Table Of Content

Quantum computation Samuel L. Braunstein Computer Science, University of York, York YO10 5DD, UK Introduction question of how well classical computers can simulate 1. Computing at the atomic scale quantumsystems. Heconcludedthatclassicalcomputers 2. Reversible computation invariablysufierfromanexponentialslow-downintrying tosimulatequantumsystems,butthatquantumsystems 3. Classical universal machines and logic gates could,inprinciple,simulateeachotherwithoutthisslow- 3.1. FANOUT and ERASE down. It was Deutsch [8], however, who flrst suggested 3.2. Computation without ERASE thatquantumsuperpositionmightallowquantumevolu- 4. Elementary quantum notation tion to perform many classical computations in parallel. 5. Logic gates for quantum bits To demonstrate where such capabilities may lie hid- 6. Logic gates in the laboratory den, we review an elementary quantum mechanical ex- 7. Model quantum computer and quantum code periment [9]. The two-slit experiment is prototypic for 8. Quantum parallelism: Period of a sequence observing one key feature of quantum mechanicals: A 9. The complexity of factoring source emits photons, electrons or other particles that 10. Security and RSA arrive at a pair of slits. These particles undergo unitary evolution and flnally measurement. We see an interfer- 11. Shor’s result: Factoring numbers ence pattern, with both slits open, which wholely van- 12. Quantum error correction ishesifeitherslitiscovered. Insomesense, eachparticle 13. Prospects passesthroughbothslitsinparallel. Ifsuchunitaryevo- 14. Glossary lution were to represent a calculation (or an operation Appendix withinacalculation) thenthequantum systemwouldbe Works cited performing computations in parallel. In some sense this quantum parallelism comes for free without our having to construct many copies of the ‘processing unit.’ The INTRODUCTION outputofthissystemwouldbegivenbytheconstructive interference among the parallel computations. A quantum computer is a device that can arbitrarily In this paper we give a tutorial on how quantum me- manipulate the quantum state of a part of itself. The chanics can be used to improve computation. We shall fleld of quantum computation is largely a body of the- concentrate on the only known algorithm which demon- oretical promises for some impressively fast algorithms stratesanexponentialspeeduprelativetothebestknown which could be executed on quantum computers. How- classical algorithms. Our challenge: solving an exponen- ever,sincetheflrstsigniflcantalgorithmwasproposedin tiallydi–cultproblemforaconventionalcomputer|that 1994 [1] experimental progress has been rapid with sev- of factoring a large number. As a prelude, we review the eral schemes yielding two [2, 3] and three quantum-bit standard tools of computation, universal gates and ma- manipulations [4]. At the writing of this article it does chines. Theseideasarethenappliedflrsttoclassical,dis- not seem unreasonable to expect that small quantum sipationless computers and then to quantum computers. computers capable of manipulating the quantum states A schematic model of a quantum computer is described of flve or six two-level systems will be available within aswellassomeofthesubtletiesinitsprogramming. The around flve years. In addition, with the discovery of Shor algorithm [1, 10] for e–ciently factoring numbers quantumerrorcorrectionschemes[5]suchmachineshave on a quantum computer is presented in two parts: the the promise of providing long term storage of quantum quantum procedure within the algorithm and the clas- information and possibly allowing the ability to manipi- sical algorithm that calls the quantum procedure. The late many more bits. It is still too early to tell whether mathematical structure within the factoring problem is the promises of rapid computation are achievable, nor discussed, making it clear what contribution the quan- is it yet well understood how broad a class of problems tum computer makes to the calculation. The complexity couldbesigniflcantlyspeededupbyquantumcomputers. of the Shor algorithm is compared to that of factoring QuantumcomputerswereflrstdiscussedbyBeniofi[6] on conventional machines and its relevance to public key in the context of simulating classical Turing machines cryptography is noted. In addition, we discuss the ex- (veryelementaryconventionalcomputers)withquantum perimental status of the fleld and also quantum error unitary evolution. Feynman [7] considered the converse correctionwhichmayinthelongrunhelpsolvesomethe 2 most pressing di–culties. We conclude with an outlook 2. REVERSIBLE COMPUTATION tothefeasibilityandprospectsforquantumcomputation in the coming years. What are the di–culties in trying to build a classical computing machine on such a small scale? One of the biggest problems with the program ofminiaturizing con- 1. COMPUTING AT THE ATOMIC SCALE ventional computers is the di–culty of dissipated heat. As early as 1961 Landauer studied the physical limita- Quantumcomputerswillperformcomputationsatthe tions placed on computation from dissipation [13]. Sur- atomic scale [9, 11]. We might ask at this point how prisingly, he was able to show that all but one opera- closeconventionalcomputationsaretothisscalealready? tion required in computation could be performed in a Fig. 1 shows a survey made by Keyes in 1988 [12]: The reversible manner, thus dissipating no heat! The flrst numberofdopantimpuritiesinthebasesofbipolartran- condition for any deterministic device to be reversible is sistors used for digital logic against the year. This plot that its input and output be uniquely retrievable from may be thought of as showing the number of electrons each other. This is called logical reversibility. If, in ad- required to store a single bit of information. An ex- dition to being logically reversible, a device can actually trapolation of the plot suggests that we might be within run backwards then it is called physically reversible and reach of the atomic-scale computations within the next thesecondlawofthermodynamicsguaranteesthatitdis- two decades. sipates no heat. The work on classical, reversible computation laid the 12 10 foundation for the development of quantum mechanical computers. On a quantum computer, programs are exe- 10 10 cuted by unitary evolution of an input that is given by s e thestateofthesystem. SinceallunitaryoperatorsU are uriti 108 invertible with U¡1 = Uy, we can always \uncompute" p m (reverse) a computation on a quantum computer. ofi 106 r e mb 104 3. CLASSICAL UNIVERSAL MACHINES AND u LOGIC GATES N 2 10 We now review the basic logic elements used in com- 1 putation and explain how conventional computers may 1950 1970 1990 2010 beusedforany\reasonable"computation. Areasonable Year computationisonethatmaybewrittenintermsofsome (possiblylarge)Booleanexpression,andanyBooleanex- pression may be constructed out of a flxed set of logic FIG. 1: Plot from Ref. [12] showing the number of dopant gates. Such a set (e.g., AND, OR and NOT) is called impurities involved in logic in bipolar transistors with year. universal. In fact we can get by with only two gates, (Copyright 1988 by International Business Machines Corpo- such as AND and NOT or OR and NOT. Alternatively, ration, reprinted with permission.) we may replace some of these primitive gates by others, suchastheexclusive-OR(calledXORoroftencontrolled- NOT); then AND and XOR form a universal set. The Anotherwayofviewingthisplotisperhapsevenmore truthtablesforthesegatesaredisplayedinTableI. Any relevant for the development of quantum computation: machine which can build up arbitrary combinations of Conventional computers have been improving in speed logic gates from a universal set is then a universal com- and miniaturization at an exponential rate since their puter. Further, which universal set of gates is chosen earliest days. Clearly there is a bound to our ability makes little difierence: A theorem by Muller states that to miniaturize conventional electronics and we will likely the complexity of the simplest circuits needed to com- betouchingthatlimitwithinthenexttwentyyears. The pute any reasonable Boolean function is afiected by at questionisraised,canwecontinuetoexpecttoseeanex- most a constant multiplicative factor [14]. ponential improvement in performance twenty and more Which of the above gates is reversible? Since AND, years from now? As we approach some of the physi- OR,andXORaremany-to-oneoperationsinformationis callimitstoconventionalcomputationalconstructionwe lost and they are not, as they stand, logically reversible. may begin to see a slow-down of this exponential rate. Before we discuss how these logic gates may be made A detailed study of quantum computation may help us reversible we consider some non-standard gates that we understand the fundamental physical limitations upon shall require. computation, conventional or otherwise. 3 A B AND OR XOR NOTB 0 0 0 0 0 1 0 1 0 1 1 0 1 0 0 1 1 1 1 1 1 1 0 0 TABLE I: Truth table deflning the operation of some simple logicgates. EachrowshowstwoinputvaluesAandBandthe corresponding output values for gates AND, OR and XOR. The output for the NOT gate is shown only for input B. 3.1. FANOUT and ERASE Although the above gates are su–cient for the mathe- maticsoflogic,theyarenotsu–cienttobuildamachine. A useful computer will also require the FANOUT and ERASE gates (Fig. 2). A FIG.3: Areversiblemeasurementoftheexistenceofa(light) A A ball in a trap of mirrors (dark rectangles) [15]. A (dark) ball A enters the trap from Y. In the absence of a light ball in the trap the dark ball will follow the path HN. In presence of a light ball (timed to start at X) the dark ball will de(cid:176)ect (a) FANOUT (b) ERASE the light one from its unhindered trajectory ABCDEF to ABGDEF andwillfollowthepathHIJKLM itself. (Copy- right 1988 by International Business Machines Corporation, FIG. 2: Two non-standard gates that are required to build reprinted with permission.) a computer, in addition to a universal set of logic gates, are: (a) the FANOUT gate which duplicates an input A and (b) the ERASE gate which deletes its input. temperature T, to its original size, we could obtain an amount of work equal to k T ln2 (where k is Boltz- B B FirstconsidertheFANOUTgate: Isitreversible? Cer- mann’s constant). Landauer concluded, based on simple tainly no information has been destroyed so it is at least models and more general arguments about the compres- logically reversible. Landauer showed that it could also sion of phase-space, that the erasure of a bit of informa- be physically reversible [13]. Let us describe a simple tion attemperature T requiresthedissipation ofat least model for FANOUT based on Bennett’s scheme for a re- k T ln2 heat (a result known as Landauer’s principle) B versible measurement (Fig. 3) [15] (We note, however, [13]. that the concepts involved in this scheme come from Fredkin and Tofioli [16, 17].) Here a dark ball is used to determine the presence or absence of a second (light) 3.2. Computation without ERASE ball inside a trap. The trap consists of a set of mirrors and may be thought of as a one-bit memory register. If Fortunately, the primitive ERASE is not absolutely the trap is occupied then the dark ball is re(cid:176)ected and essential in computation. To see why, consider what is leaves