>> Krysta Svore: Okay, welcome back for the final session of the day. So now we're going to turn a little bit and we're going to hear about quantum software and quantum-safe cryptography from Mike Mosca. So welcome, Mike.
>> Michele Mosca: Thanks very much, Krysta, and thanks for the invitation to finally come visit Microsoft Research.
So I want to talk about two interrelated topics that I've been focusing on more and more in recent years. As an undergraduate, I was interested -- my background is mathematics, mostly discrete mathematics, a bit of number theory, and I started focusing on public-key cryptography and algorithms for public-key cryptography. And that's how I got lured into quantum computing when my colleagues in England were telling me that physicists think they can break these problems easily.
And after dismissing it a few times, being forced to study it a bit more by my supervisor then,
Dominic Welsh, I realized this is actually pretty serious, pretty real and deep and interesting. So
I started working with quantum algorithms, phase estimation, many other things over the years.
And in recent years, I started focusing more and more on these two topics I'm going to talk about today. So cryptography is a very fun topic to work in. There's a lot of deep mathematics.
You're solving puzzles. And it's also really important. So when you can have the marriage of something that's mathematically deep and interesting and really important, that makes it extra exciting.
And of course crypto underpins information security, the Internet and much more.
So, for example, if RSA is broken, how can you connect your laptop to the -- your computer to the Internet? You have auto updates running all the time. You're downloading new software.
How do you know that's the authentic source? How do you know it hasn't been tampered with?
And you really need to deploy a quick fix. And there's no quick fix ready right now
All the problems you hear about related to cyber -- well, I think virtually all -- you hear about today in the newspapers actually don't have a lot of to do cryptography, which is a bit of a challenge for solving the problem I'm going to mention, because people in the know say, well, the problem wasn't a weak cipher. The problem was all these other things and more.
Bad implementations. I made this list well before all the publicized stuff in the last couple years.
Even before the beast attacks. I mean, we knew these were the potential weak links in the weak links. Side channels and so on. I didn't -- you know, bad broken crypto primitives, I didn't even put it on this list. It's not the main attacks today.
>>: Should you have people on this list too?
>> Michele Mosca: Yeah, these are, you know, bad trust assumptions. That includes people --
>>: Specific people?
>> Michele Mosca: Either in their intentions or their incompetence.
>>: Well also insider attacks.

>> Michele Mosca: Trusting the untrustworthy. So people often say you need more trust. Well,
I saw this one lecture by this woman who said actually you need more trustworthiness, and you need more alignment of trust with the trustworthy. That's where value gets added. The alignment between trust and trustworthiness and just more trustworthiness. But just blind trust isn't actually necessarily a good thing.
So the problem of course we all know about and which has accelerated this field tremendously since the mid '90s is Shor's algorithm. Shor's algorithm, which compromises surprisingly at the time both of the widely deployed public-key cryptography tools in one fell swoop. I guess we sort of hope that, well, if one is broken, surprisingly we at least have the other one. But that's not going to happen with quantum computers.
So we've had 20 years to do something about it.
One of my cryptography friends was saying, you know, you're trying to scare me with your quantum computer. I go to bed every night, you know, afraid that somebody will find a classical algorithm for breaking these problems.
And there haven't been major catastrophes. There have been weaknesses uncovered here and there, but no catastrophes. But another recent really nice advance, some of my colleagues argue about how unexpected this is or isn't, but this was certainly a very impressive advance on the discrete logarithm and finite fields of low characteristic.
So which we may have used, but in the end we aren't too dependent on such schemes, so it hasn't -- not to mention there's a difference between a theoretical poly-time attack and then actually implementing them. There's still ongoing work on studying the actual practical for which instances do these attacks really make a difference
But we're not largely -- the infrastructure is not largely dependent on this problem fortunately.
But it could happen tomorrow that there is a -- and you don't need a poly-time factoring algorithm. You just need one that's a little bit better than the one we have.
And, furthermore, people might not tell you that they have it. So there's already this nervousness out there. These are qualitatively different threats. There's the well-defined quantum threat which we see moving on. And then there could always be this unexpected classical algorithmic advance.
So with regard to the quantum threat, which is very -- we know the algorithm, we have a -- getting a clearer and clearer picture of what the architectures might look like, but is it something that we can just -- thinking as a cryptographer now -- can I put the software another 20 years or another 10 years? Because the first order we've procrastinated for 20 years. Not completely.
Some very nice work has been done in the last 20 years, but it hasn't been at a very urgent pace, let's say
Can we keep waiting, or do we need to really do something now? Well, that depends, okay, because people will often say, well, you don't have a quantum computer, you haven't factored anything more than a really small number. It doesn't look like anything's happening. I'm going to just keep, you know, not worrying about it for now

But whether you should worry or not really depends on what you're in the business of. The information you're supposed to protect, how long are you supposed to protect it for? Let's say that's X years.
A really important question is how long will it take you to fix the tools you've deployed ubiquitously? How long will it take you to do that? That's Y years, let's say.
And then a question we all get asked, surely, those of us working in quantum computing: How long before you'll have a quantum computer large enough to break these public-key cryptosystems. Let's call that zed years -- I guess we should say Z years here. Okay.
And then if X plus Y is bigger than zed -- or Z, then you should worry. You have a problem.
You've already messed up. Because for the next Y years, you have to use the current tools, because you haven't deployed the new ones that are quantum resistant, quantum-safe.
And you're supposed to be providing your customers X years of security, but you're not because we'll break those codes in zed years.
So this is the question you have to ask. And X is -- depends on the business. Y I'll talk a little bit about. And zed is, you know -- we'll ask Rob what zed is. Really we want a probability distribution on zed because we don't know for certain, of course.
But let me talk a little bit about zed, say, what can I say. We don't know is the correct answer.
But that I don't know has changed a lot in the last 20 years. It's not I don't know and I have no idea, it's I don't know but there's no reason to think it's going to be too long. I can't promise you it's going to be a long time.
IBM wrote a nice perspective paper in 2011 where they said, you know, it could happen. Rapid improvements in experimental hardware suggest that a threshold for the design and the construction of fault-tolerant systems may be reached in the next five years. So another couple years to see if that prediction comes through.
Then there's a really nice paper by Rob and Michele Devoret giving their outlook on superconducting -- again, on superconducting circuit implementations of quantum computers, where they -- they track the right benchmarks. Well, certainly what the wrong benchmarks are are how big of a number have you factored. Because that's -- that's not the right -- you're asking the wrong question. Okay? I'll get back to that in a second.
But here are some of the relevant benchmarks, and they're tracking them. Things like qubit lifetimes. So this might look familiar.
[laughter]
>> Michele Mosca: So I'll use this all the time now, because it's the clearest thing in terms of communicating what's going on to cryptographers who are smart but they're also very busy solving many important problems in cryptography.
So there's these nice seven stages to building a quantum computer. They all build on each other.
Several implementations have achieved -- the first three are now working on the fourth, which may be achieved in the next two to five years with significant probability, depending who you

