Post on 02-Jan-2016
Quantum Factoring
Michele Mosca
The Fifth Canadian Summer School on Quantum Information
August 3, 2005
Quantum Algorithms
Quantum Algorithms should exploit quantum parallelism and quantum interference.
We have already seen some elementary algorithms.
Quantum Algorithms
These algorithms have been computing essentially classical functions on quantum superpositions.
This encoded information in the phases of the basis states: measuring basis states would provide little useful information.
But a simple quantum transformation translated the phase information into information that was measurable in the computational basis.
Overview
•Quantum Phase Estimation
•Eigenvalue Kick-back
•Eigenvalue estimation and order-finding/factoring
•Shor’s approach
•Discrete Logarithm and Hidden Subgroup Problem (if there’s time)
Quantum Phase Estimation
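Suppose we wish to estimate a number $\omega \in [0,1)$ given the quantum state
$$\sum_{y=0}^{2^n-1} e^{2\pi i \omega y}|y\rangle$$
Note that in binary we can express
$$\omega = 0.x_1x_2x_3\ldots$$
$$2\omega = x_1.x_2x_3\ldots$$
$$2^{n-1}\omega = x_1x_2x_3\ldots x_{n-1}.x_nx_{n+1}\ldots$$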
Quantum Phase Estimation
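Since $e^{2\pi i k} = 1$ for any integer k, we have
$$e^{2\pi i(2\omega)} = e^{2\pi i(x_1.x_2x_3\ldots)} = e^{2\pi i x_1}e^{2\pi i(0.x_2x_3\ldots)} = e^{2\pi i(0.x_2x_3\ldots)}$$
$$e^{2\pi i(2^k\omega)} = e^{2\pi i(0.x_{k+1}x_{k+2}\ldots)}$$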
Useful identity
We can show that
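$$\sum_{y=0}^{2^n-1} e^{2\pi i \omega y}|y\rangle = (|0\rangle + e^{2\pi i(2^{n-1}\omega)}|1\rangle) \otimes (|0\rangle + e^{2\pi i(2^{n-2}\omega)}|1\rangle) \otimes \cdots \otimes (|0\rangle + e^{2\pi i(\omega)}|1\rangle)$$
$$= (|0\rangle + e^{2\pi i(0.x_nx_{n+1}\ldots)}|1\rangle) \otimes (|0\rangle + e^{2\pi i(0.x_{n-1}x_nx_{n+1}\ldots)}|1\rangle) \otimes \cdots \otimes (|0\rangle + e^{2\pi i(0.x_1x_2\ldots)}|1\rangle)$$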
Quantum Phase Estimation
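So if $\omega = 0.x_1x_2$ then we can do the following
[Circuit: the qubit $\frac{|0\rangle + e^{2\pi i(0.x_2)}|1\rangle}{\sqrt{2}}$ passes through H and becomes $|x_2\rangle$; the qubit $\frac{|0\rangle + e^{2\pi i(0.x_1x_2)}|1\rangle}{\sqrt{2}}$ passes through $R_2^{-1}$ controlled by $x_2$, then H, and becomes $|x_1\rangle$]
$$R_k = \begin{pmatrix} 1 & 0 \\ 0 & e^{2\pi i/2^k} \end{pmatrix}$$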
Quantum Phase Estimation
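So if $\omega = 0.x_1x_2x_3$ then we can do the following
[Circuit: the qubit $\frac{|0\rangle + e^{2\pi i(0.x_3)}|1\rangle}{\sqrt{2}}$ passes through H and becomes $|x_3\rangle$; the qubit $\frac{|0\rangle + e^{2\pi i(0.x_2x_3)}|1\rangle}{\sqrt{2}}$ passes through $R_2^{-1}$ controlled by $x_3$, then H, and becomes $|x_2\rangle$; the qubit $\frac{|0\rangle + e^{2\pi i(0.x_1x_2x_3)}|1\rangle}{\sqrt{2}}$ passes through $R_3^{-1}$ controlled by $x_3$ and $R_2^{-1}$ controlled by $x_2$, then H, and becomes $|x_1\rangle$]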
Quantum Phase Estimation
Generalizing this network (and reversing the order of the qubits at the end) gives us a network with $O(n^2)$ gates that implements
$$\sum_{y=0}^{2^n-1} e^{2\pi i\frac{x}{2^n}y}|y\rangle \mapsto |x\rangle$$
Discrete Fourier Transform
The discrete Fourier transform maps vectors of dimension N by transforming the $x^{th}$ elementary vector according to
$$(0,0,\ldots,0,1,0,\ldots,0) \mapsto (1, e^{2\pi i\frac{x}{N}}, e^{2\pi i\frac{2x}{N}}, \ldots, e^{2\pi i\frac{(N-1)x}{N}})$$
The quantum Fourier transform maps vectors in a Hilbert space of dimension N according to
$$|x\rangle \mapsto \sum_{y=0}^{N-1} e^{2\pi i\frac{xy}{N}}|y\rangle$$
Discrete Fourier Transform
Thus we have illustrated how to implement (the inverse of) the quantum Fourier transform in a Hilbert space of dimension $2^n$
Estimating arbitrary What if is not necessarily of the form
for some integer x?
)1,0[
12
0x
i2n
zze The QFT will map to a
superposition
n2x
where
y
y y~
Ny
1Oy2
8N1
Ny
obPr
For any real
Quantum Phase Estimation
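[Circuit: the network of H, $R_2^{-1}$ and $R_3^{-1}$ gates applied to the qubits $\frac{|0\rangle + e^{2\pi i(4\omega)}|1\rangle}{\sqrt{2}}$, $\frac{|0\rangle + e^{2\pi i(2\omega)}|1\rangle}{\sqrt{2}}$ and $\frac{|0\rangle + e^{2\pi i(\omega)}|1\rangle}{\sqrt{2}}$ for $\omega \in [0,1)$, with outputs $x_1$, $x_2$, $x_3$]
With high probability $\omega \approx \frac{x_1}{2} + \frac{x_2}{4} + \frac{x_3}{8}$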
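Eigenvalue kick-back
Recall the “trick”:
$$|x\rangle(|0\rangle - |1\rangle) \mapsto |x\rangle(|f(x)\rangle - |f(x) \oplus 1\rangle) = |x\rangle(-1)^{f(x)}(|0\rangle - |1\rangle) = (-1)^{f(x)}|x\rangle(|0\rangle - |1\rangle)$$
[Circuit: inputs $|x\rangle$ and $|0\rangle - |1\rangle$ enter the gate for $f(x)$; outputs are $(-1)^{f(x)}|x\rangle$ and $|0\rangle - |1\rangle$]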
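Eigenvalue kick-back
Consider a unitary operation U with eigenvalue $e^{2\pi i\omega}$ and eigenvector $|\psi\rangle$
$$\text{c-}U\,|1\rangle|\psi\rangle = |1\rangle U|\psi\rangle = |1\rangle e^{2\pi i\omega}|\psi\rangle = e^{2\pi i\omega}|1\rangle|\psi\rangle$$
[Circuit: controlled-U with control $|1\rangle$ and target $|\psi\rangle$; the control leaves as $e^{2\pi i\omega}|1\rangle$ and the target as $|\psi\rangle$]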
Phase estimation
1e0 i2
1e0 )2(i2 1n
1e0 )2(i2
1e0 )2(i2 2n
H
1x
H
2x
12R
nn2
2n1
1n
2
xx2x2
nx
12R 1
3R
1nx
H
Eigenvalue estimation
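Given U with eigenvector $|\psi\rangle$ and eigenvalue $e^{2\pi i\omega}$ we thus have an algorithm that maps
$$|0\rangle|\psi\rangle \mapsto |\tilde{\omega}\rangle|\psi\rangle$$
($QFT \otimes I$, $\text{c-}U^x$, $QFT^{-1} \otimes I$)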
Eigenvalue kick-back
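Given U with eigenvectors $|\psi_k\rangle$ and respective eigenvalues $e^{2\pi i\omega_k}$ we thus have an algorithm that maps
$$|0\rangle|\psi_k\rangle \mapsto |\tilde{\omega}_k\rangle|\psi_k\rangle$$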
k
kkkk
kkk
kk~00
and therefore
Eigenvalue kick-back
Measuring the first register of
k
kkk~
is equivalent to measuring with probability
k~
2
k
kkkk
kkkk
kkkk
Tr
~~
~~ *
22
i.e.
Example
Suppose we have a group G and we wish to find the order of $a \in G$ (i.e. the smallest positive r such that $a^r = 1$)
If we can efficiently do arithmetic in the group, then we can realize a unitary operator $U_a$ that maps $|x\rangle \mapsto |xa\rangle$
Notice that $U_a^r = U_{a^r} = I$
This means that the eigenvalues of $U_a$ are of the form $e^{2\pi i\frac{k}{r}}$ where k is an integer
(Aside: more on reversible computing)
If we know how to efficiently compute and then we can efficiently and reversibly map
x
bfU
x
)(xfb
c
y1f
U)(1 yfc
y
f1f
Example
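Let $G = Z_5^* = \{1,2,3,4\} \bmod 5$
Then $1^1 = 1$, $2^4 = 1$, $3^4 = 1$, $4^2 = 1$
We can easily implement, for example, $U_2$
$$U_2|001\rangle = |010\rangle$$
$$U_2^2|001\rangle = |100\rangle$$
$$U_2^3|001\rangle = |011\rangle$$
$$U_2^4|001\rangle = |001\rangle$$
The eigenvectors of $U_2$ include
$$|\psi_k\rangle = \sum_{j=0}^{3} e^{-2\pi i\frac{kj}{4}}|2^j \bmod 5\rangle$$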
Quantum Factoring
The security of many public key cryptosystems used in industry today relies on the difficulty of factoring large numbers into smaller factors.
Factoring the integer N into smaller factors can be reduced to the following task: Given integer a, find the smallest positive integer r so that $a^r \equiv 1 \bmod N$
Example
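Let $a \in G = Z_N^*$, $a^r = 1$
We can easily implement
$$U_a|x\rangle = |xa\rangle$$
$$U_a^2|x\rangle = U_{a^2}|x\rangle = |xa^2\rangle$$
$$U_a^{2^n}|x\rangle = U_{a^{2^n}}|x\rangle = |xa^{2^n}\rangle$$
The eigenvectors of $U_a$ include
$$|\psi_k\rangle = \sum_{j=0}^{r-1} e^{-2\pi i\frac{kj}{r}}|a^j\rangle$$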
Example
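$$U_a|\psi_k\rangle = U_a\left(|1\rangle + e^{-2\pi i\frac{k}{r}}|a\rangle + e^{-2\pi i\frac{2k}{r}}|a^2\rangle + \cdots + e^{-2\pi i\frac{(r-1)k}{r}}|a^{r-1}\rangle\right)$$
$$= |a\rangle + e^{-2\pi i\frac{k}{r}}|a^2\rangle + e^{-2\pi i\frac{2k}{r}}|a^3\rangle + \cdots + e^{-2\pi i\frac{(r-1)k}{r}}|a^r\rangle$$
$$= e^{2\pi i\frac{k}{r}}\left(|1\rangle + e^{-2\pi i\frac{k}{r}}|a\rangle + e^{-2\pi i\frac{2k}{r}}|a^2\rangle + \cdots + e^{-2\pi i\frac{(r-1)k}{r}}|a^{r-1}\rangle\right)$$
$$= e^{2\pi i\frac{k}{r}}|\psi_k\rangle$$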
Eigenvalue kick-back
Given U with eigenvectors $|\psi_k\rangle$ and respective eigenvalues $e^{2\pi i\frac{k}{r}}$ we thus have an algorithm that maps
$$|0\rangle|\psi_k\rangle \mapsto |\widetilde{k/r}\rangle|\psi_k\rangle$$
k
kkk
kkk
kk rk~
00
and therefore
Eigenvalue kick-back
Measuring the first register of
k
krk~
r1
is equivalent to measuring with probability r
k~
r1
Finding r
For most integers k, a good estimate of $\frac{k}{r}$ (with error at most $\frac{1}{2r^2}$) allows us to determine r (even if we don’t know k). (using continued fractions)
(aside: how does factoring reduce to order-finding??)
The most common approach for factoring integers is the difference of squares technique:
» “Randomly” find two integers x and y satisfying $x^2 \equiv y^2 \bmod N$
» So N divides $x^2 - y^2 = (x-y)(x+y)$
» Hope that $\gcd(N, x-y)$ is non-trivial
If r is even, then let $x \equiv a^{r/2} \bmod N$ so that $x^2 \equiv 1^2 \bmod N$
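The classical post-processing described in "Finding r" and in the aside above, as an added example that is not part of the original slides: continued fractions turn an estimate of k/r into r, and the difference of squares turns r into factors. The function names are assumptions of this example, the quantum measurement is replaced by a constructed nearest n-bit estimate, and n is chosen so that 2^n ≥ N^2.

```python
from fractions import Fraction
from math import gcd

def nearest_estimate(k, r, n_bits):
    """Constructed stand-in for the quantum measurement: the n-bit
    integer y whose fraction y/2^n is closest to k/r."""
    return (2 * k * 2 ** n_bits + r) // (2 * r)

def order_from_estimate(y, n_bits, a, N):
    """Recover the order r of a mod N from y/2^n ~ k/r (k unknown)."""
    # limit_denominator walks the continued-fraction expansion and returns
    # the closest fraction whose denominator is below N (we know r < N).
    cand = Fraction(y, 2 ** n_bits).limit_denominator(N - 1).denominator
    # When gcd(k, r) > 1 the denominator is only r / gcd(k, r), so try
    # small multiples until a^(cand*m) = 1 mod N.
    for m in range(1, 2 * n_bits + 1):
        if pow(a, cand * m, N) == 1:
            return cand * m
    return None  # unlucky k: rerun the quantum step

def factor_from_order(a, r, N):
    """Difference of squares: x = a^(r/2) satisfies x^2 = 1 mod N."""
    if r is None or r % 2:
        return None              # odd order: choose another a
    x = pow(a, r // 2, N)
    if x == N - 1:
        return None              # x = -1 mod N gives only trivial factors
    p = gcd(N, x - 1)
    return (p, N // p) if 1 < p < N else None

if __name__ == "__main__":
    N, a, n_bits = 21, 2, 9      # 2^9 = 512 >= N^2 = 441; order of 2 mod 21 is 6
    for k in range(6):
        y = nearest_estimate(k, 6, n_bits)
        r = order_from_estimate(y, n_bits, a, N)
        print(k, y, r, factor_from_order(a, r, N))
```

The k = 2, 3, 4 rows show the "for most integers k" caveat: the continued-fraction denominator is only a divisor of r, and the multiple search repairs it.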
Shor’s approach
This eigenvalue estimation approach is not the original approach discovered by Shor
Kitaev developed an eigenvalue estimation approach (to the more general “Hidden Stabilizer Problem”)
We’ve presented the CEMM version here
Discrete Fourier Transform
The discrete Fourier transform maps uniform periodic states, say with period r dividing N, and offset w, to a periodic state with period N/r.
),0,0,,0,0,,0,0,1(
1
)0,1,0,0,0,1,0,0,0,1,0,0(
12
222
rwr
irw
irwi
eeer
Nr
Discrete Fourier Transform
1
0
21
0
r
k
irN
x
krNr
wk
ewxrNr
The quantum Fourier transform maps vectors in a Hilbert space of dimension N according to
Shor’s Factoring Algorithm
[Circuit diagram: Shor’s factoring algorithm, including the inverse Fourier transform $F^{-1}$]
Eigenvalue Estimation Factoring Algorithm
[Circuit diagram: eigenvalue estimation factoring algorithm; the annotations include the phase $e^{2\pi i x\frac{k}{r}}$]
Equivalence of Shor & CEMM
[Figure: side-by-side state annotations for the Shor analysis and the CEMM analysis]
Discrete Logarithm Problem
Consider two elements $a, b \in G$ from a group G satisfying $a^r = 1$, $b = a^s$
Find s.
$$U_a|x\rangle = |xa\rangle$$
Discrete Logarithm Problem
Thus $U_b$ has the same eigenvectors but with eigenvalues exponentiated to the power of s
$$U_b|\psi_k\rangle = U_a^s|\psi_k\rangle = e^{2\pi i\frac{ks}{r}}|\psi_k\rangle$$
Discrete Logarithm Problem
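[Circuit: eigenvalue estimation with $F_r$, $U_b^x$ and $F_r^{-1}$ applied to $|0\rangle|\Psi_k\rangle$, giving $ks$ in the first register while the second stays $|\Psi_k\rangle$]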
Given k and ks, we can compute s mod r (provided k and r are coprime)
Abelian Hidden Subgroup Problem
$f : G \to X$, $G = Z_{M_1} \times Z_{M_2} \times \cdots \times Z_{M_n}$
$f(x) = f(y)$ iff $x - y \in K$, $K \le G$
Find generators for K
0
AHS for in eigenbasis
/\
( )
s K /\f ( )x- )1(
x.ss
s ss/\
is an eigenvector of f ( )x f ( )x y
x
/\x /
\f ( )xF
-
(Simon’s Problem)
nZ
2
1
K
Other applications of Abelian HSP
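Any finite Abelian group G is the direct sum of finite cyclic groups $\langle g_1\rangle \oplus \langle g_2\rangle \oplus \cdots \oplus \langle g_n\rangle$
But finding generators $g_1, g_2, \ldots, g_n$ satisfying $G = \langle g_1\rangle \oplus \langle g_2\rangle \oplus \cdots \oplus \langle g_n\rangle$ is not always easy, e.g. for $G = Z_N^*$ it’s as hard as factoring N
Given any polynomial sized set of generators, we can use the Abelian HSP algorithm to find new generators that decompose G into a direct sum of finite cyclic groups.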
Examples:
Deutsch’s Problem: $G = \{0,1\}$, $X = \{0,1\}$, $K = \{0\}$ or $\{0,1\}$
Order finding: $G = Z$, $X$ any group, $f(x) = a^x$, $K = rZ$
Examples:
Self-shift equivalences: n)q(GFG
f
]X,...,X,X)[q(GFX n21
)a,...,a,a( n21
K
)aX,...,aX(P nn11
)}X,...,X(P)aX,...,aX(P
:)a,...,a{(
n1nn11
n1
What about non-Abelian HSP
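Consider the symmetric group $G = S_n$
$S_n$ is the set of permutations of n elements
Let G be an n-vertex graph
Let $X_G = \{\pi(G) \mid \pi \in S_n\}$
Define $f_G : S_n \to X_G$, $f_G(\pi) = \pi(G)$
Then $f_G(\pi_1) = f_G(\pi_2) \Leftrightarrow \pi_1K = \pi_2K$ where $K = AUT(G) = \{\pi \mid \pi(G) = G\}$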
Graph automorphism problem
So the hidden subgroup of $f_G$ is the automorphism group of G
This is a difficult problem in NP that is believed not to be in BPP and yet not NP-complete.
Other
Progress on the Hidden Subgroup Problem in non-Abelian groups (not an exhaustive list)
•Ettinger, Hoyer arxiv.gov/abs/quant-ph/9807029
•Roetteler,Beth quant-ph/9812070
•Ivanyos,Magniez,Santha arxiv.org/abs/quant-ph/0102014
•Friedl,Ivanyos,Magniez,Santha,Sen quant-ph/0211091 (Hidden Translation and Orbit Coset in Quantum Computing); they show e.g. that the HSP can be solved for solvable groups with bounded exponent and of bounded derived series
•Moore,Rockmore,Russell,Schulman, quant-ph/0211124