along direction M (with the light ball continuing required to compute arbitrary functions using reversible along its original trajectory); otherwise it passes unhin- logic (where the primitive ERASE is forbidden). Lan- dered towards N. Upon leaving the trap, the dark ball’s dauer showed how any function f(a) could be made one- direction is used to populate, or not, another trap. to-one by keeping a copy of the input: Let us now consider the ERASE operation, required to \clean out" the computer’s memory periodically. One f :a a;f(a) : ! type of erasure can be performed reversibly: If we have a backup copy of some information, we can erase further Here the bold parentheses¡¡¡represe¢¢¢nt an ordered set of copiesbyuncomputingtheFANOUTgate. Thedi–culty values, in this case, two. Extra \slots" will be added (or arises when we wish to erase our last copy, referred to removed) as required in our discussion below. here as the primitive ERASE. Howcanthistrickbeusedtoperformreversiblelogic? Consider a single bit represented by a pair of equally One solution, developed by Tofioli and Fredkin and probableclassicalstatesofsomeparticle. Toerasethein- known as the Tofioli gate, is shown in Fig. 4 [13, 16, 17]. formation about the particle’s state we must irreversibly The output of this gate may be decomposed into various compress phase-space by a factor of two. If we allowed this compressed phase-space to adiabatically expand, at 4 gates: 4. ELEMENTARY QUANTUM NOTATION A:C; for B =0 (AND) A simple quantum system is the two-level spin-1 par- A B; for C =1 (XOR) 2 B (A:C)=8 ' ticle. Its basis states, spin-down and spin-up , ' >><AA;; ffoorr BB ==CC ==11 (FA(NNOOTU)T) may be relabelled to represent binjar#yizero and one,ji".ei., 0 and 1 , respectively. The state of a single such par- 6 j i j i whereA:B rep>>:resentsanANDgate, A B representsan ticle is described by the wavefunction ˆ = fij0i+flj1i, ' i.e., a linear superposition amongst any of the possible XORgateandArepresentsaNOTgate. Weseethatthis ‘classical’ states of the system. The squares of the com- gate is universal, because it performs AND, XOR, NOT plex coe–cients fi2 and fl 2 represent the probabilities or FANOUT depending on its inputs. A combination of j j j j forflndingtheparticleinthecorrespondingstates. Gen- manysuchgatescouldthenbeusedforanycomputation eralizing this to a set of k spin-1 particles we flnd that and would still be reversible. 2 there are now 2k basis states (quantum mechanical vec- tors that span a Hilbert space) corresponding say to the A A 2kpossiblebit-stringsoflengthk. Freelymovingbetween decimal, binary and spin labels then we might write, for B B (A:C) example for k =5, a state 25 = 11001 = . ' j i j i j""##"i The dimensionality of the Hilbert space grows expo- C C nentially with k. In some very real sense quantum com- putations make use of this enormous size latent in even the smallest systems. FIG. 4: Three-input three-output universal reversible Tofioli gate. Thisgateisclearlyreversiblesinceasecondapplication 5. LOGIC GATES FOR QUANTUM BITS of it retrieves the original input. In this section we describe how arbitrary logic gates As noted by Landauer, this procedure leads to an im- may be constructed for quantum bits. We start by con- mediate problem because of the absence of the primitive sidering various one-bit unitary operations and a single ERASE.Themoregatesweemploy,themore\junk"bits two-bitone|theXORoperation. Combinationsofthese we accumulate: At each gate we must save input bits in aresu–cienttoconstructaTofioligateforquantumbits ordertopreservereversibility. Inotherwordsacomputer or indeed any unitary operation on a flnite number of built out of reversible logic instead of conventional, irre- bits. versible logic gates would behave like Start with a single quantum bit. If we represent the states and (i.e., 0 and 1 )asthevectors(1)and f :a a;j(a);f(a) ; j#i j"i j i j i 0 ! (0), respectively, thenthemostgeneralunitarytransfor- 1 with many extra junk bit¡¡¡s j(a). ¢¢¢ mation corresponds to a 2 2 matrix of the form £ Bennett solved this problem by showing that the junk bitscouldbereversibly erasedatintermediatestepswith ei(–+(cid:190)=2+¿=2)cos((cid:181)=2) ei(–+(cid:190)=2¡¿=2)sin((cid:181)=2) U ; minimal run-time and memory costs [18{20]. The spirit (cid:181) · ei(–¡(cid:190)=2+¿=2)sin((cid:181)=2) ei(–¡(cid:190)=2¡¿=2)cos((cid:181)=2) (cid:181)¡ ¶ of Bennett’s solution may be understood in terms of the following procedure: where we typically take – = (cid:190) = ¿ = 0 [21]. Using this operator we can (cid:176)ip bits via: f :a a;j(a);f(a) ! U 0 = 1 ; and U 1 = 0 : FANOUT: a;j(a);f(a) a;j(a);f(a);f(a) …j i ¡j i …j i j i ! ¡¡¡ ¢¢¢ fy : a;j(a);f(a);f(a) a;f(a) ; ¡¡¡ ¢¢¢ ! ¡¡¡ ¢¢¢ The extraneous sign represents a phase factor that does where f¡¡¡y denotes uncomp¢¢¢uting f¡¡¡, as op¢¢¢posed to com- not afiect the logical operation of the gates and may be removedifwewish,noworatalaterstage. Suchone-bit puting f¡1. First, f is computed, producing both junk computations areillustratedschematically asaquantum bits and the desired output. Then the FANOUT gate is circuit in Fig. 5 [21, 22]. applied to duplicate the output. Finally, we uncompute Another important one-bit gate is U which maps the original function f byrunning its computation back- ¡…=2 a spin-down particle wards. This procedure removes the junk bits and the original output. The duplicate, however, remains! 1 U 0 = (0 + 1 ); This completes our discussion of the construction of ¡…=2j i p2 j i j i classical, reversible computers. We have found that re- versibility does not bar the logical design of computing to an equal superposition of down and up. Consider a machines. Before mapping these ideas to quantum sys- string of k spin-1 particles initially spin-down. If we 2 tems, however, we introduce some elementary quantum mechanical notation. 5 which may be thought of as example of quantum com- A U U A (cid:181) (cid:181) puter code [23]. The ket-brackets are reminders that j i j i j i we are dealing with quantum rather than classical bits. The XOR gate allows us to move information around as is illustrated in Fig. 7. FIG. 5: Schematic ofthe quantum circuit diagramfora one- bit gate. The line represents a single quantum bit (such as a spin-1 particle). Initially, this bit has a state described by A A 2 j i j i jAi;afterithas\passed"throughthiscircuititcomesoutin the state U(cid:181)jAi. B A B j i j ' i apply this gate independently to each particle we obtain FIG. 6: Quantum circuit diagram for an XOR gate. The a superposition of every possible bit-string of length k: lower bit jBi is (cid:176)ipped whenever the upper bit jAi is set. q¡1 1 0 a ; A B j i¡! pq j i a=0 j i j i X B A where q = 2k. Our computer is now in a superposition j i j i of an exponentially large number of integers a from 0 to 2k 1. Suppose further, that we could construct a FIG. 7: Circuit for swapping a pair of bits. ¡ unitary operation which maps a pair of bit-strings a;0 j i into the pair a;f(a) for some function f(a). Then such How do we construct the Tofioli gate? One major j i a unitary operator acting on the superposition of states problem with this gate is that it requires three bits in andthreeout. Quantummechanically,thisseemstocor- q¡1 q¡1 1 1 respond to a scattering process involving three-particle a;0 a;f(a) ; pq j i¡! pq j i collisions [24] calling for a (possibly) unreasonable con- aX=0 aX=0 trol of the particles [9]. Fortunately, the Tofioli gate would compute f(a) in parallel an exponentially large may be constructed by two-particle scattering processes number of times for the various inputs a. This follows alone [22, 25{28]. In particular, we show a construction from the linearity of quantum mechanics. here involving the XOR gate and some one-bit gates U(cid:181) Toseehowsuchunitaryoperatorsmaybeconstructed (Fig. 8) [21]. Not only is the XOR su–cient for all logic from a few elementary ones we must also consider the operations on a quantum computer, but it can be used XOR gate [21, 22]. Writing the two-particle basis states to construct arbitrary unitary transformations on any fl- as the vectors nite set of bits. Numerous proposals for producing such gates have been considered [10, 11] and we discuss some 1 0 promising experimental results in the next section. 0 1 00 = ; 01 = ; j i 001 j i 001 jAi jAi 0 0 B C B C @0A @0A jBi U…=4 U…=4 U…¡=41 U…¡=41 jB'(A:C)i 0 0 10 = ; 11 = ; j i 011 j i 001 jCi jCi 0 1 B C B C @ A @ A we may represent the XOR gate as a unitary operator FIG. 8: Tofioli gate built from two-bit XOR gates plus some one-bitgates[9,21]. Thiscircuitintroducessomeextrasigns 1 0 0 0 intheunitarymatrixUXOR whichmayberemovedatalater U 0 1 0 0 : stage. XOR ·00 0 0 1 1 0 0 1 0 B C @ A Here the flrst particle acts as a conditional gate to (cid:176)ip 6. LOGIC GATES IN THE LABORATORY the state of the second particle. It is easy to check that thestateofthesecondparticlecorrespondstotheaction of the XOR gate given in Table I. The quantum circuit Inthissectionwebrie(cid:176)yreviewtworecentexperiments for an XOR gate is illustrated in Fig. 6. This circuit is whichdemonstrateconditionaldynamicsofatypewhich equivalent to the elementary instruction is promising for constructing quantum logic gates [2, 3]. These two results appeared back-to-back in the same is- if ( A = 1 ) B = NOT B sue of Physical Review Letters. j i j i j i 6 The flrst experiment, by Turchette et al [2], demon- However, there is another class of quantum logic pro- strated that the phase of a weak coherent optical fleld cessor which aims at communicating quantum informa- could be controlled by the intensity of a second coherent tion between various, possibly distantly, separated sub- fleld at a slightly difierent frequency. The chief result is systems. This might allow for the combining of smaller that such a high non-linear susceptibility was achieved quantum computers into larger ones operating on more that a large phase shift (up to 16–) was produced by a qubitsthroughcombination. Itislikelyalsotobeimpor- change in intensity corresponding to a single photon in tant for the area of quantum communication and poten- the second fleld. The coupling between the optical flelds tial technologies which few-bit quantum logic processors was obtained using the hyperflne level structure of ce- might enable. For such tasks the former scheme involv- sium. AstreamofCsatomswasdroppedthroughanop- ing ‘(cid:176)ying’ qubits appears a more likely direction. It is tical cavity which efiectively restrained the atomic decay possible that a mature quantum computation technol- modes to the cavity modes. This allowed the atoms to ogy would have components incorporating the positive strongly couple to the optical flelds passing through the aspects of both the above schemes. cavity with minimal incoherent emission into free space. Since coherent instead of single-photon states were used in this experiement, however, there could be no direct 7. MODEL QUANTUM COMPUTER AND demonstrationofthecoherenceretainedintheflnalstate QUANTUM CODE oftheopticalflelds. Inthisschemeaqubitwouldneedto be represented by single photon states rather than weak Inthissectionwedescribeasimple abstractmodel for coherent states, but that does not appear to be a great a quantum computer based on a classical computer