ask. With there's certainly optimism by serious people that this may happen in the short term.
And then we'll move to the fifth stage, sixth stage, and seventh stage.
It's not until you're in the seventh stage that you start factoring numbers and you start tracking how big of a number have you factored. That's the only place it becomes a relevant metric.
There's other things we should be looking at in these lower stages. They're a bit harder to explain to people, but, again, they're describing them in these papers. But that's what matters.
And progress has been going I think very well. I mean, the last 20 years an amazing array of tools have been developed. We have people who are trying to -- already thinking about all the classical control hardware, all these -- all these -- all these issues which 20 years ago we thought, well, that's the last of our worries. People are starting to worry about now. And doing very impressive work.
So one of the other questions related to estimating how long it will take to break these systems, we have to -- how many qubits? A hundred isn't an enough. Will it take a billion qubits and a trillion gates? Or a million and a hundred million gates? I mean, these are important questions.
This is years of scaling.
Something else, you know, asymptotic complexity is obviously a really important tool in guiding the answer to these questions. But it gives just a very coarse-grained approximation. We need a more fine-grained study of the full tool chain between the high-level algorithms and the physical qubits. So what we -- what I'm loosely calling quantum software. Conventional software -- in the future it can be quantum software, too, but until we have quantum computers we can't use them to program themselves for controlling and optimizing the operations of our quantum bits.
And this is an area where Microsoft's research, the Kwart [phonetic] group, is playing a leading role. So I'm loosely using the term quantum compiler. I don't mean to offend anybody working in compilers. But I mean tools will need to take these high-level programs and map them down to the physical hardware. And there's been a lot of -- not a lot. How do I put it? Much foundational work has been done. Started in many of these areas. But there's a lot more to do.
We're starting to -- certainly 10, 15 years ago people thought, well, why, why is anybody bothering with that? Not everybody thought that, but it wasn't attracting a lot of attention, let's say. But as time moved on, I think it started to become clearer to people that actually we should be looking at these questions.
And experiments are already reaching a point where it's harder and harder to just have the grad students manually compile these things. It's already starting to make sense to have some sort of automated tools.
Of course it will be interesting in the future, once we have quantum computers, we can use them to better compile themselves. This is related to David's comment earlier about one of the first applications of a quantum computer might be to design a better quantum computer. But certainly we can use a quantum computer to better program a quantum computer.
So just to roughly sketch the tool chain from high-level algorithm, implicitly describes some circuits, and circuits in terms of gates. You have to compile them. You have to make these gates. You're stuck with a fault-tolerant gates. So we have friends who are building things and

trying to control them as best they can, getting effective physical qubits. And then our friends doing -- taking various approaches to fault tolerance to produce some small finite set of fault-tolerant gates.
So the kind of tools I've been -- well, so I've been working quantum algorithms, but in recent years I've been thinking more -- and our colleagues at Waterloo have been thinking more and more about how do you compile these circuits into these gates.
So one of the first things we did was an exact multi-qubit gate synthesis algorithm based on a well-known method called meet-in-the-middle. So we focused on, for the most part, in Clifford gates and the T-gate. We implemented them for up to 4-qubit operations.
And the meet-in-the-middle, it's very simple. Suppose -- suppose the unitary U you want is synthesizable, has a decomposition of depth 8. So one brute force approach is just to try -- you know, construct every depth 8 circuit and see if any of them equals U. That requires complexity.
It's some big constant of the power of 8.
An almost quadratically better way to do this is to make a list, brute force all the depth 4 circuits, multiply them by U, and then here's the list of all the depth 4 circuits. See if you see a collision between these two lists. So sort the lists and just look for collisions. You can do that relatively fast. If you get a collision, then you have something times U is equal to W. So something depth
4 times the U you want to synthesize equals something depth 4, so you just take the inverse of this and you've synthesized U.
We weren't the first to apply meet-in-the-middle. I think the first time I saw it in the literature was one of Igor's paper's I believe. And we applied many optimizations and smart data structures and so on to make these fast. Because these -- these -- it's still exponential. So you have to be smart if you want to get any reasonable instances solved.
And one thing we did is we decomposed the top of the gate, tried to minimize T depth, and we're able to -- and if you just look in Nielsen & Chuang's textbook, there's a depth 5 circuit. We're able to compress it down to depth 3. We conjectured it was optimal, because we didn't brute force every single Clifford. There was just too many for our tool at the time. But we were able to find a depth 3, and we conjectured it was optimal in terms of T depth.
Because as many of you know, many of the state-of-the-art methods for fault tolerance, the way to construct T-gates is much more expensive than the methods for constructing Cliffords. It's not always the case, but much of the main of the state-of-the-art literature has that assumption, has that property.
Selinger looked at this and manually found a way to, you know, if you really want low T depth and you're willing to buy ancillas, he was able to bring it down to depth 1. And the main idea is simply -- so, first of all, if you look at this Toffoli circuit, it's essentially just CNOTs and T-gates sandwiched between some Hadamard. So if you can focus on just the middle part, it's just
CNOT and T-gates.
If you think of a circuit consisting of just CNOT and T-gates, the CNOTs don't do -- all the
CNOTs do is take -- you have a string of bits and it replaces one bit with an XOR of other -- you know, itself plus other bits. So a CNOT circuit just takes a string of bits and maps it to, in a reversible way, a sequence of XORs of those same bits.

There's some restrictions because you have to be able to go backwards. And all the T-gates do, when you apply a T-gate, it kicks a phase of E to the I pi over 4 times the value of the bit that you apply the T-gate to. So it's either 0 or 1.
So you're picking up a phase which is a power of E to the I pi over 4. And the power is just the sum, mod 8, of these bit values that were in the register when you apply the T-gate.
And the values in the register when you apply T-gate is just an XOR of the initial bits. So the -- you know, Selinger's idea was simply, well, in depth 1 I can compute all the XORs I want, if you allow me as much ancilla space as I like. I compute all the XORs I need, I apply the T-gates, and then I uncompute all that extra garbage I computed.
So then what we did is said, well, let's suppose you have no ancilla or some other smaller number of ancilla. What you want to do is -- you have all these terms you know you want to compute. You try to pack them in. You try to do as many as you can at a time, and then you minimize the depth that way.
When we looked at what this was asking mathematically, so my master supervisor at Oxford,
Dominic Welsh, who wrote I think one of the classic textbooks in matroid theory, so fortunately
I at least learned what a matroid was. So I remember telling Matt Amy I think that's a matroid.
So indeed it was.
And this problem of trying to pack these things as low as possible turns out to be a -- what's called a matroid partitioning problem. And Edmonds, who was actually at Waterloo, did this work, developed a poly-time algorithm decades ago for solving this matroid partitioning problem in poly-time.
So we run it. So when you consider a general circuit, it's not just CNOT and Ts, there will be
Hadamards in between. So an obvious heuristic is, well, partition your circuit into everything in between the Hadamards and then just optimize those chunks.
And then also we try some heuristics which try to swap things before and after the Hadamards.
And we get some nontrivial reductions by this method.
So that was one problem we came across. Two results there.
Another nice example was related to 1-qubit synthesis. Again, in terms of Clifford and T-gates.
So a common tool you'll need is to construct a phase gate. And when you tell a physicist, you know, well, we came up with a really efficient implementation of a pi over 10 gate, they first look at you like you're crazy. But then, you know, at the physical layer, of course, the pi over 10 gate is easy -- well, usually. But you have to fault tolerantly approximate a pi over 10 gate in terms of logical -- your logical fault tolerant gates.
So, for example, a pi over 10 great with precision -- what was it? -- 10 to the minus 5 or so, if you just use the state-of-the-art Solovay-Kitaev implementations took on the order of tens of thousands, maybe over 100,000 gates, which is very frustrating to do a pi over 10 gate. Fault tolerant gates. So it's just -- so it's a nontrivial problem.

