Factoring integers with a quantum computer
|
|
- Amber Douglas
- 5 years ago
- Views:
Transcription
1 Factoring integers with a quantum computer Andrew Childs Department of Combinatorics and Optimization and Institute for Quantum Computing University of Waterloo Eighth Canadian Summer School on Quantum Information Montreal, Quebec, 10 June 2008
2 The fundamental theorem of arithmetic Every positive integer larger than 1 can be uniquely* factored as a product of prime numbers. =2 n 2 3 n 3 5 n 5 * Up to the order of the factors.
3 Examples 15 =
4 Examples 15 = 3 5
5 Examples 15 = =
6 Examples 15 = = 7 13
7 Examples 15 = = =
8 Examples 15 = = =
9 The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. It has engaged the industry and wisdom of ancient and modern geometers to such an extent that it would be superfluous to discuss the problem at length... Further, the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated. Carl Friedrich Gauss, Disquisitiones Arithmeticæ (1801)
10 RSA public-key cryptosystem M message Rivest, Shamir, Adleman 1977
11 RSA public-key cryptosystem M message M M Rivest, Shamir, Adleman 1977
12 RSA public-key cryptosystem M message Rivest, Shamir, Adleman 1977
13 RSA public-key cryptosystem M message primes p, q Rivest, Shamir, Adleman 1977
14 RSA public-key cryptosystem M message primes p, q n = pq Rivest, Shamir, Adleman 1977
15 RSA public-key cryptosystem M message primes p, q n = pq e Z (p 1)(q 1) encryption key Rivest, Shamir, Adleman 1977
16 RSA public-key cryptosystem M message primes p, q n = pq e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key Rivest, Shamir, Adleman 1977
17 RSA public-key cryptosystem M message primes p, q n n n = pq e e e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key Rivest, Shamir, Adleman 1977
18 RSA public-key cryptosystem M message primes p, q n n n = pq e e e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key C := M e mod n cyphertext Rivest, Shamir, Adleman 1977
19 RSA public-key cryptosystem M message primes p, q n n n = pq e e e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key C := M e mod n cyphertext C C Rivest, Shamir, Adleman 1977
20 RSA public-key cryptosystem M message primes p, q n n n = pq e e e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key C := M e mod n cyphertext C C d Rivest, Shamir, Adleman 1977
21 RSA public-key cryptosystem M message primes p, q n n n = pq e e e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key C := M e mod n cyphertext C C d = M ed mod n Rivest, Shamir, Adleman 1977
22 RSA public-key cryptosystem M message primes p, q n n n = pq e e e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key C := M e mod n cyphertext C C d = M ed mod n = M Rivest, Shamir, Adleman 1977
23 Outline Integers The quantum Fourier transform Period finding over Z Period finding over Z Reduction of factoring to period finding Beyond factoring
24 Z
25 All else is the work of man Z = {..., 3, 2, 1, 0, 1, 2, 3,...}
26 All else is the work of man Z = {..., 3, 2, 1, 0, 1, 2, 3,...} Z = { 0 := {...,,0,, 2,...} 1 := {..., +1, 1, +1, 2 +1,...} 2 := {..., +2, 2, +2, 2 +2,...}... 1 := {..., 1, 1, 1, 2 1,...} }
27 Multiplication modulo Z = {j Z : k, jk =1}
28 Multiplication modulo Z = {j Z : k, jk =1} ϕ() := Z
29 Multiplication modulo Z = {j Z : k, jk =1} ϕ() := Z ϕ(p) =p 1
30 Multiplication modulo Z = {j Z : k, jk =1} ϕ() := Z ϕ(p) =p 1 ϕ(p n )=(p 1)p n 1
31 Multiplication modulo Z = {j Z : k, jk =1} ϕ() := Z ϕ(p) =p 1 ϕ(p n )=(p 1)p n 1 ϕ(p n 1 1 pn k k )=(p 1 1)p n (p k 1)p n k 1 k
32 Multiplication modulo Z = {j Z : k, jk =1} ϕ() := Z ϕ(p) =p 1 ϕ(p n )=(p 1)p n 1 ϕ(p n 1 1 pn k k )=(p 1 1)p n 1 1 (p 1 k 1)p n k 1 k φ n n 1.0 Fact: ϕ() = Ω ( 1 log log ) n
33 The quantum Fourier transform
34 Quantum Fourier transform over Z ω := e 2πi/ x F Z 1 y Z ω xy y
35 Quantum Fourier transform over Z ω := e 2πi/ x F Z 1 ω xy y y Z F Z = 1 = 1 x,y Z ω xy y x ω ω 2 ω 1 1 ω 2 ω 4 ω ω 1 ω 2 2 ω ( 1)( 1)
36 Quantum Fourier transform over Z ω := e 2πi/ x F Z 1 ω xy y y Z F Z = 1 = 1 x,y Z ω xy y x ω ω 2 ω 1 1 ω 2 ω 4 ω ω 1 ω 2 2 ω ( 1)( 1)
37 Examples
38 Examples F Z2 = 1 ( ) = H (Hadamard gate)
39 Examples F Z2 = 1 ( ) = H (Hadamard gate) F Z3 = ω 3 ω ω3 2 ω 3
40 Examples F Z2 = 1 ( ) = H (Hadamard gate) F Z3 = ω 3 ω ω3 2 ω 3 F Z6 = ω 6 ω6 2 ω6 3 ω6 4 ω ω6 2 ω6 4 1 ω6 2 ω6 4 1 ω6 3 1 ω6 3 1 ω6 3 1 ω6 4 ω6 2 1 ω6 4 ω6 2 1 ω6 5 ω6 4 ω6 3 ω6 2 ω 6
41 Examples F Z2 = 1 ( ) = H (Hadamard gate) F Z3 = ω 3 ω ω3 2 ω 3 F Z6 = ω 6 ω6 2 ω6 3 ω6 4 ω ω6 2 ω6 4 1 ω6 2 ω6 4 1 ω6 3 1 ω6 3 1 ω6 3 1 ω6 4 ω6 2 1 ω6 4 ω6 2 = ω3 2 ω 3 1 ω3 2 ω 3 1 ω 3 ω3 2 1 ω 3 ω ω3 2 ω 3 1 ω3 2 ω 3 1 ω 5 6 ω 4 6 ω 3 6 ω 2 6 ω 6 1 ω 3 ω ω 3 ω 2 3
42 Examples F Z2 = 1 ( ) = H (Hadamard gate) F Z3 = ω 3 ω ω3 2 ω 3 F Z6 = ω 6 ω6 2 ω6 3 ω6 4 ω ω6 2 ω6 4 1 ω6 2 ω6 4 1 ω6 3 1 ω6 3 1 ω6 3 1 ω6 4 ω6 2 1 ω6 4 ω6 2 = ω3 2 ω 3 1 ω3 2 ω 3 1 ω 3 ω3 2 1 ω 3 ω ω3 2 ω 3 1 ω3 2 ω 3 1 ω 5 6 ω 4 6 ω 3 6 ω 2 6 ω 6 1 ω 3 ω ω 3 ω 2 3 = F Z2 F Z3 by the isomorphism Z 6 = Z 2 Z 3
