Shor Factorization Algorithm
qitd52 Shor Factorization Algorithm
Robert B. Griffiths
Version of 7 March 202

References:
Mermin = N. D. Mermin, Quantum Computer Science (Cambridge University Press, 2007), Ch. 3
QCQI = M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information (Cambridge University Press, 2000), Ch. 5
Pittenger = A. O. Pittenger, An Introduction to Quantum Computing Algorithms (Birkhäuser, 2000), Ch. 3

Contents
1 Introduction
2 Factorization by Order Finding
3 Modular Exponentiation
4 Quantum Fourier Transform and Measurement
4.1 Introduction
4.2 M a multiple of r
4.3 M not a multiple of r
4.4 Example
5 Post-Processing: Continued Fractions

1 Introduction

Shor's algorithm for factoring numbers remains one of the best-known quantum algorithms. It represents a substantial speedup over any classical competitor known at present, and addresses a problem of considerable significance, since the difficulty of factoring is the basis of the well-known RSA public-key cryptographic method. The purpose of these notes is to provide a "big picture", with numerous details left to the references. Mermin and Pittenger provide a somewhat gentler introduction to the subject than QCQI, which presents a detailed treatment.

2 Factorization by Order Finding

Suppose we want to factor a large composite number $N$, i.e., one which can be written in the form

$$N = pq, \tag{1}$$

where we assume that $p$ and $q$ are relatively prime, i.e., they have no common factors: their greatest common divisor (gcd) is 1.

Exercise. Show that any composite $N$, i.e., integer with some nontrivial factor, can be written in the form (1) (perhaps in more than one way) with $p > 1$ and $q > 1$ relatively prime.

Given any integer $N > 1$, the integers between 1 and $N$ which are relatively prime to $N$ form an abelian group $Z_N$ under multiplication mod $N$. The order (number of elements) in $Z_N$ is denoted by $\varphi(N)$.
In the case $N = 15$, $Z_{15}$ is the set $\{1, 2, 4, 7, 8, 11, 13, 14\}$, so it has $\varphi(15) = 8$ elements. Since $Z_N$ is a multiplicative group, if $a$ is in $Z_N$ all its powers $a, a^2, a^3, \ldots$ are also in $Z_N$. Together they constitute the subgroup $\langle a \rangle$ of $Z_N$ generated by $a$. The order of this subgroup, the number of elements it contains, is the smallest positive integer $r$ such that

$$a^r = 1 \bmod N. \tag{2}$$

Because the order of a subgroup always divides the order of a group (Lagrange), it will always be the case that $r$ divides $\varphi(N)$. The order of $a = 2$ in $Z_{15}$ is $r = 4$, because $2^4 = 1 \bmod 15$, whereas $a^x \bmod 15$ for $x = 1, 2, 3$ is just $a^x$. As expected, $r = 4$ divides $\varphi(15) = 8$.

Exercise. What are the orders of the other elements of $Z_{15}$?

The strategy employed by Shor to factor $N$ begins with the observation that if one can find the order $r$ of some element $a$ in $Z_N$, and if one is not unlucky (more on that below), then by relatively efficient methods (polynomial in the number of bits) it is possible to factor $N$. The first bit of luck: $r$ is an even number, which means that $r/2$ is an integer, and in view of (2) we can write $(a^{r/2} - 1)(a^{r/2} + 1) = a^r - 1 = 0 \bmod N$, so

$$(a^{r/2} - 1)(a^{r/2} + 1) = LN = Lpq, \tag{3}$$

where $L$ is some integer, and in the last equality ordinary (not modular) multiplication is employed. From (3) we see that both $p$ and $q$ must divide the product $(a^{r/2} - 1)(a^{r/2} + 1)$. One possibility is that $p$ divides $(a^{r/2} - 1)$, but $q$ does not divide $(a^{r/2} - 1)$. Good luck! Because then $s = \gcd(N, a^{r/2} - 1)$ must be $p$ or a multiple of $p$, since it divides both arguments, but it cannot be $N$, because $N = pq$ and by hypothesis $q$ does not divide the second argument. Consequently $s > 1$ is a nontrivial factor of $N$, and at least we have made a first step in finding the factors. It is of course equally good if $p$ divides, but $q$ does not divide, $(a^{r/2} + 1)$, or if $q$ but not $p$ divides $(a^{r/2} - 1)$. If $N$ is the product of two primes, the problem of finding its factors is solved.
If $N$ is the product of three or more primes, we have only made a beginning, but if we have an algorithm that works well for $N$, we ought to be able to apply it successfully to the smaller number(s) obtained by finding at least one factor.

At this stage it won't hurt to work through a simple example. For $N = 15$ and $a = 2$ we know that $r = 4$, which is an even number. That looks encouraging. The product of interest to us is then

$$(a^{r/2} - 1)(a^{r/2} + 1) = (a^2 - 1)(a^2 + 1) = 3 \cdot 5 = 15. \tag{4}$$

We have successfully factored 15.

Exercise. Try factoring 2.

Alas, it could also be the case that we are unlucky and $(a^{r/2} + 1)$ is itself a multiple of $N$, divisible by both $p$ and $q$, in which case $\gcd(N, a^{r/2} - 1)$ might be 1, and we will learn nothing useful. Also if $(a^{r/2} - 1)$ turns out to be a multiple of $N$ this would be equally bad luck. But such cannot be the case, for if it were then we would have $a^{r/2} = 1 \bmod N$, but $r$ is the order of $a$, so it is the smallest positive integer such that $a^r = 1 \bmod N$.

If at first you don't succeed, try again with a different $a$. After all, it is relatively easy to choose an $a$ and check that $\gcd(a, N) = 1$. But there might be a second failure... Hence the number-theoretic arguments which ensure a reasonably high probability of success are not without interest, though they lie outside the scope of these notes.

What makes this attack on factoring difficult for a classical computer is that there is no known efficient way of finding the order of some $a$ which is relatively prime to $N$. The problem with the straightforward attack of computing $a, a^2, a^3, \ldots$, all mod $N$, is that even though each individual term can be computed efficiently, $r$ can itself be a very large number, so one has to work through a vast forest of possibilities before reaching the goal. Which, of course, is why the quantum algorithm is so interesting.
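The reduction from order finding to factoring described in this section, written out as an added Python example (it is not part of Griffiths' notes). The function names are chosen here for illustration, and the order is found by the brute-force classical loop that the quantum algorithm is meant to replace, so it is only usable for small N.

```python
from math import gcd


def order(a, N):
    """Order r of a in the multiplicative group mod N, by brute force.

    This is the "straightforward attack" of computing a, a^2, a^3, ... mod N.
    It needs up to phi(N) multiplications, which is why it does not scale.
    """
    if gcd(a, N) != 1:
        raise ValueError("a must be relatively prime to N")
    r, y = 1, a % N
    while y != 1:
        y = (y * a) % N
        r += 1
    return r


def factor_from_order(a, r, N):
    """Use eq. (3) to get a nontrivial factor of N, or None when unlucky."""
    if r % 2:
        return None                 # bad luck: r is odd, r/2 is not an integer
    h = pow(a, r // 2, N)           # a^(r/2) mod N; cannot be 1 since r is the order
    if h == N - 1:
        return None                 # bad luck: a^(r/2) + 1 is a multiple of N
    # Here N divides (h - 1)(h + 1) but neither factor alone, so 1 < gcd < N.
    return gcd(N, h - 1)


def factor(N):
    """Try a = 2, 3, ... until one yields a factor. Returns (a, r, s) or None.

    None is returned when every a is unlucky, as happens for a prime N.
    """
    for a in range(2, N):
        g = gcd(a, N)
        if g != 1:
            return a, None, g       # a already shares a factor with N
        r = order(a, N)
        s = factor_from_order(a, r, N)
        if s is not None:
            return a, r, s
    return None


if __name__ == "__main__":
    for N in (15, 21, 65):
        print(N, factor(N))
```

For N = 65 the first choice a = 2 has order 12 but 2^6 = 64 = -1 mod 65, so it is one of the unlucky cases and the loop moves on to a = 3.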
3 Modular Exponentiation

Let $x$ be any integer, and define the integer-valued function

$$f(x) = a^x \bmod N, \tag{5}$$

where $a$ is a positive integer relatively prime to $N$ lying somewhere between 2 and $N$. The function $f(x)$ is periodic with period $r$, where $r$ is the order of $a$, in the sense that

$$f(x) = f(y) \bmod N \ \text{ if and only if } \ y = x \bmod r, \ \text{ or } \ y = x + kr, \tag{6}$$

where $k$ is some integer.

Exercise. Prove it.

The ordinary definition of the period $p$ of a periodic real-valued function $g(z)$, where $z$ is a real number, is the smallest positive number such that $g(z + p) = g(z)$ for all $z$. Smallest, since of course it is then the case that $g(z + kp) = g(z)$ where $k$ is any integer. However, a function which is periodic in this sense can have $g(z) = g(z')$ without $z - z'$ being an integer multiple of $p$. The "only if" part of (6) excludes such a possibility, and this exclusion is important for what follows.

Exercise. Find an example of a real valued periodic function $g(z)$, $z$ real, with the property that $g(z) = g(z')$ for some $z$ and $z'$ whose difference is not an integer multiple of the period.

The quantum factoring scheme is shown schematically as a circuit in Fig. 1. The two Hilbert spaces $H_A$ and $H_B$ have dimensions $d_A = M$ and $d_B = N'$, where we assume that systems A and B consist of $m$ and $n$ qubits, respectively, so

$$M = 2^m, \quad N' = 2^n > N, \tag{7}$$

with $n$ the smallest integer satisfying this inequality.

[Figure 1: Schematic representation of the Shor circuit for factoring. Note that the horizontal lines represent several qubits (or bits).]

Each of the solid horizontal lines in the figure represents a collection of $m$ or $n$ qubits. The standard basis of $H_A$ consists of kets $|x\rangle$, where $x$ is an integer in the range $0 \le x \le 2^m - 1$. Let the representation of $x$ in bits be $x_1 x_2 x_3 \ldots x_m$, with $x_1$ the most significant bit. (This convention agrees with QCQI, but disagrees with Mermin, who numbers the bits in the opposite order.) Then write

$$|x\rangle = |x_1 x_2 \cdots x_m\rangle, \tag{8}$$

where each $x_j$ is 0 or 1.
The analogous convention is used for the standard basis of $H_B$, consisting of kets of the form $|y\rangle$. The initial kets of $H_A$ and $H_B$ in Fig. 1, $|x = 0\rangle$ and $|y = 0\rangle$, are then tensor product states in which each individual qubit is in the state $|0\rangle$. In Fig. 1 the very first gate, denoted by H, is really a collection of gates: a single Hadamard acts on each of the $m$ qubits. A little thought will show that after these have acted, the state of $H_A$ is

$$|\Phi\rangle = \frac{1}{\sqrt{M}} \sum_{x=0}^{M-1} |x\rangle. \tag{9}$$
Next comes the unitary transformation $F$, the F-gate or F-box, which maps $H_A \otimes H_B$ onto itself in such a way that

$$F\big(|x\rangle \otimes |0\rangle\big) = |x\rangle \otimes |f(x)\rangle \tag{10}$$

for the $f(x)$ defined in (5). In fact (10) is not a complete definition of the unitary $F$, since it only tells us what $F$ does to states of the form $|x\rangle \otimes |0\rangle$ and not what $F$ does to the $|x\rangle \otimes |y\rangle$ states with $y > 0$. Since $F$ in (10) maps the normalized and mutually orthogonal states on the left side onto normalized and mutually orthogonal states on the right side, it can be extended (in more than one way) to act as a unitary on the entire space $H_A \otimes H_B$. After the F gate has acted the state of $H_A \otimes H_B$ is given by

$$\sqrt{M}\,|\Psi_2\rangle = \sum_x |x\rangle \otimes |f(x)\rangle = \sum_y |\Phi(y)\rangle \otimes |y\rangle, \tag{11}$$

where the item on the right side is the expansion of $\sqrt{M}\,|\Psi_2\rangle$ in the standard basis of $H_B$, with the $|\Phi(y)\rangle$ as expansion coefficients. Note that some of the $|\Phi(y)\rangle$ will necessarily be zero, because $f$ can only take values in the subgroup $\langle a \rangle$ of $Z_N$ consisting of powers of $a$ mod $N$.

4 Quantum Fourier Transform and Measurement

4.1 Introduction

Following the F box in Fig. 1 a quantum Fourier transform (QFT) is applied to the $H_A$ system alone. This is a unitary gate $Q$ mapping $H_A$ to itself and defined by

$$Q = \frac{1}{\sqrt{M}} \sum_{v=0}^{M-1} \sum_{x=0}^{M-1} e^{2\pi i x v/M}\, |v\rangle\langle x|. \tag{12}$$

For clarity the states of $H_A$ after $Q$ has acted are labeled by an integer $v$ rather than $x$, but of course $v$ takes values in the range from 0 to $M - 1$, just like $x$.

To understand the effects of the Fourier transform $Q$, it is helpful to think about it in the following way. Imagine measuring system B in the standard basis when it emerges from the F gate, instead of simply throwing it away, as in Fig. 1. If the outcome of this measurement is $\bar y = f(\bar x)$, then the corresponding $|\Phi(\bar y)\rangle$ defined in (11) will, since $f(x)$ is periodic, be of the form

$$|\Phi(\bar y)\rangle = |\bar x\rangle + |\bar x + r\rangle + |\bar x + 2r\rangle + \cdots + |\bar x + (\mu - 1) r\rangle, \tag{13}$$

where we have assumed that $\bar x$ is the smallest one of the $\mu$ distinct values of $x$ between 0 and $M - 1$ for which $f(x) = \bar y$. If $M$ is a multiple of $r$, then $\mu = M/r$. Otherwise $\mu$ will either be $\lfloor M/r \rfloor$ or this quantity plus 1, depending on $\bar x$.
The QFT of $|\Phi(\bar y)\rangle$ is

$$\sqrt{M}\, Q|\Phi(\bar y)\rangle = \sum_v e^{2\pi i v \bar x/M} \big(1 + \lambda(v) + \lambda(v)^2 + \cdots + \lambda(v)^{\mu - 1}\big) |v\rangle = \sum_v e^{2\pi i v \bar x/M}\, c(v)\, |v\rangle;$$
$$\lambda(v) = e^{2\pi i v r/M}, \quad c(v) = \frac{\lambda(v)^{\mu} - 1}{\lambda(v) - 1}. \tag{14}$$

Following the application of $Q$ comes a measurement of $H_A$ in the standard basis, indicated by the symbol D in Fig. 1. That is, each of the $m$ qubits is measured in the basis $|0\rangle$, $|1\rangle$. The outcome of the measurement, 0 or 1, on the $j$-th qubit is then $v_j$, the $j$-th bit in the binary representation of $v$. The probability that this measurement yields a particular integer $v$ is proportional to $|c(v)|^2$, where $c(v)$ is the coefficient of $|v\rangle$ in (14).
4.2 M a multiple of r

To see most easily what is going on, make the assumption that $M$ is a multiple of $r$, i.e., $M = \mu r$, and hence

$$\lambda(v) = e^{2\pi i v/\mu}, \quad \lambda(v)^{\mu} = 1. \tag{15}$$

Consequently, $c(v) = 0$ unless $v$ is a multiple of $\mu$, and if it is, then $\lambda(v) = 1$ and $c(v) = \mu$. Consequently, the only measurement outcomes that occur with nonzero probability are those for which $v = k\mu$ for some integer $k$ in the range between 0 and $r - 1$, and the probability of this outcome is independent of $k$. Note that this conclusion is independent of the value of $\bar x$, as this only enters the coefficient of $|v\rangle$ in (14) as a phase factor that does not influence the probability of a measurement outcome. Consequently, the outcome $\bar y$ of the measurement on $H_B$, which determines $\bar x$, is irrelevant. (We have simply used the measurement on B as an aid to understanding; it is not actually part of the Shor algorithm.)

The measurement outcome $v$ does not tell us the value of $r$, but only that there is some integer $k$ such that

$$v = Mk/r, \ \text{ or } \ v/M = k/r. \tag{16}$$

It is often, but not always, possible to extract the value of $r$ from $k/r$ using some post-processing on a classical computer. If this fails, the quantum computer can be run a second or third time, or perhaps more often, to yield additional values for $v$.

4.3 M not a multiple of r

In general $M$ is not a multiple of $r$ and $Mk/r$ is not an integer, so the measurement outcome $v$ will not satisfy (16). However, if $M$ is sufficiently large one can argue that with reasonably high probability the measurement outcome $v$ will be close to $k(M/r)$ for some integer $k$, close enough that $v/M$ provides a good estimate of $k/r$. In more detail: from (14), with $\lambda = \lambda(v)$,

$$|c(v)|^2 = \left| \frac{\lambda^{\mu} - 1}{\lambda - 1} \right|^2 = \left| \frac{\lambda^{\mu/2} - \lambda^{-\mu/2}}{\lambda^{1/2} - \lambda^{-1/2}} \right|^2 = \frac{\sin^2[\pi \mu r v/M]}{\sin^2[\pi r v/M]}. \tag{17}$$

We are interested in a situation in which $M$ is substantially larger than $r$.
It then turns out, though it is not immediately obvious from looking at (17), that $|c(v)|^2$ is very small except when $v/M$ is in the vicinity of $k/r$ for some integer $k$, close enough that one has a reasonable chance of using the measured $v$ to determine $k/r$. One way to get an idea of what is going on is to insert

$$v = kM/r + \delta v \tag{18}$$

in (17), and, noting that $\mu$ and $k$ are integers, write the right side as

$$\frac{\sin^2[\pi (\mu r/M)\, \delta v]}{\sin^2[\pi r\, \delta v/M]} \approx \left( \frac{\mu}{\pi} \right)^2 \frac{\sin^2(\pi\, \delta v)}{(\delta v)^2}. \tag{19}$$

Here we are assuming that $M/r$ is very large and therefore $(\mu r/M) \approx 1$. The function $\sin^2(\pi\, \delta v)/(\delta v)^2$ has its maximum value ($\pi^2$) at $\delta v = 0$, and then decreases reasonably rapidly in an oscillatory manner as $\delta v$ increases. This sort of crude analysis of course needs to be bolstered by more careful calculations and inequalities, for which we refer the reader to the references. It is very helpful to make plots of (17) for small values of $r$ and $M$ to see how the right side behaves as a function of $v$. An example is given below.
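The measurement probabilities of Sections 4.2 and 4.3 can be computed directly for small M and r. The Python below is an added example, not part of the original notes: it evaluates the geometric sum in (14), normalizes it, checks it against the closed form (17), and measures how much probability lies near the peaks kM/r. The function names and the sample values of M, r and the offset x̄ are choices made for this example.

```python
import cmath
import math


def multiplicity(M, r, xbar=0):
    """mu: how many x in 0..M-1 equal xbar mod r (xbar is the smallest such x)."""
    return len(range(xbar, M, r))


def outcome_probabilities(M, r, xbar=0):
    """Pr(v) for v = 0..M-1, from c(v) = 1 + lam + ... + lam^(mu-1) in eq. (14).

    |Phi> in eq. (13) has squared norm mu and Q carries a factor 1/sqrt(M),
    so the normalized probability is |c(v)|^2 / (M * mu).
    """
    mu = multiplicity(M, r, xbar)
    probs = []
    for v in range(M):
        lam = cmath.exp(2j * math.pi * v * r / M)
        c = sum(lam ** j for j in range(mu))
        probs.append(abs(c) ** 2 / (M * mu))
    return probs


def closed_form(M, r, v, mu):
    """|c(v)|^2 from eq. (17); equals mu^2 where the denominator vanishes."""
    den = math.sin(math.pi * r * v / M)
    if abs(den) < 1e-12:
        return float(mu * mu)
    return (math.sin(math.pi * mu * r * v / M) / den) ** 2


def mass_near_peaks(M, r, width, xbar=0):
    """Total probability of outcomes v within `width` of round(k*M/r), any k."""
    probs = outcome_probabilities(M, r, xbar)
    near = set()
    for k in range(r):
        centre = round(k * M / r)
        for d in range(-width, width + 1):
            near.add((centre + d) % M)
    return sum(probs[v] for v in near)


if __name__ == "__main__":
    # M a multiple of r: only v = k*M/r occur, each with probability 1/r.
    p = outcome_probabilities(32, 4)
    print([v for v in range(32) if p[v] > 1e-9])
    # M not a multiple of r: the probability concentrates as M grows.
    for M in (64, 128, 256):
        print(M, round(mass_near_peaks(M, 14, 1), 3))
```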
4.4 Example

To understand the behavior of the measurement outcome probabilities (17) it is helpful to look at examples. Figure 2 shows plots of these probabilities for $r = 14$ and various values of $M = 2^m$. One expects that the probability will peak for values of $v$ near $kM/r$, where $k$ is some integer.

[Figure 2: Plots of probability (height of bar) as a function of measurement outcome $v$, for $r = 14$ and $M = 32$ and 64 on the top row; $M = 128$ and 256 on the bottom row, where not all $v$ values are shown.]

For $M = 32$ there is a jumble of 14 peaks, but the probability is rather spread out, and it would be difficult to draw a conclusion from a single measurement of $v$, or even several measurements. However, the 14 peaks are better separated for $M = 64$, and one sees that there is a reasonable chance that a measurement will yield $v$ within a distance of 2 or less from the nearest integer to $kM/r = (64/14)k$ for $k = 1, 2, \ldots$.

Exercise. Calculate the nearest integer to $(64/14)k$ for several choices of $k$, and locate it on the horizontal axis of the $M = 64$ plot.

As $M$ increases to 128 and then to 256, the peaks become better separated and their widths, measured in terms of $v$, remain roughly the same, as do their heights. The fractional width measured in terms of $v/M$ is decreasing.

5 Post-Processing: Continued Fractions

The preceding analysis at least makes it plausible that the value $v$ obtained from the measurement of system A after the QFT is likely to be such that $v/M$ is close to $k/r$, where $k$ is an unknown integer and $r$ is the unknown order of $a$ that we are looking for. But how can we extract $r$, given that we do not know $k$ in advance, and we only know $k/r$ approximately?
The basic idea is to use a value of $M = 2^m$ which is very much larger than $r$. Let us assume that the number of bits in the argument register is twice that in the function register, which is to say

$$m = 2n, \quad M = (N')^2 > N^2, \quad \text{so } M > Nr > r^2, \tag{20}$$

since $r$ cannot exceed $\varphi(N)$, which cannot be bigger than $N$. The values of $v/M$ for successive values of $v$ are thus separated by an interval of $1/M$, which is very much smaller than the interval $1/r$ between successive values of $k/r$ with $k$ an integer. This means that even if $v$ differs by a small integer from the value closest to the relevant $k(M/r)$, the value of $k$ will be unambiguous. It may help to visualize this by thinking of points $v/M$ laid out along the real axis for successive $v$, together with points $k/r$ for successive $k$:

[Diagram: points $v/M$ and points $k/r$ marked along the real axis.]

But since we don't yet know $r$, how are we to find the correct $k/r$ lying near $v/M$, and not some other $k'/r'$?

Important observation. Suppose $k/r \ne k'/r'$. What can we say about the difference? Assume without loss of generality that $k/r < k'/r'$; then

$$\frac{k'}{r'} - \frac{k}{r} = \frac{rk' - r'k}{rr'} \ge \frac{1}{rr'} > \frac{1}{M}, \tag{21}$$

as $rk' - r'k$ cannot be less than 1. The final inequality applies to the case where both $r$ and $r'$ are smaller than $N$, see (20), which is of course the case of interest to us.

So if we can find a fraction $k/r$ with a small denominator that is near to $v/M$, we can be reasonably sure that $r$ is the order of $a$ that we are looking for. But $r$ is not a prime number, so it might be the case that the $k$ for which $k/r$ is closest to our $v/M$ has some factor in common with $r$. Then the denominator of this fraction will not be $r$ itself but only some number that divides $r$. This is a worry. Let us put it aside for the moment and return to it later.

So how do we find fractions $k/r$ which are near to $v/M$ and have small denominators? The trick is to expand $v/M$ as a continued fraction and look at the convergents.

Quick introduction to continued fractions.
The kind we are interested in are of the form

$$w_0 = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cdots}}}, \tag{22}$$

where $w_0$ is any real number, $a_0 = \lfloor w_0 \rfloor$ is the integer part of $w_0$, the largest integer that is not greater than $w_0$, and $a_1$, $a_2$, and so forth are positive integers. Calculating $a_0$, $a_1$, etc., is fairly easy. Subtract $a_0$ from $w_0$ and take the reciprocal:

$$w_1 := \frac{1}{w_0 - a_0} = a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cdots}}. \tag{23}$$

Thus $a_1 = \lfloor w_1 \rfloor$ is the integer part of $w_1$. The integer part of $w_2 = 1/(w_1 - a_1)$ is $a_2$, and so forth. If at some stage we stop and throw away the following $a_j$ (set them equal to zero), the result is the $j$-th convergent of the continued fraction expansion of $w_0$, written as $[a_0, a_1, \ldots, a_j]$. E.g., the second convergent of $w_0$ is

$$[a_0, a_1, a_2] = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2}} = a_0 + \frac{a_2}{1 + a_1 a_2}. \tag{24}$$
Exercise. Find the first, second, and third convergents of $\pi$, writing them as fractions $k/l$. In each case is the convergent greater than or less than $\pi$? (Do you see something systematic here?) How close to $\pi$ is the third convergent?

Thus the procedure to find $r$ from $v/M$ is to expand the latter as a continued fraction and look at the convergents. If one finds a fraction $i/j$ which is close to $v/M$ and for which the denominator $j$ is not too large, there is a fair chance that $j = r$ is the order of $a$ that we are looking for. Note that while the order $r$ of $a$ is very hard to find using only a classical computer (at least by algorithms known at present), it is relatively simple to check whether some specific $\hat r$ is a period of $f(x) = a^x \bmod N$ by calculating $a^{\hat r} \bmod N$ and seeing if this is 1. If it is, that does not guarantee that $\hat r$ is the order $r$ of $a$, as it might be some integer multiple of $r$. But since the quantum algorithm yields significant probabilities for $v/M$ only in the vicinity of $k/r$ and not near fractions whose denominators are multiples of $r$, it seems reasonable that some $\hat r$ that emerges from the process described above and is a period of $f(x)$ will be $r$.

But how do we know that a nearby $k/r$ will actually show up as one of the convergents to $v/M$? There is a useful number-theoretic result in Appendix A4 of QCQI which tells us that if $w$ is any real number and $k/r$ a rational number which is close to it in the sense that

$$\left| w - \frac{k}{r} \right| \le \frac{1}{2r^2}, \tag{25}$$

then $k/r$ is one of the convergents of the continued fraction expansion of $w$. So provided $M$ is large enough, as in (20), we can be confident that the continued fraction expansion will yield the $r$ we are looking for, unless $k$ and $r$ have some factor in common, in which case the continued fraction expansion will yield $\bar k/\bar r$ instead of $k/r$, where $\bar k$ and $\bar r$ are relatively prime, and $k = l \bar k$, $r = l \bar r$ for some integer $l$. This $\bar r$ will not, of course, be the desired order of $a$. What to do?
The most straightforward remedy is to run the quantum computation once again to get a different measurement outcome $v'$, and carry out the continued fraction expansion on $v'/M$ in the hopes that $k'/r$ with $k'$ relatively prime to $r$ will be one of the convergents. And if this does not succeed, try again... In QCQI, p. 23, there is an argument, based on the probability that a random integer $k$ in the expected range will be relatively prime to $r$, that if the quantum algorithm is repeated the order of $2 \log(N)$ times there is a high probability of successfully finding the denominator $r$ in one of the convergents. Note that while $\log(N)$ may be large (say 1000), it is not impossibly large, so it is easy to imagine that if a quantum computer can actually be built it will be possible to run it a thousand times. For a method that makes more efficient use of the results of repeating the quantum computation, see QCQI p
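The classical post-processing of Section 5 as an added Python example (not part of the original notes): expand v/M as a continued fraction, test each convergent's denominator with the cheap check on a^j mod N, and move on to the next measurement when k and r share a factor. The function names are chosen here, and the measurement outcomes in the demonstration are constructed values near kM/r for N = 21, a = 2 (order 6), M = 1024; they do not come from a quantum device.

```python
from fractions import Fraction


def register_size(N):
    """Return (n, M) as in eqs. (7) and (20): 2^n > N minimal, M = 2^(2n)."""
    n = N.bit_length()
    return n, 1 << (2 * n)


def cf_terms(v, M):
    """Partial quotients [a0, a1, ...] of v/M, computed exactly with integers."""
    terms = []
    while M:
        q, rem = divmod(v, M)
        terms.append(q)
        v, M = M, rem
    return terms


def convergents(terms):
    """Yield the convergents [a0], [a0, a1], ... as exact fractions."""
    h_prev, h = 1, terms[0]
    k_prev, k = 0, 1
    yield Fraction(h, k)
    for a in terms[1:]:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield Fraction(h, k)


def candidate_order(v, M, a, N):
    """First convergent denominator j < N of v/M with a^j = 1 mod N, else None.

    A returned j is a period of f(x) = a^x mod N; as the text notes, it could
    in principle be a multiple of the order rather than the order itself.
    """
    for c in convergents(cf_terms(v, M)):
        j = c.denominator
        if j >= N:
            break
        if pow(a, j, N) == 1:
            return j
    return None


def recover_order(measurements, M, a, N):
    """Process outcomes in turn; return (r_hat, runs_used) or (None, total)."""
    for i, v in enumerate(measurements, start=1):
        r_hat = candidate_order(v, M, a, N)
        if r_hat is not None:
            return r_hat, i
    return None, len(measurements)


if __name__ == "__main__":
    N, a = 21, 2
    n, M = register_size(N)                 # n = 5, M = 1024
    # Constructed outcomes: 341 ~ 2M/6 and 512 = 3M/6 reduce to 1/3 and 1/2,
    # so they fail; 853 ~ 5M/6 has k relatively prime to r and succeeds.
    print(list(convergents(cf_terms(853, M))))
    print(recover_order([341, 512, 853], M, a, N))
```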
More informationLecture 7: More Arithmetic and Fun With Primes
IAS/PCMI Summer Session 2000 Clay Mathematics Undergraduate Program Advanced Course on Computational Complexity Lecture 7: More Arithmetic and Fun With Primes David Mix Barrington and Alexis Maciel July
More informationRings If R is a commutative ring, a zero divisor is a nonzero element x such that xy = 0 for some nonzero element y R.
Rings 10-26-2008 A ring is an abelian group R with binary operation + ( addition ), together with a second binary operation ( multiplication ). Multiplication must be associative, and must distribute over
More informationLecture 10: A (Brief) Introduction to Group Theory (See Chapter 3.13 in Boas, 3rd Edition)
Lecture 0: A (Brief) Introduction to Group heory (See Chapter 3.3 in Boas, 3rd Edition) Having gained some new experience with matrices, which provide us with representations of groups, and because symmetries
More informationLogic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation
Quantum logic gates Logic gates Classical NOT gate Quantum NOT gate (X gate) A NOT A α 0 + β 1 X α 1 + β 0 A N O T A 0 1 1 0 Matrix form representation 0 1 X = 1 0 The only non-trivial single bit gate
More informationInteger factorization, part 1: the Q sieve. D. J. Bernstein
Integer factorization, part 1: the Q sieve D. J. Bernstein Sieving small integers 0 using primes 3 5 7: 1 3 3 4 5 5 6 3 7 7 8 9 3 3 10 5 11 1 3 13 14 7 15 3 5 16 17 18 3 3 19 0 5 etc. Sieving and 611 +
More informationFinite Mathematics : A Business Approach
Finite Mathematics : A Business Approach Dr. Brian Travers and Prof. James Lampes Second Edition Cover Art by Stephanie Oxenford Additional Editing by John Gambino Contents What You Should Already Know
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationQubit Recycling. Ran Chu. May 4, 2016
Qubit Recycling Ran Chu May 4, 06 Abstract Shor s quantum algorithm for fast number factoring is a key example of quantum computational algorithm and the prime motivator in the international effort to
More information2. FUNCTIONS AND ALGEBRA
2. FUNCTIONS AND ALGEBRA You might think of this chapter as an icebreaker. Functions are the primary participants in the game of calculus, so before we play the game we ought to get to know a few functions.
More informationStochastic Histories. Chapter Introduction
Chapter 8 Stochastic Histories 8.1 Introduction Despite the fact that classical mechanics employs deterministic dynamical laws, random dynamical processes often arise in classical physics, as well as in
More information22. The Quadratic Sieve and Elliptic Curves. 22.a The Quadratic Sieve
22. The Quadratic Sieve and Elliptic Curves 22.a The Quadratic Sieve Sieve methods for finding primes or for finding factors of numbers are methods by which you take a set P of prime numbers one by one,
More informationAddition & Subtraction of Polynomials
Chapter 12 Addition & Subtraction of Polynomials Monomials and Addition, 1 Laurent Polynomials, 3 Plain Polynomials, 6 Addition, 8 Subtraction, 10. While, as we saw in the preceding chapter, monomials
More informationGRE Quantitative Reasoning Practice Questions
GRE Quantitative Reasoning Practice Questions y O x 7. The figure above shows the graph of the function f in the xy-plane. What is the value of f (f( ))? A B C 0 D E Explanation Note that to find f (f(
More information2 = = 0 Thus, the number which is largest in magnitude is equal to the number which is smallest in magnitude.
Limits at Infinity Two additional topics of interest with its are its as x ± and its where f(x) ±. Before we can properly discuss the notion of infinite its, we will need to begin with a discussion on
More informationQ 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?
2 Mod math Modular arithmetic is the math you do when you talk about time on a clock. For example, if it s 9 o clock right now, then it ll be 1 o clock in 4 hours. Clearly, 9 + 4 1 in general. But on a
More informationThe next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.
CS 70 Discrete Mathematics for CS Fall 2003 Wagner Lecture 10 The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 8 February 1, 2012 CPSC 467b, Lecture 8 1/42 Number Theory Needed for RSA Z n : The integers mod n Modular arithmetic GCD Relatively
More informationLecture 22: Quantum computational complexity
CPSC 519/619: Quantum Computation John Watrous, University of Calgary Lecture 22: Quantum computational complexity April 11, 2006 This will be the last lecture of the course I hope you have enjoyed the
More informationarxiv: v2 [quant-ph] 1 Aug 2017
A quantum algorithm for greatest common divisor problem arxiv:1707.06430v2 [quant-ph] 1 Aug 2017 Wen Wang, 1 Xu Jiang, 1 Liang-Zhu Mu, 1, 2, 3, 4, and Heng Fan 1 School of Physics, Peking University, Beijing
More informationIncompatibility Paradoxes
Chapter 22 Incompatibility Paradoxes 22.1 Simultaneous Values There is never any difficulty in supposing that a classical mechanical system possesses, at a particular instant of time, precise values of
More informationConsistent Histories. Chapter Chain Operators and Weights
Chapter 10 Consistent Histories 10.1 Chain Operators and Weights The previous chapter showed how the Born rule can be used to assign probabilities to a sample space of histories based upon an initial state
More informationALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers
ALGEBRA CHRISTIAN REMLING 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers by Z = {..., 2, 1, 0, 1,...}. Given a, b Z, we write a b if b = ac for some
More informationPh 219b/CS 219b. Exercises Due: Wednesday 22 February 2006
1 Ph 219b/CS 219b Exercises Due: Wednesday 22 February 2006 6.1 Estimating the trace of a unitary matrix Recall that using an oracle that applies the conditional unitary Λ(U), Λ(U): 0 ψ 0 ψ, 1 ψ 1 U ψ
More informationSinglet State Correlations
Chapter 23 Singlet State Correlations 23.1 Introduction This and the following chapter can be thought of as a single unit devoted to discussing various issues raised by a famous paper published by Einstein,
More informationChapter 5. Number Theory. 5.1 Base b representations
Chapter 5 Number Theory The material in this chapter offers a small glimpse of why a lot of facts that you ve probably nown and used for a long time are true. It also offers some exposure to generalization,
More informationLecture note 8: Quantum Algorithms
Lecture note 8: Quantum Algorithms Jian-Wei Pan Physikalisches Institut der Universität Heidelberg Philosophenweg 12, 69120 Heidelberg, Germany Outline Quantum Parallelism Shor s quantum factoring algorithm
More informationSUBGROUPS OF CYCLIC GROUPS. 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by
SUBGROUPS OF CYCLIC GROUPS KEITH CONRAD 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by g = {g k : k Z}. If G = g, then G itself is cyclic, with g as a generator. Examples
More informationLecture 8: Finite fields
Lecture 8: Finite fields Rajat Mittal IIT Kanpur We have learnt about groups, rings, integral domains and fields till now. Fields have the maximum required properties and hence many nice theorems can be
More informationFirst, let's review classical factoring algorithm (again, we will factor N=15 but pick different number)
Lecture 8 Shor's algorithm (quantum factoring algorithm) First, let's review classical factoring algorithm (again, we will factor N=15 but pick different number) (1) Pick any number y less than 15: y=13.
More informationBasic Algebra. Final Version, August, 2006 For Publication by Birkhäuser Boston Along with a Companion Volume Advanced Algebra In the Series
Basic Algebra Final Version, August, 2006 For Publication by Birkhäuser Boston Along with a Companion Volume Advanced Algebra In the Series Cornerstones Selected Pages from Chapter I: pp. 1 15 Anthony
More information1 Review of the dot product
Any typographical or other corrections about these notes are welcome. Review of the dot product The dot product on R n is an operation that takes two vectors and returns a number. It is defined by n u
More informationECEN 5022 Cryptography
Elementary Algebra and Number Theory University of Colorado Spring 2008 Divisibility, Primes Definition. N denotes the set {1, 2, 3,...} of natural numbers and Z denotes the set of integers {..., 2, 1,
More informationPartial Fractions. June 27, In this section, we will learn to integrate another class of functions: the rational functions.
Partial Fractions June 7, 04 In this section, we will learn to integrate another class of functions: the rational functions. Definition. A rational function is a fraction of two polynomials. For example,
More informationMath101, Sections 2 and 3, Spring 2008 Review Sheet for Exam #2:
Math101, Sections 2 and 3, Spring 2008 Review Sheet for Exam #2: 03 17 08 3 All about lines 3.1 The Rectangular Coordinate System Know how to plot points in the rectangular coordinate system. Know the
More informationAN ALGEBRA PRIMER WITH A VIEW TOWARD CURVES OVER FINITE FIELDS
AN ALGEBRA PRIMER WITH A VIEW TOWARD CURVES OVER FINITE FIELDS The integers are the set 1. Groups, Rings, and Fields: Basic Examples Z := {..., 3, 2, 1, 0, 1, 2, 3,...}, and we can add, subtract, and multiply
More informationPRACTICE PROBLEMS: SET 1
PRACTICE PROBLEMS: SET MATH 437/537: PROF. DRAGOS GHIOCA. Problems Problem. Let a, b N. Show that if gcd(a, b) = lcm[a, b], then a = b. Problem. Let n, k N with n. Prove that (n ) (n k ) if and only if
More informationThis is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.
8 Modular Arithmetic We introduce an operator mod. Let d be a positive integer. For c a nonnegative integer, the value c mod d is the remainder when c is divided by d. For example, c mod d = 0 if and only
More informationShor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017
Shor s Algorithm Polynomial-time Prime Factorization with Quantum Computing Sourabh Kulkarni October 13th, 2017 Content Church Thesis Prime Numbers and Cryptography Overview of Shor s Algorithm Implementation
More informationStandard forms for writing numbers
Standard forms for writing numbers In order to relate the abstract mathematical descriptions of familiar number systems to the everyday descriptions of numbers by decimal expansions and similar means,
More informationQuantum Mechanics- I Prof. Dr. S. Lakshmi Bala Department of Physics Indian Institute of Technology, Madras
Quantum Mechanics- I Prof. Dr. S. Lakshmi Bala Department of Physics Indian Institute of Technology, Madras Lecture - 4 Postulates of Quantum Mechanics I In today s lecture I will essentially be talking
More informationFourier Sampling & Simon s Algorithm
Chapter 4 Fourier Sampling & Simon s Algorithm 4.1 Reversible Computation A quantum circuit acting on n qubits is described by an n n unitary operator U. Since U is unitary, UU = U U = I. This implies
More informationFINITE ABELIAN GROUPS Amin Witno
WON Series in Discrete Mathematics and Modern Algebra Volume 7 FINITE ABELIAN GROUPS Amin Witno Abstract We detail the proof of the fundamental theorem of finite abelian groups, which states that every
More information1 Continued Fractions
Continued Fractions To start off the course, we consider a generalization of the Euclidean Algorithm which has ancient historical roots and yet still has relevance and applications today.. Continued Fraction
More informationPractical Algebra. A Step-by-step Approach. Brought to you by Softmath, producers of Algebrator Software
Practical Algebra A Step-by-step Approach Brought to you by Softmath, producers of Algebrator Software 2 Algebra e-book Table of Contents Chapter 1 Algebraic expressions 5 1 Collecting... like terms 5
More informationMathematics for Cryptography
Mathematics for Cryptography Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G1, Canada March 15, 2016 1 Groups and Modular Arithmetic 1.1
More informationSlope Fields: Graphing Solutions Without the Solutions
8 Slope Fields: Graphing Solutions Without the Solutions Up to now, our efforts have been directed mainly towards finding formulas or equations describing solutions to given differential equations. Then,
More informationProjective space. There are some situations when this approach seems to break down; for example with an equation like f(x; y) =y 2 (x 3 5x +3) the lin
Math 445 Handy facts since the second exam Don't forget the handy facts from the first two exams! Rational points on curves For more general curves, defined by polynomials f(x; y) = 0 of higher degree,
More informationNumber Theory. Introduction
Number Theory Introduction Number theory is the branch of algebra which studies the properties of the integers. While we may from time to time use real or even complex numbers as tools to help us study
More informationTHE DIVISION THEOREM IN Z AND R[T ]
THE DIVISION THEOREM IN Z AND R[T ] KEITH CONRAD 1. Introduction In both Z and R[T ], we can carry out a process of division with remainder. Theorem 1.1. For any integers a and b, with b nonzero, there
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 9 September 30, 2015 CPSC 467, Lecture 9 1/47 Fast Exponentiation Algorithms Number Theory Needed for RSA Elementary Number Theory
More informationLecture 11 - Basic Number Theory.
Lecture 11 - Basic Number Theory. Boaz Barak October 20, 2005 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that a divides b,
More information