There are known ways to do it, Solovay-Kitaev. The problem is in information theoretically we believe there should be a log 1 over epsilon depth circuit, but Solovay-Kitaev gives you almost a fourth power of log 1 over epsilon.
There's other methods, but they require an ancilla, say, or have more than linear depth.
So deep mathematics proved that these efficient circuits should exist, but now we have to find them.
So the approach we took -- and Chris and Alex actually developed some nice methods for optimally resynthesizing these circuits. So we were looking at synthesizing these circuits. But what we didn't -- you know, where do you start. So we said, well, let's see what -- let's look at exact synthesis.
And if we could figure out something nontrivial about exact synthesis, then maybe we have a shot at finding a way to round off an arbitrary unitary into the unitaries that are exactly synthesizable and then applying some exact synthesis algorithms. This was sort of the rough hope at the beginning.
And it was -- it's clear to see that if you have Clifford and T-gates, all of your unitaries are going to have coefficients in this ring. Linear combinations of power, so the A through to unity times 1 over root 2 to the N. And it's clear that the only way to get the 1 over root 2 is with a Hadamard gate.
So if you minimize -- you can always make N large by multiplying top and bottom by root N.
But pick the smallest possible N you can use to represent your matrix. That's a lower bound than the number of Hadamard gates.
So it was a bit of a clue that guided us. So we showed that -- this is Vadim and Dmitri Maslov -- we showed that -- this is if and only if -- any matrix with these elements in this ring are exactly synthesizable, which was nice. And then what was really surprising, at least for me, is that you can -- just by looking at the structure of the numbers, you can just read off the optimal synthesis.
Almost.
So, I mean, Vadim realized what you really want to look at is a square of the -- so let's just look at the first column of these matrices you want to synthesize. So let's suppose somebody hands you HT to the power of N. They don't tell you that's what it is, but they give you this matrix. It's
Hadamard times T to the power of N. You look at the first column, take the square of these values.
Again, the only way to increase this denominator is by -- is through Hadamard gate. I mean, after the initial part.
And what we're able to show is -- so you give it a matrix, you compute the smallest denominator exponent. As long as it's bigger than 4, there's always some power of T followed by H you can multiply it by to bring the denominator down by 1. So you can just deterministically walk -- reduce that denominator exponent by 1 every time at the cost of at most 1T or T inverse gate.
And then Cliffords and Hadamards. Cliffords. Hadamard is Clifford.

So that -- I'm going to -- gave us a deterministic algorithm for exactly synthesizing things H optimally. Again, in terms of optimum number of Hadamard gates. And we could also show that it's T-optimal. Chris and Alex already game up with -- had already come up with an algorithm for resynthesizing things so they're T-optimal.
So then moving on to the approximation problem. So this is great. We -- once you have something that's synthesizable, we have a deterministic algorithm for synthesizing it. What about the roundoff problem? Is this just a trivial thing, just round it off and move on with it?
Well, it turns out it was a lot harder than that. So you can suppose you want to implement the pi over 10 gate, some phase gate. You can certainly round off the diagonal elements to something in the ring. Now you're left with -- the algorithm only works if you have an exact unitary. So now you need to find a value Y so the resulting matrix is unitary.
And sometimes such a Y exists and sometimes it doesn't. But it exists with significant probability. So if it doesn't exist, just try again with a slightly different roundoff X.
But computing that Y was not so easy. It wasn't clear in the beginning, but it turned out to be a nasty number theory problem.
But we're able to make it. Vadim noticed we could make it our simple number theory problem by adding two ancilla bits initialized to 0. So I'll skip the details. But if you do that, if you just add two ancilla bits initialized to 0, you're going to bring them back to 0.
Then the roundoff problem. So you round off, just round off the first entry very naively. And then you have to find two other entries so that you have norm 1. Well, that's equal to -- so if you calculate some value M and you have to find A, B, C, D such that their squares equals M. This is -- I mean, in mathematics there's this famous Lagrange four-squares theorem that says every integer is representable by some sum of four squares.
And my colleague at Waterloo, Jeff Shallit, and Michael Rabin, the famous cryptographer, had an efficient algorithm from the '80s.
>>: I think he's famous for other things too.
>> Michele Mosca: Well, yeah, he's famous for many things. But cryptography is one of the themes of my talk, so -- okay. So this is really neat. Okay.
Now, it turns out we're able to remove the two ancilla bits. We could do it in practice. Peter
Selinger found some nice algebraic methods for in poly-time optimally -- or near optimally, sorry, synthesizing these qubit -- these gates in using other number theory methods.
We used norm -- solving norm equations.
And in practice we could achieve, you know, fidelities of 10 to the minus 15 or so. But Peter found some really nice poly-time algorithms with reasonable assumptions. Or I think his latest work, he assumes you can factor -- if you can factor efficiently, then you can synthesize these things. This is where having a quantum computer can be useful for --
>>: Peter also obviously solves [inaudible].

>>: [inaudible].
>> Michele Mosca: Okay. Anyways, so we -- you know, we started off on this work trying to improve the synthesis and optimization of these circuits. We didn't know what to expect, whether this would just be a mundane programming test or whether we would stumble upon some really interesting questions. And we have already -- certainly didn't anticipate needing matroid theory or algebraic number theory, four-squares theorem or norm equations and so on.
Another idea we had was -- because, you know, we stumbled upon this question of wanting to -- not stumbled upon, we were presented with the challenge of trying to minimize the T depth for deep reasons related to fault tolerance. So the Cliffords by definition are the unitaries that permute the Paulis when you conjugate up to a minus sign.
So and it's the T-gates that will map a Pauli to something other than another Pauli. So in fact the sum of two Paulis. So maybe an interesting way to just look at a given unitary is in the channel representation, where you look at what the unitary does to the Paulis, it maps the Paulis to a linear combination of Paulis, and just store these values in a matrix. This is the channel representation. And just look at this matrix and hope that it talks to you, it says something interesting to inspire an efficient decomposition.
So one thing we're able to do is reprove the optimal -- you know, the deterministic 1-qubit synthesis work nicely. It's the T-gates that sort of make this thing other than a signed permutation matrix. So, for example, here the colors just rep -- you know, one of these colors is
1 over root 2 and the other is a half and 1 over 2 root 2 and so on.
There's some sort of structure here. It gives us some hint. So, first of all, if the Hamming weight is 5, then you know you need at least three T-gates. Because each T-gate you apply can just double the Hamming weight of a row or column.
So I'll just summarize some of the things we discovered in this by looking at it in this picture.
Another thing, we came up with a very nice way to represent these Clifford and T-gates that
[inaudible] out a ton of symmetries and gave us -- you know, the naive -- the relatively naive brute force methods were exponential in N squared M. We were able to make it exponential in
NM.
So suddenly -- remember I said the Toffoli gate we conjectured it had T depth 3? With this method we're able to verify that indeed it has T depth 3. And also came up with optimal decompositions of the Fredkin gate.
Do I have ten minutes left? Or how much?
>> Krysta Svore: Seven minutes.
>> Michele Mosca: Seven minutes. Okay. So just to wrap up, I mean, our group, Microsoft and a number of other colleagues around the world have been developing -- this is just a few examples of some nice tools. And we have Igor in the back who had been working on this for many years. I mean, reversible computation, for example. These are all important primitives in optimizing these circuits.

