Factoring integers with a quantum computer

Transcription

1 Factoring integers with a quantum computer Andrew Childs Department of Combinatorics and Optimization and Institute for Quantum Computing University of Waterloo Eighth Canadian Summer School on Quantum Information Montreal, Quebec, 10 June 2008

2 The fundamental theorem of arithmetic Every positive integer larger than 1 can be uniquely* factored as a product of prime numbers. =2 n 2 3 n 3 5 n 5 * Up to the order of the factors.

3 Examples 15 =

4 Examples 15 = 3 5

5 Examples 15 = =

6 Examples 15 = = 7 13

7 Examples 15 = = =

8 Examples 15 = = =

9 The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. It has engaged the industry and wisdom of ancient and modern geometers to such an extent that it would be superfluous to discuss the problem at length... Further, the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated. Carl Friedrich Gauss, Disquisitiones Arithmeticæ (1801)

10 RSA public-key cryptosystem M message Rivest, Shamir, Adleman 1977

11 RSA public-key cryptosystem M message M M Rivest, Shamir, Adleman 1977

12 RSA public-key cryptosystem M message Rivest, Shamir, Adleman 1977

13 RSA public-key cryptosystem M message primes p, q Rivest, Shamir, Adleman 1977

14 RSA public-key cryptosystem M message primes p, q n = pq Rivest, Shamir, Adleman 1977

15 RSA public-key cryptosystem M message primes p, q n = pq e Z (p 1)(q 1) encryption key Rivest, Shamir, Adleman 1977

16 RSA public-key cryptosystem M message primes p, q n = pq e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key Rivest, Shamir, Adleman 1977

17 RSA public-key cryptosystem M message primes p, q n n n = pq e e e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key Rivest, Shamir, Adleman 1977

18 RSA public-key cryptosystem M message primes p, q n n n = pq e e e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key C := M e mod n cyphertext Rivest, Shamir, Adleman 1977

19 RSA public-key cryptosystem M message primes p, q n n n = pq e e e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key C := M e mod n cyphertext C C Rivest, Shamir, Adleman 1977

20 RSA public-key cryptosystem M message primes p, q n n n = pq e e e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key C := M e mod n cyphertext C C d Rivest, Shamir, Adleman 1977

21 RSA public-key cryptosystem M message primes p, q n n n = pq e e e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key C := M e mod n cyphertext C C d = M ed mod n Rivest, Shamir, Adleman 1977

22 RSA public-key cryptosystem M message primes p, q n n n = pq e e e Z (p 1)(q 1) encryption key d := e 1 mod (p 1)(q 1) decryption key C := M e mod n cyphertext C C d = M ed mod n = M Rivest, Shamir, Adleman 1977

23 Outline Integers The quantum Fourier transform Period finding over Z Period finding over Z Reduction of factoring to period finding Beyond factoring

24 Z

25 All else is the work of man Z = {..., 3, 2, 1, 0, 1, 2, 3,...}

26 All else is the work of man Z = {..., 3, 2, 1, 0, 1, 2, 3,...} Z = { 0 := {...,,0,, 2,...} 1 := {..., +1, 1, +1, 2 +1,...} 2 := {..., +2, 2, +2, 2 +2,...}... 1 := {..., 1, 1, 1, 2 1,...} }

27 Multiplication modulo Z = {j Z : k, jk =1}

28 Multiplication modulo Z = {j Z : k, jk =1} ϕ() := Z

29 Multiplication modulo Z = {j Z : k, jk =1} ϕ() := Z ϕ(p) =p 1

30 Multiplication modulo Z = {j Z : k, jk =1} ϕ() := Z ϕ(p) =p 1 ϕ(p n )=(p 1)p n 1

31 Multiplication modulo Z = {j Z : k, jk =1} ϕ() := Z ϕ(p) =p 1 ϕ(p n )=(p 1)p n 1 ϕ(p n 1 1 pn k k )=(p 1 1)p n (p k 1)p n k 1 k

32 Multiplication modulo Z = {j Z : k, jk =1} ϕ() := Z ϕ(p) =p 1 ϕ(p n )=(p 1)p n 1 ϕ(p n 1 1 pn k k )=(p 1 1)p n 1 1 (p 1 k 1)p n k 1 k φ n n 1.0 Fact: ϕ() = Ω ( 1 log log ) n

