Encryption and Decryption Systems Using Post-Quantum Technology

Home , Quantum bus

ENCRYPTION AND DECRYPTION SYSTEMS USING POST-QUANTUM

TECHNOLOGY

A Thesis

Presented to the

Faculty of

California State Polytechnic University, Pomona

In Partial Fulfillment

Of the Requirements for the Degree

Master of Science

Computer Science

Juan Rodriguez

2020

SIGNATURE PAGE

THESIS: ENCRYPTION AND DECRYPTION SYSTEMS USING POST-QUANTUM TECHNOLOGY

AUTHOR: Juan Rodriguez

DATE SUBMITTED: Spring 2020

Department of Computer Science

Dr. Gilbert S. Young ______Thesis Committee Chair Computer Science

Dr. Yu Sun ______Computer Science

Dominick Atanasio ______Computer Science

ACKNOWLEDGEMENTS

First, I would like to thank God for guiding me throughout the years here at Cal

Poly Pomona as a master student. Although it was not easy for me to achieve to this point that I am today due to the responsibilities of managing a business, working at a teaching job and going to school at the same time, God gave me the knowledge and strength for me to be overcome any obstacles that were encountered during my master’s program.

Second, I would like to thank my parents and brother for always supporting and encouraging me to always push hard to become a successful person in life. Lastly, I would like to thank all the professors at Cal Poly Pomona, especially to Dr. Young, Dr.

Sun and Prof. Atanasio for always being here for me to assist and encourage me to finish my thesis. I also want to thank to Dr. Young, Dr. Sun and Prof. Atanasio for helping me reach another milestone in life.

iii

ABSTRACT

For decades, RSA algorithm has been the leading algorithm for encryption and decryption security system. The fact of using RSA infrastructure is that everything is performed using a server system, which are classical computers meaning that there are some limitations in processing power threshold. There are many leading companies, such as governments, financial and many other industries that currently uses RSA algorithm to encrypt their data whenever is being transferred between the computer and the server.

Today, there exists a newer technology that is more powerful than the classical computer that we are currently using today, and that innovative technology is quantum computing.

This technology can perform a brute-force attack, encryption and decryption process and many more at a very fast and impressive speed that no other technologies is able to perform. Due to its outstanding speed, this will open door to vulnerabilities, which means that if hackers gets their hands on the quantum technology and has knowledge of writing

PyQuil programs, then they will be able to successfully perform brute-force attack on

RSA system meaning that RSA algorithm will no longer be the safest security standard for industries to use. For this research study, experiments will be performed on several encryption and decryption post-quantum algorithms to compare and determine which of these algorithms are the most secure for the industry to utilize them for their encryption system. The algorithms that will be used in this experiment are Diffie-Hellman Key

Exchange, Merkle Signature Scheme, Ring-LWE Signature and Rainbow. In this experiment, the advantages and disadvantages of using these four algorithms will be determined alongside of determining the best post-quantum algorithm for encryption and decryption system.

TABLE OF CONTENTS

ACKNOWLEDGEMENTS ...... iii

ABSTRACT ...... iv

LIST OF TABLES ...... ix

LIST OF FIGURES ...... x

CHAPTER 1 – INTRODUCTION ...... 1

CHAPTER 2 – LITERATURE SURVEY ...... 3

2.1 – Quantum Computing ...... 3

2.1.1 – Quantum Computations ...... 4

2.1.2 – Notions of Quantum Computing ...... 11

2.1.3 – Quantum Gates...... 14

2.1.4 – Quantum Memory ...... 15

2.1.5 – Quantum CPU ...... 16

2.1.6 – Controlling and Measurement of Quantum Computing ...... 21

2.1.7 – No Cloning, Superpositions and Measurement ...... 25

2.1.8 – Quantum Error Correction ...... 35

2.1.9 – Multi-Qubit Systems: Tensor Products ...... 39

2.1.10 – Subject Reduction ...... 48

2.1.11 – Strong Normalization ...... 64

2.2 – Large Scale Quantum Computing ...... 87

2.2.1 – Gate Model Quantum Computers ...... 88

2.2.2 – Distributed Topologies ...... 91

2.2.3 – Physical Implementations of Quantum Computing ...... 92

2.3 – Quantum Algorithm Implementations ...... 96

2.3.1 – Managing Large-Scale Quantum Computing ...... 97

2.3.2 – Computational Problems ...... 98

2.3.3 – Quantum Computing Optimization...... 104

2.4 – Quantum Cryptography ...... 107

2.4.1 – Quantum Block Encryption Algorithm ...... 109

2.4.2 – Encryption Process...... 110

2.4.3 – Decryption Process ...... 116

2.4.4 – Security Analysis and Algorithm Operations ...... 117

2.4.5 – Key Management and Circuits for Encryption and Decryption ...... 121

2.5 – Diffie-Hellman Key Exchange...... 124

2.5.1 – Preliminaries ...... 126

2.5.2 – Reduction Algorithm ...... 129

2.5.3 – Interpolation ...... 130

2.5.4 – Fast Generator ...... 132

2.5.5 – Malicious Standards ...... 134

2.5.6 – Chebyshev Chaotic Map ...... 136

2.5.7 – The Process of Wang-Zhao’s Key Agreement Protocol ...... 139

2.5.8 – Improved Key Agreement Protocol ...... 145

2.5.9 – Performance Comparisons ...... 150

2.6 – Merkle Signature Scheme ...... 150

2.6.1 – Winternitz One-Time Signature Scheme ...... 151

2.6.2 – Merkle Signature Scheme ...... 155

2.6.3 – Recovering Winternitz Signature Key XiW ...... 160

2.6.4 – Determining Next Authentication Path Ai + 1 ...... 161

2.6.5 – Chained Merkle Signature Scheme ...... 164

2.6.6 – Merkle Cryptoprocessor High-Level Architecture ...... 166

2.6.7 – Hardware/Software Partitioning ...... 166

2.6.8 – Hardware/Software Interface ...... 168

2.6.9 – Hardware Architecture ...... 170

2.6.10 – MCP Sign Unit ...... 173

2.6.11 – Leaf Generator ...... 175

2.6.12 – Winternitz Sign Module ...... 178

2.6.13 – Stack Bank ...... 179

2.6.14 – Seed Generator ...... 181

2.6.15 – Roots & Auth-Path Buffer...... 181

2.6.16 – MCP Verify Unit ...... 182

2.6.17 – Message Hash Unit ...... 183

2.7 – Ring-LWE ...... 186

2.7.1 - NTRU ...... 188

2.7.2 – R-LWE Cryptographic Scheme ...... 188

2.7.3 – R-LWE Based Signature Scheme ...... 189

CHAPTER 3 – RESEARCH GOAL ...... 191

CHAPTER 4 – METHODOLOGY ...... 192

vii

4.1 – Diffie-Hellman Key Exchange...... 192

4.2 – Merkle Signature Scheme ...... 193

4.3 – Ring-LWE Signature ...... 194

CHAPTER 5 – EXPERIMENT RESULTS ...... 196

5.1 – Diffie-Hellman Key Exchange...... 196

5.2 – Merkle Signature Scheme ...... 196

5.3 – Ring-LWE Signature ...... 198

CHAPTER 6 – EXPERIMENT CONCLUSION ...... 200

CHAPTER 7 – CONCLUSION AND FUTURE WORKS ...... 202

REFERENCES ...... 204

viii

LIST OF TABLES

Table 1 - Grammar of Terms ...... 25

Table 2 - Grammar of Types ...... 26

Table 3 - Subtyping Relation on Types ...... 27

Table 4 - Type System ...... 27

Table 5 - Rewrite System ...... 30

Table 6 - Grammar of Types ...... 40

Table 7 - Grammar of Terms ...... 41

Table 8 - Subtyping Relation ...... 42

Table 9 - Table System ...... 42

Table 10 - Rewrite System ...... 43

Table 11 - The First Encryption Transformation ...... 112

Table 12 - The Second Encryption Transformation ...... 113

Table 13 - The Third Encryption Transformation ...... 114

Table 14 - Performance Comparison Between Wang-Zhao Protocol and Proposed

Protocol ...... 150

Table 15 - Hardware vs. Security Suitability for CMSS Based on Security and Hardware

...... 167

Table 16 - Merkle Cryptoprocessor Instruction Set ...... 168

Table 17 - MCP Parameters ...... 172

Table 18 - Stack Size for Merkle Tree of Height hmax ...... 179

LIST OF FIGURES

Figure 1 - Entangled Qubits in Superposition States ...... 5

Figure 2 - Gate-Model Quantum Computer Operation...... 6

Figure 3 - Quantum Annealing Based Computer Operation ...... 7

Figure 4 - Quantum Computer Architecture ...... 9

Figure 5 - The Quantum Circuit of Factorization Algorithm ...... 18

Figure 6 - The State of Register A After M1, But Before UIQFT ...... 18

Figure 7 - The State of Register A After UIQFT...... 19

Figure 8 - Derivation from Case Using Projective ...... 62

Figure 9 - Encryption of Classical Information Using Quantum Block Encryption

Algorithm ...... 122

Figure 10 - Decryption Using Quantum Block Encryption Algorithm...... 123

Figure 11 - Wang-Zhao’s Key Agreement Protocol ...... 140

Figure 12 - Improved Key Agreement Protocol ...... 145

Figure 13 - Winterniz One-Time Signature Scheme Process ...... 151

Figure 14 - W-OTS Key Generation Algorithm...... 153

Figure 15 - W-OTS Message Sign Algorithm ...... 154

Figure 16 - W-OTS Signature Verification Algorithm ...... 155

Figure 17 - Merkle Signature Scheme Hashing Tree ...... 156

Figure 18 - MSS Tree Construction ...... 158

Figure 19 - MSS Stack Content During Tree Construction ...... 159

Figure 20 - MSS Message Sign Algorithm ...... 159

Figure 21 - Signature Key Generation Scheme ...... 160

Figure 22 - Pseudo Random Number Generator Algorithm ...... 161

Figure 23 - Authentication Path Determination ...... 162

Figure 24 - MSS Signature Verification Algorithm ...... 163

Figure 25 - Chained Merkle Signature Scheme ...... 165

Figure 26 - Merkle Cryptoprocessor Architecture ...... 171

Figure 27 - MCP Sign Unit Architecture ...... 173

Figure 28 - Leaf Generator ...... 176

Figure 29 - Generator Mapping and Scheduling...... 177

Figure 30 - Winternitz Sign Module ...... 178

Figure 31 - Stack Bank Organization ...... 180

Figure 32 - MCP Verify Unit Data Path ...... 182

Figure 33 - SHA-512 Round ...... 184

Figure 34 - Pipeline Data Flow for SHA-512 Module ...... 185

CHAPTER 1 – INTRODUCTION

Computers has been around in our life for more than a decade and it is a tool that is necessary in life in order to be able to get productivity done. There are industries that are utilizing computers in order to get some productivity done. The type of data that are stored in computers and servers can contain confidential information, which there are hackers that are very interested in getting their hands on these types of information. In order to protect data from unauthorized access, many different companies has been adopting to RSA technology, which is considered to be the leading and the most safest encryption technology out there and that it is very hard to crack it down with the technology that are accessible at the time. All the technology that consumers and hackers use are classical computers, which has processing power limitation when it comes to performance and efficiency. If hackers were to perform a brute-force attack or any other types of attack on consumer’s infrastructure using the classical computer technology that hackers has access, it would take years to be able to hack into the consumer system if the

RSA system is configured correctly and optimized for best security practices. Due to the long brute-force attack process, hacker can get discouraged from proceeding with the hacking process.

There is a new technology that has been out for public use for specific use cases that is way more powerful and efficient than classical computers. This technology is called quantum computing. There is some manufacturer that has developed their own quantum computer system, such as D-Wave, Google, MIT, Oracle, IBM, Rigetti and many other manufacturers and has been available for use for quite some time for a fee. In classical computing, CPU are used for processing power, but in quantum computing, 1 qubits are the processing power, which is much faster than traditional CPU systems.

There are some companies such as D-Wave that has more than 1000 qubits, which is like having 1000 threads in CPU systems, which is super-fast and for any calculations that would take millions of years to solve in a classical computer can be done in few hours using quantum computing. Due to its outstanding capabilities that quantum computing brings to the world, there are some damages to be caused using quantum computing if the systems are fallen into the wrong hands, which are hackers. If hackers get access to quantum computing and becomes familiar with PyQuil, quantum assembly language run under Python, hackers would be able to use this technology to successfully perform brute-force attack on RSA systems. By being able to do this kind attacks will cause the

RSA systems to become vulnerable for getting hacking easily via quantum computing and therefore, many industries will need a better solution to be able to enforce high security standard on their data whether when they are securing in their server or when they are utilizing secure communications to transfer data between their workstations and servers.

CHAPTER 2 – LITERATURE SURVEY

This section will provide a brief overview of quantum computing, quantum cryptography as well as introducing four post-quantum cryptography algorithms that will be used in this experimental report. In quantum computing section, the overview of quantum computing, the components of quantum computing, the process of the way on how quantum computing works and use cases will be discussed. From there, then quantum cryptography will be discussed such as the overview, functionality process and the use cases. Lastly, four post-quantum cryptography algorithms that will be used are

Diffie-Hellman Key Exchange, Merkle Signature Scheme and Ring-LWE Signature will be discussed.

2.1 – Quantum Computing

Quantum computing offers solutions to solve complex computational problems at a fast rate that classical computer is not capable of performing. Solving a complex computational problem can take billions of years to accomplish in a classical computer while it could take few hours to solve the same problem in quantum computer. As of now, quantum computer system is available for use for a fee, which costs $2,000 per minute with D-Wave for example. There is no standard that would enforce on how applications should be coded in quantum computing. “In 1994, the Rivest-Shamir-Adleman (RSA) algorithm caused the ‘big bang’ of quantum computations and paved the way for the development of quantum computing technology and the evaluation of quantum computers. Quantum computers integrate several different elements – from a functional

3 point of view, such elements are similar to traditional functional ones (registers, gates, memories, buses, CPUs, storage devices), but in the physical layer, the structures of classical and quantum devices are fundamentally different” [1]. In quantum computing framework, quantum operations are applied on quantum registers, which would contain quantum states that would determine quantum superposition where the quantum states would be entangled while it is being maneuvered in quantum circuits. The architecture of classical computing is different from quantum computing since quantum computing uses the no-cloning theorem for their hardware restrictions that plays a role in prohibiting quantum mechanics from creating a duplicate quantum state since it would cause corruption to value that are consisted in quantum state. “The large-scale quantum computers are realized in a distributed setting, where smaller quantum computers communicate with one another via a quantum bus. These physically large quantum computers can also be shrunken into small-sized devices via new technologies in the next few years” [1].

2.1.1 – Quantum Computations

Currently, quantum computers utilize quantum mechanics to deal with the computing logic. The fundamental unit of a quantum computer is called a qubit, which stands for quantum bits. “The quantum state of qubits can be in superposition of their basis states, setting them apart from classical bits which can be in either of the two discrete states” [3]. Every value that are being passed around in quantum computer are represented as quantum states and the results that are computed by using several quantum mechanics strategies such as superposition, entanglement, noise interference, no-cloning

4 theorem, decoherence and much more that can be performed using quantum computer hardware. Infinite quantum states can be doable for qubits, but in the end, it would collapse into one of the basis states after measurement. “Another elegant property of qubits is their ability to form entangled states with each other, allowing them to form co- relations between individually random behaviors” [3].

Figure 1 - Entangled Qubits in Superposition States

Figure 1 shows a two-qubit system, where quantum computers use the qubit properties of superposition and entanglement to perform calculations. Two quantum computing architecture with differences in operation level, such as the gate-model quantum computer and the annealing-based quantum computer, are available for use.

Figure 2 - Gate-Model Quantum Computer Operation

Figure 2 shows the gate model using the quantum gates to manage qubit states and perform calculations. Quantum gate operations are applied to qubit states by sequence to lead the problem to a solution. Also, “the annealing-based model intrinsically realizes the quantum annealing algorithm for its operation, which quantum annealing is a quantum analogue of classical simulated annealing that permits quantum tunneling” [3].

Figure 3 - Quantum Annealing Based Computer Operation

Figure 3 shows quantum annealing being used to come up with a low-cost solution and to yield a global minimum ultimately. “Quantum annealing also exhibits convergence to the optimal or ground state with larger probability than simulated annealing” [3]. Even if the quantum annealing is equivalent to the gate model, the way they operate are different to one another. Annealing-based quantum computers are closer to discrete optimization problems compared to gate-model quantum computer as a perspective in optimization due “to the fact that annealing-based devices are built explicitly for optimization facilitated by quantum annealing, while a gate-model quantum computer follows a universal computation approach” [3]. By looking the pros and cons of annealing-based and gate-model quantum computing devices, the annealing-based quantum computers are more reliable than the gate-model quantum computers when it comes to solving optimization problems. Quantum annealing is an approach to escape local minima and to overcome barriers by tunneling through them. In quantum annealing,

“the system is initialized in the lowest-energy eigenstate of the initial Hamiltonian, which is a mathematical description of the physical system in terms of its energies and corresponds to the objective function of an optimization problem” [3]. From there, then

7 the annealing process will evolve the quantum state toward the Hamiltonian problem for the system which the user defines. “The influence of the initial Hamiltonian is also reduced adiabatically to yield an eigenstate of the problem Hamiltonian when the annealing schedule ends” [3]. The initial Hamiltonian amplitude will cause quantum tunneling between various classical states or the eigenstates of the Hamiltonian problem.

If the amplitude is decreased from a large value to zero, then the system will be in optimal state, which is considered to be the ground state of the Hamiltonian problem.

Quantum annealing gives a high chance to lead to the ground state with the same conditions as in the annealing schedule and its interactions.

Quantum annealing can be implemented using quantum computing devices from

D-Wave Systems, which problems would need to be formulated as an Ising model or a quadratic unconstrained binary optimization model (QUBO) as an alternative method.

“These models can be further represented by a graph comprising a collection of nodes and edges between them while the corresponding quantum processing unit is expressed as a lattice of qubits interconnected in a design known as a Chimera graph” [3]. In Figure 3, it shows a subgraph of the Chimera lattice pattern, which is a typical operation procedure of the D-Wave quantum annealing systems. In the objective function graph, the nodes and the edges are mapped to the qubits and couplers of the Chimera lattice. “Since the

Chimera lattice is not fully connected, mapping of variables to physical qubits uses the process of minor-embedding and is crucial to problem solving” [3]. Since performing a problem in finding an optimal graph-minor is NP-Hard, there is a much more efficient embedding for many graphs that can be used with heuristic techniques to find systematically. “Mapping the objective function onto the physical quantum processing

8 unit is followed by the realization of quantum annealing process, which searches for low- energy solutions of the corresponding problem Hamiltonian” [3].

“In the physical layer, quantum systems can manifest in several different ways such as atom energy levels, spin and polarization” [1]. In quantum circuit computations, the states of every quantum computing are structured to the point where every system will depend on other quantum systems that are currently configured in the infrastructure.

Quantum computations are based on the capability of performing a reverse computation, meaning that the output state can be reversed to the initial state once the computation has been performed via unitary operations, which is achieved by utilizing a series of quantum gates. Reversible circuits can be implemented for classical computing as well. “The temporary quantum systems in a quantum computation setting are called ancilla states, which are neglected as the output is formed” [1]. Once ancilla states obtain the output, then a measurement will be performed on the quantum register to extract a classical numerical value, which could be used in other quantum algorithms.

Figure 4 - Quantum Computer Architecture

To address the requirements in physical implementations of quantum computers,

DiVincenzo guidelines is shown in Figure 4, which address the requirements of extensible quantum registers, the initialization of quantum registers to a known state, the specification of a universal gate set requirements in order to run quantum algorithms using quantum hardware and the specifications of coherence time and fidelity that will allow long process to be performed and have the results extracted from quantum computer using measurements. “In the functional layer, the aims of classical and quantum computation technology are similar, but in the physical layer, these fields are completely different. The physical foundations of quantum computing technologies are laid down by the DiVincenzo criteria, which are supplemented with particular physical layer attributes, where quantum computers are derived with particular conditions on the physical layer attributes of quantum registers, gates, circuits and memories” [1]. Laszlo Gyongyosi and

Sandor Imre decided to resolve the issue with quantum computation complexity by studying the computation complexity of linear optics since classical computing could not stimulate quantum computing stimulation. Gyongosi and Imre defined “a model of computation in which identical photons are generated, sent through a linear-optical network and then nonadaptively measured to count the number of photons in each node and also studied the prospects for realizing the model using current photonics and optics technology” [1]. Based from the studies, they have concluded that their model is able to solve complex computations as well as searching for problems that are classically intractable. A quantum state “can be characterized by using a number of measurements that grows only linearly with the number of quantum states” [1]. Gyongosi and Imre analyzed the complexity of quantum tomography and implemented a stimulation of

10 quantum one-way communication protocol.

2.1.2 – Notions of Quantum Computing

Data are expressed by normalized vectors in Hilbert in quantum computing system, meaning that vector spaces are made over complex numbers and has a norm and a notion of orthogonality. The smallest space that are in the vector spaces are qubits, which is a two-dimensional vector space ℂ2 that comes with a chosen orthonormal denoted by {|0>, |1>}. A qubit is a normalized vector 훼|0> + 훽|1> where |훼|2 + |훽|2 =

1. An unknown qubit (휓) is defined by | 휓>. “A two-qubits vector is a normalized vector in ℂ2 ⨂ ℂ2, that is, a normalized vector generated by the orthonormal basis {|00>, |01>,

|10>, |11>}, where |xy> stands for |푥> ⨂ |푦>. In the same way, an n-qubits vector is a

2 푛 푛 normalized vector in (ℂ ) (or ℂ with N = 2n)” [5]. The common notation that are seen in quantum computation are < 휓| for the transposed and conjugate of |휓>. For example,

∗ ∗ ∗ ∗ “if |휓> = [a1, a2, …, an]T, then < 휓| = [훼1, 훼2, … , 훼푛] where for any 훼 ∈ ℂ, 훼 denotes its conjugate” [5].

The qubit operator relies on quantum gates, which will be explained further in quantum gates section. “The adjoint of a given operator U is denoted by U+, and the unitary condition imposes that U+U = Id” [5], which makes it a linear function since it has sufficient information to describe the action on the base vectors. The function can also be described by matrices if the adjoint is just conjugate transpose. “A set of universal

quantum gates is the set cnot, R 휋 and had, which can be defined as follows: 4

• The controlled-not is a two-qubits gate which only charges the second qubit if the

first one is |1>:

cnot|0x> = |0x>

cnot|1x> = |1> ⨂ 푛표푡|푥>

where not|0> = |1> and not|1> = |0>.

휋 • The R gate is a single-qubit gate that modifies the phase of the qubit: 4

휋 R |0> = |0> 4

휋 휋 푖 R |1> = 푒 4 |1> 4

where 휋 is the phase shift. 4

• The Hadamard gate is a single-qubit gate which produces a 45-degree rotation of

the basis:

1 1 H|0> = |0> + |1> √2 √2

1 1 H|1> = |0> - |1>” [5] √2 √2

These gates can be assembled together with the bilinear symbol (⨂) in order to act in higher-dimension qubits. “For example, to make the Hadamard gate act only in the first qubit of a two-qubits register, it can be taken to 퐻 ⨂ 퐼푑, and to apply a Hadamard gate to both qubits, just 퐻 ⨂ 퐻.

No-cloning theorem will come into play whenever a calculus pretends to encode quantum computing. The theorem and proof of no-cloning is described below:

“Theorem 2.1.2.1 (No Cloning). There is no linear operator such that, given any qubit

|휙> ∈ ℂ푁, can clone it. That is, it does not exist any unitary operator (U) and fixed |∅> ∈

ℂ푁 such that 푈|휓휙> = |휙휙>.

Proof: Assume there exists such an operator (U), so given any |휑> amd |휙> one has

푈|휓휑> = |휑휑> and also 푈|휓휙> = |휙휙>. Then the equation would be <푈휑휓|푈휓휙> =

<휑휑|휙휙>, where <푈휑휓| is the conjugate transpose of 푈|휓휙>. However, notice that the left side of this equation can be rewritten as <휑휓|푈+푈|휓휙> = <휑휓|휓휙> = <휑|휙> while the right side of the equation can be rewritten as <휑|휙><휑|휙> = <휑|휙>2” [5].

The conclusion of this theorem when it comes to implementing the design with the capability of utilizing calculus in this theorem is that function arguments duplication must be prohibited, but it will not prohibit the duplication of some specific qubit states.

For example, the qubits of |0> and |1> can be duplicated using the cnot gate (cnot|00> =

|00> and cnot|10> = |11>). The restriction that was mentioned regarding function arguments duplication will prevent us from creating a universal cloning machine, but any known term that are part of quantum computation can be duplicated.

The other operation that can be run using qubits is measurement, which utilizes a projector (operator of the form |휙><휙|)). “For example, in the canonical base {|0>, |1>}

2 of ℂ , P0 = |0><0| is a projector and P1 = |1><1| is another projector, with respect to such a base. Indeed, 푃0(훼|0> + 훽|1>) = 훼푃0|0> + 훽푃0|1> = 훼|0><0|0> + 훽|0><0|1> =

훼|0> and 푃1(훼|0> + 훽|1>) = 훼푃1|0> + 훽푃1|1> = 훼|1><1|0> + 훽|1><1|1> = 훽|1>”

[5]. By having the projectors, we are able to define the measurement operators of M0 and

푃푖|휓> M1 as 푀푖|휓> = . For example, “푀0(훼|0> + 훽|1>) = √휓|푃푖|휓

푃0(훼|0> + 훽|1>) 훼|0> 훼|0> 훼|0> ∗ ∗ = ∗ ∗ = 2 ∗ = 2 = √(훼 <0|+ 훽 <1|)푃0(훼|0> + 훽|1>) √(훼 <0|+ 훽 <1|)(훼|0>) √|훼| <0|0> + 훽 훼<1|0> √|훼|

훼 |0 > ≡ |0>” [5]. |훼|

This quantum measurement is defined in the sets of measurements operators. For

13 example, “in the canonical base {|0>, |1>}, the set {M0, M1} is a quantum measurement”

[5]. When it runs on a qubit | 휙>, operator (Mi) along with the probability (<휓|푃푖|휓>) will be applied to the qubit.

2.1.3 – Quantum Gates

The quantum gates can perform unitary operations, “an invertible linear function preserving the norm and the orthogonality of vectors” [5], on quantum states using quantum hardware. The Toffoli and Fredkin quantum gates are three-bit gates circuit that are decomposed into a set of Toffoli gates to stimulate CNOT gates for universal quantum computations. Making reference to Figure 4 regarding the physical layer, “the quantum gates can be realized by ion traps (polarization and depolarization side), superconductors, linear optic tools, diamonds, quantum dots, donor-based systems, or topological quantum computing elements” [1]. Currently, the leading issue that is open for researchers to try to implement solutions is being able to implement an efficient quantum error-correction.

Gyongosi and Imre performed a study on the advantages of utilizing shallow circuits using quantum technology since they found the fact that the constant-depth quantum circuits are more powerful than the classical circuits. They concluded that “any classical probabilistic circuit that solves any problem must have depth logarithmic in the number of input quantum states” [1]. They also found that problems could be solved with unit certainty using a constant-depth quantum circuit. “This quantum circuit has to contain only one- and two-qubit gates acting locally on a two-dimensional grid, which represents a practically implementable gate model structure. They also did a research on the power of IQP (instantaneous quantum polynomial-time) circuits where these circuits could be

14 implemented on “a square lattice of n qubits with a particular depth, which they found that if an arbitrarily small constant amount of noise is added to each qubit there exists a polynomial-time classical algorithm that can simulate sampling from the resulting distribution” [1]. The authors also performed a study on the design methods of high- fidelity three-quibit gates, which were Toffoli, Controlled-Not_Not and Fredkin. These quantum gates are essential for handling quantum error correction and information processing. The study was proposed on performing on the model that are based on machine learning fundamentals. In the study, the authors found out that the procedures are applicable to any systems that contains three nearest-neighbor-coupled superconducting artificial atoms that would achieve 99.9% fidelity for fault-tolerant quantum computing.

2.1.4 – Quantum Memory

In quantum computing, quantum memories contain quantum states that consists of values that are stored in a quantum register for processing using various processing techniques such as topological quantum memory, where all the quantum states are organized and stored in an array. Quantum computing memory uses a quantum random access memory (qRAM), which “uses n qubits to address any quantum superposition of memory cells (N)” [1]. Currently there are a quantum computing architecture that reduces the requirements for memory calls, which would lead to power saving system as well as having a much more efficient algorithm in memory management. Gyongosi and Imre performed a study on utilizing quantum annealing for recall tasks that uses associative memory models, which has the capability to store a “sublinear number of memories in

15 some theoretical models with exponential storage capacities” [1]. They also performed a study in the optimization of dynamical decoupling for quantum memory using recurrent neural network, which they used the methods of machine learning based from recurrent neural networks to optimize dynamically decoupling sequence, which is a simple technique for error correction in quantum memory. Quantum memristors, a resistor with memory whose resistance depends on crossing charges, is utilized as a rule for quantum memory management. The decoherence mechanism is controlled by the continuous- measurement feedback scheme. They demonstrated that “memory effects actually persist in the quantum regime and the superconducting circuits are ideal for their practical implementation” [1]. It was concluded that the model of quantum memristor could be used as a building block for neuromorphic quantum computing and in simulation of non-

Markovian systems using quantum hardware. The quantum memristors are resistive quantum elements that has the capability to retain information of their past dynamics by using superconducting circuits which Gyongosi and Imre attempted study on this. They performed the study by implementing a quantum hardware device “whose memrisitve behavior arises from quasiparticle-induced tunneling when supercurrents are canceled”

[1]. They also did an analysis on qubit-based memcapacitors and meminductors, which they found that the capacitive and inductive devices offer functionality for performing quantum computations by using the superconducting charge and phase qubits as quantum memory.

2.1.5 – Quantum CPU

Quantum CPU uses a quantum bus for communicating between the components

16 of a quantum computer, which utilizes quantum adders to make the communication happen. The quantum version of classical adders could also be used for quantum computation with the capability of reversible structure and parallel systems. Quantum adders are reversible since it uses the ancilla quantum state equipped with mechanisms, circuit depths, latencies and performance. Gyongosi and Imre proposed two basic network models for the parallelization of quantum circuits. “The first network model allows long-distance communication between a set of quantum states (set of states that are involved in the quantum computations). Meanwhile, the second model allows only local communications; it is precisely possible only between the nearest neighbors in a linear layout” [1]. As a comparison between the first and second network model, it was concluded that the performance of quantum adders was closed to each other in both models that were tested on. There are couple of quantum error correction methods that can be used to implement quantum communication between the quantum CPU and the functional elements of the quantum computer itself, which would be further discussed in the Quantum Error Correction section. “By theory, the performance of a quantum circuity is denoted by 풪(·), and because of the nature of signal propagations, the latency of any circuit is limited to 풪(퐷√푛) in an n-bit system, and with D-dimensional structure” [1]. In the experiment of utilizing Quantum CPU in quantum computer architecture, “five different qubus interconnect topologies were analyzed using Shor’s prime factorization algorithm” [1], as shown in Figure 5.

Figure 5 - The Quantum Circuit of Factorization Algorithm

The goal of using the Shor’s prime factorization algorithm was to increase the probabilities of the solutions in the quantum register A as shown in Figure 6 and Figure 7.

Figure 6 - The State of Register A After M1, But Before UIQFT

Figure 7 - The State of Register A After UIQFT

In the experimentation of Shor’s prime factorization algorithm, it was concluded that the quantum carry-ripple adder has the best performance in dealing with parameters for the algorithm. It was also concluded that the “small nodes (up to five logical qubits) and a linear interconnection network provide adequate performance; more complex networks are unnecessary as the number of bits of the factorized number reaches several hundred bits” [1]. In this experiment dealing with the performance of quantum adders, it was concluded that the quantum adders have the capability of factorizing a 6000-bit number one million times and thirteen thousand times faster, which is more powerful than BCDP (Beckman-Chari-Devabhaktuni-Preskill) modular exponentiation algorithm.

There are various other experiments that involved the use of quantum CPU for instance, Gyongosi and Imre studied the properties of quantum adders in the method of protected state transfer using an approximate quantum adder. For the experiment

19 involving the properties of quantum adders, Gyongosi and Imre “defined a decoherence protected protocol for transmitting photonics quantum states over depolarizing quantum channels” [1], which was implemented by an “approximate quantum adder engineered through spontaneous parametric down converters” [1]. Gyongosi and Imre concluded in this experiment that the greater probability of being successful can be achieved by the method versus distilled quantum teleportation protocols for distances below a threshold that has less chance of the experiment being successful. Gyongosi and Imre also studied the approximate quantum adders dealing with genetic algorithms by proposing “the theoretical aspects of approximate quantum adders and defining an optimization method that is based on genetic algorithms. In the study, they found out about the possibility to improve the achievable efficiency and fidelity of some previous protocol, which they went ahead and implemented the approximate quantum adder using the IBM Quantum

Experience. After implementing and testing the approximate quantum adder, it came to the conclusion that the approximate quantum adders can be useful in enhancing quantum information processing.

In the study of a method for quantum state transfer using the noisy photonic and phononic waveguides, Gyongosi and Imre “defined a protocol in which a quantum state of photons stored in a first cavity can be faithfully transferred to a second distant cavity via an infinite one-dimensional waveguide. As Gyongosi and Imre found this transfer is possible while the transferred information being immune to arbitrary noise (e.g. thermal noise) injected into the waveguide” [1]. Gyongosi and Imre also perform a study on cavity QED setup where atomic ensembles and where single atoms represented the quantum memory. This study can be applied on phononic quantum information

20 processing fields.

In order to further expand the study of approximate quantum adders using genetic algorithms, Gyongosi and Imre decided to take this study to the next level by adding the realization of quantum autoencoders into this study involving the use of quantum adders with genetic algorithms since there is a useful connection between the approximate quantum adders and quantum encoders. This study resulted in discovering the possibility of developing optimized approximate quantum adders using genetic algorithms, but with the rule that quantum encoders can be implemented for a variety of initial state and that it must be designed via controllable quantum platforms.

Gyongosi and Imre “studied the problem of space-efficient design for reversible floating-point adder in quantum computing, where the reversible logic has crucial significance in experimental low-power computing and quantum computing” [1]. In this experiment, the authors proposed a space-efficient reversible floating-point adder for quantum computers that could be used in binary quantum computations to improve the designs of expensive units. They also proposed techniques for the cost reduction and the fault-tolerant designs for quantum circuits.

2.1.6 – Controlling and Measurement of Quantum Computing

Having an appropriate control mechanism is very crucial for quantum state manipulations, readout, error-correction processes and fault-tolerant quantum computations. The current challenge that are being faced when it comes to quantum computer is preparing quantum systems for computation as well as the experimental realization of the measurements that extracts important values from the quantum states.

The reason for the current challenge is due to the fact that quantum computer are considered to be abstract, meaning that whenever quantum computation takes place by transitioning from one quantum state to another quantum state, we cannot easily predict the final state nor can we revert it to the initial state due to many factors taking place during quantum computation.

To address the challenge that are being faced in quantum computing field,

Gyongosi and Imre had performed various study that involves in enhancing the protocol of controlling and measuring the accuracy of quantum computations. They performed a study in the practical superposing of two pure quantum states using the knowledge that were presented in that time. Every output that are generated in quantum computation is very crucial in experimental quantum information processing since generating superposition of any two unknown pure states is a challenge due to the fact that generating superposition can be achieve by using the information that we currently have about the input state only in probabilistic way. The available value is represented by the overlap between two unknown states with respect to given referential state. Gyongosi and

Imre “implemented the probabilistic protocol of superposing two pure states in a three- qubit nuclear magnetic resonance system. They also studied the feasibility of the protocol by preparing families of input states and determined the average fidelity between the prepared state” [1]. As a result, the achieved fidelity was high meaning that this implementation could be used in complex situations and complex quantum circuits.

Gyongosi and Imre also studied the problem of superposing unknown quantum states by defining a protocol to superpose multiple pure states of a dimensional (D) quantum system for this experiment. They also defined a practical realization on a two-

22 qubit NMR (nuclear magnetic resonance) quantum processor. They performed an experiment on quantum sampling problems, concentrated in boson sampling and quantum supremacy, where they “gave a summary on the arguments that are in use to deduce when sampling problems are hard for classical computers to stimulate, particularly focusing on boson sampling” [1]. They did an experiment involving the application of differential equations in photonic quantum information processing by developing a model for “the realization of photonic quantum circuits whose dynamics is determined by some differential equations” [1]. This experiment concluded with the capabilities of implementing quantum feedback and feedforward without the requirements of any measurements in the quantum circuit for the model. This experiment also resulted with the capability of implementing a chip-based integrated quantum control.

Gyongosi and Imre did an experiment in implementing a quantum computing system with machine learning model that would allow quantum system to predict qubit decoherence in a real-time setting. In this experiment, classical control theory and classical machine learning were utilized to predict the future state of a qubit. As a result of this experiment, there was significant improvements in qubit phase stability over the standard measurement-based feedback approaches. There was another experiment that was done by Gyongosi and Imre that utilized quantum artificial intelligence in the field of superconducting circuits. In that experiment, they implemented a basic protocol of quantum reinforcement learning using superconducting circuit, which are equipped with feedback-loop control, which was a very useful technique in making effective prediction regarding quantum states and measurements of quantum computations.

Gyongosi and Imre also performed a study in quantum annealers involving performance-wise since the performance was becoming an issue. In the study, they

“defined a strategy to determine and correct persistent, systematic biases between the actual values of the programmable parameters and their user-specified values” [1]. The model of the strategy was tested using D-Wave quantum computing system, which as a result, the performance was improved in the quantum system using this model. Gyongosi and Imre did a study on quantum state discrimination by using the minimum average number of copies. In this study, “during the task of discriminating between nonorthogonal quantum states from multiple copies, the key parameters are the error probability and the resources (number of copies) used” [1]. Due to the fact as stated in their framework that the average resources would be minimized for a fixed admissible error probability, they had to define a new state discrimination task. As a result, the new state discrimination task wasn’t optimal as a result and they were better off using the quantum state discrimination for calculating the average number of copies as the whole problem.

Due to the fact that during superposition generation as part of quantum computation, there will be some unknown quantum states and in order to address this issue, Gyongosi and Imre decided to do an experimentation on the problem of superposition generation by coming up with a theorem that would prevent the universal probabilistic quantum protocol from generating a superposition of two unknown quantum state. The probabilistic protocol was introduced in this experiment to take over the universal probabilistic quantum protocol in producing a superposition of two unknown states with the rule that every quantum state must have a fixed overlap with the known referential pure state in order to find the missing values of the quantum state. As a result,

24 the probabilistic protocol can be built on arbitrary Hilbert spaces to be able to use it in complex computations. As the result from this experiment had more capability to solve more complex problems, Gyongosi and Imre decided to take this experiment to the next level by focusing on a study of creating a superposition of unknown photonic quantum states by “defining a method for the creation of superposition of arbitrary two unknown photonic qubits as long as they have nonzero overlaps with the horizontal polarization state” [1]. The experiment resulted with an average fidelity of 0.99, which means that it could have an improvement in handling quantum computations in order to generate more accurate results. This model can be used in information compression using coherent superposition with this model to generate a much more accurate results on very complex problems.

2.1.7 – No Cloning, Superpositions and Measurement

Table 1 - Grammar of Terms

푏 ≔ 푥|휆푥Ψ . 푡||0 > ||1 > Base Terms (ℬ)

푣 ≔ 푏|(푣 + 푣)|0⃗ 푆(퐴)|훼. 푣 Values (풱)

푡 ≔ 푣|푡푡|(푡 + 푡)|휋푡|? 푡 ∙ 푡|훼. 푡 Terms (Λ)

According to Table 1, terms can be referred to as “variables, abstractions, two constants for base qubits (|0> and |1>), linear combinations of terms (built with addition and product by a scalar, addition being commutative and associative), a family of constants for the null vectors, one for each type of the form S(A), (0⃗⃗⃗⃗푆 (A)), and an if-then- else construction (? 푡 ∙ 푡) deciding on base vector” [5]. The notation t ? rcdots (? 푟 ∙ 푠)푡,

? 푟 ∙ 푠 being treated as a function, was used to a term (t) to produce the following statement when t becomes a basis term (if t then r else s). Pi symbol is also used for measurement in computation problems.

Table 2 - Grammar of Types

Ψ ≔ 𝔹|푆(Ψ) Qubit Types (푄)

퐴 ≔ Ψ|Ψ ⇒ A|S(A) Types (푇)

In Table 1, the grammar is split into based terms (used for non-superposed values), general values and general terms. In Table 2, types are split into qubit types and general types. The set of free variables of a term (t), denoted by FV(t), is defined in the lambda calculus. The notation ([a .]t) is used to refer in-distinctly to a . t and to t. -t is used as a shorthand notation for -1, where on the other side, t and (t – r) is used as a shorthand notation for (t + (-r)). The term of (t – t) has a type S(A) and a reduction of

(0⃗⃗⃗⃗푆 (A)), which is not considered to be a base term.

The type S(∙) being a linear type is an important property of calculus since they correspond to superpositions, preventing them from being duplicated. In tensor-free stage scenario, having a type itself, without an S(∙), on head position are considered to be a non-linear type (i.e. 𝔹) that corresponds to base terms, meaning that they can be duplicated. “A non-linear function is allowed to be applied to a linear argument, for

𝔹 1 1 example, 휆푥 . (푓푥푥) can be applied to ( ∙ |0 > + ∙| 1 >), however, it distributes in √2 √2

𝔹 1 1 1 𝔹 the following way: (휆푥 . (푓푥푥)) ( ∙ |0 > + ∙| 1 >) → ( ∙ (휆푥 . (푓푥푥)) |0 > √2 √2 √2

1 𝔹 1 1 + ∙ (휆푥 . (푓푥푥))| 1 >) → ( ∙ (푓 |0 > |0 >) + ∙ (푓| 1 > |1 >))” [5]. √2 √2 √2

Beta reduction will only occur when the argument type is the same as the expected type from the abstraction, therefore, the rewrite system will depend on types such as the type system and the rewrite system that will be described in this section. In the type system, “a type A will be interpreted as a set of vectors and S(A) as the vector space generated by the span of such a set” [5]. By looking at the interpretation of type A and S(A), we will have 퐴 ⊆ 푆(퐴) and 푆(푆(퐴)) = 푆(퐴). Table 3 shows the definition of a subtyping relation on types where we used the previous defined equation from the implementation of type A and S(A).

