1
lecture 1 1
Michele Mosca [email protected] Research Chair in Quantum Computation
Introduction to Quantum Algorithms
11th Canadian Summer School on Quantum
Information
Computational Complexity
• We measure the complexity as a function of the input size.
• The (computational) complexity of an algorithm refers to some measure of the resources (e.g. time, space, basic operations, energy)used by the algorithm.
• E.g. the traditional algorithm for multiplying two n-bit numbers takes O(n2) time steps (with pen and paper, or on a PC).
• E.g. the best-known rigorous probabilistic classical algorithms for factoring an n-digit number into its prime factors with high probability takes time in
.log nnOe
• Unless stated otherwise, we refer to the “worst-case” complexity, i.e. the running time on a worst-case input. 2
2
Computational Complexity
Until 2007, the best known upper bound was (Schönhage-Strassen,
1971) )logloglog( nnnO
• E.g. multiplying two n-bit numbers must take time (even just to write
the answer).)(n
• The (computational) complexity of a problem refers to some measure of the resources (e.g. time, space, basic operations, energy) required to
solve a problem.
• No known algorithm achieves that lower bound.
In 2007, this was improved (Fürer) to )2log(*log nnnO
• Unless stated otherwise, we refer to the “worst-case” complexity, i.e. the resources required to solve the problem on any input of size n. 3
Aside :Computationally secure cryptography
4
Why do we believe the current cryptographic tools are secure?
• Best-known heuristic classical methods take roughly steps.
3 2log2 nn
• The best known classical methods for breaking elliptic curve cryptography with n digit keys take roughly steps.
n2
n23 2log2 nn
2n
n
• It is easy to multiply two large numbers9287137268623 x 61649017818402059 = 572542890955285156447699294757
• It takes between n and n2 steps to multiply two n-digit numbers.
• It is not known how to easily factor an arbitrary large (non-prime) number (e.g. 6521860808574070658969971) into a product of smaller numbers.
3
Really big numbers …
5
A million GHz computers, running for 100 years, can perform about 271 basic operations
A billion THz computer, running for 1000 years, can perform about 2104 basic operations
Approximate age of the universe: 292 seconds
106 computers x 109 cycles/second/computer x 31536000 seconds/year x 100 years ≈220 x 230 x 224 x 27 = 271 cycles
109 computers x 1012 cycles/second/computer x 31536000 seconds/year x 103 years ≈230 x 240 x 224 x 210 = 2104 cycles
6
The best known classical algorithm for cracking 256-bit Elliptic Curve Crypto requires about 2128 steps
The best known classical algorithm for cracking 2030-bit RSA requires about 2128 steps
The best known classical algorithm for cracking 128-bit AES (a widely used symmetric key cipher) requires about 2128 steps
www.keylength.com
Big numbers …
4
“Polynomial” cost
7
• We say an algorithm A runs in “polynomial” time if there exists a polynomial p(n) such that the algorithm takes time at most p(n) on inputs of size n.
• One can similarly talk about algorithms that use polynomial space, or a polynomial number of logic gates.
• Algorithm A simulates algorithm B with “polynomial overhead” (in time e.g.) if there is some polynomial p(n) such that when algorithm B uses Ttime then algorithm A takes time at most p(T) when simulating algorithm B. (similarly for other resources)
Why polynomials ??
8
• Polynomials are closed under addition, multiplication and composition.
• Any known realistic classical computing model can be simulated with polynomial overhead by a classical (probabilistic) Turing machine (or a PC with arbitrary memory and random coins). Thus, in these cases, the Strong Church-Turing thesis holds.
• In general, measuring complexity up to a polynomial factor gives a certain degree of robustness (e.g. against reasonable changes in computing model, and other “details”)
5
Polynomial complexity ≈ Efficient
9
“It should not come as a surprise that our choice of polynomial algorithms as the mathematical concept that is supposed to capture theinformal notion of ‘practically efficient computation’ is open to criticismfrom all sides. […]
Ultimately, our argument for our choice must be this: Adoptingpolynomial worst-case performance as our criterion of efficiencyresults in an elegant and useful theory that says somethingmeaningful about practical computation, and would be impossiblewithout this simplification” – Christos Papadimitriou
How does quantum information change computational complexity?
• We don’t think a classical computer efficiently captures the computational power of a quantum universe.
• Quantum Strong Church-Turing thesis:
Any known realistic computing model can be simulated with polynomial overhead by a quantum computer.
