quantum algorithms for the k xor problem
play

Quantum Algorithms for the k -xor Problem Lorenzo Grassi 1 , Mara - PowerPoint PPT Presentation

Jun 18, 2023 •174 likes •428 views

Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Quantum Algorithms for the k -xor Problem Lorenzo Grassi 1 , Mara Naya-Plasencia 2 , Andr Schrottenloher 2 1 IAIK, Graz University of Technology, Austria 2 Inria, France December

  1. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Quantum Algorithms for the k -xor Problem Lorenzo Grassi 1 , María Naya-Plasencia 2 , André Schrottenloher 2 1 IAIK, Graz University of Technology, Austria 2 Inria, France December 3, 2018 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 1/23

  2. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Outline Context 1 Low-qubits k -xor algorithms 2 k -xor algorithms with qRAM 3 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 2/23

  3. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Context L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 3/23

  4. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM The Birthday Problem Collision search Let H : { 0 , 1 } n → { 0 , 1 } n be a random function, find a collision of H , i.e a pair x 1 , x 2 ∈ { 0 , 1 } n such that H ( x 1 ) = H ( x 2 ) . � 2 n / 2 � � 2 n / 2 � Classical queries (to L 1 , L 2 or H ) O , time O and memory � O ( 1 ) ( Pollard’s rho method ). Ω( 2 n / 2 ) is a query lower bound. L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 4/23

  5. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM The Generalized Birthday problem k -xor for a random function Let H : { 0 , 1 } n → { 0 , 1 } n be a random function, find x 1 , . . . , x k such that H ( x 1 ) ⊕ . . . ⊕ H ( x k ) = 0. Many applications in cryptanalysis: (R)FSB, SWIFFT. . . Applications for k -sums: ⊕ is replaced by modular + Wagner, “A Generalized Birthday Problem” , 2002 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 5/23

  6. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Classical Results To get a k -xor on n bits: The query complexity is Ω( 2 n / k ) � 2 n / ( 1 + ⌊ log 2 ( k ) ⌋ ) � The time complexity is O � 2 n / ( 1 + ⌊ log 2 ( k ) ⌋ ) � The memory complexity is O . . . unless k = 2, in which case memory is � O ( 1 ) . . . when k = 3, logarithmic improvements are available . . . many time-memory-query tradeoffs. n / 4 n / 3 n / 2 0 . . . k = 4 k = 3 k = 2 n / 4 n / 3 n / 2 0 . . . { 8 , 9 , . . . } { 4 , 5 , 6 , 7 } k = 2 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 6/23

  7. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Wagner’s Algorithm Generic method for the k -xor or k -sum with a general k : works at best when k is a power of 2. L 1 L 2 L 3 L 4 n 2 3 elements n n 3 3 n 2 n 2 n 2 3 3 3 n 3 -bit collisions 0 0 1 n -bit collision L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 7/23

  8. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Quantum results To get a k -xor on n bits: The query complexity is Ω( 2 n / ( k + 1 ) ) � 2 2 n / 5 � With O ( n ) qubits, the time complexity for k = 2 is O � 2 n / 3 � With qRAM, the time complexity for k = 2 is � O . n / 5 n / 4 n / 3 n / 2 0 . . . k = 4 k = 3 k = 2 2 n / 5 0 ? k = 2 n / 3 0 ? Brassard, Høyer, and Tapp, “Quantum Cryptanalysis of Hash and Claw-Free Functions” , 1998 Belovs and Spalek, “Adversary lower bound for the k -sum problem” , 2013 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 8/23

  9. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM This work We propose time-efficient quantum algorithms in two scenarios: Using O ( n ) qubits; 1 Allowing read-write quantum memory in the qRAM model. 2 Formalization All elements are produced by a random function H and we access the superposition oracle O H . A query to O H costs O ( 1 ) time. L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 9/23

