Quantum Turing Test. Elham Kashefi


 William Hoover
 1 years ago
 Views:
Transcription
1 Quantum Turing Test Elham Kashefi
2 Feynman Vision  82 Quantum Computing as the technology for simulating quantum systems Spectacular Progress from complexity theory to cryptography from simulation to sampling from tomography to implementation from foundation to interpretation proving what we are actually performing and observing is indeed quantum
3 Quantum Algorithms  Speed Up Superpositions Nonlocal Correlations Interference &'()*'+,(./01*2+3 4(3315(,67*70+1)13*158 $;<=;!"#"$% 4(3315(,90/:(:113*158 9 C 9 E $;<=; 9 D &'()*'+8!"#"$%! C! E $;<=;! D
4 Deutsch s problem Quantum Algorithms  History DeutschJozsa demonstrated the first speed up put: Given A boolean a function f : {0, 1} n! {0, 1} determine if it is constant or balanced utput: Determine if f is constant or balanced Deutsch s problem U f : 1 p 2 n U f : xi( 0i 1i)! x2{0,1} n xi xi( 0i 1i) if f(x) =0 fi xi( 0i = 1 X p 2 n 1i) if f(x) ( =1 x2{0,1} n 1) f(x) xi 0 1 X 0i 1i p 1 X f i for any constant function is ( orthogonal 1) f(x) xia 0i to 1i p the corresponding 2 2 n state for any The balanced state for any function. constant function is orthogonal x2{0,1} 2 to n the state for any balanced function Measurement on f i which distinguishes balanced from constant H n : xi! 1 p 2 n X y2{0,1} n ( 1) x y yi
5 Deutsch s problem Quantum Algorithms  History DeutschJozsa demonstrated the first speed up Simo put: Given A boolean a function f : {0, 1} n! {0, 1} determine if it is constant or balanced utput: Determine if f is constant or balanced Simon s Algorithm Simon s Problem e are given Given function a function 2 1 f : {0,1} n {0,1} n,specifiedbyablackbox,withthepromisethat finds xi( 0i 1i) if f(x) a Forallxf(x such that + a)= f (x). =0 a {0,1} n Uwith f : xi( 0i a 0 n such 1i) that! xi( 0i 1i) if f(x) =1 Iff (x)= f (y) then either x = y or y = 0 Suppose we are given function 2 1 f : {0,1 there is an a {0,1} n with a 0 n such that 1 1) f(x) xia 0i 1i p 2 llxf(x + a)= f (x). 1 X 0i 1i U f : p xi p 1 Breakthrough X ( The challenge is to determine a. It should x)= f (y) 2 n then either x = y x2{0,1} 2 or y = x + a. 2 n n x2{0,1} (probabilistic) computer. This is because the n such that f (x)= f (y). Andthebestanalgorit nge is to determine a. Itshould 1994 be Shor s intuitively Period clearfinding thatthisproblem isadifficulttaskfor a classical birthday paradox (actually its converse), the tic) computer. Given an This nbit is because integer, the find algorithm the prime cannot factorisation. determine a until it finds two inputs x and y 2 n/2 inputs. Breaks Bythe contrast, RSA cryptosystem we will show an effi (x)= f (y). Andthebestanalgorithmcandoistryrandominputsx until it finds a match. By the radox (actually its converse), the chance of this isnegligibleif 1. Use f tof set is probed up random on many preimage fewer than state. By contrast, we will show an efficient quantum algorithm. φ = 1/
6 Quantum Algorithms  History The oo  Stephen Jordan papers BuchmanWilliams cryptosystem Elliptic curve cryptography Algebraic and Number Theoretic Algorithms Exponential Speed Up: Factoring, Discretelog, Pell's Equation, Principal Ideal, Unit Group, Class Group, Gauss Sums, Matrix Elements of Group Representations Oracular Algorithms Broad Application: Unstructured Search, Amplitude Amplification, Collision Finding, Hidden subgroup Problem, Formula Evaluation, Linear Systems, Group Isomorphism, Network Flows Approximation and Simulation Algorithms Inspired by Physic : Quantum Walk, Quantum Simulation, Knot Invariants, Partition Functions, Adiabatic Optimization, Simulated Annealing
7 Quantum Algorithms  Perspective Quantum Simulators One controllable quantum system to investigate another, less accessible one tackling problems that are too demanding for classical computers Ultracold quantum gases, Trapped ions, Photonic, Superconducting circuits Refuting the Strong ChurchTuring Thesis Our communication today is secure only if we cannot build a large scale quantum computer
8 Quantum Cryptography  Security Quantum cryptography relies on the laws of quantum mechanics to offer unconditional security Measurement perturbs the system Uncertainty Principles No Cloning No perturbation No measurement No eavesdropping
9 Quantum Cryptography  History Wiesner 1983 The first link between secrecy and quantum physics quantum money Bennett and Brassard 1984, Ekert 1991 Public key distribution problem Cleve, Gottesman and Lo, 1999; Crepeau, Gottesman and Smith, 2005 Quantum Secret Sharing
10 Quantum Cryptography  History Lo, Chau, Mayers 1997 Impossibility of quantum bit commitment Damgaard et al., 2005, 2007; Wehner, Schaffner and Terhal, 2008 New paradigms of boundedstorage models Gottesman and Chuang 2001 Quantum digital signature Kitaev 2003, Chailloux and Kerenidis 2009 Perfect quantum coin flipping is impossible, but better than classical protocols exist Broadbent, Fitzsimons and Kashefi 2009 Unconditionally secure quantum delegated computation
11 Quantum Cryptography  Perspective Quantum Key Distribution Networks SECOQC: 2008, 200 km of standard fibre optic cable to interconnect six locations across Vienna and St Poelten