Table 3 - Subtyping Relation on Types

_ 퐴 ≺ 퐵 퐵 ≺ 퐶 퐴 ≺ 푆(퐴) 퐴 ≺ 퐶 _ _ 퐴 ≺ 퐵 퐴 ≺ 퐵 퐴 ≺ 푆(퐴) 푆(푆(퐴)) ≺ 푆(퐴) Ψ ⇒ 퐴 ≺ Ψ ⇒ 퐵 S(A) ≺ S(B)

Table 4 - Type System

_ _ _ _ 퐴푥 퐴푥0⃗⃗ 퐴푥|0> 퐴푥|1> 푥: Ψ ⊢ x: Ψ ⊢ 0⃗ 푆(퐴): 푆(퐴) ⊢ |0 > : 𝔹 ⊢ |1 > : 𝔹

Γ ⊢ t: A Γ ⊢ t: A∆⊢ u: A Γ ⊢ t: S(𝔹) 푆훼 푆+ 푆 Γ ⊢ α. t: S(A) 퐼 Γ, ∆⊢ (t + u): S(A) 퐼 Γ ⊢ πt: 𝔹 퐸

Γ ⊢ t: A(A ≺ 퐵) Γ ⊢ t: AΓ ⊢ r: A Γ, x: Ψ ⊢ t: 퐴 ≺ 퐼푓 ⇒퐼 Γ ⊢ t: 퐵 Γ ⊢? t ∙ r: 𝔹 ⇒ A Γ ⊢ λxΨ . 푡: Ψ ⇒ 퐴

Γ ⊢ t: Ψ ⇒ 퐴∆⊢ u: Ψ Γ ⊢ t: S(Ψ ⇒ 퐴)∆⊢ u: S(Ψ) ⇒ ⇒ Γ, ∆⊢ tu: 퐴 퐸 Γ, ∆⊢ tu: S(퐴) 퐸푆

Γ ⊢ t: 퐴 Γ, x: 𝔹, y: 𝔹 ⊢ t: 퐴 푊 x 퐶 Γ, x: 𝔹 ⊢ t: 퐴 Γ, x: 𝔹 ⊢ (y) 푡: 퐴

Table 4 also shows the type system where contexts Γ and ∆ have a disjoint support. Table 4 also shows that rule Ax will only allow typing variables with qubit types since the system is first order and qubits can only be passed as arguments in type system and more other options when rewrite system is used. Table 4 shows that rule 퐴푥0⃗⃗ has a null vector as a non-base term since the null vector doesn’t belong to the base of any vector space. It also shows that rules 퐴푥|0> and 퐴푥|1> has the base qubits with the base type (𝔹). In the rule of ≺ as shown in Table 4, it shows that the term |0> has type (𝔹) and

S(𝔹). “Note that ((|0> + |0>) - |0>) has type S(𝔹) and reduces to |0>, which has the same type S(𝔹)” [5]. If this term is reduced to |0> of type 𝔹, the type would not be preserved and instead would contain information that would be impossible to perform computation due to the fact that the value |0> would be a result of interference instead of a result of

훼 measurement, which is necessary value to compute. Table 4 also shows that the rule 푆퐼 states that it is not considered to be a base term if the term is multiplied by a scalar. If the scalar is just a phase, the term must have an 푆(∙) type since having a scalar indicates that the term has not been measured yet. Without having 푆(∙) as the term will cause the measurement operator to remove any scalars. Table 4 also shows that the rule SE is the

훼 analog for sum to rule 푆퐼 as well as the elimination of the superposition by performing the measurement operation using the 휋 operator. “Notice that ? 푡 ∙ 푟 is typed as a nonlinear function by rule If, and so, the if-then-else linearly distributes over superpositions, for example, “(훼. |0 > + 훽. |1 >)? 푡 ∙ 푟 = (? 푡 ∙ 푟)(훼. |0 > + 훽. |1 >) =

→∗ 훼. (? 푡 ∙ 푟)|0 > + 훽. (? 푡 ∙ 푟)|1 > = 훼. |0 >? 푡 ∙ 푟 + 훽. |1 >? 푡 ∙ 푟 →∗ 훼. 푟 + 훽. 푡”

[5]. Table 4 shows that the rule ⇒ES are the elimination for superpositions that corresponds to the linear distribution. “Notice that the type of the argument is a superposition of the argument expected by the abstraction (푆(Ψ) 푣푠. Ψ)” [5], which this abstraction is allowed to be a superposition. For example, “if we want to apply the sum of functions (f + g) to the base argument |0>, we would obtain the superposition (f|0> + g|0>). The typing is as follows:

⊢ 푓 ∶ 𝔹 ⟹ 퐴 ⊢ 푔 ∶ 𝔹 ⟹ 퐴 ⊢ 푔 ∶ 𝔹 ⟹ 퐴̅̅̅̅̅̅̅̅̅̅̅̅퐴푥|0> 푆+ ⊢|0> ∶ 𝔹 ≺ ⊢ (푓 + 푔) ∶ 푆(𝔹 ⟹ 퐴) 퐼 ⊢ |0 > ∶ 푆(𝔹) ⟹ ⊢ (푓 + 푔)|0 > ∶ 푆(퐴) 퐸푆 which reduces to

⊢ 푓 ∶ 𝔹 ⟹ 퐴̅̅̅̅̅̅̅̅̅̅̅̅퐴푥|0> ⊢ 푔 ∶ 𝔹 ⟹ 퐴̅̅̅̅̅̅̅̅̅̅̅̅퐴푥|0> ⊢|0> ∶ 𝔹 ⇒ ⊢|0> ∶ 𝔹 ⇒ ⊢ 푓 |0 > ∶ 퐴 퐸 ⊢ 푔 |0 > ∶ 퐴 퐸 푆+ ⊢ (푓|0 > +푔|0 >) ∶ 푆(퐴) 퐼

.” [5] In the equation, a linear function, ⊢ 푓 ∶ 𝔹 ⟹ 퐴, applied to a superposition (|0> + |1>) is reduced to a superposition of (f|0> + f|1>). It is showed that “

⊢ 푓 ∶ 𝔹 ⟹ 퐴 ̅̅̅̅̅̅̅̅̅̅̅̅̅̅⊢ |0 > ∶ 𝔹 퐴푥|0> ̅̅̅̅̅̅̅̅̅̅̅̅̅̅⊢ |1 > ∶ 𝔹 퐴푥|1> ≺ 푆+ ⊢ 푓 ∶ 푆(𝔹 ⟹ 퐴) ⊢ (|0 > + |1 >) ∶ 푆(𝔹) 퐼 ⟹ ⊢ 푓(|0 > + |1 >): 푆(퐴) 퐸푆 which reduces to

⊢ 푓 ∶ 𝔹 ⟹ 퐴̅̅̅̅̅̅̅̅̅̅̅̅퐴푥|0> ⊢ 푓 ∶ 𝔹 ⟹ 퐴̅̅̅̅̅̅̅̅̅̅̅̅퐴푥|1> ⊢|0> ∶ 𝔹 ⇒ ⊢|1> ∶ 𝔹 ⇒ ⊢ 푓|0 > ∶ 퐴 퐸 ⊢ 푓|0 > ∶ 퐴 퐸 푆+ ⊢ 푓(|0 > + |1 >): 푆(퐴) 퐼

” [5]. According to Table 4, rules W and C refers to weakening and contraction on the variables with base types, which the base terms can be cloned.

The null vectors (0⃗⃗⃗⃗푆 (A)) is interpreted as the null vector of the vector space (S(A)), which the null vectors should take place since the vector space of S(S(A)) is the same as

S(A). “Then, we define a function min(A) which gives us the smallest type in terms of the amounts of S it includes, that generates the vector space, so the null vector can be

29 taken from such a space. The equation is shown here: min(𝔹) = 𝔹 min(Ψ ⟹ 퐴) = Ψ ⟹ min(A) min(S(A)) = min(A)” [5].

The term (0⃗⃗⃗⃗푆 (A)) is identified through reduction with the term (0⃗⃗⃗⃗푆 (min(A))).

Table 5 - Rewrite System

If 푏 has type 𝔹 and 푏 ∈ ℬ, then (훽 ) 푏 푏 (휆푥𝔹 . 푡)푏 → ( ) 푡 (1) 푥 Beta Rules If u has type 푆(Ψ), then (훽 ) 푢 푛 (휆푥푆(Ψ) . 푡)푢 → ( ) 푡 (1) 푥

|1 > ? 푡 ∙ 푟 →(1) 푡 푖푓1 If Rules

|0 > ? 푡 ∙ 푟 →(1) 푟 푖푓0

If 푡 has type 𝔹 ⇒ 퐴, then 푡(푢 + + 푙푖푛푟 푣) →(1) (푡푢 + 푡푣)

If 푡 has type 𝔹 ⇒ 퐴, then 훼 푙푖푛푟 푡(훼 . 푢) → 훼 . 푡푢 Linear (1)

Distribution If 푡 has type 𝔹 ⇒ 퐴, then 0 푙푖푛푟 Rules 푡0⃗ 푆(𝔹) →(1) 0⃗ 푆(min(퐴))

+ (푡 + 푢)푣 →(1) (푡푣 + 푢푣) 푙푖푛푙

훼 (훼 . 푡)푢 →(1) 훼 . 푡푢 푙푖푛푙

0 0⃗ 푆(𝔹⇒퐴)푡 →(1) 0⃗ 푆(min(퐴)) 푙푖푛푙

Vector (0⃗ 푆(퐴) + 푡) →(1) 푡 Space (푛푒푢푡푟푎푙) Axioms

Rules

1. 푡 →(1) 푡 (푢푛푖푡)

If 푡 has type 퐴, then 0. 푡 →(1) 0⃗ 푆(min(퐴)) (푧푒푟표훼)

훼. 0⃗ 푆(퐴) →(1) 0⃗ 푆(min(퐴)) (푧푒푟표)

훼. (훽 . 푡) →(1) (훼훽) . 푡 (푝푟표푑)

훼푑푖푠푡 훼. (푡 + 푢) →(1) (훼 . 푡 + 훼 . 푢) (푑푖푠푡 )

(훼 . 푡 + 훽 . 푡) →(1) (훼 + 훽) . 푡 (푓푎푐푡)

1 (훼 . 푡 + 푡) →(1) (훼 + 1) . 푡 (푓푎푐푡 )

2 (푡 + 푡) →(1) 2 . 푡 (푓푎푐푡 )

If 퐴 ≠ min(퐴), then 0⃗ 푆(퐴) →(1) 0⃗ 푆(min(퐴)) (푧푒푟표푠)

(푡 + 푟) = _퐴퐶(푟 + 푡) (푐표푚푚)

((푡 + 푟) + 푠) = _퐴퐶(푡 + (푟 + 푠)) (푎푠푠표푐)

푛 Projection 휋(∑푖 =1[훼푖. ]푏퐼) →(푝) 푏푘 , where 푝 =

2 Rule |훼푘| 푛 2 ; ∀푖, 푏푖 = |0 > or 푏푖 = |1 >; ∑푖 =1| 훼푖|

푛 (푝푟표푗) ∑푖 =1 훼푖. 푏푖 is a normal term (hence 1 < n <

2 2); and if an 푎푘 is absent, |푎푘| = 1, and 1

< k < n.

푡 →(푝) 푢 푡 →(푝) 푢 푡 →(푝) 푢 Contextual 𝔹 𝔹 푡푣 →(푝) 푢푣 (휆푥 . 푣)푡 →(푝) (휆푥 . 푣)푢 푡 ? 푟푐푑표푡푠 →(푝) 푢 ? 푟푐푑표푡푠

Rules 푡 →(푝) 푢 푡 →(푝) 푢 푡 →(푝) 푢

(푡 + 푣) →(푝) (푢 + 푣) 훼 . 푡 →(푝) 훼 . 푢 휋푡 →(푝) 휋푢

In the contextual rules shown in Table 5 shows the relation ⟶(푝) where it is considered to be the probabilistic relation, where p is considered to be the probability of occurrence since the rewrite rule has a probability 1 of occurrence except for the projection rule (proj). The rewrite system depends on the implementation since the abstraction can expect a base term as argument (a nonlinear term, which can be given a superposition (linear) for the reduction to be distributed before beta-reduction) or a superposition, which has to be treated linearly.

Currently, there are two beta rules for 훽푏, which the first beta rule is that rule (훽푏)

“acts only when the argument is a base term, and the type expected by the abstraction is a base type” [5]. The second beta rule for rule (훽푏) “is call-by-base (base terms coincides with values of 휆-calculus, while values on this calculus also includes superpositions of base terms and the null vector” [5]. Usually, 훽푛 is call-by-name beta rule since they are distinguished by the type of the argument. Rule 훽푏 deals with non-linear functions while rule 훽푛 deals with linear functions. “The test on the type of the argument is due to the type system that allows an argument with a type not matching with the type expected by the abstraction (in such a case, one of the linear distribution rules applies)” [5]. The contextual rule that reduces the argument of the application is only valid when the abstraction expects an argument of type 𝔹, since there are only two beta reductions. If the argument contains the base type, it will reduce to a term that can be cloned, but the reduction must be done properly to ensure the term that needs to be cloned can be cloned.

For example, “a measure over a superposition (휋(|0> + |1>)) has a base type 𝔹, but it

32 cannot be cloned until it is reduced. Indeed, (휆푥𝔹 . (푓푥푥)) (휋(|0> + |1>)) can reduce either to f|0>|0> or f|1>|1>, but never to f|0>|1> or f|1>|0>, which would be possible only if the measure happens after the cloning machine” [5], which could be possible if a second system is prepared in the same state. The group of if-then-else also contains the tests over the base qubits |0> and |1> in the contextual rules.

“The first three of the linear distribution rules (those marked with sub index r), are the rules that are used when a non-linear abstraction is applied to a linear argument (that is, when an abstraction expecting a base term is given a superposition)” [5]. In this scenario, the beta reductions cannot be used due to the requirements of the side conditions on types not being met. For example, regarding the reduction sequence,

푙푖푛+ 𝔹 1 1 푟 𝔹 1 “(휆푥 . (푓푥푥))( ∙ |0 > + ∙| 1 >) → (1) ((휆푥 . (푓푥푥)) ∙ |0 > √2 √2 √2

𝔹 1 + (휆푥 . (푓푥푥)) ∙| 1 >) √2

푙푖푛훼2 푟 1 𝔹 1 𝔹 → (1) ( ∙ (휆푥 . (푓푥푥)) |0 > + ∙ (휆푥 . (푓푥푥))| 1 >) √2 √2

2 (훽푏) 1 1 → (1) ( ∙ 푓|0 > |0 > + ∙ 푓|1 > |1 >) √2 √2

0 ” [5]. In the Rule 푙푖푛푟, the term has to be reduced to 푂⃗ 푆(min(퐴)). If reducing is perform from 푡 푂⃗ 푆(𝔹) to 푂⃗ 푆(퐴), there would be an issue with subject reduction since by having type

𝔹 ⟹ 퐴 for t, it will not work due to not having other type. For example, “𝔹 ⟹ 퐵 reducing to 푂⃗ 푆(퐴) would break subject reduction since 푂⃗ 푆(퐴) does not have necessarily type S(B)”

[5]. There is a proof that if t has types 𝔹 ⟹ 퐴 and 𝔹 ⟹ 퐵, then min(A) ≺ B meaning that the subject reduction would be preserved.

The remaining rules for the linear distribution deal with the superposition of

+ functions. For example, “rule 푙푖푛퐼 is the sum of functions: A superposition is a sum, therefore, if an argument is given to a sum of functions, it needs to be given to each function in the sum” [5]. Weak reduction strategy is used since reduction only occurs on closed terms and the argument (v) on this rule is closed so it should be able to work with this strategy. If the argument (v) were not to be closed, it would be unable to by typed.

For example, “푥: 푆(𝔹), 푡: 𝔹 ⟹ 𝔹, 푢: 𝔹 ⟹ 𝔹 ⊢ (푡 + 푢)푥: 푆(퐵) is derivable, but

푥: 푆(𝔹), 푡: 𝔹 ⟹ 𝔹, 푢: 𝔹 ⟹ 𝔹 ⊢ (푡푥 + 푢푥): 푆(퐵) is not” [5].

“The vector space axioms rules are the direct axioms of vector spaces” [5]. The rule (zeros) will make sure for every vector space to have only one null vector as stated by the rule. The Modulo AC rules are not considered to be a proper rewrite rules, but the symbol (+) are considered to be associative and commutative, therefore the rewrite system is rewrite modulo AC. “As a consequence, the parenthesis is not needed and we

푛 may use the notation ∑ 푖=1 푡푖 ” [5] such as the rule (proj) that is the projection over weighted associative pairs, such as a generalization of multisets where the multiplicities are assigned by complex numbers. “This reduction rule is the only one with a probability different from 1 and it is given by the square of the modulus of the weights, implementing this way the quantum measurement over the computational basis” [5].

In conclusion, calculus can only represent pure states, but cannot represent mixed

1 states. “For example, let Z be an encoding of the quantum Z gate, |+> = ∙ (|0 > +|1 >) √2

1 𝔹 and |−> = ∙ (|0 > −|1 >). The terms (휆푥: 푆(𝔹)(휆푦 . 푦? (푍푥) ∙ 푥)(휋|+ >))|+ > and √2

(휆푥: 푆(𝔹)휋(푋))|+> may be considered equivalent if taking into account the density matrix representation of mixed states” [5]. The first term will reduce to either |+> or |-> with the probability of ½ of each sign. The second term will then reduce to either |0> or

1 1 |1> with the probability of ½ of each bit. “The sets of pure states ({ , |+>) , ( , |−>)} and 2 2

1 1 ({ , |0 >) , ( , |1 >)} have both density matrix I/2, and hence are indistinguishable” [5]. 2 2

Fortunately, the pure states can be distinguished once the result of the measure is known.

2.1.8 – Quantum Error Correction

The purpose of quantum error-correction methods is to satisfy the requirement on ensuring high fidelity and proper coherence times in quantum computations. The nature errors of quantum computation systems operate differently from classical system errors in the fact that quantum systems are more delicate than classical systems. In the previous section, different experimentations involving achieving a reliable and fault-tolerant quantum computation systems were introduced for a specific quantum computer hardware, it doesn’t mean that it is compatible with any quantum computer hardware so therefore, developing a model that would work universally on any quantum computer hardware is still a challenge. In any quantum error-correction method, input data that are injected into quantum states as well as the syndrome quantum states are used to identify error information. “In experimental quantum computations, a distinction exists between the logical and physical representations of quantum states in that a logical quantum system is encoded by several quantum states in the physical layer” [1]. The current quantum-error correction codes that are currently in-place for anyone to use, such as designs of topological error correction, are suitable for any compatible quantum systems to be used.

In order to take the current quantum error-correction codes to the next level of

35 making enhancements to it, there were various experiments that Gyongosi and Imre performed in optimizing and enhancing the quantum error-correction process. First,

Gyongosi and Imre addressed in researching the problem of surface code error correction on a defective lattice since by the way quantum computer are designed to be abstract in computations and the way on how data are saved in atom, quantum systems are prone to loss of data due to faulty quantum states that could occur in quantum computer hardware.

In order to minimize data loss, there must be a solution in error-correcting schemes, which they went ahead and attempted an experiment on implementing error-correcting schemes by stimulating statically placed single-fault lattices and lattices. This experiment concluded that “a static loss at the periphery of the lattice has less negative effect than a static loss at the center” [1], which this strategy of error-correction scheme is very effective in quantum computing. Gyongosi and Imre analyzed a different metric compared to the default metrics that quantum computers use as a default to predict quantum chip performance, which resulted the “deepest stabilizer circuit in the lattice giving the strongest correlation with post-correction residual error rates” [1]. Gyongosi and Imre researched on the problems of state injection, lattice surgery and dense packing of the deformation-based surface code to determine ways to address these issues. The first step of addressing the current issues was taken by defining “a deformation-based surface code using super stabilizers to detect short error chains connecting the super stabilizers” [1]. After performing this experiment, it resulted in discovering the capability of placing logical qubits close together in quantum computations, therefore, having the capability to detect error for every quantum states that are taking place in quantum computation, making it easier to detect the issues and resolve it to generate accurate

36 values versus detecting error for the whole quantum computation problem as a whole, making it more challenging to get a much more accurate computation data. Gyongosi and

Imre went ahead and took the defect-based surface code by doing an experiment in the conversion process from the defect-based surface code by coming up with a design for the deformation-based surface code. By performing this experiment, they found out that the design that they came up could be very effective in performing a large-scale quantum computation.

Now that Gyongosi and Imre have addressed the issue of error-correction detection and performance, they went ahead by doing a research on the sample complexity of learning with error to determine if quantum computer can learn the error values that they have encountered and improve the accuracy overtime. Based on the results from the research, they found out that quantum computers have an efficient quantum learning algorithm in place to address polynomial sample and time complexity problems, which can be useful in quantum cryptography field.

Gyongosi and Imre did a research on the building aspects of silicon-based surface code quantum computer focusing “on the conflict between a nanometer separation for qubit-qubit interactions and proposed a solution for the separation problem by establishing the feasibility of surface code quantum computing using solid state spins.

The proposed method utilizes probe spins that are aimed for the mechanical separation and includes a protocol for error correction due to the spins being imperfectly located”

[1]. As a result, it overcomes many solid states quantum computing challenges and provides qubit densities that are “several order of magnitude greater than other systems”

[1]. To further take this method to the next level, Gyongosi and Imre decided to study

37 majorana zero modes, which are quasiparticle excitations in condensed matter systems that could be used as a building blocks in fault-tolerant quantum computers. In Gyongosi and Imre’s model, they used the Coulomb-blockade spectroscopy in a “nanowire segment that results in a superconducting Coulomb island (Majorana island)” [1]. This model is effective in clarifying the trivial-to-topological transition of infinite systems as well as performing research in topological protection involving in the advanced properties that it has to offer. The lifetime of a quantum bit can be extended with error correction in superconducting circuits since the general rule of having data exist in an atom is to prevent error at all times in order to prevent data loss. In this research, the “implemented qubits are encoded in superpositions of Schrodingercat states of a superconducting resonator” [1]. A quantum error correction protocol was implemented in this experiment that would use a feedback control mechanism as a control mechanism to perform error- correction procedures at a corrected qubit lifetime of 320 milliseconds, which resulted in much more efficient qubit encoding system versus using the traditional quantum error correction schemes to correct any error encountered in quantum computation.

Since Gyongosi and Imre were able to come up with a better error-correction system, they decided to perform a study on quantum devices that could perform computational task beyond the capabilities that classical computers have to offer, but without error correction which is a study of so-called quantum supremacy. In this study, they “analyzed the task of sampling from the output distributions of pseudo-random quantum circuits” [1]. By performing this study in an experiment, they found out that by performing a sample distribution on classical systems requires a high-cost numerical stimulation of the circuit, which the cost would increase exponentially in the number of

38 qubits in the system. They performed the experiment with quantum circuits up to 42 qubits, which they found out that quantum supremacy can be achieved on quantum devices consisting of approximately fifty superconducting qubits.

Lastly, Gyongosi and Imre perform a study in the characterization of decohering quantum systems by adapting machine learning techniques in the process by analyzing

“the decoherence effects in adaptive characterization processes, where measurement settings are updated via data feedback” [1]. As a result, they found out that by adapting measurement of every decoherence quantum states, it can provide much more accurate measurement, therefore decreasing error exponentially for the total number of measurements. They also developed a framework for “handling high initial parameter uncertainty and for the presence of imperfection in the readout of decohering quantum states by defining quantum autoencoders for efficient compression of quantum data” [1].

“By theory, the task of an autoencoder is to map the input to a lower dimensional point such that the input can likely be recovered from the mapped point” [1]. Due to the fact of how powerful an autoencoder can become in recovering decoherence quantum states, they defined a model of integrating autoencoder with quantum systems to perform autoencoder operations on quantum data values. As a result, it was discovered that the parameters of quantum autoencoder can be trained with classical optimization algorithm and also discovered that quantum autoencoder was very efficient in compressing quantum system to recover data loss from any error encountered in quantum computation.

2.1.9 – Multi-Qubit Systems: Tensor Products

Quantum mechanics has a postulate that determines on the implementation of

39 several quantum systems. Currently, the “Hilbert space of a multi-qubit system is the tensor product between single-qubit Hilbert spaces” [5]. “If |휓 > ∈ ℋ1 and |휙 > ∈ ℋ2 represent the states of two quantum systems, the state of the full system composed by those two is |휓 > ⨂ |휙 >” [5]. If bases (ℬ1 and 퐵2) of ℋ1 and ℋ2 are chosen, then the

∑ ∑ equation can be written, which is 휓 > = 푖 ∈ ℬ1 훼푖|푖 > and |휙 > = 푗 ∈ ℬ2 훽푗|푗 > so

∑ ∑ ∑ ∑ |휓 > ⨂ |휙 > = 푖 ∈ ℬ1 푗 ∈ ℬ2 훼푖훽푗|푖 > ⨂ |푗 > = 푖 ∈ ℬ1 푗 ∈ ℬ2 훼푖훽푗|푖푗 >. “The last equity can be seen as a matter of notation, but also it is clear that |푖 > ⨂ |푗 > ≃ |푖 >

× |푗 > and so ℋ1 ⨂ ℋ2 = 푆푝푎푛(ℬ1 × ℬ2)” [5]. So far, the symbol for the span of a type and the basis type has been acknowledged up to this point, but an associative

Cartesian product needs to be introduced to the calculus system, which their role is to

1 1 recover the tensor product. For example, “the term |0 > × ( |0 > + | 1 >) have type √2 √2

1 1 𝔹 × 푆(𝔹), while ( |0 > × |0 > + |0 > × | 1 >) has type 푆(𝔹 × 𝔹). Therefore, √2 √2 the distributivity of linear combinations over tensor products is not trivially tracked in the type system, and so an explicit cast between types is also added: The term 0 >

1 1 1 1 × ( |0 > + | 1 >) does not rewrite to ( |0 > × |0 > + |0 > × | 1 >), but the √2 √2 √2 √2

1 1 term ⇑ |0 > × ( |0 > + | 1 >) does, where ⇑ casts the type 푆(𝔹 × 푆(𝔹)) into 푒 √2 √2 푒 the type 푆(𝔹 × 𝔹)” [5].

Table 6 - Grammar of Types

픅 ≔ 𝔹|픅 × 픅 Base Qubit Types (B)

Ψ ≔ 픅|푆(Ψ)|Ψ × Ψ Qubit Types (Q)

퐴 ≔ Ψ|Ψ ⇒ A|S(A)|A × A Types (T)

In Table 6, it shows the grammar of types table where the Cartesian product is added to base qubit types, qubit types and types. Looking at the base qubit types level in

Table 6, it is necessary to have it as part of grammar types since the abstractions with variables in are considered to be the non-linear ones. The notation (𝔹푛 = 𝔹 × … × 𝔹

푛 (n-times)) will be used due to = {𝔹 |푛 > 0}. The notation A × S(B0) = A can also be used.

Table 7 - Grammar of Terms

푏 ≔ 푥|휆푥Ψ . 푡||0 > ||1 > |푏 × 푏 Base Terms (ℬ)

푣 ≔ 푏|(푣 + 푣)|0⃗ 푆(퐴)|훼. 푣|푣 × 푣 Values (풱)

푡 ≔ 푣|푡푡|(푡 + 푡)|휋푗푡|? 푡 ∙ 푡|훼. 푡|푡 × 푡 Terms (Λ)

|ℎ푒푎푑 푡|푡푎푖푙 푡|⇑푟 푡| ⇑ℓ 푡

In Table 7, it shows the grammar of terms, where every level, such as base terms, values and terms, is extended with the tensor of the term in a level. In the general terms, the primitives head and tail are added to the equation. “The projector 휋 us generalized to

휋푗, where the sub index j stands for the number of qubits to be measured, which are those in the first j positions” [5]. It is possible to perform swap between qubits and place qubits

𝔹 to be measured in the beginning of the task. For example, “휆푥𝔹푥 . tail x × head x.

Finally, an explicit type cast of a term t (⇑푟 푡 and ⇑ℓ 푡) is included in the general terms”

푛 푛 [5]. ⇑ can be used to refer to any of these ⇑푟 or ⇑ℓ. The notations (∑푖 =1 푡푖 and (∑푖 =1 퐴푖 ) can be used for associative Cartesian products since the product is associative.

Table 8 - Subtyping Relation

. 퐴 ≺ 퐵 퐵 ≺ 퐶 퐴 ≺ 퐴 퐴 ≺ 퐶 . . 퐴 ≺ 퐵 퐴 ≺ 푆(퐴) 푆(푆(퐴)) ≺ 푆(퐴) Ψ ⇒ 퐴 ≺ Ψ ⇒ 퐵

퐴 ≺ 퐵 퐴 ≺ 퐵 퐴 ≺ 퐵

푆(퐴) ≺ 푆(퐵) 퐴 × 퐶 ≺ 퐵 × 퐶 퐶 × 퐴 ≺ 퐶 × 퐵

Table 8 shows the subtyping relation, which contains Cartesian products.

Table 9 - Table System

_ _ _ _ 퐴푥 퐴푥0⃗⃗ 퐴푥|0> 퐴푥|1> 푥: Ψ ⊢ x: Ψ ⊢ 0⃗ 푆(퐴): 푆(퐴) ⊢ |0 > : 𝔹 ⊢ |1 > : 𝔹

Γ ⊢ t: A Γ ⊢ t: A∆⊢ u: A Γ ⊢ t: S(𝔹) 푆훼 푆+ 푆 Γ ⊢ α. t: S(A) 퐼 Γ, ∆⊢ (t + u): S(A) 퐼 Γ ⊢ πt: 𝔹 퐸

Γ ⊢ t: A(A ≺ 퐵) Γ ⊢ t: AΓ ⊢ r: A Γ, x: Ψ ⊢ t: 퐴 ≺ 퐼푓 ⇒퐼 Γ ⊢ t: 퐵 Γ ⊢? t ∙ r: 𝔹 ⇒ A Γ ⊢ λxΨ . 푡: Ψ ⇒ 퐴

Γ ⊢ t: Ψ ⇒ 퐴∆⊢ u: Ψ Γ ⊢ t: S(Ψ ⇒ 퐴)∆⊢ u: S(Ψ) ⇒ ⇒ Γ, ∆⊢ tu: 퐴 퐸 Γ, ∆⊢ tu: S(퐴) 퐸푆

Γ ⊢ t: 퐴 Γ, x: 𝔹n , y: 𝔹n ⊢ t: 퐴 푊 n x 퐶 Γ, x: 𝔹 ⊢ t: 퐴 n Γ, x: 𝔹 ⊢ (y) 푡: 퐴

Γ ⊢ t: 퐴∆⊢ r: 퐵 푋 Γ, ∆⊢ t × r: 퐴 × 퐵 퐼

Γ ⊢ t: 𝔹n Γ ⊢ t: 𝔹n 푋 (푛 > 1) 푋 (푛 > 1) ∆⊢ head t: 𝔹 퐸푟 ∆⊢ tail t: 𝔹n−1 퐸푙

Γ ⊢ t: S(S(A) × B) Γ ⊢ t: S(A × S(B)) ⇑r ⇑ℓ Γ ⊢⇑r 푡: 푆(퐴 × 퐵) Γ ⊢⇑ℓ 푡: 푆(퐴 × 퐵)

Table 9 shows the updated table system that contains all the rules that was included in Table 4 plus it would contain new rules such as the rules for tensor, cast and

훼 + updated rule SE. The rules Ax, 퐴푥0⃗⃗ , 퐴푥|0>, 퐴푥|1>, ≺ , 푆퐼 , 푆퐼 , If, ⇒퐼, ⇒퐸 and ⇒퐸푆 will remain unchanged. “Rule SE types the generalized projection: we force the term to be measured to be typed with a type of the form S(𝔹n), and then, after measuring the first j qubits, the new type becomes 𝔹푗 × 푆(𝔹푛−푗), that is, we remove the superposition mark

푆(∙) from the first j types in the tensor product” [5]. According to Table 9, Rules W and C

푛 are only updated to execute on types 𝔹 instead of 𝔹. Rules ×퐼, ×퐸푟 and ×퐸푙 are the standard introduction and elimination for lists, but can only be used on terms with type

푛 𝔹 , which are considered to be the basis qubits. ⇑푟 and ⇑ℓ output the castings. Due to the rule of the subtyping relation, casting a superposed type into a superposed tensor product is the only type of casting that needs to be allowed. For example, “to cast 푡 × (푟 + 푠) from type A × S(B) to type S(A × B), we can use the subtyping first to assign the type

S(A × S(B)) to t × (r + s)” [5]. The function min needs to be updated in order to include products in order to update the rewrite system, which can be demonstrated with the following equations: min(𝔹) = 𝔹, min(Ψ ⇒ 퐴) = Ψ ⇒min(A), min(A × B) = min(A) × min(B) and min(S(A)) = min(A).

Table 10 - Rewrite System

If 푏 has type 𝔹푛 and 푏 ∈ ℬ, then

(훽푏) 푛 푏 Beta Rules (휆푥𝔹 . 푡)푏 → ( ) 푡 (1) 푥

If u has type 푆(Ψ), then (훽푛)

푢 (휆푥푆(Ψ) . 푡)푢 → ( ) 푡 (1) 푥

|1 > ? 푡 ∙ 푟 →(1) 푡 푖푓1 If Rules

|0 > ? 푡 ∙ 푟 →(1) 푟 푖푓0

If 푡 has type 𝔹푛 ⇒ 퐴, then 푡(푢 + + 푙푖푛푟 푣) →(1) (푡푢 + 푡푣)

If 푡 has type 𝔹푛 ⇒ 퐴, then 훼 푙푖푛푟 푡(훼 . 푢) → 훼 . 푡푢 Linear (1)

푛 Distribution If 푡 has type 𝔹 ⇒ 퐴, then 0 푙푖푛푟 Rules 푡0⃗ 푆(𝔹푛) →(1) 0⃗ 푆(min(퐴))

+ (푡 + 푢)푣 →(1) (푡푣 + 푢푣) 푙푖푛푙

훼 (훼 . 푡)푢 →(1) 훼 . 푡푢 푙푖푛푙

0 0⃗ 푆(𝔹푛⇒퐴)푡 →(1) 0⃗ 푆(min(퐴)) 푙푖푛푙

Vector Space (0⃗ 푆(퐴) + 푡) →(1) 푡 Axioms (푛푒푢푡푟푎푙)

Rules

1. 푡 →(1) 푡 (푢푛푖푡)

If 푡 has type 퐴, then 0. 푡 →(1) 0⃗ 푆(min(퐴)) (푧푒푟표훼)

훼. 0⃗ 푆(퐴) →(1) 0⃗ 푆(min(퐴)) (푧푒푟표)

훼. (훽 . 푡) →(1) (훼훽) . 푡 (푝푟표푑)

훼푑푖푠푡 훼. (푡 + 푢) →(1) (훼 . 푡 + 훼 . 푢) (푑푖푠푡 )

(훼 . 푡 + 훽 . 푡) →(1) (훼 + 훽) . 푡 (푓푎푐푡)

1 (훼 . 푡 + 푡) →(1) (훼 + 1) . 푡 (푓푎푐푡 )

2 (푡 + 푡) →(1) 2 . 푡 (푓푎푐푡 )

If 퐴 ≠ min(퐴), then 0⃗ 푆(퐴) →(1) 0⃗ 푆(min(퐴)) (푧푒푟표푠)

(푡 + 푟) = _퐴퐶(푟 + 푡) (푐표푚푚)

((푡 + 푟) + 푠) = _퐴퐶(푡 + (푟 + 푠)) (푎푠푠표푐)

If ℎ ≠ 푢 × 푣 and ℎ ∈ ℬ, ℎ푒푎푑 ℎ × (ℎ푒푎푑) Lists 푡 →(1) ℎ

If ℎ ≠ 푢 × 푣 and ℎ ∈ ℬ, 푡푎푖푙 ℎ × 푡 →(1) 푡 (푡푎푖푙)

+ ⇑푟 (푟 + 푠) × 푢 →(1) (⇑푟 푟 × 푢 +⇑푟 푠 × 푢) (푑푖푠푡푟 )

+ ⇑ℓ 푢 × (푟 + 푠) →(1) (⇑ℓ 푢 × 푟 +⇑ℓ 푢 × 푠) (푑푖푠푡ℓ )

훼 ⇑푟 (훼 . 푟) × 푢 →(1) 훼 . ⇑푟 푟 × 푢 (푑푖푠푡푟 )

훼 ⇑ℓ 푢 × (훼 . 푟) →(1) 훼 . ⇑푟 푢 × 푟 (푑푖푠푡푙 )

If 푢 has type 퐵, ⇑푟 0⃗ 푆(퐴) × 0 (푑푖푠푡푟 ) 푢 →(1) 0⃗ 푆(min(퐴×퐵)) Typing Casts

If 푢 has type 퐴, ⇑ℓ 푢 × 0 (푑푖푠푡ℓ ) 0⃗ 푆(퐵) →(1) 0⃗ 푆(min(퐴×퐵))

+ ⇑ (푡 + 푢) →(1) (⇑ 푡+⇑ 푢) (푑푖푠푡⇑ )

훼 ⇑ (훼 . 푡) →(1) 훼 . ⇑ 푡 (푑푖푠푡⇑ )

⇑ If 푢 ∈ 픅, ⇑푟 푢 × 푣 →(1) 푢 × 푣 (푛푒푢푡푟 )

⇑ If v∈ 픅, ⇑ℓ 푢 × 푣 →(1) 푢 × 푣 (푛푒푢푡ℓ )

Projection 푛 푚 푗 휋푗 (∑ [훼푖. ] ∏ 푏ℎ푖) →(푝) (∏ 푏ℎ푘) 푖=1 ℎ=1 ℎ=1 Rule 푚 훼푖 × ∑ ( ) ∏ 푏ℎ푖 2 푖∈푃 √∑푟∈푃 |훼푟| ℎ=푗+1

2 <푛 |휋푗 | Where 푘 < 푛; 푃 ⊆ ℕ s.t. ∀ℎ < 푗, 푏ℎ푖 = 푏ℎ푘; 푝 = ∑푖 ∈푃 푛 2 ; ∀푖, ∑푟=1 |훼푟 |

푛 푚 푏푖 = |0 > or 푏푖 = |1 >; ∑푖 =1[훼푖. ] ∏ ℎ=1 푏ℎ푖 is a normal term; and if

2 an 훼푘 is absent, |훼푘| = 1

If 푡 →(푝) 푢, then

𝔹푛 푡푣 →(푝) 푢푣 (휆푥 . 푣)푡 →(푝) (푡 + 푣) →(푝) (푢 + 푣)

푛 Contextual (휆푥𝔹 . 푣)푢

Rules 훼. 푡 →(푝) 훼. 푢 휋푗푡 →(푝) 휋푗푢 푡 × 푢 →(푝) 푢 × 푣

푣 × 푡 →(푝) 푣 × 푢 ⇑푟 푡 →(푝)⇑푟 푢 ⇑ℓ 푡 →(푝)⇑ℓ 푢

ℎ푒푎푑 푡 →(푝) ℎ푒푎푑 푢 푡푎푖푙 푡 →(푝) 푡푎푖푙 푢 푡? 푟푐푑표푡푠 →(푝) 푢? 푟푐푑표푡푠

Table 10 shows the updated rewrite system, which comes with the rules that was included in Table 5 along with the rules for lists ((head) and (tail)) and the typing casts rules that would normalize superpositions to sums of base terms as well as updating the types. In Table 10, the rule projection has been updated in order to be able to handle multiple qubits systems by normalizing the scalars on the term that was obtained in the computation. “The call-by-base beta rule (훽푏) and the contextual rule admitting reducing the argument on an application for the call-by-base abstraction are updated to allow for abstractions expecting arguments of type 𝔹푛 instead of just 𝔹 (that is, any base qubit type)” [5].

+ 훼 0 + The first six rules ((푑푖푠푡푟 ), (푑푖푠푡푟 ), (푑푖푠푡푟 ) as well as the analogous (푑푖푠푡푙 ),

훼 0 (푑푖푠푡푙 ) , (푑푖푠푡푙 )) in the typing cast group deals with the distributing sums, scalar product and null vector. If the type cast (⇑) is ignored for every rule, then the rules would just be the distributary rules and it is very crucial to include it in every rules in order to reduce

+ the terms without losing the subject reduction. For example, “rule (푑푖푠푡푟 ) acts on the term (r + s) × u, distributing the sum with respect to the tensor product, producing (r × u

+ s × u) (distribution to the right). However, the term (r + s) × u may have type S(A) ×

B, S(A) × S(B) or S(A × B), while, among those, the term (r × u + s × u) can only have type S(A × B)” [5]. The first term cannot be directly reduced to the second term without losing subject reduction. In order to reduce the first term to the second term, the term would need to explicitly be casted to the valid type in order for reduction to work. The

+ 훼 next two rules ((푑푖푠푡⇑ ), (푑푖푠푡⇑ )) in the typing cast group deal with distributing the cast to sums and scalars. For example, “⇑푟 ((훼 . |1 >) × |0 > + (훽 . |0 >) × |1 >) reduces

+ by rule (푑푖푠푡⇑ ) to (⇑푟 (훼 . |1 >) × |0 > + ⇑푟 (훽 . |0 >) × |1 >), and hence, the

⇑ ⇑ distributivity rule can act” [5]. The last two rules ((푛푒푢푡푟 ) and (푛푒푢푡푙 )) in the typing cast group deals with removing the cast whenever it is not needed. For example,

훼 훼 (푑푖푠푡푟 ) (푑푖푠푡푟 ) “⇑푟 (훼 . 훽 . |0 >) × |1 > → (1) 훼 . ⇑푟 (훽 . |0 >) × |1 > → (1) 훼 . 훽 . ⇑푟 |0 >

⇑ (푛푒푢푡푟 ) × |1 > → (1) 훼 . 훽 . |0 > × |1 >” [5].

The measurement rule, such as (proj), is updated to add the capability of measuring the first j qubits. “A n-qubits in normal form (that is, a sum of products of qubits with or without a scalar in front), for example, the term 2. (|0> × |1> × |1>) + |0>

× |1> × |0> + 3. (|1> × |1> × |1>) can be measured and will produce a n-qubits where the

47 first j qubits are the same and the remaining are untouched, with its scalars changed to have norm 1” [5]. Another example, when dealing with three qubits, measuring the first

2 1 two qubits will result in either |0 > × |1 > × ( ∙ |1 > + ∙| 0 >) or |1> × |1> × (1. √5 √5

|2|2 |1|2 |1>). The probability of coming up with the first qubit is + = (|2|2+|1|2+|3|2) (|2|2+|1|2+|3|2)

5 |3|2 9 and the probability of coming up with the second qubit is = . 14 (|2|2+|1|2+|3|2) 14

In conclusion, since call-by-base is a calculus concept that is present in the mechanics as part of expectation of a non-linear argument, “it avoids a well-known problem in others lambda calculus with a linear logic type system including modalities”

[5]. For instance, 푦: 푆(𝔹) ⊢ (휆푥𝔹 . 푥 × 푥)(휋푦): 푆(𝔹) × 푆(퐵). If the term perform a 훽- reduce, then it would result in (휋푦) × (휋푦), which is not typable for the y: S(𝔹) content.

Barber came up with a solution to this issue by having terms “that can be cloned distinguished by a mark and used in a let construction, while non-colon able terms are used in 휆 abstractions” [5].

2.1.10 – Subject Reduction

Due to the explicit casts, the resulting system contains the subject reduction property (more details in Theorem 5.12), which is the typing that is preserved by the weak reduction (on closed terms). The proof of this theorem varies depending on the scenario due to the complexity of the system. The two main lemma that will be covered and need to be taken as of great importance are the generation lemma (Lemma 5.7) and the substitution lemma (Lemma 5.11) with couple paradigm cases of the proof. |Γ| is denoted to the multiset of types in Γ. “For example, |푥: 𝔹, 푦: 𝔹, 퓏: 푆(𝔹) =

{𝔹, 𝔹, 푆(𝔹)}” [5]. The following lemmas will be shown below that contains rules when it

comes to dealing with the reduction on terms in quantum computation:

“Lemma 5.1. If A ≺ 𝔹푛, then A = 𝔹푛

Proof. By rule inspection.

Lemma 5.2. If S(A) ≺ 𝔹, then there exists C such that B = S(C)

Proof. Straightforward induction on the definition of ≺.

Lemma 5.3. If 푆푛(퐴 × 퐵) ≺ 퐶, then there exist m, D, E such that C = 푆푚 (퐷 × 퐸)

with 퐴 ≺ 퐷 and 퐵 ≺ 퐸.

Proof. By induction on the derivation of 푆푛 (퐴 × 퐵) ≺ 퐶.

Lemma 5.4. For any type A, we have min(A) ≺ A.

Proof. By cases over A.

Lemma 5.5. If A ≺ B, then min(A) = min(B).

Proof. By induction on the derivation of A ≺ B.

Lemma 5.6. If Γ ⊢ 푡: 퐴 and Γ ⊢ 푡: 퐵, then min(A) = min(B).

Proof. Let 휋 be the derivation tree of Γ ⊢ 푡: 퐴 and 휋′ the derivation tree of Γ ⊢ 푡: 퐵, we

proceed by induction on |π| + |휋′ |, where | ∙ | is the size of the derivation tree. Three

cases are given.

+ • If t = (r + s) and both derivations end with the rule 푆퐼 , then A = S(A’), B = S(B’),

′ ′ ′ ′ Γ1 ⊢ 푟: 퐴 , Γ2 ⊢ 푠: 퐴 , Γ1 ⊢ 푟: 퐵 and Γ2 ⊢ 푠: 퐵 where Γ1 is defined only on FV(r)

and Γ2 on FV(s). By the induction hypothesis, min(A’) = min(B’), hence min(A)

= min(B).

′ • If t = rs, 휋 ends with ⇒퐸 and 휋 with ⇒퐸푆, then Γ1 ⊢ 푟: Ψ ⇒ 퐴, Γ2 ⊢ 푠: Ψ, Γ1 ⊢

′ ′ ′ 푟: 푆(Ψ ⇒ 퐴 ) and Γ2 ⊢ 푠: 푆( Ψ ), with B = S(A’). By the induction hypothesis,

Ψ ⇒ min(퐴) = Ψ′ ⇒ min (퐴′), hence min(A) = min(A’) = min(B).