33 The quantum Fourier transform

34 Quantum Fourier transform over Z ω := e 2πi/ x F Z 1 y Z ω xy y

35 Quantum Fourier transform over Z ω := e 2πi/ x F Z 1 ω xy y y Z F Z = 1 = 1 x,y Z ω xy y x ω ω 2 ω 1 1 ω 2 ω 4 ω ω 1 ω 2 2 ω ( 1)( 1)

36 Quantum Fourier transform over Z ω := e 2πi/ x F Z 1 ω xy y y Z F Z = 1 = 1 x,y Z ω xy y x ω ω 2 ω 1 1 ω 2 ω 4 ω ω 1 ω 2 2 ω ( 1)( 1)

37 Examples

38 Examples F Z2 = 1 ( ) = H (Hadamard gate)

39 Examples F Z2 = 1 ( ) = H (Hadamard gate) F Z3 = ω 3 ω ω3 2 ω 3

40 Examples F Z2 = 1 ( ) = H (Hadamard gate) F Z3 = ω 3 ω ω3 2 ω 3 F Z6 = ω 6 ω6 2 ω6 3 ω6 4 ω ω6 2 ω6 4 1 ω6 2 ω6 4 1 ω6 3 1 ω6 3 1 ω6 3 1 ω6 4 ω6 2 1 ω6 4 ω6 2 1 ω6 5 ω6 4 ω6 3 ω6 2 ω 6

41 Examples F Z2 = 1 ( ) = H (Hadamard gate) F Z3 = ω 3 ω ω3 2 ω 3 F Z6 = ω 6 ω6 2 ω6 3 ω6 4 ω ω6 2 ω6 4 1 ω6 2 ω6 4 1 ω6 3 1 ω6 3 1 ω6 3 1 ω6 4 ω6 2 1 ω6 4 ω6 2 = ω3 2 ω 3 1 ω3 2 ω 3 1 ω 3 ω3 2 1 ω 3 ω ω3 2 ω 3 1 ω3 2 ω 3 1 ω 5 6 ω 4 6 ω 3 6 ω 2 6 ω 6 1 ω 3 ω ω 3 ω 2 3

42 Examples F Z2 = 1 ( ) = H (Hadamard gate) F Z3 = ω 3 ω ω3 2 ω 3 F Z6 = ω 6 ω6 2 ω6 3 ω6 4 ω ω6 2 ω6 4 1 ω6 2 ω6 4 1 ω6 3 1 ω6 3 1 ω6 3 1 ω6 4 ω6 2 1 ω6 4 ω6 2 = ω3 2 ω 3 1 ω3 2 ω 3 1 ω 3 ω3 2 1 ω 3 ω ω3 2 ω 3 1 ω3 2 ω 3 1 ω 5 6 ω 4 6 ω 3 6 ω 2 6 ω 6 1 ω 3 ω ω 3 ω 2 3 = F Z2 F Z3 by the isomorphism Z 6 = Z 2 Z 3

43 QFT implementation ( = 2 n ) Write x = n 1 2j x j,y= n 1 2j y j.

44 QFT implementation ( = 2 n ) Write x = n 1 2j x j,y= n 1 2j y j. F Z2 n x = 1 2 n = 1 2 n = 1 2 n = = n 1 n 1 y {0,1} n ω x( y {0,1} n n 1 P n 1 2j y j ) 2 n y 0 y n 1 n 1 y j {0,1} ω xy j2 j 2 n y j e 2πi xy j/2 n j y j 1 2 ( 0 + e 2πix2j /2 n 1 ) 1 2 ( 0 + e 2πi P n 1 k=0 2j+k n x k 1 )

45 QFT implementation ( = 2 n ) Write x = n 1 2j x j,y= n 1 2j y j. F Z2 n x = 1 2 n = 1 2 n = 1 2 n = = n 1 n 1 y {0,1} n ω x( y {0,1} n n 1 P n 1 2j y j ) 2 n y 0 y n 1 n 1 y j {0,1} ω xy j2 j 2 n y j e 2πi xy j/2 n j y j 1 2 ( 0 + e 2πix2j /2 n 1 ) 1 2 ( 0 + e 2πi P n 1 k=0 2j+k n x k 1 )