12 Quantum Cryptography  Perspective Quantum Key Distribution Networks DARPA: 10node, has been running since 2004 in Massachusetts BBN Technologies, Harvard University, Boston University and QinetiQ Tokyo QKD Network: 7 partners NEC, Mitsubishi Electric, NTT and NICT, Toshiba Research Europe Ltd. (UK), Id Quantique (Switzerland) and All Vienna China and Austria Earth  Satellite QKD
13 Secure Cloud Computing How to make cloud computing safe? A model for enabling convenient, ondemand network access to a shared pool of configurable computing resources X Y Limited Client Untrusted Server Y F(Y) F(X) F(Y)
14 Secure Cloud Computing Rivest, Adleman and Dertouzos 1979 Can we process encrypted data without decrypting it first? Fully homomorphic encryption Classical: Gentry 2009 Only computational security assumption of limited computational power of the adversary Quantum: Broadbent, Fitzsimons, and Kashefi 2009 Unconditional security
15 Qcomputing + Qcryptography = Blind Q Computing Classical Communication Classical Computer random single qubit generator Unconditional Perfect Privacy Server learns nothing about client s computation
16 IG. 1: The control computer provides one bit of classical nformation (downward arrows) to each site (circles in the reource state) determining the choice of measurement basis. fter the measurement, one bit of classical information (upard arrow), such as the outcome of the binary measurement, an E. Browne 1 y, University College London, 6BT, United Kingdom. 8, 2008) Measurementbased Quantum Computing angled states exploited in measurementbased f the classical computer that controls the meaal resource power, leading naturally to a notion computation. Surprisingly, Program the Greenbergeroblems emerge naturally as Computation optimal examples. Power is encoded in the entanglement is encoded in the classical control computer the violation of local realistic models and the measurement sites measurement site control computer control computer resource state Hide Angles of measurements Results of Measurements
17 smeasurements.ifwewereto H rotocol J( 1 Universal + + r ) o reveal use information this principle 2. Bob s about for preparation Blind the blind Quantum quantum Computation computing, Alice would have to reve. iversal of Alice s ± states structure + +r Blind called Quantum of preparation J( + the the + brickwork underlying Computation graph state. We introduce a new family of st r ) s 2 {0, 1} ; X s+r 1 tsaration For andstates each thus rdo (Figure column 2.1 not require Bob 1) which x =1,...,n the creates are universal an entangled for J( ) X Y plane state measurements from all and states Universal initial Blind Quantum P Computings 1 { + for p( ) Tr (P ( 0 + } e iθ that computational do not requirebasis measurements. Other universal graph states mn For x =1,...,n each x,y row 1 ) y θapplying =1,...,m x,y =0, π/4,...,7π/4} ctrl incorrect andb( )) sendsapple y 0 1 (e i 1.1 =1,...,m X =(Ũ,{ Alice prepares + x,y}) epares ψ x,y R { ψ x,y R { gates between the qubits ]. initial computational basis measurements have appeared in [CLN05]. nctionality To + +θx,y = 2 1 ( 0 + e iθ the has best beendefinition of achieved our knowledge, 1). this is the first time that x,y 1 ) a new θ x,y functio =0, in[rhg06,ms08]). thanks to MBQC +θx,y From (other = 1theoretical 2 1 ( 0 + 1e iθ advances x,y e 1 ) i due θ x,y to=0, MBQC π/4,...,7π/4 appear in s tremendous a the conceptual qubits to Bob. 3. Interaction potential point forof the view, B 1and our its to Bob. ± 1 A contribution measurement 0 shows that MBQC has trem. all Bob s received development ± preparation + +r For qubits, each of newaccording column protocols, to x and=1,...,n their maybe indices, even of algorithms. by aration bits 2.1in 1.3 Bob order Outline 1 { + creates to } create an entangled a brickwork state state fromg n m all received (see qubits, acco ates an{ + For entangled } each of Protocols row y =1,...,m uantum The random computation outline single qubit of the given generator state main asfrom protocol all received is as qubits, according to their 1 1 e i 2 e i e i g ctrl Definition X gates =(Ũ,{ 3.1between 1). Alice computes x,y}) the qubits inφ order follows. x,y where Alice to create sx has a brickwork stat 1 2 on 1). e i 1. Interaction X =(Ũ,{ 0,y = mind s a 0,y =0. quant preparation a measurement and computation. ly from {1/ 2 ( pattern 0 + e andx,y}) iθ 1 ) on a brickwork state. There are two stages: prepa In the preparation 3.2 Alice stage, measurement chooses Alice prepares r x,y single R {0, qubits 1} and chosencomputes randomly fr all the θ =0, qubits, π/4, Bob 2π/4,...,7π/4} entangles and For each measurement column x,y =( 1) x sx x,y =1,...,n x,y + s and sends them to Bob. After receiving all t reveals upper x,y 3.3 bounds Alice on the them according to thetransmits brickwork 1 mn For x =1,...,n each row y =1,...,m s 2 {0, 1} ; X s J( ) 0. x,y =( 1) sx x,y r x,y R {0, 1} x,y + s state. δ x,y Note to Bob. that this Bob unavoidably measures reve length of the input and depth dimensions x,y 1 y 3.1 =1,...,m3.4of Bob Alice stransmits underlying graph state, it does not reveal any Alice tes δ x,y = φ computes x,y + θ x,y + πr x,y. 1 (e i mputes φ ures in basis { φ x,y where sx 0,y = x,y where thestate, sx s +δx,y, 0,y =0. 