challenges in
play

Challenges in def bubblesort(x): quantum algorithms for for j in - PowerPoint PPT Presentation

Mar 08, 2023 •294 likes •1.48k views

1 2 Challenges in def bubblesort(x): quantum algorithms for for j in range(len(x)): integer factorization for i in reversed(range(j)): x[i],x[i+1] = ( D. J. Bernstein min(x[i],x[i+1]), University of Illinois at Chicago max(x[i],x[i+1])

  1. 2 3 Analogous: What is the fastest A simple exercise to bubblesort(x): algorithm to factor integers? suboptimality of Sh range(len(x)): Find a prime diviso reversed(range(j)): Shor’s algorithm takes poly time. x[i],x[i+1] = ( 31415926535897932384626433832795028841971693993751058209749445923078164062862089 Huge speedup over NFS! 98628034825342117067982148086513282306647093844609550582231725359408128481117450 28410270193852110555964462294895493038196442881097566593344612847564823378678316 min(x[i],x[i+1]), 52712019091456485669234603486104543266482133936072602491412737245870066063155881 74881520920962829254091715364367892590360011330530548820466521384146951941511609 b 2 (log b ) 1+ o (1) qubit operations 43305727036575959195309218611738193261179310511854807446237996274956735188575272 max(x[i],x[i+1]) 48912279381830119491298336733624406566430860213949463952247371907021798609437027 70539217176293176752384674818467669405132000568127145263560827785771342757789609 17363717872146844090122495343014654958537105079227968925892354201995611212902196 to factor b -bit integer, 08640344181598136297747713099605187072113499999983729780499510597317328160963185 95024459455346908302642522308253344685035261931188171010003137838752886587533208 38142061717766914730359825349042875546873115956286388235378759375195778185778053 using standard subroutines 21712268066130019278766111959092164201989380952572010654858632788659361533818279 68230301952035301852968995773622599413891249721775283479131515574857242454150695 es poly time. 95082953311686172785588907509838175463746493931925506040092770167113900984882401 for fast integer arithmetic. 28583616035637076601047101819429555961989467678374494482553797747268471040475346 46208046684259069491293313677028989152104752162056966024058038150193511253382430 risons. 03558764024749647326391419927260426992279678235478163600934172164121992458631503 02861829745557067498385054945885869269956909272107975093029553211653449872027559 60236480665499119881834797753566369807426542527862551818417574672890977772793800 Is this the end of the story? over blindsort ! 08164706001614524919217321721477235014144197356854816136115735255213347574184946 84385233239073941433345477624168625189835694855620992192221842725502542568876717 90494601653466804988627232791786085784383827967976681454100953883786360950680064 No, still not optimal. 22512520511739298489608412848862694560424196528502221066118630674427862203919494 50471237137869609563643719172874677646575739624138908658326459958133904780275900 of the story? 99465764078951269468398352595709825822620522489407726719478268482601476990902640 13639443745530506820349625245174939965143142980919065925093722169646151570985838 74105978859597729754989301617539284681382686838689427741559918559252459539594310 “Shor’s algorithm: the bubble sort optimal. 49972524680845987273644695848653836736222626099124608051243884390451244136549762 78079771569143599770012961608944169486855584840635342207222582848864815845602850 60168427394522674676788952521385225499546667278239864565961163548862305774564980 of integer factorization.” 35593634568174324112515076069479451096596094025228879710893145669136867228748940 56010150330861792868092087476091782493858900971490967598526136554978189312978482 16829989487226588048575640142704775551323796414515237462343645428584447952658678 21051141354735739523113427166102135969536231442952484937187110145765403590279934 40374200731057853906219838744780847848968332144571386875194350643021845319104848 10053706146806749192781911979399520614196634287544406437451237181921799983910159 19561814675142691239748940907186494231961567945208

  2. 2 3 Analogous: What is the fastest A simple exercise to illustrate algorithm to factor integers? suboptimality of Shor’s algorithm: range(len(x)): 10 3009 ¨ Find a prime divisor of reversed(range(j)): Shor’s algorithm takes poly time. 31415926535897932384626433832795028841971693993751058209749445923078164062862089 Huge speedup over NFS! 98628034825342117067982148086513282306647093844609550582231725359408128481117450 28410270193852110555964462294895493038196442881097566593344612847564823378678316 min(x[i],x[i+1]), 52712019091456485669234603486104543266482133936072602491412737245870066063155881 74881520920962829254091715364367892590360011330530548820466521384146951941511609 b 2 (log b ) 1+ o (1) qubit operations 43305727036575959195309218611738193261179310511854807446237996274956735188575272 48912279381830119491298336733624406566430860213949463952247371907021798609437027 70539217176293176752384674818467669405132000568127145263560827785771342757789609 17363717872146844090122495343014654958537105079227968925892354201995611212902196 to factor b -bit integer, 08640344181598136297747713099605187072113499999983729780499510597317328160963185 95024459455346908302642522308253344685035261931188171010003137838752886587533208 38142061717766914730359825349042875546873115956286388235378759375195778185778053 using standard subroutines 21712268066130019278766111959092164201989380952572010654858632788659361533818279 68230301952035301852968995773622599413891249721775283479131515574857242454150695 time. 95082953311686172785588907509838175463746493931925506040092770167113900984882401 for fast integer arithmetic. 28583616035637076601047101819429555961989467678374494482553797747268471040475346 46208046684259069491293313677028989152104752162056966024058038150193511253382430 03558764024749647326391419927260426992279678235478163600934172164121992458631503 02861829745557067498385054945885869269956909272107975093029553211653449872027559 60236480665499119881834797753566369807426542527862551818417574672890977772793800 Is this the end of the story? blindsort ! 08164706001614524919217321721477235014144197356854816136115735255213347574184946 84385233239073941433345477624168625189835694855620992192221842725502542568876717 90494601653466804988627232791786085784383827967976681454100953883786360950680064 No, still not optimal. 22512520511739298489608412848862694560424196528502221066118630674427862203919494 50471237137869609563643719172874677646575739624138908658326459958133904780275900 ry? 99465764078951269468398352595709825822620522489407726719478268482601476990902640 13639443745530506820349625245174939965143142980919065925093722169646151570985838 74105978859597729754989301617539284681382686838689427741559918559252459539594310 “Shor’s algorithm: the bubble sort 49972524680845987273644695848653836736222626099124608051243884390451244136549762 78079771569143599770012961608944169486855584840635342207222582848864815845602850 60168427394522674676788952521385225499546667278239864565961163548862305774564980 of integer factorization.” 35593634568174324112515076069479451096596094025228879710893145669136867228748940 56010150330861792868092087476091782493858900971490967598526136554978189312978482 16829989487226588048575640142704775551323796414515237462343645428584447952658678 21051141354735739523113427166102135969536231442952484937187110145765403590279934 40374200731057853906219838744780847848968332144571386875194350643021845319104848 10053706146806749192781911979399520614196634287544406437451237181921799983910159 19561814675142691239748940907186494231961567945208

  3. 3 4 Analogous: What is the fastest A simple exercise to illustrate algorithm to factor integers? suboptimality of Shor’s algorithm: 10 3009 ı ¨ ˝ Find a prime divisor of . Shor’s algorithm takes poly time. 31415926535897932384626433832795028841971693993751058209749445923078164062862089 Huge speedup over NFS! 98628034825342117067982148086513282306647093844609550582231725359408128481117450 28410270193852110555964462294895493038196442881097566593344612847564823378678316 52712019091456485669234603486104543266482133936072602491412737245870066063155881 74881520920962829254091715364367892590360011330530548820466521384146951941511609 b 2 (log b ) 1+ o (1) qubit operations 43305727036575959195309218611738193261179310511854807446237996274956735188575272 48912279381830119491298336733624406566430860213949463952247371907021798609437027 70539217176293176752384674818467669405132000568127145263560827785771342757789609 17363717872146844090122495343014654958537105079227968925892354201995611212902196 to factor b -bit integer, 08640344181598136297747713099605187072113499999983729780499510597317328160963185 95024459455346908302642522308253344685035261931188171010003137838752886587533208 38142061717766914730359825349042875546873115956286388235378759375195778185778053 using standard subroutines 21712268066130019278766111959092164201989380952572010654858632788659361533818279 68230301952035301852968995773622599413891249721775283479131515574857242454150695 95082953311686172785588907509838175463746493931925506040092770167113900984882401 for fast integer arithmetic. 28583616035637076601047101819429555961989467678374494482553797747268471040475346 46208046684259069491293313677028989152104752162056966024058038150193511253382430 03558764024749647326391419927260426992279678235478163600934172164121992458631503 02861829745557067498385054945885869269956909272107975093029553211653449872027559 60236480665499119881834797753566369807426542527862551818417574672890977772793800 Is this the end of the story? 08164706001614524919217321721477235014144197356854816136115735255213347574184946 84385233239073941433345477624168625189835694855620992192221842725502542568876717 90494601653466804988627232791786085784383827967976681454100953883786360950680064 No, still not optimal. 22512520511739298489608412848862694560424196528502221066118630674427862203919494 50471237137869609563643719172874677646575739624138908658326459958133904780275900 99465764078951269468398352595709825822620522489407726719478268482601476990902640 13639443745530506820349625245174939965143142980919065925093722169646151570985838 74105978859597729754989301617539284681382686838689427741559918559252459539594310 “Shor’s algorithm: the bubble sort 49972524680845987273644695848653836736222626099124608051243884390451244136549762 78079771569143599770012961608944169486855584840635342207222582848864815845602850 60168427394522674676788952521385225499546667278239864565961163548862305774564980 of integer factorization.” 35593634568174324112515076069479451096596094025228879710893145669136867228748940 56010150330861792868092087476091782493858900971490967598526136554978189312978482 16829989487226588048575640142704775551323796414515237462343645428584447952658678 21051141354735739523113427166102135969536231442952484937187110145765403590279934 40374200731057853906219838744780847848968332144571386875194350643021845319104848 10053706146806749192781911979399520614196634287544406437451237181921799983910159 19561814675142691239748940907186494231961567945208

  4. 3 4 Analogous: What is the fastest A simple exercise to illustrate Important rithm to factor integers? suboptimality of Shor’s algorithm: factorization 10 3009 ı ¨ ˝ Find a prime divisor of . • Maybe algorithm takes poly time. • Maybe 31415926535897932384626433832795028841971693993751058209749445923078164062862089 speedup over NFS! 98628034825342117067982148086513282306647093844609550582231725359408128481117450 28410270193852110555964462294895493038196442881097566593344612847564823378678316 • Maybe 52712019091456485669234603486104543266482133936072602491412737245870066063155881 74881520920962829254091715364367892590360011330530548820466521384146951941511609 b ) 1+ o (1) qubit operations 43305727036575959195309218611738193261179310511854807446237996274956735188575272 • Maybe 48912279381830119491298336733624406566430860213949463952247371907021798609437027 70539217176293176752384674818467669405132000568127145263560827785771342757789609 17363717872146844090122495343014654958537105079227968925892354201995611212902196 factor b -bit integer, • Maybe 08640344181598136297747713099605187072113499999983729780499510597317328160963185 95024459455346908302642522308253344685035261931188171010003137838752886587533208 38142061717766914730359825349042875546873115956286388235378759375195778185778053 standard subroutines 21712268066130019278766111959092164201989380952572010654858632788659361533818279 • Maybe 68230301952035301852968995773622599413891249721775283479131515574857242454150695 95082953311686172785588907509838175463746493931925506040092770167113900984882401 fast integer arithmetic. 28583616035637076601047101819429555961989467678374494482553797747268471040475346 46208046684259069491293313677028989152104752162056966024058038150193511253382430 Important 03558764024749647326391419927260426992279678235478163600934172164121992458631503 02861829745557067498385054945885869269956909272107975093029553211653449872027559 60236480665499119881834797753566369807426542527862551818417574672890977772793800 the end of the story? 08164706001614524919217321721477235014144197356854816136115735255213347574184946 (even assuming 84385233239073941433345477624168625189835694855620992192221842725502542568876717 90494601653466804988627232791786085784383827967976681454100953883786360950680064 still not optimal. 22512520511739298489608412848862694560424196528502221066118630674427862203919494 • Qubits. 50471237137869609563643719172874677646575739624138908658326459958133904780275900 99465764078951269468398352595709825822620522489407726719478268482601476990902640 13639443745530506820349625245174939965143142980919065925093722169646151570985838 • Area (“ 74105978859597729754989301617539284681382686838689427741559918559252459539594310 r’s algorithm: the bubble sort 49972524680845987273644695848653836736222626099124608051243884390451244136549762 78079771569143599770012961608944169486855584840635342207222582848864815845602850 • Qubit 60168427394522674676788952521385225499546667278239864565961163548862305774564980 integer factorization.” 35593634568174324112515076069479451096596094025228879710893145669136867228748940 56010150330861792868092087476091782493858900971490967598526136554978189312978482 16829989487226588048575640142704775551323796414515237462343645428584447952658678 • Depth. 21051141354735739523113427166102135969536231442952484937187110145765403590279934 40374200731057853906219838744780847848968332144571386875194350643021845319104848 10053706146806749192781911979399520614196634287544406437451237181921799983910159 • Time (“ 19561814675142691239748940907186494231961567945208

