2 A Fourier Transform for Bivariate Functions
|
|
- Noel Phillips
- 6 years ago
- Views:
Transcription
1 Stanford University CS59Q: Quantum Computing Handout 0 Luca Trevisan October 5, 0 Lecture 0 In which we present a polynomial time quantum algorithm for the discrete logarithm problem. The Discrete Log Problem If p is a prime and g is a generator of the multiplicative group Z p, then the modular eponentiation function g mod p is a bijection of Z p to Z p. The discrete log problem is the problem of inverting this mapping, that is, given a prime p, a generator g of Z p and an element z Z p, find the unique r, 0 r p, such that g r z (mod p). An efficient algorithm for the discrete log problem can be used to break several publickey cryptosystems whose design is based on having (p, g, g y mod p) as a private key, where p is a properly chosen prime, g is a generator of Z p, and, y are randomly chosen, while the public key is (p, g, g mod p, g y mod p). The discrete log problem can be formulated for every group G. Once the group is fied, or a description is given, an input to the problem are two elements a, z G, and the goal is to find an integer r such that a r = z, where a r means a a a r times and is the group operation. An algorithm for this more general problem breaks public-key cryptosystems based on elliptic curves. In this lecture we describe a polynomial time quantum algorithm for the discrete logarithm problem in Z p, but the algorithm can be adapted to work in any Abelian group. (The groups arising in elliptic curves cryptographic constructions are Abelian.) A Fourier Transform for Bivariate Functions We briefly describe a theory of discrete Fourier transforms for functions with two inputs. If is a positive integer, the functions
2 f : {0,..., } {0,..., } C form an -dimensional vector space. In the univariate case of functions f : {0,..., } C, we derived the Fourier transform by defining an orthonormal basis and writing f as a linear combination of basis functions. Similarly, we will now define orthonormal functions and write each bivariate function as a linear combination of basis functions. A general principle is that if v,..., v k are an orthonormal vectors, then the collection of all the tensor products v i v j is a set of k orthonormal vectors. Consider now the functions χ s () = e πi s ; we prove that they are orthonormal, and so the collection of their tensor products χ s,s (, y) := e πi (s +s y) is a collection of orthornomal functions, and thus it is an orthonormal basis for the set of functions f : {0,..., } {0,..., } C Each such function can be written as a linear combination f(, y) = s,s ˆf(s, s ) χ s,s (, y) where the coefficients of the linear combination (the Fourier coefficients of f) can be computed as ˆf(s, s ) = f, χ s,s = f(, y)e πi (s +s y),y The transformation from the values f(, y) to the coefficients ˆf(s, s ) is a change of orthonormal basis, and so it is unitary linear transformation, and so if is a quantum state, then f(, y), y,y s,s ˆf(s, s ) s, s is also a quantum state, and the transformation from the former to the latter is the quantum (bivariate) Fourier transform; it is easy to see that this can be done in quantum polynomial time if = m is a power of by first applying the standard quantum Fourier transform to and then to y.