0,y = result that s 0,y =0. scorrespond x,y {0, to 1} thetolengt A stage involves the computation. interaction: 3.5 If r for However, due to universality of the brickwork stat 3.2 Alice r chooses x,y =1above,Aliceflipss x,y R δx,y {0, 1} and computes δ }. 1 e ooses r i x,y = x,y φ ;otherwise calmessagetobobtotellhim additional information on Alice s computation. The computation x,y R {0, 1}. o Alice. x,y R {0, 1} and computes δ x,y = φ x,y + θ x,y + π performs the measurement and 3.3 Alice transmits δ x,y to Bob. Bob measures x,y + θ x,y + πr x,y.. wiseshedoesnothing. ansmits δ x,y to Bob. Bob measures in the basis { in the basis { stage each layer of the brickwork state, for each qubit, Alice sendsaclassicalm swilldependonthesevalues. in which basis of X Y plane he should measure the qubit. Bob +δx,y perfor telychosensothat,nomatter 3.4communicates Bob s transmits the result s x,y {0, 1} to Alice. +δx,y, δx,y x,y := s x,y + r x,y }. The universality the outcome; Alice s of Protocol choice of angles 1 follows in future from rounds the will pattern. 3.5Importantly, IfIfAliceiscomputing r x,y =1above,Aliceflipss Alice s quantum states x,y and ;otherwiseshedoesnothing. classical messages areastutelyc applying ctrl gates between the qubits in order to create a b nsmits the result s x,y {0, 1} to Alice.
18 me as a measurement in the + φ+θ, φ+θ basis on (θ) ψ (see Appendix A), and since + θ + πr, ifr =0,Bob smeasurementhasthesameeffect J( + + r ) as Alice s target measurement; if allaliceneedstodoisfliptheoutcome. now r Blindness define and prove the security of the protocol. Intuitively, we wish to prove that whatever ooses to do (including arbitrary deviations from the protocol), his knowledge on Alice s m computation does not increase. Note, + however that Bob does learn the dimensions of the ork state, giving an upper bound on the size of Alice s computation. This is unavoidable: leadaptationoftheproofoftheorem2from[afk89],confirms ± + +r this. We incorporate tion of leakage in our definition of blindness. Aquantum delegated computation protocol rotocol by which Alice interacts quantumly { + } with Bob in order to obtain the result of a tation, U(x), where X =(Ũ,x)isAlice sinputwithũ being a description of U. ition 2. Let P be a quantum Protocol delegated P on input computation X =(Ũ,{ on x,y}) input leaks X at and most let L(X) be any function input. We say that a quantum delegated computation protocol is blind while leaking at most f, on Alice s input X, for any2. fixed Given Y = the L(X), distribution the following of classical two hold information when givendescribed Y : in The distribution of the classical obtained information by Bob obtained P is fixed by Bob andis independent of X. e distribution of the classical information obtained by Bob in P is independent of X. 2. Given the distribution of classical Definition information 2 captures described the intuitive 1, the notion statethat of the Bob s quantum view of sy obtained The quantum by Bob state in P is fixed (when and given independent Y 5 ); since of X. his view consists of classical and quant distribution of the classical information should not depend on Definition 2 captures the intuitive choice notion of the classical that Bob s information, view of the protocol the stateshould of thenot quantum dependsy o (when given Y ); since his viewand consists not depend of classical on X and (given quantum Y ). We information, are now ready this means to state tha distribution of the classical information that Protocol should not 1, (n, depend m) isonx the dimension (given Y ) and of the that brickwork for any choice of the classical information, the state of the quantum system should be uniquely determ and not depend on X (given Theorem Y ). We are3 now (Blindness). ready to state Protocol and prove 1 is our blindmain while theorem. leaking Ra that in Protocol 1, (n, m) is the dimension of the brickwork state. Proof. Let (n, m) (the dimension of the brickwork state) be Theorem 3 (Blindness). Protocol the brickwork 1 is blind state while guarantees leaking atthat most Bob s (n, m). creating of the gra
19 Quarter/Halfwave Plate BBO crystal Experimental Implementation Polarization Controller Polarizing Beam Splitter Filter Barz, Kashefi, Broadbent, Fitzsimons, eilinger, Walther, Science a b c d 2 θ 3 θ 2 3 Alice Bob
20 Experimental Implementation Client: limited computational power Quantum server: full power of Quantum Computation Prepares random qubits Entangles qubits Measurement instruction for server Initial rotation of the qubit Target rotation Computes measurement angles Random bit flip
21 Experimental Implementation Client: limited computational power Quantum server: full power of Quantum Computation Entangles qubits Prepares random qubits Y X Measurement in XY plane Computes measurement angles Decryption: Output of the computation 0 0, 1
22 Quantum Cloud Quantum computing could head to 'the cloud', study says Girls lockup quantum security Almost as intriguingly, the research has been carried out by a team three of them being women. The Blind Quantum Security Eschaton Quantum computers "can decrypt any nonquantum method nearinstantly, in theory, rendering all existing forms of encryption obsolete," Enderle pointed out. "This will make the concerns surrounding Iran's nuclear efforts seem trivial by comparison if a [foreign] country gets there first."