  5. 3 4 What is the fastest A simple exercise to illustrate Important variations factor integers? suboptimality of Shor’s algorithm: factorization problem: 10 3009 ı ¨ ˝ Find a prime divisor of . • Maybe need one takes poly time. • Maybe need all facto 31415926535897932384626433832795028841971693993751058209749445923078164062862089 over NFS! 98628034825342117067982148086513282306647093844609550582231725359408128481117450 28410270193852110555964462294895493038196442881097566593344612847564823378678316 • Maybe factors are 52712019091456485669234603486104543266482133936072602491412737245870066063155881 74881520920962829254091715364367892590360011330530548820466521384146951941511609 43305727036575959195309218611738193261179310511854807446237996274956735188575272 qubit operations • Maybe factors are 48912279381830119491298336733624406566430860213949463952247371907021798609437027 70539217176293176752384674818467669405132000568127145263560827785771342757789609 17363717872146844090122495343014654958537105079227968925892354201995611212902196 integer, • Maybe there are 08640344181598136297747713099605187072113499999983729780499510597317328160963185 95024459455346908302642522308253344685035261931188171010003137838752886587533208 38142061717766914730359825349042875546873115956286388235378759375195778185778053 subroutines 21712268066130019278766111959092164201989380952572010654858632788659361533818279 • Maybe inputs in 68230301952035301852968995773622599413891249721775283479131515574857242454150695 95082953311686172785588907509838175463746493931925506040092770167113900984882401 rithmetic. 28583616035637076601047101819429555961989467678374494482553797747268471040475346 46208046684259069491293313677028989152104752162056966024058038150193511253382430 Important variations 03558764024749647326391419927260426992279678235478163600934172164121992458631503 02861829745557067498385054945885869269956909272107975093029553211653449872027559 60236480665499119881834797753566369807426542527862551818417574672890977772793800 of the story? 08164706001614524919217321721477235014144197356854816136115735255213347574184946 (even assuming perfec 84385233239073941433345477624168625189835694855620992192221842725502542568876717 90494601653466804988627232791786085784383827967976681454100953883786360950680064 optimal. 22512520511739298489608412848862694560424196528502221066118630674427862203919494 • Qubits. 50471237137869609563643719172874677646575739624138908658326459958133904780275900 99465764078951269468398352595709825822620522489407726719478268482601476990902640 13639443745530506820349625245174939965143142980919065925093722169646151570985838 • Area (“ A ”, including 74105978859597729754989301617539284681382686838689427741559918559252459539594310 rithm: the bubble sort 49972524680845987273644695848653836736222626099124608051243884390451244136549762 78079771569143599770012961608944169486855584840635342207222582848864815845602850 • Qubit operations 60168427394522674676788952521385225499546667278239864565961163548862305774564980 rization.” 35593634568174324112515076069479451096596094025228879710893145669136867228748940 56010150330861792868092087476091782493858900971490967598526136554978189312978482 16829989487226588048575640142704775551323796414515237462343645428584447952658678 • Depth. 21051141354735739523113427166102135969536231442952484937187110145765403590279934 40374200731057853906219838744780847848968332144571386875194350643021845319104848 10053706146806749192781911979399520614196634287544406437451237181921799983910159 • Time (“ T ”: latency). 19561814675142691239748940907186494231961567945208

  6. 3 4 fastest A simple exercise to illustrate Important variations in the integers? suboptimality of Shor’s algorithm: factorization problem: 10 3009 ı ¨ ˝ Find a prime divisor of . • Maybe need one factor. oly time. • Maybe need all factors. 31415926535897932384626433832795028841971693993751058209749445923078164062862089 98628034825342117067982148086513282306647093844609550582231725359408128481117450 28410270193852110555964462294895493038196442881097566593344612847564823378678316 • Maybe factors are small. 52712019091456485669234603486104543266482133936072602491412737245870066063155881 74881520920962829254091715364367892590360011330530548820466521384146951941511609 43305727036575959195309218611738193261179310511854807446237996274956735188575272 erations • Maybe factors are large. 48912279381830119491298336733624406566430860213949463952247371907021798609437027 70539217176293176752384674818467669405132000568127145263560827785771342757789609 17363717872146844090122495343014654958537105079227968925892354201995611212902196 • Maybe there are many inputs. 08640344181598136297747713099605187072113499999983729780499510597317328160963185 95024459455346908302642522308253344685035261931188171010003137838752886587533208 38142061717766914730359825349042875546873115956286388235378759375195778185778053 21712268066130019278766111959092164201989380952572010654858632788659361533818279 • Maybe inputs in superposition. 68230301952035301852968995773622599413891249721775283479131515574857242454150695 95082953311686172785588907509838175463746493931925506040092770167113900984882401 28583616035637076601047101819429555961989467678374494482553797747268471040475346 46208046684259069491293313677028989152104752162056966024058038150193511253382430 Important variations in metrics 03558764024749647326391419927260426992279678235478163600934172164121992458631503 02861829745557067498385054945885869269956909272107975093029553211653449872027559 60236480665499119881834797753566369807426542527862551818417574672890977772793800 ry? 08164706001614524919217321721477235014144197356854816136115735255213347574184946 (even assuming perfect devices): 84385233239073941433345477624168625189835694855620992192221842725502542568876717 90494601653466804988627232791786085784383827967976681454100953883786360950680064 22512520511739298489608412848862694560424196528502221066118630674427862203919494 • Qubits. 50471237137869609563643719172874677646575739624138908658326459958133904780275900 99465764078951269468398352595709825822620522489407726719478268482601476990902640 13639443745530506820349625245174939965143142980919065925093722169646151570985838 • Area (“ A ”, including wire 74105978859597729754989301617539284681382686838689427741559918559252459539594310 bubble sort 49972524680845987273644695848653836736222626099124608051243884390451244136549762 78079771569143599770012961608944169486855584840635342207222582848864815845602850 • Qubit operations (“gates”). 60168427394522674676788952521385225499546667278239864565961163548862305774564980 35593634568174324112515076069479451096596094025228879710893145669136867228748940 56010150330861792868092087476091782493858900971490967598526136554978189312978482 16829989487226588048575640142704775551323796414515237462343645428584447952658678 • Depth. 21051141354735739523113427166102135969536231442952484937187110145765403590279934 40374200731057853906219838744780847848968332144571386875194350643021845319104848 10053706146806749192781911979399520614196634287544406437451237181921799983910159 • Time (“ T ”: latency). 19561814675142691239748940907186494231961567945208

  7. 4 5 A simple exercise to illustrate Important variations in the suboptimality of Shor’s algorithm: factorization problem: 10 3009 ı ¨ ˝ Find a prime divisor of . • Maybe need one factor. • Maybe need all factors. 31415926535897932384626433832795028841971693993751058209749445923078164062862089 98628034825342117067982148086513282306647093844609550582231725359408128481117450 28410270193852110555964462294895493038196442881097566593344612847564823378678316 • Maybe factors are small. 52712019091456485669234603486104543266482133936072602491412737245870066063155881 74881520920962829254091715364367892590360011330530548820466521384146951941511609 43305727036575959195309218611738193261179310511854807446237996274956735188575272 • Maybe factors are large. 48912279381830119491298336733624406566430860213949463952247371907021798609437027 70539217176293176752384674818467669405132000568127145263560827785771342757789609 17363717872146844090122495343014654958537105079227968925892354201995611212902196 • Maybe there are many inputs. 08640344181598136297747713099605187072113499999983729780499510597317328160963185 95024459455346908302642522308253344685035261931188171010003137838752886587533208 38142061717766914730359825349042875546873115956286388235378759375195778185778053 21712268066130019278766111959092164201989380952572010654858632788659361533818279 • Maybe inputs in superposition. 68230301952035301852968995773622599413891249721775283479131515574857242454150695 95082953311686172785588907509838175463746493931925506040092770167113900984882401 28583616035637076601047101819429555961989467678374494482553797747268471040475346 46208046684259069491293313677028989152104752162056966024058038150193511253382430 Important variations in metrics 03558764024749647326391419927260426992279678235478163600934172164121992458631503 02861829745557067498385054945885869269956909272107975093029553211653449872027559 60236480665499119881834797753566369807426542527862551818417574672890977772793800 08164706001614524919217321721477235014144197356854816136115735255213347574184946 (even assuming perfect devices): 84385233239073941433345477624168625189835694855620992192221842725502542568876717 90494601653466804988627232791786085784383827967976681454100953883786360950680064 22512520511739298489608412848862694560424196528502221066118630674427862203919494 • Qubits. 50471237137869609563643719172874677646575739624138908658326459958133904780275900 99465764078951269468398352595709825822620522489407726719478268482601476990902640 13639443745530506820349625245174939965143142980919065925093722169646151570985838 • Area (“ A ”, including wire area). 74105978859597729754989301617539284681382686838689427741559918559252459539594310 49972524680845987273644695848653836736222626099124608051243884390451244136549762 78079771569143599770012961608944169486855584840635342207222582848864815845602850 • Qubit operations (“gates”). 60168427394522674676788952521385225499546667278239864565961163548862305774564980 35593634568174324112515076069479451096596094025228879710893145669136867228748940 56010150330861792868092087476091782493858900971490967598526136554978189312978482 16829989487226588048575640142704775551323796414515237462343645428584447952658678 • Depth. 21051141354735739523113427166102135969536231442952484937187110145765403590279934 40374200731057853906219838744780847848968332144571386875194350643021845319104848 10053706146806749192781911979399520614196634287544406437451237181921799983910159 • Time (“ T ”: latency). 19561814675142691239748940907186494231961567945208

  8. 4 5 simple exercise to illustrate Important variations in the Short-term optimality of Shor’s algorithm: factorization problem: 1995 Kitaev, 10 3009 ı ¨ ˝ prime divisor of . • Maybe need one factor. Barenco–Ek • Maybe need all factors. 31415926535897932384626433832795028841971693993751058209749445923078164062862089 Chari–Devabhaktuni–Preskill, 98628034825342117067982148086513282306647093844609550582231725359408128481117450 28410270193852110555964462294895493038196442881097566593344612847564823378678316 • Maybe factors are small. 52712019091456485669234603486104543266482133936072602491412737245870066063155881 1998 Zalk 74881520920962829254091715364367892590360011330530548820466521384146951941511609 43305727036575959195309218611738193261179310511854807446237996274956735188575272 • Maybe factors are large. 48912279381830119491298336733624406566430860213949463952247371907021798609437027 70539217176293176752384674818467669405132000568127145263560827785771342757789609 2000 Park 17363717872146844090122495343014654958537105079227968925892354201995611212902196 • Maybe there are many inputs. 08640344181598136297747713099605187072113499999983729780499510597317328160963185 95024459455346908302642522308253344685035261931188171010003137838752886587533208 2002 Kitaev–Shen–Vy 38142061717766914730359825349042875546873115956286388235378759375195778185778053 21712268066130019278766111959092164201989380952572010654858632788659361533818279 • Maybe inputs in superposition. 68230301952035301852968995773622599413891249721775283479131515574857242454150695 Beaurega 95082953311686172785588907509838175463746493931925506040092770167113900984882401 28583616035637076601047101819429555961989467678374494482553797747268471040475346 46208046684259069491293313677028989152104752162056966024058038150193511253382430 Important variations in metrics Kunihiro, 03558764024749647326391419927260426992279678235478163600934172164121992458631503 02861829745557067498385054945885869269956909272107975093029553211653449872027559 60236480665499119881834797753566369807426542527862551818417574672890977772793800 08164706001614524919217321721477235014144197356854816136115735255213347574184946 (even assuming perfect devices): 2014 Svo 84385233239073941433345477624168625189835694855620992192221842725502542568876717 90494601653466804988627232791786085784383827967976681454100953883786360950680064 22512520511739298489608412848862694560424196528502221066118630674427862203919494 • Qubits. 2015 Grosshans–La 50471237137869609563643719172874677646575739624138908658326459958133904780275900 99465764078951269468398352595709825822620522489407726719478268482601476990902640 13639443745530506820349625245174939965143142980919065925093722169646151570985838 • Area (“ A ”, including wire area). Smith, 2016 74105978859597729754989301617539284681382686838689427741559918559252459539594310 49972524680845987273644695848653836736222626099124608051243884390451244136549762 78079771569143599770012961608944169486855584840635342207222582848864815845602850 • Qubit operations (“gates”). Svore, 2017 60168427394522674676788952521385225499546667278239864565961163548862305774564980 35593634568174324112515076069479451096596094025228879710893145669136867228748940 56010150330861792868092087476091782493858900971490967598526136554978189312978482 16829989487226588048575640142704775551323796414515237462343645428584447952658678 • Depth. Johnston: 21051141354735739523113427166102135969536231442952484937187110145765403590279934 40374200731057853906219838744780847848968332144571386875194350643021845319104848 10053706146806749192781911979399520614196634287544406437451237181921799983910159 • Time (“ T ”: latency). factors out 19561814675142691239748940907186494231961567945208

