* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Introduction to Quantum Computation
Aharonov–Bohm effect wikipedia , lookup
Matter wave wikipedia , lookup
Quantum dot cellular automaton wikipedia , lookup
Ensemble interpretation wikipedia , lookup
Topological quantum field theory wikipedia , lookup
Wave–particle duality wikipedia , lookup
Renormalization wikipedia , lookup
Relativistic quantum mechanics wikipedia , lookup
Renormalization group wikipedia , lookup
Scalar field theory wikipedia , lookup
Bell test experiments wikipedia , lookup
Basil Hiley wikipedia , lookup
Theoretical and experimental justification for the Schrödinger equation wikipedia , lookup
Bohr–Einstein debates wikipedia , lookup
Quantum decoherence wikipedia , lookup
Particle in a box wikipedia , lookup
Measurement in quantum mechanics wikipedia , lookup
Quantum field theory wikipedia , lookup
Density matrix wikipedia , lookup
Double-slit experiment wikipedia , lookup
Delayed choice quantum eraser wikipedia , lookup
Hydrogen atom wikipedia , lookup
Quantum dot wikipedia , lookup
Quantum entanglement wikipedia , lookup
Coherent states wikipedia , lookup
Copenhagen interpretation wikipedia , lookup
Bell's theorem wikipedia , lookup
Path integral formulation wikipedia , lookup
Quantum fiction wikipedia , lookup
Symmetry in quantum mechanics wikipedia , lookup
Orchestrated objective reduction wikipedia , lookup
Many-worlds interpretation wikipedia , lookup
Probability amplitude wikipedia , lookup
Quantum electrodynamics wikipedia , lookup
EPR paradox wikipedia , lookup
History of quantum field theory wikipedia , lookup
Quantum computing wikipedia , lookup
Interpretations of quantum mechanics wikipedia , lookup
Quantum group wikipedia , lookup
Quantum teleportation wikipedia , lookup
Quantum machine learning wikipedia , lookup
Canonical quantization wikipedia , lookup
Quantum state wikipedia , lookup
Quantum cognition wikipedia , lookup
Potentially Disruptive Technologies Quantum Computation and Cryptography Michele Mosca Canada Research Chair in Quantum Computation 15 April 2003 www.iqc.ca Perimeter Institute is a community of theoretical physicists dedicated to investigating fundamental issues in theoretical physics. www.perimeterinstitute.ca Outline What is quantum information processing? What does quantum mechanics make possible? What quantum mechanics make impossible? When will quantum information processing be realized? Computer technology is making devices smaller and smaller… …reaching a point where classical physics is no longer a suitable model for the laws of physics. Physics and Computation • Information is stored in a physical medium, and manipulated by physical processes. • The laws of physics dictate the capabilities of any information processing device. • Designs of “classical” computers are implicitly based in the classical framework for physics • Classical physics is known to be wrong or incomplete… and has been replaced by a more powerful framework: quantum mechanics. The nineteenth century was known as the machine age, the twentieth century will go down in history as the information age. I believe the twentyfirst century will be the quantum age. Paul Davies, Professor Natural Philosophy – Australian Centre for Astrobiology The design of devices on such a small scale will require engineers to control quantum mechanical effects. Allowing computers to take advantage of quantum mechanical behaviour allows us to do more than cram increasingly many microscopic components onto a silicon chip… … it gives us a whole new framework in which information can be processed in fundamentally new ways. A simple experiment in optics …consider a setup involving a photon source, a half-silvered mirror (beamsplitter), and a pair of photon detectors. detectors photon source beamsplitter Now consider what happens when we fire a single photon into the device… 50% 50% Simplest explanation: beam-splitter acts as a classical coin-flip, randomly sending each photon one way or the other. The “weirdness” of quantum mechanics… … consider a modification of the experiment… 100% The simplest explanation for the modified setup would still predict a 50-50 distribution… full mirror The simplest explanation is wrong! Classical probabilities… Consider a computation tree for a simple two-step (classical) probabilistic algorithm, which makes a coin-flip at each step, and whose output is 0 or 1: 1 2 1 2 0 1 2 1 2 1 1 2 0 1 The probability of the computation following a given path is obtained by multiplying the probabilities along all branches of that path… in the example the probability the computation follows the red path is 1 1 1 2 2 4 The probability of the computation giving the answer 0 is obtained by adding the probabilities of all paths resulting in 0: 1 1 1 4 4 2 …vs quantum probabilities … In quantum physics, we have probability amplitudes, which can have complex phase factors associated with them. 1 2 1 2 1 2 |0 1 2 |1 1 2 |0 1 2 |1 The probability amplitude associated with a path in the computation tree is obtained by multiplying the probability amplitudes on that path. In the example, the red path has amplitude 1/2, and the green path has amplitude –1/2. The probability amplitude for getting the answer |0 is obtained by adding the probability amplitudes… notice that the phase factors can lead to cancellations! The probability of obtaining |0 is obtained by squaring the total probability amplitude. In the example the probability of getting |0 is 2 1 1 0 2 2 Explanation of experiment … consider a modification of the experiment… 100% The simplest explanation for 1 1 the modified setup would still 0 0 1 0 predict a 50-50 distribution… 2 2 1 1 2 0 1 1 1 1 01 2 2 1 0 2 full mirror When do we use which probability rules? •If