23 Blind Q Computing World CC Other approaches D. Aharonov, M. BenOr, and E. Eban, ICS 10 (2010) A. Childs, Quant. Inf. Compt. (2005) P. Arrighi and L. Salvail, Int. J. Quant. Inf. (2006) Approximate Protocol Dunjko, Kashefi, Leverrier, PRL, 2012 Robust Protocol Morimae, Dunjko, Kashefi, arxiv: Morimae, Fujii, Nature Communications, 2012 Morimae, PRL, 2012 Minimal Protocol Dunjko, Kashefi, Markham Composable Protocol Dunjko, Fitzsimons, Portmann, Renner, arxiv: (2013) Other Models Datta, Kapourtionis, Kashefi, Oneclean qubit
24 Big Picture n Still requires 2 parameters for a classical computer to simulate it How do we verify the Solution? Can we verify it with a classical Computer? BQP BPP NP Blind Computation with BPP* Alice Not all the problem in NP can be computed blindly with a BPP Alice Abadi, Feigenbaum and Kilian
25 The Ultimate Challenge Quantum Verification
26 Should we pay $ for a quantum computer That kind of tests work only for a specific problem. We don t know if all the questions that quantum computer can solve are classically testable Simple test: We ask the box to factor a big number
27 Exponential World Hilbert space is a huge place. What makes quantum not classical makes its verification not classical either n particles = 2 n parameters
28 Quantum Turing Test
29 ± + +r Proof System { + } X =(Ũ,{ x,y}) x,y =( 1) sx x,y x,y + s x,y Verifier Prover r x,y R {0, 1} Yes X satisfies some property x,y R {0, NP  problems, 7 /4} s x,y := s x,y + r x,y
30 ± + +r Interactive Proofs { + } All problems X =(Ũ,{ x,y}) x,y =( 1) sx x,y x,y + s x,y Verifier Prover r x,y R {0, 1} Prover can cheat with exponentially small probability Yes X satisfies some property x,y R {0,, 7 /4} s x,y := s x,y + r x,y
31 { + } Can we Classically test Quantum Mechanics? X =(Ũ,{ x,y}) x,y =( 1) sx x,y x,y + s x,y Classical Verifier Quantum Prover Yes X satisfies some property r x,y R {0, 1} x,y R {0,, 7 /4} Gottesman (04)  Vazirani (07) Aaronson $25 Challenge (07) Does every language in the class BQP admit an interactive protocol s x,y := s x,y + r x,y where the prover is in BQP and the verifier is in BPP?