in- di–culty. structing a machine to manipulate a set of spins. This The second experiment by Monroe et al [3] involved a model has some intrinsic limitations which make design- directdemonstrationofanXORgateinaradio-frequency ing algorithms in a high-level language somewhat tricky. ion trap (also known as a Paul trap). Here the lowest We discuss some of the rules for writing such quantum vibrationalexcitationofasingle9Be+ ioninthetrapand computer code as a high-level language and give an ex- its hyperflne state represented the two qubits. A pair of ample. ofi-resonant laser beams were used to drive stimulated Consider the following model for the operation of a Raman transitions between the basis states of these two quantum computer: Several thousand spin-1 particles 2 qubits. The XOR gate was executed using three laser (or two-level systems) are initially in some well deflned pulses as had been suggested by Cirac and Zoller [29]. state, such as spin-down. A classical machine takes sin- The coherence of the qubits in this system was reported glespinsorpairsofspinsandentanglesthem(performing to have survived for around to 10 to 20 XOR operations an elementary one-bit operation U or the two-bit XOR (cid:181) [30]. gate); see Fig. 9a, b and c. These stages are repeated This single-ion trap experiment was based on a the- on difierent pairs of spins according to the instructions oretical proposal for a complete quantum computer by of a conventional computer program. Since the spins are Cirac and Zoller [31]. They suggested using a linear entangled, we must not look at the spins at intermediate ion trap to hold a set of ions in a well localized man- stages: We must keep the quantum superposition intact. nerbymutualelectrostaticrepulsion. Eachionwouldbe Furthermore, nothing else may interfere with the spins ‘addressed’ separately their own lasers. By tuning the which could destroy their orientation or interrupt their lasers shining on individual ions to the approriate lev- unitary evolution. Once this well-deflned cycle of ma- els either single-qubit operations could be performed or nipulation is complete the orientations of the spins are the internal ionic state could be transferred to that of measured (Fig. 9d). This set of measured orientations is the lowest two vibrational modes of the trap. In this the output of the computation. way two-qubit gates could be simulated between even Given this paradigm for a quantum computer, what non-contiguous ions via their interactions with the traps might its high-level language (its computer code) look vibrational modes. This ability signiflcantly reduces the like? The most serious di–culty that must be dealt with complexty of elementary operations over other proposals is that the quantum information is manipulated by a [32]. The fact that this theoretical proposal was imple- conventional computer in a completely blind manner| mented within a few months, though in a slightly mod- withoutanyaccesstothevaluesofthisquantuminforma- ifled form, suggests that few qubit processors could be- tion. Thismeansthattheprogramcannotutilize\short- comearealitywithinarelativelyshortperiodoftime. In cuts" conditional on the value of a quantum variable (or section13belowwewilldiscusstheshorttermprospects register or bit). For example, loops must be iterated for such machines. through exactly the same number of times independent In quantum computation we normally aim at hav- of the values of the quantum variables. Similarly, con- ing the qubits maximally couple to eachother and min- ditional branches around large pieces of code must be imally to the outside world. This lessens the actions of broken down into repeated conditions for each step. In environment-induced decohernce. From this perspective addition, each instruction performed upon the quantum thelatterschemeinvolvingion-trapsappearsmoreideal. bits must be logically reversible. Thus, ordinary assign- 7 " # " " # # code is not reversible (neither is it very e–cient), e.g., the label 10 gives no speciflcation of which routes might be used to get to it. It can, however, be easily rewritten a) [23]. 8. QUANTUM PARALLELISM: PERIOD OF A SEQUENCE " " # # We now have su–cient ingredients to understand how b) a quantum computer can perform logical operations and # " compute just like an ordinary computer. In this section we describe an algorithm which makes use of the quan- tum parallelism that we have hinted at already: flnding the period of a long sequence. " " " # Consider the sequence c) f(0); f(1); :::; f(q 1); ¡ whereq 2k;weshallusequantumparallelismtoflndits · " # " # # # period. We start with a set of initially spin-down parti- d) cleswhichwegroupintotwosets(twoquantumregisters, or quantum variables): 0;0 = ; ; ::: ; ; ; ::: ; FIG. 9: Model quantum computer as pictured by Shor [33]. j i j# # # # i Initially all particles are spin-down. Stage a) a classical ma- the flrst set having k bits; the next having su–cient for chinetakesasingleorpairofspinsandinstageb)itperforms our needs. (In fact other registers are required, but by aselectedone-bitortwo-bitoperation;instagec)the\entan- applying Bennett’s solution to space management they gled"particlesarereturnedtotheiroriginallocations. These maybesuppressedinourdiscussionhere.) Oneachbitof three stages are repeated many times in accord with the in- theflrstregisterweperformtheU one-bitoperation, structionsgivenbyanordinaryclassicalcomputer. Whenthis ¡…=2 yielding a superposition of every possible bit-string of cycle is complete stage d) consists of measuring the state of theparticles(leavingtheminsomeparticularbit-string);this length k in this register: bit-string is the result of the computation. q¡1 1 a; 0 : ¡! pq j i ments of a value to a variable, such as a = n, are not a=0 X j i legalandmustinsteadbeperformedasincrementsonan The next stage is to break down the computation, corre- initially zeroed variable, such as a = a + n. j i j i sponding to the function f(a), into a set of one-bit and An example of such code that could run on this ma- two-bit unitary operations. The sequence of operations chine might look like this [23]: is designed to map the state a;0 to the state a;f(a) j i j i do 10 k = 1, worstdiv for any input a. Now we see that the number of bits re- a = a - n quired for this second register must be at least su–cient ijfi ( jai >= 0 ) q = q + 1 to store the longest result f(a) for any of these compu- 10 continjuie j i j i tations. When, however, this sequence of operations is do 20 k = 1, worstdiv applied to our exponentially large superposition, instead if ( k > q ) a = a + n of the single input, we obtain j i j i j i 20 continue q¡1 1 This code fragment could be used to calculate the quo- a; f(a) : ¡! pq j i tient and the remainder, placed in q and a , respec- a=0 X j i j i tively,forthedivisionof a byn; theconstantworstdiv j i An exponentially large amount of computation has been is the worst-case number of times the loop must be tra- performed essentially for free. versed. Here q is initially zero. Each instruction here j i The flnal computational step, like the flrst, is again is either a conventional computer instruction or one in- a purely quantum mechanical one. Consider a discrete volving some quantum variables. The former are direct \quantum" Fourier transform on the flrst register instructions for the external computer, while the latter must be interpreted as a sequence of manipulations to q¡1 1 be performed upon the quantum bits. As it stands, this a e2…iac=q c : j i¡! pq j i c=0 X 8 It is easy to see that this is reversible via the inverse prob(c) transform and indeed it is readily verifled to be unitary. Further, an e–cient way to compute this transform with one-bit and two-bit gates has been described by Copper- smith (Fig. 10) [11, 34, 35]. ak¡1 U…=2 j i jak¡2i X1 U…=2 0 1=r 2=r 3=r c=q ak¡3 X2 X1 U…=2 j i FIG. 11: Idealized plot of the probability of each result prob(c) versus c=q. Constructive interference produces nar- row peaks at multiples of the inverse period of the sequence 1=r. (The discrete approximation means that the peaks will actually peaks have a non-zero width [37].) 1 0 0 0 0 1 0 0 = 0 0 1 0 Xn ˆ 0 0 0 e2…i=2!n computer to flnd the period of a sequence. The point is, however, that the sequence is calculated in parallel and is exponentially long|even for a small value of say k = 270 bits in the flrst register the quantum computer FIG. 10: Circuit for the quantum Fourier transform of the variablejak¡1:::a1a0iusingCoppersmith’sfastFouriertrans- has calculated and stored more results than there are formation approach [11, 34, 35]. The two-bit \X " gate may particles in the universe. n itselfbedecomposedintovariousone-bitandXORgates[21]. This algorithm for flnding the period of an exponen- tially long sequence on a quantum computer lies at the WhenthisquantumFouriertransformisappliedtoour heartofe–cientlyfactoringnumbers. Weflrstproceedto superposition, we obtain review the computational di–culty of factoring for con- ventional computers. Then we shall discuss the implica- q¡1q¡1 tions this computational di–culty has had for the secure 1 e2…iac=q c; f(a) : transmission of private information via public key cryp- ¡! q j i a=0c=0 tosystems. We will then follow these discussions with XX Shor’s new result for e–cient factoring [1]. The computation is now complete and we retrieve the output from the quantum computer by measuring the state of all spins in the flrst register (the flrst k bits). 9. THE COMPLEXITY OF FACTORING Indeed, once the Fourier transform has been performed the second register may even be discarded [36]. Howcanwequantifythedi–cultyofsolvingaproblem What will the output look like? Suppose f(a) has pe- withaconventionalcomputer? Surelyoncethecomputer riod r so f(a+r)=f(a). The sum over a will yield con- program is written and debugged we may simply let it structive interference from the coe–cients e2…iac=q only run and wait for the answer. But this brings us to the when c=q is a multiple of the reciprocal period 1=r [37]. cruxofthedi–culty: Foragivenproblemhowlongmust All other values of c=q will produce destructive interfer- we expect to wait for the solution? When more carefully ence to a greater or lesser extent. Thus, the probability phrased this becomes the simplest measure of computa- distributionforflndingtheflrstregisterwithvariousval- tionaldi–cultyofanalgorithm,yieldingthe‘algorithmic ues is shown schematically by Fig. 11. complexity’ of the problem. One complete run of the quantum computer yields a Tobemorespeciflc,withoutgettingintotechnicalities, random value of c=q underneath one of the peaks in the letusconsidertheproblemoffactoringanumberN into probability of each result prob(c). That is, we obtain a its prime factors (e.g., the number 51688 may be decom- randommultipleoftheinverseperiod. Toextractthepe- posed as 23 7 13 71). A convenient way to quantify rioditselfweneedonlyrepeatthisquantumcomputation £ £ £ howquicklyaparticularalgorithmmaysolvethis,orany, roughlyloglogr=ktimesinordertohaveahighprobabil- problem is to ask how the number of steps to complete ityforatleastoneofthemultiplestoberelativelyprime thealgorithmscaleswiththesizeofthe\input"thealgo- to the period r|uniquely determining it [1]. Thus, this rithmisfed. Forthefactoringproblem, thisinputisjust algorithm yields only a probabilistic result. Fortunately, the number N we wish to factor; hence the length of the we can make this probability as high as we like. input is logN. (The base of the logarithm is determined All the above work may appear a little anti-climactic. We have gone to a lot of trouble to design a quantum 9 by our numbering system. Thus a base of 2 gives the message itself [42]. Such a perfect cipher was invented length in binary; a base of 10 in decimal. For example, in 1917, and is known as the Vernam cipher or one-time thenumber51688requires16binarydigits, butonlyflve pad; it requires a key equal in size to the plaintext mes- decimal digits to specify it.) ‘Reasonable’ algorithms are sage. Thus, for perfect security we have the problem of ones which scale as some small-degree polynomial in the distributing the key itself, which must be done over a inputsize(with adegreeofperhaps2or3). Onefamous secure channel such as by trusted courier. In many sit- example of a fast algorithm is the Fast Fourier Trans- uations, such as banking transactions where the volume form which requires roughly O(Mlog M) steps to per- of information is very large, this is unreasonable. 