sign in sign up
<<
Home , Quantum cryptography

1

Cryptography is a foundational pillar of the global information security infrastructure

physical trust allows us to achieve security information security while using untrusted communication systems. cryptography

e.g. Do you update your software and anti- virus daily? Why do you trust the source? A foundational pillar for a complex system

Many potential weak links: • bad trust assumptions • phishing • weak passwords • bad implementations • side-channel attacks • cryptography protocol errors • etc, etc. • … including … “unknown unknowns”

CC-BY-SA 2009 John M. Kennedy T. http://en.wikipedia.org/wiki/File:CIAJMK1209.png

2 3

The problem 4

One serious problem for public- cryptography

In: Proceedings,35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, November 20–22, 1994, IEEE Computer Society Press, pp. 124–134.

Algorithms for Computation: Discrete Logarithms and Factoring

Peter W. Shor AT&T Bell Labs Room 2D-149 600 Mountain Ave. Murray Hill, NJ 07974, USA

Abstract tum mechanics and computing was done by Benioff [1, 2]. Although he did not ask whether con- Acomputerisgenerallyconsideredtobeauniversal ferred extra power to computation, he did show that a Tur- computational device; i.e., it is believed able to simulate ing machine could be simulated by the reversible unitary any physical computational device with a increase in com- evolution of a quantum process, which is a necessary pre- putation time of at most a polynomial factor. It is not requisiteforquantumcomputation. Deutsch [9, 10] was the clear whether this is still true when quantum mechanics is first to give an explicit model of quantum computation. He taken into consideration. Several researchers, starting with defined both quantum Turing machines and quantum cir- , have developed models for quantum me- cuits and investigated some of their properties. chanical computers and have investigated their computa- The next part of thispaper discusses how quantum com- tional properties. This paper gives Las Vegas algorithms putation relates to classical complexity classes. We will for finding discrete logarithms and factoring integers on thus first give a brief intuitive discussion of complexity aquantumcomputerthattakeanumberofstepswhichis classes for those readers who do not have this background. polynomial in the input size, e.g., the number of digits of There are generally two resources which limit the ability the integer to be factored. These two problems are gener- of computers to solve large problems: time and space (i.e., ally considered hard on a classical computer and have been memory). The field of analysis of algorithms considers used as the basis of several proposed . (We the asymptotic demands that algorithms make for these re- thus give the first examples of quantum .) sources as a function of the problem size. Theoretical com- puter scientists generally classify algorithms as efficient whenthenumberofstepsofthealgorithmsgrowsas apoly- 1 Introduction nomial in the size of the input. The class of problems which can be solved by efficient algorithms is known as P. This Since the discovery of quantum mechanics, people have classification has several nice properties. For one thing, it found the behavior of the laws of probability in quan- does a reasonable job of reflecting the performance of al- tum mechanics counterintuitive. Because of this behavior, gorithms in practice (although an algorithm whose running quantum mechanical phenomena behave quite differently time is the tenth power of the input size, say, is not truly than the phenomena of classical physics that we are used efficient). For another, this classification is nice theoreti- to. Feynman seems to have been the first to ask what ef- cally, as different reasonable machine models produce the fect this has on computation [13, 14]. He gave arguments same class P. We will see this behavior reappear in quan- as to why this behavior might make it intrinsically compu- tum computation, where different models for quantum ma- tationally expensive to simulate quantum mechanics on a chines will vary in running times by no more than polyno- classical (or von Neumann) computer. He also suggested mial factors. the possibility of using a computer based on quantum me- There are also other computational complexity classes chanical principles to avoid this problem, thus implicitly discussed in this paper. One of these is PSPACE, which asking the converse question: by using quantum mechan- are those problems which can be solved with an amount ics in a computer can you compute more efficiently than on of memory polynomial in the input size. Another impor- aclassicalcomputer.Otherearlyworkinthefieldofquan- tant complexity class is NP, which intuitively is the class

1 5

…on top of ever- risk of unexpected advances in classical algorithms

e.g.

Aquasi-polynomialalgorithmfordiscretelogarithm in finite fields of small characteristic

Improvements over FFS in small to medium characteristic

Razvan Barbulescu, Pierrick Gaudry, Antoine Joux, EmmanuelThomé

1IntroductionCryptology ePrint Archive: Report 2013/400 Date: received 18 Jun 2013 The problem (DLP) was first proposed as a hard problem in cryptography in the seminal article of DiffieandHellman[DH76].Sincethen,togetherwithfactorization,ithasbecomeoneofthetwo major pillars of public key cryptography. As a consequence, the problem of computing discrete logarithms has attracted a lot of attention. From an exponential algorithm in 1976, the fastest DLP algorithms have been greatly improved during the past 35 years. A first major progress was the realization that the DLP in finite α 1−α fields can be solved in subexponential time, i.e. L(1/2) where LN (α)=exp O((log N) (log log N) ) . The next step further reduced this to a heuristic L(1/3) running time in the full! range of finite fields, from" fixed characteristic finite fields to prime fields [Adl79, Cop84, Gor93, Adl94, JL06, JLSV06]. Recently, practical and theoretical progress have been made[Jou13a,GGMZ13,Jou13b]withanemphasis on small to medium characteristic finite fields and composite degree extensions. The most general and efficient algorithm [Jou13b] gives a complexity of L(1/4+o(1)) when the characteristic is smaller than the root of the extension degree. Among the ingredients ofthisapproach,wefindtheuseofavery particular representation of the finite field; the use of the so-called systematic equation;andtheuseof algebraic resolution of bilinear polynomial systems in the individual logarithm phase. In the present work, we present a new discrete logarithm algorithm, in the same vein as in [Jou13b] that uses an asymptotically more efficient descent approach. The main result gives a quasi-polynomial heuristic complexity for the DLP in finite field of small characteristic.Byquasi-polynomial,wemeanacomplexity of type nO(log n) where n is the bit-size of the cardinality of the finite field. Such a complexity is smaller than any L(ε)for# > 0. It remains super-polynomial in the size of the input, but offers a major asymptotic improvement compared to L(1/4+o(1)). The key features of our algorithm are the following. • We keep the field representation and the systematic equationsof[Jou13b]. arXiv:1306.4244v1 [cs.CR] 18 Jun 2013 • The algorithmic building blocks are elementary. In particular, we avoid the use of Gröbner basis algorithms. • The complexity result relies on three key heuristics: the existence of a polynomials representation of the appropriate form; the fact that the smoothness probabilities of some non-uniformly distributed polynomials are similar to the probabilities for uniformly random polynomials of the same degree; and the linear independence of some finite field elements related to the action of PGL2(Fq). The heuristics are very close to the ones used in [Jou13b]. In addition to the arguments in favor of these heuristics already given in [Jou13b], we performed some experiments to validate them on practical instances.

Although we insist on the case of finite fields of small characteristic, where quasi-polynomial complexity is obtained, our new algorithm improves the complexity discrete logarithm computations in a much larger range of finite fields.

1 6

How much of a problem is , really?? 7

How soon do we need to worry?

Depends on: § How long do you need to be secure? (x years) § How much time will it take to re-tool the existing infrastructure with large-scale quantum-safe solution? (y years) § How long will it take for a large-scale quantum computer to be built (or for any other relevant advance? (z years)

Theorem 1: If x + y > z, then worry. What do we do here??

y x z

time WHAT’S A QUANTUM COMPUTER?? Physics and Computation

§ Information is physical… • Information is stored in a physical medium and manipulated by physical processes. • A realistic model of computation must be cast in a realistic physical framework. • The “classical” paradigm for physics usually provides a good approximation to the laws of physics, but not always. Why are quantum computers apparently more powerful?

= 0.112 - 0.123

- 0.325 + 0.215

+ 0.270 - 0.173

- 0.017 - 0.847 § Classically simulating n quantum bits seems to require keeping track of 2n quantum amplitudes.

n 2 10 210 ≈ 1 000 20 220 ≈ 1 000 000 30 230 ≈ 1 000 000 000 ≈ GB 40 240 ≈ 1 000 000 000 000 ≈ TB 50 250 ≈ 1 000 000 000 000 000 ≈ PB

§ This challenges the Strong Church-Turing thesis: • A probabilistic (classical) Turing machine can efficiently simulate any realistic model of computing. What might quantum computers look like?

§ Trapped ions?

Blatt and Wineland. Nature 453, 1008-1015 (2008). NIST’s gold ion trap on an aluminum-nitride backing “This picture illustrates our vision of a future quantum computer. Strings of ions are held as separate strings above an ‘ion trap chip’. Through the antennae- effect, can be exchanged between neighbouring ion strings.”

© Harald Ritsch Y. Colombe/NIST Superconducting ?

§ Nanoelectronic circuits with linear elements and Josephson junction (non-linear inductor) E. Lucero, D. Mariantoni, and M. Mariantoni E. Lucero, D. Mariantoni, and M. Mariantoni There are many other proposals, and new ones still to be invented. 17

“Threshold theorem”

Architecture description

Threshold “ɛ” If the error rates of the basic operations of the device are below ɛ, then we can efficiently scale quantum Error model computations. Quantum computing: M. Steffen D. P. DiVincenzo An IBM perspective J. M. Chow T. N. Theis Quantum physics provides an intriguing basis for achieving M. B. Ketchen computational power to address certain categories of mathematical problems that are completely intractable with machine computation as we know it today. We present a brief overview of the current theoretical and experimental works in the emerging field of quantum computing. The implementation of a functioning quantum computer poses tremendous scientific and technological challenges, but current rates of progress suggest that these challenges will be substantively addressed over the next ten years. We provide a sketch of a quantum computing system based on superconducting circuits, which are the current focus of our research. A realistic vision emerges concerning the form of a future scalable fault-tolerant quantum computer.

