quanta, ciphers and computers - arthur ekert

New Physics, Cambridge University Press May 2004

1

QUANTA, CIPHERS AND COMPUTERS

ARTUR EKERT

Department of Applied Mathematics and Theoretical Physics, University of Cambridge, Cambridge CB3 0WA, U.K.

and Department of Physics, National University of Singapore.

Singapore 117542, Singapore.

1 Introduction Computation is an operation on symbols. We tend to perceive symbols as abstract

entities, such as numbers or letters from a given alphabet. However, symbols are

always represented by selected properties of physical objects. The binary string

10011011010011010110101101

may represent an abstract concept, such as number 40711597, but the binary symbols 0

and 1 have also a physical existence of their own. It could be ink on paper (this is most

likely how you see them when you are reading these words), glowing pixels on a

computer screen (this is how I see them now when I am writing these words), or

different charges or voltages (this is how my word processor sees them). If symbols are

physical objects and if computation is an operation on symbols then computation is a

physical process. Thus any computation can be viewed in terms of physical

experiments which produce outputs that depend on initial preparations called inputs.

This sentence may sound very innocuous but its consequences are anything but trivial!

On the atomic scale matter obeys the rules of quantum mechanics, which are quite

different from the classical rules that determine the properties of conventional

computers. Today's advanced lithographic techniques can etch logic gates and wires

less than a micron across onto the surfaces of silicon chips. Soon they will yield even


2

smaller parts and inevitably reach a point where logic gates are so small that they are

made out of only a handful of atoms. So, if computers are to become smaller in the

future, new, quantum technology must replace or supplement what we have now. The

point is, however, that quantum technology can offer much more than cramming more

and more bits to silicon and multiplying the clock-speed of microprocessors. It can

support entirely new kind of computation, known as quantum computation, with

qualitatively new algorithms based on quantum principles.

The potential power of quantum phenomena to perform computations was first

adumbrated in a talk given by Richard Feynman at the First Conference on the Physics

of Computation, held at MIT in 1981. He observed that it appeared to be impossible, in

general, to simulate an evolution of a quantum system on a classical computer in an

efficient way. The computer simulation of quantum evolution typically involves an

exponential slowdown in time, compared with the natural evolution, essentially

because the amount of classical information required to describe the evolving quantum

state is exponentially larger than that required to describe the corresponding classical

system with a similar accuracy. However, instead of viewing this intractability as an

obstacle, Feynman regarded it as an opportunity. He pointed out that if it requires that

much computation to work out what will happen in a quantum multi-particle

interference experiment, then the very act of setting up such an experiment and

measuring the outcome is equivalent to performing a complex computation.

The foundations of the quantum theory of computation were laid down in 1985 when

David Deutsch, of the University of Oxford, published a crucial theoretical paper in

which he described a universal quantum computer and a simple quantum algorithm.

Since then, the hunt has been on for interesting things for quantum computers to do,

and at the same time, for the scientific and technological advances that could allow us

to build quantum computers.

A sequence of steadily improving quantum algorithms led to a major breakthrough in

1994, when Peter Shor, of AT&Ts Bell Laboratories in New Jersey, discovered a


3

quantum algorithm that could perform efficient factorisation. Since the intractability of

factorisation underpins the security of many methods of encryption, including the most

popular public key cryptosystem RSA (named after its inventors Rivest, Shamir and

Adelman).1 Shor's algorithm was soon hailed as the first `killer application' for

quantum computation -- something very useful that only a quantum computer could do.

By some strange coincidence, several of the superior features of quantum computers

have applications in cryptanalysis. Once a quantum computer is built many popular

ciphers will become insecure. Indeed, in one sense they are already insecure. For

example, any RSA-encrypted message that is recorded today will become readable

moments after the first quantum factorisation engine is switched on, and therefore RSA

cannot be used for securely transmitting any information that will still need to be secret

on that happy day. Admittedly, that day is probably decades away, but can anyone

prove, or give any reliable assurance, that it is? Confidence in the slowness of

technological progress is all that the security of the RSA system now rests on.

What quantum computation takes away with one hand, it returns, at least partially, with

the other. Quantum cryptography offers new methods of secure communication that are

not threatened by the power of quantum computers. Unlike all classical cryptography it

relies on the laws of physics rather than on ensuring that successful eavesdropping

would require excessive computational effort.

1 In December 1997 the British Government officially confirmed that public-key cryptography was originally invented at the Government Communications Headquarters (GCHQ) in Cheltenham. By 1975, James Ellis, Clifford Cocks, and Malcolm Williamson from GCHQ had discovered what was later re discovered in academia and became known as RSA and Diffie-Hellman key exchange.


4

Quantum cryptography was discovered independently in the

US and Europe. The first one to propose it was Stephen

Wiesner (shown on the left), then at Columbia University in

New York, who, in the early 1970's, introduced the concept

of quantum conjugate coding. He showed how to store or

transmit two messages by encoding them in two conjugate

observables, such as linear and circular polarization of light,

so that either, but not both, of which may be received and

decoded. He illustrated his idea with a design of unforgeable

bank notes. A decade later, building upon this work, Charles

H. Bennett, of the IBM T.J. Watson Research Center, and Gilles Brassard, of the

Universit de Montral, proposed a method for secure communication based on

Wiesners conjugate observables.