32 Verification Correctness: in the absence of any interference, client accepts and the output is correct Soundness: Client rejects an incorrect output, except with probability at most exponentially small in the security parameter Fitzsimons and Kashefi, arxiv: , 2012
33 m Authentication =2d +1. In this case, the code can detect d errors. Also, C k is self dual [BOCG + 06], namely, the cod s equal to the dual code subspace. ij nsverification = Mi J( ) vs s i Authentication = X s i M i j i J( ) E ij antum Authentication adapted G + 02]). from A quantum Barnum authentication et. al. [BCG + scheme 02]). A(QAS) quantum is aauthenticatio pair of finitions her quantum with aalgorithms set of classical A and keys B together KEve such that: with a set of classical keys K suc 3.1 (adapted from Barnum et. al. [BCG + 02]). A quantum authentication scheme (QAS) is a pair o M l(qas) time input and quantum is ana key mqubit algorithms a pair Alice of Bob k K A message and and B together outputs system with a set transmitted M of and classical a key keys system K k such K that: Tand of m outputs + d a t kes as input an mqubit ( message ) system M and a key k K and outputs a transmitted system T of m + its. system T of m + d kes ted input assystem input the the (possibly T andaltered) aaltered) classical transmitted transmitted key system k T and Ksystem and outputs T andtwo a classical systems: key a k Barnum, a classical Crepeau, keygottesman, k K andsmith outputs and Tapp, two systems: FOCS02 ubit message state M, and a single qubit V which indicate whether the state is considered valid or erroneou essage whichstate indicate M, J( ) and whether a single the state qubitis Vconsidered which indicate validwhether or erroneous. the state is basis states of V are called VAL, ABR. Forafixedk we denote the corresponding superoperators b tputs two systems: a d valid or erroneous.. g superoperators by Detect error and states R. B k Forafixedk. of V are called we denote VAL the, ABR. corresponding Forafixedk superoperators we denote the by cor a pure state ψ, consider the following test on the joint system M,V : output a 1 if the first m qubits are i r if the last qubit is in state ABR, otherwise, output 0. The corresponding projections are: s i state on the ψ, joint consider systemthem,v following : output testaon 1 if the the joint firstsystem m qubits M,V are: inoutpu P ψ 1 = ψ ψ I V +(I M ψ ψ ) ABR ABR (2 first last ise, m qubit output qubits is0. inthe state corresponding ABR, otherwise, projections output are: 0. The corresponding pr P ψ 0 are= in (I M ψ ψ ) 1 VAL VAL (3 are: e is secure if for all +(I M ψ ψ ) P ψ possible input states ψ and for all possible interventions by the adversary, the expecte 1 ( ) = ABR ABR ψ ψ 1 0 I (2) 1 V +(I M ψ ψ ) ABR ABR B s output 2 to the space defined by P 1 2 is high: 0
34 m Authentication y(n) length uniformly at random. The map from k to the group element represented as a product of Cliffo erators =2d +1. can be In computed this case, the code can detect d errors. Also, C k is self dual [BOCG + 06], namely, the cod k in s equal to the dual code subspace. 1 classical f(α 1 nsverification vs P 0 ). polynomial..k m time. Tr f(α m ) (1) aux [U I J( out = P O c E Authentication G ( in J( in ) E + + aux 0)I i ij = M J U i J( ) s ] V ri ) E G P O ci = X s i ef(f) d,f(0)=a Signed = Polynomial Tr M i j aux [U( Codes in aux 0)U ] i antum Authentication adapted n background G detect + on 02]). from d polynomial Aerrors. quantum Barnum Also, quantum authentication et. C codes k al. is see self Appendix [BCG dual + A. scheme 02]). [BOCG A(QAS) + quantum 06], is aauthenticatio pair of finitions Tr aux [U I J( her quantum with aalgorithms set of classical A and keys B together KEve in aux 0)I J namely, U code ] 2.3 ([BOCG + 06]) TheP signed + polynomial = M code with such that: with a set of classical keys K suc 3.1 (adapted= fromtr Barnum et. al. [BCG + 02]). A quantum authentication scheme (QAS) is a pair o M l(qas) time input and quantum is ana key mqubit algorithms a pair Alice aux [U( in aux 0)U respect to a string k {±1} m (denoted C k ) i i i s i i ] of Bob S k K A k def a message and= and B together 1 outputs system with a set transmitted M of and classical k 1 f(α a key keys 1 )...k system K k m such f(α K that: q d T m ) and of m outputs + d a t kes as input an mqubit message system P + f:def(f) d,f(0)=a P + E and = a M key k K and outputs ( a transmitted ) system T of m + i s i i ij = M i X s i E j ij X s i j Detect error its. use m =2d +1. In this case, the code i can detect d errors. i Also, C k is self dual [BOCG + 06], namely, space system is equal T toof them dual + code d subspace. kes ted input assystem input the the (possibly T andaltered) aaltered) classical transmitted transmitted key system k T and Ksystem anda classical outputs T key and k two Ka and classical systems: outputs twokey asystems: k ubit 0 message state M, and a single qubit V which indicate whether the state is considered valid or erroneou essage whichstate indicate M, and whether a single state qubitis Vconsidered which indicate validwhether or erroneous. the state is basis states of V are called P + VAL E J( ), ABR. Forafixedk we denote the corresponding superoperators b and tputs states R. B k Forafixedk. two systems: i ij = M a i X s i E j ij X