46 QFT implementation ( = 2 n ) Write x = n 1 2j x j,y= n 1 2j y j. F Z2 n x = 1 2 n = 1 2 n = 1 2 n = = n 1 n 1 y {0,1} n ω x( y {0,1} n n 1 P n 1 2j y j ) 2 n y 0 y n 1 n 1 y j {0,1} ω xy j2 j 2 n y j e 2πi xy j/2 n j y j 1 2 ( 0 + e 2πix2j /2 n 1 ) 1 2 ( 0 + e 2πi P n 1 k=0 2j+k n x k 1 )

47 QFT implementation ( = 2 n ) Write x = n 1 2j x j,y= n 1 2j y j. F Z2 n x = 1 2 n = 1 2 n = 1 2 n = = n 1 n 1 y {0,1} n ω x( y {0,1} n n 1 P n 1 2j y j ) 2 n y 0 y n 1 n 1 y j {0,1} ω xy j2 j 2 n y j e 2πi xy j/2 n j y j 1 2 ( 0 + e 2πix2j /2 n 1 ) 1 2 ( 0 + e 2πi P n 1 k=0 2j+k n x k 1 )

48 QFT implementation ( = 2 n ) Write x = n 1 2j x j,y= n 1 2j y j. F Z2 n x = 1 2 n = 1 2 n = 1 2 n = = n 1 n 1 y {0,1} n ω x( y {0,1} n n 1 P n 1 2j y j ) 2 n y 0 y n 1 n 1 y j {0,1} ω xy j2 j 2 n y j e 2πi xy j/2 n j y j 1 2 ( 0 + e 2πix2j /2 n 1 ) 1 2 ( 0 + e 2πi P n 1 k=0 2j+k n x k 1 )

49 QFT circuit We have F Z2 n x = n 1 z j where z j = 1 2 ( 0 + e 2πi(2j n x 0 +2 j+1 n x x n 1 j ) 1 )

50 QFT circuit We have F Z2 n x = n 1 z j where z j = 1 2 ( 0 + e 2πi(2j n x 0 +2 j+1 n x x n 1 j ) 1 ) Quantum circuit: x 0 H z n 1 x 1 H.. R 2 z n 2.. x n 3 z 2 x n 2 H x n 1 H R 2 R 3 R n 1 R 2 R n 2 R n 1 z 1 R n z = R r e 2πi/2r note reversal of order

51 More general QFTs There are efficient quantum circuits for F Z for general ; see Kitaev, Quantum measurements and the abelian stabilizer problem, quantph/ Hales and Hallgren, An improved quantum Fourier transform algorithm and applications, FOCS 2000

52 More general QFTs There are efficient quantum circuits for F Z for general ; see Kitaev, Quantum measurements and the abelian stabilizer problem, quantph/ Hales and Hallgren, An improved quantum Fourier transform algorithm and applications, FOCS 2000 In general, F Z1 Z k = F Z1 F Zk

53 More general QFTs There are efficient quantum circuits for F Z for general ; see Kitaev, Quantum measurements and the abelian stabilizer problem, quantph/ Hales and Hallgren, An improved quantum Fourier transform algorithm and applications, FOCS 2000 In general, F Z1 Z k = F Z1 F Zk Example: F (Z2 ) n = H H

54 More general QFTs There are efficient quantum circuits for F Z for general ; see Kitaev, Quantum measurements and the abelian stabilizer problem, quantph/ Hales and Hallgren, An improved quantum Fourier transform algorithm and applications, FOCS 2000 In general, F Z1 Z k = F Z1 F Zk Example: F (Z2 ) n = H H We can also define a Fourier transform for a nonabelian group; many of these can be implemented efficiently as well.

55 Period finding over Z

56 Periodic functions A function f : Z S is periodic with period r Z if f(x) =f(y) if x y r Z

57 Periodic functions A function f : Z S is periodic with period r Z if Example (=32): f(x) =f(y) if x y r Z f x x 1 2 1

58 Periodic functions A function f : Z S is periodic with period r Z if Example (=32): f(x) =f(y) if x y r Z f x x (otice that r must divide.)