Introduction to quantum computing irreducible release of heat to the environment. As a result, In his famous 1959 after-dinner talk BThere is plenty of room whenever an irreversible logic element such as a NAND at the bottom,[ Richard Feynman challenged the scientific gate is operated, the computer must dissipate energy. community to employ quantum mechanical effects in the Later, Bennett [2], among others, showed that universal design of information processing systems: computation need not be irreversible. In principle, 18 computations could be performed without erasing BWhen we get to the very, very small world, say, circuits information and, thus, without energy dissipation. These of seven atoms, we have a lot of new things that would insights set the stage for consideration of quantum VOLUME 55, NUMBERQuantum 5, SEP./OCT. 2011 computing: M. Steffen happen that represent completely new opportunities for mechanical systems as computers. Since coherentD. P. DiVincenzo quantum design. AtomsJournal on a smallAn scale of behave IBM Research like nothing perspective on a large mechanical operations are energy conserving andJ. time M. Chow scale, for they satisfy the laws of quantum mechanics. reversible, they are a natural generalization of theT. reversible N. Theis So, as we goand down and Development fiddleQuantum around physics with provides the atoms an down intriguing basisclassical for achieving operations of Bennett. M. B. Ketchen computational power to address certain categories of mathematical there,Including we are working IBM with problemsSystems different that laws, areJournal and completely we can intractable withIn machine the 1980s, computation it was shown that a quantum mechanical expect to do different things. We can manufacture in QuantumHamiltonian can computing: represent a universal Turing machine [3]. M. Steffen as we know it today. We present a brief overview of the current D. P. DiVincenzo different ways. We can usetheoretical not just circuits and experimental but some system works in theIt emerging was further field shown of that a could involving the quantized energyquantum levels, computing. or the interactionsThe implementationAn IBM ofefficiently a functioning perspective simulate quantum other quantum physical systems. In other J. M. Chow of quantized spins, etc.[ computer poses tremendous scientific andwords, technological a quantum challenges, machine would use only polynomial T. N. Theis Quantum physics provides an intriguing basis for achieving M. B. Ketchen but current rates of progress suggest thatresources these challenges of time, will memory, be and space to simulate other substantively addressed over thecomputational next ten years. power We provide to address a sketch certain categories of mathematical However, at that time,of even a quantum Feynman computing could not system guessproblems based on thatquantum superconducting are completely systems. circuits, By intractable comparison, with the machine simulation computation of such how a quantum system couldwhich be are used the to current perform focus information ofas our we research. knowsystems it A today. realistic by Wea classical vision present machine a brief requires overview an of exponential the current processing tasks. A greateremerges understanding concerning of the the fundamental form oftheoretical a future scalablegrowth and experimental of fault-tolerant resources works for increasingly in the emerging larger problems field of [4, 5]. rules of information processingquantum was computer. first required. In thequantum computing.The notion The of a implementation quantum Turing of machine a functioning was subsequently quantum ensuing years, IBM Research significantly contributed tocomputer that posesdeveloped, tremendous and the scientific concept of and quantum technological parallelism challenges, was understanding. Landauer [1] showed that energy must bebut currentintroduced rates of progress [6]. suggest that these challenges will be dissipated in computing only when information is erasedsubstantivelyA addressed major breakthrough, over the next i.e., ten the years. true birth We provide of quantum a sketch and that erasing a bit of information must result in an of a quantumcomputing, computing came system in 1994 based when on Peter superconducting Shor showed circuits, that a which are the current focus of our research. A realistic vision Introduction to quantum computing quantumirreducible computer release could of heat factor to theinteger environment. numbers As only a result, in the emerges concerning the form of a future scalable fault-tolerant In his famous 1959 after-dinner talk BThere is plenty of room polynomialwhenever time an [7]. irreversible The element algorithm such for as a integer NAND at the bottom,[ Richard Feynman challenged thequantum scientific computer.gate is operated, the computer must dissipate energy. Digital Object Identifier: 10.1147/JRD.2011.2165678 factoring offers an exponential speedup over the best Frontierscommunity of Information to employ mechanical effects in the Later, Bennett [2], among others, showed that universal design of information processing systems: computation need not be irreversible. In principle, ÓCopyright 2011 by International Business Machines Corporation. Copying in printed form for private use is permittedcomputations without payment could of royalty be performed provided that ( without1) each reproduction erasing is done without alteration and (2) the Journal reference and IBM copyright notice are included on the first page. The title and abstract, but no other portions, of this paper may be copied by any means or distributed royalty free withoutBWhen further we permission get to by the computer-based very, very and small other information-service world, say, circuits systems. Permissioninformation to republish any and, other thus, portion without of this paper energy must be dissipation. obtained from the These Editor. of seven atoms, we have a lot ofIntroduction new things0018-8646/11/$5.00 that to would quantumB 2011 computinginsights IBM set the stage for considerationirreducible of quantum release of heat to the environment. As a result, happen that represent completelyIn new his opportunitiesfamous 1959 for after-dinner talkmechanicalBThere systemsis plenty as of computers. room Sincewhenever coherent an quantum irreversible logic element such as a NAND design. Atoms on a small scale behaveat the like bottom, nothing[ Richard on a large Feynmanmechanical challenged operations the scientific are energy conservinggate is operated, and time the computer must dissipate energy. scale, for they satisfy the laws ofcommunity quantum mechanics. to employ quantumreversible, mechanical they effects are a in natural the generalizationLater, Bennett of the reversible [2], among others, showed that universal So, as we go down and fiddle around with the atoms down classical operations of Bennett. IBM J. RES. & DEV. VOL. 55 NO. 5 PAPER 13design SEPTEMBER/OCTOBER of information 2011 processing systems: M.computation STEFFEN ET AL. need13 not : 1 be irreversible. In principle, there, we are working with different laws, and we can In the 1980s, it was shown that a quantum mechanical computations could be performed without erasing expect to do different things. We can manufacture in Hamiltonian can represent a universal Turing machine [3]. different ways. We can use not justB circuitsWhen we but get some to system the very, veryIt was small further world, shown say, that circuits a quantuminformation machine could and, thus, without energy dissipation. These involving the quantized energy levels,of seven or the atoms, interactions we have a lot ofefficiently new things simulate that would other quantum physicalinsights systems. set the In stage other for consideration of quantum of quantized spins, etc.[ happen that represent completelywords, new opportunities a quantum machine for would usemechanical only polynomial systems as computers. Since coherent quantum design. Atoms on a small scale behaveresources like of nothing time, memory, on a large and spacemechanical to simulate operations other are energy conserving and time However, at that time, even Feynmanscale, for could they not satisfy guess the laws ofquantum quantum systems. mechanics. By comparison, thereversible, simulation they of such are a natural generalization of the reversible how a quantum system could beSo, used as to we perform go down information and fiddle aroundsystems with by a the classical atoms machine down requiresclassical an exponential operations of Bennett. processing tasks. A greater understandingthere, we of are the working fundamental with differentgrowth laws, of resources and we can for increasingly largerIn the problems 1980s, [4, it was 5]. shown that a quantum mechanical rules of information processing wasexpect first to required. do different In the things. WeThe can notion manufacture of a quantum in Turing machineHamiltonian was subsequently can represent a universal Turing machine [3]. ensuing years, IBM Research significantlydifferent ways. contributed We can to that use not justdeveloped, circuits and but the some concept system of quantumIt was parallelism further shownwas that a quantum machine could understanding. Landauer [1] showedinvolving that energy the quantized must be energy levels,introduced or the [6]. interactions efficiently simulate other quantum physical systems. In other dissipated in computing only whenof quantized information spins, is erased etc.[ A major breakthrough, i.e., the truewords, birth of a quantum quantum machine would use only polynomial and that erasing a bit of information must result in an computing, came in 1994 when Peterresources Shor showed of time, that memory,a and space to simulate other However, at that time, even Feynmanquantum computercould not could guess factor integerquantum numbers systems. only in By the comparison, the simulation of such polynomial time [7]. The for integer how a quantum system could be used to perform information systems by a classical machine requires an exponential Digital Object Identifier: 10.1147/JRD.2011.2165678 factoring offers an exponential speedup over the best processing tasks. A greater understanding of the fundamental growth of resources for increasingly larger problems [4, 5]. rules of information processing was first required. In the The notion of a was subsequently ÓCopyright 2011 by International Business Machines Corporation. Copying in printed form for private use is permitted without payment of royalty provided that (1) each reproduction is done without alteration and (2) the Journal reference and IBM copyrightensuing notice years, are included IBM on the Research first page. The significantly title and abstract, but contributed no other portions, to of this that paper may bedeveloped, copied by any means and or distributedthe concept of quantum parallelism was royalty free without further permission by computer-basedunderstanding. and other information-service Landauer [1] systems. showed Permission that to republish energy any other must portion be of this paper mustintroduced be obtained from [6]. the Editor. dissipated in computing0018-8646/11/$5.00only whenB 2011 information IBM is erased A major breakthrough, i.e., the true birth of quantum and that erasing a bit of information must result in an computing, came in 1994 when Peter Shor showed that a quantum computer could factor integer numbers only in the polynomial time [7]. The quantum algorithm for integer IBM J. RES. & DEV. VOL. 55 NO. 5 PAPER 13 SEPTEMBER/OCTOBER 2011 M. STEFFEN ET AL. 13 : 1 Digital Object Identifier: 10.1147/JRD.2011.2165678 factoring offers an exponential speedup over the best

ÓCopyright 2011 by International Business Machines Corporation. Copying in printed form for private use is permitted without payment of royalty provided that (1) each reproduction is done without alteration and (2) the Journal reference and IBM copyright notice are included on the first page. The title and abstract, but no other portions, of this paper may be copied by any means or distributed royalty free without further permission by computer-based and other information-service systems. Permission to republish any other portion of this paper must be obtained from the Editor.