s i Quantum J( ) E i Authentication ij = M j [BCG of + i J( ) s i = X s i M i j i ) E ij V02]). are called A we quantum denote VAL authentication, ABR. corresponding Forafixedk scheme superoperators (QAS) we denote is a the pair by cor of d valid Definitions or erroneous. ogether a. pure state ψ, consider the following test on the joint system M,V : output a 1 if the first m qubits are i gr ifsuperoperators the last qubit is in state by P 0 with a set of classical keys K J( ) E ABR, otherwise, output 0. The corresponding sprojections are: i ij = Mi J( ) s such that: Eve i = X s = i M i j Server finition 3.1 (adapted from Client Barnum et. al. [BCG + 02]). A quantum authentication i i J( ) scheme E (QAS) is a ynomial ij tem state onm time the ψ, and quantum joint consider a key algorithms system k the M,V K A and following and B together : outputs with testa a set on 1transmitted of classical keys if the the joint firstsystem msystem K such that: qubits M,V Tare of: m inoutpu + d Atakes as input P ψ 1 an mqubit = ψ ψ message I V system +(I M and ψ ψ ) a key k ABR ABR K and outputs a transmitted system T (2 o first last ise, m qubit output qubits is0. inthe state corresponding ABR, otherwise, projections output are: 0. The corresponding pr qubits. P ψ 0 are= in (I M ψ ψ ) ( U VAL VAL 1 (3 ) are: esmitted is secure ifsystem for all +(I M ψ ψ ) P ψ Detect possible T error Btakes as input the (possibly and input altered) astates classical transmitted ψ and for key system all possible k1 T and Kinterventions anda classical outputs key by the k two adversary, K the expecte = ABR ABR ψ ψ I (2) 1 V +(I M ψ ψ ) ABR ABR B s output to the space defined by P ( ) = 1 and systems: outputs 0 twoasy mqubit message state M, and a single bit V which indicate whether 1 is qubit high: V which indicate whether the state is considered the state 2 is considered valid or 2 erroneous. valid 0 or er The basis states of V are called VAL, ABR. Forafixedk we denote the corresponding superoper
35 x,y R {0, x,y 0,, 7 /4} =( 1 1) sx x,y x,y + s x,y Adding Traps s x,y := s x,y + r x,y BPP QNC NC 2 QNC 1 r x,y R {0, 1} 0, 1 +, x,y Trap R {0, Measurements, 7 /4} BPP QNC s x,y := s x,y + r x,y NC 2 QNC 1 0, 1 +, 0, 1 M + s =0 M s =1 BPP QNC NC 2 QNC 1 M + +, s =0 M + s =0 M s =1 3 Trap positions and Measurement angles remain hidden
36 εverification ting an incorrect outcome density operator. Any outcome density operato r is contained within the subspace of correct and incorrect outcome state babilistically Aliceprojected intobob a correct or an incorrect state. Hence intuitiv to be verifiable if the corresponding outcome state is far from any inco owing P p( ) Tr (P incorrect B( )) apple the approach of [28], we first define the notion of correctness 9. random parameters.. For any server s strategy the probability of client accepting an incorrect outcome density operator is bounded by ε: 8. Let Pincorrect beb( ) the projection onto the subspace of all the possible inc rator for the fixed density choice operator of classical Alice s and random quantum output variables denoted with, thati P incorrect =(I ideal ih ideal ) r t ihr t eal ih ideal = Tr i62{o[{t}} (B 0 ( )). Let p( ) be the probability Accept of Alice Key ch arameterized by, that is the probability of choosing a position i amo the graph to be the trap position (denoted as a random variable t) and P p( ) Tr (P incorrect B( )) apple random variables,r,x, (as defined in Definition 6). Given 0 apple < be verifiable, if for any choice of Bob s strategy (denoted by j) the prob
37 Verification with single trap Theorem. Protocol is (1 1/2N)verifiable in general, and in the case of purely classical output it is (1 1/N)verifiable, where N is the total number of qubits in the protocol.
38 Probability Amplification To increase the probability of any local error being detected O(N) many traps in random locations To increase the minimum weight of any operator which leads to an incorrect outcome FaultTolerance
39 P P1 H P= MComp Challenge: Traps break the graph Y 5. Y Y Y P H MComp P= MReduce MComp = K 5 2. Y Y 3. Y MReduce Y MP MReduce P1 M6. P P1 7. MA MA 7. P2 MP MP K 5 P3 P3 P Required 3D lattice for Raussendorf, Harrington Topological and Goyal errorcorrecting code with defect thickness d 6. MP K 5 4. Y 3. Y Y K 5 P K 5 3. Y P1 Y P 6. P MReduce P1 6. Y Y 2. P1 Y H = MComp Probability Amplification 1. H P3 P3
40 Probability Amplification P 3 K K 5 P 1 P 1 K 5 P 2 P 2 M P 7. P 3 P 3 K 5 K15 K5 K 5
41 P 2 Probability Amplification M P P 3 K5 7. M ocol 8. In this figure we replace the RaussendorfHarringtona simpler computation, as to include a full encoding yields
42 Off to Vienna P 3 7. M
43 2 What can we do with 4qubits FIG. 1: Concept of a quantum prover interactive proof system based on blind quantum computing. The verifier wants to find out if the prover can indeed perform quantum computations. While the question if a classical verifier can test a quantum system is still open, it was shown that a verifier that has access to certain quantum resources can verify quantum computations. Here, in the framework of blind quantum computing, the verifier needs the ability to generate single qubits and to transmit them to the prover. After the transmission of the qubits, the verifier and the prover exchange twoway classical communication.