  9. 4 5 exercise to illustrate Important variations in the Short-term RSA securit Shor’s algorithm: factorization problem: 1995 Kitaev, 1996 10 3009 ı ¨ ˝ divisor of . • Maybe need one factor. Barenco–Ekert, 1996 • Maybe need all factors. 31415926535897932384626433832795028841971693993751058209749445923078164062862089 Chari–Devabhaktuni–Preskill, 98628034825342117067982148086513282306647093844609550582231725359408128481117450 28410270193852110555964462294895493038196442881097566593344612847564823378678316 • Maybe factors are small. 52712019091456485669234603486104543266482133936072602491412737245870066063155881 1998 Zalka, 1999 Mosca–Ek 74881520920962829254091715364367892590360011330530548820466521384146951941511609 43305727036575959195309218611738193261179310511854807446237996274956735188575272 • Maybe factors are large. 48912279381830119491298336733624406566430860213949463952247371907021798609437027 70539217176293176752384674818467669405132000568127145263560827785771342757789609 2000 Parker–Plenio, 17363717872146844090122495343014654958537105079227968925892354201995611212902196 • Maybe there are many inputs. 08640344181598136297747713099605187072113499999983729780499510597317328160963185 95024459455346908302642522308253344685035261931188171010003137838752886587533208 2002 Kitaev–Shen–Vy 38142061717766914730359825349042875546873115956286388235378759375195778185778053 21712268066130019278766111959092164201989380952572010654858632788659361533818279 • Maybe inputs in superposition. 68230301952035301852968995773622599413891249721775283479131515574857242454150695 Beauregard, 2006 95082953311686172785588907509838175463746493931925506040092770167113900984882401 28583616035637076601047101819429555961989467678374494482553797747268471040475346 46208046684259069491293313677028989152104752162056966024058038150193511253382430 Important variations in metrics Kunihiro, 2010 Ah 03558764024749647326391419927260426992279678235478163600934172164121992458631503 02861829745557067498385054945885869269956909272107975093029553211653449872027559 60236480665499119881834797753566369807426542527862551818417574672890977772793800 08164706001614524919217321721477235014144197356854816136115735255213347574184946 (even assuming perfect devices): 2014 Svore–Hastings–F 84385233239073941433345477624168625189835694855620992192221842725502542568876717 90494601653466804988627232791786085784383827967976681454100953883786360950680064 22512520511739298489608412848862694560424196528502221066118630674427862203919494 • Qubits. 2015 Grosshans–La 50471237137869609563643719172874677646575739624138908658326459958133904780275900 99465764078951269468398352595709825822620522489407726719478268482601476990902640 13639443745530506820349625245174939965143142980919065925093722169646151570985838 • Area (“ A ”, including wire area). Smith, 2016 H¨ aner–Ro 74105978859597729754989301617539284681382686838689427741559918559252459539594310 49972524680845987273644695848653836736222626099124608051243884390451244136549762 78079771569143599770012961608944169486855584840635342207222582848864815845602850 • Qubit operations (“gates”). Svore, 2017 Eker˚ a–H 60168427394522674676788952521385225499546667278239864565961163548862305774564980 35593634568174324112515076069479451096596094025228879710893145669136867228748940 56010150330861792868092087476091782493858900971490967598526136554978189312978482 16829989487226588048575640142704775551323796414515237462343645428584447952658678 • Depth. Johnston: try to squeeze 21051141354735739523113427166102135969536231442952484937187110145765403590279934 40374200731057853906219838744780847848968332144571386875194350643021845319104848 10053706146806749192781911979399520614196634287544406437451237181921799983910159 • Time (“ T ”: latency). factors out of Shor’s 19561814675142691239748940907186494231961567945208

  10. 4 5 illustrate Important variations in the Short-term RSA security algorithm: factorization problem: 1995 Kitaev, 1996 Vedral– 10 3009 ı ˝ . • Maybe need one factor. Barenco–Ekert, 1996 Beckman– • Maybe need all factors. 31415926535897932384626433832795028841971693993751058209749445923078164062862089 Chari–Devabhaktuni–Preskill, 98628034825342117067982148086513282306647093844609550582231725359408128481117450 28410270193852110555964462294895493038196442881097566593344612847564823378678316 • Maybe factors are small. 52712019091456485669234603486104543266482133936072602491412737245870066063155881 1998 Zalka, 1999 Mosca–Ek 74881520920962829254091715364367892590360011330530548820466521384146951941511609 43305727036575959195309218611738193261179310511854807446237996274956735188575272 • Maybe factors are large. 48912279381830119491298336733624406566430860213949463952247371907021798609437027 70539217176293176752384674818467669405132000568127145263560827785771342757789609 2000 Parker–Plenio, 2001 Se 17363717872146844090122495343014654958537105079227968925892354201995611212902196 • Maybe there are many inputs. 08640344181598136297747713099605187072113499999983729780499510597317328160963185 95024459455346908302642522308253344685035261931188171010003137838752886587533208 2002 Kitaev–Shen–Vyalyi, 2003 38142061717766914730359825349042875546873115956286388235378759375195778185778053 21712268066130019278766111959092164201989380952572010654858632788659361533818279 • Maybe inputs in superposition. 68230301952035301852968995773622599413891249721775283479131515574857242454150695 Beauregard, 2006 Takahashi– 95082953311686172785588907509838175463746493931925506040092770167113900984882401 28583616035637076601047101819429555961989467678374494482553797747268471040475346 46208046684259069491293313677028989152104752162056966024058038150193511253382430 Important variations in metrics Kunihiro, 2010 Ahmadi–Chiang, 03558764024749647326391419927260426992279678235478163600934172164121992458631503 02861829745557067498385054945885869269956909272107975093029553211653449872027559 60236480665499119881834797753566369807426542527862551818417574672890977772793800 08164706001614524919217321721477235014144197356854816136115735255213347574184946 (even assuming perfect devices): 2014 Svore–Hastings–Freedman, 84385233239073941433345477624168625189835694855620992192221842725502542568876717 90494601653466804988627232791786085784383827967976681454100953883786360950680064 22512520511739298489608412848862694560424196528502221066118630674427862203919494 • Qubits. 2015 Grosshans–Lawson–Mo 50471237137869609563643719172874677646575739624138908658326459958133904780275900 99465764078951269468398352595709825822620522489407726719478268482601476990902640 13639443745530506820349625245174939965143142980919065925093722169646151570985838 • Area (“ A ”, including wire area). Smith, 2016 H¨ aner–Roetteler– 74105978859597729754989301617539284681382686838689427741559918559252459539594310 49972524680845987273644695848653836736222626099124608051243884390451244136549762 78079771569143599770012961608944169486855584840635342207222582848864815845602850 • Qubit operations (“gates”). Svore, 2017 Eker˚ a–H˚ astad, 2017 60168427394522674676788952521385225499546667278239864565961163548862305774564980 35593634568174324112515076069479451096596094025228879710893145669136867228748940 56010150330861792868092087476091782493858900971490967598526136554978189312978482 16829989487226588048575640142704775551323796414515237462343645428584447952658678 • Depth. Johnston: try to squeeze constant 21051141354735739523113427166102135969536231442952484937187110145765403590279934 40374200731057853906219838744780847848968332144571386875194350643021845319104848 10053706146806749192781911979399520614196634287544406437451237181921799983910159 • Time (“ T ”: latency). factors out of Shor’s algorithm.

  11. 5 6 Important variations in the Short-term RSA security factorization problem: 1995 Kitaev, 1996 Vedral– • Maybe need one factor. Barenco–Ekert, 1996 Beckman– • Maybe need all factors. Chari–Devabhaktuni–Preskill, • Maybe factors are small. 1998 Zalka, 1999 Mosca–Ekert, • Maybe factors are large. 2000 Parker–Plenio, 2001 Seifert, • Maybe there are many inputs. 2002 Kitaev–Shen–Vyalyi, 2003 • Maybe inputs in superposition. Beauregard, 2006 Takahashi– Important variations in metrics Kunihiro, 2010 Ahmadi–Chiang, (even assuming perfect devices): 2014 Svore–Hastings–Freedman, • Qubits. 2015 Grosshans–Lawson–Morain– • Area (“ A ”, including wire area). Smith, 2016 H¨ aner–Roetteler– • Qubit operations (“gates”). Svore, 2017 Eker˚ a–H˚ astad, 2017 • Depth. Johnston: try to squeeze constant • Time (“ T ”: latency). factors out of Shor’s algorithm.

  12. 5 6 rtant variations in the Short-term RSA security 2003 Beaurega rization problem: : : : 2016 1995 Kitaev, 1996 Vedral– ybe need one factor. 2 b + 2 qubits; Barenco–Ekert, 1996 Beckman– ybe need all factors. Toffoli gates; Chari–Devabhaktuni–Preskill, ybe factors are small. CNOT gates; 1998 Zalka, 1999 Mosca–Ekert, ybe factors are large. 2000 Parker–Plenio, 2001 Seifert, ybe there are many inputs. 2002 Kitaev–Shen–Vyalyi, 2003 ybe inputs in superposition. Beauregard, 2006 Takahashi– rtant variations in metrics Kunihiro, 2010 Ahmadi–Chiang, assuming perfect devices): 2014 Svore–Hastings–Freedman, Qubits. 2015 Grosshans–Lawson–Morain– (“ A ”, including wire area). Smith, 2016 H¨ aner–Roetteler– Qubit operations (“gates”). Svore, 2017 Eker˚ a–H˚ astad, 2017 Depth. Johnston: try to squeeze constant Time (“ T ”: latency). factors out of Shor’s algorithm.

  13. 5 6 riations in the Short-term RSA security 2003 Beauregard: roblem: : : : 2016 H¨ aner–Ro 1995 Kitaev, 1996 Vedral– one factor. 2 b + 2 qubits; 64 b Barenco–Ekert, 1996 Beckman– all factors. Toffoli gates; simila Chari–Devabhaktuni–Preskill, are small. CNOT gates; depth 1998 Zalka, 1999 Mosca–Ekert, are large. 2000 Parker–Plenio, 2001 Seifert, re many inputs. 2002 Kitaev–Shen–Vyalyi, 2003 in superposition. Beauregard, 2006 Takahashi– riations in metrics Kunihiro, 2010 Ahmadi–Chiang, perfect devices): 2014 Svore–Hastings–Freedman, 2015 Grosshans–Lawson–Morain– including wire area). Smith, 2016 H¨ aner–Roetteler– erations (“gates”). Svore, 2017 Eker˚ a–H˚ astad, 2017 Johnston: try to squeeze constant latency). factors out of Shor’s algorithm.

  14. 5 6 the Short-term RSA security 2003 Beauregard: 2 b + 3 qubits. : : : 2016 H¨ aner–Roetteler–Svo 1995 Kitaev, 1996 Vedral– 2 b + 2 qubits; 64 b 3 (lg b + O Barenco–Ekert, 1996 Beckman– Toffoli gates; similar number Chari–Devabhaktuni–Preskill, CNOT gates; depth O ( b 3 ). small. 1998 Zalka, 1999 Mosca–Ekert, 2000 Parker–Plenio, 2001 Seifert, inputs. 2002 Kitaev–Shen–Vyalyi, 2003 osition. Beauregard, 2006 Takahashi– metrics Kunihiro, 2010 Ahmadi–Chiang, devices): 2014 Svore–Hastings–Freedman, 2015 Grosshans–Lawson–Morain– wire area). Smith, 2016 H¨ aner–Roetteler– (“gates”). Svore, 2017 Eker˚ a–H˚ astad, 2017 Johnston: try to squeeze constant factors out of Shor’s algorithm.

  15. 6 7 Short-term RSA security 2003 Beauregard: 2 b + 3 qubits. : : : 2016 H¨ aner–Roetteler–Svore: 1995 Kitaev, 1996 Vedral– 2 b + 2 qubits; 64 b 3 (lg b + O (1)) Barenco–Ekert, 1996 Beckman– Toffoli gates; similar number of Chari–Devabhaktuni–Preskill, CNOT gates; depth O ( b 3 ). 1998 Zalka, 1999 Mosca–Ekert, 2000 Parker–Plenio, 2001 Seifert, 2002 Kitaev–Shen–Vyalyi, 2003 Beauregard, 2006 Takahashi– Kunihiro, 2010 Ahmadi–Chiang, 2014 Svore–Hastings–Freedman, 2015 Grosshans–Lawson–Morain– Smith, 2016 H¨ aner–Roetteler– Svore, 2017 Eker˚ a–H˚ astad, 2017 Johnston: try to squeeze constant factors out of Shor’s algorithm.

  16. 6 7 Short-term RSA security 2003 Beauregard: 2 b + 3 qubits. : : : 2016 H¨ aner–Roetteler–Svore: 1995 Kitaev, 1996 Vedral– 2 b + 2 qubits; 64 b 3 (lg b + O (1)) Barenco–Ekert, 1996 Beckman– Toffoli gates; similar number of Chari–Devabhaktuni–Preskill, CNOT gates; depth O ( b 3 ). 1998 Zalka, 1999 Mosca–Ekert, 2000 Parker–Plenio, 2001 Seifert, Conventional wisdom: 2002 Kitaev–Shen–Vyalyi, 2003 cannot avoid 2 b qubits Beauregard, 2006 Takahashi– for controlled mulmod. Kunihiro, 2010 Ahmadi–Chiang, e.g. 4096 qubits for b = 2048, 2014 Svore–Hastings–Freedman, very common RSA key size. 2015 Grosshans–Lawson–Morain– So 2048-bit factorization Smith, 2016 H¨ aner–Roetteler– needs 4096 qubits? Svore, 2017 Eker˚ a–H˚ astad, 2017 Johnston: try to squeeze constant factors out of Shor’s algorithm.

  17. 6 7 Short-term RSA security 2003 Beauregard: 2 b + 3 qubits. : : : 2016 H¨ aner–Roetteler–Svore: 1995 Kitaev, 1996 Vedral– 2 b + 2 qubits; 64 b 3 (lg b + O (1)) Barenco–Ekert, 1996 Beckman– Toffoli gates; similar number of Chari–Devabhaktuni–Preskill, CNOT gates; depth O ( b 3 ). 1998 Zalka, 1999 Mosca–Ekert, 2000 Parker–Plenio, 2001 Seifert, Conventional wisdom: 2002 Kitaev–Shen–Vyalyi, 2003 cannot avoid 2 b qubits Beauregard, 2006 Takahashi– for controlled mulmod. Kunihiro, 2010 Ahmadi–Chiang, e.g. 4096 qubits for b = 2048, 2014 Svore–Hastings–Freedman, very common RSA key size. 2015 Grosshans–Lawson–Morain– So 2048-bit factorization Smith, 2016 H¨ aner–Roetteler– needs 4096 qubits? Svore, 2017 Eker˚ a–H˚ astad, 2017 No: NFS uses 0 qubits. Johnston: try to squeeze constant factors out of Shor’s algorithm.