6
Different computational models
11
Closed system (i.e. reversible)
Open system (i.e. not necessarily reversible)
classical Classical reversible circuit model
(without randomness) Deterministic classical circuit model
(with randomness) Probabilistic classical circuit model
quantum Quantum circuit model with unitary gates
Quantum circuit model with general quantum gates
Increasing (?) capabilities
Increasing (?) capabilities
Universal set of quantum gates
12
Definition
A set of gates G is said to be universal if for any integer n>0, any n-qubit
unitary operator can be approximated to arbitrary accuracy by a quantum
circuit using only gates from G.
Results about universality give us guidelines for useful implementation paradigms, as well as for useful algorithmic paradigms.
To capture the full computational power of quantum information (as defined in previous lectures), it suffices to have a universal set of unitary quantum gates.
7
Definition of error or accuracy
13
Suppose we approximate a desired unitary transformation U by some
other unitary transformation V.
The error in the approximation is defined to be
||||max),(
VUVUE
Universal set of quantum gates
14
Definition
A two-qubit gate is said to be entangling if for some input product state,
the output of the gate is an entangled state.
Entangledstate
Entangling gate
Input state
8
Universal set of quantum gates
15
Theorem:
A set composed of any two-qubit entangling gate, together with all one-qubit
gates, is universal.
… a bit of an overkill, since such a set allows one to achieve any
unitary exactly.
Also unrealistic, since one needs access to an infinite number of one-qubit
gates.
Can we achieve universality with a finite set of gates?
Arbitrary one-qubit operations
16
Theorem (one-qubit universality):
Let and be any two non-parallel axes of the Bloch sphere,
and let be real numbers such that
are not rational.
,
,
Then
is universal for one-qubit gates.
mn RRG ˆˆ ,
n m
9
A universal set of gates: an example
17
Theorem:
The set
is a universal set of gates.
CNOTTHG ,,
i.e. any n-qubit unitary operator U can be approximated with error ,
for any , using a finite circuit with gates from G.
0
Efficiency of approximation
18
How does the size of a circuit scale as the desired accuracy improves?
1
O
e ?
1
O ?
1
logO ?
10
Solovay-Kitaev theorem
19
Theorem:
If G is a finite set of one-qubit gates satisfying the conditions of the one-qubit universality theorem, and
iii) for any gate , its inverse can be implemented exactly by a finite sequence of gates in G
Gg 1g
any one-qubit gate can be approximated with error at most using
gates from G, where c is a positive constant.
)/1(log cO
Efficiency of approximation
20
Corollary
It is possible to approximate a circuit with T gates from any universal set with
gates from any finite universal set of gates satisfying
condition iii). )/(log TTO c
• Key points are sketched in section 4.4 of KLM textbook.
• More details in Appendix of N&C, or KSV.
11
Bottom line for computer algorithmics
21
It suffices to design algorithms with your favourite finite universal gate set.
However, one might gain intuition or other practical advantages by working in other equivalent algorithmic paradigms (e.g. quantum walks, adiabatic algorithms, measurement-based, topological, etc)
22
A classical randomized algorithm
00
00
01
10
11
00
01
10
11
The probabilities could correspond to the square of a probability amplitude (due to measuring the quantum system at each time step)
2
00a ,
2
30a ,
2
00b ,
2
33b ,
j
2
0jj0 ba00 ,,)Pr(
12
23
A quantum algorithm
00
00
01
10
11
00
01
10
11
0,0a
3,0a
0,0b
3,3b
If we don’t measure at each time step, only at the end, the probability
amplitudes first have a chance to interfere.
2
0,,0)00Pr( j
jjba
• A quantum system that is continually measured (or “leaks” information to an external system) will behave like a classical randomized system.
• Partial measurements will give a probability distribution somewhere in between the two extremes.
• Error-correcting codes will allow a quantum system interacting with the environment to maintain “coherence”.
Decoherence
24
13
How do quantum algorithms work?
25
at the cost of about one evaluation of f
But we can make some interesting tradeoffs:
instead of learning about any (x, f (x)) point, one can learn something about a
global property of f
Given a polynomial-time classical algorithm for f :0,1n → T, it is
straightforward to construct a quantum algorithm that creates the state
)(2
1xfx
xn
No! — the most straightforward way of extracting information from the state yields
just (x, f (x)) for a random x0,1n
Is this exponentially many computations at polynomial cost?
