










The counterintuitive properties of quantum mechanics and computing. It explains the double slit experiment and how it forced scientists to accept a very counterintuitive picture of the world. The document also talks about quantum amplitudes, interference, measurement, and entanglement. It further explains how quantum computing is different from classical computing and how it requires a different kind of machine. Useful for students studying quantum mechanics and computing.
Typology: Lecture notes











“I think I can safely say that nobody understands quantum mechanics.”, Richard Feynman, 1965
“The only difference between a probabilistic classical world and the equations of the quantum world is that somehow or other it appears as if the probabilities would have to go negative”, Richard Feynman, 1982
There were two schools of natural philosophy in ancient Greece. Aristotle believed that objects have an essence that explains their behavior, and a theory of the natural world has to refer to the reasons (or “final cause” to use Aristotle’s language) as to why they exhibit certain phenomena. Democritus believed in a purely mechanistic explanation of the world. In his view, the universe was ultimately composed of elementary particles (or Atoms) and our observed phenomena arise from the interactions between these particles according to some local rules. Modern science (arguably starting with Newton) has embraced Democritus’ point of view, of a mechanistic or “clockwork” universe of particles and forces acting upon them. While the classification of particles and forces evolved with time, to a large extent the “big picture” has not changed from Newton till Einstein. In particular it was held as an axiom that if we knew fully the current state of the universe (i.e., the particles and their properties such as location and velocity) then we could predict its future state at any point in time. In computational language, in all these theories the state of a system with 𝑛 particles could be stored in an array of 𝑂(𝑛) numbers, and predicting the evolution of the system can be done by running some efficient (e.g., 𝑝𝑜𝑙𝑦(𝑛) time) deterministic computation on this array.
Compiled on 11.17.2021 22:
346 an intensive introduction to cryptography
Figure 18.1: In the “double baseball experiment” we shoot baseballs from a gun at a soft wall through a hard barrier that has one or two slits open in it. There is only “constructive interference” in the sense that the dent in each position in the wall when both slits are open is the sum of the dents when each slit is open on its own.
^1 A nice illustrated description of the double slit experiment appears in this video.
Figure 18.2: The setup of the double slit experiment in the case of photon or electron guns. We see also destructive interference in the sense that there are some positions on the wall that get fewer hits when both slits are open than they get when only one of the slits is open. Image credit: Wikipedia.
18.1 THE DOUBLE SLIT EXPERIMENT
Alas, in the beginning of the 20th century, several experimental results were calling into question this “clockwork” or “billiard ball” theory of the world. One such experiment is the famous double slit experiment. Here is one way to describe it. Suppose that we buy one of those baseball pitching machines, and aim it at a soft plastic wall, but put a metal barrier with a single slit between the machine and the plastic wall (see Fig. 18.1). If we shoot baseballs at the plastic wall, then some of the baseballs would bounce off the metal barrier, while some would make it through the slit and dent the wall. If we now carve out an additional slit in the metal barrier then more balls would get through, and so the plastic wall would be even more dented. So far this is pure common sense, and it is indeed (to my knowledge) an accurate description of what happens when we shoot baseballs at a plastic wall. However, this is not the same when we shoot photons. Amazingly, if we shoot with a “photon gun” (i.e., a laser) at a wall equipped with photon detectors through some barrier, then (as shown in Fig. 18.2) in some positions of the wall we will see fewer hits when the two slits are open than when only one of them is!^1 In particular there are positions in the wall that are hit when the first slit is open, hit when the second slit is open, but are not hit at all when both slits are open! It seems as if each photon coming out of the gun is aware of the global setup of the experiment, and behaves differently if two slits are open than if only one is. If we try to “catch the photon in the act” and place a detector right next to each slit so we can see exactly the path each photon takes then something even more bizarre happens.
The mere fact that we measure the path changes the photon’s behavior, and now this “destructive interference” pattern is gone and the number of times a position is hit when two slits are open is the sum of the number of times it is hit when each slit is open.
You should read the paragraphs above more than once and make sure you appreciate how truly mind boggling these results are.
18.2 QUANTUM AMPLITUDES
The double slit and other experiments ultimately forced scientists to accept a very counterintuitive picture of the world. It is not merely about nature being randomized, but rather it is about the probabilities in some sense “going negative” and cancelling each other!
Specifically, consider an event that can either occur or not (e.g. “detector number 17 was hit by a photon”). In classical probability, we model this by a probability distribution over the two outcomes: a pair of non-negative numbers 𝑝 and 𝑞 such that 𝑝 + 𝑞 = 1, where 𝑝 corresponds to the probability that the event occurs and 𝑞 corresponds to the probability that the event does not occur. In quantum mechanics, we model this also by a pair of numbers, which we call amplitudes. This is a pair of (potentially negative or even complex) numbers 𝛼 and 𝛽 such that |𝛼|^2 + |𝛽|^2 = 1. The probability that the event occurs is |𝛼|^2 and the probability that it does not occur is |𝛽|^2. In isolation, these negative or complex numbers don’t matter much, since we anyway square them to obtain probabilities. But the interaction of positive and negative amplitudes can result in surprising cancellations where somehow combining two scenarios where an event happens with positive probability results in a scenario where it never does.
If you don’t find the above description confusing and unintuitive, you probably didn’t get it. Please make sure to re-read the above paragraphs until you are thoroughly confused.
Quantum mechanics is a mathematical theory that allows us to calculate and predict the results of the double-slit and many other experiments. If you think of quantum mechanics as an explanation as to what “really” goes on in the world, it can be rather confusing. However, if you simply “shut up and calculate” then it works amazingly well at predicting experimental results. In particular, in the double slit experiment, for any position in the wall, we can compute numbers 𝛼 and 𝛽 such that photons from the first and second slit hit that position with probabilities |𝛼|^2 and |𝛽|^2 respectively. When we open both slits, the probability that the position will be hit is proportional to |𝛼 + 𝛽|^2, and so in particular, if 𝛼 = −𝛽 then it will be the case that, despite being hit when either slit one or slit two are open, the position is not hit at all when they both are. If you are confused by quantum mechanics, you are not alone: for decades people have been trying to come up with explanations for “the underlying reality” behind quantum mechanics, including Bohmian Mechanics, Many Worlds and others. However, none of these interpretations have gained universal acceptance and all of those (by design) yield the same experimental predictions. Thus at this point many scientists prefer to just ignore the question of what is the “true reality” and go back to simply “shutting up and calculating”.
quantum computing and cryptography i 349
Some of the counterintuitive properties that arise from amplitudes or “negative probabilities” include:
Again, as counter-intuitive as these concepts are, they have been experimentally confirmed, so we just have to live with them.
Remark 18.1 — Complex vs real, other simplifications. If (like the author) you are a bit intimidated by complex numbers, don’t worry: you can think of all amplitudes as real (though potentially negative) numbers without loss of understanding. All the “magic” of quantum computing already arises in this case, and so we will often restrict attention to real amplitudes in this chapter. We will also only discuss so-called pure quantum states, and not the more general notion of mixed states. Pure states turn out to be sufficient for understanding the algorithmic aspects of quantum computing. More generally, this chapter is not meant to be a complete description of quantum mechanics, quantum information theory, or quantum computing, but rather illustrate the main points where these differ from classical computing.
18.2.1 Quantum computing and computation - an executive summary.
One of the strange aspects of the quantum-mechanical picture of the world is that unlike in the billiard ball example, there is no obvious algorithm to simulate the evolution of 𝑛 particles over 𝑡 time periods in 𝑝𝑜𝑙𝑦(𝑛, 𝑡) steps. In fact, the natural way to simulate 𝑛 quantum particles will require a number of steps that is exponential in 𝑛. This is a
^5 Of course, given that “export grade” cryptography that was supposed to disappear with the 1990’s took a long time to die, I imagine that we’ll still have products running 1024 bit RSA when everyone has a quantum laptop.
been built that achieved tasks that are either not known to be achieved classically, or at least seem to require more resources classically than they do for these quantum computers. When and if such a computer is built that can break reasonable parameters of Diffie-Hellman, RSA and elliptic curve cryptography is anybody’s guess. It could also be a “self destroying prophecy” whereby the existence of a small-scale quantum computer would cause everyone to shift away to lattice-based crypto which in turn will diminish the motivation to invest the huge resources needed to build a large scale quantum computer.^5 The above summary might be all that you need to know as a cryptographer, and enough motivation to study lattice-based cryptography as we do in this course. However, because quantum computing is such a beautiful and (like cryptography) counter-intuitive concept, we will try to give at least a hint of what it is about and how Shor’s algorithm works.
18.3 QUANTUM 101
We now present some of the basic notions in quantum information. It is very useful to contrast these notions to the setting of probabilistic systems and see how “negative probabilities” make a difference. This discussion is somewhat brief. The chapter on quantum computation in my book with Arora (see draft here) is one relatively short resource that contains essentially everything we discuss here. See also this blog post of Aaronson for a high level explanation of Shor’s algorithm which ends with links to several more detailed expositions. See also this lecture of Aaronson for a great discussion of the feasibility of quantum computing (Aaronson’s course lecture notes and the book that they spawned are fantastic reads as well).
States: We will consider a simple quantum system that includes 𝑛 objects (e.g., electrons/photons/transistors/etc.) each of which can be in either an “on” or “off” state - i.e., each of them can encode a single bit of information, but to emphasize the “quantumness” we will call it a qubit. A probability distribution over such a system can be described as a 2^𝑛-dimensional vector 𝑣 with non-negative entries summing up to 1, where for every 𝑥 ∈ {0, 1}^𝑛, 𝑣𝑥 denotes the probability that the system is in state 𝑥. As we mentioned, quantum mechanics allows negative (in fact even complex) probabilities and so a quantum state of the system can be described as a 2^𝑛-dimensional vector 𝑣 such that ‖𝑣‖^2 = ∑𝑥 |𝑣𝑥|^2 = 1.
Measurement: Suppose that we were in the classical probabilistic setting, and that the 𝑛 bits are simply random coins. Thus we can describe the state of the system by the 2^𝑛-dimensional vector 𝑣 such that 𝑣𝑥 = 2^{−𝑛} for all 𝑥. If we measure the system and see what the coins came out, we will get the value 𝑥 with probability 𝑣𝑥. Naturally, if we measure the system twice we will get the same result. Thus, after we see that the coin is 𝑥, the new state of the system collapses to a vector 𝑣 such that 𝑣𝑦 = 1 if 𝑦 = 𝑥 and 𝑣𝑦 = 0 if 𝑦 ≠ 𝑥. In a quantum state, we do the same thing: measuring a vector 𝑣 corresponds to turning it, with probability |𝑣𝑥|^2, into a vector that has 1 on coordinate 𝑥 and zero on all the other coordinates.
Operations: In the classical probabilistic setting, if we have a system in state 𝑣 and we apply some function 𝑓 ∶ {0, 1}^𝑛 → {0, 1}^𝑛 then this transforms 𝑣 to the state 𝑤 such that 𝑤𝑦 = ∑𝑥∶𝑓(𝑥)=𝑦 𝑣𝑥. Another way to state this is that 𝑤 = 𝑀𝑓 where 𝑀𝑓 is the matrix such that 𝑀𝑓(𝑥),𝑥 = 1 for all 𝑥 and all other entries are 0. If we toss a coin and decide with probability 1/2 to apply 𝑓 and with probability 1/2 to apply 𝑔, this corresponds to the matrix (1/2)𝑀𝑓 + (1/2)𝑀𝑔. More generally, the set of operations that we can apply can be captured as the set of convex combinations of all such matrices. This is simply the set of non-negative matrices whose columns all sum up to 1 - the stochastic matrices. In the quantum case, the operations we can apply to a quantum state are encoded as a unitary matrix, which is a matrix 𝑀 such that ‖𝑀𝑣‖ = ‖𝑣‖ for all vectors 𝑣.
Elementary operations: Of course, even in the probabilistic setting, not every function 𝑓 ∶ {0, 1}^𝑛 → {0, 1}^𝑛 is efficiently computable. We think of a function as efficiently computable if it is composed of polynomially many elementary operations, that involve at most 2 or 3 bits or so (i.e., Boolean gates). That is, we say that a matrix 𝑀 is elementary if it only modifies three bits. That is, 𝑀 is obtained by “lifting” some 8 × 8 matrix 𝑀′ that operates on three bits 𝑖, 𝑗, 𝑘, leaving all the rest of the bits intact. Formally, given an 8 × 8 matrix 𝑀′ (indexed by strings in {0, 1}^3) and three distinct indices 𝑖 < 𝑗 < 𝑘 ∈ {1, … , 𝑛} we define the 𝑛-lift of 𝑀′ with indices 𝑖, 𝑗, 𝑘 to be the 2^𝑛 × 2^𝑛 matrix 𝑀 such that for every pair of strings 𝑥 and 𝑦 that agree with each other on all coordinates except possibly 𝑖, 𝑗, 𝑘, 𝑀𝑥,𝑦 = 𝑀′_{𝑥𝑖𝑥𝑗𝑥𝑘, 𝑦𝑖𝑦𝑗𝑦𝑘}, and otherwise 𝑀𝑥,𝑦 = 0. Note that if 𝑀′ is of the form 𝑀′𝑓 for some function 𝑓 ∶ {0, 1}^3 → {0, 1}^3 then 𝑀 = 𝑀𝑔 where 𝑔 ∶ {0, 1}^𝑛 → {0, 1}^𝑛 is defined as 𝑔(𝑥) = 𝑓(𝑥𝑖𝑥𝑗𝑥𝑘). We define 𝑀 as an elementary stochastic matrix or a probabilistic gate if 𝑀 is equal to an 𝑛-lift of some stochastic 8 × 8 matrix 𝑀′. The quantum case is similar: a quantum gate is a 2^𝑛 × 2^𝑛 matrix that is an 𝑛-lift of some unitary 8 × 8 matrix 𝑀′. It is an exercise to prove that lifting preserves stochasticity and unitarity. That is, every probabilistic gate is a stochastic matrix and every quantum gate is a unitary matrix.
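The lift construction and the exercise that closes the paragraph, worked as an added example (my code, not the book's): it builds the 𝑛-lift of an 8 × 8 matrix in plain Python, checks that lifting 𝑀′𝑓 for a Toffoli gate gives exactly 𝑀𝑔, and checks that lifting a stochastic matrix (a coin toss between Toffoli and doing nothing) stays stochastic while lifting a unitary one (Hadamard on one of the three bits) stays unitary. Bit positions are 0-based from the left and all helper names are my own.

```python
import math

def bit(x, p, n):
    """Bit p (0 = leftmost, like x_1 in the string x_1...x_n) of the n-bit integer x."""
    return (x >> (n - 1 - p)) & 1

def matrix_of_function(f, n):
    """M_f with M_f[f(x)][x] = 1: columns index inputs, rows index outputs,
    so (M_f v)_y = sum of v_x over all x with f(x) = y."""
    N = 1 << n
    M = [[0] * N for _ in range(N)]
    for x in range(N):
        M[f(x)][x] = 1
    return M

def lift(m_prime, i, j, k, n):
    """n-lift of an 8x8 matrix m_prime (indexed by 3-bit strings abc -> 4a+2b+c) with
    indices i < j < k: M[x][y] = m_prime[x_i x_j x_k][y_i y_j y_k] when x and y agree
    on every other coordinate, and 0 otherwise."""
    N = 1 << n
    touched = (1 << (n - 1 - i)) | (1 << (n - 1 - j)) | (1 << (n - 1 - k))
    sub = lambda x: 4 * bit(x, i, n) + 2 * bit(x, j, n) + bit(x, k, n)
    M = [[0] * N for _ in range(N)]
    for x in range(N):
        for y in range(N):
            if (x | touched) == (y | touched):      # x and y agree outside i, j, k
                M[x][y] = m_prime[sub(x)][sub(y)]
    return M

def is_stochastic(M, eps=1e-9):
    """Non-negative entries and every column sums to 1."""
    N = len(M)
    nonneg = all(M[r][c] >= 0 for r in range(N) for c in range(N))
    cols = all(abs(sum(M[r][c] for r in range(N)) - 1) < eps for c in range(N))
    return nonneg and cols

def is_unitary(M, eps=1e-9):
    """M^dagger M = I, checked entry by entry."""
    N = len(M)
    for a in range(N):
        for b in range(N):
            s = sum(M[r][a].conjugate() * M[r][b] for r in range(N))
            if abs(s - (1 if a == b else 0)) > eps:
                return False
    return True

# Three constructed 8x8 matrices on bits (a, b, c):
TOFFOLI = lambda t: t ^ 1 if (t & 6) == 6 else t          # (a,b,c) -> (a,b,c xor ab)
M_TOFFOLI = matrix_of_function(TOFFOLI, 3)                # a permutation matrix
M_COIN = [[0.5 * M_TOFFOLI[r][c] + 0.5 * (r == c) for c in range(8)]
          for r in range(8)]                              # coin toss: Toffoli or identity
_S = 1 / math.sqrt(2)
M_HAD3 = [[0 if (r >> 1) != (c >> 1) else (-_S if (r & 1 and c & 1) else _S)
           for c in range(8)] for r in range(8)]          # Hadamard on bit c only

def lift_matches_g(n=5, i=0, j=2, k=4):
    """Lifted M'_f equals M_g, where g applies f to bits i, j, k of x and keeps the rest."""
    def g(x):
        t = TOFFOLI(4 * bit(x, i, n) + 2 * bit(x, j, n) + bit(x, k, n))
        return x ^ (1 << (n - 1 - k)) if (t & 1) != bit(x, k, n) else x
    return lift(M_TOFFOLI, i, j, k, n) == matrix_of_function(g, n)

def lift_preserves_properties(n=5):
    """(stochastic?, unitary?) for the lifted coin gate, then for the lifted Hadamard gate."""
    L_coin, L_had = lift(M_COIN, 0, 2, 4, n), lift(M_HAD3, 0, 2, 4, n)
    return (is_stochastic(L_coin), is_unitary(L_coin),
            is_stochastic(L_had), is_unitary(L_had))

if __name__ == "__main__":
    print("lift(M'_f) == M_g:", lift_matches_g())
    print("(coin stochastic, coin unitary, Had stochastic, Had unitary):",
          lift_preserves_properties())
```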
^7 It is a good exercise to show that if 𝑀 is a probabilistic process with 𝑅(𝑀) ≤ 𝑇 then there exists a probabilistic circuit of size, say, 100𝑇𝑛^2 that approximately computes 𝑀 in the sense that for every input 𝑥, ∑𝑦∈{0,1}^𝑛 ∣Pr[𝐶(𝑥) = 𝑦] − 𝑀𝑥,𝑦∣ < 1/3.
where the (ℓ + 𝑖)-th bit of 𝑔(𝑥1, … , 𝑥𝑛) is the result of applying the 𝑖-th gate in the calculation of 𝑓(𝑥1, … , 𝑥𝑚). So this is “almost” what we wanted except that we have this “extra junk” that we need to get rid of. The idea is that we now simply run the same computation again, which basically means we XOR another copy of 𝑔(𝑥1, … , 𝑥𝑚) to the last 𝑠 bits, but since 𝑔(𝑥) ⊕ 𝑔(𝑥) = 0^𝑠 we get that we compute the map 𝑥 ↦ 𝑥1 ⋯ 𝑥𝑚‖(𝑓(𝑥1, … , 𝑥𝑚)0^𝑠 ⊕ 𝑥𝑚+1 ⋯ 𝑥𝑚+ℓ+𝑠) as desired.
The “obviously exponential” fallacy: A priori it might seem “obvious” that quantum computing is exponentially powerful, since to compute a quantum computation on 𝑛 bits we need to maintain the 2^𝑛-dimensional state vector and apply 2^𝑛 × 2^𝑛 matrices to it. Indeed popular descriptions of quantum computing (too) often say something along the lines that the difference between quantum and classical computer is that a classic bit can either be zero or one while a qubit can be in both states at once, and so in many qubits a quantum computer can perform exponentially many computations at once. Depending on how you interpret this, this description is either false or would apply equally well to probabilistic computation. However, for probabilistic computation it is a not too hard exercise to show that if 𝑓 ∶ {0, 1}^𝑚 → {0, 1}^𝑛 is an efficiently computable function then it has a polynomial size circuit of AND, OR and NOT gates.^7 Moreover, this “obvious” approach for simulating a quantum computation will take not just exponential time but exponential space as well, while it is not hard to show that using a simple recursive formula one can calculate the final quantum state using polynomial space (in physics parlance this is known as “Feynman path integrals”). So, the exponentially long vector description by itself does not imply that quantum computers are exponentially powerful. Indeed, we cannot prove that they are (since in particular we can’t prove that every polynomial space calculation can be done in polynomial time, in complexity parlance we don’t know how to rule out that 𝑃 = PSPACE), but we do have some problems (integer factoring most prominently) for which they do provide exponential speedup over the currently best known classical (deterministic or probabilistic) algorithms.
18.3.1 Physically realizing quantum computation
Figure 18.3: Superconducting quantum computer prototype at Google. Image credit: Google / MIT Technology Review.
To realize quantum computation one needs to create a system with 𝑛 independent binary states (i.e., “qubits”), and be able to manipulate small subsets of two or three of these qubits to change their state. While by the way we defined operations above it might seem that one needs to be able to perform arbitrary unitary operations on these two or three qubits, it turns out that there are several choices for universal sets - a small constant number of gates that generate all others. The biggest challenge is how to keep the system from being measured and collapsing to a single classical combination of states. This is sometimes known as the coherence time of the system. The threshold theorem says that there is some absolute constant level of errors 𝜏 so that if errors are created at every gate at rate smaller than 𝜏 then we can recover from those and perform arbitrarily long computations. (Of course there are different ways to model the errors and so there are actually several threshold theorems corresponding to various noise models). There have been several proposals to build quantum computers:
These approaches are not mutually exclusive and it could be that ultimately quantum computers are built by combining all of them together. At the moment, we have devices with about 100 qubits, and about 1% error per gate. Such restricted machines are sometimes called “Noisy Intermediate-Scale Quantum Computers” or “NISQ”. See this article by John Preskill for some of the progress and applications of such more restricted devices. If the number of qubits is increased and the error is decreased by one or two orders of magnitude, we could start seeing more applications.
18.3.2 Bra-ket notation
Quantum computing is very confusing and counterintuitive for many reasons. But there is also a “cultural” reason why people sometimes find quantum arguments hard to follow. Quantum folks follow their own special notation for vectors. Many non-quantum people find it ugly and confusing, while quantum folks secretly wish people used it all the time, not just for non-quantum linear algebra, but also for restaurant bills and elementary school math classes.
^10 This form of Bell’s game was shown by Clauser, Horne, Shimony, and Holt.
^11 Theorem 18.2 below assumes that Alice and Bob use deterministic strategies 𝑓 and 𝑔 respectively. More generally, Alice and Bob could use a randomized strategy, or equivalently, each could choose 𝑓 and 𝑔 from some distributions ℱ and 𝒢 respectively. However the averaging principle ( ?? ) implies that if all possible deterministic strategies succeed with probability at most 3/4, then the same is true for all randomized strategies.
^12 More accurately, one either has to give up on a “billiard ball type” theory of the universe or believe in telepathy (believe it or not, some scientists went for the latter option).
^13 The strategy we show is not the best one. Alice and Bob can in fact succeed with probability cos^2(𝜋/8) ∼ 0.854.
response. We say that Alice and Bob win this experiment if 𝑎 ⊕ 𝑏 = 𝑥 ∧ 𝑦. In other words, Alice and Bob need to output two bits that disagree if 𝑥 = 𝑦 = 1 and agree otherwise.^10 Now if Alice and Bob are not telepathic, then they need to agree in advance on some strategy. It’s not hard for Alice and Bob to succeed with probability 3/4: just always output the same bit. Moreover, by doing some case analysis, we can show that no matter what strategy they use, Alice and Bob cannot succeed with higher probability than that:^11
Theorem 18.2 — Bell’s Inequality. For every two functions 𝑓, 𝑔 ∶ {0, 1} → {0, 1}, Pr𝑥,𝑦∈{0,1}[𝑓(𝑥) ⊕ 𝑔(𝑦) = 𝑥 ∧ 𝑦] ≤ 3/4.
Proof. Since the probability is taken over all four choices of 𝑥, 𝑦 ∈ {0, 1}, the only way the theorem can be violated is if there exist two functions 𝑓, 𝑔 that satisfy 𝑓(𝑥) ⊕ 𝑔(𝑦) = 𝑥 ∧ 𝑦 for all the four choices of (𝑥, 𝑦) ∈ {0, 1}^2. Let’s plug in all these four choices and see what we get (below we use the equalities 𝑧 ⊕ 0 = 𝑧, 𝑧 ∧ 0 = 0 and 𝑧 ∧ 1 = 𝑧):
𝑓(0) ⊕ 𝑔(0) = 0 (plugging in 𝑥 = 0, 𝑦 = 0)
𝑓(0) ⊕ 𝑔(1) = 0 (plugging in 𝑥 = 0, 𝑦 = 1)
𝑓(1) ⊕ 𝑔(0) = 0 (plugging in 𝑥 = 1, 𝑦 = 0)
𝑓(1) ⊕ 𝑔(1) = 1 (plugging in 𝑥 = 1, 𝑦 = 1)
If we XOR together the first and second equalities we get 𝑔(0) ⊕ 𝑔(1) = 0, while if we XOR together the third and fourth equalities we get 𝑔(0) ⊕ 𝑔(1) = 1, thus obtaining a contradiction. ■
An amazing experimentally verified fact is that quantum mechanics allows for “telepathy”.^12 Specifically, it has been shown that using the weirdness of quantum mechanics, there is in fact a strategy for Alice and Bob to succeed in this game with probability larger than 3/4 (in fact, they can succeed with probability about 0.85, see Lemma 18.3).
18.5 ANALYSIS OF BELL’S INEQUALITY
Now that we have the notation in place, we can show a strategy for Alice and Bob to display “quantum telepathy” in Bell’s Game. Recall that in the classical case, Alice and Bob can succeed in the “Bell Game” with probability at most 3/4 = 0.75. We now show that quantum mechanics allows them to succeed with probability at least 0.8.^13
^14 We are using the (not too hard) observation that the result of this experiment is the same regardless of the order in which Alice and Bob apply their rotations and measurements.
Lemma 18.3 There is a 2-qubit quantum state 𝜓 ∈ ℂ^4 so that if Alice has access to the first qubit of 𝜓, can manipulate and measure it and output 𝑎 ∈ {0, 1} and Bob has access to the second qubit of 𝜓 and can manipulate and measure it and output 𝑏 ∈ {0, 1} then Pr[𝑎 ⊕ 𝑏 = 𝑥 ∧ 𝑦] ≥ 0.8.
Proof. Alice and Bob will start by preparing a 2-qubit quantum system in the state
(this state is known as an EPR pair). Alice takes the first qubit of the system to her room, and Bob takes the second qubit to his room. Now, when Alice receives 𝑥, if 𝑥 = 0 she does nothing and if 𝑥 = 1 she applies the unitary map 𝑅−𝜋/8 to her qubit, where
$$R_\theta = \begin{pmatrix} \cos\theta & -\sin\theta \\ \sin\theta & \cos\theta \end{pmatrix}$$
is the unitary operation corresponding to rotation in the plane with angle 𝜃. When Bob receives 𝑦, if 𝑦 = 0 he does nothing and if 𝑦 = 1 he applies the unitary map 𝑅𝜋/8 to his qubit. Then each one of them measures their qubit and sends this as their response. Recall that to win the game Bob and Alice want their outputs to be more likely to differ if 𝑥 = 𝑦 = 1 and to be more likely to agree otherwise. We will split the analysis in one case for each of the four possible values of 𝑥 and 𝑦.
Case 1: 𝑥 = 0 and 𝑦 = 0. If 𝑥 = 𝑦 = 0 then the state does not change. Because the state 𝜓 is proportional to |00⟩ + |11⟩, the measurements of Bob and Alice will always agree (if Alice measures 0 then the state collapses to |00⟩ and so Bob measures 0 as well, and similarly for 1). Hence in the case 𝑥 = 𝑦 = 0, Alice and Bob always win.
Case 2: 𝑥 = 0 and 𝑦 = 1. If 𝑥 = 0 and 𝑦 = 1 then after Alice measures her bit, if she gets 0 then the system collapses to the state |00⟩, in which case after Bob performs his rotation, his qubit is in the state cos(𝜋/8)|0⟩ + sin(𝜋/8)|1⟩. Thus, when Bob measures his qubit, he will get 0 (and hence agree with Alice) with probability cos^2(𝜋/8) ≥ 0.85. Similarly, if Alice gets 1 then the system collapses to |11⟩, in which case after rotation Bob’s qubit will be in the state − sin(𝜋/8)|0⟩ + cos(𝜋/8)|1⟩ and so once again he will agree with Alice with probability cos^2(𝜋/8).
The analysis for Case 3, where 𝑥 = 1 and 𝑦 = 0, is completely analogous to Case 2. Hence Alice and Bob will agree with probability cos^2(𝜋/8) in this case as well.^14
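Theorem 18.2 and Lemma 18.3 checked by computation, as an added example (my code, not the book's): the classical bound is obtained by exhausting all 16 pairs of deterministic strategies, and the quantum strategy is simulated on the four-amplitude state of the EPR pair with the rotations 𝑅−𝜋/8 and 𝑅𝜋/8 applied exactly as in the proof. The code also works out the fourth case, 𝑥 = 𝑦 = 1, which this excerpt does not reach; it comes out at 1/2, so the average over the four inputs is (1 + 2cos^2(𝜋/8) + 1/2)/4 ≈ 0.80. All helper names are my own.

```python
import itertools
import math

def classical_best():
    """Theorem 18.2 by exhaustion: over all 16 pairs of deterministic strategies
    f, g : {0,1} -> {0,1}, the best Pr[f(x) xor g(y) = x and y] is 3/4."""
    best = 0.0
    for f in itertools.product((0, 1), repeat=2):      # f = (f(0), f(1))
        for g in itertools.product((0, 1), repeat=2):  # g = (g(0), g(1))
            wins = sum(1 for x in (0, 1) for y in (0, 1) if f[x] ^ g[y] == (x & y))
            best = max(best, wins / 4)
    return best

def rotation(theta):
    """R_theta = [[cos, -sin], [sin, cos]], the rotation used in Lemma 18.3."""
    c, s = math.cos(theta), math.sin(theta)
    return [[c, -s], [s, c]]

def apply_one_qubit(gate, psi, qubit):
    """Apply a real 2x2 gate to qubit 0 (Alice's) or qubit 1 (Bob's) of the
    2-qubit state psi, where psi[2*a + b] is the amplitude of |ab>."""
    out = [0.0] * 4
    for idx, amp in enumerate(psi):
        a, b = idx >> 1, idx & 1
        old = a if qubit == 0 else b
        for new in (0, 1):
            tgt = (new << 1) | b if qubit == 0 else (a << 1) | new
            out[tgt] += gate[new][old] * amp
    return out

def quantum_win_probability(x, y):
    """Success probability of the EPR-pair strategy on inputs x, y."""
    psi = [1 / math.sqrt(2), 0.0, 0.0, 1 / math.sqrt(2)]   # (|00> + |11>) / sqrt(2)
    if x == 1:
        psi = apply_one_qubit(rotation(-math.pi / 8), psi, 0)   # Alice rotates by -pi/8
    if y == 1:
        psi = apply_one_qubit(rotation(math.pi / 8), psi, 1)    # Bob rotates by +pi/8
    # Measuring both qubits yields |ab> with probability psi_ab^2; they win iff a xor b = x and y.
    return sum(amp * amp for idx, amp in enumerate(psi)
               if ((idx >> 1) ^ (idx & 1)) == (x & y))

def quantum_average():
    """Average success over the four uniformly random input pairs."""
    return sum(quantum_win_probability(x, y) for x in (0, 1) for y in (0, 1)) / 4

if __name__ == "__main__":
    print("best classical:", classical_best())
    for x, y in itertools.product((0, 1), repeat=2):
        print(f"x={x} y={y}: quantum win prob = {quantum_win_probability(x, y):.4f}")
    print("quantum average:", round(quantum_average(), 4))
```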
18.6 GROVER’S ALGORITHM
Shor’s Algorithm, which we’ll see in the next lecture, is an amazing achievement, but it only applies to very particular problems. It does not seem to be relevant to breaking AES, lattice based cryptography, or problems not related to quantum computing at all such as scheduling, constraint satisfaction, traveling salesperson etc. Indeed, for the most general form of these search problems, classically we don’t know how to do anything much better than brute force search, which takes 2^𝑛 time over an 𝑛-bit domain. Lov Grover showed that quantum computers can obtain a quadratic improvement over this brute force search, solving SAT in 2^{𝑛/2} time. The effect of Grover’s algorithm on cryptography is fairly mild: one essentially needs to double the key lengths of symmetric primitives. But beyond cryptography, if large scale quantum computers end up being built, Grover search and its variants might end up being some of the most useful computational problems they will tackle. Grover’s theorem is the following:
Theorem (Grover search, 1996): There is a quantum 𝑂(2^{𝑛/2} 𝑝𝑜𝑙𝑦(𝑛))-time algorithm that given a 𝑝𝑜𝑙𝑦(𝑛)-sized circuit computing a function 𝑓 ∶ {0, 1}^𝑛 → {0, 1} outputs a string 𝑥∗ ∈ {0, 1}^𝑛 such that 𝑓(𝑥∗) = 1.
Proof sketch: The proof is not hard but we only sketch it here. The general idea can be illustrated in the case that there exists a single 𝑥∗ satisfying 𝑓(𝑥∗) = 1. (There is a classical reduction from the general case to this problem.) As in Simon’s algorithm, we can efficiently initialize an 𝑛-qubit system to the uniform state 𝑢 = 2^{−𝑛/2} ∑𝑥∈{0,1}^𝑛 |𝑥⟩, which has 2^{−𝑛/2} dot product with |𝑥∗⟩. Of course if we measure 𝑢, we only have probability (2^{−𝑛/2})^2 = 2^{−𝑛} of obtaining the value 𝑥∗. Our goal would be to use 𝑂(2^{𝑛/2}) calls to the oracle to transform the system to a state 𝑣 with dot product at least some constant 𝜖 > 0 with the state |𝑥∗⟩. It is an exercise to show that using Hadamard (𝐻𝑎𝑑) gates we can efficiently compute the unitary operator 𝑈 such that 𝑈𝑢 = 𝑢 and 𝑈𝑣 = −𝑣 for every 𝑣 orthogonal to 𝑢. Also, using the circuit for 𝑓, we can efficiently compute the unitary operator 𝑈∗ such that 𝑈∗|𝑥⟩ = |𝑥⟩ for all 𝑥 ≠ 𝑥∗ and 𝑈∗|𝑥∗⟩ = −|𝑥∗⟩. It turns out that 𝑂(2^{𝑛/2}) applications of 𝑈𝑈∗ to 𝑢 yield a vector 𝑣 with Ω(1) inner product with |𝑥∗⟩. To see why, consider what these operators do in the two dimensional linear subspace spanned by 𝑢 and |𝑥∗⟩. (Note that the initial state 𝑢 is in this subspace and all our operators preserve this property.) Let 𝑢⟂ be the unit vector orthogonal to 𝑢 in this subspace and let 𝑥∗⟂ be the unit vector orthogonal to |𝑥∗⟩ in this subspace. Restricted to this subspace, 𝑈∗ is a reflection along the axis 𝑥∗⟂ and 𝑈 is a reflection along the axis 𝑢.
Now, let 𝜃 be the angle between 𝑢 and 𝑥∗⟂. These vectors are very close to each other and so 𝜃 is very small but not zero - it is equal to sin^{−1}(2^{−𝑛/2}) which is roughly 2^{−𝑛/2}. Now if our state 𝑣 has angle 𝛼 ≥ 0 with 𝑢, then as long as 𝛼 is not too large (say 𝛼 < 𝜋/8) this means that 𝑣 has angle 𝛼 + 𝜃 with 𝑥∗⟂. That means that 𝑈∗𝑣 will have angle −𝛼 − 𝜃 with 𝑥∗⟂, or −𝛼 − 2𝜃 with 𝑢, and hence 𝑈𝑈∗𝑣 will have angle 𝛼 + 2𝜃 with 𝑢. Hence in one application of 𝑈𝑈∗ we move 2𝜃 radians away from 𝑢, and in 𝑂(2^{𝑛/2}) steps the angle between 𝑢 and our state will be at least some constant 𝜖 > 0. Since we live in the two dimensional space spanned by 𝑢 and |𝑥∗⟩, this means that the dot product of our state and |𝑥∗⟩ will be at least some constant as well. QED
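The proof sketch run on an actual state vector, as an added example (my code, not the book's): it applies 𝑈∗ as a sign flip on the marked strings and 𝑈 as the reflection about 𝑢 (with 𝑢 uniform this is "inversion about the mean"), and compares the measured success probability against the angle analysis above, which gives sin^2((2𝑘+1)𝜃) after 𝑘 rounds. The same two-dimensional argument holds for any number of solutions with sin 𝜃 = √(solutions/2^𝑛), so the prediction helper takes that count too; the 10-qubit instance, the marked strings and the helper names are constructed by me.

```python
import math

def grover_state(f, n, iterations):
    """Start from the uniform state u over n qubits and apply (U U*) `iterations` times.
    f(x) is True exactly on the marked strings. Amplitudes stay real throughout."""
    N = 1 << n
    v = [1 / math.sqrt(N)] * N                               # u = 2^{-n/2} sum_x |x>
    for _ in range(iterations):
        v = [-a if f(x) else a for x, a in enumerate(v)]     # U*: one oracle call
        mean = sum(v) / N                                    # U = 2uu^T - I maps v to
        v = [2 * mean - a for a in v]                        # 2<u,v>u - v = reflect about the mean
    return v

def success_probability(f, n, iterations):
    """Probability that measuring the final state yields some x with f(x) = 1."""
    return sum(a * a for x, a in enumerate(grover_state(f, n, iterations)) if f(x))

def predicted_probability(n, k, solutions=1):
    """Angle analysis: sin(theta) = sqrt(solutions / 2^n); after k rounds the state makes
    angle (2k+1) theta with x*-perp, so the success probability is sin^2((2k+1) theta)."""
    theta = math.asin(math.sqrt(solutions / (1 << n)))
    return math.sin((2 * k + 1) * theta) ** 2

def optimal_iterations(n, solutions=1):
    """Round count bringing (2k+1) theta closest to pi/2: about (pi/4) 2^{n/2} for one solution."""
    theta = math.asin(math.sqrt(solutions / (1 << n)))
    return round((math.pi / (2 * theta) - 1) / 2)

# Constructed instance: n = 10 qubits, one marked string x* (chosen arbitrarily),
# plus a variant with three marked strings.
N_QUBITS = 10
X_STAR = 0b1011001101
f_single = lambda x: x == X_STAR
f_three = lambda x: x in (5, 100, 700)

if __name__ == "__main__":
    k = optimal_iterations(N_QUBITS)
    print(f"{k} rounds: Pr[measure x*] = {success_probability(f_single, N_QUBITS, k):.6f}")
    print(f"predicted by sin^2((2k+1) theta): {predicted_probability(N_QUBITS, k):.6f}")
    # Running past the optimum rotates the state past x*: 2k rounds lands back near u.
    print(f"{2 * k} rounds (overshoot): {success_probability(f_single, N_QUBITS, 2 * k):.6f}")
```

Note that the second-to-last line shows the failure mode a practitioner should know: Grover's rotation keeps going, so the iteration count must be set from 𝜃 rather than "as many as possible".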