2 formthediscreteFouriertransformofM points(sofora An understanding of computational complexity allows flxedprecisiontheinputscalesasM);bycontrast,acon- usto‘circumvent’therestrictionofShannon’stheory: A ceptually simpler algorithm equivalent to matrix multi- pseudorandom number generator can be used to gener- plication would require O(M2) computational steps [38]. atealongalmostrandomkeyfromamuchsmallersecret This modest improvement from a quadratic to a roughly key. If the lack of randomness cannot be discovered ex- linear complexity has made many image processing ap- cept through an unreasonable amount of computational plications possible with even quite modest computers. efiortbytheeavesdropperthenwehaveasecureencryp- On conventional computers the best known factoring tion system. An excellecent example of such a scheme is algorithm runs in O exp[(64=9)1=3(lnN)1=3(lnlnN)2=3] the U.S. Data Encryption Standard (DES) which uses a steps [39]. This algorithm, therefore, scales exponen- 56 bit key[43]. Oneestimate ofthe securityof DESsug- ¡¡¡ ¢¢¢ tially with the input size logN. For instance, in 1994 gests that for around a million dollars a special purpose a 129 digit number (known as RSA129 [40]) was suc- machine could be built to try all 256 keys in a few hours, cessfully factored using this algorithm on approximately though security can be easily enhanced by multiple ap- 1600 workstations scattered around the world; the en- plication and a larger efiective key [44]. Clearly short tire factorization took eight months [41]. Using this to keys reduce the burden of key distribution amongst sin- estimate the prefactor of the above exponential scaling, glepairsofusers,butfornusersn(n 1)=2keyswouldbe ¡ we flnd that it would take roughly 800,000 years to fac- requiredtoallowanypairtocommunicatesecurely. This tor a 250 digit number with the same computer power; becomesunwieldyforcommercialapplicationswheremil- similarly, a 1000 digit number would require 1025 years lions of users may be involved. (signiflcantly longer than the age of the universe). This Another approach, also based on computational com- di–culty is, however, almost certainly exaggerated since plexity, is known as public key encryption. The most it takes no account of the constant improvement in fac- popular scheme, and one used in many comercial appli- toring algorithms and the constant speedup of computer cations, is RSA encryption [40]. A person wishing to hardware. In fact, both of these components have shown receive secret communications simply publishes a pair of amoreorlessexponentialimprovementoverthelastfew numbers (N; e) which form the public key. Encryption decades [39], with each contributing roughly equally to involves converting the message to numerical data and theincreasedcomputationalpower. Thedi–cultyoffac- dividing it into blocks of numbers m each smaller than j toring large numbers is crucial for public-key cryptosys- N. Each block m of the message is then encrypted by j tems,suchasonesusedbybanks. There,suchcodesrely its modular exponentiation on the di–culty of factoring numbers with around 250 digits. cj ·mej (mod N); where mod N represents modulo arithmatic (the expres- 10. SECURITY AND RSA sioniscomputedandonlytheremainderafterdivisionby N is retained). The encrypted blocks c are then trans- j mitted to the receiver via a public channel. Thus, RSA Cryptography as a discipline aims at minimizing the (and any other public key scheme) e–ciently solves the afiect of the dishonest. One such situation is the need key distribution problem. for secure communication between two parties across an Decryptionbythereceiverrequiresknowingtheinverse insecure channel. The sender encrypts a plaintext mes- operation, i.e., knowing the d such that sagewithanencryptionkeyyieldingthecyphertext. The message is sent across an insecure media where we must m cd (mod N); assume an eavesdropper may have access. The receiver j · j takes the cyphertext and uses a decryption algorithm to reconstructs the original message. The size of N makes restoretheplaintext. Ifweassumethattheeavesdropper the direct determination of d too di–cult. Instead, d has access to the decryption algorithm then the receiver is constructed along with the public key pair (N; e) in musthavesomethinginadditiontoensurethesecurityof an e–cient manner. This construction involves choosing the transmitted message; this is the decryption key. Ac- N = pq as the product of a pair of comparably sized cording to Shannon’s information theory the cyphertext primes, with e relatively prime to both p 1 and q 1, must contain some information about the plaintext mes- ¡ ¡ and solving the much simpler problem: sage unless the decyption key is at least as long as the ed 1 (mod p 1) · ¡ ed 1 (mod q 1): · ¡ 10 It is important to note that the best algorithms for flnd- This simply says that the product of the two terms on ing d proceed by flrst factoring N, thus the security of the left is a multiple of the number N we wish to factor. RSA relies on the assumed di–culty of factoring [45]. Thus, either one or the other of these terms must have a factor in common with N. The flnal step in the algo- rithm then is to calculate the greatest common divisor 11. SHOR’S RESULT: FACTORING NUMBERS of these terms individually with N (see the appendix for an e–cient classical algorithm); any non-trivial common Recently, an algorithm was developed by Peter Shor divisor will be a factor we have sought, thus completing of AT&T for factoring numbers on a quantum computer our search. which runs in O (logN)3 steps [1, 46]. This is cubic As an example, consider the number N = 91. Choos- in the input size, so factoring a 250 digit number with ing x=3 we flnd that the sequence 3a(mod91) has the such an algorithm¡¡¡would re¢¢¢quire only a few billion steps. form: The implication is that public key cryptosystems based a: 0; 1; 2; 3; 4; 5; 6; 7; ::: on factoring may be breakable. In this section we give 3a : 1; 3; 9; 27; 81; 243; 729; 2187; ::: the classical portion of Shor’s algorithm which relates 3a(mod91): 1; 3; 9; 27; 81; 61; 1; 3; ::: : factoring to flnding the period of an exponentially long sequence and hence makes the problem tractable for a A quantum computer could calculate the period in par- quantum computer. allel, however, it is su–cient here to see by eye that this We wish to factor the number N. It will be su–cient sequence has a period of r = 6 (since it is even we may to flnd even a single factor since then we can reduce proceed with the algorithm). Rearranging the expres- the problem to a simpler one. First, select a number sion36 1(mod91)asdiscussedaboveweconcludethat x. Euclid’s algorithm (see appendix) could be used to · 28 26 0(mod91). Thisimpliesthateithergcd(28;91) e–ciently compute the common factors between N and £ · orgcd(26;91)willbeanon-trivialfactorof91(wheregcd x, hence reducing our problem. We, therefore, assume is the greatest common divisor function). In fact, in this that these numbers are co-prime. Next, consider the se- case, both terms yield a difierent factor, 7 and 13, re- quence formed by the function f(a)=xa(modN). This spectively. This completes the prime factorization of 91 sequence has the form: yielding: 91=7 13. £ 1; x; :::; xr¡1; xr;xr+1; ::: 1; x; :::;xr¡1; 1; x; :::; 1; x; ::: 12. QUANTUM ERROR CORRECTION r¡terms r¡terms r¡terms Buildingaquantumcomputerisadauntingtask. Even He|re the to{zp row is}ju|st the{szequenc}e o|f pow{zers x}a ; f g within apparently small atomic-scale systems, quantum the bottom row is the same sequence written in modulo computation runs on the enormous size of Hilbert space. arithmetic, namely xa(modN) . The number r is just f g Quantum computation involves building a trajectory theflrstnon-trivialpowerwherexr 1(modN). Aclose · from a standard initial state to a complex flnal state. look at this sequence shows that it has a periodic struc- The main di–culty is keeping to this trajectory. To fail turewithperiodr. Usingstandardalgorithmsthisperiod is to be lost in Hilbert space. The largest problem is wouldnotbereadilyaccessibleforalongsequence. How- hypersensitivity to perturbations, shifting the computa- ever,withthequantumcomputeralgorithmdescribedin tional trajectory randomly from its path. Such pertur- section 8 it could be calculated e–ciently. This possibil- bations come from an unintentional coupling to external ity opens up a novel way to flnd the factors of N as we noise [48]. In this section we brie(cid:176)y touch on quantum shall now describe. errorcorrectionandfaulttolerantcomputing,bothintro- Let us suppose that we have obtained the period r duced by Shor [5, 49], which promise to greatly alleviate by the above quantum computer algorithm [47]. If this the problem associated with unwanted perturbations. period is even we may proceed with our factoring algo- Instraightquantumerrorcorrectionthestateofafrag- rithm. If not, we must select another x and start again. ile quantum system is encoded into a quantum system A randomly chosen x will yield a suitably even period r having more degrees of freedom. By choosing the map- flfty-percent of the time so not too many trials will be pingtoasuitablesubspaceofthelargersystemalimited needed [1, 10]. class of errors which occur on this larger space may be We now proceed with the algorithm: Having chosen completelyremoved. InFig.12weseeacircuitforShor’s an x so that the sequence xa(modN) has an even pe- f g original scheme. [Since then much work has been done riod r, we rewrite the expression xr 1(modN) as the · in the last year [50{55] (to cite just a few)]. The un- difierence of two squares: protected single qubit ˆ is processed by the left half of j i the circuit shown in Fig. 12 until just before the shaded (xr=2)2 1 0(modN): ¡ · region. The resulting combined 9-qubit state represents the now error protected encoded state. Any single qubit Expressingtheleft-hand-sideasaproductbetweenasum error(representedbytheshadedregion) onthisencoded and difierence we obtain (xr=2+1)(xr=2 1) 0(modN): ¡ ·

ebook img

Quantum computation PDF

14 Pages·0.229 MB·English
by  Braunstein Samuel L.
