Nat Comput (2009) 8:663–679
DOI 10.1007/s11047-008-9094-8
Quantum computation and cryptography: an overview
Manuel Calixto
Published online: 15 August 2008
© Springer Science+Business Media B.V. 2008
Abstract The new Quantum Information Theory augurs powerful machines that obey the "entangled" logic of the subatomic world. Parallelism, entanglement, teleportation, no-cloning and quantum cryptography are typical peculiarities of this novel way of understanding computation. In this article, we highlight and explain these fundamental ingredients that make Quantum Computing potentially powerful and Quantum Communications reliable.
Keywords Quantum computing · Logic gates · Algorithms · Cryptography · Entanglement · Parallelism · Teleportation
1 Introduction
Quantum Computing combines two of the main scientific achievements of the 20th century: Information Theory and Quantum Mechanics. Its interdisciplinary character is one of
the most stimulating and appealing attributes.
The big success of Computer Science and Artificial Intelligence is linked to the vertiginous technological progress of the last decades. Essentially, computer power has doubled every 2 years since 1970, according to Moore's law (Scientific American 1997). Extrapolating naively to the near future, this steady exponential growth in the miniaturization of the elementary component (the transistor) would reach the atomic scale by the year 2017. By then, one bit of information could be stored in just one atom. However, we should also start worrying about new and surprising quantum-mechanical effects that arise at atomic scales. Some of them could have a disruptive effect, like the tunnel effect, that puts paid to standard computation. However, instead of fighting against quantum effects, we would be better off allying ourselves with them and thinking of proper alternative architectures adapted to the nanometric scales: the would-be "quantum computer".
M. Calixto (&)
Departamento de Matemática Aplicada y Estadı́stica, Universidad Politécnica de Cartagena,
Paseo Alfonso XIII 56, 30203 Cartagena, Spain
Quantum Physics entails a way of processing information which is different from the
traditional, classical, methods. The processing of the information carried by the wave
function of a quantum physical system is the task of the new Quantum Information Theory
(Schumacher 1995), a perfect marriage between Information Theory and Quantum
Mechanics, comparable to the symbiosis between Physics and Geometry that leads to
General Relativity. In practical terms, the quantum manipulation of information offers real applications, especially the reliable transmission of information (Quantum Cryptography), and potential applications, like the design of exponentially fast quantum algorithms (see e.g. Calixto 2004 for an overview) that could threaten the privacy of most current business transactions. In fact, the most spectacular discovery in Quantum Computing to
date is that quantum computers could efficiently perform some tasks (by efficient we mean
that its running time is a polynomial function in the input size) which are not feasible (i.e.
‘‘super-polynomial’’) on a classical computer. For example, there are cryptographic systems, such as the ‘‘public key RSA’’ (Menezes et al. 1997), whose reliability is based on
the assumption that there are no polynomial time (classical) algorithms for integer factoring. However, Shor (1994) created an algorithm, to be run on a quantum computer, that
factorizes integers in polynomial time. Also, there are efficient quantum algorithms for
searching (Grover 1997).
The advantages of Quantum Computing over the classical one rely on two quantum-mechanical properties par excellence, viz: superposition (interference or parallelism) and entanglement. Quantum superposition allows the possibility of performing simultaneous mathematical operations (equivalent to many classical computers working in parallel); whereas entanglement provides greater quantum correlations in answers than any classical correlation we can imagine.
Unfortunately, the more power we gain, the less stability we get. A quantum computer turns out to be extremely vulnerable, fragile, sensitive to any kind of background noise. Keeping the coherence of several atoms is extremely difficult with current technology. Another drawback is that we cannot amplify a quantum signal, due to the so-called "no-cloning quantum theorem" (there are no perfect quantum copy machines...), thus limiting long-range quantum communications to tens of kilometers; nevertheless, we have quantum teleportation instead (see later). Actually, the impossibility of cloning quantum states has a positive side: the detection of eavesdroppers and the establishment of secure (quantum) communications. Moreover, a certain fault tolerance and quantum error correcting algorithms, together with a big effort in (nano)technology improvement, could make quantum computing feasible in the near future.
For the time being, it is worth analysing the meaning of Quantum Information and the abstract processing of it, disregarding the possible physical support or hardware (namely, ion trap, nuclear magnetic resonance, laser, etc.) that could efficiently realize our hypothetical computer in the future.
2 Classic versus quantum: bit versus qubit
The digital processing of information out of the brain goes through the conversion of messages and signals into sequences of binary digits. A classical device with two stable positions (like a wire carrying or not carrying electric current) can store one bit of information. Loosely speaking, the manipulation and processing of information comes down to swapping 0s and 1s around through logic gates (viz, NOT, AND, OR). The basic electronic component par excellence is the transistor. It changes the state a → a′ of electric current from a = 0 to a′ = 1 and vice versa. Arranging transistors in different geometries (like in Fig. 1) we get distinct logic gates. Then, assembling logic gates we can implement binary addition, multiplication and so on.
Note that, except for NOT, classical logic gates like NAND in Fig. 1 are irreversible; that
is, knowing the result c = a + b, we cannot guess a and b. This loss of information leads
to the well known heat dissipation of classical computers (see Fig. 2). Actually, we could
make classical computation reversible by replacing traditional logic gates by the new ones:
NOT, CNOT and CCNOT, in Fig. 3, the price being perhaps a waste of memory.
In fact, Quantum Computation must be intrinsically reversible, since it is based on a unitary time evolution of the wave function $|\psi\rangle$ (probability must be conserved), dictated by the Schrödinger equation

$$i\hbar\,\frac{\partial|\psi\rangle}{\partial t} = H|\psi\rangle, \qquad (1)$$

where H denotes the Hamiltonian (a Hermitian operator).
In order to introduce the concept of qubit, let me use the following classical analogy. Suppose we drop the electric current in a wire to the limit of not being able to distinguish between zero (0) and positive (1) voltage. We could say then that the "state of electric current flow" of the wire is a statistical mixture $(\psi) = p_0(0) + p_1(1)$ of both possibilities, with probabilities $p_0$ and $p_1$. However, we would not gain anything new but just introduce errors and uncertainty. Quantum Computing would not have any appeal if it wasn't that the quantum state described by the wave function (in Dirac's bracket notation)

$$|\psi\rangle = c_0|0\rangle + c_1|1\rangle \qquad (2)$$

($c_0$ and $c_1$ are complex numbers fulfilling $|c_0|^2 + |c_1|^2 = 1$) is not only a statistical mixture with probabilities $p_0 = |c_0|^2$ and $p_1 = |c_1|^2$ but, in addition, it incorporates two important new ingredients: interference, or "parallelism", and entanglement, or "quantum correlations" (for the last one we actually need two or more qubits, like in the state $|\psi\rangle = |0\rangle|0\rangle + |1\rangle|1\rangle$). The above classical analogy makes sense in that the description of physical phenomena starts needing the Quantum Theory as the energy (or action) gap between states (levels, possibilities, etc.) becomes smaller and smaller. This happens with more probability in the subatomic world than in the macroscopic world. All the quantum alternatives $\psi_j \sim e^{\frac{i}{\hbar}S_j}$, whose action gap $\Delta S = S_j - S_k$ is of the order of the Planck constant $\hbar$, coexist in some sort of quantum superposition with complex weights, like (2). These quantum alternatives are indistinguishable for a (classical) observer, who does not have access to that particular quantum superposition. In order to observe/measure the actual state, he has to "amplify" the action/energy differences $\Delta S$ up to the classical level, that is, up to the limit of being distinguishable by him. In this "amplification" or "measurement" process, the quantum superposition (2) is "destroyed" and only one of the alternatives (e.g., $|0\rangle$ or $|1\rangle$) survives the experience. This is the (standard but not free of controversy) so-called wave-function collapse (or measurement process), which raised and keeps raising so many philosophical and interpretation problems in Quantum Mechanics.

Fig. 1 Schematic representation of the logic gates NOT, NAND, NOR as the action of transistors on the electric current. Ω denotes a resistor and V voltage

Fig. 2 Mechanical analogy of heat dissipation ($\Delta Q = kT \ln 2$) when restricting the possible values of one bit (namely, "particle on the right- (0) or the left-hand side (1) of the box") to, let us say, (1) with the help of a piston

Fig. 3 Truth tables of the reversible primitive gates: NOT, CNOT and CCNOT or Toffoli gates
The coexistence of quantum alternatives gives rise to interference effects that defy common sense, like the well-known Young's double-slit experiment (see Fig. 4), which highlights the particle–wave duality of the electron. The interference between the two possible paths (let us say, 0 and 1) that can be followed by electrons emanating from the gun F and crossing two slits, R0 and R1, gives rise to a resulting intensity (quantum pattern) $I \propto |c_0 + c_1|^2$ at each point of the screen P, which is different from the sum $I' \propto |c_0|^2 + |c_1|^2$ of the intensities through each of the slits (classical pattern). Loosely speaking, there are some "forbidden" (resp. "allowed") areas in the screen P where the electron "refuses" (resp. "tends") to hit when both paths, 0 and 1, are open. In fact, when we amplify the differences between the two alternative paths (that is, when we try to measure which particular path the electron follows), only one option survives (the electron follows a certain path when we observe it) and the quantum interference pattern is destroyed (the wave nature of the electron disappears and its particle nature emerges).

Fig. 4 Young's double slit interference experiment (electron gun F, slits R0 and R1, screen P; classical pattern I′ and quantum pattern I)
Thus, the wave function (2) carries an information different from the classic one, which
we agree to call qubit (quantum bit). Physical devices that store one qubit of information
are two-level quantum systems like: spin 1/2 particles and atoms (electrons, silver atoms,
etc.), polarized light (photons), energy levels of some ions, etc. For example, it is possible
to prepare a quantum state like (2) striking a laser beam of proper frequency and duration
on some ions.
3 Quantum logic gates and circuits
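In order to introduce the concept of quantum logic gates, let us use vector notation and denote

$$|0\rangle \equiv \begin{pmatrix} 1 \\ 0 \end{pmatrix}, \quad |1\rangle \equiv \begin{pmatrix} 0 \\ 1 \end{pmatrix}. \qquad (3)$$

We can express the only two, single-bit, classical reversible logic gates (the identity $I_2$ and NOT) as 2 × 2 matrices:

$$I_2 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \quad \mathrm{NOT} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}. \qquad (4)$$

For two bits we use tensor product notation and write the computational basis as:

$$\begin{aligned}
|0\rangle \equiv |0\rangle|0\rangle &= \begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 1 \\ 0 \\ 0 \\ 0 \end{pmatrix}, &
|1\rangle \equiv |0\rangle|1\rangle &= \begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} 0 \\ 1 \\ 0 \\ 0 \end{pmatrix}, \\
|2\rangle \equiv |1\rangle|0\rangle &= \begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \end{pmatrix}, &
|3\rangle \equiv |1\rangle|1\rangle &= \begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 1 \end{pmatrix}.
\end{aligned} \qquad (5)$$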
There are 24, 2-bit, classical reversible logic gates which, in matrix notation, correspond to the 4! possible permutations of the columns of the 4 × 4 identity matrix $I_4 = \mathrm{diag}(1, 1, 1, 1)$. For example, the matrix of the CNOT gate in Fig. 3 is:

$$\mathrm{CNOT} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix}.$$

The CCNOT (or Toffoli) gate is one of the 8! = 40,320, 3-bit, classical reversible logic gates, represented by permutations of the 8 × 8 identity matrix.
It can be proved that the primitive set NOT, CNOT, CCNOT is universal for classical reversible computation. For example, a simple 1-bit reversible adder can be built by concatenating the CCNOT and CNOT gates as in Fig. 5.
All these classical reversible logic gates are particular cases of unitary matrices (the inverse $U^{-1}$ coincides with the transpose conjugated $U^{*}$). They preserve the norm

$$\langle\psi|\psi\rangle = \sum_{n=0}^{2^N-1} |c_n|^2$$

of any N-qubit vector

$$|\psi\rangle = \sum_{n=0}^{2^N-1} c_n |n\rangle.$$
Of course there are infinitely many more unitary matrices than the classical reversible logic gates. For example, a unitary single-qubit gate that plays a fundamental role in quantum computing is the Walsh–Hadamard gate:

$$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}, \quad \begin{cases} H|0\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle), \\ H|1\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle), \end{cases} \qquad (6)$$

which creates quantum superposition from the (classical) computational basis (3). In the case of N = 2 qubits initially prepared as $|0\rangle$, the parallel action of two Hadamard gates gives a register in an equal quantum superposition of all the $2^2 = 4$ computational basis states (5). More explicitly:

$$\begin{aligned}
H^{\otimes 2}|0\rangle|0\rangle \equiv H|0\rangle H|0\rangle &= \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) \\
&= \frac{1}{2}(|00\rangle + |01\rangle + |10\rangle + |11\rangle) = \frac{1}{2}(|0\rangle + |1\rangle + |2\rangle + |3\rangle).
\end{aligned} \qquad (7)$$

In general, if we apply N Hadamard gates in parallel on N qubits initially prepared as $|0\rangle$ then we obtain a register in an equal quantum superposition of all numbers from 0 up to $2^N - 1$:

$$H^{\otimes N}|0\rangle^{\otimes N} = \frac{1}{\sqrt{2^N}} \sum_{x=0}^{2^N-1} |x\rangle.$$

Fig. 5 1-Bit reversible adder
There are many other interesting single qubit unitary operations like, for example, the "square root of NOT", phase S and π/8:

$$\sqrt{\mathrm{NOT}} = \frac{1}{2}\begin{pmatrix} 1+i & 1-i \\ 1-i & 1+i \end{pmatrix}, \quad S = \begin{pmatrix} 1 & 0 \\ 0 & i \end{pmatrix}, \quad T = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\pi/4} \end{pmatrix}.$$

It has been proved that assembling (two-qubit) CNOT and arbitrary single-qubit unitary (quantum) gates is enough to design any algorithm (classically, it is the CNOT and CCNOT gates that constitute a universal set). Moreover, the Solovay–Kitaev theorem (see e.g. the appendix of Nielsen and Chuang 2000) states that any single-qubit unitary matrix can be approximated with error $\epsilon$ as a product of $\sim O(\log^2(1/\epsilon))$ quantum logic gates of the set {H, S, T}.
Quantum parallel evaluation of a function f, like modular addition $f_y(x) = x \oplus y$, with an N bit input x and an N bit output $f_y(x)$ can thus be performed in the following manner. Prepare the 2N qubit state $|0\rangle^{\otimes N}|0\rangle^{\otimes N}$, then apply the Hadamard transform to the first N qubits, followed by the quantum circuit implementing the unitary transform $U_{f_y}$ as follows

$$|0\rangle^{\otimes N}|0\rangle^{\otimes N} \xrightarrow{H^{\otimes N}} \sum_{x=0}^{2^N-1} |x\rangle|0\rangle^{\otimes N} \xrightarrow{U_{f_y}} \sum_{x=0}^{2^N-1} |x\rangle|x \oplus y\rangle. \qquad (8)$$

That is, we have simultaneously computed the addition $x \oplus y$ for $2^N$ different values of x, even though we apparently only evaluated $f_y$ once. This would be equivalent to $2^N$, N-bit, classical computers working in parallel. This feature is called quantum parallelism. However, we can only measure or "amplify" one of the $2^N$ answers of the output $\sum_{x=0}^{2^N-1} |x \oplus y\rangle \xrightarrow{\text{measure}} |x_0 \oplus y\rangle$. Thus, Quantum computation requires something more than just quantum parallelism to be powerful; it requires the ability to extract information about more than one value of $f_y(x)$ from the superposition (8). In the next Section we shall see that it is not exactly superposition or parallelism that makes quantum computation powerful, but entanglement.
Before finishing this Section, let me tell you about a physical system that displays a CNOT behaviour. The quantum superposition (7) could be the spin state ($|\downarrow\rangle \equiv |0\rangle$, $|\uparrow\rangle \equiv |1\rangle$) of the carbon and hydrogen nuclei in a chloroform molecule CHCl3. This two-qubit "toy quantum computer" can implement the CNOT (controlled not) gate in Fig. 3, by placing the molecule in an external magnetic field and acting on it with radiowave pulses that flip the spin of the nucleus. Actually, only when the spin of the carbon points in the direction of the external magnetic field (i.e., $|\uparrow\rangle = |1\rangle$), it is possible to flip the spin of the hydrogen. That is, the carbon is the "control" and the hydrogen acts as a XOR gate (see Fig. 3).
In order to process more complex quantum information, it is promising to use linear ion traps (see e.g. Cirac and Zoller 1995), where the coupling between electron and vibrational degrees of freedom allows (in principle) the implementation of operations in a multi-qubit register by absorption and emission of photons and phonons.
4 Entanglement: EPR paradox
There are physical situations in which (quantum) particle pairs (or higher groupings) are created as if the state of one member would "instantaneously" determine or influence the state of the other, though they were hundreds of kilometres apart. It is not exactly like having couples of loaded dice that always offer the same face, but much more "intriguing", as we are going to see. For example, spin positron-electron entangled pairs

$$|EP\rangle = \frac{1}{\sqrt{2}}\left(|\uparrow\rangle_e |\downarrow\rangle_p - |\downarrow\rangle_e |\uparrow\rangle_p\right)$$

are created in the decay of spin zero neutral particles; also pairs of photons with orthogonal polarizations (V means vertical and H horizontal)

$$|VH\rangle = \frac{1}{\sqrt{2}}\left(|\updownarrow\rangle_1 |\leftrightarrow\rangle_2 - |\leftrightarrow\rangle_1 |\updownarrow\rangle_2\right)$$

are created by striking laser pulses on certain non-linear crystals. These are just particular examples (the so-called "singlet states"), but more general situations are also possible.
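Note that these entangled states cannot be written as a tensor product. Indeed, the equation

$$\begin{aligned}
|0\rangle|1\rangle + |1\rangle|0\rangle &= (a|0\rangle + b|1\rangle) \otimes (c|0\rangle + d|1\rangle) \\
&= ac|0\rangle|0\rangle + ad|0\rangle|1\rangle + bc|1\rangle|0\rangle + bd|1\rangle|1\rangle
\end{aligned} \qquad (9)$$

implies that

$$ac = 0 = bd, \qquad ad = 1 = bc,$$

which does not have a solution. Assembling Hadamard H and CNOT gates, as in Fig. 6, we can create entangled states from the computational basis. More explicitly:

$$\mathrm{CNOT}(H|0\rangle|1\rangle) = \mathrm{CNOT}\,\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)|1\rangle = \frac{1}{\sqrt{2}}(|0\rangle|1\rangle + |1\rangle|0\rangle).$$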
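The circuit of Fig. 6 and the factorisation argument of Eq. 9 can be checked numerically. The following is an added example, not code from the paper: it applies the Hadamard and CNOT matrices given above to each basis input and tests separability with the determinant $c_{00}c_{11} - c_{01}c_{10}$, a generalisation of the $ac = 0 = bd$, $ad = 1 = bc$ argument to any two-qubit pure state. The function names are illustrative.

```python
import math

# Added illustration. Two-qubit states are lists of four amplitudes in the
# order |00>, |01>, |10>, |11>, the computational basis of Eq. (5).
S = 1 / math.sqrt(2)
KET0, KET1 = [1, 0], [0, 1]
I2 = [[1, 0], [0, 1]]
H = [[S, S], [S, -S]]                       # Walsh-Hadamard gate, Eq. (6)
CNOT = [[1, 0, 0, 0],
        [0, 1, 0, 0],
        [0, 0, 0, 1],
        [0, 0, 1, 0]]


def kron(a, b):
    """Tensor product of two state vectors."""
    return [x * y for x in a for y in b]


def kron_matrix(a, b):
    """Tensor product of two gates (square matrices)."""
    return [[x * y for x in row_a for y in row_b] for row_a in a for row_b in b]


def apply(gate, state):
    """Act with a gate on a state vector."""
    return [sum(g * s for g, s in zip(row, state)) for row in gate]


def entangle(first, second):
    """Circuit of Fig. 6: Hadamard on the first qubit, then CNOT."""
    state = apply(kron_matrix(H, I2), kron(first, second))
    return apply(CNOT, state)


def product_defect(state):
    """|c00*c11 - c01*c10|: zero exactly when the state factorises.

    Writing the state as (a|0> + b|1>) (x) (c|0> + d|1>) gives
    c00 = ac, c01 = ad, c10 = bc, c11 = bd, so c00*c11 = c01*c10.
    Conversely a vanishing determinant means the 2x2 amplitude matrix has
    rank one, i.e. it is an outer product of two single-qubit vectors.
    """
    c00, c01, c10, c11 = state
    return abs(c00 * c11 - c01 * c10)


def survey():
    """Defect of the circuit output for each basis input, plus H(x)H on |00>."""
    inputs = {"00": (KET0, KET0), "01": (KET0, KET1),
              "10": (KET1, KET0), "11": (KET1, KET1)}
    results = {}
    for name, (q1, q2) in inputs.items():
        results["entangle|" + name + ">"] = product_defect(entangle(q1, q2))
    superposed = apply(kron_matrix(H, H), kron(KET0, KET0))   # Eq. (7)
    results["HxH|00>"] = product_defect(superposed)
    return results


if __name__ == "__main__":
    print(entangle(KET0, KET1))   # amplitudes of (|01> + |10>)/sqrt(2)
    for label, defect in survey().items():
        print(label, round(defect, 12))
```

The superposition of Eq. 7 has zero defect: superposition alone does not imply entanglement, whereas every output of the Hadamard-plus-CNOT circuit has the maximal defect 1/2.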
The mathematical definition of entanglement is clear (at least for pure, not mixed, states): entangled states of N qubits cannot be written as a tensor product of N qubits, as in Eq. 9. In order to better grasp the deep physical meaning of entanglement we propose the following "gedankenexperiment" (imaginary experiment like Aspect et al. 1981) depicted in Fig. 7. In the case of entangled spins like EP, Alice A and Bob B are each equipped with magnetic fields $H_A$ and $H_B$, which can be oriented in the directions ↑, → and ↗, ↘, respectively, like in the Stern-Gerlach experiment for silver atoms. From the result $R_A$ of the electron's (E) spin in Alice's measurement (which can result in either parallel $|\uparrow\rangle_e$ or antiparallel $|\downarrow\rangle_e$ to the external magnetic field $H_A$), one can predict with certainty the result $R_B$ of the positron's (P) spin in Bob's measurement, when measuring in the same direction $H_B \parallel H_A$ as Alice ($R_B$ ought to be antiparallel to $R_A$ in this case). This would happen even if Alice and Bob were far away, so that no information exchange between them could take place before each measurement, according to Einstein's causality principle.
In order to motivate the original Einstein–Podolsky–Rosen "paradox" (Einstein et al. 1935), we propose the following classic analogy: let us think of "entangled" pairs of green and red balls, made of metal or wood and whose weight is 0.5 or 1 kg. The measurement devices (the analog of the magnetic field H directions) can be a flashlight (to measure color), fire (to distinguish metal from wood) and some weighing apparatus. Pairs of balls are "entangled" as: green–red, metal–wood and 0.5–1, and sent each one to Alice and Bob, respectively. Thus, the measurement of a given quality carried out by Alice on one member of the pair automatically determines the quality of the other member of the pair, even before Bob carries out the corresponding measure. What is then the paradox? If Alice and Bob are quite far away, so that no message can fly between them while the measures take place, then Bob would never think that the choice of measurement apparatus (flashlight, fire or scales) by Alice on one member of the pair would determine his results (color, fabric and weight) on the other member of the pair. If it were so, then we should start thinking about "telepathy" or "action at a distance", something forbidden by Einstein's Relativity Theory. This situation would never happen in the classic (macroscopic) world, but it is perfectly possible in the quantum (subatomic) arena. Here we have the "esoteric" face of quantum mechanics that upset Einstein. However, let us see that there is nothing mysterious in quantum mechanics when one accepts that, contrary to the classical systems, subatomic entities do not have well defined values of their properties before they are measured; instead, all possible values must coexist in a quantum superposition like in (2).

Fig. 6 A quantum circuit, made of Hadamard H and CNOT gates, that creates entanglement

Fig. 7 Measuring entangled pairs $|EP\rangle$
Indeed (the following argument is a particular example of Bell's inequalities (Bell 1966)), let us say that Bob, loyal to the classical mentality, really believes that the positron coming to him (see Fig. 7) has a definite spin: either up (parallel) ↑ or down (antiparallel) ↓ (but never a mixture...) aligned with his magnetic field $H_B$, which he can choose either in the direction ↗ or ↘, at pleasure. Alice's magnetic field directions are rotated θ = π/4 radians with respect to Bob's. Let us say the answer is R = 1 when the spin is up and R = 0 when the spin is down with respect to the magnetic field H. Let us suppose that Alice and Bob start placing $(H_A, H_B) = (\rightarrow, \nearrow)$. Quantum Mechanics predicts that the probability of agreement between the answers $(R_A, R_B)$ is $\sin^2(\theta/2) = 0.15$, where θ is the angle between $H_A$ and $H_B$ (that is θ = π/4). Bob, who stays quite far away from Alice's place, also thinks that his results $R_B$ are not affected by Alice's choice of measurement direction (either ↑ or →). Even more, since he thinks the spin is well defined even before any measurement takes place, he also thinks that the global result would have been $(R'_A, R_B)$, instead of $(R_A, R_B)$, if the choice of measurement had been $(H_A, H_B)' = (\uparrow, \nearrow)$ instead of $(H_A, H_B) = (\rightarrow, \nearrow)$. The agreement between answers $(R'_A, R_B)$ would continue to be the same (15%) since the new angle θ′ is the same as before. In the same way, according to "classic" Bob's mentality, if the arrangement were $(H_A, H_B)'' = (\rightarrow, \searrow)$, then the agreement between $(R_A, R'_B)$ would have been again 15%. Taking into account the previous results, and just by simple deduction (transitive property), Bob would then conclude that the agreement between $(R'_A, R'_B)$, in the arrangement $(H_A, H_B)''' = (\uparrow, \searrow)$, would never exceed 15% + 15% + 15% = 45%. But, on the contrary, the experiment gives 85%, in accordance with Quantum Mechanics, which predicts $\sin^2(\theta'''/2) \simeq 0.85$ for $\theta''' = 3\pi/4$ (to be precise, experiments are not really done with electrons and positrons, but with other spin 1/2 particles or photons, although the same argument applies). The mistake is then to think that, "like balls", electrons have a definite spin (up or down) before the measurement takes place. Otherwise we should start believing in telepathy....
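The numbers in this argument can be reproduced directly. The following added example (not from the paper) computes the quantum agreement probabilities $\sin^2(\theta/2)$ for the four arrangements and checks Bob's "transitive" step by enumerating every possible set of pre-existing answers. The direction names and the assignment of angles (→ at 0, ↑ at π/2, ↗ at π/4, ↘ at −π/4) are assumptions chosen to match the geometry described in the text.

```python
import math
from itertools import product

# Field directions as angles in radians (assumed assignment, see lead-in).
ALICE = {"right": 0.0, "up": math.pi / 2}                      # -> and up arrow
BOB = {"up_right": math.pi / 4, "down_right": -math.pi / 4}    # diagonal arrows


def quantum_agreement(angle_a, angle_b):
    """Singlet pair: probability that R_A and R_B coincide, sin^2(theta/2)."""
    theta = abs(angle_a - angle_b)
    return math.sin(theta / 2) ** 2


def classical_step_holds():
    """Bob's deduction, checked for all 16 sets of definite answers.

    If the spins had definite values R_A, R'_A (Alice's two directions) and
    R_B, R'_B (Bob's two directions) before measurement, then R'_A = R'_B
    forces at least one of the pairs (R'_A, R_B), (R_A, R_B), (R_A, R'_B)
    to agree as well. Averaging over any mixture of such sets gives
    P(R'_A = R'_B) <= P(R'_A = R_B) + P(R_A = R_B) + P(R_A = R'_B).
    """
    for r_a, r_a_prime, r_b, r_b_prime in product((0, 1), repeat=4):
        fourth = int(r_a_prime == r_b_prime)
        three = (int(r_a_prime == r_b) + int(r_a == r_b)
                 + int(r_a == r_b_prime))
        if fourth > three:
            return False
    return True


def bell_summary():
    """Compare the classical ceiling with the quantum prediction."""
    p = {(a, b): quantum_agreement(ALICE[a], BOB[b])
         for a in ALICE for b in BOB}
    ceiling = (p[("right", "up_right")] + p[("up", "up_right")]
               + p[("right", "down_right")])
    quantum = p[("up", "down_right")]
    return {"pairwise": p, "classical_ceiling": ceiling,
            "quantum": quantum, "violated": quantum > ceiling}


if __name__ == "__main__":
    summary = bell_summary()
    for setting, prob in summary["pairwise"].items():
        print(setting, round(prob, 3))
    print("deduction valid for definite values:", classical_step_holds())
    print("ceiling", round(summary["classical_ceiling"], 3),
          "quantum", round(summary["quantum"], 3))
```

The deduction itself is sound for any definite values, so the violation (about 0.85 against a ceiling of about 0.44, which the text rounds to 45%) can only come from the assumption that the answers exist before measurement.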
It is clear that these kinds of experiences at the subatomic level, utterly uncommon in the macroscopic world, could be efficiently used in the future to create really surprising situations. Let us imagine a World-Wide-Web of entangled quantum computers that cooperate performing tasks which are impossible even via satellite. Nowadays, this is just speculation, although there are current and future applications of entanglement in the field of telecommunications. Let us see some of these implementations of entanglement.
5 Entanglement and teleportation
One of the most spectacular applications of entanglement is the possibility of transporting a
quantum system from one place to another without carrying matter, but just information.
Teleporting the polarization state of one photon is nowadays physically realizable thanks to
the original idea of the authors in Bennett et al. (1993) and the Innsbruck experiment
(Bouwmeester et al. 1997). However, there is a long way to cover before we can teleport a
macroscopic (even a mesoscopic) system. First we must fight "quantum decoherence" (qubits are fragile and sensitive to any kind of external noise).
A typical electromagnetic wave, such as a light beam from the sun, a flashlight or a laser pointer, vibrates in all directions perpendicular to the beam direction. When we pass it through a polarizer (like the lens from a pair of polarizing sunglasses), we select a particular vibration direction (let us say: horizontal ↔ or vertical ↕), absorbing the rest. In general, the polarization state of one photon is a quantum superposition like:

$$|\psi\rangle = c_h|\leftrightarrow\rangle + c_v|\updownarrow\rangle, \qquad (10)$$

where $|c_v|^2$ (resp. $|c_h|^2$) is the probability that the photon goes through a vertically (resp. horizontally) oriented polarizer. Moreover, some birefringent crystals (like calcite crystals) can be used to separate photons (beam splitters) based on their polarization. If the photon striking the crystal is in a state like (10), it will emerge in one direction, vertically polarized $|\updownarrow\rangle$, with probability $|c_v|^2$ and in another direction, horizontally polarized $|\leftrightarrow\rangle$, with probability $|c_h|^2$.
Teleportation of one photon goes as follows (see Fig. 8). An ultraviolet laser pulse strikes a Barium β-Borate crystal, creating an entangled pair of photons $(F_1, F_1')$ like

$$|\leftrightarrow\rangle_{F_1} |\updownarrow\rangle_{F_1'} - |\updownarrow\rangle_{F_1} |\leftrightarrow\rangle_{F_1'} \qquad (11)$$

and another entangled pair $(F_2, F_2')$ after reflection in a mirror M1. The polarizer P prepares $F_2$ in the state (10), which joins $F_1$ through a beam splitter (BS). Then Alice makes a two-qubit measure (also, "coincidence" or Bell's measure) with the photon detectors D1, D2. The measurement can have four different answers: $(R_{D1}, R_{D2}) = (1, 1), (1, 0), (0, 1), (0, 0)$. If both detectors are struck (i.e. if the answer is (1,1)), Alice tells Bob (through a classic message) that the photon $F_1'$ has "transmuted" to the state ψ, which Bob can verify by using a beam splitter polarizer (BSP), consisting in a calcite crystal. In the other three cases, Alice can always indicate to Bob the operation to rotate $F_1'$ to Ψ. Thus, we need a two-bit classic message to teleport one qubit (this is some sort of dense information coding).
Fig. 8 Quantum teleportation of the polarization state of one photon

Quantum information cannot be cloned (no-cloning quantum theorem). Indeed, let us assume that there exists a unitary transformation U that clones two orthogonal states $|a\rangle$ and $|b\rangle$ with $\langle a|b\rangle = 0$; that is:

$$U|a\rangle|0\rangle = |a\rangle|a\rangle, \qquad U|b\rangle|0\rangle = |b\rangle|b\rangle. \qquad (12)$$

Let us consider the superposition $|c\rangle = \frac{1}{\sqrt{2}}(|a\rangle + |b\rangle)$. On the one hand, using the linearity property of U, we should have:

$$U|c\rangle|0\rangle = \frac{1}{\sqrt{2}}(U|a\rangle|0\rangle + U|b\rangle|0\rangle) = \frac{1}{\sqrt{2}}(|a\rangle|a\rangle + |b\rangle|b\rangle). \qquad (13)$$

However, on the other hand, the cloning operator U should clone $|c\rangle$ as:

$$U|c\rangle|0\rangle = |c\rangle|c\rangle = \frac{1}{2}(|a\rangle|a\rangle + |a\rangle|b\rangle + |b\rangle|a\rangle + |b\rangle|b\rangle), \qquad (14)$$

which is different from (13). This means that it is impossible to (perfectly) clone an unknown quantum state like $|c\rangle$.
The impossibility of cloning quantum information can limit long-range quantum communications due to decoherence of quantum signals. However, intermediary teleporting stations can overcome this obstruction.
Still, the no-cloning quantum theorem has a positive side: the detection of eavesdroppers and the establishment of reliable quantum communications.
6 Quantum cryptography
Fig. 9, borrowed from Doyle and Hodgson (1994), reproduces the bait that the famous detective Sherlock Holmes lays for the criminal Abe Slaney, who uses a secret language consisting of dancing figures. Abe's mistake is to always use the same cryptographic system. Sherlock Holmes gathers several messages and identifies the letter E (the most common in English writing) and, with his characteristic intuition, the rest.

Fig. 9 Come here at once (Sherlock Holmes)
The basic ingredients to encrypt a secret message M are: a key K (known only by the sender, Alice, and the receiver, Bob) and a cryptographic algorithm E that assigns a cryptogram $C = E_K(M)$ to M through K. The decryption process consists in applying the inverse algorithm $M = E_K^{-1}(C)$. For example, the "one-time pad" algorithm assigns a q-digit cryptogram $C = \{c_1, \dots, c_q\}$ (with $c_j = 0, \dots, 2^5 - 1$ the alphabet symbols) to $M = \{m_1, \dots, m_q\}$ through $K = \{k_1, \dots, k_q\}$ by using the addition $c_j = m_j \oplus k_j \bmod 32$. For example:

$$\begin{aligned}
M &= \{s\ e\ c\ r\ e\ t\} = \{18\ 04\ 02\ 17\ 04\ 19\}, \\
K &= \{29\ 17\ 31\ 25\ 04\ 14\}, \\
C &= \{15\ 20\ 01\ 11\ 08\ 02\} = \{p\ u\ b\ l\ i\ c\}.
\end{aligned} \qquad (15)$$

The reliability of this simple cryptographic system is guaranteed as long as the key K is randomly generated and not used more than once (actually, this was Abe's mistake...). The problem arises when Alice and Bob, who are far apart, run out of keys. How can they generate new keys in the presence of eavesdroppers?
6.1 Secure quantum private key distribution
6.1.1 Secure key distribution using entanglement
One possibility is to use entangled pairs (Ekert 1991). Both Alice and Bob can choose the
direction of their magnetic fields H, ↑ or →, at will. After measuring n pairs, they
broadcast the direction choice of H each time, but not the answer, which can be 1 = ↑ or
0 = ↓. On average, they should coincide n/2 times in the direction choice, for which the
answers are perfectly (anti-)correlated: $(R_A, R_B) = (1,0) \equiv 0$ or $(R_A, R_B) = (0,1) \equiv 1$.
Then Alice and Bob keep only these approximately n/2 (anti-)correlated answers $(R_A, R_B) = 0,1$
and construct the key K = 00101... One can prove that $(R_A, R_B)$ are indeed anticorrelated if and only if there have been no eavesdroppers tapping the quantum channel,
which can be verified by sacrificing a small part of the key, for high values of n (see
Preskill 1998 for a simple proof). The reliability of this key distribution algorithm lies in
the fact that the observation made by eavesdroppers destroys the quantum entanglement.
6.1.2 Secure key distribution using polarized photons
Another possibility is to use polarized photons, according to the key distribution protocol
devised by Bennett and Brassard (1984). Two Pockels cells rotate the polarization plane of
the photon by 0, π/4, π/2 and 3π/4, depending on whether they are on or off. Alice encodes n bits
as polarized photons, choosing at will the directions ↑ and ↗ (0 and π/4 radians) to
encode 0 and the directions → and ↘ (π/2 and 3π/4 radians) to encode 1, and sends them
to Bob. Bob uses a beam splitter (calcite crystal) to decode the n polarized photons. He
randomly places the beam splitter in the rectilinear (+) or diagonal (×) position, that is, he
uses a rectilinear basis $\{|\updownarrow\rangle, |\leftrightarrow\rangle\}$ or a diagonal basis
$$|\nearrow\rangle = \frac{1}{\sqrt{2}}\left(|\updownarrow\rangle + |\leftrightarrow\rangle\right), \qquad |\searrow\rangle = \frac{1}{\sqrt{2}}\left(|\updownarrow\rangle - |\leftrightarrow\rangle\right)$$
at will. Next, Bob broadcasts the sequence of bases, (+) or (×), he used to measure
the photons (see the central line in the simulation of Table 1). Alice broadcasts which of
Bob's bases were the same ones she used. Alice and Bob discard the measurements for
which Bob used a different basis than Alice and keep the rest as the key (namely, 11101 in
Table 1). They should agree on the value of these approximately n/2 bits if no eavesdropping takes place (i.e. Bob guesses the correct basis 50% of the time on average).
The information made public by Alice and Bob does not give the actual value of the key
to any eavesdropper (let us call her Eve) because Alice's polarizations were chosen randomly. Actually, if Bob guessed + as the correct polarization, Eve does not know whether
Alice sent a → (1) or a ↑ (0) polarized photon.
Imagine now that Eve intercepts the photons that Alice sent to Bob and tries to decode
them, sending them later to Bob using whatever orientation she had picked. Eve will guess
the correct basis 50% of the time on average, just as Bob does. But when Eve measures a
photon like (10), she collapses it to one of the vectors of the basis she uses for the
measurement. Thus, when Bob decodes the photons unaware of Eve's presence, he will get
a wrong result in about half of the cases where he and Alice would expect an agreement
(namely, the bit marked as 0* in Table 2), that is, in some of those cases where they both
have chosen the same basis and it differs from Eve's.
Since Alice and Bob choose the same basis half of the time, Eve's measurement adds an
error rate of 25%. Alice and Bob can always compare a subset of those bits to test for the
presence of eavesdropping. It can be proved that, for m bits tested, the probability P of
detecting eavesdroppers goes like $P(m) = 1 - \left(\frac{3}{4}\right)^m$, which is high enough even for low
values of m. Once Alice and Bob see that the channel is highly secure, they use the rest of
the bits to generate the key; otherwise they abandon the communication and try again later. The
interested reader can consult Williams and Clearwater (1997) for more information, which
comes with simulations using the Mathematica package.

Table 1 Simulation of quantum key distribution in the absence of eavesdropping

Alice encodes bits                1  1  1  1  1  0  0  1  0  1
as polarized photons              ↖  →  ↖  ↖  ↖  ↗  ↗  →  ↑  ↖
Bob uses the basis                +  +  ×  +  ×  ×  +  ×  ×  ×
and gets the result               ↑  →  ↖  →  ↖  ↗  ↑  ↗  ↗  ↖
Key                                  1  1     1  0           1

Table 2 Simulation of quantum key distribution in the presence of eavesdropping

Alice sends polarized photons     ↖  →  ↖  ↖  ↖  ↗  ↗  →  ↑  ↖
Eve intercepts, uses the basis    ×  +  +  +  ×  +  +  ×  ×  ×
and gets the result               ↖  →  ↑  →  ↖  →  →  ↗  ↖  ↖
Bob uses the basis                +  +  ×  +  ×  ×  +  ×  ×  ×
and gets the result               ↑  →  ↗  →  ↖  ↗  →  ↗  ↖  ↖
Key                                  1  0*    1  0           1
In summary: unlike classical communications, quantum communications detect the
presence of eavesdroppers. In fact, prototypes tens of kilometers long already exist.
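The sifting step and the effect of an intercept-resend eavesdropper described in Sect. 6.1.2 can be reproduced with a classical simulation. The following Python code is an added example, not part of the original paper: it models a measurement in the wrong basis as a fair coin flip, and its function names, photon counts and seed are assumptions chosen for illustration.

```python
import random

RECT, DIAG = "+", "x"  # the two beam-splitter positions

def measure(bit, prep_basis, meas_basis, rng):
    """Same basis: the encoded bit is read back. Other basis: 50/50 outcome."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84_sift(n, eavesdrop, rng):
    """Send n photons; return Alice's and Bob's bits where their bases agree."""
    alice_key, bob_key = [], []
    for _ in range(n):
        a_bit, a_basis = rng.randint(0, 1), rng.choice((RECT, DIAG))
        bit, basis = a_bit, a_basis
        if eavesdrop:
            # Intercept-resend: Eve measures in a random basis and forwards
            # a photon polarized according to her own result.
            e_basis = rng.choice((RECT, DIAG))
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        b_basis = rng.choice((RECT, DIAG))
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis == a_basis:  # bases are compared in public, bits are not
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def error_rate(alice_key, bob_key):
    """Fraction of sifted bits on which Alice and Bob disagree."""
    return sum(a != b for a, b in zip(alice_key, bob_key)) / len(alice_key)

def detection_probability(m):
    """P(m) = 1 - (3/4)^m from the text."""
    return 1 - (3 / 4) ** m

def empirical_detection(m, trials, rng):
    """Fraction of eavesdropped runs where comparing m sifted bits shows an error."""
    detected = 0
    for _ in range(trials):
        # 16m photons leave about 8m sifted bits, comfortably more than m
        alice_key, bob_key = bb84_sift(16 * m, True, rng)
        detected += alice_key[:m] != bob_key[:m]
    return detected / trials

if __name__ == "__main__":
    rng = random.Random(2024)  # fixed seed so the run is repeatable
    print("error rate without Eve:", error_rate(*bb84_sift(20000, False, rng)))
    print("error rate with Eve   :", error_rate(*bb84_sift(20000, True, rng)))
    for m in (1, 5, 10, 20):
        print(m, detection_probability(m), empirical_detection(m, 2000, rng))
```

The measured error rate with Eve present settles near 25%, and the empirical detection frequency tracks $1 - (3/4)^m$.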
6.2 Quantum cracking of public key cryptographic systems
Nowadays, the reliability of the RSA (Rivest, Shamir and Adleman) public key cryptographic system is based on the difficulty of integer factoring on classical computers. The
protocol is the following.
6.2.1 Encryption
Alice broadcasts her key, consisting of two big integers (k, N), with N = pq the product of
two big prime numbers p and q known only to her. Anyone wanting to send her a message
M (when properly digitized) can encrypt it by computing
$$C = M^k \pmod N.$$
Let us assume that M < N and g.c.d.(M, N) = 1 (i.e., M and N are co-prime). This is
highly probable since the Euler function of N, which gives the number of co-primes with N,
is $\varphi(N) = (p-1)(q-1) = N - p - q + 1 \sim N$. The value of $\varphi(N)$ is known only by Alice
since p and q are secret. The Euler–Fermat theorem states that $M^{\varphi(N)} = 1 \pmod N$. Let us
assume that g.c.d.$(k, \varphi(N)) = 1$; then $\exists\, t$ such that $kt = 1 \pmod{\varphi(N)}$, i.e., $kt = 1 + n\varphi(N)$
for some $n \in \mathbb{Z}$. Thus, $t(k, \varphi(N))$ is the inverse of $k \pmod{\varphi(N)}$. The inverse t of k could be
efficiently calculated by Euclid's algorithm if someone, other than Alice, knew $\varphi(N)$.
6.2.2 Decryption
In order to decrypt the message, Alice uses the formula
$$M = C^t \pmod N.$$
Indeed, using the Euler–Fermat theorem at an intermediate step, we have
$$C^t \pmod N = M^{kt} \pmod N = M^{1+n\varphi(N)} \pmod N = M\,M^{n\varphi(N)} \pmod N = M \pmod N = M. \qquad (16)$$
Any eavesdropper who wants to decrypt the message first has to factorize N = pq. To
get an idea of the difficulty of this operation, for $N \sim 10^{50}$, and with a rough
algorithm, we should make of the order of $\sqrt{N} \simeq 10^{25}$ divisions. A quite good classical
computer capable of performing $10^{10}$ divisions per second would take $10^{15}$ seconds to find p
and q. Knowing that the age of the universe is about $3.8 \times 10^{17}$ s, this discourages any eavesdropper.
Actually, there are more efficient algorithms that reduce the computational time, although
it keeps growing exponentially with the input size anyway.
6.2.3 Shor’s quantum factoring algorithm
Shor (1994) designed an algorithm, to be run on a quantum computer, that factors in
polynomial time $t \sim (\log N)^n$, making factoring a tractable problem in the quantum arena
and threatening the security of most business transactions. The efficiency of the algorithm lies in the quantum mechanical resources: entanglement and parallelism.
Essentially, the factoring problem of N reduces to finding the period r of the function
$F_N(x) = a^x \pmod N$, where a must be co-prime with N. Indeed, if we know r for some a and
we assume that r is even and $a^{r/2} \neq -1 \pmod N$ (which turns out to be highly probable),
then
$$F_N(x+r) = F_N(x) \Rightarrow a^r \pmod N = 1 \pmod N \Rightarrow (a^r - 1) = 0 \pmod N \Rightarrow (a^{r/2} - 1)(a^{r/2} + 1) = 0 \pmod N. \qquad (17)$$
Thus, p and q are found among g.c.d.$(a^{r/2} - 1, N)$ and g.c.d.$(a^{r/2} + 1, N)$, which can be
efficiently computed using the Euclid algorithm (see e.g. Hirvensalo 2001 for technical
details). In short, knowing r is equivalent to knowing p and q.
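The RSA protocol of Sect. 6.2.1 and 6.2.2 and the reduction (17) can be followed end to end on a toy key. The following Python code is an added example, not part of the original paper: the period r is found by classical brute force, which is only feasible because the constructed modulus N = 3233 is tiny, and the function names and the values of N, k and M are assumptions chosen for illustration.

```python
from math import gcd

def find_period(a, N):
    """Smallest r > 0 with a^r = 1 (mod N), found by classical brute force.
    This is the step that Shor's algorithm performs in polynomial time."""
    if gcd(a, N) != 1:
        raise ValueError("a must be co-prime with N")
    r, value = 1, a % N
    while value != 1:
        value = (value * a) % N
        r += 1
    return r

def factor_from_period(N, a):
    """Eq. (17) for N = pq: return (p, q) with p < q, or None if a is unusable."""
    r = find_period(a, N)
    if r % 2 == 1:
        return None                      # r must be even
    half = pow(a, r // 2, N)             # a^(r/2) mod N
    if half == N - 1:
        return None                      # a^(r/2) = -1 (mod N): trivial gcds
    p, q = gcd(half - 1, N), gcd(half + 1, N)
    return (min(p, q), max(p, q))

def private_exponent_from_public_key(k, N):
    """Recover t from the public pair (k, N) alone, via the period of a^x mod N."""
    for a in range(2, N):
        if gcd(a, N) != 1:
            continue                     # such an a already shares a factor with N
        factors = factor_from_period(N, a)
        if factors is not None:
            p, q = factors
            phi = (p - 1) * (q - 1)      # Euler function of N
            return pow(k, -1, phi)       # t with k*t = 1 (mod phi); Python 3.8+
    return None

# Constructed toy key, far too small for real use: N = 53 * 61.
N, k = 3233, 17
M = 65                                   # message with M < N, co-prime with N
C = pow(M, k, N)                         # encryption: C = M^k (mod N)

if __name__ == "__main__":
    t = private_exponent_from_public_key(k, N)
    print("a = 2: period", find_period(2, N), "->", factor_from_period(N, 2))
    print("t =", t, " decrypted:", pow(C, t, N))   # decryption: M = C^t (mod N)
```

The choice a = 2 illustrates the excluded case: its period is even but $a^{r/2} = -1 \pmod N$, so another a has to be tried.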
Quantum computation of periods turns out to be a tractable (polynomial) problem.
Without entering into details, applying the unitary transformation $U_F$ that implements the
exponential function $F_N$ (recall the case (8)) to a superposition of $\omega \gg r$ numbers x in
the first register and storing the values $F_N(x)$ in the second register, as
$$\sum_{x=0}^{\omega-1} |x\rangle|0\rangle \xrightarrow{\;U_F\;} \sum_{x=0}^{\omega-1} |x\rangle|F_N(x)\rangle, \qquad (18)$$
we entangle both registers. Then measuring the second register,
$$\sum_{x=0}^{\omega-1} |x\rangle|F_N(x)\rangle \xrightarrow{\;F_N(x)=u\;} \sum_{j=0}^{j \simeq \omega/r - 1} |x_u + jr\rangle|u\rangle, \qquad (19)$$
we leave the first register in a superposition of $z \approx \omega/r$ numbers that differ from each other
in multiples jr of the period r, which can be obtained by a quantum Fourier transform (see
e.g. Hirvensalo 2001; Preskill 1998 for more details). It is the entanglement between $|x\rangle$
and $|F_N(x)\rangle$ which makes possible the "massive scanning" of the function $F_N$.
As with the RSA protocol, the reliability of the U.S. Digital Signature Algorithm also lies in the
fact that, like factoring, the computation of the discrete logarithm is an intractable problem
on classical computers. Both RSA and the U.S. Digital Signature Algorithm are just particular instances of
the so-called Hidden Subgroup Problem (see e.g. Calixto 2004 for an overview). This
problem encompasses all known "exponentially fast" applications of the quantum Fourier
transform.
7 Grover’s quantum searching algorithm
Whereas classical searching algorithms need of the order of P/2 trials to find an item $\tilde{x}$ in an
unstructured list of P items, Grover (1997) designed a quantum algorithm that brings the
number of trials down to about $\sqrt{P}$ iterations (with success probability of $\sim (P-1)/P$) on
the quantum superposition
$$|\psi(\theta_0)\rangle = H^{\otimes N}|0\rangle^{\otimes N} = \frac{1}{\sqrt{2^N}} \sum_{x=0}^{2^N-1} |x\rangle = \sin(\theta_0)|\tilde{x}\rangle + \frac{\cos(\theta_0)}{\sqrt{2^N-1}} \sum_{x \neq \tilde{x}} |x\rangle \qquad (20)$$
of all items (parallel searching), where $\sin(\theta_0) = \frac{1}{\sqrt{2^N}}$ and we are taking $P = 2^N$ without
loss of generality. Without entering into detail, the searching process consists of enhancing
the probability amplitude of $|\tilde{x}\rangle$ and dimming the rest in the superposition (20) through
consecutive unitary operations G, made of "inversions and diffusions" (see e.g. Nielsen
and Chuang (2000) for more information), that transform
$$|\psi(\theta_0)\rangle \xrightarrow{\;G\;} |\psi(\theta_1)\rangle \xrightarrow{\;G\;} |\psi(\theta_2)\rangle \dots$$
The result is a subtle interference effect that determines $\tilde{x}$ as $|\psi(\theta_t)\rangle$, for $\theta_t \simeq \pi/2$, in about
$t \simeq (\pi/4)\sqrt{P}$ iterations. For P = 4 (two qubits) the situation is even more surprising: we
just need a single trial to turn $|\psi(\theta_0)\rangle$ into $|\tilde{x}\rangle$! Figure 10 gives a geometrical interpretation of
this case. Grover iteration consists here of an inversion of $|10\rangle$ around zero, followed by
another inversion around the amplitude average
$$\frac{1}{4}\left(3 \cdot \frac{1}{2} - \frac{1}{2}\right) = \frac{1}{4}.$$
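The two inversions that make up a Grover iteration can be followed numerically on the list of amplitudes. The following Python code is an added example, not part of the original paper: it is a classical simulation of the amplitudes of the superposition (20), and its function names and the list sizes tried are assumptions chosen for illustration.

```python
from math import floor, pi, sqrt

def grover_iteration(amps, target):
    """One G: inversion of the target around zero, then around the average."""
    flipped = list(amps)
    flipped[target] = -flipped[target]
    average = sum(flipped) / len(flipped)
    return [2 * average - a for a in flipped]

def grover_search(P, target, iterations=None):
    """Return (iterations, probability of measuring the target item)."""
    if iterations is None:
        iterations = max(1, floor(pi / 4 * sqrt(P)))   # t ~ (pi/4) sqrt(P)
    amps = [1 / sqrt(P)] * P                           # equal superposition (20)
    for _ in range(iterations):
        amps = grover_iteration(amps, target)
    return iterations, amps[target] ** 2

if __name__ == "__main__":
    # Index 2 is the item |10> of the P = 4 case discussed in the text.
    for P in (4, 64, 1024):
        t, prob = grover_search(P, target=2)
        print(f"P={P:5d}  iterations={t:3d}  P(success)={prob:.5f}")
    # Failure mode: iterating past t rotates the state away from the target.
    print("P=4, two iterations:", grover_search(4, 2, iterations=2)[1])
```

For P = 4 the first inversion gives the average 1/4 and the second sends the amplitudes to (0, 0, 1, 0); a second iteration lowers the success probability back to 1/4, so the iteration count must not be exceeded.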
8 Prospects
Since Deutsch (1985) proposed the first quantum algorithm, many other algorithms have
arisen, although most of them use the same principle as Shor and Grover. This copious
production of "quantum software" contrasts with the enormous technological difficulty in
the design of "quantum hardware" to run quantum algorithms efficiently and error free.
Now we can hope to manipulate small quantities of quantum information (teens of qubits)
using techniques borrowed from Magnetic Resonance, Ion traps, etc. Maybe these "toy
quantum computers" cannot do sensible computation yet, although they could be interesting for simulating other quantum systems (as Feynman pointed out some time ago; Feynman
1982), something that is computationally hard to do on a classical computer. Before
building a real-world, commercial quantum computer with, for example, a few million
qubits, we should be able to develop efficient "vaccines" against decoherence (degradation
of quantum information in noisy environments). We have not talked about interesting
subjects like quantum error correction and fault-tolerant quantum computation (see e.g.
Preskill 1998). Alternative strategies, like topological quantum computation (based, for
example, on the fractional quantum Hall effect), do not try to make the system noiseless
but, instead, make it deaf, that is, immune to the usual sources of quantum decoherence.
These are interesting subjects but we have no room to develop them here.
For pessimistic people, let me remind them of a discussion in the March 1949 edition of
the journal "Popular Mechanics" that said something like: "... whereas ENIAC (Electronic
Numerical Integrator and Calculator) is equipped with 18,000 vacuum valves and weighs
30 tons, computers in future will have just 1000 vacuum valves and weigh 1.5 tons...".
Incredible laptop!
Fig. 10 Enhancement of the probability of finding the third item |10⟩ after a Grover iteration on a quantum
equal superposition of four items
Acknowledgements Work partially supported by the Spanish MCYT and Fundación Séneca under projects FIS2005-05736-C03-01 and 03100/PI/05.
References
Aspect A, Grangier P, Roger G (1981) Experimental tests of realistic local theories via Bell’s theorem. Phys
Rev Lett 47:460–463
Bell JS (1966) On the problem of hidden variables in quantum mechanics. Rev Mod Phys 38:447–452
Bennett CH, Brassard G (1984) Quantum cryptography: public-key distribution and coin tossing. In: Proceedings IEEE international conference on computers, systems and signal processing, Bangalore,
India, (IEEE, New York), pp 175–179
Bennett CH, Brassard G, Crepeau C, Jozsa R, Peres A, Wootters WK (1993) Teleporting an unknown
quantum state via dual classical and EPR channels. Phys Rev Lett 70:1895–1899
Bouwmeester D, Pan JW, Mattle K, Eibl M, Weinfurter H, Zeilinger A (1997) Experimental quantum
teleportation. Nature 390:575–579
Calixto M (2004) On the hidden subgroup problem and efficient quantum algorithms. In: Alvarez-Estrada
RF, Dobado A, Fernández LA, Martín-Delgado MA, Munoz Sudupe A (eds) Fundamental physics
workshop in honor to A. Galindo, Aula Documental de Investigación, Madrid
Cirac JI, Zoller P (1995) Quantum computation with cold trapped ions. Phys Rev Lett 74:4091–4094
Deutsch D (1985) Quantum theory, the Church-Turing hypothesis and universal quantum computers. Proc
Roy Soc Lond A400:97–116
Doyle AC, Hodgson JA (1994) Sherlock Holmes. Basingstoke, Macmillan
Einstein A, Podolsky B, Rosen N (1935) Can quantum-mechanical description of physical reality be considered complete? Phys Rev 47:777–780
Ekert A (1991) Quantum cryptography based on Bell’s theorem. Phys Rev Lett 67:661–663
Feynman RP (1982) Simulating physics with computers. Int J Theor Phys 21:467–488
Grover LK (1997) Quantum mechanics helps in searching for needle in a haystack. Phys Rev Lett 79:325–328
Hirvensalo M (2001) Quantum computing, natural computing series. Springer-Verlag, New York
Menezes A, van Oorschot P, Vanstone S (1997) Handbook of applied cryptography. CRC Press, Boca Raton
Nielsen MA, Chuang IL (2000) Quantum computation and quantum information. Cambridge University
Press, Cambridge
Preskill J (1998) Quantum computation. Lecture notes for physics 229
Schumacher B (1995) Quantum coding. Phys Rev A51:2738; Schumacher B, Nielsen MA (1996) Quantum
data processing and error correction. Phys Rev A54:2629
Scientific American, special edition Solid state century (December 1997)
Shor PW (1994) Algorithms for quantum computation: discrete logarithms and factoring, 35th Annual
Symposium of Foundations of Computer Science, pp 124–134
Williams CP, Clearwater SH (1997) Explorations in quantum computing. Springer-Verlag, New York