  10. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Results Low-qubits scenario 3-xor is exponentially faster than collision search; A quantum time speedup ( or memory improvement ) over Wagner exists for k ≤ 7. qRAM scenario 3-xor is exponentially faster than collision search; � 2 n / ( 2 + ⌊ log 2 ( k ) ⌋ ) � k -xor can be solved in time � O , using � 2 n / ( 2 + ⌊ log 2 ( k ) ⌋ ) � � 2 n / ( 1 + ⌊ log 2 ( k ) ⌋ ) � � O qRAM (instead of O ). L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 10/23

  11. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Low-qubits k -xor algorithms L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 11/23

  12. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Quantum toolbox Grover’s algorithm : { 0 , 1 } n → { 0 , 1 } is a test function. f We look for x such that f ( x ) = 1 (there are 2 t solutions). We implement f as a quantum circuit. � 2 ( n − t ) / 2 � calls to f instead of 2 n − t classically. With Grover: O Grover improves exhaustive search by a quadratic factor when the oracle f is fast. L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 12/23

  13. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM 1. Testing membership with few qubits Assume that L 1 and L 2 of sizes ℓ each are given classically. We search x such that ∃ z 1 , z 2 ∈ L 1 × L 2 , H ( z 1 ) ⊕ H ( z 2 ) ⊕ H ( x ) = 0. � 2 n /ℓ 2 iterations. Grover requires How to test if x is good? Grover’s test The lists are known classically. But the oracle question is asked for a superposition of x . A solution is to compare sequentially: ℓ 2 n -bit comparisons. Chailloux, Naya-Plasencia, and Schrottenloher, “An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography” , 2017 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 13/23

  14. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM 2. Distinguished solution strategy We take specific L 1 and L 2 : images are prefixed by n 2 zeroes. n / 2 n / 2 n / 2 n / 2 β 1 α 1 0 0 2 n / 8 2 n / 8 . . . . . . . . . . . . α 2 n / 8 0 β 2 n / 8 0 We only need to search for a “distinguished solution” (with the same prefix): we compare pairs less often; Producing the lists costs 2 n / 4 × 2 n / 8 = 2 3 n / 8 queries and as much for searching x . � � � � 1 2 · 2 n 5 + n n 1 2 · 2 n n 2 · n 1 2 + n n 1 2 · n n 5 + 2 5 + 2 8 + 2 2 + 2 Collision: 2 2 and 3-xor: 2 2 5 5 8 4 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 14/23

  15. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM 3. Merging technique We take more specific L 1 and L 2 to reduce the checking cost. 2 n / 7 n / 7 n / 7 3 n / 7 2 n / 7 n / 7 n / 7 3 n / 7 0 0 y 1 α 1 0 z 1 0 β 1 . . . . . . . . ℓ = 2 n / 7 2 n / 7 . . . . . . . . . . . . . . . . y 2 n / 7 α 2 n / 7 z 2 n / 7 β 2 n / 7 0 0 0 0 Now to test a distinguished point x : Find a partially colliding element from L 1 ; Find a partially colliding element from L 2 ; Compute the xor of the three values; � ℓ 2 � The test costs O ( ℓ ) comparisons instead of O . L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 15/23

  16. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Optimization and results � 2 5 n / 14 � Optimizing the lists / prefix sizes leads to O time for k = 3. General k The same merging method can be extended to the k -xor. Time speedup over Wagner for k = 3 , 5 , 6 , 7 and memory improvement for k = 4. Quantum low-qubits: 5 n 2 n n 0 14 5 2 7 6 5 4 3 2 Classical: n n n 0 4 3 2 . . . 8 { 4 , 5 , 6 , 7 } k = 2 , 3 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 16/23

  17. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM k -xor algorithms with qRAM L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 17/23

  18. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM 3 -xor with qRAM qRAM is now available. No need for a distinguished solution (testing membership is efficient) but the merging technique still applies. � 2 3 n / 10 � ⇒ � time with 2 lists of size 2 n / 5 : better than quantum O collision search. 3 n n n 0 10 3 2 3 2 L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 18/23