There's number of groups around the world who have been developing tools over the years that will help us when we reach a stage 4, stage 5, and the Devoret-Schoelkopf hierarchy there where we're going to be doing logical, implementing logical circuits. Then you'll -- you really need these tools.
And these tools are important for determining when we will actually be able to take advantage of these chemical simulation algorithms or these other material design-type questions. Or factoring large numbers, which -- so -- so it's a very long-winded answer to the question of what is zed. I don't know, but there's reasons to, you know, think this will happen in the medium term.
There's a lot of ongoing work to determine when exactly this will happen.
How long will it take to -- yes?
>>: I had a question. How many gates for [inaudible]?
>> Michele Mosca: What's the best guess we have as to how many -- I think it's at least -- what is it? -- at least 10 million is probably the lowest guess I've heard. But I don't -- I don't know of a coherent end-to-end answer to that. It depends on a lot of things from the architecture to which fault-tolerant code you're using and so on. But it's a lot.
And I've not seen a sort of reliable end-to-end calculation lately. But even if you did, it would be -- have so many assumptions that -- so how long will it take us to retool the infrastructure? So this, you know, it's not likely to happen in five years or less than ten years, you know, depending -- even if there's a 5 or 10 percent chance of it happening, then we really should be ready for it because so much is at stake.
But how long will it take us to fix the problem? So we have ideas for how to fix it. There's been a lot of research going on since the beginning of public-key cryptography and alternative public-key cryptography. In terms of deploying alternative classical ciphers, you need to make sure they're secure against quantum attacks.
And there hasn't been, I would say, a ton of work in that direction. There's a little more lately, but that's something it would be good if we could find ways to motivate bright young quantum algorithm experts to study these problems so we can gain some degree of confidence.
And, you know, we need eventually to get the standards and practices ready. Just because there exists a code that would solve all our problems doesn't mean it's going to be there when you need it, because it takes years of engineering, implementation engineering, side-channel analysis and so on and standardize -- all the political and standardizing work necessary to actually get these things deployed.
So it will take, in fact, a new workforce, and that's one of the things helped develop at Waterloo, is a training program for our students to learn all the different areas of cryptography and security and so on, as well as some of the nontechnical skills, like learning about standards and certification, to take these tools that we're all working on and bring them to actual practice.
Because I believe that now is the time to be planning this, this transition, to a quantum-safe infrastructure.

So one of the things we looked -- one of the things we need to do is take these alternative schemes, like lattice-based cryptography or code-based crypto, and just look at them with quantum attacks.
So it's one -- here we just -- we looked at what Grover's algorithm would do to the best known lattice, short vector in the lattice algorithms. And it will help a little bit. So it means you have to increase your key a little bit. But we need to study these more intensely and try to do even more sophisticated things with our quantum algorithms. And they still need more classical scrutiny as well.
So the solutions that we know of to replace RSA and the discrete log-based systems, there's two families. They work well together. One is this what's often called post-quantum cryptography, a term coined by Dan Bernstein. They're classical codes, you don't need quantum technologies, which is very convenient.
And they're believed they're computationally secure. So we're still in the realm of, well, we hope they're secure. But you have to do all this hard work to build confidence in the key lengths and so on.
And then there's quantum cryptography which we've heard about since the early '80s, QKD, in particular, quantum crypto we've -- well, we didn't really hear about it. Existed in the '70s, but we didn't hear about it really till the '80s either.
They need some quantum technologies, but, again, QKD doesn't need a quantum computer. It's already commercially available. And the nice thing is, especially for QKD, there's no computational assumptions.
But they work well together. So for authentication, you can use the equivalent of today's signatures, which use the same kind of tools as public-key encryption. Rely on what's in complexity theory called the trap-door predicate. There's a stronger form of signature that, strictly speaking, you only need a one-way function. They historically haven't been as efficient, but people have made them more and more efficient and are implementing them.
Of course, QKD we usually -- historically he talked about symmetric key authentication. But there's no reason you can still use these other kinds of. There's a variety of alternative public-key cryptography. And quantum key establishment is another way to establish keys in the sort of public-key setting.
An important point when you're trying to compare the strengths the weaknesses of QKD -- or the alternative to QKD, which is what we currently do today, and of course I think we're going to keep doing in the future with these new post-quantum ciphers is equivalent to you establish a key through public-key encryption, you don't actually encrypt with the key, normally you just use that key in a symmetric key cipher, is from a complexity theoretic perspective it's called a trap-door predicate.
Where signatures only require a one-way function, strictly speaking. And there aren't too many -- that's Charlie Brown's Christmas tree. There aren't too many alternatives for public encryption that we sort of trust. And there's this extra mathematical structure that in general makes them extra vulnerable. Whereas, there's a plethora of good one-way functions, hash functions, in symmetric key systems.

Now, QKD will allow you to establish key. You need authentication, which in principle you can do with one of these one-way function based schemes, if you want to do it in a public-key setting. You don't need these potentially more vulnerable -- show they're more efficient, typically, that's why we like them. Signature schemes.
So there's various pros and cons to mixing and matching these different ways to authenticate, establish key, and then use the key. What we typically talk about in QKD is use, you know, a
Wegman-Carter, information-theoretically secure authentication, QKD and one-time pad. Top to bottom, it's all information-theoretically secure.
That's certainly great. It's -- but on the more practical end of the spectrum, just going -- we can slowly make stronger and stronger assumptions. So, for example, you could use a more conventional signature scheme, QKD, and then AS, for example, to encrypt.
That means you're trusting the short-term of a trap-door predicate the long-term security of a one-way function.
The classical alternative, which we'll need, because we're not going to have quantum Internet in the near and medium term, as far as what we know how to do today, trap-door -- some sort of signature scheme and a trap-door predicate-based key establishment, and then some symmetric cipher.
The long-term security of this relies on the long-term security of a trap-door predicate, which is a much stronger assumption. So this is one of the advantages I'd like to articulate to using QKD.
So just to wrap up, quantum mechanics forces us to reinvent the foundations of our cryptographic infrastructure. We don't have a choice. And it's important to emphasize to people that quantum-safe is a necessary condition to be cyber safe. Often people are hesitant to adopt or consider adopting these quantum-safe alternatives because they're not as efficient as RSA and so on. And you can't -- you're comparing something that's quantum-safe to something that isn't.
These things will be broken at some point, so you have no choice but to pick one of these alternatives and maybe make them better.
And we're very lucky that we have a head start. We have this warning. It's not like we built the quantum computer first and then realized the undermine information security, public-key cryptography as we do it. We had this 20-year head start. We still have a few more years, but we shouldn't bet on it being too many more years.
The planning at least -- I'm certainly not advocating stop using the current tools and quickly this mad rush to this new untested set of tools. They're not untested, but they haven't been tested as much as stuff that we're currently using.
But start planning. Start making the smart steps in that direction.
So to summarize, there's a lot of very interesting -- there's sort of these two interrelated areas of research I've been interested in recent years, and I like them very much because they allow me to explore some very deep mathematical questions. And they also have, you know, practical implications in the short and medium term.

