0% found this document useful (0 votes)
103 views6 pages

Quantum Operating Systems

Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
103 views6 pages

Quantum Operating Systems

Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

Quantum Operating Systems

Henry Corrigan-Gibbs, David J. Wu, and Dan Boneh


Stanford University
ACM Reference format:
Henry Corrigan-Gibbs, David J. Wu, and Dan Boneh Stanford University. Circuit C

RAM, I/O

qFPGA
2017. Quantum Operating Systems. In Proceedings of HotOS ’17, Whistler,
BC, Canada, May 08-10, 2017, 6 pages. x86 CPU xi
https://doi.org/10.1145/3102980.3102993 C(xi )

Abstract. If large-scale quantum computers become commonplace,


the operating system will have to provide novel abstractions to Figure 1: A classical processor connected to a quantum FPGA. The classical
capture the power of this bizarre new hardware. In this paper, we processor programs the qFPGA with the a description of a quantum circuit
consider this and other systems-level issues that quantum computers C : {0, 1}n → {0, 1}n . The CPU can then send inputs xi ∈ {0, 1}n and receive
would raise, and we demonstrate that these machines would offer the output C(xi ) of the quantum circuit applied to xi .
surprising speed-ups for a number of everyday systems tasks, such
as unit testing and CPU scheduling.
What sort of computer architecture will our quantum comput-
1 INTRODUCTION ers employ, and what kind of operating systems will run on these
The last few years have seen tremendous progress towards the con- machines? In this paper, we explore the possibility of quantum op-
struction of non-trivial quantum computers [7, 23, 29]. A number erating systems by asking, and partially answering, a number of
of start-ups are working towards commercializing the technology, questions related to the design of this new type of system:
NIST is standardizing new “post-quantum” cryptosystems [41], and • What new abstractions could a quantum operating system
industry giants, including Google [20] and Microsoft [39], are tak- expose to the programmer?
ing steps today to defend their systems against quantum-enabled • How could the power of quantum computers improve the
adversaries in the future. Large-scale quantum computers may exist performance of classical software systems?
in our lifetimes. • What would a distributed system of quantum computers look
The first electronic computers—the Mark I, Colossus, and ENIAC— like? And what new functionality could such a system pro-
were expensive, cumbersome, and sluggish machines, primarily use- vide?
ful to government code-breakers and weapons designers. Much like
This paper is necessarily (and shamelessly) speculative: it is far
the first electronic computers, the first quantum computers will al-
too early to know exactly what sort of quantum computing hard-
most certainly be costly and slow and, as with the first electronic
ware will exist in 20, 50, or 100 years. Even so, we can use the
computers, the most obvious applications of quantum computers
existing models of quantum computation to project what will likely
will be to breaking classical cryptosystems, such as RSA [44], and
be possible if large-scale quantum computers come to exist in the
physical simulation.
future.
Fortunately for us, over time classical computing hardware be-
The skeptical reader may—with some cause—view this paper as
came cheaper and faster, and modern operating systems provided
a collection of negative results: as far as we know, there are not too
hardware abstractions, virtual memory, and time-sharing to make
many exciting things that one can do with a quantum computer that
computers easier, safer, and faster to use. Computers became a
one could not do with a somewhat larger or faster classical machine.
universal tool, with applications far beyond the stodgy realms of
Our purpose is to simply take the notion of quantum computing to
cryptanalysis and bomb design. If we are lucky, just as classical
its logical conclusion and ask: what would happen if we each had
computers became smaller, cheaper, and faster over time, so will
one of these magical quantum machines on our desk?
quantum computers. When they do, programmers will again look
We dedicate the bulk of the paper to sketching three possible
to the operating system to make these new and unfamiliar devices
architectures for quantum computers, arranged in order from least to
easier, safer, and faster for everyday people to use.
most fanciful: we first discuss quantum FPGAs, then quantum x86
Permission to make digital or hard copies of all or part of this work for personal or machines, and finally, quantum distributed systems. For each, we
classroom use is granted without fee provided that copies are not made or distributed consider the applications that the machine would have to common
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than the
systems tasks, such as fuzz testing, CPU scheduling, and parallel
author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or programming. We also discuss the systems-level challenges that
republish, to post on servers or to redistribute to lists, requires prior specific permission each architecture would present.
and/or a fee. Request permissions from [email protected].
HotOS ’17, May 08-10, 2017, Whistler, BC, Canada
© 2017 Copyright held by the owner/author(s). Publication rights licensed to Association 2 BACKGROUND
for Computing Machinery.
ACM ISBN 978-1-4503-5068-6/17/05. . . $15.00 To set the scene for our discussion, let us first review a few key
https://doi.org/10.1145/3102980.3102993 results from the quantum computing literature. Quantum algorithms,