In 1990, independently and initially unaware of the earlier work, Artur Ekert, then a

Ph.D. student at the University of Oxford, developed a different approach to quantum

cryptography based on peculiar quantum correlations known as quantum entanglement.

Since then quantum cryptography has evolved into a thriving experimental area and is

quickly becoming a commercial proposition.

This popular account is aimed to provide some insights into the fascinating world of

quantum phenomena and the way we exploit them for computation and secure

communication.

2 From bits to qubits To explain what makes quantum computers so different from their classical

counterparts, we begin with a basic chunk of information, namely one bit. From a

physicists point of view a bit is a physical system which can be prepared in one of two


5

different states, representing two logical values: no or yes, false or true, or simply 0 or

1. For example, in digital computers, the voltage between the plates in a capacitor

represents a bit of information: a charged capacitor denotes bit value 1 and an

uncharged capacitor bit value 0. One bit of information can be also encoded using two

different polarisations of light or two different electronic states of an atom. However, if

we choose a quantum system, such as an atom, as a physical bit then quantum

mechanics tells us that apart from the two distinct electronic states the atom can be also

prepared in a coherent superposition of the two states. This means that the atom is

both in state 0 and state 1. Such a physical object is called a quantum bit or a qubit.

To get used to the idea that a qubit can represent two bit values at once it is helpful

to consider the following experiment. Let us try to reflect a single photon off a half-

silvered mirror, i.e. a mirror which reflects exactly half of the light which impinges

upon it, while the remaining half is transmitted directly through it (Figure 1). Such a

mirror is also known as a beam-splitter.

Figure 1. Half-silvered mirror, or a beam-splitter, as a simple quantum logic gate. Let the photon in the reflected beam represents logical 0 and the photon in the

transmitted beam the logical 1. Where is the photon after its encounter with the beam-

0 Input 0

Input 1

Output 0

1 Output 1


6

splitter, in the reflected or in the transmitted beam? Does the photon at the output

represent logical 0 or logical 1?

One thing we know is that the photon doesn't split in two thus it seems sensible to

say that the photon is either in the transmitted or in the reflected beam with the same

probability. That is, one might expect the photon to take one of the two paths, choosing

randomly which way to go. Indeed, if we place two photodetectors behind the half-

silvered mirror directly in the lines of the two beams, the photon will be registered with

the same probability either in the detector 0 or in the detector 1. Does it really

mean that after the half-silvered mirror the photon travels in either reflected or

transmitted beam with the same probability 50% ? No, it does not! In fact the photon

takes two paths at once.

This can be demonstrated by recombining the two beams with the help of two fully

silvered mirrors and placing another half-silvered mirror at their meeting point, with

two photodectors in direct lines of the two beams (Figure 2) .

0

1

Input 0

Input 1

Output 0

Output 1

Figure 2. Two concatenated beam-splitters affect logical NOT gate. Thus each beam-splitter separately represents an inherently quantum operation called the square root of NOT.


7

If it was merely the case that there was a 50% chance that the photon followed one

path and a 50% chance that it followed the other, then we should find a 50%

probability that one of the detectors registers the photon and a 50% probability that the

other one does. However, that is not what happens. If the two possible paths are exactly

equal in length, then it turns out that there is a 100% probability that the photon reaches

the detector 1 and 0 per cent probability that it reaches the other detector 0. Thus the

photon is certain to strike the detector 1.

The inescapable conclusion is that the photon must, in some sense, have travelled both

routes at once, for if either of the two paths is blocked by an absorbing screen, it

immediately becomes equally probable that 0 or 1 is struck. In other words, blocking

off either of the paths illuminates 0; with both paths open, the photon somehow is

prevented from reaching 0.

Furthermore, if we insert slivers of glass of different thickness into each path (see

Figure 3) then we can observe a truly amazing quantum interference phenomenon. We can

choose the thickness of the glass, and hence the effective optical length of each path, in

such a way that the photon can be directed to any of the two detectors with any

prescribed probability.


8

Figure 3. Quantum interference.

In particular, when the difference in the thickness of the two slivers is chosen

appropriately the photon will certainly emerge at detector 0 instead of detector 1.

The photon reacts only to the difference in the thickness of the slivers located in the

two different paths - more evidence that the photon must have travelled both paths at

once - and each path contributes to the final outcome. Thus the output of the beam-

splitter does not represent either 0 or 1 but a truly quantum superposition of the

two bit values.

From a computational point of view a beam-splitter is an elementary quantum logic

gate, operating on a single qubit. It is quite a remarkable logic gate which can be called the

square root of NOT ( NOT ) because the logical operation NOT is obtained as the result of two consecutive applications of beam-splitters (see Figure 2). This purely quantum

operation has no counterpart in classical logic and forms one of the elementary building

blocks of a quantum computer.

