3. Focus on secure cryptosystems. How do we know what a quantum computer will do?

Transcription

1 Cryptographic readiness levels, and the impact of quantum computers Daniel J. Bernstein How is crypto developed? How confident are we that crypto is secure? Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. How do we know what a quantum computer will do?

2 Cryptographic readiness levels, and the impact of quantum computers Daniel J. Bernstein How is crypto developed? How confident are we that crypto is secure? How do we know what a quantum computer will do? Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 5. Study implementations on real hardware: e.g., software for popular CPUs.

3 aphic readiness levels, impact um computers. Bernstein crypto developed? onfident are we ypto is secure? o we know what a m computer will do? Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 5. Study implementations on real hardware: e.g., software for popular CPUs. 6. Study fault 7. Focus imple 8. Focus meeti requir

4 iness levels, ters veloped? re we cure? what a ter will do? Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 5. Study implementations on real hardware: e.g., software for popular CPUs. 6. Study side-chan fault attacks, et 7. Focus on secure implementation 8. Focus on imple meeting perform requirements.

5 ls,? Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 5. Study implementations on real hardware: e.g., software for popular CPUs. 6. Study side-channel attack fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementation meeting performance requirements.

6 Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 5. Study implementations on real hardware: e.g., software for popular CPUs.

7 Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 9. Integrate securely into real-world applications. 5. Study implementations on real hardware: e.g., software for popular CPUs.

8 Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 5. Study implementations on real hardware: e.g., software for popular CPUs. 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 9. Integrate securely into real-world applications. Getting all this right takes time: e.g., elliptic-curve cryptography (ECC) entered stage 1 in 1985.

9 ges of research ptographic design orld deployment: re space of systems. algorithms for the ers. on secure cryptosystems. algorithms for the users. implementations l hardware: e.g., are for popular CPUs. 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 9. Integrate securely into real-world applications. Getting all this right takes time: e.g., elliptic-curve cryptography (ECC) entered stage 1 in What s t Case stu famous l 2006 Silv and CVP studied f both as problems pure and physics a Best SVP by 2000: almost a

10 earch design yment: f s for the cryptosystems. s for the users. tations e: e.g., ular CPUs. 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 9. Integrate securely into real-world applications. Getting all this right takes time: e.g., elliptic-curve cryptography (ECC) entered stage 1 in What s the best at Case study: SVP, famous lattice prob 2006 Silverman: and CVP, have bee studied for more th both as intrinsic m problems and for a pure and applied m physics and crypto Best SVP algorithm by 2000: time 2 Θ( almost all dimensio

11 stems. users. s. 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 9. Integrate securely into real-world applications. Getting all this right takes time: e.g., elliptic-curve cryptography (ECC) entered stage 1 in What s the best attack algor Case study: SVP, the most famous lattice problem Silverman: Lattices, S and CVP, have been intensiv studied for more than 100 ye both as intrinsic mathematic problems and for application pure and applied mathemati physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattic

12 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 9. Integrate securely into real-world applications. Getting all this right takes time: e.g., elliptic-curve cryptography (ECC) entered stage 1 in What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices.

13 side-channel attacks, attacks, etc. on secure, reliable mentations. on implementations ng performance ements. ate securely into orld applications. ll this right takes time: tic-curve cryptography ntered stage 1 in What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP today: 2 Approx c believed 0:415: 2 0:415: 2

14 nel attacks, c., reliable s. mentations ance ly into cations. ht takes time: cryptography ge 1 in What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithm today: 2 Θ(N). Approx c for some believed to take tim 0:415: 2008 Nguye 0:415: 2010 Micci

15 s, s me: hy 85. What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithm believed to take time 2 (c+o( 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Vou

16 What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices.

17 What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices.

18 What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices.

19 What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices.

20 What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. 0:298: 2015 Laarhoven de Weger. 0:292: 2015 Becker Ducas Gama Laarhoven.

21 What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. 0:298: 2015 Laarhoven de Weger. 0:292: 2015 Becker Ducas Gama Laarhoven. Lattice crypto: more attack avenues; even less understanding.

22 he best attack algorithm? dy: SVP, the most attice problem. erman: Lattices, SVP, have been intensively or more than 100 years, intrinsic mathematical and for applications in applied mathematics, nd cryptography. algorithms known time 2 Θ(N log N) for ll dimension-n lattices. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. 0:298: 2015 Laarhoven de Weger. 0:292: 2015 Becker Ducas Gama Laarhoven. Lattice crypto: more attack avenues; even less understanding. Code-ba Some pa against Pra 1981 Om 1988 Lee 1988 Leo 1989 Kro 1989 Ste 1989 Du 1990 Co 1990 van 1991 Du 1991 Co

