The power of quantum computers

Integer factorization is believed to be computationally infeasible with an ordinary computer for large numbers that are the product of two prime numbers of roughly equal size (e.g., products of two 300-digit primes). By comparison, a quantum computer could solve this problem relatively easily. If a number has n bits (is n digits long when written in the binary numeral system), then a quantum computer with just over 2n qubits can use Shor’s algorithm to find its factors. It can also solve a related problem called the discrete logarithm problem. This ability would allow a quantum computer to “break” many of the cryptographic systems in use today, in the sense that there would be a relatively fast (polynomial time in n) algorithm for solving the problem. In particular, most of the popular public key ciphers could be much more quickly broken, including forms of RSA, ElGamal and Diffie-Hellman. These are used to protect secure Web pages, encrypted email, and many other types of data. Breaking these would have significant ramifications for electronic privacy and security. The only way to increase the security of an algorithm like RSA would be to increase the key size and hope that an adversary does not have the resources to build and use a powerful enough quantum computer. It seems plausible that it will always be possible to build classical computers that have more bits than the number of qubits in the largest quantum computer. If that’s true, then algorithms like RSA could be made secure by ensuring that keylengths exceed the storage capacities of quantum computers.

There is one digital signature scheme that is secure against quantum computers: Lamport signatures.

Perhaps not as surprisingly, quantum computers could also be useful for running simulations of quantum mechanics. This idea goes back to Richard Feynman (1982) who observed that there is no known algorithm for simulating quantum systems on a classical computer and suggested to study the use of quantum computer for this purpose. The speedup achieved by quantum computers could be just as large as for factoring. This could be a great boon to physics, chemistry, materials science, nanotechnology, biology and medicine, all of which are limited today by the slow speed of quantum mechanical simulations. For example, some modern simulations that are taking IBM’s Blue Gene supercomputer years would only take a quantum computer a matter of seconds.

This dramatic advantage of quantum computers is currently known to exist for only those three problems: factoring, discrete logarithm, and quantum physics simulations. However, there is no proof that the advantage is real: an equally fast classical algorithm may still be discovered (though some consider this unlikely). There is one other problem where quantum computers have a smaller, though significant (quadratic) advantage. It is quantum database search, and can be solved by Grover’s algorithm. In this case the advantage is provable. This establishes beyond doubt that (ideal) quantum computers are superior to classical computers for at least one problem.

Consider a problem that has these four properties:

- The only way to solve it is to guess answers repeatedly and check them,
- There are n possible answers to check,
- Every possible answer takes the same amount of time to check, and
- There are no clues about which answers might be better: generating possibilities randomly is just as good as checking them in some special order.

An example of this is a password cracker that attempts to guess the password for an encrypted file (assuming that the password has a maximum possible length).

For problems with all four properties, it will take an average of (n + 1)/2 guesses to find the answer using a classical computer. The time for a quantum computer to solve this will be proportional to the square root of n. That can be a very large speedup, reducing some problems from years to seconds. It can be used to attack symmetric ciphers such as Triple DES and AES by attempting to guess the secret key. But it is also easy to defend against, by doubling the size of this key. There are also more complicated methods for secure communication, such as using quantum cryptography.

Regardless of whether any of these problems can be shown to have an advantage on a quantum computer, they nonetheless will always have the advantage of being an excellent tool for studying quantum mechanical interactions, which of itself is an enormous value to the scientific community.

There are currently no other practical problems known where quantum computers give a large speedup over classical computers. Research is continuing, and more problems may yet be found.