0

1

Input 0

Input 1

Output 0

Output 1


9

3 Entanglement The idea of superposition of numbers can be pushed further. Consider a register

composed of three physical bits. Any classical register of that type can store, in a given

moment of time, only one out of eight different numbers i.e. the register can be in only

one out of eight possible configurations such as 000, 001, 010, ... 111. A quantum

register composed of three qubits can store, in a given moment of time, all eight

numbers in a quantum superposition. It is quite remarkable that all eight numbers are

physically present in the register but it should be no more surprising than a qubit being

both in state 0 and 1 at the output of a beam-splitter. If we keep adding qubits to the

register we increase its storage capacity exponentially i.e. three qubits can store 8

different numbers at once, four qubits can store 16 different numbers at once, and so

on; in general L qubits can store 2 L numbers at once.

Some superposition of numbers can be easily obtained by operating on individual

qubits, some require joint operations on two qubits. For example, a superposition of 00

and 10 can be generated by starting with two qubits in state 00 and applying the square

root of NOT to the first qubit. If we subsequently apply the same operation to the

second qubit we will turn the 00 component into a superposition 00 and 01, and the 10

component into a superposition of 10 and 11, which all together gives an equally

weighted superposition of the four numbers: 00, 10, 01, 11. Each of the two qubits is in

a superposition of 0 and 1, and the register made out of the two qubits is in a

superposition of all possible binary strings of length 2. In general, a register of L

qubits can be prepared in a superposition of all binary strings of length L by applying

the square root of NOT to each qubit in the register. However, operations on individual

qubits will never turn a quantum register in state 00 into, say, an equally weighted

superposition of 00 and 11, or a superposition of 01 and 10. Such superpositions are

special and their generation requires special quantum logic gates operating on two


10

qubits at a time. Qubits in such superpositions are said to be entangled. They cannot be

described by specifying the state of individual qubits and they may together share

information in a form which cannot be accessed in any experiment performed on either

of them alone. Erwin Schrdinger, who was probably the first to be baffled by this

quantum phenomenon, writing for the Cambridge Philosophical Society in 1935,

summarized it as follows

``When two systems, of which we know the states by their respective representatives, enter into temporary physical interaction due to known forces between them, and when after a time of mutual influence the systems separate again, then they can no longer be described in the same way as before, viz. by endowing each of them with a representative of its own. I would not call that one but rather the characteristic trait of quantum mechanics, the one that enforces its entire departure from classical lines of thought. By the interaction the two representatives [the quantum states] have become entangled.''

Figure 4. Schrdingers note on quantum states of interacting subsystems dating back to 1932-33. This seems to be the first known reference to the concept of quantum entanglement. It has been discovered recently by Matthias Christandl and Lawrence Ioannou, of Cambridge University, in the Schrdinger archive in Vienna. There are many entangling operation on two qubits. They require some form of

interaction between the qubits. One of them, analogous to the square root of NOT, is

the square root of SWAP. The classical SWAP operation interchanges the bit values of

two bits, e.g. 00 00, 01 10, 10 01, 11 11. However, there is no classical two-bit logic gate such that its two consecutive applications result in the logical operation

SWAP. Still, the square root of SWAP does exist. It is an inherently quantum logic


11

gate and can be obtained by switching on for a prescribed period of time the exchange

interaction between qubits. The resulting quantum dynamics takes the input state 01

half way towards the swapped state 10 and effectively generates a superposition of 01

and 10.

4 Quantum Boolean networks and their complexity The square root of SWAP together with the square root of NOT and phase shifters

(operations equivalent to those induced by the slivers of glass in Figure 3) allow

constructing arbitrary superpositions of binary strings of any length. They form an

adequate (universal) set of quantum gates. Once we can implement these operations

with sufficient precision we can perform any quantum computation. This is very

reminiscent of constructing classical computation out of simple primitives such as

logical NOT, AND, OR etc.

For example, if you need a superposition of 00 and 11 you can construct it using only

the square root of NOT and the square root of SWAP. Start with two qubits in state 00,

apply the square root of NOT twice to the first qubit, this gives state 10. (Of course,

this is just applying logical NOT, but the point is to use only the prescribed adequate

gates.) Then apply the square root of SWAP to obtain the superposition of 10 and 01.

Now comes an interesting part; once the register is prepared in an initial superposition

of different numbers quantum gates perform operations which affect all numbers in the

superposition. Thus if we apply the square root of NOT twice to the second qubit it will

turn 10 into 11 and 01 into 00, which gives the superposition of 00 and 11. It is

convenient to illustrate this sequence of operations in a diagram, shown in Figure 5.


12

Figure 5. An example of a quantum Boolean network operating on two qubits. The qubits are represented by the horizontal lines and quantum logic gates by rectangular icons. The operations are performed from the left to the right. The input consists of two qubits in state 00. The output is an entangled state of the two qubits an equally weighted superposition of 00 and 11. Such graphical representations are called quantum Boolean networks or quantum

circuits. Quantum computers, for all practical purposes, can be viewed as quantum

Boolean networks operating on many qubits.

