Applying Grover's algorithm to AES: quantum resource estimates

We present quantum circuits to implement an exhaustive key search for the Advanced Encryption Standard (AES) and analyze the quantum resources required to carry out such an attack. We consider the overall circuit size, the number of qubits, and the circuit depth as measures for the cost of the presented quantum algorithms. Throughout, we focus on Clifford$+T$ gates as the underlying fault-tolerant logical quantum gate set. In particular, for all three variants of AES (key size 128, 192, and 256 bit) that are standardized in FIPS-PUB 197, we establish precise bounds for the number of qubits and the number of elementary logical quantum gates that are needed to implement Grover's quantum algorithm to extract the key from a small number of AES plaintext-ciphertext pairs.Comment: 13 pages, 3 figures, 5 tables; to appear in: Proceedings of the 7th International Conference on Post-Quantum Cryptography (PQCrypto 2016

Layered architecture for quantum computing

We develop a layered quantum computer architecture, which is a systematic framework for tackling the individual challenges of developing a quantum computer while constructing a cohesive device design. We discuss many of the prominent techniques for implementing circuit-model quantum computing and introduce several new methods, with an emphasis on employing surface code quantum error correction. In doing so, we propose a new quantum computer architecture based on optical control of quantum dots. The timescales of physical hardware operations and logical, error-corrected quantum gates differ by several orders of magnitude. By dividing functionality into layers, we can design and analyze subsystems independently, demonstrating the value of our layered architectural approach. Using this concrete hardware platform, we provide resource analysis for executing fault-tolerant quantum algorithms for integer factoring and quantum simulation, finding that the quantum dot architecture we study could solve such problems on the timescale of days.Comment: 27 pages, 20 figure

Concrete resource analysis of the quantum linear system algorithm used to compute the electromagnetic scattering cross section of a 2D target

We provide a detailed estimate for the logical resource requirements of the quantum linear system algorithm (QLSA) [Phys. Rev. Lett. 103, 150502 (2009)] including the recently described elaborations [Phys. Rev. Lett. 110, 250504 (2013)]. Our resource estimates are based on the standard quantum-circuit model of quantum computation; they comprise circuit width, circuit depth, the number of qubits and ancilla qubits employed, and the overall number of elementary quantum gate operations as well as more specific gate counts for each elementary fault-tolerant gate from the standard set {X, Y, Z, H, S, T, CNOT}. To perform these estimates, we used an approach that combines manual analysis with automated estimates generated via the Quipper quantum programming language and compiler. Our estimates pertain to the example problem size N=332,020,680 beyond which, according to a crude big-O complexity comparison, QLSA is expected to run faster than the best known classical linear-system solving algorithm. For this problem size, a desired calculation accuracy 0.01 requires an approximate circuit width 340 and circuit depth of order $10^{25}$ if oracle costs are excluded, and a circuit width and depth of order $10^8$ and $10^{29}$, respectively, if oracle costs are included, indicating that the commonly ignored oracle resources are considerable. In addition to providing detailed logical resource estimates, it is also the purpose of this paper to demonstrate explicitly how these impressively large numbers arise with an actual circuit implementation of a quantum algorithm. While our estimates may prove to be conservative as more efficient advanced quantum-computation techniques are developed, they nevertheless provide a valid baseline for research targeting a reduction of the resource requirements, implying that a reduction by many orders of magnitude is necessary for the algorithm to become practical.Comment: 37 pages, 40 figure

Measurement-free fault-tolerant quantum error correction in near-term devices

Logical qubits can be protected from decoherence by performing QEC cycles repeatedly. Algorithms for fault-tolerant QEC must be compiled to the specific hardware platform under consideration in order to practically realize a quantum memory that operates for in principle arbitrary long times. All circuit components must be assumed as noisy unless specific assumptions about the form of the noise are made. Modern QEC schemes are challenging to implement experimentally in physical architectures where in-sequence measurements and feed-forward of classical information cannot be reliably executed fast enough or even at all. Here we provide a novel scheme to perform QEC cycles without the need of measuring qubits that is fully fault-tolerant with respect to all components used in the circuit. Our scheme can be used for any low-distance CSS code since its only requirement towards the underlying code is a transversal CNOT gate. Similarly to Steane-type EC, we coherently copy errors to a logical auxiliary qubit but then apply a coherent feedback operation from the auxiliary system to the logical data qubit. The logical auxiliary qubit is prepared fault-tolerantly without measurements, too. We benchmark logical failure rates of the scheme in comparison to a flag-qubit based EC cycle. We map out a parameter region where our scheme is feasible and estimate physical error rates necessary to achieve the break-even point of beneficial QEC with our scheme. We outline how our scheme could be implemented in ion traps and with neutral atoms in a tweezer array. For recently demonstrated capabilities of atom shuttling and native multi-atom Rydberg gates, we achieve moderate circuit depths and beneficial performance of our scheme while not breaking fault tolerance. These results thereby enable practical fault-tolerant QEC in hardware architectures that do not support mid-circuit measurements.Comment: 24 pages, 19 figure