Michele Mosca Canada Research Chair in Quantum Computation 28 October 2004 Quantum Computation and the Future 13th CACR Information Security Workshop & 5th Annual Privacy and Security Workshop

Jan 03, 2016


Victor McCoy

Michele Mosca

Canada Research Chair in Quantum Computation

28 October 2004

Quantum Computation and the Future

13th CACR Information Security Workshop &

5th Annual Privacy and Security Workshop


Perimeter Institute is a community of theoretical physicists dedicated to investigating fundamental issues in theoretical physics.

www.perimeterinstitute.ca


www.iqc.ca


Our Research


Outline

Implementing quantum information processing.

What is quantum information processing?

How does quantum mechanics affect computational assumptions?

How else does quantum mechanics affect information security?


Physics and Computation

• Information is stored in a physical medium, and manipulated by physical processes.

• The laws of physics dictate the capabilities of any information processing device.

• Designs of “classical” computers are implicitly based in the classical framework for physics.

• Classical physics is known to be wrong or incomplete… and has been replaced by a more powerful framework: quantum mechanics.


Computer technology is making devices smaller and smaller…

…reaching a point where classical physics is no longer a suitable model for the laws of physics.


The design of devices on such a small scale will require engineers to control quantum mechanical effects.

Allowing computers to take advantage of quantum mechanical behaviour allows us to do more than cram increasingly many microscopic components onto a silicon chip…

… it gives us a whole new framework in which information can be processed in fundamentally new ways.


A simple experiment in optics

…consider a setup involving a photon source, a half-silvered mirror (beamsplitter), and a pair of photon detectors.

[Figure: photon source, beamsplitter, detectors]


Now consider what happens when we fire a single photon into the device…

[Figure: the two detectors, labelled 50% and 50%]

Simplest explanation: the beamsplitter acts as a classical coin-flip, randomly sending each photon one way or the other.


The “weirdness” of quantum mechanics…

… consider a modification of the experiment…

[Figure: modified setup with a full mirror; one detector labelled 100%]

The simplest explanation for the modified setup would still predict a 50-50 distribution…

The simplest explanation is wrong!


Explanation of experiment

[Figure: the modified setup with a full mirror, annotated with the amplitudes along each path; one detector labelled 100%]


Quantum mechanics and information

10 10

Any physical medium capable of representing 0 and 1 is in principle capable of storing any linear combination

What does really mean?? 10 10

It’s a “mystery”. THE mystery. We don’t understand it, but we can tell you how it works. (Feynman)


Quantum mechanics and information

How does this affect communication complexity?

How does this affect information security?

How does this affect computational complexity?

10 10

Any physical medium capable of representing 0 and 1 is in principle capable of storing any linear combination


How does quantum mechanics affect computation?


A small ‘classical’ computer

[Figure, three slides: a NOT gate and the bit values 0 and 1 (negligible coupling to the environment)]


Is this system reliable?

We do have a theory of classical linear error correction.

But before we worry about stabilizing this system, let’s push forward its capabilities.


A ‘quantum’ gate

[Figure: the NOT gate on 0 and 1, beside a ‘quantum’ gate whose output amplitudes on 0 and 1 include the factor i]


A quantum circuit provides a visual representation of a quantum algorithm.

[Figure: quantum circuit along a time axis, labelled initial state, quantum gates, measurement]


Quantum parallelism (cannot be feasibly simulated on a classical computer)

[Figure: the 3-bit strings 000, 001, 010, …, 111]


Applications

• Simulating quantum mechanical systems

• Factoring and Discrete Logs

• Hidden subgroup problems

• Amplitude amplification

• and more…


Quantum Algorithms

Integer Factorization (basis of RSA cryptography):

Given $N = pq$, find $p$ and $q$.

Discrete logarithms (basis of DH crypto, including ECC):

Given $a, b \in G$ with $a^k = b$, find $k$.


Computational Complexity Comparison

(in terms of number of group multiplications, for n-bit inputs)

Factoring: Classical $e^{O(n^{1/3} \log^{2/3} n)}$; Quantum $e^{O(\log n)} = n^{O(1)}$

Elliptic Curve Discrete Logarithms: Classical $e^{O(n)}$; Quantum $e^{O(\log n)} = n^{O(1)}$


Which cryptosystems are threatened by Quantum Computers??

The following cryptosystems are insecure against such quantum attacks:

• RSA (factoring)

• Rabin-Williams (factoring)

• ElGamal (discrete log… including ECC – see Proos and Zalka)

• Goldwasser-Micali (factoring)

• Buchmann-Williams (principal ideal distance problem)

• And others… (see MMath thesis, Michael Brown, IQC)

Information security protocols must be studied in the context of quantum information processing.


Amplitude Amplification

Consider any function $f : X \to \{0,1\}$.

Find x satisfying f(x)=1.

Suppose algorithm A succeeds with probability $p$.

With classical methods, we expect to repeat A a total of $1/p$ times before finding a solution, since each application of A “boosts” the probability of finding a solution by roughly $p$.

[Figure: $1/p$ copies of $p$ adding up to roughly 1]


Amplitude Amplification

A quantum mechanical implementation of A succeeds with probability amplitude $\sqrt{p}$.

With quantum methods, each application of A “boosts” the probability amplitude of finding a solution by roughly $\sqrt{p}$,

i.e. we get a square-root speedup!

[Figure: $1/\sqrt{p}$ copies of $\sqrt{p}$ adding up to roughly 1]


Application of Amplitude Amplification: Searching a key space

$f(x) = 1$ if and only if $x$ is the correct n-bit cryptographic key

Find an $x$ satisfying $f(x) = 1$.

Suppose algorithm A succeeds with probability $p = 1/2^n$.

We can iterate A and f $O(2^{n/2})$ times to find such an x.

i.e. we need to roughly double our key lengths
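The key-search claim above, simulated classically on a small key space as an added example (not from the original slides). It uses the standard Grover form of amplitude amplification; the function names and the 8-bit key are assumptions made for the demonstration.

```python
import math

def amplify(n_bits, key, iterations):
    """Probability of measuring `key` after `iterations` rounds of amplitude
    amplification over a 2**n_bits key space (classical state-vector simulation)."""
    size = 2 ** n_bits
    # Algorithm A: a uniform guess, amplitude 1/sqrt(2^n), i.e. p = 1/2^n.
    amp = [1.0 / math.sqrt(size)] * size
    for _ in range(iterations):
        amp[key] = -amp[key]                 # oracle: mark the x with f(x) = 1
        mean = sum(amp) / size
        amp = [2.0 * mean - a for a in amp]  # reflect every amplitude about the mean
    return amp[key] ** 2

def quantum_iterations(n_bits):
    """Rounds that bring the success probability close to 1: about (pi/4) * 2^(n/2)."""
    return math.floor(math.pi / 4 * math.sqrt(2 ** n_bits))

def classical_trials(n_bits):
    """Expected repetitions of A with classical methods: 1/p = 2^n."""
    return 2 ** n_bits

if __name__ == "__main__":
    KEY = 0xA7  # constructed 8-bit "secret key" for the demonstration
    for rounds in (0, 1, 4, 8, 12):
        print(f"rounds={rounds:2d}  P(success)={amplify(8, KEY, rounds):.4f}")
    # Doubling n from 8 to 16 puts the quantum cost near the classical cost at n = 8.
    for n in (8, 16, 32):
        print(f"n={n:2d}  classical={classical_trials(n)}  quantum={quantum_iterations(n)}")
```

The amplitude of the correct key grows by roughly $2\sqrt{p}$ per round, which is why 12 rounds suffice for 256 keys while a 16-bit key needs about 201.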


Open problems include:

• More non-Abelian HSP, including Graph Automorphism

• Graph Isomorphism

• Short vectors in a lattice

• McEliece cryptosystem (NTRU recently cracked)

• NP-complete problems

• Several physics simulation problems

• Many more…


How does quantum mechanics affect information security?


“No-cloning” theorem

There is no procedure that will copy or “clone” an arbitrary quantum state, i.e.

$|\psi\rangle|0\rangle \mapsto |\psi\rangle|\psi\rangle$

Such an operation is not linear, and is not permitted by quantum mechanics.


Eavesdropper detection

Any attempt to produce pseudo-clones will be detected with significant probability. In general, any scheme to extract information about the state of a quantum system will disturb the system in a way that can be detected with some probability.

This idea motivated Wiesner to invent quantum money around 1970. His work was ignored by the scientific community for a decade, until Bennett and Brassard built on these ideas to create quantum key distribution.


Quantum Key Distribution (general idea)

quantum bits

Alice and Bob measure their qubits

Authenticated public channel


Quantum Key Distribution (general idea)

Authenticated public channel

Alice and Bob publicly discuss the information they measured to assess how much information Eve could have obtained. If Eve’s information is very likely to be below a certain constant threshold, they can communicate further and distill out a very private shared key (“privacy amplification”). Otherwise they abandon the key.
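The exchange sketched on these two slides, as an added simulation (not from the original talk). It assumes the Bennett-Brassard BB84 protocol with two bases, an intercept-and-resend Eve, a noiseless channel and an illustrative 5% abort threshold; all function names and parameters are hypothetical.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Matching bases reproduce the bit; mismatched bases give a coin flip."""
    return bit if prep_basis == meas_basis else rng.getrandbits(1)

def exchange(n_qubits, eavesdrop, rng):
    """Send n_qubits and return Alice's and Bob's sifted bit lists."""
    alice, bob = [], []
    for _ in range(n_qubits):
        bit, basis = rng.getrandbits(1), rng.getrandbits(1)
        flying_bit, flying_basis = bit, basis
        if eavesdrop:
            # Eve cannot clone the qubit: she measures it in a guessed basis
            # and resends whatever she observed.
            eve_basis = rng.getrandbits(1)
            flying_bit = measure(flying_bit, flying_basis, eve_basis, rng)
            flying_basis = eve_basis
        bob_basis = rng.getrandbits(1)
        bob_bit = measure(flying_bit, flying_basis, bob_basis, rng)
        if bob_basis == basis:  # bases are compared over the public channel
            alice.append(bit)
            bob.append(bob_bit)
    return alice, bob

def assess(alice, bob, sample_size, threshold, rng):
    """Disclose a random sample of sifted bits; keep the key only if errors are rare."""
    sample = rng.sample(range(len(alice)), sample_size)
    error_rate = sum(alice[i] != bob[i] for i in sample) / sample_size
    return error_rate, error_rate <= threshold

def demo(eavesdrop, seed=2004, n_qubits=4000, sample_size=500, threshold=0.05):
    """Run one session with constructed parameters and report the outcome."""
    rng = random.Random(seed)
    alice, bob = exchange(n_qubits, eavesdrop, rng)
    error_rate, keep = assess(alice, bob, sample_size, threshold, rng)
    return {"sifted": len(alice), "error_rate": error_rate, "keep_key": keep}

if __name__ == "__main__":
    print("no eavesdropper: ", demo(False))
    print("intercept-resend:", demo(True))
```

Eve guesses the wrong basis half the time and each wrong guess randomises Bob's result, so about a quarter of the sifted bits disagree and the session is abandoned.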



• Wireless Sensor Networks

• Injectable Tissue Engineering

• Nano Solar Cells

• Mechatronics

• Grid Computing

• Molecular Imaging

• Nanoimprint Lithography

• Software Assurance

• Glycomics

• Quantum Cryptography


Objections to the plausibility of large scale quantum computation??

“Change is bad”


Objections to the plausibility of quantum computation??

A=“Quantum Computers are realistic and are superpolynomially faster than any classical computer for some classical computation problem”

BA B is unpleasant A

B=“classical Strong Church-Turing thesis is false”


Implementations?


Quantum Information is Fragile

• low energy

• isolation from environment

• control of operations

• superpositions are very fragile

[Figure: CLASSICAL: 0, 1, $10^{6}$ eV; QUANTUM: |0⟩, |1⟩, $10^{-6}$ eV]


Quantum Error Correction

… allows quantum computation in the presence of noise.

A quantum computation of any length can be made as accurate as desired, so long as the noise is below some threshold, e.g. $P < 10^{-4}$.

Significance:

• imperfections and imprecision are not fundamental obstacles to building quantum computers

• gives a criterion for scalability

• guide for experimentalists

• benchmark for comparing technologies


Proposed Devices for Quantum Computing

• Atom traps

• Cavity QED

• Electron floating on helium

• Electron trapped by surface acoustic waves

• Ion traps

• Nuclear magnetic resonance (NMR)

• Quantum optics

• Quantum dots

• Solid state

• Spintronics

• Superconducting Josephson junctions

• Etc…


When will these technologies be implemented?

Quantum random number generators: now.

Quantum key distribution: <10 years; some prototypes already available

Large scale quantum computers: medium-long term

Small scale quantum computers (e.g. needed for long distance quantum communication): medium term


Conclusions

Quantum mechanics forces us to redefine the notions of information, information processing, and computational complexity.

Large scale quantum information processing seems possible, though technologically very challenging to realize; this is a major focus for experimental physics today.


Implications for Quantum Information Security

We must continually reassess the security of our existing information security infrastructure in light of the capabilities of quantum computers.

We can exploit the eavesdropper detection that is intrinsic to quantum systems in order to derive new “unconditionally secure” information security protocols. The security depends only on the laws of physics, and not on computational assumptions.

Challenge: Incorporating quantum cryptographic protocols and the prospect of quantum computing into the information security infrastructure.