In order to solve a particular problem, computers, be it classical or quantum, follow a

precise set of instructions that can be mechanically applied to yield the solution to any

given instance of the problem. A specification of this set of instructions is called an

algorithm. Examples of algorithms are the procedures taught in elementary schools for

adding and multiplying whole numbers; when these procedures are mechanically

applied, they always yield the correct result for any pair of whole numbers. Any

algorithm can be represented by a family of Boolean networks N1, N2, N3,... , where the

network Nn acts on all possible input instances of size n bits. Any useful algorithm

should have such a family specified by an example network, Nn, and a simple rule

explaining how to construct the network Nn+1 from the network Nn. These are called

uniform families of networks

NOT

SWAP

NOT

NOT NOT

0

0


13

The big issue in designing algorithms or their corresponding families of networks is the

optimal use of physical resources required to solve a problem. Complexity theory is

concerned with the inherent cost of computation in terms of some designated

elementary operations such as the number of elementary gates in the network (the size

of the network). An algorithm is said to be fast or efficient if the number of elementary

operations taken to execute it increases no faster than a polynomial function of the size

of the input. We generally take the input size to be the total number of bits needed to

specify the input (for example, a number N requires log2N bits of binary storage in a

computer). In the language of network complexity - an algorithm is said to be efficient

if it has a uniform and polynomial-size network family. Problems which do not have

efficient algorithms are known as hard problems.

From the computational complexity point of view, quantum networks are more

powerful than their classical counterparts. This is because individual quantum gates

operate not just on one number but on superpositions of many numbers. During such

evolution each number in the superposition is affected and as a result we generate a

massive parallel computation albeit in one piece of quantum hardware. This means that

a quantum gate, or a quantum network, can in only one computational step perform the

same mathematical operation on different input numbers encoded in coherent

superpositions of L qubits. In order to accomplish the same task any classical device

has to repeat the same computation 2L times or one has to use 2L processors working in

parallel. In other words a quantum computer offers an enormous gain in the use of

computational resources such as time and memory.

Here we should add that this gain is more subtle than the description above might

suggest. If we simply prepare a quantum register of L qubits in a superposition of 2L

numbers and then try to read a number out of it then we get only one, randomly chosen,

number. This is exactly like in our experiment in Figure 1 where a half-silvered mirror

prepares a photon in a superposition of the two paths but when the two photodetectors

are introduced we see the photon in only one of the two paths. This kind of situation is


14

of no use to us for although the register now holds all the 2L numbers, the laws of

physics only allow us to see one of them. However, recall the experiments from Figure

2 and Figure 3 where just the single answer 0 or 1 depends on each of the two

paths. In general quantum interference allows us to obtain a single, final result that

depends logically on all 2L of the intermediate results. One can imagine that each of the

2L computational paths is affected by a process which has an effect similar to that of

the sliver of glass in Figure 3. Thus each computational path contributes to the final

outcome. It is in this way, by quantum interference of many computational paths, a

quantum computer offers an enormous gain in the use of computational resources ---

though only in certain types of computation.

5 Quantum algorithms What types? As we have said, ordinary information storage is not one of them, for

although the computer now holds all the outcomes of 2L computations, the laws of

physics only allow us to see one of them. However, just as the single answer in the

experiments of Figure 2 and Figure 3 depends on information that travelled along each

of two paths, quantum interference now allows us to obtain a single, final result that

depends logically on all 2L of the intermediate results. This is how Shors algorithm

achieves the mind-boggling feat of efficient factorization of large integers.

5.1 Shors Algorithm As is well known, a naive way to factor an integer number N is based on checking the

remainder of the division of N by some number p smaller than N . If the remainder is 0, we conclude that p is a factor. This method is in fact very inefficient: with a

computer that can test for 10 10 different ps per second (this is faster than any

computer ever built), the average time to find the factor of a 60-digit long number

would exceed the age of the universe.


15

Rather than this naive division method, Shors algorithm relies on a slightly different

technique to perform efficient factorisation. The factorisation problem can be related to

evaluating the period of a certain function f which takes N as a parameter. Classical

computers cannot make much of this new method: finding the period of f requires

evaluating the function f many times. In fact mathematicians tell us that the average number of evaluation required to find the period is of the same order of the number of

divisions needed with the naive method we outlined first. With a quantum computer,

the situation is completely different quantum interference of many qubits can

effectively compute the period of f in such a way that we learn about the period without

learning about any particular value f (0), f (1), f(2), The algorithm mirrors our

simple interference experiment shown in Figure 3. We start by setting a quantum

register in a superposition of states representing 0, 1, 2, 3, 4 This operation is

analogous to the action of the first beam-splitter in Figure 3 which prepares a

superposition of 0 and 1. The next step is the function evaluation. The values f(0), f

(1), f(2), are computed in such a way that each of them modifies one computational

path by introducing a phase shift. This operation corresponds to the action of the

slivers of glass in Figure 3. Retrieving the period from a superposition of f (0), f (1),

f(2), requires bringing the computational paths together. In Figure 3 this role is

played by the second beam-splitter. In Shors algorithm the analogous operation is

known as a quantum Fourier transform. Subsequent bit by bit measurement of the

register gives a number, in the binary notation, which allows the period of f to be

estimated with a low probability of error. The most remarkable fact is that all these can

be accomplished with a uniform quantum network family of polynomial size!