59 Periodic functions A function f : Z S is injectively periodic with period r Z if f(x) =f(y) if and only if x y r Z

60 Periodic functions A function f : Z S is injectively periodic with period r Z if f(x) =f(y) if and only if x y r Z f x x 1 2 1

61 Periodic functions A function f : Z S is injectively periodic with period r Z if f(x) =f(y) if and only if x y r Z f x x periodic, but not injectively periodic

62 Periodic functions A function f : Z S is injectively periodic with period r Z if Example ( = 32): f(x) =f(y) if and only if x y r Z f x x 1 2 1

63 Periodic functions A function f : Z S is injectively periodic with period r Z if Example ( = 32): f(x) =f(y) if and only if x y r Z f x x 1 2 1

64 Producing a periodic state

65 Producing a periodic state Create the state Z := 1 x Z x

66 Producing a periodic state Create the state Z := 1 Append 0 and compute f: 1 x Z x x Z x, f(x)

67 Producing a periodic state Create the state Z := 1 Append 0 and compute f: 1 x Z x x Z x, f(x) Measure the second register: r r 1 s + jr s uniformly random classical value f(s)

68 Producing a periodic state Create the state Z := 1 Append 0 and compute f: 1 x Z x x Z x, f(x) Measure the second register: r r 1 s + jr s uniformly random classical value f(s)

69 Apply the QFT Recall x F Z 1 ω xy y y Z r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z r 1 ω jy /r y

70 Apply the QFT Recall x F Z 1 ω xy y y Z r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z r 1 ω jy /r y

71 Apply the QFT Recall x F Z 1 ω xy y y Z r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z r 1 ω jy /r y

72 Apply the QFT Recall x F Z 1 ω xy y y Z r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z r 1 ω jy /r y

73 Apply the QFT Recall x F Z 1 ω xy y y Z r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z r 1 ω jy /r y

74 A useful identity Claim: 1 M M 1 ω jk M = δ k mod M,0

75 A useful identity Claim: 1 M M 1 ω jk M = δ k mod M,0 Proof:

76 A useful identity Claim: 1 M M 1 ω jk M = δ k mod M,0 Proof: For k = 0 mod M, obvious.

77 A useful identity Claim: 1 M M 1 ω jk M = δ k mod M,0 Proof: For k = 0 mod M, obvious. For k 0, M 1 M = 1 ωkm M 1 ωm k ω jk (geometric series) = 1 e2πik 1 ω k M ω 2 6 ω 1 6 =0 1 =ω 3 6 ω 0 6 =1 ω 4 6 ω 5 6

78 Apply the QFT, continued r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z = 1 r = 1 r r 1 y (/r)z r ω sy z Z r ω sz y /r z r ω jy /r y 1 M M 1 ω jk M = δ k mod M,0

79 Apply the QFT, continued r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z = 1 r = 1 r r 1 y (/r)z r ω sy z Z r ω sz y /r z r ω jy /r y 1 M M 1 ω jk M = δ k mod M,0

80 Apply the QFT, continued r r 1 s + jr r r 1 ω (s+jr)y y Z y = r ω sy y Z r 1 ω jry y = r ω sy y Z = 1 r = 1 r r 1 y (/r)z r ω sy z Z r ω sz y /r z r ω jy /r y 1 M M 1 ω jk M = δ k mod M,0

81 Effect of the QFT r r 1 s + jr periodic, period r unknown offset s FZ 1 r z Z r ω sz /r z r periodic, period /r zero offset unknown phases

82 Learning the period Measure 1 r z Z r ω sz /r z r

83 Learning the period Measure 1 r z Z r ω sz /r z r Outcome: 0, r, 2 r, 3 r,..., r uniformly at random

84 Learning the period Measure 1 r z Z r ω sz /r z r Outcome: 0, r, 2 r, 3 r,..., r uniformly at random Strategy: Compute z/r in lowest terms (Euclid s algorithm) and assume the denominator is r.