3 3 A Generalized Period Finding Algorithm Given a prime p, a generator g of Z p and an element a = g r mod p of Z p, define the function F (, y) := a (g ) y mod p = g r y mod p Then F (, ) has a period in the sense that for every (, y) we have F (, y) = F (, y + r) We will perform a bivariate version of the period-finding algorithm that we used to solve the factorization problem, and then we will see that, after a constant number of eecutions of the algorithm, we can recover r. Input: prime p, generator g of Z p, element z Z p Step : Fi an = m such that p p and construct the state y a (g ) y mod p (),y where each of the three parts of the state is an integer in {0,..., }, represented as an m-qubit string. The function, y a g y mod p is computable in polynomial time, and so there is a quantum circuit C modep of polynomial size that, given y 0, outputs y a g y mod p. Starting from the state 0 0 0, we first apply Hadamard gates to the first m bits, which results in the state y 0 and then we apply C modep to the above state. Step : easure the third integer in the quantum state.,y If the outcome of the measurement is g k mod p, then the residual state is Where Sk y g k mod p S k := {, y : 0 < 0 y < r y k (mod p )} From now we will disregard the third integer of the state, which has been fied by the measurement. 3
4 Step 3: Apply the bivariate quantum Fourier transform. This gives the state where ω = e πi (s +s y) Step 4: easure the state Sk s =0 s =0 ω s+sy s s It remains to show that after seeing a constant number of eecutions of the algorithm we can reconstruct r from the outcomes at Step 4. 4 Analysis of the Last Step To understand the distribution of outcomes that we get at Step 4, let us first do a non-rigorous calculation assuming that = p and that p is prime. In such a case, S k is just the set of p pairs (, y) Z p Z p such that y = r k mod p. The amplitude of state s, s at Step 4 is ω s +s (r k mod p ) = (p ).5 (p ).5 ω s +s r s k because operations in the eponent of ω are performed mod, which is the same as mod p. The probability of the outcome s, s is (p ) 3 ω s +s r s k = ω s k (p ) 3 ω s +s r = (p ) 3 (ω s +s r ) and if s + s r 0 mod p then the probability is /(p ), and otherwise it is zero. This means that from an outcome (s, s ) of Step 4 we can reconstruct r as r = s (s ) mod (p ) Unfortunately, we do not have = p, and so the modular identities that we get in the eponent of ω are not the same as in the eponent of g, complicating the structure of S k and adding error terms to the above calculations. We also don t have that p is prime, which means that at the end we may have problems inverting modulo p. 4
5 Before discussing how to deal with these problems, let us see what we may epect in practice. Suppose that we run the algorithm on input p = 6, g = 6 and z = 8. We pick = 64, and the probability of the possible outcomes s, s at Step 4 is plotted below: and we see that most of the probability is concentrated on outcomes s, s such that s + 3s is close to a multiple of 64, and indeed 3 is the correct answer. For every {0,..., }, the set S k contains the pairs (, y) such that 0 y < and y = r k mod p and there is always either one or two such y. Hence, S k. In our analysis it will be convenient to use the following notation: {a} is the difference between a and the multiple of that is closest to a. Note that a {a} (mod ) and that / {a} /. The probability of an outcome s, s at Step 4 is 5
6 S k 3 = 3 = 3 = 3 ω s+sy ω s+sy ω s+s(r k mod p ) ω s+sr sk (p )s ω s+sr (p )s r k p r k p where, in the second-to-last equation, we use a mod k = a a k. Our approach is now to define a notion of good pair (s, s ), to show that there are Ω() such pairs, that each of them is generate with probability Ω(/), and that from a good pair it is possible to compute (a large amount of information about) r. Definition (Good Pairs) A pair (s, s ) is good if. s + s r r p {s (p )} differs from a multiple of by at most ±/.. s (p )differs from a multiple of by at most ±/. Lemma (any Good Pairs) There are at least / good pairs. Proof: We first prove the following fact. Claim 3 Let k > a > 0 be positive integers, and t < k/. Then there are at least t distinct values such that t {a} k t Proof: Consider the mapping a mod k This is a gcd(a, k)-to- mapping, that is, there are k/ gcd(a, k) possible outputs, each having gcd(a, k) preimages, and each possible output is a multiple of gcd(a, k). 6 ()
