Potential

Integer factorization, which underpins the security of public key cryptographic systems, is believed to be computationally infeasible with an ordinary computer for large integers if they are the product of few prime numbers(e.g., products of two 300-digit primes).[15] By comparison, a quantum computer could efficiently solve this problem using Shor's algorithm to find its factors. This ability would allow a quantum computer to decrypt many of the cryptographic systems in use today, in the sense that there would be a polynomial time (in the number of digits of the integer) algorithm for solving the problem. In particular, most of the popular public key ciphers are based on the difficulty of factoring integers or the discrete logarithmproblem, both of which can be solved by Shor's algorithm. In particular the RSA, Diffie-Hellman, and elliptic curve Diffie-Hellmanalgorithms could be broken. These are used to protect secure Web pages, encrypted email, and many other types of data. Breaking these would have significant ramifications for electronic privacy and security.

However, other cryptographic algorithms do not appear to be broken by those algorithms.[16][17] Some public-key algorithms are based on problems other than the integer factorization and discrete logarithm problems to which Shor's algorithm applies, like theMcEliece cryptosystem based on a problem in coding theory.[16][18]Lattice-based cryptosystems are also not known to be broken by quantum computers, and finding a polynomial time algorithm for solving thedihedral hidden subgroup problem, which would break many lattice based cryptosystems, is a well-studied open problem.[19] It has been proven that applying Grover's algorithm to break a symmetric (secret key) algorithm by brute force requires time equal to roughly 2n/2 invocations of the underlying cryptographic algorithm, compared with roughly 2n in the classical case,[20] meaning that symmetric key lengths are effectively halved: AES-256 would have the same security against an attack using Grover's algorithm that AES-128 has against classical brute-force search (see Key size).Quantum cryptography could potentially fulfill some of the functions of public key cryptography.

Besides factorization and discrete logarithms, quantum algorithms offering a more than polynomial speedup over the best known classical algorithm have been found for several problems,[21] including the simulation of quantum physical processes from chemistry and solid state physics, the approximation of Jones polynomials, and solving Pell's equation. No mathematical proof has been found that shows that an equally fast classical algorithm cannot be discovered, although this is considered unlikely.[22] For some problems, quantum computers offer a polynomial speedup. The most well-known example of this is quantum database search, which can be solved byGrover's algorithm using quadratically fewer queries to the database than are required by classical algorithms. In this case the advantage is provable. Several other examples of provable quantum speedups for query problems have subsequently been discovered, such as for finding collisions in two-to-one functions and evaluating NAND trees.

Consider a problem that has these four properties:

1. The only way to solve it is to guess answers repeatedly and check them,
2. The number of possible answers to check is the same as the number of inputs,
3. Every possible answer takes the same amount of time to check, and
4. There are no clues about which answers might be better: generating possibilities randomly is just as good as checking them in some special order.

An example of this is a password cracker that attempts to guess the password for anencrypted file (assuming that the password has a maximum possible length).

For problems with all four properties, the time for a quantum computer to solve this will be proportional to the square root of the number of inputs. It can be used to attack symmetric ciphers such as Triple DES and AES by attempting to guess the secret key.[23]

Grover's algorithm can also be used to obtain a quadratic speed-up over a brute-force search for a class of problems known as NP-complete.

Since chemistry and nanotechnology rely on understanding quantum systems, and such systems are impossible to simulate in an efficient manner classically, many believequantum simulation will be one of the most important applications of quantum computing.[24] Quantum simulation could also be used to simulate the behavior of atoms and particles at unusual conditions such as the reactions inside a collider.[25]

Quantum supremacy

Main article: Quantum supremacy

John Preskill has introduced the termquantum supremacy to refer to the hypothetical speedup advantage that a quantum computer would have over a classical computer in a certain field.[26]Google has announced that it expects to achieve quantum supremacy by the end of 2017, and IBM says that the best classical computers will be beaten on some task within about five years.[27] Quantum supremacy has not been achieved yet, and skeptics like Gil Kalai doubt that it will ever be.[28][29] Bill Unruh doubted the practicality of quantum computers in a paper published back in 1994.[30] Paul Davies pointed out that a 400-qubit computer would even come into conflict with the cosmological information bound implied by the holographic principle.[31] Those such as Roger Schlafly have pointed out that the claimed theoretical benefits of quantum computing go beyond the proven theory of quantum mechanics and imply non-standard interpretations, such as multiple worlds and negative probabilities. Schlafly maintains that the Born rule is just "metaphysical fluff" and that quantum mechanics doesn't rely on probability any more than other branches of science but simply calculates the expected values of observables. He also points out that arguments about Turing complexity cannot be run backwards.[32][33][34] Those who prefer Bayesian interpretations of quantum mechanics have questioned the physical nature of the mathematical abstractions employed.[35]

Obstacles

There are a number of technical challenges in building a large-scale quantum computer, and thus far quantum computers have yet to solve a problem faster than a classical computer. David DiVincenzo, of IBM, listed the following requirements for a practical quantum computer:[36]

• scalable physically to increase the number of qubits;
• qubits that can be initialized to arbitrary values;
• quantum gates that are faster thandecoherence time;
• universal gate set;
• qubits that can be read easily.

