Short course on quantum computing Andris Ambainis University of Latvia
Lecture 2 Quantum algorithms and factoring
Factoring • Input: composite N. • Output: $p, q \in \{2, \ldots, N-1\}$ s.t. $pq=N$. • Hard for classical computers. • Factoring large integers would break RSA.
Factoring • Quantum computers can factor integers in polynomial (quadratic) time [Shor ’94]. • A similar approach also solves discrete logarithm by a quantum algorithm. • Today: Shor’s algorithm.
Outline 1) Computational model. 2) Quantum parallelism and quantum interference. 3) Simon’s algorithm. 4) Shor’s algorithm.
Basic ideas • State space consisting of n (quantum) bits. • Elementary gates on 1 or 2 (qu)bits. • Efficiently computable = poly-size circuits.
Classical circuits [Figure: classical circuit with inputs X1, X2, X3, X5, ∧ gates and output Result.]
Quantum circuit [Figure: circuit with H gates.] Gates on quantum bits.
Elementary gates (1) • Hadamard gate • Phase shift
Elementary gates (2) • Rotation by angle • Controlled NOT
Universality • Any quantum computation can be performed by a circuit consisting of Hadamard, phase, rotation by $\pi/8$ and controlled NOT gates.
Classical vs. quantum circuits • We have a classical circuit. • Can we construct a quantum circuit that computes the same function?
Reversibility • Assume f(x)=f(y)=z. • If then • U not unitary.
Reversibility • We can transform a classical circuit for F into a quantum circuit. [Figure: F maps |x>|0> to |x>|F(x)>.] • Add an extra input initialized to 0.
Example [Figure: classical ∧ gate computing x ∧ y from x, y; quantum circuit on |x>, |y>, |0> producing |x ∧ y>, with the third output labelled |a ⊕ (x ∧ y)>.] Toffoli gate.
Quantum parallelism [Figure: f maps |x>|0> to |x>|f(x)>.] • By linearity, $\sum_x |x\rangle|0\rangle \to \sum_x |x\rangle|f(x)\rangle$. • Many evaluations of f in unit time.
Quantum parallelism • Once we measure $\sum_x |x\rangle|f(x)\rangle$ we get one particular x and f(x). • Same as if we evaluated f on a random x.
Quantum parallelism • Is it useful? • We cannot obtain all values f(x) from $\sum_x |x\rangle|f(x)\rangle$ because quantum states cannot be measured completely. • We can obtain quantities that depend on many f(x).
Quantum interference • Hadamard transform:
Quantum interference • Negative interference: |1> and -|1> cancel out one another. • Positive interference: |0> and |0> add up to a higher probability.
Parallelism+interference • Use quantum parallelism to compute many f(x). • Use interference to obtain information that depends on many values f(x). • Requires algebraic structure. • Ideal for number-theoretic problems (factoring).
Order finding • The order of $a \in \mathbb{Z}_N^*$ modulo N is the smallest integer $r>0$ such that $a^r \equiv 1 \pmod N$. • For example, the order of 4 mod 7 is 3: $4^1 \equiv 4$, $4^2 = 16 \equiv 2$, $4^3 = 64 \equiv 1 \pmod 7$. • Factoring reduces to order-finding.
Reduction • If $a^r \equiv 1 \pmod N$, then N divides $a^r - 1$. • If r even, $a^r - 1 = (a^{r/2} - 1)(a^{r/2} + 1)$. • If N is a product of two or more primes, $\gcd(a^{r/2} - 1, N)$ is a nontrivial factor of N with probability at least 1/2.
Shor’s algorithm Repeat O(log n) times: • Generate random $a \in \{1, \ldots, N-1\}$; • Check if (a, N)=1; • r = order(a); • If r even, check $(a^{r/2} - 1, N)$.
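The reduction and loop on the three slides above, as an added example that is not part of the lecture. The brute-force `order` function is a classical stand-in for the quantum order-finding step; the function names and the toy modulus 3233 are assumptions of this example.

```python
import math
import random

def order(a, N):
    """Smallest r > 0 with a^r = 1 (mod N), found by brute force.

    Classical stand-in for the quantum order-finding step (assumption of
    this example); needs gcd(a, N) == 1 and takes up to N-1 steps.
    """
    r, x = 1, a % N
    while x != 1:
        x = (x * a) % N
        r += 1
    return r

def split_with_base(a, N):
    """One round of the reduction: a nontrivial factor of N, or None."""
    g = math.gcd(a, N)
    if g != 1:
        return g                      # a already shares a factor with N
    r = order(a, N)
    if r % 2:
        return None                   # odd order: no a^(r/2) to use
    d = math.gcd(pow(a, r // 2, N) - 1, N)
    return d if 1 < d < N else None   # d == 1 when a^(r/2) = -1 (mod N)

def factor(N, rng, max_rounds=64):
    """Repeat with random a in {1, ..., N-1} until a round succeeds."""
    for _ in range(max_rounds):
        d = split_with_base(rng.randrange(1, N), N)
        if d is not None:
            return d
    return None

if __name__ == "__main__":
    N = 53 * 61                       # constructed toy modulus, 3233
    p = factor(N, random.Random(2024))
    print(N, "=", p, "*", N // p)
```

A round returns None both for odd r and for $a^{r/2} \equiv -1 \pmod N$, which is why the slide repeats the draw.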
Period finding • Function $F: \mathbb{N} \to \mathbb{N}$ such that F(x)=F(x+r) for all x. • Find smallest r. [Figure: F maps |x>|0> to |x>|F(x)>.]
Simon’s problem • Function $F$: $\{0,1\}^n$. • F(x+y)=F(x) for all x, + bitwise addition. • Find y. [Figure: F maps |x>|0> to |x>|F(x)>.]
Algorithm [Simon, 1994] [Figure: circuit on inputs |0>, |0> applying H, F, H; outputs |y> and |f(x)>.] Repeat n times and combine results $y_1, \ldots, y_n$.
Hadamard transform
Hadamard on n qubits [Figure: H applied to |0>.]
Simon’s algorithm step-by-step [Figure: circuit on inputs |0>, |0> applying H, F, H; outputs |y> and |F(x)>.]
Measuring F(x) • Partial measurement. • We get some value y=F(x). • The state collapses to the part consistent with y=F(x).
Last step • We now have the state • How do we get z? • Measuring the first register would give only one of x and x+z.
Simon’s algorithm [Figure: circuit on inputs |0>, |0> applying H, F, H; outputs |y> and |f(x)>.]
Hadamard transform
Hadamard transform [Figure: H applied to each of |x_1>, |x_2>, ..., |x_n>.]
Hadamard transform • Signs are the same iff $\sum_i z_i y_i = 0 \bmod 2$.
Summary • Measuring the final state gives a vector y such that • n-1 such constraints uniquely determine z, with high probability.
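The classical step that combines the measured vectors, as an added example that is not part of the lecture: Gaussian elimination over GF(2) on vectors y satisfying $\sum_i z_i y_i = 0 \bmod 2$ until n-1 of them are independent. The sampler is a constructed stand-in for running the circuit, bit vectors are stored as Python ints, and all function names are assumptions of this example.

```python
import random

def dot2(y, z):
    """Inner product of two bit vectors (ints) modulo 2."""
    return bin(y & z).count("1") & 1

def sample_y(z, n, rng):
    """Constructed stand-in for one circuit run: uniform y with y.z = 0."""
    while True:
        y = rng.getrandbits(n)
        if dot2(y, z) == 0:
            return y

def insert(basis, y):
    """Reduce y against an echelon basis {pivot bit: row}; True if rank grew."""
    while y:
        p = y.bit_length() - 1
        if p not in basis:
            basis[p] = y
            return True
        y ^= basis[p]                 # clears the top bit of y
    return False

def solve(basis, n):
    """Nonzero z orthogonal to every row, given rank n-1 (one free bit)."""
    free = next(b for b in range(n) if b not in basis)
    z = 1 << free
    for p in sorted(basis):           # back-substitute, low pivots first
        if dot2(basis[p] ^ (1 << p), z):
            z |= 1 << p
    return z

def simon_postprocess(z_hidden, n, rng):
    """Collect samples until n-1 are independent; return (z, runs used)."""
    basis, runs = {}, 0
    while len(basis) < n - 1:
        runs += 1
        insert(basis, sample_y(z_hidden, n, rng))
    return solve(basis, n), runs

if __name__ == "__main__":
    z, runs = simon_postprocess(0b1011010, 7, random.Random(7))
    print(format(z, "07b"), "recovered after", runs, "runs")
```

Dependent samples do not raise the rank, so the number of runs can exceed n-1.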
Summary • Quantum parallelism: computing F for many values simultaneously. • Quantum interference: Hadamard transform.
Period finding • Function $F: \mathbb{N} \to \mathbb{N}$ such that F(x)=F(x+r) for all x. • Find r. [Figure: F maps |x>|0> to |x>|F(x)>.]
Algorithm [Simon, 1994] [Figure: circuit on inputs |0>, |0> applying H, F, H.] Repeat n times and combine results $y_1, \ldots, y_n$.
Algorithm [Shor, 1994] [Figure: circuit on inputs |0>, |0> applying QFT, F, QFT.] Find factor by continued fraction expansion.
Shor’s algorithm step-by-step [Figure: circuit on input |0> applying QFT, F, QFT.]
Shor’s algorithm step by step • Measuring the second register leaves the first register in a state consisting of all x with the same F(x): |d>+|d+r>+…+|d+ir>
Quantum Fourier transform If M=2, this is Hadamard transform.
QFT detects periods • Assume r divides M. • Then, • If j relatively prime with r,
QFT detects periods • Assume r does not divide M. • Then, most of T| consists of |k> with
QFT detects periods [Figure: two plots, titled "r does not divide M" and "r divides M".] Can we find r?
Continued fraction expansion • Number theory algorithm. • Given k, M, finds j, r such that • is smallest among all j and r r 0. • If M= (r 2), correct w.h.p.
Summary of Shor’s factoring • Reduce factoring to period-finding. • Generate a quantum state with period r. • In the easy case, QFT transforms a state with period r into multiples of M/r. • General case: same but approximately. • Continued fraction algorithm finds the closest multiple of M/r.
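The continued fraction step, as an added example that is not part of the lecture: it expands k/M into convergents j/r, keeps the last one whose denominator stays within a bound, and accepts r only if $a^r \equiv 1 \pmod N$. It assumes the measured k is the integer nearest a multiple of M/r, $M \ge N^2$, and a denominator bound of N-1; the function names and the values N=21, a=2, M=512 are constructed for illustration.

```python
from fractions import Fraction

def convergents(k, M):
    """Yield the continued-fraction convergents of k/M, coarsest first."""
    h0, h1 = 0, 1                     # numerator recurrence seeds
    q0, q1 = 1, 0                     # denominator recurrence seeds
    n, d = k, M
    while d:
        a = n // d
        n, d = d, n - a * d
        h0, h1 = h1, a * h1 + h0
        q0, q1 = q1, a * q1 + q0
        yield Fraction(h1, q1)

def candidate_period(k, M, r_max):
    """Denominator of the last convergent of k/M with denominator <= r_max."""
    best = 1
    for c in convergents(k, M):
        if c.denominator > r_max:
            break
        best = c.denominator
    return best

def recover_order(k, M, a, N):
    """Order of a mod N from one measurement k, or None if the check fails."""
    r = candidate_period(k, M, N - 1)
    return r if pow(a, r, N) == 1 else None

def ideal_outcome(j, r, M):
    """Constructed sample measurement: the integer nearest to j*M/r."""
    return (2 * j * M + r) // (2 * r)

if __name__ == "__main__":
    N, a, r, M = 21, 2, 6, 512        # constructed: order of 2 mod 21 is 6
    for j in range(r):
        k = ideal_outcome(j, r, M)
        print(j, k, recover_order(k, M, a, N))
```

Outcomes with j not relatively prime to r yield only a divisor of r (here 3 or 2), so the check fails and the measurement is repeated.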
Hidden subgroup • Function $F: G \to S$ such that F(g)=F(hg) iff $h \in H$. • Find H. [Figure: F maps |x>|0> to |x>|F(x)>.]
Hidden subgroup • Captures a lot of problems. • Simon’s problem: $G=\{0,1\}^n$, $H=\{0^n, z\}$. • Shor’s period-finding: $G=\mathbb{Z}$, $H=r\mathbb{Z}$ (multiples of r). • Discrete logarithm: $G=\mathbb{Z}^2$. • Pell’s equation [Hallgren, 2002]: $G=\mathbb{R}$.
Discrete log • Given N, g and x, compute r such that $g^r \equiv x \pmod N$. • Another hard problem relevant to crypto (Diffie-Hellman).
Discrete log • Define $F(y, z) = g^y x^z \bmod N$. • $G=\mathbb{Z}^2$. • $H=\{y, z \mid y+zr = 0 \bmod N-1\}$ because $g^y x^z = g^{y+rz}$ and $g^{N-1}=1$.
Status of hidden subgroup • Quantum polynomial time for Abelian G. • Open for non-Abelian G (except a few groups G with simple structure).
Graph Isomorphism [Figure: two graphs, G_1 and G_2, with a question mark between them.]
Graph Isomorphism • G: all permutations of vertices. • F( ) = (G). • H - permutations that fix G.
Hidden subgroup • Graph Isomorphism reduces to hidden subgroup for non-Abelian groups. • Approximating shortest vector in lattice also reduces to HSP. • Solving HSP by quantum algorithm remains open for almost all non-Abelian groups.