• If 휋 ends with rule ≺, then Γ ⊢ 푡: 퐴′ with A’ ≺ A. By the induction hypothesis, we

have min(A’) = min(B), and by Lemma 5.5, min(A’) = min(A). Hence, min(A) =

min(B).

Lemma 5.7 (Generation lemmas).

• If Γ ⊢ 푥: 퐴, then 푥: Ψ ∈ Γ, |Γ| \ {Ψ} ⊆, and Ψ ≺ 퐴.

• If Γ ⊢ 0⃗ 푆(퐵): 퐴, then 푆(퐵) ≺ 퐴 and |Γ| ⊆.

• If Γ ⊢ |0 >: 퐴, then 𝔹 ≺ 퐴 and |Γ| ⊆.

• If Γ ⊢ |1 >: 퐴, then 𝔹 ≺ 퐴 and |Γ| ⊆.

• If Γ ⊢ 훼 . 푡: 퐴, then Γ′ ⊢ 푡: 퐵 with Γ′ ⊆ Γ, |Γ\ Γ′ | ⊆ and 푆(퐵) ≺ 퐴.

• If Γ ⊢ (푡 + 푢): 퐴, then Γ1 ⊢ 푡: 퐵 and Γ2 ⊢ 푢: 퐵, with 푆(퐵) ≺ 퐴 and Γ1 ∪ Γ2 ⊆ Γ,

|Γ\ (Γ1 ∪ Γ2)| ⊆.

′ 푛 ′ ′ 푗 • If Γ ⊢ 휋푗푡: 퐴, then Γ ⊢ 푡: 푆(𝔹 ), with Γ ⊆ Γ, |Γ\ Γ | ⊆ and 𝔹 ×

푆(𝔹푛−푗) ≺ 퐴.

• If Γ ⊢ ? 푡 ∙ 푟: 퐴, then Γ ⊢ 푡: 퐵, Γ ⊢ 푟: 퐵, with 𝔹 ⇒ 퐵 ≺ 퐴 and |Γ| ⊆. Moreover,

the derivation trees of Γ ⊢ 푡: 퐵 and Γ ⊢ 푟: 퐵 are strictly smaller than the

derivation tree of Γ ⊢ ? 푡 ∙ 푟: 퐴.

• If Γ ⊢ 휆푥Ψ . 푡: 퐴, then Γ′′, 푥: Ψ ⊢ 푡: 퐵, with Γ′ ⊆ Γ, Ψ ⟹ 퐵 ≺ 퐴 and

| Γ\ Γ′| ⊆. Moreover, the derivation tree of Γ′′, 푥: Ψ ⊢ 푡: 퐵 is strictly smaller than

the derivation tree of Γ ⊢ 휆푥Ψ . 푡: 퐴.

• If Γ ⊢ 푡푢: 퐴, then one of the following possibilities happens:

o Γ1 ⊢ 푡: Ψ ⟹ 퐵 and Γ2 ⊢ 푢: Ψ, with 퐵 ≺ 퐴, or

o Γ1 ⊢ 푡: 푆(Ψ ⟹ 퐵) and Γ2 ⊢ 푢: 푆(Ψ), with 푆(퐵) ≺ 퐴. In both cases,

Γ1 ∪ Γ2 ⊆ Γ and |Γ|\ |Γ1 ∪ Γ2| ⊆.

• If Γ ⊢ 푡 × 푢: 퐴, then Γ1 ⊢ 푡: 퐵 and Γ2 ⊢ 푢: 퐶, with Γ1 ∪ Γ2 ⊆ Γ, |Γ\ (Γ1 ∪ Γ2| ⊆

and 퐵 × 퐶 ≺ 퐴.

• If Γ ⊢ ℎ푒푎푑 푡: 퐴, then Γ′ ⊢ 푡: 𝔹푛, with Γ ′ ⊆ Γ, | Γ\ Γ′| ⊆ and 𝔹 ≺ 퐴.

• If Γ ⊢ 푡푎푖푙 푡: 퐴, then Γ′ ⊢ 푡: 𝔹푛, with Γ ′ ⊆ Γ, | Γ\ Γ′| ⊆ and 𝔹푛−1 ≺ 퐴.

′ ′ ′ • If Γ ⊢ ⇑푟 푡: 퐴, then Γ ⊢ 푡: 푆(푆(퐵) × 퐶), with Γ ⊆ Γ, | Γ\ Γ | ⊆ and

푆(퐵 × 퐶) ≺ 퐴.

′ ′ ′ • If Γ ⊢ ⇑ℓ 푡: 퐴, then Γ ⊢ 푡: 푆(퐵 × 푆(퐶)), with Γ ⊆ Γ, | Γ\ Γ | ⊆ and

푆(퐵 × 퐶) ≺ 퐴.

Corollary 5.8 (Simplification).

1. If ⊢ (푡 + 푢): 퐴, then ⊢ 푡: 퐴 and ⊢ 푢: A.

2. If ⊢ (푡 + 푢): 퐴, then If 퐴 = 푆(퐵).

3. If ⊢ 훼 . 푡: 퐴, then ⊢ 푡: 퐴.

4. If ⊢ 훼 . 푡: 퐴, then ⊢ 훽 . 푡: 퐴.

5. If ⊢ 훼 . 푡: 퐴, then 퐴 = 푆(퐵).

Proof:

1. By Lemma 5.7, ⊢ 푡: 퐵 and ⊢ 푢: 퐵 with 퐵 ≺ 푆(퐵) ≺ 퐴, then, we conclude by

rule ≺.

2. By Lemma 5.7, ⊢ 푡: 퐶 and ⊢ 푢: 퐶 with 퐶 ≺ 푆(퐶) ≺ 퐴, but then, by Lemma 5.2,

A = S(B) for some type B.

3. By Lemma 5.7, ⊢ 푡: 퐵, with 푆(퐵) ≺ 퐴, then, we conclude by rule ≺.

훼 4. By Lemma 5.7, ⊢ 푡: 퐵, with 푆(퐵) ≺ 퐴, then we conclude by rules 푆퐼 and ≺.

5. By Lemma 5.7, ⊢ 푡: 퐶 with 푆(퐶) ≺ 퐴, but then, by Lemma 5.2, A = S(B) for

some type B.

Corollary 5.9. If 푏 ∈ ℬ and ⊢ 푏: 푆(퐴), then ⊢ 푏: 퐴.

Proof. By cases analysis on b.

• Let 푏 = 휆푥Ψ . 푡. Then, by Lemma 5.7, 푥: Ψ ⊢ 푡: 퐵, with Ψ ⟹ B ≺ 푆(퐴), and so

Ψ ⟹ B ≺ 퐴, and we conclude by rule ≺.

• Let 푏 = |0 >. Then, by Lemma 5.8, 𝔹 ≺ 푆(퐴), hence 𝔹 ≺ 퐴 and we conclude

by rule ≺.

• Let rule 푏 = |1 >. Analogous to previous case.

• Let rule 푏 = 푏1 × 푏2. Then, by Lemma 5.7, ⊢ 푏1: 퐵1, ⊢ 푏2: 퐵2, and

퐵1 × 퐵2 ≺ 푆(퐴). Hence 퐵1 × 퐵2 ≺ 퐴 and we conclude by rule ≺.

Lemma 5.10. If Γ ⊢ 푡: 퐴 and FV(t) = ∅, then |Γ| ⊆.

Proof. If FV(t) = ∅ then ⊢ 푡: 퐴. If Γ ≠ ∅, the only way to derive ⊢ 푡: 퐴 is by using rule W to form Γ, hence |Γ| ⊆.

Lemma 5.11 (Substitution lemma). Let FV(u) = ∅, then if Γ, 푥: Ψ ⊢ 푡: 퐴, ∆⊢ 푢: Ψ,

푢 where if Ψ = 𝔹푛 then 푢 ∈ ℬ, we have Γ, ∆⊢ ( ) 푡: 퐴. 푥

Proof. Notice that due to Lemma 5.10, |∆| ⊆, hence, it suffices to consider ∆= ∅. By structural induction on t. Since the strategy is weak, subject reduction is proven for closed

52 terms.

The set of terms can be divided in the following groups:

• unclassified ≔ 푥|휆푥Ψ . 푡

• arity0 ≔ 0⃗ 푆(퐴)||0 > ||1 >

• arity1(r) ≔ 휋푗푟|훼. 푟|ℎ푒푎푑 푟|푡푎푖푙 푟| ⇑푟 푡| ⇑ℓ 푡

• arity2(r)(s) ≔ 푟푠|(푟 + 푠)|푟 × 푠|? 푟 ∙ 푠

Hence, we can consider the terms by groups:

푢 • By Lemma 5.7, |Γ| ⊆ and Ψ ≺ A. Since (u/x)x = u, we have ⊢ ( ) 푥: Ψ. Hence, 푥

푢 since Ψ ≺ 퐴, by rule ≺ , ⊢ ( ) 푥: 퐴. Finally, since |Γ| ⊆, by rule W, we have Γ ⊢ 푥

푢 () 푥: 퐴. 푥

• By Lemma 5.7, 푦: Ψ′ ∈ Γ, (|Γ| ∪ {Ψ}) {Ψ′} ⊆ and Ψ′ ≺ A. Hence, by rule ≺,

푦: Ψ′ ⊢ 푦: 퐴. Since |Γ| ⊆, by rule W, we have Γ ⊢ 푦: 퐴. Finally, since (u/x)y = y,

푢 we have Γ ⊢ () 푦: 퐴. 푥

• Without loss of generality, assume y is does not appear free in u. By Lemma 5.7,

Γ′, 푦: Ψ′ ⊢ 푣: 퐵, with Γ′ ⊆ Γ ∪ {x: Ψ}, Ψ′ ⇒ 퐵 ≺ 퐴 and (|Γ| ∪ {Ψ}) |Γ′| ⊆. By

푢 the induction hypothesis, Γ′′, 푦: Ψ′ ⊢ ( ) 푣: 퐵, with Γ′′ = Γ′ {푥: Ψ}. Notice that if 푥

푥: Ψ ∈ Γ′, the induction hypothesis applies directly, in other case, Ψ ∈ and so by

rule W the context can be enlarged to include 푥: Ψ, hence the induction

′ 푢 hypothesis applies in any case. Therefore, by rule ⇒ , Γ′′ ⊢ 휆푦Ψ . ( ) 푣: Ψ′ ⟹ 퐼 푥

′ 푢 퐵. Since Ψ′ ⟹ 퐵 ≺ 퐴, by rule ≺, Γ′′ ⊢ 휆푦Ψ . ( ) 푣: A. Hence, since |Γ| |Γ′′ | ⊆, 푥

′ 푢 by rule W, Γ ⊢ 휆푦Ψ . ( ) 푣: 퐴. Since y does not appear free in u, 푥

′ 푢 푢 ′ ′ 푢 휆푦Ψ . ( ) 푣 = ( ) (휆푦Ψ ∙ 푣). Therefore, Γ ⊢ 휆푦Ψ . ( ) 푣: 퐴. 푥 푥 푥

• All of these terms are typed by an axiom with a type B which, by Lemma 5.7,

퐵 ≺ 퐴. Also, by the same Lemma, | Γ, x: Ψ| ⊆. So, we can type with the axiom,

and empty content, ⊢ 푎푟푖푡푦0 : 퐵, and so, by rule W, Γ ⊢ 푎푟푖푡푦0 : 퐵. Notice that

arity0 = (u/x)arity0. We conclude by rule ≺.

• By Lemma 5.7, Γ′ ⊢ 푟: 퐵, such that by a derivation tree T, Γ′ ⊢ 푎푟푖푡푦1(푟): 퐶,

where Γ′ ⊆ (Γ ∪ {x: Ψ}), (|Γ| ∪ Ψ) \ |Γ′| ⊆ and 퐶 ≺ 퐴. If 푥: Ψ ∉ Γ′ , then Ψ = B

and so we can extend Γ′ with 푥: Ψ. Hence, in any case, by the induction

푢 hypothesis, Γ′ \ {푥: Ψ} ⊢ ( ) 푟: 퐶. Then, using the derivation tree T, 푥

푢 푢 푢 Γ′ \ {푥: Ψ} ⊢ 푎푟푖푡푦1 (( ) 푟) : 퐶. Notice that 푎푟푖푡푦1 (( ) 푟) = ( ) 푎푟푖푡푦1 (푟). 푥 푥 푥

We conclude by rules W and ≺.

• By Lemma 5.7, Γ1 ⊢ 푟: 퐶 and Γ2 ⊢ 푠: 퐷, such that by a typing rule R, Γ1, Γ2 ⊢

2 푎푟푖푡푦 (푟)(푠): 퐸, with 퐸 ≺ 퐴, and where (Γ1 ∪ Γ2) ⊆ (푇 ∪ {x: Ψ}) and

(|Γ| ∪ Ψ)\ (|Γ1| ∪ |Γ2|) ⊆. Therefore, if 푥: Ψ ∉ Γ푖, 푖 = 1, 2, we can extend Γ푖 with

푥: Ψ using rule W. Hence, by the induction hypothesis, Γ1 setminus {푥: Ψ} ⊢

푢 푢 푢 ( ) 푟: 퐶 and Γ \ {푥: Ψ} ⊢ 푎푟푖푡푦2 (( ) 푟) (( ) 푠) : 퐸. Notice that 푥 2 푥 푥

푢 푢 푢 푎푟푖푡푦2 (( ) 푟) (( ) 푠) = ( ) 푎푟푖푡푦2(푟)(푠). We conclude by rules W and ≺. 푥 푥 푥

Theorem 5.12 (Subject reduction on closed terms). For any closed terms t and u and type A, if 푡 →(푝) 푢 and ⊢ 푡: 퐴, then ⊢ 푢: 퐴.

Proof. By induction on the rewrite relation. 54

• Let ⊢ (휆푥Ψ . 푡)푢: 퐴, with ⊢ 푢: Ψ, where, if Ψ = 𝔹n, then 푢 ∈ ℬ. Then by Lemma

5.7, one of the following possibilities happens:

o (a) ⊢ 휆푥Ψ . 푡: Ψ′ ⇒ B and ⊢ 푢: Ψ′, with 퐵 ≺ 퐴, or

o (b) ⊢ 휆푥Ψ . 푡: 푆(Ψ′ ⇒ B) and ⊢ 푢: S(Ψ′), with 푆(퐵) ≺ 퐴.

Thus, in any case, by Lemma 5.7 again, 푥: Ψ ⊢ 푡: 퐶, with, in case Proof, Ψ ⇒

C ≺ Ψ′ ⇒ B and in case Proof, Ψ ⇒ C ≺ S(Ψ′ ⇒ B). Hence, Ψ = Ψ′ and in the

first case 퐶 ≺ 퐵 ≺ 퐴, while in the second, 퐶 ≺ 퐵 ≺ 푆(퐵) ≺ 퐴, so, in general

푢 퐶 ≺ 퐴. Since ⊢ 푢: Ψ, where if Ψ = 𝔹n, then 푢 ∈ ℬ, by Lemma 5.11, ⊢ ( ) 푡: 퐶, 푥

푢 and by rule ≺, ⊢ ( ) 푡: 퐴. 푥

• Let ⊢ |1 > ? 푢 ∙ 푣: 퐴. Then, by Lemma 5.7, one of the following possibilities

happens:

o ⊢? 푢 ∙ 푣: Ψ ⇒ B and ⊢ |1 > : Ψ, with 퐵 ≺ 퐴. Then, by Lemma 5.7 again,

⊢ 푢: 퐶, ⊢ 푣: 퐶 and 𝔹 ⇒ C ≺ Ψ ⇒ B. Hence, Ψ = B and 퐶 ≺ 퐵 ≺ 퐴.

o ⊢? 푢 ∙ 푣: 푆(Ψ ⇒ B) and ⊢ |1 > : 푆(Ψ), with 푆(퐵) ≺ 퐴. Then, by Lemma

5.7 again, ⊢ 푢: 퐶, ⊢ 푣: 퐶 and 𝔹 ⇒ C ≺ S(Ψ ⇒ B). Hence, Ψ = B and

퐶 ≺ 퐵 ≺ 푆(퐵) ≺ 퐴.

So, by rule ≺, ⊢ 푢: 퐴.

• Analogous to case if1.

• Let ⊢ 푡 (푢 + 푣): 퐴, with ⊢ 푡: 𝔹n ⇒ B. Then, by Lemma 5.7, one of the following

cases happens:

o (a) ⊢ 푡: Ψ ⇒ C and ⊢ (푢 + 푣): Ψ, with 퐶 ≺ 퐴. However, since ⊢ 푡: 𝔹n ⇒

B, we have Ψ ∈, which is impossible due to Corollary 5.8.

o (b) ⊢ 푡: 푆(Ψ) ⇒ C and ⊢ (푢 + 푣): Ψ, with 푆(퐶) ≺ 퐴. Then, by Corollary

5.8, ⊢ 푢: 푆(Ψ) and ⊢ 푣: 푆(Ψ). Hence,

⊢ 푡: 푆(Ψ ⇒ C) ⊢ 푢: 푆(Ψ) ⊢ 푡: 푆(Ψ ⇒ C) ⊢ 푣: 푆(Ψ) ⇒ ⇒ ⊢ 푡푢: 푆(퐶) 퐸푆 ⊢ 푡푣: 푆(퐶) 퐸푆 푆+ ⊢ (푡푢 + 푡푣) ∶ 푆(푆(퐶)) 퐼 ≺ ⊢ (푡푢 + 푡푣): 퐴

• Let ⊢ 푡(푎 . 푢): 퐴, with ⊢ 푡: 𝔹n ⇒ B. Then, by Lemma 5.7, one of the following

cases happens:

o (a) ⊢ 푡: Ψ ⇒ C and ⊢ 훼 . 푢: Ψ, with 퐶 ≺ 퐴. However, since ⊢ 푡: 𝔹n ⇒ B,

we have Ψ ∈, which is impossible due to Corollary 5.8.

o (b) ⊢ 푡: 푆(Ψ ⇒ C) and ⊢ 훼 . 푢: 푆(Ψ), with 푆(퐶) ≺ 퐴. Then, by Corollary

5.8, ⊢ 푢: 푆(Ψ). Hence,

⊢ 푡: 푆(Ψ ⇒ C) ⊢ 푢: 푆(Ψ) ⇒ ⊢ 푡푢: 푆(퐶) 퐸푆 푆훼 ⊢ 훼. 푡푢: 푆(푆(퐶)) 퐼 ≺ ⊢ 훼. 푡푢: 퐴

n • Let ⊢ 푡 0⃗ 푆(𝔹n): 퐴, with ⊢ 푡: 𝔹 ⇒ B. Then, by Lemma 5.7, one of the following

cases happens:

o (a) ⊢ 푡: Ψ ⇒ C and ⊢ 0⃗ 푆(𝔹n): Ψ, with 퐶 ≺ 퐴. Then, by Lemma 5.7 again,

푆(𝔹n) ≺ Ψ. However, since ⊢ 푡: 𝔹n ⇒ B, Ψ ∈, which is impossible by

Lemma 5.2.

⃗ o (b) ⊢ 푡: 푆(Ψ ⇒ C) and ⊢ 0푆(𝔹n): 푆(Ψ), with 푆(퐶) ≺ 퐴. By rule 퐴푥0⃗⃗ , ⊢

n 0⃗ 푆(min(퐵)): 푆(min(퐵)). Since ⊢ 푡: 𝔹 ⇒ B and ⊢ 푡: S(Ψ) ⇒ C, by Lemma

5.6, we have min(𝔹n ⇒ B) = min (푆(Ψ ⇒ C)), so min(B) = min(C).

Then, by Lemma 5.4, min(B) = min(C) ≺ 퐶, then

푆(min(퐵)) ≺ 푆(퐶) ≺ 퐴, so we conclude by rule ≺.

• Let ⊢ (푡 + 푢)푣 ∶ 퐴, with ⊢ 푡: 𝔹n ⇒ B. Then, by Lemma 5.7, one of the following

cases happens:

o (a) ⊢ (푡 + 푢): Ψ ⇒ B, which is impossible by Corollary 5.8.

o (b) ⊢ (푡 + 푢): 푆(Ψ ⇒ B) and ⊢ 푣: 푆(Ψ), with 푆(퐵) ≺ 퐴. Then, by

Corollary 5.8, ⊢ 푡: 푆(Ψ ⇒ B) and ⊢ 푣: 푆(Ψ ⇒ B). Hence,

⊢ 푡: 푆(Ψ ⇒ B) ⊢ 푣: 푆(Ψ) ⊢ 푢: 푆(Ψ ⇒ B) ⊢ 푣: 푆(Ψ) ⇒ ⇒ ⊢ 푡푣: 푆(퐵) 퐸푆 ⊢ 푢푣: 푆(퐵) 퐸푆 푆+ ⊢ (푡푣 + 푢푣) ∶ 푆(푆(퐵)) 퐼 ≺ ⊢ (푡푣 + 푢푣): 퐴

• Let ⊢ (훼 . 푡)푢: 퐴. Then, by Lemma 5.7, one of the following cases happens:

o (a) ⊢ 훼 . 푡: Ψ ⇒ B, which is impossible by Corollary 5.8.

o (b) ⊢ 훼 . 푡: 푆(Ψ ⇒ B) and ⊢ 푢: 푆(Ψ), with 푆(퐵) ≺ 퐴. Then, by Corollary

5.8, ⊢ 푡: 푆(Ψ ⇒ B). Hence,

⊢ 푡: 푆(Ψ ⇒ B) ⊢ 푢: 푆(Ψ) ⇒ ⊢ 푡푢: 푆(퐵) 퐸푆 푆훼 ⊢ 훼. 푡푢: 푆(푆(퐵)) 퐼 ≺ ⊢ 훼. 푡푢: 퐴

• Let ⊢ 0⃗ 푆(𝔹⇒B)푡: 퐴. Then, by Lemma 5.7, one of the following cases happens:

o (a) ⊢ 0⃗ 푆(𝔹⇒B): Ψ ⇒ C and ⊢ 푡: Ψ, with 퐶 ≺ 퐴. Then, by Lemma 5.7 again,

푆(𝔹 ⇒ B) ≺ Ψ ⇒ C, which is impossible by Lemma 5.2.

o (b) ⊢ 0⃗ 푆(𝔹⇒B): S(Ψ ⇒ C) and ⊢ 푡: 푆(Ψ), with 푆(퐶) ≺ 퐴. By Lemma 5.7

again, 푆(𝔹 ⇒ B) ≺ S(Ψ ⇒ C). By Lemma 5.6, 푚푖푛(𝔹 ⇒ B) =

min (Ψ ⇒ C), so min(퐵) = min(퐶), and by Lemma 5.4, min(퐶) ≺ 퐶,

hence min(퐵) ≺ 퐶, and then 푆(min(퐵)) ≺ 푆(퐶) ≺ 퐴. By rule 퐴푥0⃗⃗ , ⊢

0⃗ 푆(푚푖푛(B)): 푆(min(퐵)), hence we conclude by rule ≺.

• Let ⊢ (0⃗ 푆(A) + 푡): 퐴. Then, by Corollary 5.8, ⊢ 푡: 퐴.

• Let ⊢ 1 . 푡: 퐴. Then, by Corollary 5.8, ⊢ 푡: 퐴.

• Let ⊢ 0 . 푡: 퐴, with ⊢ 푡: 퐵. Then, we must show that ⊢ 0⃗ 푆(푚푖푛(B)): 퐴. By Lemma

5.7, ⊢ 푡: 퐶 and 푆(퐶) ≺ 퐴. By Lemma 5.4, min(퐶) ≺ 퐶. Therefore, 푆(min(퐵)) =

⃗ 푆(min(퐶)) ≺ 퐶 ≺ 퐴. By rule 퐴푥0⃗⃗ , ⊢ 0푆(푚푖푛(B)): 푆(min(퐵)), hence we can

conclude by rule ≺.

• Let ⊢ 훼. 0⃗ 푆(퐵): 퐴. By Lemma 5.7, ⊢ 0⃗ 푆(퐵): 퐶 with 푆(퐶) ≺ 퐴. Then, by Lemma 5.7

again, 푆(퐵) ≺ 퐶. In addition, by Lemma 5.4, min(퐵) ≺ 퐵. Therefore,

푆(min(퐵)) ≺ 푆(퐵) ≺ 퐶 ≺ 푆(퐶) ≺ 퐴. Since, by rule 퐴푥0⃗⃗ , ⊢

0⃗ 푆(푚푖푛(B)): 푆(min(퐵)), we conclude by rule ≺ that ⊢ 0⃗ 푆(푚푖푛(B)): 퐴.

• Let ⊢ 훼 . (훽 . 푡): 퐴. By Corollary 5.8, ⊢ 훽 . 푡: 퐴. Then, by Corollary 5.8 again, ⊢

(훼 × 훽) . 푡: 퐴.

• Let ⊢ 훼 . (푡 + 푢): 퐴. By Lemma 5.7, ⊢ (푡 + 푢): 퐵, with 푆(퐵) ≺ 퐴. Then, by

훼 Corollary 5.8, ⊢ 푡: 퐵 and ⊢ 푢: 퐵. Hence, by rule 푆퐼 , ⊢ 훼 . 푡: 푆(퐵) and ⊢

+ 훼 . 푢: 푆(퐵). We conclude the rules 푆퐼 and ≺.

• Let ⊢ (훼 . 푡 + 훽 . 푡): 퐴. By Corollary 5.8, ⊢ 훼 . 푡: 퐴. Then, by Corollary 5.8 again,

⊢ (훼 + 훽) . 푡: 퐴.

• Let ⊢ (훼 . 푡 + 푡): 퐴. By Corollary 5.8, ⊢ 훼 . 푡: 퐴. Then, by Corollary 5.8 again, ⊢

(훼 + 1) . 푡: 퐴.

훼 • Let ⊢ (푡 + 푡): 퐴. By Lemma 5.7, ⊢ 푡: 퐵 , with 푆(퐵) ≺ 퐴. Then, by rule 푆퐼 , ⊢

2 . 푡: 푆(퐵). We conclude by rule ≺.

• Let ⊢ 0⃗ 푆(퐴): 퐵. Then, by Lemma 5.7, 푆(퐴) ≺ 퐵. By Lemma 5.4, min(퐴) ≺ 퐴,

⃗ hence 푆(min(퐴)) ≺ 푆(퐴). By rule 퐴푥0⃗⃗ , ⊢ 0푆(푚푖푛(A)): 푆(min(퐴)), and since

푆(min(퐴)) ≺ 푆(퐴) ≺ 퐵, we conclude by rule ≺.

• Let ⊢ (푢 + 푣): 퐴. By Lemma 5.7, ⊢ 푢: 퐵 and ⊢ 푣: 퐵, with 푆(퐵) ≺ 퐴. So

⊢ 푣: 퐵 ⊢ 푢: 퐵 푆+ ⊢ (푣 + 푢) ∶ 푆(퐵) 퐼 ≺ ⊢ (푣 + 푢): 퐴

• Let ⊢ ((푢 + 푣) + 푤): 퐴. By Lemma 5.7, ⊢ (푢 + 푣): 퐵 and ⊢ 푤: 퐵, with

푆(퐵) ≺ 퐴. Then, by Corollary 5.8, ⊢ 푢: 퐵 and ⊢ 푣: 퐵. Hence,

⊢ 푢 ∶ 퐵 ⊢ 푣 ∶ 퐵 ⊢ 푤 ∶ 퐵 ≺ 푆+ ⊢ 푢 ∶ 푆(퐵) ⊢ (푣 + 푤) ∶ 푆(퐵) 퐼 푆+ ⊢ (푢 + (푣 + 푤)) ∶ 푆(푆(퐵)) 퐼 ≺ ⊢ (푢 + (푣 + 푤)): 퐴

푛 • Let ⊢ head (푣 × 푢): 퐴, with 푣 ≠ 푡1 × 푡2. Hence, by Lemma 5.7, ⊢ 푣 × 푢: 𝔹 ,

with 𝔹 ≺ 퐴. Then, by Lemma 5.7 again, ⊢ 푣: 퐵 and ⊢ 푢: 퐶, with 퐵 × 퐶 ≺ 𝔹푛 .

Lemma 5.1 퐵 × 퐶 = 𝔹푛 , so 퐵 = 𝔹푚. Since 푣 ∈ 풱, by Lemma 5.7, 퐵 is not a

product, and so 퐵 = 𝔹 ≺ 퐴. Therefore, we conclude by rule ≺.

• Analogous to case (head).

• Let ⊢⇑푟 ((푟 + 푠) × 푢): 퐴. By Lemma 5.7, 푆(퐵 × 퐶) ≺ 퐴 and ⊢ (푟 + 푠) ×

푢: 푆(푆(퐵) × 퐶). Then, by the same Lemma, ⊢ (푟 + 푠): 퐷 and ⊢ 푢: 퐸, with

퐷 × 퐸 ≺ 푆(푆(퐵) × 퐶), so by Lemma 5.3, there exists 퐹, 퐺, 푛 such that

푆(푆(퐵) × 퐶) = 푆푛(퐹 × 퐺) and 퐷 ≺ 퐹 and 퐸 ≺ 퐺. Therefore, 푛 = 1 and

푆(퐵) × 퐶 = 퐹 × 퐺. Since ⊢ (푟 + 푠): 퐷, by Lemma 5.7, there exists 퐻 such that

푆(퐻) ≺ 퐷, so by transitivity 푆(퐻) ≺ 퐹. Then, by Lemma 5.2, 퐹 has the form

푆(퐼). Therefore, neither 퐹 nor 푆(퐵) are products, and hence 푆(퐵) = 퐹 and 퐶 =

퐺. Hence, 퐷 ≺ 푆(퐵) and 퐸 ≺ 퐶, and hence ⊢ (푟 + 푠): 푆(퐵) and ⊢ 푢: 퐶. Then, by

Corollary 5.8, ⊢ 푟: 푆(퐵) amd ⊢ 푠: 푆(퐵). Therefore,

⊢ 푟: 푆(퐵) ⊢ 푢 ∶ 퐶 ⊢ 푠 ∶ 푆(퐵) ⊢ 푢 ∶ 퐶 푥 ⊢푟×푢∶푆(퐵)×퐶 퐼 ⊢푠×푢∶푆(퐵)×퐶 푥퐼 ≺ ≺ ⊢ 푟 × 푢 ∶ 푆(푆(퐵) × 퐶) ⊢ 푠 × 푢 ∶ 푆(푆(퐵) × 퐶) ⇑ ⇑ ⊢⇑ (푟 × 푢) ∶ 푆(퐵 × 퐶) 푟 ⊢⇑ (푠 × 푢) ∶ 푆(퐵 × 퐶) 푟 푟 푟 푆+ ⊢ (⇑ (푟 × 푢) + ⇑ (푠 × 푢)) ∶ 푆(푆(퐵 × 퐶)) 퐼 푟 푟 ≺ ⊢ (⇑푟 (푟 × 푢) + ⇑푟 (푠 × 푢)): 퐴

+ • Analogous to case (푑푖푠푡푟 ).

• Let ⊢⇑푟 ((훼 . 푟) × 푢): 퐴. By Lemma 5.7, 푆(퐵 × 퐶) ≺ 퐴 and ⊢ ((훼 . 푟) × 푢) ∶

푆(푆(퐵) × 퐶). Then, by the same Lemma, ⊢ 훼 . 푟: 퐷 and ⊢ 푢: 퐸, with

퐷 × 퐸 ≺ 푆(푆(퐵) × 퐶), so by Lemma 5.3, there exists 퐹, 퐺, 푛 such that

푆(푆(퐵) × 퐶) = 푆푛(퐹 × 퐺) and 퐷 ≺ 퐹 and 퐸 ≺ 퐺. Therefore, 푛 = 1 and

푆(퐵) × 퐶 = 퐹푠 × 퐺.Since ⊢ 훼 . 푟: 퐷, by Lemma 5.7, there exists 퐻 such that

푆(퐻) ≺ 퐷, so by transitivity 푆(퐻) ≺ 퐹. Then, by Lemma 5.2, 퐹 has the form

푆(퐼). Therefore, neither 퐹 nor 푆(퐵) are products, and hence 푆(퐵) = 퐹 and 퐶 =

퐺. Hence, 퐷 ≺ 푆(퐵) and 퐸 ≺ 퐶, so by rule ≺, ⊢ 훼 . 푟: 푆(퐵) and ⊢ 푢: 퐶. By

Corollary 5.8, ⊢ 푟: 푆(퐵). Therefore,

⊢ 푟 ∶ 푆(퐵) ⊢ 푢 ∶ 퐶 푥 ⊢ 푟 × 푢 ∶ 푆(퐵) × 퐶 퐼 ≺ ⊢ 푟 × 푢 ∶ 푆(푆(퐵) × 퐶) ⇑ ⊢⇑ (푟 × 푢) ∶ 푆(퐵 × 퐶) 푟 푟 푆훼 ⊢ 훼. ⇑ (푟 × 푢) ∶ 푆(푆(퐵 × 퐶)) 퐼 푟 ≺ ⊢ 훼. ⇑푟 (푟 × 푢): 퐴

훼 • Analogous to case (푑푖푠푡푟 ).

• Let ⊢⇑푟 (0⃗ 푆(퐵) × 푢): 퐴. By Lemma 5.7, 푆(퐵 × 퐶) ≺ 퐴. By Lemma 5.4,

min(퐵 × 퐶) ≺ 퐵 × 퐶, hence 푆(min(퐵 × 퐶)) ≺ 푆(퐵 × 퐶). By rule 퐴푥0⃗⃗ , ⊢

0⃗ 푆(푚푖푛(B×C)): 푆(min(퐵 × 퐶)). Hence, since 푆(min(퐵 × 퐶)) ≺ 푆(퐵 × 퐶) ≺ 퐴, we

conclude by rule ≺.

0 • Analogous to case (푑푖푠푡푟 ).

• Let ⊢⇑ (푡 + 푢): 퐴. Then, by Lemma 5.7, 푆(퐶 × 퐷) ≺ 퐴, ⊢⇑ 푡: 푆(퐶 × 퐷) and ⊢⇑

+ 푢: 푆(퐶 × 퐷). We conclude by rules 푆퐼 and ≺.

• Let ⊢⇑ (훼 . 푡): 퐴. Then, by Lemma 5.7, 푆(퐶 × 퐷) ≺ 퐴, ⊢⇑ 푡: 푆(퐶 × 퐷) . We

훼 conclude by rules 푆퐼 and ≺.

• Let ⊢⇑푟 (푏 × 푟): 퐴, with 푏 ∈ ℬ. Then, by Lemma 5.7, ⊢ 푏 × 푟 ∶ 푆(푆(퐵) × 퐶) and

푆(퐵 × 퐶) ≺ 퐴. Then, by Lemma 5.7 again, ⊢ 푏: 퐷 and ⊢ 푟: 퐸, with

푛 퐷 × 퐸 ≺ 푆(푆(퐵) × 퐶). Without loss of generality, let 푏 = ∏푖=1 푏푖 where each 푏푖

푛 is not a product. Then, by Lemma 5.7, ⊢ 푏푖: 퐷푖 with ∏ 푖=1 퐷푖 ≺ 퐷, and by the

푛 same lemma, 퐷푖 are not products. Therefore, 퐷1 × ∏푖=2 퐷푖 × 퐸 ≺ 푆(푆(퐵) × 퐶),

so by Lemma 5.3, there exists 퐹, 퐺, 푛 such that 푆(푆(퐵) × 퐶) = 푆푛(퐹 × 퐺) and

푛 퐷1푝푟푒푐푒푞 퐹 and ∏푖=1 퐷푖 × 퐸 ≺ 퐺. Therefore, 푛 = 1 and 푆(퐵) × 퐶 = 퐹 × 퐺.

Since 퐷1 is not a product, 퐹 is not a product. Hence, since neither 퐹 nor 푆(퐵) are

푛 products, we have 푆(퐵) = 퐹 and 퐶 = 퐺. 퐷1푝푟푒푐푒푞 푆(퐵) and ∏ 푖=2 퐷푖 × 퐸 ≺ 퐶,

푛 푛 hence, ⊢ 푏1 : 푆(퐵) and ⊢ ∏ 푖=2 푏푖 × 푟: ∏푖=2 퐷푖 × 퐸 . Therefore, by Corollary 5.9,

⊢ 푏1: 퐵, and so, by rule 푋퐼, ⊢ 푏 × 푟 ∶ 퐵 × 퐶, and by rule ≺, ⊢ 푏 × 푟 ∶ 푆(퐵 × 퐶).

⇑ • Analogous to case (푛푒푢푟 ).

푛 푚 • Let ⊢ 휋푗(∑푖 =1[훼푖. ] ∏ ℎ=1 푏ℎ푖 ): 퐴. Then, by Lemma 5.7, we have that

𝔹푗 × 푆(𝔹푚−1) ≺ 퐴. Figure 8 will show the derivation from the projective case.

Figure 8 - Derivation from Case Using Projective

• Let 푡 →(푝) 푢. Then,

o Let ⊢ 푡푣 ∶ 퐴. By Lemma 5.7, one of the following cases happens:

⊢ 푡: Ψ ⇒ 퐵 and ⊢ 푣: Ψ, with 퐵 ≺ 퐴. Then, by the induction

hypothesis, ⊢ 푢: Ψ ⇒ 퐵. We conclude by rules ⇒퐸 and ≺.

⊢ 푡: 푆(Ψ ⇒ 퐵) and ⊢ 푣: 푆(Ψ), with 푆(퐵) ≺ 퐴. Then, by the

induction hypothesis, ⊢ 푢: 푆(Ψ ⇒ 퐵). We conclude by rules ⇒퐸푆

퐵 퐵 퐵 and ≺. ((휆푥 . 푣)푡 →(푝) (휆푥 . 푣)푢) Let ⊢ (휆푥 . 푣)푡: 퐴. By

Lemma 5.7, one of the following cases happens:

• ⊢ (휆푥퐵 . 푣): Ψ ⇒ 퐵 and ⊢ 푡: Ψ, with 퐵 ≺ 퐴. Then, by

induction hypothesis, ⊢ 푢: Ψ. We conclude by rules ⇒퐸

and ≺.

• ⊢ (휆푥퐵 . 푣): 푆(Ψ ⇒ 퐵) and ⊢ 푡: 푆(Ψ), with 푆(퐵) ≺ 퐴.

Then, by induction hypothesis, ⊢ 푢: 푆(Ψ). We conclude by

rules ⇒퐸푆 and ≺. ((푡 + 푣) →(푝) (푢 + 푣)) Let ⊢ (푡 + 푣): 퐴.

By Lemma 5.7, ⊢ 푡: 퐵 and ⊢ 푣: 퐵, with 푆(퐵) ≺ 퐴. Then,

by the induction hypothesis, ⊢ 푢: 퐵. We conclude by rules

+ 푆퐼 and ≺. o Let ⊢ 훼 . 푡: 퐴. By Lemma 5.7, ⊢ 푡: 푆(퐵), with 푆(퐵) ≺ 퐴. Then, by the

훼 induction hypothesis, ⊢ 푢: 푆(퐵). We conclude by rules 푆퐼 and ≺.

푛 푗 푛−푗 o Let ⊢ 휋푗푡: 퐴. By Lemma 5.7, ⊢ 푡: 푆(𝔹 ), and 𝔹 × 푆(𝔹 ) ≺ 퐴. Then,

푛 by the induction hypothesis, ⊢ 푢: 푆(𝔹. ) We conclude by rules 푆퐸 and ≺. o Let ⊢ 푡 × 푣: 퐴. By Lemma 5.7, ⊢ 푡: 퐵 and ⊢ 푣: 퐶, with 퐵 × 퐶 ≺ 퐴. Then,

by the induction hypothesis, ⊢ 푢: 퐵. We conclude by rules ×퐼 and ≺. o Analogous to previous case. o Let ⊢⇑푟 푡: 퐴. By Lemma 5.7, ⊢ 푡: 푆(푆(퐵) × 퐶), and 푆(퐵 × 퐶) ≺ 퐴. Then,

by the induction hypothesis, ⊢ 푢: 푆(푆(퐵) × 퐶), and so, by rule ⇑푟, ⊢

⇑푟 푢: 푆(퐵 × 퐶). We conclude by rule ≺.

o Let ⊢⇑ℓ 푡: 퐴. By Lemma 5.7, ⊢ 푡: 푆(푆(퐵) × 퐶), and 푆(퐵 × 퐶) ≺ 퐴. Then,

by the induction hypothesis, ⊢ 푢: 푆(푆(퐵) × 퐶), and so, by rule ⇑ℓ, ⊢

⇑ℓ 푢: 푆(퐵 × 퐶). We conclude by rule ≺.

o ⊢ ℎ푒푎푑 푡 ∶ 퐴. By Lemma 5.7, ⊢ 푡: 𝔹푛, with 𝔹 ≺ 퐴. Then, by the

푛 induction hypothesis, ⊢ 푢: 𝔹 . We conclude by rules ×퐸푟 and ≺.

o ⊢ 푡푎푖푙 푡 ∶ 퐴. By Lemma 5.7, ⊢ 푡: 𝔹푛, with 𝔹 푛−1 ≺ 퐴. Then, by the

푛 induction hypothesis, ⊢ 푢: 𝔹 . We conclude by rules ×퐸푟 and ≺” [5].

2.1.11 – Strong Normalization

Tait’s proof of strong normalization will be used when it comes to dealing with lambda calculus to have an efficient computation when normalizing vectors, quantum states and any other components that are dealt in quantum computing. “Let |t| be the size of the longest reduction sequence stated in t and SN = {t |t| < ∞}. Also, let t of type A, then Red(t) = {r : A|t (p)r}” [5]. Normalization is very crucial for determining the probability of each problem to satisfy the result since all the probability in the equation must sum to 1. The following theorems will be shown to explain the rules of dealing with normalization.

“Definition 6.1. We define the following measure ||푡|| on terms:

||푥|| = 0

| | | | | | ||0⃗ 푆(퐴)|| = 0 | 푡 × 푢 | = | 푡 | + | 푢 |

|||0 >|| = 0 ||ℎ푒푎푑 푡|| = ||푡|| + 1

|||1 >|| = 0 ||푡푎푖푙 푡|| = ||푡|| + 1

Ψ ||휆푥 . 푡|| = ||푡|| ||휋푗푡|| = ||푡||

||(푡 + 푟)|| = ||푡|| + ||푟|| + 2 ||? 푡 ∙ 푟|| = ||푡|| + ||푟||

||훼. 푡|| = 2||푡|| + 1 ||⇑ 푡|| = ||푡||

Lemma 6.2. If 푡 →(1) 푟 by any of the rules in the group’s linear distribution, vector space

axioms or lists, or their contextual closure, then ||푟|| ≥ ||푡||. Moreover, ||푟|| = ||푡|| if and only if the rule is (zeroS).