7 (This is easy to see using the Chinese remainders theorem.) We are interested in the number of preimages of 0 and of possible outputs in the range,..., t and in the range t,..., ; overall there are t d + d d such preimages, where d := gcd(a, k). If t d, then we have at least d t preimages; if t > d we have at least ( ) t d + d d = t d > t preimages. From the claim above (applied to = s, a = p and k = ), we see that there are at least / choices of s that satisfy property () of being a good pair. For each such s, we can find an s for which property () holds. Lemma 4 (High Probability of Good Pairs) Each good pair has probability at least Ω(/) of being a possible outcome of Step 4. Proof: [Sketch] We write where and ω s +s r (p )s r k p = ω A+B() A := s + s r B() := {s (p )} r p {s (p )} ( r p ) r k p When (s, s ) is a good pair, we have A / and B /. The summation ω A+B() is a summation of comple numbers ω A, which are either all of the form e iθ either with θ between 0 and π or between 0 and π, and they are uniformly spaced and some of them may be repeated twice in the sum. Each of them is shifted by e B(), which is of the form e iθ with θ π/6. Such a sum produces a vector of length Ω(), and so the overall amplitude of (s, s ) is Ω(/). Now suppose that we have a good pair (s, s ); we see that 7
8 s ( ) + r s (p ) {s (p )} (p ) mod where mod stand for the difference between the real number and the closest integer to. We also note that s (p ) {s (p )} is an integer. This means that by finding the multiple a/(p ) of /(p ) closest to s / we find a number of the form rc/ mod, where c = s (p ) {s (p )} is a known quantity. So we have found numbers a, c such that a/(p ) rc/(p ) mod, that is, Now we can find a rc mod (p ) r = a c mod p provided that gcd(c, p ) = 0. What do we do if c and p have common factors? We can still get some useful information, because it is definitely true that a rc mod p gcd(p, c) and we can invert c modulo (p )/ gcd(p, c) and we find r mod (p )/ gcd(p, c). If we run the algorithm twice, we get good pairs both times, and the two good pairs lead us to values c, c with no common factors, then from r mod (p )/ gcd(p, c) and r mod (p )/ gcd(p, c ) we can reconstruct r mod p via the Chinese remainders theorem. The probability of getting good pairs twice in two consecutive runs of the algorithm is Ω(). Conditioned on that, what is the probability of ending up with c, c having no common factor? This is tricky issue and, indeed, c and c will always be even. However, it can be argued that c, c have Ω() probability of having distinct factors ecept possibly for the first O() primes. When we reconstruct r with the Chinese remainder theorem, we will try all possible values of r modulo those primes. Overall, two eecutions of the algorithm give us probability Ω() of generating a list of values that include r. After O() iterations, we get a list that has a high probability of including r. It is then possible to compute modular eponentiation for each candidate in the list and find the correct r. 8
Applied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 12: Introduction to Number Theory II Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline This time we ll finish the
More informationLogic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation
Quantum logic gates Logic gates Classical NOT gate Quantum NOT gate (X gate) A NOT A α 0 + β 1 X α 1 + β 0 A N O T A 0 1 1 0 Matrix form representation 0 1 X = 1 0 The only non-trivial single bit gate
More informationShor s Prime Factorization Algorithm
Shor s Prime Factorization Algorithm Bay Area Quantum Computing Meetup - 08/17/2017 Harley Patton Outline Why is factorization important? Shor s Algorithm Reduction to Order Finding Order Finding Algorithm
More informationFigure 1: Circuit for Simon s Algorithm. The above circuit corresponds to the following sequence of transformations.