So thanks a lot for your attention.
[applause].
>> Michele Mosca: Questions?
>>: Yeah, so Michelle, I think you raise a very important issue. In some ways I'm thinking about quantum mechanics or quantum computing as being Y2K of cyber security. But there is this big issue of how much software is currently involved in cyber security and how many lines of code would have to be changed in order to make our global information infrastructure secure?
Have you looked at any estimates? How much --
>> Michele Mosca: It scares me, but, you know, just replacing DES with AS took like ages, right? And that's a trivial --
>>: Well, the reason I asked --
>> Michele Mosca: -- well, from a mathematician -- you know, it's -- in relative scale, an easy thing to do.
>>: Most people don't realize how much software the world [inaudible] to run its affairs today.
And the numbers are staggering. And if you look at the cost of changing software or writing software, it's enormous. You know, I had guesstimated that maybe a trillion lines of software
[inaudible]. So where's -- how much do we have to change and how much is it going to cost and who's going to pay for it?
>> Michele Mosca: Well, that's what scares me about that Y parameter. It's not -- it doesn't suffice for there to exist a solution. It has to actually be implemented, tested, battle tested, side-channel tested, everything, and then standardize -- and it's just years and years. And of course it would move faster if we had -- or as we see the quantum computer approaching. But it's just so many years of engineering. I don't know if, Greg, if you have a -- you want to even try to guess that, the answer to that question. But it's enormous as far as.
>>: [inaudible] I'll give you some numbers in terms of years [inaudible] past decade or so. It took us [inaudible]. We started in 2005. By 2010 we were not done. And this does not include
[inaudible]. Even today we have [inaudible] authorities still use [inaudible] is a rough estimate.
You move [inaudible] shipping your product, making it available. People purchasing it, people deploying it and then finally using it [inaudible].
>>: You're making it sound hopeless.
>>: And in 2006 we shipped [inaudible] cryptography. There's only one company using it today. That's Google. And we started using [inaudible] recently [inaudible].
>> Krysta Svore: Let's take one more question from [inaudible].
>>: [inaudible] transport of quantum state [inaudible] which strikes me as being absolutely radical in terms of the infrastructure [inaudible]. The first talk today was very interesting, though, it was about bootstrapping of quantum-derived entropy. Multiple sites. It may be that --
I mean, it would be interesting to sort of look at to what extent can we use the Internet as much

as possible, use the [inaudible] use all these tricks and figure out a way that -- some of these that provide Web services do the final transport and the rest of the world can live on something simpler. Has anybody looked at this as sort of a hierarchical approach to --
>> Michele Mosca: So QKD can in principle work on deployed optimal networks.
>>: I'm talking about -- yeah, the deployed optical networks to everybody's multiple phone --
>> Michele Mosca: So I don't -- so like when I gave that -- I think we're going to need, you know, conventional post-quantum tools deployed ubiquitously, and that will sort of be the backbone. But -- and then -- but QKD does offer some advantages for customers who are able and interested in having those advantages.
>>: Yeah. What I'm wondering is is there some way of using QKD to get the place to where you're going and then bootstrap from that, generate randomness, for example --
>> Michele Mosca: Oh, I see. Yeah.
>>: Locally, or more locally. So that your mobile phone doesn't need to have a coherent
[inaudible].
>> Michele Mosca: Interesting.
>>: I don't know. But, I mean, it's a direction to work in [inaudible].
>> Michele Mosca: Thanks.
>>: Might work, might not.
>> Michele Mosca: Well, good to meet you.
>>: Yeah.
>> Michele Mosca: [inaudible].
>> Krysta Svore: Let's thank Mike one more time.
[applause]
>> Krysta Svore: Okay. So now we have our final speaker of the day. We have Matthias
Troyer. Matthias is going to speak to us about quantum high-performance computing or high-performance quantum computing. I think this one he's going to talk about quantum algorithms for materials. So let's welcome Matthias.
>> Matthias Troyer: Thank you. And I changed the title a bit because [inaudible] talk about the
[inaudible] methods already. So I wanted to focus more on the high-performance aspect of quantum computing, and I still don't know whether it should be quantum HPC or HPQC
[inaudible] too important to help us decide.

But let me to step back in time. And we've seen the Antikythera mechanism shown multiple times already. So we've come a long way for classical, like the harmonic analyzer by Kelvin.
Those machines were analog, just like the quantum machines that we have now that are analog.
They're simpler but they suffer from scaling problems, they suffer from calibration problems.
The digital machines came later. They are harder to build, but now we have some amazing thing in the machines, and the question is do we need anything beyond that.
And so let me show you the scaling of the fastest machines in the world according to the top 500 list and how it increase exponentially for more than 20 years.
In red the speed of the fastest machine; in yellow the number of 500 on the list, and in blue the sum of the top 500. Some people are starting to say, hey, it starts to bend other, there seems to be an end now. The fact that the faster machine has been the same for three lists in a row, that is for a year, doesn't matter much, that has happened a few times.
So we're still on track I think to reach at least an exaflop, but the question is being asked what do we do once this scaling, Moore's law ends and it stops, what should we do then.
My first answer is write better software and invent better algorithm. But let's focus first on the hardware side.
And we can go to quantum devices. And some we've seen already, like quantum random number generator. Of course when you open it, it's not so clear how much that is quantum. We have quantum key distribution systems, but there are also quantum hackers that can break them.
We have quantum simulators. We have the machine by D-Wave that I should not talk about.
And in the future we might have some quantum computer, but the only thing we know is it will run a version of liquid which will then probably be named into Windows Q.
Now, last week I've been at conference in Italy on high-performance computing where Paul
Messina from Argonne organized a session about enabling technologies for beyond exascale computing.
And the goal is when he defines it, it means he doesn't mean something that yet to flop, he mean something that finally changes totally from the mentally how we compute.
And with that in mind, if that is a context in which these people feel quantum technology, then we should not compare is a D-Wave machine faster than my laptop or not, but we should compare it against the fastest special-purpose machines that we might be able to build classically in 10 to 20 years. And that is beyond exascale.
So that's kind of tough, the reference. It's not about beating my laptop by factor of ten or a thousand. I don't care about this. This is much more.
So let's look at those devices with that in mind. Quantum random number [inaudible]. They don't compute, so let's stop them. Quantum encryption is a different problem. Let's stop with the
D-Wave device. At the moment it's roughly like my laptop and it doesn't scale better, so that is clearly not a candidate. Building that machine better with better qubits might change the game.
We don't know yet. But currently it's not.

Let's look at quantum simulators, at the analog ones first. And they've been vital [inaudible] physics to solve some -- the quantum problems. And they've been chosen a few years back by science magazines to be one of the [inaudible] for the year.
So what is the problem? The problem is that basically this quantum chemistry, it's material simulations. When we want to solve a material problem exactly, the problem is exponentially hard on classical hardware. However, Kohn and [inaudible] invented density functional theory, where the basic idea is that if you want to know most of the properties of a material, like the
Gaussian energy, the Gaussian total density [inaudible] preparation, spectra and so on, you don't need the note the weight functions but you can actually calculate it just using the density. And the density is just the density in space. It lives in three space dimension. The weight function of the [inaudible] problem lives in three N spaces, space dimension, that's what makes it exponential.
Now, the problem is only one knows that one can do that way, but there's a little problem that you need a certain of functional of the density that gives you the Gaussian energy and that is known exactly.
So it has to approximate it, and that works amazingly well in practice. You can calculate the spectra of semiconductors just like silicon, the band structure comes out nicely, here's the
[inaudible] band gap. It just works beautifully. For most simple metals, insulators, semiconductors, proteins and so on. For most problems we can calculate well enough.
And so Walter Kohn and John Pople go the Nobel Prize in chemistry in 1998 for that.
So what's the problem? The problem then that there exists some classes of materials where this breaks down. You can, for example, look at the negative cuprate room temperature to superconductor. They have been very interesting because the position temperature of the best known negative superconductor remain low at about 20 Kelvin for decades. And there's been one law in finding a new negative superconductor; that is, never talk to a theorist.
Now, in 1986, [inaudible] and Miller had a theory that turned out to be wrong. Based on their theory, they looked at a material and found the superconducting position temperature is much higher than before. It jumped up by quite a bit. And then soon after it jumped to about near liquid [inaudible] temperatures jumped up soon to about 140 Kelvin, so a factor of 2 below room temperature and is stuck there since there. So we really want to find out, for example, why is it stuck and can we push it higher by a factor of two and we have room temperature for the semiconductors.
At this time there was a big [inaudible] and so on and what we can have when we have it. But then they didn't find it in the lab.
Now the question is can we simulate it. And, yes, one can. One can use the same density function in theory. And what you get when you simulate the undoped material is you find that the band structure here, that's the Fermi level, and it cuts beautifully through this conduction band which is half filled. This is a metal. According to all the calculation, it's a metal. When you actually build it, it's an insulator.
So the problem is that for density function in the theory here is not even qualitatively right. And this is an insulated which when you dope it it becomes a superconductor. And we want to