no path information is revealed, we must use the quantum probability rules. •If full path information is revealed, we must use the classical probability rules. •If partial path information is revealed, we must use a combination of the two; i.e. there is a more general set of rules that encapsulates both. Quantum mechanics and information Any physical medium capable of representing 0 and 1 is in principle capable of storing any linear combination 0 0 1 1 What does 0 0 1 1 really mean?? It’s a “mystery”. THE mystery. We don’t understand it, but we can tell you how it works. (Feynman) The world of the quantum may be bizarre, but it is our world and our future. Gerard Milburn, author of Schrödinger’s Machines. Quantum mechanics and information Any physical medium capable of representing 0 and 1 is in principle capable of storing any linear combination 0 0 1 1 How does this affect computational complexity? How does this affect information security? How does this affect communication complexity? Would you believe a quantum proof? How does quantum information help us better understand physics? How does this affect what is feasibly computable? Which “infeasible” computational tasks become “feasible”? How does this affect “computationally secure” cryptography? What new computationally secure cryptosystems become possible? Generalization to n qubits The general state of n qubits is α x x x{0 ,1}n where the x are complex numbers satisfying the normalization constraint α 2 x 1. x{0 ,1}n The state is represented by a unit vector in an exponentially large vector (Hilbert) space! Note, therefore, that it seems exponentially hard to simulate n quantum particles on a classical computer (Feynman). The Classical Computing Model A “Probabilistic Turing Machine” (PTM) is an abstract model of the modern (classical) computer. Strong Church-Turing Thesis: A PTM can efficiently simulate any realistic model of computing. Widespread belief in the Strong Church-Turing thesis has been one of the underpinnings of theoretical computer science. What do we mean by “efficient”? The complexity of an algorithm measures how much of some resource (e.g. time, space, energy) the algorithm uses as a function of the input size. e.g. the best known algorithms for factoring an n bit number uses time in O e(1.92o (1))( n) 1 2 3 (logn ) 3 k3 n (number field sieve algorithm) Factoring is believed to be hard on a Turing machine (or any equivalent model), but how do we know that there isn’t some novel architecture on which it is easy? The Strong Church Turing thesis tells us that all reasonable models can be efficiently simulated by a PTM, which implies that if it’s hard for a PTM it must be hard for any other reasonable computer. i.e. we believe computational problems, like factoring, have an intrinsic difficulty, independent of how hard we try to find an efficient algorithm. In the early 1980s, Richard Feynman observed that it seems implausible for a PTM to efficiently simulate quantum mechanical systems… …quantum computers are quantum mechanical systems… … so quantum computing is a model which seems to violate the Strong Church-Turing thesis! Are quantum computers realistic? The answer seems to be YES! If the quantum computers are a reasonable model of computation, and classical devices cannot efficiently simulate them, then the Strong ChurchTuring thesis needs to be modified to state: A quantum computer can efficiently simulate any realistic model of computation. A quantum circuit provides an visual representation of a quantum algorithm. 0 0 0 0 initial state quantum gates time measurement Quantum Parallelism Why are quantum computers capable of solving seemingly very difficult mathematical problems? Since quantum states can exist in exponential superposition, a computation of a function being performed on quantum states can process an exponential number of possible inputs in a single evaluation of f : 2 n 1 αx x i 0 2 n 1 f α i 0 x f ( x) By exploiting a phenomenon known as quantum interference, some global properties of f can be deduced from the output. Applications • Efficient simulations of quantum systems • Phase estimation; improved time-frequency and other measurement standards (e.g. GPS) • Factoring and Discrete Logarithms • Hidden subgroup problems • Amplitude amplification • and much more… Quantum Algorithms Integer Factorization (basis of RSA cryptography): Given N=pq, find p and q. Discrete logarithms (basis of DH crypto, including ECC): a,b G , ak = b , find k Computational Complexity Comparison Classical Factoring e O n1 / 3 log2 / 3 n Elliptic Curve Discrete Logarithms e O n Quantum On e O logn On e O logn (in terms of number of group multiplications for n-bit inputs) Which cryptosystems are threatened by Quantum Computers?? Information security protocols must be studied in the context of quantum information processing. The following cryptosystems are insecure against such quantum attacks: • RSA (factoring) • Rabin (factoring) • ElGamal (discrete log, including ECC – see Proos and Zalka) http://arxiv.org/abs/quant-ph/0301141 •Buchmann-Williams (principal ideal distance problem) •and others… (see MMath thesis, Michael Brown, IQC) We need to worry NOW about information that needs to remain private for long periods of time. It takes a long time to change an infrastructure. What sort of cryptography will quantum computers enable? Can efficient factoring, discrete logarithms, or other efficient quantum tasks be used to produce new computationally secure cryptosystems secure against quantum attacks? •A quantum public key cryptosystem was proposed by a group in Japan [OTU00]; require a quantum computer to set up the system, but only require classical means to encrypt and decrypt •others?? These are techniques that can