85 Learning the period Measure 1 r z Z r ω sz /r z r Outcome: 0, r, 2 r, 3 r,..., r uniformly at random Strategy: Compute z/r in lowest terms (Euclid s algorithm) and assume the denominator is r. Probability of success is ( ) ϕ(r) 1 = Ω r log log r = Ω ( 1 log log )

86 An equivalent formulation Prepare 1 x Z x, f(x) and discard the second register: r r 1 s + jr with s uniformly random

87 An equivalent formulation Prepare 1 x Z x, f(x) and discard the second register: r r 1 s + jr with s uniformly random ρ r = r 2 s Z r 1 j,k=0 s + jr s + kr = 1 s Z r 1 s + jr s

88 An equivalent formulation Prepare 1 x Z x, f(x) and discard the second register: r r 1 s + jr with s uniformly random ρ r = r 2 s Z r 1 j,k=0 s + jr s + kr = 1 s Z r 1 s + jr s F Z F Z ρ r F Z = 1 r z r z r z Z

89 Period finding over Z

90 Unknown domain of periodicity Suppose we have a function f : Z S f(x) =f(y) if and only if satisfying x y r but we don t know an for which f(x + ) = f(x). Z Can we still find r?

91 Unknown domain of periodicity Suppose we have a function f : Z S f(x) =f(y) if and only if satisfying x y r but we don t know an for which f(x + ) = f(x). Z Can we still find r? Strategy: Choose a large, and hope that the procedure still works, even though r will probably not divide r.

92 Producing an (almost) periodic state Create the state Z := 1 x Z x

93 Producing an (almost) periodic state Create the state Z := 1 1 x Z x Append 0 and compute f: x Z x, f(x)

94 Producing an (almost) periodic state Create the state Z := 1 1 x Z x Append 0 and compute f: x Z x, f(x) Measure the second register: n 1 1 s + jr n n /r s ¼ uniformly random

95 Producing an (almost) periodic state Create the state Z := 1 1 x Z x Append 0 and compute f: x Z x, f(x) Measure the second register: n 1 1 s + jr n n /r s ¼ uniformly random

96 The (almost) periodic state {}}{ s } {{ }} {{ } r r }{{}}{{} r r /r } {{ } /r periods n 1 1 n s + jr n = { /r +1 /r s < r /r otherwise. where s occurs with probability n/

97 Apply the QFT Recall x F Z 1 ω xy y y Z

98 Apply the QFT Recall x F Z 1 ω xy y y Z n 1 1 n s + jr 1 n 1 n = 1 ω sy n y Z ω (s+jr)y y Z n 1 y ω jry y

99 Apply the QFT Recall x F Z 1 ω xy y y Z n 1 1 n s + jr 1 n 1 n = 1 ω sy n y Z ω (s+jr)y y Z n 1 y ω jry y

100 Apply the QFT Recall x F Z 1 ω xy y y Z n 1 1 n s + jr 1 n 1 n = 1 ω sy n y Z ω (s+jr)y y Z n 1 y ω jry y

101 Apply the QFT Recall x F Z 1 ω xy y y Z n 1 1 n s + jr 1 n 1 n = 1 ω sy n y Z ω (s+jr)y y Z n 1 y ω jry y Probability of observing y: Pr(y) = 1 n n 1 ω jry 2

102 The distribution of measurement outcomes Probability of observing y: Pr(y) = 1 n n 1 ω jry 2

103 The distribution of measurement outcomes Probability of observing y: Pr(y) = 1 n n 1 ω jry 2 When r divides, we have already seen that Pr(y) = 1 r δ y mod r,0

104 The distribution of measurement outcomes Probability of observing y: Pr(y) = 1 n n 1 ω jry 2 When r divides, we have already seen that Pr(y) = 1 r δ y mod r,0 In general, Pr(y) is sharply peaked around multiples of /r. Example ( = 64, r = 5):

105 The distribution of measurement outcomes Probability of observing y: Pr(y) = 1 n n 1 ω jry 2 When r divides, we have already seen that Pr(y) = 1 r δ y mod r,0 In general, Pr(y) is sharply peaked around multiples of /r. Example ( = 64, r = 5): 0 Exercise: Show Pr ( y {0, r, 2 r,..., (r 1) r }) = Ω(1)

