
New Physics, Cambridge University Press

May 2004

QUANTA, CIPHERS AND COMPUTERS


ARTUR EKERT
Department of Applied Mathematics and Theoretical Physics,
University of Cambridge, Cambridge CB3 0WA, U.K.
and
Department of Physics, National University of Singapore.
Singapore 117542, Singapore.

Introduction

Computation is an operation on symbols. We tend to perceive symbols as abstract
entities, such as numbers or letters from a given alphabet. However, symbols are
always represented by selected properties of physical objects. The binary string
10011011010011010110101101
may represent an abstract concept, such as number 40711597, but the binary symbols 0
and 1 have also a physical existence of their own. It could be ink on paper (this is most
likely how you see them when you are reading these words), glowing pixels on a
computer screen (this is how I see them now when I am writing these words), or
different charges or voltages (this is how my word processor sees them). If symbols are
physical objects and if computation is an operation on symbols then computation is a
physical process. Thus any computation can be viewed in terms of physical
experiments which produce outputs that depend on initial preparations called inputs.
This sentence may sound very innocuous but its consequences are anything but trivial!
On the atomic scale matter obeys the rules of quantum mechanics, which are quite
different from the classical rules that determine the properties of conventional
computers. Today's advanced lithographic techniques can etch logic gates and wires
less than a micron across onto the surfaces of silicon chips. Soon they will yield even
smaller parts and inevitably reach a point where logic gates are so small that they are
made out of only a handful of atoms. So, if computers are to become smaller in the
future, new, quantum technology must replace or supplement what we have now. The
point is, however, that quantum technology can offer much more than cramming more
and more bits to silicon and multiplying the clock-speed of microprocessors. It can
support an entirely new kind of computation, known as quantum computation, with
qualitatively new algorithms based on quantum principles.
The potential power of quantum phenomena to perform computations was first
adumbrated in a talk given by Richard Feynman at the First Conference on the Physics
of Computation, held at MIT in 1981. He observed that it appeared to be impossible, in
general, to simulate an evolution of a quantum system on a classical computer in an
efficient way. The computer simulation of quantum evolution typically involves an
exponential slowdown in time, compared with the natural evolution, essentially
because the amount of classical information required to describe the evolving quantum
state is exponentially larger than that required to describe the corresponding classical
system with a similar accuracy. However, instead of viewing this intractability as an
obstacle, Feynman regarded it as an opportunity. He pointed out that if it requires that
much computation to work out what will happen in a quantum multi-particle
interference experiment, then the very act of setting up such an experiment and
measuring the outcome is equivalent to performing a complex computation.
The foundations of the quantum theory of computation were laid down in 1985 when
David Deutsch, of the University of Oxford, published a crucial theoretical paper in
which he described a universal quantum computer and a simple quantum algorithm.
Since then, the hunt has been on for interesting things for quantum computers to do,
and at the same time, for the scientific and technological advances that could allow us
to build quantum computers.
A sequence of steadily improving quantum algorithms led to a major breakthrough in
1994, when Peter Shor, of AT&T's Bell Laboratories in New Jersey, discovered a
quantum algorithm that could perform efficient factorisation. Since the intractability of
factorisation underpins the security of many methods of encryption, including the most
popular public key cryptosystem RSA (named after its inventors Rivest, Shamir and
Adleman),¹ Shor's algorithm was soon hailed as the first 'killer application' for
quantum computation -- something very useful that only a quantum computer could do.
By some strange coincidence, several of the superior features of quantum computers
have applications in cryptanalysis. Once a quantum computer is built many popular
ciphers will become insecure. Indeed, in one sense they are already insecure. For
example, any RSA-encrypted message that is recorded today will become readable
moments after the first quantum factorisation engine is switched on, and therefore RSA
cannot be used for securely transmitting any information that will still need to be secret
on that happy day. Admittedly, that day is probably decades away, but can anyone
prove, or give any reliable assurance, that it is? Confidence in the slowness of
technological progress is all that the security of the RSA system now rests on.
What quantum computation takes away with one hand, it returns, at least partially, with
the other. Quantum cryptography offers new methods of secure communication that are
not threatened by the power of quantum computers. Unlike all classical cryptography it
relies on the laws of physics rather than on ensuring that successful eavesdropping
would require excessive computational effort.

¹ In December 1997 the British Government officially confirmed that public-key
cryptography was originally invented at the Government Communications
Headquarters (GCHQ) in Cheltenham. By 1975, James Ellis, Clifford Cocks, and
Malcolm Williamson from GCHQ had discovered what was later rediscovered in
academia and became known as RSA and Diffie-Hellman key exchange.

Quantum cryptography was discovered independently in the
US and Europe. The first one to propose it was Stephen
Wiesner (shown on the left), then at Columbia University in
New York, who, in the early 1970's, introduced the concept
of quantum conjugate coding. He showed how to store or
transmit two messages by encoding them in two conjugate
observables, such as linear and circular polarization of light,
so that either, but not both, may be received and
decoded. He illustrated his idea with a design of unforgeable
bank notes. A decade later, building upon this work, Charles
H. Bennett, of the IBM T.J. Watson Research Center, and Gilles Brassard, of the
Université de Montréal, proposed a method for secure communication based on
Wiesner's conjugate observables.

In 1990, independently and initially unaware of the earlier work, Artur Ekert, then a
Ph.D. student at the University of Oxford, developed a different approach to quantum
cryptography based on peculiar quantum correlations known as quantum entanglement.
Since then quantum cryptography has evolved into a thriving experimental area and is
quickly becoming a commercial proposition.
This popular account aims to provide some insights into the fascinating world of
quantum phenomena and the way we exploit them for computation and secure
communication.

From bits to qubits

To explain what makes quantum computers so different from their classical
counterparts, we begin with a basic chunk of information, namely one bit. From a
physicist's point of view a bit is a physical system which can be prepared in one of two
different states, representing two logical values: no or yes, false or true, or simply 0 or
1. For example, in digital computers, the voltage between the plates in a capacitor
represents a bit of information: a charged capacitor denotes bit value 1 and an
uncharged capacitor bit value 0. One bit of information can be also encoded using two
different polarisations of light or two different electronic states of an atom. However, if
we choose a quantum system, such as an atom, as a physical bit then quantum
mechanics tells us that apart from the two distinct electronic states the atom can be also
prepared in a coherent superposition of the two states. This means that the atom is
both in state 0 and state 1. Such a physical object is called a quantum bit or a qubit.
To get used to the idea that a qubit can represent two bit values at once it is helpful
to consider the following experiment. Let us try to reflect a single photon off a
half-silvered mirror, i.e. a mirror which reflects exactly half of the light which impinges
upon it, while the remaining half is transmitted directly through it (Figure 1). Such a
mirror is also known as a beam-splitter.

Figure 1. Half-silvered mirror, or a beam-splitter, as a simple quantum logic gate.
(Diagram labels: Input 0, Input 1, Output 0, Output 1.)

Let the photon in the reflected beam represent logical 0 and the photon in the
transmitted beam the logical 1. Where is the photon after its encounter with the
beam-splitter, in the reflected or in the transmitted beam? Does the photon at the output
represent logical 0 or logical 1?
One thing we know is that the photon doesn't split in two, thus it seems sensible to
say that the photon is either in the transmitted or in the reflected beam with the same
probability. That is, one might expect the photon to take one of the two paths, choosing
randomly which way to go. Indeed, if we place two photodetectors behind the
half-silvered mirror directly in the lines of the two beams, the photon will be registered with
the same probability either in the detector 0 or in the detector 1. Does it really
mean that after the half-silvered mirror the photon travels in either reflected or
transmitted beam with the same probability 50%? No, it does not! In fact the photon
takes two paths at once.
This can be demonstrated by recombining the two beams with the help of two fully
silvered mirrors and placing another half-silvered mirror at their meeting point, with
two photodetectors in direct lines of the two beams (Figure 2).

Figure 2. Two concatenated beam-splitters effect a logical NOT gate. Thus each
beam-splitter separately represents an inherently quantum operation called the square root
of NOT. (Diagram labels: Input 0, Input 1, Output 0, Output 1.)

If it was merely the case that there was a 50% chance that the photon followed one
path and a 50% chance that it followed the other, then we should find a 50%
probability that one of the detectors registers the photon and a 50% probability that the
other one does. However, that is not what happens. If the two possible paths are exactly
equal in length, then it turns out that there is a 100% probability that the photon reaches
the detector 1 and 0 per cent probability that it reaches the other detector 0. Thus the
photon is certain to strike the detector 1.
The inescapable conclusion is that the photon must, in some sense, have travelled both
routes at once, for if either of the two paths is blocked by an absorbing screen, it
immediately becomes equally probable that 0 or 1 is struck. In other words, blocking
off either of the paths illuminates 0; with both paths open, the photon somehow is
prevented from reaching 0.
Furthermore, if we insert slivers of glass of different thickness into each path (see
Figure 3) then we can observe a truly amazing quantum interference phenomenon. We can
choose the thickness of the glass, and hence the effective optical length of each path, in
such a way that the photon can be directed to either of the two detectors with any
prescribed probability.

Figure 3. Quantum interference.
(Diagram labels: Input 0, Input 1, Output 0, Output 1.)


In particular, when the difference in the thickness of the two slivers is chosen
appropriately the photon will certainly emerge at detector 0 instead of detector 1.
The photon reacts only to the difference in the thickness of the slivers located in the
two different paths - more evidence that the photon must have travelled both paths at
once - and each path contributes to the final outcome. Thus the output of the
beam-splitter does not represent either 0 or 1 but a truly quantum superposition of the
two bit values.

From a computational point of view a beam-splitter is an elementary quantum logic
gate, operating on a single qubit. It is quite a remarkable logic gate which can be called the
square root of NOT ($\sqrt{\mathrm{NOT}}$) because the logical operation NOT is obtained as the result
of two consecutive applications of beam-splitters (see Figure 2). This purely quantum
operation has no counterpart in classical logic and forms one of the elementary building
blocks of a quantum computer.


Entanglement

The idea of superposition of numbers can be pushed further. Consider a register
composed of three physical bits. Any classical register of that type can store, in a given
moment of time, only one out of eight different numbers i.e. the register can be in only
one out of eight possible configurations such as 000, 001, 010, ... 111. A quantum
register composed of three qubits can store, in a given moment of time, all eight
numbers in a quantum superposition. It is quite remarkable that all eight numbers are
physically present in the register but it should be no more surprising than a qubit being
both in state 0 and 1 at the output of a beam-splitter. If we keep adding qubits to the
register we increase its storage capacity exponentially i.e. three qubits can store 8
different numbers at once, four qubits can store 16 different numbers at once, and so
on; in general L qubits can store $2^L$ numbers at once.

Some superpositions of numbers can be easily obtained by operating on individual
qubits, some require joint operations on two qubits. For example, a superposition of 00
and 10 can be generated by starting with two qubits in state 00 and applying the square
root of NOT to the first qubit. If we subsequently apply the same operation to the
second qubit we will turn the 00 component into a superposition of 00 and 01, and the 10
component into a superposition of 10 and 11, which all together gives an equally
weighted superposition of the four numbers: 00, 10, 01, 11. Each of the two qubits is in
a superposition of 0 and 1, and the register made out of the two qubits is in a
superposition of all possible binary strings of length 2. In general, a register of L
qubits can be prepared in a superposition of all binary strings of length L by applying
the square root of NOT to each qubit in the register. However, operations on individual
qubits will never turn a quantum register in state 00 into, say, an equally weighted
superposition of 00 and 11, or a superposition of 01 and 10. Such superpositions are
special and their generation requires special quantum logic gates operating on two
qubits at a time. Qubits in such superpositions are said to be entangled. They cannot be
described by specifying the state of individual qubits and they may together share
information in a form which cannot be accessed in any experiment performed on either
of them alone. Erwin Schrödinger, who was probably the first to be baffled by this
quantum phenomenon, writing for the Cambridge Philosophical Society in 1935,
summarized it as follows:
"When two systems, of which we know the states by their respective representatives, enter
into temporary physical interaction due to known forces between them, and when after a
time of mutual influence the systems separate again, then they can no longer be described
in the same way as before, viz. by endowing each of them with a representative of its own. I
would not call that one but rather the characteristic trait of quantum mechanics, the one
that enforces its entire departure from classical lines of thought. By the interaction the two
representatives [the quantum states] have become entangled."

Figure 4. Schrödinger's note on quantum states of interacting subsystems dating back
to 1932-33. This seems to be the first known reference to the concept of quantum
entanglement. It has been discovered recently by Matthias Christandl and Lawrence
Ioannou, of Cambridge University, in the Schrödinger archive in Vienna.

There are many entangling operations on two qubits. They require some form of
interaction between the qubits. One of them, analogous to the square root of NOT, is
the square root of SWAP. The classical SWAP operation interchanges the bit values of
two bits, e.g. 00 → 00, 01 → 10, 10 → 01, 11 → 11. However, there is no classical
two-bit logic gate such that its two consecutive applications result in the logical operation
SWAP. Still, the square root of SWAP does exist. It is an inherently quantum logic
gate and can be obtained by switching on for a prescribed period of time the exchange
interaction between qubits. The resulting quantum dynamics takes the input state 01
half way towards the swapped state 10 and effectively generates a superposition of 01
and 10.

Quantum Boolean networks and their complexity

The square root of SWAP together with the square root of NOT and phase shifters
(operations equivalent to those induced by the slivers of glass in Figure 3) allow
constructing arbitrary superpositions of binary strings of any length. They form an
adequate (universal) set of quantum gates. Once we can implement these operations
with sufficient precision we can perform any quantum computation. This is very
reminiscent of constructing classical computation out of simple primitives such as
logical NOT, AND, OR etc.
For example, if you need a superposition of 00 and 11 you can construct it using only
the square root of NOT and the square root of SWAP. Start with two qubits in state 00,
apply the square root of NOT twice to the first qubit, this gives state 10. (Of course,
this is just applying logical NOT, but the point is to use only the prescribed adequate
gates.) Then apply the square root of SWAP to obtain the superposition of 10 and 01.
Now comes an interesting part; once the register is prepared in an initial superposition
of different numbers quantum gates perform operations which affect all numbers in the
superposition. Thus if we apply the square root of NOT twice to the second qubit it will
turn 10 into 11 and 01 into 00, which gives the superposition of 00 and 11. It is
convenient to illustrate this sequence of operations in a diagram, shown in Figure 5.

Figure 5. An example of a quantum Boolean network operating on two qubits. The
qubits are represented by the horizontal lines and quantum logic gates by rectangular
icons. The operations are performed from the left to the right. The input consists of
two qubits in state 00. The output is an entangled state of the two qubits - an equally
weighted superposition of 00 and 11. (Gate labels in the diagram: $\sqrt{\mathrm{NOT}}$, $\sqrt{\mathrm{NOT}}$,
$\sqrt{\mathrm{SWAP}}$, $\sqrt{\mathrm{NOT}}$, $\sqrt{\mathrm{NOT}}$.)

Such graphical representations are called quantum Boolean networks or quantum
circuits. Quantum computers, for all practical purposes, can be viewed as quantum
Boolean networks operating on many qubits.
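
The beam-splitter experiments of Figures 2 and 3 and the network of Figure 5 can be checked numerically. The Python simulation below is an added example, not part of the original article; the matrices used for the square root of NOT and the square root of SWAP are the standard ones and are an assumption here, since the article names the gates without writing them out.

```python
import cmath

# Assumed (standard) matrix forms; the article names these gates but does not print them.
A = (1 + 1j) / 2          # amplitude for leaving the bit value unchanged
B = (1 - 1j) / 2          # amplitude for flipping the bit value
SQRT_NOT = [[A, B],
            [B, A]]
# Two-qubit basis order: 00, 01, 10, 11 (the first qubit is the left digit).
SQRT_SWAP = [[1, 0, 0, 0],
             [0, A, B, 0],
             [0, B, A, 0],
             [0, 0, 0, 1]]


def apply(matrix, state):
    """Multiply a square matrix by a state vector of amplitudes."""
    return [sum(m * s for m, s in zip(row, state)) for row in matrix]


def on_qubit(gate, qubit, state):
    """Apply a one-qubit gate to qubit 0 (left) or 1 (right) of a two-qubit state."""
    out = [0j] * 4
    for index, amp in enumerate(state):
        bits = [(index >> 1) & 1, index & 1]
        old = bits[qubit]
        for new in (0, 1):
            bits[qubit] = new
            out[(bits[0] << 1) | bits[1]] += gate[new][old] * amp
    return out


def probabilities(state):
    """Measurement probabilities, rounded to hide floating-point noise."""
    return [round(abs(a) ** 2, 12) for a in state]


def interferometer(phase0=0.0, phase1=0.0, blocked=None):
    """Figures 2 and 3: beam-splitter, slivers of glass (phase shifts), beam-splitter.
    `blocked` optionally names a path (0 or 1) closed by an absorbing screen.
    Returns [probability at detector 0, probability at detector 1]."""
    state = apply(SQRT_NOT, [1, 0])                     # photon enters at Input 0
    state = [state[0] * cmath.exp(1j * phase0),
             state[1] * cmath.exp(1j * phase1)]
    if blocked is not None:
        state[blocked] = 0                              # photon absorbed on that path
    return probabilities(apply(SQRT_NOT, state))


def figure5_network():
    """sqrt(NOT) twice on qubit 0, sqrt(SWAP), sqrt(NOT) twice on qubit 1, from 00."""
    state = [1, 0, 0, 0]
    for _ in range(2):
        state = on_qubit(SQRT_NOT, 0, state)
    state = apply(SQRT_SWAP, state)
    for _ in range(2):
        state = on_qubit(SQRT_NOT, 1, state)
    return state


def local_gates_only():
    """sqrt(NOT) on each qubit separately: all four strings, but no entanglement."""
    return on_qubit(SQRT_NOT, 1, on_qubit(SQRT_NOT, 0, [1, 0, 0, 0]))


def is_product_state(state, tol=1e-9):
    """A two-qubit pure state splits into one-qubit states iff a00*a11 == a01*a10."""
    return abs(state[0] * state[3] - state[1] * state[2]) < tol


if __name__ == "__main__":
    print("two beam-splitters, equal paths :", interferometer())
    print("path 0 blocked                  :", interferometer(blocked=0))
    print("phase difference of pi          :", interferometer(phase0=cmath.pi))
    print("phase difference of pi/3        :", interferometer(phase0=cmath.pi / 3))
    print("Figure 5 output probabilities   :", probabilities(figure5_network()))
    print("Figure 5 output entangled       :", not is_product_state(figure5_network()))
    print("local gates only entangled      :", not is_product_state(local_gates_only()))
```

With a blocked path the two probabilities sum to one half because the other half of the time the photon is absorbed by the screen.
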
In order to solve a particular problem, computers, be it classical or quantum, follow a
precise set of instructions that can be mechanically applied to yield the solution to any
given instance of the problem. A specification of this set of instructions is called an
algorithm. Examples of algorithms are the procedures taught in elementary schools for
adding and multiplying whole numbers; when these procedures are mechanically
applied, they always yield the correct result for any pair of whole numbers. Any
algorithm can be represented by a family of Boolean networks $N_1, N_2, N_3, \ldots$, where the
network $N_n$ acts on all possible input instances of size $n$ bits. Any useful algorithm
should have such a family specified by an example network, $N_n$, and a simple rule
explaining how to construct the network $N_{n+1}$ from the network $N_n$. These are called
uniform families of networks.

The big issue in designing algorithms or their corresponding families of networks is the
optimal use of physical resources required to solve a problem. Complexity theory is
concerned with the inherent cost of computation in terms of some designated
elementary operations such as the number of elementary gates in the network (the size
of the network). An algorithm is said to be fast or efficient if the number of elementary
operations taken to execute it increases no faster than a polynomial function of the size
of the input. We generally take the input size to be the total number of bits needed to
specify the input (for example, a number $N$ requires $\log_2 N$ bits of binary storage in a
computer). In the language of network complexity - an algorithm is said to be efficient
if it has a uniform and polynomial-size network family. Problems which do not have
efficient algorithms are known as hard problems.
From the computational complexity point of view, quantum networks are more
powerful than their classical counterparts. This is because individual quantum gates
operate not just on one number but on superpositions of many numbers. During such
evolution each number in the superposition is affected and as a result we generate a
massive parallel computation albeit in one piece of quantum hardware. This means that
a quantum gate, or a quantum network, can in only one computational step perform the
same mathematical operation on different input numbers encoded in coherent
superpositions of L qubits. In order to accomplish the same task any classical device
has to repeat the same computation $2^L$ times or one has to use $2^L$ processors working in
parallel. In other words a quantum computer offers an enormous gain in the use of
computational resources such as time and memory.
Here we should add that this gain is more subtle than the description above might
suggest. If we simply prepare a quantum register of L qubits in a superposition of $2^L$
numbers and then try to read a number out of it then we get only one, randomly chosen,
number. This is exactly like in our experiment in Figure 1 where a half-silvered mirror
prepares a photon in a superposition of the two paths but when the two photodetectors
are introduced we see the photon in only one of the two paths. This kind of situation is
of no use to us for although the register now holds all the $2^L$ numbers, the laws of
physics only allow us to see one of them. However, recall the experiments from Figure
2 and Figure 3 where just the single answer 0 or 1 depends on each of the two
paths. In general quantum interference allows us to obtain a single, final result that
depends logically on all $2^L$ of the intermediate results. One can imagine that each of the
$2^L$ computational paths is affected by a process which has an effect similar to that of
the sliver of glass in Figure 3. Thus each computational path contributes to the final
outcome. It is in this way, by quantum interference of many computational paths, that a
quantum computer offers an enormous gain in the use of computational resources --
though only in certain types of computation.

Quantum algorithms

What types? As we have said, ordinary information storage is not one of them, for
although the computer now holds all the outcomes of $2^L$ computations, the laws of
physics only allow us to see one of them. However, just as the single answer in the
experiments of Figure 2 and Figure 3 depends on information that travelled along each
of two paths, quantum interference now allows us to obtain a single, final result that
depends logically on all $2^L$ of the intermediate results. This is how Shor's algorithm
achieves the mind-boggling feat of efficient factorization of large integers.

5.1 Shor's Algorithm

As is well known, a naive way to factor an integer number N is based on checking the
remainder of the division of N by some number p smaller than $\sqrt{N}$. If the remainder is
0, we conclude that p is a factor. This method is in fact very inefficient: with a
computer that can test for $10^{10}$ different p's per second (this is faster than any
computer ever built), the average time to find the factor of a 60-digit long number
would exceed the age of the universe.

Rather than this naive division method, Shor's algorithm relies on a slightly different
technique to perform efficient factorisation. The factorisation problem can be related to
evaluating the period of a certain function f which takes N as a parameter. Classical
computers cannot make much of this new method: finding the period of f requires
evaluating the function f many times. In fact mathematicians tell us that the average
number of evaluations required to find the period is of the same order as the number of
divisions needed with the naive method we outlined first. With a quantum computer,
the situation is completely different - quantum interference of many qubits can
effectively compute the period of f in such a way that we learn about the period without
learning about any particular value f(0), f(1), f(2), ... The algorithm mirrors our
simple interference experiment shown in Figure 3. We start by setting a quantum
register in a superposition of states representing 0, 1, 2, 3, 4, ... This operation is
analogous to the action of the first beam-splitter in Figure 3 which prepares a
superposition of 0 and 1. The next step is the function evaluation. The values f(0),
f(1), f(2), ... are computed in such a way that each of them modifies one computational
path by introducing a phase shift. This operation corresponds to the action of the
slivers of glass in Figure 3. Retrieving the period from a superposition of f(0), f(1),
f(2), ... requires bringing the computational paths together. In Figure 3 this role is
played by the second beam-splitter. In Shor's algorithm the analogous operation is
known as a quantum Fourier transform. Subsequent bit by bit measurement of the
register gives a number, in the binary notation, which allows the period of f to be
estimated with a low probability of error. The most remarkable fact is that all these can
be accomplished with a uniform quantum network family of polynomial size!
Mathematicians believe (firmly, though they have not actually proved it) that in order
to factorise a number with L binary digits, any classical computer needs a number of
steps that grows exponentially with L: that is to say, adding one extra digit to the
number to be factorised generally multiplies the time required by a fixed factor. Thus,
as we increase the number of digits, the task rapidly becomes intractable. No one can
even conceive of how one might factorise, say, thousand-digit numbers by classical
means; the computation would take many times as long as the estimated age of the
universe. In contrast, quantum computers could factor thousand-digit numbers in a
fraction of a second --- and the execution time would grow at most as the cube of the
number of digits.
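
The link between factorisation and period finding described in this section can be made concrete. The Python code below is an added example, not part of the original article; it assumes the standard choice f(x) = a^x mod N for the periodic function (the article only says "a certain function f"), and the names `period_by_brute_force`, `factors_from_period` and `factor_via_period` are hypothetical. The period is found here by classical brute force, which is exactly the step that the quantum Fourier transform replaces.

```python
from math import gcd


def period_by_brute_force(a, n):
    """Smallest r > 0 with a^r = 1 (mod n), found by evaluating f(1), f(2), ...
    Classically this can take on the order of n evaluations, which is no better
    than trial division; it is the step a quantum computer performs efficiently."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    value, r = a % n, 1
    while value != 1:
        value = (value * a) % n
        r += 1
    return r


def factors_from_period(a, r, n):
    """Turn the period r of f(x) = a^x mod n into a factor pair of n.
    Returns None when this base is unlucky: r is odd, or a^(r/2) = -1 (mod n)."""
    if r % 2:
        return None
    half = pow(a, r // 2, n)
    if half == n - 1:
        return None
    # a^r - 1 = (a^(r/2) - 1)(a^(r/2) + 1) is a multiple of n, so each bracket
    # shares a non-trivial factor with n.
    p = gcd(half - 1, n)
    if p in (1, n):
        return None
    return tuple(sorted((p, n // p)))


def factor_via_period(n):
    """Split an odd composite n (assumed not to be a prime power) by trying bases
    a = 2, 3, ... and counting how many evaluations of f the period search used."""
    evaluations = 0
    for a in range(2, n):
        shared = gcd(a, n)
        if shared != 1:                  # the base itself already shares a factor
            return {"factors": tuple(sorted((shared, n // shared))),
                    "base": a, "period": None, "evaluations": evaluations}
        r = period_by_brute_force(a, n)
        evaluations += r
        split = factors_from_period(a, r, n)
        if split:
            return {"factors": split, "base": a, "period": r,
                    "evaluations": evaluations}
    return None


if __name__ == "__main__":
    # Constructed sample inputs: 15 works with the first base, 65 needs a second
    # base because 2^6 = -1 (mod 65), and 10403 = 101 * 103 has a longer period.
    for n in (15, 65, 10403):
        print(n, factor_via_period(n))
```
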

5.2 Grover's Algorithm

In Shor's algorithm all computational paths are affected by a single act of quantum
function evaluation. This generates an interesting quantum interference that gives
observable effects at the output. If a computational step affects just one computational
path it has to be repeated several times. This is how another popular quantum
algorithm, discovered in 1996 by Lov Grover of AT&T's Bell Laboratories in New
Jersey, searches an unsorted list of N items in only $\sqrt{N}$ or so steps.

Consider, for example, searching for a specific telephone number in a directory
containing a million entries, stored in the computer's memory in alphabetical order of
names. It is easily proved (and obvious) that no classical algorithm can improve on the
brute-force method of simply scanning the entries one by one until the given number is
found, which will, on average, require 500,000 memory accesses. A quantum computer
can examine all the entries simultaneously, in the time of a single access. However, if it
is merely programmed to print out the result at that point, there is no improvement over
the classical algorithm: only one of the million computational paths would have
checked the entry we are looking for, so there would be a probability of only one in a
million that we would obtain that information if we measured the computer's state. But
if we leave that quantum information in the computer, unmeasured, a further quantum
operation can cause that information to affect other paths, just as in the simple
interference experiment described above. It turns out that if this interference-generating
operation is repeated about 1000 times (in general, $\sqrt{N}$ times) the information about
which entry contains the desired number will be accessible to measurement with
probability 50% - i.e. it will have spread to more than half the terms in the
superposition. Therefore repeating the entire algorithm a few more times will find the
desired entry with a probability overwhelmingly close to 1.
One important application of Grover's algorithm might be, again, in cryptanalysis,
to attack classical cryptographic schemes such as DES (the Data Encryption Standard).
Cracking DES essentially requires a search among $2^{56} \approx 7 \times 10^{16}$ possible keys. If
these can be checked at a rate of, say, one million keys per second, a classical computer
would need over a thousand years to discover the correct key while a quantum
computer using Grover's algorithm would do it in less than four minutes.
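
The repeated interference step described above, and the DES estimate that follows from it, can be reproduced with a small state-vector simulation. This Python code is an added example, not part of the original article. It assumes the standard iteration count floor(pi/4 * sqrt(N)), which the article rounds to "about sqrt(N)", and it assumes that one Grover iteration costs the same as one classical key test; the 10-bit search space and the target value are constructed for the demonstration.

```python
import math


def grover_search(n_items, is_target, iterations):
    """Simulate Grover's search over items 0 .. n_items-1 using real amplitudes.
    `is_target` plays the role of the oracle (for a cipher: "does this key
    decrypt the known ciphertext correctly?").
    Returns the probability of measuring each item after `iterations` rounds."""
    amp = [1 / math.sqrt(n_items)] * n_items           # equal superposition of all items
    marked = [is_target(x) for x in range(n_items)]
    for _ in range(iterations):
        # Oracle: flip the sign of the amplitude on the one path that matches.
        amp = [-a if m else a for a, m in zip(amp, marked)]
        # Interference step: reflect every amplitude about the mean, which moves
        # weight from all the other paths onto the marked one.
        mean = sum(amp) / n_items
        amp = [2 * mean - a for a in amp]
    return [a * a for a in amp]


def optimal_iterations(n_items):
    """Number of rounds after which the marked item is most likely to be measured."""
    return math.floor(math.pi / 4 * math.sqrt(n_items))


def success_probability(n_items, target, iterations):
    """Probability that a measurement returns `target` after the given rounds."""
    return grover_search(n_items, lambda x: x == target, iterations)[target]


def exhaustive_search_times(key_bits, keys_per_second):
    """Average classical search time (half the key space) and Grover search time,
    both in seconds, under the equal-cost assumption stated in the lead-in."""
    keyspace = 2 ** key_bits
    classical = (keyspace / 2) / keys_per_second
    quantum = optimal_iterations(keyspace) / keys_per_second
    return classical, quantum


if __name__ == "__main__":
    n, target = 2 ** 10, 0x2A7          # constructed 10-bit search space and target
    best = optimal_iterations(n)
    for k in (0, 1, best // 2, best, 2 * best):
        print(f"{k:3d} rounds -> P(target) = {success_probability(n, target, k):.5f}")

    classical, quantum = exhaustive_search_times(56, 1_000_000)
    print(f"DES, classical average: {classical / (365.25 * 86400):.0f} years")
    print(f"DES, Grover           : {quantum / 60:.2f} minutes")
```

Running twice the optimal number of rounds drives the success probability back towards zero, so the iteration count has to be chosen in advance from the size of the search space.
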

Building quantum computers


In principle we know how to build a quantum computer: we can start with simple
quantum logic gates, such as the square root of NOT, the square root of SWAP, and
phase gates, and try to integrate them together into quantum networks (circuits).
However, subsequent logical operations usually involve more complicated physical
operations on more than one qubit. If we keep on putting quantum gates together into
circuits we will quickly run into some serious practical problems. The more interacting
qubits are involved the harder it tends to be to engineer the interaction that would
display the quantum interference. Apart from the technical difficulties of working at
single-atom and single-photon scales, one of the most important problems is that of
preventing the surrounding environment from being affected by the interactions that
generate quantum superpositions. The more components the more likely it is that
quantum computation will spread outside the computational unit and will irreversibly
dissipate useful information to the environment. This process is called decoherence.

Without any additional stabilization mechanism building a quantum computer is
like building a house of cards: we can build a layer or two, but when one contemplates
building a really tall house, the task seems hopeless. Not quite!
In principle we know how to handle errors due to decoherence provided that they
satisfy some assumptions, e.g. that errors occur independently on each of the qubits,
that the performance of gate operations on some qubits does not cause decoherence in
other qubits, that reliable quantum measurements can be made so that error detection
can take place, and that systematic errors in the operations associated with quantum
gates can be made very small. If all these assumptions are satisfied, then
fault-tolerant quantum computation is possible. That is, efficient, reliable quantum-coherent
quantum computation of arbitrarily long duration is possible, even with faulty and
decohering components. Thus, errors can be corrected faster than they occur, even if
the error correction machinery is faulty.
The first models of quantum computers, proposed in the 1980s, were,
understandably, very abstract and in many ways totally impractical. In 1993 progress
towards a practical model took an encouraging turn when Seth Lloyd, then at Los
Alamos National Laboratory, and subsequently Adriano Barenco, David Deutsch and
Artur Ekert, of the University of Oxford, proposed a scheme for a potentially realizable
quantum computer. Lloyd considered a one-dimensional heteropolymer with three
types of weakly coupled qubits, which were subjected to a sequence of electromagnetic
pulses of well defined frequency and length. Barenco, Deutsch and Ekert showed how
to implement quantum computation in an array of single-electron quantum dots (see
Figure 6).

Figure 6. One of the first experimental schemes for quantum computation used an
array of single-electron quantum dots. A dot is activated by applying suitable
voltage to the two metal wires that cross at that dot. Similarly, several dots may be
activated at the same time. Because the states of an active dot are asymmetrically
charged, two adjacent active dots are each exposed to an additional electric field that
depends on the other's state. This way the resonant frequency of one dot depends on
the state of the other. Light at carefully selected frequencies will selectively excite only
adjacent, activated dots that are in certain states. Such conditional quantum dynamics
are needed to implement quantum logic gates.

Although these early schemes showed how to translate mathematical prescriptions into
physical reality they were difficult to implement and to scale up, due to decoherence. In
1994 Ignacio Cirac and Peter Zoller, from the University of Innsbruck, came up with a
model that offered the possibility of fault-tolerant quantum computation. It was quickly
recognized as a conceptual breakthrough in experimental quantum computation. They
considered a trap holding a number of ions in a straight line. The ions would be laser
cooled and then each ion could be selectively excited by a pulse of light from a laser
beam directed specifically at that ion. The trap would therefore act as a quantum
register with the internal state of each ion playing the role of a qubit. Pulses of light
can also induce vibrations of ions. The vibrations are shared by all of the ions in the trap
and they enable the transfer of quantum information in between distant ions and the
implementation of quantum logic gates (Figure 7). In mid-1995 Dave Wineland and his
colleagues at NIST (National Institute of Standards and Technology) in Boulder, Colorado,
used the idea of Cirac and Zoller to build the world's first quantum gate operating on two
qubits.

Figure 7. Photograph of five beryllium ions in a linear ion trap. The separation
between ions is approximately 10 microns. Pulses of light can selectively excite
individual ions and induce vibrations of the whole line of ions. The vibrations
inform other ions in the trap that a particular ion was excited; they play the same
role as a data bus in conventional computers. This picture was taken in Dave
Wineland's laboratory at the National Institute of Standards and Technology in Boulder,
U.S.

Today there are many interesting approaches to experimental quantum computation and
related quantum technologies. The requirements for quantum hardware are simply
stated but very demanding in practice. Firstly, a quantum register of multiple qubits
must be prepared in an addressable form, and isolated from environmental influences,
which cause the delicate quantum states to decohere. Secondly, although weakly
coupled to the outside world, the qubits must nevertheless be strongly coupled together
through an external control mechanism, in order to perform logic gate operations.
Thirdly, there must be a read-out method to determine the state of each qubit at the end
of the computation. There are many beautiful experiments which show that these
requirements, at least in principle, can be met. They involve technologies such as linear
optics, nuclear magnetic resonance (NMR), trapped ions, cavity quantum
electrodynamics (QED), neutral atoms in optical lattices, interacting quantum dots,
superconducting devices, and many others. They are but a sample of the emerging field
of quantum information technology. At the moment it is not clear which particular
technology will be the ultimate winner.

The art of secure communication.

We have mentioned that several of the superior features of quantum computers have
applications in cryptanalysis, i.e. in the art of breaking ciphers. The quantum answer to
quantum cryptanalysis is quantum cryptography.

Despite a long and colourful history, cryptography became part of mathematics and
information theory only in the late 1940s, mainly as a result of the work of Claude
Shannon of Bell Laboratories in New Jersey. Shannon showed that truly unbreakable
ciphers do exist and, in fact, they had been known for over 30 years. The one-time pad,
devised in about 1918 by an American Telephone and Telegraph engineer named
Gilbert Vernam, is one of the simplest and most secure encryption schemes. The
message, also known as a plaintext, is converted to a sequence of numbers using a
publicly known digital alphabet (e.g. ASCII code) and then combined with another
sequence of random numbers called a key to produce a cryptogram. Both sender and
receiver must have two exact copies of the key beforehand; the sender needs the key to
encrypt the plaintext, the receiver needs the exact copy of the key to recover the
plaintext from the cryptogram. The randomness of the key wipes out various frequency
patterns in the cryptogram that are used by code-breakers to crack ciphers. Without the
key the cryptogram looks like a random sequence of numbers.

plaintext    01011100
KEY          11001010
cryptogram   10010110

1 0 0 1 0 1 1 0

cryptogram   10010110
KEY          11001010
plaintext    01011100

Figure 8. One-time pad. The modern version of the "one-time pad" is based on binary
representation of messages and keys. The message is converted into a sequence of 0's
and 1's and the key is another sequence of 0's and 1's of the same length. Each bit of
the message is then combined with the respective bit of the key using addition in base
2, which has the rules 0+0=0, 0+1=1+0=1, 1+1=0. Because the key is a random string
of 0's and 1's the resulting cryptogram---the plaintext plus the key---is also random
and therefore completely scrambled unless one knows the key. The message is
recovered by adding (in base 2 again) the key to the cryptogram.

There is a snag, however. All one-time pads suffer from a serious practical
drawback, known as the key distribution problem. Potential users have to agree
secretly, and in advance, on the key---a long, random sequence of 0's and 1's. Once
they have done this, they can use the key for enciphering and deciphering and the
resulting cryptograms can be transmitted publicly, such as by radio or in a newspaper,
without compromising the security of messages. But the key itself must be established
between the sender and the receiver by means of a very secure channel---for example, a
very secure telephone line, a private meeting or hand-delivery by a trusted courier.
Such a secure channel is usually available only at certain times and under certain
circumstances.

So users who are far apart, in order to guarantee perfect security of subsequent
crypto-communication, have to carry around with them an enormous amount of secret
and meaningless (as such) information (cryptographic keys), equal in volume to all the
messages they might later wish to send. For perfect security the key must be as long as
the message; in practice, however, in order not to distribute keys too often, much
shorter keys are used. For example, the most widely used commercial cipher, the Data
Encryption Standard, depends on a 56-bit secret key, which is reused for many
encryptions over a period of time. This simplifies the problem of secure key
distribution and storage, but it does not eliminate it.

Mathematicians tried very hard to eliminate the problem. The seventies brought a
clever mathematical discovery of the so-called public-key cryptosystems. They avoid the
key distribution problem but unfortunately their security depends on unproved
mathematical assumptions, such as the difficulty of factoring large integers.

Quantum key distribution

Physicists view the key distribution problem as a physical process associated with sending
information from one place to another. From this perspective eavesdropping is a set of
measurements performed on carriers of information. Until now, such eavesdropping has
depended on the eavesdropper having the best possible technology. Suppose an
eavesdropper is tapping a telephone line. Any measurement on the signal in the line may
disturb it and so leave traces. Legitimate users can try to guard against this by making their
own measurements on the line to detect the effect of tapping. However, the tappers will
escape detection provided the disturbances they cause are smaller than the disturbances that
the users can detect. So given the right equipment, eavesdropping can go undetected. Even
if legitimate users do detect an eavesdropper, what do they conclude if one day they find no
traces of interception? Has the eavesdropping stopped? Or has the eavesdropper acquired
better technology? The way round this problem of key distribution may lie in quantum
physics.
We have already mentioned that when two qubits representing logical 0 and 1 enter the
square root of SWAP gate they interact and emerge in an entangled state which is a
superposition of 01 and 10. They remain entangled even when they are separated and
transported, without any disturbance, to distant locations. Moreover, results of
measurements performed on the individual qubits at the two distant locations are
usually highly correlated.
For example, in a process called parametric down conversion we can entangle two
photons in such a way that their polarizations are anti-correlated. If we choose to test
linear polarization then one photon will be polarized vertically and the other one
horizontally. The same is true if we choose to test circular polarization: one photon
will carry left-handed and the other right-handed polarization. In general, the
perfect anti-correlation appears if we carry out the same test on the two photons. The
individual results are completely random, e.g. it is impossible to predict in advance if
we will get or on a single photon. Moreover, the laws of quantum physics forbid a
simultaneous test of both linear and circular polarization on the same photon. Once the
photon is tested for linear polarization and we find out that it is, say, vertical then all
information about its circular polarization is lost. Any subsequent test for circular
polarization will reveal either left-handed or right-handed with the same
probability.

Both linear and circular polarization can be used for encoding the bits of information.
For example, we can agree that for linearly polarized photons stands for 0 and
for 1, and for circularly polarized photons 0 is represented by and 1 by .
However, for the decoding of these bits to be meaningful the receiver must know in
advance which type of test, or measurement, to carry out for each incoming photon.
Testing linear (circular) polarization on a photon that carries one bit of information
encoded in circular (linear) polarization will reveal nothing.

The quantum key distribution which we are going to discuss here is based on
distribution of photons with such anti-correlated polarizations. Imagine a source that
emits pairs of photons in an entangled state which can be viewed both as a superposition
of and , and a superposition of and . The photons fly apart towards the
two legitimate users, called Alice and Bob, who, for each incoming photon, decide
randomly and independently from each other whether to test linear or circular
polarization. A single run of the experiment may look like this

Alice

Bob

For the first pair both Alice and Bob decided to test circular polarization and their
results are perfectly anti-correlated. For the second pair Alice measured linear
polarization whilst Bob measured circular. In this case their results are not correlated at
all. In the third instance they both measured linear polarization and obtained perfectly
anti-correlated results, etc.

After completing all the measurements, Alice and Bob discuss their data in public
so that anybody can listen, including their adversary, an eavesdropper called Eve, but
nobody can alter or suppress such public messages. Alice and Bob tell each other
which type of polarization they measured for each incoming photon but they do not
disclose the actual outcomes of the measurements. For example, for the first pair Alice
may say "I measured circular polarization" and Bob may confirm "So did I". At this
point they know that the results in the first measurement are anti-correlated. Alice
knows that Bob registered because she registered , and vice versa. However,
although Eve learns that the results are anti-correlated she does not know whether it is
for Alice and Bob, or for Alice and Bob. The two outcomes are equally likely,
so the actual values of bits associated with different results are still secret.

Alice and Bob then discard instances in which they made measurements of different
types (shaded columns in the table below).

Alice

Bob

They end up with shorter strings which should now contain perfectly anti-correlated
entries. They check whether the two strings are indeed anti-correlated by comparing, in
public, randomly selected entries (shaded columns in the table below).

Alice

Bob

The publicly revealed entries are discarded and the remaining results can be translated
into a binary string, following the agreed-upon encoding, e.g. as in the table below.

Alice

Bob

KEY

In order to analyse security of the key distribution let us adopt the scenario that is most
favourable for eavesdropping, namely we will allow Eve to prepare all the photons and
send them to Alice and Bob!

Eve's objective is to prepare the pairs in such a way that she can predict Alice's and
Bob's results and that the pairs pass the anti-correlation test. This is impossible.
Suppose Eve prepares a pair of photons choosing randomly one of the four states: ,
, or . She then sends one photon to Alice and one to Bob. Let us assume that
Alice and Bob measure the same type of polarization on their respective photons. If
Alice and Bob choose to measure the right type of polarization then they obtain
anti-correlated results but Eve knows the outcomes; if they choose to measure the wrong
type of polarization then, although the outcomes are random, they can still obtain
anti-correlated results with probability 50%. This will result in 25% errors in the
anti-correlation test and in Eve knowing, on average, every second bit of the key. Eve may
want to reduce the error rate by entangling the photons. She can prepare them in a
state that is a superposition of and and also of and . In this case the
pairs will pass the test without any errors but Eve has no clue about the results. Once
and (or and ) are locked in a superposition there is no way of knowing
which component of the superposition will be detected in a subsequent measurement.
More technical eavesdropping analysis shows that all, however sophisticated,
eavesdropping strategies are doomed to fail, even if Eve has access to superior
technology, including quantum computers. The more information Eve has about the
key, the more disturbance she creates.
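
The protocol and the eavesdropping analysis above can be checked numerically. The following Python code is an added example, not part of the original chapter: it samples the measurement statistics stated in the text (it is not a state-vector simulation) for a genuinely entangled source and for Eve's product-state preparation. The names `measure_pair` and `run_protocol`, the 0/1 labelling of outcomes, Bob's bit flip to obtain the shared key, and the zero-error acceptance threshold of the idealised protocol are assumptions of this example.

```python
import random

BASES = ("linear", "circular")  # the two measurement types named in the text

def measure_pair(rng, source, a_basis, b_basis):
    """Sample Alice's and Bob's outcome bits for one photon pair.

    Returns (alice_bit, bob_bit, eve_basis); eve_basis is None when the
    pair is genuinely entangled and nobody holds a record of its state.
    """
    if source == "entangled":
        a = rng.randrange(2)
        # Same test on both photons: perfect anti-correlation.
        # Different tests: the two results are uncorrelated.
        b = 1 - a if a_basis == b_basis else rng.randrange(2)
        return a, b, None
    if source == "eve_product":
        # Eve prepares one of four definite states: a polarization type
        # plus which photon carries which value of that type.
        e_basis, e_bit = rng.choice(BASES), rng.randrange(2)
        # Measuring Eve's type returns her value; the other type gives
        # a fair coin flip, independently for each photon.
        a = e_bit if a_basis == e_basis else rng.randrange(2)
        b = 1 - e_bit if b_basis == e_basis else rng.randrange(2)
        return a, b, e_basis
    raise ValueError(f"unknown source: {source!r}")

def run_protocol(n_pairs, source, seed=0, test_fraction=0.5, max_error=0.0):
    """Run sifting, the public anti-correlation test and key extraction."""
    rng = random.Random(seed)
    sifted = []  # (alice_bit, bob_bit, eve_knows), same-type rounds only
    for _ in range(n_pairs):
        a_basis, b_basis = rng.choice(BASES), rng.choice(BASES)
        a, b, e_basis = measure_pair(rng, source, a_basis, b_basis)
        if a_basis == b_basis:  # public discussion: discard mixed rounds
            sifted.append((a, b, e_basis == a_basis))
    # Publicly compare a random sample; a == b is an anti-correlation error.
    k = int(len(sifted) * test_fraction)
    test_idx = set(rng.sample(range(len(sifted)), k))
    errors = sum(1 for i in test_idx if sifted[i][0] == sifted[i][1])
    error_rate = errors / k if k else 0.0
    # Revealed entries are discarded; the rest becomes the key. Bob flips
    # his bits so both hold the same string (assumed encoding).
    rest = [r for i, r in enumerate(sifted) if i not in test_idx]
    known = sum(1 for _, _, eve_knows in rest if eve_knows)
    return {
        "sifted": len(sifted),
        "error_rate": error_rate,
        "accepted": error_rate <= max_error,
        "alice_key": [a for a, _, _ in rest],
        "bob_key": [1 - b for _, b, _ in rest],
        "eve_known_fraction": known / len(rest) if rest else 0.0,
    }

if __name__ == "__main__":
    for src in ("entangled", "eve_product"):
        r = run_protocol(20000, src, seed=1)
        print(src, r["sifted"], round(r["error_rate"], 3), r["accepted"],
              round(r["eve_known_fraction"], 3))
```

With 20000 pairs the entangled source passes the test with no errors and leaves Eve with nothing, while the product-state source fails it with an error rate near 25% and Eve knowing about half of the surviving bits.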

The key distribution procedure described above is somewhat idealised. The
problem is that there is, in principle, no way of distinguishing errors due to
eavesdropping from errors due to spurious interaction with the environment, which is
presumably always present. This implies that all quantum key distribution protocols
which do not address this problem are, strictly speaking, inoperable in the presence of
noise, since they require the transmission of messages to be suspended whenever an
eavesdropper (or, therefore, noise) is detected. Conversely, if we want a protocol that is
secure in the presence of noise, we must find one that allows secure transmission to
continue even in the presence of eavesdroppers. Several such protocols were designed.
They are based on two approaches, namely on purification of quantum entanglement,
proposed in this context by Deutsch, Ekert, Jozsa, Macchiavello, Popescu, and
Sanpera, and on classical error correction, pioneered by Dominic Mayers. More
recently the two approaches have been unified and simplified by Peter Shor and John
Preskill.

Experimental quantum cryptography has rapidly evolved from early
demonstrations at the IBM T.J. Watson Research Laboratory in Yorktown Heights in
the U.S. and the Defence Research Agency in Malvern, in the U.K., to several beautiful
experiments that demonstrated fully fledged quantum key distribution both in optical
fibres and free space. Quantum cryptography today is a commercial alternative to
more conventional, classical cryptography (see, for example, www.idQuantique.com or
www.MagiQtech.com).

Concluding remarks

When the physics of computation was first investigated systematically in the
1970s, the main fear was that quantum-mechanical effects might place fundamental
bounds on the accuracy with which physical objects could realise the properties of bits,
logic gates, the composition of operations, and so on, which appear in the abstract and
mathematically sophisticated theory of computation. Thus it was feared that the power
and elegance of that theory, its deep concepts such as computational universality, its
deep results such as Turing's halting theorem, and the more modern theory of
complexity, might all be mere figments of pure mathematics, not really relevant to
anything in nature.

Those fears have not only been proved groundless by the research we have been
describing, but also, in each case, the underlying aspiration has been wonderfully
vindicated to an extent that no one even dreamed of just twenty years ago. As we have
explained, quantum mechanics, far from placing limits on what classical computations
can be performed in nature, permits them all, and in addition provides whole new
modes of computation. As far as the elegance of the theory goes, researchers in the
field have now become accustomed to the fact that the real theory of computation
hangs together better, and fits in far more naturally with fundamental theories in other
fields, than its classical approximation could ever have been expected to.

Experimental and theoretical research in quantum computation and quantum
cryptography is now attracting increasing attention from both academic researchers and
industry worldwide. The idea that nature can be controlled and manipulated at the
quantum level is a powerful stimulus to the imagination of physicists and engineers.
There is almost daily progress in developing ever more promising technologies for
realising quantum information processing. There is potential here for truly
revolutionary innovations.

10 Further reading
For a lucid exposition of some of the deeper implications of quantum computing
see The Fabric of Reality by David Deutsch (Allen Lane, The Penguin Press, 1997).
For a popular introduction to quantum information technology see Schrödinger's
Machines by Gerard Milburn (W.H. Freeman & Company). Julian Brown in his
Minds, machines, and the multiverse (Simon & Schuster), gives a very readable
account of quantum information science. The Centre for Quantum Computation
(http://cam.qubit.org) has several WWW pages and links devoted to quantum
computation and cryptography.