0018-8646/11/$5.00 B 2011 IBM

IBM J. RES. & DEV. VOL. 55 NO. 5 PAPER 13 SEPTEMBER/OCTOBER 2011 M. STEFFEN ET AL. 13 : 1 Once we consider the coupling of two or more qubits to requirements individually can be done with relative ease. construct a quantum logical gate, it becomes clear that a more Satisfying all of them simultaneously is quite experimentally sophisticated set of metrics must supplement the T2 metric. challenging and at the frontier of current research in There are three additional quantities that will certainly quantum computing. require attention. Historically, a liquid-state NMR quantum computer (NMRQC) was the first physical system demonstrating many 1. Off–on ratio RVA quantum algorithm requires a of the main concepts of quantum computing. In such a programmed sequence of quantum gate operations, i.e., system, the nuclear spins are placed in a strong magnetic specific coherent couplings between specified qubits. field, creating the Bup[ and Bdown[ states of the nuclear Obviously, when the program specifies no operation in a (similar to the north- and south-pole orientations of a particular cycle, this coherent coupling should be bar magnet) representing the logical 0 and 1 states. j i j i zero. R measures the extent to which these couplings Separately, IBM [30] and Oxford University [31] were the can be really turned off. The quantity 1 R should be as first to report an experimental realization of a quantum À close to 1 as possible. algorithm. The IBM group led by I. Chuang further 2. Gate fidelity FVThis quantity is closely related to e, in significantly contributed to this field, with the that 1 F is also an error probability. However, while implementation of a three- quantum search algorithm À T2 provides a measure of how much error occurs in [32], a five-qubit order-finding algorithm [33], the realization an uncoupled qubit, 1 F more specifically measures of an adiabatic quantum optimization algorithm [34], and a À the occurrence of error during actual coupled operation, demonstration of Shor’s factoring algorithm [35] (factoring and it is the more relevant error rate for fault-tolerant the number 15 using a seven-spin molecule). These operation. F encapsulates any type of error that demonstrations, together with those of other groups, helped could occur due, for example, to loss of transform experimental quantum computing into a growing QuantumIndeed, we envision computing: a practical quantum computing M. SteffenTze-Chiang Chen for their consistent support of this risky systemor unwanted as including coupling. a very Obviously, sophisticatedF must classical be very system D. P. DiVincenzoandfield forward-looking of research. research. Portions of IBM theoretical Anclose IBM to 1. perspective J. M. ChowBy the early 2000s, the liquid-state NMRQC had been intimately connected to the quantum computing hardware. T. N. Theisand experimental work reviewed here and described in detail 3.QuantumMeasurement physics provides fidelity an intriguing MV basisThe for achievingquantity 1 M is anotherM. B. Ketchenpushed close to some natural limits to the ability to Ascomputational presently power envisioned, to address certain the categories classical of mathematical systemÀ will have in the indicated references were supported by the National problemserror that probability are completely but intractable is related with machine to how computation well classical distinguish increasing numbers of nuclear spins in toas exchangewe know it today. signals We present with a brief the overview quantum of the current subsystem, while Science Foundation, by BBN, and by the Intelligence theoreticalinformation and experimental can be works extracted in the emerging from field a of qubit. Such an increasingly large molecules. No path was seen that would maintainingquantum computing. very The lowimplementation noise temperaturesof a functioning quantum so as not to Advanced Research Projects Agency. decoherecomputeroperation poses the tremendous is qubits. frequently scientific The size and required technological of the in classical QEC. challenges, Like dataF streams, M must allow such systems to be scaled to many qubits and large but current rates of progress suggest that these challenges will be involvedsubstantivelybe very in addressed close the diagnosis over to the1. next ten and years. the We control provide a sketch of the quantum Referencescomputations. This ultimately led to a change of direction of a quantum computing system based on superconducting circuits, hardwarewhich are the will current ultimately focus of our research. be prodigious. A realistic vision Expertise in at1. IBM. R. Landauer, BeginningBIrreversibility in 2002, a and small heat research generation group in the led computing by the emergesThe concerning community the form has of a paid future scalable some fault-tolerant attention to all of these lateprocess, Roger[ KochIBM J. began Res. & to Dev. explore, vol. 5, the no. superconducting 3, pp. 183–191, communicationsquantum computer. and packaging technology will be essential metrics, and there has been definite progress on all; however, JosephsonJul. 1961. junction technology as the basis for the fabrication at and beyond the level presently practiced in development of 2. C. H. Bennett, BLogical reversibility of computation,[ IBM J. today’sso far, there most has sophisticated been no concerted digital computers. effort to improve The hardware all of qubits.Res. & Dev.Since, vol. the 17, critical no. 6, features pp. 525–532, of a Nov. Josephson 1973. junction willof them probably in a coordinated be situated fashionin multiple in a temperature single quantum zones are3. P.defined Benioff, byBThe a lithographic computer as a process, physical it system: should A bemicroscopic possible Introduction to quantum computing irreducible release of heat to the environment. As a result, device technology. Now, by focusing on a specific device to buildquantum many mechanical of such Hamiltonian devices using model the of processes computers of as modern In his famous 1959ranging after-dinner from talk BThere 20 mK is plenty to of room room temperature.whenever an irreversible Several logic element different such as a NAND represented by Turing machines,[ J. Stat. Phys., vol. 22, no. 5, at the bottom,[technologyRichard Feynman implemented challenged the scientific in a specificgate is operated, quantum the computer computingmust dissipate energy. microelectronics manufacturing. This suggests that the community tocontrol employ mechanical technologies effects in the mayLater, be Bennett required [2], among to meet others, showed the that universal pp. 563–591, 1980. design of information processing systems: computation need not be irreversible. In principle, 4. Y. Manin, Computable and Uncomputable. Moscow, Russia: performancearchitecture, weand hope thermal to increase boundary the conditions, rate of progress. ranging from technology19 can ultimately support the construction of large computations could be performed without erasing Other circuit-oriented metrics will be, no doubt, precisely quantumSovetskoye computing Radio, 1980. systems with complex architecture and BWhen we getroom-temperature to the very, very small world, and say, cooled circuits (77-information and 4-K) and, thus, complementary without energy dissipation. These 5. R. P. Feynman, BSimulating physics with computers,[ Int. J. of seven atoms,formulated we have a lot of as new experience things that would is gained.insights We set the are stage still for consideration a long way of quantum comprised of many qubits. happen that representmetal–oxide–semiconductors completely new opportunities for tomechanical 4- and systems 20-mK as computers. analog Since and coherent quantum Theor. Phys., vol. 21, no. 6/7, pp. 467–488, 1982. design. Atomsdigitalfrom on a small building scale Josephson behave likea practical nothing technologies. on a large quantummechanical computer, operations but are energy the conserving path and time 6.While D. Deutsch, we focusBQuantum on this theory, approach the Church-Turing to quantum principle computing in scale, for they satisfy the laws of quantum mechanics. reversible, they are a natural generalization of the reversible toward this goal is becoming clearer. theand remainder the universal of this quantum paper, computer, we note[ Proc. that other R. Soc. approaches So, as we go down and fiddle around with the atoms down classical operations of Bennett. Lond. A, Math. Phys. Sci., vol. 400, no. 1818, pp. 97–117, there, we are working with different laws, and we can In the 1980s, it was shown that a quantum mechanicalmay ultimately be used. After all, commercially viable expect to do differentConclusion things. We can manufacture in Hamiltonian can represent a universal Turing machine [3]. Jul. 1985. different ways.WhileChoosing We can use we not juststill thecircuits have qubitbut some a long system wayIt to was go further and shown many that a details quantum machine to could classical7. P. Shor, computersBAlgorithms have for beenquantum built computation: from several Discrete log involving the quantized energy levels, or the interactions efficiently simulate other quantum physical systems. In other and factoring,[ in Proc. 35th Annu. Symp. Found. Comput. Sci., of quantized spins,workMany etc.[ out, very we different can see physical the broad systems formwords, a of have quantum tomorrow’s been machine proposed would quantum use only for polynomial fundamentallyLos Alamitos, different CA, 1994, types pp. 124–134. of devices over the years, the instantiation of qubits. Publishedresources proposals of time, memory, include and space to simulate other and we are still searching for new devices with which to However, atcomputers. that time, even Feynman The markedcould not guess progressquantum in the systems. theory By comparison, of QEC the has simulation of such 8. L. K. Grover, BQuantum mechanics helps in searching for a needle how a quantumrelaxedsilicon-based system could the be used device nuclear to perform error information spins rate [21], thatsystems trapped must by be a classical ions achieved machine [22], requiresfor cavity an exponential buildin such a haystack, computers.[ Phys. Rev. By analogy, Lett., vol. we79, no. can 2, expect pp. 325–328, the processing tasks. A greater understanding of the fundamental growth of resources for increasingly larger problems [4, 5]. Jul. 1997. rules of informationfault-tolerantquantum processing electrodynamics was computing.first required. In the Rapid [23], nuclearThe improvements notion of spins a quantum [24], in Turing machine was subsequentlycontinued9. P. Shor, explorationBScheme for and reducing the future decoherence development in quantum of several ensuing years, IBMspins Research in quantum significantly contributed dots [25], to that superconductingdeveloped, and the concept loops of quantum and parallelism was potentiallycomputer competing memory,[ Phys. types Rev. of A,quantum Gen. Phys. devices., vol. 52, Today, no. 4, understanding.experimental Landauer [1] showed quantum that energy must hardware be introduced suggest [6]. that a threshold dissipated in computingforJosephson theonly designwhen junctions information and the is [26], erased construction liquid-stateA major of nuclear fault-tolerant breakthrough, magnetic i.e., the systems true birth of quantum in additionpp. 2493–2496, to various Oct. 1995. approaches based on superconducting and that erasing a bit of information must result in an computing, came in 1994 when Peter Shor showed that10. a A. M. Steane, BError correcting codes in quantum theory,[ mayresonance be reached (NMR) in [27, the next 28], andfivequantum years. computer At suspended that could point, factor integer above the numbers only inqubits, the Phys. the Rev. most Lett. active, vol. 77, areas no. , of pp. research 793–797, involve Jul. 1996. trapped goalthe surface of building of liquid a useful helium and [29], reliablepolynomial among quantum time others. [7]. The computer Thequantum ultimate algorithm will for integer11.ions D. and Gottesman, quantumBStabilizer dots. The codes largest and quantum quantum error computer correction, built[ Digital Object Identifier: 10.1147/JRD.2011.2165678 factoring offers an exponential speedup over the best besuccess within of our any reach. of such proposal will depend on the degree in anyPh.D. of dissertation, these systems California to date Inst. consists Technol., of Pasadena, about ten CA, qubits, ÓCopyright 2011 by International Business Machines Corporation. Copying in printed form for private use is permitted without payment of royalty provided that (1) each reproduction is done without 1997. alteration and (2) the Journalto referencewhich and IBM the copyright chosen notice are included system on the first page. can The title and be abstract, engineered but no other portions, of to this paper satisfy may be copied by any means or distributedand most implementations are focused on the demonstration royalty free without further permission by computer-based and other information-service systems. Permission to republish any other portion of this paper must be obtained from the Editor.12. D. Aharonov and M. Ben-Or, BFault-tolerant quantum computation Acknowledgmentsthe five DiVincenzo criteria.0018-8646/11/$5.00 SatisfyingB 2011 IBM any of these of awith specific constant quantum error,[ in algorithmProc. 29th or Annu. quantum ACM Symp. state. Theory The authors dedicate this paper to Nabil Amer and to the Comput., El Paso, TX, May 4–6, 1997, pp. 176–188. 13. D. Aharonov and M. Ben-Or, BFault-tolerant of Roger Koch. In the early 1990s, Amer convened IBM J. RES. & DEV. VOL. 55 NO. 5 PAPER 13 SEPTEMBER/OCTOBER 2011 M. STEFFEN ET AL. 13 : 1 computation with constant error,[ SIAM J. Comput., a group of theoretical scientists and asked the question BHow vol. 38, no. 4, pp. 1207–1282, 2008. 14. A. Y. Kitaev, BFault-tolerant quantum computation by anyons,[ wouldIBM J. RES. God & compute DEV. VOL. if 55 he NO. had 5 not PAPER made 13 silicon? SEPTEMBER/OCTOBER[ IBM’s 2011 M. STEFFEN ET AL. 13 : 3 Ann. Phys., vol. 303, no. 1, pp. 2–30, 2003, arXiv preprint, theoretical research effort in quantum information further quant-ph/9707021. strengthened and grew in response to those discussions. 15. A. Y. Kitaev, BQuantum computations: Algorithms and error Amer also championed the NMRQC project at Almaden and correction,[ Russ. Math. Surv., vol. 52, no. 6, pp. 1191–1249, 1997. helped to convince Koch to found our ongoing program 16. R. Raussendorf and J. Harrington, BFault-tolerant quantum based on superconducting quantum electronics. The authors computation with high threshold in two dimensions,[ would like to recognize the many advances over the years by Phys. Rev. Lett., vol. 98, no. 19, pp. 190504-1–190504-4, 2007. members of the theory and experimental teams engaged in 17. R. Jozsa, BEntanglement and quantum computation,[ in Geometric various aspects of quantum computing research at IBM. Issues in the Foundations of Science, S. Huggett, L. Mason, They particularly wish to acknowledge Antonio Corcoles, P. Tod, T. Sheung Tsun, and N. Woodhouse, Eds. London, U.K.: Oxford Univ. Press, 1997. Kent Fung, Jay Gambetta, George Keefe, Stefano Poletto, 18. J. S. Bell, BOn the Einstein Podolsky Rosen paradox,[ Physics, Chad Rigetti, John Rohrs, Mary Beth Rothwell, and vol. 1, no. 3, pp. 195–200, 1964. Jim Rozen who contributed to the recent experimental 19. M. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information: 10th Anniversary Edition. Cambridge, U.K.: breakthroughs. They would like to thank Chris Lirakis and Cambridge Univ. Press, 2010. John Clarke for their very helpful suggestions for improving 20. D. P. DiVincenzo, BThe physical implementation of quantum an early and rough draft of this manuscript. The authors computation,[ Fortschr. Phys., vol. 48, no. 9–11, pp. 771–783, 2000. would also like to thank past and present executives 21. B. Kane, BA silicon-based nuclear spin quantum computer,[ Paul Horn, Randall Isaac, John E. Kelly, III, and Nature, vol. 393, no. 6681, pp. 133–137, May 1998.