106 Continued fractions Problem: Given a sample from {0, r, 2 r,..., (r 1) r }, determine r.

107 Continued fractions Problem: Given a sample from {0, r, 2 r,..., (r 1) r }, determine r. Compute the continued fraction expansion j/r = a a a 3 +

108 Continued fractions Problem: Given a sample from {0, r, 2 r,..., (r 1) r }, determine r. Compute the continued fraction expansion j/r = a a a 3 + Suppose we know that r < rmax. Then the closest continued fraction approximation with denominator less than rmax is guaranteed to be r provided > (rmax) 2.

109 Continued fractions Problem: Given a sample from {0, r, 2 r,..., (r 1) r }, determine r. Compute the continued fraction expansion j/r = a a a 3 + Suppose we know that r < rmax. Then the closest continued fraction approximation with denominator less than rmax is guaranteed to be r provided > (rmax) 2. If we are not given an a priori upper bound rmax, we can start with rmax = 2 and successively double it until we find r; then the running time will be poly(log r).

110 Application: Order finding Let G be a group. The order of g 2 G is the smallest r 2 {1, 2, 3,...} such that g r = 1.

111 Application: Order finding Let G be a group. The order of g 2 G is the smallest r 2 {1, 2, 3,...} such that g r = 1. The function f : Z G defined by f(x) = g x is (injectively) periodic with period equal to the order of g in G.

112 Application: Order finding Let G be a group. The order of g 2 G is the smallest r 2 {1, 2, 3,...} such that g r = 1. The function f : Z G defined by f(x) = g x is (injectively) periodic with period equal to the order of g in G. periodicity: f(x + r) =g x+r = g x = f(x)

113 Application: Order finding Let G be a group. The order of g 2 G is the smallest r 2 {1, 2, 3,...} such that g r = 1. The function f : Z G defined by f(x) = g x is (injectively) periodic with period equal to the order of g in G. periodicity: injectivity: f(x + r) =g x+r = g x = f(x) there is no x < r for which f(x) = f(0)

114 Application: Order finding Let G be a group. The order of g 2 G is the smallest r 2 {1, 2, 3,...} such that g r = 1. The function f : Z G defined by f(x) = g x is (injectively) periodic with period equal to the order of g in G. periodicity: injectivity: f(x + r) =g x+r = g x = f(x) there is no x < r for which f(x) = f(0) So there is an efficient (running time poly(log G )) quantum algorithm for order finding.

115 Reduction of factoring to period finding

116 Factoring Finding a nontrivial factor Suppose we want to factor the positive integer. Since primality can be tested efficiently, it suffices to give a procedure for finding a nontrivial factor of with constant probability.

117 Factoring Finding a nontrivial factor Suppose we want to factor the positive integer. Since primality can be tested efficiently, it suffices to give a procedure for finding a nontrivial factor of with constant probability. function factor() if is prime output else repeat x=find_nontrivial_factor() until success factor(x) factor(/x) end if

118 Factoring Finding a nontrivial factor Suppose we want to factor the positive integer. Since primality can be tested efficiently, it suffices to give a procedure for finding a nontrivial factor of with constant probability. function factor() if is prime output else repeat x=find_nontrivial_factor() until success factor(x) factor(/x) end if We can assume is odd, since it is easy to find the factor 2.

119 Factoring Finding a nontrivial factor Suppose we want to factor the positive integer. Since primality can be tested efficiently, it suffices to give a procedure for finding a nontrivial factor of with constant probability. function factor() if is prime output else repeat x=find_nontrivial_factor() until success factor(x) factor(/x) end if We can assume is odd, since it is easy to find the factor 2. We can also assume that contains at least two distinct prime powers, since it is easy to check if it is a power of some integer.

120 Miller s reduction Factoring reduces to order finding in (Miller 1976). Z

121 Miller s reduction Factoring reduces to order finding in (Miller 1976). Z Choose a {2, 3,..., 1} uniformly at random. If gcd(a, ) 1, then it is a nontrivial factor of ; otherwise a Z.