43 QFT implementation ( = 2 n ) Write x = n 1 2j x j,y= n 1 2j y j.
44 QFT implementation ( = 2 n ) Write x = n 1 2j x j,y= n 1 2j y j. F Z2 n x = 1 2 n = 1 2 n = 1 2 n = = n 1 n 1 y {0,1} n ω x( y {0,1} n n 1 P n 1 2j y j ) 2 n y 0 y n 1 n 1 y j {0,1} ω xy j2 j 2 n y j e 2πi xy j/2 n j y j 1 2 ( 0 + e 2πix2j /2 n 1 ) 1 2 ( 0 + e 2πi P n 1 k=0 2j+k n x k 1 )
45 QFT implementation ( = 2 n ) Write x = n 1 2j x j,y= n 1 2j y j. F Z2 n x = 1 2 n = 1 2 n = 1 2 n = = n 1 n 1 y {0,1} n ω x( y {0,1} n n 1 P n 1 2j y j ) 2 n y 0 y n 1 n 1 y j {0,1} ω xy j2 j 2 n y j e 2πi xy j/2 n j y j 1 2 ( 0 + e 2πix2j /2 n 1 ) 1 2 ( 0 + e 2πi P n 1 k=0 2j+k n x k 1 )
46 QFT implementation ( = 2 n ) Write x = n 1 2j x j,y= n 1 2j y j. F Z2 n x = 1 2 n = 1 2 n = 1 2 n = = n 1 n 1 y {0,1} n ω x( y {0,1} n n 1 P n 1 2j y j ) 2 n y 0 y n 1 n 1 y j {0,1} ω xy j2 j 2 n y j e 2πi xy j/2 n j y j 1 2 ( 0 + e 2πix2j /2 n 1 ) 1 2 ( 0 + e 2πi P n 1 k=0 2j+k n x k 1 )
47 QFT implementation ( = 2 n ) Write x = n 1 2j x j,y= n 1 2j y j. F Z2 n x = 1 2 n = 1 2 n = 1 2 n = = n 1 n 1 y {0,1} n ω x( y {0,1} n n 1 P n 1 2j y j ) 2 n y 0 y n 1 n 1 y j {0,1} ω xy j2 j 2 n y j e 2πi xy j/2 n j y j 1 2 ( 0 + e 2πix2j /2 n 1 ) 1 2 ( 0 + e 2πi P n 1 k=0 2j+k n x k 1 )
48 QFT implementation ( = 2 n ) Write x = n 1 2j x j,y= n 1 2j y j. F Z2 n x = 1 2 n = 1 2 n = 1 2 n = = n 1 n 1 y {0,1} n ω x( y {0,1} n n 1 P n 1 2j y j ) 2 n y 0 y n 1 n 1 y j {0,1} ω xy j2 j 2 n y j e 2πi xy j/2 n j y j 1 2 ( 0 + e 2πix2j /2 n 1 ) 1 2 ( 0 + e 2πi P n 1 k=0 2j+k n x k 1 )
49 QFT circuit We have F Z2 n x = n 1 z j where z j = 1 2 ( 0 + e 2πi(2j n x 0 +2 j+1 n x x n 1 j ) 1 )
50 QFT circuit We have F Z2 n x = n 1 z j where z j = 1 2 ( 0 + e 2πi(2j n x 0 +2 j+1 n x x n 1 j ) 1 ) Quantum circuit: x 0 H z n 1 x 1 H.. R 2 z n 2.. x n 3 z 2 x n 2 H x n 1 H R 2 R 3 R n 1 R 2 R n 2 R n 1 z 1 R n z = R r e 2πi/2r note reversal of order
51 More general QFTs There are efficient quantum circuits for F Z for general ; see Kitaev, Quantum measurements and the abelian stabilizer problem, quantph/ Hales and Hallgren, An improved quantum Fourier transform algorithm and applications, FOCS 2000
52 More general QFTs There are efficient quantum circuits for F Z for general ; see Kitaev, Quantum measurements and the abelian stabilizer problem, quantph/ Hales and Hallgren, An improved quantum Fourier transform algorithm and applications, FOCS 2000 In general, F Z1 Z k = F Z1 F Zk
53 More general QFTs There are efficient quantum circuits for F Z for general ; see Kitaev, Quantum measurements and the abelian stabilizer problem, quantph/ Hales and Hallgren, An improved quantum Fourier transform algorithm and applications, FOCS 2000 In general, F Z1 Z k = F Z1 F Zk Example: F (Z2 ) n = H H
54 More general QFTs There are efficient quantum circuits for F Z for general ; see Kitaev, Quantum measurements and the abelian stabilizer problem, quantph/ Hales and Hallgren, An improved quantum Fourier transform algorithm and applications, FOCS 2000 In general, F Z1 Z k = F Z1 F Zk Example: F (Z2 ) n = H H We can also define a Fourier transform for a nonabelian group; many of these can be implemented efficiently as well.
55 Period finding over Z
56 Periodic functions A function f : Z S is periodic with period r Z if f(x) =f(y) if x y r Z
57 Periodic functions A function f : Z S is periodic with period r Z if Example (=32): f(x) =f(y) if x y r Z f x x 1 2 1
58 Periodic functions A function f : Z S is periodic with period r Z if Example (=32): f(x) =f(y) if x y r Z f x x (otice that r must divide.)
59 Periodic functions A function f : Z S is injectively periodic with period r Z if f(x) =f(y) if and only if x y r Z
60 Periodic functions A function f : Z S is injectively periodic with period r Z if f(x) =f(y) if and only if x y r Z f x x 1 2 1
61 Periodic functions A function f : Z S is injectively periodic with period r Z if f(x) =f(y) if and only if x y r Z f x x periodic, but not injectively periodic
62 Periodic functions A function f : Z S is injectively periodic with period r Z if Example ( = 32): f(x) =f(y) if and only if x y r Z f x x 1 2 1
63 Periodic functions A function f : Z S is injectively periodic with period r Z if Example ( = 32): f(x) =f(y) if and only if x y r Z f x x 1 2 1
64 Producing a periodic state
65 Producing a periodic state Create the state Z := 1 x Z x
66 Producing a periodic state Create the state Z := 1 Append 0 and compute f: 1 x Z x x Z x, f(x)
67 Producing a periodic state Create the state Z := 1 Append 0 and compute f: 1 x Z x x Z x, f(x) Measure the second register: r r 1 s + jr s uniformly random classical value f(s)
68 Producing a periodic state Create the state Z := 1 Append 0 and compute f: 1 x Z x x Z x, f(x) Measure the second register: r r 1 s + jr s uniformly random classical value f(s)
69 Apply the QFT Recall x F Z 1 ω xy y y Z r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z r 1 ω jy /r y
70 Apply the QFT Recall x F Z 1 ω xy y y Z r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z r 1 ω jy /r y
71 Apply the QFT Recall x F Z 1 ω xy y y Z r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z r 1 ω jy /r y
72 Apply the QFT Recall x F Z 1 ω xy y y Z r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z r 1 ω jy /r y
73 Apply the QFT Recall x F Z 1 ω xy y y Z r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z r 1 ω jy /r y
74 A useful identity Claim: 1 M M 1 ω jk M = δ k mod M,0
75 A useful identity Claim: 1 M M 1 ω jk M = δ k mod M,0 Proof:
76 A useful identity Claim: 1 M M 1 ω jk M = δ k mod M,0 Proof: For k = 0 mod M, obvious.
77 A useful identity Claim: 1 M M 1 ω jk M = δ k mod M,0 Proof: For k = 0 mod M, obvious. For k 0, M 1 M = 1 ωkm M 1 ωm k ω jk (geometric series) = 1 e2πik 1 ω k M ω 2 6 ω 1 6 =0 1 =ω 3 6 ω 0 6 =1 ω 4 6 ω 5 6
78 Apply the QFT, continued r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z = 1 r = 1 r r 1 y (/r)z r ω sy z Z r ω sz y /r z r ω jy /r y 1 M M 1 ω jk M = δ k mod M,0
79 Apply the QFT, continued r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z = 1 r = 1 r r 1 y (/r)z r ω sy z Z r ω sz y /r z r ω jy /r y 1 M M 1 ω jk M = δ k mod M,0
80 Apply the QFT, continued r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z = 1 r = 1 r r 1 y (/r)z r ω sy z Z r ω sz y /r z r ω jy /r y 1 M M 1 ω jk M = δ k mod M,0
81 Effect of the QFT r r 1 s + jr periodic, period r unknown offset s FZ 1 r z Z r ω sz /r z r periodic, period /r zero offset unknown phases
82 Learning the period Measure 1 r z Z r ω sz /r z r
83 Learning the period Measure 1 r z Z r ω sz /r z r Outcome: 0, r, 2 r, 3 r,..., r uniformly at random
84 Learning the period Measure 1 r z Z r ω sz /r z r Outcome: 0, r, 2 r, 3 r,..., r uniformly at random Strategy: Compute z/r in lowest terms (Euclid s algorithm) and assume the denominator is r.