IBM J. RES. & DEV. VOL. 55 NO. 5 PAPER 13 SEPTEMBER/OCTOBER 2011 M. STEFFEN ET AL. 13 : 9 SPECIALSECTION

may lead to even larger quantum computers that 8. J. Benhelm, G. Kirchmair, C. F. Roos, R. Blatt, Nat. Phys. 33. J. Labaziewicz et al., Phys. Rev. Lett. 101,180602(2008). can ultimately be put to use in materials design, 4,463(2008). 34. D. A. Hite et al., Phys. Rev. Lett. 109,103001(2012). 9. J. J. García-Ripoll, P. Zoller, J. I. Cirac, Phys. Rev. Lett. 91, 35. F. Schmidt-Kaler et al., Nature 422,408(2003). communications, and high-performance compu- 157901 (2003). 36. D. D. Yavuz et al., Phys. Rev. Lett. 96,063001(2006). tation. As quantum systems are made ever larger, 10. . A. Turchette et al., Phys. Rev. A 61,063418(2000). 37. C. Knoernschild et al., Appl. Phys. Lett. 97,134101(2010). they ultimately tend toward classical behavior 11. H. Häffner, C. Roos, R. Blatt, Phys. Rep. 469,155(2008). 38. C. Weitenberg et al., Nature 471,319(2011). because the quantum nature of the system quickly 12. S.-L. Zhu, C. Monroe, L.-M. Duan, Europhys. Lett. 73,485 39. C. Monroe et al., http://arxiv.org/abs/1208.0391 (2012). (2006). 40. J. Kim et al., IEEE . Technol. Lett. 15,1537(2003). disappears even at the presence of tiny amounts 13. J. Ignacio Cirac, P. Zoller, Nat. Phys. 8,264(2012). 41. H.-J. Briegel, W.Dür, J. I. Cirac, P. Zoller, Phys. Rev. Lett. of dissipation. Whether we find that the strange 14. D. Kielpinski, C. Monroe, D. J. Wineland, Nature 417, 81,5932(1998). rules of quantum physics indeed persist to much 709 (2002). 42. K. De Greve et al., Nature 491,421(2012). larger systems, or perhaps a new order emerges, 15. M. D. Barrett et al., Phys. Rev. A 68, 042302 (2003). 43. P. F. Herskind et al., Opt. Lett. 36,3045(2011). the trapped ion platform for quantum information 16. A. Walther et al., Phys. Rev. Lett. 109,080501(2012). 44. A. Jechow, E. W. Streed, B. G. Norton, M. J. Petrasiunas, 17. R. Bowler et al., Phys. Rev. Lett. 109,080502(2012). D. Kielpinski, Opt. Lett. 36,1371(2011). processing is expected to provide the leading ex- 18. R. B. Blakestad et al., Phys. Rev. A 84,032314(2011). 45. M. Steiner, H. M. Meyer, C. Deutsch, J. Reichel, M. Köhl, perimental playground in which to explore the 19. D. L. Moehring et al., New J. Phys. 13,075018(2011). http://arxiv.org/abs/1211.0050 (2012). evolution of complex quantum systems. 20. D. Gottesman, I. L. Chuang, Nature 402,390(1999). 46. L.-M. Duan, C. Monroe, Rev. Mod. Phys. 82, 1209 (2010). 21. C. , W. T. M. Irvine, Phys. Rev. Lett. 91,110405(2003). 22. D. L. Moehring et al., Nature 449, 68 (2007). Acknowledgments: This work was supported by the U.S. Army References and Notes Research Office (ARO) award W911NF0710576 with funds from 1. M. A. Nielsen, I. L. Chuang, Quantum Computation and 23. C. Cabrillo, J. I. Cirac, P. Garcia-Fernandez, P. Zoller, the Defense Advanced Research Projects Agency (DARPA) Quantum Information (Cambridge Univ. Press, Phys. Rev. A 59,1025(1999). Emulator Program, ARO award W911NF0410234 Cambridge, 2000). 24. L. Slodicka et al., http://arxiv.org/abs/1207.5468 (2012). with funds from the Intelligence Advanced Research Projects 2. C. R. Monroe, D. J. Wineland, Sci. Am. 299,64(2008). 25. T. Kim, P. Maunz, J. Kim, Phys. Rev. A 84, 063423 (2011). Activity Multi-Qubit Coherent Operations program, ARO 3. T. D. Ladd et al., Nature 464, 45 (2010). 26. P. O. Schmidt et al., Science 309,749(2005). Multidisciplinary University Initiative award W911NF0910406 4. D. Leibfried, R. Blatt, C. Monroe, D. Wineland, Rev. Mod. 27. J. Chiaverini et al., Quant. Inf. Comp. 5,419(2005). on Hybrid Quantum Optical Circuits, Army Contracting Phys. 75,281(2003). 28. S. Seidelin et al., Phys. Rev. Lett. 96,253003(2006). Command award W31P4Q1210017 with funds from the 5. J. I. Cirac, P. Zoller, Phys. Rev. Lett. 74,4091(1995). 29. J. Kim et al., Quant. Inf. Comput. 5,515(2005). DARPA Quiness Program, and the NSF Physics Frontier 6. A. Sørensen, K. Mølmer, Phys. Rev. Lett. 82,1971 30. J. Amini et al., New J. Phys. 12,033031(2010). Center at JQI. (1999). 31. J. T. Merrill et al., New J. Phys. 13,103005(2011). 7. R. Blatt, D. Wineland, Nature 453,1008(2008). 32. L. Deslauriers et al., Phys. Rev. Lett. 97,103007(2006). 10.1126/science.1231298 on September 5, 2013