#Physics #Quantum Physics
Save to my drive
Quick download
Download
Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Quantum computation

Quantum computation Samuel L. Braunstein Computer Science, University of York, York YO10 5DD, UK Introduction question of how well classical computers can simulate 1. Computing at the atomic scale quantumsystems. Heconcludedthatclassicalcomputers 2. Reversible computation invariablysufierfromanexponentialslow-downintrying tosimulatequantumsystems,butthatquantumsystems 3. Classical universal machines and logic gates could,inprinciple,simulateeachotherwithoutthisslow- 3.1. FANOUT and ERASE down. It was Deutsch [8], however, who flrst suggested 3.2. Computation without ERASE thatquantumsuperpositionmightallowquantumevolu- 4. Elementary quantum notation tion to perform many classical computations in parallel. 5. Logic gates for quantum bits To demonstrate where such capabilities may lie hid- 6. Logic gates in the laboratory den, we review an elementary quantum mechanical ex- 7. Model quantum computer and quantum code periment [9]. The two-slit experiment is prototypic for 8. Quantum parallelism: Period of a sequence observing one key feature of quantum mechanicals: A 9. The complexity of factoring source emits photons, electrons or other particles that 10. Security and RSA arrive at a pair of slits. These particles undergo unitary evolution and flnally measurement. We see an interfer- 11. Shor’s result: Factoring numbers ence pattern, with both slits open, which wholely van- 12. Quantum error correction ishesifeitherslitiscovered. Insomesense, eachparticle 13. Prospects passesthroughbothslitsinparallel. Ifsuchunitaryevo- 14. Glossary lution were to represent a calculation (or an operation Appendix withinacalculation) thenthequantum systemwouldbe Works cited performing computations in parallel. In some sense this quantum parallelism comes for free without our having to construct many copies of the ‘processing unit.’ The INTRODUCTION outputofthissystemwouldbegivenbytheconstructive interference among the parallel computations. A quantum computer is a device that can arbitrarily In this paper we give a tutorial on how quantum me- manipulate the quantum state of a part of itself. The chanics can be used to improve computation. We shall fleld of quantum computation is largely a body of the- concentrate on the only known algorithm which demon- oretical promises for some impressively fast algorithms stratesanexponentialspeeduprelativetothebestknown which could be executed on quantum computers. How- classical algorithms. Our challenge: solving an exponen- ever,sincetheflrstsigniflcantalgorithmwasproposedin tiallydi–cultproblemforaconventionalcomputer|that 1994 [1] experimental progress has been rapid with sev- of factoring a large number. As a prelude, we review the eral schemes yielding two [2, 3] and three quantum-bit standard tools of computation, universal gates and ma- manipulations [4]. At the writing of this article it does chines. Theseideasarethenappliedflrsttoclassical,dis- not seem unreasonable to expect that small quantum sipationless computers and then to quantum computers. computers capable of manipulating the quantum states A schematic model of a quantum computer is described of flve or six two-level systems will be available within aswellassomeofthesubtletiesinitsprogramming. The around flve years. In addition, with the discovery of Shor algorithm [1, 10] for e–ciently factoring numbers quantumerrorcorrectionschemes[5]suchmachineshave on a quantum computer is presented in two parts: the the promise of providing long term storage of quantum quantum procedure within the algorithm and the clas- information and possibly allowing the ability to manipi- sical algorithm that calls the quantum procedure. The late many more bits. It is still too early to tell whether mathematical structure within the factoring problem is the promises of rapid computation are achievable, nor discussed, making it clear what contribution the quan- is it yet well understood how broad a class of problems tum computer makes to the calculation. The complexity couldbesigniflcantlyspeededupbyquantumcomputers. of the Shor algorithm is compared to that of factoring QuantumcomputerswereflrstdiscussedbyBeniofi[6] on conventional machines and its relevance to public key in the context of simulating classical Turing machines cryptography is noted. In addition, we discuss the ex- (veryelementaryconventionalcomputers)withquantum perimental status of the fleld and also quantum error unitary evolution. Feynman [7] considered the converse correctionwhichmayinthelongrunhelpsolvesomethe 2 most pressing di–culties. We conclude with an outlook 2. REVERSIBLE COMPUTATION tothefeasibilityandprospectsforquantumcomputation in the coming years. What are the di–culties in trying to build a classical computing machine on such a small scale? One of the biggest problems with the program ofminiaturizing con- 1. COMPUTING AT THE ATOMIC SCALE ventional computers is the di–culty of dissipated heat. As early as 1961 Landauer studied the physical limita- Quantumcomputerswillperformcomputationsatthe tions placed on computation from dissipation [13]. Sur- atomic scale [9, 11]. We might ask at this point how prisingly, he was able to show that all but one opera- closeconventionalcomputationsaretothisscalealready? tion required in computation could be performed in a Fig. 1 shows a survey made by Keyes in 1988 [12]: The reversible manner, thus dissipating no heat! The flrst numberofdopantimpuritiesinthebasesofbipolartran- condition for any deterministic device to be reversible is sistors used for digital logic against the year. This plot that its input and output be uniquely retrievable from may be thought of as showing the number of electrons each other. This is called logical reversibility. If, in ad- required to store a single bit of information. An ex- dition to being logically reversible, a device can actually trapolation of the plot suggests that we might be within run backwards then it is called physically reversible and reach of the atomic-scale computations within the next thesecondlawofthermodynamicsguaranteesthatitdis- two decades. sipates no heat. The work on classical, reversible computation laid the 12 10 foundation for the development of quantum mechanical computers. On a quantum computer, programs are exe- 10 10 cuted by unitary evolution of an input that is given by s e thestateofthesystem. SinceallunitaryoperatorsU are uriti 108 invertible with U¡1 = Uy, we can always \uncompute" p m (reverse) a computation on a quantum computer. ofi 106 r e mb 104 3. CLASSICAL UNIVERSAL MACHINES AND u LOGIC GATES N 2 10 We now review the basic logic elements used in com- 1 putation and explain how conventional computers may 1950 1970 1990 2010 beusedforany\reasonable"computation. Areasonable Year computationisonethatmaybewrittenintermsofsome (possiblylarge)Booleanexpression,andanyBooleanex- pression may be constructed out of a flxed set of logic FIG. 1: Plot from Ref. [12] showing the number of dopant gates. Such a set (e.g., AND, OR and NOT) is called impurities involved in logic in bipolar transistors with year. universal. In fact we can get by with only two gates, (Copyright 1988 by International Business Machines Corpo- such as AND and NOT or OR and NOT. Alternatively, ration, reprinted with permission.) we may replace some of these primitive gates by others, suchastheexclusive-OR(calledXORoroftencontrolled- NOT); then AND and XOR form a universal set. The Anotherwayofviewingthisplotisperhapsevenmore truthtablesforthesegatesaredisplayedinTableI. Any relevant for the development of quantum computation: machine which can build up arbitrary combinations of Conventional computers have been improving in speed logic gates from a universal set is then a universal com- and miniaturization at an exponential rate since their puter. Further, which universal set of gates is chosen earliest days. Clearly there is a bound to our ability makes little difierence: A theorem by Muller states that to miniaturize conventional electronics and we will likely the complexity of the simplest circuits needed to com- betouchingthatlimitwithinthenexttwentyyears. The pute any reasonable Boolean function is afiected by at questionisraised,canwecontinuetoexpecttoseeanex- most a constant multiplicative factor [14]. ponential improvement in performance twenty and more Which of the above gates is reversible? Since AND, years from now? As we approach some of the physi- OR,andXORaremany-to-oneoperationsinformationis callimitstoconventionalcomputationalconstructionwe lost and they are not, as they stand, logically reversible. may begin to see a slow-down of this exponential rate. Before we discuss how these logic gates may be made A detailed study of quantum computation may help us reversible we consider some non-standard gates that we understand the fundamental physical limitations upon shall require. computation, conventional or otherwise. 3 A B AND OR XOR NOTB 0 0 0 0 0 1 0 1 0 1 1 0 1 0 0 1 1 1 1 1 1 1 0 0 TABLE I: Truth table deflning the operation of some simple logicgates. EachrowshowstwoinputvaluesAandBandthe corresponding output values for gates AND, OR and XOR. The output for the NOT gate is shown only for input B. 3.1. FANOUT and ERASE Although the above gates are su–cient for the mathe- maticsoflogic,theyarenotsu–cienttobuildamachine. A useful computer will also require the FANOUT and ERASE gates (Fig. 2). A FIG.3: Areversiblemeasurementoftheexistenceofa(light) A A ball in a trap of mirrors (dark rectangles) [15]. A (dark) ball A enters the trap from Y. In the absence of a light ball in the trap the dark ball will follow the path HN. In presence of a light ball (timed to start at X) the dark ball will de(cid:176)ect (a) FANOUT (b) ERASE the light one from its unhindered trajectory ABCDEF to ABGDEF andwillfollowthepathHIJKLM itself. (Copy- right 1988 by International Business Machines Corporation, FIG. 2: Two non-standard gates that are required to build reprinted with permission.) a computer, in addition to a universal set of logic gates, are: (a) the FANOUT gate which duplicates an input A and (b) the ERASE gate which deletes its input. temperature T, to its original size, we could obtain an amount of work equal to k T ln2 (where k is Boltz- B B FirstconsidertheFANOUTgate: Isitreversible? Cer- mann’s constant). Landauer concluded, based on simple tainly no information has been destroyed so it is at least models and more general arguments about the compres- logically reversible. Landauer showed that it could also sion of phase-space, that the erasure of a bit of informa- be physically reversible [13]. Let us describe a simple tion attemperature T requiresthedissipation ofat least model for FANOUT based on Bennett’s scheme for a re- k T ln2 heat (a result known as Landauer’s principle) B versible measurement (Fig. 3) [15] (We note, however, [13]. that the concepts involved in this scheme come from Fredkin and Tofioli [16, 17].) Here a dark ball is used to determine the presence or absence of a second (light) 3.2. Computation without ERASE ball inside a trap. The trap consists of a set of mirrors and may be thought of as a one-bit memory register. If Fortunately, the primitive ERASE is not absolutely the trap is occupied then the dark ball is re(cid:176)ected and essential in computation. To see why, consider