  18. 6 7 rt-term RSA security 2003 Beauregard: 2 b + 3 qubits. NFS takes : : : 2016 H¨ aner–Roetteler–Svore: with p = Kitaev, 1996 Vedral– 2 b + 2 qubits; 64 b 3 (lg b + O (1)) log L = (log renco–Ekert, 1996 Beckman– Toffoli gates; similar number of ri–Devabhaktuni–Preskill, Analysis CNOT gates; depth O ( b 3 ). Zalka, 1999 Mosca–Ekert, very roughly arker–Plenio, 2001 Seifert, Conventional wisdom: Kitaev–Shen–Vyalyi, 2003 cannot avoid 2 b qubits Beauregard, 2006 Takahashi– for controlled mulmod. Kunihiro, 2010 Ahmadi–Chiang, e.g. 4096 qubits for b = 2048, Svore–Hastings–Freedman, very common RSA key size. Grosshans–Lawson–Morain– So 2048-bit factorization Smith, 2016 H¨ aner–Roetteler– needs 4096 qubits? 2017 Eker˚ a–H˚ astad, 2017 No: NFS uses 0 qubits. Johnston: try to squeeze constant out of Shor’s algorithm.

  19. 6 7 NFS takes L p + o (1) security 2003 Beauregard: 2 b + 3 qubits. with p = 3 p : : : 2016 H¨ aner–Roetteler–Svore: 92 + 26 1996 Vedral– 2 b + 2 qubits; 64 b 3 (lg b + O (1)) log L = (log 2 b ) 1 = 3 1996 Beckman– Toffoli gates; similar number of ri–Devabhaktuni–Preskill, Analysis for b = 2048 CNOT gates; depth O ( b 3 ). very roughly 2 112 op 1999 Mosca–Ekert, er–Plenio, 2001 Seifert, Conventional wisdom: Kitaev–Shen–Vyalyi, 2003 cannot avoid 2 b qubits 2006 Takahashi– for controlled mulmod. Ahmadi–Chiang, e.g. 4096 qubits for b = 2048, re–Hastings–Freedman, very common RSA key size. Grosshans–Lawson–Morain– So 2048-bit factorization aner–Roetteler– needs 4096 qubits? er˚ a–H˚ astad, 2017 No: NFS uses 0 qubits. squeeze constant Shor’s algorithm.

  20. 6 7 NFS takes L p + o (1) operations 2003 Beauregard: 2 b + 3 qubits. √ with p = 3 p : : : 2016 H¨ aner–Roetteler–Svore: 92 + 26 13 = 3 > 2 b + 2 qubits; 64 b 3 (lg b + O (1)) log L = (log 2 b ) 1 = 3 (log log 2 b Beckman– Toffoli gates; similar number of ri–Devabhaktuni–Preskill, Analysis for b = 2048 (not easy!): CNOT gates; depth O ( b 3 ). very roughly 2 112 operations. Mosca–Ekert, Seifert, Conventional wisdom: 2003 cannot avoid 2 b qubits hashi– for controlled mulmod. di–Chiang, e.g. 4096 qubits for b = 2048, reedman, very common RSA key size. orain– So 2048-bit factorization etteler– needs 4096 qubits? astad, 2017 No: NFS uses 0 qubits. constant rithm.

  21. 7 8 NFS takes L p + o (1) operations 2003 Beauregard: 2 b + 3 qubits. √ with p = 3 p : : : 2016 H¨ aner–Roetteler–Svore: 92 + 26 13 = 3 > 1 : 9, 2 b + 2 qubits; 64 b 3 (lg b + O (1)) log L = (log 2 b ) 1 = 3 (log log 2 b ) 2 = 3 . Toffoli gates; similar number of Analysis for b = 2048 (not easy!): CNOT gates; depth O ( b 3 ). very roughly 2 112 operations. Conventional wisdom: cannot avoid 2 b qubits for controlled mulmod. e.g. 4096 qubits for b = 2048, very common RSA key size. So 2048-bit factorization needs 4096 qubits? No: NFS uses 0 qubits.

  22. 7 8 NFS takes L p + o (1) operations 2003 Beauregard: 2 b + 3 qubits. √ with p = 3 p : : : 2016 H¨ aner–Roetteler–Svore: 92 + 26 13 = 3 > 1 : 9, 2 b + 2 qubits; 64 b 3 (lg b + O (1)) log L = (log 2 b ) 1 = 3 (log log 2 b ) 2 = 3 . Toffoli gates; similar number of Analysis for b = 2048 (not easy!): CNOT gates; depth O ( b 3 ). very roughly 2 112 operations. Conventional wisdom: 2017 Bernstein–Biasse–Mosca: cannot avoid 2 b qubits L q + o (1) operations for controlled mulmod. with q = 3 p 8 = 3 ≈ 1 : 387, using b 2 = 3+ o (1) qubits e.g. 4096 qubits for b = 2048, very common RSA key size. (and many non-quantum bits). So 2048-bit factorization needs 4096 qubits? No: NFS uses 0 qubits.

  23. 7 8 NFS takes L p + o (1) operations 2003 Beauregard: 2 b + 3 qubits. √ with p = 3 p : : : 2016 H¨ aner–Roetteler–Svore: 92 + 26 13 = 3 > 1 : 9, 2 b + 2 qubits; 64 b 3 (lg b + O (1)) log L = (log 2 b ) 1 = 3 (log log 2 b ) 2 = 3 . Toffoli gates; similar number of Analysis for b = 2048 (not easy!): CNOT gates; depth O ( b 3 ). very roughly 2 112 operations. Conventional wisdom: 2017 Bernstein–Biasse–Mosca: cannot avoid 2 b qubits L q + o (1) operations for controlled mulmod. with q = 3 p 8 = 3 ≈ 1 : 387, using b 2 = 3+ o (1) qubits e.g. 4096 qubits for b = 2048, very common RSA key size. (and many non-quantum bits). So 2048-bit factorization Open: Analyze for b = 2048. needs 4096 qubits? Fewer than 4096 qubits? No: NFS uses 0 qubits. Fewer than 2048 qubits?

  24. 7 8 NFS takes L p + o (1) operations Beauregard: 2 b + 3 qubits. Counting √ with p = 3 p 2016 H¨ aner–Roetteler–Svore: 92 + 26 13 = 3 > 1 : 9, oversimplified qubits; 64 b 3 (lg b + O (1)) log L = (log 2 b ) 1 = 3 (log log 2 b ) 2 = 3 . communication gates; similar number of See, e.g., Analysis for b = 2048 (not easy!): gates; depth O ( b 3 ). theorem very roughly 2 112 operations. Conventional wisdom: 2017 Bernstein–Biasse–Mosca: cannot avoid 2 b qubits L q + o (1) operations ontrolled mulmod. with q = 3 p 8 = 3 ≈ 1 : 387, using b 2 = 3+ o (1) qubits 4096 qubits for b = 2048, common RSA key size. (and many non-quantum bits). 2048-bit factorization Open: Analyze for b = 2048. 4096 qubits? Fewer than 4096 qubits? NFS uses 0 qubits. Fewer than 2048 qubits?

  25. 7 8 NFS takes L p + o (1) operations rd: 2 b + 3 qubits. Counting operations √ with p = 3 p aner–Roetteler–Svore: 92 + 26 13 = 3 > 1 : 9, oversimplified cost 64 b 3 (lg b + O (1)) log L = (log 2 b ) 1 = 3 (log log 2 b ) 2 = 3 . communication costs similar number of See, e.g., 1981 Brent–Kung Analysis for b = 2048 (not easy!): depth O ( b 3 ). theorem for realistic very roughly 2 112 operations. wisdom: 2017 Bernstein–Biasse–Mosca: qubits L q + o (1) operations mulmod. with q = 3 p 8 = 3 ≈ 1 : 387, using b 2 = 3+ o (1) qubits for b = 2048, RSA key size. (and many non-quantum bits). factorization Open: Analyze for b = 2048. qubits? Fewer than 4096 qubits? qubits. Fewer than 2048 qubits?

  26. 7 8 NFS takes L p + o (1) operations qubits. Counting operations is an √ with p = 3 p etteler–Svore: 92 + 26 13 = 3 > 1 : 9, oversimplified cost model: igno log L = (log 2 b ) 1 = 3 (log log 2 b ) 2 = 3 . O (1)) communication costs, parallelism. er of See, e.g., 1981 Brent–Kung Analysis for b = 2048 (not easy!): ). theorem for realistic chip mo very roughly 2 112 operations. 2017 Bernstein–Biasse–Mosca: L q + o (1) operations with q = 3 p 8 = 3 ≈ 1 : 387, using b 2 = 3+ o (1) qubits 2048, size. (and many non-quantum bits). Open: Analyze for b = 2048. Fewer than 4096 qubits? Fewer than 2048 qubits?

  27. 8 9 NFS takes L p + o (1) operations Counting operations is an √ with p = 3 p 92 + 26 13 = 3 > 1 : 9, oversimplified cost model: ignores log L = (log 2 b ) 1 = 3 (log log 2 b ) 2 = 3 . communication costs, parallelism. See, e.g., 1981 Brent–Kung AT Analysis for b = 2048 (not easy!): theorem for realistic chip model. very roughly 2 112 operations. 2017 Bernstein–Biasse–Mosca: L q + o (1) operations with q = 3 p 8 = 3 ≈ 1 : 387, using b 2 = 3+ o (1) qubits (and many non-quantum bits). Open: Analyze for b = 2048. Fewer than 4096 qubits? Fewer than 2048 qubits?

  28. 8 9 NFS takes L p + o (1) operations Counting operations is an √ with p = 3 p 92 + 26 13 = 3 > 1 : 9, oversimplified cost model: ignores log L = (log 2 b ) 1 = 3 (log log 2 b ) 2 = 3 . communication costs, parallelism. See, e.g., 1981 Brent–Kung AT Analysis for b = 2048 (not easy!): theorem for realistic chip model. very roughly 2 112 operations. NFS suffers somewhat from 2017 Bernstein–Biasse–Mosca: communication costs inside L q + o (1) operations big linear-algebra subroutine. with q = 3 p 8 = 3 ≈ 1 : 387, using b 2 = 3+ o (1) qubits 2001 Bernstein: AT = L p ′ + o (1) with p ′ ≈ 1 : 976. (and many non-quantum bits). Open: Analyze for b = 2048. 2017 Bernstein–Biasse–Mosca: AT = L q ′ + o (1) with q ′ ≈ 1 : 456 Fewer than 4096 qubits? using b 2 = 3+ o (1) qubits. Fewer than 2048 qubits? Open: Analyze for b = 2048.

  29. 8 9 takes L p + o (1) operations Counting operations is an Actually √ = 3 p 92 + 26 13 = 3 > 1 : 9, oversimplified cost model: ignores Lower cost (log 2 b ) 1 = 3 (log log 2 b ) 2 = 3 . communication costs, parallelism. Lower cost See, e.g., 1981 Brent–Kung AT Analysis for b = 2048 (not easy!): theorem for realistic chip model. roughly 2 112 operations. NFS suffers somewhat from Bernstein–Biasse–Mosca: communication costs inside (1) operations big linear-algebra subroutine. = 3 p 8 = 3 ≈ 1 : 387, b 2 = 3+ o (1) qubits 2001 Bernstein: AT = L p ′ + o (1) with p ′ ≈ 1 : 976. many non-quantum bits). Analyze for b = 2048. 2017 Bernstein–Biasse–Mosca: AT = L q ′ + o (1) with q ′ ≈ 1 : 456 than 4096 qubits? using b 2 = 3+ o (1) qubits. than 2048 qubits? Open: Analyze for b = 2048.

  30. 8 9 (1) operations Counting operations is an Actually have many √ 26 13 = 3 > 1 : 9, oversimplified cost model: ignores Lower cost for some = 3 (log log 2 b ) 2 = 3 . communication costs, parallelism. Lower cost for many See, e.g., 1981 Brent–Kung AT 2048 (not easy!): theorem for realistic chip model. operations. NFS suffers somewhat from Bernstein–Biasse–Mosca: communication costs inside erations big linear-algebra subroutine. ≈ 1 : 387, qubits 2001 Bernstein: AT = L p ′ + o (1) with p ′ ≈ 1 : 976. on-quantum bits). for b = 2048. 2017 Bernstein–Biasse–Mosca: AT = L q ′ + o (1) with q ′ ≈ 1 : 456 qubits? using b 2 = 3+ o (1) qubits. qubits? Open: Analyze for b = 2048.

  31. 8 9 erations Counting operations is an Actually have many inputs. > 1 : 9, oversimplified cost model: ignores Lower cost for some output? 2 b ) 2 = 3 . communication costs, parallelism. Lower cost for many outputs? See, e.g., 1981 Brent–Kung AT (not easy!): theorem for realistic chip model. erations. NFS suffers somewhat from Bernstein–Biasse–Mosca: communication costs inside big linear-algebra subroutine. 2001 Bernstein: AT = L p ′ + o (1) with p ′ ≈ 1 : 976. bits). 2048. 2017 Bernstein–Biasse–Mosca: AT = L q ′ + o (1) with q ′ ≈ 1 : 456 using b 2 = 3+ o (1) qubits. Open: Analyze for b = 2048.

  32. 9 10 Counting operations is an Actually have many inputs. oversimplified cost model: ignores Lower cost for some output? communication costs, parallelism. Lower cost for many outputs? See, e.g., 1981 Brent–Kung AT theorem for realistic chip model. NFS suffers somewhat from communication costs inside big linear-algebra subroutine. 2001 Bernstein: AT = L p ′ + o (1) with p ′ ≈ 1 : 976. 2017 Bernstein–Biasse–Mosca: AT = L q ′ + o (1) with q ′ ≈ 1 : 456 using b 2 = 3+ o (1) qubits. Open: Analyze for b = 2048.

