
    Asymptotically faster quantum algorithms to solve multivariate quadratic equations

    This paper designs and analyzes a quantum algorithm to solve a system of $m$ quadratic equations in $n$ variables over a finite field $\mathbf{F}_q$. In the case $m = n$ and $q = 2$, under standard assumptions, the algorithm takes time $2^{(t+o(1))n}$ on a mesh-connected computer of area $2^{(a+o(1))n}$, where $t \approx 0.45743$ and $a \approx 0.01467$. The area-time product has asymptotic exponent $t + a \approx 0.47210$. For comparison, the area-time product of Grover's algorithm has asymptotic exponent $0.50000$. Parallelizing Grover's algorithm to reach asymptotic time exponent $0.45743$ requires asymptotic area exponent $0.08514$, much larger than $0.01467$.
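    Worked check of the parallel-Grover comparison in the abstract above (added here; it is not part of the paper's abstract, and the cost model for parallel Grover search is the standard one, assumed to match the paper's setup). Running Grover's search over an $n$-bit space on $P = 2^{pn}$ processors divides the $2^{n/2}$ iteration count by $\sqrt{P}$ while the area grows as $P$:

    $$
    T = 2^{(1/2 - p/2 + o(1))n}, \qquad A = 2^{(p + o(1))n}, \qquad AT = 2^{(1/2 + p/2 + o(1))n}.
    $$

    Setting $1/2 - p/2 = t \approx 0.45743$ gives $p = 1 - 2t \approx 0.08514$, the area exponent quoted in the abstract, and an $AT$ exponent of $1/2 + p/2 \approx 0.54257$, against $t + a \approx 0.47210$ for the new algorithm. Since the $AT$ exponent $1/2 + p/2$ is minimized at $p = 0$ (serial Grover, exponent $0.50000$), adding processors can only raise Grover's area-time product; the improvement claimed in the abstract comes from the algorithm itself, not from parallelism.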

    Fast Quantum Algorithm for Solving Multivariate Quadratic Equations

    In August 2015 the cryptographic world was shaken by a sudden and surprising announcement by the US National Security Agency (NSA) concerning plans to transition to post-quantum algorithms. Since this announcement, post-quantum cryptography has become a topic of primary interest for several standardization bodies. The transition from the currently deployed public-key algorithms to post-quantum algorithms has been found to be challenging in many aspects. In particular, the problem of evaluating the quantum-bit security of such post-quantum cryptosystems remains largely open. This question is of primary concern in the process of standardizing post-quantum cryptosystems. In this paper we consider the quantum security of the problem of solving a system of $m$ Boolean multivariate quadratic equations in $n$ variables ($\mathrm{MQ}_2$), a central problem in post-quantum cryptography. When $n = m$, under a natural algebraic assumption, we present a Las Vegas quantum algorithm solving $\mathrm{MQ}_2$ that requires the evaluation of, on average, $O(2^{0.462n})$ quantum gates. To our knowledge this is the fastest algorithm for solving $\mathrm{MQ}_2$.

    04401 Abstracts Collection -- Algorithms and Complexity for Continuous Problems

    From 26.09.04 to 01.10.04, the Dagstuhl Seminar ``Algorithms and Complexity for Continuous Problems'' was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar as well as abstracts of seminar results and ideas are put together in this paper. The first section describes the seminar topics and goals in general. Links to extended abstracts or full papers are provided, if available.

    Another Look at the Cost of Cryptographic Attacks

    This paper makes the case for considering the cost of cryptographic attacks as the main measure of their efficiency, instead of their time complexity. This allows, in our opinion, a more realistic assessment of the "risk" these attacks represent. This is half-and-half a position and a technical paper. Cryptographic attacks described in the literature are rarely implemented. Most exist only "on paper", and their main characteristic is that their estimated time complexity is small enough to break a given security property. However, when a cryptanalyst actually considers implementing an attack, she soon realizes that there is more to the story than time complexity. For instance, Wiener has shown that breaking double-DES costs $2^{6n/5}$, asymptotically more than exhaustive search on $n$ bits. We put forward the asymptotic cost of cryptographic attacks as a measure of their practicality. We discuss the shortcomings of the usual computational model and propose a simple abstract cryptographic machine on which it is easy to estimate the cost. We then study the asymptotic cost of several relevant algorithms: collision search, the three-list birthday problem (3XOR) and solving multivariate quadratic polynomial equations. We find that some smart algorithms cost much more than their time complexity suggests, while naive and simple algorithms may cost less. Some algorithms can be tuned to reduce their cost (this increases their time complexity).
    Foreword. A celebrated High Performance Computing paper entitled "Hitting the Memory Wall: Implications of the Obvious" [47] opens with these words: This brief note points out something obvious-something the authors "knew" without really understanding. With apologies to those who did understand, we offer it to those others who, like us, missed the point. We would like to do the same-but this note is not so short.

    A Hamiltonian Monte Carlo method for Bayesian Inference of Supermassive Black Hole Binaries

    We investigate the use of a Hamiltonian Monte Carlo to map out the posterior density function for supermassive black hole binaries. While previous Markov Chain Monte Carlo (MCMC) methods, such as Metropolis-Hastings MCMC, have been successfully employed for a number of different gravitational wave sources, these methods are essentially random walk algorithms. The Hamiltonian Monte Carlo treats the inverse likelihood surface as a "gravitational potential" and, by introducing canonical positions and momenta, dynamically evolves the Markov chain by solving Hamilton's equations of motion. We present an implementation of the Hamiltonian Markov Chain that is faster, and more efficient by a factor of approximately the dimension of the parameter space, than the standard MCMC. Comment: 16 pages, 8 figures.

    Quantum attacks on Bitcoin, and how to protect against them

    The key cryptographic protocols used to secure the internet and financial transactions of today are all susceptible to attack by the development of a sufficiently large quantum computer. One particular area at risk is cryptocurrencies, a market currently worth over 150 billion USD. We investigate the risk of Bitcoin, and other cryptocurrencies, to attacks by quantum computers. We find that the proof-of-work used by Bitcoin is relatively resistant to substantial speedup by quantum computers in the next 10 years, mainly because specialized ASIC miners are extremely fast compared to the estimated clock speed of near-term quantum computers. On the other hand, the elliptic curve signature scheme used by Bitcoin is much more at risk, and could be completely broken by a quantum computer as early as 2027, by the most optimistic estimates. We analyze an alternative proof-of-work called Momentum, based on finding collisions in a hash function, that is even more resistant to speedup by a quantum computer. We also review the available post-quantum signature schemes to see which one would best meet the security and efficiency requirements of blockchain applications. Comment: 21 pages, 6 figures. For a rough update on the progress of quantum devices and prognostications on the time from now to break digital signatures, see https://www.quantumcryptopocalypse.com/quantum-moores-law

    Coherent quantum LQG control

    Based on a recently developed notion of physical realizability for quantum linear stochastic systems, we formulate a quantum LQG optimal control problem for quantum linear stochastic systems where the controller itself may also be a quantum system and the plant output signal can be fully quantum. Such a control scheme is often referred to in the quantum control literature as "coherent feedback control". It distinguishes the present work from previous works on the quantum LQG problem where measurement is performed on the plant and the measurement signals are used as input to a fully classical controller with no quantum degrees of freedom. The difference in our formulation is the presence of additional non-linear and linear constraints on the coefficients of the sought-after controller, rendering the problem a type of constrained controller design problem. Due to the presence of these constraints our problem is inherently computationally hard, and this also distinguishes it in an important way from the standard LQG problem. We propose a numerical procedure for solving this problem based on an alternating projections algorithm and, as an initial demonstration of the feasibility of this approach, we provide fully quantum controller design examples in which numerical solutions to the problem were successfully obtained. For comparison, we also consider the case of classical linear controllers that use direct or indirect measurements, and show that there exists a fully quantum linear controller which offers an improvement in performance over the classical ones. Comment: 25 pages, 1 figure, revised and corrected version (mainly to Section 8). To be published in Automatica, Journal of IFAC, 200