
Fang Song, IQC, University of Waterloo. Joint Work with: Kirsten - PowerPoint PPT Presentation



  1. Fang Song, IQC, University of Waterloo. Joint Work with: Kirsten Eisentraeger (Penn State), Sean Hallgren (Penn State), Alexei Kitaev (Caltech & KITP)

  2. Which problems have faster |quantum⟩ algorithms than classical algorithms? (Number theory problems are a good source)
     ∃ poly-time quantum algorithms for:
     - Factoring and discrete logarithm [Shor'94]
     - Unit group in number fields (THIS WORK: arbitrary-degree)
       - Degree two fields (Pell's equation as a special case) [Hallgren'02]
       - Constant-degree [Hallgren'05, SchmidtVollmer'05]
     - Principal Ideal Problem (PIP) and class group computation
       - Constant degree number fields [H'02'05, SV'05]
     Best known classical algorithms need super-polynomial time.

  3. All these quantum alg's fall into the framework of Hidden Subgroup Problem (HSP)
     [Diagram: INPUT (Problem Π) → (Classical) Reduction → HSP on a group G → Quantum Algorithm → OUTPUT (Solution to Π)]
     - Reduction & Algorithm for HSP both need to be efficient.

  4. Existing algorithms for constant-degree unit finding [H'02'05, SV05]
     [Diagram: INPUT (Constant degree number field) → Classical Reduction → HSP on ℝ^const → Quantum Algorithm → OUTPUT (Units of the number field)]
     Difficulty of extending to high degrees
     • Reduction takes exponential time in degree.
     • HSP instance in high dimension hard to solve.

  5. Existing algorithms for constant-degree unit finding [H'02'05, SV05]
     [Diagram: INPUT (Constant degree number field) → Classical Reduction → HSP on ℝ^const → Quantum Algorithm → OUTPUT (Units of the number field)]
     Our algorithm for arbitrary-degree unit finding
     [Diagram: INPUT (Arbitrary degree n number field) → ③ New Quantum Reduction → HSP* on ℝ^{O(n)} → ④ Quantum Algorithm → OUTPUT (Units of the number field); markers ② and ① also appear on the diagram]
     *New definition: Continuous HSP

  6. Quantum Attacks on Classical Cryptography
     - Quantum algorithms can break classical crypto-systems
       - Anything based on factoring/D-Log [Shor94]: e.g. RSA encryption…
       - Buchmann-Williams key exchange (based on degree-two PIP) [H'02]
     - OPEN QUESTION: quantum attacks on (ideal) lattice based crypto
       - Fully homomorphic encryption, code obfuscation, and more [Gentry09, SmartV'10, GGH+13…]
     - Our alg. deals with similar objects: ideal lattices in number fields
     - A classical approach [Dan Bernstein Blog 2014]
       • A key component: computing units in classical sub-exp. time
       - This part becomes (quantum) poly-time by our alg.

  7. Roadmap of Our Algorithm
     [Diagram: INPUT (Arbitrary degree n number field) → ③ New Quantum Reduction → HSP* on ℝ^{O(n)} → ④ Quantum Algorithm → OUTPUT (Units of the number field); markers ② and ① also appear on the diagram]
     *New definition: Continuous HSP

  8. Review: Hidden Subgroup Problem (HSP)
     - Finite group G
       Given: oracle function f: G → S, s.t. ∃ H ≤ G,
       1. (Periodic on H) x − y ∈ H ⇒ f(x) = f(y)
       2. (Injective on G/H) x − y ∉ H ⇒ f(x) ≠ f(y)
       Goal: Find (hidden subgroup) H.
       [Figure: f maps the cosets H, x + H, …, y + H of G to distinct values s_0, s_1, …, s_k in S]
     - Extend the definition to infinite group ℤ^m
     - Extend to uncountable group ℝ^m: non-trivial!
     An issue with discretization
     - Assume f: ℝ → S periodic with period r ∈ ℝ.
     - Digital computers can only evaluate f on a discrete grid δℤ.
       f_δ ≜ f|_{δℤ}: δℤ → S
       f_δ may lose HSP properties (e.g. periodic)!
       [Figure: number line marked 0, r, 2r, 3r with r ∈ ℝ, comparing f(kr) with f_δ(⌊kr⌉)]

  9. Define Continuous HSP on ℝ^m
     - Previous definition: extra constraint on discrete f_δ
       - E.g. pseudo-periodic [H'02]: f_δ(kr + x) = f_δ(x) for most x.
       - Not suitable in high dimensions ℝ^m.
     - Our definition (HSP on ℝ^m): make f continuous
       Given f: ℝ^m → ℋ (quantum states), s.t. ∃ H ≤ ℝ^m,
       1. (Periodic) x − y ∈ H ⇒ |f(x)⟩ = |f(y)⟩.
       2. (Pseudo-injective) min_{v∈H} ||x − y − v|| ≥ r ⇒ |⟨f(x)|f(y)⟩| ≤ ε.
          "x − y far from H ⇒ ⟨f(x)|f(y)⟩ small"
       3. (Lipschitz) || |f(x)⟩ − |f(y)⟩ || ≤ a ⋅ ||x − y||.
          "x − y close to H ⇒ ⟨f(x)|f(y)⟩ big"
       Goal: Find (hidden subgroup) H.

  10. Interesting HSP Instances
      Abelian HSP on G → Computational Problems (∃ efficient quantum algorithms)
      - ℤ_N × ℤ_N → Discrete log
      - ℤ → Factoring
      - ℝ^const → Unit group, PIP, class group, constant degree
      - ℝ^{O(n)} [New Definition] → [This Work] Unit group, arbitrary degree n
      Non-abelian HSP on G → Computational Problems (? efficient alg., open question)
      - Symmetric group S_n → Graph isomorphism
      - Dihedral group D_n → Unique shortest vector

  11. Roadmap of Our Algorithm
      [Diagram: INPUT (Arbitrary degree n number field) → ③ New Quantum Reduction → HSP* on ℝ^{O(n)} → ④ Quantum Algorithm → OUTPUT (Units of the number field); markers ② and ① also appear on the diagram]
      *New definition: Continuous HSP

  12. Number Field Basics
      - Number field K ⊆ ℂ: finite field extension of ℚ.
        - Ex. 1 (Quadratic field). Take d ∈ ℤ, ℚ(√d) = {a + b√d : a, b ∈ ℚ}.
        - Ex. 2 (Cyclotomic field). Take ω = e^{2πi/p}, p prime. ℚ(ω) = {a_0 + a_1 ω + ⋯ + a_{p−2} ω^{p−2} : a_i ∈ ℚ}.
      - Ring of integers 𝒪: K ∩ roots of monic irreducible poly in ℤ[X].
      - Group of units 𝒪*: invertible elements in 𝒪.
      Examples:
      - Field K: ℚ(√d) = {a + b√d : a, b ∈ ℚ}; ℚ
      - Ring of integers 𝒪: ℤ[√d] = {a + b√d : a, b ∈ ℤ}; ℤ
      - Unit group 𝒪*: {±u^k : k ∈ ℤ}; {±1}
      d = 109, u = 158070671986249 + 15140424455100√109
      Exercise. Verify u u^{−1} = 1.

  13. Complexity of Computing Unit Group
      - Two parameters for measuring computational complexity
        - Degree n: dimension of K as vector space over ℚ.
        - Discriminant Δ: "size" of ring of integers. [more to come]
        ℚ(√d) = {a + b√d : a, b ∈ ℚ}, n = 2, Δ ≈ d
        ℚ(ω) = {a_0 + a_1 ω + ⋯ + a_{p−2} ω^{p−2} : a_i ∈ ℚ}, n = p − 1, Δ ≈ p^p
        Goal: computation in time poly(n, log Δ).
      - Previous algorithms for computing units (Classical; Quantum)
        - (Factoring) [reduces to ℚ(√d) case]: exp((log Δ)^{1/3}); poly(log Δ)
        - ℚ(√d): exp((log Δ)^{1/2}); poly(log Δ)
        - ℚ(ω_p): exp(n, log Δ); exp(n) poly(log Δ)
        - This work: poly(n, log Δ)

  14. Roadmap of Our Algorithm
      [Diagram: INPUT (Arbitrary degree n number field) → ③ New Quantum Reduction → HSP* on ℝ^{O(n)} → ④ Quantum Algorithm → OUTPUT (Units of the number field); markers ② and ① also appear on the diagram]
      *New definition: Continuous HSP

  15. Outline of Quantum Reduction
      1. Identify 𝒪* as a subgroup in ℝ^m, m = O(n).
      2. Define f: ℝ^m → ℋ satisfying HSP properties.
         - (Periodic) x − y ∈ 𝒪* ⇒ |f(x)⟩ = |f(y)⟩
         - (Pseudo-injective) x − y far from 𝒪* ⇒ ⟨f(x)|f(y)⟩ small
         - (Lipschitz) x − y close to 𝒪* ⇒ ⟨f(x)|f(y)⟩ big
      3. Compute f by an efficient quantum algorithm. (omitted)

  16. Set Up Units as a Subgroup
      - 𝒪 is identified with a lattice 𝒪 in ℝ^n.
        - z ∈ 𝒪 ↦ z := (z_1, …, z_n) ∈ ℝ^n (conjugate vector representation)
        Lattice L(B) = {a_1 v_1 + ⋯ + a_n v_n : a_i ∈ ℤ} ⊆ ℝ^n
        - Basis B: {v_i ∈ ℝ^n : i = 1, …, n}
        - L has (infinitely) many bases
        - det L: volume of fundamental domain
        - Discriminant of 𝒪: Δ = det²(𝒪)
      - Log coordinates of units: z ∈ 𝒪* → z_i ≠ 0 → write u_i ≔ log|z_i|
        - Fact: units have algebraic norm 1: z ∈ 𝒪* → 𝒩(z) = Π z_i = 1 → ∑ u_i = 0.
        - 𝒪* ≤ ℝ^{n−1} = {(u_1, …, u_n) ∈ ℝ^n : ∑ u_i = 0}
        N.B.: Not precise; sign/phase info. missing!

  17. Define Hiding Function: Classical Part
      f: ℝ^{n−1} —f_c→ {lattices in ℝ^n} —f_q→ {quantum states}
      f_c: x ↦ L_x
      Input: x = (x_1, …, x_n)^T, ∑ x_i = 0
      Output: L_x = e^x 𝒪
      - Example. K = ℚ(√d), d ∈ ℤ^+, n = 2, 𝒪 ⊆ ℝ².
        f_c: (x, −x) ↦ e^x 𝒪
        ∀ v = (v_1, v_2)^T ∈ 𝒪: e^x v ≔ (e^x v_1, e^{−x} v_2)^T
        • Stretch/Squeeze each coordinate
      - Obs. f_c preserves algebraic norm 𝒩(z) = Π z_k.

  18. Real Quadratic Example
      - ℚ(√102), n = 2, f_c: ℝ → {lattices in ℝ²}
        f_c: x ∈ ℝ ↦ L_x ⊆ ℝ²
      [Figure courtesy of Hallgren.]

  19. Properties of f_c
      f: ℝ^{n−1} —f_c→ {lattices in ℝ^n} —f_q→ {quantum states}
      f_c: x ↦ L = e^x 𝒪
      - 𝒪*-Periodic. (Fact: u ∈ 𝒪* ⇒ u𝒪 = 𝒪)
        • If e^y ∈ 𝒪*, then e^{x+y} 𝒪 = e^x 𝒪.
      - (Lipschitz) "Small" shift in inputs ⇒ "Similar" lattices in outputs
      - (Pseudo-inj) "Big" shift in inputs ⇒ "Far-apart" (small overlap) lattices
      ! Computing f_c delicate: e^x doubly-exp. large & precision loss.
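
An added example, not part of the slides: the classical continued-fraction route to the unit 158070671986249 + 15140424455100√109 printed on slide 12, followed by exact checks of that slide's exercise, the norm-1 and log-coordinate facts on slide 16, and the fact on slide 19 that multiplying by a unit maps the lattice onto itself. Function names and the non-unit 10 + √109 are assumptions made for illustration, and the lattice is ℤ[√109] as on slide 12.

```python
from math import isqrt, log, sqrt

def pell_fundamental(d):
    """Smallest x, y > 0 with x^2 - d*y^2 = 1, from the continued fraction of sqrt(d)."""
    a0 = isqrt(d)
    if a0 * a0 == d:
        raise ValueError("d must not be a perfect square")
    m, q, a = 0, 1, a0
    x_prev, x, y_prev, y = 1, a0, 0, 1      # convergents x/y of sqrt(d)
    while x * x - d * y * y != 1:
        m = q * a - m
        q = (d - m * m) // q
        a = (a0 + m) // q
        x_prev, x = x, a * x + x_prev
        y_prev, y = y, a * y + y_prev
    return x, y

def mul(u, v, d):
    """Product of a + b*sqrt(d) and c + e*sqrt(d), each held as an exact integer pair."""
    (a, b), (c, e) = u, v
    return a * c + d * b * e, a * e + b * c

def norm(z, d):
    """Algebraic norm: product of the conjugates a + b*sqrt(d) and a - b*sqrt(d)."""
    a, b = z
    return a * a - d * b * b

def preserves_lattice(z, d):
    """True iff z*Z[sqrt d] = Z[sqrt d]: multiplication by z sends the basis
    (1, sqrt d) to (a + b sqrt d, d*b + a sqrt d), a unimodular change of basis."""
    a, b = z
    return abs(a * a - (d * b) * b) == 1

def log_coordinates(z, d):
    """(log|z_1|, log|z_2|) for a, b > 0. The conjugate is taken as norm/z_1,
    because a - b*sqrt(d) in floats cancels catastrophically for large units."""
    a, b = z
    z1 = a + b * sqrt(d)
    return log(z1), log(abs(norm(z, d))) - log(z1)

D = 109
U = (158070671986249, 15140424455100)       # the unit printed on slide 12
U_INV = (U[0], -U[1])                        # conjugate; the inverse because norm(U) = 1
NON_UNIT = (10, 1)                           # constructed: 10 + sqrt(109), norm -9

if __name__ == "__main__":
    print(pell_fundamental(D) == U, norm(U, D), mul(U, U_INV, D))
    print(preserves_lattice(U, D), sum(log_coordinates(U, D)), sum(log_coordinates(NON_UNIT, D)))
```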