Quantum decoherence

Main article: Quantum decoherence

One of the greatest challenges is controlling or removing quantum decoherence. This usually means isolating the system from its environment as interactions with the external world cause the system to decohere. However, other sources of decoherence also exist. Examples include the quantum gates, and the lattice vibrations and background thermonuclear spin of the physical system used to implement the qubits. Decoherence is irreversible, as it is effectively non-unitary, and is usually something that should be highly controlled, if not avoided. Decoherence times for candidate systems, in particular the transverse relaxation time T2 (for NMR andMRI technology, also called the dephasing time), typically range between nanoseconds and seconds at low temperature.[14] Currently, some quantum computers require their qubits to be cooled to 20 millikelvins in order to prevent significant decoherence.[37]

As a result, time consuming tasks may render some quantum algorithms inoperable, as maintaining the state of qubits for a long enough duration will eventually corrupt the superpositions.[38]

These issues are more difficult for optical approaches as the timescales are orders of magnitude shorter and an often-cited approach to overcoming them is optical pulse shaping. Error rates are typically proportional to the ratio of operating time to decoherence time, hence any operation must be completed much more quickly than the decoherence time.

If the error rate is small enough, it is thought to be possible to use quantum error correction, which corrects errors due to decoherence, thereby allowing the total calculation time to be longer than the decoherence time. An often cited figure for required error rate in each gate is 10−4. This implies that each gate must be able to perform its task in one 10,000th of the coherence time of the system.

Meeting this scalability condition is possible for a wide range of systems. However, the use of error correction brings with it the cost of a greatly increased number of required qubits. The number required to factor integers using Shor's algorithm is still polynomial, and thought to be between L andL2, where L is the number of qubits in the number to be factored; error correction algorithms would inflate this figure by an additional factor of L. For a 1000-bit number, this implies a need for about 104 bits without error correction.[39] With error correction, the figure would rise to about 107 bits. Computation time is about L2 or about 107steps and at 1 MHz, about 10 seconds.

A very different approach to the stability-decoherence problem is to create atopological quantum computer with anyons, quasi-particles used as threads and relying on braid theory to form stable logic gates.[40][41]

Developments

There are a number of quantum computing models, distinguished by the basic elements in which the computation is decomposed. The four main models of practical importance are:

• Quantum gate array (computation decomposed into sequence of few-qubitquantum gates)
• One-way quantum computer(computation decomposed into sequence of one-qubit measurements applied to a highly entangled initial state or cluster state)
• Adiabatic quantum computer, based onquantum annealing (computation decomposed into a slow continuous transformation of an initial Hamiltonianinto a final Hamiltonian, whose ground states contain the solution)[42]
• Topological quantum computer[43](computation decomposed into the braiding of anyons in a 2D lattice)

The quantum Turing machine is theoretically important but direct implementation of this model is not pursued. All four models of computation have been shown to be equivalent; each can simulate the other with no more than polynomial overhead.

For physically implementing a quantum computer, many different candidates are being pursued, among them (distinguished by the physical system used to realize the qubits):

• Superconducting quantum computing[44][45] (qubit implemented by the state of small superconducting circuits (Josephson junctions))
• Trapped ion quantum computer (qubit implemented by the internal state of trapped ions)
• Optical lattices (qubit implemented by internal states of neutral atoms trapped in an optical lattice)
• Quantum dot computer, spin-based (e.g. the Loss-DiVincenzo quantum computer[46]) (qubit given by the spin states of trapped electrons)
• Quantum dot computer, spatial-based (qubit given by electron position in double quantum dot)[47]
• Nuclear magnetic resonance on molecules in solution (liquid-state NMR) (qubit provided by nuclear spins within the dissolved molecule)
• Solid-state NMR Kane quantum computers (qubit realized by the nuclear spin state of phosphorusdonors in silicon)
• Electrons-on-helium quantum computers (qubit is the electron spin)
• Cavity quantum electrodynamics(CQED) (qubit provided by the internal state of trapped atoms coupled to high-finesse cavities)
• Molecular magnet[48] (qubit given by spin states)
• Fullerene-based ESR quantum computer (qubit based on the electronic spin of atoms or molecules encased in fullerenes)
• Linear optical quantum computer(qubits realized by processing states of different modes of light through linear elements e.g. mirrors, beam splittersand phase shifters)[49]
• Diamond-based quantum computer[50][51][52] (qubit realized by electronic or nuclear spin of nitrogen-vacancy centers in diamond)
• Bose–Einstein condensate-based quantum computer[53]
• Transistor-based quantum computer – string quantum computers with entrainment of positive holes using an electrostatic trap
• Rare-earth-metal-ion-doped inorganic crystal based quantum computers[54][55](qubit realized by the internal electronic state of dopants in optical fibers)
• Metallic-like carbon nanospheres based quantum computers[56]

The large number of candidates demonstrates that the topic, in spite of rapid progress, is still in its infancy. There is also a vast amount of flexibility.