122 Miller s reduction Factoring reduces to order finding in (Miller 1976). Z Choose a {2, 3,..., 1} uniformly at random. If gcd(a, ) 1, then it is a nontrivial factor of ; otherwise a Z. Let r denote the (multiplicative) order of a modulo.

123 Miller s reduction Factoring reduces to order finding in (Miller 1976). Z Choose a {2, 3,..., 1} uniformly at random. If gcd(a, ) 1, then it is a nontrivial factor of ; otherwise a Z. Let r denote the (multiplicative) order of a modulo. Suppose r is even. Then a r = 1 mod (a r/2 ) 2 1 = 0 mod

124 Miller s reduction Factoring reduces to order finding in (Miller 1976). Z Choose a {2, 3,..., 1} uniformly at random. If gcd(a, ) 1, then it is a nontrivial factor of ; otherwise a Z. Let r denote the (multiplicative) order of a modulo. Suppose r is even. Then a r = 1 mod (a r/2 ) 2 1 = 0 mod (a r/2 1)(a r/2 + 1) = 0 mod

125 Miller s reduction Factoring reduces to order finding in (Miller 1976). Z Choose a {2, 3,..., 1} uniformly at random. If gcd(a, ) 1, then it is a nontrivial factor of ; otherwise a Z. Let r denote the (multiplicative) order of a modulo. Suppose r is even. Then a r = 1 mod (a r/2 ) 2 1 = 0 mod (a r/2 1)(a r/2 + 1) = 0 mod so we might hope for gcd(a r/2 1,) to be a nontrivial factor of.

126 Miller s reduction Given (a r/2 1)(a r/2 + 1) = 0 mod when does gcd(a r/2 1,) give a nontrivial factor of?

127 Miller s reduction Given (a r/2 1)(a r/2 + 1) = 0 mod when does gcd(a r/2 1,) give a nontrivial factor of? ote that a r/2 1 0 mod r/2, or smaller). (otherwise the order of a would be

128 Miller s reduction Given (a r/2 1)(a r/2 + 1) = 0 mod when does gcd(a r/2 1,) give a nontrivial factor of? ote that a r/2 1 0 mod r/2, or smaller). (otherwise the order of a would be So it suffices to ensure that a r/ mod.

129 Miller s reduction Given (a r/2 1)(a r/2 + 1) = 0 mod when does gcd(a r/2 1,) give a nontrivial factor of? ote that a r/2 1 0 mod r/2, or smaller). (otherwise the order of a would be So it suffices to ensure that a r/ mod. Lemma: Suppose a Z is chosen uniformly at random, where is an odd integer with at least two distinct prime factors. Then with probability at least 1/2, the multiplicative order r of a is even and a r/2 1 mod.

130 Proof (part 1 of 2) Let = p m 1 1 p m k k (pi distinct primes, k 2) a = a i mod p m i i ri = order of ai modulo p m i i 2 c i = largest power of 2 that divides ri

131 Proof (part 1 of 2) Let = p m 1 1 p m k k (pi distinct primes, k 2) a = a i mod p m i i ri = order of ai modulo p m i i 2 c i = largest power of 2 that divides ri Claim 1: If r is odd or a r/ mod, then c1 = = ck.

132 Proof (part 1 of 2) Let = p m 1 1 p m k k (pi distinct primes, k 2) a = a i mod p m i i ri = order of ai modulo p m i i 2 c i = largest power of 2 that divides ri Claim 1: If r is odd or a r/ mod, then c1 = = ck. Since r = lcm(r 1,..., r k ), r is odd iff c1 = = ck = 0.

133 Proof (part 1 of 2) Let = p m 1 1 p m k k (pi distinct primes, k 2) a = a i mod p m i i ri = order of ai modulo p m i i 2 c i = largest power of 2 that divides ri Claim 1: If r is odd or a r/ mod, then c1 = = ck. Since r = lcm(r 1,..., r k ), r is odd iff c1 = = ck = 0. If r is even and a r/2 = 1 mod, then a r/2 = 1 mod p m i i for each i, so ri does not divide r/2; but notice that ri does divide r.