Mathematicians believe (firmly, though they have not actually proved it) that in order

to factorise a number with L binary digits, any classical computer needs a number of

steps that grows exponentially with L: that is to say, adding one extra digit to the

number to be factorised generally multiplies the time required by a fixed factor. Thus,

as we increase the number of digits, the task rapidly becomes intractable. No one can

even conceive of how one might factorise, say, thousand-digit numbers by classical


16

means; the computation would take many times as long the estimated age of the

universe. In contrast, quantum computers could factor thousand-digit numbers in a

fraction of a second --- and the execution time would grow at most as the cube of the

number of digits.

5.2 Grovers Algorithm In Shors algorithm all computational paths are affected by a single act of quantum

function evaluation. This generates an interesting quantum interference that gives

observable effects at the output. If a computational step affects just one computational

path it has to be repeated several times. This is how another popular quantum

algorithm, discovered in 1996 by Lov Grover of AT&Ts Bell Laboratories in New

Jersey, searches an unsorted list of N items in only N or so steps.

Consider, for example, searching for a specific telephone number in a directory

containing a million entries, stored in the computer's memory in alphabetical order of

names. It is easily proved (and obvious) that no classical algorithm can improve on the

brute-force method of simply scanning the entries one by one until the given number is

found, which will, on average, require 500,000 memory accesses. A quantum computer

can examine all the entries simultaneously, in the time of a single access. However, if it

is merely programmed to print out the result at that point, there is no improvement over

the classical algorithm: only one of the million computational paths would have

checked the entry we are looking for, so there would be a probability of only one in a

million that we would obtain that information if we measured the computer's state. But

if we leave that quantum information in the computer, unmeasured, a further quantum

operation can cause that information to affect other paths, just as in the simple

interference experiment described above. It turns out that if this interference-generating

operation is repeated about 1000 times, (in general, N times) the information about which entry contains the desired number will be accessible to measurement with

probability 50% - i.e. it will have spread to more than half the terms in the


17

superposition. Therefore repeating the entire algorithm a few more times will find the

desired entry with a probability overwhelmingly close to 1.

One important application of Grovers algorithm might be, again, in cryptanalysis,

to attack classical cryptographic schemes such as DES (the Data Encryption Standard).

Cracking DES essentially requires a search among 1656 1072 u| possible keys. If these can be checked at a rate of, say, one million keys per second, a classical computer

would need over a thousand years to discover the correct key while a quantum

computer using Grovers algorithm would do it in less than four minutes.

6 Building quantum computers

In principle we know how to build a quantum computer: we can start with simple

quantum logic gates, such as the square root of NOT, the square root of SWAP, and

phase gates, and try to integrate them together into quantum networks (circuits).

However, subsequent logical operations usually involve more complicated physical

operations on more than one qubit. If we keep on putting quantum gates together into

circuits we will quickly run into some serious practical problems. The more interacting

qubits are involved the harder it tends to be to engineer the interaction that would

display the quantum interference. Apart from the technical difficulties of working at

single-atom and single-photon scales, one of the most important problems is that of

preventing the surrounding environment from being affected by the interactions that

generate quantum superpositions. The more components the more likely it is that

quantum computation will spread outside the computational unit and will irreversibly

dissipate useful information to the environment. This process is called decoherence.


18

Without any additional stabilization mechanism building a quantum computer is

like building a house of cards: we can build a layer or two, but when one contemplates

building a really tall house, the task seems hopeless. Not quite!

In principle we know how to handle errors due to decoherence provided that they

satisfy some assumptions, e.g. that errors occur independently on each of the qubits,

that the performance of gate operations on some qubits do not cause decoherence in

other qubits, that reliable quantum measurements can be made so that error detection

can take place, and that systematic errors in the operations associated with quantum

gates can be made very small. If all these assumptions are satisfied, then the fault-

tolerant quantum computation is possible. That is, efficient, reliable quantum-coherent

quantum computation of arbitrarily long duration is possible, even with faulty and

decohering components. Thus, errors can be corrected faster than they occur, even if

the error correction machinery is faulty.

The first models of quantum computers, proposed in the 1980s, were,

understandably, very abstract and in many ways totally impractical. In 1993 progress

towards a practical model took an encouraging turn when Seth Lloyd, then at Los

Alamos National Laboratory, and subsequently Adriano Barenco, David Deutsch and

Artur Ekert, of the University of Oxford, proposed a scheme for a potentially realizable

quantum computer. Lloyd considered a one-dimensional heteropolymer with three

types of weakly coupled qubits, which were subjected to a sequence of electromagnetic

pulses of well defined frequency and length. Barenco, Deutsch and Ekert showed how

to implement quantum computation in an array of single-electron quantum dots (see

Figure 6 ).


