Potentially Disruptive Technologies: Quantum Computation and Cryptography. Michele Mosca, Canada Research Chair in Quantum Computation. 15 April 2003. www.iqc.ca
Perimeter Institute is a community of theoretical physicists dedicated to investigating fundamental issues in theoretical physics. www.perimeterinstitute.ca
Outline What is quantum information processing? What does quantum mechanics make possible? What does quantum mechanics make impossible? When will quantum information processing be realized?
Computer technology is making devices smaller and smaller… …reaching a point where classical physics is no longer a suitable model for the laws of physics.
Physics and Computation • Information is stored in a physical medium, and manipulated by physical processes. • The laws of physics dictate the capabilities of any information processing device. • Designs of “classical” computers are implicitly based on the classical framework for physics. • Classical physics is known to be wrong or incomplete… and has been replaced by a more powerful framework: quantum mechanics.
The nineteenth century was known as the machine age, the twentieth century will go down in history as the information age. I believe the twenty-first century will be the quantum age. Paul Davies, Professor of Natural Philosophy – Australian Centre for Astrobiology. The design of devices on such a small scale will require engineers to control quantum mechanical effects. Allowing computers to take advantage of quantum mechanical behaviour allows us to do more than cram increasingly many microscopic components onto a silicon chip… … it gives us a whole new framework in which information can be processed in fundamentally new ways.
A simple experiment in optics …consider a setup involving a photon source, a half-silvered mirror (beamsplitter), and a pair of photon detectors. [Figure: photon source, beamsplitter, two detectors.]
Now consider what happens when we fire a single photon into the device… [Figure: 50% of photons arrive at each detector.] Simplest explanation: the beamsplitter acts as a classical coin-flip, randomly sending each photon one way or the other.
The “weirdness” of quantum mechanics… … consider a modification of the experiment… [Figure: full mirrors redirect both paths onto a second beamsplitter; 100% of photons arrive at one detector.] The simplest explanation for the modified setup would still predict a 50-50 distribution… The simplest explanation is wrong!
Classical probabilities… Consider a computation tree for a simple two-step (classical) probabilistic algorithm, which makes a coin-flip at each step, and whose output is 0 or 1. [Figure: computation tree with leaves labelled 0 and 1.] The probability of the computation following a given path is obtained by multiplying the probabilities along all branches of that path… in the example the probability that the computation follows the red path is The probability of the computation giving the answer 0 is obtained by adding the probabilities of all paths resulting in 0:
…vs quantum probabilities… [Figure: computation tree with leaves labelled |0⟩ and |1⟩.] In quantum physics, we have probability amplitudes, which can have complex phase factors associated with them. The probability amplitude associated with a path in the computation tree is obtained by multiplying the probability amplitudes on that path. In the example, the red path has amplitude 1/2, and the green path has amplitude –1/2. The probability amplitude for getting the answer |0⟩ is obtained by adding the probability amplitudes… notice that the phase factors can lead to cancellations! The probability of obtaining |0⟩ is obtained by squaring the total probability amplitude. In the example the probability of getting |0⟩ is
Explanation of experiment … consider a modification of the experiment… [Figure: modified setup with full mirrors; 100% of photons arrive at one detector.] The simplest explanation for the modified setup would still predict a 50-50 distribution…
When do we use which probability rules? • If no path information is revealed, we must use the quantum probability rules. • If full path information is revealed, we must use the classical probability rules. • If partial path information is revealed, we must use a combination of the two; i.e. there is a more general set of rules that encapsulates both.
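The two rules above can be checked directly on the beamsplitter experiment. The following is an added example (not part of the original slides) that enumerates every path through a sequence of optical elements and applies either the classical rule (square each path's amplitude, then add) or the quantum rule (add the amplitudes, then square). The beamsplitter matrix, the choice that a full mirror simply swaps the two paths, and the labelling of which detector is "0" are modelling assumptions; the slides' figure may label the detectors the other way round.

```python
import itertools
import math

# Constructed model of the optics. Each element is a matrix whose entry
# [dst][src] is the amplitude for a photon entering on path `src` to leave
# on path `dst`. Reflection off the half-silvered mirror picks up a minus
# sign (assumption: Hadamard-like convention), which is what makes two
# paths cancel.
INV_SQRT2 = 1 / math.sqrt(2)
BEAMSPLITTER = [[INV_SQRT2, INV_SQRT2],
                [INV_SQRT2, -INV_SQRT2]]
# A full mirror only redirects the beam: it swaps the two paths (assumption).
FULL_MIRROR = [[0, 1], [1, 0]]


def path_amplitude(stages, path):
    """Multiply the amplitudes along one path through the computation tree."""
    amp = 1
    for stage, (src, dst) in zip(stages, zip(path, path[1:])):
        amp *= stage[dst][src]
    return amp


def all_paths(stages, start):
    dim = len(stages[0])
    for rest in itertools.product(range(dim), repeat=len(stages)):
        yield (start,) + rest


def quantum_output_distribution(stages, start=0):
    """Quantum rule (no path information revealed): add the amplitudes of
    all paths ending at each detector, then square."""
    totals = {k: 0 for k in range(len(stages[0]))}
    for path in all_paths(stages, start):
        totals[path[-1]] += path_amplitude(stages, path)
    return {k: abs(a) ** 2 for k, a in totals.items()}


def classical_output_distribution(stages, start=0):
    """Classical rule (full path information revealed): square each path's
    amplitude to get its probability, then add the probabilities."""
    totals = {k: 0.0 for k in range(len(stages[0]))}
    for path in all_paths(stages, start):
        totals[path[-1]] += abs(path_amplitude(stages, path)) ** 2
    return totals


if __name__ == "__main__":
    single = [BEAMSPLITTER]
    modified = [BEAMSPLITTER, FULL_MIRROR, BEAMSPLITTER]
    print("one beamsplitter, quantum  :", quantum_output_distribution(single))
    print("modified setup,  classical :", classical_output_distribution(modified))
    print("modified setup,  quantum   :", quantum_output_distribution(modified))
```

With one beamsplitter both rules give 50/50, as the coin-flip picture predicts. In the modified setup the four two-step paths each have amplitude ±1/2: the two paths into detector 1 are +1/2 and –1/2 and cancel, so the quantum rule sends 100% of photons to detector 0 while the classical rule still predicts 50/50. The same functions work unchanged for elements of any dimension, so they also illustrate why the state of many qubits lives in an exponentially large space: the number of paths grows as dim^stages.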
Quantum mechanics and information. Any physical medium capable of representing 0 and 1 is in principle capable of storing any linear combination What does it really mean?? It’s a “mystery”. THE mystery. We don’t understand it, but we can tell you how it works. (Feynman) The world of the quantum may be bizarre, but it is our world and our future. Gerard Milburn, author of Schrödinger’s Machines.
Quantum mechanics and information. Any physical medium capable of representing 0 and 1 is in principle capable of storing any linear combination How does this affect computational complexity? How does this affect information security? How does this affect communication complexity? Would you believe a quantum proof? How does quantum information help us better understand physics?
How does this affect what is feasibly computable? Which “infeasible” computational tasks become “feasible”? How does this affect “computationally secure” cryptography? What new computationally secure cryptosystems become possible?
Generalization to n qubits The general state of n qubits is where the coefficients x are complex numbers satisfying the normalization constraint The state is represented by a unit vector in an exponentially large vector (Hilbert) space! Note, therefore, that it seems exponentially hard to simulate n quantum particles on a classical computer (Feynman).
The Classical Computing Model A “Probabilistic Turing Machine” (PTM) is an abstract model of the modern (classical) computer. Strong Church-Turing Thesis: A PTM can efficiently simulate any realistic model of computing. Widespread belief in the Strong Church-Turing thesis has been one of the underpinnings of theoretical computer science.
What do we mean by “efficient”? The complexity of an algorithm measures how much of some resource (e.g. time, space, energy) the algorithm uses as a function of the input size. E.g. the best known algorithm for factoring an n-bit number (the number field sieve algorithm) uses time in
Factoring is believed to be hard on a Turing machine (or any equivalent model), but how do we know that there isn’t some novel architecture on which it is easy?
The Strong Church-Turing thesis tells us that all reasonable models can be efficiently simulated by a PTM, which implies that if it’s hard for a PTM it must be hard for any other reasonable computer. I.e. we believe computational problems, like factoring, have an intrinsic difficulty, independent of how hard we try to find an efficient algorithm.
In the early 1980s, Richard Feynman observed that it seems implausible for a PTM to efficiently simulate quantum mechanical systems… …quantum computers are quantum mechanical systems… … so quantum computing is a model which seems to violate the Strong Church-Turing thesis!
Are quantum computers realistic? The answer seems to be YES! If quantum computers are a reasonable model of computation, and classical devices cannot efficiently simulate them, then the Strong Church-Turing thesis needs to be modified to state: A quantum computer can efficiently simulate any realistic model of computation.
A quantum circuit provides a visual representation of a quantum algorithm. [Figure: initial state on the left, quantum gates in the middle, measurement on the right; time runs left to right.]
Quantum Parallelism Why are quantum computers capable of solving seemingly very difficult mathematical problems? Since quantum states can exist in exponential superposition, a computation of a function f being performed on quantum states can process an exponential number of possible inputs in a single evaluation of f. [Figure: circuit evaluating f on a superposition of inputs.] By exploiting a phenomenon known as quantum interference, some global properties of f can be deduced from the output.
Applications • Efficient simulations of quantum systems • Phase estimation; improved time-frequency and other measurement standards (e.g. GPS) • Factoring and Discrete Logarithms • Hidden subgroup problems • Amplitude amplification • and much more…
Quantum Algorithms Integer Factorization (basis of RSA cryptography): Given N = pq, find p and q. Discrete logarithms (basis of DH crypto, including ECC): given a, b ∈ G with a^k = b, find k.
Computational Complexity Comparison (in terms of number of group multiplications for n-bit inputs)
Which cryptosystems are threatened by Quantum Computers?? Information security protocols must be studied in the context of quantum information processing. The following cryptosystems are insecure against such quantum attacks: • RSA (factoring) • Rabin (factoring) • ElGamal (discrete log, including ECC – see Proos and Zalka) • Buchmann-Williams (principal ideal distance problem) • and others… (see MMath thesis, Michael Brown, IQC) http://arxiv.org/abs/quant-ph/0301141 We need to worry NOW about information that needs to remain private for long periods of time. It takes a long time to change an infrastructure.
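To see why factoring-based systems such as RSA and Rabin appear in the list above, it helps to see how little of Shor's algorithm is actually quantum. The following is an added example (not from the slides): the classical outer loop of Shor's algorithm, which turns the multiplicative order of a random base into a non-trivial factor of N = pq using only gcd computations. The one step a quantum computer would perform efficiently, finding the order r, is replaced here by a brute-force loop that is only practical for the small constructed moduli used in the test; every other step runs on an ordinary computer today.

```python
import math
import random


def multiplicative_order(a, n):
    """Smallest r >= 1 with a**r = 1 (mod n); requires gcd(a, n) == 1.

    This brute-force loop stands in for quantum period-finding, the only
    part of Shor's algorithm that needs a quantum computer.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(n, a, r):
    """Classical post-processing: with r the order of a mod n, try
    gcd(a**(r/2) - 1, n) and gcd(a**(r/2) + 1, n) as factors of n."""
    if r % 2:
        return None                 # odd order: this base is unusable, retry
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                 # a**(r/2) = -1 (mod n): only trivial factors
    for candidate in (math.gcd(y - 1, n), math.gcd(y + 1, n)):
        if 1 < candidate < n:
            return tuple(sorted((candidate, n // candidate)))
    return None


def shor_reduction(n, seed=0):
    """Factor a composite n = p*q by reduction to order-finding.

    Bases are chosen with a seeded generator so runs are reproducible.
    """
    if n % 2 == 0:
        return 2, n // 2
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, n)
        g = math.gcd(a, n)
        if g > 1:
            return tuple(sorted((g, n // g)))   # shared factor found by luck
        r = multiplicative_order(a, n)
        split = factor_from_order(n, a, r)
        if split:
            return split


if __name__ == "__main__":
    for modulus in (15, 21, 91):            # constructed toy moduli
        print(modulus, "=", "*".join(map(str, shor_reduction(modulus))))
```

The point for a defender is the one the slide makes: the hardness assumption behind RSA is the cost of `multiplicative_order`, and nothing else in the reduction is expensive. Data that must stay confidential beyond the horizon at which a large quantum computer may exist cannot rely on that assumption, which is why the migration of long-lived keys and archives needs to start well before such a machine is built.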
What sort of cryptography will quantum computers enable? Can efficient factoring, discrete logarithms, or other efficient quantum tasks be used to produce new computationally secure cryptosystems that are secure against quantum attacks? • A quantum public key cryptosystem was proposed by a group in Japan [OTU00]; it requires a quantum computer to set up the system, but only classical means to encrypt and decrypt • others?? These are techniques that can be employed once large-scale quantum computation is available.
Amplitude Amplification Consider any function f : X → {0,1}. Find x satisfying f(x)=1. Suppose algorithm A succeeds with probability p. With classical methods, we expect to repeat A a total of times before finding a solution, since each application of A “boosts” the probability of finding a solution by roughly
Amplitude Amplification (Grover96, BBHT98, BH97, Gro98, BHMT02) A quantum mechanical implementation of A succeeds with probability amplitude . With quantum methods, each application of A “boosts” the probability amplitude of finding a solution by roughly i.e. we get a square-root speedup!
Application of Amplitude Amplification: Searching a key space f(x)=1 if and only if x is the correct n-bit cryptographic key. Find an x satisfying f(x)=1. Suppose algorithm A succeeds with probability p = 1/2^n. We can iterate A and f times to find such an x. I.e. we need to roughly double our key lengths. This algorithm is VERY broadly applicable to any sort of computational search.
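The square-root speedup and the "double the key length" rule can be seen in a small statevector simulation. The following is an added example, not part of the original slides, with A taken to be the uniform superposition over all N = 2^n candidate keys and f marking a single key (the index `marked` is a constructed value). Each iteration phase-flips the marked amplitude and inverts every amplitude about the mean, which is the standard Grover iterate; the closed-form success probability sin²((2k+1)θ) with sin θ = 1/√N is included as a check.

```python
import math


def grover_search(n_bits, marked, iterations):
    """Amplitude amplification over N = 2**n_bits candidates with one
    marked item. Returns the probability that measuring after `iterations`
    rounds yields the marked item."""
    N = 1 << n_bits
    amp = [1 / math.sqrt(N)] * N            # one run of A: uniform superposition
    for _ in range(iterations):
        amp[marked] = -amp[marked]          # oracle: f(x) = 1 only for x == marked
        mean = sum(amp) / N
        amp = [2 * mean - a for a in amp]   # diffusion: inversion about the mean
    return amp[marked] ** 2


def analytic_success(n_bits, iterations):
    """Closed form for the simulation above: sin^2((2k+1) theta), sin theta = 1/sqrt(N)."""
    theta = math.asin(1 / math.sqrt(1 << n_bits))
    return math.sin((2 * iterations + 1) * theta) ** 2


def optimal_iterations(n_bits):
    """Iteration count that maximises success: floor(pi / (4 theta)), about (pi/4) sqrt(N)."""
    theta = math.asin(1 / math.sqrt(1 << n_bits))
    return int(math.pi / (4 * theta))


def key_search_cost(key_bits):
    """Expected classical trials (about 1/p = 2**n) versus quantum iterations
    (about (pi/4) * 2**(n/2)) for an exhaustive search of an n-bit key."""
    return 2 ** key_bits, optimal_iterations(key_bits)


if __name__ == "__main__":
    for n in (2, 4, 8):
        k = optimal_iterations(n)
        print(f"{n}-bit key: {k} iterations -> success {grover_search(n, 0, k):.4f}")
    for n in (64, 128, 256):
        classical, quantum = key_search_cost(n)
        print(f"{n}-bit key: classical ~2^{n}, quantum ~2^{math.log2(quantum):.1f}")
```

Running it shows the quantum effort for a 2n-bit key roughly matching the classical effort for an n-bit key (for instance about 2^7.7 iterations against a 16-bit key, versus 2^8 classical trials against an 8-bit key), which is the basis for the slide's advice to double symmetric key lengths. Overshooting the optimal iteration count makes the success probability fall again, so the iteration count must be chosen from N rather than simply "run until found".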
How else does quantum mechanics affect information security?
No-cloning theorem There is no procedure that will copy or “clone” an arbitrary quantum state, i.e. Such an operation is not linear, and is not permitted by quantum mechanics. We can copy all the elements of an orthogonal set of states, but when we extend this operation linearly, no other states will be correctly cloned. For example, we can map However
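The argument on this slide (copy the basis states, extend linearly, and the copier fails on everything else) can be run numerically. The following is an added example, not from the slides: a CNOT gate is the linear map that copies |0⟩ and |1⟩ into a blank target qubit, and the code measures how close its output is to the true product state |ψ⟩|ψ⟩ for a superposition input. State vectors, basis ordering and the choice of CNOT as the copier are the example's own assumptions.

```python
import math


def kron(a, b):
    """Tensor product of two state vectors given as amplitude lists."""
    return [x * y for x in a for y in b]


def cnot(state):
    """Controlled-NOT on two qubits in basis order |00>, |01>, |10>, |11>.
    It maps |0>|0> -> |0>|0> and |1>|0> -> |1>|1>, i.e. it copies the
    basis states of the first qubit into a fresh |0> target."""
    a00, a01, a10, a11 = state
    return [a00, a01, a11, a10]


def clone_attempt(psi):
    """Apply the linear 'copier' to psi (x) |0>."""
    return cnot(kron(psi, [1, 0]))


def fidelity(u, v):
    """|<u|v>|^2 for two normalised state vectors."""
    return abs(sum(x.conjugate() * y for x, y in zip(u, v))) ** 2


def cloning_fidelity(psi):
    """1.0 means the copier produced exactly psi (x) psi."""
    return fidelity(clone_attempt(psi), kron(psi, psi))


if __name__ == "__main__":
    s = 1 / math.sqrt(2)
    for name, psi in (("|0>", [1, 0]), ("|1>", [0, 1]), ("|+>", [s, s])):
        print(f"{name}: cloning fidelity = {cloning_fidelity(psi):.3f}")
```

For |0⟩ and |1⟩ the fidelity is 1, but for |+⟩ = (|0⟩+|1⟩)/√2 the output is the entangled state (|00⟩+|11⟩)/√2 rather than |+⟩|+⟩, and the fidelity drops to 1/2. No choice of linear map fixes this; that is the content of the theorem.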
Eavesdropper detection Any attempts to produce pseudo-clones will be detected with significant probability. In general, any scheme to extract information about the state of a quantum system will disturb the system in a way that can be detected with some probability. This idea motivated Wiesner to invent quantum money around 1970. His work was essentially ignored by the scientific community for a decade, until Bennett and Brassard built on these ideas to create quantum key distribution.
Quantum Key Establishment (general idea) [Figure: Alice sends quantum bits to Bob; Eve sits on the channel between them.] Alice and Bob measure their qubits.
Quantum Key Distribution (general idea) Authenticated public channel Alice and Bob publicly discuss the information they measured to assess how much information Eve could have obtained. If Eve’s information is very likely to be below a certain constant threshold, they can communicate further and distill out a very private shared key (“privacy amplification”). Otherwise they abandon the key.
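The detection step described on the last two slides can be simulated classically, because an intercept-resend eavesdropper only ever needs the measurement statistics. The following is an added example, not part of the original slides: a BB84-style exchange in which Alice prepares qubits in random bases, Bob measures in random bases, the two sift on matching bases over the authenticated channel, and the error rate of the sifted key is compared with and without an eavesdropper who measures and re-sends every qubit. The abort threshold of about 11% is the example's own constant (the one-way BB84 security bound), standing in for the "certain constant threshold" the slide mentions.

```python
import random


def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a qubit prepared as `bit` in `prep_basis`
    (0 = rectilinear, 1 = diagonal) in `meas_basis`. Same basis: the
    prepared bit. Different basis: a uniformly random bit, and the qubit
    is left in the measurement basis (the disturbance Eve cannot avoid)."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_bb84(n_qubits, eavesdrop, seed=0):
    """One BB84 round on constructed random data.
    Returns (sifted key length, quantum bit error rate of the sifted key)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: Eve guesses a basis, measures, and forwards
            # a fresh qubit carrying what she saw in the basis she used.
            e_basis = rng.randrange(2)
            bit = measure(bit, a_basis, e_basis, rng)
            a_basis = e_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))
    # Public discussion over the authenticated channel: bases are compared
    # and only positions where they agree are kept (the bits stay secret).
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]
    errors = sum(a != b for a, b in sifted)
    return len(sifted), errors / len(sifted)


def accept_key(qber, threshold=0.11):
    """Assumed abort rule: above the threshold Eve may hold too much
    information for privacy amplification to remove, so the key is dropped."""
    return qber <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        n, qber = run_bb84(4000, eavesdrop=eve)
        verdict = "proceed to privacy amplification" if accept_key(qber) else "abandon key"
        print(f"eavesdropper={eve}: sifted {n} bits, QBER {qber:.3f} -> {verdict}")
```

Without Eve the sifted key has no errors; with intercept-resend Eve guesses the wrong basis half the time and each such guess randomises Bob's result, giving an error rate near 25% that Alice and Bob see immediately when they compare a sample of their sifted bits. The sample they compare is discarded, and the rest is only kept if the estimated error rate is under the threshold.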
Quantum Information Security We can exploit the eavesdropper detection that is intrinsic to quantum systems in order to derive new “unconditionally secure” information security protocols. The security depends only on the laws of physics, and not on computational assumptions. • Quantum key establishment (available now/soon) • Quantum random number generation (available now/soon) • Quantum money (requires stable quantum memory) • Quantum digital signatures (requires quantum computer) • Quantum secret sharing (requires quantum computer) • Multi-party quantum computations • and more…
Implementations? Why is it so hard? How will they be built? When will we see quantum information processors?
[Figure: a classical bit (0, 1) at an energy scale of about 10^6 eV versus a qubit (|0⟩, |1⟩) at about 10^-6 eV.] Quantum Information is Fragile • low energy • control of operations • superpositions are very fragile • isolation from environment
Quantum Error Correction … allows quantum computation in the presence of noise. A quantum computation of any length can be made as accurate as desired, so long as the noise is below some threshold, e.g. p < 10^-4. Significance: • imperfections and imprecision are not fundamental obstacles to building quantum computers • gives a criterion for scalability • guide for experimentalists • benchmark for comparing technologies
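The threshold idea on this slide can be illustrated with the simplest code there is. The following is an added example, not from the slides: the three-qubit bit-flip repetition code under independent flips with probability p, decoded by majority vote, with the exact logical error rate, the effect of concatenating the code, and a Monte Carlo check on constructed noise. This toy code-capacity model has its break-even point at p = 1/2; the 10^-4 figure on the slide is a fault-tolerance threshold for a full circuit model with noisy gates and measurements, which is a much harsher setting, so the numbers are not comparable, only the shape of the argument.

```python
import random


def majority(bits):
    """Majority-vote decoder for an odd number of copies."""
    return int(sum(bits) > len(bits) / 2)


def logical_error_rate(p):
    """Exact failure probability of the 3-qubit bit-flip code: the vote
    fails when two or all three copies flip."""
    return 3 * p ** 2 * (1 - p) + p ** 3


def concatenated_error_rate(p, levels):
    """Re-encode each of the three qubits with the same code `levels` times.
    Below the break-even point each level drives the error down further;
    above it each level makes things worse."""
    for _ in range(levels):
        p = logical_error_rate(p)
    return p


def simulate_logical_error(p, trials, seed=0):
    """Monte Carlo check: encode logical 0 as 000, flip each copy with
    probability p (constructed noise), decode by majority, count failures."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        noisy = [int(rng.random() < p) for _ in range(3)]
        failures += majority(noisy)
    return failures / trials


if __name__ == "__main__":
    for p in (0.01, 0.1, 0.5, 0.6):
        print(f"p={p}: one level {logical_error_rate(p):.4f}, "
              f"three levels {concatenated_error_rate(p, 3):.2e}")
    print("simulated p=0.1:", simulate_logical_error(0.1, 20000))
```

At p = 0.1 one level of encoding cuts the error to 0.028 and three levels to about 2e-6, while at p = 0.6 encoding makes the error worse: that reversal is what a threshold is. The fault-tolerance theorem cited on the slide is the statement that an analogous threshold exists even when the encoding, gates and syndrome measurements are themselves noisy.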
Devices for Quantum Computing • Atom traps • Cavity QED • Electron floating on helium • Electron trapped by surface acoustic waves • Ion traps • Nuclear magnetic resonance (NMR) • Quantum optics • Quantum dots • Solid state • Spintronics • Superconducting Josephson junctions • and more…
Who’s Trying? • Aarhus • Berkeley • Caltech • Cambridge • College Park • Delft • DERA (U.K.) • École normale supérieure • Geneva • HP Labs (Palo Alto and Bristol) • Hitachi • IBM Research (Yorktown Heights and Palo Alto) • Innsbruck • Los Alamos National Labs • McMaster • Max Planck Institute-Munich • Melbourne • MIT • NEC • New South Wales • NIST • NRC • Orsay • Oxford • Paris • Queensland • Santa Barbara • Stanford • Toronto • Vienna • Waterloo • Yale • many others…
Bottom line What are the capabilities of quantum information processors? What will be the impact of these capabilities? Which technologies will be realized and when?
What technologies will be implemented and when? • Quantum random number generators: now. • Quantum key establishment: <10 years; some prototypes already available • Small scale quantum computers (e.g. needed for long distance quantum communication): medium term • Large scale quantum computers: medium-long term • Precise times are hard to predict since we are in the early stages and still trying a very broad range of approaches. Once we focus on technologies that show promise, expect progress to be very fast.
Wireless Sensor Networks • Injectable Tissue Engineering • Nano Solar Cells • Mechatronics • Grid Computing • Molecular Imaging • Nanoimprint Lithography • Software Assurance • Glycomics • Quantum Cryptography