2 A Fourier Transform for Bivariate Functions

Transcription

1 Stanford University CS59Q: Quantum Computing Handout 0 Luca Trevisan October 5, 0 Lecture 0 In which we present a polynomial time quantum algorithm for the discrete logarithm problem. The Discrete Log Problem If p is a prime and g is a generator of the multiplicative group Z p, then the modular eponentiation function g mod p is a bijection of Z p to Z p. The discrete log problem is the problem of inverting this mapping, that is, given a prime p, a generator g of Z p and an element z Z p, find the unique r, 0 r p, such that g r z (mod p). An efficient algorithm for the discrete log problem can be used to break several publickey cryptosystems whose design is based on having (p, g, g y mod p) as a private key, where p is a properly chosen prime, g is a generator of Z p, and, y are randomly chosen, while the public key is (p, g, g mod p, g y mod p). The discrete log problem can be formulated for every group G. Once the group is fied, or a description is given, an input to the problem are two elements a, z G, and the goal is to find an integer r such that a r = z, where a r means a a a r times and is the group operation. An algorithm for this more general problem breaks public-key cryptosystems based on elliptic curves. In this lecture we describe a polynomial time quantum algorithm for the discrete logarithm problem in Z p, but the algorithm can be adapted to work in any Abelian group. (The groups arising in elliptic curves cryptographic constructions are Abelian.) A Fourier Transform for Bivariate Functions We briefly describe a theory of discrete Fourier transforms for functions with two inputs. If is a positive integer, the functions

2 f : {0,..., } {0,..., } C form an -dimensional vector space. In the univariate case of functions f : {0,..., } C, we derived the Fourier transform by defining an orthonormal basis and writing f as a linear combination of basis functions. Similarly, we will now define orthonormal functions and write each bivariate function as a linear combination of basis functions. A general principle is that if v,..., v k are an orthonormal vectors, then the collection of all the tensor products v i v j is a set of k orthonormal vectors. Consider now the functions χ s () = e πi s ; we prove that they are orthonormal, and so the collection of their tensor products χ s,s (, y) := e πi (s +s y) is a collection of orthornomal functions, and thus it is an orthonormal basis for the set of functions f : {0,..., } {0,..., } C Each such function can be written as a linear combination f(, y) = s,s ˆf(s, s ) χ s,s (, y) where the coefficients of the linear combination (the Fourier coefficients of f) can be computed as ˆf(s, s ) = f, χ s,s = f(, y)e πi (s +s y),y The transformation from the values f(, y) to the coefficients ˆf(s, s ) is a change of orthonormal basis, and so it is unitary linear transformation, and so if is a quantum state, then f(, y), y,y s,s ˆf(s, s ) s, s is also a quantum state, and the transformation from the former to the latter is the quantum (bivariate) Fourier transform; it is easy to see that this can be done in quantum polynomial time if = m is a power of by first applying the standard quantum Fourier transform to and then to y.

3 3 A Generalized Period Finding Algorithm Given a prime p, a generator g of Z p and an element a = g r mod p of Z p, define the function F (, y) := a (g ) y mod p = g r y mod p Then F (, ) has a period in the sense that for every (, y) we have F (, y) = F (, y + r) We will perform a bivariate version of the period-finding algorithm that we used to solve the factorization problem, and then we will see that, after a constant number of eecutions of the algorithm, we can recover r. Input: prime p, generator g of Z p, element z Z p Step : Fi an = m such that p p and construct the state y a (g ) y mod p (),y where each of the three parts of the state is an integer in {0,..., }, represented as an m-qubit string. The function, y a g y mod p is computable in polynomial time, and so there is a quantum circuit C modep of polynomial size that, given y 0, outputs y a g y mod p. Starting from the state 0 0 0, we first apply Hadamard gates to the first m bits, which results in the state y 0 and then we apply C modep to the above state. Step : easure the third integer in the quantum state.,y If the outcome of the measurement is g k mod p, then the residual state is Where Sk y g k mod p S k := {, y : 0 < 0 y < r y k (mod p )} From now we will disregard the third integer of the state, which has been fied by the measurement. 3

4 Step 3: Apply the bivariate quantum Fourier transform. This gives the state where ω = e πi (s +s y) Step 4: easure the state Sk s =0 s =0 ω s+sy s s It remains to show that after seeing a constant number of eecutions of the algorithm we can reconstruct r from the outcomes at Step 4. 4 Analysis of the Last Step To understand the distribution of outcomes that we get at Step 4, let us first do a non-rigorous calculation assuming that = p and that p is prime. In such a case, S k is just the set of p pairs (, y) Z p Z p such that y = r k mod p. The amplitude of state s, s at Step 4 is ω s +s (r k mod p ) = (p ).5 (p ).5 ω s +s r s k because operations in the eponent of ω are performed mod, which is the same as mod p. The probability of the outcome s, s is (p ) 3 ω s +s r s k = ω s k (p ) 3 ω s +s r = (p ) 3 (ω s +s r ) and if s + s r 0 mod p then the probability is /(p ), and otherwise it is zero. This means that from an outcome (s, s ) of Step 4 we can reconstruct r as r = s (s ) mod (p ) Unfortunately, we do not have = p, and so the modular identities that we get in the eponent of ω are not the same as in the eponent of g, complicating the structure of S k and adding error terms to the above calculations. We also don t have that p is prime, which means that at the end we may have problems inverting modulo p. 4

