1. Quanum computing

2. What is quantum computation? New model of computing based on quantum mechanics. Quantum circuits, quantum Turing machines More powerful than conventional models.

3. Quantum algorithms Factoring: given N=pq, find p and q. Best algorithm 2 O(n 1/3 ), n -number of digits. Many cryptosystems based on hardness of factoring. O(n 2 ) time quantum algorithm [Shor, 1994] Similar quantum algorithm solves discrete log.

4. Quantum algorithms Find if there exists i for which x i =1. Queries: input i, output x i. Classically, n queries. Quantum, O(  n) queries [Grover, 1996]. Speeds up exhaustive search. 0100... x1x1 x2x2 xnxn x3x3

5. Quantum cryptography Key distribution: two parties want to create a secret shared key by using a channel that can be eavesdropped. Classically: secure if discrete log hard. Quantum: secure if quantum mechanics valid [Bennett, Brassard, 1984]. No extra assumptions needed.

6. Quantum communication Dense coding: 1 quantum bit can encode 2 classical bits. Teleportation: quantum states can be transmitted by sending classical information. Quantum protocols that send exponentially less bits than classical.

7. Experiments ~10 different ideas how to implement QC. NMR, ion traps, optical, semiconductor, etc. 7 quantum bit QC [Knill et.al., 2000]. QKD has been implemented.

8. Outline Today: basic notions, quantum key distribution. Tomorrow: quantum algorithms, factoring. Friday: current research in quantum cryptography, coin flipping.

9. Model Quantum states Unitary transformations Measurements

10. Quantum bit 2-dimensional vector of length 1. Basis states |0>, |1>. Arbitrary state:  |0>+  |1>, ,  complex, |  | 2 + |  | 2 =1. |1> |0>

11. Physical quantum bits Nuclear spin = orientation of atom ’ s nucleus in magnetic field.  = |0>,  = |1>. Photons in a cavity. No photon = |0>, one photon = |1>

12. Physical quantum bits (2) Energy states of an atom Polarization of photon Many others. |0>|1> ground state excited state

13. General quantum states k-dimensional quantum system. Basis |1>, |2>, …, |k>. General state  1 |1>+  2 |2>+ … +  k |k>, |  1 |^2+ … + |  k |^2=1 2 k dimensional system can be constructed as a tensor product of k quantum bits.

14. Unitary transformations Linear transformations that preserve vector norm. In 2 dimensions, linear transformations that preserve unit circle (rotations and reflections).

15. Examples Bit flip Hamamard transform

16. Linearity Bit flip |0>  |1> |1>  |0> zBy linearity,  |0>+  |1>   |1>+  |0> zSufficient to specify U|0>, U|1>.

17. Examples |1> |0>

18. Measuring  |0>+  |1> in basis |0>, |1> gives:  0 with probability |  | 2,  1 with probability |  | 2. Measurement changes the state: it becomes |0> or |1>. Repeating measurement gives the same outcome. Measurements

19. Probability 1/2 |0> |1>

20. General measurements Let |  0 >, |  1 > be two orthogonal one-qubit states. Then, |  > =  0 |  0 > +  1 |  1 >. Measuring |  > gives |  i > with probability |  i | 2. This is equivalent to mapping |  0 >, |  1 > to |0>, |1> and then measuring.

21. Measurements Probability 1

22. Measurements Probability 1/2 |1>

23. Measurements Measuring  1 |1>+  2 |2>+ … +  k |k> in the basis |1>, |2>, …, |k> gives |i> with probability |  i | 2. Any orthogonal basis can be used.

24. Partial measurements Example: two quantum bits, measure first. Result 0 Result 1

25. Classical vs. Quantum Classical bits: can be measured completely, are not changed by measurement, can be copied, can be erased. Quantum bits: can be measured partially, are changed by measurement, cannot be copied, cannot be erased.

26. Copying One nuclear spin  Two spins Impossible! ? Related to impossiblity of measuring a state perfectly.

27. No-cloning theorem Imagine we could copy quantum states. Then, by linearity Not the same as two copies of |0>+|1>.

28. Key distribution Alice and Bob want to create a shared secret key by communicating over an insecure channel. Needed for symmetric encryption (one- time pad, DES etc.).

29. Key distribution Can be done classically. Needs hardness assumptions. Impossible classically if adversary has unlimited computational power. Quantum protocols can be secure against any adversary. The only assumption: quantum mechanics.

30. BB84 states |  > = |1> |  > = |0> |  > = |  >=

31. BB84 QKD... NoYes... 001 Alice Bob

32. BB84 QKD Alice sends n qubits. Bob chooses the same basis n/2 times. If there is no eavesdropping/transmission errors, they share the same n/2 bits.