CS 94 //09 Fourier Transform, Period Finding and Factoring in BQP Spring 009 Lecture 4 Recap: Simon s Algorithm Recall that in the Simon s problem, we are given a function f : Z n Zn (i.e. from n-bit strings
More informationTheoretical Cryptography, Lecture 13
Theoretical Cryptography, Lecture 13 Instructor: Manuel Blum Scribe: Ryan Williams March 1, 2006 1 Today Proof that Z p has a generator Overview of Integer Factoring Discrete Logarithm and Quadratic Residues
More informationQIP Note: On the Quantum Fourier Transform and Applications
QIP ote: On the Quantum Fourier Transform and Applications Ivan Damgård 1 Introduction This note introduces Fourier transforms over finite Abelian groups, and shows how this can be used to find the period
More informationAdvanced Cryptography Quantum Algorithms Christophe Petit
The threat of quantum computers Advanced Cryptography Quantum Algorithms Christophe Petit University of Oxford Christophe Petit -Advanced Cryptography 1 Christophe Petit -Advanced Cryptography 2 The threat
More information1 Quantum Circuits. CS Quantum Complexity theory 1/31/07 Spring 2007 Lecture Class P - Polynomial Time
CS 94- Quantum Complexity theory 1/31/07 Spring 007 Lecture 5 1 Quantum Circuits A quantum circuit implements a unitary operator in a ilbert space, given as primitive a (usually finite) collection of gates
More informationLecture 9: Phase Estimation
CS 880: Quantum Information Processing 9/3/010 Lecture 9: Phase Estimation Instructor: Dieter van Melkebeek Scribe: Hesam Dashti Last lecture we reviewed the classical setting of the Fourier Transform
More informationLecture Examples of problems which have randomized algorithms
6.841 Advanced Complexity Theory March 9, 2009 Lecture 10 Lecturer: Madhu Sudan Scribe: Asilata Bapat Meeting to talk about final projects on Wednesday, 11 March 2009, from 5pm to 7pm. Location: TBA. Includes
More informationShor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015
Shor s Algorithm Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015 Integer factorization n = p q (where p, q are prime numbers) is a cryptographic one-way function Classical algorithm with best
More informationCompute the Fourier transform on the first register to get x {0,1} n x 0.
CS 94 Recursive Fourier Sampling, Simon s Algorithm /5/009 Spring 009 Lecture 3 1 Review Recall that we can write any classical circuit x f(x) as a reversible circuit R f. We can view R f as a unitary
More informationLecture 11: Cantor-Zassenhaus Algorithm
CS681 Computational Number Theory Lecture 11: Cantor-Zassenhaus Algorithm Instructor: Piyush P Kurur Scribe: Ramprasad Saptharishi Overview In this class, we shall look at the Cantor-Zassenhaus randomized
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 6, 2017 CPSC 467, Lecture 18 1/52 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationNotes for Lecture 25
U.C. Berkeley CS276: Cryptography Handout N25 Luca Trevisan April 23, 2009 Notes for Lecture 25 Scribed by Alexandra Constantin, posted May 4, 2009 Summary Today we show that the graph isomorphism protocol
More informationQuantum algorithms for computing short discrete logarithms and factoring RSA integers
Quantum algorithms for computing short discrete logarithms and factoring RSA integers Martin Ekerå, Johan Håstad February, 07 Abstract In this paper we generalize the quantum algorithm for computing short
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationMATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences.
MATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences. Congruences Let n be a postive integer. The integers a and b are called congruent modulo n if they have the same
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationFourier Sampling & Simon s Algorithm
Chapter 4 Fourier Sampling & Simon s Algorithm 4.1 Reversible Computation A quantum circuit acting on n qubits is described by an n n unitary operator U. Since U is unitary, UU = U U = I. This implies
More informationPh 219b/CS 219b. Exercises Due: Wednesday 20 November 2013
1 h 219b/CS 219b Exercises Due: Wednesday 20 November 2013 3.1 Universal quantum gates I In this exercise and the two that follow, we will establish that several simple sets of gates are universal for
More informationIntroduction to Quantum Computing
Introduction to Quantum Computing The lecture notes were prepared according to Peter Shor s papers Quantum Computing and Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a
More informationIntroduction to Quantum Information Processing CS 467 / CS 667 Phys 667 / Phys 767 C&O 481 / C&O 681
Introduction to Quantum Information Processing CS 467 / CS 667 Phys 667 / Phys 767 C&O 48 / C&O 68 Lecture (2) Richard Cleve DC 27 cleve@cs.uwaterloo.ca Order-finding via eigenvalue estimation 2 Order-finding
More informationLecture 8: Linearity and Assignment Testing
