Power of Quantum Computation with Few Clean Qubits

This paper investigates the power of polynomial-time quantum computation in which only a very limited number of qubits are initially clean in the |0> state, and all the remaining qubits are initially in the totally mixed state. No initializations of qubits are allowed during the computation, nor intermediate measurements. The main results of this paper are unexpectedly strong error-reducible properties of such quantum computations. It is proved that any problem solvable by a polynomial-time quantum computation with one-sided bounded error that uses logarithmically many clean qubits can also be solvable with exponentially small one-sided error using just two clean qubits, and with polynomially small one-sided error using just one clean qubit. It is further proved in the case of two-sided bounded error that any problem solvable by such a computation with a constant gap between completeness and soundness using logarithmically many clean qubits can also be solvable with exponentially small two-sided error using just two clean qubits. If only one clean qubit is available, the problem is again still solvable with exponentially small error in one of the completeness and soundness and polynomially small error in the other. As an immediate consequence of the above result for the two-sided-error case, it follows that the TRACE ESTIMATION problem defined with fixed constant threshold parameters is complete for the classes of problems solvable by polynomial-time quantum computations with completeness 2/3 and soundness 1/3 using logarithmically many clean qubits and just one clean qubit. The techniques used for proving the error-reduction results may be of independent interest in themselves, and one of the technical tools can also be used to show the hardness of weak classical simulations of one-clean-qubit computations (i.e., DQC1 computations).Comment: 44 pages + cover page; the results in Section 8 are overlapping with the main results in arXiv:1409.677

Quantum Commuting Circuits and Complexity of Ising Partition Functions

Instantaneous quantum polynomial-time (IQP) computation is a class of quantum computation consisting only of commuting two-qubit gates and is not universal in the sense of standard quantum computation. Nevertheless, it has been shown that if there is a classical algorithm that can simulate IQP efficiently, the polynomial hierarchy (PH) collapses at the third level, which is highly implausible. However, the origin of the classical intractability is still less understood. Here we establish a relationship between IQP and computational complexity of the partition functions of Ising models. We apply the established relationship in two opposite directions. One direction is to find subclasses of IQP that are classically efficiently simulatable in the strong sense, by using exact solvability of certain types of Ising models. Another direction is applying quantum computational complexity of IQP to investigate (im)possibility of efficient classical approximations of Ising models with imaginary coupling constants. Specifically, we show that there is no fully polynomial randomized approximation scheme (FPRAS) for Ising models with almost all imaginary coupling constants even on a planar graph of a bounded degree, unless the PH collapses at the third level. Furthermore, we also show a multiplicative approximation of such a class of Ising partition functions is at least as hard as a multiplicative approximation for the output distribution of an arbitrary quantum circuit.Comment: 36 pages, 5 figure

A Survey of Symbolic Methods in Computational Analysis of Cryptographic Systems

Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomial-time attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear. For more than twenty years the two approaches have coexisted but evolved mostly independently. Recently, significant research efforts attempt to develop paradigms for cryptographic systems analysis that combines the best of both worlds. There are two broad directions that have been followed. {\em Computational soundness} aims to establish sufficient conditions under which results obtained using symbolic models imply security under computational models. The {\em direct approach} aims to apply the principles and the techniques developed in the context of symbolic models directly to computational ones. In this paper we survey existing results along both of these directions. Our goal is to provide a rather complete summary that could act as a quick reference for researchers who want to contribute to the field, want to make use of existing results, or just want to get a better picture of what results already exist

Cryptographically sound analysis of security protocols

In this thesis, we show how formal methods can be used for the cryptographically sound verification of concrete implementations of security protocols in order to obtain trustworthy and meaningful proofs, and to eliminate human inaccuracies. First, we show how to derive secure concrete implementations of a given abstract specification. The security proofs are essentially based on the well-established approach of bisimulation which can be formally verified yielding rigorous proofs. As an example, we present both a specification and a secure implementation of secure message transmission with ordered channels. Moreover, the example comprises a general methodology how secure implementation of arbitrary specifications can be obtained. Thereafter, we concentrate on the actual goals the protocol should fulfill. Thus, we define integrity properties in our underlying model and we show that logic derivations among them carry over specification to the concrete implementation, which makes them accessible for tool-assisted verification. As an example, we formally verify one concrete protocol using the theorem prover PVS yielding the first machine-aided and sound proof of a cryptographic protocol. As additional properties of security protocols, we consider liveness and noninterference. The standard definition of these properties is not suited to cope with protocols involving real cryptographic primitives, so we introduce new definitions which are restricted to polynomial runs and include error probabilities. We show that both properties carry over from the specification to the concrete implementation, and we present two examples, one for each property, which we prove to fulfill our definitions.Diese Arbeit behandelt formale Verifikation von Sicherheitsprotokollen mit dem Ziel,maschinell verifizierte Beweise zu ermöglichen, die die kryptographische Semantik respektieren, d.h., deren Aussagen bzgl. der zugrundeliegenden Kryptographie und den kryptographischen Sicherheitsdefinitionen gültig sind (engl. cryptographically sound proofs).Als erstes zeigen wir, wie formale Methoden benutzt werden können, um sichere konkrete Implementationen anhand einer gegebenen abstrakten Spezifikation herzuleiten. Wir geben dafür eine allgemeingültige Methodologie an, die auf formal verifizierten Bisimulationen basiert, was uns rigorose und glaubhafte Sicherheitsbeweise liefert. Als Beispiel geben wir eine Spezifikation und eine konkrete Implementation für sichere geordnete Nachrichtenübertragung an. Die im Sicherheitsbeispiel der Implementation auftretende Bisimulation verifizieren wir mit Hilfe des Theorembeweisers PVS. Als zweites konzentrieren wir uns auf die Ziele, die ein Sicherheitsprotokoll erfüllen soll. Wir definieren Integritätseigenschaften in unserem zugrundeliegenden Modell, und wir beweisen, dass sich logische Schlussfolgerungen bzgl. dieser Eigenschaften von der Spezifikation auf die Implementation übertragen, was eine essentielle Voraussetzung für maschinelle Verifikation darstellt. Als Beispiel verifizieren wir ein konkretes Protokoll mit Hilfe des Theorembeweisers PVS, was uns den ersten Beweis eines Sicherheitsprotokolls liefert, der sowohl maschinell verifiziert ist als auch der kryptographischen Semantik "treu'; bleibt, d.h., der wirklich ein Beweis gegen die kryptographischen Primitive und deren kryptographische Sicherheitsdefinitionen ist. Als zusätzliche Eigenschaften von Sicherheitsprotokollen betrachten wir Lebendigkeit (engl. liveness) und Unbeeinflussbarkeit (engl. non-interference). Da sich die Standarddefinition dieser wichtigen Eigenschaften als ungeeignet für echte Kryptographie herausstellt, führen wir allgemeinere Definitionen ein, die auf polynomielle Länge beschränkt sind und Fehlerwahrscheinlichkeiten berücksichtigen.Wir zeigen, dass sich diese Eigenschaften von der Spezifikation auf die Implementation übertragen,was wiederum den Bezug zu formalen Methoden herstellt. Wir präsentieren zwei Beispiele, je eines für jede Eigenschaft, von denen wir beweisen, dass sie die entsprechende Definition erfüllen