Proof. By induction and rule by rule analysis:

• 푡(푢 + 푣) →(1) 푡푢 + 푡푣.

||푡(푢 + 푣)|| = (3||푡|| + 2)(3||푢 + 푣|| + 2)

= (3||푡|| + 2)(3(2 + ||푢|| + ||푣||) + 2)

= (3||푡|| + 2)(8 + 3||푢|| + 3||푣||)

= 4(3||푡|| + 2) + (3||푡|| + 2)(4 + 3||푢|| + 3||푣||)

= 12||푡|| + 8 + (3||푡|| + 2)(4 + 3||푢|| + 3||푣||)

= 12||푡|| + 8 + (3||푡|| + 2) ((3||푢|| + 2) + (3||푣|| + 2))

= 12||푡|| + 8 + (3||푡|| + 2)(3||푢|| + 2) + (3||푡|| + 2)(3||푣|| + 2)

= 12||푡|| + 8 + ||푡푢|| + ||푡푢||

= 12||푡|| + 6 + ||푡푢 + 푡푣|| > ||푡푢 + 푡푣||

• 푡(훼 . 푢) →(1) 훼 . 푡푢

||푡(훼 . 푢)|| = (3||푡|| + 2)(3||훼 . 푢|| + 2)

= (3||푡|| + 2)(3(1 + 2||푢||) + 2)

= (3||푡|| + 2)(6||푢|| + 5)

= 3||푡|| + 2 + (3||푡|| + 2)(6||푢|| + 4)

= 3||푡|| + 2 + 2(3||푡|| + 2)(3||푢|| + 2)

= 3||푡|| + 2 + 2||푡푢||

= 3||푡|| + 1 + ||훼 . 푡푢|| > ||훼 . 푡푢||

• 푡0⃗ 푆(𝔹) →(1) 0⃗ 푆(min(퐴))

||푡0⃗ 푆(𝔹)|| = (3||푡|| + 2) (3 ||0⃗ 푆(𝔹)|| + 2) > 0 = ||0⃗ 푆(min(퐴))||

• (푡 + 푢)푣 →(1) 푡푣 + 푢푣

||(푡 + 푢)푣|| = (3||푡 + 푢|| + 2)(3||푣|| + 2)

= (3(2 + ||푡|| + ||푢||) + 2)(3||푣|| + 2)

= (3||푡|| + 3||푢|| + 8)(3||푣|| + 2)

= (3||푡|| + 3||푢|| + 4)(3||푣|| + 2) + 4(3||푣|| + 2)

= ((3||푡|| + 3||푢|| + 4)(3||푣|| + 2) + 2) + 12||푣|| + 6

= ||푡푣 + 푢푣|| + 12||푣|| + 6 > ||푡푣 + 푢푣||

• (훼 . 푡)푢 →(1) 훼 . 푡푢

||(훼 . 푡)푢|| = (3||훼 . 푡|| + 2)(3||푢|| + 2)

= (3(1 + 2||푡||) + 2)(3||푢|| + 2)

= (6||푡|| + 5)(3||푢|| + 2)

= (6||푡|| + 4)(3||푢|| + 2) + (3||푢|| + 2)

= 2(3||푡|| + 2)(3||푢|| + 2) + 3||푢|| + 2

= ||훼 . 푡푢|| + 3||푢|| + 1 > ||훼 . 푡푢||

• 0⃗ 푆(𝔹⇒퐴)푡 →(1) 0⃗ 푆(min(퐴))

||0⃗ 푆(𝔹⇒퐴)푡|| = (3 ||0⃗ 푆(𝔹⇒퐴)|| + 2) (3||푡|| + 2) = 6||푡|| + 4 > 0 = ||0⃗ 푆(min(퐴))||

• 0⃗ 푆(퐴) + 푡 →(1) 푡

||0⃗ 푆(퐴) + 푡|| = 2 + ||0⃗ 푆(퐴)|| + ||푡|| = 2 + ||푡|| > ||푡||

• 1 . 푡 →(1) 푡

||1 . 푡|| = 1 + 2||푡|| > ||푡||

• 0 . 푡 →(1) 0⃗ 푆(min(퐴))

||0 . 푡|| = 1 + 2||푡|| > 0 = ||0⃗ 푆(min(퐴))||

• 훼. 0⃗ 푆(퐴) →(1) 0⃗ 푆(min(퐴))

||훼. 0⃗ 푆(퐴)|| = 1 + 2 ||0⃗ 푆(퐴)|| = 1 > 0 = ||0⃗ 푆(min(퐴))||

• 훼 . (훽 . 푡) →(1) (훼 × 훽) . 푡

||훼 . (훽 . 푡)|| = 1 + 2||훽 . 푡||

= 1 + 2(1 + 2||푡||)

= 3 + 4||푡|| > 1 + 2||푡||

= ||(훼 × 훽) . 푡||

• 훼 . (푡 + 푢) →(1) (훼 . 푡 + 훼 . 푢)

||훼 . (푡 + 푢)|| = 1 + 2||푡 + 푢||

= 5 + 2||푡|| + 2||푢||

= 3 + ||훼 . 푡|| + ||훼 . 푢||

= 1 + ||훼 . 푡 + 훼 . 푢|| > ||훼 . 푡 + 훼 . 푢||

• 훼 . 푡 + 훽 . 푡 →(1) (훼 + 훽) . 푡

||훼 . 푡 + 훽 . 푡|| = 2 + ||훼 . 푡|| + ||훽 . 푡||

= 4 + 4||푡|| > 1 + 2||푡||

= ||(훼 + 훽) . 푡||

• 훼 . 푡 + 푡 →(1) (훼 + 1) . 푡

||훼 . 푡 + 푡|| = 2 + ||훼 . 푡|| + ||푡||

= 3 + 3||푡|| > 1 + 2||푡||

= ||(훼 + 1). 푡||

• 푡 + 푡 →(1) 2 . 푡

||푡 + 푡|| = 2 + 2||푡|| > 1 + 2||푡|| = ||2 . 푡||

• 0⃗ 푆(퐴) →(1) 0⃗ 푆(min(퐴))

||0⃗ 푆(퐴)|| = 0 = ||0⃗ 푆(min(퐴))||

• ℎ푒푎푑 푡 × 푟 →(1) 푡

||ℎ푒푎푑 푡 × 푟|| = 1 + ||푡 × 푟|| = 1 + ||푡|| + ||푟|| > ||푡||

• 푡푎푖푙 푡 × 푟 →(1) 푟

||푡푎푖푙 푡 × 푟|| = 1 + ||푡 × 푟|| = 1 + ||푡|| + ||푟|| > ||푟||

• If 푡 →(1) 푟, then by the induction hypothesis, ||푡|| ≥ ||푟||, and hence, ||퐶[푡]|| ≥

||퐶[푟]||, where 퐶[∙] is a context with one hole.

푛 Lemma 6.3. If for every 푖 ∈ {1, … , 푛} we have 푟푖 ∈ 푆푁, then ||∑푖 =1[ 훼. ]푟푖 || ∈ 푆푁

푛 푛 Proof. Induction on the lexicographic order of (∑푖=1 |푟푖 |, ||∑ 푖=1[ 훼. ]푟푖||) to show that

푛 푛 Red(∑푖=1[훼. ]푟푖 ) ⊆ 푆푁. Let 푡 ∈ Red(∑푖 =1[ 훼. ]푟푖). The possibilities are:

푛 푛 • 푡 = ∑푖=1[훼. ]푠푖 where for all 푖 ≠ 푘, 푠푖 = 푟푖 and 푟푘 →(푝) 푠푘. Since ∑푖=1 |푠푖| <

푛 ∑푖=1 |푟푖|, we conclude by the induction hypothesis.

푛 • 푡 = ∑푖=1 푠푖 where for all 푖 ≠ 푘, 푠푖 = [훼. ]푟푖 and 푎푘 ∙ 푟푘 →(1) 푠푘. Then, the

reduction 푎푘 ∙ 푟푘 →(1) 푠푘, is by one of the following rules: (푢푛푖푡), (푧푒푟표훼),

훼푑푖푠푡 푛 푛 (푧푒푟표), (푝푟표푑) or (푑푖푠푡 ). In any of these cases ∑푖=1 |푠푖| < ∑ 푖=1 |푟푖| and, by

푛 Lemma 6.2, ||푡|| < ||∑푖 =1[ 훼. ]푟푖 ||. Hence, we conclude by the induction

hypothesis.

• 푡 = ∑푖 ≠푗 푖≠푘 [훼. ]푟푖 + ([훼푗] + [훼푘])푟푗, where 푟푗 = 푟푘 (rule (fact), (fact1), or

(fact2)). In this case (∑푖 ≠푗 |푟푖|) + |푟푗| ≤ ∑ 푖 |푟푖| and by Lemma 6.2, ||푡|| <

푛 ||∑ 푖=1 [훼. ]푟푖 ||. Hence, we conclude by the induction hypothesis.

Lemma 6.4. If 푡 ∈ 푆푁, then 휋푗푡 ∈ 푆푁.

Proof. We show by induction on |t| that 푅푒푑(휋푗푡). The possibilities are:

′ ′ • 푟 = 휋푗푡′ where 푡 →(푝) 푡′. Since |푡 | < |푡| and 푡 ∈ 푆푁, we conclude by the induction

hypothesis.

∏푗 ∑ 훼푖 ∏ 푚 ∑푛 ∏푚 • 푟 = ℎ=1 푏ℎ푘 × 푖∈푃 ( 2 ) ℎ=푗+1 푏ℎ푖 , 푡 = 푖=1[훼. ] ℎ=1 푏ℎ푖. Any sequence √∑ 푟∈푃| 훼푟|

starting on r will only use vector space axioms rules, which, by Lemma 6.2 reduce

the size of the term, except for (zeroS), which anyway can be used only a finite

number of times. Therefore, 푟 ∈ 푆푁” [5].

0 Now that we know this Lemma, we can infer that ∑푖 =1 푡푖 = 0⃗ 푆(퐴) where A can be determined by the context. Every type A would need to be associated to a set of strongly normalized term (A). The set will then need to be on a set of typed terms since it is

69 dependent on types. Otherwise, ill-typed reductions would need to be used, which would make the proof more complicated to solve.

“Definition 6.5. For each type A we define a set of strongly normalizing terms as follows:

(B) = {푡: 푆(𝔹)|푡 ∈ 푆푁

(A × B) = {푡: 푆(푆(퐴) × 푆(퐵))|푡 ∈ 푆푁

(Ψ ⇒ A) = {푡: 푆(Ψ ⇒ A)|∀ 푟 ∈ (Ψ), 푡 푟 (퐴)}

(S(A)) = {푡: 푆(퐴)|푡 ∈ 푆푁” [5].

Now, a set of neutral terms will be defined in Definition 6.6 where it would become very useful when proving the terms for every type in order to get much more accurate probability of conditional procedure.

“Definition 6.6. The set of neutral terms (N) is defined by the following grammar, 푛 ∶=

푡푡|ℎ푒푎푑 푡|푡푎푖푙 푡, where t is any term produced by the grammar as shown in Table 7.

Lemma 6.7. For all A, the following properties hold:

• If 푡 ∈ (퐴), then 푡 ∈ 푆푁.

• If 푡 ∈ (퐴), then 푅푒푑(푡) ⊆ (퐴).

• If 푡 ∈ N, t has the same type as all the terms in (퐴) and 푅푒푑(푡) ⊆ (퐴) then 푡 ∈ (퐴).

• For all 푥퐴 , 푥 ∈ (퐴).

• If 푡 ∈ (퐴) and 푟 ∈ (퐴), then 푡 + 푟 ∈ (퐴).

• If 푡 ∈ (퐴) then 훼 . 푡 ∈ (퐴).

• 0⃗ 푆(퐴) ∈ (퐴)

Proof. By induction over A.

• Let 퐴 = 𝔹.

o Let 푡 ∈ (𝔹). By definition, (𝔹) ⊆ 푆푁, so 푡 ∈ 푆푁.

o Let 푡 ∈ (𝔹). By definition, (𝔹) ⊆ 푆푁, so 푡 ∈ 푆푁 and Red(t) ⊆ 푆푁.

Furthermore, since 푡 ∈ (𝔹), we have 푡: 푆(𝔹). Let 푟 ∈ 푅푒푑(푡), then

푟: 푆(𝔹). Therefore, by definition, Red(t) ⊆ (𝔹).

o Let 푡 ∈ N and 푡: 푆(𝔹) where Red(t) ⊆ (𝔹). Since Red(t) ⊆ (𝔹) ⊆ 푆푁, we

have 푡 ∈ 푆푁. Therefore, by definition, 푡: (𝔹).

o Since 푥𝔹 ∈ 푆푁 and 푥𝔹 : 𝔹 ≺ 푆(𝔹), we have, by definition, 푥𝔹 ∈ (𝔹).

o Since 푡 ∈ (𝔹) and 푟 ∈ (𝔹), we have, by definition of (𝔹), that 푡: 푆(𝔹),

푟: 푆(𝔹), 푡 ∈ 푆푁 and 푟 ∈ 푆푁. Then, 푡 + 푟: 푆(푆(𝔹)) ≺ 푆(𝔹) and, by

Lemma 6.3, 푡 + 푟 ∈ 푆푁. Therefore, by definition, 푡 + 푟 ∈ (𝔹).

o Since 푡 ∈ (𝔹), we have, by definition of (𝔹) that 푡: 푆(𝔹) and 푡 ∈ 푆푁.

Then, 훼. 푡: 푆(푆(𝔹)) ≺ 푆(𝔹) and, by Lemma 6.3, 훼. 푡 ∈ 푆푁. Therefore,

by definition, 훼. 푡 ∈ (𝔹).

o Since 0⃗ 푆(𝔹): 푆(𝔹) and 0⃗ 푆(𝔹) ∈ 푆푁, we have by definition of (𝔹) that

0⃗ 푆(𝔹) ∈ (𝔹).

• Let 퐴 = 퐵 × 퐶

o Since 푡 ∈ (퐵 × 퐶), we have by definition that 푡 ∈ 푆푁.

o Since 푡 ∈ (퐵 × 퐶), we have 푡: 푆(푆(퐵) × 푆(퐶)). Let 푡′ ∈ 푅푒푑(푡). Since

푡′ ∈ 푅푒푑(푡), we have that 푡′ ∈ 푆(푆(퐵) × 푆(퐶)). On the other hand, since

푡 ∈ (퐵 × 퐶), we have that 푡 ∈ 푆푁. Then, 푡′ ∈ 푆푁. Therefore, by definition,

푡′ ∈ (퐵 × 퐶), which means 푅푒푑(푡) ⊆ (퐵 × 퐶).

o Let 푡 ∈ N and 푡: 푆(푆(퐵) × 푆(퐶)) where 푅푒푑(푡) ⊆ (퐵 × 퐶). Since (퐵 × 퐶)

⊆ 푆푁, we have 푡 ∈ 푆푁. Therefore, by definition, 푡 ∈ (퐵 × 퐶).

o Since 푥퐵×퐶 ∶ 퐵 × 퐶 ≺ 푆(푆(퐵) × 푆(퐶)) and 푥퐵×퐶 ∈ 푆푁, we have by

definition that 푥퐵×퐶 ∈ (퐵 × 퐶).

o Since 푡 ∈ (퐵 × 퐶), we have that 푡: 푆(푆(퐵) × 푆(퐶)) and 푡 ∈ 푆푁. Similarly,

we have that 푟: 푆(푆(퐵) × 푆(퐶)) and 푟 ∈ 푆푁. Then, 푡 + 푟 ∶

푆(푆(퐵) × 푆(퐶)) and, by Lemma 6.3, 푡 + 푟 ∈ 푆푁. Therefore, by

definition, 푡 + 푟 ∈ (퐵 × 퐶).

o Since 푡 ∈ (퐵 × 퐶), we have that 푡: 푆(푆(퐵) × 푆(퐶)) and 푡 ∈ 푆푁. Then,

훼. 푡: 푆 (푆(푆(퐵) × 푆(퐶))) ≺ 푆(푆(퐵) × 푆(퐶)) and, by Lemma 6.3, 훼. 푡 ∈

푆푁. Therefore, by definition, 훼. 푡 ∈ (퐵 × 퐶).

o 푂⃗ 푆(퐵×퐶): 푆(퐵 × 퐶) ≺ 푆(푆(퐵) × 푆(퐶)) and 푂⃗ 푆(퐵×퐶) ∈ 푆푁, we have by

definition that 푂⃗ 푆(퐵×퐶) ∈ (퐵 × 퐶).

• Let 퐴 = Ψ ⇒ 퐵

o Given 푡 ∈ (Ψ ⇒ 퐵), we want to show that 푡 ∈ 푆푁. Let 푡 ∈ (Ψ) (note that

by induction hypothesis (HAB), such r exists). By definition, we have that

푡푟 ∈ (퐵). And by induction hypothesis, we have that 푡푟 ∈ 푆푁, which

means, |푡푟| is finite. And since |푡| ≤ |푡푟|, we have that |푡| is finite, and

therefore, 푡 ∈ 푆푁.

o Given 푡 ∈ (Ψ ⇒ 퐵), we want to show that Red(t) ⊆ (Ψ ⇒ 퐵), which

means that given 푡′ ∈ Red(t), 푡′ ∈ (Ψ ⇒ 퐵). By definition of (Ψ ⇒ 퐵),

this is the same as showing that 푡′ ∈ S(Ψ ⇒ 퐵) and, for all 푟 ∈ (Ψ), 푡′푟 ∈

(퐵). Since 푡 ∈ (Ψ ⇒ 퐵), we have by definition that, for all 푟 ∈ (Ψ), 푡푟 ∈

(퐵). And by induction hypothesis, this implies that, for all 푟 ∈ (Ψ),

Red(tr) ⊆ (퐵). In particular, given 푡′ ∈ Red(t), we have that, for all 푟 ∈

(Ψ), 푡푟 ∈ 푅푒푑(푡푟) ⊆ (퐵). And since 푡 ∈ (Ψ ⇒ 퐵), we have by definition

that 푡: S(Ψ ⇒ 퐵). Since 푡′ ∈ 푅푒푑(푡), we have that 푡 ′ : 푆(Ψ ⇒ 퐵). o Given 푡 ∈ N and 푡: S(Ψ ⇒ 퐵) where Red(t) ⊆ (Ψ ⇒ 퐵), we want to show

that 푡 ∈(Ψ ⇒ 퐵). By definition, this is the same than showing that for

all 푟 ∈(Ψ), 푡푟 ∈(퐵). By induction hypothesis, it suffices to show that for

all 푟 ∈(Ψ), 푅푒푑(푡푟) ∈ (퐵). Notice that if 푟 ∈(Ψ), then 푟 ∶ S(Ψ), and since

푡 ∶ 푆(Ψ ⇒ 퐵), we have 푡푟 ∶ 푆(퐵). Let 푟 ∈(Ψ). By induction hypothesis

(CR1), we have that 푟 ∈ 푆푁, which means |푟| exists. Therefore, we can

proceed by induction over (|푟|, ||푟||). We analyze the reducts of tr:

푡푟 → 푡′푟 where 푡 → 푡′. Since 푡′ ∈ 푅푒푑(푡), we have that 푡′ ∈ (Ψ ⇒

퐵). And since 푟 ∈(Ψ), we have by definition that 푡′푟 ∈ (퐵).

푡푟 = (? 푢 ∙ 푣)푟 → (? 푢 ∙ 푣)푟′ where 푟 → 푟′. Since 푟 ∈(Ψ), we have

by induction hypothesis (CR2) that 푟′ ∈(Ψ). And since |푟′| < |푟|,

we have by induction hypothesis that (? 푢 ∙ 푣)푟′ ∈ (퐵).

푡푟 = 푡(푟1 + 푟2) → 푡푟1 + 푡푟2. Since ||푟1|| ≤ ||푟||, we have by

induction hypothesis that 푡푟1 ∈ (퐵). Similarly, we have that 푡푟2 ∈

(퐵). Therefore, by Lemma 6.7 (LIN1), we have that 푡푟1 + 푡푟2 ∈

(퐵).

푡푟 = 푡(훼 . 푟1) → 훼 . 푡푟1. Since ||푟1|| ≤ ||푟||, we have by

induction hypothesis that 푡푟1 ∈ (퐵). Therefore, by Lemma 6.7

(LIN2), we have that 훼 . 푡푟1 ∈ (퐵).

푡푟 = 푡0⃗ 푆(Ψ) → 0⃗ 푆(min(퐵)). By Lemma 6.7 (NULL), we have that

0⃗ 푆(min(퐵)) ∈ (min(퐵)). By Lemma 5.4, min(퐵) ≺ 퐵, and

0⃗ 푆(min(퐵)) ∈ 푆푁, hence, by definition, 0⃗ 푆(min(퐵)) ∈ (퐵). o By definition of (Ψ ⇒ 퐵), and since 푥Ψ⇒퐵 ∶ S(Ψ ⇒ 퐵), it suffices to show

that, for all 푡 ∈() Ψ , we have that 푥Ψ⇒퐵푡 ∈ (퐵). Let 푡 ∈(Ψ). Since

Ψ⇒퐵 Ψ⇒퐵 푥 푡 ∈ N, it suffices to show that 푅푒푑(푥 ) ⊆ (퐵). Since 푡 ∈(Ψ), we

have by induction hypothesis (CR1) that 푡 ∈ 푆푁. Therefore, we can

proceed by induction over (|푡|, ||푡||). We analyze the possible reducts of

푥Ψ⇒퐵푡:

Ψ⇒퐵 Ψ⇒퐵 Ψ⇒퐵 Ψ⇒퐵 푥 푡 = 푥 (푡1 + 푡2) → 푥 푡1 + 푥 푡2. Since |푡1| ≤ |푡|

and, by Lemma 6.2, ||푡1|| < ||푡||, we have by induction hypothesis

Ψ⇒퐵 Ψ⇒퐵 that 푥 푡1 ∈ (퐵). Similarly, we have that 푥 푡2 ∈ (퐵).

Therefore, by induction hypothesis (LIN1), we have that

Ψ⇒퐵 Ψ⇒퐵 푥 푡1 + 푥 푡2 ∈ (퐵).

Ψ⇒퐵 Ψ⇒퐵 Ψ⇒퐵 푥 푡 = 푥 (훼 . 푡1) → 훼 . 푥 푡1. Since |푡1| ≤ |푡| and, by

Lemma 6.2, ||푡1|| < ||푡||, we have by induction hypothesis that

Ψ⇒퐵 푥 푡1 ∈ (퐵). Therefore, by induction hypothesis (LIN2), we

Ψ⇒퐵 have that 훼 . 푥 푡1 ∈ (퐵).

Ψ⇒퐵 Ψ⇒퐵 푥 푡 = 푥 (0⃗ 푆(Ψ)) → ⃗0 푆(min(퐵)). By induction hypothesis

(NULL), we have that 0⃗ 푆(min(퐵)) ∈ (min(퐵)). By Lemma 5.4,

min(퐵) ≺ 퐵, and 0⃗ 푆(min(퐵)) ∈ 푆푁, hence, by definition,

0⃗ 푆(min(퐵)) ∈ (퐵). o By definition of (Ψ ⇒ 퐵), it suffices to show that 푡 + 푟: S(Ψ ⇒ 퐵) and,

for all 푠 ∈(Ψ), (푡 + 푟)푠 ∈ (퐵). Since 푡 ∈ (Ψ ⇒ 퐵) and 푟 ∈ (Ψ ⇒ 퐵), we

have that 푡: S(Ψ ⇒ 퐵), 푟: S(Ψ ⇒ 퐵) and, for all 푠 ∈(Ψ), 푡푠 ∈(퐵) and

푟푠 ∈(퐵). Therefore, 푡 + 푟 ∶ 푆(푆(Ψ ⇒ 퐵)) ≺ 푆(Ψ ⇒ 퐵) and (푡 + 푟)푠 ∶

푆(퐵). It remains to show that, for all 푠 ∈(Ψ), (푡 + 푟)푠 ∈ (퐵). Since

(푡 + 푟)푠 ∈ N and, by type derivation, (푡 + 푟)푠 ∶ 푆(퐵), we have by

induction hypothesis (CR3) that it is sufficient to show that, for all 푠 ∈(Ψ),

푅푒푑((푡 + 푟)푠) ⊆ (퐵). Since 푡푠 ∈ (퐵), 푟푠 ∈ (퐵), 푠 ∈ (Ψ), we have by

induction hypothesis (CR1) that 푡 ∈ 푆푁, 푟 ∈ 푆푁, 푠 ∈ 푆푁. Therefore, we

can proceed by induction over (|푡| + |푟| + |푠|, ||(푡 + 푟)푠||). We analyze

the possible reducts of (푡 + 푟)푠:

(푡 + 푟)푠 → (푡′ + 푟)푠 where 푡 → 푡′. Since |푡′| < |푡|, we have by

induction hypothesis that (푡′ + 푟)푠 ∈ (퐵).

(푡 + 푟)푠 → (푡 + 푟′)푠 where 푟 → 푟′ . Analogous to the previous

case.

(푡 + 푟)(푠1 + 푠2) → (푡 + 푟)푠1 + (푡 + 푟)푠2. Since |푠1| ≤ |푠| and

||(푡 + 푟)푠1|| < ||(푡 + 푟)푠||, we have by induction hypothesis that

(푡 + 푟)푠1 ∈ (퐵). Similarity, we have that (푡 + 푟)푠2 ∈ (퐵).

Therefore, by induction hypothesis, we have that (푡 + 푟)푠1 +

(푡 + 푟)푠2 ∈ (퐵).

(푡 + 푟)(훼 . 푠1) → 훼 . (푡 + 푟)푠1. Since |푠1| ≤ |푠| and

||(푡 + 푟)푠1|| < ||(푡 + 푟)푠||, we have by induction hypothesis that

(푡 + 푟)푠1 ∈ (퐵). Therefore, by induction hypothesis (LIN2), we

have that 훼 . (푡 + 푟)푠1 ∈ (퐵).

(푡 + 푟)0⃗ 푆(Ψ) → ⃗0 푆(min(퐵)). By induction hypothesis (NULL), we

have that 0⃗ 푆(min(퐵)) ∈ (min(퐵)). By Lemma 5.4, min(퐵) ≺ 퐵, and

0⃗ 푆(min(퐵)) ∈ 푆푁, hence, by definition, 0⃗ 푆(min(퐵)) ∈ (퐵).

(푡 + 푟)푠 → 푡푠 + 푟푠. Since 푡푠 ∈ (퐵) and 푟푠 ∈ (퐵), we have by

induction hypothesis that 푡푠 + 푟푠 ∈ (퐵). o By definition of (Ψ ⇒ 퐵), it suffices to show that 훼 . 푡: 푆(Ψ ⇒ 퐵) and, for

all 푠 ∈(Ψ), (훼 . 푡)푠 ∈ (퐵). Since 푡 ∈ (Ψ ⇒ 퐵), we have that 푡: 푆(Ψ ⇒ 퐵)

and, for all 푠 ∈(Ψ), 푡푠 ∈ (퐵). Therefore, 훼 . 푡: 푆(푆(Ψ ⇒ 퐵)) ≺ 푆(Ψ ⇒ 퐵)

and (훼 . 푡)푠 ∶ 푆(퐵). It remains to show that, for all 푠 ∈(Ψ), (훼 . 푡)푠 ∈ (퐵).

Since (훼 . 푡)푠 ∈ N, we have by induction hypothesis (CR3) that is

sufficient to show that, for all 푠 ∈(Ψ), 푅푒푑((훼 . 푡)푠) ⊆ (퐵). Since 푡푠 ∈ (퐵)

and 푠 ∈ (Ψ), we have by induction hypothesis (CR1) that 푡 ∈ 푆푁 and 푠 ∈

푆푁. Therefore, we can proceed by induction over (|푡| +

|푠|, ||(훼 . 푡)푠||). We analyze the possible reducts of (훼 . 푡)푠:

(훼 . 푡)푠 → (훼 . 푡′)푠 where 푡 → 푡′. Since |푡′| < |푡|, we have by

induction hypothesis that (훼 . 푡)푠 ∈ (퐵).

(훼 . 푡)푠 = (훼 . 푡)(푠1 + 푠2) → (훼 . 푡)푠1 + (훼 . 푡)푠2. Since |푡| +

|푠1| ≤ |푡| + |푠| and ||(훼 . 푡)푠1|| < ||(훼 . 푡)푠||, we have by

induction hypothesis that (훼 . 푡)푠1 ∈ (퐵). Similarly, (훼 . 푡)푠2 ∈ (퐵).

Therefore, by induction hypothesis (LIN1), (훼 . 푡)푠1 + (훼 . 푡)푠2 ∈

(퐵).

(훼 . 푡)푠 = (훼 . 푡)(훽 . 푠1) → 훽 . (훼 . 푡)푠1. Since |푡| + |푠1| ≤ |푡| + |푠|

and ||(훼 . 푡)푠1|| < ||(훼 . 푡)푠||, we have by induction hypothesis

that (훼 . 푡)푠1 ∈ (퐵).Therefore, by induction hypothesis,

훽 . (훼 . 푡)푠1 ∈ (퐵).

(훼 . 푡)푠 = (훼 . 푡)0⃗ 푆(Ψ) → 0⃗ 푆(min(퐵)). By induction hypothesis

(NULL), we have that 0⃗ 푆(min(퐵)) ∈ (min(퐵)). By Lemma 5.4,

min(퐵) ≺ 퐵, and 0⃗ 푆(min(퐵)) ∈ 푆푁, hence, by definition,

0⃗ 푆(min(퐵)) ∈ (퐵).

(훼 . 푡)푠 → 훼 . 푡푠. Since 푡푠 ∈ (퐵), we have by induction hypothesis

that 훼 . 푡푠 ∈ (퐵). o We want to show that 0⃗ 푆(Ψ⇒B) ∈ (Ψ ⇒ 퐵). By definition of (Ψ ⇒ 퐵), this

is equivalent to showing that, for all 푡 ∈(Ψ), 0⃗ 푆(Ψ⇒B)푡 ∈ (퐵). Since

0⃗ 푆(Ψ⇒B)푡 ∈ N and 0⃗ 푆(Ψ⇒B)푡: 푆(퐵), we have by induction hypothesis (CR3)

that this is equivalent to showing that 푅푒푑(0⃗ 푆(Ψ⇒B)푡) ⊆ (퐵). Since the

only possible reduct of 0⃗ 푆(Ψ⇒B)푡 is 0⃗ 푆(min(퐵)), it suffices to show that

0⃗ 푆(min(퐵)) ∈ (퐵). By induction hypothesis, we have that 0⃗ 푆(min(퐵)) ∈

(min(퐵)). By Lemma 5.4, min(퐵) ≺ 퐵, and 0⃗ 푆(min(퐵)) ∈ 푆푁, hence, by

definition, 0⃗ 푆(min(퐵)) ∈ (퐵).

• Let 퐴 = 푆(퐵)

o Since 푡 ∈ (푆(퐵)), we have by definition that 푡 ∈ 푆푁.

o Given 푡 ∈ (푆(퐵)), we want to show that 푅푒푑(푡) ⊆ (푆(퐵)). By definition,

푡 ∈ 푆푁, and so, 푅푒푑(푡) ⊆ 푆푁. Therefore, 푅푒푑(푡) ⊆ (푆(퐵)).

o Given 푡 ∈ N where 푡 ∶ 푆(퐵) and 푅푒푑(푡) ⊆ (푆(퐵)), we want to show that

푡 ∈(푆(퐵)). By definition, 푅푒푑(푡) ⊆ (푆(퐵)) ⊆ 푆푁, and so 푡 ∈ 푆푁.

Therefore, by definition, 푡 ∈(푆(퐵)).

o Since 푥푆(퐵) ∶ 푆(퐵) and 푥푆(퐵) ∈ 푆푁, we have by definition that 푥푆(퐵) ∈

(푆(퐵)).

o Since 푡 ∈(푆(퐵)) and 푟 ∈(푆(퐵)), we have by definition of (푆(퐵)) that 푡 ∶

푆(퐵), 푟 ∶ 푆(퐵), 푡 ∈ 푆푁 and 푟 ∈ 푆푁. Therefore, 푡 + 푟: 푆(푆(퐵)) ≺ 푆(퐵)

and, by Lemma 6.3, 푡 + 푟 ∈ 푆푁. Therefore, by definition, 푡 + 푟 ∈ (푆(퐵)).

o Since 푡 ∈(푆(퐵)), we have by definition of (푆(퐵)) that 푡: 푆(퐵) and 푡 ∈ 푆푁.

Then, 훼 . 푡: 푆(푆(퐵)) ≺ 푆(퐵) and 훼 . 푡 ∈ 푆푁. Therefore, by definition,

훼 . 푡 ∈ (푆(퐵)).

⃗ ⃗ o We want to show 0푆(S(B)) ∈ (푆(퐵)). Since 0푆(S(B)): 푆(푆(퐵)) ≺ 푆(퐵) and

⃗ ⃗ 0푆(S(B)) ∈ 푆푁, we have by definition that 0푆(S(B)) ∈ (푆(퐵)).

Lemma 6.8. If 퐴 < 퐵, then (퐴) ⊆ (퐵).

Proof. By induction on the relation ≺.

• 퐴 ≺ A. Trivial by the reflexivity of set inclusion.

• 퐴≺B B≺C. Trivial by the transitivity of set inclusion. 퐴≺C

• 퐴 ≺ S(A). Let 푡 ∈ (퐴). By definition: 푡: 푆(퐴) ≺ 푆(푆(퐴)). And by Lemma 6.7

(CR1), 푡 ∈ 푆푁. Therefore, by definition, 푡 ∈(푆(퐴)).

• 푆(푆(퐴)) ≺ S(A). Let 푡 ∈ (S(푆(퐴))). By definition, 푡: 푆(푆(퐴)) ≺ 푆(퐴) and 푡 ∈

푆푁. Therefore, by definition, 푡 ∈(푆(퐴)).

퐴≺B • . Let 푡 ∈ (Ψ ⇒ 퐴). By definition, 푡: 푆(Ψ ⇒ 퐴) and, for all 푡 ∈ (Ψ), 푡푟 ∈ Ψ⇒퐴 ≺ Ψ⇒퐵

(퐴). By induction hypothesis, 푡푟 ∈ (퐴) ⊆ (퐵). And since 퐴 ≺ 퐵, 푡: 푆(Ψ ⇒

퐴) ≺ 푆(Ψ ⇒ 퐵). Therefore, by definition, 푡 ∈ (Ψ ⇒ 퐵).

퐴≺B • . Let 푡 ∈(푆(퐴)). By definition, 푡: 푆(퐴) and 푡 ∈ 푆푁. And since 퐴 ≺ 퐵, we S(A)≺ 푆(퐵)

have that 푆(퐴) ≺ 푆(퐵). Therefore, by definition, 푡 ∈(푆(퐵)).

퐴≺B • . Let 푡 ∈ (퐴 × 퐶). By definition, 푡 ∈ 푆푁 and 푡: 푆(푆(퐴) × 푆(퐶)). And A×C≺ 퐵×퐶

since 퐴 ≺ 퐵, we have that 푆(퐴) ≺ 푆(퐵), and so, 푡 ∶ 푆(푆(퐵) × 푆(퐶)). Therefore,

by definition, 푡 ∈ (퐵 × 퐶).

• 퐴≺B . Analogous to previous case. A×C≺ 퐵×퐶

Lemma 6.9 (Adequacy). If Γ ⊢ 푡: 퐴 and 휃 ⊨ Γ then 휃(푡) ∈ (퐴).

Proof. By induction in the derivation of Γ ⊢ 푡: 퐴. We proceed by cases.

_ • 퐴푥. Since 휃 ⊨ 푥Ψ, we have 휃(푥) ∈ (Ψ). 푥Ψ ⊢푥: Ψ

_ ⃗ ⃗ • 퐴푥0⃗⃗ . By Lemma 6.7 (NULL) and Lemma 6.8, 휃(0푆(퐴)) = 0푆(퐴) ∈ ⊢0⃗⃗ 푆(퐴):푆(퐴)

(푆(퐴)).

_ • 퐴푥 . By definition, 휃(|0 >) = |0 > ∈ 푆푁. And since |0 >∶ 푆(𝔹), we ⊢|0> ∶ 𝔹 |0>

have by definition that |0 > ∈ (𝔹).

_ • 퐴푥 . Analogous to the previous case. ⊢|1> ∶ 𝔹 |1>

Γ ⊢푡 ∶퐴 • 푆훼. By the induction hypothesis, 휃(푡) ∈ (퐴), and by Lemma 6.7 Γ ⊢ 훼 . 푡 ∶ 푆(퐴) 퐼

(LIN2), 훼 . 휃(푡) = 휃(훼 . 푡) ∈ (퐴). Finally, by Lemma 6.8, 휃(훼 . 푡) ∈ (푆(퐴)).

Γ ⊢푡 ∶ 퐴∆ ⊢푢 ∶퐴 • 푆 +. By the induction hypothesis, 휃 (푡) ∈ (퐴) and 휃 (푢) ∈ (퐴), Γ,∆⊢(푡+푢) ∶ 푆(퐴) 퐼 1 2

with 휃1푣푑푎푠ℎΓ and 휃2 ⊢ ∆. Then, since Γ and ∆ are disjoint, 휃1 ∪ 휃2(푡 + 푢) =

휃1(푡) + 휃2(푢). And by Lemma 6.7 (LIN1), 휃1(푡) + 휃2(푢) ∈ (퐴). Therefore, by

Lemma 6.8, 휃1(푡) + 휃2(푢) ∈ (푆(퐴)).

Γ ⊢푡 ∶ 푆(𝔹푛) • 푗 푛−푗 푆퐸. We want to show that if 휃 ⊨ Γ, then 휃(휋푗푡) = 휋푗휃(푡) ∈ Γ ⊢휋푗푡: 𝔹 ×푆(𝔹 )

푗 푛−푗 푗 (𝔹 × 푆(𝔹 )). By definition, it suffices to show that 휋푗휃(푡): 푆(푆(𝔹 ) ×

푛−푗 푛 푆 (푆(𝔹 )) and 휋푗휃(푡) ∈ 푆푁. By induction hypothesis, 휃(푡) ∈ (푆(𝔹 )), which

푛 푛 푗 implies that 휃(푡): 푆(푆(𝔹 )) ≺ 푆(𝔹 ). Therefore, 휋푗휃(푡): 𝔹 ×

푆(𝔹푛−푗) ≺ 푆 (푆(𝔹푗) × 푆 (푆(𝔹푛−푗))). On the other hand, since 휃(푡) ∈ (푆(𝔹푛))

∈ 푆푁, we have by Lemma 6.4 that 휋푗휃(푡) ∈ 푆푁. Therefore, 휋푗휃(푡) ∈

(𝔹푗 × 푆(𝔹푛−푗)).

Γ ⊢푡 ∶ 퐴 퐴 ≺ 퐵 • ≺. By the induction hypothesis 휃(푡) ∈ (퐴), and by Lemma 6.8, (퐴) ⊆ Γ ⊢푡 ∶ 퐵

(퐵).

Γ ⊢푡 ∶ 퐴 Γ ⊢푟 ∶ 퐴 • 퐼푓. We want to show that if 휃 ⊨ Γ, then 휃(? 푡 ∙ 푟) =? 휃(푡) ∙ 휃(푟) ∈ Γ ⊢ ? 푡∙푟 ∶ 𝔹⇒퐴

(𝔹 ⇒ 퐴). By definition, this is equivalent to showing that ? 휃(푡) ∙ 휃(푟) ∶ 푆(𝔹 ⇒

퐴) and, for all 푠 ∈ (𝔹), 푠? 휃(푡) ∙ 휃(푟) ∈ (퐴). By induction hypothesis, we have that 휃(푡) ∈ (퐴) and 휃(푟) ∈ (퐴), which implies that 휃(푡) ∶ 푆(퐴) and 휃(푟) ∶ 푆(퐴).

Therefore, ? 휃(푡) ∙ 휃(푟) ∶ 𝔹 ⇒ 푆(퐴) ≺ 푆(𝔹 ⇒ 퐴) and 푠? 휃(푡) ∙ 휃(푟) ∶ 푆(퐴).

And since 푠? 휃(푡) ∙ 휃(푟) ∈ N (because such a term is actually an application), we have by Lemma 6.7 (CR3) that it suffices to show that 푅푒푑(푠? 휃(푡) ∙ 휃(푟))) ⊆

(퐴). We proceed by induction over (|푠|, || 푠? 휃(푡) ∙ 휃(푟)|| ). We analyze each of the reducts of 푠? 휃(푡) ∙ 휃(푟):

o 푠 ? 휃(푡) ∙ 휃(푟) → 푢 ? 휃(푡) ∙ 휃(푟) where 푠 → 푢. Since |푢| < |푠|, we have

by induction hypothesis that 푢 ? 휃(푡) ∙ 휃(푟) ∈ (퐴).

o 푠 ? 휃(푡) ∙ 휃(푟) → 휃(푡) where 푠 = |1 >. By induction hypothesis 휃(푡) ∈

(퐴).

o 푠 ? 휃(푡) ∙ 휃(푟) → 휃(푟) where 푠 = |0 >. By induction hypothesis, 휃(푟) ∈

(퐴).

o 푠 ? 휃(푡) ∙ 휃(푟) = (푠1 + 푠2) ? 휃(푡) ∙ 휃(푟) → 푠1? 휃(푡) ∙ 휃(푟) + 푠2? 휃(푡) ∙

휃(푟). Since |푠1| ≤ |푠| and ||푠1 ? 휃(푡) ∙ 휃(푟)|| < ||푠 ? 휃(푡) ∙ 휃(푟)||, we

have by induction hypothesis that 푠1 ? 휃(푡) ∙ 휃(푟) ∈ (퐴). Similarly,

푠2 ? 휃(푡) ∙ 휃(푟) ∈ (퐴). Therefore, by Lemma 6.7 (LIN1), 푠1? 휃(푡) ∙

휃(푟) + 푠2? 휃(푡) ∙ 휃(푟) ∈ (퐴).

o 푠 ? 휃(푡) ∙ 휃(푟) = (훼 . 푠1) ? 휃(푡) ∙ 휃(푟) → 훼 . 푠1 ? 휃(푡) ∙ 휃(푟). Since

|푠1| ≤ |푠| and ||푠1 ? 휃(푡) ∙ 휃(푟)|| < ||푠 ? 휃(푡) ∙ 휃(푟)||, we have by

induction hypothesis that 푠1 ? 휃(푡) ∙ 휃(푟) ∈ (퐴). Therefore, by Lemma 6.7

(LIN2), 훼 . 푠1 ? 휃(푡) ∙ 휃(푟) ∈ (퐴).

o 푠 ? 휃(푡) ∙ 휃(푟) = 0⃗ 푆(𝔹) ? 휃(푡) ∙ 휃(푟) → ⃗0 푆(퐴). By Lemma 6.7 (NULL),

0⃗ 푆(퐴) ∈ (퐴).

Γ,x ∶ Ψ ⊢푡 ∶ 퐴 • ⇒ . We want to show that if 휃′ ⊨ Γ, then 휃(휆푥Ψ . 푡) = Γ ⊢ 휆푥Ψ . 푡 ∶ Ψ⇒퐴 퐼

(휆푥Ψ . 휃′(푡)) ∈ (Ψ ⇒ 퐴), which is equivalent to showing that (휆푥Ψ . 휃′(푡)) ∶

푆(Ψ ⇒ 퐴) and, for all 푟 ∈ (Ψ), (휆푥Ψ . 휃′(푡))푟 ∈ (퐴). By induction hypothesis,

휃(푡) ∈ (퐴), which implies that 휃(푡) ∶ 푆(퐴). Therefore, (휆푥Ψ . 휃′(푡)) ∶ Ψ ⇒

Ψ ′ Ψ ′ 푆(퐴) ≺ 푆(Ψ ⇒ 퐴) and (휆푥 . 휃 (푡))푟 ∶ 푆(퐴). And since (휆푥 . 휃 (푡))푟 ∈ N,

Lemma 6.7 (CR3) tells us that if 푅푒푑 ((휆푥Ψ . 휃′(푡))푟) ∈ (퐴), then

(휆푥Ψ . 휃′(푡))푟 ∈ (퐴). We are going to show that in fact 푅푒푑 ((휆푥Ψ . 휃′(푡))푟) ⊆

(퐴). Since 푟 ∈ (Ψ), we have by Lemma 6.7 (CR2) that 푟 ∈ 푆푁. Therefore, we can

proceed by induction over (|푟|, ||(휆푥Ψ . 휃′(푡))푟||. We analyze each of the

reducts of (휆푥Ψ . 휃′(푡))푟:

푟 푟 o (휆푥Ψ . 휃′(푡))푟 → 휃′(푡) [ ]. We want to show that 휃′(푡) [ ] = 휃(푡), and 푥 푥

푟 by induction hypothesis, 휃(푡) ∈ ()퐴 . Therefore, 휃′(푡) [ ] ∈ (퐴). 푥

o (휆푥Ψ . 휃′(푡))푟 → (휆푥Ψ . 휃′(푡))푟′ where 푟 → 푟′. By induction

hypothesis, (휆푥Ψ . 휃′(푡))푟′ ∈ (퐴).

Ψ ′ Ψ ′ Ψ ′ o (휆푥 . 휃 (푡))푟 = (휆푥 . 휃 (푡))(푟1 + 푟2) → (휆푥 . 휃 (푡))푟1 +

Ψ ′ Ψ ′ (휆푥 . 휃 (푡))푟2. Since |푟1| ≤ |푟| and ||(휆푥 . 휃 (푡))푟1|| <

||(휆푥Ψ . 휃′(푡))푟||, we have by induction hypothesis that

Ψ ′ Ψ ′ (휆푥 . 휃 (푡))푟1 ∈ (퐴). Similarly, we have that (휆푥 . 휃 (푡))푟2 ∈ (퐴).

Ψ ′ Therefore, by Lemma 6.7 (LIN1), we have that (휆푥 . 휃 (푡))푟1 +

Ψ ′ (휆푥 . 휃 (푡))푟2 ∈ (퐴).