ficiently to hold one bit of quantum information Quantum InformationREVIEW Processing long enough for it to be written, manipulated, and to characterize a system of entangled qubits ap- and perform correctly, it is required that there force scaling. The second advantage is that the read. In the second stage, small quantum algo- pears to grow exponentially with their number, so should be less than one error on average during a allowable error rates are appreciably higher, even rithms can be performed; these two stages require the new techniques for “debugging” quantumSuperconducting cir- single pass of the QEC. For a large calculation, Circuitson the order for of current Quantum performance levels (a cou- cuits (55)willhavetobefurtherdeveloped.Inthe the codes must then be concatenated, with each ple of percent). However, there are two draw- that the first five DiVincenzo criteria be satisfied stages ahead, one must design, build, and operate qubit again being replaced by a redundant regis- backs: (i) the resource requirements (between (15). The following, more complexSPECIAL stages, how-SECTION systems with more than a few dozenInformation: degrees of ter, in a treelike hierarchy. An The so-called Outlook error- 100 and 10,000 physical qubits per logical qubit) ever, introduce and require QEC (3–6). In the www.sciencemag.org freedom, which, as a corollary to themay power lead of tocorrection1,2 even larger threshold, quantum where the computers resources1 required that are8. perhaps J. Benhelm, even higher G. Kirchmair, than in C. the F. QEC Roos, codes R. Blatt, thirdNat. Phys. stage, some33. errors J. Labaziewicz can beet corrected al., Phys. Rev.by quan- Lett. 101,180602(2008). quantum computation, are not evenM. possible H. Devoret to for thisand process R. J. of Schoelkopfexpansion begin* to converge, is (58), and (ii) the desired emergent properties of can ultimately be put to use in materials design, 4,463(2008). tum nondemolition34. D. A. readout Hite et ofal., errorPhys. syndromes Rev. Lett. 109,103001(2012). simulate classically. This suggests that large quan- usually estimated (26)tolieintherangeoferror this9. fabric J. J. García-Ripoll, are obtained only P. Zoller, after hundreds, J. I. Cirac, ifPhys. not Rev. Lett. 91, 35. F. Schmidt-Kaler et al., Nature 422,408(2003). The performance of superconducting−3 −4 qubits has improved3 by several orders of magnitude in the past such as parity. It also becomes possible to sta- tum processors should perhaps consistcommunications, of smaller rates of 10 andto high-performance 10 ,requiringvaluesof10 compu-to thousands,157901 of (2003).qubits have been assembled and 36. D. D. Yavuz et al., Phys. Rev. Lett. 96,063001(2006). modules whose operation and functionalitydecade. can These10 circuits4 for the benefit elements from of Table the robustness 1. Although ofsuperconductivityandtheJosephsoneffect,and these tested. bilize the qubit by feedback into any arbitrary tation. As quantum systems are made ever larger, 10. Q. A. Turchette et al., Phys. Rev. A 61,063418(2000). 37. C. Knoernschild et al., Appl. Phys. Lett. 97,134101(2010). be separately tested and characterized. performance levels and complexity requirements Athirdstrategyisbasedonmodulesofnested state (16, 17), including dynamical ones (18–21). at present they have not encountered any hard physical limits.11. However, H. Häffner, building C. Roos, an R. error-corrected Blatt, Phys. Rep. 469,155(2008). 38. C. Weitenberg et al., Nature 471,319(2011). AsecondchallengeinHamiltoniancontrolthey ultimatelymight no tend longer toward be inconceivable, classical they behavior are none- complexity. The basic element is a small register This stage was reached first by trapped ions (22), information processor with many such qubits will require solving12. specific S.-L. Zhu, architecture C. Monroe, L.-M. problems Duan, Europhys. that Lett. 73,485 39. C. Monroe et al., http://arxiv.org/abs/1208.0391 (2012). (or circuit cross-talk) is posed by thebecause need to thetheless quantum beyond nature the current of the state system of the quickly art, and (50)consistingofalogicalmemoryqubit,which constitute a new field of research. For the first time, physicists will(2006). have to master quantum error by Rydberg atoms40. J. Kim (16et), al and., IEEE most Photon. recently Technol. by Lett. 15,1537(2003). combine long-lived qubits with the fastdisappears readout, rather even daunting. at the presence of tiny amounts stores quantum information while performing the superconducting qubits (23–25). In the next correction to design and operate complex active systems that13. are J.dissipative Ignacio Cirac, in nature, P. Zoller, yetNat. remain Phys. 8,264(2012). 41. H.-J. Briegel, W.Dür, J. I. Cirac, P. Zoller, Phys.Downloaded from Rev. Lett. qubit reset or state initialization, and high-speedof dissipation.Anewerapproach( Whether we find56– that58)isthe the strange“surface usual kind of local error correction, and some (fourth) stage, the goal is to realize a quantum controls necessary to perform errorcoherent correction. indefinitely.code” model We of offer quantum a view computing, on some where directions a large foradditional the14. field D. Kielpinski, communication and speculate C. Monroe, qubits on its D. that future. J. Wineland, can interactNature 417, 81,5932(1998). This means that modes with much lowerrulesQ (~1000 of quantumnumber of physics identical indeed physical qubitspersist are to connected much with the709 memory (2002). and with other modules. By memory, where42. QEC K. De realizesGreve et al a., coherenceNature 491 time,421(2012). for a 50-ns measurement channel) willlarger need tohe besystems, conceptin a type or of perhapssolving of rectangular problems a new grid order with (or “fabric emerges, the ”).tum By informationentangling15. M. D. the processing Barrett communicationet al., (QIP)Phys. qubits, such Rev. A as one68 quan-, can042302that (2003). is longer43. than P. any F. Herskind of the individualet al., Opt. Lett. compo-36,3045(2011). intimately mixed with the long-lived qubitsthe trapped withuse ofhavingquantum ion platform specific algorithms, linkages for quantum between introduced information groups in of fourtum simulationdistribute16. A. Walther the(7, 8 entanglement)andlong-distanceet al., Phys. and Rev. eventually Lett.quantum109,080501(2012). per- nents. This goal44. is A. as Jechow, yet unfulfilled E. W. Streed, in B. any G. Norton, sys- M. J. Petrasiunas, 6 9 17. R. Bowler et al., Phys. Rev. Lett. 109,080502(2012). D. Kielpinski, Opt. Lett. 36,1371(2011). very high Q (~10 to 10 ), which requiresTprocessingthe ex- earlyadjacent is 1990sexpected qubits, (1, 2 to), and was provide fast welcomed QND the measurements leading as a ex-communication of form a general (9), computation appear reachable between modules. within tem. The final two stages in reaching the ultimate quisite isolation and shielding betweenrevolutionary the parts their change parity, in the the entire theory fabric of is computa- protected againstour lifetime,Here,18. R.the even B. operations Blakestad if many betweenet discoveries al., Phys. the communication Rev. and A 84 tech-,032314(2011).goal of fault-tolerant45. M. Steiner, quantum H. M. information Meyer, C. Deutsch, pro- J. Reichel, M. Köhl, of our high-frequency integrated circuit.tionalperimental If inter- complexity,errors. playground but One the appeal feat in of ofwhich this actually strategy to explore build- is that it thenological re- bits19. innovations can D. have L. Moehring relatively areet still high al., toNew error be J. made. rates, Phys. or13 even,075018(2011).cessing (26)requiretheabilitytodoallsingle-http://arxiv.org/abs/1211.0050 (2012). 46. L.-M. Duan, C. Monroe, Rev. Mod. Phys. 82, 1209 (2010). actions between a qubit and its surroundingsingevolution a cause quantum ofquires computer complex a minimum was quantum then number thought systems. of different to be types ofBelow,be20. probabilistic we D. Gottesman, discuss and the sometimes I. L. specific Chuang, fail physicalNature entirely,402 pro-im-,390(1999).qubit operations on one logical qubit (which is an even 0.1% of the energy of a qubit to leak into a elements, and once the development of the ele- vided21. C.that Simon, the communication W. T. M. Irvine, schemesPhys. Rev. have Lett. some91,110405(2003). impossible. The invention of quantum error cor- plementation of general-purpose QIP with super- effective on September 5, 2013 qubit protected by active error correc- low-Q mode, we completely spoil its lifetime. mentary cell is successful, the subsequent stages modest22. D. redundancy L. Moehring andet al robustness.., Nature 449 The, 68 adop- (2007). Acknowledgments: This work was supported by the U.S. Army Although the required levels of isolationrection are prob-References (QEC)of (3 development–6 and)introducedhopethataquan- Notes (the fourth, fifth, and sixth stagesconductingtion of qubits techniques (10). from A comprehensive cavity quantum review electro- tion mechanisms),Research and Office the (ARO) ability award to perform W911NF0710576 gate with funds from 1. M. A. Nielsen, I. L. Chuang, Quantum Computation and 23. C. Cabrillo, J. I. Cirac, P. Garcia-Fernandez, P. Zoller, ably feasible, these challenges have nottum yet computer been in might Fig. 1) one might day besimply built, be most achieved likely by brute-of the historydynamics and (QED) current ( status59)andtheadvantagesfor of the field is beyond operations betweenthe Defense several Advanced logical Research qubits; Projects in both Agency (DARPA) Quantum Information (Cambridge Univ. Press, Phys. Rev. A 59,1025(1999). faced or solved by conventional superconductingby future generations of physicists and engineers. the scope of this article. Several detailed reviews on stages the enhancedOptical Lattice coherence Emulator Program, lifetime ARO of the award W911NF0410234 Cambridge, 2000). 24. L. Slodicka et al., http://arxiv.org/abs/1207.5468 (2012). or semiconducting circuit designers. In our view, with funds from the Intelligence Advanced Research Projects However,2. C. R. less Monroe,Table than D. 1. 20 J.Superconducting yearsWineland, later,Sci. we Am. qubits: have299 Desired,64(2008). wit- parameterthe principles25. margins T. and Kim, for operations P. scalability Maunz, ofJ. Kim, and these thePhys. circuits corresponding Rev. already A 84, 063423qubits (2011). should be preserved. the next stages of development will require ap- demonstrated values. Desired capability margins are numbers of successful operations or realizations of a Activity Multi-Qubit Coherent Operations program, ARO nessed3. T. so D. many Ladd et advances al., Nature that464 successful, 45 (2010). quantum exist (1126.–14 P.). Here, O. Schmidt we raiseet al only., Science a few309 important,749(2005). preciable advances, both practical and concep- component before failure. For the stability of the Hamiltonian, capability is the number of Ramsey shots Multidisciplinary University Initiative award W911NF0910406 computations,4. D. Leibfried, and R. Blatt, other C. applications Monroe, D. Wineland, of quan-Rev. Mod.aspects needed27. J. Chiaverini for the discussionet al., Quant. before Inf. Comp. proceed-5,419(2005).Superconducting Circuits: tual, in all aspects of Hamiltonian design and that meaningfully would provide one bit of information on a parameter (e.g., the qubit frequency) during on Hybrid Quantum Optical Circuits, Army Contracting Phys. 75,281(2003). ing to some28. S. speculations Seidelin et al on., Phys. future Rev. directions. Lett. 96,253003(2006).Hamiltonians by Design control. the time when this parameter has not drifted. Estimated current capability is expressed as number of 20 Command award W31P4Q1210017 with funds from the 5. J. I. Cirac, P. Zoller, Phys. Rev. Lett. 74,4091(1995). 29. J. Kim et al., Quant. Inf. Comput. 5,515(2005).Unlikewww.sciencemag.org microscopic entities—electrons, atoms, 1Departments ofsuperconducting and qubits, Physics, given Yale best University, decoherence times and success probabilities. Demonstrated successful DARPA Quiness Program, and the NSF Physics Frontier What Will We Learn About Active 6. A. Sørensen, K. Mølmer, Phys. Rev. Lett. 82,1971 Toward30. a Quantum J. Amini et Computer al., New J. Phys. 12,033031(2010). New Haven, CT 06520,performance USA. 2College is given de , in terms Place ofMarcelin the main performance characteristic of successful operation or ions, and photonsCenter— aton JQI. which other qubits are Architectures During the Next Stage? 31. J. T. Merrill et al., New J. Phys. 13,103005(2011). Berthelot,(1999). F-75005Hamiltonian , France. control (various units). A reset qubitDeveloping operation forces a quantum a qubit to computer take a particular involves state. several A Rabi based, superconducting quantum circuits are How long might it take to realize robust7. R. and Blatt,flop D. Wineland, denotes aNature single-qubit453,1008(2008).p rotation. A swapoverlapping to bus is32. an operation L. and Deslauriers interconnecting to makeet al a., two-qubitPhys. stages Rev. entanglement Lett. (Fig.97,103007(2006). 1). based on the10.1126/science.1231298 electrical (LC) oscillator (Fig. 2A) practical error correction with superconducting*ToRecent whom correspondencebetween progress distant should qubits. be addressed. In a readout in E-mail: qubit superconducting operation, the readout must be QND or must qubits operate on an on September 5, 2013 [email protected] First, a quantum system has to be controlled suf- and are macroscopic systems with a large number circuits? This will depend on how rapidly the ancilla without demolishing any memory qubit of the computer. Stability refers to the time scale during experimental techniques and capabilities (Fig. 3, which a Hamiltonian parameter drifts by an amount corresponding to one bit of information, or the time AandB)continuetoadvance,butalsoonthe scale it would take to find all such parameters in a complex system to this precision. Accuracy can refer to

