with k-step evolution (U1, U2, ..., Uk applied to |ψ〉t0 at times t0, t1, t2, ..., tk).]

Let us see how to read a simple circuit in Figure 2.7. The whole computation (algorithm) is represented by a unitary matrix U. However, U may not be an elementary gate and it could be better (technically feasible) to evolve the system in three steps in order to complete the computation. In the first step, we apply the Hadamard rotation to both qubits, $U_1 = H^{\otimes 2} = H \otimes H$. In case of need, this step can be divided into two steps because the rotation of one qubit is independent of the other. The second step consists of applying the CNOT gate. It can be shown that the CNOT gate is irreducible, i.e. cannot be written as a tensor product of two 2 × 2 unitary matrices, and therefore this gate is inevitably elementary. At the last step, the Hadamard rotation is applied to the first qubit only. The empty wire on the second qubit can be seen as an identity operation I acting on it, hence $U_3 = H \otimes I$. Using equations (2.59) and (2.60) we can write $U = U_3 \cdot U_2 \cdot U_1 = (H \otimes I) \cdot (\mathrm{CNOT}) \cdot (H \otimes H)$.

[Figure 2.7: Circuit decomposition. Panels a), b), c) show the operation U, the steps U1, U2, U3, and the Hadamard gates H.]

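Example 27 (Equally weighted superposition of basis states). For many algorithms, it is of importance to prepare an equally weighted superposition of basis states as the initial state. This can be achieved using a linear number of Hadamard rotations, assuming we have a state $|0^{(n)}\rangle = |0\rangle|0\rangle \ldots |0\rangle$.

$$H|0\rangle = \frac{1}{\sqrt{2}}\left(|0\rangle + |1\rangle\right) \tag{2.61}$$

$$H^{\otimes 2}|0^{(2)}\rangle = H|0\rangle \otimes H|0\rangle = \frac{1}{2}\left(|0\rangle + |1\rangle + |2\rangle + |3\rangle\right) \tag{2.62}$$

$$H^{\otimes n}|0^{(n)}\rangle = \bigotimes^{n} H|0\rangle = \frac{1}{\sqrt{2^n}} \sum_{i=0}^{2^n-1} |i\rangle. \tag{2.63}$$

For a general state $|x\rangle \in \{0,1\}^n$ we have

$$H^{\otimes n}|x\rangle = \frac{1}{\sqrt{2^n}} \sum_{y\in\{0,1\}^n} (-1)^{x\cdot y}|y\rangle, \quad \text{where } x \cdot y = \bigoplus_{j=0}^{n} x_j y_j. \tag{2.64}$$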


[Figure 2.8: Tensor product of Hadamard rotation gates. A Hadamard gate H on each wire ∼ H⊗n.]

Example 28 (Entangled pair creation). Two systems are said to be entangled iff the joint state is not a product state.

• State |ψ〉 = |00〉 is a product state: |00〉 = |0〉 ⊗ |0〉.

• State $|\psi\rangle = \frac{1}{2}(|00\rangle + |01\rangle + |10\rangle + |11\rangle)$ is a product state: $\frac{1}{2}(|00\rangle + |01\rangle + |10\rangle + |11\rangle) = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) \otimes \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$.

• State $|\psi\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$ is not a product state.

An entangled state cannot be created from a product state by applying only local actions. To entangle two qubits an irreducible gate, e.g. CNOT, must be used. Figure 2.9 shows a circuit corresponding to the following computation.

$$|0\rangle \otimes |0\rangle \xrightarrow{H\otimes I} H|0\rangle \otimes |0\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) \otimes |0\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |10\rangle) \xrightarrow{\mathrm{CNOT}} \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$$

    |q0〉 = |0〉 ──[H]──•──
    |q1〉 = |0〉 ───────⊕──

Figure 2.9: Circuit producing an entangled pair from product state |0〉|0〉.

As one may expect, it is not possible to transform an entangled state into a product state by applying only local actions. An irreducible gate must be used in order to do it.

For a two-qubit system, there are four entangled states of special importance. We call them Bell states. Bell states are orthogonal and can be used as a basis for a 4-dimensional Hilbert space $\mathcal{H}_4$. See Table 2.3 for Bell states. The state $|\Psi^-\rangle$ is called a singleton.

$$|\Phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$$

$$|\Phi^-\rangle = \frac{1}{\sqrt{2}}(|00\rangle - |11\rangle)$$

$$|\Psi^+\rangle = \frac{1}{\sqrt{2}}(|01\rangle + |10\rangle)$$

$$|\Psi^-\rangle = \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle)$$

Table 2.3: Bell states


Example 29 (Two-bit adder). A two-bit adder is a function performing the mapping

$$(a, b) \longrightarrow (a \oplus b,\ a \wedge b), \tag{2.65}$$

where (a ⊕ b) is the sum and (a ∧ b) represents the carry. Such a computation is not reversible because taking an output we cannot always reconstruct the input. If we want to implement a two-bit adder using quantum gates without performing a measurement, i.e. reversibly, we need to find a modified one-to-one mapping. Recall that unitarity of quantum gates implies their reversibility. The mapping

$$(a, b, 0) \longrightarrow (a,\ a \oplus b,\ a \wedge b), \tag{2.66}$$

involving additional input and output is one-to-one (see Table 2.4) and therefore could be implemented using quantum gates. The solution is shown in Figure 2.10.

| a | b | 0 | a | a ⊕ b | a ∧ b |
|---|---|---|---|-------|-------|
| 0 | 0 | 0 | 0 | 0     | 0     |
| 0 | 1 | 0 | 0 | 1     | 0     |
| 1 | 0 | 0 | 1 | 1     | 0     |
| 1 | 1 | 0 | 1 | 0     | 1     |

Table 2.4: One-to-one mapping of a two-bit quantum adder.

[Figure 2.10: Quantum implementation of a two-bit adder. Inputs |a〉, |b〉, |0〉; outputs |a〉, |a ⊕ b〉, |a ∧ b〉.]

The mentioned quantum implementation of a two-bit adder does not bring advantages in terms of parallelism and speed-up over the classic adders. However, one big advantage is clear at first sight. It is the reversibility of this computation and its connection to heat dissipation. This connection is given by Landauer's principle. Reversible gates do not destroy any information, thus there is, in principle, no heat dissipation.

Remark 30 (Landauer's principle). Suppose a gate erases a single bit of information. The amount of energy dissipated into the environment is at least $k_B T \ln 2$, where $k_B$ is the Boltzmann constant and T is the temperature of the environment.

The example with an adder showed us an approach to building a reversible circuit for an irreversible Boolean function. We had to add one more input and find a suitable unitary gate. The gate we have used, the first one in Figure 2.10, is the Toffoli gate⁴ (Controlled-CNOT, CCNOT). The Toffoli gate performs the mapping

$$(a, b, c) \to (a, b, c \oplus ab), \tag{2.67}$$

and its matrix representation is

$$\mathrm{CCNOT} = \begin{pmatrix} I & 0 \\ 0 & \mathrm{CNOT} \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \end{pmatrix}. \tag{2.68}$$

⁴ Finding a decomposition of the Toffoli gate using only CNOT and one-qubit gates is not trivial, see [7].

The Toffoli gate is universal for classical computation. The NAND gate, which is universal, can be constructed from the Toffoli gate by setting its third input to 1.

$$(a, b, 1) \longrightarrow (a, b, 1 \oplus ab) = (a, b, \neg(ab)) \tag{2.69}$$

Unfortunately, the price of construction of a quantum circuit for a classical irreversible function f(x) is quite high. The example with an adder has shown us that an additional qubit was required. Larger circuits would involve more qubits to be able to accumulate the whole history of a computation. Such qubits are called, by convention, ancilla qubits.

To deal with the growing amount of ancilla qubits some kind of 'garbage' removal must be applied. In general, it is done by 'uncomputing'. The basic idea is sketched in Figure 2.11.

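[Figure 2.11: Reversible computation with garbage removal. Panel "General scheme": Uf(x) maps the inputs x, y to x, y ⊕ f(x). Panel "Implementation details": Vf(x) and its inverse act on x and on ancilla qubits initialized to 0, with outputs x, f(x) and zeroed ancilla qubits; dashed lines are labeled a) and b).]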

First, we take a reversible circuit $V_{f(x)}$ for a function f : {0, 1} → {0, 1} and execute the computation. As the computation is done the result is 'copied' using a CNOT gate. Qubits marked with the dashed line labeled a) now accumulate the history of the computation. Second, we perform the 'uncomputation' by applying $V^{-1}_{f(x)}$. Ancilla qubits marked with the dashed line labeled b) are zeroed and ready to be reused. To conclude, when designing a good quantum algorithm one must stop thinking in terms of classical irreversible gates, which cause the need for ancilla qubits.

Example 31 (Deutsch's problem). Given a function f : {0, 1} → {0, 1} as a black box $U_f$, the task is to determine whether f(0) ⊕ f(1) = 0 or 1 (i.e. whether f is constant or balanced). The classical solution would involve evaluating f in all points of its domain, while exploiting quantum parallelism this can be done, in principle, in one step. Figure 2.12 shows the circuit for the following computation. Notice that the computation is deterministic!

$$|0\rangle|1\rangle \xrightarrow{H^{\otimes 2}} \frac{1}{2}(|0\rangle + |1\rangle)(|0\rangle - |1\rangle) \tag{2.70}$$

$$\xrightarrow{U_f} \frac{1}{2}\left((-1)^{f(0)}|0\rangle + (-1)^{f(1)}|1\rangle\right)(|0\rangle - |1\rangle) \tag{2.71}$$

$$= \frac{1}{2}(-1)^{f(0)}\left(|0\rangle + (-1)^{f(0)\oplus f(1)}|1\rangle\right)(|0\rangle - |1\rangle) \tag{2.72}$$

$$= \frac{1}{\sqrt{2}}(-1)^{f(0)}\,|f(0)\oplus f(1)\rangle'\,(|0\rangle - |1\rangle) \tag{2.73}$$

$$\xrightarrow{H\otimes I} \frac{1}{\sqrt{2}}(-1)^{f(0)}\,|f(0)\oplus f(1)\rangle\,(|0\rangle - |1\rangle) \tag{2.74}$$

$$= \begin{cases} \frac{1}{\sqrt{2}}(-1)^{f(0)}|0\rangle(|0\rangle - |1\rangle) & \text{if } f \text{ is constant,} \\ \frac{1}{\sqrt{2}}(-1)^{f(0)}|1\rangle(|0\rangle - |1\rangle) & \text{if } f \text{ is balanced.} \end{cases} \tag{2.75}$$

[Figure 2.12: Circuit solving Deutsch's problem. First wire: |0〉, H, Uf, H, measurement. Second wire: |1〉, H, Uf.]

Let us take a closer look at each step of this algorithm. We know that we are interested in values f(x) where x ∈ {0, 1}. One qubit is sufficient to represent numbers 0 and 1 at the same time. The equally weighted superposition $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ is created by applying the Hadamard rotation to the state |0〉. In the second step, we want to use a special property of the mapping

$$U_f : (x, y) \to (x, y \oplus f(x)),$$

when y is set to $\frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$.

$$U_f\,|x, \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\rangle = \frac{1}{\sqrt{2}}\left(|x, 0 \oplus f(x)\rangle - |x, 1 \oplus f(x)\rangle\right) = (-1)^{f(x)}\,|x, \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\rangle. \tag{2.76}$$

State $\frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$ is prepared on the second qubit by applying the Hadamard rotation to state |1〉. Expression (2.71) shows the resulting state after the second step of the computation is done. Exploiting quantum parallelism, we have calculated f(0) and f(1) at the same time. Now, both values are encoded in the superposition of the first qubit and a question arises how to harvest the desired information f(0) ⊕ f(1). After a subtle rearrangement of equations, we see that the state of the first qubit is

$$\begin{cases} \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle), \text{ i.e. } |0'\rangle, & \text{if } f(0) \oplus f(1) = 0, \\ \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle), \text{ i.e. } |1'\rangle, & \text{if } f(0) \oplus f(1) = 1. \end{cases}$$

States labeled |0′〉 and |1′〉 are so-called dual basis vectors, see expressions (2.5). We use the Hadamard rotation for transformation to standard basis vectors. Finally, the first qubit is measured (i.e. projected to |0〉 and |1〉). Resulting state |0〉 signifies f is constant, while state |1〉 signifies f is balanced. Note that it is not necessary to make a projection to the standard basis only. The dual basis is suitable as well.
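The steps (2.70) to (2.75) can be checked numerically. The following state-vector simulation is an added example, not code from the thesis; the function names and the amplitude ordering (index = 2x + y) are choices made here.

```python
import math

S = 1 / math.sqrt(2)

def hadamard(state, mask):
    """Apply H to the qubit selected by mask (2 = first qubit x, 1 = second qubit y)."""
    return [S * (state[i & ~mask] + (-1 if i & mask else 1) * state[i | mask])
            for i in range(4)]

def apply_uf(state, f):
    """U_f: |x, y> -> |x, y XOR f(x)>, a permutation of the basis states."""
    out = [0.0] * 4
    for x in (0, 1):
        for y in (0, 1):
            out[2 * x + (y ^ f(x))] += state[2 * x + y]
    return out

def deutsch(f):
    """Return (P(first qubit measures 1), final amplitudes) for Figure 2.12."""
    state = [0.0, 1.0, 0.0, 0.0]                 # |0>|1>, index = 2*x + y
    state = hadamard(hadamard(state, 2), 1)      # H on both qubits, (2.70)
    state = apply_uf(state, f)                   # U_f applied once, (2.71)
    state = hadamard(state, 2)                   # H on the first qubit, (2.74)
    return state[2] ** 2 + state[3] ** 2, state

# All four functions {0,1} -> {0,1}
FUNCTIONS = {
    "f(x)=0": lambda x: 0,          # constant
    "f(x)=1": lambda x: 1,          # constant
    "f(x)=x": lambda x: x,          # balanced
    "f(x)=1-x": lambda x: 1 - x,    # balanced
}

def classify(f):
    """Decide constant/balanced from the first-qubit measurement statistics."""
    p_one, _ = deutsch(f)
    return "balanced" if p_one > 0.5 else "constant"

if __name__ == "__main__":
    for name, f in FUNCTIONS.items():
        p_one, amps = deutsch(f)
        print(name, classify(f), round(p_one, 6), [round(a, 3) for a in amps])
```

The measurement probability is 0 or 1 for every f, and the final amplitudes carry the global sign $(-1)^{f(0)}$ of (2.75).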

Note on quantum parallelism. Let $f : \{0,1\}^n \to \{0,1\}^m$ be a function. There is a unitary transformation $U_f$ acting on an (n+m)-qubit register such that

$$|x, y\rangle \xrightarrow{U_f} |x, y \oplus f(x)\rangle,$$

where x ∈ n-qubit subregister, and y ∈ m-qubit subregister. See Figure 2.13.

[Figure 2.13: Uf transformation of (n+m)-qubit register. Inputs x (n qubits) and y (m qubits); outputs x (n qubits) and y ⊕ f(x) (m qubits).]

Suppose a state |ψ〉 of the (n+m)-qubit register is a uniform superposition of all $2^n$ basis states,

$$|\psi\rangle = \left(H^{\otimes n} \otimes I^{\otimes m}\right)(|0, 0\rangle) = \frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x, 0\rangle. \tag{2.77}$$

If now the operator $U_f$ is applied to |ψ〉 we compute, in one computational step,

$$U_f|\psi\rangle = \frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x, f(x)\rangle, \tag{2.78}$$

all values f(x), $x \in \{0, 1, \ldots, 2^n - 1\}$. On a classic computer this would involve $2^n$ repetitions of executing f to compute all these values. However, if the decomposition of $U_f$ to elementary gates is efficient, which is often the case, there is a significant speed-up using a quantum computing device.

Unfortunately, it is not possible to say that we get all values f(x) thanks to quantum parallelism. Strictly speaking, all values f(x) are really computed and they are encoded in the superposition, but following the Holevo theorem [10] one can retrieve only m bits of information from an m-qubit (sub)register. Hence quantum parallelism is of use for tasks concerning global properties of a function such as its periodicity or whether it is a constant function, as we have seen in Deutsch's problem. Additionally, finding an efficient algorithm for extracting the encoded information may be highly non-trivial.

Example 32 (Quantum teleportation). Quantum teleportation is a novel way to transfer a state of a qubit without using a physical quantum channel like a fiber optic line. In order to teleport a quantum state a previously shared entangled pair is needed and two classic bits have to be transferred.

Let $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$ be a state to be teleported, where α and β are unknown amplitudes, and $|\phi\rangle = \frac{1}{\sqrt{2}}(|0\rangle_A|0\rangle_B + |1\rangle_A|1\rangle_B)$ be a shared entangled pair. Party A owns the qubit |ψ〉 and the first qubit from the shared pair. Party B owns the second qubit from the shared pair. The teleportation can be described as follows. The corresponding circuit is shown in Figure 2.14.

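$$|\psi\rangle|\phi\rangle = \frac{1}{\sqrt{2}}\big(\alpha|0\rangle(|0\rangle_A|0\rangle_B + |1\rangle_A|1\rangle_B) + \beta|1\rangle(|0\rangle_A|0\rangle_B + |1\rangle_A|1\rangle_B)\big) \tag{2.79}$$

$$\xrightarrow{\mathrm{CNOT}\otimes I} \frac{1}{\sqrt{2}}\big(\alpha|0\rangle(|0\rangle_A|0\rangle_B + |1\rangle_A|1\rangle_B) + \beta|1\rangle(|1\rangle_A|0\rangle_B + |0\rangle_A|1\rangle_B)\big) \tag{2.80}$$

$$\xrightarrow{H\otimes I\otimes I} \frac{1}{2}\big(\alpha(|0\rangle + |1\rangle)(|0\rangle_A|0\rangle_B + |1\rangle_A|1\rangle_B) + \beta(|0\rangle - |1\rangle)(|1\rangle_A|0\rangle_B + |0\rangle_A|1\rangle_B)\big)$$

$$= \frac{1}{2}\big[\,|0\rangle|0\rangle_A(\alpha|0\rangle_B + \beta|1\rangle_B) + |0\rangle|1\rangle_A(\alpha|1\rangle_B + \beta|0\rangle_B) + |1\rangle|0\rangle_A(\alpha|0\rangle_B - \beta|1\rangle_B) + |1\rangle|1\rangle_A(\alpha|1\rangle_B - \beta|0\rangle_B)\,\big] \tag{2.81}$$

$$\xrightarrow[M_1\otimes M_2\otimes I]{\text{measurement}} \begin{cases} |0\rangle|0\rangle_A(\alpha|0\rangle_B + \beta|1\rangle_B), & \text{if the result is } 00, \\ |0\rangle|1\rangle_A(\alpha|1\rangle_B + \beta|0\rangle_B), & \text{if the result is } 01, \\ |1\rangle|0\rangle_A(\alpha|0\rangle_B - \beta|1\rangle_B), & \text{if the result is } 10, \\ |1\rangle|1\rangle_A(\alpha|1\rangle_B - \beta|0\rangle_B), & \text{if the result is } 11. \end{cases} \tag{2.82}$$

$$\xrightarrow{\text{communication}} \text{The two-bit result is communicated over a classic channel.} \tag{2.83}$$

$$\xrightarrow{\text{correction}} \begin{cases} \text{case 00: } \alpha|0\rangle_B + \beta|1\rangle_B \xrightarrow{I} \alpha|0\rangle_B + \beta|1\rangle_B \\ \text{case 01: } \alpha|1\rangle_B + \beta|0\rangle_B \xrightarrow{X} \alpha|0\rangle_B + \beta|1\rangle_B \\ \text{case 10: } \alpha|0\rangle_B - \beta|1\rangle_B \xrightarrow{Z} \alpha|0\rangle_B + \beta|1\rangle_B \\ \text{case 11: } \alpha|1\rangle_B - \beta|0\rangle_B \xrightarrow{X\cdot Z} \alpha|0\rangle_B + \beta|1\rangle_B \end{cases} \tag{2.84}$$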

[Figure 2.14: Circuit for quantum teleportation. Inputs: |ψ〉 and the shared pair |φ〉 = 1/√2 (|00〉 + |11〉). Elements: H, measurements M1 and M2, corrections X^M2 and Z^M1. Output: |ψ〉.]

At first sight, it may appear that party B, after the measurement step, almost has the state |ψ〉, although a bit corrupted; see equation (2.82). Hence it looks like faster-than-light communication! However, this is not the case. Party B has no information about the state |ψ〉 until he receives the two bits of information.

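The density operator of the total system after the measurement is

$$\begin{aligned} \rho = \frac{1}{4}\big[\; & |0\rangle|0\rangle_A\langle 0|\langle 0|_A\,(\alpha|0\rangle_B + \beta|1\rangle_B)(\alpha^*\langle 0|_B + \beta^*\langle 1|_B) \\ +\; & |0\rangle|1\rangle_A\langle 0|\langle 1|_A\,(\alpha|1\rangle_B + \beta|0\rangle_B)(\alpha^*\langle 1|_B + \beta^*\langle 0|_B) \\ +\; & |1\rangle|0\rangle_A\langle 1|\langle 0|_A\,(\alpha|0\rangle_B - \beta|1\rangle_B)(\alpha^*\langle 0|_B - \beta^*\langle 1|_B) \\ +\; & |1\rangle|1\rangle_A\langle 1|\langle 1|_A\,(\alpha|1\rangle_B - \beta|0\rangle_B)(\alpha^*\langle 1|_B - \beta^*\langle 0|_B)\;\big]. \end{aligned} \tag{2.85}$$

Tracing out the qubit |ψ〉 and the one labeled A, we will get the reduced density operator for the qubit labeled B.

$$\begin{aligned} \rho_B = \mathrm{tr}_{\psi,A}(\rho) = \frac{1}{4}\big[\; & (\alpha|0\rangle_B + \beta|1\rangle_B)(\alpha^*\langle 0|_B + \beta^*\langle 1|_B) \\ +\; & (\alpha|1\rangle_B + \beta|0\rangle_B)(\alpha^*\langle 1|_B + \beta^*\langle 0|_B) \\ +\; & (\alpha|0\rangle_B - \beta|1\rangle_B)(\alpha^*\langle 0|_B - \beta^*\langle 1|_B) \\ +\; & (\alpha|1\rangle_B - \beta|0\rangle_B)(\alpha^*\langle 1|_B - \beta^*\langle 0|_B)\;\big] \end{aligned} \tag{2.86}$$

$$= \frac{2(|\alpha^2| + |\beta^2|)\,|0\rangle\langle 0|_B + 2(|\alpha^2| + |\beta^2|)\,|1\rangle\langle 1|_B}{4} \tag{2.87}$$

$$= \frac{|0\rangle\langle 0|_B + |1\rangle\langle 1|_B}{2} \tag{2.88}$$

$$= \frac{I}{2} \tag{2.89}$$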


This maximally mixed state has no dependence upon the state |ψ〉 and therefore any measurement performed by B will contain no information about |ψ〉 as long as A's results are not transferred.
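The derivation (2.79) to (2.89) can be reproduced with a three-qubit state-vector simulation. This is an added example, not code from the thesis; the amplitude ordering and function names are choices made here. It also checks what B obtains when he applies the correction for the wrong two bits, which is why Section 3.1 requires these bits to travel over an authenticated classic channel.

```python
import math

S = 1 / math.sqrt(2)

def teleport(alpha, beta):
    """Simulate (2.79)-(2.82); amplitude index is 4*q + 2*a + b for |q>|a>_A|b>_B.

    Returns (rho_B while A's result is unknown to B,
             {(m1, m2): (probability, B's normalised state before correction)}).
    """
    state = [0j] * 8
    for q, amp in ((0, alpha), (1, beta)):       # |psi> (x) (|00> + |11>)/sqrt(2)
        state[4 * q + 0b00] = amp * S
        state[4 * q + 0b11] = amp * S
    # CNOT (x) I: the qubit |psi> controls A's half of the pair, (2.80)
    state = [state[i ^ 2] if i & 4 else state[i] for i in range(8)]
    # H (x) I (x) I on the qubit |psi>, (2.81)
    state = [S * (state[i & 3] + (-1 if i & 4 else 1) * state[(i & 3) | 4])
             for i in range(8)]
    rho_b = [[0j, 0j], [0j, 0j]]
    outcomes = {}
    for m1 in (0, 1):
        for m2 in (0, 1):
            b = [state[4 * m1 + 2 * m2 + k] for k in (0, 1)]
            for i in (0, 1):
                for j in (0, 1):
                    rho_b[i][j] += b[i] * b[j].conjugate()   # sum over outcomes
            prob = abs(b[0]) ** 2 + abs(b[1]) ** 2
            outcomes[(m1, m2)] = (prob, [x / math.sqrt(prob) for x in b])
    return rho_b, outcomes

def correct(b, bits):
    """Apply X if m2 = 1, then Z if m1 = 1, as in (2.84), for the bits B was told."""
    m1, m2 = bits
    if m2:
        b = [b[1], b[0]]
    if m1:
        b = [b[0], -b[1]]
    return b

def fidelity(alpha, beta, b):
    """|<psi|b>|^2 for |psi> = alpha|0> + beta|1>."""
    return abs(complex(alpha).conjugate() * b[0]
               + complex(beta).conjugate() * b[1]) ** 2

if __name__ == "__main__":
    a, bt = 0.6, 0.8j                            # constructed sample amplitudes
    rho_b, outcomes = teleport(a, bt)
    print("rho_B =", rho_b)
    for bits, (p, b) in outcomes.items():
        print(bits, round(p, 3), round(fidelity(a, bt, correct(b, bits)), 3))
    print("wrong bits:", fidelity(a, bt, correct(outcomes[(0, 0)][1], (0, 1))))
```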

Quantum teleportation is a good example⁵ of how entanglement can be used as a resource for quantum computation and information processing. From the mathematical point of view, the concept of entanglement is a trivial one. Physically, the fact that entangled particles can be far away from each other, and a measurement on one particle immediately determines the state of the others, is a very puzzling phenomenon. Quoting Schrödinger (1935), an entanglement is the characteristic trait of quantum mechanics, the one that enforces its entire departure from classical lines of thought.

2.5 Physical realizations

There are many technological approaches for quantum computing based on different experimental physics subfields. These subfields are

• nuclear magnetic resonance (NMR) quantum computation,

• ion trap quantum computation,

• neutral atom quantum computation,

• cavity quantum electro-dynamic (QED) computation,

• optical quantum computation,

• solid state (spin-based and quantum-dots-based) quantum computation,

• superconducting quantum computation.

To represent the promise of each approach, the DiVincenzo criteria are widely accepted. Necessary conditions for any viable quantum computation technology are

1. a scalable physical system of well-characterized qubits,

2. the ability to initialize the state of the qubits to a simple fiducial state,

3. relatively long decoherence times, much longer than the gate-operation time,

4. a universal set of quantum gates,

5. a qubit-specific measurement capability,

6. the ability to interconvert stationary and flying qubits,

7. the ability to faithfully transmit flying qubits between specified locations.

Table 2.5 summarizes the state-of-the-art according to ARDA Quantum Information Science and Technology Roadmap v2.0; http://qist.lanl.gov/ .

The latest known success is a 7-qubit system built by IBM in 2001. They have used the NMR approach to quantum computing. However, this technology is not well scalable and most probably another approach will have to be used.

⁵ Another example is dense coding, a counterpart to quantum teleportation, where two classic bits are transferred using one qubit.


| QC approach     | #1 | #2 | #3 | #4 | #5 | #6 | #7 |
|-----------------|----|----|----|----|----|----|----|
| NMR             | ♠  | ♦  | ♦  | ♥  | ♦  | ♠  | ♠  |
| Trapped Ion     | ♦  | ♥  | ♦  | ♥  | ♥  | ♦  | ♦  |
| Neutral Atom    | ♦  | ♥  | ♦  | ♦  | ♦  | ♦  | ♦  |
| Cavity QED      | ♦  | ♥  | ♦  | ♦  | ♥  | ♦  | ♦  |
| Optical         | ♦  | ♦  | ♥  | ♦  | ♦  | ♦  | ♥  |
| Solid State     | ♦  | ♦  | ♦  | ♦  | ♦  | ♠  | ♠  |
| Superconducting | ♦  | ♥  | ♦  | ♦  | ♦  | ♠  | ♠  |

Legend:

♥ - a potentially viable approach has achieved sufficient proof of principle

♦ - a potentially viable approach has been proposed, but there has not been sufficient proof of principle

♠ - no viable approach is known

Table 2.5: The DiVincenzo promise criteria.


3 Previous work and partial results

My background comes from the field of computer language compiler construction and operating systems design. My master's thesis, focused on low-level security in the GNU/Linux system, was revised and published as a book 'Linux - bezpecnost a exploity' (in English: Linux - security and exploits), see [A.4], by the Kopp publisher in 2004. The thesis was also awarded by the Armed Forces Communications and Electronics Association Czech Republic in 2003.

Starting Ph.D. studies, the author concentrated his effort on studying cryptography and steganography. The state-of-the-art of these disciplines led him to quantum cryptography and quantum computation in general. He presented an overview of advantages of quantum cryptography over classic cryptography at CTU Workshop'05, see [A.1], and CryptoFest'05, see [A.2].

The latest work [A.3] was focused on an analysis of the protocol for qubit authentication presented by M. Curty et al. [6]. It has also been shown how to simulate such a protocol using the Quantum-Octave package for numerical simulations. Results of this work were presented at The 3rd International Workshop on Quantum Physics and Communication, Dubna, Russia, 2005. The following subsection briefly summarizes quantum authentication and the author's contribution.

3.1 Quantum authentication of messages

It is an open question whether quantum resources can help to improve security or effectiveness of message authentication. Generally, we may want to authenticate classic messages as well as quantum ones. Leung has proposed a protocol [11] based on a modified private quantum channel. Barnum and co-workers presented a secret-key quantum authentication protocol [1] that uses stabilizer purity testing codes. In [6] the authors studied qubit authentication using a unitary coding set and a key of minimal length.

It is also mandatory to acknowledge the solution based on quantum teleportation [2]. In this scenario the communicating parties must share an EPR-pair. They follow the rules for quantum teleportation, which require several unitary operations, measurement and transfer of two classic bits. These two bits must be transferred over an authenticated classic channel. Thus the problem of qubit authentication only shifts to the authentication of two classic bits.

3.1.1 The protocol

The description of a protocol for the one-qubit message-length case as presented in [6] follows.

Prepositions. Party A wants to send an arbitrary qubit described by the density operator $\rho_M$ acting on a two-dimensional message space M. As in the classic case, some tag needs to be appended to a message, in order to allow the recipient party B to convince himself about the authenticity of the message. Let the tag be given by a density operator $\rho_T$ acting on a two-dimensional tag space T. The space T has to be divided into two orthogonal subspaces. One subspace represents a valid tag while the other represents an invalid tag. Without loss of generality, the state $\rho_T = |0\rangle\langle 0|_T$ can be fixed as a valid tag.

The space of tagged messages is defined as $\varepsilon = M \otimes T$; the tagged message as $\rho_\varepsilon = \rho_M \otimes \rho_T$. On the space ε a unitary coding set $\{Id_\varepsilon, U_\varepsilon\}$ is defined, where $Id_\varepsilon$ is the identity matrix and $U_\varepsilon$ a unitary transformation. The shared secret key has the form of a maximally entangled EPR-pair. Each of the parties owns one qubit of the publicly known state $|\psi\rangle_{AB} = \frac{1}{\sqrt{2}}(|01\rangle_{AB} - |10\rangle_{AB})$. The state of the global system (secret-key + tagged message) is given by

$$\rho_{AB\varepsilon} = |\psi\rangle\langle\psi|_{AB} \otimes \rho_\varepsilon = |\psi\rangle\langle\psi|_{AB} \otimes \rho_M \otimes |0\rangle\langle 0|_T. \tag{3.1}$$


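Encoding. Party A performs an encoding operation

$$E_{A\varepsilon} = |0\rangle\langle 0|_A \otimes Id_B \otimes Id_\varepsilon + |1\rangle\langle 1|_A \otimes Id_B \otimes U_\varepsilon. \tag{3.2}$$

The encoding operation can be seen as a selection of an operation from the set $\{Id_\varepsilon, U_\varepsilon\}$ triggered by the resulting state of the key. Once the operation is selected, it is applied to $\rho_\varepsilon$ before sending it through the quantum channel. The state of the global system after the encoding operation is given by

$$\rho^{e}_{AB\varepsilon} = E_{A\varepsilon}\,\rho_{AB\varepsilon}\,E^{\dagger}_{A\varepsilon} = \frac{1}{2}\left(|01\rangle\langle 01| \otimes \rho_\varepsilon - |01\rangle\langle 10| \otimes \rho_\varepsilon U^{\dagger}_\varepsilon - |10\rangle\langle 01| \otimes U_\varepsilon\rho_\varepsilon + |10\rangle\langle 10| \otimes U_\varepsilon\rho_\varepsilon U^{\dagger}_\varepsilon\right). \tag{3.3}$$

Decoding. Party B performs a decoding operation

$$D_{B\varepsilon} = Id_A \otimes |0\rangle\langle 0|_B \otimes U^{\dagger}_\varepsilon + Id_A \otimes |1\rangle\langle 1|_B \otimes Id_\varepsilon. \tag{3.4}$$

The state of the global system after the decoding operation is given by

$$\rho^{d}_{AB\varepsilon} = D_{B\varepsilon}\,\rho^{e}_{AB\varepsilon}\,D^{\dagger}_{B\varepsilon} = \frac{1}{2}\left(|01\rangle\langle 01| \otimes \rho_\varepsilon - |01\rangle\langle 10| \otimes \left(\rho_\varepsilon U^{\dagger}_\varepsilon\right)U_\varepsilon - |10\rangle\langle 01| \otimes U^{\dagger}_\varepsilon\left(U_\varepsilon\rho_\varepsilon\right) + |10\rangle\langle 10| \otimes U^{\dagger}_\varepsilon\left(U_\varepsilon\rho_\varepsilon U^{\dagger}_\varepsilon\right)U_\varepsilon\right). \tag{3.5}$$

Verification. Party B receives the decoded tagged message $\rho^{d}_\varepsilon$ by tracing out the key from the state of the global system: $\rho^{d}_\varepsilon = \mathrm{Tr}_{AB}\left(\rho^{d}_{AB\varepsilon}\right) = \frac{1}{2}(\rho_\varepsilon + \rho_\varepsilon) = \rho_\varepsilon$. Finally, the tag portion of $\rho_\varepsilon$ is measured, and if it belongs to the valid tag subspace of space T, then the extracted message $\rho_M$ is considered to be authentic.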

3.1.2 Message attack

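Let us now consider a 'message attack' performed by some adversary party E. This party, with full access to a public quantum channel, sees the state

$$\rho^{e}_\varepsilon = \mathrm{Tr}_{AB}\Big( E_{A\varepsilon} \big( |\psi\rangle\langle\psi|_{AB} \otimes \rho_M \otimes |0\rangle\langle 0|_T \big) E^{\dagger}_{A\varepsilon} \Big) = \frac{1}{2}\Big( \rho_M \otimes |0\rangle\langle 0|_T + U_\varepsilon \big( \rho_M \otimes |0\rangle\langle 0|_T \big) U^{\dagger}_\varepsilon \Big). \tag{3.6}$$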

The task is to find a transformation $Q_E$ which, applied to $\rho^{e}_\varepsilon$, will modify $\rho_M$ while keeping the tag portion intact. The authors of [6] have an existential proof that such a transformation always exists regardless of the choice of $U_\varepsilon$, thus the protocol is not secure. However, they do not state the form of such a transformation and its consequences.

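Contribution. Let $U_\varepsilon$ be a separable gate of the form $U_\varepsilon = U_M \otimes U_T$, then

$$\rho^{e}_\varepsilon = \frac{1}{2}\Big( \rho_M \otimes |0\rangle\langle 0|_T + \big( U_M \rho_M U^{\dagger}_M \big) \otimes \big( U_T |0\rangle\langle 0|_T U^{\dagger}_T \big) \Big). \tag{3.7}$$

For $Q_E = X \otimes \mathrm{Id}$, where $Q_E \in \varepsilon$, $X \in M$, $\mathrm{Id} \in T$, we have $\rho^{e,E}_\varepsilon = Q_E \rho^{e}_\varepsilon Q^{\dagger}_E$;

$$\rho^{e,E}_\varepsilon = \frac{1}{2}\Big( X \rho_M X^{\dagger} \otimes |0\rangle\langle 0|_T + \big( X ( U_M \rho_M U^{\dagger}_M ) X^{\dagger} \big) \otimes \big( U_T |0\rangle\langle 0|_T U^{\dagger}_T \big) \Big). \tag{3.8}$$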


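After the decoding operation we have

$$\rho^{d,E}_\varepsilon = \frac{1}{2}\Big( X \rho_M X^{\dagger} \otimes |0\rangle\langle 0|_T + \big( U^{\dagger}_M X U_M \rho_M U^{\dagger}_M X^{\dagger} U_M \big) \otimes \big( U^{\dagger}_T U_T |0\rangle\langle 0|_T U^{\dagger}_T U_T \big) \Big), \tag{3.9}$$

and

$$\mathrm{Tr}_M\big( \rho^{d,E}_\varepsilon \big) = |0\rangle\langle 0|_T. \tag{3.10}$$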

Hence the adversary party is always able to change $\rho_M$ keeping the tag-portion intact, and there are no limits on the form of the unitary matrix $X$. This means that the adversary party, having some statistics of usually sent states $\rho_M$, is able to prepare such an $X$ that will cause maximal damage or even modify $\rho_M$ at will.

3.1.3 Secret-key discussion

A shared EPR-pair was used as a secret-key in the protocol. It is also possible to use a classical one-bit key for selecting the operation from the set $\{\mathrm{Id}, U_\varepsilon\}$. However, authenticating quantum data makes sense only in a scenario where a reliable technology for quantum information processing is available. From this point of view it is more logical to use a quantum key instead of a classical one. A quantum key also has better key-management properties due to the no-cloning theorem.

Anyway, the EPR-pair might get corrupted in transit. In such a case, the protocol does not behave in a deterministic way any more. One solution is to use entanglement purification [4] to establish a clean pair. In situations where the purification processes cannot be used for some reason (e.g. non-interactive processes), we need to evaluate how much the determinism of the protocol depends on the purity of the key.

Contribution. Let us correlate the EPR-pair corruption with the quantity of maximally mixed state in a mixture. The density operator of the key $|\psi\rangle_{AB} = \frac{1}{\sqrt{2}}(|01\rangle_{AB} - |10\rangle_{AB})$ is $|\psi\rangle\langle\psi|_{AB}$. Let the mixture be a function of $p$ of the form

$$\rho_{p,AB} = (1-p)\,|\psi\rangle\langle\psi|_{AB} + p\,\frac{\mathrm{Id}_{AB}}{4}. \tag{3.11}$$

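When the protocol is executed with this mixture, the resulting global state of the system is

$$\rho^{d}_{AB\varepsilon} = D_{AB\varepsilon} \Big( E_{AB\varepsilon} \big( \rho_{p,AB} \otimes \rho_M \otimes |0\rangle\langle 0|_T \big) E^{\dagger}_{AB\varepsilon} \Big) D^{\dagger}_{AB\varepsilon}, \text{ and} \tag{3.12}$$

$$\rho^{d}_\varepsilon = \mathrm{Tr}_{AB}\big( \rho^{d}_{AB\varepsilon} \big) = \frac{2-p}{2}\big( \rho_M \otimes |0\rangle\langle 0|_T \big) + \frac{p}{4}\Big( U^{\dagger}_\varepsilon \big( \rho_M \otimes |0\rangle\langle 0|_T \big) U_\varepsilon + U_\varepsilon \big( \rho_M \otimes |0\rangle\langle 0|_T \big) U^{\dagger}_\varepsilon \Big). \tag{3.13}$$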

Here, we can see that the probability of $\rho^{d}_\varepsilon$ passing B's verification test is unpleasantly high. Even for $p = 1$, i.e. a maximally mixed state of the key, the probability $P$ that B will receive the state $|0\rangle\langle 0|_T$ (and accept $\rho_M$ as authentic) after the measurement of the tag-portion is $P \ge 1/2$. Equality $P = 1/2$ holds for the case $p = 1$ when both $U_\varepsilon$ and $U^{\dagger}_\varepsilon$ take the tag-portion to $|1\rangle\langle 1|_T$.

With a good protocol, the probability of accepting a message should decrease very fast to zero if something is wrong with the key. Clearly, this is not the case.
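The results (3.9)-(3.10) of Section 3.1.2 and (3.13) of Section 3.1.3 can be checked numerically with a small density-matrix simulation. This is an added example, not code from the thesis proposal; the helper names (`run_protocol`, `key_state`, `demo`) and the sample choices $U_M = H$, $U_T = X$, $\rho_M = |0\rangle\langle 0|$ are assumptions made for illustration.

```python
# Added example: density-matrix simulation of the qubit authentication
# protocol of Section 3.1. Qubit order is A, B (key), M (message), T (tag).
from math import sqrt

def kron(a, b):
    """Kronecker product of two matrices given as lists of rows."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def mm(*ms):
    """Product of a chain of matrices, left to right."""
    out = ms[0]
    for m in ms[1:]:
        cols = list(zip(*m))
        out = [[sum(x * y for x, y in zip(r, c)) for c in cols] for r in out]
    return out

def dag(a):
    """Conjugate transpose."""
    return [[complex(x).conjugate() for x in col] for col in zip(*a)]

def add(a, b):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def scale(c, a):
    return [[c * x for x in r] for r in a]

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
H = [[1 / sqrt(2), 1 / sqrt(2)], [1 / sqrt(2), -1 / sqrt(2)]]
P0 = [[1, 0], [0, 0]]          # |0><0|, also the valid tag
P1 = [[0, 0], [0, 1]]          # |1><1|
I4 = kron(I2, I2)

def key_state(p):
    """Eq. (3.11): (1-p)|psi><psi| + p*Id/4, |psi> = (|01> - |10>)/sqrt(2)."""
    psi = [0, 1 / sqrt(2), -1 / sqrt(2), 0]
    pure = [[x * y for y in psi] for x in psi]
    return add(scale(1 - p, pure), scale(p / 4, I4))

def run_protocol(rho_m, u_m, u_t, p=0.0, attack=None):
    """Encode, optionally apply Q_E = attack (x) Id in transit, decode, verify.

    Returns (probability that B measures the valid tag,
             message state B holds when the tag is accepted)."""
    u = kron(u_m, u_t)                                   # separable U_eps
    enc = add(kron(P0, kron(I2, I4)), kron(P1, kron(I2, u)))        # Eq. (3.2)
    dec = add(kron(I2, kron(P0, dag(u))), kron(I2, kron(P1, I4)))   # Eq. (3.4)
    rho = kron(key_state(p), kron(rho_m, P0))            # Eq. (3.1)
    rho = mm(enc, rho, dag(enc))
    if attack is not None:
        q = kron(I4, kron(attack, I2))                   # acts on M only
        rho = mm(q, rho, dag(q))
    rho = mm(dec, rho, dag(dec))
    # Trace out the key: sum the four diagonal 4x4 blocks.
    eps = [[sum(rho[4 * k + i][4 * k + j] for k in range(4)) for j in range(4)]
           for i in range(4)]
    # The index of eps is 2*m + t, so tag |0> selects rows/columns 0 and 2.
    accept = (eps[0][0] + eps[2][2]).real
    if accept < 1e-12:
        return accept, None
    msg = [[eps[2 * i][2 * j] / accept for j in range(2)] for i in range(2)]
    return accept, msg

def demo():
    rho_m = P0                                   # constructed sample message
    honest = run_protocol(rho_m, H, X)
    attacked = run_protocol(rho_m, H, X, attack=X)
    noisy = [run_protocol(rho_m, H, X, p=p)[0] for p in (0.0, 0.5, 1.0)]
    return honest, attacked, noisy

if __name__ == "__main__":
    honest, attacked, noisy = demo()
    print("honest:   P(accept) = %.3f, <0|rho_M|0> = %.3f"
          % (honest[0], honest[1][0][0].real))
    print("attacked: P(accept) = %.3f, <0|rho_M|0> = %.3f"
          % (attacked[0], attacked[1][0][0].real))
    print("P(accept) for p = 0, 0.5, 1:", [round(x, 3) for x in noisy])
```

With these sample gates the tampered message is always accepted although it has become the maximally mixed state, and the acceptance probability for a corrupted key follows $(2-p)/2$, which is the $P = 1/2$ boundary case at $p = 1$.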


4 Building stones for future work

My future work builds on three stones. These are quantum key generation, the quantum hidden subgroup problem and distributed quantum computing. Section 4.1 describes a protocol for quantum key generation. There are also remarks on practical realizations. At the end of the section quantum random number generation is mentioned. Section 4.2 introduces the hidden subgroup problem and its quantum version. For example, Shor's famous factoring algorithm [16] is an instance of the quantum hidden subgroup problem. Section 4.3 presents ideas considering distributed quantum computing.

4.1 Quantum key generation - BB84

Quantum key generation (distribution, QKG/QKD) is one of the most important applications of quantum mechanics to cryptography. While quantum computing is still at a very experimental and theoretical stage, the first commercial products offering key generation based on the laws of quantum mechanics are already available. Pioneers in this field are companies like New York based MagiQ Technologies Inc., and Geneva based Id Quantique Inc.

The aim of quantum key generation is unconditionally secure key distribution. That means that an eavesdropper tapping a public channel is always detected. The security is conditioned only on the laws of quantum mechanics. The basic idea is that an eavesdropper cannot gain any information from the transmitted qubits without disturbing their state.

1. By the no-cloning theorem, an eavesdropper cannot clone an unknown state for later processing.

2. An attempt to distinguish two non-orthogonal states causes irreversible changes.

4.1.1 The BB84 protocol

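The protocol BB84 [3] developed by G. Brassard and C. H. Bennett uses a non-orthogonal set $\{|0\rangle, |1\rangle, |0'\rangle, |1'\rangle\}$, where

$$|0'\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle), \qquad |1'\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle).$$

Figure 4.1: Non-orthogonal set.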

To produce an $n$-bit key, $n < m$, parties A and B, by convention called Alice and Bob, follow these steps:

1. Alice generates a $(4+\delta)m = l$-bit string $a = a_1 \ldots a_l$ and a string $b = b_1 \ldots b_l$ of the same length at random, where $\delta$ is a parameter depending on the error rate of the channel.

2. Alice prepares and sends $l$ qubits, where the state of the $i$-th qubit is given by $|\psi_i\rangle = H^{b_i}|a_i\rangle$, $|\psi_i\rangle \in \{|0\rangle, |1\rangle, |0'\rangle, |1'\rangle\}$, i.e. bit $b_i$ selects standard/dual base encoding for bit $a_i$.


3. Bob receives all the qubits and projects each qubit to $|0\rangle, |1\rangle$ (standard base) or $|0'\rangle, |1'\rangle$ (dual base) according to his random $l$-bit string $c$.

4. Alice announces b and Bob announces c.

5. Alice and Bob discard qubits $|\psi_i\rangle$ for which $b_i \oplus c_i = 1$. With high probability, there are $2m$ bits left (if not, abort the protocol).

6. Alice selects a subset of $m$ bits that will serve as a check on eavesdropper interference, and tells Bob which bits she selected.

7. Alice and Bob announce and compare the values of the $n$ check bits. If the error rate is higher than the error rate of the channel, i.e. the channel is broken or an eavesdropper is present, they abort the protocol.

8. Alice and Bob perform information reconciliation and privacy amplification on the remaining $m$ bits to obtain an $n$-bit shared key.

Information reconciliation is error correction conducted over a public channel. Privacy amplification additionally reduces the mutual information of a possible eavesdropper about the result to any desired level of security. In general, privacy amplification can be accomplished by a universal hash function mapping $m$-bit strings to $n$-bit strings. Table 4.1 shows an example run of steps 1-5.

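| index $i$ | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| $a_i$ | 0 | 1 | 1 | 1 | 0 |
| $b_i$ | 1 | 0 | 1 | 1 | 0 |
| $|\psi_i\rangle$ (Alice) | $|0'\rangle$ | $|1\rangle$ | $|1'\rangle$ | $|0'\rangle$ | $|0\rangle$ |
| $c_i$ | 1 | 1 | 0 | 1 | 1 |
| Bob's results | 0 | 0/1 | 0/1 | 0 | 0/1 |
| $b_i \oplus c_i$ | 0 | 1 | 1 | 0 | 1 |
| Shared bit string | 0 | | | 1 | |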

Table 4.1: Example run of the BB84 protocol.
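The protocol steps above can be exercised end to end in a short simulation. This is an added example, not code from the thesis proposal: it assumes a noiseless channel (so information reconciliation is skipped), models the eavesdropper as a simple intercept-and-resend measurement in a random base, and uses a random binary matrix over GF(2) as the universal hash for privacy amplification; the function names and the seed values are assumptions.

```python
# Added example: BB84 steps 1-8 over a noiseless channel, with an optional
# intercept-and-resend eavesdropper. All bit strings are generated from a seed.
import random

def measure(bit, prep_base, meas_base, rng):
    """Result of measuring H^prep_base |bit> in meas_base (0 std, 1 dual).

    Same base: the encoded bit. Different base: a uniformly random bit."""
    return bit if prep_base == meas_base else rng.randrange(2)

def bb84(l, eavesdrop=False, channel_error_rate=0.0, seed=1):
    rng = random.Random(seed)
    a = [rng.randrange(2) for _ in range(l)]    # step 1: Alice's data bits
    b = [rng.randrange(2) for _ in range(l)]    # step 1: Alice's base bits
    c = [rng.randrange(2) for _ in range(l)]    # step 3: Bob's base bits
    bob = []
    for i in range(l):
        bit, base = a[i], b[i]                  # step 2: qubit H^b_i |a_i>
        if eavesdrop:
            # The eavesdropper measures in a random base and resends the
            # state she observed, which disturbs non-matching qubits.
            e_base = rng.randrange(2)
            bit, base = measure(bit, base, e_base, rng), e_base
        bob.append(measure(bit, base, c[i], rng))
    # Steps 4-5: keep only positions where b_i xor c_i = 0.
    kept = [i for i in range(l) if b[i] ^ c[i] == 0]
    # Step 6: half of the kept positions become public check bits.
    check = set(rng.sample(kept, len(kept) // 2))
    # Step 7: compare check bits and estimate the error rate.
    errors = sum(a[i] != bob[i] for i in check)
    rate = errors / len(check) if check else 0.0
    return {
        "sifted": len(kept),
        "error_rate": rate,
        "abort": rate > channel_error_rate,
        "key_a": [a[i] for i in kept if i not in check],
        "key_b": [bob[i] for i in kept if i not in check],
    }

def privacy_amplify(bits, n, seed):
    """Step 8, privacy amplification only: multiply the m-bit string by a
    public random n x m binary matrix over GF(2) (a universal hash family)."""
    rng = random.Random(seed)
    rows = [[rng.randrange(2) for _ in bits] for _ in range(n)]
    return [sum(r & x for r, x in zip(row, bits)) % 2 for row in rows]

if __name__ == "__main__":
    clean = bb84(20000)
    tapped = bb84(20000, eavesdrop=True)
    print("no eavesdropper:   error rate %.3f, abort=%s"
          % (clean["error_rate"], clean["abort"]))
    print("with eavesdropper: error rate %.3f, abort=%s"
          % (tapped["error_rate"], tapped["abort"]))
    print("16-bit key:", privacy_amplify(clean["key_a"], 16, seed=7))
```

The intercept-and-resend model produces an error rate close to 1/4 on the check bits, which is what step 7 detects.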

The main difference between Bob and an eavesdropper, while they both perform measurements in the standard/dual basis at random, is that Bob and Alice coordinate their steps by communication over a classical public channel. In order to do so, their communication must be authentic. Therefore, before the very first quantum key generation happens, they have to meet or use a trusted third party to establish a secret necessary for authentication. For the next run of a quantum key generation, they simply select a subset of the previously established key and use this secret for authentication. Besides BB84 there are many other protocols, but the underlying principle is the same. In general, authentication is the weakest point of all these protocols for quantum key generation.

4.1.2 Practical realization

Using a fiber optic line, we can assign horizontal/vertical polarization to the states $|0\rangle, |1\rangle$ and diagonal/slantwise polarization to the states $|0'\rangle, |1'\rangle$. Besides polarization encoding, it is also possible to encode the state of a qubit in the phase of a particle, which is preferred in practical realizations. Table 4.2 summarizes how to set up the blocks $\Phi_A$ and $\Phi_B$ for performing BB84 using a Mach-Zehnder interferometer. See Figure 4.2.

Figure 4.2: Mach-Zehnder interferometer (diagram labels: trajectories a and b, phase blocks $\Phi_A$ and $\Phi_B$, outputs 0 and 1).

| Base | $\Phi_A$ for bit 0 | $\Phi_A$ for bit 1 | $\Phi_B$ |
|---|---|---|---|
| + (std. base) | 0° | 180° | 0° |
| × (dual base) | 90° | 270° | 90° |

Table 4.2: Phase encoding for the BB84 protocol.

To deal with phase shifts caused by different phase fluctuations on trajectories a and b in the Mach-Zehnder interferometer, we usually simulate this interferometer with two unbalanced interferometers. See Figure 4.3. An unbalanced interferometer has trajectories a and b of different lengths, and the difference between a and b must be greater than the input pulse width.

Figure 4.3: Simulation of Mach-Zehnder interferometer (diagram labels: two interferometers with trajectories a and b and phase blocks $\Phi_A$, $\Phi_B$; pulses over time t; outputs 0 and 1; interference).

The first commercial products with BB84 are already available; for an example see Figure 4.4. They work as point-to-point systems over a fiber optic line, up to 70 km in length, at rates of approximately 100 Kb/s. The distance is enough for large metropolitan areas. A generated key can be used for AES-like symmetric ciphers or directly in one-time pad systems for the highest security. To deal with point-to-many key generation, 'quantum repeaters' must be incorporated. These repeaters will very probably be based on quantum teleportation and generalized GHZ-states.

4.1.3 Quantum random number generation

Random numbers are of use in many applications ranging from cryptography, numerical simulations and statistical research to lotteries and gambling. Software generators produce only pseudo-random numbers and these numbers should not be used in most applications where randomness is required. Formally, quantum random number generators are the only true random number generators. A generation of exactly one random bit is described as follows.

$$|0\rangle \xrightarrow{H} \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) \xrightarrow{\text{measurement}} \begin{cases} 0, & \text{with probability } \frac{1}{2}, \\ 1, & \text{with probability } \frac{1}{2}. \end{cases} \tag{4.1}$$


Figure 4.4: QKD system named Clavis developed by Id Quantique, Inc.

This process can be implemented simply and at low cost (when compared to the observation of the radioactive decay of some element) by exploiting an elementary quantum optics process. Exactly one photon is sent onto a semi-transparent mirror and detected. This exclusive event, reflection or transmission, is associated with the bit values 0 or 1. The Quantis system developed by Id Quantique Inc. is one of the common generators using the above principle. It is capable of generating random numbers at a rate of 16 Mb/s in its PCI card version.

4.2 Quantum hidden subgroup problem

There are available (with some minor exceptions) three classes of quantum algorithms:

• Quantum hidden subgroup (QHS) algorithms (i.e. Simon/Shor-like).

• Amplitude amplification algorithms (i.e. Grover-like).

• Algorithms for quantum systems simulations.

The following text will consider the QHS algorithms class.

Definition 33 (Hidden subgroup problem.) Let $G$ be a finitely generated group, $X$ a finite set, and $f: G \to X$ a function such that there exists a subgroup $H < G$ for which $f$ separates cosets of $H$:

$$\text{for all } g_1, g_2 \in G, \quad f(g_1) = f(g_2) \text{ iff } g_1 H = g_2 H. \tag{4.2}$$

Using information gained from evaluations of $f$, determine a generating set for $H$. The subgroup $H$ is called a hidden subgroup.

A classical algorithm determines $H$ by evaluating $f(g)$ for each $g \in G$ using $|G|$ function calls. The tantalizing promise of quantum computing is to reduce this naive $O(|G|)$ time algorithm to $O(\mathrm{poly}(\log |G|))$ time.

Definition 34 (Quantum hidden subgroup problem.) Let $\mathcal{H}_G$ and $\mathcal{H}_X$ be Hilbert spaces with respective orthonormal bases $\{|g\rangle : g \in G\}$ and $\{|x\rangle : x \in X\}$. Let $f: G \to X$ be given as a unitary transformation $U_f: \mathcal{H}_G \otimes \mathcal{H}_X \to \mathcal{H}_G \otimes \mathcal{H}_X$ such that

$$|g\rangle|x\rangle \xrightarrow{U_f} |g\rangle|x \oplus f(g)\rangle. \tag{4.3}$$

Determine the hidden subgroup $H$ with bounded probability of error by making as few queries as possible of the blackbox $U_f$.

The first results solving the QHS problem in polynomial time for finitely generated abelian groups were published by D. R. Simon and P. W. Shor in 1994. Simon's algorithm [17] determines a hidden subgroup of the direct sum of cyclic groups of order 2. Shor's algorithm [16] determines a hidden subgroup of the infinite cyclic group. It is still not known whether the hidden subgroup problem also has a bounded-error polynomial time algorithm for the general case of non-abelian groups. This is of interest, because the graph isomorphism problem is reducible to finding a hidden subgroup of the symmetric group $S_n$. More information on QHS can be found in [14, 12, 13].

The sketch of a generic QHS algorithm can be described as follows.

1. Initialize registers $a \in \mathcal{H}_G$ and $b \in \mathcal{H}_X$ to produce the initial state $|0\rangle_a|0\rangle_b$ or $|0\rangle_a|1\rangle_b$.

2. Apply the Fourier transform F to the register a.

3. Apply the unitary transform Uf .

4. Apply the Fourier transform F to the register a again.

5. Measure the register a.

6. Repeat these steps until the hidden subgroup is determined.

4.2.1 Quantum Fourier transform

It is easy to see that the Fourier transform is the key ingredient of QHS algorithms. The discrete Fourier transform (DFT) takes as input a vector of complex numbers, $x_0, \ldots, x_{N-1}$, and outputs the transformed data, a vector of complex numbers $y_0, \ldots, y_{N-1}$, defined by

$$y_k \equiv \frac{1}{\sqrt{N}} \sum_{j=0}^{N-1} e^{2\pi i jk/N} x_j. \tag{4.4}$$

The quantum Fourier transform (QFT) is a Fourier transform of quantum mechanical amplitudes. Therefore, for a general state $|\psi\rangle = \sum_{j=0}^{N-1} x_j|j\rangle$, we have

$$\sum_{j=0}^{N-1} x_j|j\rangle \xrightarrow{QFT} \sum_{k=0}^{N-1} y_k|k\rangle, \tag{4.5}$$

where $y_k$ are defined by equation (4.4). For an orthonormal basis $\{|0\rangle, \ldots, |N-1\rangle\}$, equation (4.5) reduces to the action

$$|j\rangle \xrightarrow{QFT} \frac{1}{\sqrt{N}} \sum_{k=0}^{N-1} e^{2\pi i jk/N}|k\rangle. \tag{4.6}$$

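From (4.4) we observe that the amplitudes $y_k$ are linear in the original $x_j$. Thus there is indeed a linear operator $F$ which implements the transform.

$$F = \sum_{j,k=0}^{N-1} \frac{e^{2\pi i jk/N}}{\sqrt{N}}\,|k\rangle\langle j|, \qquad F^{\dagger} = \sum_{j,k=0}^{N-1} \frac{e^{-2\pi i jk/N}}{\sqrt{N}}\,|j\rangle\langle k|. \tag{4.7}$$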

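Additionally,

$$FF^{\dagger} = \frac{1}{N} \sum_{j=0}^{N-1} \sum_{k=0}^{N-1} e^{2\pi i j(k-k)/N}\,|k\rangle\langle j|j\rangle\langle k| = \frac{1}{N} \sum_{j=0}^{N-1} \sum_{k=0}^{N-1} |k\rangle\langle k| = \frac{1}{N} \sum_{j=0}^{N-1} I = I, \tag{4.8}$$

and thus $F$ is unitary.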


4.2.2 Efficient algorithm for QFT

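Let us have an $n$-qubit register, $N = 2^n$, and let $\{|0\rangle, \ldots, |N-1\rangle\}$ be the computational basis. The binary representation of the state $|j\rangle$ is $j_1 j_2 \ldots j_n$, $j_i \in \{0, 1\}$, where $j = \sum_{i=1}^{n} j_i 2^{n-i}$. The notation $0.j_l j_{l+1} \ldots j_m$ denotes the binary fraction $\sum_{i=l}^{m} j_i / 2^{i-l+1}$. According to (4.6) we have

$$|j\rangle \to \frac{1}{\sqrt{2^n}} \sum_{k=0}^{2^n-1} e^{2\pi i jk/2^n}|k\rangle \tag{4.9}$$

$$= \frac{1}{\sqrt{2^n}} \sum_{k_1=0}^{1} \cdots \sum_{k_n=0}^{1} e^{2\pi i j \left( \sum_{l=1}^{n} k_l 2^{-l} \right)}|k_1 \ldots k_n\rangle \tag{4.10}$$

$$= \frac{1}{\sqrt{2^n}} \sum_{k_1=0}^{1} \cdots \sum_{k_n=0}^{1} \bigotimes_{l=1}^{n} e^{2\pi i j k_l 2^{-l}}|k_l\rangle \tag{4.11}$$

$$= \frac{1}{\sqrt{2^n}} \bigotimes_{l=1}^{n} \left[ \sum_{k_l=0}^{1} e^{2\pi i j k_l 2^{-l}}|k_l\rangle \right] \tag{4.12}$$

$$= \frac{1}{\sqrt{2^n}} \bigotimes_{l=1}^{n} \left[ |0\rangle + e^{2\pi i j 2^{-l}}|1\rangle \right] \tag{4.13}$$

$$= \frac{\left(|0\rangle + e^{2\pi i\,0.j_n}|1\rangle\right)\left(|0\rangle + e^{2\pi i\,0.j_{n-1}j_n}|1\rangle\right) \cdots \left(|0\rangle + e^{2\pi i\,0.j_1 j_2 \cdots j_n}|1\rangle\right)}{\sqrt{2^n}} \tag{4.14}$$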

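From the product representation (4.14) we can derive an efficient circuit for QFT. See Figure 4.5.

Figure 4.5: Efficient circuit for the quantum Fourier transform (diagram labels: inputs $|j_1\rangle, |j_2\rangle, \ldots, |j_{n-1}\rangle, |j_n\rangle$; gates $H$, $R_2$, ..., $R_{n-1}$, $R_n$; outputs $|0\rangle + e^{2\pi i\,0.j_1 \cdots j_n}|1\rangle$, $|0\rangle + e^{2\pi i\,0.j_2 \cdots j_n}|1\rangle$, ..., $|0\rangle + e^{2\pi i\,0.j_{n-1} j_n}|1\rangle$, $|0\rangle + e^{2\pi i\,0.j_n}|1\rangle$).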

The gate $R_k$ denotes the unitary transformation

$$R_k \equiv \begin{bmatrix} 1 & 0 \\ 0 & e^{2\pi i/2^k} \end{bmatrix}. \tag{4.15}$$

The circuit in Figure 4.5 should be followed by swap gates to reverse the order of the qubits back to the right order. The total number of gates needed to perform the QFT is $\Theta(n^2)$. In contrast, the classical Fast Fourier Transform (FFT) needs $\Theta(n 2^n)$ gates to produce the Fourier transform on $2^n$ elements. However, recall that we cannot access all the transformed values after the QFT by measurement. Thus the QFT does not provide a speed-up for computing the Fourier transform in applications like speech recognition!
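The circuit described above can be simulated on a state vector and compared with the definition (4.4). This is an added example, not code from the thesis proposal; the function names are assumptions, qubit 1 is taken as the most significant bit of the basis index (as in $j = j_1 j_2 \ldots j_n$), and the final swap gates are modelled as a bit reversal of the index.

```python
# Added example: state-vector simulation of the QFT circuit of Figure 4.5,
# checked against the direct DFT of Eq. (4.4).
import cmath
from math import pi, sqrt

def apply_h(state, q, n):
    """Hadamard gate on qubit q (1-based, qubit 1 = most significant bit)."""
    mask = 1 << (n - q)
    for x in range(len(state)):
        if not x & mask:
            a, b = state[x], state[x | mask]
            state[x] = (a + b) / sqrt(2)
            state[x | mask] = (a - b) / sqrt(2)

def apply_cr(state, ctrl, tgt, k, n):
    """Controlled-R_k of Eq. (4.15): phase e^{2 pi i / 2^k} if both bits are 1."""
    mc, mt = 1 << (n - ctrl), 1 << (n - tgt)
    phase = cmath.exp(2j * pi / 2 ** k)
    for x in range(len(state)):
        if x & mc and x & mt:
            state[x] *= phase

def qft_circuit(amps):
    """Return (QFT of amps, number of H and controlled-R_k gates applied)."""
    n = len(amps).bit_length() - 1
    if n < 1 or len(amps) != 1 << n:
        raise ValueError("length must be a power of two, at least 2")
    state = [complex(a) for a in amps]
    gates = 0
    for q in range(1, n + 1):
        apply_h(state, q, n)
        gates += 1
        # R_2 controlled by qubit q+1, R_3 by qubit q+2, ..., as in (4.14).
        for k in range(2, n - q + 2):
            apply_cr(state, q + k - 1, q, k, n)
            gates += 1
    # Swap gates at the end of the circuit: reverse the order of the qubits.
    out = [0j] * len(state)
    for x, amp in enumerate(state):
        out[int(format(x, "0{}b".format(n))[::-1], 2)] = amp
    return out, gates

def dft(amps):
    """Direct evaluation of Eq. (4.4)."""
    N = len(amps)
    return [sum(cmath.exp(2j * pi * j * k / N) * amps[j] for j in range(N))
            / sqrt(N) for k in range(N)]

def max_deviation(amps):
    """Largest difference between the circuit output and Eq. (4.4)."""
    out, _ = qft_circuit(amps)
    return max(abs(a - b) for a, b in zip(out, dft(amps)))

if __name__ == "__main__":
    sample = [complex(i + 1, -i) for i in range(8)]   # constructed input
    print("gates for n = 3:", qft_circuit(sample)[1])
    print("max deviation from Eq. (4.4): %.2e" % max_deviation(sample))
```

The gate counter returns $n(n+1)/2$ for the $H$ and $R_k$ gates, which is the $\Theta(n^2)$ growth stated above.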

4.3 Distributed quantum computing

The distributed computing paradigm can be used to overcome difficulties with limited capacity quantum computers. Since the Controlled-NOT gate together with all one-qubit gates is a universal set of gates, the non-local implementation of the CNOT gate is a crucial point of distributed quantum computing. Eisert et al. [8] proposed an optimal implementation of the non-local CNOT gate. They proved that one shared entangled pair (ebit) and two classical bits are necessary and sufficient to implement this gate. See Figure 4.6.

Figure 4.6: Optimal implementation of non-local CNOT gate (diagram labels: Computer 1 with the control line $\alpha|0\rangle + \beta|1\rangle$; Computer 2 with the target line $|t\rangle$; shared pair $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$; gates X, H, Z; classical communication).

Thanks to an entangled pair, the control line state is distributed to the second computer using a local CNOT gate, classical communication and the NOT gate. The second computer is now able to perform a local controlled operation. Hereafter disentangling takes place and the control line at the first computer is restored.

A. Yimsiriwattana and S. Lomonaco [19] have used this circuit to identify two primitive operations for distributed quantum computing, the cat-entangler and the cat-disentangler. Assuming that an entanglement has been previously established, the cat-entangler and cat-disentangler can be implemented using only local operations and classical communication (LOCC).

To establish an entanglement (generalized GHZ state created from so-called channel qubits) we use an $n$-qubit entangling gate. See Figure 4.7.

Figure 4.7: n-qubit entangling gate (diagram labels: inputs $|0\rangle \ldots |0\rangle$, gate H, output $\frac{1}{\sqrt{2}}(|0 \ldots 0\rangle + |1 \ldots 1\rangle)$).

The cat-entangler and cat-disentangler are shown in Figure 4.8. For simplicity only three channel qubits are used, thus the generalized GHZ-state reduces to the common GHZ-state. The cat-entangler is used to transform a control qubit $\alpha|0\rangle + \beta|1\rangle$ and channel qubits $\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)$ into the state $\alpha|000\rangle + \beta|111\rangle$, called a cat-like state. This state allows three computers to share the control qubit. Consequently, a qubit shared within the cat-like state can now be used as a local control qubit for each computer. The cat-disentangler restores the control qubit from the cat-like state. The Z gate is controlled by the exclusive-or of two classical bits. Finally, NOT gates controlled by classical bits are used to reset the channel qubits. In this way, the entanglement (generalized GHZ-state) can be re-established later.

Entanglement re-establishing can be done in the following way. To establish two ebits between computers A and B at the cost of sending one qubit per ebit, each computer entangles its own two channel qubits and then exchanges one qubit of the pair with the other computer. See Figure 4.9.

Figure 4.8: Two primitives for distributed quantum computing (diagram panels: cat-entangler, taking $\alpha|0\rangle + \beta|1\rangle$ and $\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)$ to $\alpha|000\rangle + \beta|111\rangle$; cat-disentangler, with H, Z and X gates).

Figure 4.9: Entanglement re-establishing (diagram labels: Computer A and Computer B, each with channel qubits $|0\rangle|0\rangle$ and an H gate; non-local gates).

In general, a distributed quantum computer is a network of quantum computers connected via classical and quantum channels. Each computer (node) reserves a few of its qubits for quantum channel purposes. The rest of the qubits are dedicated to computing. Each qubit can freely interact with other qubits within the node. Each qubit can also interact with other qubits on a remote computer via non-local operations. The architecture overview is in Figure 4.10.

Figure 4.10: Distributed quantum computing architecture (diagram legend: classical computer, classical channel, quantum computer, quantum channel, 'computational' qubits, channel qubits).

Papers [19, 18] by A. Yimsiriwattana and S. Lomonaco present distributed algorithms for the quantum Fourier transform and Shor's factoring algorithm using the above mentioned concepts. Their distributed version of Shor's algorithm requires an additional overhead of $O((\log N)^2)$ communication complexity, where $N$ denotes the integer to be factored.


5 Future work

Using results and concepts from the previous chapter, the direction of my future work is to develop a distributed quantum algorithm with consideration of security problems. In particular, I will focus on the following tasks:

1. develop a distributed quantum algorithm for Simon’s problem,

2. evaluate the communication overhead and minimum resources needed,

3. modify the algorithm to run safely in the case of a publicly accessible network,

4. evaluate the overhead caused by security demands.

5.1 Simon’s problem.

Suppose we are given a function $f: \{0,1\}^n \to \{0,1\}^m$, with $m \ge n$, and we are promised that either $f$ is one-to-one, or there exists a non-trivial $s$ such that

$$\forall x \ne x' \big( f(x) = f(x') \iff x' = x \oplus s \big),$$

where $\oplus$ denotes bitwise exclusive-or. We wish to determine which of these conditions holds for $f$, and, in the second case, to find $s$. The original solution [17] by Simon follows.

The algorithm for a Quantum Turing Machine which solves the above problem, with zero error probability, in expected time $O(n T_f(n) + G(n))$, where $T_f(n)$ is the time required to compute $f$ on inputs of size $n$, and $G(n)$ is the time required to solve an $n \times n$ linear system of equations over $Z_2$, consists mainly of (expected) $O(n)$ repetitions of the Fourier-twice procedure in its quantum part.

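1. $|0, 0\rangle \xrightarrow{QFT,\,I} \frac{1}{\sqrt{2^n}} \sum_x |x, 0\rangle$

2. $\frac{1}{\sqrt{2^n}} \sum_x |x, 0\rangle \xrightarrow{U_f} \frac{1}{\sqrt{2^n}} \sum_x |x, f(x)\rangle$

3. $\frac{1}{\sqrt{2^n}} \sum_x |x, f(x)\rangle \xrightarrow{QFT,\,I} \frac{1}{2^n} \sum_{x,y} (-1)^{x \cdot y}|y, f(x)\rangle$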

After each performance of Fourier-twice there are all the possible configurations $|y, f(x)\rangle$ in the superposition. In the case that $f$ is one-to-one, all the configurations will be distinct and their respective probabilities will be $2^{-2n}$. Therefore $k$ independent repetitions of Fourier-twice followed by a measurement will yield $k$ configurations, each distributed uniformly over configurations of the form $|y, f(x)\rangle$.

In the case that there is some $s$ such that $\forall x \ne x' : (f(x) = f(x') \iff x' = x \oplus s)$, the configurations $|y, f(x)\rangle$ and $|y, f(x \oplus s)\rangle$ are identical and the amplitude of this configuration will be $2^{-n}\big((-1)^{x \cdot y} + (-1)^{(x \oplus s) \cdot y}\big)$. Note that if $y \cdot s = 0$, then $x \cdot y = (x \oplus s) \cdot y$, and the probability is $2^{-n+1}$, otherwise it is 0. Thus $k$ independent repetitions of Fourier-twice followed by a measurement will yield $k$ configurations distributed uniformly over configurations of the form $|y, f(x)\rangle$ such that $y \cdot s = 0$.

In both cases, after an expected $O(n)$ repetitions, sufficiently many linearly independent values of $y$ will have been collected that the non-trivial string $s$ will be uniquely determined by solving the linear system of equations defined by the values of $y$. In the case that $f$ is one-to-one, $s$ will be a random string; in the second case, $s$ is the $s$ we are looking for. The decision whether we have found the true $s$ can be made by evaluating $f(0)$ and $f(s)$.
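Simon's procedure as described above can be followed on a classical simulation for small $n$. This is an added example, not code from the thesis proposal or from [17]: the measurement statistics are computed exactly from the amplitudes in step 3 (which costs exponential time and only serves to reproduce the distribution of $y$), and the function names and the sample function $f(x) = \min(x, x \oplus s)$ are assumptions.

```python
# Added example: classical simulation of Simon's procedure for small n.
# Bit strings are represented as Python integers.
import random

def dot(x, y):
    """Inner product of two bit strings over Z2."""
    return bin(x & y).count("1") & 1

def fourier_twice(f, n, rng):
    """One run of steps 1-3 followed by a measurement of both registers;
    returns the value y read from the first register."""
    x0 = rng.randrange(1 << n)           # second register collapses to f(x0)
    preimage = [x for x in range(1 << n) if f(x) == f(x0)]
    # Amplitude of |y, f(x0)> is 2^-n times the sum of (-1)^(x.y) over the
    # preimage, so the probability of y is proportional to its square.
    weights = [sum((-1) ** dot(x, y) for x in preimage) ** 2
               for y in range(1 << n)]
    return rng.choices(range(1 << n), weights=weights)[0]

def add_to_basis(basis, y):
    """Insert y into a Z2 basis keyed by leading bit; True if the rank grew."""
    while y:
        lead = y.bit_length() - 1
        if lead not in basis:
            basis[lead] = y
            return True
        y ^= basis[lead]
    return False

def simon(f, n, seed=0):
    """Return (s, runs): s is the hidden string, or None if f is one-to-one;
    runs is the number of Fourier-twice repetitions that were needed."""
    rng = random.Random(seed)
    basis, runs = {}, 0
    # Collect measurement results until n-1 of them are linearly independent.
    while len(basis) < n - 1:
        add_to_basis(basis, fourier_twice(f, n, rng))
        runs += 1
    # The linear system y.s = 0 now has exactly one non-trivial solution.
    # (Found by exhaustive search here; Gaussian elimination in general.)
    s = next(c for c in range(1, 1 << n)
             if all(dot(y, c) == 0 for y in basis.values()))
    # Final decision by evaluating f(0) and f(s).
    return (s if f(0) == f(s) else None), runs

if __name__ == "__main__":
    hidden = 0b1011                                  # constructed sample s
    two_to_one = lambda x: min(x, x ^ hidden)        # f(x) = f(x xor s)
    print("two-to-one f:", simon(two_to_one, 4))
    print("one-to-one f:", simon(lambda x: x, 4))
```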


Note that this solution does not specify the upper bound for the worst-case running time. The algorithm is a polynomial time algorithm in the expected sense only. In 1997 G. Brassard and P. Høyer [5] generalized both Simon's and Grover's algorithms and combined them in a novel way. It follows that there is a decision problem that can be solved in exact quantum polynomial time.

5.2 Expected progress

1. I expect to be able to reuse some result from the distributed version of Shor’s algorithm,namely the distributed quantum Fourier transform.

2. Once the first version of the distributed algorithm for Simon's problem is done, the communication overhead will be evaluated.

3. At this stage I am going to identify and solve security problems in the case the algorithm is executed in a publicly accessible quantum network.

4. The key point is to reuse ideas behind quantum key generation and strengthen the authentication phase.

5. It could also be interesting to consider quantum steganographic channel there.

6 Conclusions

This report introduces basic concepts of quantum computing and outlines the author's future direction concerning distributed quantum computing with respect to security issues. The first part of the report describes basic definitions and most of the notation used within the quantum computing community.

Following this introduction, the previous work of the author is summarized. In particular, quantum authentication is discussed in more depth. Some parts of the chapter have been presented at The 3rd International Workshop on Quantum Physics and Communication, Dubna, Russia, June 2005, and the corresponding research paper is submitted to a separate volume of the journal 'Physics of Particles and Nuclei, Letters'.

Future work is oriented to distributed quantum computing. Especially, the intention is to develop a distributed algorithm for Simon's problem. This idea was suggested to the author by Samuel Lomonaco when they met in Prague this year. Yimsiriwattana and Lomonaco [18] have already used the distributed paradigm for Shor's factoring algorithm and it looks like this concept has good prospects. Moreover, Lomonaco in [13] pointed out that Shor's and Simon's algorithms are far from the same generic QHS algorithm, contrary to conventional wisdom. Hence it will be interesting to compare how much the distributed versions of these algorithms differ.

An additional intention of the author is to modify the distributed algorithm to fulfill security demands. Classical computers have a lot of problems with security issues and it is a good idea to deal with security directly while developing pieces of a future framework for a quantum computer.


7 Bibliography

[1] H. Barnum, C. Crepeau, D. Gottesman, A. Smith, and A. Tapp. Authentication of quantum messages. In FOCS ’02: Proceedings of the 43rd Symposium on Foundations of Computer Science, pages 449–458, Washington, DC, USA, 2002. IEEE Computer Society.

[2] C. Bennett, G. Brassard, C. Crepeau, R. Jozsa, A. Peres, and W. Wootters. Teleporting an unknown quantum state via dual classical and EPR channels. Phys. Rev. Lett., 70(13):1895–1899, March 1993.

[3] C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of International Conference on Computers, Systems and Signal Processing, pages 175–179, December 1984.

[4] C. H. Bennett, G. Brassard, S. Popescu, B. Schumacher, J. A. Smolin, and W. K. Wootters. Purification of noisy entanglement and faithful teleportation via noisy channels. Phys. Rev. Lett., 76:722–725, 1996.

[5] G. Brassard and P. Høyer. An exact quantum polynomial-time algorithm for Simon’s problem. In ISTCS ’97: Proceedings of the Fifth Israel Symposium on the Theory of Computing Systems (ISTCS ’97), page 12, Washington, DC, USA, 1997. IEEE Computer Society.

[6] M. Curty, D. J. Santos, E. Perez, and P. Garcia-Fernandez. Qubit authentication. Physical Review A, 66:022301, 2002.

[7] D. P. DiVincenzo. Quantum gates and circuits. In Proceedings of the ITP Conference on Quantum Coherence and Decoherence. Proc. R. Soc. London A, 1996.

[8] J. Eisert, K. Jacobs, P. Papadopoulos, and M. B. Plenio. Optimal local implementation of nonlocal quantum gates. Phys. Rev. A, 62:52317, 2000.

[9] L. K. Grover. A fast quantum mechanical algorithm for database search. In STOC ’96: Proceedings of the twenty-eighth Annual ACM Symposium on Theory of Computing, pages 212–219, New York, NY, USA, 1996. ACM Press.

[10] A. S. Holevo (Kholevo). Bounds for the quantity of information transmitted by a quantum communication channel. Probl. Inform. Transm., 9(3):177–183, 1973. Transl. from the Russian.

[11] D. W. Leung. Quantum Vernam cipher. Quantum Information and Computation, 2(1):14–34, 2002.

[12] S. J. Lomonaco and L. H. Kauffman. Quantum hidden subgroup problems: A mathematical perspective. AMS CONM, 305:139–202, 2002.

[13] S. J. Lomonaco and L. H. Kauffman. Quantum hidden subgroup algorithms: The devil is in the details. ArXiv Quantum Physics e-prints, 2004. To appear in Proceedings of SPIE on Quantum Information & Computation.

[14] C. Lomont. The Hidden Subgroup Problem - Review and Open Problems. ArXiv Quantum Physics e-prints, Nov. 2004.

[15] M. A. Nielsen and I. L. Chuang. Quantum Computation and Quantum Information, volume 1. Cambridge University Press, The Edinburgh Building, Cambridge CB2 2RU, UK, 4th edition, 2000.


[16] P. W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In Foundations of Computer Science, Proc. 35th Ann. Symp., pages 124–134. IEEE Computer Society Press, 1994.

[17] D. R. Simon. On the power of quantum computation. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pages 116–123, Los Alamitos, CA, 1994. Institute of Electrical and Electronic Engineers Computer Society Press.

[18] A. Yimsiriwattana and S. J. Lomonaco. Distributed Quantum Computing: A Distributed Shor Algorithm. ArXiv Quantum Physics e-prints, Mar. 2004.

[19] A. Yimsiriwattana and S. J. Lomonaco. Generalized GHZ states and distributed quantum computing. In NFS Workshop on Coding Theory & Quantum Computing, University of Virginia, June 2004.

8 Relevant refereed publications of the author

[A.1] M. Dobšíček, J. Kolář, and R. Lórencz. Quantum technologies for trust and security. In CTU Workshop: Proceedings of the fourteenth CTU Workshop, pages 266–267, Prague, Czech Republic, 2005. Vydavatelství ČVUT.

[A.2] M. Dobšíček. Komerční výrobky pro kvantovou kryptografii. In Proceedings of CryptoFest 2005, pages 1–7, Prague, Czech Republic, 2005. Vydavatelství ČVUT.

[A.3] M. Dobšíček. Simulation on Quantum Authentication. Submitted to: Special Volume of the Journal Physics of Particles and Nuclei, Letters.

9 Remaining refereed publications of the author

[A.4] M. Dobšíček and R. Ballner. Linux - bezpečnost a exploity. Kopp nakladatelství, České Budějovice, 1st edition, 2004.

10 Unrefereed publications of the author

[A.5] M. Dobšíček. Extended steganographic system. In FEE CTU Poster: 8th International Student Conference on Electrical Engineering, page IC10, Prague, Czech Republic, 2004. FEE CTU.

[A.6] M. Dobšíček. Modern steganography. In International Academic Conference OpenWeekend, pages 59–62, Prague, Czech Republic, 2004. Vydavatelství ČVUT.

[A.7] M. Dobšíček. Quantum Computation and Security. Submitted to: Computer Architectures & Diagnostics 2005.


11 Dissertation Thesis

Title: Security Issues Concerning Distributed Quantum Computing

Abstract

The thesis focuses on distributed quantum algorithms with respect to security issues. In particular, a distributed version of Simon's problem is presented. The goal is to achieve minimal communication overhead and to address security issues. This topic is closely connected with quantum cryptography, the quantum hidden subgroup problem and the distributed paradigm. The results are expected to be useful in a future working framework for a quantum computer. Scalability via the distributed paradigm and security should be inherent to all new computing architectures.

Keywords

quantum computing, quantum cryptography, distributed quantum algorithms, Simon's problem

11.1 Quantum cryptography

The laws of quantum mechanics hold good prospects for cryptography. By the no-cloning theorem, an eavesdropper cannot clone an unknown quantum state for later processing. Additionally, an attempt to distinguish two non-orthogonal states causes irreversible changes. This is of use for quantum key generation, which offers unconditionally secure key distribution. Slightly modified ideas can be used to establish a steganographic channel. The result of a quantum measurement strongly depends on the selection of the basis. Two parties can agree on a non-standard basis to measure in. As long as their basis is kept secret, no one can figure out what results they get by a measurement. On the other hand, it seems that an unconditionally secure bit commitment scheme is not possible using quantum resources.
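The basis dependence described above can be checked numerically. The following is an added example, not code from the thesis: a single-qubit model with real amplitudes in which the function names, the secret angle π/4 and the observer measuring in the standard basis are all assumptions made for illustration.

```python
import math
import random

def basis(theta):
    """Orthonormal qubit basis: |0>, |1> rotated by theta (real amplitudes)."""
    c, s = math.cos(theta), math.sin(theta)
    return ((c, s), (-s, c))

def outcome_probs(state, theta):
    """Born rule: probabilities of outcomes 0 and 1 when measuring in basis(theta)."""
    return tuple((b[0] * state[0] + b[1] * state[1]) ** 2 for b in basis(theta))

def measure(state, theta, rng):
    """Sample one measurement outcome in basis(theta)."""
    return 0 if rng.random() < outcome_probs(state, theta)[0] else 1

def transmit(bits, secret_theta, observer_theta, rng):
    """Encode each bit as a basis(secret_theta) state.

    Returns what the receiver (secret basis) and an observer (other basis)
    would read. These are alternative scenarios per qubit, not two
    successive measurements of the same qubit.
    """
    receiver, observer = [], []
    for bit in bits:
        state = basis(secret_theta)[bit]
        receiver.append(measure(state, secret_theta, rng))
        observer.append(measure(state, observer_theta, rng))
    return receiver, observer

def agreement(a, b):
    """Fraction of positions where two bit lists match."""
    return sum(x == y for x, y in zip(a, b)) / len(a)

if __name__ == "__main__":
    rng = random.Random(2005)                       # fixed seed, constructed input
    bits = [rng.randint(0, 1) for _ in range(4000)]
    secret = math.pi / 4                            # assumed agreed-upon basis angle
    receiver, observer = transmit(bits, secret, 0.0, rng)
    print("receiver agreement:", agreement(bits, receiver))
    print("observer agreement:", agreement(bits, observer))
    print("observer P(0) for bit 0 / bit 1:",
          outcome_probs(basis(secret)[0], 0.0)[0],
          outcome_probs(basis(secret)[1], 0.0)[0])
```

In this model the observer's agreement with the encoded bits is cos² of the angle between the two bases, so the outcome carries no information about the bit only at an offset of π/4; at other offsets it is partly correlated.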

11.2 Quantum hidden subgroup problem

The quantum hidden subgroup problem represents one large class of quantum algorithms. Shor's factoring algorithm and Simon's algorithm are instances of this class. Another class, based on amplitude amplification, is represented by Grover's search algorithm. The report only mentioned a novel way of combining Simon's and Grover's algorithms. It is of interest to follow this combination and create stepping stones for the development of new quantum algorithms.

11.3 Distributed quantum computing

The distributed paradigm can be used to simulate a large-capacity quantum computer via a network of small-capacity quantum computers (nodes). These nodes have to be connected by quantum channels as well as classical channels. A distributed version of Shor's algorithm has already been presented with satisfactory conclusions. To show a sufficient proof of principle, new distributed algorithms are needed.