19

Figure 6. One of the first experimental schemes for quantum computation used an array of single-electron quantum dots. A dot is activated by applying suitable voltage to the two metal wires that cross at that dot. Similarly, several dots may be activated at the same time. Because the states of an active dot are asymmetrically charged, two adjacent active dots are each exposed to an additional electric field that depends on the others state. This way the resonant frequency of one dot depends on the state of the other. Light at carefully selected frequencies will selectively excite only adjacent, activated dots that are in certain states. Such conditional quantum dynamics are needed to implement quantum logic gates.

Although these early schemes showed how to translate mathematical prescriptions into

physical reality they were difficult to implement and to scale up, due to decoherence. In

1994 Ignacio Cirac and Peter Zoller, from the University of Innsbruck, came up with a

model that offered the possibility of fault tolerant quantum computation. It was quickly

recognized as a conceptual breakthrough in experimental quantum computation. They

considered a trap holding a number of ions in a straight line. The ions would be laser

cooled and then each ion could be selectively excited by a pulse of light from a laser

beam directed specifically at that ion. The trap would therefore act as a quantum

register with the internal state of each ion playing the role of a qubit. Pulses of light

can also induce vibrations of ions. The vibrations are shared by all of the ions in the trap


20

and they enable the transfer of quantum information in between distant ions and the

implementation of quantum logic gates (Figure 7). In mid-1995 Dave Wineland and his

colleagues at NIST (National Institute of Standards and Technology) in Boulder, Colorado,

used the idea of Cirac and Zoller to build the worlds first quantum gate operating on two

qubits.

Figure 7. Photograph of five beryllium ions in a linear ion trap. The separation between ions is approximately 10 microns. Pulses of light can selectively excite individual ions and induce vibrations of the whole line of ions. The vibrations inform other ions in the trap that a particular ion was excited; they play the same role as a data bus in conventional computers. This picture was taken in Dave Winelands laboratory at National Institute of Standards and Technology in Boulder, U.S.

Today there are many interesting approaches to experimental quantum computation and

related quantum technologies. The requirements for quantum hardware are simply

0.2 mm


21

stated but very demanding in practice. Firstly, a quantum register of multiple qubits

must be prepared in an addressable form, and isolated from environmental influences,

which cause the delicate quantum states to decohere. Secondly, although weakly

coupled to the outside world, the qubits must nevertheless be strongly coupled together

through an external control mechanism, in order to perform logic gate operations.

Thirdly, there must be a read-out method to determine the state of each qubit at the end

of the computation. There are many beautiful experiments which show that these

requirements, at least in principle, can be met. They involve technologies such linear

optics, nuclear magnetic resonance (NMR), trapped ions, cavity quantum

electrodynamics (QED), neutral atoms in optical lattices, interacting quantum dots,

superconducting devices, and many others. They are but a sample of the emerging field

of quantum information technology. At the moment it is not clear which particular

technology will be the ultimate winner.

7 The art of secure communication.

We have mentioned that several of the superior features of quantum computers have

applications in cryptanalysis i.e. in the art of breaking ciphers. The quantum answer to

quantum cryptanalysis is quantum cryptography.

Despite a long and colourful history, cryptography became part of mathematics and

information theory only in the late 1940s, mainly as a result of the work of Claude

Shannon of Bell Laboratories in New Jersey. Shannon showed that truly unbreakable

ciphers do exist and, in fact, they had been known for over 30 years. The one time pad,

devised in about 1918 by an American Telephone and Telegraph engineer named

Gilbert Vernam, is one of the simplest and most secure encryption schemes. The

message, also known as a plaintext, is converted to a sequence of numbers using a

publicly known digital alphabet (e.g. ASCII code) and then combined with another


22

sequence of random numbers called a key to produce a cryptogram. Both sender and

receiver must have two exact copies of the key beforehand; the sender needs the key to

encrypt the plaintext, the receiver needs the exact copy of the key to recover the

plaintext from the cryptogram. The randomness of the key wipes out various frequency

patterns in the cryptogam that are used by code-breakers to crack ciphers. Without the

key the cryptogram looks like a random sequence of numbers.

01011100 1100101010010110

plaintext

KEY

cryptogram

100101101100101001011100

01101001

KEY

cryptogram

plaintext

Figure 8. One time pad. The modern version ``one-time pad" is based on binary representation of messages and keys. The message is converted into a sequence of 0's and 1's and the key is another sequence of 0's and 1's of the same length. Each bit of the message is then combined with the respective bit of the key using addition in base 2, which has the rules 0+0=0, 0+1=1+0=1, 1+1=0. Because the key is a random string of 0's and 1's the resulting cryptogram---the plaintext plus the key---is also random and therefore completely scrambled unless one knows the key. The message is recovered by adding (in base 2 again) the key to the cryptogram.

There is a snag, however. All one-time pads suffer from a serious practical

drawback, known as the key distribution problem. Potential users have to agree

secretly, and in advance, on the key---a long, random sequence of 0's and 1's. Once


23

they have done this, they can use the key for enciphering and deciphering and the

resulting cryptograms can be transmitted publicly such as by radio or in a newspaper

without compromising the security of messages. But the key itself must be established

between the sender and the receiver by means of a very secure channel---for example, a

very secure telephone line, a private meeting or hand-delivery by a trusted courier.