25
26
Quantum algorithms
• Quantum Algorithms should exploit quantum parallelism and quantum interference.
• This is necessary, but not sufficient, in order to outperform a classical probabilistic algorithm.
E.g. at some point in the execution of the algorithm, the state of the system should have a substantial amount of entanglement (assuming we are in the usual model of unitary operations on pure states).
14
27
Query scenario
Input: a function f, given as a black box (a.k.a. oracle) fx f (x)
Goal: determine some information about f making as few queries to f as possible (of course, other operations are allowed – but we do not count them)
Example: polynomial interpolation
Let: f (x) = c0 + c1x + c2 x2 + ... + cd xd
Goal: determine c0 , c1 , c2 , ... , cd
Question: How many classical f-queries does one require for this? Answer: d +1
28
• Introduction to quantum algorithms
• Parity problem and Deutsch’s algorithm
• Constant vs. balanced problem
• Computing HH ... H
• Simon’s problem
15
29
Deutsch’s problem
Let f : 0,1 0,1 f
There are four possibilities:
x f1(x)0
1
0
0
x f2(x)0
1
1
1
x f3(x)0
1
0
1
x f4(x)0
1
1
0
Goal: determine whether or not f(0) = f(1) (i.e. f(0) f(1))
Any classical method requires two queries
What about a quantum method?
30
Unitary black box for f
a
b
a
b f(a)
a and b can be more than one qubit
2 queries + 1 auxiliary operation
A classical algorithm: (still requires 2 queries)
0
0
1
f(0) f(1)
Uf
Uf Uf
b f (a)
Uf
b
a
16
31
Quantum algorithm for Deutsch
H
H
H
1
0 f(0) f(1)
1 query + 4 auxiliary operations
11
11
2
1H
How does this algorithm work?
Each of the three H operations can be seen as playing a different role ...
1
2 3
Uf
32
Quantum algorithm (1)
1. Creates the state 0 – 1, which is an eigenvector of
NOT with eigenvalue –1
I with eigenvalue +1
This causes f to induce a phase shift of (–1) f(x) to x
0 – 1
x (–1) f(x)x
0 – 1
2 3
H
H
H
1
0
1
Uf
Uf
17
33
2. Causes f to be queried in superposition (at 0 + 1)
0 – 1
0 (–1) f(0)0 + (–1) f(1)1
0 – 1
H
x f1(x)0
1
0
0
x f2(x)0
1
1
1
x f3(x)0
1
0
1
x f4(x)0
1
1
0
(0 + 1) (0 – 1)
Quantum algorithm (2)
Uf
34
3. Distinguishes between (0 + 1) and (0 – 1)
H
(0 + 1) 0
(0 – 1) 1
H
Quantum algorithm (3)
18
35
Summary of Deutsch’s algorithm
H
H
H
1
0 f(0) f(1)
1
2 3
constructs eigenvector so f-queries induce phases: x (–1) f(x)x
produces superpositions of inputs to f : 0 + 1
extracts phase differences from
(–1) f(0)0 + (–1) f(1)1
Makes only one query, whereas two are needed classically
Uf
36
• Introduction to quantum algorithms
• Parity problem and Deutsch’s algorithm
• Constant vs. balanced problem
• Computing HH ... H
• Simon’s problem
19
37
Constant vs. balanced
Let f : 0,1n 0,1 be either constant or balanced, where
• constant means f (x) = 0 for all x, or f (x) = 1 for all x• balanced means x f (x) = 2n−1
Goal: determine whether f is constant or balanced
How many queries are there needed classically?
Quantumly?
Example: if f (0000) = f (0001) = f (0010) = ... = f (0111) = 0 then it still could be either
[Deutsch & Jozsa, 1992]
2n−1 +1
just 1 query suffices!
38
Quantum algorithm
H
H
H1
0
0
H0
Constant case: ψ = x x Why?
How to distinguish between the cases? What is Hnψ?
Last step of the algorithm: if the measured result is 000 then output “constant”, otherwise output “balanced”
ψ
Constant case: Hnψ = 00...0
Balanced case: Hn ψ is orthogonal to 0...00
H
H
H
H1
0
0
H0
H
H
Balanced case: ψ is orthogonal to x x Why?
Uf Uf
20
39
Probabilistic classical algorithm solving constant vs. balanced
But here’s a classical procedure that makes only 2 queries and performs fairly well probabilistically:
1. pick x1, x2 0,1n randomly2. if f(x1) ≠ f(x2) then output balanced else output constant
What happens if f is constant?