5 Before discussing how to deal with these problems, let us see what we may epect in practice. Suppose that we run the algorithm on input p = 6, g = 6 and z = 8. We pick = 64, and the probability of the possible outcomes s, s at Step 4 is plotted below: and we see that most of the probability is concentrated on outcomes s, s such that s + 3s is close to a multiple of 64, and indeed 3 is the correct answer. For every {0,..., }, the set S k contains the pairs (, y) such that 0 y < and y = r k mod p and there is always either one or two such y. Hence, S k. In our analysis it will be convenient to use the following notation: {a} is the difference between a and the multiple of that is closest to a. Note that a {a} (mod ) and that / {a} /. The probability of an outcome s, s at Step 4 is 5

6 S k 3 = 3 = 3 = 3 ω s+sy ω s+sy ω s+s(r k mod p ) ω s+sr sk (p )s ω s+sr (p )s r k p r k p where, in the second-to-last equation, we use a mod k = a a k. Our approach is now to define a notion of good pair (s, s ), to show that there are Ω() such pairs, that each of them is generate with probability Ω(/), and that from a good pair it is possible to compute (a large amount of information about) r. Definition (Good Pairs) A pair (s, s ) is good if. s + s r r p {s (p )} differs from a multiple of by at most ±/.. s (p )differs from a multiple of by at most ±/. Lemma (any Good Pairs) There are at least / good pairs. Proof: We first prove the following fact. Claim 3 Let k > a > 0 be positive integers, and t < k/. Then there are at least t distinct values such that t {a} k t Proof: Consider the mapping a mod k This is a gcd(a, k)-to- mapping, that is, there are k/ gcd(a, k) possible outputs, each having gcd(a, k) preimages, and each possible output is a multiple of gcd(a, k). 6 ()

7 (This is easy to see using the Chinese remainders theorem.) We are interested in the number of preimages of 0 and of possible outputs in the range,..., t and in the range t,..., ; overall there are t d + d d such preimages, where d := gcd(a, k). If t d, then we have at least d t preimages; if t > d we have at least ( ) t d + d d = t d > t preimages. From the claim above (applied to = s, a = p and k = ), we see that there are at least / choices of s that satisfy property () of being a good pair. For each such s, we can find an s for which property () holds. Lemma 4 (High Probability of Good Pairs) Each good pair has probability at least Ω(/) of being a possible outcome of Step 4. Proof: [Sketch] We write where and ω s +s r (p )s r k p = ω A+B() A := s + s r B() := {s (p )} r p {s (p )} ( r p ) r k p When (s, s ) is a good pair, we have A / and B /. The summation ω A+B() is a summation of comple numbers ω A, which are either all of the form e iθ either with θ between 0 and π or between 0 and π, and they are uniformly spaced and some of them may be repeated twice in the sum. Each of them is shifted by e B(), which is of the form e iθ with θ π/6. Such a sum produces a vector of length Ω(), and so the overall amplitude of (s, s ) is Ω(/). Now suppose that we have a good pair (s, s ); we see that 7

8 s ( ) + r s (p ) {s (p )} (p ) mod where mod stand for the difference between the real number and the closest integer to. We also note that s (p ) {s (p )} is an integer. This means that by finding the multiple a/(p ) of /(p ) closest to s / we find a number of the form rc/ mod, where c = s (p ) {s (p )} is a known quantity. So we have found numbers a, c such that a/(p ) rc/(p ) mod, that is, Now we can find a rc mod (p ) r = a c mod p provided that gcd(c, p ) = 0. What do we do if c and p have common factors? We can still get some useful information, because it is definitely true that a rc mod p gcd(p, c) and we can invert c modulo (p )/ gcd(p, c) and we find r mod (p )/ gcd(p, c). If we run the algorithm twice, we get good pairs both times, and the two good pairs lead us to values c, c with no common factors, then from r mod (p )/ gcd(p, c) and r mod (p )/ gcd(p, c ) we can reconstruct r mod p via the Chinese remainders theorem. The probability of getting good pairs twice in two consecutive runs of the algorithm is Ω(). Conditioned on that, what is the probability of ending up with c, c having no common factor? This is tricky issue and, indeed, c and c will always be even. However, it can be argued that c, c have Ω() probability of having distinct factors ecept possibly for the first O() primes. When we reconstruct r with the Chinese remainder theorem, we will try all possible values of r modulo those primes. Overall, two eecutions of the algorithm give us probability Ω() of generating a list of values that include r. After O() iterations, we get a list that has a high probability of including r. It is then possible to compute modular eponentiation for each candidate in the list and find the correct r. 8