  19. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM General k Combining: Wagner’s method (successive lists of i -collisions with increasing zero prefixes) A quantum walk on the Johnson graph We obtain a general time speedup. L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 19/23

  20. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Results Classical time (using classical memory) Quantum time ( O ( n ) qubits and classical memory) Quantum time (unbounded qRAM) L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 20/23

  21. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Memory Classical (using classical memory) Quantum low-qubits ( O ( n ) qubits and classical memory) Quantum (qRAM) L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 21/23

  22. Context Low-qubits k -xor algorithms k -xor algorithms with qRAM Conclusion and perspectives L. Grassi, M. Naya-Plasencia, A. Schrottenloher Quantum Algorithms for k -xor 22/23

Recommend

Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum

Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum

Quantum Algorithms for Topological Invariants Stephen Jordan Wed Feb. 3, 2010 What is a quantum algorithm? Classical Quantum 0101101 the rules: solve problem using sequence of local quantum gates the goal: use fewer gates than

1.11k views • 37 slides
Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499 852 1927 2535 3596 3608 D. J. Bernstein 4688 5989 6385 7353 7650 9413) University of Illinois at

2.02k views • 163 slides
Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees

Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees

Quantum Algorithms for Quantum Algorithms for Evaluating M IN Evaluating M IN -M -M AX AX Trees Trees Richard Cleve Dmitry Gavinsky D. L. Yonge-Mallo Institute for Quantum Computing, University of Waterloo January 30, 2008 TQC Tokyo,

842 views • 34 slides
Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES -

Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES -

Quantum Computation (Lecture QC-3: Quantum Algorithms) Lu s Soares Barbosa MFES - Arquitectura e C alculo May 2019 Quantum Algorithms The Deutsch-Jozsa Algorithm Quantum Search: Grover A quantum machine Structure of a quantum

1.08k views • 29 slides
Quantum Versions of k-CSP The Need for . . . k -CSP problems Algorithms: a First Step Known

Quantum Versions of k-CSP The Need for . . . k -CSP problems Algorithms: a First Step Known

Outline General Problem of . . . Probabilistic and . . . Interval . . . Additional Problem: . . . Quantum Versions of k-CSP The Need for . . . k -CSP problems Algorithms: a First Step Known Algorithm for . . . Sch onings Algorithm . .

622 views • 15 slides
Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven cr.yp.to/qsubsetsum.html Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische

1.2k views • 98 slides
New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr Schrottenloher 2 Joint work with Andr Chailloux 2 and Lorenzo Grassi

1.63k views • 65 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische Universiteit Eindhoven

1.2k views • 89 slides
Quantum algorithms for the hidden shift problem of Boolean functions Maris Ozols University of

Quantum algorithms for the hidden shift problem of Boolean functions Maris Ozols University of

Quantum algorithms for the hidden shift problem of Boolean functions Maris Ozols University of Waterloo, IQC and NEC Labs Joint work with: Martin R otteler (NEC Labs) (NEC Labs) J er emie Roland Andrew Childs (University of

1.51k views • 74 slides
From quantum hardware to quantum AI School of Electrical and Electronic Engineering University

From quantum hardware to quantum AI School of Electrical and Electronic Engineering University

CLASSICAL BIT vs QUBIT Computation as physical process Concept of programmable matter Classical neural network Distance between quantum states Quantum algorithms Quantum Neural Networks From quantum hardware to quantum AI School of

322 views • 31 slides
Quantum Quantum Computing Sensing Algorithms Hybrid computing Compilers

Quantum Quantum Computing Sensing Algorithms Hybrid computing Compilers

QIS Workshop: Welcome Argonne PSE/CELS QIS Working Group Salman Habib CPS/HEP Divisions September 23, 2019 Quantum Quantum Computing Sensing Algorithms Hybrid computing Compilers Error correction Precision metrology

285 views • 6 slides
Quantum algorithms Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm

Quantum algorithms Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm

1 Quantum algorithms Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction is in a quantum computers

1.42k views • 138 slides
Quantum algorithms based on quantum walks . J er emie Roland Universit e Libre de