be employed once largescale quantum computation are available. Amplitude Amplification Consider any function f : X {0,1}. Find x satisfying f(x)=1. Suppose algorithm A succeeds with probability p. With classical methods, we expect to repeat A a total 1 time before finding a solution, since of p each application of A “boosts” the probability of finding a solution by roughly p p p p p p p p p p 1 1/ p Amplitude Amplification (Grover96, BBHT98, BH97, Gro98, BHMT02) A quantum mechanical implementation of A succeeds with probability amplitude p . With quantum methods, each application of A “boosts” the probability amplitude of finding a solution by roughly p p p p 1 1/ p i.e. we get a square-root speedup! Application of Amplitude Amplification: Searching a key space f (x)=1 if and only if x is the correct n-bit cryptographic key Find an x satisfying f(x)=1. Suppose algorithm A succeeds with probability p=1/2n. We can iterate A and f O 2n / 2 times to find such an x. i.e. we need to roughly double our key lengths This algorithm is VERY broadly applicable to any sort of computational search. How else does quantum mechanics affect information security? No-cloning theorem There is no procedure that will copy or “clone” an arbitrary quantum state, i.e. ψ 0 ψ ψ Such an operation is not linear, and is not permitted by quantum mechanics. We can copy all the elements of an orthogonal set of states, but when we extend this operation linearly, no other states will be correctly cloned. For example, we can map 0 0 0 0 However 0 1 0 11 1 0 0 0 1 1 0 1 0 1 Eavesdropper detection Any attempts to produce pseudo-clones will be detected with significant probability. In general, any scheme to extract information about the state of a quantum system, will disturb the system in a way that can be detected with some probability. This idea motived Wiesner to invent quantum money around 1970. His work was essentially ignored by the scientific community for a decade, until Bennett and Brassard built on these ideas to create quantum key distribution. Quantum Key Establishment (general idea) Alice quantum bits Bob Eve Alice and Bob measure their qubits Quantum Key Distribution (general idea) Authenticated public channel Alice and Bob publicly discuss the information they measured to assess how much information Eve could have obtained. If Eve’s information is very likely to be below a certain constant threshold, they can communicate further and distill out a very private shared key (“privacy amplification”). Otherwise they abandon the key. Quantum Information Security We can exploit the eavesdropper detection that is intrinsic to quantum systems in order to derive new “unconditionally secure” information security protocols. The security depends only on the laws of physics, and not on computational assumptions. •Quantum key establishment (available now/soon) •Quantum random number generation (available now/soon) •Quantum money (require stable quantum memory) •Quantum digital signatures (requires quantum computer) •Quantum secret sharing (requires quantum computer) •Multi-party quantum computations •and more… Implementations? Why is it so hard? How will they be built? When will we see quantum information processors? Quantum Information is Fragile CLASSICAL 106 eV QUANTUM |0 10-6 eV 0 1 |1 • low energy • control of operations • superpositions are very fragile • isolation from environment Quantum Error Correction … allows quantum computation in the presence of noise. A quantum computation of any length can be made as accurate as desired, so long as the noise is below some threshold, e.g. P < 10-4. Significance: • imperfections and imprecision are not fundamental obstacles to building quantum computers • gives a criterion for scalability guide for experimentalists benchmark for comparing technologies Devices for Quantum Computing • Atom traps • Cavity QED • Electron floating on helium • Electron trapped by surface acoustic waves • Ion traps • Nuclear magnetic resonance (NMR) • Quantum optics • Quantum dots • Solid state • Spintronics • Superconducting Josephson junctions •and more… Implementations Who’s Trying? • Aarhus • Berkeley • Caltech • Cambridge • College Park • Delft • DERA (U.K.) • École normale supérieure • Geneva • HP Labs (Palo Alto and Bristol) • Hitachi • IBM Research (Yorktown Heights and Palo Alto) • Innsbruck • Los Alamos National Labs • McMaster • Max Planck Institute-Munich • Melbourne • MIT • NEC • New South Wales • NIST • NRC • Orsay • Oxford • Paris • Queensland • Santa Barbara • Stanford • Toronto • Vienna • Waterloo • Yale • many others… Bottom line What are the capabilities of quantum information processors? What will be the impact of these capabilities? Which technologies will be realized and when? What technologies will be implemented and when? Quantum random number generators: now. Quantum key establishment: <10 years; some prototypes already available Small scale quantum computers (e.g. needed for long distance quantum communication): medium term Large scale quantum computers: medium-long term Precise times are hard to predict since we are in the early stages and still trying a very broad range of approaches. Once we focus on technologies that show promise, expect progress to be very fast. •Wireless Sensor Networks •Injectable Tissue Engineering •Nano Solar Cells •Mechatronics •Grid Computing •Molecular Imaging •Nanoimprint Lithography •Software Assurance •Glycomics •Quantum Cryptography Goal: to take quantum information from the blackboard to the drawing board Investments Canada makes today in quantum computing will set the foundation for Canada’s global commercial success in this important new technology over the coming century. Mike Lazaridis, President and co-CEO, RIM. www.quantumworks.net