76
in certain settings, provide surprising speed-ups over classical algo- C that implements her computation of interest. A quantum circuit is
rithms. For example, consider the following computational problem: much like a classical Boolean circuit, except that it uses elementary
Problem 1 (Unstructured Search). Given a function f : {1, . . . , N} → quantum gates (e.g., Toffoli and Hadamard gates [3]) instead of
{0, 1} find an x∗ ∈ {1, . . . , N} such that f (x∗ ) = 1. conventional logic gates (AND, OR, NOT).
The programmer would then send the description of a quantum
If we treat the function f as a “black box,” the best classical algo- circuit C to the qFPGA over a classical bus. Once programmed
rithm for this problem is just brute-force search: compute f (1), f (2), with the circuit C, the CPU could send the qFPGA an input xi . A
f (3), and so on, until finding an x∗ such that f (x∗ ) = 1. Indeed, any classical control unit would orchestrate the quantum computation
classical algorithm for this problem must invoke f at least Ω(N) on the qFPGA by applying each quantum gates to the qFPGA’s
times to succeed with good probability. In contrast, there is a quan-
√ state registers in sequence. The qFPGA would then send the output
tum algorithm for solving this problem that invokes f only O( N) C(xi ) of the circuit applied to xi back to the CPU. The inputs xi and
times. the output C(xi ) would both be classical bitstrings, so the CPU and
I NFORMAL T HEOREM 2 (G ROVER [35]). There is a quantum qFPGA could exchange these values over a classical bus.
algorithm As far as we know, we are far far away from being able to con-
√ for the Unstructured Search Problem that invokes f at
most O( N) times and that succeeds with probability at least 2/3. struct anything resembling a quantum FPGA. The current generation
of quantum computers implement circuits that operate on just a hand-
To explain why such a speed-up is even possible: a classical ful of qubits [23, 24, 37], so we are orders of magnitude away from
algorithm that treats f as a black box can only evaluate f at a single an FPGA-like device that could perform any large-scale quantum
input at a time—the classical algorithm works locally. In contrast, a computation. But, let us imagine that we had such a device. What
quantum algorithm can essentially evaluate a “black-box” function could it do?
f at a mixture of inputs (a “superposition” of inputs) and can thus The obvious application of a qFPGA would be to running Shor’s
learns some
√ global information about f with each invocation. After algorithm for factoring integers and computing discrete logarithms [44].
only O( N) invocations of f , the quantum algorithm has explored However, by the time qFPGAs are available, the world will long
the entire domain of f , which allows it to recover the target value x∗ . have shifted to quantum-resistant cryptosystems [13]. Instead, we
Furthermore, when there are k inputs that cause fpto return 1, expect that the primary everyday application of these devices would
Grover’s algorithm finds one such input with only O( N/k) invo- be to run Grover search on programs that could compile down into
cations of f , even if k is not known in advance [19]. As we describe relatively small circuits. We give two example applications: code
in the following sections, we expect that Grover’s algorithm will be fuzzing and password cracking.
one of the most useful tools in the quantum programmer’s belt.
An important subtlety of quantum computing is that the only
operations that can be performed on a quantum state are those that 3.1 Using qFPGAs
are reversible (or invertible). Thus, to implement Grover’s algorithm Code fuzzing. The idea of code fuzzing is to run a piece of code on
on a quantum computer, we must first represent the function f in a large number of edge-case inputs to try to identify an input that
a reversible manner. Even though many classical computations are causes the program to misbehave.
irreversible (e.g., an AND operation on single-bit inputs), there are Fuzzing using a qFPGA might be useful for ensuring that tricky
standard techniques to make circuits, Turing machines, and even optimizations do not introduce correctness bugs [26]. For example,
RAM programs reversible [9, 36]. a programmer might have two Boolean circuits for multiplying n-bit
What quantum computers are not. Before diving into the body integers: a large naïve circuit Mslow compiled from native C code,
of our discussion, it is worth emphasizing that there is no evidence and an optimized hand-designed version Mfast . The programmer
that quantum computers can solve NP-hard problems in polyno- could construct a circuit C : {1, . . . , N}2 → {0, 1} that computes
mial time [1]. Applying Grover’s algorithm to 3SAT, for example,
(
yields a slightly faster-than-brute-force-classical 3SAT algorithm, 1 if Mslow (x, y) , Mfast (x, y)
but both the quantum and classical algorithms still run in exponential C(x, y) = .
0 otherwise
time [6]. Furthermore, we know that Grover’s algorithm is the best
possible quantum algorithm for the Unstructured Search Problem
The programmer could ship the qFPGA the program for running
(Problem 1) [10]. As far as we know, it is only for very specific prob-
Grover search on C.
lems, such as integer factorization [44], that quantum computers
Using the qFPGA, the programmer could essentially ensure that
dramatically outperform their classical counterparts.
the two multiplication routines behave identically on 264 possible
inputs, at the cost of 232 invocations of Mslow and Mfast . Furthermore,
3 QUANTUM FPGAS
if there is a severe bug—one that causes the optimized circuit to fail
A plausible architecture for the first generation of general-purpose on k out p of N inputs, then the qFPGA worker will only need time
quantum computers would consist of a classical processor connected roughly N/k to determine the index of the input that caused the
over a classical bus to a quantum field programmable gate array, or optimized circuit to misbehave.
qFPGA.
Like a conventional FPGA, a qFPGA would essentially be a Password cracking. By the time qFPGAs are available, the “quan-
peripheral device attached to the classical CPU (Figure 1). To use tum apocalypse” will have killed off many of today’s quantum-
the qFPGA, the programmer would first cook up a quantum circuit vulnerable cryptographic algorithms. Yet, like the stubborn insects