Ψ ′ Ψ ′ Ψ ′ o (휆푥 . 휃 (푡))푟 = (휆푥 . 휃 (푡))(훼 . 푟1) → 훼 . (휆푥 . 휃 (푡))푟1. Since

Ψ ′ Ψ ′ |푟1| ≤ |푟| and ||(휆푥 . 휃 (푡))푟1|| < ||(휆푥 . 휃 (푡))푟||, we have by

Ψ ′ induction hypothesis that (휆푥 . 휃 (푡))푟1 ∈ (퐴). Therefore, by Lemma

Ψ ′ 6.7 (LIN2), we have that 훼 . (휆푥 . 휃 (푡))푟1 ∈ (퐴).

Ψ ′ Ψ ′ o (휆푥 . 휃 (푡))푟 = (휆푥 . 휃 (푡))0⃗ 푆(𝔹푛 ) → 0⃗ 푆(퐴). By Lemma 6.7 (NULL),

we have that 0⃗ 푆(퐴) ∈ (퐴).

Γ ⊢푡 ∶ Ψ⇒퐴∆ ⊢푢 ∶Ψ o ⇒ . We must show that if 휃 ⊨ Γ, ∆, then 휃(푡푢) ∈ (퐴). Γ,∆⊢푡푢 ∶ 퐴 퐸

Since Γ and ∆ are disjoint, we have that 휃(푡푢) = (휃1 ∪ 휃2)(푡푢) =

휃1(푡)휃2(푢), where 휃1 ⊨ Γ and 휃2 ⊨ ∆. Therefore, it suffices to show

휃1(푡)휃2(푢) ∈ (퐴). By induction hypothesis and definition of (Ψ ⇒ 퐴), we

have that 휃1(푡)휃2(푢) ∈ (퐴).

Γ ⊢푡 ∶ 푆(Ψ⇒퐴)∆ ⊢푢 ∶푆(Ψ) o ⇒ . We want to show that if 휃 ⊨ Γ, ∆, then 휃(푡푢) ∈ Γ,∆⊢푡푢 ∶ 푆(퐴) 퐸푆

(푆(퐴)). Since Γ and ∆ are disjoint, we have that 휃(푡푢) = (휃1 ∪ 휃2)(푡푢) =

휃1(푡)휃2(푢), where 휃1 ⊨ Γ and 휃2 ⊨ ∆. Therefore, it suffices to show

휃1(푡)휃2(푢) ∈ (푆(퐴)). Since 휃1(푡) ∈ (푆(Ψ ⇒ 퐴)) and 휃2(푢) ∈ (푆(Ψ)).

Therefore, 휃1(푡)휃2(푢) ∶ 푆(퐴). On the other hand, we need to show that 83

휃1(푡)휃2(푢) ∈ 푆푁. To do that, it is sufficient to show that

푅푒푑(휃1(푡)휃2(푢)) ⊆ 푆푁. Since 휃1(푡) ∈ (푆(Ψ ⇒ 퐴)) ⊆ 푆푁 and 휃2(푢) ∈

(푆(Ψ)) ⊆ 푆푁, we can proceed by induction over (|휃1(푡)| +

|휃2(푢)|, ||휃1(푡)휃2(푢)||). We analyze the possible reducts of 휃1(푡)휃2(푢):

′ ′ ′ 휃1(푡)휃2(푢) → 푡 휃2(푢) where 휃1(푡) → 푡 . Since |푡 | < |휃(푡)|, we

have by induction hypothesis that 푡′휃2(푢) ∈ 푆푁.

′ ′ 휃1(푡)휃2(푢) → 휃1(푡)푢 where 휃2(푢) → 푢 . Analogous to the

previous case.

휃 (푢) 휃 (푡)휃 (푢) = (휆푥𝔹푛푡 )휃 (푢) → 푡 [ 2 ]. Since 휃 (푡) = 1 2 1 2 1 푥 1

푛 (휆푥𝔹 푡1): 푆(Ψ ⇒ 퐴), we have by Lemma 5.7 that 푡1 : 퐴 with a

smaller derivation tree. Then, by induction hypothesis (Adequacy),

we have that 푡1 ∈ (퐴), and therefore, by Lemma 6.7 (CR1), we

have that 푡1 ∈ 푆푁.

휃 (푢) 휃 (푡)휃 (푢) = (휆푥푆(Ψ) . 푡 )휃 (푢) → 푡 [ 2 ]. Analogous to the 1 2 1 2 1 푥

previous case.

휃1(푡)휃2(푢) = |1 > ? 푡1 ∙ 푡2 → 푡1. Since 휃1(푡) = (? 푡1 ∙ 푡2) ∶

푆(Ψ ⇒ 퐴), we have by Lemma 5.7 that 푡1 ∶ 퐴 with a smaller

derivation tree. Then, by induction hypothesis (Adequacy), we

have that 푡1 ∈ (퐴), and therefore, by Lemma 6.7 (CR1), we have

that 푡1 ∈ 푆푁.

휃1(푡)휃2(푢) = |0 > ? 푡1 ∙ 푡2 → 푡2. Analogous to the previous case.

휃1(푡)휃2(푢) = 휃1(푡)(푢1 + 푢2) → 휃1(푡)푢1 + 휃1(푡)푢2. Since |푢1| ≤

|휃2(푢)| and, by Lemma 6.2, ||휃1(푡)푢1|| < ||휃1(푡)휃2(푢)||, we have

by induction hypothesis that 휃1(푡)푢1 ∈ 푆푁. Similarly, we have

that 휃1(푡)푢2 ∈ 푆푁. Therefore, by Lemma 6.3, we have that

휃1(푡)푢1 + 휃1(푡)푢2 ∈ 푆푁.

휃1(푡)휃2(푢) = (푡1 + 푡2)휃2(푢) → 푡1휃2(푢) + 푡2휃2(푢). Analogous to

the previous case.

휃1(푡)휃2(푢) = 휃1(푡)(훼 . 푢1) → 훼 . 휃1(푡)푢1. Since |푢1| ≤ |휃2(푢)|

and, by Lemma 6.2, ||휃1푡푢1|| < ||휃1(푡)휃2(푢)||, we have by

induction hypothesis that 휃1(푡)푢1 ∈ 푆푁. Therefore, by Lemma 6.3,

we have that 훼 . 휃1(푡)푢1 ∈ 푆푁.

휃1(푡)휃2(푢) = (훼 . 푡1)휃2(푢) → 훼 . 푡1휃2(푢). Analogous to the

previous case.

휃1(푡)휃2(푢) = 휃1(푡)0⃗ 푆(𝔹푛) → 0⃗ 푆(퐴). By definition, 0⃗ 푆(퐴) ∈

(푆(퐴)) ⊆ 푆푁.

휃1(푡)휃2(푢) = ⃗0 푆(𝔹푛⇒퐴)휃2(푢) → ⃗0 푆(퐴). Analogous to the previous

case.

Γ ⊢푡 ∶ A 푛 o 푊. By definition of 휃, we have that if 휃 ⊨ Γ, 푥𝔹 , then 휃 ⊨ Γ. Γ,x 𝔹푛 ⊢푡 ∶ 퐴

And by induction hypothesis, 휃(푡) ∈ (퐴).

푛 푛 Γ,x ∶ 𝔹 , 푦 ∶ 𝔹 ⊢푡 ∶ 퐴 ′ 푥 o 푥 퐶.By definition, 휃 (푡 [ ]) = 휃(푡). And by induction Γ,x ∶ 𝔹푛 ⊢( )푡 ∶ 퐴 푦 푦

푥 hypothesis, 휃(푡) ∈ (퐴). Therefore, 휃′ (푡 [ ]) ∈ (퐴). 푦

Γ ⊢ 푡 ∶ 퐴Δ ⊢ 푢 ∶ 퐵 o 푋 . Since Γ and Δ are disjoint, 휃(푡 × 푢) = (휃 ∪ Γ,Δ ⊢ 푡×푢 ∶ 퐴×퐵 퐼 1

휃2)(푡 × 푢) = 휃1(푡) × 휃2(푢), where 휃1 ⊨ Γ and 휃2 ⊨ Δ. Therefore, it

suffices to show that 휃1(푡) × 휃2(푢) ∈ (퐴 × 퐵). Since 휃1(푡) ∈ (퐴), we

have by definition that 휃1(푡) ∶ 푆(퐴) and, by Lemma 6.7 (CR1), 휃1(푡) ∈

푆푁. Similarly, 휃2(푢) ∶ 푆(퐵) and 휃2(푢) ∈ 푆푁. Then 휃1(푡) × 휃2(푢) ∶

푆(퐴) × 푆(퐵) ≺ 푆(푆(퐴) × 푆(퐵)) and 휃1(푡) × 휃2(푢) ∈ (퐴 × 퐵).

Γ ⊢ 푡 ∶ 𝔹푛 o 푋 . Since ℎ푒푎푑 푡 ∶ 𝔹, we have by Lemma 5.11 that Γ ⊢ℎ푒푎푑 푡 ∶ 𝔹 퐸푟

휃(ℎ푒푎푑 푡) = ℎ푒푎푑 휃(푡) ∶ 𝔹 ≺ 푆(퐵). And by induction hypothesis,

휃(푡) ∈ (𝔹풏) ⊆ 푆푁. Then, ℎ푒푎푑 휃(푡) ∈ 푆푁. Therefore, by definition,

ℎ푒푎푑 휃(푡) ∈ (𝔹).

Γ ⊢ 푡 ∶ 𝔹푛 o 푋 . Since 푡푎푖푙 푡 ∶ 𝔹푛 , we have by Lemma 5.11 that Γ ⊢푡푎푖푙 푡 ∶ 𝔹푛−1 퐸푙

휃(푡푎푖푙 푡) = 푡푎푖푙 휃(푡) ∶ 𝔹푛 = 𝔹 × 𝔹푛−1 ≺ 푆(푆(𝔹) × 푆(𝔹푛−1)).

Furthermore, by induction hypothesis, 휃(푡) ∈ (𝔹풏), and by Lemma 6.7

(CR1), 휃(푡) ⊆ 푆푁. Then, 푡푎푖푙 휃(푡) ∈ 푆푁. Therefore, by definition,

푡푎푖푙 휃(푡) ∈ (𝔹).

Γ ⊢ 푡 ∶ 푆(푆(퐴)×퐵) o ⇑푟. Since (푆(푆(퐴) × 퐵)), we have 휃(푡) ∶ 푆(푆(퐴) × 퐵) and Γ ⊢ ⇑푟 푡 ∶ 푆(퐴×퐵)

휃(푡) ∈ 푆푁. Then, ⇑푟 휃(푡) ∶ 푆(퐴 × 퐵) and ⇑푟 휃(푡) ∈ 푆푁. Therefore, by

definition, ⇑푟 휃(푡) ∈ (푆(푆(퐴) × 퐵)).

Γ ⊢ 푡 ∶ 푆(퐴×푆(퐵)) o ⇑ℓ. Analogous to the previous case. Γ ⊢ ⇑ℓ 푡 ∶ 푆(퐴×퐵)

Theorem 6.10 (Strong normalization). If Γ ⊢ 푡 ∶ 퐴 then 푡 ∈ 푆푁.

Proof. By Lemma 6.9, if 휃 ⊢ Γ, then 휃(푡) ∈ (퐴). By Lemma 6.7 (CR1), (퐴) ⊆ 푆푁.

Finally, by Lemma 6.7 (HAB), 퐼푑 ⊢ Γ, hence 푡 ∈ 푆푁” [5].

2.2 – Large Scale Quantum Computing

A large-scale quantum computer comes into play whenever complex calculations need to be performed on a very complex quantum algorithms, which involves in having a much more efficient error-correction, measurements and quantum states computation algorithms when the current implemented algorithms are no use for complex problems.

“Compared to traditional transistor technologies, the structural properties of quantum devices require larger physical distances (because of the physical position of quantum states in the space) and therefore larger building blocks in the physical layer” [1].

Keeping the structural properties of quantum devices in mind, several micro-architecture of quantum computers would communicate with each other in a network when performing distributed computations instead of using macro-architecture quantum computers to perform distributed computations since there are several components of quantum computers that can be extended into components and have a dedicated component perform tasks and work together as a team with other components of quantum computers to solve a very complex problem versus having a nodes of full set of components in quantum computers, which would not be efficient in performing distributed computations. In the physical layers, choosing the appropriate model to implement an efficient and optimal error-correction model is dependent on theoretical architectures and design that can make up a large-scale quantum computer with the proper architectures necessary to solve very complex problems. Since making the appropriate architectures for a large-scale quantum computer would be designed for a

87 specific hardware that are being implemented on, the challenge of implementing an optimal and efficient architecture model for all quantum computer hardware that can be universal remains open.

2.2.1 – Gate Model Quantum Computers

In gate model quantum computers, quantum computation is performed by several layers of quantum gates. “Each quantum ate performs a unitary operation on the input quantum systems” [1]. The gates are applied in several rounds due to the hardware restriction that quantum computing system have, such as the no-cloning theorem that prevent quantum system from participating in more than one quantum gate at the same time. Currently, Google and MIT have their own implementation of gate model quantum computers that are based on “qubit systems with a particular qubit-to-qubit coupling topology, and the achievable circuit depth depends on the fidelity of the quantum gates”

[1].

Gyongosi and Imre decided to take gate model quantum computer to the next level by performing experiments to improve efficiency and optimization algorithms for these systems. They came up with Quantum Approximate Optimization Algorithm, a quantum algorithm that offers efficiency in combinatorial optimization problems, to determine approximate solutions with the general rule that the algorithm depends on a positive integer for the whole algorithm to be effective in their results. In this algorithm, as the positive integer increases, the quality of the approximation for the algorithm will improve. Gyongosi and Imre defined that “the quantum circuit consists of unitary gates whose locality is at most the locality of the objective function (the goal is to find the

88 optimum of the objective functions)” [1]. They showed that the depth of the quantum circuit grows linearly according to their framework by analyzing the performance of quantum algorithm on regular graphs, which resulted in advantageous over classical algorithms in performance and efficiency wise. The algorithm was demonstrated in a well-defined combinatorial problem by first going through the input system, which is “a set of linear equations each of which contains exactly three Boolean variables and each equation outputs that the sum of the variables mod 2 is 0 or is 1” [1]. In the demonstration, this quantum algorithm is able to solve the input problem efficiently and is very optimal versus the classical algorithm. By seeing the capability that the Quantum

Approximate Optimization Algorithm has to offer, Gyongosi and Imre decided to use this algorithm in quantum supremacy since the algorithm is designed to run on gate-model quantum computers. The way this algorithm works is by taking a combinatorial optimization problem as the input value and outputting a string value as the end result, which would satisfy “a high fraction of the maximum number of clauses” [1]. Gyongosi and Imre proved “that for certain problems, this quantum algorithm has well- characterized performance bounds” [1]. If the algorithm were to be executed in classical system, the output of most quantum algorithm would not be able to be efficiently stimulated, meaning that the result will not generate the same level of accuracy compared to the results if executed through quantum system. Fortunately, this algorithm can be executed on near term quantum computers to demonstrate quantum supremacy.

Gyongosi and Imre also studied the quantum algorithms theory for fixed qubit architecture by using the gate-model quantum computers as the quantum hardware to develop a method for programming gate-model quantum computers without error

89 correction. In this study, it was concluded that the number of logical qubits was equal to the number of qubits on the quantum device. The study was accomplished by using a

“sequence of parameterized unitaries that sit on the qubit layout to produce quantum states depending on those parameters” [1]. They also came up with strategies for parameter optimization and perform research on improving the performance for quantum algorithms. The outcome of every quantum experiment is very crucial when it comes to developing an optimal and efficient quantum computer so that is why the gate-model qubit quantum computer can be well played in this scenario.

By keeping this fact in mind, an architecture of a quantum multicomputer was developed, which was optimized to be used for Shor’s factoring algorithm. “In the proposed model, the quantum multicomputer is realized via a large number of nodes that are communicating through a quantum-bus (qubus). They stated that the primary metric chosen was the performance of the factorization process” [1]. Gyongosi and Imre found that the quantum modular exponentiation step has a computational overload in the development of quantum architecture. In order to solve this problem, they proposed in reducing the latency and circuit depth to reduce the computational overload, which resulted in the possibility of “achieving the modular exponentiation of an n-bit number with latency 풪(푛2 log2 푛) or 풪(푛2 logn), while the initial latency was 풪(푛3)” [1]. By performing analysis of the proposed solution for the quantum architecture, it resulted in running more than one million times faster than other solution in handing calculation overhead as it was tested with 6000-bit number in the experiment. The quantum multicomputer study also “defined five different qubus interconnect topologies for the construction of quantum computer network as well as the different forms of quantum

90 adder circuits” [1]. Gyongosi and Imre concluded that “the serial links in the quantum multicomputer structure represent an optimal solution, since the parallel links would provide only very modest improvements in system reliability and performance” [1].

2.2.2 – Distributed Topologies

Large-scale quantum computers rely on distributed topology due to the requirement of physical distance between the quantum states in the model. In a distributed topology, micro-quantum computers are communicated with each other via a quantum bus, which are connected via optical fibers, wireless quantum channels and any other network communication protocols. Every quantum computer is connected through system area network (SAN), where quantum computers “could have an arbitrary quantum hardware with diverse quantum coding approaches, which are handled and controlled by some appropriate protocols (the model also implements classical protocols)” [1]. SAN is considered to be equivalent to LAN in terms of classical networking. For larger distances, quantum metropolitan area networks (Q-MAN, equivalent to MAN in classical computing) or quantum wide area networks (Q-WAN, equivalent to WAN in classical computing) are to be used in networking infrastructure implementation of quantum systems. Quantum algorithms and error-correction processes are executed in a distributed system as part of the distributed topology. In order to take advantage of distributed topology, having a strong infrastructure, distributed quantum computation protocols, distributed quantum applications and quantum error correction, including control and measurements, is a requirement.

In order to put distributed topology into good use, Gyongosi and Imre performed

91 a study on the models of local and distributed quantum computers by coming up with a model of implementing a million-qubit quantum computer. As they were implementing the system, they found out that “an appropriate balance is needed between the large-scale integration of components in quantum computers and the reliability of hardware technology of quantum computers” [1], which can be evaluated by using the appropriate modeling tools. Gyongosi and Imre went ahead and “modeled the execution of quantum logic operations on a realistic quantum hardware with limited computational resources and provided a performance stimulation” [1]. The model stimulated the Shor algorithm by factoring a 1,024 bit number with a baseline budget of 1.5 million qubits, which resulted in unrevealing the capability for a trapped-ion quantum computer to factor 2048- bit integer in less than five months due to the outstanding performance that the model can produce versus the performance of the classical computing, which could take millions of years to produce an output.

2.2.3 – Physical Implementations of Quantum Computing

Currently, there are seven quantum technologies implemented, which are ion traps, distributed and monolithic diamonds, superconductors, linear optics, quantum dots, donor systems and topological quantum computing. These quantum technologies that are very crucial in making up quantum computers can be broken down into four generations.

The first generation of quantum computers are implemented by ion traps with KhZ as the physical speed and Hz as the logical speed. “The foot-print ranges of these quantum computers are in mm-cm” [1]. The second generation of quantum computers are implemented by the distributed diamonds, superconducting quantum circuits and linear

92 optical technologies. The second generation of quantum computer can produce MhZ ranges as the physical speed and kHz as the logical speed with the footprint sizes in µm- mm. The third generation of quantum are implemented by monolithic diamonds, quantum dots or donor technology, which uses GhZ as the physical layer speed and MhZ as the logical layer speed with the footprint sizes in nm- µm. Lastly, the fourth generation of quantum computers are implemented by the topological quantum computing technology

(equivalent to anionic quantum computing), which is currently in continuous development phase. In the fourth generation of quantum computers, quantum error correction no longer becomes necessary for quantum computations since quantum computers are designed to be naturally protected from decoherence that would make a much more reliable quantum computers to rely on quantum computation without the dedicated quantum error correction. Although the fourth generation of quantum computer can be very advantageous, the only challenge that this generation is facing is the fact of handling a distributed quantum computer between the distant point through the anionic particles.

Since several implementation of the Shor factorization algorithm has been demonstrated on couple of different quantum computer architectures, the scalability of the algorithm remains an open challenge. To solve this issue, Gyongosi and Imre

“proposed a practical realization of a scalable Shor algorithm on quantum computers”

[1]. They demonstrated their solution by factoring fifteen by seven qubits with four cache-qubits, which as a result, this scalable Shor algorithm can “be realized by an ion- trap quantum computer with success probabilities of 90%” [1]. Gyongosi and Imre also proposed a design of superconducting flux qubit to provide “broad-frequency tunability,

93 strong anharmonicity, high reproducibility and relaxation times in excess of 40 microseconds at its flux-insensitive point” [1]. In the framework that they have developed, “the qubit dephasing at the flux-insensitive point is dominated by residual thermal-photons in the readout resonator” [1]. As a result, flux qubit became an integral part for quantum computing for enhancing coherence and expanding in quantum circuits and quantum computer implementations. Keeping the result in mind, Gyongosi and Imre went ahead and showed a modular quantum computer of any size from ion crystals.

“Since trapped atomic ions have great importance for the practical development of first- generation quantum computers, the study of ion crystals-based solutions has a crucial significance from the perspective of near-future practical quantum computing” [1]. In proposing the solution, they also perform research on wiring between ion trap qubits and quantum computing protocols by coming up with a hardware platform to solve the challenge of integrating various quantum elements into a quantum computer. By coming up with a solution to the challenge, this solution “fuses the methods of integrated circuit fabrication and three-dimensional circuit quantum electrodynamics (3D cQED)” [1].

Gyongosi and Imre came up with the multilayer microwave integrated quantum circuit

(MMIQC) platform to study scalable quantum computing, which they began by studying the quantum dots in electrically controlled cavity structures. The purpose of the study

“was to achieve the simultaneous generation of near-unity indistinguishability and pure single photons with high brightness” [1]. Gyongosi and Imre were able to accomplish their studies by demonstrating a single photon generation that was on-demand, bright and ultra-pure generator, which would have the power to deal with the complexity and the scalability of optical quantum manipulation.

By enhancing the MMIQC platform, Gyongosi and Imre went ahead and developed a model of semiconductor quantum dots to improve the operation of the exchanging process performance-wise as well as reducing the sensitivity of exchange operations and the dephasing effect of charge noise when performing quantum operations. Later in this study, “an addressable fault-tolerant qubit model has been introduced that uses a natural silicon double quantum dot with a micromagnet optimally designed for fast spin control” [1]. After performing the model, it results to high qubit fidelity of 99.6%, which is the highest reported compared to any other solutions that they have performed in the study and is very high for natural silicon qubits compared to the results that was obtained by using isotopically purified silicon quantum-dot-based qubits.

Gyongosi and Imre also demonstrated a solution of handling two-qubit entangled states that is dependent and available at any time. The two-qubit entangled states are

“based on electron and the nuclear spin of a single phosphorus atom embedded in a silicon nanoelectronics device” [1]. “By sequentially reading the electron and the nucleus, the generated entangled states violate the Bell/CHSH inequality” [1], which by extending their model would have an implementation of a high-fidelity quantum non- demolition measurement (QND). By using this model, it is possible to have a complete control on the two-qubit Hilbert space of a phosphorus atom. Since the realization was made about the control capabilities of the model, Gyongosi and Imre decided to perform to study the method of Hamiltonian stimulation by qubitization. In this method, “for a specifically given Hermitian operator the problem of Hamiltonian simulation is approximating the time evolution operator at a particular time with a specified error” [1].

Gyongosi and Imre found out that Hamiltonian stimulation that they are performing in

95 the method can work out with optimal query complexity. Gyongosi and Imre also showed that “if multiple copies of a quantum system with particular density matrix are given, then one can create quantum coherence among different copies of the system to perform quantum principal component analysis” [1]. This algorithm results in a very fast performance in revealing the eigenvectors that corresponds to the large eigenvalues of the unknown quantum state. From there, Gyongosi and Imre decided to enhance the study by making advances in quantum metrology, which is “the study of quantum techniques that allow one to gain advantages over purely classical approaches” [1]. In the study, they proposed a solution in implementing an efficient generation of quantum circuits and quantum gates for quantum computers by studying the method of quantum-assisted

Gaussian process regression. In theoretical setting, Gaussian process model are most widely used in supervised machine learning when dealing with regression problem. By keeping in mind on how Gaussian process regression works, it can be used in quantum linear systems algorithm, which can greatly improve efficiency and performance of the algorithm computational time.

2.3 – Quantum Algorithm Implementations

Shor’s prime factorization algorithm has always become of the most important quantum algorithm to use in a quantum computing device for characterizing quantum computing performance. According to several statements that Gyongosi and Imre have established in the previous sections, they have mentioned that Shor’s prime factorization algorithm has been implemented in various conditions on scalability level for specific quantum hardware, whereas several experiments of designing a universal version of

Shor’s prime factorization algorithm has been attempted. Currently, quantum teleportation, quantum Fourier transform, quantum key distribution, quantum communication protocols and quantum error-correction methods play a huge aspect in realizing distributed quantum computing. In the next couple sections, the process of handling quantum algorithms will be revealed.

2.3.1 – Managing Large-Scale Quantum Computing

There exists classical algorithmic tools that are implemented to control large-scale quantum computers, which includes “the mechanism and process of distributed quantum computing such as quantum error correction in the nodes, protocols for communication between the quantum nodes, information transfer between the nodes and the quantum bus, decoding processes, optimization procedures and many more” [1]. In the design of quantum algorithms and quantum communication protocols, classical information will be available in the system as auxiliary elements, meaning that methods will be mixed into quantum-classical systems since there will be classical information processing instead of pure quantum information processing.

Gyongosi and Imre came up with strategies for performing stimulations in quantum computing molecular energies by utilizing the variational quantum eignesolver

(VQE) algorithm to stimulate molecular energies. “The VQE algorithm utilizes quantum computers to efficiently determine values with a classical optimization routine in order to approximate ground state energies of quantum systems” [1]. In conclusion to the strategies result, it has the capability to reduce the quantum circuit depth for algorithm implementation while improving the optimization of the wavefunction.

Next, Gyongosi and Imre performed a study on optimization of hybrid quantum- classical algorithm by “analyzing the required number of repetitions that are required for a precise estimation, since the state preparation and measurement phases have to be repeated multiple times” [1] since the analysis was based from a class of hybrid quantum- classical algorithms that was previously implemented. This class was chosen due to the well-matched solution in the field of quantum chemistry and combinatorial problems.

2.3.2 – Computational Problems

In this section, there are different types of computational problems that will be discussed regarding the experiments that they have implemented as well as the result that they have obtained from the experiment. Gyongosi and Imre performed a research on the quantum gradient descent for linear systems and least squares by implementing a quantum linear system solver to perform the methods for large families of matrices, which is based in improved procedure of singular value estimation. They “provided the quantum method for performing gradient descent for cases where the gradient is an affine function, and in this case the cost of the method can be exponentially smaller than the cost of performing the step classically” [1]. From there, Gyongosi and Imre did a study on the problem of quantum gradient descent and Newton’s method for constrained polynomial optimization by using the quantum gradient descent algorithm. The function of gradient descent algorithm is to “determine a local minima by moving along the direction of steepest descent” [1]. In Newton’s problem, it uses curvature information as a solution to improve the convergence process. For this research, Gyongosi and Imre defines the quantum versions of iterative optimization algorithms where they would

98 apply it to the optimization problem that would result in providing an exponential speedup on quantum algorithms versus classical algorithms.

Gyongosi and Imre also performed a study on the unified quantum no-go theorems and the transform of quantum states when dealing with restricted set by defining the rule for general quantum transformations that would either allow or deny an operation as stated by the superposition principle. They came up with the no-encoding theorem to “forbid linearly superposing of an unknown pure state and a fixed state in

Hilbert space of finite dimension” [1]. They defined a universal scheme for determining perfect and imperfect quantum tasks that deals with cloning and deleting tasks.

Gyongosi and Imre “demonstrated a five-qubit trapped-ion quantum computer that can be programmed in software to implement arbitrary quantum algorithms by executing any sequence of universal quantum logic gates” [1]. In this demonstration, it was shown that the gate sequences reconfiguration has the capability to implement the algorithm without touching any hardware component. They went ahead and come up with

Deutsch-Jozsa and Bernstein-Vazirani quantum algorithm, which resulted in the success rates between 90% to 95%. Gyongosi and Imre also “performed a coherent quantum

Fourier transform (QFT) on five trappedion qubits for phase estimation and period finding” [1]. Based on these experiments that they performed, they conclude that the model can be expanded to larger number of qubits and also be integrated with several modules.

Gyongosi and Imre performed a study on fast graph operations in quantum computation that utilizes the connection between entangled states and graph theory, which could be used in a reverse graph operation to generate a graph data structures.

They came up with more efficient algorithms for dealing with transformations and comparison operations on graphs. This study concludes with a fact that classical data structure cannot achieve similar performance for fast graph operations compared to quantum computer that has that kind of performance to achieve it.

Gyongosi and Imre also performed a study on automated search method by introducing a “scheme for the development of an algorithm that can determine new experimental implementations for the creation and manipulation of quantum systems”

[1]. The experiment results in output data ranging from high-dimensional Greenberger-

Horne-Zeilinger (GHZ) state to asymmetrically entangled quantum states.

Gyongosi and Imre came up with a protocol to model the biological behaviors of individuals in a natural selection setting, which resulted in the discovery of quantum living units representing the fundamental feature of life. Therefore, this model can be useful in the realization of artificial life and embodied evolution with quantum technologies. They also came up with a method for utilizing “quantum singular value decomposition of non-sparse low-rank metrices” [1]. They came up a quantum algorithm to “exponentiate non-sparse indefinite low-rank matrices on a quantum computer” [1]. As a result, from this model experiment, finding the singular values and associated singular vector is exponentially faster in quantum algorithms than in classical algorithms.

Gyongosi and Imre also came up with quantum algorithms for analyzing topological and geometric data. They also developed quantum algorithms for identifying topological features for performing information extraction process on large data sets as well as finding eigenvectors and eigenvalues. As a result, these quantum algorithms provide exponential speedup on analyzing topological data versus with classical

100 algorithms.

Gyongosi and Imre performed a study on the efficient phase estimation methods by coming up with an algorithm for phase estimation that would execute efficiently and adaptively. In the phase estimation algorithm, it does not require the user to infer the bits of eigen phase in the reverse order since this method will infer the phase and perform an estimation of any unknown data that are encountered in the phase. They concluded that this algorithm can “be applied in the presence of substantial decoherence with the same speed as the original phase estimation methods” [1]. Gyongosi and Imre also performed a research on the quantum perception models by using two quantum algorithms to analyze on “how quantum computation can provide improvements in the computational and statistical complexity of the perception model” [1]. This research resulted in improvements to the application of quantum amplitude amplification and the version space interpretation of the perception model. They used “the Instantaneous Quantum

Polynomial time class of commuting quantum computations to strengthen the conjecture that quantum computers are hard to stimulate classically” [1]. They found that “if either of two plausible average-case hardness conjectures holds, then these class of computations are hard to stimulate classically up to constant additive error” [1].

Gyongosi and Imre analyzed quantum algorithms to solve two problems related to stochastic process by having the first algorithm initialize the thermal Gibbs state of a quantum system and have the second algorithm perform an estimation of the hitting time of a Markov chain. These algorithms conclude with the fact of being useful for

Hamiltonian stimulation, spectral gap amplification and solving linear systems of equations. They also studied the digital quantum simulation of many-body non-

101

Markovian dynamics by defining a framework for their open quantum systems for solving problems. As a result, this “method provides a tool for an experimental realization for a variety of problems” [1]. They performed a study in the Stimulated

Quantum Annealing algorithm that will sample the equilibrium thermal state of a

Quantum Annealing Hamiltonian. In the study, they concluded that stimulated quantum annealing can perform exponentially faster than classical simulated annealing.

Gyongosi and Imre performed a study on the “impossibility of classically simulation the so-called one-clean-qubit Computation. By theory, in the model of one- qubit quantum computation, the input state is a completely mixed state except for a single clean qubit and only a single output qubit is measured at the end of the computing. The proposed results weaken the complexity assumption necessary for the existing impossibility results on classical simulation of various sub-universal quantum computing models” [1].

Gyongosi and Imre takes the experimental results and improves the model by studying the fundamental limits to computation that deals with manufacturing, energy, physical space, design and verification efforts as well as the algorithms. They also studied the fault-tolerant operation problems dealing with universal blind quantum computing, which is the use of quantum information technology to conceal the client’s data and the algorithm from the server. They “defined a protocol to reduce the client’s computational load by transferring the qubit preparation to the server” [1]. “In the proposed model, for each logical qubit used in the computation, the client is only required to receive eight logical qubits via teleportation then buffer two logical qubits before returning one” [1].

They concluded that this protocol can protect client’s fault-tolerant of logical qubits from

102 any malicious attacks.

Gyongosi and Imre performed a research on addressing the problems of simulating chemistry efficiently on fault-tolerant quantum computers by coming up with some chemical simulation algorithms since quantum computers can stimulate quantum physics at a very fast rate compared to classical computers. They discussed “some methods for constructing arbitrary gates which perform substantially faster than some circuits” [1]. They concluded that the arbitrary single-qubit gates can produce fault- tolerant in a very efficient way. They also analyzed Metropolis algorithm implementation on quantum computers that would “permit to sample directly from the eigenstates of the

Hamiltonian and thus evades some problems that crucial in classical simulations” [1].

Gyongosi and Imre defined a quantum algorithm for data fitting that can

“determine the quality of a least-square fit over an exponentially large data set” [1] in a more efficient way. This quantum algorithm is based on solving systems of linear equation problems. They found that this quantum algorithm can “efficiently find a concise function that approximates the data to be fitted and bound the approximation error” [1]. They concluded that the quantum algorithm can be used to determine an efficient parametric estimation of the quantum state since the input data would come out to be a pure quantum state. Since this quantum algorithm has the capability of coming up with pure quantum states, it could be used as an alternative to full quantum state tomography in a fault-tolerant quantum computer.

Gyongosi and Imre decided to expand the data fitting quantum algorithm by defining another quantum algorithm for linear system of equation since there is a potential that the whole computation process can be improved with the help of quantum

103 computer. They “considered the case where it is not needed to know the solution itself, but rather an approximation of the expectation value of some operator associated with the solution” [1]. This quantum algorithm showed an exponential improvement over the best classical algorithm as a result.

2.3.3 – Quantum Computing Optimization

Quantum Computing Optimization is an ongoing model that has been a very popular research topic in academia and industry focusing in science and engineering field. In chemical engineering applications specializing in process system engineering, optimization is a very important components for synthesis, design, operations and control. “Large-scale optimization problems with complex economic and performance interactions could be computationally intractable to solve through off-the-shelf methods and might require specialized solution algorithms” [3]. In this section, we will explore computational models and strategies that can address the complex and large-scale optimization problems.

Computational modeling and search algorithms are currently the primary components of the optimization process since it requires the efficiency and computationally tractable of the search algorithms to obtain an optimal solution when it comes to using the optimization techniques. “Over the past years, deterministic optimization techniques, especially nonlinear programming and mixed integer nonlinear programming (MINLP) algorithms, have received growing attention from academia and industry” [3]. When it comes to solving the problems of the deterministic global optimization algorithms, performing the procedure using large-scale nonconvex MINLP

104 is a resource intensive algorithm that would require a powerful system to be able to perform the computations smoothly. “Deterministic algorithms for solving large-scale

MINLP problems need to deal with the growing size of sub-problems and/or exponential growth of branch-and-bound tree, leading to enumeration of many more alternative in the feasible space” [3]. “Heruistic techniques such as simulated annealing, genetic algorithms, tabu search and others have also grown popular owing to their easy implementation and little prior knowledge requirement of the optimization problem” [3], but they are suitable for unconstrained optimization problems and doesn’t have any convergence properties. However, in classical systems, “the ever-increasing complexity of combinational optimization problem accompanied by a quickly growing search space, results in the optimization process being more time-consuming” [3], due to the limits that classical computing system has with Moore’s law which is why quantum computing comes into big play to exceed the limits of computing power and performance that classical computing don’t have.

Currently, there are couple quantum techniques, such as Shor’s algorithm (integer factorization), Grover’s search algorithm (unstructured databases), quantum algorithm for linear system of equations and much more, that are capable of running efficiently at the same time giving fast performance to it. Quantum adiabatic algorithm has the capability, as the optimization strategy, of performing search of the solution spaces in a very fast and efficient way. “Quantum computers perform computation by inducing quantum speedups, which scaling far exceeds the capability of the most powerful classical computers” [3].

Currently, the quantum systems have limitations in the functionality in the context of optimization, such as the QC hardware and algorithm having issues in handling large-

105 scale optimization problems. Although the quantum computers have the capability of solving optimizations problems regarding energy systems, having a much more complex computation problem can degrade performance due to the lack of quantum memory and network connectivity. In this case, optimizing complex large-scale quantum computing algorithms is an open question that remain for researcher to find an effective solution to this issue.

Gyongosi and Imre decided to improve the theory of the quantum-classical hybrid optimization algorithm by using quantum variational eigensolver algorithm as the framework. In the process of making the improvement, they came up with the quantum variational error suppression method that will prevent errors in quantum devices. They also defined free optimization techniques, which resulted in reducing the computational costs up to three orders of magnitude, which is very effective compared to other optimization techniques.

Gyongosi and Imre also studied a method to perform prediction using linear regression model with least squares optimization on quantum computers. The output of the method is accessible with single qubit measurement and “the runtime is logarithmic in the dimension of the input space” [1]. They also came up with genetic algorithm to improve the digital quantum simulations as well as “increasing the fidelity of quantum state and optimizing the resource requirements of some digital quantum simulation protocols” [1]. This algorithm was demonstrated with a modular gate that was made out of imperfect quantum gates.

Gyongosi and Imre also came up with a quantum support vector machine, an optimized binary classifier, for big data classification to be implemented on quantum

106 computer. “The complexity of the quantum algorithm is logarithmic in the size of the vectors and the number of training examples” [1]. They concluded that “the quantum algorithm in some cases (if classical sampling algorithms require polynomial time) achieves an exponential speed-up compared to the classical algorithms” [1]. They also focused on the optimization method of the Solovay-Kitaev algorithms to be implemented on quantum computer since it is a very useful tool for determining the approximation of arbitrary single-qubit gates for fault-tolerant quantum computer. For the optimization method of the Solovay-Kitaev algorithm, they came up with search space expansion approach to modify the initial state of this algorithm, which is very crucial in reducing the requirements of quantum error correction for quantum algorithms.

2.4 – Quantum Cryptography

Information security has become an important aspect of computing to secure communication systems of intranets. Cryptography plays a role in hiding the key information from the secure channels to protect from malicious attacks. Cryptography uses a cipher to produce a cryptogram with the key in order to perform encryption and decryption of data information. “Classical cryptosystems come in two main classes depending on whether communicators, e.g. Alice and Bob use the same key” [2].

Asymmetrical systems are based on the computational complexity for security measures, which uses one key for encrypting and another key for decrypting. On the other side, symmetrical systems use only one key that will work for both encryption and decryption.

“The symmetric cryptosystem, including stream ciphers and block ciphers, is a typical way of implementing the encryption and decryption with the same key so that the high

107 communication efficiency and security lead to wide applications in military defense, finance and society” [4]. In order to perform cryptographic attacks, every attack requires different properties such as nonlinearity, balance and correlation immunity. “The performance of core cryptographic components that offer high security as the filter model, the combiner model and S-box relies on the availability of Boolean functions” [4].

Currently, resiliency and high nonlinearly are very important criteria for achieving fast correlation attack and best affine approximation attacks (BAA). The low-order resilient

Boolean function properties with high nonlinearity are important in stream ciphers.

Although there are ways to find low-resilient and highly nonlinear Boolean functions, there are limitations in classical computers with the current search procedure and the functions with certain properties that are available to them. “Although the size of the 1-

푛 resilient Boolean function with high nonlinearity is exponentially smaller than 22 , it is still difficult for classical computers in the sub-exponential space” [4]. To solve this issue, quantum cryptography has been an interesting topic since 1984 when quantum key distribution was initially proposed and when the quantum key distribution concept was demonstrated in 1992. Since then, quantum cryptography is becoming a driven factor in mainstream computer science and physics for the last four decades. There are several proposed solutions for post-quantum cryptography such as hash-based, code-based, lattice-based and multivariate quadratic equation-based cryptosystem, but performance can be limited when it comes to hardware which could be solved by designing a hardware architecture that is optimized for it. The current open problem in quantum cryptography are in quantum key distribution, quantum secret sharing and quantum bit commitment.

The purpose of having encryption algorithm for either quantum system or classical

108 systems is to keep sensitive information secure as well as keeping communications private. The difference between quantum encryption algorithm and classical encryption algorithm is that quantum encryption algorithm uses quantum laws to execute while classical encryption algorithm uses pure mathematics principle to execute.

Although quantum computer is powerful than classical computer, utilizing quantum encryption systems as a general practice will pose a threat to classical encryption systems. “For example, the powerful Shor’s quantum factoring algorithms for factoring and discrete logarithm, and the quantum Grover’s searching algorithm are subtly designed according to the principle of quantum mechanics” [2]. Currently, the open problem for research regarding data protection is on finding ways to design an algorithm that will resist quantum attack. “Fortunately, the currently proposed quantum cryptology is thought to be helpful not only because the existence of the eavesdropper can be detected in the quantum situation but also because the non-orthogonal quantum states cannot be reliably distinguished, which are quite different from the classical situation” [2]. Quantum cryptography is a must in order for any sensitive communication protocols and data to be protected from future invasion using quantum systems into a classical computing device.

2.4.1 – Quantum Block Encryption Algorithm

For the current standard encryption protocol, we can encrypt a message by using either classical algorithm, such as Vernam algorithm since it is the most secure and effective algorithm for classical computing, or quantum algorithm. However, the Vernam algorithm hasn’t been used widely due to the intractable difficulty in key management,

109 such as key distribution and key storage. “In the quantum situation, most encryption algorithms are based on the communicators pre-sharing quantum states, such as EPR pairs” [2]. Nanrun Zhou, Guihua Zeng, Yiyou Nie, Jin Xiong and Fuchen Zhu come up with a quantum block encryption algorithm that would run off from the quantum computation, which would require “communicators to pre-share four groups of classical keys: one for the choice of quantum ancilla bits, one for the choice of the Controlled-

NOT operation, one for the bits permutation and another one for the choice of the quantum logic operation making the ciphertext non-orthogonal” [2]. Since each

“encryption process is under the control of the key and the final ciphertext states are non- orthogonal, the eavesdropper cannot acquire fixed ciphertext without the keys, so eavesdropping attack is invalid or fruitless, which is guaranteed by the no-cloning theorem in quantum mechanics” [2]. Due to the fact that whenever the ciphertext is non- orthogonal, it becomes impossible for any computing device to perform any strategy of

Trojan horse attack to encrypted quantum devices.

2.4.2 – Encryption Process

For the encryption process, there are four steps that deals with the encryption of the ith classical plaintext bit using the corresponding ith key element of each group of keys” [2]. For the steps below, we will be describing communicators as Alice and Bob.

The encryption process is done in the following order:

1 2 • Step 1 - Preparation: “Alice prepares the quantum ancilla state |푘1 푘1 >

1 2 according to the first group of key element k1, where 푘1 and 푘1 are two key

elements of the ith key pair in k1 (In the following context, the i is left out).

110

When the classical key element pair are 00, 01, 10 and 11, Alice prepares the

corresponding quantum states |00>, |01>, |10> and |11>. Provided the classical

binary message bit to be encrypted is m ∈ {0, 1}, Alice prepares the message

1 2 quantum state |m> and generates the tensor product state |푘1 푘1 푚 > of the

ancilla quantum state and the message quantum state. The result of this step

may be one of the possible state |000>, |010>, |100>, |110>, |001>, |011>,

1 2 |101> and |111>, thus the result C1 can be expressed as 퐶1 = {|푘1푘1 푚 >

1 2 |푘1 푘1 , 푚 ∈ {0,1}}, where {…} denotes a set” [2].

• Step 2 – Controlled-NOT Operation: “Alice performs a Controlled-NOT

operation according to the second group of key element k2. The classical key

elements 0 and 1 represent taking the first qubit and the second qubit as the

control qubit. The third qubit (message qubit) always acts as the target qubit.

1 2 After processing Alice gets the result 퐶푘2+1,3|푘1푘1 푚 >, where 퐶푘2+1,3

represents the Controlled-NOT gate with the k2 + 1 qubit as the control qubit

and the third qubit as the target qubit. For example, provided the result in C1 is

|000m>(|001m>), regardless of what the key element is, in terms of the

definition of the Controlled-NOT gate, the resulting state is |000m>(|001m>).