85 Learning the period Measure 1 r z Z r ω sz /r z r Outcome: 0, r, 2 r, 3 r,..., r uniformly at random Strategy: Compute z/r in lowest terms (Euclid s algorithm) and assume the denominator is r. Probability of success is ( ) ϕ(r) 1 = Ω r log log r = Ω ( 1 log log )
86 An equivalent formulation Prepare 1 x Z x, f(x) and discard the second register: r r 1 s + jr with s uniformly random
87 An equivalent formulation Prepare 1 x Z x, f(x) and discard the second register: r r 1 s + jr with s uniformly random ρ r = r 2 s Z r 1 j,k=0 s + jr s + kr = 1 s Z r 1 s + jr s
88 An equivalent formulation Prepare 1 x Z x, f(x) and discard the second register: r r 1 s + jr with s uniformly random ρ r = r 2 s Z r 1 j,k=0 s + jr s + kr = 1 s Z r 1 s + jr s F Z F Z ρ r F Z = 1 r z r z r z Z
89 Period finding over Z
90 Unknown domain of periodicity Suppose we have a function f : Z S f(x) =f(y) if and only if satisfying x y r but we don t know an for which f(x + ) = f(x). Z Can we still find r?
91 Unknown domain of periodicity Suppose we have a function f : Z S f(x) =f(y) if and only if satisfying x y r but we don t know an for which f(x + ) = f(x). Z Can we still find r? Strategy: Choose a large, and hope that the procedure still works, even though r will probably not divide r.
92 Producing an (almost) periodic state Create the state Z := 1 x Z x
93 Producing an (almost) periodic state Create the state Z := 1 1 x Z x Append 0 and compute f: x Z x, f(x)
94 Producing an (almost) periodic state Create the state Z := 1 1 x Z x Append 0 and compute f: x Z x, f(x) Measure the second register: n 1 1 s + jr n n /r s ¼ uniformly random
95 Producing an (almost) periodic state Create the state Z := 1 1 x Z x Append 0 and compute f: x Z x, f(x) Measure the second register: n 1 1 s + jr n n /r s ¼ uniformly random
96 The (almost) periodic state {}}{ s } {{ }} {{ } r r }{{}}{{} r r /r } {{ } /r periods n 1 1 n s + jr n = { /r +1 /r s < r /r otherwise. where s occurs with probability n/
97 Apply the QFT Recall x F Z 1 ω xy y y Z
98 Apply the QFT Recall x F Z 1 ω xy y y Z n 1 1 n s + jr 1 n 1 n = 1 ω sy n y Z ω (s+jr)y y Z n 1 y ω jry y
99 Apply the QFT Recall x F Z 1 ω xy y y Z n 1 1 n s + jr 1 n 1 n = 1 ω sy n y Z ω (s+jr)y y Z n 1 y ω jry y
100 Apply the QFT Recall x F Z 1 ω xy y y Z n 1 1 n s + jr 1 n 1 n = 1 ω sy n y Z ω (s+jr)y y Z n 1 y ω jry y
101 Apply the QFT Recall x F Z 1 ω xy y y Z n 1 1 n s + jr 1 n 1 n = 1 ω sy n y Z ω (s+jr)y y Z n 1 y ω jry y Probability of observing y: Pr(y) = 1 n n 1 ω jry 2
102 The distribution of measurement outcomes Probability of observing y: Pr(y) = 1 n n 1 ω jry 2
103 The distribution of measurement outcomes Probability of observing y: Pr(y) = 1 n n 1 ω jry 2 When r divides, we have already seen that Pr(y) = 1 r δ y mod r,0
104 The distribution of measurement outcomes Probability of observing y: Pr(y) = 1 n n 1 ω jry 2 When r divides, we have already seen that Pr(y) = 1 r δ y mod r,0 In general, Pr(y) is sharply peaked around multiples of /r. Example ( = 64, r = 5):
105 The distribution of measurement outcomes Probability of observing y: Pr(y) = 1 n n 1 ω jry 2 When r divides, we have already seen that Pr(y) = 1 r δ y mod r,0 In general, Pr(y) is sharply peaked around multiples of /r. Example ( = 64, r = 5): 0 Exercise: Show Pr ( y {0, r, 2 r,..., (r 1) r }) = Ω(1)
106 Continued fractions Problem: Given a sample from {0, r, 2 r,..., (r 1) r }, determine r.
107 Continued fractions Problem: Given a sample from {0, r, 2 r,..., (r 1) r }, determine r. Compute the continued fraction expansion j/r = a a a 3 +
108 Continued fractions Problem: Given a sample from {0, r, 2 r,..., (r 1) r }, determine r. Compute the continued fraction expansion j/r = a a a 3 + Suppose we know that r < rmax. Then the closest continued fraction approximation with denominator less than rmax is guaranteed to be r provided > (rmax) 2.
109 Continued fractions Problem: Given a sample from {0, r, 2 r,..., (r 1) r }, determine r. Compute the continued fraction expansion j/r = a a a 3 + Suppose we know that r < rmax. Then the closest continued fraction approximation with denominator less than rmax is guaranteed to be r provided > (rmax) 2. If we are not given an a priori upper bound rmax, we can start with rmax = 2 and successively double it until we find r; then the running time will be poly(log r).
110 Application: Order finding Let G be a group. The order of g 2 G is the smallest r 2 {1, 2, 3,...} such that g r = 1.
111 Application: Order finding Let G be a group. The order of g 2 G is the smallest r 2 {1, 2, 3,...} such that g r = 1. The function f : Z G defined by f(x) = g x is (injectively) periodic with period equal to the order of g in G.
112 Application: Order finding Let G be a group. The order of g 2 G is the smallest r 2 {1, 2, 3,...} such that g r = 1. The function f : Z G defined by f(x) = g x is (injectively) periodic with period equal to the order of g in G. periodicity: f(x + r) =g x+r = g x = f(x)
113 Application: Order finding Let G be a group. The order of g 2 G is the smallest r 2 {1, 2, 3,...} such that g r = 1. The function f : Z G defined by f(x) = g x is (injectively) periodic with period equal to the order of g in G. periodicity: injectivity: f(x + r) =g x+r = g x = f(x) there is no x < r for which f(x) = f(0)
114 Application: Order finding Let G be a group. The order of g 2 G is the smallest r 2 {1, 2, 3,...} such that g r = 1. The function f : Z G defined by f(x) = g x is (injectively) periodic with period equal to the order of g in G. periodicity: injectivity: f(x + r) =g x+r = g x = f(x) there is no x < r for which f(x) = f(0) So there is an efficient (running time poly(log G )) quantum algorithm for order finding.