77
// Type signature of a qthread worker. a universal quantum instruction [3] that would, for example, apply
typedef int worker(char *args, size_t arglen);
a quantum operator to the co-processor’s eax register. Using these
// Initialize a pool of qthreads. All qthreads instructions, and a large enough qx86 computer, the quantum assem-
// in the pool run the same worker routine. bly programmer could implement any efficient quantum algorithm
qpool_t qpool_init(worker *start_routine);
and could, for example, evaluate an x86 program on a quantum state
// Feed the specified arguments to a qthread worker consisting of a superposition of many program inputs.
// in the specified pool.
qthread_t qthread_create(qpool_t pool, Building a qx86 machine seems much harder than building a
char *args, size_t arglen); qFPGA. To support general x86 programs, the machine would have
// Get the ID of a worker that returned > 0.
to implement not only the logic necessary to execute x86 instructions,
qthread_t qthread_join(qpool_t pool); but it would also have to somehow implement a quantum RAM [34].
To give some sense of why this would be difficult to implement: in
// Get the ID of the qthread that returned the
// largest value. an n-qubit quantum circuit, the state of the circuit is essentially a
qthread_t qthread_join_max(qpool_t pool); mixture (a “superposition”) of n-bit strings. A qFPGA might support
on the order of n = 210 qubits or so.
// Count how many qthreads returned values > 0.
int qthread_join_count(qpool_t pool); In contrast, the state of a qx86 machine would be described by
int qthread_join_count_approx(qpool_t pool); a superposition of M-bit states, such that the entire state of the
// Get the sum of the qthread return values. machine (RAM contents, caches, registers, error flags, etc.) could be
int qthread_join_sum(qpool_t pool); described in M bits. To be able to run interesting x86 programs, a
int qthread_join_sum_approx(qpool_t pool); modestly-sized qx86 processor would need to support superpositions
over states of size M = 220 or so, which would make the machine
Figure 2: The qthreads API. orders of magnitude larger than a qFPGA.
Even assuming that one could build a qx86 processor, program-
ming it would be a nightmare: it is unlikely that the average program-
that survived the extinction of the dinosaurs, we expect the hum- mer would have any idea how to put a universal quantum instruction
ble human-chosen password to remain a ubiquitous (if universally to good use in her programs. This latter problem, however, seems
loathed) feature of computer systems into the quantum era [18]. relatively easy to solve: ideally, future operating systems would pro-
One nefarious application of qFPGAs, which we have not seen vide a higher-level interface that would allow the programmer to
discussed before, would be to the task of password cracking [17, 40]. exploit the “quantumness” of her computer without having to get
In a password-cracking attack, an attacker has the image h of a user’s her hands dirty.
password under a cryptographic hash function H and the attacker In particular, we introduce the qthreads API as one convenient
wants to find a password p such that h = H ( p). Since users often pick way to abstract away the complexity of quantum hardware while
passwords from a small dictionary of popular phrases D, the attacker still enabling a programmer to avail herself of the power of quan-
can typically recover the user’s password by hashing each word in tum computation. We first describe the qthreads API and then we
the dictionary until she finds a word d ∗ ∈ D such that h = H (d ∗ ). describe how to use qthreads to solve common systems problems
While a conventional password-cracking attack takes time linear more efficiently.
in the size of the dictionarypD, a qFPGA-backed password-cracking
attack would require only |D| invocations of the hash function. In
concrete terms: there are 95 printable ASCII characters, and there
are 9510 ≈ 266 possible ten-character printable ASCII passwords.
4.1 The qthreads API
Even if every user picked her password from this unrealistically Figure 2 lists the routines in our proposed API. The API allows the
high-entropy distribution, √ an attacker with a qFPGA could invert a programmer to create a pool of qthreads, where each qthread (like
password hash with only 266 = 233 invocations of the password- a pthread) takes in an arbitrary blob of data, does some classical
hashing function H. The existence of low-cost qFPGAs would render computation, and returns an integer. Each qthread executes the same
hashed passwords crackable at low cost. piece of code but each qthread takes a different argument as input.
Modern “memory-hard” password-hashing functions [5, 15, 16, Once the programmer has created a pool of qthreads, she can ask
33, 43] require large classical circuits and thus may be less succepti- general questions of the pool. For example, the programmer can ask:
ble to this attack. An interesting open question is whether there are “Which qthread returned a non-zero value?” or “How many qthreads
special-purpose better-than-Grover quantum attacks against these in the pool returned a non-zero value?” or “Which qthread in the
hash functions. pool returned the largest integer?”
A quantum computer can answer these questions much faster than
4 THE QX86 MACHINE a classical computer can. For example, to find a qthread that returns
a non-zero value, a classical computer would have to execute the
The qFPGA architecture described in the prior section would be
qthread worker routine on each candidate argument until it discov-
suitable for running quantum computations that are easy to represent
ered a qthread that returned something other than zero. In a pool of N
as small quantum circuits.
threads, with each qthread running for at most T time steps (cycles),
For more ambitious computing tasks, it would be ideal to have
a classical computer using this strategy would require Θ(NT ) time
an x86 processor connected to a quantum x86 co-processor. The
in the worst case. In contrast, a quantum operating system could use
qx86 processor would implement the x86 instruction set, along with