CE 533: The PCP Theorem and Hardness of Approximation (Autumn 2005) Lecture 8: Linearity and Assignment Testing 26 October 2005 Lecturer: Venkat Guruswami cribe: Paul Pham & Venkat Guruswami 1 Recap In
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationQuantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem
Quantum Computing Lecture Notes, Extra Chapter Hidden Subgroup Problem Ronald de Wolf 1 Hidden Subgroup Problem 1.1 Group theory reminder A group G consists of a set of elements (which is usually denoted
More informationChapter 10. Quantum algorithms
Chapter 10. Quantum algorithms Complex numbers: a quick review Definition: C = { a + b i : a, b R } where i = 1. Polar form of z = a + b i is z = re iθ, where r = z = a 2 + b 2 and θ = tan 1 y x Alternatively,
More informationModular Arithmetic and Elementary Algebra
18.310 lecture notes September 2, 2013 Modular Arithmetic and Elementary Algebra Lecturer: Michel Goemans These notes cover basic notions in algebra which will be needed for discussing several topics of
More informationShor s Quantum Factorization Algorithm
Shor s Quantum Factorization Algorithm Tayeb Aïssiou Department of Mathematics and Statistics McGill University, Montreal, Quebec Canada H3A K6 e-mail: tayeb.aissiou@mail.mcgill.ca November, 5 Abstract
More informationLecture 10: Eigenvalue Estimation
CS 880: Quantum Information Processing 9/7/010 Lecture 10: Eigenvalue Estimation Instructor: Dieter van Melkebeek Scribe: Dalibor Zelený Last time we discussed the quantum Fourier transform, and introduced
More informationA new security notion for asymmetric encryption Draft #8
A new security notion for asymmetric encryption Draft #8 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationQUANTUM COMPUTATION. Exercise sheet 1. Ashley Montanaro, University of Bristol H Z U = 1 2
School of Mathematics Spring 017 QUANTUM COMPUTATION Exercise sheet 1 Ashley Montanaro, University of Bristol ashley.montanaro@bristol.ac.uk 1. The quantum circuit model. (a) Consider the following quantum
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationQuantum Complexity Theory and Adiabatic Computation
Chapter 9 Quantum Complexity Theory and Adiabatic Computation 9.1 Defining Quantum Complexity We are familiar with complexity theory in classical computer science: how quickly can a computer (or Turing
More informationComplex numbers: a quick review. Chapter 10. Quantum algorithms. Definition: where i = 1. Polar form of z = a + b i is z = re iθ, where
Chapter 0 Quantum algorithms Complex numbers: a quick review / 4 / 4 Definition: C = { a + b i : a, b R } where i = Polar form of z = a + b i is z = re iθ, where r = z = a + b and θ = tan y x Alternatively,
More informationRichard Cleve David R. Cheriton School of Computer Science Institute for Quantum Computing University of Waterloo
CS 497 Frontiers of Computer Science Introduction to Quantum Computing Lecture of http://www.cs.uwaterloo.ca/~cleve/cs497-f7 Richard Cleve David R. Cheriton School of Computer Science Institute for Quantum
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationAn integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.
Chapter 6 Prime Numbers Part VI of PJE. Definition and Fundamental Results Definition. (PJE definition 23.1.1) An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p. If n > 1
More informationQuantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 1: Quantum circuits and the abelian QFT
Quantum algorithms (CO 78, Winter 008) Prof. Andrew Childs, University of Waterloo LECTURE : Quantum circuits and the abelian QFT This is a course on quantum algorithms. It is intended for graduate students
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationLecture 7: Quantum Fourier Transform over Z N
Quantum Computation (CMU 18-859BB, Fall 015) Lecture 7: Quantum Fourier Transform over Z September 30, 015 Lecturer: Ryan O Donnell Scribe: Chris Jones 1 Overview Last time, we talked about two main topics:
More informationFactoring integers with a quantum computer
Factoring integers with a quantum computer Andrew Childs Department of Combinatorics and Optimization and Institute for Quantum Computing University of Waterloo Eighth Canadian Summer School on Quantum
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationQFT, Period Finding & Shor s Algorithm
Chapter 5 QFT, Period Finding & Shor s Algorithm 5 Quantum Fourier Transform Quantum Fourier Transform is a quantum implementation of the discreet Fourier transform You might be familiar with the discreet
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationSome notes on streaming algorithms continued
U.C. Berkeley CS170: Algorithms Handout LN-11-9 Christos Papadimitriou & Luca Trevisan November 9, 016 Some notes on streaming algorithms continued Today we complete our quick review of streaming algorithms.