Downloaded from ficiently to hold one bit of quantum information REVIEW www.sciencemag.org SCIENCE VOL 339 8 MARCH 2013 1169 architectural approach to QEC, which might con- the degree to which a certain Hamiltonian symmetryorpropertycanbedesignedandknowninadvance, long enough for it to be written, manipulated, and siderably modify both the necessary circuit com- the ratio by which a certain coupling can be turned on and off during operation, or the ratio of desired to plexity and the performance limits (elements of undesired couplings. Yield is the number of quantum objects with one degree of freedom that can be read. In the second stage, small quantum algo- made without failing or being out of specification to the degree that the function of the whole is Table 1) that are required. Several different ap- rithms can be performed; these two stages require compromised. Complexity is the overall number of interacting, but separately controllable, entangled proaches exist that are theoretically wellSuperconducting devel- Circuits for Quantum degrees of freedom in a device. Question marks indicate that more experiments are needed for a that the first five DiVincenzo criteria be satisfied oped (1, 2)butremainrelativelyuntestedinthe conclusive result. Values given in rightmost column are compiled from recently published data and (15). The following, more complex stages, how- real world. improve on a yearly basis. The canonical models for QEC areInformation: the sta- An Outlook ever, introduce and require QEC (3–6). In the www.sciencemag.org bilizer codes (3–6). Here, information is redun- 1,2 Desired1 capability Estimated Demonstrated third stage, some errors can be corrected by quan- M. H. DevoretRequirementand for R. scalability J. Schoelkopf * dantly encoded in a register of entangled physical margins current capability successful performance tum nondemolition readout of error syndromes qubits (typically, at least seven) to create a single QI operation logical qubit. Assuming that errors occurThe singly, performance of superconducting qubits has improved by several orders of magnitude in the past such as parity. It also becomes possible to sta- Reset qubit 102 to 104 50 Fidelity ≥ 0.995 (17) one detects them by measuring a set of certain bilize the qubit by feedback into any arbitrary decade. TheseRabi circuits flop benefit from the10 robustness2 to 104 ofsuperconductivityandtheJosephsoneffect,and1000 Fidelity ≥ 0.99 (69, 70) collective properties (known as stabilizer oper- at present theySwap have to bus not encountered any102 to hard 104 physical limits.100 However, buildingFidelity ≥ 0.98 an error-corrected (71) state (16, 17), including dynamical ones (18–21). ators) of the qubits, and then applies appropriate Readout qubit 102 to 104 1000 Fidelity ≥ 0.98 (51) This stage was reached first by trapped ions (22), additional gates to undo the errors beforeinformation the de- processor with many such qubits will require solving specific architecture problems that System Hamiltonian sired information is irreversibly corrupted. Thus, by Rydberg atoms (16), and most recently by constitute a newStability field of research. For the106 firstto 109 time, physicists? will havedf/f toin 1master day < 2 quantum× 10−7 (43) error an experiment to perform gates between a pair of 2 4 superconducting qubits (23–25). In the next correction toAccuracy design and operate complex 10 activeto 10 systems10 that to 100 are dissipative1 in to 10% nature, (43) yet remain Downloaded from logically encoded qubits might take a few dozen Yield >104 ?? (fourth) stage, the goal is to realize a quantum qubits, with hundreds to thousands ofcoherent individual indefinitely. We offer a view on some directions for the field and speculate on its future. Complexity 104 to 107 10? 1 to 10 qubits (61) operations. To reach a kind of “break-even” point memory, where QEC realizes a coherence time he concept of solving problems with the tum information processing (QIP) such as quan- that is longer than any of the individual compo- use of quantum algorithms, introduced in tum simulation (7, 8)andlong-distancequantum nents. This goal is as yet unfulfilled in any sys- 1172 8MARCH2013 VOL339 SCIENCE www.sciencemag.org Tthe early 1990s (1, 2), was welcomed as a communication (9), appear reachable within tem. The final two stages in reaching the ultimate revolutionary change in the theory of computa- our lifetime, even if many discoveries and tech- goal of fault-tolerant quantum information pro- tional complexity, but the feat of actually build- nological innovations are still to be made. cessing (26)requiretheabilitytodoallsingle- ing a quantum computer was then thought to be Below, we discuss the specific physical im- qubit operations on one logical qubit (which is an impossible. The invention of quantum error cor- plementation of general-purpose QIP with super- effective qubit protected by active error correc- rection (QEC) (3–6)introducedhopethataquan- conducting qubits (10). A comprehensive review tion mechanisms), and the ability to perform gate tum computer might one day be built, most likely of the history and current status of the field is beyond operations between several logical qubits; in both by future generations of physicists and engineers. the scope of this article. Several detailed reviews on stages the enhanced coherence lifetime of the However, less than 20 years later, we have wit- the principles and operations of these circuits already qubits should be preserved. nessed so many advances that successful quantum exist (11–14). Here, we raise only a few important computations, and other applications of quan- aspects needed for the discussion before proceed- Superconducting Circuits: ing to some speculations on future directions. Hamiltonians by Design