78
Grover’s algorithm
√ (Informal Theorem 2) to answer
√ this question in failure. The programmer would then ask the operating system for a
roughly O( N · T ) time—roughly a factor of N speedup. qthread if any tests returned a non-zero value.
The importance of abstraction. Using the qthreads API, the pro-
grammer can write the code for the qthread worker as if it were a 4.3 Implementing qthreads
classical program, and the OS takes care of running the qthreads Although the qthreads API gives the programmer the illusion of
on the quantum hardware. Avoiding the need to write quantum pro- running many threads of execution in parallel, this is not at all what
grams directly is important, since quantum programming would be a qthreads implementation would actually do. Instead, to imple-
much trickier than classical programming. Normal techniques for ment the qthreads API, the operating system would reframe each
finding bugs in programs, such as using gdb or printf debugging, qthread_join* operation as a problem that it could feed to Grover’s
would corrupt the state of the quantum machine so debugging the algorithm (Informal Theorem 2). The OS would then load the code
program could itself change the behavior of the program. (This fol- for the appropriate variant of Grover’s algorithm into the quantum
lows from the principle that observing a quantum state causes it to co-processor, it would send the x86 code for the worker to the quan-
collapse down into a classical state.) Note that qthreads cannot have tum co-processor, and it would load each worker’s arguments into
side-effects, so they would have to run in an environment without the co-processor’s quantum RAM (qRAM) [34]. The qx86 CPU
shared memory or I/O. would then execute Grover’s algorithm and return the result to the
OS.
4.2 Applications of qthreads By Grover’s algorithm, implementing qthread_join requires
√ √
“Most-interesting-job-first” scheduling. Qthreads would, for some O( N) queries to qRAM and O( N) invocations of the worker
types of computations, allow the programmer to effectively imple- function once. In contrast, executing qthread_join on a classical
ment a “most-interesting-job-first” (MIJF) scheduler: each qthread processor would require invoking √ the worker Θ(N) times, so the
worker returns an integer describing how “interesting” the result of quantum computer provides a N speed-up in this case.
its computation turned out to be. The scheduler can then return the The qthread_join_count and qthread_join_max routines would
result of the “most interesting” qthread to the programmer without invoke the variants of Grover’s algorithm for computing the COUNT
explicitly running all of the qthreads. In a pool of N jobs, a classical and MAX functions [4, 21]. We provide an approximate and exact
scheduler would require time N to find the most interesting one. A version of the COUNT API: if there are k non-zero qthreads, the ap-
quantum qthreads-based scheduler could perform the same task in proximate versionpreturns an approximation within a factor of 10%

