Nat Comput (2009) 8:663–679
DOI 10.1007/s11047-008-9094-8

Quantum computation and cryptography: an overview

Manuel Calixto
Departamento de Matemática Aplicada y Estadística, Universidad Politécnica de Cartagena, Paseo Alfonso XIII 56, 30203 Cartagena, Spain

Published online: 15 August 2008
© Springer Science+Business Media B.V. 2008

Abstract The new Quantum Information Theory augurs powerful machines that obey the "entangled" logic of the subatomic world. Parallelism, entanglement, teleportation, no-cloning and quantum cryptography are typical peculiarities of this novel way of understanding computation. In this article, we highlight and explain these fundamental ingredients that make Quantum Computing potentially powerful and Quantum Communications reliable.

Keywords Quantum computing · Logic gates · Algorithms · Cryptography · Entanglement · Parallelism · Teleportation

1 Introduction

Quantum Computing combines two of the main scientific achievements of the 20th century: Information Theory and Quantum Mechanics. Its interdisciplinary character is one of its most stimulating and appealing attributes.

The big success of Computer Science and Artificial Intelligence is linked to the vertiginous technological progress of the last decades. Essentially, computer power has doubled every 2 years since 1970, according to Moore's law (Scientific American 1997). Extrapolating naively to the near future, this steady exponential growth in the miniaturization of the elementary component (the transistor) would reach the atomic scale by the year 2017. By then, one bit of information could be stored in just one atom. However, we should also start worrying about new and surprising quantum-mechanical effects that arise at atomic scales. Some of them, like the tunnel effect, could have a disruptive effect that puts paid to standard computation. However, instead of fighting against quantum effects, we would be better off allying ourselves with them and thinking of proper alternative architectures adapted to the nanometric scales: the would-be "quantum computer".

Quantum Physics entails a way of processing information which is different from the traditional, classical, methods. The processing of the information carried by the wave function of a quantum physical system is the task of the new Quantum Information Theory (Schumacher 1995), a perfect marriage between Information Theory and Quantum Mechanics, comparable to the symbiosis between Physics and Geometry that leads to General Relativity.

In practical terms, the quantum manipulation of information offers real applications, especially the reliable transmission of information (Quantum Cryptography), and potential applications, like the design of exponentially fast quantum algorithms (see e.g. Calixto (2004) for an overview) that could threaten the privacy of most current business transactions. In fact, the most spectacular discovery in Quantum Computing to date is that quantum computers could efficiently perform some tasks (by efficient we mean that the running time is a polynomial function of the input size) which are not feasible (i.e. "super-polynomial") on a classical computer. For example, there are cryptographic systems, such as the "public key RSA" (Menezes et al. 1997), whose reliability is based on the assumption that there are no polynomial time (classical) algorithms for integer factoring. However, Shor (1994) created an algorithm, to be run on a quantum computer, that factorizes integers in polynomial time. Also, there are efficient quantum algorithms for searching (Grover 1997).

The advantages of Quantum Computing over the classical one rely on two quantum-mechanical properties par excellence, viz: superposition (interference or parallelism) and entanglement.
Quantum superposition allows the possibility of performing simultaneous mathematical operations (equivalent to many classical computers working in parallel), whereas entanglement provides greater quantum correlations in answers than any classical correlation we can imagine.

Unfortunately, the more power we gain, the less stability we get. A quantum computer turns out to be extremely vulnerable, fragile, sensitive to any kind of background noise. Keeping the coherence of several atoms is extremely difficult with current technology. Another drawback is that we cannot amplify a quantum signal, due to the so-called "no-cloning quantum theorem" (there are no perfect quantum copy machines...), thus limiting long-range quantum communications to tens of kilometers; nevertheless, we have quantum teleportation instead (see later). Actually, the impossibility of cloning quantum states has a positive side: the detection of eavesdroppers and the establishment of secure (quantum) communications.

Moreover, a certain fault tolerance and quantum error correcting algorithms, together with a big effort in (nano)technology improvement, could make quantum computing feasible in the near future. For the time being, it is worth analysing the meaning of Quantum Information and the abstract processing of it, disregarding the possible physical support or hardware (namely, ion trap, nuclear magnetic resonance, laser, etc.) that could efficiently implement our hypothetical computer in the future.

2 Classic versus quantum: bit versus qubit

The digital processing of information outside the brain goes through the conversion of messages and signals into sequences of binary digits. A classical device with two stable positions (like a wire carrying or not carrying electric current) can store one bit of information. Loosely speaking, the manipulation and processing of information comes down to swapping 0s and 1s around through logic gates (viz, NOT, AND, OR).
The basic electronic component par excellence is the transistor. It changes the state $a \to a'$ of electric current from $a = 0$ to $a' = 1$ and vice versa. Arranging transistors in different geometries (like in Fig. 1) we get distinct logic gates. Then, assembling logic gates we can implement binary addition, multiplication and so on. Note that, except for NOT, classical logic gates like NAND in Fig. 1 are irreversible; that is, knowing the result c = a + b, we cannot guess a and b. This loss of information leads to the well known heat dissipation of classical computers (see Fig. 2). Actually, we could make classical computation reversible by replacing traditional logic gates by the new ones: NOT, CNOT and CCNOT, in Fig. 3, the price being perhaps a waste of memory. In fact, Quantum Computation must be intrinsically reversible, since it is based on a unitary time evolution of the wave function $|\psi\rangle$ (probability must be conserved), dictated by the Schrödinger equation

$$i\hbar\,\frac{\partial|\psi\rangle}{\partial t} = H|\psi\rangle, \tag{1}$$

where $H$ denotes the Hamiltonian (a Hermitian operator).

Fig. 1 Schematic representation of the logic gates NOT, NAND, NOR as the action of transistors on the electric current. Ω denotes a resistor and V voltage

Fig. 2 Mechanical analogy of heat dissipation ($\Delta Q = kT \ln 2$) when restricting the possible values of one bit (namely, "particle on the right- (0) or the left-hand side (1) of the box") to, let us say, (1) with the help of a piston

Fig. 3 Truth tables of the reversible primitive gates: NOT, CNOT and CCNOT or Toffoli gates

In order to introduce the concept of qubit, let me use the following classical analogy. Suppose we drop the electric current in a wire to the limit of not being able to distinguish between zero (0) and positive (1) voltage. We could say then that the "state of electric current flow" of the wire is a statistical mixture $(\psi) = p_0(0) + p_1(1)$ of both possibilities, with probabilities $p_0$ and $p_1$. However, we would not gain anything new, but just introduce errors and uncertainty. Quantum Computing would not have any appeal if it wasn't that the quantum state described by the wave function (in Dirac's bracket notation)

$$|\psi\rangle = c_0|0\rangle + c_1|1\rangle \tag{2}$$

($c_0$ and $c_1$ are complex numbers fulfilling $|c_0|^2 + |c_1|^2 = 1$) is not only a statistical mixture with probabilities $p_0 = |c_0|^2$ and $p_1 = |c_1|^2$ but, in addition, it incorporates two important new ingredients: interference, or "parallelism", and entanglement, or "quantum correlations" (for the last one we actually need two or more qubits, like in the state $|\psi\rangle = |0\rangle|0\rangle + |1\rangle|1\rangle$).

The above classical analogy makes sense in that the description of physical phenomena starts needing the Quantum Theory as the energy (or action) gap between states (levels, possibilities, etc.) becomes smaller and smaller. This happens with more probability in the subatomic world than in the macroscopic world. All the quantum alternatives $\psi_j \sim e^{\frac{i}{\hbar}S_j}$, whose action gap $\Delta S = S_j - S_k$ is of the order of the Planck constant $\hbar$, coexist in some sort of quantum superposition with complex weights, like (2). These quantum alternatives are indistinguishable for a (classical) observer, who does not have access to that particular quantum superposition. In order to observe/measure the actual state, he has to "amplify" the action/energy differences $\Delta S$ up to the classical level, that is, up to the limit of being distinguishable by him. In this "amplification" or "measurement" process, the quantum superposition (2) is "destroyed" and only one of the alternatives (e.g., $|0\rangle$ or $|1\rangle$) survives the experience. This is the (standard but not free of controversy) so-called wave-function collapse (or measurement process), which raised and keeps raising so many philosophical and interpretation problems in Quantum Mechanics.
The coexistence of quantum alternatives gives rise to interference effects that defy common sense, like the well-known Young's double-slit experiment (see Fig. 4), which highlights the particle–wave duality of the electron. The interference between the two possible paths (let us say, 0 and 1) to be followed by electrons emanating from the gun F and crossing two slits, $R_0$ and $R_1$, gives rise to a resulting intensity (quantum pattern) $I \propto |c_0 + c_1|^2$ at each point of the screen P, which is different from the sum $I' \propto |c_0|^2 + |c_1|^2$ of the intensities through each of the slits (classical pattern). Loosely speaking, there are some "forbidden" (resp. "allowed") areas in the screen P where the electron "refuses" (resp. "tends") to hit when both paths, 0 and 1, are open. In fact, when we amplify the differences between the two alternative paths (that is, when we try to measure which particular path the electron follows), only one option survives (the electron follows a certain path when we observe it) and the quantum interference pattern is destroyed (the wave nature of the electron disappears and its particle nature emerges).

Fig. 4 Young's double slit interference experiment (gun F, slits $R_0$ and $R_1$, screen P; classical pattern $I'$ and quantum pattern $I$)

Thus, the wave function (2) carries an information different from the classic one, which we agree to call qubit (quantum bit). Physical devices that store one qubit of information are two-level quantum systems like: spin 1/2 particles and atoms (electrons, silver atoms, etc.), polarized light (photons), energy levels of some ions, etc. For example, it is possible to prepare a quantum state like (2) by striking a laser beam of proper frequency and duration on some ions.
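3 Quantum logic gates and circuits

In order to introduce the concept of quantum logic gates, let us use vector notation and denote

$$|0\rangle \equiv \begin{pmatrix} 1 \\ 0 \end{pmatrix}, \qquad |1\rangle \equiv \begin{pmatrix} 0 \\ 1 \end{pmatrix}. \tag{3}$$

We can express the only two, single-bit, classical reversible logic gates (the identity $I_2$ and NOT) as 2 × 2 matrices:

$$I_2 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \qquad \mathrm{NOT} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}. \tag{4}$$

For two bits we use tensor product notation and write the computational basis as:

$$
\begin{aligned}
|0\rangle &\equiv |0\rangle|0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 1 \\ 0 \\ 0 \\ 0 \end{pmatrix}, &
|1\rangle &\equiv |0\rangle|1\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} 0 \\ 1 \\ 0 \\ 0 \end{pmatrix}, \\
|2\rangle &\equiv |1\rangle|0\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \end{pmatrix}, &
|3\rangle &\equiv |1\rangle|1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 1 \end{pmatrix}.
\end{aligned}
\tag{5}
$$

There are 24 two-bit classical reversible logic gates which, in matrix notation, correspond to the 4! possible permutations of the columns of the 4 × 4 identity matrix $I_4 = \mathrm{diag}(1, 1, 1, 1)$. For example, the matrix of the CNOT gate in Fig. 3 is:

$$\mathrm{CNOT} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix}.$$

The CCNOT (or Toffoli) gate is one of the 8! = 40,320 three-bit classical reversible logic gates, represented by permutations of the 8 × 8 identity matrix. It can be proved that the primitive set NOT, CNOT, CCNOT is universal for classical reversible computation. For example, a simple 1-bit reversible adder can be built by concatenating the CCNOT and CNOT gates as in Fig. 5.

All these classical reversible logic gates are particular cases of unitary matrices (the inverse $U^{-1}$ coincides with the conjugate transpose $U^{*}$). They preserve the norm

$$\langle\psi|\psi\rangle = \sum_{n=0}^{2^N-1} |c_n|^2$$

of any N-qubit vector

$$|\psi\rangle = \sum_{n=0}^{2^N-1} c_n |n\rangle.$$

Of course there are infinitely many more unitary matrices than the classical reversible logic gates. For example, a unitary single-qubit gate that plays a fundamental role in quantum computing is the Walsh–Hadamard gate:

$$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}, \qquad \begin{cases} H|0\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle), \\ H|1\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle), \end{cases} \tag{6}$$

which creates quantum superposition from the (classical) computational basis (3).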
In the case of N = 2 qubits initially prepared as $|0\rangle$, the parallel action of two Hadamard gates gives a register in an equal quantum superposition of all the $2^2 = 4$ computational basis states (5). More explicitly:

$$
\begin{aligned}
H^{\otimes 2}|0\rangle|0\rangle \equiv H|0\rangle H|0\rangle &= \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)\,\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) \\
&= \frac{1}{2}(|00\rangle + |01\rangle + |10\rangle + |11\rangle) = \frac{1}{2}(|0\rangle + |1\rangle + |2\rangle + |3\rangle).
\end{aligned}
\tag{7}
$$

In general, if we apply N Hadamard gates in parallel on N qubits initially prepared as $|0\rangle$ then we obtain a register in an equal quantum superposition of all numbers from 0 up to $2^N - 1$:

$$H^{\otimes N}|0\rangle^{\otimes N} = \frac{1}{\sqrt{2^N}} \sum_{x=0}^{2^N-1} |x\rangle.$$

Fig. 5 1-Bit reversible adder

There are many other interesting single-qubit unitary operations like, for example, the "square root of NOT", phase S and π/8:

$$\sqrt{\mathrm{NOT}} = \frac{1+i}{2} \begin{pmatrix} 1 & -i \\ -i & 1 \end{pmatrix}, \qquad S = \begin{pmatrix} 1 & 0 \\ 0 & i \end{pmatrix}, \qquad T = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\pi/4} \end{pmatrix}.$$

It is proved that assembling (two-qubit) CNOT and arbitrary single-qubit unitary (quantum) gates is enough to design any algorithm (classically, it is the CNOT and CCNOT gates that constitute a universal set). Moreover, the Solovay–Kitaev theorem (see e.g. the appendix of Nielsen and Chuang 2000) states that any single-qubit unitary matrix can be approximated with error $\epsilon$ as a product of $\sim O(\log^2(1/\epsilon))$ quantum logic gates of the set {H, S, T}.

Quantum parallel evaluation of a function f, like modular addition $f_y(x) = x \oplus y$, with an N-bit input x and an N-bit output $f_y(x)$ can thus be performed in the following manner. Prepare the 2N-qubit state $|0\rangle^{\otimes N}|0\rangle^{\otimes N}$, then apply the Hadamard transform to the first N qubits, followed by the quantum circuit implementing the unitary transform $U_{f_y}$ as follows:

$$|0\rangle^{\otimes N}|0\rangle^{\otimes N} \xrightarrow{H^{\otimes N}} \sum_{x=0}^{2^N-1} |x\rangle|0\rangle^{\otimes N} \xrightarrow{U_{f_y}} \sum_{x=0}^{2^N-1} |x\rangle|x \oplus y\rangle. \tag{8}$$

That is, we have simultaneously computed the addition $x \oplus y$ for $2^N$ different values of x, even though we apparently only evaluated $f_y$ once. This would be equivalent to $2^N$ N-bit classical computers working in parallel.
This feature is called quantum parallelism. However, we can only measure or "amplify" one of the $2^N$ answers of the output

$$\sum_{x=0}^{2^N-1} |x \oplus y\rangle \xrightarrow{\text{measure}} |x_0 \oplus y\rangle.$$

Thus, Quantum computation requires something more than just quantum parallelism to be powerful; it requires the ability to extract information about more than one value of $f_y(x)$ from the superposition (8). In the next section we shall see that it is not exactly superposition or parallelism that makes quantum computation powerful, but entanglement.

Before finishing this Section, let me tell you about a physical system that displays a CNOT behaviour. The quantum superposition (7) could be the spin state ($|\downarrow\rangle \equiv |0\rangle$, $|\uparrow\rangle \equiv |1\rangle$) of the carbon and hydrogen nuclei in a chloroform molecule CHCl3. This two-qubit "toy quantum computer" can implement the CNOT (controlled not) gate in Fig. 3, by placing the molecule in an external magnetic field and acting on it with radiowave pulses that flip the spin of the nucleus. Actually, only when the spin of the carbon points in the direction of the external magnetic field (i.e., $|\uparrow\rangle = |1\rangle$) is it possible to flip the spin of the hydrogen. That is, the carbon is the "control" and the hydrogen acts as a XOR gate (see Fig. 3). In order to process more complex quantum information, it is promising to use linear ion traps (see e.g. Cirac and Zoller 1995), where the coupling between electron and vibrational degrees of freedom allows (in principle) the implementation of operations in a multi-qubit register by absorption and emission of photons and phonons.

4 Entanglement: EPR paradox

There are physical situations in which (quantum) particle pairs (or higher groupings) are created as if the state of one member would "instantaneously" determine or influence the state of the other, though they were hundreds of kilometres apart. It is not exactly like having couples of loaded dice that always offer the same face, but much more "intriguing", as we are going to see.
For example, spin positron-electron entangled pairs

$$|EP\rangle = \frac{1}{\sqrt{2}}\left(|\uparrow\rangle_e|\downarrow\rangle_p - |\downarrow\rangle_e|\uparrow\rangle_p\right)$$

are created in the decay of spin zero neutral particles; also pairs of photons with orthogonal polarizations (V means vertical and H horizontal)

$$|VH\rangle = \frac{1}{\sqrt{2}}\left(|\updownarrow\rangle_1|\leftrightarrow\rangle_2 - |\leftrightarrow\rangle_1|\updownarrow\rangle_2\right)$$

are created by striking laser pulses on certain non-linear crystals. These are just particular examples (the so-called "singlet states"), but more general situations are also possible.

Note that these entangled states cannot be written as a tensor product. Indeed, the equation

$$
\begin{aligned}
|0\rangle|1\rangle + |1\rangle|0\rangle &= (a|0\rangle + b|1\rangle) \otimes (c|0\rangle + d|1\rangle) \\
&= ac|0\rangle|0\rangle + ad|0\rangle|1\rangle + bc|1\rangle|0\rangle + bd|1\rangle|1\rangle
\end{aligned}
\tag{9}
$$

implies that $ac = 0 = bd$, $ad = 1 = bc$, which does not have a solution.

Assembling Hadamard H and CNOT gates, as in Fig. 6, we can create entangled states from the computational basis. More explicitly:

$$\mathrm{CNOT}(H|0\rangle|1\rangle) = \mathrm{CNOT}\,\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)|1\rangle = \frac{1}{\sqrt{2}}(|0\rangle|1\rangle + |1\rangle|0\rangle).$$

The mathematical definition of entanglement is clear (at least for pure, not mixed, states): entangled states of N qubits cannot be written as a tensor product of N qubits, as in Eq. 9. In order to better grasp the deep physical meaning of entanglement we propose the following "gedankenexperiment" (imaginary experiment like (Aspect et al. 1981)) depicted in Fig. 7. In the case of entangled spins like EP, Alice A and Bob B are each equipped with magnetic fields $H_A$ and $H_B$, which can be oriented in the directions ↑, → and ↗, ↘, respectively, like in the Stern-Gerlach experiment for silver atoms. From the result $R_A$ of the electron's (E) spin in Alice's measurement (which can result in either parallel $|\uparrow\rangle_e$ or antiparallel $|\downarrow\rangle_e$ to the external magnetic field $H_A$), one can predict with certainty the result $R_B$ of the positron's (P) spin in Bob's measurement, when measuring in the same direction $H_B \parallel H_A$ as Alice ($R_B$ ought to be antiparallel to $R_A$ in this case).
This would happen even if Alice and Bob were far away, so that no information exchange between them could take place before each measurement, according to Einstein's causality principle.

Fig. 6 A quantum circuit, made of Hadamard H and CNOT gates, that creates entanglement

Fig. 7 Measuring entangled pairs $|EP\rangle$

In order to motivate the original Einstein–Podolsky–Rosen "paradox" (Einstein et al. 1935), we propose the following classic analogy: let us think of "entangled" pairs of green and red balls, made of metal or wood and whose weight is 0.5 or 1 kg. The measurement devices (the analog of the magnetic field H directions) can be a flashlight (to measure color), fire (to distinguish metal from wood) and some weighing apparatus. Pairs of balls are "entangled" as: green–red, metal–wood and 0.5–1, and one of each pair is sent to Alice and the other to Bob. Thus, the measurement of a given quality carried out by Alice on one member of the pair automatically determines the quality of the other member of the pair, even before Bob carries out the corresponding measurement. What is then the paradox? If Alice and Bob are quite far away, so that no message can fly between them while the measurements take place, then Bob would never think that the choice of measurement apparatus (flashlight, fire or scales) by Alice on one member of the pair would determine his results (color, fabric and weight) on the other member of the pair. If it were so, then we should start thinking about "telepathy" or "action at a distance", something forbidden by Einstein's Relativity Theory. This situation would never happen in the classic (macroscopic) world, but it is perfectly possible in the quantum (subatomic) arena. Here we have the "esoteric" face of quantum mechanics that upset Einstein.
However, let us see that there is nothing mysterious in quantum mechanics when one accepts that, contrary to classical systems, subatomic entities do not have well defined values of their properties before they are measured; instead, all possible values must coexist in a quantum superposition like in (2). Indeed, (the following argument is a particular example of Bell's inequalities (Bell 1966)) let us say that Bob, loyal to the classical mentality, really believes that the positron coming to him (see Fig. 7) has a definite spin: either up (parallel) ↑ or down (antiparallel) ↓ (but never a mixture...) aligned with his magnetic field $H_B$, which he can choose either in the direction ↗ or ↘, at pleasure. Alice's magnetic field directions are rotated $\theta = \pi/4$ radians with respect to Bob's. Let us say the answer is R = 1 when the spin is up and R = 0 when the spin is down with respect to the magnetic field H.

Let us suppose that Alice and Bob start by placing $(H_A, H_B) = (\rightarrow, \nearrow)$. Quantum Mechanics predicts that the probability of agreement between the answers $(R_A, R_B)$ is $\sin^2(\theta/2) = 0.15$, where $\theta$ is the angle between $H_A$ and $H_B$ (that is, $\theta = \pi/4$). Bob, who stays quite far away from Alice's place, also thinks that his results $R_B$ are not affected by Alice's choice of measurement direction (either ↑ or →). Even more, since he thinks the spin is well defined even before any measurement takes place, he also thinks that the global result would have been $(R'_A, R_B)$, instead of $(R_A, R_B)$, if the choice of measurement had been $(H_A, H_B)' = (\uparrow, \nearrow)$ instead of $(H_A, H_B) = (\rightarrow, \nearrow)$. The agreement between answers $(R'_A, R_B)$ would continue to be the same (15%) since the new angle $\theta'$ is the same as before. In the same way, according to "classic" Bob's mentality, if the arrangement were $(H_A, H_B)'' = (\rightarrow, \searrow)$, then the agreement between $(R_A, R'_B)$ would have been again 15%.
Taking into account the previous results, and just by simple deduction (transitive property), Bob would then conclude that the agreement between $(R'_A, R'_B)$, in the arrangement $(H_A, H_B)''' = (\uparrow, \searrow)$, would never exceed 15% + 15% + 15% = 45%. But, on the contrary, the experiment gives 85%, in accordance with Quantum Mechanics, which predicts $\sin^2(\theta'''/2) \simeq 0.85$ for $\theta''' = 3\pi/4$ (to be precise, experiments are not really done with electrons and positrons, but with other spin 1/2 particles or photons, although the same argument applies). The mistake is then to think that, "like balls", electrons have a definite spin (up or down) before the measurement takes place. Otherwise we should start believing in telepathy....

It is clear that these kinds of experiments at subatomic level, utterly uncommon in the macroscopic world, could be efficiently used in the future to create really surprising situations. Let us imagine a World-Wide-Web of entangled quantum computers that cooperate performing tasks which are impossible even via satellite. Nowadays, this is just speculation, although there are current and future applications of entanglement in the field of telecommunications. Let us see some of these implementations of entanglement.

5 Entanglement and teleportation

One of the most spectacular applications of entanglement is the possibility of transporting a quantum system from one place to another without carrying matter, but just information. Teleporting the polarization state of one photon is nowadays physically realizable thanks to the original idea of the authors in Bennett et al. (1993) and the Innsbruck experiment (Bouwmeester et al. 1997). However, there is a long way to go before we can teleport a macroscopic (even a mesoscopic) system. First we must fight "quantum decoherence" (qubits are fragile and sensitive to any kind of external noise).
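The Bell-type counting argument that closes Section 4 can be checked numerically. The following Python code is an added example, not part of the original article: it enumerates every "classical Bob" assignment of definite answers to confirm the 15% + 15% + 15% bound, then computes the singlet agreement probabilities from the amplitudes of $|EP\rangle$. The direction names and the convention of measuring angles from the vertical are assumptions made for the example.

```python
import itertools
import math

# Field directions as angles from the vertical (assumed convention),
# named after the arrows used in the text: Alice uses UP / RIGHT,
# Bob uses UP_RIGHT / DOWN_RIGHT.
UP, UP_RIGHT, RIGHT, DOWN_RIGHT = 0.0, math.pi / 4, math.pi / 2, 3 * math.pi / 4

# Singlet (|up,down> - |down,up>)/sqrt(2); index 0 = up, 1 = down.
SINGLET = {(0, 1): 1 / math.sqrt(2), (1, 0): -1 / math.sqrt(2)}


def parallel(angle):
    """Amplitudes on (|up>, |down>) of the spin state parallel to the field."""
    return (math.cos(angle / 2), math.sin(angle / 2))


def antiparallel(angle):
    """Amplitudes of the spin state antiparallel to the field."""
    return (-math.sin(angle / 2), math.cos(angle / 2))


def joint_probability(state_a, state_b):
    """Probability that the singlet is found in the product state a (x) b."""
    amplitude = sum(c * state_a[i] * state_b[j] for (i, j), c in SINGLET.items())
    return amplitude ** 2  # every amplitude is real in this plane


def agreement(angle_a, angle_b):
    """Probability that Alice and Bob get the same answer (both 1 or both 0)."""
    return (joint_probability(parallel(angle_a), parallel(angle_b))
            + joint_probability(antiparallel(angle_a), antiparallel(angle_b)))


def classical_inequality_holds():
    """Check Bob's transitivity argument for all 16 definite assignments.

    If R_A, R'_A, R_B, R'_B all exist before measurement, then R'_A = R'_B
    can only happen when at least one of the other three pairs agrees, so
    P(R'_A = R'_B) <= P(R_A = R_B) + P(R'_A = R_B) + P(R_A = R'_B).
    """
    for ra, ra_p, rb, rb_p in itertools.product((0, 1), repeat=4):
        if (ra_p == rb_p) > (ra == rb) + (ra_p == rb) + (ra == rb_p):
            return False
    return True


def bell_check():
    """Return (classical upper limit, quantum prediction) for the last setting."""
    limit = (agreement(RIGHT, UP_RIGHT)       # theta   = pi/4
             + agreement(UP, UP_RIGHT)        # theta'  = pi/4
             + agreement(RIGHT, DOWN_RIGHT))  # theta'' = pi/4
    quantum = agreement(UP, DOWN_RIGHT)       # theta''' = 3*pi/4
    return limit, quantum


if __name__ == "__main__":
    limit, quantum = bell_check()
    print("inequality holds for every definite assignment:",
          classical_inequality_holds())
    print(f"classical limit {limit:.3f}, quantum prediction {quantum:.3f}")
```
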
A typical electromagnetic wave, such as a light beam from the sun, a flashlight or a laser pointer, vibrates in all directions perpendicular to the beam direction. When we pass it through a polarizer (like the lens from a pair of polarizing sunglasses), we select a particular vibration direction (let us say: horizontal ↔ or vertical ↕), absorbing the rest. In general, the polarization state of one photon is a quantum superposition like:

$$|\psi\rangle = c_h|\leftrightarrow\rangle + c_v|\updownarrow\rangle, \tag{10}$$

where $|c_v|^2$ (resp. $|c_h|^2$) is the probability that the photon goes through a vertically (resp. horizontally) oriented polarizer. Moreover, some birefringent crystals (like calcite crystals) can be used to separate photons (beam splitters) based on their polarization. If the photon striking the crystal is in a state like (10), it will emerge in one direction, vertically polarized $|\updownarrow\rangle$, with probability $|c_v|^2$ and in another direction, horizontally polarized $|\leftrightarrow\rangle$, with probability $|c_h|^2$.

Teleportation of one photon goes as follows (see Fig. 8). An ultraviolet laser pulse strikes a Barium β-Borate crystal, creating an entangled pair of photons $(F_1, F'_1)$ like

$$|\leftrightarrow\rangle_{F_1}|\updownarrow\rangle_{F'_1} - |\updownarrow\rangle_{F_1}|\leftrightarrow\rangle_{F'_1} \tag{11}$$

and another entangled pair $(F_2, F'_2)$ after reflection in a mirror M1. The polarizer P prepares $F_2$ in the state (10), which joins $F_1$ through a beam splitter (BS). Then Alice makes a two-qubit measurement (also called "coincidence" or Bell's measurement) with the photon detectors D1, D2. The measurement can have four different answers: $(R_{D_1}, R_{D_2}) = (1, 1), (1, 0), (0, 1), (0, 0)$. If both detectors are struck (i.e. if the answer is (1,1)), Alice tells Bob (through a classic message) that the photon $F'_1$ has "transmuted" to the state $\psi$, which Bob can verify by using a beam splitter polarizer (BSP), consisting of a calcite crystal.
In the other three cases, Alice can always indicate to Bob the operation to rotate $F'_1$ to $\Psi$. Thus, we need a two-bit classic message to teleport one qubit (this is some sort of dense information coding).

Fig. 8 Quantum teleportation of the polarization state of one photon

Quantum information cannot be cloned (no-cloning quantum theorem). Indeed, let us assume that there exists a unitary transformation U that clones two orthogonal states $|a\rangle$ and $|b\rangle$ with $\langle a|b\rangle = 0$, that is:

$$U|a\rangle|0\rangle = |a\rangle|a\rangle, \qquad U|b\rangle|0\rangle = |b\rangle|b\rangle. \tag{12}$$

Let us consider the superposition $|c\rangle = \frac{1}{\sqrt{2}}(|a\rangle + |b\rangle)$. On the one hand, using the linearity property of U, we should have:

$$U|c\rangle|0\rangle = \frac{1}{\sqrt{2}}(U|a\rangle|0\rangle + U|b\rangle|0\rangle) = \frac{1}{\sqrt{2}}(|a\rangle|a\rangle + |b\rangle|b\rangle). \tag{13}$$

However, on the other hand, the cloning operator U should clone $|c\rangle$ as:

$$U|c\rangle|0\rangle = |c\rangle|c\rangle = \frac{1}{2}(|a\rangle|a\rangle + |a\rangle|b\rangle + |b\rangle|a\rangle + |b\rangle|b\rangle), \tag{14}$$

which is different from (13). This means that it is impossible to (perfectly) clone an unknown quantum state like $|c\rangle$.

The impossibility of cloning quantum information can limit long-range quantum communications due to decoherence of quantum signals. However, intermediary teleporting stations can overcome this obstruction. Moreover, the no-cloning quantum theorem has a positive side: the detection of eavesdroppers and the establishment of reliable quantum communications.

6 Quantum cryptography

Fig. 9, borrowed from Doyle and Hodgson (1994), reproduces the bait that the famous detective Sherlock Holmes puts down for the criminal Abe Slaney, who uses a secret language consisting of dancing figures. The mistake of Abe is to always use the same cryptographic system.

Fig. 9 Come here at once (Sherlock Holmes)
Sherlock Holmes gathers several messages and identifies the letter E (the most common in English writing) and, with his characteristic intuition, the rest.

The basic ingredients to encrypt a secret message M are: a key K (known only by the sender, Alice, and the receiver, Bob) and a cryptographic algorithm E that assigns a cryptogram $C = E_K(M)$ to M through K. The decryption process consists in applying the inverse algorithm $M = E_K^{-1}(C)$. For example, the "one-time pad" algorithm assigns a q-digit cryptogram $C = \{c_1, \dots, c_q\}$ (with $c_j = 0, \dots, 2^5 - 1$ the alphabet symbols) to $M = \{m_1, \dots, m_q\}$ through $K = \{k_1, \dots, k_q\}$ by using the addition $c_j = m_j \oplus k_j \bmod 32$. For example:

$$
\begin{aligned}
M &= \{\mathrm{s\ e\ c\ r\ e\ t}\} = \{18\ 04\ 02\ 17\ 04\ 19\}, \\
K &= \{29\ 17\ 31\ 25\ 04\ 14\}, \\
C &= \{15\ 20\ 01\ 11\ 08\ 02\} = \{\mathrm{p\ u\ b\ l\ i\ c}\}.
\end{aligned}
\tag{15}
$$

The reliability of this simple cryptographic system is guaranteed as long as the key K is randomly generated and not used more than once (actually, this was Abe's mistake...). The problem then arises when Alice and Bob, who are far apart, run out of keys. How to generate new keys overcoming the presence of eavesdroppers?

6.1 Secure quantum private key distribution

6.1.1 Secure key distribution using entanglement

One possibility is to use entangled pairs (Ekert 1991). Both Alice and Bob can choose the direction of their magnetic fields H, ↑ or →, at pleasure. After measuring n pairs, they broadcast the direction choice of H each time, but not the answer, which can be: 1 = ↑ or 0 = ↓. On average, they should coincide n/2 times in the direction choice, for which the answers are perfectly (anti-)correlated $(R_A, R_B) = (1,0)$ : 0 or $(R_A, R_B) = (0,1)$ : 1. Then Alice and Bob keep only these approximately n/2 (anti-)correlated answers $(R_A, R_B) = 0, 1$ and construct the key K = 00101...
One can prove that $(R_A, R_B)$ are indeed anticorrelated if and only if no eavesdropper has been tapping the quantum channel, which can be verified by sacrificing a small part of the key, for high values of $n$ (see Preskill (1998) for a simple proof). The reliability of this key distribution algorithm lies in the fact that the observation made by eavesdroppers destroys the quantum entanglement.

6.1.2 Secure key distribution using polarized photons

Another possibility is to use polarized photons, according to the key distribution protocol devised by Bennett and Brassard (1984). Two Pockels cells rotate the polarization plane of the photon by 0, $\pi/4$, $\pi/2$ and $3\pi/4$ depending on whether they are on or off. Alice encodes $n$ bits as polarized photons, choosing at will the directions ↑ and ↗ (0 and $\pi/4$ radians) to encode 0 and the directions → and ↘ ($\pi/2$ and $3\pi/4$ radians) to encode 1, and sends them to Bob. Bob uses a beam splitter (calcite crystal) to decode the $n$ polarized photons. He randomly places the beam splitter in the rectilinear (+) or diagonal (×) position; that is, he uses a rectilinear basis $\{|↕\rangle, |↔\rangle\}$ or a diagonal basis

$$|⤢\rangle = \frac{1}{\sqrt{2}}\left(|↕\rangle + |↔\rangle\right), \qquad |⤡\rangle = \frac{1}{\sqrt{2}}\left(|↕\rangle - |↔\rangle\right)$$

at will. Next, Bob broadcasts the sequence of bases, (+) or (×), he used to measure the photons (see the central line in the simulation of Table 1). Alice broadcasts which of Bob's bases were the same ones she used. Alice and Bob discard the measurements for which Bob used a different basis than Alice and keep the rest as the key (namely, 11101 in Table 1). They should agree on the value of these approximately $n/2$ bits if no eavesdropping takes place (i.e. Bob guesses the correct basis 50% of the time on average). The information made public by Alice and Bob does not give the actual value of the key to any eavesdropper (let us call her Eve) because Alice's polarizations were chosen randomly.
Actually, if Bob guessed + as the correct polarization, Eve does not know whether Alice sent a → (1) or a ↑ (0) polarized photon. Imagine now that Eve intercepts the photons that Alice sent to Bob and tries to decode them, sending them later to Bob using whatever orientation she had picked. Eve will guess the correct basis 50% of the time on average, just as Bob does. But when Eve measures a photon like (10), she collapses it to one of the vectors of the basis she uses for the measurement. Thus, when Bob decodes the photons unaware of Eve's presence, he will get a wrong result in about half of the cases where he and Alice would expect an agreement (namely, the bit marked as 0* in Table 2), that is, in some of those cases where they both have chosen the same basis and different from Eve's. Since Alice and Bob choose the same basis half of the time, Eve's measurement adds an error rate of 25%. Alice and Bob can always compare a subset of those bits to test for the presence of eavesdropping. It can be proved that, for $m$ bits tested, the probability $P$ of detecting eavesdroppers goes like $P(m) = 1 - (3/4)^m$, which is high enough even for low values of $m$. Once Alice and Bob see that the channel is highly secure, they use the rest of the bits to generate the key; otherwise they abandon communication and try again later.

Table 1 Simulation of quantum key distribution in the absence of eavesdropping

Alice encodes bits                1   1   1   1   1   0   0   1   0   1
as polarized photons              ↘   →   ↘   ↘   ↘   ↗   ↗   →   ↑   ↘
Bob uses the basis                +   +   ×   +   ×   ×   +   ×   ×   ×
and gets the result               ↑   →   ↘   →   ↘   ↗   ↑   ↗   ↗   ↘
Key                                   1   1       1   0               1

Table 2 Simulation of quantum key distribution in the presence of eavesdropping

Alice sends polarized photons     ↘   →   ↘   ↘   ↘   ↗   ↗   →   ↑   ↘
Eve intercepts, uses the basis    ×   +   +   +   ×   +   +   ×   ×   ×
and gets the result               ↘   →   ↑   →   ↘   →   →   ↗   ↘   ↘
Bob uses the basis                +   +   ×   +   ×   ×   +   ×   ×   ×
and gets the result               ↑   →   ↗   →   ↘   ↗   →   ↗   ↘   ↘
Key                                   1   0*      1   0               1
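The intercept-and-resend scenario of Tables 1 and 2 can be reproduced with a classical simulation. The following Python code is an added example, not code from the paper or from Williams and Clearwater; it assumes each photon can be modelled as a (bit, basis) pair whose measurement in the other basis gives a random bit, and all function names are illustrative.

```python
import random

BASES = ("+", "x")  # rectilinear and diagonal analyser positions

def measure(photon, basis, rng):
    """Measure a (bit, basis) photon: the preparation basis returns the
    encoded bit, the other basis collapses it to a random outcome."""
    bit, prepared_in = photon
    return bit if basis == prepared_in else rng.randint(0, 1)

def bb84(n, eve=False, seed=0):
    """Send n photons; return Alice's and Bob's sifted keys (same-basis bits)."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n):
        bit, a_basis = rng.randint(0, 1), rng.choice(BASES)
        photon = (bit, a_basis)
        if eve:  # intercept-resend: Eve measures, then re-sends in her own basis
            e_basis = rng.choice(BASES)
            photon = (measure(photon, e_basis, rng), e_basis)
        b_basis = rng.choice(BASES)
        result = measure(photon, b_basis, rng)
        if b_basis == a_basis:  # kept after the public comparison of bases
            alice_key.append(bit)
            bob_key.append(result)
    return alice_key, bob_key

def error_rate(alice_key, bob_key):
    """Fraction of sifted bits on which Alice and Bob disagree."""
    return sum(a != b for a, b in zip(alice_key, bob_key)) / len(alice_key)

def detection_probability(m):
    """P(m) = 1 - (3/4)^m, the formula quoted in the text."""
    return 1 - 0.75 ** m

def eve_detected(alice_key, bob_key, m):
    """Compare (and sacrifice) the first m sifted bits; a mismatch exposes Eve."""
    return alice_key[:m] != bob_key[:m]

def empirical_detection(m, trials=2000):
    """Fraction of independent eavesdropped runs in which the m-bit test fires."""
    hits = 0
    for seed in range(trials):
        a, b = bb84(8 * m, eve=True, seed=seed)
        hits += eve_detected(a, b, m)
    return hits / trials

if __name__ == "__main__":
    for eve in (False, True):
        a, b = bb84(20000, eve=eve, seed=1)
        print(f"eve={eve}: sifted={len(a)} error rate={error_rate(a, b):.3f}")
    print("P(5) predicted", round(detection_probability(5), 3),
          "simulated", empirical_detection(5))
```

Without Eve the sifted keys agree exactly; with Eve the disagreement settles near 25%, and the simulated detection frequency for a 5-bit test tracks $1 - (3/4)^5$.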
The interested reader can consult Williams and Clearwater (1997) for more information, which comes with simulations using the Mathematica package.

Summarizing: unlike classical communications, quantum communications detect the presence of eavesdroppers. Actually, there are prototypes tens of kilometers long.

6.2 Quantum cracking of public key cryptographic systems

Nowadays, the reliability of the RSA (Rivest, Shamir and Adleman) public key cryptographic system is based on the difficulty of integer factoring on classical computers. The protocol is the following.

6.2.1 Encryption

Alice broadcasts her key, consisting of two big integers $(k, N)$, with $N = pq$ the product of two big prime numbers $p$ and $q$ known only to her. Anyone wanting to send her a message $M$ (when properly digitized) can encrypt it by computing $C = M^k \pmod N$. Let us assume that $M < N$ and g.c.d.$(M, N) = 1$ (i.e., $M$ and $N$ are co-primes). This is highly probable since the Euler function of $N$, which gives the number of co-primes with $N$, is $\varphi(N) = (p-1)(q-1) = N - p - q + 1 \sim N$. The value of $\varphi(N)$ is known only by Alice since $p$ and $q$ are secret. The Euler–Fermat theorem states that $M^{\varphi(N)} = 1 \pmod N$. Let us assume that g.c.d.$(k, \varphi(N)) = 1$; then $\exists\, t$ such that $kt = 1 \pmod{\varphi(N)}$, i.e., $kt = 1 + n\varphi(N)$ for some $n \in \mathbb{Z}$. Thus, $t(k, \varphi(N))$ is the inverse of $k \pmod{\varphi(N)}$. The inverse $t$ of $k$ could be efficiently calculated by the Euclid algorithm if someone, other than Alice, knew $\varphi(N)$.

6.2.2 Decryption

In order to decrypt the message, Alice uses the formula $M = C^t \pmod N$. Indeed, using the Euler–Fermat theorem at an intermediate step, we have

$$C^t \pmod N = M^{kt} \pmod N = M^{1+n\varphi(N)} \pmod N = M\,M^{n\varphi(N)} \pmod N = M \pmod N = M. \tag{16}$$

Any eavesdropper who wants to decrypt the message first has to factorize $N = pq$. To get an idea of the difficulty of this operation, for $N \sim 10^{50}$ and with a rough algorithm, we should make of the order of $\sqrt{N} \simeq 10^{25}$ divisions.
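The protocol of Sects. 6.2.1 and 6.2.2, together with the eavesdropper's rough factoring route, as an added Python example (not code from the paper). The key values p = 61, q = 53, k = 17 and the message M = 65 are constructed toy numbers, and the function names are illustrative.

```python
from math import gcd, isqrt

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def private_exponent(k, phi):
    """Return t with k*t = 1 (mod phi); requires gcd(k, phi) = 1."""
    g, x, _ = egcd(k, phi)
    if g != 1:
        raise ValueError("k is not co-prime with phi(N)")
    return x % phi

def encrypt(M, k, N):
    """C = M^k (mod N), under the text's assumptions M < N, gcd(M, N) = 1."""
    if not 0 < M < N or gcd(M, N) != 1:
        raise ValueError("need M < N and gcd(M, N) = 1")
    return pow(M, k, N)

def decrypt(C, t, N):
    """M = C^t (mod N)."""
    return pow(C, t, N)

def trial_division(N):
    """The rough algorithm: divide by 2, 3, ... up to sqrt(N).
    Returns (p, q, number of divisions performed)."""
    for d in range(2, isqrt(N) + 1):
        if N % d == 0:
            return d, N // d, d - 1
    raise ValueError("N has no non-trivial factor")

def eavesdrop(C, k, N):
    """Eve's route: factor N, rebuild phi(N) and t, then decrypt as Alice does."""
    p, q, divisions = trial_division(N)
    t = private_exponent(k, (p - 1) * (q - 1))
    return decrypt(C, t, N), divisions

if __name__ == "__main__":
    # Constructed toy key, far too small for real use.
    p, q, k, M = 61, 53, 17, 65
    N, phi = p * q, (p - 1) * (q - 1)
    t = private_exponent(k, phi)
    C = encrypt(M, k, N)
    print("N, t, C:", N, t, C, "Alice recovers", decrypt(C, t, N))
    print("Eve recovers (M, divisions):", eavesdrop(C, k, N))
    # Constructed larger modulus: the division count grows like sqrt(N).
    print("divisions for N = 10007 * 10009:", trial_division(10007 * 10009)[2])
```

Everything Eve needs beyond the public pair $(k, N)$ follows from the factors, so the protection rests entirely on the number of divisions growing like $\sqrt{N}$.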
A quite good classical computer capable of performing $10^{10}$ divisions per second would take $10^{15}$ seconds to find $p$ and $q$. Knowing that the universe is about $3.8 \times 10^{17}$ s old, this discourages any eavesdropper. Actually, there are more efficient algorithms that reduce the computational time, although it still grows exponentially with the input size.

6.2.3 Shor's quantum factoring algorithm

Shor (1994) designed an algorithm, to be run on a quantum computer, that factors in polynomial time $t \sim (\log N)^n$, making factoring a tractable problem in the quantum arena and threatening the security of most business transactions. The efficiency of the algorithm lies in the quantum mechanical resources: entanglement and parallelism. Essentially, the factoring problem of $N$ reduces to finding the period $r$ of the function $F_N(x) = a^x \pmod N$, where $a$ must be co-prime with $N$. Indeed, if we know $r$ for some $a$ and we assume that $r$ is even and $a^{r/2} \neq -1 \pmod N$ (which turns out to be highly probable), then

$$F_N(x + r) = F_N(x) \Rightarrow a^r \pmod N = 1 \pmod N \Rightarrow (a^r - 1) = 0 \pmod N \Rightarrow (a^{r/2} - 1)(a^{r/2} + 1) = 0 \pmod N. \tag{17}$$

Thus, $p$ and $q$ are found among g.c.d.$(a^{r/2} - 1, N)$ and g.c.d.$(a^{r/2} + 1, N)$, which can be efficiently computed using the Euclid algorithm (see e.g. Hirvensalo 2001 for technical details). In short, knowing $r$ is equivalent to knowing $p$ and $q$.

Quantum computation of periods turns out to be a tractable (polynomial) problem. Without entering into details, applying the unitary transformation $U_F$ that implements the exponential function $F_N$ (remember the case (8)) to a superposition of $\omega \gg r$ numbers $x$ in the first register and storing the values $F_N(x)$ in the second register, as

$$\sum_{x=0}^{\omega-1} |x\rangle|0\rangle \xrightarrow{U_F} \sum_{x=0}^{\omega-1} |x\rangle|F_N(x)\rangle, \tag{18}$$

we entangle both registers. Then measuring the second register,

$$\sum_{x=0}^{\omega-1} |x\rangle|F_N(x)\rangle \xrightarrow{F_N(x)=u} \sum_{j=0}^{j \simeq \omega/r - 1} |x_u + jr\rangle|u\rangle, \tag{19}$$

we leave the first register in a superposition of $z \approx \omega/r$ numbers that differ from each other in multiples $jr$ of the period $r$, which can be obtained by a quantum Fourier transform (see e.g. Hirvensalo 2001; Preskill 1998 for more details). It is the entanglement between $|x\rangle$ and $|F_N(x)\rangle$ which makes possible the “massive scanning” of the function $F_N$.

As with the RSA protocol, the reliability of the U.S. Digital Signature Algorithm also lies in the fact that, like factoring, the computation of the discrete logarithm is an intractable problem on classical computers. Both RSA and the U.S. Digital Signature Algorithm are just particular instances of the so-called Hidden Subgroup Problem (see e.g. Calixto 2004 for an overview). This problem encompasses all known “exponentially fast” applications of the quantum Fourier transform.

7 Grover's quantum searching algorithm

Whereas classical searching algorithms need of the order of $P/2$ trials to find an item $\tilde{x}$ in an unstructured list of $P$ items, Grover (1997) designed a quantum algorithm that brings the number of trials down to about $\sqrt{P}$ iterations (with success probability of $\sim (P-1)/P$) on the quantum superposition

$$|\psi(\theta_0)\rangle = H^{\otimes N}|0\rangle^{\otimes N} = \frac{1}{\sqrt{2^N}} \sum_{x=0}^{2^N-1} |x\rangle = \sin(\theta_0)|\tilde{x}\rangle + \frac{\cos(\theta_0)}{\sqrt{2^N - 1}} \sum_{x \neq \tilde{x}} |x\rangle \tag{20}$$

of all items (parallel searching), where $\sin(\theta_0) = \frac{1}{\sqrt{2^N}}$ and we are taking $P = 2^N$ without loss of generality. Without entering into detail, the searching process consists of enhancing the probability amplitude of $|\tilde{x}\rangle$ and dimming the rest in the superposition (20) through consecutive unitary operations $G$, made of “inversions and diffusions” (see e.g. Nielsen and Chuang (2000) for more information), that transform $|\psi(\theta_0)\rangle \xrightarrow{G} |\psi(\theta_1)\rangle \xrightarrow{G} |\psi(\theta_2)\rangle \dots$ The result is a subtle interference effect that determines $\tilde{x}$ as $|\psi(\theta_t)\rangle$, for $\theta_t \approx \pi/2$, in about $t \approx (\pi/4)\sqrt{P}$ iterations.
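The amplitude enhancement described above can be followed on a classical state vector. This Python code is an added example, not code from the paper; it assumes G is the sign flip of the searched amplitude followed by an inversion about the average, and it compares the result with the standard closed form $\sin^2((2t+1)\theta_0)$, which the text does not state. Function names and the chosen item positions are illustrative.

```python
import math

def grover_iteration(amps, marked):
    """One G: invert the marked amplitude about zero, then invert every
    amplitude about the average."""
    flipped = list(amps)
    flipped[marked] = -flipped[marked]
    mean = sum(flipped) / len(flipped)
    return [2 * mean - a for a in flipped]

def optimal_iterations(P):
    """t ~ (pi/4) sqrt(P), rounded down (at least one iteration)."""
    return max(1, math.floor(math.pi / 4 * math.sqrt(P)))

def success_probabilities(P, marked, iterations):
    """Probability of measuring the marked item after 0..iterations steps."""
    amps = [1 / math.sqrt(P)] * P          # equal superposition (20)
    probs = [amps[marked] ** 2]
    for _ in range(iterations):
        amps = grover_iteration(amps, marked)
        probs.append(amps[marked] ** 2)
    return probs

def predicted_probability(P, t):
    """Closed form sin^2((2t+1) theta_0) with sin(theta_0) = 1/sqrt(P)."""
    theta0 = math.asin(1 / math.sqrt(P))
    return math.sin((2 * t + 1) * theta0) ** 2

if __name__ == "__main__":
    # Four items, searching the third one: certainty after one step,
    # and a drop back to 1/4 if the iteration is applied once too often.
    print("P=4:", [round(p, 3) for p in success_probabilities(4, 2, 3)])
    for P in (16, 1024):
        t = optimal_iterations(P)
        p = success_probabilities(P, 5, t)[-1]
        print(f"P={P}: {t} iterations, success {p:.5f}, classical ~{P // 2} trials")
```

The success probability oscillates with the number of iterations, so stopping at about $(\pi/4)\sqrt{P}$ steps matters as much as reaching it.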
For $P = 4$ (two qubits) the situation is even more surprising: we just need a single trial to turn $|\psi(\theta_0)\rangle$ into $|\tilde{x}\rangle$! Figure 10 gives a geometrical interpretation of this case. The Grover iteration consists here of an inversion of $|10\rangle$ around zero, followed by another inversion around the amplitude average

$$\frac{1}{4} = \frac{1}{4}\left(3 \cdot \frac{1}{2} - \frac{1}{2}\right).$$

8 Prospects

Since Deutsch (1985) proposed the first quantum algorithm, many other algorithms have arisen, although most of them use the same principle as Shor and Grover. This copious production of “quantum software” contrasts with the enormous technological difficulty in the design of “quantum hardware” to run quantum algorithms efficiently and error free. Now we can hope to manipulate small quantities of quantum information (tens of qubits) using techniques borrowed from Magnetic Resonance, Ion traps, etc. Maybe these “toy quantum computers” cannot do sensible computation yet, although they could be interesting to simulate other quantum systems (as Feynman pointed out some time ago (Feynman 1982)), something that is computationally hard to do on a classical computer. Before building a real-world, commercial quantum computer with, for example, a few million qubits, we should be able to develop efficient “vaccines” against decoherence (degradation of quantum information in noisy environments). We have not talked about interesting subjects like quantum error correction and fault-tolerant quantum computation (see e.g. Preskill 1998). Alternative strategies, like topological quantum computation (based, for example, on the fractional quantum Hall effect), do not try to make the system noiseless but, instead, make it deaf, that is, immune to the usual sources of quantum decoherence. These are interesting subjects but we have no room to develop them here.

For pessimistic people, let me remind them of a discussion in the March 1949 edition of the journal “Popular Mechanics” that said something like: “...
whereas ENIAC (Electronic Numerical Integrator and Calculator) is equipped with 18,000 vacuum valves and weighs 30 tons, computers in the future will have just 1000 vacuum valves and weigh 1.5 tons...” Incredible laptop!

Fig. 10 Enhancement of the probability of finding the third item $|10\rangle$ after a Grover iteration on a quantum equal superposition of four items

Acknowledgements Work partially supported by the Spanish MCYT and Fundación Séneca under projects FIS2005-05736-C03-01 and 03100/PI/05.

References

Aspect A, Grangier P, Roger G (1981) Experimental tests of realistic local theories via Bell's theorem. Phys Rev Lett 47:460–463
Bell JS (1966) On the problem of hidden variables in quantum mechanics. Rev Mod Phys 38:447–452
Bennett CH, Brassard G (1984) Quantum cryptography: public-key distribution and coin tossing. In: Proceedings IEEE international conference on computers, systems and signal processing, Bangalore, India, (IEEE, New York), pp 175–179
Bennett CH, Brassard G, Crepeau C, Jozsa R, Peres A, Wootters WK (1993) Teleporting an unknown quantum state via dual classical and EPR channels. Phys Rev Lett 70:1895–1899
Bouwmeester D, Pan JW, Mattle K, Eibl M, Weinfurter H, Zeilinger A (1997) Experimental quantum teleportation. Nature 390:575–579
Calixto M (2004) On the hidden subgroup problem and efficient quantum algorithms. In: Alvarez-Estrada RF, Dobado A, Fernández LA, Martín-Delgado MA, Munoz Sudupe A (eds) Fundamental physics workshop in honor to A. Galindo, Aula Documental de Investigación, Madrid
Cirac JI, Zoller P (1995) Quantum computation with cold trapped ions. Phys Rev Lett 74:4091–4094
Deutsch D (1985) Quantum theory, the Church-Turing hypothesis and universal quantum computers. Proc Roy Soc Lond A400:97–116
Doyle AC, Hodgson JA (1994) Sherlock Holmes. Basingstoke, Macmillan
Einstein A, Podolsky B, Rosen N (1935) Can quantum-mechanical description of physical reality be considered complete?
Phys Rev 47:777–780
Ekert A (1991) Quantum cryptography based on Bell's theorem. Phys Rev Lett 67:661–663
Feynman RP (1982) Simulating physics with computers. Int J Theor Phys 21:467–488
Grover LK (1997) Quantum mechanics helps in searching for needle in a haystack. Phys Rev Lett 79:325–328
Hirvensalo M (2001) Quantum computing, natural computing series. Springer-Verlag, New York
Menezes A, van Oorschot P, Vanstone S (1997) Handbook of applied cryptography. CRC Press, Boca Raton
Nielsen MA, Chuang IL (2000) Quantum computation and quantum information. Cambridge University Press, Cambridge
Preskill J (1998) Quantum computation. Lecture notes for physics 229
Schumacher B (1995) Quantum coding. Phys Rev A51:2738; Schumacher B, Nielsen MA (1996) Quantum data processing and error correction. Phys Rev A54:2629
Scientific American, special edition Solid state century (December 1997)
Shor PW (1994) Algorithms for quantum computation: discrete logarithms and factoring, 35th Annual Symposium of Foundations of Computer Science, pp 124–134
Williams CP, Clearwater SH (1997) Explorations in quantum computing. Springer-Verlag, New York