understand that. So we want to know what causes superconductivity here and we want to know whether we can design a room temperature superconductor or not. It might not be possible. It might be -- if it's possible, then, yes, we should try and do it.
So what do we do now? Because we can't simulate it exactly, we simplify it. We make a model.
We start from the superconductor, we look at the crystal structure in 3D that one finds that is the important features of single 2D planes here of copper oxide but focuses just on those 2D planes of copper oxide. We are still too complex to solve for negative exactly.
And you look closer and you can find you can focus just on that one single band that cuts the
Fermi surface. So you focus on a single D orbital of the copper. And you make your model just for that and you make a simple, effective model and you try to solve this model.
Now, this model in its simplest form is called the Hubbard model. This is a model in 2D on a
[inaudible]. You have the electrons popping or spin up or down. You have two terms. We want them T here at the top of the electron. In the Coulomb repulsion which gives rise to this, into the four terms in quantum chemistry. You simplify it. You only take the local term of two electrons being in the same orbital. And that costs energy U locally. So it's kind of the simplest model that you can take.
If you drop the hopping term, then it becomes trivial. If you top the U term, then it becomes
[inaudible]. But this is the simplest model you can have for strong interacting thing -- thing, electrons. And it's immediately obvious also why those materials are insulators. Although you can have up to two electrons per lattice side. If you have a strong repulsion U, you only want to have a single one. If you then put one on each side, it's just stuck insulating.
Now we want to dope it a bit and we want to solve it. And here's the simplest model. I have only four states per lattice site. But the problem is still exponentially hard to solve in 2D. So far we have some ideas of what the physics is, but basically nobody has really solved it yet.
This is something that we might be able to do in the next ten years to learn something about it, transition temperatures, maybe be end up having mechanisms. But we can't really solve it on classical hardware.
And so the idea then was to follow Feynman's suggestion and use a quantum device to solve such a quantum problem that we can't solve yet on the exascale machine.
They use about $2 million worth of equipment, mostly lasers, lenses, mirrors. Work for three years. Control noise to nano-Kelvin levels, cool it down. So this is really the coldest place in the universe. It's a few nano-Kelvin.
And then the atoms they place in there start behaving like the quantum objects and they build and they form a Hubbard model. So they take atoms which they cool down, they place those atoms in like optic lattices from the laser waves.
And the effective model that describes the physics of these very cold atoms is the Hubbard model. The atoms sit at [inaudible] the laser lights for the dipole moment. They want to sit at the maxima of the laser light. That's the potential minimum. The atoms can hop. When there's two items nearby, there's some repulsion. That's the U-turn.

So basically take hardware and build a Hubbard model from quantum layers. And then one has the Hubbard model realized, one can tune the hoppings by changing the laser negative amplitudes and replacing it to 1D, 2D, 3D lattices, super lattices and all just using lasers.
And you can use bosons and fermions and so on. And the claim is now we can solve all models of quantum metaphysics. We have [inaudible] metaphysics.
Now, there are two problems. First of all, you have to build it and then show that it works. So that's the first problem. But then one can actually test. So what we did is we asked them what exactly have you built, and we asked them the question for bosons because bosons we can simulate.
And so using bosons, we ask them what have you built, which atoms, which track, which lasers and so on, and then we just simulate it for the bosonic version of the Hubbard model what they should see. And we measure the mow momentum distribution function. And what one sees is that at high temperatures, it's pretty broad. When you're to low temperatures, some spikes appear at the [inaudible] and that is an indication of the onset of [inaudible] the condensation. The bosons condense, and one sees clearly that's just the negative onset what happens, and it looks the same in the experiment and in the simulation.
Those simulations take for each plot one day on a PC on a single core. This simulation in the lab take for each image a few minutes, an hour in the lab.
And the agreement is excellent. Once we really understood what really appeared in the lab and how they calibrate things and so on.
Now, these things work. But this is the problem that we do have to solve. What about the fermionic Hubbard model. The good news is that they're getting to the machine where it's hard for us to simulate it.
One looks at dynamics of the atoms. If one just looks at the finite temperature properties, the static ones, then one sees that a limitation because these are analog devices. One problem is calibration. Another problem is cooling. We want to cool these atoms down, and the problem is how do you cool something that's a nano-Kelvin temperatures. You don't have a cryostat to cool them lower. So we have a problem with cryostats.
So you need to remove entropy, and that's been hard. So the scales, what we understand, is the
Fermi energy is about up here. These gases come down to about 1/10 of the Fermi energy.
These are pretty quantum. But compared to the temperature scale in the [inaudible] this is 5,000
Kelvin.
The first simple magnetism that we can simulate sends in at three times lower temperatures.
Superconductivity, one needs to go another factor of 10 below. It's a huge challenge reaching these points. And then if one manages to reach it and manages to simulate it, it's only for the
Hubbard model because using those atoms, these quantum layers, I can build a Hubbard model but not much more.
So what we really want, we want to build a quantum computer. But the quantum computer should be useful. It will cost a lot of money, as we know. It will take decades to develop.

So the question that comes up that we've been discussing [inaudible] is what do we do with quantum -- what do we do that's beyond exascale. So what are the important applications.
Okay. That we know that we can solve on a quantum computer, that gets harder, and that at the same time we cannot solve it on the best special-purpose post-exascale machine in 10 to 20 years.
But this is the yardstick and that's what we should think about. And I've asked that many people and got immediate answers. Shor's algorithm for factoring. I'm not sure this is a killer app because once we can build such a machine, that will be [inaudible] and then there might be a few users who still want it, but I'm not interested anymore.
Grover search is what one hears next. And it's often described as searching in a database. But this not replication as we know because if I have a real-world [inaudible] database I need to implement the query lookup, and that needs access to all the data, so I cannot do it faster than with O(N) gates, a single lookup.
And with O(N) effort I can solve it already classically. So it's only useful if you have an Oracle that you can compute efficiently. And nobody so far has told me what is the real killer app that meets this.
Then I want to go into more details on three methods now, quantum PageRank, linear systems, and material simulations to just show that in the literature there are many claims that one has to question and check carefully.
Quantum PageRank was a paper by some people at the USC. They've shown how you can solve the PageRank problem in log(N) time. You get exponential speedup over a classic machine.
But in order to do that, they don't encode the vector in log(N) qubits as one could because then it's hard to write the code, but they use unary encoding using N qubits and they just use the states where one qubit is 1 and the others are 0.
And then they develop a nice adiabatic method to solve the problem. And basically one has to evolve the system adiabatically to find the ground state of a simple spin model that one can build.
But if you look, the closer the spin model has all-to-all couplings. So for the N Web page
PageRank problem, you need to implement N qubits and you have N squared couplings.
And if you do all of those couplings in an analog device, for example [inaudible] in parallel using N squared couplers, then one can solve it in polylog time.
Let us compare to classical hardware. If I don't go parallel, if I do it serially, then classically I solve it using [inaudible] power method with a few iterations of the matrix [inaudible] multiplication. The matrix is sparse. So anytime that this is order N, I need hardware -- okay, so
I want to -- what do I show here? I just want to look at the general purpose. I need memory that is linear in the problem size. I need to store the vector. The quantum device has the same. The time is linear if you do one term after the other. It's actually quadratic. I should fix that because it's N-squared terms. It's quadratic. So serial is worse.