time roughly N. in time roughly N/k,√while the exact version returns a correct
One possible application of a MIJF scheduler is in computational answer in time roughly kN [21].
genomics. A pervasive problem in that field is the edit-distance prob- The OS would implement the qthread_join_sum routine using
lem: given two strings find the minimum number of one-character qthread_join_count. To see how, suppose that the output of each
edits (insertions, deletions, and substitutions) necessary to transform qthread instance is a t-bit integer. We can represent the sum of N
one string into the other [47]. A biologist might need to run tens integers as ∑ti=1 2i−1 · zi , where each zi is the sum of the ith -least
of thousands of edit-distance calculations (e.g., to look for many significant bits of each of the N integers. The SUM problem now
different genes in a genome) but might be primarily interested in reduces to computing each of the zi ’s. But computing a sum of bits
finding likely matches—pairs of input strings with low edit distance. (i.e., 0/1 values) is precisely the same as counting the number of 1s
The biologist could run each of N edit-distance calculations that occur. This operation is supported by the qthreads API.
in a qthread worker. The ith worker would return as output the To compute the sum of t-bit integers, we run qthread_join_count
(negated) edit distance of the ith pair of input strings. By invoking t times. On the ith run, we modify the qthread workers to return only
the qthread_join_max routine, the biologist could find the index the ith -least significant bit of their output. This process yields the
of the pair of strings with the smallest edit distance much faster than values z1 , . . . , zt (where zi is the count from the ith thread pool) Fi-
running all N edit distance calculations. nally, we compute ∑ti=1 2i−1 · zi to obtain the sum of the qthread
MapReduce jobs. MapReduce [27, 28] is a popular programming return values. Approximate sums can be computed similarly (using
model for distributed data analysis. In scenarios where the reduce qthread_join_count_approx).
function computes a sum of mapper outputs, the qthreads API (using
qthread_join_sum) enables a programmer to locally execute a 4.4 Persistent storage
MapReduce computation over a pool of N mapper √ instances while Ideally, it would be possible to take the state of a qx86 program
only running the map function a total of O(t · N) times, where t and save it to disk in a way that would allow restoring the state
is the bit-length of each mapper’s output value. In contrast, on a of the program later on. Unfortunately, many complications arise
classical computer, running a local MapReduce algorithm would in the quantum setting. The “no-cloning theorem” [31, 48] says
require N invocations of the map algorithm. that it is impossible to make copies of an unknown quantum state.
Unit testing. Using Thus, even a basic task such as backing up your quantum data, by
√ qthreads, a programmer could run N unit tests
for the price of N tests. To do so, the programmer would write saving a copy of it in a safe location, would be essentially impossible.
a qthread worker routine that takes as input a test case—written Moreover, writing a quantum state out to a classical disk won’t fly
in a scripting language, for example—and executes it against the either: there is no way to read out the entire quantum state, since
codebase. The programmer would then spin up one qthread for each measuring a quantum state causes it to immediately collapse back
test case. Each test qthread would return a non-zero status code on into a classical one. And even if you could somehow read the state