The subscript m denotes the bit related to the original message bit. Another

example is that if the result in Step 1 is |010m>, the resulting state is |010m>

when the second group of key element is 0 or else |011m>” [2].

111

Table 11 - The First Encryption Transformation

푘2 퐶2 푘2 퐶2 퐶1

0 |000푚 > 1 |000푚 > |000푚 >

|010푚 > |011푚 > |010푚 >

|101푚 > |100푚 > |100푚 >

|111푚 > |111푚 > |110푚 >

|001푚 > |001푚 > |001푚 >

|011푚 > |010푚 > |011푚 >

|100푚 > |101푚 > |101푚 >

|110푚 > |110푚 > |111푚 >

In Table 11, there are sixteen resulting state but only eight are different from

one another. “Therefore, the resulting ciphertext states can be formulated as

1 2 1 2 1 퐶2 = {|푘1푘1 훼푚 > |푘1푘1 , 푚 ∈ {0,1}}, where 훼푚 = |훼 >푚= [(훿0,푘2|푘1 +

2 1 훿1,푘2푘1 ) ⊕ 푚]푚. The third qubit in each state of C is the original information

qubit, but in each state of C2 it is the result of the Controlled-NOT

transformation and is no longer the original information qubit itself” [2].

• Step 3 – Permutation: “The existing algorithms usually fix a qubit position to

represent the private information qubit, which may pose threats to the security

of the encryption system in some special cases. Alice can permutate two

112

qubits in the resulting state C2 according to the third group of key elements k3.

If k3 is 0, leave the state alone, otherwise swap the second and the third qubits.

For example, suppose one state in C2 is |000m> when the key element is 0 or

else |00m0>. And suppose one state in C2 is |010m>, the resulting state is

|010m> as the key element is 0 or else |00m1>” [2].

Table 12 - The Second Encryption Transformation

푘2 퐶2 푘2 퐶2 퐶1

0 |000푚 > 1 |00푚0 > |000푚 >

|001푚 > |01푚0 > |001푚 >

|010푚 > |00푚1 > |010푚 >

|011푚 > |01푚1 > |011푚 >

|100푚 > |10푚0 > |100푚 >

|101푚 > |11푚0 > |101푚 >

|110푚 > |10푚1 > |110푚 >

|111푚 > |11푚1 > |111푚 >

Table 12 shows other ciphertext states can possibly be obtained from C2. “The

set of the possible ciphertext states C3 is given as follows: 퐶3 =

1 2 1 2 1 2 {{훿0,푘3|푘1 푘1 훼푚 > + 훿1,푘3|푘1훼푚푘1 >}|푘1 , 푘1 , 푘2, 푘3, 푚 ∈ {0,1}}. Ciphertext

states in C3 are different in form from those in C1, the second and the third

qubits of each state of C3 may involve information about the message

113

(plaintext), unlike those of C1 where the information about the plaintext is just

confined to the third qubit. Thus, the ciphertext space is doubled” [2].

• Step 4 – Non-Orthogonality: “Up to now, the intermediate ciphertext state

Alice obtained are orthogonal, which can be distinguished and are not suitable

for propagating on the channel. To overcome this weakness, Alice carries out

quantum computation on the ciphertext states in C3 under the control of the

fourth group of key element k4 in order to make the final ciphertext states non-

orthogonal. If the key element is 00 or 11, then leave the third qubit of state C3

alone, i.e. the third qubit remains in the state |0> or |1>; but if the key element

is 01 or 10, certain computation needs to be made on the third qubit. When the

key element is 01, Alice applies H gates to the third qubit and the resulting

output state will be |+> if the input state is |0>, or |-> if the input state is |1>.

On the other hand, when the key element is 10, Alice applies ZH gate to the

third qubit and the resulting output state is |-> corresponding to the input state

|0>, or |+> corresponding to the input state |1>” [2].

Table 13 - The Third Encryption Transformation

퐶3 푘4 퐶4 푘4 퐶4 푘4 퐶4

|000푚 > 00 or 11 |000푚 > 01 |00 +푚> 10 |00 −푚>

|001푚 > |001푚 > |00 −푚> |00 +푚>

|010푚 > |010푚 > |01 +푚> |01 −푚>

|011푚 > |011푚 > |01 −푚> |01 +푚>

|100푚 > |100푚 > |10 +푚> |10 −푚>

114

|101푚 > |101푚 > |10 −푚> |10 +푚>

|110푚 > |110푚 > |11 +푚> |11 −푚>

|111푚 > |111푚 > |11 −푚> |11 +푚>

|00푚0 > |00푚0 > |00푚+> |00푚−>

|01푚0 > |01푚0 > |01푚−> |01푚−>

|00푚1 > |00푚1 > |00푚−> |00푚+>

|01푚1 > |01푚1 > |01푚−> |01푚+>

|10푚0 > |10푚0 > |10푚+> |10푚−>

|11푚0 > |11푚0 > |11푚+> |11푚−>

|10푚1 > |10푚1 > |10푚−> |10푚+>

|11푚1 > |11푚1 > |11푚−> |11푚+>

In Table 13, it shows the possible ciphertext states in C4 that are obtained

from this step. “This step can be expressed as 퐶4 = {{훿00,푘4 +

1 2 훿11,푘4 + 훿01,푘4퐻 + 훿10,푘4푍퐻}{훿0,푘3|푘1푘1 훼푚 >

1 2 1 2 { } 2 + 훿1,푘3|푘1훼푚푘1 >}|푘1, 푘1 , 푘2, 푘3, 푚 ∈ 0,1 , 푘4 ∈ {0,1} }. Thus, the whole

encryption process comes to the end. This equation shows that the ciphertext

states are non-orthogonal, and the message bits do not hide in the fixed

position. Furthermore, the ciphertext space is doubled again. Some quantum

computations such as Controlled-NOT gate, bit swapping, Hadamard gate and

Z gate are involved during the encryption process. The definition of the

Controlled-NOT gate is 퐶퐴,퐵|퐴 > |퐵 > → |퐴 > |퐴 ⊕ 퐵 >, where A, B ∈ {0,

115

퐼 0 1} and the matrix form of this transformation is 퐶 = [ ], where 푋 = 퐴,퐵 0 푋

0 1 1 0 [], 퐼 = [ ]. The function of the bit-swapping circuit can be written as 1 0 0 1

1 |A>|B> |B>|A>. Hadamard gate can be written as 퐻 = [|0 > +|1 >) < √2

1 1 1 1 0| + (|0 > −|1 >) < 1|] or in matrix form 퐻 = [ ] = (푋 + 푍) √2 1 −1 √2 1 0 with 푍 = [ ]. It is easy to obtain H|0> = |+>, H|1> = |->, where |+> = 0 −1

1 (|0 > ±|1 >)” [2]. √2

2.4.3 – Decryption Process

The decryption process simply involves in performing the right inverse of the encryption process. Due to the quantum operations being unitary, the decryption process can be done by using the pre-shared keys. The decryption process is as follows:

• Step 1 – Decrypting C4 with k4: “If the key element is 01, i.e. the H gate is

applied while encrypting, one applies the same H gate to the ciphertext while

decrypting. If the key element is 10, i.e. the ZH gate is applied while

encrypting, one applies the HZ gate to the ciphertext while decrypting. If the

key element is 00 or 11, let the ciphertext stay put” [2].

• Step 2 – Decrypting C3 with k3: “If the key element is 0, leave it alone. If the

key element is 1, permute the second and the third qubits with the bit swap

circuit” [2].

116

• Step 3 – Decrypting C2 with k2: “The decryption is described as |퐴 > |퐴 ⊕

퐵 >→ |퐴 > |퐴 ⊕ (퐴 ⊕ 퐵) ≥ |퐴 > |퐵 >, where A, B ∈ {0, 1}, and this

transformation is still a Controlled-NOT transformation. So, if the key

element is 0, Bob applies the gate C1,3 to the ciphertext states, otherwise he

applies the gate to the gate C2,3 to the ciphertext states” [2].

• Step 4 – Transforming C1: “The third bit of each 3-bit quantum state in the

result derived in Step 3 corresponds to initial classical message bit. Cascading

all the initial classical message bits, Bob gets the bit string of plaintext” [2].

During the encryption process, all quantum computations are managed by the pre- shared keys. To speed up the encryption and decryption process, quantum operations should only be applied to some intermediate states instead of all. For example, “in Step 3 of the encryption process, provided the key element is 0, no operation acts, and in Step 4 of the encryption process, provided the key element is 00 or 11, no operation functions either” [2]. The efficiency of the decryption algorithm should still be functional for various scenario.

2.4.4 – Security Analysis and Algorithm Operations

There were some important points that was made in the analysis of the encryption and decryption procedure of quantum cryptography. Firstly, “Let 휓푡푖> be the linear combinations of all the possible quantum states with equal probability in the ciphertext set Ct (t = 1, 2, 3, 4), which corresponds to the ith bit” [2]. Density matrices is very simple to calculate and the results for performing that calculation with the ciphertext set are |휓1푖><휓1푖| = I, |휓2푖><휓2푖| = I, |휓3푖><휓3푖| = I, |휓4푖><휓4푖| = I. “The density matrix 117 of n ciphertext states |휓4> related to the n bits classical message is |휓4><휓4| =

|휓41><휓41| ⨂ |휓42><휓42| … ⨂ |휓4푛><휓4푛| = I” [2]. This equation shows that the ciphertext is homogeneous and does not contain any plaintext information, which is very effective of having full privacy with this quantum cryptographic algorithm.

Secondly, when dealing with multiple ciphertext states, they cannot be distinguished between each other. One ciphertext can calculate with the following

1+ 2 equation: <휓 |휓 > = √ > 0. This equation shows that every different ciphertext 4푖 4푖 16 states are non-orthogonal since the non-orthogonality computation was accomplished in

Step 4 during the encryption process. Due to the fact that non-orthogonal states cannot be distinguished due to the general rule of quantum mechanics, it would make the ciphertext states non-orthogonal for this algorithm, resulting in a very secure algorithm to prevent eavesdropping attacks.

Thirdly, there are no useful information when running the Trojan horse attack strategy. For instance, “suppose an attacker has pre-lurked a Trojan horse (Υ) in Alice or

Bob’s apparatus, which can identify the quantum states |0> and |1>, the ciphertext state

1 influenced by the Trojan horse is given as “|휓 (Υ)> = (0||0||0|| > +|0||0||1⊥ > 4푖 32 푚 푚

|| ⊥ || || ⊥ ⊥ ⊥ || || ⊥ || ⊥ ⊥ ⊥ || ⊥ ⊥ || +|0 1 0푚> +|0 1 1푚> +|1 0 0푚> +|1 0 1푚> +|1 1 0푚> +|1 1 1푚 >

|| || || || ⊥ || || || ⊥ || ⊥ ⊥ ⊥ || || ⊥ ⊥ || +|0 0푚0 > +|0 1푚0 > +|0 0푚1 > +|0 1푚1 > +|1 0푚0 > +|1 1푚0 >

⊥ || ⊥ ⊥ ⊥ ⊥ || || ? || || ? || ⊥ ? || ⊥ ? +|1 0푚1 > +|1 1푚1 > +|0 0 +푚> +|0 0 −푚> +|0 1 +푚> +|0 1 −푚>

⊥ || ? ⊥ || ? ⊥ ⊥ ? ⊥ ⊥? || || ? || ⊥ ? +|1 0 +푚> +|1 0 −푚> +|1 1 +푚> +|1 1 푚> +|0 0푚 − > +|0 1푚 − >

|| || ? || ⊥ ? ⊥ || ? ⊥ ⊥ ? ⊥ || ? ⊥ ⊥ ? +|0 0푚+ > +|0 1푚+ > +|1 0푚− > +|1 1푚− > +|1 0푚+ > +|1 1푚+ >)” [2].

This equation mention that if the qubits are in the quantum state of either |0> or |1>, the

118

Trojan horse will either give the information of || or ⊥. This equation also mentions that if the qubits are in the quantum state of either |+> or |->, then the Trojan horse will not return any information which is the reason on why “?” is shown in the equation since the

Trojan horse cannot distinguish non-orthogonal states as quantum mechanics rules out.

“Furthermore, since the message bit is hidden in either the second or the third qubit of the

3-bit quantum states, the Trojan horse has no idea of which qubit is related to the plaintext message bit and which qubit is related to the ancilla qubit” [2], which the strategy of performing Trojan horse attack doesn’t become useful.

After analyzing the encryption process and ciphertext property (|휓4푖>), Zhou,

Zeng, Nie, Xiong and Zhu found out that the first qubit of every 3-bit quantum state stays as the ancilla qubit. They also found out that in the decryption process of quantum cryptography, Step 1 and 2 becomes irrelevant to the first qubit, but Step 3 of the same process become useful since it needs help regarding the first qubit value, which is determined by the pre-shared key element (k1) between communicators and it is not necessary to send the first qubits as a parameter of the ciphertext. “The ciphertext state

1 (|휓 >) transmitted in the circuitry or channel can be written as |휓 > = (|00 > 퐶푖 퐶푖 16 푚

+ |01푚> + |10푚> + |11푚> + |0푚0> + |0푚1> + |1푚0> + |1푚1> + |0−푚> + |1−푚>

+ |0+푚> + |1+푚> + |0푚 −> + |1푚 −> + |0푚 +> + |1푚 +>)” [2]. From this equation,

1+ 2 a state can follow with the following equation: “<휓 |휓 > =√ = 2<휓 |휓 > > 0” 퐶푖 퐶푖 8 4푖 4푖

[2]. This equation shows that it very tedious to distinguish every cipher state in |휓퐶푖> compared to |휓4푖>, which has a value of four in the initial point. The Trojan horse can

1 obtain information about the state of the first qubit by using this equation: “|휓 (Υ)> = 퐶푖 16

119

|| || || ⊥ ⊥ || ⊥ ⊥ || || || ⊥ ⊥ || (? 0 0푚> +|? 0 1푚> +|? 1 0푚> +|? 1 1푚> +|? 0푚0 > +|? 0푚1 > +|? 1푚 0 >

⊥ ⊥ || ? ⊥ ? || ? ⊥ ? || ? ⊥ ? +|? 1푚 1 > +|? 0 −푚> +|? 1 −푚> +|? 0 +푚> +|? 1 +푚> +|? 0푚− > +|? 1푚 − >

|| ? ⊥ ? +|? 0푚 + > +|? 1푚+ >)” [2]. In this equation, the “?”, located in the first position of every quantum state in the equation, means that the attacker is unable to determine the right state without the key. “Since the length of the transmitted ciphertext |휓퐶> reduces to

2/3 of the ciphertext |휓4>, the efficiency of the algorithm is enhanced” [2]. For the decryption process, Step 1 and 2 remains unchanged since the equation mentioned so far are the same as the equation from the decryption process. In Step 3 of the decryption process, “Bob can choose the right Controlled-NOT operation according to the first group of keys that he pre-knows and acquire the correct plaintext all the same” [2].

In the decryption process, Zhou, Zeng, Nie, Xiong and Zhu found out that without the fourth key, the decryption process will fail. Usually after completing the first step of the decryption process, the output can be measured. From there along with the second and third groups of keys, Bob will be able to obtain the right plaintext by performing a search in the Tables of Encryption Transformation. “The rate of decryption can be largely enhanced because only one quantum computation (under the control of the fourth group of key), one measurement and two searching procedures in the Tables of Encryption

Transformation (according to the third and second groups of keys are necessary, if we replace the quantum computation in decryption process with searches in the tables” [2].

This way, the quantum encryption and decryption process can be improved in performance and security wise to ensure efficient operation.

120

2.4.5 – Key Management and Circuits for Encryption and Decryption

The block encryption algorithm consists of multiple group of keys with the general rule that the ciphertext quantum states has to be non-orthogonal on the fourth group of keys. If the fourth group of keys were to be insecure, then the ciphertext states that are transmitted through the communication channel can be compromised by the attacker. For this case, “the quantum block encryption algorithm degenerates to a classical block cryptographic algorithm, which cannot keep the perfect privacy since here the length of the key is finite and is unlike the Vernam algorithm” [2]. Currently, an open problem in quantum cryptography field is when it comes to dealing with the pre-sharing multi-group of keys in the key management. While trying to keep security to the highest standards, the group of keys pre-shared can be reduced by the communicators. “The algorithm can realize theoretically secure communications with just two-group of keys: one for the choice of ancilla qubits, and the other for the non-orthogonalization of the ciphertext states. The other two groups of keys exploited here can be derived from the pre-shared two group of keys with a determinate algorithm” [2].The pre-shared keys can be split into parts to make it easier to manage key management system, where the pre- shared keys can be operated in either classical or quantum systems. To take the advantage of the features that quantum key distribution system has to offer, BB84 protocol could be used to maximize the security.

The five steps to reuse the secure pre-shared keys in quantum block encryption algorithm is as follows:

1. “Alice inserts some random check bits into the message bits and encrypts them

with the proposed block encryption algorithm” [2].

121

2. “Bob decrypts all the ciphertext states sent from Alice” [2].

3. “Alice announces the check bits and their corresponding positions to Bob” [2].

4. “Bob compares his received check bits with the bits Alice announced. If the error

rate is acceptable, they keep the two remaining strings to generate a same key.

Otherwise, abolish the pre-shared keys and start a new quantum key distribution”

[2].

5. “Alice and Bob perform information reconciliation and privacy amplification on

the remaining key bits to obtain finally shared secure key bits” [2].

Whenever an intruder is present, the check bits has to be different in order to detect

the intruder. Otherwise, Alice and Bob should be able to reuse the shared key using a

block encryption algorithm with the security system similar to BB84 protocol.

Figure 9 - Encryption of Classical Information Using Quantum Block Encryption

Algorithm

122

Figure 10 - Decryption Using Quantum Block Encryption Algorithm

In Figure 9 and 10, it shows S1, S2 and S3 as the three quantum switches that are controlled by k2, k3 and k4, which are the elements. “When the element of k2 is 0, S1 switches onto 1, otherwise S1 switches onto 2. When the element of k3 is 0, S2 puts through 1 or else 2. When the element of k4 is 00 or 11, S3 links to 2 and when the element is 01, S3 links to 1, or else 3” [2]. You can also see in Figure 9 that the quantum cryptographic algorithm involves the use of quantum logic gates. It also shows that every message that are being encrypted at the same time as adopting keys in the duration of the process are classical since the process was introduced in classical system and enhanced into quantum as we are now. “The ciphertext states are directly sent to Bob through optical fiber channel or via air after all the encryption process are finished by Alice” [2].

When Bob receives the ciphertext state, he decrypts it and he is not required to store the quantum states. This algorithm can use the existing technology such as the classical systems and integrate with the quantum error-correcting technology to improve its performance.

123

2.5 – Diffie-Hellman Key Exchange

Diffie-Hellman agreement protocol is a method of having two parties (e.g. Alice and Bob) agree on a secret key to establish communication over an insecure communication channel. When establishing a secret key for two parties on the agreement protocol, computations are performed for two parties by using some previously fixed cyclic group (G) with an agreed generator (g). The protocol is defined to function in the following order: “(1) Alice chooses a random 푎 ∈ {1, … , |퐺| − 1}, and sends ga to Bob.

(2) Bob chooses a random 푏 ∈ {1, … , |퐺| − 1}, and sends gb to Alice” [7]. The agreed key

푏 푎 for both parties is gab. For instance, the agreed key can be computed by Alice ((푔 ) ) and Bob ((푔푎)푏). In Diffie-Hellman, the order of the group should be based on prime due to the Pohlig-Hellman attack that occurred a long time ago. For example, in the case of

∗ 푔 ∈ 픽푞, where q is considered to be a prime and p is considered to be the prime order for

∗ the generated group (퐺 =< 푔 >≼ 픽푞, “Computing gx for 푥 ∈ {1, … , 푝 − 1} consists of squaring and multiplying. If 푔 = 2, then the multiplication operation amounts to shifting

푞 2ℎ ℎ < , ∗ 2 and taking modular reduction. For ℎ ∈ 픽푞, 2ℎ 푚표푑 푞 = { 푞 which is 2ℎ − 푞 ≼ ℎ 2 computationally negligible in comparison to multiplying by a random g” [7]. By utilizing the standard square-and-multiply implementation will reduce 33% of computational complexity when it comes to evaluating 푔푥 since squaring is the most efficient way to perform computation versus general multiplication. If 2 ∈ 퐺, then it could be used as a generator. Otherwise, if 2 ∉ 퐺, then other generators can be chosen as long it will work for the computation process.

Eike Kiltz and Arne Winterhof created P-Diffie-Hellman function as the

124 cryptographic functions that are related to the original Diffie-Hellman function. In P-

Diffie-Hellman function, by having a low-degree polynomial in existence as part of the problem would lead in having a much more efficient algorithm to solve the Diffie-

Hellman problem. By having a very interesting result from this algorithm, Kiltz and

Winterhof went ahead and proved lower bound on the degree of interpolation polynomials by coming up with a class of functions that are related to the discrete logarithm that would show similar reduction and interpolation results in a much more efficient way.

픽푞 will represent the finite field of order (q) with a prime power (q) while 0 ≠

훾 ∈ 픽푞 will represent an element of order (t). “The security of the Diffie-Hellman key exchange for the group generated by 훾 depends on the intractability of the Diffie-Hellman mapping DH defined by 퐷퐻(훾푥 , 훾푦) = 훾푥푦 , 0 ≼ 푥, 푦 ≼ 푡 − 1. For breaking the Diffie-

Hellman cryptosystem, it would be sufficient to have a low-degree polynomial that coincides with the mapping DH on a large subset of {0, 1, … , 푡 − 1}2" [6]. Well, there are several types of subnets where polynomials do not currently exist. Due to this equation

2 2 2 (훾2푥푦 = 훾(푥+푦) 훾−푥 훾−푦 ) and square roots in finite fields can be calculated in a much

2 more efficient way, univariate mapping (푑ℎ(훾푥) = 훾푥 , 0 ≼ 푥 ≼ 푡 − 1) will be considered instead of bivariate mapping DH. “The Diffie-Hellman key exchange depends also on the hardness of the discrete logarithm (ind) defined by 푖푛푑(훾푥) = 푥, 0 ≼ 푥 ≼

푡 − 1 “ [6]. Kiltz and Winterhof considered “mappings of the forms (푃 − 푑ℎ(훾푥) =

푃(푥) 훾 , 0 ≼ 푥 ≼ 푡 − 1) for a nonlinear polynomial 푃(푋) ∈ ℤ푡[푋] of small degree, with respect to t, say, 2 ≼ deg (푃) ≼ log (푡)” [6]. Kiltz came up with P-Diffie-Hellman (dh) function, a toolbox of cryptographic functions, that contains mappings. The purpose of P-

125

Diffie-Hellman was to prove that by performing computations on P-dh is equivalent to performing computations on dh. Kiltz showed that Diffie-Hellman problem can be solved by a low-degree polynomial of P-dh. In P-Diffie-Hellman, whenever q = p is considered to be a prime, the equation (푄 − 푖푛푑(훾푥) = 푄(푥), 0 ≼ 푥 ≼ 푡 − 1 will be considered for a non-constant polynomial (푄(푋) ∈ 픽푝[푋]) assuming that deg(푄) is small and is inferenced as 1 ≼ deg (푄) ≼ log (푝).

In the Preliminaries section, it will be shown that dh can be evaluated with an algorithm that uses 푂(log2(푡) log2(푞)) bit operations. The evaluation of deg(푃) − 1 in

P-dh will be shown in reduction algorithm section when it comes to utilizing it in Diffie-

Hellman problem, which an improved result will be shown versus to performing it using the original Diffie-Hellman algorithm. In the Interpolation section, the proof of the lower bounds on the degree and the sparsity of interpolation polynomials when dealing in P-dh will also be shown. “The sparsity spr(f) (or weight) of a polynomial 푓(푋) ) ∈ 픽푞[푋] is the number of its non-zero coefficients” [6]. Then, the reduction and interpolation results will be shown for mapping Q-ind. Lastly, methods such as the Fast Generator and

Malicious Diffie-Hellman will be unrevealed to show how powerful the encryption algorithm really is.

2.5.1 – Preliminaries

The following lemmas will show Newton’s interpolation formula being utilized in the theorem, which is very crucial for implementing reduction algorithms and showing proofs of the interpolation results.

“Lemma 1. Let 𝔻 be a commutative ring with identity 1. Let 𝔹 ≽ 0 be an integer and

126

푃(푋) ∈ 𝔻[푋] a polynomial of degree 퐷 ≽ 퐵 with leading coefficient 푎퐷. Then we have

퐷−퐵 퐷 − 퐵 푎퐷퐷! ∑ ( ) (−1)퐷−퐵−푑푃(푋 + 푑) = 푋퐵 + 푇 (푋), 푑 퐵! 퐵−1 푑=0 where 푇퐵−1(푋) is a polynomial of degree at most 퐵 − 1 with the convention that the degree of the zero polynomial is -1.

Proof. Fix 𝔹 ≽ 0. For 퐷 = 퐵, the result is trivial. For 퐷 ≽ 퐵 + 1 with the convention

퐷 − 1 − 퐵 ( ) = 0, we have −1

퐷−퐵 퐷 − 퐵 푆 ≔ ∑ ( ) (−1)퐷−퐵−푑푃(푋 + 푑) 푑 푑=0

퐷−퐵 퐷 − 1 − 퐵 퐷 − 1 − 퐵 = ∑ (( ) + ( )) (−1)퐷−퐵−푑푃(푋 + 푑) 푑 푑 − 1 푑=0

퐷−1−퐵 퐷 − 1 − 퐵 = ∑ ( ) (−1)퐷−1−퐵−푑(푃(푋 + 1 + 푑) − 푃(푋 + 푑)) 푑 푑=0

퐷−1−퐵 퐷 − 1 − 퐵 = ∑ ( ) (−1)퐷−1−퐵−푑푄(푋 + 푑), 푑 푑=0 where 푄(푋) ≔ 푃(푋 + 1) − 푃(푋) has degree 퐷 − 1 and leading coefficient 푎퐷퐷. By

푎 퐷(퐷−1)! induction, we get 푆 = 퐷 푋퐵 + 푇 (푋), where 푇 (푋) is a polynomial of degree 퐵! 퐵−1 퐵−1 at most 퐵 − 1” [6]. More results regarding different scenario in Lemma 1 will be provable whenever 𝔻 = 핂 is a field of positive characteristic.

“Lemma 2. Let 핂 be a field of characteristic 푝 > 0 and 푃(푋) ∈ 핂[푋] a polynomial of degree 퐷 < 푝. Let 0 ≼ 퐵 ≼ 퐷 be an integer, 퐼 = {푎0, 푎1, … , 푎퐷−퐵}, a set of pairwise distinct elements from 핂 of cardinality |퐼| = 퐷 − 퐵 + 1 and 푏 ∈ 핂. Then, there are

퐷−퐵 퐵 coefficients 푐푖 ∈ 핂, 0 ≼ 푖 ≼ 퐷 − 퐵 with ∑푖=0 푐푖푃(푋 + 푎푖) = 푏푋 + 푇퐵−1(푋), where

127

푇퐵−1 ∈ 핂[푋] is a polynomial of degree 퐵 − 1.

퐷 푛 Proof. Put 푃(푋) ≔ ∑ 푛=0 푤푛푋 with 푤퐷 ≠ 0. For any 푎푖 ∈ 퐼, it obviously holds true that

퐷 푛 푛 푃(푋 + 푎 ) = ∑ 푤 ∑ ( ) 푎푛−푘푋푘 . 푖 푛 푘 푖 푛=0 푘=0

Thus, for any 푐0, 푐1, …, 푐퐷−퐵 ∈ 핂, we have

퐷−퐵 퐷 퐷−퐵 퐷 푛 ∑ 푐 푃(푋 + 푎 ) = ∑ 푑 푋푘 , 푤ℎ푒푟푒 푑 ≔ ∑ 푐 ∑ 푤 ( ) 푎푛−푘 , 0 ≼ 푘 ≼ 퐷 − 퐵. 푖 푖 푘 푘 푖 푛 푘 푖 푖=0 푘=0 푖=0 푛=푘

푡 Now, it is shown the existence of a vector 푐 ≔ (푐0, 푐1, … , 푐퐷−퐵) such that 푑푘 = 0 for

퐵 + 1 ≼ 푘 ≼ 퐷 and 푑퐵 = 푏. By writing it in matrix form, it obtains 퐸 ∙ 푐 =

푡 (0,0, … ,0, 푏) ,. where 퐸 = (퐸푘,푖) with entries

퐷 푛 퐸 = ∑ 푤 ( ) 푎푛−푘 ,퐵≼푘≼퐷,0≼푖≼퐷−퐵. 푘,푖 푛 푘 푖 푛=푘

Note that since 퐷 < 푝, all occurring binomial coefficients are non-zero in 핂. Therefore, after some simple algebraic transformations the set of linear equations is equivalent to

푡 ′ 푏 퐸 ∙= (0, … ,0, 퐷 ) , where 퐸′ is the Vandermonde Matrix of 퐼 = {푎0, 푎1, … , 푎퐷−퐵}. 푤 ( ) 퐷 퐵

Since

′ det(퐸 ) = ∏ (푎푖 − 푎푗) ≠ 0 푎푖,푎푗 ∈퐼 푖>푗 where the equation (퐸 ∙ 푐 = (0,0, … ,0, 푏)푡 has a solution of c” [6].

Lemma 3 will show the relationship between the number of zeros and the sparsity of a polynomial in a finite field.

“Lemma 3. Let 훾 ∈ 픽푞 be an element of order t and 푓(푥) ∈ 픽푞[푋], a non-zero

128 polynomial of degree at most 푡 − 1 with at least b zeros of the form 훾푥 with 0 ≼ 푥 ≼ 푡 −

푡 1. Then for the sparsity of 푓(푋), we have 푠푝푟(푓) ≽ . 푡−푏

Proof. Put 푤 = 푠푝푟(푓), let 푁 ≼ 푡 − 푏 be the number of 0 ≼ 푥 ≼ 푡 − 1 with 푓(훾푥 ) ≠ 0 and 푇, the number of pairs (푦, 푖), 0≼푦≼푡−1,0≼푖 ≼ 푤 − 1 with 푓(훾푦+푖) ≠ 0. Since

훾푥 = 훾푥+푡 , we have 푇 = 푤푁. Using properties of Vandermonde matrices, we can verify that for every 0 ≼ 푦 ≼ 푡 − 1, there exists an 0 ≼ 푖 ≼ 푤 − 1 with 푓(훾푦+푖 ) ≠ 0 and thus,

푤(푡 − 푏) ≽ 푤푁 = 푇 ≽ 푡” [6].

2.5.2 – Reduction Algorithm

When going over the theorems that applies to reduction algorithm, cases when the order (t) of (훾) is considered to be a prime will be kept in the rule of the theorems. The interpolation polynomials of P-dh will be analyzed to show that a polynomial of 푓(푋) will coincide with P-Diffie-Hellman on fixed and known points (휁) that will be used to perform efficient computations of Diffie-Hellman.

“Theorem 1. Let 0 ≠ 훾 ∈ 픽푞 be an element of prime order t, 푃(푋) ∈ ℤ푡[푋], a

푥 polynomial of degree 퐷 with 2 ≼ 퐷 ≼ 푡 − 1, and 푓(푋) ∈ 픽푞[푋] such that 푓(훾 ) =

훾푃(푥), 푥 ∈ 푆, for a set 푆 ⊆ {푁 + 1, … , 푁 + 퐻} of cardinality |푆| = 퐻 − 푠 with 1 ≼ 퐻 ≼

푡. Then, there exist a subset 푅 ⊆ 푆 of cardinality |푅| ≽ 퐻 − 퐷 + 2 − (퐷 − 1)푠 and a deterministic algorithm 𝒜 that computes 𝒜(훾푥) = 훾푥2, for all 푥 ∈ 푅, with

푂(퐷푙표푔(푡) max(퐷, log2(푞))) bit operations and 퐷 − 1 evaluations of 푓(푋).

Proof. Let R be the set of 푥 ∈ {푁 + 1, … , 푁 + 퐻} for which 푥 + 푖 ∈ 푆 for 0 ≼ 푖 ≼ 퐷 − 2.

Then obviously |푅| ≽ 퐻 − 퐷 + 2 − (퐷 − 1)푠. Let 훾푥 be given for fixed 푥 ∈ 푅. The

129 algorithm 𝒜 proceeds as follows. We evaluate 푓(푋) in 훾푥+푑 , 0 ≼ 푑 ≼ 퐷 − 2, and put

푥+푑 푃(푥+푑) 휂푑 = 푓(훾 ) = 훾 , 0 ≼ 푑 ≼ 퐷 − 2. Then, we get by Lemma 1 with 퐵 = 2

퐷−2 퐷−2 퐷−푑 퐷−2 ( )(−1) ∑퐷−2 ( )(−1)퐷−푑푃(푥+푑) 2 푑 푑=0 푑 푒푥 +푐1푥+푐0 휁 ≔ ∏ 휂푑 = 훾 = 훾 푑=0

푎 ! with some constants 푐 and 푐 and 푒 ≔ 퐷 . This needs 푂(퐷2 ) additions in ℤ for 1 0 2 푡 determining recursively all binomial coefficients modulo t, 푂(퐷) powers, inversions, and

2 multiplications in 픽푞, i.e.,푂(퐷 log(푡) max(퐷, log (푞))) bit operations. Next, we

2 eliminate the term by computing 휁 ≔ 휁 ∙ (훾푥) −퐶1훾 −퐶0 = 훾 푒푥 . Finally, we determine the

2 −1 unique root of 푋푒 − 휁 , i.e., 훾푥 = 휁푒 , where 푒−1 denotes the inverse of 푒 modulo 푡, in

푂(log(푡) log2(푞)) bit operations” [6].

2.5.3 – Interpolation

The order (t) of (훾) is considered to be a prime (similar to Reduction Algorithm section) will be used to prove lower bounds on degree and sparsity of interpolation polynomial when mapping P-Diffie-Hellman, where it will be demonstrated in the theorems.

“Theorem 2. Let 0 ≠ 훾 ∈ 픽푞 be an element of prime order t, 푃(푋) ∈ ℤ푡[푋], a polynomial of degree 퐷 with 2 ≼ 퐷 ≼ 푡 − 1, and leading coefficient 푎퐷, and 푓(푋) ∈

푥 푃(푥) 픽푞[푋] such that 푓(훾 ) = 훾 , 푥 ∈ 푆, for a set 푆 ⊆ {푁 + 1, … , 푁 + 퐻} of cardinality

|푆| = 퐻 − 푠 with 1 ≼ 퐻 ≼ 푡. Then, we have

퐻 − (퐷 + 1)(푠 + 1) + 1 퐻 − 퐷(푠 + 1) + 1 − 푟 deg(푓) ≽ max ( , ), 2퐷−1 2퐷−2

130 where r denotes the last residue of 푎퐷퐷! modulo 푡. For the sparsity of 푓(푋), we have

푠푝푟(푓)

푡 21−퐷 푡 22−퐷 ≽ max (( ) ,( ) ). 2(푡 − 퐻 + (퐷 + 1)(푠 + 1) − 1) 2(푡 − 퐻 + 퐷(푠 + 1) − 1)

Proof. We construct a set R of high cardinality and a non-zero polynomial 퐹(푋) having

(by construction) at least |푅| zeros. Since 퐹(푋) is non-zero and we are working in a finite

푡 field, we can derive that deg (퐹) ≽ |푅| and 푠푝푟(퐹) ≽ . Furthermore, we show that 푡−|푅| deg(퐹) and deg(푓) and 푠푝푟(퐹) and 푠푝푟(푓), respectively, are related, i.e., that a lower bound on deg(퐹) implies a lower bound on deg(푓) and a lower bound on 푠푝푟(퐹) implies a lower bound on 푠푝푟(푓). We describe two slightly different constructions which yield results that complement each other.

Construction of 푅1: Let 푅1 be the set of 푥 ∈{푁+1,…,푁+퐻} for which 푥 + 푖 ∈ 푆 for

0 ≼ 푖 ≼ 퐷. We see that |푅1| ≽ 퐻 − 퐷 − (퐷 + 1)푠. By Lemma 1 with 퐵 = 0, we have

퐷 퐷 퐷 ( )(−1)퐷−푑 ∑퐷 ( )(−1)퐷−푑푃(푥+푑) 푥+푑 푑=0 푎퐷퐷! ∏ 푓(훾 ) 푑 = 훾 푑 = 훾 , 푥 ∈ 푅1. 푑=0

Construction of 퐹1(푋): The polynomial

퐷 퐷 퐷 퐷 () () 푑 푎퐷퐷! 푑 퐹1(푋) = ∏ 푓(훾 푋) 푑 − 훾 ∏ 푓(훾 푋) 푑 푑=0 푑=0 퐷−푑 푒푣푒푛 퐷−푑 표푑푑

푥 has at least |푅1| zeros, namely 훾 with 푥 ∈ 푅1. Analogously to Lemma 1, we get

퐷 퐷 퐷 퐷 ∑ 푑 ( ) = ∑ 푑 ( ) 푑 푑 푑=0 푑=0 퐷−푑 푒푣푒푛 퐷−푑 표푑푑 and the leading coefficient of 퐹1(푋) is not zero. 퐹1(푋) is not identical to zero and this deg (퐹1) ≽ |푅1|. Now we have

131

퐷 퐷 퐷 1 퐷 deg(퐹 ) = ∑ ( ) deg(푓) = ∑ ( ) deg(푓) = 2퐷−1 deg(푓) 1 푑 2 푑 푑=0 푑=0 퐷−푑 표푑푑

|푅 | and thus deg(푓) ≽ 1 . Note that 푠푝푟(푔 + ℎ) ≼ 푠푝푟(푔) + 푠푝푟(ℎ) and 푠푝푟(푔ℎ) ≼ 2퐷−1

2퐷−1 푠푝푟(푔)푠푝푟(ℎ). Hence, 푠푝푟(퐹1) ≼ 2푠푝푟(푓) . On the other hand, Lemma 3 yields

푡 푠푝푟(퐹1) ≽ . 푡−|푅1|

Construction of 푅2: Now let 푅2 be the set of 푥 ∈ {푁 + 1, … , 푁 + 퐻}, for which 푥 + 푖 ∈ 푆 for 0 ≼ 푖 ≼ 퐷 − 1. We see that |푅2| ≽ 퐻 − 퐷 + 1 − 퐷푠. By Lemma 1 with 퐵 = 1, we have

퐷−1 퐷−1 퐷−1 ( )(−1)퐷−1−푑 ∑퐷−1( )(−1)퐷−1−푑푃(푥+푑) 푥+푑 푑=0 푎퐷퐷!푥+푏 ∏ 푓(훾 ) 푑 = 훾 푑 = 훾 , 푥 ∈ 푅2 푑=0 for some integer b.

Construction of 퐹2(푋): The polynomial

퐷−1 퐷−1 퐷−1 퐷−1 푑 () 푏 푟 푑 () 퐹2(푋) = ∏ 푓(훾 푋) 푑 − 훾 푋 ∏ 푓(훾 푋) 푑 푑=0 푑=0 퐷−1−푑 푒푣푒푛 퐷−1−푑 표푑푑

푥 is a non-zero and it has at least |푅2| zeros, namely 훾 with 푥 ∈ 푅2. We have deg(퐹2) =

|푅 |−푟 퐷−2 2퐷−2 deg(푓) + 푟 and thus deg(푓) ≽ 2 . Moreover, we have 푠푝푟(퐹 ) ≼ 2푠푝푟(푓)2 2퐷−2 2

푡 and 푠푝푟(퐹2) ≽ , from which the lower bound on 푠푝푟(푓) follows” [6]. 푡−|푅2|

2.5.4 – Fast Generator

퐺 =< 푔 > can be utilized as the cyclic group of prime order (p), while 푓 ∈ 퐺 can be any element with the exception of the identity. 푓 (Fast Generator) would be a

132 generator of G. For the most parts, 푓 is chosen due to the computation of 푓푥 being efficient. By taking a look on ℎ ∈ 퐺, an algorithm DHh, which the output is dependent on base h, will solve the Diffie-Hellman problem for base h if for every 푥, 푦 ∈

푥 푦 푥푦 −1 {1, . . , 푝 − 1}, 퐷퐻ℎ(ℎ , ℎ ) = ℎ . “Henceforth, for a number 푟 ∈ {1, … , 푝 − 1}, 푟 mod

푝 denotes the element s of {1, … , 푝 − 1} such that 푠푟 = 1(푚표푑 푝)” [7]. The following theorem will show the standard of proof for scenario process when it comes to using fast generator in a Diffie-Hellman problem.

“Theorem 1. Assume that for some 푓 ∈ 퐺 \ {1}, there exists an algorithm 퐷퐻푓 to solve the Diffie-Hellman problem for base f, in running time 푇(푓). Then for each 푔 ∈ 퐺 \ {1}, there is an algorithm 퐷퐻푔, which solves the Diffie-Hellman problem for base g in running time 푂(푇(푓) ∙ log 푝).

Proof. Given g, there exists a unique 푟 ∈ {1, … , 푝 − 1} such that 푔 = 푓푟 .

푟 푟−1 푚표푑 푝 Lemma 2. Given 푓 , we can compute 푓 using at most 2 log 푝 queries to 퐷퐻푓.

Proof. By Fermat’s Little Theorem, 푟푝−1 = 1(푚표푑 푝), and therefore 푟푝−2 =

−1 −1 푟푝−2 푟 (푚표푑 푝). We can compute 푓푟 = 푓 using 퐷퐻푓 in a square-and-multiply

푛 manner: Write 푝 − 2 in base 2 as 푏0 + 푏1 ∙ + ⋯ + 푏푛 ∙ 2 , 푏푛 ≠ 0 (then 푛 ≼ log2 푝). Let

푟 푓0 = 푓 . For each 푖 = 1,2, … , 푛, compute ℎ푖 = 퐷퐻푓(푓푖−1, 푓푖−1), and let 푓푖 = ℎ푖 if 푏푛−푖 =

푟푝−2 푥 1, and 푓푖 = 퐷퐻푓(ℎ푖, 푓0) otherwise. Then 푓푛 = 푓 ” [7]. Let say that we have 푔 and

−1 푔푦, but we want to find 푔푥푦. Remember that 푔 = 푓푟. In order to find 푔푥푦 , 푓푟 will need to be compute and then the following formula will need to be used to find 푔푥푦:

푟−1 푦 푟−1 푟푦 푟−1푟푦 푦 푥 푦 푟푥 푦 퐷퐻푓(푓 , 푔 ) = 퐷퐻푓(푓 , 푓 ) = 푓 = 푓 and 퐷퐻푓(푔 , 푓 ) = 퐷퐻푓(푓 , 푓 ) =

푓푟푥푦 = 푔푥푦 .

133

“Remark 3 (Amplification). Theorem 1 generalizes to various other settings. For example, assume that 퐷퐻푓 only solves the Diffie-Hellman problem with probability (휀),

푥 푦 푥푦 푥 푦 푧 i.e., for each 푧 ≠ 푥푦 (푚표푑 푝), Pr[퐷퐻푓(푓 , 푓 ) = 푓 ] ≽ Pr[퐷퐻푓(푓 , 푓 ) = 푓 ] + 휀.

Then 퐷퐻푓 can be transformed to an algorithm which succeeds in probability arbitrarily close to 1: Choose random 푟, 푠 ∈ {1, … , 푝 − 1}, compute 푓푥푟 = (푓푥)푟, 푓푦푠 = (푓푠)푦, and

푥푟 푦푠 푥푟푦푠 푥푦푟푠 ℎ = 퐷퐻푓(푓 , 푓 ). If the output h was correct, then ℎ = 푓 = 푓 . Let 푡 =

(푟푠)−1(푚표푑 푝). Then, in the case of correct output ℎ, ℎ푡 = 푓푥푦 . We can repeat this

1 푂 ( ) times to get 푓푥푦 as the most frequent value almost certainly. Having the algorithm 휀2 transformed to one which succeeds in probability very close to 1, the arguments in the proof of Theorem 1 apply. The algorithm 퐷퐿ℎ is capable of solving the Discrete

푥 Logarithm Problem for base h if, for each 푥 ∈ {1, … , 푝 − 1}, 퐷퐿ℎ(ℎ ) = 푥.