More informationCSE20: Discrete Mathematics
Spring 2018 Today Greatest Common Divisor (GCD) Euclid s algorithm Proof of Correctness Reading: Chapter 4.3 Primes and GCD Universe: U = N = {0, 1, 2,...} a divides b (written a b) iff k.b = ak Set of
More informationCHAPTER 6. Prime Numbers. Definition and Fundamental Results
CHAPTER 6 Prime Numbers Part VI of PJE. Definition and Fundamental Results 6.1. Definition. (PJE definition 23.1.1) An integer p is prime if p > 1 and the only positive divisors of p are 1 and p. If n
More informationFactoring on a Quantum Computer
Factoring on a Quantum Computer The Essence Shor s Algorithm Wolfgang Polak wp@pocs.com Thanks to: Eleanor Rieffel Fuji Xerox Palo Alto Laboratory Wolfgang Polak San Jose State University, 4-14-010 - p.
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationone eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th
Exposing an RSA Private Key Given a Small Fraction of its Bits Dan Boneh Glenn Durfee y Yair Frankel dabo@cs.stanford.edu gdurf@cs.stanford.edu yfrankel@cs.columbia.edu Stanford University Stanford University
More informationIntroduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871
Introduction to Quantum Information Processing QIC 71 / CS 768 / PH 767 / CO 681 / AM 871 Lecture 8 (217) Jon Yard QNC 3126 jyard@uwaterloo.ca http://math.uwaterloo.ca/~jyard/qic71 1 Recap of: Eigenvalue
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 21 November 15, 2017 CPSC 467, Lecture 21 1/31 Secure Random Sequence Generators Pseudorandom sequence generators Looking random
More informationIntroduction to Quantum Computing
Introduction to Quantum Computing Petros Wallden Lecture 7: Complexity & Algorithms I 13th October 016 School of Informatics, University of Edinburgh Complexity - Computational Complexity: Classification
More informationCIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography 1 Review of Modular Arithmetic 2 Remainders and Congruency For any integer a and any positive
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 25, 2017 CPSC 467, Lecture 15 1/31 Primitive Roots Properties of primitive roots Lucas test Special form primes Functions
More informationQuantum Circuits and Algorithms
Quantum Circuits and Algorithms Modular Arithmetic, XOR Reversible Computation revisited Quantum Gates revisited A taste of quantum algorithms: Deutsch algorithm Other algorithms, general overviews Measurements
More informationIntroduction to Quantum Computing
Introduction to Quantum Computing Part I Emma Strubell http://cs.umaine.edu/~ema/quantum_tutorial.pdf April 12, 2011 Overview Outline What is quantum computing? Background Caveats Fundamental differences
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More information1 Measurements, Tensor Products, and Entanglement
Stanford University CS59Q: Quantum Computing Handout Luca Trevisan September 7, 0 Lecture In which we describe the quantum analogs of product distributions, independence, and conditional probability, and
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More informationInstructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test
Introduction to Algorithms (CS 482) Cornell University Instructor: Bobby Kleinberg Lecture Notes, 25 April 2008 The Miller-Rabin Randomized Primality Test 1 Introduction Primality testing is an important
More informationLecture 11 - Basic Number Theory.