44 Restricting to Classical Input and Output trapification trapification
45 A Complete new proof of verification was required Pauli ( i ) Trap Stabilizer Measurement Overall X I Y Y Y X X Y Y Y I X C C C C C C C A C C A C C C A A C A C C C A C A C A A C C A A A A C C C A C C A A C A C A C A A A A C C A A C A A A A C A A A A Table 4: Pauli terms in the deviation operator U and whether or not they are detected by a particular trap setup or not. Although there are 256 distinct 4qubit Pauli operators, including the identity, these can be grouped into 16
46 Summery Only 4 qubit computation can be verified and a particular type of attack cannot be detected! What about DWave Problem Verification of 2qubit entanglement Blind Verification of Entanglement
47 Blind Verification of Entanglement Barz, Fitzsimons, Kashefi, Walther, Nature Physics 2013
48 Quantum Turing Test We can test eﬃciently a quantum computer But we need quantum randomness
49 Perspective What is the lower bound Model independent Verification Is Nature Classically verifiable
50 Quantum Turing Test Quantum eroknowledge Proof; Adiabatic UBQC; BBP vs BQP theory Computational practice lab Unconditionally Secure Cloud Computing; Hybrid QuantumClassical Homomorphic Encryption Efficient Process Tomography;Testing Commercial Qubits with Scientific Qubits UBQC with superconducting qubits UBQC and Verification Implementation with Photonic Qubits and Coherent Pulses lab Blind Bell Test; Blind Contextuality Test; Distinguishing Relativistic Effects from Quantum Effects practice theory Physical Interactive Proof Quantum Turing Test Blind Trapification Measurementbased QC
Closed Timelike Curves Make Quantum and Classical Computing Equivalent
Closed Timelike Curves Make Quantum and Classical Computing Equivalent Scott Aaronson MIT John Watrous University of Waterloo Abstract While closed timelike curves (CTCs) are not known to exist, studying
More informationPRIVACY AMPLIFICATION BY PUBLIC DISCUSSION*
SIAM J. COMPUT. Vol. 17, No. 2, April 1988 (C) 1988 Society for Industrial and Applied Mathematics O03 PRIVACY AMPLIFICATION BY PUBLIC DISCUSSION* CHARLES H. BENNETT?, GILLES BRASSARD$ AND JEANMARC ROBERT
More informationRobust Set Reconciliation
Robust Set Reconciliation Di Chen 1 Christian Konrad 2 Ke Yi 1 Wei Yu 3 Qin Zhang 4 1 Hong Kong University of Science and Technology, Hong Kong, China 2 Reykjavik University, Reykjavik, Iceland 3 Aarhus
More informationOur Data, Ourselves: Privacy via Distributed Noise Generation
Our Data, Ourselves: Privacy via Distributed Noise Generation Cynthia Dwork 1, Krishnaram Kenthapadi 2,4,5, Frank McSherry 1, Ilya Mironov 1, and Moni Naor 3,4,6 1 Microsoft Research, Silicon Valley Campus,
More informationCAPTCHA: Using Hard AI Problems For Security
CAPTCHA: Using Hard AI Problems For Security Luis von Ahn 1, Manuel Blum 1, Nicholas J. Hopper 1, and John Langford 2 1 Computer Science Dept., Carnegie Mellon University, Pittsburgh PA 15213, USA 2 IBM
More informationFairplay A Secure TwoParty Computation System
Fairplay A Secure TwoParty Computation System Dahlia Malkhi 1, Noam Nisan 1, Benny Pinkas 2, and Yaron Sella 1 1 The School of Computer Science and Engineering The Hebrew University of Jerusalem Email:
More informationCLoud Computing is the long dreamed vision of
1 Enabling Secure and Efficient Ranked Keyword Search over Outsourced Cloud Data Cong Wang, Student Member, IEEE, Ning Cao, Student Member, IEEE, Kui Ren, Senior Member, IEEE, Wenjing Lou, Senior Member,
More informationLearning Deep Architectures for AI. Contents
Foundations and Trends R in Machine Learning Vol. 2, No. 1 (2009) 1 127 c 2009 Y. Bengio DOI: 10.1561/2200000006 Learning Deep Architectures for AI By Yoshua Bengio Contents 1 Introduction 2 1.1 How do
More informationPrivate Set Intersection: Are Garbled Circuits Better than Custom Protocols?
Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang David Evans University of Virginia Jonathan Katz University of Maryland http://mightbeevil.org Abstract Cryptographic
More informationProvable Data Possession at Untrusted Stores
Provable Data Possession at Untrusted Stores Giuseppe Ateniese Randal Burns Reza Curtmola Joseph Herring Lea Kissner Zachary Peterson Dawn Song ABSTRACT We introduce a model for provable data possession
More informationCan quantum computing solve classically unsolvable problems?