Theorem 4. Assume that 푓 ∈ 퐺 \ {1}, and there exists an algorithm 퐷퐿푓 to solve the

Discrete Logarithm Problem (DLP) for base 푓, in running time 푇(푓). Then for each 푔 ∈

퐺 \ {1}, there is an algorithm 퐷퐿푔, which solves the DLP for base g in running time

푂(푇(푓)).

푥 Proof. Given 푔 , find x using the following sequence of computations: 푟 = 퐷퐿푓(푔),

푟푥 푥 −1 푟푥 = 퐷퐿푓(푓 ) = 퐷퐿푓(푔 ), 푠 = 푟 푚표푑 푝 푎푛푑 푥 = 푠푟푥” [7]. The algorithm 퐷퐷퐻ℎ role is to solve the Diffie-Hellman Problem (DDH) for base h if for every 푥, 푦, 푧 ∈

푥 푦 푧 {1, … , 푝 − 1}, 퐷퐷퐻ℎ(ℎ , ℎ , ℎ ) = 1 if and only if 푧 = 푥푦.

2.5.5 – Malicious Standards

Menezes has shown that by utilizing certain discrete logarithm bases signatures

134 schemes can be vulnerable to outside attacks compared to random generator, which he states that it is much more secure. To put this into play, Boaz Tsaban came up with a random generator version of Diffie-Hellman, called Malicious Diffie-Hellman (MDH), which has the following functions: “(1) There exist 푓 ∈ 퐺 {1}, a function 퐹, and an

푥 푦 푥푦 efficient algorithm 퐷퐻푓 such that for each 푥, 푦 ∈ {1, … , 푝 − 1}, 퐷퐻푓(푓 , 푓 ) = 퐹(푓 ).

(2) For a random 푔 ∈ 퐺 {1}, 퐹(푔푥푦) cannot be efficiently extracted from 푔푥 and 푔푦. (3)

For random 푥, 푦, 퐹(푓푥푦) has enough entropy to generate a key for symmetric encryption

(e.g., 80 bits)” [7]. “If MDH holds, then 퐷퐻푓 reveals some information on the agreed key obtained by the Diffie-Hellman protocol using 푓 as a generator” [7]. In this scenario, the function 퐹 can be utilized as the hash function that is used by two parties (such as Alice and Bob) to derive from 푓푎푏 key for symmetric encryption. “However, in general, it is

푎푏 not clear how to use 퐷퐻푓 to reveal the same information 푔 for a random generator 푔”

푟 푎푏 [7]. If a random (푟 ∈ {1, … , 푝 − 1} and 푔 = 푓 , buy utilizing 퐷퐻푓 to find 푔 , it will

푎 푏 푟푎 푟푏 푟2푎푏 푟푎푏 result in 퐷퐻푓(푔 , 푔 ) = 퐷퐻푓(푓 , 푓 ) = 퐹(푓 ) = 퐹(푔 ), which the result would be useless since 푟푎푏 is a random element of {1, … , 푝 − 1} and is independent of ab. By making assumptions of MDH holds, the authority of standards can choose a random trapdoor 푡 ∈ {1, … , 푝 − 1} that are uniform. From there, 푔 = 푓푡 will be computed and

퐺, 푝, 푔 will be suggested as the standard parameters for Diffie-Hellman key agreement protocol. “As t was uniformly random, g is a uniformly random generator of G, so there is no way to know that it was chosen in a malicious way” [7]. By assuming that Alice send Bob 푔푎 and Bob send Alice 푔푏, tracing information on the agreed key is impossible for anyone except for the authority of standards. The following theorem will show how the authority of standards can compute 푔푎푏 .

135

“Claim 9. For all 푎, 푏 ∈ {1, … , 푝 − 1}, the authority of standards can compute 퐹(푔푎푏) efficiently.

−1 Proof. Using the trapdoor t, compute 푡−1 mod 푝, and (푔푏)푡 , which is the same as

푡푏푡−1 푏 푟푎푏 푟푎 푏 푟푎푏 푎푏 푓 = 푓 . Now, compute 퐹(푓 ) = 퐷퐻푓(푓 , 푓 ), which 푓 = 푔 ” [7].

By looking at the claim, it shows that the authority of standards can decrypt the messages sent by two parties, which would make the communication channel not private.

2.5.6 – Chebyshev Chaotic Map

Kocarev and Tasev came up with an idea of a public key encryption scheme using

Chebyshev chaotic maps that utilizes the semi-group property of Chebyshev chaotic map.

Bergamo mentioned that the public key encryption scheme utilizing Chebyshev chaotic maps are not considered to be secure due to the periodicity of cosine function that can cause the plaintext to be recoverable from a given ciphertext by the attacker without the use of private key. Bose also “proposed a methodology to use multiple chaotic systems and a set of linear functions for key exchange over an insecure channel; however, Wang pointed out the fundamental weakness of the Bose’s cryptosystem and then proved a successful attack” [9] due to the fact that it was implemented inefficiently. Xiao proposed a key agreement protocol using chaotic maps that would utilize the semi-group property of Chebyshev chaotic map, which Han was able to successfully perform two attacks on

Xiao’s key agreement protocol. Then, Chang and Han came up with a new key agreement using passphrase with the integration of the clock synchronization environment, which from there, they came up with a chaotic map based key agreement that had the option to either include or exclude the clock synchronization environment as an improvement from

136 their first attempt in establishing a key agreement utilizing the passphrase.

Wang-Zhao discovered some disadvantages of utilizing key agreement protocols that are listed as follows: “

1. Some protocols are vulnerable to Bergamo’s proposed attack because the

periodicity of the cosine function of the Chebyshev chaotic map makes public

encryption.

2. Some protocols cannot resist man-in-the-middle attack or replay attack.

3. Some protocols did not provide mutual authentical of both communication sides.

4. Clock synchronization is difficult in some cases.

5. Sharing secret key between every two parties makes it difficult to distribute keys

in a big network” [9].

Since Wang-Zhao discovered the disadvantages for utilizing the key agreement protocols that was already in place, he proceeded in implementing an improved key agreement protocol that utilizes Chebyshev chaotic map that would provide the capability to overcome the limitations that were faced by the previous key agreement protocols while providing the highest level of security. However, there were several disadvantage of

Wang-Zhao’s key agreement protocols, which were: “

1. The protocol still requires timestamp information to check the freshness of the

received message by the receiver.

2. The protocol has some redundant computations (e.g., symmetric encryptions and

decryptions) for authentication and key agreement.

3. The protocol can be vulnerable to illegal message modification attack due to the

unbalanced authentication and key confirmation” [9].

137

To overcome the issues that were faced in Wang-Zhao’s key agreement protocol, an efficient and secure Diffie-Hellman key agreement protocol will be utilized that uses the

Chebyshev chaotic map, utilizing the semi-group property of Chebyshev polynomials as the process of establishing a Diffie-Hellman session key when attempting to establish a secure communication channel. The Diffie-Hellman key agreement protocol does not require any information based on timestamp and reducing computational costs for two parties.

The following definitions will describe the general rule when dealing with the

Chebyshev chaotic map that utilizes semi-group property to perform computations in establishing a secure communication channel.

“Definition 1 (Chebyshev polynomials). Let 푛 be an integer and let 푥 be a variable taking values over the interval [-1, 1]. Chebyshev polynomial maps 푇푛: 푅 → 푅 of degree 푛 is defined using the following recurrent relation: 푇푛(푥) = 2푥푇푛−1(푥) − 푇푛−2(푥), where

푛 ≽ 2, 푇0(푥) = 1 and 푇1(푥) = 푥. The first few Chebyshev polynomials are 푇2(푥) =

2 3 4 2 2푥 − 1, 푇3(푥) = 4푥 − 3푥 and 푇4(푥) = 8푥 − 8푥 + 1. The interval [−1,1] is invariant under the action of the map 푇푛 ∶ 푇푛([−1, 1]) → [−1,1]. Therefore, the

Chebyshev polynomial restricted to the interval [−1,1] is a well-known chaotic map for all 푛 > 1. It has a unique continuous invariant measure with positive Lyapunov exponent ln 푛. For 푛 = 2, the Chebyshev map reduced to the well-known logistic map.

Definition 2. Let 푛 be an integer and let 푥 be a variable taking values over the interval

[−1,1]. The polynomial 푇푛(푥): [−1,1] → [−1,1] is defined as 푇푛(푥) = cos(푛 푎푟푐푐표푠(푥)).

Definition 3 (Semi-group property). The semi-group property, a very important

138 properties of Chebyshev polynomials, establish that 푇푟(푇푠(푥)) = 푇푟푠(푥). An immediate consequence of this property is that Chebyshev polynomials commute under composition

푇푟(푇푠(푥)) = 푇푠(푇푟(푥)).

Definition 4 (Enhanced Chebyshev Polynomials). In order to enhance the property of the

Chebyshev chaotic map, Zhang proved that the semi-group property holds for Chebyshev polynomials defined on interval (−∞, +∞). The enhanced Chebyshev polynomials utilizes that 푇푛(푥) = 2푥푇푛−1(푥) − 푇푛−2(푥)(푚표푑 푁) when 푛 ≽ 2, 푥 ∈ (−∞, +∞), and 푁 is a large prime number. 푇푟푠(푥) = 푇푟(푇푠(푥)) = 푇푠(푇푟(푥)) will cause the semi-group property to hold and the enhanced Chebyshev polynomials commute under composition”

[9].

2.5.7 – The Process of Wang-Zhao’s Key Agreement Protocol

The following notations will be defined for the explanation of the whole process for Wang-Zhao’s key agreement protocol, which are: “

• 퐴, 퐵: Identifiers of Alice and Bob.

• 푇퐴, 푇퐵: Shared secret key between Alice and Bob with Trent.

• 푇퐵: Timestamp chosen by Bob.

• 퐸푟(∙): Encryption algorithm of the secret key 푇.

• ℎ푘(∙): Collision restistant secure one-way chaotic hash function.

• 푟, 푠 : Fresh chaotic random integers chosen by Alice and Bob” [9].

139

Figure 11 - Wang-Zhao’s Key Agreement Protocol

Figure 11 shows the whole process of Wang-Zhao’s key agreement protocol. Let make an assumption of Trent being a reliable third party in the network as KDC (key distribution center) for instance where Trent would generate and share a secret key to every participant. When participants receive a secret key from Trent, they are different from other participants. Once every participant has a secret key, then the protocol will perform the following steps: “

1. 퐴푙푖푐푒 → 퐵표푏 ∶ 퐴, 푥, 푁, 푇푟(푥)

a. Alice select a large integer 푟, a large prime number 푁 and a random

number 푥 ∈ (−∞, +∞) and then calculate 푇푟(푥). She concatenates 퐴, 푥, 푁

and 푇푟(푥) and sends them to bob, where 퐴 is her name.

140

2. 퐵표푏 → 푇푟푒푛푡 ∶ 퐵, 퐸푇퐵(퐴, 푥, 푁, 푇퐵, 푇푠(푥))

a. Bob generates a large integer 푠 and calculates 푇푠(푥). Then he concatenates

퐴, 푥, 푁, 푇푠(푥) and a timestamp 푇퐵 and encrypts with the key he shares with

Trent. He sends it to Trent along with his name B. Now, Bob could

calculate the shared session key 푘 = 푇푠(푇푟(푥)).

3. 푇푟푒푛푡 → 퐴푙푖푐푒 ∶ 퐸푇퐴(퐵, 푥, 푁, 푇퐵, 푇푠(푥)), 퐸푇퐵(퐴, 푇퐵)

a. Trent creates two messages. The first is Bob’s name 퐵, 푥, 푁, 푇퐵 and 푇푠(푥),

all encrypted with the key he shared with Alice. The second is Alice’s

name 퐴 and 푇퐵, all encrypted with the key he shared with Bob. Trent

sends both messages to Alice.

4. 퐴푙푖푐푒 → 퐵표푏 ∶ 퐸푇퐵(퐴, 푇퐵), 퐸푘(푇퐵, 푇푠(푥))

a. Alice decrypts the message encrypted with her key and checks whether 푥

and 푁 have the same values as they did in the first step. If not, Alice stops

here; otherwise, Alice calculates the shared session key 푘 = 푇푟(푇푠(푥))

and sends Bob two messages. The first is the message received from

Trent, encrypted with Bob’s key. The second is 푇퐵 and 푇푠(푥), encrypted

with the session key 푘.

5. Bob decrypts the message encrypted with his key and checks whether 푇퐵 and

푇푠(푥) have the same values as they did in the second step. If not, Bob stops here;

otherwise, he could communicate with Alice with the session key 푘” [9].

By checking out the Wang-Zhao’s key agreement protocol, there were some disadvantages for utilizing it. The first disadvantage is that timestamp is required in this key agreement protocol to check the freshness of the received message by receiver Bob, 141 which is performed in step two through four where Bob checks the timestamp (푇퐵) to determine if it is valid. When Bob checks the timestamp, we relies on the timestamp that was generated by himself instead of utilizing the synchronized clocks although the timestamp is not secure in this key agreement protocol and requires large storage and resources since the system would be storing every timestamp and performing timestamp verification throughout the session. If the timestamp is invalid due to the expiration date and time set by the agreement protocol, Bob will stop communicating. “The preclusion of adversarial modification of local timeclocks is difficult to guarantee in many distributed environments; in this case, the security provided must be re-evaluated” [9]. Instead of utilizing this key agreement protocol to check the freshness of the received message, a random number could be used for the same purpose.

The second disadvantage is that throughout the key agreement protocol process, there are redundant computations performed such as three heavy symmetric key encryptions and decryption. For instance, “Trent has to compute and send 퐸푇퐵(퐴, 푇퐵) to

Bob through Alice in step three; Bob has to verify correctness of the received 퐸푇퐵(퐴, 푇퐵) for Trent authentication in step five. However, these symmetric encryption and decryption do not need because Bob can check the freshness of its generated timestamp

푇퐵 by using the received 퐸푘(푇퐵, 푇푠(푥)) from Alice in step five” [9]. Without the information of Alice’s secret key (푇퐴) and Bob’s secret key (푇퐵), it is impossible to perform decryption on the received message (퐸푇퐵(퐴, 푥, 푁, 푇퐵, 푇푠(푥))) from Bob and calculate the valid encryption message (퐸푇퐴(퐵, 푥, 푁, 푇퐵, 푇푠(푥))), which is performed in step three. According to the Wang-Zhao’s key agreement protocol process, due to the fact that Trent is considered to be a key distribution center, he is the only party that knows

142

Alice and Bob’s secret key in order to compute the encryption message and Trent will not need to compute 퐸푇퐵(퐴, 푇퐵) in step three while Bob won’t need to perform multiple verification of 푇퐵, which redundancy will be eliminated from this key agreement protocol since the timestamp 푇퐵 would be included in 퐸푇퐴(퐵, 푥, 푁, 푇퐵, 푇푠(푥)).

The third disadvantage is that Alice is unable to confirm Bob’s shared session key

(푘 = 푇푟푠(푥)) to ensure that it was computed correctly. In step two, Bob would compute the shared session key (푘 = 푇푠(푇푟(푥))), but once the computation is finished, Bob won’t send any output regarding the session key to Alice and would instead confirm that Alice made a correct computed shared session key (푘 = 푇푟푠(푥)) using the received

퐸푘(푇퐵, 푇푠(푥)) performed in step five. In order to maintain high security standards in authentication and key agreement systems, the two parties (Alice and Bob) must be able to perform a two-way confirmation of the session key implicitly or explicitly in order to prevent intrusion. For instance, “the attacker Eve interposes the communication between

Alice, Trent and Bob. Then, Eve can perform the illegal modification attack as follows:

1. Eve intercepts the message 퐴, 푥, 푁, 푇푟(푥) sent by Alice in step one.

2. Eve selects a random number 푒 ∈ (−∞, +∞) and then calculate 푇푒(푥).

3. Eve replaces the intercepted message 퐴, 푥, 푁, 푇푟(푥) with 퐴, 푥, 푁, 푇푒(푥).

4. Eve sends the modified message 퐴, 푥, 푁, 푇푒(푥) to Bob” [9].

When Bob receives the modified message (퐴, 푥, 푁, 푇푒(푥)), Bob will then calculate the

∗ shared session key (푘 = 푇푠(푇푒(푥)). From there, Bob will send the output

(퐵, 퐸푇퐵(퐴, 푥, 푁, 푇퐵, 푇푠(푥))) to Trent as well as his name (B) where two messages will be created by Trent. The first message created will be Bob’s name (퐵, 푥, 푁, 푇퐵 and 푇푠(푥))

143 that will be encrypted with the key that will be shared with Alice. The second messaged created will be Alice’s name (퐴 and 푇퐵) that will be encrypted with the key that will be shared with Bob. From there, Trent will send two messages to Alice where she will perform the decryption of the message that are encrypted with her key to check to see if x and N persist, which in the case that x and N are always in the message, Alice will perform the calculation on the shared session key (푘 = 푇푟(푇푠(푥))) and will send the output to Bob, which will contain the two messages 퐸푇퐵(퐴, 푇퐵) and 퐸푘(푇퐵, 푇푠(푥)). Bob will then perform decryption on the message by using his secret key (푇퐵) and will check to see if 푇퐵 holds, which in most cases it will hold, Bob will decrypt the received message

∗ (퐸푘(푇퐵, 푇푠(푥))) using his session key (푘 ) and will check to determine whether 푇퐵 and

푇푠(푥) has the same values as they did in step two. Due to the fact that this will return false, Bob will end the session and will assume that the session was unexpectedly ended due to Alice’s miscalculated session key (푘 = 푇푟(푇푠(푥))). Therefore, the session was

∗ ended due to the incorrect Bob’s session key (푘 = 푇푠(푇푒(푥))) as Eve modified 푇푟(푥) with 푇푒(푥), but unfortunately, Bob is unable to detect Eve’s modification, making Wang-

Zhao’s protocol insecure. In order to have a much more secure key agreement protocols, a message authentication code (MAC) is the way to go in securing one-way hash function to prevent attack by using the MAC algorithm to “provide explicit key confirmation between Alice and Bob” [9], which will be discussed in the next section.

144

2.5.8 – Improved Key Agreement Protocol

Figure 12 - Improved Key Agreement Protocol

Figure 12 shows the improved version of the key agreement protocol. Let make an assumption of Trent being a reliable third party in the network as KDC (key distribution center) for instance where Trent would generate and share a secret key to every participant. When participants receive a secret key from Trent, they are different from other participants. Once every participant has a secret key, then the protocol will perform the following steps: “

145

1. 퐴푙푖푐푒 → 푇푟푒푛푡 ∶ 퐴, 퐸푇퐴(퐴, 퐵, 푥, 푁, 푇푟(푥))

a. Alice select a large integer 푟, a large prime number 푁 and a random

number 푥 ∈ (−∞, +∞) and then calculate 푇푟(푥). She concatenates

퐴, 푥, 푁 and 푇푟(푥) and encrypts them with the key she shares with

Trent. She sends them to Trent, where 퐴 is her name.

2. 푇푟푒푛푡 → 퐵표푏 ∶ 퐸푇퐵(퐵, 퐴, 푥, 푁, 푇푟(푥))

a. Trent decrypts the message encrypted with the key he shared with

Alice and checks whether 퐴 is valid identity. If not, Trent stops here;

otherwise, Trent concatenates 퐵, 퐴, 푥, 푁 and 푇푟(푥) and encrypts them

with the key he shares with Bob. Trent sends the encrypted messages

to Bob, where 퐵 is his name.

3. 퐵표푏 → 퐴푙푖푐푒 ∶ 푇푠(푥), 푀퐴퐶퐵

a. Bob decrypts the message encrypted with his key and checks whether

퐵 is his identity. If not, Bob stops here; otherwise, Bob generates a

large integer 푠 and calculates 푇푠(푥), the shared session key 푘 =

푇푠(푇푟(푥)), and the message authentication code 푀퐴퐶퐵 =

ℎ푘(퐵, 퐴, 푇푟(푥)) for mutual authentication and session key

confirmation. Bob sends 푇푠(푥) and 푀퐴퐶퐵 to Alice.

4. 퐴푙푖푐푒 → 퐵표푏 ∶ 푀퐴퐶퐴

a. Alice calculates the shared session key 푘 = 푇푟(푇푠(푥)) and the same

′ message authentication code 푀퐴퐶퐵 = ℎ푘(퐵, 퐴, 푇푟(푥)). Alice checks

′ whether 푀퐴퐶퐵 is equal to 푀퐴퐶퐵. If not, Alice stops here; otherwise,

she believes that the corresponding party is real Bob and calculates the

146

message authentication code 푀퐴퐶퐴 = ℎ푘(퐴, 퐵, 푇푠(푥)) for mutual

authentication and session key confirmation. Alice sends 푀퐴퐶퐴 to

Bob.

′ 5. Bob calculates the same message authentication code 푀퐴퐶퐴 =

′ ℎ푘(퐴, 퐵, 푇푠(푥)) and then checks whether 푀퐴퐶퐴 is equal to 푀퐴퐶퐴. If not,

Alice stops here; otherwise, he believes that the corresponding party is real

Alice and could communicate with Bob with the session key 푘” [9].

From there, both Alice and Bob would use the shared session key (푘 = 푇푟(푇푠(푥)) to encrypt information exchanged throughout the session. There are couple points in the analysis that can show that this proposed key agreement protocol can effectively resist common attack and considered to be efficient and practical. The point in the analysis are:

“

1. Security resistant to Bergamo’s attack

a. Bergamo’s attack is based on two conditions. The first is the attackers

could obtain the related elements 푥, 푇푟(푥) and 푇푠(푥) and the second is

several Chebyshev polynomials passing through the same point due to

the periodicity of the cosine function. In step three of the proposed key

agreement protocol, although attackers could obtain 푇푠(푥) easily, they

cannot obtain 푇푟(푥) because it is encrypted in all the messages and

only the sender and the receiver know the decryption key. The

proposed protocol utilizes the enhanced Chebyshev polynomials, in

which the periodicity of the cosine function is avoided by extending

147

the interval of 푥 to (−∞, +∞). As a result, Bergamo’s method does

not work.

2. Secure mutual authentication and key agreement

a. The proposed protocol provides mutual authentication between Alice

and Bob so that no one can impersonate any of them. Trent is a

reliable third party, for example, Trent may be a KDC. In step two,

Alice is authenticated by Trent because they share the same secret key

푇퐴. In step 3, Bob trusts ‘Trent’ messages because they share the same

secret key 푇퐵. In step four, Alice authenticates Bob by checking the

message authentication code 푀퐴퐶퐵 = ℎ푘(퐵, 퐴, 푇푟(푥)) Bob sent to her.

In step five, Bob authenticates Alice by checking the message

authentication code 푀퐴퐶퐴 = ℎ푘(퐴, 퐵, 푇푠(푥)) Alice sent to him, where

both 푀퐴퐶퐴 and 푀퐴퐶퐵 are included by the shared common session key

푘 = 푇푟(푇푠(푥)) between Alice and Bob. Only if both Alice and Bob

have mutually authenticated each other, they could communicate with

the session key 푘 to protect further information exchanged in the

session. As a result, the proposed protocol provides secure mutual

authentication and key agreement.

3. Security resistant to replay attack

a. Replaying attack means that an adversary first intercepts some

communication data in the current key agreement protocol run and

then the adversary replay the intercepted data with the receiver in a

future key agreement protocol run. The replay attacks fail because the

148

freshness of the messages transmitted in the proposed protocol is

provided by the random nonces 푟 and 푠. Except for Alice (or Bob),

only Bob (or Alice) can embed the shared common session key 푘 =

푇푟(푇푠(푥)) and the random nonce in the message authentication code

푀퐴퐶퐵 = ℎ푘(퐵, 퐴, 푇푟(푥)) of step three (or 푀퐴퐶퐴 = ℎ푘(퐴, 퐵, 푇푠(푥)) of

step four. The proposed protocol does not require the timestamp

information to prevent replay attack. So, the timestamp usage problem

of Wang-Zhao’s protocol can easily be eliminated because the

proposed protocol does not require any timestamp information to

prevent replay attack unlike Wang-Zhao’s protocol and as a result,

eliminates the timestamp usage problem.

4. Security resistant to man-in-the-middle attack

a. A man-in-the-middle attack means that an attacker can intercept, relay,

substitute or modify the information communicated between the

sender and the receiver and try to derive some private information that

is significant to the communication parties. In the proposed protocol,

the attackers cannot forge a meaningful message because they do not

know the secret key (푇퐴 or 푇퐵) shared by the sender and the receiver.

In addition, both Alice and Bob could judge whether the received

message is replayed, substituted or modified by checking the

decrypted information. In step four, Alice checks 푀퐴퐶퐵 =

ℎ푘(퐵, 퐴, 푇푟(푥)). In step five, Bob checks 푀퐴퐶퐴 = ℎ푘(퐴, 퐵, 푇푠(푥)). As

a result, the proposed protocol prevents man-in-the-middle attack” [9].

149

2.5.9 – Performance Comparisons

Table 14 - Performance Comparison Between Wang-Zhao Protocol and Proposed

Protocol

Computations/Protocols Wang-Zhao’s Protocol Proposed Protocol

Symmetric Key Encryptions 1/2/1 1/1/0

Symmetric Key Decryptions 1/1/2 0/1/1

Chebyshev Polynomials 2/0/2 2/0/2

Hash Operations 0/0/0 2/0/2

Random Numbers 1/0/1 1/0/1

Timestamp Generations 0/0/1 0/0/0

Communication Rounds 5 5

Table 14 shows the comparison of the Wang-Zhao’s protocol and the proposed protocol. Note that x/y/z means the number of operations of Alice/Trent/Bob. Table 14 also shows the computation costs in the proposed protocol is low compared to the Wang-

Zhao’s protocol due to the requirement of having two symmetric key encryption and two symmetric key decrypting computation, which is a very neat feature to eliminated redundant computations. The proposed protocol provides the same security level without using Bob’s timestamp compared to the Wang-Zhao’s protocol encryption process.

2.6 – Merkle Signature Scheme

Merkle signature scheme is a hash-based digital signature scheme that contains

150 two components, which the first component is the one-time signature scheme (OTS) that would be used to sign messages and the second component is a hash tree for authenticating verification keys. Merkle Cryptoprocessor (MCP) was proposed by

Abdulhadi Shoufan, Nico Huber and H. Gregor Molter that would perform key generation, message signing and signature verification. MCP was implemented on

Xilinux Virtex 5 platform and was tested through their API system. Before Merkle signature scheme became an efficient hash-based signature, it first started as a Winternitz one-time signature scheme, which will be discussed in the next section.

2.6.1 – Winternitz One-Time Signature Scheme

Winternitz One-Time Signature Scheme (W-OTS) is an add-on to the Lamport-

Diffie Scheme, which serves as a purpose of signing messages bitwise that would result in short signature.

Figure 13 - Winterniz One-Time Signature Scheme Process

151

Figure 13 shows the process of the W-OTS. For example, if Alice were to sign an 8-bit message (푚 = 10110111) to Bob, Alice would first come up with a checksum (푐), which would come up to be 1110 in this example. Alice has to keep in mind that the checksum has to be signed as well in order to keep the message secure. From there, the message and the checksum will be divided into blocks of the width (represented as

Winternitz parameter 푤), which in this example, it would be w=4. By having three blocks

(referring to Figure 13) signed as the next step, three random numbers (푥0, 푥1 푥2) of length (푛) will then be generated, which will be deemed as the signature subkeys. All the generated signature sub-keys will form the signature key (푋푤), which must be kept secure from any outside attack as this is considered to be the private key. “A hash function is applied 15 times to each 푥푖 to determine the corresponding verification sub- key 푦푖 ” [10]. According to the interior of the block in Figure 13, 15 corresponds to the maximal represented by the bit vector of width (푤 = 4). All 푦푖 will be concatenated and hashed to generate a verification key (푌푊) where Alice will apply the hash function eleven times to 푥0, seven times to 푥1 and fourteen times to 푥2 in order to sign the message and the checksum, which the number of times that the hash function is applied to every variables correspond to the decimals that are represented by the message and the checksum blocks. From there, the digital signature (푆푊), consisting of three sub- signatures (푠0, 푠1 and 푠2) is sent to Bob, which the signature gets altered to 푠̃0, 푠̃1 푎푛푑 푠̃2 when Bob receives the message, verification key and the signature. From there, Bob will come up with the checksum and then divide the message and the checksum into three blocks (since it was initially defined by Alice in the beginning of the process). Bob will then proceed to apply the hash function four times to 푠̃0, eight times to 푠̃1 and one time to

152

푠̃2. By applying the hash function, it will result in the verification of the subkeys

푦̃0, 푦̃1 푎푛푑 푦̃2 where it would be concatenated and has function would be re-executed.

From there, Bob will compare the resulting key (푌̃푤) with the received verification key

(푌푊) and see if the signature is valid by being identical to each other.

Digital signature schemes are applied to the hash value instead to the message directly in order to have a much more efficient system, which the hash value would only be signed in a message. The functions of hashing the message, keys and signature in W-

′ OTS will be utilized in the scheme. “The message, the sub-keys (푥′푠 and 푦푖 푠), the sub-

′ 푊 signatures (푠푖 푠) and the verification key (푌 ) are all of same length 푛. The signature key

푋푊 and the entire signature 푆푊 have each the length 푣 × 푛, where 푣 refers to the number of blocks to be signed” [10]. In order to perform attack on the signature scheme, the attacker has to falsify the message or the signature (the way most attacker aims when attacking the encryption).

Figure 14 - W-OTS Key Generation Algorithm

153

In Figure 14, it shows the W-OTS algorithm that deals with the key generation.

The number of blocks that are to be signed depends on the message length (푛) and the

Winternitz parameter (푤). In Figure 14, it shows that 푣1 and 푣2 are the number of blocks needed to represent the message and the checksum.

Figure 15 - W-OTS Message Sign Algorithm

Figure 15 shows the W-OTS algorithm that deals with message sign. Algorithm 1 indicates the W-OTS key generation algorithm as shown in Figure 14. The W-OTS message sign algorithm deals with the process of signing an 푛-bit message (푚). The block numbers (푣1 and 푣2) that represent the message and the checksum will be determined where the message (푚) will be covered only if the length is not a multiple of

푤 and it is represented as 푤-bit blocks (푏0, … , 푏푣1−1). From there, the checksum (푐) will

154 be calculated and will represent as 푤-bit blocks (푏푣1, … , 푏푣−1). “For each 푏푖, the hash function is applied to 푥푖 as often as the integer value of 푏푖. The resulting hash values

(푠1, … , 푠푣) represent the sub-signatures” [10].

Figure 16 - W-OTS Signature Verification Algorithm

Figure 16 shows the W-OTS algorithm that deals with the signature verification.

Algorithm 2 indicates the W-OTS message sign algorithm as shown in Figure 15. Figure

16 shows the process of performing a signature (푆̃푊) verification of a message (푚), which is similar to the signing process.

2.6.2 – Merkle Signature Scheme

The Winternitz signature scheme security relies on the signature key (푋푊) used to sign one message and the verification key (푌푊) that needs to be authentic. The signature

155 key property states that in order to sign a new message, a new key pair has to be generated and verification key has to be authentic when delivered, which is a difficult task to accomplish in delivering the verification key and the message in an authentic way.

The limitation of the Winternitz signature scheme shows that it is not an efficient and feasible way to perform digital signature and that is when Merkle signature scheme comes into play as a proposal to solve the issues using hashing trees.

“The Merkle signature scheme (MSS) bases the authenticity of all the verification keys on the authenticity of only one public key, which is assumed to have been delivered in an authentic way, e.g., using a public key infrastructure (PKI)” [10], which is represented as Merkle Key (푌푀) that will be placed in the root of the hash tree as shown in Figure 17.

Figure 17 - Merkle Signature Scheme Hashing Tree

The tree leaves shown in Figure 17 are the Winternitz verification keys 푌푊푠, which every internal node is an auxiliary verification key that is obtained from hashing its children

ℎ푚푎푥 keys. “A hash tree of height ℎ푚푎푥 can be used to sign 2 messages as it includes

2ℎ푚푎푥 Winternitz verification keys in its leaves” [10]. The authentication path is very

156 crucial component in MSS since the path makes a reference to all keys, which are siblings of the keys that belongs to the path from used leaf to the root. “The authentication path is sent to the receiver along with the leaf index, the Winternitz signature and the current Winternitz verification key. Figure 17 also shows a Merkle hash tree at a height of ℎ푚푎푥 = 4, which includes sixteen Winternitz verification keys

푊 푊 (푌0 , … , 푌15 ) that is generated from the W-OTS key generator that would enable the

푊 푊 singing of sixteen messages in this tree. “In this tree, it holds that 푌0−1 = 퐻(푌0 || 푌1 )

푀 and 푌 = 퐻(푌0−7 || 푌8−15), for instance. To sign the fourth message, for example, the

푊 sender submits the leaf index 푖 = 4, the Winternitz signature 푆퐴 and the authentication

푊 푊 path 퐴4 = (푌5 , 푌6−7, 푌0−3, 푌8−15)” [10]. The receiver will then determine 푌̃4 using the rules from W-OTS signature verification algorithm, where the Merkle Key would be

푊 푊 determined in this procedure: 푌̃4−5 = 퐻(푌̃4 || 푌5 ) , 푌̃4−7 = 퐻(푌̃4−5 || 푌6−7), 푌̃0−7 =

푀 퐻(푌0−3 || 푌̃4−7) and 푌̃ = 퐻(푌̃0−7 || 푌8−15). When determining the concatenation direction, the receiver will need the index (i), where 푌̃푀 would be compared with 푌푀 to see if they are equal, which is required for the signature to be valid.

157

Figure 18 - MSS Tree Construction

Figure 18 shows the MSS tree construction algorithm process, which is based on a stack of size ℎ푚푎푥 + 1 nodes. Index is referred to as the current leaf (Winternitz verification key). The Winternitz signature keys (푋푊푠) is generated during step two and three of W-

OTS key generation algorithm for the purpose of generating the verification keys, which is to be deleted after finish using it. In Figure 18, it shows the MergeCount, which refers

158 to the number of merging options that is performed in step four.

Figure 19 - MSS Stack Content During Tree Construction

Figure 19 shows the MSS stack content during tree construction, which this algorithm can be applied to the tree as shown in the Figure 17. In the duration of the tree construction, the first verification path is determined, where the most-left leaf and node on every level is pushed to a special stack for the level that they reside in.

Figure 20 - MSS Message Sign Algorithm

Figure 20 shows the MSS message sign algorithm, which deals with the process of signing the ith message with high abstraction. Algorithm 1 represents W-OTS Key

Generation that can be referred to Figure 14, while algorithm 2 represents W-OTS

159

Message Sign that can be referred to Figure 15. According to Figure 20, the authentication path will be determined during tree construction, where in this algorithm, it will use the determined authentication path to determine the next authentication path.

푾 2.6.3 – Recovering Winternitz Signature Key 푿풊

In the duration of the tree construction, when signature keys are generated, they

푊 are not saved. “Recall that a Winternitz signature key 푋푖 is an array of v-sub-keys

푊 (푥1, … , 푥푣). A straightforward approach to make 푋푖 reproducible is to use a random

푊 푊 number chain starting from one secret seed 푆퐸퐸퐷푖 , which is stored for recovering 푋푖 ”

[10]. In MSS, 2ℎ푚푎푥 Winternitz signature key is needed for recovering the signature key.

30 “For ℎ푚푎푥 = 30, a total of 2 512-bit seeds would have to be saved, which demands a memory space of ½ terabit” [10]. There is an approach where the recovery of all

푀 signature keys based on one initial seed (푆퐸퐸퐷0 ) as shown in Figure 21.

Figure 21 - Signature Key Generation Scheme

160

In Figure 21, G represent a pseudo random number generator (PRNG), which would take an input speed (푆퐸퐸퐷푖푛) to produce a random number (푅) and a new seed (푆퐸퐸퐷표푢푡 ) as shown in Figure 22.

Figure 22 - Pseudo Random Number Generator Algorithm

2.6.4 – Determining Next Authentication Path 푨풊+ퟏ

Since determining the authentication path is a very tedious procedure in MSS, there were some proposal to address the process. Shoufan, Huber and Molter used the approach that are used in Merkle due to the simplicity in hardware implementation. The authentication path contains the ℎ푚푎푥 keys that are located on the tree levels from 0 to

ℎ푚푎푥 − 1, which can be seen as the root of the subtree (푌0−3), which is the root of the

푊 푊 subtree that contains the leaves from 푌0 to 푌3 . “Determining the authentication path can be reduced to finding these roots in a way similar to finding the Merkle Key 푌푀 using the

MSS Tree Construction Algorithm” [10] (algorithm can be referred in Figure 17), which the ℎ푚푎푥 subtrees must be constructed when finding the authentication path.

Merkle came up with the successive pre-construction of the subtrees so the authentication path (퐴푖) will be available whenever the ith message gets signed, which is made possible by a successive execution of ℎ푚푎푥 processes that are based from the MSS

161

Tree Construction Algorithm, which it can be referred in Figure 17. Successive execution refers to the fact that after every signing operation, it will trigger either generating new

Winternitz key pair or merging two nodes on the stack. Every process will operate on one tree level from ℎ = 0 to ℎ푚푎푥 − 1 with their own dedicated stack. Figure 23 will show the authentication path process that can be applied to the hash tree.

Figure 23 - Authentication Path Determination

The procedure of the approach is based on the following assumptions: “

1. The first authentication path must be pre-computed during the initial tree

construction.

2. The stack of each level must be initialized with the most-left node/leaf on that

level as the tacks contents for index = 0 is shown in Figure 23.

162

3. The subtree construction process on each level must be re-initialized with a new

start leaf at the right time. This is because several subtree roots are available on

each level. On the level h, the right time for a reinitialization is when

(푖푛푑푒푥 + 1)푚표푑 2ℎ = 0. The index of the new start leaf is determined by 푠푡푎푟푡 =

(푖푛푑푒푥 + 1 + 2ℎ) ⨁ 2ℎ” [10].

For example, by looking at the level ℎ = 2 in Figure 17, whenever the index becomes 67, the subtree construction with the root of 푌8−11 must have the process started. “The index of the start leaf of this subtree is determined by applying the second formula” [10], which

푊 would result in 8 that would correspond to the index of the leaf 푌8 .

Figure 24 - MSS Signature Verification Algorithm

163

Figure 24 shows the procedure of verifying the Merkle signature. In order to verify a

푀 푊 Merkle signature (푆̃푖 ), the Winternitz verification key (푌̃푖 ) would be determined via the

푊 W-OTS Signature Verification algorithm (refer to Figure 16) that would be applied to 푆̃푖 and the received message. The potential Merkle Key (푌̃푀) would be calculated and

푀 ̃ 푊 compared with the authentic Merkle Key (푌 ) using the information from 푌푖 and the received verification path 퐴푖.

2.6.5 – Chained Merkle Signature Scheme

The Chained Merkle Signature Scheme was proposed as a plan of solving performance issues when it comes to dealing with the construction of large tables due to large memory usage and computation overhead. CMSS consists of several smaller tree on different levels, called CMSS levels, which is more efficient than using one tree like in

Figure 17. The leaves on the tree on the lowest CMSS level are Winternitz verification key where signature keys are utilized in signing messages, which the signing process work similar to the original Merkle Signature Scheme where on the other side, the leaves on the tree on the highest CMSS level are also Winternitz verification key, but the signature key will sign the root of the corresponding tree on the lower CMSS level.

164

Figure 25 - Chained Merkle Signature Scheme

In Figure 25, it will show you an example of how Chained Merkle Signature Scheme works. “

1. In this example, three CMSS levels are available.

2. The lowest level (t=0) includes a total of 64 leaves, which are assigned to 16 trees

of height 2. The level with t=1 contains 4 trees and the highest level contains only

a single tree.

3. The root key of the highest level 푌퐶 represents the public key which must be

published in an authentic way, e.g., using PKI.

4. In the set-up phase, only the expanded tree in Figure 25 need to be constructed.

5. The leaves of a CMSS level are completely independent of the tree roots of the

lower CMSS level. Therefore, three seeds are saved to recover the leaves.

165

6. In the signing phase, a message is signed with the Winternitz signature key of the

lowest level. Additionally, the root of the current tree on that level is signed with

the corresponding Winternitz signature key of the higher level. In this example,

푀 푊 푀 ′′푊 푌 is signed using 푋0 of the second level and 푌 using 푋0 , for instance” [10].

2.6.6 – Merkle Cryptoprocessor High-Level Architecture

Cryptographic systems must have high security, flexibility and performance in order to be implemented on platforms with adjustable parameters (key size, acceptable time behavior, resource usage and power consumptions) in order to have a high quality.

By designing an efficient hardware architecture to support a cryptographic system brings up a challenge in hardware/software partitioning, interface and the architecture, which will be discussed further in the next section.

2.6.7 – Hardware/Software Partitioning

The goal of implementing a public-key cryptosystem into the hardware architecture is to offer functionality, but at the same time, offering performance and security which would relate to the generation, storage and the usage of the private keys on the hardware device to prevent external access to it, but only through the hardware.

166

Table 15 - Hardware vs. Security Suitability for CMSS Based on Security and

Hardware

Security Performance

Software Hardware Software Hardware

Key Critical Noncritical Critical Noncritical

Generation

Signing Critical Noncritical Critical Noncritical

Verification Noncritical Noncritical Critical Noncritical

Table 15 shows how the system security and performance for all CMSS cryptosystem (such as key generation, signing and signature verification) components are dependent on the hardware and software. Hardware provides very secure system for the key generation and the singing processes due to the hardware designer enforcing the storage and the private key processes on the hardware and blocking any external access to these keys. Verification process doesn’t use any private keys, meaning that it is not critical for the verification component to be either on software or hardware. Due to the fact that hardware has the capability of parallelization, pipelining, supporting wide data paths, using specific functional units and employing on-chip memories, it will perform way better than software based on the latency and throughput of every CMSS operation.

An example of utilizing CMSS on hardware based can be utilized on high-end servers, such as banking servers since they serve millions of users and everyone need to have the shortest latency and highest throughput for the singing and verification processes in order to prevent lag on the platform.

167

The hardware architecture would provide all the cryptosystem functions in order to support CMSS on the high-end servers. “Due to its clear software interface, its modularity and its FPGA target, our cryptoprocessor allows other configurations where the verification processes are executed on software for example” [10]. The performance of signing and verification process is dependent on the performance of hash value determination, although only message hash values are the only ones to be signed. The performance of the signing and verification process would skyrocket if the message hash value determination also skyrocket. Hardware architecture has the capability for the message hash value to be determine on software and then once it is determined, it would send it to the hardware for signing and verification process and also has the capability for the message hash value to be determined on the hardware.

2.6.8 – Hardware/Software Interface

“As an application-specific architecture, the Merkle cryptoprocessor operates as a coprocessor in a master/slave communication model, where the server host is the master”

[10]. In order to support the CMSS cryptosystem operation, the coprocessor is an instruction set architecture that can execute all the instructions that are shown in Table 16.

Table 16 - Merkle Cryptoprocessor Instruction Set

Instruction Input Output Involved Units

Construct Trees Master Seed None MCP Sign Unit

Get Root Key None 푌퐶 MCP Sign Unit

Sign Message Message m 푆퐶 Message Hash Unit

168

and MCP Sign Unit

Sign Hash Value Message Hash 푆퐶 MCP Sign Unit

Value 퐻(푚)

Load Root Key 푌퐶 None MCP Verify Unit

Verify Message 푆̃퐶, Message m True/False Message Hash Unit

Signature and MCP Verify

Unit

Verify Hash Value 푆̃퐶, Message Hash True/False MCP Verify Unit

Signature Value 퐻(푚)

In Table 16, it shows that during the execution of the first four commands, the cryptoprocessor will play the role as the signer, while the cryptoprocessor will play the role as the verifier when executing the last three instructions. When executing the

Construct Trees command, all the necessary trees on the CMSS levels are generated and the server public key (푌퐶) is provided and read during execution of the Get Root Key command. When executing the command Load Root Key with an authentic public key available in the system, it will verify some message that are signed by the client. The

Sign Message and Verify Message Signature command will come up with a message (푚) of arbitrary length, which is given as part of the command. In the command, the message will be hashed and then the hash value will be signed or verified. “Data is transferred between hardware and software using FIFOs to simplify the communication protocol, one the one hand, and to decouple the clock domain of the hardware core from that of the communication interface, on the other” [10]. FIFO capacity depends on the data size that

169 needs to be transferred since it would buffer long messages from the software side.