Succeeds with probability ½
By repeating the above procedure k times:2k queries and one-sided error probability (½)k
Therefore, for “bounded-error” algorithms, the improvement doesn’t scale as a function of n, though there is an improvement with respect to error probability.
The algorithm always succeeds
What happens if f is balanced?
40
• Introduction to quantum algorithms
• Parity problem and Deutsch’s algorithm
• Constant vs. balanced problem
• Computing HH ... H
• Simon’s problem
21
41
Recap
• Quantum Computational Complexity is an elegant robust framework for studying the efficient computability of computational problems
• A guiding tool for computationally secure cryptography• Notion of polynomial cost and polynomial overhead is critical• Quantum Strong Turing thesis• Efficient universal quantum computation
• Quantum Algorithms exploit quantum parallelism and quantum interference to solve problems more efficiently than the best-known classical algorithms
• Black-box (or “query”) complexity is a useful paradigm for studying quantum algorithms and complexity
• Deutsch’s “constant vs balanced” problem and solution gave us the first quantum algorithm; several developments eventually led to Simon’s algorithm and then Shor’s algorithms
42
About HH ... H = Hn
yxH
n,y/n
yxn
102
)1(2
1Theorem: for x 0,1n,
Thus, H nx1 ... xn = (y1(–1)x1y1y1) ... (yn
(–1)xnynyn)
Proof: For all x 0,1, H x = 0 + (–1) x1 = y (–1)xyy
1111
1111
1111
1111
2
1HHExample:
where x · y = x1 y1 ... xn yn
= y (–1) x1y1 ... xnyny1 ... yn
22
43
• Introduction to quantum algorithms
• Parity problem and Deutsch’s algorithm
• Constant vs. balanced problem
• Computing HH ... H
• Simon’s problem
44
Quantum vs. classical separations
Black-box problem Quantum Classical
Deutsch’s problem 1 (query) 2 (queries)
constant vs. balanced 1 ½ 2n + 1 (only for exact)
(probabilistic)Simon’s problem O(n) (2n/2)
23
45
Simon’s problem
Let f : 0,1n 0,1n have the property that there exists an r 0,1n
such that f (x) = f (y) iff xy = r or x = y
x f (x)000
001
010
011
100
101
110
111
011
101
000
010
101
011
010
000
Example:
What is r is this case? r = 101
Find r.000, 101
011f
001, 100
101f
010, 111
000f
011, 110
010f
46
A classical algorithm for Simon
Search for a collision, an x ≠ y such that f (x) = f (y)
A hard case is where r is chosen randomly from 0,1n– 0n and then the “table” for f is filled out randomly subject to the structure implied by r
1. Choose x1, x2 ,..., xk 0,1n uniformly randomly (independently)
2. For all i ≠ j, if f (xi) = f (xj) then output xixj and halt
Question: How big does k have to be for the probability of a collision to be a constant, such as ¾?
Answer: order 2n/2 (each (xi , xj) collides with prob. O(2 – n))
24
47
Classical lower bound
Theorem: any classical algorithm solving Simon’s problem must make Ω(2n/2) queries
Proof is omitted here
Note: the performance analysis of the previous algorithm does notimply the theorem
… how can we know that there isn’t a different algorithm that performs better?
48
A quantum algorithm for Simon (1)
x2
xn
x1
y2yn
y1
x2
xn
x1
y f (x)
Queries:
Proposed start of quantum algorithm: query all values of f in superposition
H
H
0
0
0
H0
00
What is the output state of this circuit?
?
Uf
Uf
25
49
Answer: the output state is
n,x
xfx10
)(
)()( rxfrxxfxTx
Let T 0,1n be such that one element from each matched pair is in T (assume r ≠ 00...0)
x f (x)000
001
010
011
100
101
110
111
011
101
000
010
101
011
010
000
Example: could take T = 000, 001, 011, 111
Then the output state can be written as:
Tx
xfrxx )(
A quantum algorithm for Simon (2)
50
Measuring the second register yields x + x r in the first register, for a random x T
How can we use this to obtain some information about r ?
Try applying H n to the state, yielding:
yy
n,yn,y
yrxyx
1010
)()1()1(
y
n,y
yryx
10
)1(1)1(
(1/2)n–1 if r · y = 00 if r · y = 1 Measuring this state yields y with prob.