what is leaves along direction M (with the light ball continuing required to compute arbitrary functions using reversible along its original trajectory); otherwise it passes unhin- logic (where the primitive ERASE is forbidden). Lan- dered towards N. Upon leaving the trap, the dark ball’s dauer showed how any function f(a) could be made one- direction is used to populate, or not, another trap. to-one by keeping a copy of the input: Let us now consider the ERASE operation, required to \clean out" the computer’s memory periodically. One f :a a;f(a) : ! type of erasure can be performed reversibly: If we have a backup copy of some information, we can erase further Here the bold parentheses¡¡¡represe¢¢¢nt an ordered set of copiesbyuncomputingtheFANOUTgate. Thedi–culty values, in this case, two. Extra \slots" will be added (or arises when we wish to erase our last copy, referred to removed) as required in our discussion below. here as the primitive ERASE. Howcanthistrickbeusedtoperformreversiblelogic? Consider a single bit represented by a pair of equally One solution, developed by Tofioli and Fredkin and probableclassicalstatesofsomeparticle. Toerasethein- known as the Tofioli gate, is shown in Fig. 4 [13, 16, 17]. formation about the particle’s state we must irreversibly The output of this gate may be decomposed into various compress phase-space by a factor of two. If we allowed this compressed phase-space to adiabatically expand, at 4 gates: 4. ELEMENTARY QUANTUM NOTATION A:C; for B =0 (AND) A simple quantum system is the two-level spin-1 par- A B; for C =1 (XOR) 2 B (A:C)=8 ' ticle. Its basis states, spin-down and spin-up , ' >><AA;; ffoorr BB ==CC ==11 (FA(NNOOTU)T) may be relabelled to represent binjar#yizero and one,ji".ei., 0 and 1 , respectively. The state of a single such par- 6 j i j i whereA:B rep>>:resentsanANDgate, A B representsan ticle is described by the wavefunction ˆ = fij0i+flj1i, ' i.e., a linear superposition amongst any of the possible XORgateandArepresentsaNOTgate. Weseethatthis ‘classical’ states of the system. The squares of the com- gate is universal, because it performs AND, XOR, NOT plex coe–cients fi2 and fl 2 represent the probabilities or FANOUT depending on its inputs. A combination of j j j j forflndingtheparticleinthecorrespondingstates. Gen- manysuchgatescouldthenbeusedforanycomputation eralizing this to a set of k spin-1 particles we flnd that and would still be reversible. 2 there are now 2k basis states (quantum mechanical vec- tors that span a Hilbert space) corresponding say to the A A 2kpossiblebit-stringsoflengthk. Freelymovingbetween decimal, binary and spin labels then we might write, for B B (A:C) example for k =5, a state 25 = 11001 = . ' j i j i j""##"i The dimensionality of the Hilbert space grows expo- C C nentially with k. In some very real sense quantum com- putations make use of this enormous size latent in even the smallest systems. FIG. 4: Three-input three-output universal reversible Tofioli gate. Thisgateisclearlyreversiblesinceasecondapplication 5. LOGIC GATES FOR QUANTUM BITS of it retrieves the original input. In this section we describe how arbitrary logic gates As noted by Landauer, this procedure leads to an im- may be constructed for quantum bits. We start by con- mediate problem because of the absence of the primitive sidering various one-bit unitary operations and a single ERASE.Themoregatesweemploy,themore\junk"bits two-bitone|theXORoperation. Combinationsofthese we accumulate: At each gate we must save input bits in aresu–cienttoconstructaTofioligateforquantumbits ordertopreservereversibility. Inotherwordsacomputer or indeed any unitary operation on a flnite number of built out of reversible logic instead of conventional, irre- bits. versible logic gates would behave like Start with a single quantum bit. If we represent the states and (i.e., 0 and 1 )asthevectors(1)and f :a a;j(a);f(a) ; j#i j"i j i j i 0 ! (0), respectively, thenthemostgeneralunitarytransfor- 1 with many extra junk bit¡¡¡s j(a). ¢¢¢ mation corresponds to a 2 2 matrix of the form £ Bennett solved this problem by showing that the junk bitscouldbereversibly erasedatintermediatestepswith ei(–+(cid:190)=2+¿=2)cos((cid:181)=2) ei(–+(cid:190)=2¡¿=2)sin((cid:181)=2) U ; minimal run-time and memory costs [18{20]. The spirit (cid:181) · ei(–¡(cid:190)=2+¿=2)sin((cid:181)=2) ei(–¡(cid:190)=2¡¿=2)cos((cid:181)=2) (cid:181)¡ ¶ of Bennett’s solution may be understood in terms of the following procedure: where we typically take – = (cid:190) = ¿ = 0 [21]. Using this operator we can (cid:176)ip bits via: f :a a;j(a);f(a) ! U 0 = 1 ; and U 1 = 0 : FANOUT: a;j(a);f(a) a;j(a);f(a);f(a) …j i ¡j i …j i j i ! ¡¡¡ ¢¢¢ fy : a;j(a);f(a);f(a) a;f(a) ; ¡¡¡ ¢¢¢ ! ¡¡¡ ¢¢¢ The extraneous sign represents a phase factor that does where f¡¡¡y denotes uncomp¢¢¢uting f¡¡¡, as op¢¢¢posed to com- not afiect the logical operation of the gates and may be removedifwewish,noworatalaterstage. Suchone-bit puting f¡1. First, f is computed, producing both junk computations areillustratedschematically asaquantum bits and the desired output. Then the FANOUT gate is circuit in Fig. 5 [21, 22]. applied to duplicate the output. Finally, we uncompute Another important one-bit gate is U which maps the original function f byrunning its computation back- ¡…=2 a spin-down particle wards. This procedure removes the junk bits and the original output. The duplicate, however, remains! 1 U 0 = (0 + 1 ); This completes our discussion of the construction of ¡…=2j i p2 j i j i classical, reversible computers. We have found that re- versibility does not bar the logical design of computing to an equal superposition of down and up. Consider a machines. Before mapping these ideas to quantum sys- string of k spin-1 particles initially spin-down. If we 2 tems, however, we introduce some elementary quantum mechanical notation. 5 which may be thought of as example of quantum com- A U U A (cid:181) (cid:181) puter code [23]. The ket-brackets are reminders that j i j i j i we are dealing with quantum rather than classical bits. The XOR gate allows us to move information around as is illustrated in Fig. 7. FIG. 5: Schematic ofthe quantum circuit diagramfora one- bit gate. The line represents a single quantum bit (such as a spin-1 particle). Initially, this bit has a state described by A A 2 j i j i jAi;afterithas\passed"throughthiscircuititcomesoutin the state U(cid:181)jAi. B A B j i j ' i apply this gate independently to each particle we obtain FIG. 6: Quantum circuit diagram for an XOR gate. The a superposition of every possible bit-string of length k: lower bit jBi is (cid:176)ipped whenever the upper bit jAi is set. q¡1 1 0 a ; A B j i¡! pq j i a=0 j i j i X B A where q = 2k. Our computer is now in a superposition j i j i of an exponentially large number of integers a from 0 to 2k 1. Suppose further, that we could construct a FIG. 7: Circuit for swapping a pair of bits. ¡ unitary operation which maps a pair of bit-strings a;0 j i into the pair a;f(a) for some function f(a). Then such How do we construct the Tofioli gate? One major j i a unitary operator acting on the superposition of states problem with this gate is that it requires three bits in andthreeout. Quantummechanically,thisseemstocor- q¡1 q¡1 1 1 respond to a scattering process involving three-particle a;0 a;f(a) ; pq j i¡! pq j i collisions [24] calling for a (possibly) unreasonable con- aX=0 aX=0 trol of the particles [9]. Fortunately, the Tofioli gate would compute f(a) in parallel an exponentially large may be constructed by two-particle scattering processes number of times for the various inputs a. This follows alone [22, 25{28]. In particular, we show a construction from the linearity of quantum mechanics. here involving the XOR gate and some one-bit gates U(cid:181) Toseehowsuchunitaryoperatorsmaybeconstructed (Fig. 8) [21]. Not only is the XOR su–cient for all logic from a few elementary ones we must also consider the operations on a quantum computer, but it can be used XOR gate [21, 22]. Writing the two-particle basis states to construct arbitrary unitary transformations on any fl- as the vectors nite set of bits. Numerous proposals for producing such gates have been considered [10, 11] and we discuss some 1 0 promising experimental results in the next section. 0 1 00 = ; 01 = ; j i 001 j i 001 jAi jAi 0 0 B C B C @0A @0A jBi U…=4 U…=4 U…¡=41 U…¡=41 jB'(A:C)i 0 0 10 = ; 11 = ; j i 011 j i 001 jCi jCi 0 1 B C B C @ A @ A we may represent the XOR gate as a unitary operator FIG. 8: Tofioli gate built from two-bit XOR gates plus some one-bitgates[9,21]. Thiscircuitintroducessomeextrasigns 1 0 0 0 intheunitarymatrixUXOR whichmayberemovedatalater U 0 1 0 0 : stage. XOR ·00 0 0 1 1 0 0 1 0 B C @ A Here the flrst particle acts as a conditional gate to (cid:176)ip 6. LOGIC GATES IN THE LABORATORY the state of the second particle. It is easy to check that thestateofthesecondparticlecorrespondstotheaction of the XOR gate given in Table I. The quantum circuit Inthissectionwebrie(cid:176)yreviewtworecentexperiments for an XOR gate is illustrated in Fig. 6. This circuit is whichdemonstrateconditionaldynamicsofatypewhich equivalent to the elementary instruction is promising for constructing quantum logic gates [2, 3]. These two results appeared back-to-back in the same is- if ( A = 1 ) B = NOT B sue of Physical Review Letters. j i j i j i 6 The flrst experiment, by Turchette et al [2], demon- However, there is another class of quantum logic pro- strated that the phase of a weak coherent optical fleld cessor which aims at communicating quantum informa- could be controlled by the intensity of a second coherent tion between various, possibly distantly, separated sub- fleld at a slightly difierent frequency. The chief result is systems. This might allow for the combining of smaller that such a high non-linear susceptibility was achieved quantum computers into larger ones operating on more that a large phase shift (up to 16–) was produced by a qubitsthroughcombination. Itislikelyalsotobeimpor- change in intensity corresponding to a single photon in tant for the area of quantum communication and poten- the second fleld. The coupling between the optical flelds tial technologies which few-bit quantum logic processors was obtained using the hyperflne level structure of ce- might enable. For such tasks the former scheme involv- sium. AstreamofCsatomswasdroppedthroughanop- ing ‘(cid:176)ying’ qubits appears a more likely direction. It is tical cavity which efiectively restrained the atomic decay possible that a mature quantum computation technol- modes to the cavity modes. This allowed the atoms to ogy would have components incorporating the positive strongly couple to the optical flelds passing through the aspects of both the above schemes. cavity with minimal incoherent emission into free space. Since coherent instead of single-photon states were used in this experiement, however, there could be no direct 7. MODEL QUANTUM COMPUTER AND demonstrationofthecoherenceretainedintheflnalstate QUANTUM CODE oftheopticalflelds. Inthisschemeaqubitwouldneedto be represented by single photon states rather than weak Inthissectionwedescribeasimple abstractmodel for coherent states, but that does not appear to be a great a quantum computer based on a classical computer in- di–culty. structing a machine to manipulate a set of spins. This The second experiment by