115 Reduction of factoring to period finding
116 Factoring Finding a nontrivial factor Suppose we want to factor the positive integer. Since primality can be tested efficiently, it suffices to give a procedure for finding a nontrivial factor of with constant probability.
117 Factoring Finding a nontrivial factor Suppose we want to factor the positive integer. Since primality can be tested efficiently, it suffices to give a procedure for finding a nontrivial factor of with constant probability. function factor() if is prime output else repeat x=find_nontrivial_factor() until success factor(x) factor(/x) end if
118 Factoring Finding a nontrivial factor Suppose we want to factor the positive integer. Since primality can be tested efficiently, it suffices to give a procedure for finding a nontrivial factor of with constant probability. function factor() if is prime output else repeat x=find_nontrivial_factor() until success factor(x) factor(/x) end if We can assume is odd, since it is easy to find the factor 2.
119 Factoring Finding a nontrivial factor Suppose we want to factor the positive integer. Since primality can be tested efficiently, it suffices to give a procedure for finding a nontrivial factor of with constant probability. function factor() if is prime output else repeat x=find_nontrivial_factor() until success factor(x) factor(/x) end if We can assume is odd, since it is easy to find the factor 2. We can also assume that contains at least two distinct prime powers, since it is easy to check if it is a power of some integer.
120 Miller s reduction Factoring reduces to order finding in (Miller 1976). Z
121 Miller s reduction Factoring reduces to order finding in (Miller 1976). Z Choose a {2, 3,..., 1} uniformly at random. If gcd(a, ) 1, then it is a nontrivial factor of ; otherwise a Z.
122 Miller s reduction Factoring reduces to order finding in (Miller 1976). Z Choose a {2, 3,..., 1} uniformly at random. If gcd(a, ) 1, then it is a nontrivial factor of ; otherwise a Z. Let r denote the (multiplicative) order of a modulo.
123 Miller s reduction Factoring reduces to order finding in (Miller 1976). Z Choose a {2, 3,..., 1} uniformly at random. If gcd(a, ) 1, then it is a nontrivial factor of ; otherwise a Z. Let r denote the (multiplicative) order of a modulo. Suppose r is even. Then a r = 1 mod (a r/2 ) 2 1 = 0 mod
124 Miller s reduction Factoring reduces to order finding in (Miller 1976). Z Choose a {2, 3,..., 1} uniformly at random. If gcd(a, ) 1, then it is a nontrivial factor of ; otherwise a Z. Let r denote the (multiplicative) order of a modulo. Suppose r is even. Then a r = 1 mod (a r/2 ) 2 1 = 0 mod (a r/2 1)(a r/2 + 1) = 0 mod
125 Miller s reduction Factoring reduces to order finding in (Miller 1976). Z Choose a {2, 3,..., 1} uniformly at random. If gcd(a, ) 1, then it is a nontrivial factor of ; otherwise a Z. Let r denote the (multiplicative) order of a modulo. Suppose r is even. Then a r = 1 mod (a r/2 ) 2 1 = 0 mod (a r/2 1)(a r/2 + 1) = 0 mod so we might hope for gcd(a r/2 1,) to be a nontrivial factor of.
126 Miller s reduction Given (a r/2 1)(a r/2 + 1) = 0 mod when does gcd(a r/2 1,) give a nontrivial factor of?
127 Miller s reduction Given (a r/2 1)(a r/2 + 1) = 0 mod when does gcd(a r/2 1,) give a nontrivial factor of? ote that a r/2 1 0 mod r/2, or smaller). (otherwise the order of a would be
128 Miller s reduction Given (a r/2 1)(a r/2 + 1) = 0 mod when does gcd(a r/2 1,) give a nontrivial factor of? ote that a r/2 1 0 mod r/2, or smaller). (otherwise the order of a would be So it suffices to ensure that a r/ mod.
129 Miller s reduction Given (a r/2 1)(a r/2 + 1) = 0 mod when does gcd(a r/2 1,) give a nontrivial factor of? ote that a r/2 1 0 mod r/2, or smaller). (otherwise the order of a would be So it suffices to ensure that a r/ mod. Lemma: Suppose a Z is chosen uniformly at random, where is an odd integer with at least two distinct prime factors. Then with probability at least 1/2, the multiplicative order r of a is even and a r/2 1 mod.
130 Proof (part 1 of 2) Let = p m 1 1 p m k k (pi distinct primes, k 2) a = a i mod p m i i ri = order of ai modulo p m i i 2 c i = largest power of 2 that divides ri
131 Proof (part 1 of 2) Let = p m 1 1 p m k k (pi distinct primes, k 2) a = a i mod p m i i ri = order of ai modulo p m i i 2 c i = largest power of 2 that divides ri Claim 1: If r is odd or a r/ mod, then c1 = = ck.
132 Proof (part 1 of 2) Let = p m 1 1 p m k k (pi distinct primes, k 2) a = a i mod p m i i ri = order of ai modulo p m i i 2 c i = largest power of 2 that divides ri Claim 1: If r is odd or a r/ mod, then c1 = = ck. Since r = lcm(r 1,..., r k ), r is odd iff c1 = = ck = 0.
133 Proof (part 1 of 2) Let = p m 1 1 p m k k (pi distinct primes, k 2) a = a i mod p m i i ri = order of ai modulo p m i i 2 c i = largest power of 2 that divides ri Claim 1: If r is odd or a r/ mod, then c1 = = ck. Since r = lcm(r 1,..., r k ), r is odd iff c1 = = ck = 0. If r is even and a r/2 = 1 mod, then a r/2 = 1 mod p m i i for each i, so ri does not divide r/2; but notice that ri does divide r.
134 Proof (part 1 of 2) Let = p m 1 1 p m k k (pi distinct primes, k 2) a = a i mod p m i i ri = order of ai modulo p m i i 2 c i = largest power of 2 that divides ri Claim 1: If r is odd or a r/ mod, then c1 = = ck. Since r = lcm(r 1,..., r k ), r is odd iff c1 = = ck = 0. If r is even and a r/2 = 1 mod, then a r/2 = 1 mod p m i i for each i, so ri does not divide r/2; but notice that ri does divide r. Hence r/ri is an odd integer for each i, and every ri must contain the same number of powers of 2 as r.
135 Proof (part 2 of 2) Claim 2: Prob(ci = any particular value) 1/2
136 Proof (part 2 of 2) Claim 2: Prob(ci = any particular value) 1/2 (Then the lemma follows, because in particular Prob(c1 = c2) 1/2.)
137 Proof (part 2 of 2) Claim 2: Prob(ci = any particular value) 1/2 (Then the lemma follows, because in particular Prob(c1 = c2) 1/2.) a Z uniformly at random a i Z p m i i uniformly at random
138 Proof (part 2 of 2) Claim 2: Prob(ci = any particular value) 1/2 (Then the lemma follows, because in particular Prob(c1 = c2) 1/2.) a Z uniformly at random a i Z p m i i uniformly at random Z p m i i Since is cyclic and of even order, exactly half its elements have the maximal value of ci, so in particular the probability of any particular ci is at most 1/2.
139 Shor s factoring algorithm Input: Integer Output: A nontrivial factor of 1. Choose a random a {2, 3,..., 1} 2. Compute gcd(a, ); if it is not 1 then it is a nontrivial factor, and otherwise we continue 3. Prepare the uniform superposition Z 2 (or replace 2 by the next largest power of 2) 4. Append an ancilla register, and conditioned on the value x in the first register, compute f(x) = a x mod in the ancilla register; discard the ancilla 5. Perform the quantum Fourier transform over 6. Measure in the computational basis Z 2 7. Compute the continued fraction expansion of the result divided by 2, obtaining the best approximation with denominator less than ; call this denominator r 8. Compute gcd(ar/2 1, ). If it is 1 or then we have failed, and we start over; otherwise the result is a nontrivial factor of.