33. Eavesdropping Assume that Eve measures some qubits in , |  basis and resends them. If the qubit she measures is |  > or |  >, Eve resends a different state (  or |  ). If Bob chooses |  >, |  > basis, he gets each answer with probability 1/2. With probability 1/2, Alice and Bob have different bits.

34. Eavesdropping Theorem: Impossible to obtain information about non-orthogonal states without disturbing them. In this protocol:

35. Check for eavesdropping Alice randomly chooses a fraction of the final string and announces it. Bob counts the number of different bits. If too many different bits, reject (eavesdropper found). If Eve measured many qubits, she gets caught.

36. Next step Alice and Bob share a string most of which is unknown to Eve. Eve might know a few bits. There could be differences due to transmission errors.

37. Classical post-processing Information reconciliation: Alice and Bob apply error correcting code to correct transmission errors. They now have the same string but small number of bits might be known to Eve. Privacy amplification: apply a hash function to the string.

38. QKD summary Alice and Bob generate a shared bit string by sending qubits and measuring them. Eavesdropping results in different bits. That allows to detect Eve. Error correction. Privacy amplification (hashing).

39. Eavesdropping models Simplest: Eve measures individual qubits. Most general: coherent measurements. Eve gathers all qubits, performs a joint measurement, resends.

40. Security proofs Mayers, 1998. Lo, Chau, 1999. Preskill, Shor, 2000. Boykin et.al., 2000. Ben-Or, 2000.

41. EPR state First qubit to Alice, second to Bob. If they measure, same answers.  Same for infinitely many bases.

42. Bell ’ s theorem Alice ’ s basis: Bob ’ s basis: y instead of x. |0> |1>

43. Bell ’ s theorem Pr[b=0] Pr[a=1] Pr[a=0] Pr[b=1]

44. Classical simulation Alice and Bob share random variables. Someone gives to them x and y. Can they produce the right distribution without communication?

45. Bell ’ s theorem Classical simulation impossible: Bell ’ s inequality: constraint satisfied by any result produced by classical randomness.

46. Ekert ’ s QKD Alice generates n states sends 2nd qubits to Bob. They use half of states for Bell ’ s test. If test passed, they error-correct/amplify the rest and measure.

47. Equivalence In BB84 protocol, Alice could prepare the state keep the first register and send the second to Bob. 

48. Ekert and BB84 states   UIUI

49. QKD summary Key distribution requires hardness assumptions classically. QKD based on quantum mechanics. Higher degree of security. Showed two protocols for QKD.

50. QKD implementations First: Bennett et.al., 1992. Currently: 67km, 1000 bits/second. Commercially available: Id Quantique, 2002.

51. Quantum Factoring

52. Quantum Algorithms l Quantum Algorithms should exploit quantum parallelism and quantum interference. l We have already seen some elementary algorithms.

53. Quantum Algorithms l These algorithms have been computing essentially classical functions on quantum superpositions l This encoded information in the phases of the basis states: measuring basis states would provide little useful information l But a simple quantum transformation translated the phase information into information that was measurable in the computational basis

54. Extracting phase information with the Hadamard operation

55. Overview l Quantum Phase Estimation l Eigenvalue Kick-back l Eigenvalue estimation and order- finding/factoring l Shor’s approach l Discrete Logarithm and Hidden Subgroup Problem (if there’s time)

56. Quantum Phase Estimation l Suppose we wish to estimate a number given the quantum state l Note that in binary we can express

57. Quantum Phase Estimation l Since for any integer k, we have

58. Quantum Phase Estimation l If then we can do the following

59. Useful identity l We can show that

60. Quantum Phase Estimation l So if then we can do the following

61. Quantum Phase Estimation l So if then we can do the following

62. Quantum Phase Estimation l Generalizing this network (and reversing the order of the qubits at the end) gives us a network with O(n 2 ) gates that implements

63. Discrete Fourier Transform l The discrete Fourier transform maps vectors of dimension N by transforming the elementary vector according to l The quantum Fourier transform maps vectors in a Hilbert space of dimension N according to

64. Discrete Fourier Transform l Thus we have illustrated how to implement (the inverse of) the quantum Fourier transform in a Hilbert space of dimension 2 n

65. Estimating arbitrary l What if is not necessarily of the formfor some integer x? l The QFT will mapto a superposition where

66. l For any real Quantum Phase Estimation l With high probability

67. l Recall the “trick”: Eigenvalue kick-back

68. l Consider a unitary operation U with eigenvalue and eigenvector Eigenvalue kick-back