Lecture 11 - Basic Number Theory. Boaz Barak October 20, 2005 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that a divides b,
More informationSimon s algorithm (1994)
Simon s algorithm (1994) Given a classical circuit C f (of polynomial size, in n) for an f : {0, 1} n {0, 1} n, such that for a certain s {0, 1} n \{0 n }: x, y {0, 1} n (x y) : f (x) = f (y) x y = s with
More informationNumber Theory. Modular Arithmetic
Number Theory The branch of mathematics that is important in IT security especially in cryptography. Deals only in integer numbers and the process can be done in a very fast manner. Modular Arithmetic
More informationVerification of quantum computation
Verification of quantum computation THOMAS VIDICK, CALIFORNIA INSTITUTE OF TECHNOLOGY Presentation based on the paper: Classical verification of quantum computation by U. Mahadev (IEEE symp. on Foundations
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationQUANTUM COMPUTATION. Lecture notes. Ashley Montanaro, University of Bristol 1 Introduction 2
School of Mathematics Spring 018 Contents QUANTUM COMPUTATION Lecture notes Ashley Montanaro, University of Bristol ashley.montanaro@bristol.ac.uk 1 Introduction Classical and quantum computational complexity
More informationALG 4.0 Number Theory Algorithms:
Algorithms Professor John Reif ALG 4.0 Number Theory Algorithms: (a) GCD (b) Multiplicative Inverse (c) Fermat & Euler's Theorems (d) Public Key Cryptographic Systems (e) Primality Testing Greatest Common
More informationLecture 15: The Hidden Subgroup Problem
CS 880: Quantum Information Processing 10/7/2010 Lecture 15: The Hidden Subgroup Problem Instructor: Dieter van Melkebeek Scribe: Hesam Dashti The Hidden Subgroup Problem is a particular type of symmetry
More informationCSC 5930/9010 Modern Cryptography: Number Theory
CSC 5930/9010 Modern Cryptography: Number Theory Professor Henry Carter Fall 2018 Recap Hash functions map arbitrary-length strings to fixedlength outputs Cryptographic hashes should be collision-resistant
More informationShor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017
Shor s Algorithm Polynomial-time Prime Factorization with Quantum Computing Sourabh Kulkarni October 13th, 2017 Content Church Thesis Prime Numbers and Cryptography Overview of Shor s Algorithm Implementation
More informationLecture 8: Finite fields
Lecture 8: Finite fields Rajat Mittal IIT Kanpur We have learnt about groups, rings, integral domains and fields till now. Fields have the maximum required properties and hence many nice theorems can be
More informationArthur-Merlin Streaming Complexity
Weizmann Institute of Science Joint work with Ran Raz Data Streams The data stream model is an abstraction commonly used for algorithms that process network traffic using sublinear space. A data stream
More information2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.
CHAPTER 2 INTRODUCTION TO NUMBER THEORY ANSWERS TO QUESTIONS 2.1 A nonzero b is a divisor of a if a = mb for some m, where a, b, and m are integers. That is, b is a divisor of a if there is no remainder
More informationStanford University CS366: Graph Partitioning and Expanders Handout 13 Luca Trevisan March 4, 2013
Stanford University CS366: Graph Partitioning and Expanders Handout 13 Luca Trevisan March 4, 2013 Lecture 13 In which we construct a family of expander graphs. The problem of constructing expander graphs
More informationQuantum algorithms (CO 781/CS 867/QIC 823, Winter 2013) Andrew Childs, University of Waterloo LECTURE 13: Query complexity and the polynomial method
Quantum algorithms (CO 781/CS 867/QIC 823, Winter 2013) Andrew Childs, University of Waterloo LECTURE 13: Query complexity and the polynomial method So far, we have discussed several different kinds of
More informationQuantum Fourier Transforms
Quantum Fourier Transforms Burton Rosenberg November 10, 2003 Fundamental notions First, review and maybe introduce some notation. It s all about functions from G to C. A vector is consider a function
More informationADVANCED QUANTUM INFORMATION THEORY
CDT in Quantum Engineering Spring 016 Contents ADVANCED QUANTUM INFORMATION THEORY Lecture notes Ashley Montanaro, University of Bristol ashley.montanaro@bristol.ac.uk 1 Introduction Classical and quantum