  33. 9 10 Counting operations is an Actually have many inputs. oversimplified cost model: ignores Lower cost for some output? communication costs, parallelism. Lower cost for many outputs? See, e.g., 1981 Brent–Kung AT 1993 Coppersmith: theorem for realistic chip model. L 1 : 638 ::: + o (1) operations NFS suffers somewhat from after precomp( b ) involving L 2 : 006 ::: + o (1) operations. communication costs inside big linear-algebra subroutine. 2001 Bernstein: AT = L p ′ + o (1) with p ′ ≈ 1 : 976. 2017 Bernstein–Biasse–Mosca: AT = L q ′ + o (1) with q ′ ≈ 1 : 456 using b 2 = 3+ o (1) qubits. Open: Analyze for b = 2048.

  34. 9 10 Counting operations is an Actually have many inputs. oversimplified cost model: ignores Lower cost for some output? communication costs, parallelism. Lower cost for many outputs? See, e.g., 1981 Brent–Kung AT 1993 Coppersmith: theorem for realistic chip model. L 1 : 638 ::: + o (1) operations NFS suffers somewhat from after precomp( b ) involving L 2 : 006 ::: + o (1) operations. communication costs inside big linear-algebra subroutine. 2014 Bernstein–Lange: AT = L 2 : 204 ::: + o (1) 2001 Bernstein: AT = L p ′ + o (1) with p ′ ≈ 1 : 976. to factor L 0 : 5+ o (1) inputs; L 1 : 704 ::: + o (1) per input. 2017 Bernstein–Biasse–Mosca: AT = L q ′ + o (1) with q ′ ≈ 1 : 456 using b 2 = 3+ o (1) qubits. Open: Analyze for b = 2048.

  35. 9 10 Counting operations is an Actually have many inputs. oversimplified cost model: ignores Lower cost for some output? communication costs, parallelism. Lower cost for many outputs? See, e.g., 1981 Brent–Kung AT 1993 Coppersmith: theorem for realistic chip model. L 1 : 638 ::: + o (1) operations NFS suffers somewhat from after precomp( b ) involving L 2 : 006 ::: + o (1) operations. communication costs inside big linear-algebra subroutine. 2014 Bernstein–Lange: AT = L 2 : 204 ::: + o (1) 2001 Bernstein: AT = L p ′ + o (1) with p ′ ≈ 1 : 976. to factor L 0 : 5+ o (1) inputs; L 1 : 704 ::: + o (1) per input. 2017 Bernstein–Biasse–Mosca: AT = L q ′ + o (1) with q ′ ≈ 1 : 456 Open: Any quantum speedups using b 2 = 3+ o (1) qubits. for factoring many integers? Open: Analyze for b = 2048.

  36. 9 10 Counting operations is an Actually have many inputs. Long-term oversimplified cost model: ignores Lower cost for some output? Long histo communication costs, parallelism. Lower cost for many outputs? in integer e.g., 1981 Brent–Kung AT 1993 Coppersmith: Long histo rem for realistic chip model. L 1 : 638 ::: + o (1) operations switching suffers somewhat from after precomp( b ) involving not far b L 2 : 006 ::: + o (1) operations. communication costs inside linear-algebra subroutine. 2014 Bernstein–Lange: AT = L 2 : 204 ::: + o (1) Bernstein: L p ′ + o (1) with p ′ ≈ 1 : 976. to factor L 0 : 5+ o (1) inputs; L 1 : 704 ::: + o (1) per input. Bernstein–Biasse–Mosca: L q ′ + o (1) with q ′ ≈ 1 : 456 Open: Any quantum speedups b 2 = 3+ o (1) qubits. for factoring many integers? Analyze for b = 2048.

  37. 9 10 erations is an Actually have many inputs. Long-term RSA securit cost model: ignores Lower cost for some output? Long history of advances costs, parallelism. Lower cost for many outputs? in integer factorization. Brent–Kung AT 1993 Coppersmith: Long history of RSA realistic chip model. L 1 : 638 ::: + o (1) operations switching to larger somewhat from after precomp( b ) involving not far beyond brok L 2 : 006 ::: + o (1) operations. costs inside ra subroutine. 2014 Bernstein–Lange: AT = L 2 : 204 ::: + o (1) with p ′ ≈ 1 : 976. to factor L 0 : 5+ o (1) inputs; L 1 : 704 ::: + o (1) per input. Bernstein–Biasse–Mosca: with q ′ ≈ 1 : 456 Open: Any quantum speedups qubits. for factoring many integers? for b = 2048.

  38. 9 10 Actually have many inputs. Long-term RSA security ignores Lower cost for some output? Long history of advances rallelism. Lower cost for many outputs? in integer factorization. Brent–Kung AT 1993 Coppersmith: Long history of RSA users model. L 1 : 638 ::: + o (1) operations switching to larger key sizes, from after precomp( b ) involving not far beyond broken sizes. L 2 : 006 ::: + o (1) operations. inside routine. 2014 Bernstein–Lange: AT = L 2 : 204 ::: + o (1) to factor L 0 : 5+ o (1) inputs; 1 : 976. L 1 : 704 ::: + o (1) per input. Bernstein–Biasse–Mosca: 1 : 456 Open: Any quantum speedups for factoring many integers? 2048.

  39. 10 11 Actually have many inputs. Long-term RSA security Lower cost for some output? Long history of advances Lower cost for many outputs? in integer factorization. 1993 Coppersmith: Long history of RSA users L 1 : 638 ::: + o (1) operations switching to larger key sizes, after precomp( b ) involving not far beyond broken sizes. L 2 : 006 ::: + o (1) operations. 2014 Bernstein–Lange: AT = L 2 : 204 ::: + o (1) to factor L 0 : 5+ o (1) inputs; L 1 : 704 ::: + o (1) per input. Open: Any quantum speedups for factoring many integers?

  40. 10 11 Actually have many inputs. Long-term RSA security Lower cost for some output? Long history of advances Lower cost for many outputs? in integer factorization. 1993 Coppersmith: Long history of RSA users L 1 : 638 ::: + o (1) operations switching to larger key sizes, after precomp( b ) involving not far beyond broken sizes. L 2 : 006 ::: + o (1) operations. “Expert” cryptographers: 2014 Bernstein–Lange: “Obviously they won’t react to AT = L 2 : 204 ::: + o (1) Shor’s algorithm this way! They’ll to factor L 0 : 5+ o (1) inputs; switch to codes, lattices, etc. long L 1 : 704 ::: + o (1) per input. before quantum computers break Open: Any quantum speedups RSA-2048! We don’t need to for factoring many integers? analyze the security of RSA-4096, RSA-8192, RSA-16384, etc.!”

  41. 10 11 Actually have many inputs. Long-term RSA security We consider cost for some output? quantum Long history of advances cost for many outputs? we also consider in integer factorization. of users Coppersmith: Long history of RSA users ::: + o (1) operations switching to larger key sizes, recomp( b ) involving not far beyond broken sizes. ::: + o (1) operations. “Expert” cryptographers: Bernstein–Lange: “Obviously they won’t react to L 2 : 204 ::: + o (1) Shor’s algorithm this way! They’ll factor L 0 : 5+ o (1) inputs; switch to codes, lattices, etc. long ::: + o (1) per input. before quantum computers break Any quantum speedups RSA-2048! We don’t need to factoring many integers? analyze the security of RSA-4096, RSA-8192, RSA-16384, etc.!”

  42. 10 11 many inputs. Long-term RSA security We consider possible some output? quantum computers. Long history of advances many outputs? we also consider possible in integer factorization. of users wanting to ersmith: Long history of RSA users erations switching to larger key sizes, ) involving not far beyond broken sizes. erations. “Expert” cryptographers: Bernstein–Lange: “Obviously they won’t react to (1) Shor’s algorithm this way! They’ll (1) inputs; switch to codes, lattices, etc. long input. before quantum computers break quantum speedups RSA-2048! We don’t need to many integers? analyze the security of RSA-4096, RSA-8192, RSA-16384, etc.!”

  43. 10 11 inputs. Long-term RSA security We consider possible impact output? quantum computers. Shouldn’t Long history of advances outputs? we also consider possible impact in integer factorization. of users wanting to stick to RSA? Long history of RSA users switching to larger key sizes, not far beyond broken sizes. “Expert” cryptographers: “Obviously they won’t react to Shor’s algorithm this way! They’ll switch to codes, lattices, etc. long before quantum computers break eedups RSA-2048! We don’t need to integers? analyze the security of RSA-4096, RSA-8192, RSA-16384, etc.!”

  44. 11 12 Long-term RSA security We consider possible impact of quantum computers. Shouldn’t Long history of advances we also consider possible impact in integer factorization. of users wanting to stick to RSA? Long history of RSA users switching to larger key sizes, not far beyond broken sizes. “Expert” cryptographers: “Obviously they won’t react to Shor’s algorithm this way! They’ll switch to codes, lattices, etc. long before quantum computers break RSA-2048! We don’t need to analyze the security of RSA-4096, RSA-8192, RSA-16384, etc.!”

  45. 11 12 Long-term RSA security We consider possible impact of quantum computers. Shouldn’t Long history of advances we also consider possible impact in integer factorization. of users wanting to stick to RSA? Long history of RSA users 2017 Bernstein–Heninger–Lou– switching to larger key sizes, Valenta “Post-quantum RSA” not far beyond broken sizes. (pqRSA): Generated 1-terabyte “Expert” cryptographers: RSA key; 2000000 core-hours. Shor’s algorithm: > 2 100 gates. “Obviously they won’t react to Shor’s algorithm this way! They’ll switch to codes, lattices, etc. long before quantum computers break RSA-2048! We don’t need to analyze the security of RSA-4096, RSA-8192, RSA-16384, etc.!”

  46. 11 12 Long-term RSA security We consider possible impact of quantum computers. Shouldn’t Long history of advances we also consider possible impact in integer factorization. of users wanting to stick to RSA? Long history of RSA users 2017 Bernstein–Heninger–Lou– switching to larger key sizes, Valenta “Post-quantum RSA” not far beyond broken sizes. (pqRSA): Generated 1-terabyte “Expert” cryptographers: RSA key; 2000000 core-hours. Shor’s algorithm: > 2 100 gates. “Obviously they won’t react to Shor’s algorithm this way! They’ll Bernstein–Fried–Heninger–Lou– switch to codes, lattices, etc. long Valenta: Draft NIST submission before quantum computers break proposing 1-gigabyte RSA keys. RSA-2048! We don’t need to Much faster to generate. analyze the security of RSA-4096, RSA-8192, RSA-16384, etc.!”

  47. 11 12 Long-term RSA security We consider possible impact of The secret quantum computers. Shouldn’t 4096 bits history of advances we also consider possible impact 1024 bits integer factorization. of users wanting to stick to RSA? Important history of RSA users keygen, signing, 2017 Bernstein–Heninger–Lou– switching to larger key sizes, Valenta “Post-quantum RSA” Is this a r beyond broken sizes. (pqRSA): Generated 1-terabyte ECM finds √ ert” cryptographers: RSA key; 2000000 core-hours. using L Shor’s algorithm: > 2 100 gates. “Obviously they won’t react to where log algorithm this way! They’ll Bernstein–Fried–Heninger–Lou– Beats Sho to codes, lattices, etc. long Valenta: Draft NIST submission (log log mo quantum computers break proposing 1-gigabyte RSA keys. RSA-2048! We don’t need to Public ECM Much faster to generate. analyze the security of RSA-4096, 274-bit facto RSA-8192, RSA-16384, etc.!”

  48. 11 12 security We consider possible impact of The secret primes quantum computers. Shouldn’t 4096 bits in terabyte advances we also consider possible impact 1024 bits in gigabyte rization. of users wanting to stick to RSA? Important time-saver RSA users keygen, signing, decryption. 2017 Bernstein–Heninger–Lou– rger key sizes, Valenta “Post-quantum RSA” Is this a weakness? roken sizes. (pqRSA): Generated 1-terabyte ECM finds any prime √ cryptographers: RSA key; 2000000 core-hours. 2+ o (1) mulmo using L Shor’s algorithm: > 2 100 gates. won’t react to where log L = (log this way! They’ll Bernstein–Fried–Heninger–Lou– Beats Shor for log lattices, etc. long (log log modulus) 2+ Valenta: Draft NIST submission computers break proposing 1-gigabyte RSA keys. don’t need to Public ECM record: Much faster to generate. security of RSA-4096, 274-bit factor of 7 RSA-16384, etc.!”

  49. 11 12 We consider possible impact of The secret primes are small: quantum computers. Shouldn’t 4096 bits in terabyte key; we also consider possible impact 1024 bits in gigabyte key. of users wanting to stick to RSA? Important time-saver in keygen, signing, decryption. 2017 Bernstein–Heninger–Lou– sizes, Valenta “Post-quantum RSA” Is this a weakness? sizes. (pqRSA): Generated 1-terabyte ECM finds any prime <y √ RSA key; 2000000 core-hours. 2+ o (1) mulmods, using L Shor’s algorithm: > 2 100 gates. react to where log L = (log y log log y They’ll Bernstein–Fried–Heninger–Lou– Beats Shor for log y below etc. long (log log modulus) 2+ o (1) . Valenta: Draft NIST submission computers break proposing 1-gigabyte RSA keys. to Public ECM record: Much faster to generate. 274-bit factor of 7 337 + 1. A-4096, etc.!”

  50. 12 13 We consider possible impact of The secret primes are small: quantum computers. Shouldn’t 4096 bits in terabyte key; we also consider possible impact 1024 bits in gigabyte key. of users wanting to stick to RSA? Important time-saver in keygen, signing, decryption. 2017 Bernstein–Heninger–Lou– Valenta “Post-quantum RSA” Is this a weakness? (pqRSA): Generated 1-terabyte ECM finds any prime <y √ RSA key; 2000000 core-hours. 2+ o (1) mulmods, using L Shor’s algorithm: > 2 100 gates. where log L = (log y log log y ) 1 = 2 . Bernstein–Fried–Heninger–Lou– Beats Shor for log y below (log log modulus) 2+ o (1) . Valenta: Draft NIST submission proposing 1-gigabyte RSA keys. Public ECM record: Much faster to generate. 274-bit factor of 7 337 + 1.