70. l As a relative phase, becomes measurable

71. l If we exponentiate U, we get multiples of Eigenvalue kick-back

74. Phase estimation

75. Eigenvalue estimation

77. l Given with eigenvectorand eigenvalue we thus have an algorithm that maps

78. Eigenvalue kick-back l Given with eigenvectorsand respective eigenvalues we thus have an algorithm that maps and therefore

79. Eigenvalue kick-back l Measuring the first register of is equivalent to measuring with probability i.e.

80. Example l Suppose we have a group and we wish to find the order of (I.e. the smallest positive such that ) l If we can efficiently do arithmetic in the group, then we can realize a unitary operator that maps l Notice that l This means that the eigenvalues of are of the formwhere k is an integer

81. (Aside: more on reversible computing) If we know how to efficiently compute and then we can efficiently and reversibly map

82. (Aside: more on reversible computing) And therefore we can efficiently map

83. Example l Let l Then l We can easily implement, for example, l The eigenvectors of include

84. Example

89. Eigenvalue Kickback

93. Quantum Factoring The security of many public key cryptosystems used in industry today relies on the difficulty of factoring large numbers into smaller factors. Factoring the integer N into smaller factors can be reduced to the following task: Given integer a, find the smallest positive integer r so that

94. Example l Let l We can easily implement l The eigenvectors of include

95. Example

97. Eigenvalue kick-back l Given with eigenvectorsand respective eigenvalues we thus have an algorithm that maps and therefore

98. Eigenvalue Estimation

99. Eigenvalue kick-back l Measuring the first register of is equivalent to measuring with probability

100. Finding r For most integers k, a good estimate of (with error at most ) allows us to determine r (even if we don’t know k). (using continued fractions)

101. (aside: how does factoring reduce to order-finding??) The most common approach for factoring integers is the difference of squares technique: –“Randomly” find two integers x and y satisfying –So N divides –Hope that is non-trivial If r is even, then let so that

102. Shor ’ s approach l This eigenvalue estimation approach is not the original approach discovered by Shor l Kitaev developed an eigenvalue estimation approach (to the more general “Hidden Stabilizer Problem”) l We’ve presented the CEMM version here

103. Discrete Fourier Transform l The discrete Fourier transform maps uniform periodic states, say with period r dividing N, and offset w, to a periodic state with period N/r.

104. Discrete Fourier Transform l The quantum Fourier transform maps vectors in a Hilbert space of dimension N according to

105. Shor ’ s Factoring Algorithm

106. Network for Shor ’ s Factoring Algorithm

107. Eigenvalue Estimation Factoring Algorithm

108. Network for Eigenvalue Estimation Factoring Algorithm

109. Equivalence of Shor&CEMM Shor analysisCEMM analysis

110. Equivalence of Shor&CEMM Shor analysisCEMM analysis

111. Consider two elementsfrom a group G satisfying Find s. Discrete Logarithm Problem

112. We know has eigenvectors

113. Discrete Logarithm Problem Thus has the same eigenvectors but with eigenvalues exponentiated to the power of s

114. Discrete Logarithm Problem

115. Given k and ks, we can compute s mod r (provided k and r are coprime)

116. Abelian Hidden Subgroup Problem Find generators for

117. Network for AHS

118. AHS Algorithm in standard basis

119. AHS for in eigenbasis is an eigenvector of (Simon’s Problem)

120. Other applications of Abelian HSP Any finite Abelian group G is the direct sum of finite cyclic groups But finding generators satisfying is not always easy, e.g. for it’s as hard as factoring N Given any polynomial sized set of generators, we can use the Abelian HSP algorithm to find new generators that decompose G into a direct sum of finite cyclic groups.

121. Examples: Deutsch’s Problem: or Order finding: any group

122. Example: Discrete Log of to base : any group

123. Examples: Self-shift equivalences:

124. What about non-Abelian HSP Consider the symmetric group S n is the set of permutations of n elements Let G be an n-vertex graph Let Define Then where

125. Graph automorphism problem So the hidden subgroup of is the automorphism group of G This is a difficult problem in NP that is believed not to be in BPP and yet not NP- complete.

126. Other Progress on the Hidden Subgroup Problem in non-Abelian groups (not an exhaustive list) Ettinger, Hoyer arxiv.gov/abs/quant-ph/9807029 Roetteler,Beth quant-ph/9812070 Ivanyos,Magniez,Santha arxiv.org/abs/quant-ph/0102014 Friedl,Ivanyos,Magniez,Santha,Sen quant-ph/0211091 (Hidden Translation and Orbit Coset in Quantum Computing); they show e.g. that the HSP can be solved for solvable groups with bounded exponent and of bounded derived series Moore,Rockmore,Russell,Schulman, quant-ph/0211124