79
without destroying it, a quantum state would require exponentially classical bits of information to the client by sending a single qubit to
many classical bits to store on disk. the client.
Given that classical disks are not an option, one might be tempted
To implement prefetching using superdense coding, the server
to ask for some sort of quantum persistent storage. This would be
would continuously produce pairs of entangled qubits and would
asking for a lot: today’s physical qubits remain coherent only for
send one of the two entangled qubits to the client. When the client
small fractions of a second, and these storage media are nowhere
wants to download some data from to the server, the server could
near non-volatile [42]. Yet, since we are optimists, let us consider
use the entangled qubits it has preshared with the client to transmit
one interesting application that persistent quantum storage would
data to the client at twice the bitrate of the network link.
enable.
Superdense coding could improve network performance even
Tamper-evident storage. Say that a computer owner Alice drops off when the client is downloading data from a server at a constant rate.
her laptop at the tech support desk at her workplace. The technicians Say that the client and server are connected over a network link
may need to access arbitrary files on Alice’s computer, but Alice that has a maximum transfer rate of 100 Mbps in either direction.
wants to be able to detect after the fact whether they have accessed Using superdense coding, the client could download data from the
any of her family photos. With a conventional computer, there is server at 200 Mbps. To do so, the client would send entangled qubits
no way for Alice to detect whether the officials have copied the to the server at the rate of 100 Mbps while the server would send
files off of her hard drive. On a conventional file system, Alice can coded qubits back to the client at a rate of 100 Mbps. The client
inspect the file’s last-read timestamp (atime) to check whether a file could extract information from the channel at 200 Mbps, turning a
was accessed. Of course, a clever administrator could just alter the 100 Mbps bidirectional link into a 200 Mbps unidirectional link.
timestamp to hide her tracks. When using a quantum hard drive, we Remote search. Computers connected by a quantum link could run
can ensure that Alice can detect that someone else has accessed her Grover’s algorithm across a network. To see one possible application
files. of this idea: let us say that a client wants to search for a special
We borrow an idea from quantum key-distribution protocols [11], element in a large dataset of N items (x1 , . . . , xN ) stored at a server
whose security rests on the principle that it is infeasible to clone (e.g., terabytes of video data). In particular, the client has a classifier
an arbitrary unknown quantum state [48]. To sketch the idea: when f : {0, 1}∗ → {0, 1} and wants to find an index i∗ on the server such
creating a file, Alice chooses two 256-bit keys: kenc and ktamper . that f (xi∗ ) = 1. The client does not want to download the entire
Alice encrypts her file with kenc (using AES, for example). Then, dataset from the server, nor does the client want to upload the code
using ktamper , she encodes the bits of the encryption key kenc into a for its classifier to the server—the classifier f might be too large to
quantum state, which she stores in the file header. (We assume here send or it could involve some secret inputs or algorithms.
that the disk can maintain a quantum state over a period of time.) The client and server could run Grover search over a network
Now, access to the file requires reading all of kenc . Anyone who to allow the√client to find the matching value xi∗ while exchanging
reads the header can decrypt the file, but when anyone other than a mere Õ( N) qubits, instead of Ω(N) classical bits. Of course,
Alice—i.e., anyone who does not know ktamper —measures the quan- the computational burden at both the client and server would√be
tum state of kenc , they will collapse the quantum state and will not be substantial: the client would have to run the classifier roughly N
able to restore it (with high probability). When Alice later inspects times and the server would have to execute a qRAM query roughly

the file header, she will, using ideas from quantum key distribu- N times. Even so, the network traffic savings might be worth the
tion [11], be able to detect that someone other than her tried to computational cost.
measure kenc .
6 RELATED WORK
5 DISTRIBUTED SYSTEMS Richard Feynman initiated the study of quantum computers by point-
The last architecture we consider, which is by far the most specu- ing out that classical computers seem too weak to efficiently simulate
lative, is one in which we have a network of quantum computers quantum physical systems [32]. Computer scientists have demon-
connected by qubit-carrying network links. In this section, we ex- strated that quantum computers can provide speedups for a number
plore what we could build with such systems. of problems [14, 30, 45], including factorization of integers [44],
Prefetching with superdense coding. Many network workloads inversion of one-way functions [35], and certain machine learning
are bursty. For example, a web browser spends most of its time problems [38] (though these latter algorithms come with caveats [2]).
transferring nothing over the network, but on every page load, the Known applications of distributed quantum computing systems in-
browser downloads megabytes of content as quickly as possible. clude unconditionally secure key agreement over authenticated quan-
One technique to make traffic less bursty is to use link prefetch- tum channels [11] and superdense coding [12] (see Section 5). More
ing [46]: the browser tries to guess the next link the user will click recent work has investigated quantum consensus [8] and quantum
and downloads that content in the background before the user clicks secure multi-party computation [25]. Broadbent and Tapp survey
the link. A quantum phenomenon known as superdense coding al- these and related results [22].
lows a quantum client to prefetch data from a quantum server, even
if the client has no idea what data it will need in the future. 7 CONCLUSION
If quantum computers are indeed on their way, the operating system
Fact 3 (Superdense coding [12]). If a client and server share a single will have an important role in enabling constructive applications of
entangled qubit (i.e., a preshared qubit), the server can transmit two this potentially destructive technology. As Richard Feynman said of