A quantum algorithm for Simon (3)
26
51
Executing this algorithm k = n+O(1) times yields random y1, y2 ,..., yk 0,1n such that r · y1 = r · y2
= ... = r · yk = 0 H
H
0
0
0
H0
00
H
H
H
This is a system of k linear equations:
0
0
0
2
1
21
22221
11211
nknkk
n
n
r
r
r
yyy
yyy
yyy
With high probability, there is a unique non-zero solution that is r(which can be efficiently found by linear algebra)
How does this help?
A quantum algorithm for Simon (4)
Uf
52
Conclusion of Simon’s algorithm
• Any classical algorithm has to query the black box (2n/2 ) times, even to succeed with probability ¾.
• There is a quantum algorithm that queries the black box only n+O(1)times, performs only O(n 3 ) auxiliary operations (for the Hadamards, measurements, and linear algebra), and succeeds with probability ¾.
27
53
Aside:
• Note that we assumed that if we know how to classically compute f(x) then we can implement
)(0 xfxx
• Is that necessarily possible to do with comparable efficiency?
54
Irreversible gates from reversible ones
ab a b
Note that irreversible gates are really just reversible gates where we hardwire some inputs and throw away some outputs
0ab
ab
a b
28
55
Making reversible circuits
abc
d
00
ab
cd
Replace irreversible gates with their reversible counterparts
56
Making reversible circuits
One problem is that there will be junk left in the extra bits
)(00)(
)()()()(
0)()()(
000
xfxxfuncompute
xfxjunkxfxxfcopy
xjunkxfxxfcompute
x
Bennett showed how to “uncompute” the junk
29
57
Making reversible circuits
An irreversible circuit with space S and depth (or “time”) T can thus be simulated by a reversible circuit with space in O(S+T) and time O(T)
Bennett also showed how to implement a reversible version with time O(T1+ ) and space O(S log(T)) or time O(T) and space O(ST ).
• Bottom line: if we know how to classically compute f(x) then we can implement, with similar efficiency,
)(0 xfxx
58
Recall: Multi-qubit Hadamard
x nH y
yx
ny)1(
2
1
nH y
yx
ny)1(
2
1x
30
59
Quantum algorithms
• These algorithms have been computing essentially classical functions on quantum superpositions.
• When information is encoded in the phases of the basis states, measuring basis states would provide little useful information
• However, a quantum transformation might translate the phase information into information that is measurable in the computational basis.
60
Quantum phase estimation
• Note that in binary we can express
321.0 xxx
321.2 xxx
113211 .2 nnn
n xxxxxx
• Suppose we wish to estimate a number given the quantum state
12
0
2n
y
i yye
),[ 10
31
61
Quantum phase estimation
1e ik2 Since for any integer k, we have
...).0(2...).0(22...).(2)(2 323213212 xxixxiixxxxii eeeee
...).0(2)(2 212 kk xxiki ee
• If then we can do the following
62
Quantum phase estimation
1x0.
1x
2
1)1(0
2
10 11 ).0(2 xxie
H
2
1)1(0 1x
32
63
Useful identity
• We can show that
10
1010...).0(2
...).0(2...).0(2
21
111
xxi
xxxixxi
e
ee nnnnn
101010 )(2)22(2)12(2 inini eee
12
0
2n
y
i yye
64
Quantum phase estimation
21xx0.• So if then we can do the following
2x
2
10 ).0(2 21xxie
2
10 ).0(2 2xie
1x
kik e
R 2/20
01
H
H12R
33
• So if then we can do the following
65
Quantum phase estimation
321 xxx0.
3x
2
10 ).0(2 32xxie
2
10 ).0(2 3xie
2x
2
10 ).0(2 321 xxxie 1x
H
H
H
12R
12R1
3R
66
Quantum phase estimation
• Generalizing this network (and reversing the order of the qubits at the end) gives us a network with O(n2) gates that implements
xyen
y
ynx
i
12
0
22
34
67
Discrete Fourier transform
• The discrete Fourier transform maps vectors of dimension N by
transforming the elementary vector according to
1
0
21 N
y
Ni
yyx
eN
x
),,,,1(1
)0,...0,1,0,...,0,0()1(
22
22N
xNi
N
xi
N
xi
eeeN
thx
• The quantum Fourier transform maps vectors in a Hilbert space of dimension N according to
68
Discrete Fourier transform
• Thus we have illustrated how to implement (the inverse of) the quantum
Fourier transform in a Hilbert space of dimension 2n
35
69
Estimating arbitrary ω ϵ [0,1)
• What if ω is not necessarily of the form for some integer x ?