Such a secure channel is usually available only at certain times and under certain

circumstances.

So users who are far apart, in order to guarantee perfect security of subsequent

crypto-communication, have to carry around with them an enormous amount of secret

and meaningless (as such) information (cryptographic keys), equal in volume to all the

messages they might later wish to send. For perfect security the key must be as long as

the message, in practice, however, in order not to distribute keys too often, much

shorter keys are used. For example, the most widely used commercial cipher, the Data

Encryption Standard, depends on a 56-bit secret key, which is reused for many

encryptions over a period of time. This simplifies the problem of secure key

distribution and storage, but it does not eliminate it.

Mathematicians tried very hard to eliminate the problem. The seventies brought a

clever mathematical discovery of the so-called public-key cryptosystems. They avoid the

key distribution problem but unfortunately their security depends on unproved

mathematical assumptions, such as the difficulty of factoring large integers.

8 Quantum key distribution

Physicists view the key distribution problem as a physical process associated with sending

information from one place to another. From this perspective eavesdropping is a set of

measurements performed on carriers of information. Until now, such eavesdropping has

depended on the eavesdropper having the best possible technology. Suppose an

eavesdropper is tapping a telephone line. Any measurement on the signal in the line may


24

disturb it and so leave traces. Legitimate users can try to guard against this by making their

own measurements on the line to detect the effect of tapping. However, the tappers will

escape detection provided the disturbances they cause are smaller than the disturbances that

the users can detect. So given the right equipment, eavesdropping can go undetected. Even

if legitimate users do detect an eavesdropper, what do they conclude if one day they find no

traces of interception? Has the eavesdropping stopped? Or has the eavesdropper acquired

better technology? The way round this problem of key distribution may lie in quantum

physics.

We have already mentioned that when two qubits representing logical 0 and 1 enter the

square root of SWAP gate they interact and emerge in an entangled state which is a

superposition of 01 and 10. They remain entangled even when they are separated and

transported, without any disturbance, to distant locations. Moreover, results of

measurements performed on the individual qubits at the two distant locations are

usually highly correlated.

For example, in a process called parametric down conversion we can entangle two

photons in such a way that their polarizations are anti-correlated. If we choose to test

linear polarization then one photon will be polarized vertically and the other one horizontally . The same is true if we choose to test circular polarization, one photon will carry left-handed and the other right-handed polarization. In general, the perfect anti-correlation appears if we carry out the same test on the two photons. The

individual results are completely random e.g. it is impossible to predict in advance if

we will get or on a single photon. Moreover, the laws of quantum physics forbid a simultaneous test of both linear and circular polarization on the same photon. Once the

photon is tested for linear polarization and we find out that it is, say, vertical then all information about its circular polarization is lost. Any subsequent test for circular

polarization will reveal either left-handed or right-handed with the same probability.


25

Both linear and circular polarization can be used for encoding the bits of information.

For example, we can agree that for linearly polarized photons stands for 0 and for 1, and for circularly polarized photons 0 is represented by and 1 by . However, for the decoding of these bits to be meaningful the receiver must know in

advance which type of test, or measurement, to carry out for each incoming photon.

Testing linear (circular) polarization on a photon that carries one bit of information

encoded in circular (linear) polarization will reveal nothing.

The quantum key distribution which we are going to discuss here is based on

distribution of photons with such anti-correlated polarizations. Imagine a source that

emits pairs of photons in an entangled state which can be viewed both a superposition

of and , and a superposition of and . The photons fly apart towards the two legitimate users, called Alice and Bob, who, for each incoming photon, decide

randomly and independently from each other whether to test linear or circular

polarization. A single run of the experiment may look like this

Alice

Bob

For the first pair both Alice and Bob decided to test circular polarization and their

results are perfectly anti-correlated. For the second pair Alice measured linear

polarization whilst Bob measured circular. In this case their results are not correlated at

all. In the third instant they both measured linear polarization and obtained perfectly

anti-correlated results, etc.

After completing all the measurements, Alice and Bob discuss their data in public

so that anybody can listen including their adversary, an eavesdropper called Eve, but


26

nobody can alter or suppress such public messages. Alice and Bob tell each other

which type of polarization they measured for each incoming photon but they do not

disclose the actual outcomes of the measurements. For example, for the first pair Alice

may say I measured circular polarization and Bob may confirm So did I. At this

point they know that the results in the first measurement are anti-correlated. Alice

knows that Bob registered because she registered , and vice versa. However, although Eve learns that the results are anti-correlated she does not know whether it is

for Alice and Bob, or for Alice and Bob. The two outcomes are equally likely, so the actual values of bits associated with different results are still secret.

Alice and Bob then discard instances in which they made measurement of different

types (shaded columns in the table below).

Alice

Bob

They end up with shorter strings which should now contain perfectly anti-correlated

entries. They check whether the two strings are indeed anti-correlated by comparing, in

public, randomly selected entries (shaded columns in the table below).