More informationShor Factorization Algorithm
qitd52 Shor Factorization Algorithm Robert B. Griffiths Version of 7 March 202 References: Mermin = N. D. Mermin, Quantum Computer Science (Cambridge University Press, 2007), Ch. 3 QCQI = M. A. Nielsen
More informationarxiv:quant-ph/ v1 15 Jan 2006
Shor s algorithm with fewer (pure) qubits arxiv:quant-ph/0601097v1 15 Jan 2006 Christof Zalka February 1, 2008 Abstract In this note we consider optimised circuits for implementing Shor s quantum factoring
More informationHOMEWORK 11 MATH 4753
HOMEWORK 11 MATH 4753 Recall that R = Z[x]/(x N 1) where N > 1. For p > 1 any modulus (not necessarily prime), R p = (Z/pZ)[x]/(x N 1). We do not assume p, q are prime below unless otherwise stated. Question
More informationShort Course in Quantum Information Lecture 5
Short Course in Quantum Information Lecture 5 Quantum Algorithms Prof. Andrew Landahl University of New Mexico Course Info All materials downloadable @ website http://info.phys.unm.edu/~deutschgroup/deutschclasses.html
More informationIntroduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871
Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871 Lecture 1 (2017) Jon Yard QNC 3126 jyard@uwaterloo.ca TAs Nitica Sakharwade nsakharwade@perimeterinstitute.ca
More informationLinear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:
Linear Congruences The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence: ax b (mod m), a, b Z, m N +. (1) If x 0 is a solution then so is x k :=
More informationPh 219b/CS 219b. Exercises Due: Wednesday 4 December 2013
1 Ph 219b/CS 219b Exercises Due: Wednesday 4 December 2013 4.1 The peak in the Fourier transform In the period finding algorithm we prepared the periodic state A 1 1 x 0 + jr, (1) A j=0 where A is the
More informationSolutions to homework 2
ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme
More informationQuantum Computing. 6. Quantum Computer Architecture 7. Quantum Computers and Complexity
Quantum Computing 1. Quantum States and Quantum Gates 2. Multiple Qubits and Entangled States 3. Quantum Gate Arrays 4. Quantum Parallelism 5. Examples of Quantum Algorithms 1. Grover s Unstructured Search
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationC/CS/Phys 191 Shor s order (period) finding algorithm and factoring 11/01/05 Fall 2005 Lecture 19
C/CS/Phys 9 Shor s order (period) finding algorithm and factoring /0/05 Fall 2005 Lecture 9 Readings Benenti et al., Ch. 3.2-3.4 Stolze and Suter, uantum Computing, Ch. 8.3 Nielsen and Chuang, uantum Computation
More informationCS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II
CS 5319 Advanced Discrete Structure Lecture 9: Introduction to Number Theory II Divisibility Outline Greatest Common Divisor Fundamental Theorem of Arithmetic Modular Arithmetic Euler Phi Function RSA
More informationSecurity Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2
Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 ) December 2001 Contents Summary 2 Detailed Evaluation 3 1 The Elliptic Curve Method 3 1.1 The ECM applied to N = p d............................
More informationPseudorandom Generators
Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators
More informationMathematics for Cryptography
Mathematics for Cryptography Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G1, Canada March 15, 2016 1 Groups and Modular Arithmetic 1.1
More informationarxiv:quant-ph/ v2 22 Jan 2004
Shor s discrete logarithm quantum algorithm for elliptic curves arxiv:quant-ph/0301141v2 22 Jan 2004 John Proos and Christof Zalka Department of Combinatorics and Optimization University of Waterloo, Waterloo,
More informationNotes for Lecture 11
Stanford University CS254: Computational Complexity Notes 11 Luca Trevisan 2/11/2014 Notes for Lecture 11 Circuit Lower Bounds for Parity Using Polynomials In this lecture we prove a lower bound on the
More informationQuantum Computing and Shor s Algorithm
Quantum Computing and Shor s Algorithm Tristan Moore June 7, 06 Abstract This paper covers the basic aspects of the mathematical formalism of quantum mechanics in general and quantum computing in particular,
More information