23 tack algorithm? the most lem. Lattices, SVP n intensively an 100 years, athematical pplications in athematics, graphy. s known N log N) for n-n lattices. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. 0:298: 2015 Laarhoven de Weger. 0:292: 2015 Becker Ducas Gama Laarhoven. Lattice crypto: more attack avenues; even less understanding. Code-based crypto Some papers study against 1978 McEl 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Good 1990 van Tilburg Dumer Coffey Good

24 ithm? VP ely ars, al s in cs, es. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. 0:298: 2015 Laarhoven de Weger. 0:292: 2015 Becker Ducas Gama Laarhoven. Lattice crypto: more attack avenues; even less understanding. Code-based cryptography Some papers studying attack against 1978 McEliece system 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Goodman van Tilburg Dumer Coffey Goodman Farre

25 Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. 0:298: 2015 Laarhoven de Weger. 0:292: 2015 Becker Ducas Gama Laarhoven. Lattice crypto: more attack avenues; even less understanding. Code-based cryptography Some papers studying attacks against 1978 McEliece system: 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Goodman van Tilburg Dumer Coffey Goodman Farrell.

26 algorithms known Θ(N). for some algorithms to take time 2 (c+o(1))n : 008 Nguyen Vidick. 010 Micciancio Voulgaris. 011 Wang Liu Tian Bi. 013 Zhang Pan Hu. 014 Laarhoven. 015 Laarhoven de Weger. 015 Becker Ducas ama Laarhoven. rypto: more attack even less understanding. Code-based cryptography Some papers studying attacks against 1978 McEliece system: 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Goodman van Tilburg Dumer Coffey Goodman Farrell Ch 1993 Ch 1994 van 1994 Ca 1998 Ca 1998 Ca 2008 Be 2009 Be van 2009 Be 2009 Fin 2010 Be 2011 Ma 2011 Be 2012 Be

27 s known algorithms e 2 (c+o(1))n : n Vidick. ancio Voulgaris. Liu Tian Bi. Pan Hu. oven. oven de Weger. r Ducas hoven. re attack understanding. Code-based cryptography Some papers studying attacks against 1978 McEliece system: 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Goodman van Tilburg Dumer Coffey Goodman Farrell Chabanne C 1993 Chabaud van Tilburg Canteaut Ch 1998 Canteaut Ch 1998 Canteaut Se 2008 Bernstein La 2009 Bernstein La van Tilborg Bernstein (po 2009 Finiasz Send 2010 Bernstein La 2011 May Meurer 2011 Becker Coro 2012 Becker Joux

28 s 1))N : lgaris.. Bi. eger. ding. Code-based cryptography Some papers studying attacks against 1978 McEliece system: 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Goodman van Tilburg Dumer Coffey Goodman Farrell Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peter 2009 Bernstein Lange Peter van Tilborg Bernstein (post-quantu 2009 Finiasz Sendrier Bernstein Lange Peter 2011 May Meurer Thomae Becker Coron Joux Becker Joux May Meu

29 Code-based cryptography Some papers studying attacks against 1978 McEliece system: 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Goodman van Tilburg Dumer Coffey Goodman Farrell Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer.

30 sed cryptography pers studying attacks 978 McEliece system: nge. ura. Brickell. n. uk. rn. mer. ffey Goodman. Tilburg. mer. ffey Goodman Farrell Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Be Me 2015 Ma

31 graphy ing attacks iece system: man. man Farrell Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Bernstein Je Meurer (post 2015 May Ozerov.

32 s : ll Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Bernstein Jeffery Lang Meurer (post-quantum 2015 May Ozerov.

33 1993 Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov.

34 1993 Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0:

35 1993 Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0: Key size needed for 2 b security vs. best pre-quantum attack known today: (C 0 + o(1))b 2 (lg b) 2.

36 1993 Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0: Key size needed for 2 b security vs. best pre-quantum attack known today: (C 0 + o(1))b 2 (lg b) 2. Key size needed for 2 b security vs. best quantum attack known today: (4C 0 + o(1))b 2 (lg b) 2.

37 abanne Courteau. abaud. Tilburg. nteaut Chabanne. nteaut Chabaud. nteaut Sendrier. rnstein Lange Peters. rnstein Lange Peters Tilborg. rnstein (post-quantum). iasz Sendrier. rnstein Lange Peters. y Meurer Thomae. cker Coron Joux. cker Joux May Meurer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0: Key size needed for 2 b security vs. best pre-quantum attack known today: (C 0 + o(1))b 2 (lg b) 2. Key size needed for 2 b security vs. best quantum attack known today: (4C 0 + o(1))b 2 (lg b) 2. What is Quantum stores m can effic Hadam controll Making is the m comput Combine to comp : : : Sim : : : Sho : : : Gro