2.6.9 – Hardware Architecture

The first step in hardware architecture implementation is to allocate resources needed to execute the instructions as well as mapping the instructions to the allocated resources and to manage job scheduling for processes execution. The instruction mapping issue is defined only if several instructions share the same unit (term resource), which can be justified in CMSS in two cases: “

1. The instructions Sign Message and Verify Message Signature demand the

hashing of messages before signing or verification. As these two instructions

are not executed simultaneously because of the hardware/software interface,

they can share one unit for hashing the message.

2. In the initialization phase of CMSS, one tree on each CMSS level is

constructed. Subsequently, for each signing operation, some steps are taken to

prepare other trees, which are utilized as soon as former trees are consumed.

Thus, all the instructions, such as Construct Trees, Sign Hash Value and Sign

Message, require similar resource for tree management. Additionally, these

instructions share the pseudo random generator responsible for producing or

recovering the private keys” [1].

By keeping these conditions in mind, the Merkle cryptoprocessor architecture were designed that had the Message Hash Unit, MCP Sign Unit and MCP Verify Unit as the three main functional unit on the instruction level as shown in Figure 26.

170

Figure 26 - Merkle Cryptoprocessor Architecture

On the right column of Table 16, it shows the instruction-to-unit mapping, where the processor will either receive the message or hash value. “In the first case, the

Message Hash determines the hash value of the message, which is then sent to the MCP

Sign Unit for signing or to the MCP Verify Unit for verification” [10]. Job scheduling in the instruction level is simple as the master (the host software) defines scheduling. This architecture has the capability to execute some instructions in parallel or pipeline mode to enhance the system throughput. During couple messages signing in the MCP Sign Unit, the hash value of the next message in the Message Hash Unit. In the duration of the tree construction in the MCP Sign Unit, any verification command can be executed in the

MCP Verify Unit. “The data path has a width of 64 bit, which is enforced on the one hand by the PCI bridge’s local bus of the hardware card, and by the word width of the employed hash function SHA-512 on the other” [5]. The data transfer in and out of FIFO

171 is performed through DMA while the command and status registers are access as memory-mapped registers due to performance reasons. “The Master Controller (MC) is composed of several finite state machines which control the overall operation of the MCP on different levels. On the hardware level, the MC controls the data transfer from and to the local bus of the FPGA card, on the one hand, and between the different units of the

MCP including the FIFOs, on the other” [1]. On the upper level, the MC has a role of decoding the instruction of the MPC and performing the execution using the MCP units.

Table 17 - MCP Parameters

Parameter Meaning Size(Bit)

푛 Hash value width. 푛 also 512

corresponds to the width of

all the seeds, all the

Winternitz signature sub-

keys (푥′푠), all the

verification sub-keys (푦 ′ 푠)

and keys (푌′푠) and all the

sub-signatures (푠′푠)

푤 Winternitz parameter Adjustable (2,4,6,8)

푣1 No. of blocks representing Depends on 푤

the message

푣2 No. of blocks representing Depends on 푤

the checksum

172

푇 No. of CMSS levels Adjustable (3)

ℎ푚푎푥 Maximal tree height on a Adjustable (10)

CMSS level

퐶 ℎ푚푎푥 Total height on all CMSS 푇 × ℎ푚푎푥(30)

levels

Table 17 shows the parameters and data sizes that are supported in CMSS by the cryptoprocessor. “The adjustability of the parameters w, T and ℎ푚푎푥 is enabled by using a reconfigurable platform for the cryptoprocessor” [10]. Adjusting any parameter in the cryptoprocessor will require a new synthesis and new bitstream generation.

2.6.10 – MCP Sign Unit

Figure 27 - MCP Sign Unit Architecture

Figure 27 shows the data path of MCP Sign Unit, which plays a role in perform

173 instruction execution for Construct Trees, Get Root Key and Sign Hash Value by using the instructions from Table 16. This unit also performs the Sign Message instruction with the assistance from the Message Hash Unit. “Mapping all these instructions to the MCP

Sign Unit is justified by two aspects:

1. Both the tree construction and the digital signature determination generate or

recover Winternitz private keys based on three seeds, which are generated

using a master seed.

2. Both the tree construction and the digital signature determination process the

hash tress and share the memories used to realize the stack and the buffer for

the tree roots and the authentication paths” [10].

Performing the execution of Construct Trees command is required in order to set up trees and to provide the root of the highest tree (푌퐶), which is set up by the host. “For this purpose, the module Seed Generator generates and saves three seeds, one for each

CMSS level. Based on these seeds, the modules Leaf Generator, Stack Bank and SHA512 interact with each other to generate three trees of height ℎ푚푎푥 = 10, one on each CMSS level” [10]. This will cause three roots (푌푀 , 푌′푀 and 푌퐶) to be generated according to the

Figure 25, which would be stored in the Roots & Auth-Path Buffer that is managed by a dedicated controller using MSS Tree Construction Algorithm, which can be referred to

Figure 17, for each CMSS level. The dedicated controller belongs in the MCP Sign Unit.

“For ℎ푚푎푥 = 10, a tree on the lowest CMSS level helps to sign 1024 messages. For signing further messages, a new tree on that level must be generated” [10], which MCP

Sign Unit would prepare in generating a new tree during its no-operation phases instead of waiting until a tree is consumed completely. The cryptoprocessor manages three

174 current tree and two reserve trees. On the highest CMSS level, one tree is only available and does not require reserve trees. Get Root Key command is executed by reading 푌퐶 from Roots & Auth-Path Buffer.

In order to execute the Sign Hash Value command, MSS Message Sign

Algorithm, which can be referred in Figure 20, will be applied to each CMSS level.

푊 “First, the Winternitz Sign Module reads the current 푆퐸퐸퐷푖 from the Seed Generator

푊 and the corresponding Winternitz signature key 푋푖 is recovered. Depending on the

CMSS level, the Winternitz Sign Module then computes the Winternitz signature of the

푊 message 푆푖 (푚) (more accurately the signature of the message hash value), and the

푊 푀 푊 ′푀 accurately signatures of the roots 푆푖 (푌 ) and 푆푖 (푌 ) based on W-OTS Message Sign algorithm” [10], which the algorithm can be referred to Figure 15. Consider that the authentication path is already prepared and written into the Roots & Auth-Path Buffer.

The Leaf Generator, Stack Bank and SHA512 modules will be interacted with each other in determining the next authentication path on every CMSS level. From there, the authentication paths will be stored in the Roots & Auth-Path Buffer for the next message signature.

2.6.11 – Leaf Generator

A large number of Winternitz verification keys 푌푊푠 must be generated during the tree construction process. “Each of these keys is the hash value of 푣 Winternitz verification sub-keys y’s. One Winternitz verification sub-key results from a (2푊 − 1)- fold hashing of a Winternitz signature sub-key x” [10]. The 푣 signature sub-keys x’s will form a Winternitz signature key 푋푊, where the x will be randomly generated depending

175 on a seed that represent as 푆퐸퐸퐷푊 . A generated 푋푊 during tree construction or authentication path will assist in coming up with the 푌, but it won’t be used for message singing.

A leaf generator is a high-performance module that is dedicated in generating tree leaves (푌푊푠) on every CMSS levels as shown in Figure 28.

Figure 28 - Leaf Generator

The high performance in the leaf generator is due to the signature sub-key that are generated in the unit is only used to compute the corresponding verification sub-key and the new seed in the system without exchanging it to other units. The submodules that is represented as the Feedback Hash Modules (FHM) runs in parallel to perform the leaf generation acceleration since the number of modules can affect the performance of the cryptoprocessor and the modules can be chosen depending on the resource availability on the target platform. Cryptoprocessor is implemented with keeping the number of FHM in

176 mind, which can be given as a parameter that is generic to VHDL. The modules generation and the data path are accomplished through the synthesis program. “Besides the data to be hashed, an FHM receives the number of times these data must be hashed.

In the Leaf Generator, this number is either 2푤 − 1, as an x is hashed 2푤 − 1 times to determine y, or 1” [10]. The value will then be needed to generate x itself since x is a random value that is obtained from hashing the seed in the duration of Pseudo Random

Number Generator Algorithm, where it can be referred to Figure 22. The hash module of

FHM are exploited for the purpose of generating a value instead of utilizing an extra hash module for the PRNG.

Figure 29 - Generator Mapping and Scheduling

Figure 29 shows the “generation of signature and verification sub-keys schematically: After receiving 푆퐸퐸퐷0, FHM-0 computes 푥0 by applying the hash function once to 푆퐸퐸퐷0. One the one hand, 푥0 is then fed back inside FHM-0, which is

푤 started again to hash 푥0 a total of 2 − 1 times to compute 푦0. On the other, 푥0 is fed to the PRNG to compute the new seed (푆1)” [10]. From there, the output is sent to FHM-1 to calculate 푥1 and 푦1. When FMH-0 finish calculating 푦0, then the seed (푆4) will be available for FHM-0 to compute 푥4 without any holdups. The hash module of SHA-512

177

푊 will come up with a verification key 푌푖 using the v sub-keys of y’s. Since the hash function of SHA-512 will be working on 1024-bit blocks, SHA-512 will process two

512-bit verification of the sub-keys at the same time. “Assuming that resource usage is not constrained, the parallelization degree in the Leaf Generator, i.e., the number of the

FHM’s, should be adjusted under the consideration of the load of SHA-512” [10]. Having a high parallelization degree will cause module overload, which will cause some FHM to delay its operations until SHA-512 is ready to take on processes. Coming up with the optimal number of FHM will depend on the Winternitz parameter (w). If the Winternitz parameter has a higher value, FHM need to perform long calculation to determine a verification sub-key, while on the other side, if the Winternitz parameter has a lower value, FHM will be able to quickly calculate a verification sub-key.

2.6.12 – Winternitz Sign Module

Figure 30 - Winternitz Sign Module

178

Figure 30 shows the Winternitz Sign Module architecture that implemented W-

OTS Message Sign Algorithm, where it can be referred in Figure 15. “The data left shift register (DLSR) shifts the message block-wise to the left and provides the hashing number (k) for each block” [10] during step two of the W-OTS Message Sign Algorithm.

Then, the checksum will be predicted during step two of the W-OTS Message Sign

Algorithm and will be accumulated in the checksum left shift register (CLSR). The

Winternitz parameter (w) in the Winternitz Sign Module can be adjusted during design process as long as the parameter is equal to the value in the Leaf Generator. FHM and

PRNG does not share the same hash module of SHA-512. If FHM and PRNG were to utilize the same hash module of SHA-512, a new signature sub-key (푥푖+1) would be

푊 generated when FHM finishes computing the current sub-signature 푠푖 .

2.6.13 – Stack Bank

We currently know that stack is mandatory for every tree level from ℎ = 0 to ℎ =

ℎ푚푎푥 − 1 in order to set up the authentication path.

Table 18 - Stack Size for Merkle Tree of Height hmax

Level height 풉 Stack Size

ℎ푚푎푥 − 1 1

ℎ푚푎푥 − 2 ℎ푚푎푥 + 2

1 … ℎ푚푎푥 − 3 ℎ + 1

0 1

179

Table 18 shows the stack size on every tree level from ℎ = 0 to ℎ푚푎푥 − 1, where the unit of the stack size represents as a verification key that contains the width of 512-bit. “The stack size for the two borderlines level equals one each. Although these two stacks may be realized as a simple register, we adhere to unified generic form for all levels” [10]. The stack size for each tree level of height (h) can range from 1 to ℎ푚푎푥 − 3 which is equal to

ℎ + 1 while the height level of ℎ푚푎푥 − 2 is equal to ℎ푚푎푥 + 2. The stack is to be used as part of tree initialization where it would perform the calculation of the root 푌푀 of the tree that would require ℎ푚푎푥 + 1 stack entries. Additional stack entries can also be used to store the most-left node/leaf of the height level of ℎ푚푎푥 − 2. The maximal tree height for a CMSS level is ℎ푚푎푥 = 10 in MCP, which ten stacks would be required with 49 entries size.

The cryptoprocessor could manage five trees due to the support of three CMSS level and the setup of two reserve trees. “The Stack Bank includes 50 stacks with a total size of 245 entries, which are accessed using 50 stack pointers” [10] as shown in Figure

31.

Figure 31 - Stack Bank Organization

180

Figure 31 above shows the functionality of the Stack Bank that contains the stack of a current tree on CMSS level 0 and tree height level of h=2. “A stack pointer is accessed by a logical address, which is compound of two sections t and h. Section t is a 3-bit section referring to the CMSS level and whether the corresponding tree is a current or a reserve tree” [10]. MCP processes three trees on three CMSS levels as well as prepares two reserve trees on CMSS level 0 and 1. Section h is a 4-bit section that refers to a height level in a tree. A stack entry contains 512-bit of verification key which a stack pointer looks only into the first 64-bit word of a key in address lines of A10-A3 as shown in

Figure 31. The MCP data path has a width of bit. The other words are dealt by three additional address lines A2-A0 that are stem from the controller as shown in Figure 31.

2.6.14 – Seed Generator

The role of the Seed Generator module is to read the master seed and generate three semi-master seeds for every CMSS level. Looking back in Figure 29, the seed that

푀 is represented as 푆퐸퐸퐷0 is a semi-master seed, which are saved into the system and are

푊 utilized to generate the seeds for every Winternitz signature keys 푆퐸퐸퐷푖 . In Figure 29, it shows the G blocks of the first row where the Winternitz seed is sent to the Leaf

Generator and the Winternitz Sign Module.

2.6.15 – Roots & Auth-Path Buffer

The Roots & Auth-Path Buffer serves as a purpose to perform data transfer to the

Out FIFO in parallel to all the tasks that are performed in MCP Sign Unit, where the

181 authentication path would be computed and then saved into the Roots & Auth-Path

Buffer. While message signing is in progress, this path can be read from the buffer while the next path is in the process of calculating using the Stack Bank. “The size of the Roots

& Auth-Path Buffer is equal to 55 512-bit entries. This results from processing five trees of height ℎ푚푎푥 = 0” [10]. The authentication path of the tree contains ten keys and the first authentication path will always be saved during the tree construction; therefore, the roots of all current and reserve trees are also saved in the buffer.

2.6.16 – MCP Verify Unit

Figure 32 - MCP Verify Unit Data Path

Figure 32 shows the data path of MCP Verify Unit as the MCP main component, which has the role of executing the instructions of Load Root Key and Verify Hash Value

Signature. MCP Verify Unit implements the CMSS verification process with is an expansion from MSS Signature Verification algorithm. MCP Verify Unit data path can

182 also perform the Verify Message Signature instruction with the help from the Message

Hash Unit. “Recall that this algorithm helps to verify a Merkle signature, where only the message is signed by the Winternitz scheme” [10]. In CMSS, the Winternitz signature scheme is apply to the message as well as the roots (푌푀 and 푌′푀) of the first two CMSS levels, which are not delivered by the signer. “The MCP Verify Unit must reconstruct them based on the authentication paths” [10].

The Winternitz Verification Module differs from the Winternitz Sign Module by that the verification module does not have PRNG and SHA-512 (extra hash module) is

푊 used for hashing Winternitz verification sub-keys (푦̃푖 ) to implement the Winternitz verification key (푦̃푊). The verification procedure that utilizes shift registers (DLSR and

CLSR) and feedback hash module runs similar to the signing case. “After determining a

Winternitz verification key, i.e., a leaf of some tree, the root of that tree is computed with the aid of the authentication path using the hash module SHA-512” [10]. After computing

푦̃퐶, it performs comparison with 푌퐶 to double check and make sure that it is written to the relating register by Load Root Key command. If both keys are identical, the signature is considered to be valid.

2.6.17 – Message Hash Unit

The role of the Message Hash Unit is to read a message of an arbitrary length to determine the hash value, which would be sent to MCP Sign Unit for signing or MCP

Verify Unit for verification. The Message Hash Unit include a hardware version of SHA-

512 (hash function), belonging to the SHA-2 family and is also considered as important component in the crptoprocessor for performing digital signature. “SHA-512 operates on

183

1024-bit data blocks, which are extended to 80 64-bit words 푊푖’s by applying some shift, rotation and xor operation. A data block is hashed through 80 processing rounds, which are applied to an 8 × 64-bit register (A, B, C, D, E, F, G, H)” [10]. In the initialization process, this register will initialize with a constant value. “In each round, one word of the extended message block 푊푖 and an additional round-specific constant 퐾푖 are incorporated and the extended message words are given this way:

푀(푖) 푖푓 0 ≼ 푖 ≼ 15 푖 ” [10]. 푊푖 = { {512} {512} } 휎1 (푊푖−2) + 푊푖−7 + 휎0 (푊푖−15) + 푊푖−16 푖푓 16 ≼ 푖 ≼ 79

The first 16 words represent the message words while the rest of the other words are

{512} {512} computed using the functions 휎0 (푥) and휎1 (푥), “which are given as

{512} 19 61 6 follows: 휎1 (푥) = 푅푂푇푅 (푥) ⨁ 푅푂푇푅 (푥) ⨁ 푆퐻푅 (푥).

Figure 33 - SHA-512 Round

Figure 33 shows the SHA-512 Round algorithm that shows on how the register words (A, B, C, D, E, F, G, H) are updated in every round where ∑0 () , ∑1 () , 퐶ℎ() and

푀푎푗() are logical functions including negation, AND, XOR shift and rotation:

184

퐶ℎ(푥, 푦, 푧) = (푥 ∧ 푦) ⨁ (¬푥 ∧ 푧)

푀푎푗(푥, 푦, 푧) = (푥 ∧ 푦) ⨁ (푥 ∧ 푧) ⨁ (푦 ∧ 푧)

{512} 28 34 39 휎0 (푥) = 푅푂푇푅 (푥) ⨁ 푅푂푇푅 (푥) ⨁ 푆퐻푅 (푥)

{512} 14 18 41 휎1 (푥) = 푅푂푇푅 (푥) ⨁ 푅푂푇푅 (푥) ⨁ 푆퐻푅 (푥)

The calculation of register word A and E are more time consuming due to the additional tasks that needs to undergo in determining the words. In order to improve the performance of the algorithm, the round path was divided into four pipeline stages as shown in Figure 34

Figure 34 - Pipeline Data Flow for SHA-512 Module

185

In the pipeline stages, no more than three words are summed in a stage and as a result, duplication of the functions ∑1 () , 퐶ℎ() and stage three addition becomes necessary in the hardware design. “With the aid of this pipelining structure, the SHA-512 module takes 86 clock cycles to hash one data block and works at a clock frequency of 190 MHz for a stand-alone implementation” [10], which shows a processing throughput of 2.4 Gbit/s.

2.7 – Ring-LWE

Ring-LWE Signature (lattice-based cryptography) is a computation problem designed to protect against middle-man attack using quantum computing and to provide the basis of homomorphic encryption by using algorithms that contains encryption functions, digital signature schemes and one-way has functions features. This algorithm is specialized to polynomial rings over finite fields. “A lattice is a set of points in hi- dimensional space and arranged in periodic order. Lattice can be represented as 퐿 = {푎1 ∙

푣1 + 푎2 ∙ 푣2 + ⋯ + 푎푛 ∙ 푣푛|푎1 is integer} for linearly independent vectors (푣1, 푣2, … , 푣푛)

푛×푚 in the real vector space (푅푛)” [14]. In the lattice equation (푎 ∈ 푍푞 ), the equation is

푛 × 푚 matrix, where n takes small matrix while m takes large matrix and every entry are

푛 over finite field of 푍푞. In this equation (푠 ∈ 푍푞 ), b = a.s can be computed.

By having (a,b), it is hard to find s, which is the reason on why lattice cryptography is used to tackle down complex problems. The complexity of the lattice cryptography can become more complex by coming up with error values in the equation.

In this equation (푎, 푎. 푠 + 푒), the lattice (a), secret vendor (s) and the error vector (e) are unknown values and would need to be solved, but the entries are chosen from the distribution function. In Learning With Errors (LWE), it can deal with problems

186 involving in the N-th degree truncated polynomial ring (NTRU) and Learning With

Errors Over Rings (R-LWE), which will be discussed in the next few sections.

R-LWE distribution is pseudorandom since this algorithm would generate a sequence of numbers while at the same time approximating the properties of random number sequence. The basic elements for R-LWE is 푓(푥) = 푥푛 + 1 ∈ 푍[푥] where n is a

푍[푥] power of 2, which makes f(x) irreducible over the rational. The equation (푅 = ) is <푓(푥)> the ring of integer polynomial modulo of f(x). The equation (푞 = 1 푚표푑 2푛) is a large

푅 푍 [푥] public prime modulus since it is bounded by a polynomial in n. “Let 푅 = = 푞 푞 <푞> <푓(푥)>

푛 be the ring of integer polynomials modulo for both f(x) and q. The 푞 elements of 푅푞 can be represented by polynomials of degree less than n” [14] since the coefficients can range from 0 to q-1.

The advantage of using R-LWE are: “

1. Each noisy product 푏 = 푎. 푠 gives 푛 pseudo-random values over 푍푞, rathen

than just one scalar, yet the cost of generating is very small.

2. Polynomial multiplications required for the calculation can be done in

푂(푛 log 푛) time. Additionally, by employing Fast Fourier Transform, the

same procedure can be accomplished using in 푂(log 푛) with highly optimized

way.

3. Each sample (푎, 푏) ∈ 푅푞 ∗ 푅푞 from R-LWE distribution can replace 푛

samples (푎, 푏) ∈ 푅푞 ∗ 푅푞 from the standard LWE distribution, which reduces

the secret key size as well as the public key size by the factor of 푛” [14].

187

4. “The size of public key is around 7000 bits in length for 128-bits of security,

which is larger than the key sizes for RSA and Elliptic Curve Diffie-Hellman,

which requires public key sizes of 3072 bits and 256 bits to achieve a 128-bit

level of security” [15].

2.7.1 - NTRU

푍[푥] NTRU deals with the algebraic structures of polynomial ring (푅 = ), which 푥푛 −1 the operation when dealing with NTRU deals with convolution multiplications where all the polynomial rings contain integer coefficient where most degree is at 푛 − 1. NTRU cryptosystem uses three parameters (n, p, q), where n is a prime, q is a coprime that is larger than p that is also a coprime. NTRU cryptosystem also utilizes in four sets of polynomials (퐿푓, 퐿푔, 퐿푚, 퐿푟), which is part of the private key when it comes to dealing with polynomial functions and it is also part of the message and a blinding value that contains a degree of 푛 − 1.

2.7.2 – R-LWE Cryptographic Scheme

푍[푥] In this equation (푅 = where n is the power of 2, the cryptography scheme <푥푛 +1> includes the following steps: “

1. Key generation: A uniformly random element 푎 ∈ 푅푞. Two random ‘small’

elements 푠, 푒 ∈ 푅 are chosen where 푠 works as private key and 푒 works as

188

error value. Using 푠 and 푒, parameter 푏 can be calculated as 푏 = 푎. 푠 + 푒. The

2 key pair (푎, 푏 = 푎. 푠 + 푒) ∈ 푅푞. The key pair (푎, 푏) works as the public key.

2. Encryption (푎, 푞, 푚 ∈ 0, 1푛): To encrypt an n-bit message ( 푚 ∈ 0, 1푛), which

is an element of R considering its bits as the 0-1 coefficients of a polynomial,

3 random elements 푟, 푒1, 푒2 ∈ 푅 are chosen from the error distribution 퐷휎 and

2 finds the pair (푢, 푣) ∈ 푅푞 as the encryption of 푚. The equation for encryption

푞 is 푢 = 푎. 푟 + 푒 푚표푑 푞 and 푣 = 푏. 푟 + 푒 + ( ) . 푚 푚표푑 푞. 1 2 2

3. Decryption (푖, 푣, 푠): Decryption algorithm finds 푣 − 푢. 푠 = (푟. 푒 − 푠. 푒1 +

푞 푒 ) + ( ) . 푚 푚표푑 푞. For an appropriate choice of parameters, 푟. 푒 − 푠. 푒 + 2 2 1

푒2 ∈ 푅 have magnitude less than 푞/4 and hence bits of 푚 can be recoverd by

rounding each coefficient of 푣 − 푢. 푠 to 0 or q/2, whichever is the closet

modulo of q” [14].

2.7.3 – R-LWE Based Signature Scheme

The digital signature scheme that was introduced by Wu is utilized in the R-LWE algorithm. The following steps in the digital signature scheme are: “

푛 1. Key Generation (1 ): A ring element is chosen 푎 ∈ 푅푞 with a prime number

∗ 푡 ∈ 푍푞. Select 푠, 푒 ∈ 퐷휎, where 푠 works as the secret key and 푒 is the error

value. Based on this, parameter b is computed as 푏 = 푎. 푠 + 푡. 푒. The pair

(푎, 푏) works as the public key.

189

2. Sign ((푚, 푠), 퐻(푚)): 퐻 is the collision resistant hash function 퐻: {0,1}∗ →

푅푞, 푚 is the message and 푠 is the secret key. To sign a message, select 푣 ∈ 푅푞

from the uniform distribution over 푅푞. Choose 푒1 ∈ 퐷휎 and compute 푢 =

(푣 + 퐻(푚)). 푠 + 푡. 푒1. From there, return the signature ((푢, 푣) 표푛 푚).

3. Verify ((푎, 푏), 퐻(푚), (푣, 푢)): Based on the public key (푎, 푏), the signed

message (푚, (푣, 푢)) and 퐻(푚), verification of the message can be performed.

To verify the message, check whether (푣, 푢) ∈ 푅푞 × 푅푞 and [−푎. 푢 +

푏. 푣]푚표푑 푡 == −푏. 퐻(푚) 푚표푑 푡. If both the conditions get satisfied, then the

message is verified. If both of the conditions do not get satisfied, then the

message is not valid” [14].

190

CHAPTER 3 – RESEARCH GOAL

In this study, my research goal is to compare the three post-quantum cryptography algorithms to encrypt and decrypt a ciphertext and determine which one of these algorithms is best in performance, efficiency and security-wise. The post-quantum algorithms that will be tested will be Diffie-Hellman Key Exchange, Merkle Signature

Scheme and Ring-LWE Signature. Out of this experiment that I will be conducting in this research project, my goal is to determine which one of these algorithms will be the best to utilize in quantum computing cryptography field in order to have a secure communication of exchanging sensitive information over a public network. Post-quantum algorithms will be utilized in this experiment meaning that the source code of the algorithm is designed to be run on D-Wave systems as well as classical computing. In order to run the source code on D-Wave system, it can be run through the cloud account, but they don’t give you lots of tries in the free trial and it is very expensive to purchase time to utilize it. On the other hand, D-Wave system can be purchased starting at $15 million. In this study, the algorithm will be run on my 2019 iMac with a 3 GHz 6-Core Intel i5 and 8 GB of RAM.

191

CHAPTER 4 – METHODOLOGY

For this research project, the basic algorithm source code will be implemented for

Diffie-Hellman Key Exchange, Merkle Signature Scheme and Ring-LWE algorithms which will have the capability to have a predefined cyphertext to perform the algorithm to encrypt, decrypt sign and verify the certificate of the plaintext. From there, the code would be executed via terminal. The algorithm source code is designed in post-quantum techniques, meaning that the code is compatible not only in classical computing, but in quantum computing system such as D-Wave, Google, Leap, etc. During the experiment, I will be taking note of the length of time that it takes for each algorithm to fully execute, the accuracy of how effective each algorithm is and how secure each algorithm is. After the experiment, then I will take the results and use it to determine which algorithm is the best one to use in quantum computing environment under the type of scenario.

4.1 – Diffie-Hellman Key Exchange

For this experiment, it contains two files that represent Alice and Bob as two parties that will be performing exchange information based on secret key generation for both parties. This algorithm is implemented in C++ and it is considered to be a post- quantum. The source code will be executed where a random number will be generated to be shared to both of the parties. From there, Alice and Bob will use a mod p and base g.

Firstly, Alice will choose a secret private key integer (alice_priv_key) and will use the private key integer to generate a public key (alice_pub_key) with the variables of g, a, p and then send it to Bob. At the same time, Bob will choose a secret private key integer

192

(bob_priv_key) and will use the private key integer to generate a public key

(bob_pub_key) with the variables of g, b, p and then send it to Alice. Once the public key is sent to each other, Alice will go ahead and use the variables of B, a and p to compute s while Bob will use the variables of A, b and p to compute s. After the computation is finished, then they will finally have a secret number that can be shared by both parties.

4.2 – Merkle Signature Scheme

For this experiment, it contains C++ and header files that consist of predefined data that are encrypted into SHA-256 at the start of the program execution. This algorithm is implemented in C++ and it is considered to be a post-quantum. The source code will be executed where leaves will be initializes meaning that the leaves will be constructed in the program so that it will prepares for the data to be assigned into a leaf by entering the value as a null into the leaf. From there, the predefined data values will be assigned into a leaf with the value on which it has been encrypted using the SHA-256 encryption tool. In this source code, it contains the Merkle Tree library that was obtained from the internet. When assigning the values into a leaf, it will check for any adjacent blocks and then from there, the values will be combined and will hash the adjacent blocks as a whole to encrypt the whole leaf instead of encrypting the values. All the hashes that are performed in nodes will be saved in a vector. From there, it would be assigned as a child when the root is assigned. The process will then repeat until all the data values has been assigned into a leaf. From there, the program will perform garbage collection by deleting the whole tree and then the program will quit.

193

4.3 – Ring-LWE Signature

For this experiment, it is implemented in Python and is considered a post- quantum algorithm since the python source code can be converted into PyQuil, which the code can be executed in quantum systems. The purpose of Ring-LWE is to use the coefficients of polynomials to add or multiply within a finite field where the coefficients will end up being less than q. The source code will start the execution by having both parties (Alice and Bob) choose a complexity value of n where the value would the highest co-efficient power. From there, then q would be generated, which would be 2푛 −

1. From there, the polynomial operations will be managed with mod q where the largest coefficient value will come out to be 푞 − 1. Then, Alice will create a set of polynomial

푛−1 2 values (푎푖(푥)), which would be 퐴 = 푎푛−1푥 + ⋯ + 푎1푥 + 푎1푥 + 푎0. Alice will then take the equation and divide it by Φ(푥) or 푥푛 + 1 which the equation would look like

푎 푥푛−1+⋯+푎 푥+푎 푥2+푎 this: 퐴 = 푛−1 1 1 0. From there, error polynomial (e) and secret 푥푛+1 polynomial (s) will be generated for Alice, which would come out to be 푒퐴 =

푛−1 2 푛−1 2 푒푛−1푥 + ⋯ 푒2푥 + 푒1푥 + 푒0 and 푠퐴 = 푠푛−1푥 + ⋯ 푠2푥 + 푠1푥 + 푠0. Then, Alice creates a polynomial (푏퐴) using the values that she currently has from 퐴, 푒퐴 and 푠퐴, which is 푏퐴 = 퐴 × 푠퐴 + 푒퐴.

At this point, Alice has finished creating a polynomial and shares the variable A to

Bob so it is now Bob’s turn to create one using the same first step that Alice went through. Bob starts the process in creating a polynomial by generating the error

′ 푛−1 polynomial (e’) and secret polynomial (s’) which would come out to 푒퐵 = 푒푛−1푥 +

′ 2 ′ ′ ′ 푛−1 ′ 2 ′ ′ ⋯ 푒2푥 + 푒1푥 + 푒0 and 푠퐵 = 푠푛−1푥 + ⋯ 푠2푥 + 푠1푥 + 푠0. From there, Bob will use

194

Alice’s value to create a polynomial (푏퐵) by using the variable from Alice’s A, eB and sB, which will come out to be 푏퐵 = 퐴 × 푠_퐵 + 푒_퐵. Then, Alice will take Bob’s value

(푏퐵) to multiply by 푠퐴 and then will divide the result by 푥푛 + 1, which is constructed as

푏퐵×푠퐴 푠ℎ푎푟푒푑퐴푙푖푐푒 = . From there, Bob will use Alice’s value (bA) to multiply by 푠퐵 and 푥푛+1

푏퐴×푠퐵 then divide the result by 푥푛 + 1, which is constructed as 푠ℎ푎푟푒푑퐵표푏 = . Using the 푥푛+1 sharedAlice and sharedBob values, the noise will be extracted to create an array (u) with

푞 푞 the following conditions: if sharedAlicei < then 푢 = 0, else if sharedAlicei < then 4 푖 2

3푞 푢 = 1, else if sharedAlicei < then 푢 = 0 and else if sharedAlicei < q then 푢 = 1. 푖 4 푖 푖

From there, Alice and Bob will have the shared value that are the same value on both parties that can be used to create a shared key up to 256 bits of equivalent security.

195

CHAPTER 5 – EXPERIMENT RESULTS

For this section, the results of the experiments will be posted for Diffie-Hellman

Key Exchange, Merkle Signature Scheme and Ring-LWE Signature.

5.1 – Diffie-Hellman Key Exchange

Alice's Private Key: 197

Bob's Private Key: 123 p: 81154147 g: 17

Alice's Public Key: 65304175

Bob's Public Key: 47759967

Alice's Shared Secret: 61249202

Bob's Shared Secret: 61249202

Time taken to execute: 199 milliseconds

Program ended with exit code: 0

5.2 – Merkle Signature Scheme

7d1a54127b222502f5b79b5fb0803061152a44f92b37e23c6527baf665d4da9a f6ee94ecb014f74f887b9dcc52daecf73ab3e3333320cadd98bcb59d895c52f5 cffac2954b0d3bb974070c8160ced63599438cf0d69bcfb5027d8ce268ae2c01

76ce7e9f23b3c1e8940addf5b22b86a85bfb824ef249e785e0377b7228fbc2bf

8fa675cc452a44a9ca2816714f005640c53432b391b71f51f9a6cdd170eb623c

196 a5cf1aba29c602c28945b92a3028ce908ceff4148be20d06b3267ba5329d49fa

65a6cde9598daf34eeef1ddb61bc95484aebe8088ac8c0757a20977ff7eb83c6

9b6df9398983b1f4b9624d5bc2f712a187e5cb75f7ef3893a021c46dd092f094 a85f492c19143b93c5a01ca1215a6fe6afec9a994865caa4fcca4d62c976ff32

40137dac01ff7eaf8a598a2df2f80af752aa89203c1ee8424ec7821b305ea8c5 d00df388548f370ca6823410081f92ee9a2359ad6ac60ad665bc1606ed61447d

9e0c636d20872ff7a81b84515e2b5820df11db713b1fc2bbafc9543d55df5528

85e93b53607646955388de649761828f2b10b818adf7a07ec7424f340ba512a3 a85f492c19143b93c5a01ca1215a6fe6afec9a994865caa4fcca4d62c976ff32

4ccd76ca9446579a72bc2f7385964e50cf45594b48fd51657beb5957fbf03197 fdfec2f0ece8a5a6632496ab81dc8053ab374e5e5a8786f147d6371e9f8eae8f a85f492c19143b93c5a01ca1215a6fe6afec9a994865caa4fcca4d62c976ff32

cab1b317223cfbd0eba6289b0538e46e3c9ea9330aa6ddf7ce9e040856d8e602 a85f492c19143b93c5a01ca1215a6fe6afec9a994865caa4fcca4d62c976ff32

1a52443b59e3dc83fc526f1e9a08d726ddc0aa31a27a5820cfbb87e4f0e71a2f

197

Tree deleted

Time taken to execute: 674 milliseconds

Program ended with exit code: 0

5.3 – Ring-LWE Signature

A: 1024 | [3.54019601e+09 2.38757702e+09 6.89867898e+08 ... 1.81317553e+09

1.19627108e+09 3.51848625e+09]

Alice:

198

s: 1024 | [-1. 0. 0. ... -1. 0. 0.]

e: 1024 | [-3. -1. 2. ... -1. 0. -1.]

b: 1024 | [4.29496729e+09 4.29496729e+09 2.00000000e+00 ... 4.29496729e+09

0.00000000e+00 4.29496729e+09]

Bob:

s': 1024 | [-1. 1. 0. ... -2. -1. -2.]

e': 1024 | [ 1. 0. -1. ... -1. 0. -2.]

b': 1024 | [0.00000000e+00 1.00000000e+00 4.29496729e+09 ... 4.29496729e+09

4.29496729e+09 4.29496729e+09]

u : 1024 | [0 0 1 ... 1 1 1]

Alice's Shared Secret: 1024 | [0. 0. 1. ... 1. 1. 1.]

Bob's Shared Secret: 1024 | [0. 0. 1. ... 1. 1. 1.]

Time taken to execute: 150 milliseconds

199

CHAPTER 6 – EXPERIMENT CONCLUSION

For the Diffie-Hellman Key Exchange experiment, it took 199 milliseconds to execute where Diffie-Hellman Key Exchange would deal with encryption and decryption of communication channel using secure keys. The drawbacks of using the Diffie-Hellman

Key Exchange is that since there is no authentication control in the transmission process, it becomes vulnerable for being hijacked by an attacker. Another disadvantage of using the Diffie-Hellman Key Exchange is that it cannot be used for any asymmetric key exchange. The thing about Diffie-Hellman Key Exchange is that when the keys are exchanged to every member in the group, data communication can be transmitted over an insecure channel, but anyone can hack the algorithm simply by bypassing the authentication layer of the algorithm.

For the Merkle Signature Scheme experiment, it took 674 milliseconds to execute, which is the longest time this algorithm takes to execute the whole process compared to the other algorithm that was tested in this experiment. The advantage of utilizing the

Merkle Signature Scheme is that they are resistant against any attacks that are provoked by both classical and quantum computing. Another advantage of using the Merkle

Signature Scheme is that by having one public key, it can be used to generate many digital signatures. However, this will lead to an increase in computation time and signature length. The disadvantage of utilizing the Merkle Signature Scheme is the fact that due to the complexity of the whole algorithm process that are currently implemented, the file size of the key generation is large compared to other key generation file output that are generated in other algorithms.

For the Ring-LWE experiment, it took 150 milliseconds to execute, which seems

200 to be the fastest algorithm which that it takes to execute the whole process compared to the other algorithm that was tested in this experiment. The advantage of utilizing the

Ring-LWE algorithm is the outstanding speed and the flexibility in encrypting the larger size of the message without sacrificing performance. The disadvantage of utilizing the

Ring-LWE is that the modulus q and the inverse error rate will need to have a large polynomial in the output in order for the algorithm to prevent errors to the fact that the algorithm problem is very complex.

201

CHAPTER 7 – CONCLUSION AND FUTURE WORKS

The future works for this project would be to improve Diffie-Hellman algorithm by adding an authentication system that would always check the session to determine if the user is authorized to be in the communication channel. If the system detects unauthorized user, it would kick the user out from the communication channel and the user would have to go through the process of determining the secret key in order to be able to get back in the communication channel. Another works for the project is to implement the feature of asymmetric encryption for Diffie-Hellman in order to reduce the chance for attacker in hacking the communication channel. And another works for the

Merkle Signature Scheme should be to add the capability to compress key file size in order to save hard disk space.

In conclusion, quantum cryptography is very powerful when it comes to protecting not just data, but also the streaming communication channel. Microsoft came up with a Ring-LWE version of the OpenVPN, which is meant to have the capability to establish secure communication channel to the VPN server using the Ring-LWE algorithm instead of using the traditional and classical algorithm that has the most popular classical algorithm at this time. Soon, RSA and any other leading classical cryptography algorithm will become obsolete and will be vulnerable for getting attacked by the hackers. When it comes to hosting a streaming server, Ring-LWE would be the best algorithm to utilize in these types of scenario. For encrypting and decrypting data as well as adding digital signature on the data, Merkle Signature Scheme would the most recommended algorithm to use. Soon, there will be a day when quantum computing becomes widely used for cybersecurity solutions and it will get to the point that

202 government agencies and any other leading companies will need to retire their current cybersecurity system and adapt to quantum computing system in order to stay secure.

203

REFERENCES

[1]: Laszlo Gyongyosi, Sandor Imre, A Survey on quantum computing technology,

Computer Science Review, Volume 31, 2019, Pages 51-71, ISSN 1574-0137, https://doi.org/10.1016/j.cosrev.2018.11.002.

[2]: Nanrun Zhou, Guihua Zeng, Yiyou Nie, Jin Xiong, Fuchen Zhu, A novel quantum block encryption algorithm based on quantum computation, Physica A: Statistical

Mechanics and its Applications, Volume 362, Issue 2, 2006, Pages 305-313, ISSN 0378-

4371, https://doi.org/10.1016/j.physa.2005.08.053.

[3]: Akshay Ajagekar, Travis Humble, Fengqi You, Quantum computing based hybrid solution strategies for large-scale discrete-continuous optimization problems, Computers

& Chemical Engineering, Volume 132, 2020, 106630, ISSN 0098-1354, bhttps://doi.org/10.1016/j.compchemeng.2019.106630.

[4]: Feng Hu, Lucas Lamata, Mikel Sanz, Xi Chen, Xingyuan Chen, Chao Wang, Enrique

Solano, Quantum computing cryptography: Finding cryptographic Boolean functions with quantum annealing by a 2000 qubit D-wave quantum computer, Physics Letters A,

2020, 126214, ISSN 0375-9601, https://doi.org/10.1016/j.physleta.2019.126214.

[5]: Alejandro Díaz-Caro, Gilles Dowek, Juan Pablo Rinaldi, Two linearities for quantum computing in the lambda calculus, Biosystems, Volume 186, 2019, 104012, ISSN 0303-

2647, https://doi.org/10.1016/j.biosystems.2019.104012.

[6]: Eike Kiltz, Arne Winterhof, Polynomial interpolation of cryptographic functions related to Diffie–Hellman and discrete logarithm problem, Discrete Applied Mathematics,

Volume 154, Issue 2, 2006, Pages 326-336, ISSN 0166-218X, https://doi.org/10.1016/j.dam.2005.03.030.

204

[7]: Boaz Tsaban, Fast generators for the Diffie–Hellman key agreement protocol and malicious standards, Information Processing Letters, Volume 99, Issue 4, 2006, Pages

145-148, ISSN 0020-0190, https://doi.org/10.1016/j.ipl.2005.11.025.

[8]: Kim-Kwang Raymond Choo, Junghyun Nam, Dongho Won, A mechanical approach to derive identity-based protocols from Diffie–Hellman-based protocols, Information

Sciences, Volume 281, 2014, Pages 182-200, ISSN 0020-0255, https://doi.org/10.1016/j.ins.2014.05.041.

[9]: Eun-Jun Yoon, Il-Soo Jeon, An efficient and secure Diffie–Hellman key agreement protocol based on Chebyshev chaotic map, Communications in Nonlinear Science and

Numerical Simulation, Volume 16, Issue 6, 2011, Pages 2383-2389, ISSN 1007-5704, https://doi.org/10.1016/j.cnsns.2010.09.021.

[10]: Abdulhadi Shoufan, Nico Huber, H. Gregor Molter, A novel cryptoprocessor architecture for chained Merkle signature scheme, Microprocessors and Microsystems,

Volume 35, Issue 1, 2011, Pages 34-47, ISSN 0141-9331, https://doi.org/10.1016/j.micpro.2010.07.002.

[11]: Jian Xu, Laiwen Wei, Yu Zhang, Andi Wang, Fucai Zhou, Chong-zhi Gao, Dynamic

Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures, Journal of Network and Computer Applications, Volume

107, 2018, Pages 113-124, ISSN 1084-8045, https://doi.org/10.1016/j.jnca.2018.01.014.

[12]: Ikram Ali, Mwitende Gervais, Emmanuel Ahene, Fagen Li, A blockchain-based certificateless public key signature scheme for vehicle-to-infrastructure communication in

VANETs, Journal of Systems Architecture, Volume 99, 2019, 101636, ISSN 1383-7621, https://doi.org/10.1016/j.sysarc.2019.101636.

205

[13]: Neenu Garg, Seema Bawa, RITS-MHT: Relative indexed and time stamped Merkle hash tree based data auditing protocol for cloud computing, Journal of Network and

Computer Applications, Volume 84, 2017, Pages 1-13, ISSN 1084-8045, https://doi.org/10.1016/j.jnca.2017.02.005.

[14]: Aarti Amod Agarkar, Himanshu Agrawal, LRSPPP: lightweight R-LWE-based secure and privacy-preserving scheme for prosumer side network in smart grid, Heliyon,

Volume 5, Issue 3, 2019, e01321, ISSN 2405-8440, https://doi.org/10.1016/j.heliyon.2019.e01321.

[15]: Xiao Zhang, Shengli Liu, Jiaxin Pan, Dawu Gu, Tightly secure signature schemes from the LWE and subset sum assumptions, Theoretical Computer Science, Volume 795,

2019 Pages 326-344, ISSN 0304-3975, https://doi.org/10.1016/j.tcs.2019.07.015.

206