What about if I do it parallel? If I do it parallel, those people did check the literature and they didn't find any classical logarithmic time method. And we talked about it, and I said it should be possible they should write down the parallel classical algorithm. If I use N nodes, for example, then it should do it faster. I finally found out it depends on the [inaudible] panels of your network. If you use the typical 3D, the crossbar network, then the [inaudible] panel is limited and the scaling goes from N down to the cube root of N.
You can go to log(N), but in order to go to log(N), you need an all-to-all network. Which we wouldn't want to build. But with an all-to-all network, we could do it. It's better here because the matrix is sparse. We don't need it at all, it just need it -- it build like the connectivity of the
Web graph.
But what the quantum algorithm proposes is to build such an all-to-all network in hardware, and then the time goes to log(N). If we do the same on the classical machine, it's also log(N). The hardware requirements are better for my classical special-purpose hardware, although I think we would never want to build it.
Another thing nice about, we build this. So you have to really compare not just [inaudible]. You have here an idea how something can be done in log(N) time, but you have to compare that you compare to classically to something where the hardware requirements scaling the same way. If not, it's just not true.
So the quantum speedup here vanishes when compared to parallel quantum hardware, and it's not the quantum speedup, it's parallel speedup. Yeah.
>>: There's a lower bound for classical computation in two or three dimensions, so if you assume that the time to connect it from point A to point B goes at least linear with distance, then you get the N, let's say the power of 1 over 3 for 2D and N to the power of 1 over 4 [inaudible].
>> Matthias Troyer: How about [inaudible]?
>>: I have not seen it, but I suspect that it also [inaudible].
>>: It should be the same, yeah.
>> Matthias Troyer: Okay. So don't get fooled by the parallel speedup.
Now, solving linear systems of equations. Is that a killer app? I'm not sure, but at least it can be solved in log(N) times, but we have to be careful it requires that I only need to know log(N) bits of the answer that can be done. The problem has to be well conditioned. And in order to apply this algorithm, we have to evolve the right-hand side with the exponential of the matrix, which can be assumed to be [inaudible].
So for general time evolution, if the matrix has N squared N [inaudible] it cannot do it with less than N-squared case because you need to get at least each of those data points in. The complexity can't be better than that.
And classically if I can use an iterative solver, I do my [inaudible] multiplications there N squared. It looks like the same scaling.

Now, the group of Lloyd proposed a quantum algorithm to do the time evolution with a general matrix in log(N) time. But this needs something called QRAM, the [inaudible] of the memory addresses. And into that QRAM you have to load a square root of the matrix.
Now, I need N-squared gates and qubits to implement it. And to calculate the square root of a matrix, I have to do that before I use it. Classically, that needs N cubes. In N-cube time, that can solve anything linear problem.
Now, let's assume I don't get the matrix but I get the square root. Does this help? So then it could beat Gaussian elimination, but if you give me N-squared hardware, I can't just make a special-purpose device where the memory not only stores the matrix but it does matrix vector multiplication, it can do the matrix vector multiplication in memory in log(N) time. So then I do -- so then I get to a scaling that is very similar.
It now depends on which algorithm converges in few iterations. But if I have to store the matrix, again there's no speedup, and that means that for many linear problems that depend on data, this might not be a good approach either.
One can solve it efficiently if you can implement that evolution by [inaudible] short circuit. That was shown in a nice paper by Clader, et al., that was shown by the [inaudible] yesterday. They look at the wave scattering problem. And here the finite difference [inaudible] of the [inaudible] can be implemented easily.
The shapes where you use scatter of the implement [inaudible] splines. So they can calculate the matrix on the fly. They've done it. They have checked what are the resource requirement and it can beat a current generation supercomputer for problems that it need more than a million years.
Sorry -- a thousand years.
So this is again something where we need to see can we speed this up like method for the quantum chemistry. But this is going to be hard.
And so maybe one should look at the problem of what do we do with a quantum machine, not by looking at something that we can do, quantum mechanically and then hoping that it's hard classically.
But let us just look at what are the main applications that run on the linear peta scale machines.
And I have a slightly outdated slide from my colleague Thomas Schulthess. He made a list of the top performing codes that ran on the Jaguar machine, which was the first machine to break through the petaflop barrier.
And all of the codes that reached more than a petaflop are material simulation and chemistry problems. So this is the big challenge. This is what computers are used for but what really stressing them out. This is what brings up the power consumption. The climate models need much less power because they're memory bound and not compute bound.
So this might be the killer app, and we heard from Krysta and from Dave already what one would do with it. We look for superconductors [inaudible]. And there would be many things to do if we had such a machine.

And let me skip over this because I think Matt probably showed how one does it on a quantum machine. And we now know how to do or how we could potentially do a quantum simulation of a molecule with about a hundred electrons. So if we had a quantum computer.
But now we want to tackle that question not of the catalyst, the molecule, but we want to find this room temperature superconductor.
And the challenge there is I need to now model this lab [inaudible]. It's not just a simple molecule, it's the big crystal. Need to look at least at maybe ten times -- ten unicells, I have at least 10,000 electrons. It's about a factor bigger of a hundred bigger than those molecules. The scaling is still at least N to the 5. The runtime is a factor of 10 to the 10 longer, and we're back at midline here and more. Although we have not much faster algorithms.
So what do we do there? We do the same as what we've done with the analog quantum simulators. We go back to effective models. We should just not solve the material put forth but let us simplify it classically first. Let us go down again to the Hubbard model, and then the question is this Hubbard model which was still hard classically, can we solve it efficiently on a quantum computer.
And that one can. That has been proposed since nearly 20 years. Abrams and Lloyd proposed that one can use the quantum computer to simulate the time evolution under the Hubbard
Hamiltonian. That's great, but they didn't show more. They didn't show how to do it, how hard it would be.
There was more in a paper by Ortiz, et al. They showed how one maps the fermions to qubits, but they did not show the circuits and they did not calculate the gates one needs, so they did not look at the runtime.
And when showing how to measure things, they were cheating. Because in their plots, they showed the expectation value under the wave function and made beautiful plots of what one would get and that it's what it should be.
But if you have a quantum computer, you can't just read out the wave function but you can only sample and then you get a single bit per measurement and not a nice average, and so you have to sample, and it's much, much harder [inaudible]. So those are things that be work on now.
The advantage of the Hubbard model is that the Coulomb terms drops down from N to the 4 terms to just a single term. The hopping terms and the Coulomb terms you can all apply in parallel. The Hubbard use just locally, so it's easy. Those you use [inaudible] parallel.
The hopping terms [inaudible] also do them in constant time. You can do a time step using the
Hubbard model in constant time independent of the problem size. I still have to prepare it. That takes time N squared, since we think that the gaps might close like 1 over N.
But it's still a beautifully nice scaling. And so the Hubbard model will be much easier than doing molecules. One still has to find out how do we prepare the constant, how does one find the constant, how long does it take, how do we measure [inaudible] functions. If we look at superconductivity, we have pair correlation functions that are N to the 4 terms here. The scaling goes up again and one needs to see how to do it nicely.