Alice

Bob


27

The publicly revealed entries are discarded and the remaining results can be translated

into a binary string, following the agreed upon encoding e.g. as in the table below.

Alice

Bob

KEY 1 0 0 0 0 0 1 1

In order to analyse security of the key distribution let us adopt the scenario that is most

favourable for eavesdropping, namely we will allow Eve to prepare all the photons and

send them to Alice and Bob!

Eves objective is to prepare the pairs in such a way that she can predict Alices and

Bobs results and that the pairs pass the anti-correlation test. This is impossible.

Suppose Eve prepares a pair of photons choosing randomly on of the four states: , , or . She then sends one photon to Alice and one to Bob. Let us assume that Alice and Bob measure the same type of polarization on their respective photons. If

Alice and Bob choose to measure the right type of polarization then they obtain anti-

correlated results but Eve knows the outcomes; if they choose to measure the wrong

type of polarization then, although the outcomes are random, they can still obtain anti-

correlated results with probability 50%. This will result in 25% of errors in the anti-

correlation test and in Eve knowing, on average, every second bit of the key. Eve may

want to reduce the error rate by entangling the photons. She can prepare them in a

state that is a superposition of and and also of and . In this case the pairs will pass the test without any errors but Eve has no clue about the results. Once


28

and (or and ) are locked in a superposition there is no way of knowing which component of the superposition will be detected in a subsequent measurement.

More technical eavesdropping analysis shows that all, however sophisticated,

eavesdropping strategies are doomed to fail, even if Eve has access to superior

technology, including quantum computers. The more information Eve has about the

key, the more disturbance she creates.

The key distribution procedure described above is somewhat idealised. The

problem is that there is, in principle, no way of distinguishing errors due to

eavesdropping from errors due to spurious interaction with the environment, which is

presumably always present. This implies that all quantum key distribution protocols

which do not address this problem are, strictly speaking, inoperable in the presence of

noise, since they require the transmission of messages to be suspended whenever an

eavesdropper (or, therefore, noise) is detected. Conversely, if we want a protocol that is

secure in the presence of noise, we must find one that allows secure transmission to

continue even in the presence of eavesdroppers. Several such protocols were designed.

They are based on two approaches, namely on purification of quantum entanglement,

proposed in this context by Deutsch, Ekert, Jozsa, Macchiavello, Popescu, and

Sanpera, and on classical error correction, pioneered by Dominic Mayers. More recently the two approaches have been unified and simplified by Peter Shor and John

Preskill.

Experimental quantum cryptography has rapidly evolved from early

demonstrations at the IBM T.J. Watson Research Laboratory in Yorktown Heights in

the U.S. and the Defence Research Agency in Malvern, in the U.K. to several beautiful

experiments that demonstrated full fledged quantum key distribution both in optical

fibres and free space. Quantum cryptography today is a commercial alternative to

more conventional, classical cryptography (see, for example, www.idQuantique.com or

www.MagiQtech.com ).


29

9 Concluding remarks

When the physics of computation was first investigated systematically in the

1970s, the main fear was that quantum-mechanical effects might place fundamental

bounds on the accuracy with which physical objects could realise the properties of bits,

logic gates, the composition of operations, and so on, which appear in the abstract and

mathematically sophisticated theory of computation. Thus it was feared that the power

and elegance of that theory, its deep concepts such as computational universality, its

deep results such as Turings halting theorem, and the more modern theory of

complexity, might all be mere figments of pure mathematics, not really relevant to

anything in nature.

Those fears have not only been proved groundless by the research we have been

describing, but also, in each case, the underlying aspiration has been wonderfully

vindicated to an extent that no one even dreamed of just twenty years ago. As we have

explained, quantum mechanics, far from placing limits on what classical computations

can be performed in nature, permits them all, and in addition provides whole new

modes of computation. As far as the elegance of the theory goes, researchers in the

field have now become accustomed to the fact that the real theory of computation

hangs together better, and fits in far more naturally with fundamental theories in other

fields, than its classical approximation could ever have been expected to.

Experimental and theoretical research in quantum computation and quantum

cryptography is now attracting increasing attention from both academic researchers and

industry worldwide. The idea that nature can be controlled and manipulated at the

quantum level is a powerful stimulus to the imagination of physicists and engineers.

There is almost daily progress in developing ever more promising technologies for


30

realising quantum information processing. There is potential here for truly

revolutionary innovations.

10 Further reading

For a lucid exposition of some of the deeper implications of quantum computing

see The Fabric of Reality by David Deutsch (Allen Lane, The Penguin Press, 1997).

For popular introduction to quantum information technology see Schrdinger's

Machines by Gerard Milburn, (W.H. Freeman & Company). Julian Brown in his

Minds, machines, and the multiverse (Simon & Schuster), gives a very readable

account of quantum information science. The Centre for Quantum Computation

(http://cam.qubit.org) has several WWW pages and links devoted to quantum

computation and cryptography.

quanta, ciphers and computers - arthur ekert

Documents

quantum computation

physics of computation

quantum system

quantum technology

quantum principles

new physics

new kind of computation

introduction computation