12
0
2
n
x
i zze • The QFT will map
n2
x
where
y
y y~
N
yOy
12
81Pr
NN
yob
to a superposition
70
Quantum phase estimation
• For any real
2
10 )2(2 ie
2
10 )4(2 ie
2
10 )(2 ie
),[ 10
• With high probability 8
24 321 xxx
3x
2x
1x
H
H
H
12R
13R 1
2R
36
71
Eigenvalue kick-back
• Recall the “trick”:
x
10
xxf )()1(
10
)1)()(()10( xfxfxx
)10()1( )( xxf
)10()1( )( xfx
f(x)
72
• Consider a unitary operation U with eigenvalue and
eigenvector
ie2
1
12 ie
U11
U
Eigenvalue kick-back (Kitaev)
12 ie
ie21
37
73
0
0
U
Eigenvalue kick-back
74
U
Eigenvalue kick-back
10 10 2 ie
• As a relative phase, becomes measurable ie2
38
75
Ux
Eigenvalue kick-back
• If we exponentiate U, we get multiples of
1 12 xe i
76
Ux
Eigenvalue kick-back
10 10 2 xe i
39
77
10
10 2 ie
10 10 )2(2 1
nie
10
10 10 )2(2 ie
10 )2(2 2
nie
U U2U U
12 n 22 n
Eigenvalue kick-back
78
Phase estimation
10 2 ie
10 )2(2 1
nie
10 )2(2 ie
10 )2(2 2
nie
1x
H
2x
nn
nn xxx
2
22 22
11
nx
1nx
12R
H
12R
13R
H
40
79
Eigenvalue estimation
10
10
2U U 4U
10 H
1x
2x
3x
H
H12R 1
3R
12R
80
xU
0
1x
2x
3x
0
0
8QFT 18QFT
Eigenvalue estimation
41
• Given U with eigenvector and eigenvalue , we thus have an
algorithm that maps
81
Eigenvalue estimation
i2e
~0
• Given U with eigenvectors and respective eigenvalues
we thus have an algorithm that maps
82
Eigenvalue estimation
k ki2e
kkk ~0
k
kkkk
kkk
kk ~00
and therefore
42
83
Eigenvalue estimation
• Measuring the first register of
k
kkk~
is equivalent to measuring with probability k~ .
2
k
84
Example
• If we can efficiently do arithmetic in the group, then we can realize a
unitary operator Ua that maps .axx
Ia
Ua
U rr
• This means that the eigenvalues of Ua are of the form
where k is an integer.
r
ki2
e
• Suppose we have a group G and we wish to find the order of a ϵ G
(i.e. the smallest positive r such that ar ≡ 1).
• Notice that
43
How do we implement c-U ?
Replace every gate G in the circuit with a c-G.
For example,
85
86
Inefficient exponentiation
We can effect a relative phase shift ofie
r
ky22
10 1 0 ie
k Ua Ua UaUa
r
ky22
k
2y
44
87
Efficient exponentiation
But we can also do it efficiently by noticing that
y2Ua
Ua Ua UaUa
2y
Ua
y2
y2= Ua
88
Quantum factoring
• The security of many public key cryptosystems used in industry today relies on the difficulty of factoring large numbers into smaller factors.
• Factoring the integer N into smaller factors can be reduced to the following task:
Given integer a, find the smallest positive integer r so that ar ≡ 1 mod N
45
89
(Aside: how does factoring reduce to order-finding ?)
• The most common approach for factoring integers is the difference of squares technique:
“Randomly” find two integers x and y satisfying
So N divides
Hope that is non-trivial
• If r is even, then let
so that
Nyx mod22
),gcd( yxN ))((22 yxyxyx
Nax r mod2/
Nx mod122
90
Quantum factoring
Since we know how to efficiently multiply by a mod N, we can efficiently implement
Note that
i.e.
