SLIDE 1

Joint Work with: Kirsten Eisentraeger (Penn State) Sean Hallgren (Penn State) Alexei Kitaev (Caltech & KITP)

FANG SONG IQC, UNIVERSITY OF WATERLOO

SLIDE 2

Which problems have faster |quantum〉 algorithms than classical algorithms?

(Number theory problems are a good source.) ∃ poly-time quantum algorithms for:

  • Factoring and discrete logarithm [Shor’94]
  • Unit group in number fields
    • Degree-two fields (Pell’s equation as a special case) [Hallgren’02]
    • Constant degree [Hallgren’05, SchmidtVollmer’05]
  • Principal Ideal Problem (PIP) and class group computation
    • Constant-degree number fields [H’02’05, SV’05]

THIS WORK: arbitrary degree

Best known classical algorithms need super-polynomial time.

SLIDE 3

All these quantum alg’s fall into the framework of the Hidden Subgroup Problem (HSP).

INPUT: problem Π → (classical) reduction → HSP on a group $G$ → quantum algorithm → OUTPUT: solution to Π

Reduction & algorithm for HSP both need to be efficient.

SLIDE 4

Existing algorithms for constant-degree unit finding [H’02’05,SV05]

INPUT: constant-degree number field → classical reduction → HSP on $\mathbb{R}^{\mathrm{const}}$ → quantum algorithm → OUTPUT: units of the number field

Difficulty of extending to high degrees

  • Reduction takes exponential time in degree.
  • HSP instance in high dimension hard to solve.

SLIDE 5

Existing algorithms for constant-degree unit finding [H’02’05,SV05]

INPUT: constant-degree number field → classical reduction → HSP on $\mathbb{R}^{\mathrm{const}}$ → quantum algorithm → OUTPUT: units of the number field

Our algorithm for arbitrary-degree unit finding

INPUT: arbitrary degree $n$ number field → quantum reduction → HSP* on $\mathbb{R}^{O(n)}$ → new quantum algorithm → OUTPUT: units of the number field

*New definition: Continuous HSP

① ② ③ ④

SLIDE 6

Quantum Attacks on Classical Cryptography

  • Quantum algorithms can break classical crypto-systems
    • Anything based on factoring/D-Log [Shor94]: e.g. RSA encryption…
    • Buchmann-Williams key exchange (based on degree-two PIP) [H’02]
  • OPEN QUESTION: quantum attacks on (ideal) lattice-based crypto
    • Fully homomorphic encryption, code obfuscation, and more [Gentry09, SmartV’10, GGH+13…]
  • Our alg. deals with similar objects: ideal lattices in number fields
    • A classical approach [Dan Bernstein Blog 2014]
    • A key component: computing units in classical sub-exp. time
      → This part becomes (quantum) poly-time by our alg.

SLIDE 7

Roadmap of Our Algorithm

INPUT: arbitrary degree $n$ number field → quantum reduction → HSP* on $\mathbb{R}^{O(n)}$ → new quantum algorithm → OUTPUT: units of the number field

* New definition: Continuous HSP

① ② ③ ④

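SLIDE 8

Review: Hidden Subgroup Problem (HSP)

Given: oracle function $f: G \to S$, s.t. $\exists\, H \le G$,

1. (Periodic on $H$) $x - y \in H \Rightarrow f(x) = f(y)$

2. (Injective on $G/H$) $x - y \notin H \Rightarrow f(x) \ne f(y)$

Goal: Find (hidden subgroup) $H$.

[Figure: $f: G \to S$ sends the cosets $H$, $x + H$, $y + H$ to values $s_0, s_1, \dots, s_k$.]

  • Finite group $G$
  • Extend the definition to infinite group $\mathbb{Z}^m$
  • Extend to uncountable group $\mathbb{R}^m$: non-trivial!

An issue with discretization

  • Assume $f: \mathbb{R} \to S$ periodic with period $r \in \mathbb{R}$.
  • Digital computers can only evaluate $f$ on a discrete grid $\delta\mathbb{Z}$.

$f_\delta \triangleq f|_{\delta\mathbb{Z}}: \delta\mathbb{Z} \to S$ may lose HSP properties (e.g. periodic)!

[Figure: grid of spacing $\delta$ against the period marks $r, 2r, 3r$ ($r \in \mathbb{R}$); $f(kr)$ versus $f_\delta(\lfloor kr \rceil)$.]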

SLIDE 9

Define Continuous HSP on $\mathbb{R}^m$

  • Our definition (HSP on $\mathbb{R}^m$): make $f$ continuous
  • Previous definition: extra constraint on discrete $f_\delta$
    • E.g. pseudo-periodic [H’02]: $f_\delta(kr + x) = f_\delta(x)$ for most $x$.
    • Not suitable in high dimensions $\mathbb{R}^m$.

Given $f: \mathbb{R}^m \to \mathcal{H}$ (quantum states), s.t. $\exists\, H \le \mathbb{R}^m$,

1. (Periodic) $x - y \in H \Rightarrow |f(x)\rangle = |f(y)\rangle$.
2. (Pseudo-injective) $\min_{v \in H} \|x - y - v\| \ge r \Rightarrow |\langle f(x)|f(y)\rangle| \le \epsilon$. “$x - y$ far from $H$ ⇒ $\langle f(x)|f(y)\rangle$ small”
3. (Lipschitz) $\||f(x)\rangle - |f(y)\rangle\| \le a \cdot \|x - y\|$. “$x - y$ close to $H$ ⇒ $\langle f(x)|f(y)\rangle$ big”

Goal: Find (hidden subgroup) $H$.

SLIDE 10

Interesting HSP Instances

∃ efficient quantum algorithms

| Computational problems | Abelian HSP on $G$ |
|---|---|
| Discrete log | $\mathbb{Z}_N \times \mathbb{Z}_N$ |
| Factoring | $\mathbb{Z}$ |
| Unit group, PIP, class group, constant degree | $\mathbb{R}^{\mathrm{const}}$ |
| [This Work] Unit group, arbitrary degree $n$ | $\mathbb{R}^{O(n)}$ [New Definition] |

? efficient alg. (open question)

| Computational problems | Non-abelian HSP on $G$ |
|---|---|
| Graph isomorphism | Symmetric group $S_n$ |
| Unique shortest vector | Dihedral group $D_n$ |

SLIDE 11

Roadmap of Our Algorithm

INPUT: arbitrary degree $n$ number field → quantum reduction → HSP* on $\mathbb{R}^{O(n)}$ → new quantum algorithm → OUTPUT: units of the number field

* New definition: Continuous HSP

① ② ③ ④

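SLIDE 12

Number Field Basics

  • Number field $K \subseteq \mathbb{C}$: finite field extension of $\mathbb{Q}$.
    • Ex. 1 (Quadratic field). Take $d \in \mathbb{Z}$, $\mathbb{Q}(\sqrt{d}) = \{a + b\sqrt{d} : a, b \in \mathbb{Q}\}$.
    • Ex. 2 (Cyclotomic field). Take $\omega = e^{2\pi i/p}$, $p$ prime. $\mathbb{Q}(\omega) = \{a_0 + a_1\omega + \dots + a_{p-2}\omega^{p-2} : a_i \in \mathbb{Q}\}$.
  • Ring of integers $\mathcal{O}$: $K \cap$ {roots of monic irreducible polynomials in $\mathbb{Z}[X]$}.
  • Group of units $\mathcal{O}^*$: invertible elements in $\mathcal{O}$.

| Field $K$ | Ring of integers $\mathcal{O}$ | Unit group $\mathcal{O}^*$ |
|---|---|---|
| $\mathbb{Q}$ | $\mathbb{Z}$ | $\{\pm 1\}$ |
| $\mathbb{Q}(\sqrt{d}) = \{a + b\sqrt{d} : a, b \in \mathbb{Q}\}$ | $\mathbb{Z}[\sqrt{d}] = \{a + b\sqrt{d} : a, b \in \mathbb{Z}\}$ | $\mathcal{O}^* = \{\pm u^k : k \in \mathbb{Z}\}$ |

$d = 109$, $u = 158070671986249 + 15140424455100\sqrt{109}$

  • Exercise. Verify $u u^{-1} = 1$.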
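
A numerical check of the exercise above, as an added example that is not part of the original slides: it recomputes the $d = 109$ unit as the smallest solution of Pell's equation $x^2 - d y^2 = 1$ with the classical continued-fraction method and verifies $u u^{-1} = 1$ in exact integer arithmetic. All function names are hypothetical.

```python
from math import isqrt, log, sqrt

def pell_fundamental(d):
    """Smallest x, y > 0 with x^2 - d*y^2 = 1, from the continued fraction of sqrt(d)."""
    a0 = isqrt(d)
    if a0 * a0 == d:
        raise ValueError("d must not be a perfect square")
    m, q, a = 0, 1, a0          # state of the continued-fraction recurrence
    h_prev, h = 1, a0           # numerators of successive convergents
    k_prev, k = 0, 1            # denominators of successive convergents
    while h * h - d * k * k != 1:
        m = q * a - m
        q = (d - m * m) // q
        a = (a0 + m) // q
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
    return h, k

def mul(u, v, d):
    """(a + b*sqrt(d)) * (c + e*sqrt(d)), elements stored as exact integer pairs."""
    (a, b), (c, e) = u, v
    return (a * c + d * b * e, a * e + b * c)

def norm(u, d):
    """Algebraic norm: product of the conjugates a + b*sqrt(d) and a - b*sqrt(d)."""
    a, b = u
    return a * a - d * b * b

def power(u, k, d):
    """u^k for k >= 0 by repeated squaring."""
    result = (1, 0)
    while k:
        if k & 1:
            result = mul(result, u, d)
        u = mul(u, u, d)
        k >>= 1
    return result

D = 109
u = pell_fundamental(D)
u_inv = (u[0], -u[1])                     # the conjugate is u^-1 because norm(u) = 1
log_u = log(u[0] + u[1] * sqrt(D))        # log coordinate of u (floating point)

if __name__ == "__main__":
    print("u =", u)
    print("u * u^-1 =", mul(u, u_inv, D))
    print("norm(u^5) =", norm(power(u, 5, D), D))
    print("log|u| =", log_u)
```

The coefficients of $u$ have 15 digits although $d$ has three, which is why the later slides work with log coordinates of units rather than the units themselves.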
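
SLIDE 13

Complexity of Computing Unit Group

  • Two parameters for measuring computational complexity
    • Degree $n$: dimension of $K$ as vector space over $\mathbb{Q}$.
    • Discriminant $\Delta$: “size” of ring of integers. [more to come]

$\mathbb{Q}(\sqrt{d}) = \{a + b\sqrt{d} : a, b \in \mathbb{Q}\}$, $n = 2$, $\Delta \approx d$

$\mathbb{Q}(\omega) = \{a_0 + a_1\omega + \dots + a_{p-2}\omega^{p-2} : a_i \in \mathbb{Q}\}$, $n = p - 1$, $\Delta \approx p^p$

Goal: computation in time $\mathrm{poly}(n, \log\Delta)$.

  • Previous algorithms for computing units

| | Classical | Quantum |
|---|---|---|
| (Factoring) [reduces to $\mathbb{Q}(\sqrt{d})$ case] | $\exp((\log\Delta)^{1/3})$ | $\mathrm{poly}(\log\Delta)$ |
| $\mathbb{Q}(\sqrt{d})$ | $\exp((\log\Delta)^{1/2})$ | $\mathrm{poly}(\log\Delta)$ |
| $\mathbb{Q}(\omega_p)$ | $\exp(n, \log\Delta)$ | $\exp(n)\,\mathrm{poly}(\log\Delta)$ |
| This work | | $\mathrm{poly}(n, \log\Delta)$ |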

SLIDE 14

Roadmap of Our Algorithm

INPUT: arbitrary degree $n$ number field → quantum reduction → HSP* on $\mathbb{R}^{O(n)}$ → new quantum algorithm → OUTPUT: units of the number field

* New definition: Continuous HSP

① ② ③ ④

SLIDE 15

Outline of Quantum Reduction

  • 1. Identify $\mathcal{O}^*$ as a subgroup in $\mathbb{R}^m$, $m = O(n)$.
  • 2. Define $f: \mathbb{R}^m \to \mathcal{H}$ satisfying HSP properties.
    • (Periodic) $x - y \in \mathcal{O}^* \Rightarrow |f(x)\rangle = |f(y)\rangle$
    • (Pseudo-injective) $x - y$ far from $\mathcal{O}^*$ ⇒ $\langle f(x)|f(y)\rangle$ small
    • (Lipschitz) $x - y$ close to $\mathcal{O}^*$ ⇒ $\langle f(x)|f(y)\rangle$ big
  • 3. Compute $f$ by an efficient quantum algorithm. (omitted)

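SLIDE 16

Set Up Units as a Subgroup

Lattice $L(B) = \{a_1 v_1 + \dots + a_n v_n : a_i \in \mathbb{Z}\} \subseteq \mathbb{R}^n$

  • Basis $B$: $\{v_i \in \mathbb{R}^n : i = 1, \dots, n\}$
  • $L$ has (infinitely) many bases
  • $\det(L)$: volume of fundamental domain

  • $\mathcal{O}$ is identified with a lattice $\mathcal{O}$ in $\mathbb{R}^n$.
    • $z \in \mathcal{O} \mapsto z := (z_1, \dots, z_n) \in \mathbb{R}^n$ (conjugate vector representation)
    → Discriminant of $\mathcal{O}$: $\Delta = \det^2(\mathcal{O})$
  • Log coordinates of units: $z \in \mathcal{O}^* \to z_i \ne 0 \to$ write $u_i := \log|z_i|$
  • Fact: units have algebraic norm 1
    $z \in \mathcal{O}^* \to \mathcal{N}(z) = \prod z_i = 1 \to \sum u_i = 0$.

$\mathcal{O}^* \le \mathbb{R}^{n-1} = \{(u_1, \dots, u_n) \in \mathbb{R}^n : \sum u_i = 0\}$

N.B.: Not precise; sign/phase info. missing!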

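SLIDE 17

Define Hiding Function: Classical Part

$f$: $\mathbb{R}^{n-1} \xrightarrow{f_c}$ {lattices in $\mathbb{R}^n$} $\xrightarrow{f_q}$ {quantum states}

Input: $x = (x_1, \dots, x_n)^T$, $\sum x_i = 0$

Output: $L_x = e^x \mathcal{O}$

  • Stretch/Squeeze each coordinate
  • Example. $K = \mathbb{Q}(\sqrt{d})$, $d \in \mathbb{Z}^+$, $n = 2$, $\mathcal{O} \subseteq \mathbb{R}^2$. $\forall\, v = (v_1, v_2)^T \in \mathcal{O}$: $e^x v := (e^x v_1, e^{-x} v_2)^T$

    $f_c: (x, -x) \mapsto e^x \mathcal{O}$

  • Obs. $f_c$ preserves algebraic norm $\mathcal{N}(z) = \prod z_k$.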

SLIDE 18

Real Quadratic Example

Courtesy of Hallgren.

[Figure: the lattices $L_x \subseteq \mathbb{R}^2$ for $x \in \mathbb{R}$ under $f_c$; labels: 102, $n = 2$, $f_c: \mathbb{R} \to$ {lattices in $\mathbb{R}^2$}.]

SLIDE 19

Properties of $f_c$

$f_c: x \mapsto L = e^x \mathcal{O}$

  • $\mathcal{O}^*$-Periodic. (Fact: $u \in \mathcal{O}^* \Rightarrow u\mathcal{O} = \mathcal{O}$)
    • If $e^y \in \mathcal{O}^*$, then $e^{x+y}\mathcal{O} = e^x \mathcal{O}$.
  • (Lipschitz) “Small” shift in inputs → “Similar” lattices in outputs
  • (Pseudo-inj) “Big” shift in inputs → “Far-apart” (small overlap) lattices

! Computing $f_c$ delicate: $e^x$ doubly-exp. large & precision loss.

$f$: $\mathbb{R}^{n-1} \xrightarrow{f_c}$ {lattices in $\mathbb{R}^n$} $\xrightarrow{f_q}$ {quantum states}

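SLIDE 20

Define Hiding Function: Quantum Encoding

  • Issue: no unique representation for lattices in $\mathbb{R}^n$
    • $e^x \mathcal{O} = e^y \mathcal{O}$ same lattice, but $f_c(x)$ and $f_c(y)$ different bases.
  • Fix: encode lattices in quantum states!
    • Superposition over all lattice points

needed for Quantum HSP alg.

$f$: $\mathbb{R}^{n-1} \xrightarrow{f_c}$ {lattices in $\mathbb{R}^n$} $\xrightarrow{f_q}$ {quantum states}

$f_q: L \mapsto |L\rangle = \gamma \sum_{v \in L} \rho_s(v)\,|\mathrm{str}_\delta(v)\rangle$

  • $\rho_s(\cdot) = e^{-\pi\|\cdot\|^2/s^2}$: wide Gaussian envelope
  • $|\mathrm{str}_\delta(v)\rangle$: straddle encoding of $v \in \mathbb{R}^n$
    • Goal: $|\mathrm{str}_\delta(v)\rangle \approx |\mathrm{str}_\delta(v')\rangle$ iff. $v \approx v'$
    • Naïve approach fails: $\langle .0001|.0002\rangle = 0$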

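SLIDE 21

Quantum Straddle Encoding

  • Straddle encoding a real number in a quantum state.

$|\mathrm{str}_\delta(v)\rangle = \cos(t)\,|k\rangle + \sin(t)\,|k+1\rangle$

$k = \lfloor x/\delta \rfloor$, $t = x - k\delta$

[Figure, three panels: $v$ and $v'$ on the grid between $k\delta$ and $(k+1)\delta$ (spacing $\delta$), with angle $t$.]

  • $|v - v'| \ge 2\delta \Rightarrow \langle \mathrm{str}_\delta(v')|\mathrm{str}_\delta(v)\rangle = 0$
  • $|v - v'|$ small $\Rightarrow \langle \mathrm{str}_\delta(v')|\mathrm{str}_\delta(v)\rangle \approx 1$
  • Encode a vector in $\mathbb{R}^n$: coordinate-wise straddle encoding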
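
A classical simulation of the straddle encoding above, as an added example that is not part of the original slides: each state is stored as its two nonzero amplitudes, and the two overlap properties are checked next to the naive encoding that fails. The angle scaling $(\pi/2)(v - k\delta)/\delta$, the grid spacing and the sample points are assumptions; all function names are hypothetical.

```python
from math import cos, sin, pi, floor

def straddle(v, delta):
    """Amplitudes of |str_delta(v)> on the two grid points straddling v.

    Assumption: the angle is (pi/2) * (v - k*delta) / delta, so the state
    rotates from |k> to |k+1> as v crosses the cell [k*delta, (k+1)*delta].
    """
    k = floor(v / delta)
    t = (pi / 2) * (v - k * delta) / delta
    return {k: cos(t), k + 1: sin(t)}

def overlap(a, b):
    """Inner product of two real sparse states given as {basis index: amplitude}."""
    return sum(amp * b[idx] for idx, amp in a.items() if idx in b)

def straddle_overlap(v, w, delta):
    """<str(w)|str(v)> for real vectors: product of the coordinate-wise overlaps."""
    result = 1.0
    for vi, wi in zip(v, w):
        result *= overlap(straddle(vi, delta), straddle(wi, delta))
    return result

def naive_overlap(v, w):
    """Naive encoding |v>: every distinct real vector is its own basis state."""
    return 1.0 if tuple(v) == tuple(w) else 0.0

DELTA = 0.5  # constructed grid spacing

# Constructed sample points.
near = straddle_overlap([0.4999], [0.5001], DELTA)               # split by a grid line
far = straddle_overlap([0.30], [1.31], DELTA)                    # more than 2*delta apart
vec = straddle_overlap([0.4999, -1.20], [0.5001, -1.21], DELTA)  # two coordinates
naive = naive_overlap([0.0001], [0.0002])                        # the slide's failing case

if __name__ == "__main__":
    print("near:", near, "far:", far, "vector:", vec, "naive:", naive)
```

The `near` pair lies on opposite sides of a grid line, which is where rounding each value to its nearest grid point would map the two inputs to orthogonal basis states.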

SLIDE 22

Quantum Straddle Encoding: An Animation

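SLIDE 23

Properties of $f_q$

$f_q: L \mapsto |L\rangle = \gamma \sum \rho_s(v)\,|\mathrm{str}_\delta(v)\rangle$

  • $\langle L'|L\rangle \propto \sum_{v \in L,\, v' \in L'} \langle \mathrm{str}_\delta(v')|\mathrm{str}_\delta(v)\rangle$
    • $\|v - v'\|$ small $\Rightarrow \langle \mathrm{str}_\delta(v')|\mathrm{str}_\delta(v)\rangle \approx 1$
    • $\|v - v'\| \ge 2\delta \Rightarrow \langle \mathrm{str}_\delta(v')|\mathrm{str}_\delta(v)\rangle = 0$
  • $L \approx L' \Rightarrow \langle L'|L\rangle \approx 1$
  • $L$ & $L'$ small overlap $\Rightarrow \langle L'|L\rangle$ small

$f$: $\mathbb{R}^{n-1} \xrightarrow{f_c}$ {lattices in $\mathbb{R}^n$} $\xrightarrow{f_q}$ {quantum states}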

SLIDE 24

Establish HSP Properties

  • Theorem. $f = f_q \circ f_c$ is periodic over $\mathcal{O}^*$ with HSP properties.
    • (Lipschitz) $x - x'$ close to $\mathcal{O}^*$ $\xrightarrow{f_c}$ $L \approx L'$ $\xrightarrow{f_q}$ $\langle L'|L\rangle \approx 1$
    • (P-Inj.) $x - x'$ far from $\mathcal{O}^*$ $\xrightarrow{f_c}$ $L$ & $L'$ small overlap $\xrightarrow{f_q}$ $\langle L'|L\rangle$ small

$f$: $\mathbb{R}^{n-1} \xrightarrow{f_c}$ {lattices in $\mathbb{R}^n$} $\xrightarrow{f_q}$ {quantum states}

→ Invoke quantum HSP algorithm (next), we find $\mathcal{O}^*$ efficiently!

  • Applications of quantum straddle encoding
    • A canonical representation for real-valued lattices.
    • Can reduce existing (abelian) HSP to our HSP on $\mathbb{R}^m$.

SLIDE 25

Roadmap of Our Algorithm

INPUT: arbitrary degree $n$ number field → quantum reduction → HSP* on $\mathbb{R}^{O(n)}$ → new quantum algorithm → OUTPUT: units of the number field

* New definition: Continuous HSP

① ② ③ ④

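SLIDE 26

Solving HSP on $\mathbb{R}^m$: Main Idea

Input: oracle function $f$ that hides $H \subseteq \mathbb{R}^m$

Output: (Generators of) $H$?

  • Goal: get samples that approximate the ideal Fourier spectrum
  • Ideal world: $\hat f$ peaked at dual of $H$, i.e. $k/r$.
  • Reality: need to truncate and discretize $f$.

[Figure: real domain, $f: \mathbb{R} \to \mathcal{H}$ with marks at $-r$ and $r$ and grid spacing $\delta$; under $\mathcal{F}_{\mathbb{R}}$, Fourier spectrum $\hat f: \mathbb{R} \to \mathbb{C}$ with marks at $0$, $1/r$, $-1/r$.]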

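SLIDE 27

Effect of Truncation

  • Truncation: multiply $f$ by window function $W$.
  • Mult./Convolution Duality: $\mathcal{F}(fg) = \hat f * \hat g$

Need a smooth window:

$$w(x) = \begin{cases} \dfrac{1}{\sqrt{W/2}} \sin(\pi x / W), & x \in [0, W] \\ 0, & \text{otherwise} \end{cases}$$

[Figure: real domain and Fourier spectrum under $\mathcal{F}_{\mathbb{R}}$, with window $W$.]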

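SLIDE 28

Effect of Discretization

Discretization: restrict $f$ on grid $\delta\mathbb{Z}$, $f_\delta \triangleq f|_{\delta\mathbb{Z}}$.

  • Poisson Summation Formula

$$\hat{f_\delta}(z) = \sum_{k \in \mathbb{Z}} \hat f(z + k\delta^{-1})$$

  • $f$ Lipschitz → $\hat f$ small tail

Wrapping only causes small disturbance

[Figure: real domain and Fourier spectrum under $D_\delta$, grid spacing $\delta$; labels: $\mathbb{R}/\delta\mathbb{Z}$; $f = 1$, $\hat f = \delta(x)$.]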

SLIDE 29

Quantum Algorithm for HSP on $\mathbb{R}^m$

Ideal world: $\mathcal{F}_{\mathbb{R}}$

Reality: $D_\delta \circ W$

$\mathcal{F}_{\mathbb{Z}}$ → Our alg. samples from this spectrum (by phase estimation).

 Get “clean” sample w.p. 𝒫(

1 2𝑛).

  • Previous algorithms: $W f_\delta: \mathbb{Z}_N \to \mathcal{H}$, $N = W\delta^{-1}$, with $\mathcal{F}_{\mathbb{Z}_N}$ (quantum Fourier transform)
  • Our algorithm: $W f_\delta: \mathbb{Z} \to \mathcal{H}$, i.e. view it as an infinite sequence

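SLIDE 30

Quantum Algorithm for HSP on $\mathbb{R}^m$

Input: oracle function $f$ that hides $H \subseteq \mathbb{R}^m$

Output: (Generators of) $H$.

  • Our Algorithm:
    • Create $\sum_{x \in \mathbb{Z}} |x\rangle \otimes \sin(\delta x / W)\,|f(\delta x)\rangle$, $N = W\delta^{-1}$
    • $\mathcal{F}_{\mathbb{Z}}$: $|x\rangle \mapsto e^{2\pi i x y}\,|y\rangle$ over $y \in \mathbb{R}$, and measure. Implement by Phase Estimation.
    • Classical post-processing.
  • Existing Algorithm:
    • $\mathcal{F}_{\mathbb{Z}_N}$: $|x\rangle \mapsto \sum_{y \in \mathbb{Z}_N} e^{2\pi i x \cdot y / N}\,|y\rangle$ and measure.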

SLIDE 31

Discussion

  • Future Directions
    • Other problems in number fields, function fields…
    • Harness the power of the continuous (abelian) HSP framework
    • Solve (ideal) lattice problems
      Breaking lattice-based crypto?

→ Update: PIP and class group in arb. degree solved [BiasseSong’14]

Thank you!

Arbitrary degree $n$ number field → quantum reduction → HSP* on $\mathbb{R}^{O(n)}$ → new algorithm → units of the number field

* New definition: Continuous HSP