38 ourteau. abanne. abaud. ndrier. nge Peters. nge Peters st-quantum). rier. nge Peters. Thomae. n Joux. May Meurer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0: Key size needed for 2 b security vs. best pre-quantum attack known today: (C 0 + o(1))b 2 (lg b) 2. Key size needed for 2 b security vs. best quantum attack known today: (4C 0 + o(1))b 2 (lg b) 2. What is a quantum Quantum compute stores many qubi can efficiently perf Hadamard gate, controlled NOT g Making these ins is the main goal computer engine Combine these ins to compute Toffo : : : Simon s algor : : : Shor s algorit : : : Grover s algo

39 s. s m). s. rer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0: Key size needed for 2 b security vs. best pre-quantum attack known today: (C 0 + o(1))b 2 (lg b) 2. Key size needed for 2 b security vs. best quantum attack known today: (4C 0 + o(1))b 2 (lg b) 2. What is a quantum compute Quantum computer type 1 ( stores many qubits ; can efficiently perform Hadamard gate, T gate controlled NOT gate. Making these instructions is the main goal of quantu computer engineering. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; et

40 2013 Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0: Key size needed for 2 b security vs. best pre-quantum attack known today: (C 0 + o(1))b 2 (lg b) 2. Key size needed for 2 b security vs. best quantum attack known today: (4C 0 + o(1))b 2 (lg b) 2. What is a quantum computer? Quantum computer type 1 (QC1): stores many qubits ; can efficiently perform Hadamard gate, T gate, controlled NOT gate. Making these instructions work is the main goal of quantumcomputer engineering. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; etc.

41 rnstein Jeffery Lange urer (post-quantum). y Ozerov. needed for 2 b security attack known in 1978: 1))b 2 (lg b) 2. 0: needed for 2 b security pre-quantum attack day: 1))b 2 (lg b) 2. needed for 2 b security quantum attack known 4C 0 + o(1))b 2 (lg b) 2. What is a quantum computer? Quantum computer type 1 (QC1): stores many qubits ; can efficiently perform Hadamard gate, T gate, controlled NOT gate. Making these instructions work is the main goal of quantumcomputer engineering. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; etc. Quantum stores a efficientl laws of q with as m This is t quantum by 1982 physics w

42 ffery Lange -quantum). r 2 b security wn in 1978: ) r 2 b security m attack ) 2. r 2 b security ttack known ))b 2 (lg b) 2. What is a quantum computer? Quantum computer type 1 (QC1): stores many qubits ; can efficiently perform Hadamard gate, T gate, controlled NOT gate. Making these instructions work is the main goal of quantumcomputer engineering. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; etc. Quantum compute stores a simulated efficiently simulate laws of quantum p with as much accu This is the original quantum compute by 1982 Feynman physics with comp

43 e ). ity 8: ity ity wn 2. What is a quantum computer? Quantum computer type 1 (QC1): stores many qubits ; can efficiently perform Hadamard gate, T gate, controlled NOT gate. Making these instructions work is the main goal of quantumcomputer engineering. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; etc. Quantum computer type 2 ( stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as de This is the original concept o quantum computers introduc by 1982 Feynman Simulatin physics with computers.

44 What is a quantum computer? Quantum computer type 1 (QC1): stores many qubits ; can efficiently perform Hadamard gate, T gate, controlled NOT gate. Making these instructions work is the main goal of quantumcomputer engineering. Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; etc.

45 What is a quantum computer? Quantum computer type 1 (QC1): stores many qubits ; can efficiently perform Hadamard gate, T gate, controlled NOT gate. Making these instructions work is the main goal of quantumcomputer engineering. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; etc. Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories.

46 a quantum computer? computer type 1 (QC1): any qubits ; iently perform ard gate, T gate, ed NOT gate. these instructions work ain goal of quantumer engineering. these instructions ute Toffoli gate ; on s algorithm ; r s algorithm ; ver s algorithm ; etc. Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories. Quantum efficientl that any can com

47 computer? r type 1 (QC1): ts ; orm T gate, ate. tructions work of quantumering. tructions li gate ; ithm ; hm ; rithm ; etc. Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories. Quantum compute efficiently compute that any physical c can compute effici

48 r? QC1):, work m- c. Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories. Quantum computer type 3 ( efficiently computes anything that any physical computer can compute efficiently.

49 Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. Quantum computer type 3 (QC3): efficiently computes anything that any physical computer can compute efficiently. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories.

50 Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories. Quantum computer type 3 (QC3): efficiently computes anything that any physical computer can compute efficiently. General belief: any QC2 is a QC3. Argument for belief: any physical computer must follow the laws of quantum physics, so a QC2 can efficiently simulate any physical computer.

51 Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories. Quantum computer type 3 (QC3): efficiently computes anything that any physical computer can compute efficiently. General belief: any QC2 is a QC3. Argument for belief: any physical computer must follow the laws of quantum physics, so a QC2 can efficiently simulate any physical computer. General belief: any QC3 is a QC1. Argument for belief: look, we re building a QC1.