Uax = ax
Ua x = arx = xr
Ua = Ir
Remember that represents the state corresponding to the binary representation of x (e.g. for four qubits, represents )
x2 0010
46
91
(Aside : more on reversible computing)
If we know how to efficiently compute f and f -1 then we can efficiently and reversibly map
x
b
fUx
)(xfb
c
y1f
U)(1 yfc
y
92
And therefore we can efficiently map
)(xfx
(Aside : more on reversible computing)
fU 1fU
x
0
0
)(xf
47
93
Interesting eigenvalues
If Ua = I then the eigenvalues of Ua are of the form
jr
j
r
kπji
k aeψ
1
0
2
r
ki
e2 r
kk ψ ψ k
i2π
eUar
94
Checking the eigenvalues
ja
r
j
r
kπj-i
ka aUeψU
1
0
2
11
0
2
jr
j
r
kπj-i
ae
jr
j
r
kπj-i
r
kπi
aee1
22
j1-r
0j
r
ki2π-
r
ki2π
aeej
kr
kπiψe
2
48
95
Finding r
For most integers k, a good estimate of (with error at most ) allows us
to determine r (even if we don’t know k).
(using continued fractions)
r
k22
1
r
96
Complexity comparison
•The best known rigorous classical algorithms use
operations
))log(log)log(( NNOe
•The best known heuristic classical algorithms use
operations
))log(log)((log( 3
2
3
1
NNOe
•The quantum algorithm uses poly(log(N))
operations
))log((log NOe
49
97
Shor’s Factoring Algorithm
x
xx
axx 1
1
0
r
w y
wayrw
( )-1QFT
w
wa
r
k
r
1
r
0
98
A circuit for Shor’s Factoring Algorithm
Ux
a
0
1
-1QFTQFT
50
99
Eigenvalue EstimationFactoring Algorithm
1
0
1
0
010r
kk
x
r
kk ψxψ
1
0
2r
kk
x
πikx/r ψxe
( )k
kψ
r
k
100
A circuit for Eigenvalue Estimation Factoring Algorithm
Ux
a
0
1
-1QFTQFT
51
101
Equivalence
1
0
1r
kk
xx
ψxx
1
0
21
0
r
kk
x
πikx/rr
w y
w ψxeayrw
r
( )wwa
k10
k
kψ( )=
rr r
k
Discrete Logarithm Problem
102
Consider two elements from a group G satisfyingGba ,
1rasab
Find s.
axxU a
52
103
We know Ua has eigenvectors
j1r
0j
r
kji2-
k aeψ
Discrete Logarithm Problem
kk k
i2π
eUar
104
Thus Ub has the same eigenvectors but with eigenvalues
exponentiated to the power of s
Discrete Logarithm Problem
kkk ksπi
e2
Ua
rUb
s
53
105
1 k
k0rF
random k
Discrete Logarithm Problem
xaU
1rF
106
k
ks0rF
Discrete Logarithm Problem
xbU
1rF
k
Given k and ks, we can compute s mod r(provided k and r are coprime)
54
Complete Circuit
107Lecture 14
1 k
k0 rF
ks0 rF
xaU y
bU
1rF
1rF
random k
Generalization of Simon’s problem, order-finding and DLP: “Hidden subgroup problem”
108
• A unifying framework was developed for these problems
XGf :
iff yfxf SySx GS for some
• If G is Abelian, finitely generated, and represented in a reasonable
way, we can efficiently find S.
55
Example (I)
109
Deutsch’s Problem:
1,0G X 1,0
S 1,00 or
Order finding:
ZG X
S rZ
any group
f )(x ax
Example (II)
110
Discrete Log of b=ak to base a :
f ),( yx a x by
S (k,1)
G rr ZZ X any group
56
What about non-Abelian HSP
111
• Consider the symmetric group
• Sn is the set of permutations of n elements
• Let G be an n-vertex graph
• Let
• Define
• Then
where
nSG
|)( nG SGX
)(GfG GnG XSf :
fG 1 fG 2 1S 2S
S AUT(G) | G G
Further reading
112
http://math.nist.gov/quantum/zoo/ (maintained by S. Jordan)
57
Graduate Program in Quantum Information•A cutting‐edge interdisciplinary program leading to MMath, MSc, MASc and PhD degrees (e.g. PhD in Applied Mathematics (Quantum Information))
• Students must apply directly to one of the following academic units:• Applied Mathematics
• Chemistry
• Combinatorics and Optimization
• David R. Cheriton School of Computer Science
• Electrical and Computer Engineering
• Physics and Astronomy
•Applicants will be subject to the normal admission procedures of the home unit
•Students will be subject to the normal program requirements of the home unit, plus additional QI requirements
•Several scholarships available to both domestic and international students
•For more information, visit www.iqc.ca or email [email protected]
Top Related