Monroe et al [3] involved a model has some intrinsic limitations which make design- directdemonstrationofanXORgateinaradio-frequency ing algorithms in a high-level language somewhat tricky. ion trap (also known as a Paul trap). Here the lowest We discuss some of the rules for writing such quantum vibrationalexcitationofasingle9Be+ ioninthetrapand computer code as a high-level language and give an ex- its hyperflne state represented the two qubits. A pair of ample. ofi-resonant laser beams were used to drive stimulated Consider the following model for the operation of a Raman transitions between the basis states of these two quantum computer: Several thousand spin-1 particles 2 qubits. The XOR gate was executed using three laser (or two-level systems) are initially in some well deflned pulses as had been suggested by Cirac and Zoller [29]. state, such as spin-down. A classical machine takes sin- The coherence of the qubits in this system was reported glespinsorpairsofspinsandentanglesthem(performing to have survived for around to 10 to 20 XOR operations an elementary one-bit operation U or the two-bit XOR (cid:181) [30]. gate); see Fig. 9a, b and c. These stages are repeated This single-ion trap experiment was based on a the- on difierent pairs of spins according to the instructions oretical proposal for a complete quantum computer by of a conventional computer program. Since the spins are Cirac and Zoller [31]. They suggested using a linear entangled, we must not look at the spins at intermediate ion trap to hold a set of ions in a well localized man- stages: We must keep the quantum superposition intact. nerbymutualelectrostaticrepulsion. Eachionwouldbe Furthermore, nothing else may interfere with the spins ‘addressed’ separately their own lasers. By tuning the which could destroy their orientation or interrupt their lasers shining on individual ions to the approriate lev- unitary evolution. Once this well-deflned cycle of ma- els either single-qubit operations could be performed or nipulation is complete the orientations of the spins are the internal ionic state could be transferred to that of measured (Fig. 9d). This set of measured orientations is the lowest two vibrational modes of the trap. In this the output of the computation. way two-qubit gates could be simulated between even Given this paradigm for a quantum computer, what non-contiguous ions via their interactions with the traps might its high-level language (its computer code) look vibrational modes. This ability signiflcantly reduces the like? The most serious di–culty that must be dealt with complexty of elementary operations over other proposals is that the quantum information is manipulated by a [32]. The fact that this theoretical proposal was imple- conventional computer in a completely blind manner| mented within a few months, though in a slightly mod- withoutanyaccesstothevaluesofthisquantuminforma- ifled form, suggests that few qubit processors could be- tion. Thismeansthattheprogramcannotutilize\short- comearealitywithinarelativelyshortperiodoftime. In cuts" conditional on the value of a quantum variable (or section13belowwewilldiscusstheshorttermprospects register or bit). For example, loops must be iterated for such machines. through exactly the same number of times independent In quantum computation we normally aim at hav- of the values of the quantum variables. Similarly, con- ing the qubits maximally couple to eachother and min- ditional branches around large pieces of code must be imally to the outside world. This lessens the actions of broken down into repeated conditions for each step. In environment-induced decohernce. From this perspective addition, each instruction performed upon the quantum thelatterschemeinvolvingion-trapsappearsmoreideal. bits must be logically reversible. Thus, ordinary assign- 7 " # " " # # code is not reversible (neither is it very e–cient), e.g., the label 10 gives no speciflcation of which routes might be used to get to it. It can, however, be easily rewritten a) [23]. 8. QUANTUM PARALLELISM: PERIOD OF A SEQUENCE " " # # We now have su–cient ingredients to understand how b) a quantum computer can perform logical operations and # " compute just like an ordinary computer. In this section we describe an algorithm which makes use of the quan- tum parallelism that we have hinted at already: flnding the period of a long sequence. " " " # Consider the sequence c) f(0); f(1); :::; f(q 1); ¡ whereq 2k;weshallusequantumparallelismtoflndits · " # " # # # period. We start with a set of initially spin-down parti- d) cleswhichwegroupintotwosets(twoquantumregisters, or quantum variables): 0;0 = ; ; ::: ; ; ; ::: ; FIG. 9: Model quantum computer as pictured by Shor [33]. j i j# # # # i Initially all particles are spin-down. Stage a) a classical ma- the flrst set having k bits; the next having su–cient for chinetakesasingleorpairofspinsandinstageb)itperforms our needs. (In fact other registers are required, but by aselectedone-bitortwo-bitoperation;instagec)the\entan- applying Bennett’s solution to space management they gled"particlesarereturnedtotheiroriginallocations. These maybesuppressedinourdiscussionhere.) Oneachbitof three stages are repeated many times in accord with the in- theflrstregisterweperformtheU one-bitoperation, structionsgivenbyanordinaryclassicalcomputer. Whenthis ¡…=2 yielding a superposition of every possible bit-string of cycle is complete stage d) consists of measuring the state of theparticles(leavingtheminsomeparticularbit-string);this length k in this register: bit-string is the result of the computation. q¡1 1 a; 0 : ¡! pq j i ments of a value to a variable, such as a = n, are not a=0 X j i legalandmustinsteadbeperformedasincrementsonan The next stage is to break down the computation, corre- initially zeroed variable, such as a = a + n. j i j i sponding to the function f(a), into a set of one-bit and An example of such code that could run on this ma- two-bit unitary operations. The sequence of operations chine might look like this [23]: is designed to map the state a;0 to the state a;f(a) j i j i do 10 k = 1, worstdiv for any input a. Now we see that the number of bits re- a = a - n quired for this second register must be at least su–cient ijfi ( jai >= 0 ) q = q + 1 to store the longest result f(a) for any of these compu- 10 continjuie j i j i tations. When, however, this sequence of operations is do 20 k = 1, worstdiv applied to our exponentially large superposition, instead if ( k > q ) a = a + n of the single input, we obtain j i j i j i 20 continue q¡1 1 This code fragment could be used to calculate the quo- a; f(a) : ¡! pq j i tient and the remainder, placed in q and a , respec- a=0 X j i j i tively,forthedivisionof a byn; theconstantworstdiv j i An exponentially large amount of computation has been is the worst-case number of times the loop must be tra- performed essentially for free. versed. Here q is initially zero. Each instruction here j i The flnal computational step, like the flrst, is again is either a conventional computer instruction or one in- a purely quantum mechanical one. Consider a discrete volving some quantum variables. The former are direct \quantum" Fourier transform on the flrst register instructions for the external computer, while the latter must be interpreted as a sequence of manipulations to q¡1 1 be performed upon the quantum bits. As it stands, this a e2…iac=q c : j i¡! pq j i c=0 X 8 It is easy to see that this is reversible via the inverse prob(c) transform and indeed it is readily verifled to be unitary. Further, an e–cient way to compute this transform with one-bit and two-bit gates has been described by Copper- smith (Fig. 10) [11, 34, 35]. ak¡1 U…=2 j i jak¡2i X1 U…=2 0 1=r 2=r 3=r c=q ak¡3 X2 X1 U…=2 j i FIG. 11: Idealized plot of the probability of each result prob(c) versus c=q. Constructive interference produces nar- row peaks at multiples of the inverse period of the sequence 1=r. (The discrete approximation means that the peaks will actually peaks have a non-zero width [37].) 1 0 0 0 0 1 0 0 = 0 0 1 0 Xn ˆ 0 0 0 e2…i=2!n computer to flnd the period of a sequence. The point is, however, that the sequence is calculated in parallel and is exponentially long|even for a small value of say k = 270 bits in the flrst register the quantum computer FIG. 10: Circuit for the quantum Fourier transform of the variablejak¡1:::a1a0iusingCoppersmith’sfastFouriertrans- has calculated and stored more results than there are formation approach [11, 34, 35]. The two-bit \X " gate may particles in the universe. n itselfbedecomposedintovariousone-bitandXORgates[21]. This algorithm for flnding the period of an exponen- tially long sequence on a quantum computer lies at the WhenthisquantumFouriertransformisappliedtoour heartofe–cientlyfactoringnumbers. Weflrstproceedto superposition, we obtain review the computational di–culty of factoring for con- ventional computers. Then we shall discuss the implica- q¡1q¡1 tions this computational di–culty has had for the secure 1 e2…iac=q c; f(a) : transmission of private information via public key cryp- ¡! q j i a=0c=0 tosystems. We will then follow these discussions with XX Shor’s new result for e–cient factoring [1]. The computation is now complete and we retrieve the output from the quantum computer by measuring the state of all spins in the flrst register (the flrst k bits). 9. THE COMPLEXITY OF FACTORING Indeed, once the Fourier transform has been performed the second register may even be discarded [36]. Howcanwequantifythedi–cultyofsolvingaproblem What will the output look like? Suppose f(a) has pe- withaconventionalcomputer? Surelyoncethecomputer riod r so f(a+r)=f(a). The sum over a will yield con- program is written and debugged we may simply let it structive interference from the coe–cients e2…iac=q only run and wait for the answer. But this brings us to the when c=q is a multiple of the reciprocal period 1=r [37]. cruxofthedi–culty: Foragivenproblemhowlongmust All other values of c=q will produce destructive interfer- we expect to wait for the solution? When more carefully ence to a greater or lesser extent. Thus, the probability phrased this becomes the simplest measure of computa- distributionforflndingtheflrstregisterwithvariousval- tionaldi–cultyofanalgorithm,yieldingthe‘algorithmic ues is shown schematically by Fig. 11. complexity’ of the problem. One complete run of the quantum computer yields a Tobemorespeciflc,withoutgettingintotechnicalities, random value of c=q underneath one of the peaks in the letusconsidertheproblemoffactoringanumberN into probability of each result prob(c). That is, we obtain a its prime factors (e.g., the number 51688 may be decom- randommultipleoftheinverseperiod. Toextractthepe- posed as 23 7 13 71). A convenient way to quantify rioditselfweneedonlyrepeatthisquantumcomputation £ £ £ howquicklyaparticularalgorithmmaysolvethis,orany, roughlyloglogr=ktimesinordertohaveahighprobabil- problem is to ask how the number of steps to complete ityforatleastoneofthemultiplestoberelativelyprime thealgorithmscaleswiththesizeofthe\input"thealgo- to the period r|uniquely determining it [1]. Thus, this rithmisfed. Forthefactoringproblem, thisinputisjust algorithm yields only a probabilistic result. Fortunately, the number N we wish to factor; hence the length of the we can make this probability as high as we like. input is logN. (The base of the logarithm is determined All the above work may appear a little anti-climactic. We have gone to a lot of trouble to design a quantum 9 by our numbering system. Thus a base of 2 gives the message itself [42]. Such a perfect cipher was invented length in binary; a base of 10 in decimal. For example, in 1917, and is known as the Vernam cipher or one-time thenumber51688requires16binarydigits, butonlyflve pad; it requires a key equal in size to the plaintext mes- decimal digits to specify it.) ‘Reasonable’ algorithms are sage. Thus, for perfect security we have the problem of ones which scale as some small-degree polynomial in the distributing the key itself, which must be done over a inputsize(with adegreeofperhaps2or3). Onefamous secure channel such as by trusted courier. In many sit- example of a fast algorithm is the Fast Fourier Trans- uations, such as banking transactions where the volume form which requires roughly O(Mlog M) steps to per- of information is very large, this is unreasonable. 