  51. 12 13 consider possible impact of The secret primes are small: Analysis > 2 125 mulmo quantum computers. Shouldn’t 4096 bits in terabyte key; and 2 33 -bit also consider possible impact 1024 bits in gigabyte key. users wanting to stick to RSA? Important time-saver in 2 23 target keygen, signing, decryption. Bernstein–Heninger–Lou– finding just alenta “Post-quantum RSA” Is this a weakness? qRSA): Generated 1-terabyte ECM finds any prime <y √ ey; 2000000 core-hours. 2+ o (1) mulmods, using L algorithm: > 2 100 gates. where log L = (log y log log y ) 1 = 2 . Bernstein–Fried–Heninger–Lou– Beats Shor for log y below (log log modulus) 2+ o (1) . alenta: Draft NIST submission osing 1-gigabyte RSA keys. Public ECM record: faster to generate. 274-bit factor of 7 337 + 1.

  52. 12 13 Analysis for y ≈ 2 1024 ossible impact of The secret primes are small: > 2 125 mulmods, huge computers. Shouldn’t 4096 bits in terabyte key; and 2 33 -bit mulmo possible impact 1024 bits in gigabyte key. to stick to RSA? Important time-saver in 2 23 target primes, keygen, signing, decryption. Bernstein–Heninger–Lou– finding just one isn’t ost-quantum RSA” Is this a weakness? Generated 1-terabyte ECM finds any prime <y √ 2000000 core-hours. 2+ o (1) mulmods, using L rithm: > 2 100 gates. where log L = (log y log log y ) 1 = 2 . ried–Heninger–Lou– Beats Shor for log y below (log log modulus) 2+ o (1) . NIST submission 1-gigabyte RSA keys. Public ECM record: generate. 274-bit factor of 7 337 + 1.

  53. 12 13 Analysis for y ≈ 2 1024 : impact of The secret primes are small: > 2 125 mulmods, huge depth; Shouldn’t 4096 bits in terabyte key; and 2 33 -bit mulmod is slow. impact 1024 bits in gigabyte key. to RSA? Important time-saver in 2 23 target primes, but keygen, signing, decryption. Bernstein–Heninger–Lou– finding just one isn’t enough. RSA” Is this a weakness? 1-terabyte ECM finds any prime <y √ re-hours. 2+ o (1) mulmods, using L gates. where log L = (log y log log y ) 1 = 2 . ried–Heninger–Lou– Beats Shor for log y below (log log modulus) 2+ o (1) . submission keys. Public ECM record: 274-bit factor of 7 337 + 1.

  54. 13 14 Analysis for y ≈ 2 1024 : The secret primes are small: > 2 125 mulmods, huge depth; 4096 bits in terabyte key; and 2 33 -bit mulmod is slow. 1024 bits in gigabyte key. Important time-saver in 2 23 target primes, but keygen, signing, decryption. finding just one isn’t enough. Is this a weakness? ECM finds any prime <y √ 2+ o (1) mulmods, using L where log L = (log y log log y ) 1 = 2 . Beats Shor for log y below (log log modulus) 2+ o (1) . Public ECM record: 274-bit factor of 7 337 + 1.

  55. 13 14 Analysis for y ≈ 2 1024 : The secret primes are small: > 2 125 mulmods, huge depth; 4096 bits in terabyte key; and 2 33 -bit mulmod is slow. 1024 bits in gigabyte key. Important time-saver in 2 23 target primes, but keygen, signing, decryption. finding just one isn’t enough. Is this a weakness? 2017 Bernstein–Heninger–Lou– ECM finds any prime <y Valenta: Grover+ECM √ 2+ o (1) mulmods, using L finds any prime <y using L 1+ o (1) mulmods. where log L = (log y log log y ) 1 = 2 . Beats Shor for log y below (log log modulus) 2+ o (1) . Public ECM record: 274-bit factor of 7 337 + 1.

  56. 13 14 Analysis for y ≈ 2 1024 : The secret primes are small: > 2 125 mulmods, huge depth; 4096 bits in terabyte key; and 2 33 -bit mulmod is slow. 1024 bits in gigabyte key. Important time-saver in 2 23 target primes, but keygen, signing, decryption. finding just one isn’t enough. Is this a weakness? 2017 Bernstein–Heninger–Lou– ECM finds any prime <y Valenta: Grover+ECM √ 2+ o (1) mulmods, using L finds any prime <y using L 1+ o (1) mulmods. where log L = (log y log log y ) 1 = 2 . Beats Shor for log y below Seems swamped by overhead. (log log modulus) 2+ o (1) . Open: Better ways for quantum Public ECM record: algorithms to find small factors? 274-bit factor of 7 337 + 1.

  57. 13 14 Analysis for y ≈ 2 1024 : secret primes are small: Minimum > 2 125 mulmods, huge depth; bits in terabyte key; NIST allo and 2 33 -bit mulmod is slow. bits in gigabyte key. submissions: rtant time-saver in search fo 2 23 target primes, but eygen, signing, decryption. finding just one isn’t enough. Is a gigab a weakness? Shor’s algo 2017 Bernstein–Heninger–Lou– finds any prime <y Valenta: Grover+ECM √ 2+ o (1) mulmods, L finds any prime <y using L 1+ o (1) mulmods. log L = (log y log log y ) 1 = 2 . Shor for log y below Seems swamped by overhead. log modulus) 2+ o (1) . Open: Better ways for quantum ECM record: algorithms to find small factors? 274-bit factor of 7 337 + 1.

  58. 13 14 Analysis for y ≈ 2 1024 : rimes are small: Minimum security > 2 125 mulmods, huge depth; terabyte key; NIST allows for post-quantum and 2 33 -bit mulmod is slow. gigabyte key. submissions: brute-fo time-saver in search for a 128-bit 2 23 target primes, but decryption. finding just one isn’t enough. Is a gigabyte key so eakness? Shor’s algorithm to 2017 Bernstein–Heninger–Lou– rime <y Valenta: Grover+ECM mulmods, finds any prime <y using L 1+ o (1) mulmods. (log y log log y ) 1 = 2 . log y below Seems swamped by overhead. dulus) 2+ o (1) . Open: Better ways for quantum record: algorithms to find small factors? 7 337 + 1.

  59. 13 14 Analysis for y ≈ 2 1024 : small: Minimum security level that > 2 125 mulmods, huge depth; NIST allows for post-quantum and 2 33 -bit mulmod is slow. submissions: brute-force/Grover search for a 128-bit AES key 2 23 target primes, but decryption. finding just one isn’t enough. Is a gigabyte key so difficult Shor’s algorithm to break? 2017 Bernstein–Heninger–Lou– Valenta: Grover+ECM finds any prime <y using L 1+ o (1) mulmods. log y ) 1 = 2 . Seems swamped by overhead. Open: Better ways for quantum algorithms to find small factors?

  60. 14 15 Analysis for y ≈ 2 1024 : Minimum security level that > 2 125 mulmods, huge depth; NIST allows for post-quantum and 2 33 -bit mulmod is slow. submissions: brute-force/Grover search for a 128-bit AES key. 2 23 target primes, but finding just one isn’t enough. Is a gigabyte key so difficult for Shor’s algorithm to break? 2017 Bernstein–Heninger–Lou– Valenta: Grover+ECM finds any prime <y using L 1+ o (1) mulmods. Seems swamped by overhead. Open: Better ways for quantum algorithms to find small factors?

  61. 14 15 Analysis for y ≈ 2 1024 : Minimum security level that > 2 125 mulmods, huge depth; NIST allows for post-quantum and 2 33 -bit mulmod is slow. submissions: brute-force/Grover search for a 128-bit AES key. 2 23 target primes, but finding just one isn’t enough. Is a gigabyte key so difficult for Shor’s algorithm to break? 2017 Bernstein–Heninger–Lou– 64 b 3 lg b ≈ 2 110 for b = 2 33 . Valenta: Grover+ECM finds any prime <y Not totally implausible to argue using L 1+ o (1) mulmods. that Grover’s algorithm could Seems swamped by overhead. break AES-128 faster than this. Open: Better ways for quantum algorithms to find small factors?

  62. 14 15 Analysis for y ≈ 2 1024 : Minimum security level that > 2 125 mulmods, huge depth; NIST allows for post-quantum and 2 33 -bit mulmod is slow. submissions: brute-force/Grover search for a 128-bit AES key. 2 23 target primes, but finding just one isn’t enough. Is a gigabyte key so difficult for Shor’s algorithm to break? 2017 Bernstein–Heninger–Lou– 64 b 3 lg b ≈ 2 110 for b = 2 33 . Valenta: Grover+ECM finds any prime <y Not totally implausible to argue using L 1+ o (1) mulmods. that Grover’s algorithm could Seems swamped by overhead. break AES-128 faster than this. Open: Better ways for quantum But Shor’s algorithm can (with algorithms to find small factors? more qubits) use faster mulmods.

  63. 14 15 Analysis for y ≈ 2 1024 : Minimum security level that NIST allo mulmods, huge depth; NIST allows for post-quantum assume reasonable 33 -bit mulmod is slow. submissions: brute-force/Grover “Plausible search for a 128-bit AES key. rget primes, but range from just one isn’t enough. Is a gigabyte key so difficult for approximate Shor’s algorithm to break? presently Bernstein–Heninger–Lou– computing 64 b 3 lg b ≈ 2 110 for b = 2 33 . alenta: Grover+ECM expected any prime <y Not totally implausible to argue a year) through L 1+ o (1) mulmods. that Grover’s algorithm could (the app swamped by overhead. break AES-128 faster than this. that current architectures Better ways for quantum But Shor’s algorithm can (with in a decade), rithms to find small factors? more qubits) use faster mulmods. logical gates

  64. 14 15 2 1024 : Minimum security level that NIST allows submissions ds, huge depth; NIST allows for post-quantum assume reasonable mulmod is slow. submissions: brute-force/Grover “Plausible values fo search for a 128-bit AES key. range from 2 40 logical rimes, but isn’t enough. Is a gigabyte key so difficult for approximate numb Shor’s algorithm to break? presently envisioned Bernstein–Heninger–Lou– computing architectures 64 b 3 lg b ≈ 2 110 for b = 2 33 . Grover+ECM expected to serially <y Not totally implausible to argue a year) through 2 64 mulmods. that Grover’s algorithm could (the approximate numb by overhead. break AES-128 faster than this. that current classical architectures can p ays for quantum But Shor’s algorithm can (with in a decade), to no find small factors? more qubits) use faster mulmods. logical gates : : : ”

  65. 14 15 Minimum security level that NIST allows submissions to depth; NIST allows for post-quantum assume reasonable time limits: w. submissions: brute-force/Grover “Plausible values for MAXDEPTH search for a 128-bit AES key. range from 2 40 logical gates enough. Is a gigabyte key so difficult for approximate number of gates Shor’s algorithm to break? presently envisioned quantum Bernstein–Heninger–Lou– computing architectures are 64 b 3 lg b ≈ 2 110 for b = 2 33 . expected to serially perform a year) through 2 64 logical gates Not totally implausible to argue that Grover’s algorithm could (the approximate number of overhead. break AES-128 faster than this. that current classical computing architectures can perform serially quantum But Shor’s algorithm can (with in a decade), to no more than factors? more qubits) use faster mulmods. logical gates : : : ”

  66. 15 16 Minimum security level that NIST allows submissions to NIST allows for post-quantum assume reasonable time limits: submissions: brute-force/Grover “Plausible values for MAXDEPTH search for a 128-bit AES key. range from 2 40 logical gates (the Is a gigabyte key so difficult for approximate number of gates that Shor’s algorithm to break? presently envisioned quantum computing architectures are 64 b 3 lg b ≈ 2 110 for b = 2 33 . expected to serially perform in a year) through 2 64 logical gates Not totally implausible to argue that Grover’s algorithm could (the approximate number of gates break AES-128 faster than this. that current classical computing architectures can perform serially But Shor’s algorithm can (with in a decade), to no more than 2 96 more qubits) use faster mulmods. logical gates : : : ”

  67. 15 16 Minimum security level that NIST allows submissions to What is allows for post-quantum assume reasonable time limits: for b -bit submissions: brute-force/Grover “Plausible values for MAXDEPTH Light tak for a 128-bit AES key. range from 2 40 logical gates (the to cross gigabyte key so difficult for approximate number of gates that 1981 Brent–Kung algorithm to break? presently envisioned quantum AT ≥ small computing architectures are b ≈ 2 110 for b = 2 33 . even if wire expected to serially perform in a year) through 2 64 logical gates totally implausible to argue (Work around Grover’s algorithm could faster-than-light (the approximate number of gates AES-128 faster than this. through that current classical computing Haven’t architectures can perform serially Shor’s algorithm can (with in a decade), to no more than 2 96 even if reversible qubits) use faster mulmods. avoids FTL logical gates : : : ”

  68. 15 16 security level that NIST allows submissions to What is the minimum post-quantum assume reasonable time limits: for b -bit integer multiplication? rute-force/Grover “Plausible values for MAXDEPTH Light takes time Ω( 128-bit AES key. range from 2 40 logical gates (the to cross a b 1 = 2 × b so difficult for approximate number of gates that 1981 Brent–Kung to break? presently envisioned quantum AT ≥ small constant computing architectures are for b = 2 33 . even if wire latency expected to serially perform in a year) through 2 64 logical gates implausible to argue (Work around obstacles algorithm could faster-than-light communication (the approximate number of gates faster than this. through long-distance that current classical computing Haven’t seen plausible architectures can perform serially rithm can (with in a decade), to no more than 2 96 even if reversible computation faster mulmods. avoids FTL impossibilit logical gates : : : ”