So let's assume we are there now and we have built a beautiful quantum computer with 2,000 qubits, we solved the Hubbard model in half a second.
What have we gained? And I ask the question to one of my material colleagues, the simulations, if she's excited if a gate for a machine to solved the Hubbard model, and she said no, she would be totally unexcited, she would be totally bored and would not even look at it. Why? Because the Hubbard model doesn't describe anything in nature except what are called atoms in optic lattices.
[laughter]
>> Matthias Troyer: So it might be useful to teach us fundamental mechanisms about the physics of the systems when they will not give us quantitative predictive power.
Now, it got my colleague interested in the Hubbard model, but telling her if the Hubbard model doesn't describe the material and you like designing materials, why don't you design Hubbard material. Why don't you look for a material that is well described by the Hubbard model. She liked is challenge. She found one now that might be. And [inaudible] she does is solid state quantum simulators for what we call quantum gases.
But what she would really like to have is quantitatively predictive power. She would really like to say, okay, if I build this material, if I mix it in [inaudible] it has these properties to see if --
200 Kelvin now or something. And we cannot yet do a full ab initio simulation because using near 10,000 spin orbitals or more. It's just too hard. We will never do that unless somebody gives us a really, really fast [inaudible] K time quantum computer.
So the solution that I see is that we go hybrid. That we use classical algorithms to find effective models that are more quantitative than the Hubbard model that can quantitatively describe the material and then use the quantum machine to solve those effective models and then get quantitative answers out and try to iterate that. And those methods we are just working on.
So if we view quantum computing not just as a nice mathematical gain but as a post exascale technology, then it's hard to find those killer apps because the problem has to be too hard for a future exascale machine. We have to have a quantum algorithm to actually solve it faster.
The crossover scale has to be shorter than our lifetime, and it's just extremely hard to compete against. [inaudible] they build special-purpose classical hardware. But that's our competitor.
Factoring and code breaking is of limited use. Quantum chemistry I think is one of the clear applications. Solving linear systems, well, I don't know yet which ones we can solve well enough yet. There might be others. Machine learning is one hope. But we don't know yet how to do it.
But I think having one killer app is already great. And what I want to basically say here is, somebody, it's time that we view quantum algorithms and quantum algorithm research not just as theoretical computer science field but in the context of classical HPC, which are the really hard application problems that people want to solve but people in [inaudible] and can we really compete there. And that's the challenge we need to address. Thank you.
[applause]

>>: So I have a question. If the Fermi Hubbard model is insufficient for designing these materials, what would the proper model be and what's the actual complexity simulated?
>> Matthias Troyer: The proper model would have to include at least all the bands of the
[inaudible] and that maybe is enough to take the five P orbitals. We have three P locally, we have one S, so that's about nine orbitals locally, then we have [inaudible] we need at least two of the P bits there.
So we need at least about a 20-band model per unicell. Maybe one can bring that down to a
10-band model or a five-band model. I don't know.
But then that's just a single unicell and then you need to go that -- go that -- to a negative
[inaudible] system you can do that exactly. That might be challenging. Or you can once more mix that with some hybrid approaches [inaudible] like and find something that's better. So it will be hybrid in the end I think.
But it's well beyond one-band model. It's at least a three-band model, probably more of a five- or a ten-band model.
>>: If one built a quantum memory to hold the cell, each cell, just move the circuitry on top of -- bring the cell out from memory, do a time step, put it away, bring another one out and do a time step, put it away --
>> Matthias Troyer: That's doable if we have short [inaudible] actions. The Coulomb action is screened but not at the length scale of one unicell.
And there's also one problem with the Hubbard model. It just has the local part of the Coulomb energy. We think that's not enough to explain the physics quantitatively. But you might be able to truncate it after three, and then the scaling is not too bad for defective model.
If you want to do the full one, then you need to also have the screening of the Coulomb action emerge from the simulation. It's much better to estimate the screed one classically and then solve the effective model with the screened interaction.
>>: So this is a very thought-provoking talk to end the session on. But have you looked at or talked to, say, biologists that this biology gives some potential applications where quantum computers would be good. And certainly one area where I can think you need an enormous amount of computation is verifying software.
>> Matthias Troyer: Yes. So let's first talk about biology. At the same session on [inaudible] exascale computing one talk was by people from [inaudible] two machine for code enfolding.
And that's really nice special purpose hardware that shows what one might be able to do. But they say they would love to have a quantum computer, if we could build them, because -- not because they can't solve the problem, they can, easily, the problem is that you need to know the forces occurred enough in the classical force field, so they do just not good enough.
So I wouldn't calculate the force on the big protein quantum mechanically because then things get far too slow. But one needs to look at bits and pieces, polarizations of [inaudible] and get better classical force fields on the quantum hardware and use them then in this hybrid approach.

>>: This is interesting because these -- the forces get inaccurate in N time when they're very short in range. And so one could imagine doing molecular dynamics [inaudible] generating a configuration of the atoms. You know where the coordinates of all the nuclei and all that stuff, you know where the orbitals [inaudible] computer problem, compute grabs that energy and go in that direction and then go back and forth. Now, we've seen MDN and chemistry used together but not quite that way. And that might be --
>> Matthias Troyer: Well, the N scales that Anton wants to go to, the millisecond scales, you need to be able to calculate the force in microseconds. So you need to do those things not in hours but in microseconds.
That's challenging. I don't think we'll do it. I think when we look at the typical near configuration, do them offline, parameterize it, find out what happens, and then improve it. Find out it doesn't do what nature does, so one checks again what would have to move. But, yes, they would be a customer for such a machine to help them get the force fields better.
>>: And they can afford it too.
>> Matthias Troyer: Oh, yeah.
>>: Good.
>> Matthias Troyer: Well, it depends on what you sell it for in the end. Maybe cloud service.
But then there was a question --
>>: [inaudible]
>> Matthias Troyer: [inaudible] mostly clustering of data machine learning problems. I don't know. When you get -- the second question --
>>: There's a lot of work particularly in Europe on verifying software, proving software correct.
>> Matthias Troyer: That's by [inaudible] machine. It's just you -- yes, we want to look for quantum algorithms to solve hard [inaudible] problems. We don't know if quantum hardware helps them or not.
>>: So I think your talk is a testimonial to importance of computational thinking. You want to find the attractions and models for the problem at hand that are amenable to define the computational device that you have.
>> Krysta Svore: One more question.
>>: Okay. So let us suppose some theoretical computer scientist is going to take your advice.
So here is [inaudible] question. So what are new problems to look for? So we know [inaudible] but then what are the other quantum problem that are [inaudible]?
>> Matthias Troyer: Okay. So the first advice I have to theoretical computer scientist is to talk to application people. I found some very -- I found a huge gap there often, even classically.

So then the other big question is quantum mechanics is intrinsically linear. How easy is it to solve nonlinear problems. Linear ones, no, but nonlinear problems might be hard.
But you need to know a range of application problems to then be able to match your quantum algorithms, maybe something somebody wants to solve.
So my advice is talk to application people. Talk to people in supercomputing and what they do.
>>: I'd like to make a quibble about the linear area. Certainly military operations are linear, for sure, but when you start mixing classical control operations, then you can be --
>> Matthias Troyer: Don't give away all our ideas.
[laughter]
>> Krysta Svore: Let's thank Matthias again for a great final talk.
[applause]