Dagstuhl Workshop “Quantum Cryptanalysis” Schloss Dagstuhl / Leibniz-Zentrum für Informatik, October 2, 2017
[Shor’94], [Kitaev’95], [Brassard/Høyer’97], [Ekert/Mosca’98]
Shor’s algorithm for dlogs:

Step 1: Create $\sum_{k\in\{0,1\}^n}|k\rangle \otimes \sum_{\ell\in\{0,1\}^n}|\ell\rangle \otimes |\mathcal{O}\rangle$ by applying Hadamard gates to 2 registers of $n$ qubits; $n = \lceil \log \operatorname{ord} P \rceil$.

Step 2: For fixed generator $P$ and fixed target $Q \in \langle P\rangle$ compute the transformation that maps this state to $\sum_{k\in\{0,1\}^n}\sum_{\ell\in\{0,1\}^n} |k\rangle \otimes |\ell\rangle \otimes |kP + \ell Q\rangle$.

Step 3: Measure the 3rd register. Obtain a result $R$. Letting $Q = \beta P$ and $R = \gamma P$, we obtain a state corresponding to a “line”: $\sum_{k,\ell\in\{0,1\}^n:\; k+\beta\ell=\gamma} |k\rangle \otimes |\ell\rangle = \sum_{\ell\in\{0,1\}^n} |\gamma - \beta\ell\rangle \otimes |\ell\rangle$.

Step 4: Apply $\mathrm{QFT} \otimes \mathrm{QFT}$ and measure to sample from the line $\{(x, \beta x) : x \in \{0, \dots, 2^n - 1\}\}$. If $x$ is a unit, we obtain $\beta$.
[Proos, Zalka’03]
Universal gate sets

Important universal gate set “Clifford + T” (for logical operations): consists of all Clifford operations (i.e., the group generated by $H$, $\mathrm{CNOT}$ and $\mathrm{diag}(1, i)$) and the “T gate” $T = \mathrm{diag}(1, e^{i\pi/4})$ (the $\pi/8$ gate). Can be shown to be universal, i.e., for any unitary $U$ and any given $\varepsilon > 0$, there exists an element $A$ in the Clifford+T group such that $\|U - A\| \le \varepsilon$.
• This gate set arises naturally in the context of fault-tolerant computing for several quantum codes. The T gates are usually implemented via a process called “magic state distillation”, which is expensive.
• Common metrics used to measure resources:
  • T-count = total number of T gates used in a circuit
  • T-depth = number of T-layers
  • #qubits = total number of qubits used, including “ancillas” (= scratch space)
• Toffoli gate: [Amy, Maslov, Mosca, R., TCAD 2013]
Using already allocated memory as scratch space

Can we apply tricks similar to the above (Barenco et al., PRA’95) to use “dirty” ancillas for optimization? In a sense: “yes”… [Buhrman, Cleve, Koucky, Loff, Speelman, ’14]
How to increment a quantum register?

Problem: How can we implement $x \mapsto x + 1 \bmod 2^n$, which cyclically shifts the basis states of an $n$-qubit register?

Solution 1: Recursive
Solution 2: Draper-style
Solution 3: Using a regular adder + constant folding

Question: Is there a solution that combines all good features?
Incrementer “+1” by Craig Gidney
• Based on the following trick (writing $g$ for the dirty register): $|x\rangle|g\rangle \mapsto |x - g\rangle|g\rangle \mapsto |x - g\rangle|g' - 1\rangle \mapsto |x - g - g' + 1\rangle|\bar g\rangle \mapsto |x + 1\rangle|g\rangle$
• Here $g$ denotes a qubit in an unknown state (it can be entangled with the rest of the quantum memory). We denote such qubits as dirty qubits.
• Denote the one’s complement (i.e., flip all bits) of a state by $\bar g$, and the two’s complement by $g'$ (i.e., $g + g' = 0$); then it is known that $g' = \bar g + 1$.
• If $n$ dirty qubits are available, the above trick allows one to implement a “+1” incrementer using only $O(n)$ Toffoli gates.
• If only 1 dirty qubit is available, then one can precompute the final carry, apply a splitting step & recurse. The result is an $O(n \log n)$ algorithm.
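The dirty-ancilla trick above can be checked classically on computational basis states, since every step (register subtraction, flipping all bits) is reversible; the following is an added example and not code from the slides or from Gidney, and the names `dirty_increment`, `ones_complement` and `twos_complement` are this example’s own:

```python
# Added example (not from the slides): a classical basis-state simulation of
# the dirty-ancilla "+1" trick. Arithmetic is mod 2**n, matching an n-qubit
# register; the same bit-level steps are what the Toffoli network performs.

def mask(n):
    """Bit mask for an n-bit register (arithmetic is mod 2**n)."""
    return (1 << n) - 1

def ones_complement(g, n):
    """Flip all bits of the n-bit value g (the slides' g-bar)."""
    return g ^ mask(n)

def twos_complement(g, n):
    """The value g' with g + g' = 0 mod 2**n; equals g-bar + 1."""
    return (-g) & mask(n)

def dirty_increment(x, g, n):
    """Map |x>|g> to |x+1>|g> using only subtractions and bit flips.

    g is a "dirty" register: its value is arbitrary and must come back
    unchanged, which is what makes the trick safe when g is entangled with
    the rest of the quantum memory.
    """
    m = mask(n)
    x = (x - g) & m                    # |x - g>|g>
    gbar = ones_complement(g, n)       # |x - g>|g-bar>, and g-bar = g' - 1
    x = (x - gbar) & m                 # |x - g - g' + 1> = |x + 1>
    g_back = ones_complement(gbar, n)  # flip back: dirty register restored
    return x, g_back

def trick_holds_for_all(n):
    """Exhaustively verify the trick for every x and every dirty value g."""
    for x in range(1 << n):
        for g in range(1 << n):
            y, g_back = dirty_increment(x, g, n)
            if y != (x + 1) & mask(n) or g_back != g:
                return False
            # the identity g' = g-bar + 1 used in the derivation
            if twos_complement(g, n) != (ones_complement(g, n) + 1) & mask(n):
                return False
    return True

if __name__ == "__main__":
    print(trick_holds_for_all(6))  # True
```

Because the output is independent of `g` and `g` is restored on every basis state, linearity gives $|x\rangle \otimes |\psi\rangle \mapsto |x+1\rangle \otimes |\psi\rangle$ for any (possibly entangled) state $|\psi\rangle$ of the dirty register.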
Carry prediction with dirty ancillas [Haener, R., Svore, QIC 2017] [Gidney, arXiv:1706.07884]

Based on this, one can build constant-folded modular arithmetic (+, *, exp).
Putting it all together: addition-by-a-constant
Modular addition: requires 3 integer additions
[Bernstein, Lange: Database of explicit ECC formulas: http://www.hyperelliptic.org/EFD/]
Why garbage is fatal for interference
• By inserting polarization filters, the paths can be made distinguishable. The interference pattern disappears. Example using reversible functions: $|x\rangle|0\rangle|0\rangle \mapsto |x\rangle|f(x)\rangle|x\rangle$
• Quantum eraser experiment ([Wheeler ’78], [Scully et al., ’82 and ’99]): “Erase” the polarization information after the photon has passed the slits. The interference pattern re-appears! Example using reversible functions: $|x\rangle|0\rangle|0\rangle \mapsto |x\rangle|f(x)\rangle|0\rangle$
[Pictures credit: Wikipedia]
How to avoid garbage?
• Replacing each gate with a reversible one works fine; however, it produces “garbage”, i.e., help registers will be in a state different from 0 at the end.
• There is a principled way out of this dilemma: the Bennett trick. Idea: “uncompute” the garbage by running the computation backwards.
  Forward computation: $|x\rangle|0\rangle|0\rangle|0\rangle \mapsto |x\rangle|f(x)\rangle|\mathrm{garbage}(x)\rangle|0\rangle$
  Copy the result: $\mapsto |x\rangle|f(x)\rangle|\mathrm{garbage}(x)\rangle|f(x)\rangle$
  Reverse computation: $\mapsto |x\rangle|0\rangle|0\rangle|f(x)\rangle$
  Problem: this leads to a large quantum memory footprint.
• Requires handling a WHILE loop (with known upper bound, here: 2n)
• Implemented in LIQUi|⟩, including P-192, P-224, P-256, P-384, P-521 [B. Kaliski, IEEE Trans. Comp. 44(8), 1995]
[Circuit diagram: registers u, v, r, s with halving (/2) and doubling (•2) steps, inputs x^(i), y^(i), an ancilla a, a flag f, a counter k and an INC block; annotation: these qubits can be reused]
Testing and debugging large quantum algorithms: Toffoli networks can be classically simulated. This can be used to localize (systematic) faults!
Modular inverse à la Fermat? Idea:
• Let $p$ be prime, let $x \in \{1, \dots, p - 2\}$.
• Recall that in any finite group: $x^{|G|} = e$.
• When applied to $\mathrm{GF}(p)^\times$ this implies $x^{p-1} \equiv 1 \pmod p$.
• Or in other words: $x^{p-2} \cdot x \equiv 1 \pmod p$.
• Or in other words: $x^{-1} \equiv x^{p-2} \pmod p$.
• That means we can compute the inverse by exponentiation of the (unknown) $x$ for the (known, fixed) exponent $p - 2$.
[Circuit: MUL gate $|x\rangle|y\rangle|A\rangle \mapsto |x\rangle|y\rangle|A + xy\rangle$]
Square & multiply by unrolling
[Circuit: chain of MUL gates producing $x, x^2, x^4, x^8, x^{16}, \dots$, each into a fresh register]
• Depth: $2n \times (\mathrm{depth}(\mathrm{MUL}) + 2\,\mathrm{depth}(\mathrm{ADD})) + n$
• Width: $2n \times n = O(n^2)$
• Here $n$ is the bit-size of $x$. Use the binary representation of $p - 2$ to compute $x^{p-2}$.
• Unknown whether linear space can be achieved by this approach!
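The unrolled Fermat inverse of the two slides above, simulated classically on basis states with the out-of-place MUL gate $|x\rangle|y\rangle|A\rangle \mapsto |x\rangle|y\rangle|A + xy \bmod p\rangle$; this is an added example and not the slides’ circuit, and `mul_gate`, `fermat_inverse` and `check` are names chosen here. It also counts MUL gates and fresh $n$-bit registers, which is where the $2n \times n$ width comes from:

```python
# Added example (not from the slides): classical basis-state simulation of the
# unrolled square-and-multiply inverse x^(p-2) mod p, built only from the
# MUL gate |x>|y>|A> -> |x>|y>|A + x*y mod p>. Every intermediate lands in a
# fresh n-bit register (nothing is uncomputed), so the width can be counted.

def mul_gate(x, y, a, p):
    """The out-of-place MUL gate on basis states (constructed model)."""
    return x, y, (a + x * y) % p

def fermat_inverse(x, p):
    """Return (x^(p-2) mod p, number of MUL gates, number of n-bit registers).

    The exponent p-2 is scanned from the least significant bit; every set bit
    costs one MUL into the accumulator and every bit but the last costs one
    MUL for the squaring. Registers are never freed, as in the unrolled circuit.
    """
    n = p.bit_length()          # bit-size of the operands
    e = p - 2                   # known, fixed exponent (Fermat)
    power = x                   # current x^(2^i), starts in the input register
    acc = 1                     # accumulator register initialised to 1
    muls, registers = 0, 2      # registers so far: x and acc
    for i in range(n):
        if (e >> i) & 1:
            _, _, acc = mul_gate(acc, power, 0, p)      # acc *= x^(2^i)
            muls, registers = muls + 1, registers + 1
        if i < n - 1:
            _, _, power = mul_gate(power, power, 0, p)  # square into a fresh register
            muls, registers = muls + 1, registers + 1
    return acc, muls, registers

def check(p, x):
    """Compare with Python's modular inverse; width must stay within 2n registers."""
    inv, muls, regs = fermat_inverse(x, p)
    return inv == pow(x, -1, p) and (x * inv) % p == 1 and regs <= 2 * p.bit_length()

if __name__ == "__main__":
    print(fermat_inverse(3, 257))   # (86, 16, 18): 3 * 86 = 258 = 1 mod 257
```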
Shor for factoring vs ECC dlog [Proos, Zalka, quant-ph/0301141]
• Suggests that quantum attacks on ECC/dlog can be done more efficiently than RSA/factoring with a comparable level of security.
• Circuits are somewhat non-trivial to implement and to lay out.
• Only short Weierstrass forms considered; unclear how classical optimizations of point additions can be leveraged.