Quantum algorithms based on quantum walks . J er emie Roland Universit e Libre de

. Quantum algorithms based on quantum walks . J er emie Roland Universit e Libre de Bruxelles Quantum Information & Communication J er emie Roland (ULB - QuIC) Quantum walks Grenoble, Novembre 2012 1 / 39 Outline

564 views • 29 slides
Quantum Algorithms for Quantum Field Theories Stephen Jordan Joint work with Keith Lee John

Quantum Algorithms for Quantum Field Theories Stephen Jordan Joint work with Keith Lee John

Quantum Algorithms for Quantum Field Theories Stephen Jordan Joint work with Keith Lee John Preskill [arXiv:1111.3633 and 1112.4833] Feb 21, 2012 Quantum Mechanics Each state of the system is a basis vector. | dead i | alive i A general

672 views • 36 slides
Quantum algorithms Daniel J. Bernstein Quantum algorithm means an algorithm that a

Quantum algorithms Daniel J. Bernstein Quantum algorithm means an algorithm that a

1 Quantum algorithms Daniel J. Bernstein Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction is in a quantum computers supported instruction set. How do we

1.53k views • 135 slides
Summary: * Why quantum for computers? * Logic gates and algorithms * Manipulating quantum

Summary: * Why quantum for computers? * Logic gates and algorithms * Manipulating quantum

Elements of quantum information processing and quantum computers (with trapped ion examples) D. J. Wineland, Dept. of Physics, U Oregon, Eugene, OR; & Research Associate, NIST, Boulder, CO Summary: * Why quantum for computers? *

742 views • 42 slides
Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm? Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische

922 views • 70 slides
Quantum algorithms for Information Set Decoding Elena Kirshanova ENS Lyon April 11, 2018 Quantum

Quantum algorithms for Information Set Decoding Elena Kirshanova ENS Lyon April 11, 2018 Quantum

Quantum algorithms for Information Set Decoding Elena Kirshanova ENS Lyon April 11, 2018 Quantum ISD | E.Kirshanova Information Set Decoding (ISD) The ISD Problem Given H P F p n k q n , s P F n k , find e P F n 2 s.t. He s 2 2 e

669 views • 38 slides
Diagrammatic Methods for the Specification and Verification of Quantum Algorithms William Zeng

Diagrammatic Methods for the Specification and Verification of Quantum Algorithms William Zeng

Diagrammatic Methods for the Specification and Verification of Quantum Algorithms William Zeng Quantum Group Department of Computer Science University of Oxford Quantum Programming and Circuits Workshop IQC, University of Waterloo June, 2015

833 views • 79 slides
Quantum impurity problem Nonperturbative interaction between a single quantum object/impurity

Quantum impurity problem Nonperturbative interaction between a single quantum object/impurity

Fermi polaron-polaritons in MoSe 2 Meinrad Sidler, Patrick Back, Ovidiu Cotlet, Ajit Srivastava, Thomas Fink, Martin Kroner, Eugene Demler, Atac Imamoglu Quantum impurity problem Nonperturbative interaction between a single quantum

924 views • 44 slides
Variational quantum algorithms for state preparation & matrix decomposition Xin Wang Baidu

Variational quantum algorithms for state preparation & matrix decomposition Xin Wang Baidu

Variational quantum algorithms for state preparation & matrix decomposition Xin Wang Baidu Research PCL Innovation Salon 2020/07/31 Based on arXiv:2005.08797 and 2006.02336. Overview l Near-term Quantum Computing l Quantum Gibbs State

554 views • 40 slides
Types for Quantum Computing Peter Selinger Dalhousie University Halifax, Canada 1 Why Quantum

Types for Quantum Computing Peter Selinger Dalhousie University Halifax, Canada 1 Why Quantum

Types for Quantum Computing Peter Selinger Dalhousie University Halifax, Canada 1 Why Quantum Programming Languages? For certain problems, quantum algorithms have an exponential speedup over best known classical algorithms. Most

636 views • 52 slides
The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides

More recommend