140 Performance Most expensive step: Modular exponentiation. Using repeated squaring, this can be done in time O((log ) 3 ). ) Running time of Shor s algorithm is O((log ) 3 ) In contrast, the best known classical algorithm for factoring (the number field sieve) takes time 2 O((log )1/3 (log log ) 2/3 ).
141 Performance Most expensive step: Modular exponentiation. Using repeated squaring, this can be done in time O((log ) 3 ). ) Running time of Shor s algorithm is O((log ) 3 ) In contrast, the best known classical algorithm for factoring (the number field sieve) takes time 2 O((log )1/3 (log log ) 2/3 ). ote that the quantum part of Shor s algorithm can be highly parallelized: with polynomial-time classical pre- and post-processing, can achieve depth O((log log ) 2 ) and size O((log ) 3 ) (Cleve and Watrous 2000).
142 Beyond factoring
143 So much more than Shor and Grover Quantum simulation Algebraic problems Factoring, discrete log, decomposing abelian groups, Pell s equation, principal ideal problem, computing unit/class groups of number fields, shifted Legendre symbol, approximating Gauss sums, counting points on curves, some nonabelian hidden subgroup problems,... Search and its applications (Peter Høyer s lectures yesterday) Unstructured search (decision, finding, counting), collision, median finding, graph connectivity, minimum spanning trees, single source shortest paths, matchings, network flows,... Quantum walk algorithms (Eddie Farhi s lectures on Friday) Black box graph traversal, spatial search, element distinctness, triangle finding, checking matrix multiplication, testing group commutativity, formula evaluation,... Approximation of #P-hard problems Jones polynomial, HOMFLYPT polynomial, Tutte polynomial/potts model partition function,... Miscellanea Oracle interrogation, ordered search, gradient estimation,...
144 Discrete log Let G = {g α : α Z } be a cyclic group generated by g. Given x G, define log g x := min{l Z + : g l = x}.
145 Discrete log Let G = {g α : α Z } be a cyclic group generated by g. Given x G, define log g x := min{l Z + : g l = x}. Computing logg x is (apparently) classically hard, and (as for factoring) this assumption is used in cryptographic protocols. Common groups: G = Z M G = elliptic curve best classical algorithm 2 O((log M)1/3 (log log M) 2/3 ) O( O(log ) ) = 2
146 Discrete log Let G = {g α : α Z } be a cyclic group generated by g. Given x G, define log g x := min{l Z + : g l = x}. Computing logg x is (apparently) classically hard, and (as for factoring) this assumption is used in cryptographic protocols. Common groups: G = Z M G = elliptic curve best classical algorithm 2 O((log M)1/3 (log log M) 2/3 ) O( O(log ) ) = 2 But there is an efficient quantum algorithm for discrete log in general groups (Shor 1994).
147 The abelian hidden subgroup problem Let G be an abelian group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if x y H Abelian HSP: Given the ability to query f, find a generating set for H.
148 The abelian hidden subgroup problem Let G be an abelian group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if x y H Abelian HSP: Given the ability to query f, find a generating set for H. Example: If G = Z, then f hides a subgroup isomorphic to Z/r iff it is injectively periodic with period r
149 The abelian hidden subgroup problem Let G be an abelian group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if x y H Abelian HSP: Given the ability to query f, find a generating set for H. Example: If G = Z, then f hides a subgroup isomorphic to Z/r iff it is injectively periodic with period r Example: The function f(α, β) =x α g β hides (α, α log g x):α Z Z Z
150 The abelian hidden subgroup problem Let G be an abelian group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if x y H Abelian HSP: Given the ability to query f, find a generating set for H. Example: If G = Z, then f hides a subgroup isomorphic to Z/r iff it is injectively periodic with period r Example: The function f(α, β) =x α g β hides (α, α log g x):α Z Z Z There is an efficient quantum algorithm for the hidden subgroup problem in any finitely generated abelian group.
151 Counting points on curves Problem: How many solutions are there to the polynomial equation f(x, y) = 0 where x, y 2 Zp (or more generally, a finite field)?
152 Counting points on curves Problem: How many solutions are there to the polynomial equation f(x, y) = 0 where x, y 2 Zp (or more generally, a finite field)? This problem appears to be hard for a classical computer.
153 Counting points on curves Problem: How many solutions are there to the polynomial equation f(x, y) = 0 where x, y 2 Zp (or more generally, a finite field)? This problem appears to be hard for a classical computer. But Kedlaya showed it can be solved in time poly(log p, d) on a quantum computer, where d is the degree of the polynomial.
154 Counting points on curves Problem: How many solutions are there to the polynomial equation f(x, y) = 0 where x, y 2 Zp (or more generally, a finite field)? This problem appears to be hard for a classical computer. But Kedlaya showed it can be solved in time poly(log p, d) on a quantum computer, where d is the degree of the polynomial. Approach: Use the algorithm for the abelian HSP to learn the structure of the class group of the curve, which determines the number of points.
155 Pell s equation and number fields Pell s equation: Given a squarefree positive integer d, find integer solutions (x, y) to x 2 dy 2 =1.
156 Pell s equation and number fields Pell s equation: Given a squarefree positive integer d, find integer solutions (x, y) to x 2 dy 2 =1. There are infinitely many solutions, but they are all generated by one fundamental solution (x1, y1).
157 Pell s equation and number fields Pell s equation: Given a squarefree positive integer d, find integer solutions (x, y) to x 2 dy 2 =1. There are infinitely many solutions, but they are all generated by one fundamental solution (x1, y1). Even the fundamental solution may be too large just to write down in polynomial time, but it can be encoded in the integer part of the regulator, log(x 1 + y 1 d).
158 Pell s equation and number fields Pell s equation: Given a squarefree positive integer d, find integer solutions (x, y) to x 2 dy 2 =1. There are infinitely many solutions, but they are all generated by one fundamental solution (x1, y1). Even the fundamental solution may be too large just to write down in polynomial time, but it can be encoded in the integer part of the regulator, log(x 1 + y 1 d). This can be found efficiently by a quantum computer using a generalization of period finding to the real numbers.
159 Pell s equation and number fields Pell s equation: Given a squarefree positive integer d, find integer solutions (x, y) to x 2 dy 2 =1. There are infinitely many solutions, but they are all generated by one fundamental solution (x1, y1). Even the fundamental solution may be too large just to write down in polynomial time, but it can be encoded in the integer part of the regulator, log(x 1 + y 1 d). This can be found efficiently by a quantum computer using a generalization of period finding to the real numbers. Similar ideas lead to efficient quantum algorithms for computing properties of number fields.
160 The nonabelian hidden subgroup problem Let G be any finite group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if xy 1 H HSP: Given the ability to query f, find a generating set for H.
161 The nonabelian hidden subgroup problem Let G be any finite group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if xy 1 H HSP: Given the ability to query f, find a generating set for H. When G is nonabelian, this can be significantly harder.
