
5 Search algorithms

In document Post-Quantum Cryptography (Page 37-40)

Given the value $s$ of some boolean function $f$ whose structure we cannot access, a search algorithm finds at least one pre-image. Classically this is only possible if we evaluate $f$ a number of times which is proportional to the quotient $N/M$ of the cardinalities $N$ and $M$ of the domain and of $f^{-1}(s)$, respectively. The ingenious quantum algorithm by Grover succeeds in lowering the classical complexity by a factor of $\sqrt{N/M}$.

The algorithm in its simplest form requires a priori knowledge of M. A slight modification allows for the determination of M in conjunction with the search.

The algorithm can also be employed to determine whether a given value lies in the image of f. This can be used to search for collisions of one or two functions, i.e. to search for differing values x and y for which f(x) = f(y), or, respectively, f(x) = g(y) if two functions f and g are given.

We now give the basic version of Grover’s algorithm.

Algorithm 5.1 Grover's search algorithm
Input: Boolean function $f : \mathbb{F}_2^n \to \mathbb{F}_2$ given by the associated operator $U_f : \mathbb{F}_2^n \times \mathbb{F}_2 \to \mathbb{F}_2^n \times \mathbb{F}_2 : |x\rangle|y\rangle \longmapsto |x\rangle|y \oplus f(x)\rangle$, and $M = \operatorname{card} f^{-1}(1)$.
Output: Some $y \in \mathbb{F}_2^n$ with $f(y) = 1$.
1: If $M > \tfrac{3}{4} \cdot 2^n$, then choose $y$ randomly and uniformly from $\mathbb{F}_2^n$ and return $y$.
2: Compute $\theta$ satisfying $\sin^2\theta = M/2^n$, and set $r \leftarrow \lfloor \pi/(4\theta) \rfloor$.
3: Transform
$$|0\rangle|1\rangle \xrightarrow{H^{\otimes(n+1)}} \frac{1}{\sqrt{2^{n+1}}} \sum_{x \in \mathbb{F}_2^n} |x\rangle\,(|0\rangle - |1\rangle) \xrightarrow{G^r} \frac{1}{\sqrt{2^{n+1}}} \sum_{x \in \mathbb{F}_2^n} \alpha_x |x\rangle\,(|0\rangle - |1\rangle),$$
where $G = U_f \cdot \big(H^{\otimes n}(2|0\rangle\langle 0| - 1)H^{\otimes n}\big) \otimes \mathrm{Id}$.
4: Measure and output the first $n$ bits of the result.

The crucial effect of Grover's operator $G$ (cf. Algorithm 5.1) is to rotate the uniform superposition over the whole domain of $f$ towards $\omega = M^{-1/2} \sum |y\rangle$, where the sum is only over those $y$ which are mapped to 1 by $f$. The angle of the rotation is computed in step 2 of the algorithm. The number $r$ of iterations in step 3 minimizes the angle between the final state before measurement and $\omega$.

Run-time and success probability of the algorithm are given by the following proposition.

Proposition 3. Suppose we are given a classical circuit consisting of no more than $K$ gates which computes the boolean function $f : \mathbb{F}_2^n \to \mathbb{F}_2$. Let $M = \operatorname{card} f^{-1}(1)$, and $N = 2^n$. Then Grover's algorithm runs in time $O(K \cdot \sqrt{N/M})$ and succeeds in finding a pre-image of 1 with probability greater than 1/4.

Proofs of this and the following propositions can be found e.g. in [33].

Remark 3. If Grover's operator $G$ is applied only $r/l$ times, for some $l > 1$, instead of $r$ times as specified, then the success probability of the algorithm drops to $O(1/l^2)$.

This remark shows that it seems crucial to know the number $M$ of elements in $f^{-1}(1)$ to find one element in it. One approach to circumvent this problem is to guess in a binary search manner a sufficiently good approximation for $M$. It is, however, also possible to apply Grover's technique to find $M$ directly.
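The following statevector simulation of Algorithm 5.1 is an added example and not code from the book chapter. It uses the chapter's notation ($N = 2^n$, $M = \operatorname{card} f^{-1}(1)$, $\sin^2\theta = M/N$, $r = \lfloor \pi/(4\theta) \rfloor$) and makes two assumptions of its own: $f$ is a Python callable on integers $0 \le x < 2^n$ rather than a $K$-gate circuit, and the simulator enumerates $f^{-1}(1)$ to build the oracle, which a quantum implementation never does. It checks the rotation picture ($\sin^2((2j+1)\theta)$ after $j$ iterations), the step-1 shortcut, the success probability from Proposition 3, the collapse after $r/l$ iterations from Remark 3, and the oscillation past $\omega$ that quantum counting measures.

```python
"""Statevector simulation of Grover's search, following Algorithm 5.1.

Added example, not code from the book chapter.  Notation as in the chapter:
N = 2^n, M = card f^{-1}(1), sin^2(theta) = M/N and r = floor(pi / (4 theta)).
Assumptions of this example: f is a Python callable on integers 0 <= x < 2^n
(the chapter assumes a K-gate circuit), and the simulator may enumerate
f^{-1}(1) to build the oracle, which a quantum implementation never does.
"""
import math
import numpy as np


def marked_set(f, n):
    """Enumerate f^{-1}(1); used only to build the simulated oracle."""
    return [x for x in range(2 ** n) if f(x) == 1]


def grover_iterations(n, M):
    """Step 2: theta with sin^2(theta) = M / 2^n, and r = floor(pi / (4 theta))."""
    if M == 0:
        raise ValueError("Algorithm 5.1 assumes f^{-1}(1) is non-empty")
    theta = math.asin(math.sqrt(M / 2 ** n))
    return theta, math.floor(math.pi / (4 * theta))


def predicted_probability(theta, j):
    """Rotation picture: after j applications of G the state makes angle
    (2j+1) theta with the unmarked subspace, so the probability of measuring
    some y with f(y) = 1 is sin^2((2j+1) theta)."""
    return math.sin((2 * j + 1) * theta) ** 2


def grover_state(n, marked, iterations):
    """Step 3: apply G^r to the uniform superposition; returns the n-qubit amplitudes.

    The ancilla prepared as (|0> - |1>)/sqrt(2) is not stored explicitly: with
    that ancilla U_f acts on the first n qubits as the phase oracle
    |x> -> (-1)^{f(x)} |x>, so we apply the sign flip directly, and then the
    diffusion operator H^{(x)n} (2|0><0| - 1) H^{(x)n} = 2|psi><psi| - 1,
    which sends every amplitude a_x to 2 * mean(a) - a_x.
    """
    N = 2 ** n
    psi = np.full(N, 1.0 / math.sqrt(N))
    idx = np.asarray(marked, dtype=int)
    for _ in range(iterations):
        psi[idx] *= -1.0                  # U_f as a phase oracle on the marked x
        psi = 2.0 * psi.mean() - psi      # reflection about the mean amplitude
    return psi


def success_probability(n, marked, iterations):
    """Probability that step 4 (measuring the first n qubits) gives some y with f(y) = 1."""
    psi = grover_state(n, marked, iterations)
    return float(np.sum(psi[np.asarray(marked, dtype=int)] ** 2))


def probability_trace(n, marked, steps):
    """Marked-set probability after 0, 1, ..., steps iterations.  It rises towards
    omega, overshoots, falls, and rises again towards -omega; quantum counting
    reads M off the period of exactly this oscillation."""
    return [success_probability(n, marked, j) for j in range(steps + 1)]


def grover_search(f, n, M, seed=0):
    """Algorithm 5.1 end to end: returns some y in F_2^n, with f(y) = 1 w.p. > 1/4."""
    rng = np.random.default_rng(seed)
    N = 2 ** n
    if M > 0.75 * N:                                  # step 1: a random guess suffices
        return int(rng.integers(N))
    _, r = grover_iterations(n, M)                    # step 2
    psi = grover_state(n, marked_set(f, n), r)        # step 3
    return int(rng.choice(N, p=psi ** 2))             # step 4: measurement


if __name__ == "__main__":
    n, target = 10, 0b1011010011          # constructed instance: f(x) = [x == target], so M = 1
    f = lambda x: int(x == target)
    theta, r = grover_iterations(n, 1)
    print("r =", r, " P[f(y)=1] =", success_probability(n, [target], r))
    # Remark 3: stopping after r/l iterations collapses the success probability.
    for l in (2, 5):
        print("r/l with l =", l, ": P =", success_probability(n, [target], r // l))
    print("found y =", grover_search(f, n, 1), " target =", target)
```

For $n = 10$, $M = 1$ the simulation gives $r = 25$ and a success probability above $0.99$, while stopping after $r/5 = 5$ iterations leaves it near $0.11$; for $n = 3$ the trace shows the probability peaking at $j = 2$, dropping almost to zero at $j = 4$ and climbing again, which is the periodic behaviour the counting algorithm exploits.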

Quantum counting. Successive applications of the Grover operator first increase the amplitude of the elements in the pre-image of 1, then decrease it when the state vector is rotated beyond $\omega$, then increase it again when approaching $-\omega$, and so forth. We can employ the QFT to measure the period of this evolution. The equation $\sin^2\theta = M/2^n$ from step 2 of the algorithm then allows the extraction of the cardinality of the pre-image from the obtained period.

Proposition 4. There is a quantum algorithm which computes for a boolean function $f$ on $\mathbb{F}_2^n$ with values in $\mathbb{F}_2$ the cardinality $M$ of $f^{-1}(1)$ in time

Now it is clear that we can first apply the counting algorithm to a boolean function for which $\operatorname{card} f^{-1}(1)$ is not known, and then Grover's original algorithm to actually find a pre-image of 1. Indeed, it is possible to combine these two steps.

Quantum collision search. A special, cryptanalytically highly relevant type of search is that of collisions of a function, i.e. the search for two arguments yielding the same function value. As in the classical situation, there is a time-memory trade-off which allows us to speed up such a search in comparison to simple searches for the pre-image of a random function value.

For this purpose one selects a subset $\mathcal{M}$ of the domain of the given function $f$. Let $k$ denote its cardinality. The set $\mathcal{M}$ is then put into memory (read-only access suffices), and the Grover algorithm is applied to the function
$$g : \mathbb{F}_2^n \to \mathbb{F}_2 : x \longmapsto \begin{cases} 1 & \text{if there is a } y \in \mathcal{M} \text{ with } x \neq y \text{ and } f(x) = f(y), \\ 0 & \text{else.} \end{cases}$$

Proposition 5. For all $k, M \in \mathbb{N}$ there is a quantum algorithm with the following properties. Suppose $f$ is a function on $\mathbb{F}_2^n$ which can be computed in time $K$ for which we have $\operatorname{card} f^{-1}(x) = M$ for all $x$. Then the algorithm finds (with success probability larger than 1/4) two distinct $x_1$ and $x_2$ with $f(x_1) = f(x_2)$ in time $O\big(K(k + \sqrt{N/(kM)})\big)$.

Remark 4. For collision search we have the same run-time/success-probability trade-off we had for general quantum searches: if the run-time is shortened by a factor $c < 1$, then the success probability is lowered by a factor $c^2$.
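The following simulation of the collision search behind Proposition 5 is an added example and not code from the book chapter. Its assumptions: $f$ is a constructed 4-to-1 function on $\mathbb{F}_2^{12}$ (an affine bijection of $\mathbb{Z}/2^{12}$ followed by dropping the two low bits, so $M = 4$ for every image point); the stored subset $\mathcal{M}$ is the first $k$ domain points, since the chapter leaves that choice open; and the simulator counts $\operatorname{card} g^{-1}(1)$ by enumeration to pick the iteration count, where the real algorithm would use $k(M-1)$ or quantum counting. It builds the table, the function $g$, runs Grover on $g$ with the same phase-oracle-plus-diffusion iterate as Algorithm 5.1, and reports the cost $k + r$ for several $k$ so the time-memory trade-off is visible.

```python
"""Quantum collision search via Grover's algorithm (Proposition 5), simulated classically.

Added example, not code from the book chapter.  Assumptions: f is a constructed
4-to-1 function on F_2^12 (affine bijection of Z/2^12, then drop the two low
bits); the stored subset is {0, ..., k-1}; and the simulator enumerates
card g^{-1}(1) to set the iteration count, which the real algorithm would take
from k(M-1) or from quantum counting.
"""
import math
import numpy as np

N_BITS, M_MULT = 12, 4           # n, and M = card f^{-1}(x) for every x in the image
N = 2 ** N_BITS


def f(x):
    """Constructed 4-to-1 function: x -> ((2837 x + 1033) mod 2^12) >> 2."""
    return ((2837 * x + 1033) % N) >> 2


def build_table(k):
    """Classical phase: evaluate f on the stored set {0, ..., k-1} (cost k).
    Maps image -> stored pre-image; read-only access suffices from here on."""
    return {f(y): y for y in range(k)}


def make_g(table):
    """g(x) = 1 iff some stored y != x has f(x) = f(y): the function Grover searches."""
    def g(x):
        y = table.get(f(x))
        return 0 if y is None or y == x else 1
    return g


def marked_count(k):
    """card g^{-1}(1); equals k (M - 1) when the k stored images are distinct."""
    g = make_g(build_table(k))
    return sum(g(x) for x in range(N))


def grover_iterations(Mg):
    """Step 2 of Algorithm 5.1 applied to g: sin^2(theta) = Mg / N, r = floor(pi / (4 theta))."""
    theta = math.asin(math.sqrt(Mg / N))
    return math.floor(math.pi / (4 * theta))


def grover_state(marked, r):
    """G^r on the uniform superposition: phase oracle, then reflection about the mean."""
    psi = np.full(N, 1.0 / math.sqrt(N))
    idx = np.asarray(marked, dtype=int)
    for _ in range(r):
        psi[idx] *= -1.0
        psi = 2.0 * psi.mean() - psi
    return psi


def cost(k):
    """(k, r, k + r): table size versus Grover iterations, r ~ sqrt(N / (k M)).
    Balancing the two terms gives k ~ (N/M)^(1/3), the time-memory trade-off."""
    r = grover_iterations(marked_count(k))
    return k, r, k + r


def success_probability(k):
    """Probability that the measurement lands in g^{-1}(1), i.e. yields a collision."""
    g = make_g(build_table(k))
    marked = [x for x in range(N) if g(x)]
    psi = grover_state(marked, grover_iterations(len(marked)))
    return float(np.sum(psi[marked] ** 2))


def collision_search(k, seed=0):
    """Returns (x1, x2) with x1 != x2 and f(x1) = f(x2), or None if the measurement misses."""
    rng = np.random.default_rng(seed)
    table = build_table(k)
    g = make_g(table)
    marked = [x for x in range(N) if g(x)]
    if not marked:
        return None
    psi = grover_state(marked, grover_iterations(len(marked)))
    x1 = int(rng.choice(N, p=psi ** 2))       # measure the first n qubits
    x2 = table.get(f(x1))                     # classical lookup in the stored set
    return None if x2 is None or x2 == x1 else (x1, x2)


if __name__ == "__main__":
    for k in (1, 8, 64):
        print("k =", k, " (k, r, k + r) =", cost(k),
              " P[collision] =", round(success_probability(k), 4))
    print("collision:", collision_search(8))
```

With $k = 1$ the search degenerates to a plain pre-image search with $r = 29$ iterations; with $k = 8$ stored points, close to $(N/M)^{1/3} \approx 10$, the iteration count drops to $r = 10$ and the total $k + r = 18$ is smaller, which is the balance Proposition 5 describes.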

6 Outlook

Quantum computation forces us to reexamine the cryptosystems we use. Some systems have been broken, and other systems need to be examined for security. Some new systems may be special cases of existing systems that are more efficient, or they may be quantum inspired from the particular quantum problems. In any case, it will be some time before we can feel confident that quantum computers cannot break any given system. Given that this chapter has been about breaking systems, we have perhaps taken a more cautious approach to what is secure. However, the rest of this book provides alternatives which may very well be immune to quantum attacks.

Lattice based systems provide a good alternative since they are based on a long-standing open problem for classical computation. Efforts to make it more secure may make it a reasonable alternative. Or, it may make the system vulnerable to classical or quantum attacks.

Another option is security assumptions coming from the hidden subgroup problem. This has probably been the most widely studied problem for more than a decade. It represents a generalization of most existing exponential speedups by quantum computing, and a solution for the nonabelian case would result in an efficient quantum algorithm for graph isomorphism. Based on this hardness, it was recently suggested for use as a cryptographic primitive. However, it is not known how to embed a trap-door yet, so this is still an open area also. The code based systems may be related to the nonabelian HSP.