80
quantum computing, “It’s a wonderful problem, because it doesn’t [29] S. Debnath, N. M. Linke, C. Figgatt, K. A. Landsman, K. Wright, and C. Monroe.
look so easy” [32]. 2016. Demonstration of a small programmable quantum computer with atomic
qubits. Nature 536, 7614 (08 2016), 63–66.
[30] David Deutsch and Richard Jozsa. 1992. Rapid solution of problems by quantum
computation. In Proceedings of the Royal Society of London, Vol. 439. The Royal
REFERENCES Society, 553–558.
[1] Scott Aaronson. 2008. The limits of quantum computers. Scientific American 298, [31] DGBJ Dieks. 1982. Communication by EPR devices. Physics Letters A 92, 6
3 (2008), 62–69. (1982), 271–272.
[2] Scott Aaronson. 2015. Read the fine print. Nature Physics 11, 4 (2015), 291–293. [32] Richard P Feynman. 1982. Simulating physics with computers. International
[3] Dorit Aharonov. 2003. A simple proof that Toffoli and Hadamard are quantum Journal of Theoretical Physics 21, 6 (1982), 467–488.
universal. arXiv preprint quant-ph/0301040 (2003). [33] Christian Forler, Stefan Lucks, and Jakob Wenzel. 2014. Memory-demanding
[4] Ashish Ahuja and Sanjiv Kapoor. 1999. A quantum algorithm for finding the password scrambling. In ASIACRYPT. Springer, 289–305.
maximum. arXiv preprint quant-ph/9911082 (1999). [34] Vittorio Giovannetti, Seth Lloyd, and Lorenzo Maccone. 2008. Quantum random
[5] Joël Alwen, Binyi Chen, Chethan Kamath, Vladimir Kolmogorov, Krzysztof access memory. Physical Review Letters 100, 16 (2008), 160501.
Pietrzak, and Stefano Tessaro. 2016. On the Complexity of scrypt and Proofs of [35] Lov Grover. 1996. A fast quantum mechanical algorithm for database search. In
Space in the Parallel Random Oracle Model. In EUROCRYPT 2016. Springer, STOC. ACM, 212–219.
358–387. [36] Rolf Landauer. 1961. Irreversibility and heat generation in the computing process.
[6] Andris Ambainis. 2004. Quantum search algorithms. ACM SIGACT News 35, 2 IBM journal of research and development 5, 3 (1961), 183–191.
(2004), 22–35. [37] Chris Lee. 2016. How IBM’s new five-qubit universal quan-
[7] R. Barends, J. Kelly, A. Megrant, A. Veitia, D. Sank, E. Jeffrey, T. C. White, J. tum computer works. https://arstechnica.com/science/2016/05/
Mutus, A. G. Fowler, B. Campbell, Y. Chen, Z. Chen, B. Chiaro, A. Dunsworth, C. how-ibms-new-five-qubit-universal-quantum-computer-works/. (May 4
Neill, P. O/’Malley, P. Roushan, A. Vainsencher, J. Wenner, A. N. Korotkov, A. N. 2016).
Cleland, and John M. Martinis. 2014. Superconducting quantum circuits at the [38] Seth Lloyd, Masoud Mohseni, and Patrick Rebentrost. 2013. Quantum al-
surface code threshold for fault tolerance. Nature 508, 7497 (04 2014), 500–503. gorithms for supervised and unsupervised machine learning. arXiv preprint
[8] Michael Ben-Or and Avinatan Hassidim. 2005. Fast quantum Byzantine agreement. arXiv:1307.0411 (2013).
In STOC. ACM, 481–485. [39] Microsoft 2016. Microsoft Lattice Cryptography Library. https://www.microsoft.
[9] Charles H Bennett. 1973. Logical reversibility of computation. IBM journal of com/en-us/research/project/lattice-cryptography-library/. (April 19, 2016). Ac-
Research and Development 17, 6 (1973), 525–532. cessed 21 January 2017.
[10] Charles H Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani. 1997. [40] Robert Morris and Ken Thompson. 1979. Password security: A case history.
Strengths and weaknesses of quantum computing. SIAM journal on Computing Commun. ACM 22, 11 (1979), 594–597.
26, 5 (1997), 1510–1523. [41] National Institute of Standards and Technology. 2016. Post-Quantum Crypto
[11] Charles H. Bennett and Gilles Brassard. 1984. Quantum Cryptography: Public Project. http://csrc.nist.gov/groups/ST/post-quantum-crypto/. (December 15,
Key Distribution and Coin Tossing. In International Conference on Computers, 2016). Accessed 21 January 2017.