162 The nonabelian hidden subgroup problem Let G be any finite group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if xy 1 H HSP: Given the ability to query f, find a generating set for H. When G is nonabelian, this can be significantly harder. Potential applications: Graph isomorphism Lattice problems
163 Graph automorphism Problem: Given an n-vertex graph, what is its automorphism group?
164 Graph automorphism Problem: Given an n-vertex graph, what is its automorphism group? 1 = 2 = 3 =
165 Graph automorphism Problem: Given an n-vertex graph, what is its automorphism group? 1 = 2 = 3 = Aut(Γ 1 ) = S 5
166 Graph automorphism Problem: Given an n-vertex graph, what is its automorphism group? 1 = 2 = 3 = Aut(Γ 1 ) = S 5 Aut(Γ 2 ) = Z 2
167 Graph automorphism Problem: Given an n-vertex graph, what is its automorphism group? 1 = 2 = 3 = Aut(Γ 1 ) = S 5 Aut(Γ 2 ) = Z 2 Aut(Γ 3 ) = {id}
168 Graph automorphism Problem: Given an n-vertex graph, what is its automorphism group? 1 = 2 = 3 = Aut(Γ 1 ) = S 5 Aut(Γ 2 ) = Z 2 Aut(Γ 3 ) = {id} This is an HSP in with having hidden subgroup G = S n f(π) = π(γ) H = Aut( )
169 Shortest lattice vector problem Basis vectors v 1,..., v n R n define a lattice L := { i c i v i : c i Z}
170 Shortest lattice vector problem Basis vectors v 1,..., v n R n define a lattice L := { i c i v i : c i Z} v 1 v 2 0
171 Shortest lattice vector problem Basis vectors v 1,..., v n R n define a lattice L := { i c i v i : c i Z} v 1 v 2 0
172 Shortest lattice vector problem Basis vectors v 1,..., v n R n define a lattice L := { i c i v i : c i Z} v 1 v 2 0 Problem: What is the shortest nonzero vector in the lattice?
173 Shortest lattice vector problem Basis vectors v 1,..., v n R n define a lattice L := { i c i v i : c i Z} v 1 v 2 0 Problem: What is the shortest nonzero vector in the lattice? This is P-hard, but what if we promise that the shortest vector is shorter than the next-shortest non-parallel vector by some factor?
174 Shortest lattice vector problem Basis vectors v 1,..., v n R n define a lattice L := { i c i v i : c i Z} v 1 v 2 0 Problem: What is the shortest nonzero vector in the lattice? This is P-hard, but what if we promise that the shortest vector is shorter than the next-shortest non-parallel vector by some factor? Lattice cryptosystems assume this is hard with a factor poly(n).
175 Dihedral hidden subgroup problem The dihedral group of order 2 is the group of symmetries of an -sided regular polygon.
176 Dihedral hidden subgroup problem The dihedral group of order 2 is the group of symmetries of an -sided regular polygon. Is there an efficient quantum algorithm for the HSP in this group? ote: It suffices to consider hidden subgroups of order 2 (hidden reflections).
177 Dihedral hidden subgroup problem The dihedral group of order 2 is the group of symmetries of an -sided regular polygon. Is there an efficient quantum algorithm for the HSP in this group? ote: It suffices to consider hidden subgroups of order 2 (hidden reflections). Standard method : Given samples of φ x = 1 2 ( 0 + e 2πisx/ 1 ) Z with x uniformly random in (and known), determine s.
178 Dihedral hidden subgroup problem The dihedral group of order 2 is the group of symmetries of an -sided regular polygon. Is there an efficient quantum algorithm for the HSP in this group? ote: It suffices to consider hidden subgroups of order 2 (hidden reflections). Standard method : Given samples of φ x = 1 2 ( 0 + e 2πisx/ 1 ) Z with x uniformly random in (and known), determine s. Solving this problem would break lattice-based cryptography, one of the few types of cryptosystems not yet known to be broken by quantum computers!
Quantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 6: Quantum query complexity of the HSP
Quantum algorithms (CO 78, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 6: Quantum query complexity of the HSP So far, we have considered the hidden subgroup problem in abelian groups.
More informationShort Course in Quantum Information Lecture 5
Short Course in Quantum Information Lecture 5 Quantum Algorithms Prof. Andrew Landahl University of New Mexico Course Info All materials downloadable @ website http://info.phys.unm.edu/~deutschgroup/deutschclasses.html
More informationLecture 15: The Hidden Subgroup Problem
CS 880: Quantum Information Processing 10/7/2010 Lecture 15: The Hidden Subgroup Problem Instructor: Dieter van Melkebeek Scribe: Hesam Dashti The Hidden Subgroup Problem is a particular type of symmetry
More informationQuantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem
Quantum Computing Lecture Notes, Extra Chapter Hidden Subgroup Problem Ronald de Wolf 1 Hidden Subgroup Problem 1.1 Group theory reminder A group G consists of a set of elements (which is usually denoted
More informationQuantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 1: Quantum circuits and the abelian QFT
Quantum algorithms (CO 78, Winter 008) Prof. Andrew Childs, University of Waterloo LECTURE : Quantum circuits and the abelian QFT This is a course on quantum algorithms. It is intended for graduate students
More informationQuantum Algorithms Lecture #2. Stephen Jordan
Quantum Algorithms Lecture #2 Stephen Jordan Last Time Defined quantum circuit model. Argued it captures all of quantum computation. Developed some building blocks: Gate universality Controlled-unitaries
More informationShor s Prime Factorization Algorithm
Shor s Prime Factorization Algorithm Bay Area Quantum Computing Meetup - 08/17/2017 Harley Patton Outline Why is factorization important? Shor s Algorithm Reduction to Order Finding Order Finding Algorithm
More informationQuantum algorithms for hidden nonlinear structures
Quantum algorithms for hidden nonlinear structures Andrew Childs Waterloo Leonard Schulman Caltech Umesh Vazirani Berkeley Shor s algorithm finds hidden linear structures [Shor 94]: Efficient quantum algorithms
More informationUniversity of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:
University of Tokyo: Advanced Algorithms Summer 2010 Lecture 6 27 May Lecturer: François Le Gall Scribe: Baljak Valentina As opposed to prime factorization, primality testing is determining whether a given
More informationExponential algorithmic speedup by quantum walk
Exponential algorithmic speedup by quantum walk Andrew Childs MIT Center for Theoretical Physics joint work with Richard Cleve Enrico Deotto Eddie Farhi Sam Gutmann Dan Spielman quant-ph/0209131 Motivation
More informationPh 219b/CS 219b. Exercises Due: Wednesday 4 December 2013
1 Ph 219b/CS 219b Exercises Due: Wednesday 4 December 2013 4.1 The peak in the Fourier transform In the period finding algorithm we prepared the periodic state A 1 1 x 0 + jr, (1) A j=0 where A is the
More informationThe quantum threat to cryptography
The quantum threat to cryptography Ashley Montanaro School of Mathematics, University of Bristol 20 October 2016 Quantum computers University of Bristol IBM UCSB / Google University of Oxford Experimental
More informationFrom the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem
From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem Curtis Bright December 9, 011 Abstract In Quantum Computation and Lattice Problems [11] Oded Regev presented the first known connection
More informationMathematics for Cryptography
Mathematics for Cryptography Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G1, Canada March 15, 2016 1 Groups and Modular Arithmetic 1.1
More informationFrom the shortest vector problem to the dihedral hidden subgroup problem
From the shortest vector problem to the dihedral hidden subgroup problem Curtis Bright University of Waterloo December 8, 2011 1 / 19 Reduction Roughly, problem A reduces to problem B means there is a
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationDiscrete Mathematics GCD, LCM, RSA Algorithm
Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common
More informationADVANCED QUANTUM INFORMATION THEORY
CDT in Quantum Engineering Spring 016 Contents ADVANCED QUANTUM INFORMATION THEORY Lecture notes Ashley Montanaro, University of Bristol ashley.montanaro@bristol.ac.uk 1 Introduction Classical and quantum
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationPh 219b/CS 219b. Exercises Due: Wednesday 11 February 2009
1 Ph 219b/CS 219b Exercises Due: Wednesday 11 February 2009 5.1 The peak in the Fourier transform In the period finding algorithm we prepared the periodic state A 1 1 x 0 + jr, (1) A j=0 where A is the
More informationQIP Note: On the Quantum Fourier Transform and Applications
QIP ote: On the Quantum Fourier Transform and Applications Ivan Damgård 1 Introduction This note introduces Fourier transforms over finite Abelian groups, and shows how this can be used to find the period
More informationIntroduction to Quantum Computing
Introduction to Quantum Computing Part II Emma Strubell http://cs.umaine.edu/~ema/quantum_tutorial.pdf April 13, 2011 Overview Outline Grover s Algorithm Quantum search A worked example Simon s algorithm
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationMath 412: Number Theory Lecture 13 Applications of
Math 412: Number Theory Lecture 13 Applications of Gexin Yu gyu@wm.edu College of William and Mary Partition of integers A partition λ of the positive integer n is a non increasing sequence of positive
More informationQUANTUM COMPUTATION. Lecture notes. Ashley Montanaro, University of Bristol 1 Introduction 2
School of Mathematics Spring 018 Contents QUANTUM COMPUTATION Lecture notes Ashley Montanaro, University of Bristol ashley.montanaro@bristol.ac.uk 1 Introduction Classical and quantum computational complexity
More informationOn the query complexity of counterfeiting quantum money
On the query complexity of counterfeiting quantum money Andrew Lutomirski December 14, 2010 Abstract Quantum money is a quantum cryptographic protocol in which a mint can produce a state (called a quantum
More informationIntroduction to Quantum Information Processing CS 467 / CS 667 Phys 667 / Phys 767 C&O 481 / C&O 681
Introduction to Quantum Information Processing CS 467 / CS 667 Phys 667 / Phys 767 C&O 48 / C&O 68 Lecture (2) Richard Cleve DC 27 cleve@cs.uwaterloo.ca Order-finding via eigenvalue estimation 2 Order-finding
More informationGraph isomorphism, the hidden subgroup problem and identifying quantum states
1 Graph isomorphism, the hidden subgroup problem and identifying quantum states Pranab Sen NEC Laboratories America, Princeton, NJ, U.S.A. Joint work with Sean Hallgren and Martin Rötteler. Quant-ph 0511148:
More informationAdvanced Cryptography Quantum Algorithms Christophe Petit
The threat of quantum computers Advanced Cryptography Quantum Algorithms Christophe Petit University of Oxford Christophe Petit -Advanced Cryptography 1 Christophe Petit -Advanced Cryptography 2 The threat
More informationHidden Symmetry Subgroup Problems
1/27 Hidden Symmetry Subgroup Problems Miklos Santha CNRS, Université Paris Diderot, France and Centre for Quantum Technologies, NUS, Singapore joint work with Thomas Decker Gábor Ivanyos Pawel Wocjan
More informationLecture 8: Finite fields
Lecture 8: Finite fields Rajat Mittal IIT Kanpur We have learnt about groups, rings, integral domains and fields till now. Fields have the maximum required properties and hence many nice theorems can be
More informationFigure 1: Circuit for Simon s Algorithm. The above circuit corresponds to the following sequence of transformations.
CS 94 //09 Fourier Transform, Period Finding and Factoring in BQP Spring 009 Lecture 4 Recap: Simon s Algorithm Recall that in the Simon s problem, we are given a function f : Z n Zn (i.e. from n-bit strings
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationAlgorithms for ray class groups and Hilbert class fields
(Quantum) Algorithms for ray class groups and Hilbert class fields Sean Hallgren joint with Kirsten Eisentraeger Penn State 1 Quantum Algorithms Quantum algorithms for number theoretic problems: Factoring
More informationPh 219b/CS 219b. Exercises Due: Wednesday 22 February 2006
1 Ph 219b/CS 219b Exercises Due: Wednesday 22 February 2006 6.1 Estimating the trace of a unitary matrix Recall that using an oracle that applies the conditional unitary Λ(U), Λ(U): 0 ψ 0 ψ, 1 ψ 1 U ψ
More informationQuantum algorithms for computing short discrete logarithms and factoring RSA integers
Quantum algorithms for computing short discrete logarithms and factoring RSA integers Martin Ekerå, Johan Håstad February, 07 Abstract In this paper we generalize the quantum algorithm for computing short
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationShor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015
Shor s Algorithm Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015 Integer factorization n = p q (where p, q are prime numbers) is a cryptographic one-way function Classical algorithm with best
More information10 Modular Arithmetic and Cryptography
10 Modular Arithmetic and Cryptography 10.1 Encryption and Decryption Encryption is used to send messages secretly. The sender has a message or plaintext. Encryption by the sender takes the plaintext and
More informationIntroduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871
Introduction to Quantum Information Processing QIC 71 / CS 768 / PH 767 / CO 681 / AM 871 Lecture 8 (217) Jon Yard QNC 3126 jyard@uwaterloo.ca http://math.uwaterloo.ca/~jyard/qic71 1 Recap of: Eigenvalue
More informationCS483 Design and Analysis of Algorithms
CS483 Design and Analysis of Algorithms Lectures 2-3 Algorithms with Numbers Instructor: Fei Li lifei@cs.gmu.edu with subject: CS483 Office hours: STII, Room 443, Friday 4:00pm - 6:00pm or by appointments
More informationShor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017
Shor s Algorithm Polynomial-time Prime Factorization with Quantum Computing Sourabh Kulkarni October 13th, 2017 Content Church Thesis Prime Numbers and Cryptography Overview of Shor s Algorithm Implementation
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationLECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS
LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several
More informationNumber Theory and Algebra: A Brief Introduction
Number Theory and Algebra: A Brief Introduction Indian Statistical Institute Kolkata May 15, 2017 Elementary Number Theory: Modular Arithmetic Definition Let n be a positive integer and a and b two integers.
More informationQuantum Algorithms. 1. Definition of the Subject and Its Importance. 4. Factoring, Discrete Logarithms, and the Abelian Hidden Subgroup Problem
Quantum Algorithms Michele Mosca Institute for Quantum Computing and Dept. of Combinatorics & Optimization University of Waterloo and St. Jerome s University, and Perimeter Institute for Theoretical Physics
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationMathematics of Public Key Cryptography
Mathematics of Public Key Cryptography Eric Baxter April 12, 2014 Overview Brief review of public-key cryptography Mathematics behind public-key cryptography algorithms What is Public-Key Cryptography?
More informationCompute the Fourier transform on the first register to get x {0,1} n x 0.
CS 94 Recursive Fourier Sampling, Simon s Algorithm /5/009 Spring 009 Lecture 3 1 Review Recall that we can write any classical circuit x f(x) as a reversible circuit R f. We can view R f as a unitary
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationTopics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More informationFactoring on a Quantum Computer
Factoring on a Quantum Computer The Essence Shor s Algorithm Wolfgang Polak wp@pocs.com Thanks to: Eleanor Rieffel Fuji Xerox Palo Alto Laboratory Wolfgang Polak San Jose State University, 4-14-010 - p.