1 Unlike microscopic entities—electrons, atoms, Departments of Applied Physics and Physics, Yale University, Toward a Quantum Computer New Haven, CT 06520, USA. 2College de France, Place Marcelin ions, and —on which other qubits are Berthelot, F-75005 Paris, France. Developing a quantum computer involves several based, superconducting quantum circuits are *To whom correspondence should be addressed. E-mail: overlapping and interconnecting stages (Fig. 1). based on the electrical (LC) oscillator (Fig. 2A) [email protected] First, a quantum system has to be controlled suf- and are macroscopic systems with a large number

www.sciencemag.org SCIENCE VOL 339 8 MARCH 2013 1169 SPECIALSECTION routing microwave photons with transmission noncomputational states beyond the first two lev- onstrated most of the basic functionality with lines [now known as circuit QED (12, 44, 60)] els is of course known in atomic physics, and has reasonable (or even surprising) levels of perform- might make on-chip versions of these schemes already been used as a shortcut to two- and three- ance. Remarkably, we have not yet encountered with superconducting circuits an attractive alter- qubit gates in superconducting circuits (23, 61). any fundamental physical principles that would native. Although this strategy can be viewed as Under the right conditions, the use of nonlinear prohibit the building of quite large quantum pro- less direct and requires a variety of differing parts, oscillators with many accessible energy levels cessors. The demonstrated capabilities of super- its advantage is that stringent quality tests are easier could replace the function of several qubits conducting circuits, as in trapped ions and cold to perform at the level of each module, and hid- without introducing new error mechanisms. As atoms, mean that QIP is beginning what may den design flaws might be recognized at earlier aconcreteexampleofthepowerofthisapproach, be one of its most interesting phases of devel- stages. Finally, once modules with sufficient per- arecentproposal(62)forusingacavityasa opment. Here, one enters a true terra incognita formance are in hand, they can then be programmed protected memory requires only one ancilla for complex quantum systems, as QEC becomes to realize any of the other schemes in an addi- and one readout channel—a real decrease in more than a theoretical discipline. As in the past, tional “software layer” of error correction. complexity. this era will include new scientific innovations Finally, the best strategy might include ideas How architectural choices like these affect and basic questions to be answered. Even if this that are radically different from those considered our ability to perform error-corrected information stage is successful, there will remain many further standard fare in quantum information science. processing will be a key scientific question occu- stages of development and technical challenges Much may be gained by looking for shortcuts pying this field in the near future, and will prob- to be mastered before useful quantum informa- that are hardware-specific and optimized for the ably take several years to resolve. The knowledge tion processing could become a reality. However, particular strengths and weaknesses of a partic- garnered in this process has the potential to sub- we think it is unlikely to become a purely techno- ular technology. For instance, all of the schemes stantially change the resources required for build- logical enterprise, like sending a man to the Moon, described above are based on a “qubit register ing quantum computers, quantum simulators, or in the foreseeable future. After all, even the Moore’s model,” where one builds the larger Hilbert space quantum communication systems that are actual- law progression of CMOS integrated circuits over and the required redundancy from a collection of ly useful. the past four decades has not brought the end of many individual two-level systems. But for su- such fields as semiconductor physics or nano- perconducting circuits, the “natural units” are os- The Path Forward science, but rather enabled, accelerated, and steered cillators with varying degrees of nonlinearity, The field of QIP with superconducting circuits them in unanticipated directions. We feel that fu- on September 5, 2013 rather than true two-level systems. The use of has made dramatic progress, and has already dem- ture progress in quantum computation will always 21

AB 10,000 107 3D cavities T1 100,000 T2 3D-+JPC+P-filter 106 Tcav www.sciencemag.org 1000 10,000 105 cQED Fluxonium Improved 1000 104 Quantronium 3D transmon 100 100 Transmon+JBA 103 3D transmon Transmon CPB+HEMT Qubit lifetime (ns) 10 Downloaded from

2 Operations per error 10 CPB 10 1 101 Charge echo Number of bits per qubit lifetime

100 1 2000 2004 2008 2012 2004 2006 2008 2010 2012 2014 Year Year

Fig. 3. Examples of the “Moore’slaw” type of exponential scaling in performance from the qubit during its T1 lifetime (this number combines signal-to-noise ratio of superconducting qubits during recent years. All types have progressed, but we and speed). This quantity can also be understood as the number of measurements, focus here only on those in the leftmost part of Fig. 2C. (A)Improvementof each with one bit of precision, that would be possible before an error occurs. Data coherence times for the “typical best” results associated with the first versions of points correspond to the following innovations in design: a Cooper-pair box read major design changes. The blue, red, and green symbols refer to qubit relaxation, by off-resonance coupling to a cavity whose frequency is monitored by a micro- qubit decoherence, and cavity lifetimes, respectively. Innovations were introduced wave pulse analyzed using a semiconductor high–electron mobility transistor to avoid the dominant decoherence channel found in earlier generations. So far amplifier (CPB+HEMT) [also called dispersive circuit QED (68)], an improved an ultimate limit on coherence seems not to have been encountered. Devices amplification chain reading a transmon using a superconductor preamplifier other than those in Fig. 2C: charge echo (63), circuit QED (44), 3D transmon (43), derived from the Josephson bifurcation amplifier (transmon+JBA) (49), and fur- and improved 3D transmon (64, 65). For comparison, superconducting cavity ther improvement with another superconductor preamplifier derived from the lifetimes are given for a 3D transmon and separate 3D cavities (66). Even longer Josephson parametric converter (51)combinedwithfilterin3Dtransmoncavity times in excess of 0.1 s have been achieved in similar 3D cavities for Rydberg atom eliminating Purcell effect (3D-transmon+JPC+P-filter). Better amplifier efficiency, experiments [e.g., (67)]. (B)EvolutionofsuperconductingqubitQNDreadout.We optimal signal processing, and longer qubit lifetimes are expected to maintain plot versus time the main figure of merit, the number of bits that can be extracted the rapid upward trend.