Systems & Signal Processing. [42] Nissim Ofek, Andrei Petrenko, Reinier Heeres, Philip Reinhold, Zaki Leghtas,
[12] Charles H Bennett and Stephen J Wiesner. 1992. Communication via one-and Brian Vlastakis, Yehan Liu, Luigi Frunzio, SM Girvin, L Jiang, et al. 2016.
two-particle operators on Einstein-Podolsky-Rosen states. Physical Review Letters Extending the lifetime of a quantum bit with error correction in superconducting
69, 20 (1992), 2881. circuits. Nature (2016).
[13] Daniel J. Bernstein. 2009. Introduction to post-quantum cryptography. In Post- [43] Colin Percival. 2009. Stronger key derivation via sequential memory-hard func-
quantum cryptography, Daniel J. Bernstein, Johannes Buchmann, and Erik Dah- tions. In BSDCan.
men (Eds.). Springer, 1–14. [44] Peter W. Shor. 1997. Polynomial-Time Algorithms for Prime Factorization and
[14] Ethan Bernstein and Umesh Vazirani. 1997. Quantum complexity theory. SIAM J. Discrete Logarithms on a Quantum Computer. SIAM J. Comput. 26, 5 (1997),
Comput. 26, 5 (1997), 1411–1473. 1484–1509.
[15] Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich. 2016. Argon2: new [45] Daniel R Simon. 1997. On the power of quantum computation. SIAM J. Comput.
generation of memory-hard functions for password hashing and other applications. 26, 5 (1997), 1474–1483.
In European Symposium on Security and Privacy. IEEE, 292–302. [46] W3C. 2016. Resource hints. https://www.w3.org/TR/resource-hints/#prefetch.
[16] Dan Boneh, Henry Corrigan-Gibbs, and Stuart Schechter. 2016. Balloon Hashing: (Dec. 2016). Accessed 21 January 2017.
a Provably Memory-Hard Function with a Data-Independent Access Pattern. In [47] Robert A Wagner and Michael J Fischer. 1974. The string-to-string correction
ASIACRYPT. problem. J. ACM 21, 1 (1974), 168–173.
[17] Joseph Bonneau. 2012. The science of guessing: analyzing an anonymized corpus [48] William K Wootters and Wojciech H Zurek. 1982. A single quantum cannot be
of 70 million passwords. In Symposium on Security and Privacy. IEEE, 538–552. cloned. Nature 299, 5886 (1982), 802–803.
[18] Joseph Bonneau, Cormac Herley, Paul C. Van Oorschot, and Frank Stajano. 2012.
The quest to replace passwords: A framework for comparative evaluation of web
authentication schemes. In Symposium on Security and Privacy. IEEE, 553–567.
[19] Michel Boyer, Gilles Brassard, Peter HÃÿyer, and Alain Tapp. 1998. Tight Bounds
on Quantum Searching. Fortschritte der Physik 46, 4-5 (1998), 493–505.
[20] Matt Braithwaite. 2016. Experimenting with Post-Quantum Cryptography. https:
//security.googleblog.com/2016/07/experimenting-with-post-quantum.html. (July
7, 2016). Accessed 21 January 2017.
[21] Gilles Brassard, Peter Høyer, and Alain Tapp. 1998. Quantum counting. In
International Colloquium on Automata, Languages, and Programming. Springer,
820–831.
[22] Anne Broadbent and Alain Tapp. 2008. Can quantum mechanics help distributed
computing? ACM SIGACT News 39, 3 (2008), 67–76.
[23] Davide Castelvecchi. 2016. Quantum computers ready to leap out of the lab in
2017. Nature News 541, 7635 (January 3, 2016).
[24] Jamie Condliffe. 2016. Google’s Quantum Dream May Be Just
Around the Corner. https://www.technologyreview.com/s/602283/
googles-quantum-dream-may-be-just-around-the-corner/. (September 1
2016).
[25] Claude Crépeau, Daniel Gottesman, and Adam Smith. 2002. Secure multi-party
quantum computation. In STOC. ACM, 643–652.
[26] CVE-2014-3570 2014. CVE-2014-3570: Bignum squaring may produce incorrect
results. (May 2014).
[27] Jeffrey Dean and Sanjay Ghemawat. 2004. MapReduce: Simplified Data Process-
ing on Large Clusters. In OSDI. 137–150.
[28] Jeffrey Dean and Sanjay Ghemawat. 2008. MapReduce: simplified data processing
on large clusters. Commun. ACM 51, 1 (2008), 107–113.

81

You might also like