  69. 15 16 that NIST allows submissions to What is the minimum time ost-quantum assume reasonable time limits: for b -bit integer multiplication? e/Grover Light takes time Ω( b 1 = 2 ) “Plausible values for MAXDEPTH ey. range from 2 40 logical gates (the to cross a b 1 = 2 × b 1 = 2 chip. difficult for approximate number of gates that 1981 Brent–Kung AT theorem: presently envisioned quantum AT ≥ small constant · b 3 = 2 , computing architectures are 33 . even if wire latency is 0. expected to serially perform in a year) through 2 64 logical gates argue (Work around obstacles using could faster-than-light communication (the approximate number of gates this. through long-distance EPR pairs? that current classical computing Haven’t seen plausible designs, architectures can perform serially (with in a decade), to no more than 2 96 even if reversible computation ulmods. avoids FTL impossibility pro logical gates : : : ”

  70. 16 17 NIST allows submissions to What is the minimum time assume reasonable time limits: for b -bit integer multiplication? Light takes time Ω( b 1 = 2 ) “Plausible values for MAXDEPTH range from 2 40 logical gates (the to cross a b 1 = 2 × b 1 = 2 chip. approximate number of gates that 1981 Brent–Kung AT theorem: presently envisioned quantum AT ≥ small constant · b 3 = 2 , computing architectures are even if wire latency is 0. expected to serially perform in a year) through 2 64 logical gates (Work around obstacles using faster-than-light communication (the approximate number of gates through long-distance EPR pairs? that current classical computing Haven’t seen plausible designs, architectures can perform serially in a decade), to no more than 2 96 even if reversible computation avoids FTL impossibility proofs.) logical gates : : : ”

  71. 16 17 allows submissions to What is the minimum time What is assume reasonable time limits: for b -bit integer multiplication? for Shor’s Light takes time Ω( b 1 = 2 ) “Plausible values for MAXDEPTH Main bottleneck: from 2 40 logical gates (the to cross a b 1 = 2 × b 1 = 2 chip. for 2 b -bit ximate number of gates that 1981 Brent–Kung AT theorem: Traditiona resently envisioned quantum AT ≥ small constant · b 3 = 2 , controlled computing architectures are even if wire latency is 0. a and 1 =a ected to serially perform in a 2 mod N r) through 2 64 logical gates (Work around obstacles using a 4 mod N faster-than-light communication approximate number of gates through long-distance EPR pairs? Can multiply current classical computing Haven’t seen plausible designs, using many rchitectures can perform serially decade), to no more than 2 96 even if reversible computation but hard avoids FTL impossibility proofs.) computation gates : : : ”

  72. 16 17 submissions to What is the minimum time What is the minimum reasonable time limits: for b -bit integer multiplication? for Shor’s algorithm? Light takes time Ω( b 1 = 2 ) values for MAXDEPTH Main bottleneck: a to cross a b 1 = 2 × b 1 = 2 chip. logical gates (the for 2 b -bit superposition number of gates that 1981 Brent–Kung AT theorem: Traditional approach: envisioned quantum AT ≥ small constant · b 3 = 2 , controlled multiplications hitectures are even if wire latency is 0. a and 1 =a mod N ; serially perform in a 2 mod N and 1 =a 2 64 logical gates (Work around obstacles using a 4 mod N and 1 =a faster-than-light communication ximate number of gates through long-distance EPR pairs? Can multiply these classical computing Haven’t seen plausible designs, using many more qubits; perform serially no more than 2 96 even if reversible computation but hard to parallelize computation of a 2 i avoids FTL impossibility proofs.) ”

  73. 16 17 to What is the minimum time What is the minimum time limits: for b -bit integer multiplication? for Shor’s algorithm? Main bottleneck: a e mod N Light takes time Ω( b 1 = 2 ) MAXDEPTH to cross a b 1 = 2 × b 1 = 2 chip. gates (the for 2 b -bit superposition e . gates that 1981 Brent–Kung AT theorem: Traditional approach: series quantum AT ≥ small constant · b 3 = 2 , controlled multiplications by re even if wire latency is 0. a and 1 =a mod N ; rm in a 2 mod N and 1 =a 2 mod N ; (Work around obstacles using logical gates a 4 mod N and 1 =a 4 mod N ; faster-than-light communication of gates through long-distance EPR pairs? Can multiply these in parallel, computing Haven’t seen plausible designs, using many more qubits; serially than 2 96 even if reversible computation but hard to parallelize initial computation of a 2 i mod N . avoids FTL impossibility proofs.)

  74. 17 18 What is the minimum time What is the minimum time for b -bit integer multiplication? for Shor’s algorithm? Main bottleneck: a e mod N Light takes time Ω( b 1 = 2 ) to cross a b 1 = 2 × b 1 = 2 chip. for 2 b -bit superposition e . 1981 Brent–Kung AT theorem: Traditional approach: series of AT ≥ small constant · b 3 = 2 , controlled multiplications by even if wire latency is 0. a and 1 =a mod N ; a 2 mod N and 1 =a 2 mod N ; (Work around obstacles using a 4 mod N and 1 =a 4 mod N ; etc. faster-than-light communication through long-distance EPR pairs? Can multiply these in parallel, Haven’t seen plausible designs, using many more qubits; even if reversible computation but hard to parallelize initial computation of a 2 i mod N . avoids FTL impossibility proofs.)

  75. 17 18 is the minimum time What is the minimum time Why gigab -bit integer multiplication? for Shor’s algorithm? big enough beyond the Main bottleneck: a e mod N takes time Ω( b 1 = 2 ) under reasonable cross a b 1 = 2 × b 1 = 2 chip. for 2 b -bit superposition e . Gigabyte Brent–Kung AT theorem: Traditional approach: series of millions of small constant · b 3 = 2 , controlled multiplications by than 2048-bit if wire latency is 0. a and 1 =a mod N ; These algo a 2 mod N and 1 =a 2 mod N ; around obstacles using billions of a 4 mod N and 1 =a 4 mod N ; etc. faster-than-light communication More cost through long-distance EPR pairs? Can multiply these in parallel, Haven’t seen plausible designs, using many more qubits; if reversible computation but hard to parallelize initial computation of a 2 i mod N . FTL impossibility proofs.)

  76. 17 18 minimum time What is the minimum time Why gigabyte keys multiplication? for Shor’s algorithm? big enough to push beyond the 2 64 limit, Main bottleneck: a e mod N Ω( b 1 = 2 ) under reasonable a b 1 = 2 chip. for 2 b -bit superposition e . Gigabyte inputs are Brent–Kung AT theorem: Traditional approach: series of millions of times la constant · b 3 = 2 , controlled multiplications by than 2048-bit inputs latency is 0. a and 1 =a mod N ; These algorithms will a 2 mod N and 1 =a 2 mod N ; obstacles using billions of times longer. a 4 mod N and 1 =a 4 mod N ; etc. communication More cost to find all long-distance EPR pairs? Can multiply these in parallel, plausible designs, using many more qubits; computation but hard to parallelize initial computation of a 2 i mod N . ossibility proofs.)

  77. 17 18 time What is the minimum time Why gigabyte keys are reasonable: multiplication? for Shor’s algorithm? big enough to push latency beyond the 2 64 limit, Main bottleneck: a e mod N under reasonable assumption chip. for 2 b -bit superposition e . Gigabyte inputs are theorem: Traditional approach: series of millions of times larger , controlled multiplications by than 2048-bit inputs. a and 1 =a mod N ; These algorithms will take a 2 mod N and 1 =a 2 mod N ; using billions of times longer. a 4 mod N and 1 =a 4 mod N ; etc. communication More cost to find all primes. pairs? Can multiply these in parallel, designs, using many more qubits; computation but hard to parallelize initial computation of a 2 i mod N . roofs.)

  78. 18 19 What is the minimum time Why gigabyte keys are reasonable: for Shor’s algorithm? big enough to push latency beyond the 2 64 limit, Main bottleneck: a e mod N under reasonable assumptions. for 2 b -bit superposition e . Gigabyte inputs are Traditional approach: series of millions of times larger controlled multiplications by than 2048-bit inputs. a and 1 =a mod N ; These algorithms will take a 2 mod N and 1 =a 2 mod N ; billions of times longer. a 4 mod N and 1 =a 4 mod N ; etc. More cost to find all primes. Can multiply these in parallel, using many more qubits; but hard to parallelize initial computation of a 2 i mod N .

  79. 18 19 What is the minimum time Why gigabyte keys are reasonable: for Shor’s algorithm? big enough to push latency beyond the 2 64 limit, Main bottleneck: a e mod N under reasonable assumptions. for 2 b -bit superposition e . Gigabyte inputs are Traditional approach: series of millions of times larger controlled multiplications by than 2048-bit inputs. a and 1 =a mod N ; These algorithms will take a 2 mod N and 1 =a 2 mod N ; billions of times longer. a 4 mod N and 1 =a 4 mod N ; etc. More cost to find all primes. Can multiply these in parallel, Open: What is minimum time using many more qubits; for integer factorization? but hard to parallelize initial computation of a 2 i mod N .

  80. 18 19 is the minimum time Why gigabyte keys are reasonable: NIST’s middle Shor’s algorithm? big enough to push latency is defined beyond the 2 64 limit, bottleneck: a e mod N under reasonable assumptions. -bit superposition e . Gigabyte inputs are raditional approach: series of millions of times larger controlled multiplications by than 2048-bit inputs. 1 =a mod N ; These algorithms will take d N and 1 =a 2 mod N ; billions of times longer. d N and 1 =a 4 mod N ; etc. More cost to find all primes. multiply these in parallel, Open: What is minimum time many more qubits; for integer factorization? rd to parallelize initial computation of a 2 i mod N .

  81. 18 19 minimum time Why gigabyte keys are reasonable: NIST’s middle securit rithm? big enough to push latency is defined by an AES-192 beyond the 2 64 limit, ottleneck: a e mod N under reasonable assumptions. osition e . Gigabyte inputs are roach: series of millions of times larger multiplications by than 2048-bit inputs. ; These algorithms will take =a 2 mod N ; billions of times longer. =a 4 mod N ; etc. More cost to find all primes. these in parallel, Open: What is minimum time re qubits; for integer factorization? rallelize initial a 2 i mod N .

  82. 18 19 time Why gigabyte keys are reasonable: NIST’s middle security level big enough to push latency is defined by an AES-192 key beyond the 2 64 limit, N under reasonable assumptions. Gigabyte inputs are series of millions of times larger by than 2048-bit inputs. These algorithms will take ; billions of times longer. ; etc. More cost to find all primes. rallel, Open: What is minimum time for integer factorization? initial .

  83. 19 20 Why gigabyte keys are reasonable: NIST’s middle security level big enough to push latency is defined by an AES-192 key. beyond the 2 64 limit, under reasonable assumptions. Gigabyte inputs are millions of times larger than 2048-bit inputs. These algorithms will take billions of times longer. More cost to find all primes. Open: What is minimum time for integer factorization?

  84. 19 20 Why gigabyte keys are reasonable: NIST’s middle security level big enough to push latency is defined by an AES-192 key. beyond the 2 64 limit, With maximum depth 2 64 , under reasonable assumptions. finding an AES-192 key requires ≈ 2 144 cores. Gigabyte inputs are millions of times larger than 2048-bit inputs. These algorithms will take billions of times longer. More cost to find all primes. Open: What is minimum time for integer factorization?

  85. 19 20 Why gigabyte keys are reasonable: NIST’s middle security level big enough to push latency is defined by an AES-192 key. beyond the 2 64 limit, With maximum depth 2 64 , under reasonable assumptions. finding an AES-192 key requires ≈ 2 144 cores. Gigabyte inputs are millions of times larger This is nonsense! There is than 2048-bit inputs. not enough time to broadcast These algorithms will take the input to 2 144 parallel billions of times longer. computations, and not enough More cost to find all primes. time to collect the results. Open: What is minimum time for integer factorization?

  86. 19 20 Why gigabyte keys are reasonable: NIST’s middle security level big enough to push latency is defined by an AES-192 key. beyond the 2 64 limit, With maximum depth 2 64 , under reasonable assumptions. finding an AES-192 key requires ≈ 2 144 cores. Gigabyte inputs are millions of times larger This is nonsense! There is than 2048-bit inputs. not enough time to broadcast These algorithms will take the input to 2 144 parallel billions of times longer. computations, and not enough More cost to find all primes. time to collect the results. Open: What is minimum time Is NIST implicitly assuming for integer factorization? a higher latency limit?

  87. 19 20 gigabyte keys are reasonable: NIST’s middle security level Some imp enough to push latency is defined by an AES-192 key. (2017 Bernstein–Biasse–Mosca) ond the 2 64 limit, With maximum depth 2 64 , Consider reasonable assumptions. finding an AES-192 key factoring requires ≈ 2 144 cores. yte inputs are ( p j − 1) p millions of times larger This is nonsense! There is 2048-bit inputs. Unit group not enough time to broadcast Z = 2 t 1 × algorithms will take the input to 2 144 parallel billions of times longer. computations, and not enough cost to find all primes. time to collect the results. What is minimum time Is NIST implicitly assuming integer factorization? a higher latency limit?

  88. 19 20 eys are reasonable: NIST’s middle security level Some improvements push latency is defined by an AES-192 key. (2017 Bernstein–Biasse–Mosca) limit, With maximum depth 2 64 , Consider Shor’s algo assumptions. finding an AES-192 key factoring N = p e 1 requires ≈ 2 144 cores. 1 are e j − 1 as 2 t ( p j − 1) p j larger This is nonsense! There is inputs. Unit group is isomo not enough time to broadcast Z = 2 t 1 × · · · × Z = 2 rithms will take the input to 2 144 parallel longer. computations, and not enough find all primes. time to collect the results. minimum time Is NIST implicitly assuming rization? a higher latency limit?