2 formthediscreteFouriertransformofM points(sofora An understanding of computational complexity allows flxedprecisiontheinputscalesasM);bycontrast,acon- usto‘circumvent’therestrictionofShannon’stheory: A ceptually simpler algorithm equivalent to matrix multi- pseudorandom number generator can be used to gener- plication would require O(M2) computational steps [38]. atealongalmostrandomkeyfromamuchsmallersecret This modest improvement from a quadratic to a roughly key. If the lack of randomness cannot be discovered ex- linear complexity has made many image processing ap- cept through an unreasonable amount of computational plications possible with even quite modest computers. efiortbytheeavesdropperthenwehaveasecureencryp- On conventional computers the best known factoring tion system. An excellecent example of such a scheme is algorithm runs in O exp[(64=9)1=3(lnN)1=3(lnlnN)2=3] the U.S. Data Encryption Standard (DES) which uses a steps [39]. This algorithm, therefore, scales exponen- 56 bit key[43]. Oneestimate ofthe securityof DESsug- ¡¡¡ ¢¢¢ tially with the input size logN. For instance, in 1994 gests that for around a million dollars a special purpose a 129 digit number (known as RSA129 [40]) was suc- machine could be built to try all 256 keys in a few hours, cessfully factored using this algorithm on approximately though security can be easily enhanced by multiple ap- 1600 workstations scattered around the world; the en- plication and a larger efiective key [44]. Clearly short tire factorization took eight months [41]. Using this to keys reduce the burden of key distribution amongst sin- estimate the prefactor of the above exponential scaling, glepairsofusers,butfornusersn(n 1)=2keyswouldbe ¡ we flnd that it would take roughly 800,000 years to fac- requiredtoallowanypairtocommunicatesecurely. This tor a 250 digit number with the same computer power; becomesunwieldyforcommercialapplicationswheremil- similarly, a 1000 digit number would require 1025 years lions of users may be involved. (signiflcantly longer than the age of the universe). This Another approach, also based on computational com- di–culty is, however, almost certainly exaggerated since plexity, is known as public key encryption. The most it takes no account of the constant improvement in fac- popular scheme, and one used in many comercial appli- toring algorithms and the constant speedup of computer cations, is RSA encryption [40]. A person wishing to hardware. In fact, both of these components have shown receive secret communications simply publishes a pair of amoreorlessexponentialimprovementoverthelastfew numbers (N; e) which form the public key. Encryption decades [39], with each contributing roughly equally to involves converting the message to numerical data and theincreasedcomputationalpower. Thedi–cultyoffac- dividing it into blocks of numbers m each smaller than j toring large numbers is crucial for public-key cryptosys- N. Each block m of the message is then encrypted by j tems,suchasonesusedbybanks. There,suchcodesrely its modular exponentiation on the di–culty of factoring numbers with around 250 digits. cj ·mej (mod N); where mod N represents modulo arithmatic (the expres- 10. SECURITY AND RSA sioniscomputedandonlytheremainderafterdivisionby N is retained). The encrypted blocks c are then trans- j mitted to the receiver via a public channel. Thus, RSA Cryptography as a discipline aims at minimizing the (and any other public key scheme) e–ciently solves the afiect of the dishonest. One such situation is the need key distribution problem. for secure communication between two parties across an Decryptionbythereceiverrequiresknowingtheinverse insecure channel. The sender encrypts a plaintext mes- operation, i.e., knowing the d such that sagewithanencryptionkeyyieldingthecyphertext. The message is sent across an insecure media where we must m cd (mod N); assume an eavesdropper may have access. The receiver j · j takes the cyphertext and uses a decryption algorithm to reconstructs the original message. The size of N makes restoretheplaintext. Ifweassumethattheeavesdropper the direct determination of d too di–cult. Instead, d has access to the decryption algorithm then the receiver is constructed along with the public key pair (N; e) in musthavesomethinginadditiontoensurethesecurityof an e–cient manner. This construction involves choosing the transmitted message; this is the decryption key. Ac- N = pq as the product of a pair of comparably sized cording to Shannon’s information theory the cyphertext primes, with e relatively prime to both p 1 and q 1, must contain some information about the plaintext mes- ¡ ¡ and solving the much simpler problem: sage unless the decyption key is at least as long as the ed 1 (mod p 1) · ¡ ed 1 (mod q 1): · ¡ 10 It is important to note that the best algorithms for flnd- This simply says that the product of the two terms on ing d proceed by flrst factoring N, thus the security of the left is a multiple of the number N we wish to factor. RSA relies on the assumed di–culty of factoring [45]. Thus, either one or the other of these terms must have a factor in common with N. The flnal step in the algo- rithm then is to calculate the greatest common divisor 11. SHOR’S RESULT: FACTORING NUMBERS of these terms individually with N (see the appendix for an e–cient classical algorithm); any non-trivial common Recently, an algorithm was developed by Peter Shor divisor will be a factor we have sought, thus completing of AT&T for factoring numbers on a quantum computer our search. which runs in O (logN)3 steps [1, 46]. This is cubic As an example, consider the number N = 91. Choos- in the input size, so factoring a 250 digit number with ing x=3 we flnd that the sequence 3a(mod91) has the such an algorithm¡¡¡would re¢¢¢quire only a few billion steps. form: The implication is that public key cryptosystems based a: 0; 1; 2; 3; 4; 5; 6; 7; ::: on factoring may be breakable. In this section we give 3a : 1; 3; 9; 27; 81; 243; 729; 2187; ::: the classical portion of Shor’s algorithm which relates 3a(mod91): 1; 3; 9; 27; 81; 61; 1; 3; ::: : factoring to flnding the period of an exponentially long sequence and hence makes the problem tractable for a A quantum computer could calculate the period in par- quantum computer. allel, however, it is su–cient here to see by eye that this We wish to factor the number N. It will be su–cient sequence has a period of r = 6 (since it is even we may to flnd even a single factor since then we can reduce proceed with the algorithm). Rearranging the expres- the problem to a simpler one. First, select a number sion36 1(mod91)asdiscussedaboveweconcludethat x. Euclid’s algorithm (see appendix) could be used to · 28 26 0(mod91). Thisimpliesthateithergcd(28;91) e–ciently compute the common factors between N and £ · orgcd(26;91)willbeanon-trivialfactorof91(wheregcd x, hence reducing our problem. We, therefore, assume is the greatest common divisor function). In fact, in this that these numbers are co-prime. Next, consider the se- case, both terms yield a difierent factor, 7 and 13, re- quence formed by the function f(a)=xa(modN). This spectively. This completes the prime factorization of 91 sequence has the form: yielding: 91=7 13. £ 1; x; :::; xr¡1; xr;xr+1; ::: 1; x; :::;xr¡1; 1; x; :::; 1; x; ::: 12. QUANTUM ERROR CORRECTION r¡terms r¡terms r¡terms Buildingaquantumcomputerisadauntingtask. Even He|re the to{zp row is}ju|st the{szequenc}e o|f pow{zers x}a ; f g within apparently small atomic-scale systems, quantum the bottom row is the same sequence written in modulo computation runs on the enormous size of Hilbert space. arithmetic, namely xa(modN) . The number r is just f g Quantum computation involves building a trajectory theflrstnon-trivialpowerwherexr 1(modN). Aclose · from a standard initial state to a complex flnal state. look at this sequence shows that it has a periodic struc- The main di–culty is keeping to this trajectory. To fail turewithperiodr. Usingstandardalgorithmsthisperiod is to be lost in Hilbert space. The largest problem is wouldnotbereadilyaccessibleforalongsequence. How- hypersensitivity to perturbations, shifting the computa- ever,withthequantumcomputeralgorithmdescribedin tional trajectory randomly from its path. Such pertur- section 8 it could be calculated e–ciently. This possibil- bations come from an unintentional coupling to external ity opens up a novel way to flnd the factors of N as we noise [48]. In this section we brie(cid:176)y touch on quantum shall now describe. errorcorrectionandfaulttolerantcomputing,bothintro- Let us suppose that we have obtained the period r duced by Shor [5, 49], which promise to greatly alleviate by the above quantum computer algorithm [47]. If this the problem associated with unwanted perturbations. period is even we may proceed with our factoring algo- Instraightquantumerrorcorrectionthestateofafrag- rithm. If not, we must select another x and start again. ile quantum system is encoded into a quantum system A randomly chosen x will yield a suitably even period r having more degrees of freedom. By choosing the map- flfty-percent of the time so not too many trials will be pingtoasuitablesubspaceofthelargersystemalimited needed [1, 10]. class of errors which occur on this larger space may be We now proceed with the algorithm: Having chosen completelyremoved. InFig.12weseeacircuitforShor’s an x so that the sequence xa(modN) has an even pe- f g original scheme. [Since then much work has been done riod r, we rewrite the expression xr 1(modN) as the · in the last year [50{55] (to cite just a few)]. The un- difierence of two squares: protected single qubit ˆ is processed by the left half of j i the circuit shown in Fig. 12 until just before the shaded (xr=2)2 1 0(modN): ¡ · region. The resulting combined 9-qubit state represents the now error protected encoded state. Any single qubit Expressingtheleft-hand-sideasaproductbetweenasum error(representedbytheshadedregion) onthisencoded and difierence we obtain (xr=2+1)(xr=2 1) 0(modN): ¡ ·

See more

The list of books you might like

Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.
DMCA & Copyright: Dear all, most of the website is community built, users are uploading hundred of books everyday, which makes really hard for us to identify copyrighted material, please contact us if you want any material removed.
Copyright @ PDFdrive.to, 2022 | We love our users