
Quantum algorithms for the subset-sum problem D. J. Bernstein - PDF document


  1. Quantum algorithms for the subset-sum problem. D. J. Bernstein, University of Illinois at Chicago & Technische Universiteit Eindhoven. cr.yp.to/qsubsetsum.html. Joint work with: Stacey Jeffery (University of Waterloo), Tanja Lange (Technische Universiteit Eindhoven), Alexander Meurer (Ruhr-Universität Bochum).

  2. Subset-sum example: Is there a subsequence of (499, 852, 1927, 2535, 3596, 3608, 4688, 5989, 6385, 7353, 7650, 9413) having sum 36634? Many variations: e.g., find such a subsequence if one exists; find such a subsequence knowing that one exists; allow range of sums; coefficients outside $\{0, 1\}$; etc. “Subset-sum problem”; “knapsack problem”; etc.

  3. The lattice connection. Define $x_1 = 499, \ldots, x_{12} = 9413$. Define $L \subseteq \mathbf{Z}^{12}$ as $\{v : v_1 x_1 + \cdots + v_{12} x_{12} = 0\}$. Define $u \in \mathbf{Z}^{12}$ as $(70, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)$. If $J \subseteq \{1, 2, \ldots, 12\}$ and $\sum_{i \in J} x_i = 36634$ then $v \in L$ where $v_i = u_i - [i \in J]$. $v$ is very close to $u$. Reasonable to hope that $v$ is the closest vector in $L$ to $u$. Subset-sum algorithms $\approx$ codimension-1 CVP algorithms.

  5. The coding connection. A weight-$w$ subset-sum problem: Is there a subsequence of (499, 852, 1927, 2535, 3596, 3608, 4688, 5989, 6385, 7353, 7650, 9413) having length $w$ and sum 36634? Replace $\mathbf{Z}$ with $(\mathbf{Z}/2)^m$: Is there a subsequence of (499, 852, 1927, 2535, 3596, 3608, 4688, 5989, 6385, 7353, 7650, 9413) having length $w$ and xor 1060? This is the central algorithmic problem in coding theory.

  6. Recent asymptotic news. Eurocrypt 2010 Howgrave-Graham–Joux: subset-sum exponent $\approx 0.337$. (Incorrect claim: $\approx 0.311$.) Eurocrypt 2011 Becker–Coron–Joux: subset-sum exponent $\approx 0.291$. Adaptations to decoding: Asiacrypt 2011 May–Meurer–Thomae, Eurocrypt 2012 Becker–Joux–May–Meurer.

  7. Post-quantum subset sum Claimed in TCC 2010 Lyubashevsky–Palacio–Segev “Public-key cryptographic primitives provably as secure as subset sum”: There are “currently no known quantum algorithms that perform better than classical ones on the subset sum problem”. Hmmm. What’s the best quantum subset-sum exponent?

  8. Interlude: Algorithm design. Textbook algorithm analysis (diagram labels: Proof of correctness, New algorithm, Proof of run time). Mislead students into thinking that best algorithm = best proven algorithm.

  12. Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!” Consensus of the experts: proofs probably do not exist for most of these algorithms. So demanding proofs is silly. Without proofs, how do we analyze correctness+speed? Answer: Real algorithm analysis relies critically on heuristics and computer experiments.

  16. What about quantum algorithms? Want to analyze, optimize quantum algorithms today to figure out safe crypto against future quantum attack. 1. Simulate tiny q. computer? $\Rightarrow$ Huge extrapolation errors. 2. Faster algorithm-specific simulation? Yes, sometimes. 3. Fast trapdoor simulation. Simulator (like prover) knows more than the algorithm does.

  17. Quantum search (0.5). Assume that function $f$ has $n$-bit input, unique root. Generic brute-force search finds this root using $\approx 2^n$ evaluations of $f$. 1996 Grover method finds this root using $\approx 2^{0.5n}$ quantum evaluations of $f$ on superpositions of inputs. Cost of quantum evaluation of $f$ $\approx$ cost of evaluation of $f$ if cost counts qubit “operations”.

  19. Easily adapt to handle different # of roots, and # not known in advance. Faster if # is large, but typically # is not very large. Most interesting: # $\in \{0, 1\}$. Apply to the function $J \mapsto \Sigma(J) - t$ where $\Sigma(J) = \sum_{i \in J} x_i$. Cost $2^{0.5n}$ to find root (i.e., to find indices of subsequence of $x_1, \ldots, x_n$ with sum $t$) or to decide that no root exists. We suppress poly factors in cost.

  20. Algorithm details for unique root: Represent $J \subseteq \{1, \ldots, n\}$ as an integer between 0 and $2^n - 1$. $n$ bits are enough space to store one such integer. $n$ qubits store much more, a superposition over sets $J$: $2^n$ complex amplitudes $a_0, \ldots, a_{2^n - 1}$ with $|a_0|^2 + \cdots + |a_{2^n - 1}|^2 = 1$. Measuring these $n$ qubits has chance $|a_J|^2$ to produce $J$. Start from uniform superposition, i.e., $a_J = 1/2^{n/2}$ for all $J$.

  21. Step 1: Set $a \leftarrow b$ where $b_J = -a_J$ if $\Sigma(J) = t$, $b_J = a_J$ otherwise. This is about as easy as computing $\Sigma$. Step 2: “Grover diffusion”. Set $a \leftarrow b$ where $b_J = -a_J + (2/2^n) \sum_I a_I$. This is also easy. Repeat steps 1 and 2 about $0.58 \cdot 2^{0.5n}$ times. Measure the $n$ qubits. With high probability this finds the unique $J$ such that $\Sigma(J) = t$.

  22. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after 0 steps.]

  23. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after Step 1.]

  24. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after Step 1 + Step 2.]

  25. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after Step 1 + Step 2 + Step 1.]

  26. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $2 \times$ (Step 1 + Step 2).]

  27. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $3 \times$ (Step 1 + Step 2).]

  28. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $4 \times$ (Step 1 + Step 2).]

  29. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $5 \times$ (Step 1 + Step 2).]

  30. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $6 \times$ (Step 1 + Step 2).]

  31. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $7 \times$ (Step 1 + Step 2).]

  32. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $8 \times$ (Step 1 + Step 2).]

  33. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $9 \times$ (Step 1 + Step 2).]

  34. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $10 \times$ (Step 1 + Step 2).]

  35. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $11 \times$ (Step 1 + Step 2).]

  36. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $12 \times$ (Step 1 + Step 2).]

  37. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $13 \times$ (Step 1 + Step 2).]

  38. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $14 \times$ (Step 1 + Step 2).]

  39. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $15 \times$ (Step 1 + Step 2).]

  40. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $16 \times$ (Step 1 + Step 2).]

  41. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $17 \times$ (Step 1 + Step 2).]

  42. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $18 \times$ (Step 1 + Step 2).]

  43. [Figure: graph of $J \mapsto a_J$ for 36634 example with $n = 12$ after $19 \times$ (Step 1 + Step 2).]
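
The amplitude updates of slides 20 and 21 can be tracked classically for the 36634 example, since $2^{12}$ amplitudes fit easily in memory; this is what the sequence of graphs plots round by round. The Python simulation below is an added example, not code from the talk: the function names are its own, and it assumes the iteration count $0.58 \cdot 2^{0.5n}$ stated on slide 21.

```python
import math

# Sequence and target of the deck's running example (slide 2).
X = (499, 852, 1927, 2535, 3596, 3608, 4688, 5989, 6385, 7353, 7650, 9413)
T = 36634


def subset_sums(xs):
    """sums[J] = Sigma(J); bit i of the integer J selects xs[i]."""
    sums = [0]
    for x in xs:
        sums += [s + x for s in sums]
    return sums


def grover(xs, t, iterations):
    """Track all 2^n real amplitudes through `iterations` rounds."""
    sums = subset_sums(xs)
    size = len(sums)
    a = [1 / math.sqrt(size)] * size  # uniform start: a_J = 1/2^(n/2)
    for _ in range(iterations):
        # Step 1: negate a_J wherever Sigma(J) = t.
        a = [-aj if s == t else aj for aj, s in zip(a, sums)]
        # Step 2 (Grover diffusion): b_J = -a_J + (2/2^n) * sum_I a_I.
        shift = 2 * sum(a) / size
        a = [shift - aj for aj in a]
    return a, sums


def decode(j, xs):
    """Turn the integer encoding of J back into the chosen elements."""
    return [x for i, x in enumerate(xs) if (j >> i) & 1]


def run(xs=X, t=T, factor=0.58):
    """Simulate about factor * 2^(0.5 n) rounds, then 'measure'."""
    k = round(factor * 2 ** (0.5 * len(xs)))
    a, sums = grover(xs, t, k)
    # Trapdoor knowledge: the simulator enumerates the roots directly.
    roots = [j for j, s in enumerate(sums) if s == t]
    p_success = sum(a[j] ** 2 for j in roots)
    best = max(range(len(a)), key=lambda j: a[j] ** 2)
    return k, roots, p_success, decode(best, xs)


if __name__ == "__main__":
    k, roots, p, subset = run()
    print(f"{k} rounds, {len(roots)} root(s), P[measure a root] = {p:.3f}")
    print("most likely outcome:", subset, "sum =", sum(subset))
```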