  89. 19 20 reasonable: NIST’s middle security level Some improvements to Shor latency is defined by an AES-192 key. (2017 Bernstein–Biasse–Mosca) With maximum depth 2 64 , Consider Shor’s algorithm umptions. finding an AES-192 key 1 · · · p e f factoring N = p e 1 f . W requires ≈ 2 144 cores. e j − 1 as 2 t j u j with u ( p j − 1) p j This is nonsense! There is Unit group is isomorphic to not enough time to broadcast Z = 2 t 1 × · · · × Z = 2 t f × Z =u 1 the input to 2 144 parallel computations, and not enough rimes. time to collect the results. time Is NIST implicitly assuming a higher latency limit?

  90. 20 21 NIST’s middle security level Some improvements to Shor is defined by an AES-192 key. (2017 Bernstein–Biasse–Mosca) With maximum depth 2 64 , Consider Shor’s algorithm finding an AES-192 key 1 · · · p e f factoring N = p e 1 f . Write requires ≈ 2 144 cores. e j − 1 as 2 t j u j with u j odd. ( p j − 1) p j This is nonsense! There is Unit group is isomorphic to not enough time to broadcast Z = 2 t 1 × · · · × Z = 2 t f × Z =u 1 × · · · . the input to 2 144 parallel computations, and not enough time to collect the results. Is NIST implicitly assuming a higher latency limit?

  91. 20 21 NIST’s middle security level Some improvements to Shor is defined by an AES-192 key. (2017 Bernstein–Biasse–Mosca) With maximum depth 2 64 , Consider Shor’s algorithm finding an AES-192 key 1 · · · p e f factoring N = p e 1 f . Write requires ≈ 2 144 cores. e j − 1 as 2 t j u j with u j odd. ( p j − 1) p j This is nonsense! There is Unit group is isomorphic to not enough time to broadcast Z = 2 t 1 × · · · × Z = 2 t f × Z =u 1 × · · · . the input to 2 144 parallel computations, and not enough Shor’s algorithm (hopefully) time to collect the results. computes order r of random unit. Order 2 c j in Z = 2 t j is Is NIST implicitly assuming 2 t j with probability 1 = 2; a higher latency limit? 2 t j − 1 with probability 1 = 4; etc.

  92. 20 21 NIST’s middle security level Some improvements to Shor Shor compu defined by an AES-192 key. Divisible (2017 Bernstein–Biasse–Mosca) c j < max maximum depth 2 64 , Consider Shor’s algorithm an AES-192 key Factoriza 1 · · · p e f factoring N = p e 1 f . Write requires ≈ 2 144 cores. equal. Chance e j − 1 as 2 t j u j with u j odd. ( p j − 1) p j nonsense! There is Unit group is isomorphic to enough time to broadcast Z = 2 t 1 × · · · × Z = 2 t f × Z =u 1 × · · · . input to 2 144 parallel computations, and not enough Shor’s algorithm (hopefully) to collect the results. computes order r of random unit. Order 2 c j in Z = 2 t j is NIST implicitly assuming 2 t j with probability 1 = 2; higher latency limit? 2 t j − 1 with probability 1 = 4; etc.

Recommend

BISHOPS DAY in the Region MESSAGE CELEBRATIONS CHALLENGES CHALLENGES Trust CHALLENGES

BISHOPS DAY in the Region MESSAGE CELEBRATIONS CHALLENGES CHALLENGES Trust CHALLENGES

BISHOPS DAY in the Region MESSAGE CELEBRATIONS CHALLENGES CHALLENGES Trust CHALLENGES Urban Ministries CHALLENGES FINDING SHAPE for a CHANGING CHURCH CHALLENGES for GREATER NEW JERSEY 560 congregations 90,697 members

579 views • 15 slides
Challenges &amp; Opportunities for the Challenges &amp; Opportunities for the Pharmaceutical

Challenges &amp; Opportunities for the Challenges &amp; Opportunities for the Pharmaceutical

Challenges &amp; Opportunities for the Challenges &amp; Opportunities for the Pharmaceutical Industry Dr Gino Martini FRPharmS EIPG President Why do I enjoy being an Industrial Pharmacist? Something happened here Sir Alexander Fleming &amp; his

647 views • 46 slides
The technical and mathematical challenges What are the goals that set the challenges? We want

The technical and mathematical challenges What are the goals that set the challenges? We want

The technical and mathematical challenges What are the goals that set the challenges? We want maps that can yield an atomic model with a known accuracy, and we want to visualize conformational variability. We want tomograms of cells in which we

813 views • 37 slides
! ! ! Challenges ! From Microcredit to Microfinance ! ! ! ! Challenges ! Consistency -

! ! ! Challenges ! From Microcredit to Microfinance ! ! ! ! Challenges ! Consistency -

! Mutuelle ! ! de microfinance (Qubec) ! ! ! ! Challenges ! From Microcredit to Microfinance ! ! ! ! Challenges ! Consistency - Mission, vision ! Innovation ! Growth and profitability ! Governance ! Access ! Transition !

573 views • 15 slides
Challenges facing all Additional challenges providers for new providers

Challenges facing all Additional challenges providers for new providers

Challenges facing all Additional challenges providers for new providers Delivering Apprenticeship Standards Systems Data End Point Assessment Claims Reports 20% off the job training Audit

809 views • 41 slides
Computational, Statistical, and Mathematical Challenges in Astronomy The Challenges The

Computational, Statistical, and Mathematical Challenges in Astronomy The Challenges The

Christopher J. Miller Asst. Professor, Astronomy Computational, Statistical, and Mathematical Challenges in Astronomy The Challenges The Demand for Higher Precision Science The Hubble Constant The Challenges The Demand for Higher

504 views • 27 slides
Challenges and Opportunities Challenges and Opportunities Presented at the FANRPAN HASSP

Challenges and Opportunities Challenges and Opportunities Presented at the FANRPAN HASSP

Domestication of the Harmonised Seed Security Project (HASSP) through the Food, Agriculture and Natural R Resources Policy Analysis Network(FANRPAN) P li A l i N t k(FANRPAN) Challenges and Opportunities Challenges and Opportunities

676 views • 53 slides
Big Da Big Data ta Challenges Challenges in Delivering Health Coaching Interventions to the

Big Da Big Data ta Challenges Challenges in Delivering Health Coaching Interventions to the

Big Da Big Data ta Challenges Challenges in Delivering Health Coaching Interventions to the Home Holly Jimison, PhD, FACMI Consortium on Technology for Proactive Care College of Computer &amp; Information Science &amp; School of Nursing

551 views • 37 slides
The Need Advances and Challenges Related to The Need, Advances and Challenges Related to

The Need Advances and Challenges Related to The Need, Advances and Challenges Related to

The Need Advances and Challenges Related to The Need, Advances and Challenges Related to Wireless Body Area Network Communications Technology Richard Kramer and Jin Phyo (JP) Rhee Oregon State University What is a hero? What is a hero?

457 views • 41 slides
Challenges and Challenges and Opportunities Opportunities of of the the CEVA Project EVA

Challenges and Challenges and Opportunities Opportunities of of the the CEVA Project EVA

40th International Society of City and Regional Planners Young Planners Workshop Challenges and Challenges and Opportunities Opportunities of of the the CEVA Project EVA Project presented by SCALED SOLUTIONS Aletta Britz, South Africa

446 views • 22 slides
EDA Challenges in Systems EDA Challenges in Systems EDA Challenges in Systems EDA Challenges in

EDA Challenges in Systems EDA Challenges in Systems EDA Challenges in Systems EDA Challenges in

EDA Challenges in Systems EDA Challenges in Systems EDA Challenges in Systems EDA Challenges in Systems Integration Integration J. A. G. Jess NSF EDA Workshop July 8 and 9 2009 July 8 and 9, 2009 Why should IC- Why should IC -EDA and

247 views • 10 slides
Challenges of Continuous Parallel Challenges of Continuous Parallel Operation of GTG Units in DPS

Challenges of Continuous Parallel Challenges of Continuous Parallel Operation of GTG Units in DPS

Challenges of Continuous Parallel Challenges of Continuous Parallel Operation of GTG Units in DPS A case study &amp; Simulation Presented By: Date: 05-Dec-2014 Sri Rajib Kumar Sarmah Venue: Elect Conf Room Free Powerpoint Templates

728 views • 19 slides
Daubert Challenges in Construction Claims Defending and Asserting Challenges to Construction

Daubert Challenges in Construction Claims Defending and Asserting Challenges to Construction

Presenting a live 90-minute webinar with interactive Q&amp;A Daubert Challenges in Construction Claims Defending and Asserting Challenges to Construction Expert Witness Evidence THURSDAY, MAY 9, 2013 1pm Eastern | 12pm Central | 11am

780 views • 39 slides
Fracking Litigation and Daubert Challenges Defending Against and Asserting Challenges to Expert

Fracking Litigation and Daubert Challenges Defending Against and Asserting Challenges to Expert

Presenting a live 60-minute webinar with interactive Q&amp;A Fracking Litigation and Daubert Challenges Defending Against and Asserting Challenges to Expert Witness Evidence TUESDAY, MAY 21, 2013 1pm Eastern | 12pm Central | 11am

565 views • 56 slides
The Ethical Challenges of Representing Entities Ross Fischer Common Challenges

The Ethical Challenges of Representing Entities Ross Fischer Common Challenges

The Ethical Challenges of Representing Entities Ross Fischer Common Challenges Decision-making authority Confidentiality Conflicting Interests Rule 1.12 Organization as a Client No prohibitions Recognizes

652 views • 24 slides
SCP&amp; the Marrakech Process: Stakes &amp; Challenges Sustainable Consumption and Production

SCP&amp; the Marrakech Process: Stakes &amp; Challenges Sustainable Consumption and Production

SCP&amp; the Marrakech Process: Stakes &amp; Challenges Sustainable Consumption and Production and the Green Economy Workshop, 18-19 March, Paris Arab Hoballah, UNEP Challenges &amp; Opportunities Challenges: Pollution &amp; Impacts

555 views • 16 slides
San Juan, PR March 22, 2016 Grand Challenges for Social Work Timeline 2012 Grand Challenges

San Juan, PR March 22, 2016 Grand Challenges for Social Work Timeline 2012 Grand Challenges

Social progress powered by science Richard P. Barth, PhD, MSW NADD Panel on Grand Challenges Implementation San Juan, PR March 22, 2016 Grand Challenges for Social Work Timeline 2012 Grand Challenges Planning Begins 2013 First GCs

487 views • 11 slides
Canadian Sales Tax Compliance Challenges for U S Companies Challenges for U.S. Companies

Canadian Sales Tax Compliance Challenges for U S Companies Challenges for U.S. Companies

presents presents Canadian Sales Tax Compliance Challenges for U S Companies Challenges for U.S. Companies Mastering New Provincial Harmonized Sales Taxes, Nexus Standards, and Other Critical Topics A Live 110-Minute Teleconference/Webinar

586 views • 55 slides
Veteran Challenges in Academia Introduction Challenges Statistics 55,739 Veterans in ND

Veteran Challenges in Academia Introduction Challenges Statistics 55,739 Veterans in ND

Veteran Challenges in Academia Introduction Challenges Statistics 55,739 Veterans in ND 6,415 Veterans in Ward County 237 Minot State Veteran Students (Spring 2015) Veteran homeless rate decreased 17.2% from 2009- 2012, still

442 views • 21 slides
Tunisias Economic Challenges Caroline Freund Tunisia Economic Challenges Structural

Tunisias Economic Challenges Caroline Freund Tunisia Economic Challenges Structural

Tunisias Economic Challenges Caroline Freund Tunisia Economic Challenges Structural issues: Bloated civil service Energy subsidies Regulations and rent-seeking Results: Insufficient growth Low labor force

621 views • 13 slides
India-Japan-China Trilateralism Challenges and Opportunities Challenges and Opportunities Vijay

India-Japan-China Trilateralism Challenges and Opportunities Challenges and Opportunities Vijay

India-Japan-China Trilateralism Challenges and Opportunities Challenges and Opportunities Vijay Sakhuja, PhD Director (Research) Indian Council of World Affairs New Delhi Enhanced economic dynamism Rise of Asia in the Geoeconomic

828 views • 14 slides
Laser Wires: Technical Challenges Outstanding Josef Frisch Challenges Measuring small beam

Laser Wires: Technical Challenges Outstanding Josef Frisch Challenges Measuring small beam

Laser Wires: Technical Challenges Outstanding Josef Frisch Challenges Measuring small beam sizes Wavelength requirements CW cavity laser wire challenges Tricks to achieve better resolution (difficult) Low beam energies -

616 views • 26 slides
Bipolar Disorder 2. Pharmacologic Treatment Challenges with therapeutic vs side effects 3.

Bipolar Disorder 2. Pharmacologic Treatment Challenges with therapeutic vs side effects 3.

Overview Bipolar Disorder Solving Clinical Challenges 1. Diagnostic Nosology Solving Clinical Challenges in Challenges distinguishing bipolar from unipolar Bipolar Disorder 2. Pharmacologic Treatment Challenges with therapeutic vs

420 views • 8 slides
Local Operations And Future Challenges Challenges On The Tomorrow Horizon For The Railroad

Local Operations And Future Challenges Challenges On The Tomorrow Horizon For The Railroad

The Railroad Industry Local Operations And Future Challenges Challenges On The Tomorrow Horizon For The Railroad Industry September 14-16, 2008 January 23, 2009 2 Railroad Challenges RSSM Tomorrow Demographics Of Assets

415 views • 26 slides

More recommend