More informationNumber Theory. Modular Arithmetic
Number Theory The branch of mathematics that is important in IT security especially in cryptography. Deals only in integer numbers and the process can be done in a very fast manner. Modular Arithmetic
More informationLogic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation
Quantum logic gates Logic gates Classical NOT gate Quantum NOT gate (X gate) A NOT A α 0 + β 1 X α 1 + β 0 A N O T A 0 1 1 0 Matrix form representation 0 1 X = 1 0 The only non-trivial single bit gate
More informationCongruent Number Problem and Elliptic curves
Congruent Number Problem and Elliptic curves December 12, 2010 Contents 1 Congruent Number problem 2 1.1 1 is not a congruent number.................................. 2 2 Certain Elliptic Curves 4 3 Using
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationGreat Theoretical Ideas in Computer Science
15-251 Great Theoretical Ideas in Computer Science Randomness and Computation Lecture 18 (October 25, 2007) Checking Our Work Suppose we want to check p(x) q(x) = r(x), where p, q and r are three polynomials.
More informationAlgorithms for quantum computers. Andrew Childs Department of Combinatorics & Optimization and Institute for Quantum Computing University of Waterloo
Algorithms for quantum computers Andrew Childs Department of Combinatorics & Optimization and Institute for Quantum Computing University of Waterloo What is a computer? A means for performing calculations
More informationLecture 6: Cryptanalysis of public-key algorithms.,
T-79.159 Cryptography and Data Security Lecture 6: Cryptanalysis of public-key algorithms. Helsinki University of Technology mjos@tcs.hut.fi 1 Outline Computational complexity Reminder about basic number
More informationWhat are we talking about when we talk about post-quantum cryptography?
PQC Asia Forum Seoul, 2016 What are we talking about when we talk about post-quantum cryptography? Fang Song Portland State University PQC Asia Forum Seoul, 2016 A personal view on postquantum cryptography
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 12: Introduction to Number Theory II Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline This time we ll finish the
More informationHallgren s Quantum Algorithm for Pell s Equation
Hallgren s Quantum Algorithm for Pell s Equation Pradeep Sarvepalli pradeep@cs.tamu.edu Department of Computer Science, Texas A&M University Quantum Algorithm for Pell s Equation p. /6 Outline Pell s equation
More informationA Glimpse of Quantum Computation
A Glimpse of Quantum Computation Zhengfeng Ji (UTS:QSI) QCSS 2018, UTS 1. 1 Introduction What is quantum computation? Where does the power come from? Superposition Incompatible states can coexist Transformation
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More information2 A Fourier Transform for Bivariate Functions
Stanford University CS59Q: Quantum Computing Handout 0 Luca Trevisan October 5, 0 Lecture 0 In which we present a polynomial time quantum algorithm for the discrete logarithm problem. The Discrete Log
More information1. Algebra 1.7. Prime numbers
1. ALGEBRA 30 1. Algebra 1.7. Prime numbers Definition Let n Z, with n 2. If n is not a prime number, then n is called a composite number. We look for a way to test if a given positive integer is prime
More informationLecture note 8: Quantum Algorithms
Lecture note 8: Quantum Algorithms Jian-Wei Pan Physikalisches Institut der Universität Heidelberg Philosophenweg 12, 69120 Heidelberg, Germany Outline Quantum Parallelism Shor s quantum factoring algorithm
More informationShor s Quantum Factorization Algorithm
Shor s Quantum Factorization Algorithm Tayeb Aïssiou Department of Mathematics and Statistics McGill University, Montreal, Quebec Canada H3A K6 e-mail: tayeb.aissiou@mail.mcgill.ca November, 5 Abstract
More informationSupplement. Dr. Bob s Modern Algebra Glossary Based on Fraleigh s A First Course on Abstract Algebra, 7th Edition, Sections 0 through IV.
Glossary 1 Supplement. Dr. Bob s Modern Algebra Glossary Based on Fraleigh s A First Course on Abstract Algebra, 7th Edition, Sections 0 through IV.23 Abelian Group. A group G, (or just G for short) is
More informationDefinitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations
Page 1 Definitions Tuesday, May 8, 2018 12:23 AM Notations " " means "equals, by definition" the set of all real numbers the set of integers Denote a function from a set to a set by Denote the image of
More informationSimon s algorithm (1994)
Simon s algorithm (1994) Given a classical circuit C f (of polynomial size, in n) for an f : {0, 1} n {0, 1} n, such that for a certain s {0, 1} n \{0 n }: x, y {0, 1} n (x y) : f (x) = f (y) x y = s with
More informationSolution to the Hidden Subgroup Problem for a Class of Noncommutative Groups
Solution to the Hidden Subgroup Problem for a Class of Noncommutative Groups Demerson N. Gonçalves 1,2, Renato Portugal 2, arxiv:1104.1361v1 [quant-ph] 7 Apr 2011 1 Universidade Católica de Petrópolis
More informationBasic elements of number theory
Cryptography Basic elements of number theory Marius Zimand By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a k for some integer k. Notation
More informationBasic elements of number theory
Cryptography Basic elements of number theory Marius Zimand 1 Divisibility, prime numbers By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a
More informationLattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption
Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption Boaz Barak May 12, 2008 The first two sections are based on Oded Regev s lecture notes, and the third one on
More informationCourse 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationCSC 5930/9010 Modern Cryptography: Number Theory
CSC 5930/9010 Modern Cryptography: Number Theory Professor Henry Carter Fall 2018 Recap Hash functions map arbitrary-length strings to fixedlength outputs Cryptographic hashes should be collision-resistant
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationQUANTUM COMPUTATION AND LATTICE PROBLEMS
QUATUM COMPUTATIO AD LATTICE PROBLEMS ODED REGEV Abstract. We present the first explicit connection between quantum computation and lattice problems. amely, our main result is a solution to the Unique
More informationLecture notes: Algorithms for integers, polynomials (Thorsten Theobald)
Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald) 1 Euclid s Algorithm Euclid s Algorithm for computing the greatest common divisor belongs to the oldest known computing procedures
More informationThe non-injective hidden shift problem
The non-injective hidden shift problem by Mirmojtaba Gharibi A thesis presented to the University of Waterloo in fulfilment of the thesis requirement for the degree of Master of Mathematics in Computer
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationCourse MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography
Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2000 2013 Contents 9 Introduction to Number Theory 63 9.1 Subgroups
More informationarxiv: v2 [quant-ph] 1 Aug 2017
A quantum algorithm for greatest common divisor problem arxiv:1707.06430v2 [quant-ph] 1 Aug 2017 Wen Wang, 1 Xu Jiang, 1 Liang-Zhu Mu, 1, 2, 3, 4, and Heng Fan 1 School of Physics, Peking University, Beijing
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 Public Key Encryption page 2 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem:
More informationChapter 5. Modular arithmetic. 5.1 The modular ring
Chapter 5 Modular arithmetic 5.1 The modular ring Definition 5.1. Suppose n N and x, y Z. Then we say that x, y are equivalent modulo n, and we write x y mod n if n x y. It is evident that equivalence
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationSolutions to Assignment 4
1. Let G be a finite, abelian group written additively. Let x = g G g, and let G 2 be the subgroup of G defined by G 2 = {g G 2g = 0}. (a) Show that x = g G 2 g. (b) Show that x = 0 if G 2 = 2. If G 2
More informationCryptography: Joining the RSA Cryptosystem
Cryptography: Joining the RSA Cryptosystem Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin Joining the RSA Cryptosystem: Overview First,
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More informationShor Factorization Algorithm
qitd52 Shor Factorization Algorithm Robert B. Griffiths Version of 7 March 202 References: Mermin = N. D. Mermin, Quantum Computer Science (Cambridge University Press, 2007), Ch. 3 QCQI = M. A. Nielsen
More information