www.sciencemag.org SCIENCE VOL 339 8 MARCH 2013 1173 Quantum Information Processing of (usually aluminum) atoms assembled in the within 5 to 50 ns (a/2p ≈ 200 MHz) and two- ize this type of readout. The first is QND-ness, shape of metallic wires and plates. The operation qubit entangling gate times within 50 to 500 ns the probability that the qubit remains in the same of superconducting qubits is based on two robust (c/2p ≈ 20 MHz). We have neglected here the state after the measurement, given that the qubit phenomena: superconductivity, which is the weak induced anharmonicity of the cavity modes. is initially in a definite state |g〉 or |e〉.Thesecond frictionless flow of electrical fluid through the Proper design of the qubit circuit to minimize is the intrinsic fidelity, the difference between the metal at low temperature (below the supercon- dissipation coming from the dielectrics surround- probabilities—given that the qubit is initially in a ducting phase transition), and the Josephson ef- ing the metal of the qubit, and to minimize radia- definite state |g〉 or |e〉—that the readout gives the fect, which endows the circuit with nonlinearity tion of energy into other electromagnetic modes correct and wrong answers (with this definition, without introducing dissipation or dephasing. or the circuit environment, led to qubit transition the fidelity is zero when the readout value is un- The collective motion of the electron fluid quality factors Q exceeding 1 million or coherence correlated with the qubit state). The last and most around the circuit is described by the flux F times on the order of 100 ms, which in turn make subtle readout figure of merit is efficiency, which threading the inductor, which plays the role of the possible hundreds or even thousands of opera- characterizes the ratio of the number of controlled center-of-mass position in a mass-spring mechan- tions in one coherence lifetime (see Table 1). One and uncontrolled information channels in the read- ical oscillator (27). A Josephson tunnel junction example of this progression, for the case of the out. Maximizing this ratio is of utmost importance transforms the circuit into a true artificial atom, Cooper-pair box (28)anditsdescendants,isshown for performing remote entanglement by measure- for which the transition from the to in Fig. 3A. Spectacular improvements have also ment (50). the (|g〉-|e〉)canbeselectivelyex- been accomplished for transmission line reso- Like qubit coherence, and benefiting from it, cited and used as a qubit, unlike in the pure LC nators (45) and the other types of qubits, such progress in QND performance has been spectac- harmonic oscillator (Fig. 2B). The Josephson junc- the (35)orthefluxqubit(46). Rather ular (Fig. 3B). It is now possible to acquire more tion can be placed in parallel with the inductor, stringent limits can now be placed on the in- than N =2000bitsofinformationfromaqubit or can even replace the inductor completely, as trinsic capacitive (47)orinductive(43)lossesof before it decays through dissipation (Fig. 3A), or, in the case of the so-called “charge” qubits. Potential the junction, and we construe this to mean that to phrase it more crudely, read a qubit once in a energy functions of various shapes can be ob- junction quality is not yet the limiting factor in time that is a small fraction (1/N )ofitslifetime. tained by varying the relative strengths of three the further development of superconducting This is a crucial capability for undertaking QEC characteristic circuit energies associated with the qubits. in the fourth stage of Fig. 1, because in order to inductance, capacitance, and tunnel element (Fig. Nonetheless, it is not possible to reduce dis- fight errors, one has to monitor qubits at a pace on September 5, 2013 2, B and C). Originally, the three basic types were sipation in a qubit independently of its readout faster than the rate at which they occur. Effi- known as charge (28, 29), flux (30–33), and phase and control systems (39). Here, we focus on the ciencies in QND superconducting qubit readout (34, 35). The performance of all types of qubits most useful and powerful type of readout, which are also progressing rapidly and will soon rou- has markedly improved as the fabrication, mea- is called a “quantum nondemolition” (QND) mea- tinely exceed 0.5, as indicated by recent experi- surement, and materials issues affecting coher- surement. This type of measurement allows a ments (25, 51). ence have been tested, understood, and improved. continuous monitoring of the qubit state (48, 49). In addition, there has been a diversification of After a strong QND measurement, the qubit is Is It Just About Scaling Up? other design variations, such as the quantronium left in one of two computational states, |g〉 or |e〉, Up to now, most of the experiments have been (36, 37), transmon (38, 39), fluxonium (40), and depending on the result of the measurement, relatively small scale (only a handful of interact- www.sciencemag.org “hybrid” (41)qubits;alloftheseareconstructed which has a classical binary value indicating g or ing qubits or degrees of freedom; see Table 1). from the same elements but seek to improve per- e.Therearethreefiguresofmeritthatcharacter- Furthermore, almost all the experiments so far are 22 formance by reducing their sensitivity to de- coherence mechanisms encountered in earlier designs. The continuing evolution of designs is a sign of the robustness and future potential of Fault-tolerant quantum computation the field. Downloaded from When several of these qubits, which are non- Algorithms on multiple logical qubits linear oscillators behaving as artificial atoms, are coupled to true oscillators (photons in a micro- Operations on single logical qubits wave cavity), one obtains, for low-lying excita- tions, an effective multiqubit, multicavity system Logical memory with longer lifetime than physical qubits Hamiltonian of the form Complexity QND measurements for error correction and control 2 H eff q aj bjþbj ∑ wj bjþbj ð Þ Algorithms on multiple physical qubits ℏ ¼ j þ 2 r ∑ wmamþam ∑ cj,mbjþbjamþam 1 Operations on single physical qubits þ m þ j,m ð Þ describing anharmonic qubit mode amplitudes Time indexed by j coupled to harmonic cavity modes indexed by m (42). The symbols a, b,andw refer Fig. 1. Seven stages in the development of quantum information processing. Each advancement requires to the mode amplitudes and frequency, respec- mastery of the preceding stages, but each also represents a continuing task that must be perfected in tively. When driven with appropriate microwave parallel with the others. Superconducting qubits are the only solid-state implementation at the third signals, this system can perform arbitrary quan- stage, and they now aim at reaching the fourth stage (green arrow). In the domain of atomic physics and tum operations at speeds determined by the non- , the third stage had been previously attained by trapped ions and by Rydberg atoms. No linear interaction strengths a and c, typically implementation has yet reached the fourth stage, wherealogicalqubitcanbestored,viaerrorcorrection, (43, 44) resulting in single-qubit gate times for a time substantially longer than the decoherence time of its physical qubit components.

1170 8MARCH2013 VOL339 SCIENCE www.sciencemag.org 23

How long to re-tool the cryptographic infrastructure? Cryptographers are studying possible quantum-safe codes. Quantum information experts are researching the power of quantum algorithms, and their impact on computationally secure cryptography. How easy is it to change from one cryptographic algorithm to a quantum-secure one? Are the standards and practices ready?

Sept. 18th - 23rd 2011, Dagstuhl Seminar 11381 Sept. 8th - 13th 2013, Dagstuhl Seminar 13371 TBD 2015

Workshop on Cybersecurity in a Post- Quantum World, 2-3 April 1-3 October, 2014, Waterloo, Canada 2015 24

About Cryptography Research Training Apply

○ "

News & Events Cryptography Research Cryptography leaders guide the What is cryptography? What are we working on? future to new information security standards Cryptography is about keeping data and Quantum technologies are communications secure. People around revolutionizing our world, Cryptography experts and decision the world depend on cryptography to simultaneously posing new challenges makers met in France last week to set keep their data and communication and providing new tools for the future out a plan for a global quantum-safe secure and reliable. Information of information security. Quantum-safe cryptographic ... security lets us communicate, work, cryptography harnesses these tools to 25

The solutions 26

Quantum-safe cryptographic infrastructure “post-quantum” cryptography + quantum cryptography § classical codes deployable § quantum codes requiring without quantum technologies some quantum § believed/hoped to be secure technologies (typically less against quantum computer than a large-scale quantum attacks of the future computer) § typically no computational assumptions and thus known to be secure against quantum attacks

Both sets of cryptographic tools can work very well together in quantum-safe cryptographic ecosystem 27

Overview of options Quantum-safe key Quantum-safe authentication establishment § Trap-door predicate based § “Alternative” public-key- public-key signatures encryption based key § Hash-function based public-key establishment signatures • Lattices § Symmetric-key authentication • Codes • Multi-variate functions • Other § Quantum key establishment 28

Some comments about QKD

Quantum communication can provide “information theoretically” secure key establishment through an untrusted (quantum) authenticated channel.

Canary Islands: Longest Free Space distance for QKD 29

§ New technologies will achieve reliable quantum QL B communication on global QL A

distances, well beyond the Final Key current range of about 100 km • Quantum repeaters, , and satellites can be used someday to span the globe Network A Network B Quantum repeaters § A quantum satellite in LEO can § interconnect ground networks located anywhere on Earth. • Active research in Canada (QEYSSAT), USA, Europe (Space-QUEST), , China, Singapore. Reviews on Quantum Repeaters: Sangouard et al, Rev. Mod. Phys. 83, 33 (2011); Kimble, NATURE, 453 (2008). 30

§ One advantage of quantum key-exchange combined with public-key signatures

Public-key encryption requires a “trapdoor predicate”. Signatures only require a “one-way function”.

n Few known potentially quantum-safe alternatives for PKE

n Many likely quantum-safe alternatives for OWF

n A big advantage of QKD is that it allows key establishment with public-key authentication, but does not need a trap-door predicate 31

Complexity assumptions for long-term confidentiality Signature/ key-establishment/ encryption combination Strongest computational assumption § Symmetric key authentication + § No computational assumptions. QKD+OTP § Hash-based signatures + QKD § Short-term security of OWF +OTP § Hash-based signatures + QKD § Long-term security of OWF +AES

§ Trapdoor based signatures + § Short-term security of trapdoor QKD+AES predicate + long-term security of OWF § Trapdoor based signatures + § Long-term security of trapdoor trapdoor based key establishment +AES predicate 32

Overcoming obstacles to quantum-proofing Challenges Potential approaches

§ Performance § Benchmarking/challenges § Battle-testing: § Hybridize conventional • Implementation errors signatures and key • Protocol errors establishment with quantum-safe • Side-channel attacks signatures and key • etc establishment § Availability § Offer open-source reference § Resistance to replacing implementations something that currently works § Engage in dialogue with § Interoperability and standards organizations, white- standardization papers, etc. Quantum mechanics forces us to reinvent the foundations of our cryptographic infrastructure.

Quantum-safe is a necessary condition to be cyber-safe We need to take advantage of the head-start we have been given, and make the next generation ICT infrastructure as secure and robust as we can. The planning needs to start now. Suggestions 34

• Get quantum-safe options on vendor roadmaps • Routinely ask about vulnerability of systems to quantum attacks • Include quantum-safe options in RFPs • Keep switching costs low • (If appropriate) request the necessary standards for the quantum-safe tools needed • Request the information/studies needed to make wise decisions going forward 35

Thank you!

• Feedback welcome: [email protected] 36 Our supporters…

Pantone 144

Pantone 390

Pantone 631

Pantone 307

Pantone 130

Pantone 7738