Can quantum computing solve classically unsolvable problems? Andrew Hodges Wadham College University of Oxford Oxford OX1 3PN, U.K. andrew.hodges@wadh.ox.ac.uk Abstract: T. D. Kieu has claimed that a quantum
More informationRevealing Information while Preserving Privacy
Revealing Information while Preserving Privacy Irit Dinur Kobbi Nissim NEC Research Institute 4 Independence Way Princeton, NJ 08540 {iritd,kobbi }@research.nj.nec.com ABSTRACT We examine the tradeoff
More informationCoin Flipping of Any Constant Bias Implies OneWay Functions
Coin Flipping of Any Constant Bias Implies OneWay Functions Extended Abstract] Itay Berman School of Computer Science Tel Aviv University Israel itayberm@post.tau.ac.il Iftach Haitner School of Computer
More informationThe Predecessor Attack: An Analysis of a Threat to Anonymous Communications Systems
The Predecessor Attack: An Analysis of a Threat to Anonymous Communications Systems MATTHEW K. WRIGHT, MICAH ADLER, and BRIAN NEIL LEVINE University of Massachusetts Amherst and CLAY SHIELDS Georgetown
More informationCommunication Theory of Secrecy Systems
Communication Theory of Secrecy Systems By C. E. SHANNON 1 INTRODUCTION AND SUMMARY The problems of cryptography and secrecy systems furnish an interesting application of communication theory 1. In this
More informationOracles Are Subtle But Not Malicious
Oracles Are Subtle But Not Malicious Scott Aaronson University of Waterloo Abstract Theoretical computer scientists have been debating the role of oracles since the 1970 s. This paper illustrates both
More informationPhysik Department. Matrix Product Formalism
Physik Department Matrix Product Formalism Diplomarbeit von María Gracia Eckholt Perotti Angefertigt an der Technische Universität München und am MaxPlanckInstitut für Quantenoptik Garching, September
More informationGeneralized compact knapsacks, cyclic lattices, and efficient oneway functions
Generalized compact knapsacks, cyclic lattices, and efficient oneway functions Daniele Micciancio University of California, San Diego 9500 Gilman Drive La Jolla, CA 920930404, USA daniele@cs.ucsd.edu
More informationThe Best of Both Worlds: Combining InformationTheoretic and Computational PIR for Communication Efficiency
The Best of Both Worlds: Combining InformationTheoretic and Computational PIR for Communication Efficiency Casey Devet and Ian Goldberg University of Waterloo, ON, Canada {cjdevet,iang}@cs.uwaterloo.ca
More informationNew Directions in Cryptography
644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT22, NO. 6, NOVEMBER 1976 New Directions in Cryptography Invited Paper WHITFIELD DIFFIE AND MARTIN E. HELLMAN, MEMBER, IEEE AbstractTwo kinds of contemporary
More informationShake Them Up! A movementbased pairing protocol for CPUconstrained devices
Shake Them Up! A movementbased pairing protocol for CPUconstrained devices Claude Castelluccia INRIA and University of California, Irvine claude.castelluccia@inria.fr Pars Mutaf INRIA pars.mutaf@inria.fr
More informationObliviStore: High Performance Oblivious Cloud Storage
ObliviStore: High Performance Oblivious Cloud Storage Emil Stefanov University of California, Berkeley emil@cs.berkeley.edu Elaine Shi University of Maryland, College Park elaine@cs.umd.edu Abstract. We
More informationScalable Protocols for Authenticated Group Key Exchange
Scalable Protocols for Authenticated Group Key Exchange Jonathan Katz Moti Yung Abstract We consider the problem of authenticated group key exchange among n parties communicating over an insecure public
More informationON THE DISTRIBUTION OF SPACINGS BETWEEN ZEROS OF THE ZETA FUNCTION. A. M. Odlyzko AT&T Bell Laboratories Murray Hill, New Jersey ABSTRACT
ON THE DISTRIBUTION OF SPACINGS BETWEEN ZEROS OF THE ZETA FUNCTION A. M. Odlyzko AT&T Bell Laboratories Murray Hill, New Jersey ABSTRACT A numerical study of the distribution of spacings between zeros
More informationRobust Deanonymization of Large Sparse Datasets
Robust Deanonymization of Large Sparse Datasets Arvind Narayanan and Vitaly Shmatikov The University of Texas at Austin Abstract We present a new class of statistical deanonymization attacks against highdimensional
More informationMaximizing the Spread of Influence through a Social Network
Maximizing the Spread of Influence through a Social Network David Kempe Dept. of Computer Science Cornell University, Ithaca NY kempe@cs.cornell.edu Jon Kleinberg Dept. of Computer Science Cornell University,
More informationHaggar Physicists Develop Quantum Slacks, read a headline
INFORMATION TECHNOLOGY THE LIMITS OF Quantum By Scott Aaronson Quantum computers would be exceptionally fast at a few specific tasks, but it appears that for most problems they would outclass today s computers
More informationProofs that Yield Nothing But Their Validity All Languages in NP Have ZeroKnowledge Proof Systems
Proofs that Yield Nothing But Their Validity All Languages in NP Have ZeroKnowledge Proof Systems or ODED GOLDREICH Technion, Haifa, Israel SILVIO MICALI Massachusetts Institute of Technology, Catnbridge,
More informationAnalysis of dynamic sensor networks: power law then what?
Analysis of dynamic sensor networks: power law then what? (Invited Paper) Éric Fleury, JeanLoup Guillaume CITI / ARES INRIA INSA de Lyon F9 Villeurbanne FRANCE Céline Robardet LIRIS / CNRS UMR INSA de
More informationHypercomputation: computing more than the Turing machine
Hypercomputation: computing more than the Turing machine Abstract: Toby Ord Department of Philosophy * The University of Melbourne t.ord@pgrad.unimelb.edu.au In this report I provide an introduction to
More information