COS 433: CryptographySlide 2Double-Slit ExperimentMathematical FormalismSlide 5World ViewQuantum Computation – State of the ArtQuantum Computation And CryptographyQuantum Key DistributionSlide 10Unitary OperationsSlide 12Slide 13Slide 14Princeton University • COS 433 • Cryptography • Fall 2005 • Boaz BarakCOS 433: Cryptography Princeton University Fall 2005Boaz BarakLecture 12: Idiot’s Guide to Quantum Computing & CryptoDisclaimer2"Do not take the lecture too seriously . . . just relax and enjoy it. I am going to tell you what nature behaves like. If you will simply admit that maybe she does behave like this, you will find her a delightful, entrancing thing. Do not keep saying to yourself "But how can it be like that?" because you will get . . . into a blind alley from which nobody has yet escaped. Nobody knows how it can be like that." Richard Feynmann on Quantum Mechanics.Strange aspects of quantum mechanics: Superposition – object doesn’t have definite properties (location, speed) but has probabilities over them. Interference – probabilities can be negative. Entanglement – properties of many particles can be correlated. Measurement – object’s properties collapse to definite value when measured, collapsing also properties of other entangled objects.3Double-Slit ExperimentIf we place detector then pattern turns to be as expected.We can never catch an electron “red-handed” behaving bizarrely How does electron passing thru top slit know to avoid mid point if bottom slit is open?4Mathematical FormalismConsider object/system that can be in one of two states.State |1> - electron hit mid pointState |0> - electron did not hit mid point.Deterministic view: System is either in state |0> or state |1>Probabilistic view: System is in state |0> w.prob p and state |1> w.prob q with p+q=1Quantum view: System is in state p|0>+q|1> with |p|+|q|=1 (p,q can be negative!)In fact, to make the math work nicely, assume:p,q can be arbitrary complex numbers.p2+q2=1 (prob of system measuring to |0> is p2=|p|2)bb5Mathematical FormalismConsider object/system that can be in one of two states.State |1> - electron hit mid pointState |0> - electron did not hit mid point.Quantum view: System is in state p|0>+q|1> with |p|2+|q|2=1 (p,q complex)Suppose system consists of two bits – has four possible states: |00> , |01> , |10> , |11>Quantum view: System is in state p1|00>+p2|01>+p3|10>+p4|11> where |p1|2+|p2|2+|p3|2+|p4|2=1When measured, system will collapse to ith state w.prob |pi|2.Note: Need 2n numbers to keep track of state of n-bit system.bb1b26World ViewDemocritos  Newton  Einstein:Underlying everything are small particles interacting locally using simple well-defined rules (“billiard balls”).Quantum Mechanics:Nature has a secret HUGE piece of paper containing >210000000000000000 complex numbers, keeping track of a superposition of all particles in the world, but allows us only to make some specific measurements of these numbers.“Corollary”: We do not know how to simulate quantum system of n particles for t time units in time poly(n.t).Rephrase: There are some computations performed by quantum systems of n particles and t time units that we don’t know to perform in a classical computer in time poly(n,t)Maybe can use quantum system to solve hard computational problems??7Quantum Computation – State of the ArtThere is a mathematical model for computing devices exploiting quantum mechanics – “quantum computers”. Many technical difficulties (and maybe fundamental difficulties?) in building such machines.(Unsurprisingly) there is no proof that quantum computers are more powerful than classical computers/Boolean circuits/Turing machines.There are polynomial algorithms for quantum computers solving problems unknown to be solvable classically in poly-time:Simulation of quantum systemFactoring integers and discrete logs.There are hard problems with no quantum poly-time algorithms:SAT, 3COL and all the NP-complete problems.Inverting many candidate one-way functions and permutations, private key encryption and signature schemes.Problems on lattices (can be used for public-key encryption).8Quantum Computation And CryptographyIf quantum computers can be built, then many popular encryption and signature schemes can be broken (RSA,Diffie-Hellman)However, there are still other candidates for encryption schemes not known to be broken. This is especially true for private key cryptography and signature schemes. Many (but not all) of the proofs of security in crypto carry over from the classical model to the quantum model, as long as the underlying hard problem is assumed hard for quantum computers. Exciting possibilities of using quantum mechanics to obtain perfectly unconditionally secure cryptography. Does not require full fledged quantum computers – prototype systems already being built.Quantum Key Distribution (QKD)9Quantum Key DistributionConsider system of two bits initialized to 1/p2 |00> + 1/p2 |11> |00>+|11>b1b2Give b1 to Alice and b2 to Bob.According to QM until Alice measures b1, it is completely random, but once she measures it system collapses to either |00> or |11>Thus Bob will measure the same value as Alice.First idea for key exchange using QM:Alice Eve Bobb1b2= |00>+|11>Measure b1Measure b2Transfer qubit b210First idea for key exchange using QM:Alice Eve Bobb1b2= |00>+|11>Measure b1Measure b2Problem: What if Eve measures b2 on the way and learns it?We can’t stop Eve from doing so, but we need a way for Bob to find out.Problem can be solved but we need: Learn more about operations allowed in QM. Assume Bob and Alice can exchange authenticated but not secret classical messages.Transfer qubit b211Unitary OperationsConsider system of one bit. Classically, there are not many operations we can perform on it – keep it the same or invert it. bIn QM, system’s state is described as p|0>+q|1> - i.e., vector (p,q)2C2According to QM, we can perform any operation A on system that is: Linear: A(p+p’,q+q’) = A(p,q) + A(p’,q’) Norm-preserving: If ||(p,q)||=pp2+q2 =1 then ||A(p,q)||=1Orthogonal: A(1,0)=A|0> is perpendicular to A(0,1)=A|1>Example:H|0> = 1/p2 |0> + 1/p2 |1> ~ |0> + |1> = (1,1)H|1> = 1/p2 |0> - 1/p2 |1> ~ |0> - |1> = (1,-1)H(p,q) ? (p’,q’) if pp’+qq’=012Key exchange using QM:Alice Eve Bobb1b2= |00>+|11>Transfer qubit b2With prob ½,