134 Proof (part 1 of 2) Let = p m 1 1 p m k k (pi distinct primes, k 2) a = a i mod p m i i ri = order of ai modulo p m i i 2 c i = largest power of 2 that divides ri Claim 1: If r is odd or a r/ mod, then c1 = = ck. Since r = lcm(r 1,..., r k ), r is odd iff c1 = = ck = 0. If r is even and a r/2 = 1 mod, then a r/2 = 1 mod p m i i for each i, so ri does not divide r/2; but notice that ri does divide r. Hence r/ri is an odd integer for each i, and every ri must contain the same number of powers of 2 as r.

135 Proof (part 2 of 2) Claim 2: Prob(ci = any particular value) 1/2

136 Proof (part 2 of 2) Claim 2: Prob(ci = any particular value) 1/2 (Then the lemma follows, because in particular Prob(c1 = c2) 1/2.)

137 Proof (part 2 of 2) Claim 2: Prob(ci = any particular value) 1/2 (Then the lemma follows, because in particular Prob(c1 = c2) 1/2.) a Z uniformly at random a i Z p m i i uniformly at random

138 Proof (part 2 of 2) Claim 2: Prob(ci = any particular value) 1/2 (Then the lemma follows, because in particular Prob(c1 = c2) 1/2.) a Z uniformly at random a i Z p m i i uniformly at random Z p m i i Since is cyclic and of even order, exactly half its elements have the maximal value of ci, so in particular the probability of any particular ci is at most 1/2.

139 Shor s factoring algorithm Input: Integer Output: A nontrivial factor of 1. Choose a random a {2, 3,..., 1} 2. Compute gcd(a, ); if it is not 1 then it is a nontrivial factor, and otherwise we continue 3. Prepare the uniform superposition Z 2 (or replace 2 by the next largest power of 2) 4. Append an ancilla register, and conditioned on the value x in the first register, compute f(x) = a x mod in the ancilla register; discard the ancilla 5. Perform the quantum Fourier transform over 6. Measure in the computational basis Z 2 7. Compute the continued fraction expansion of the result divided by 2, obtaining the best approximation with denominator less than ; call this denominator r 8. Compute gcd(ar/2 1, ). If it is 1 or then we have failed, and we start over; otherwise the result is a nontrivial factor of.

140 Performance Most expensive step: Modular exponentiation. Using repeated squaring, this can be done in time O((log ) 3 ). ) Running time of Shor s algorithm is O((log ) 3 ) In contrast, the best known classical algorithm for factoring (the number field sieve) takes time 2 O((log )1/3 (log log ) 2/3 ).

141 Performance Most expensive step: Modular exponentiation. Using repeated squaring, this can be done in time O((log ) 3 ). ) Running time of Shor s algorithm is O((log ) 3 ) In contrast, the best known classical algorithm for factoring (the number field sieve) takes time 2 O((log )1/3 (log log ) 2/3 ). ote that the quantum part of Shor s algorithm can be highly parallelized: with polynomial-time classical pre- and post-processing, can achieve depth O((log log ) 2 ) and size O((log ) 3 ) (Cleve and Watrous 2000).

142 Beyond factoring

143 So much more than Shor and Grover Quantum simulation Algebraic problems Factoring, discrete log, decomposing abelian groups, Pell s equation, principal ideal problem, computing unit/class groups of number fields, shifted Legendre symbol, approximating Gauss sums, counting points on curves, some nonabelian hidden subgroup problems,... Search and its applications (Peter Høyer s lectures yesterday) Unstructured search (decision, finding, counting), collision, median finding, graph connectivity, minimum spanning trees, single source shortest paths, matchings, network flows,... Quantum walk algorithms (Eddie Farhi s lectures on Friday) Black box graph traversal, spatial search, element distinctness, triangle finding, checking matrix multiplication, testing group commutativity, formula evaluation,... Approximation of #P-hard problems Jones polynomial, HOMFLYPT polynomial, Tutte polynomial/potts model partition function,... Miscellanea Oracle interrogation, ordered search, gradient estimation,...

144 Discrete log Let G = {g α : α Z } be a cyclic group generated by g. Given x G, define log g x := min{l Z + : g l = x}.

145 Discrete log Let G = {g α : α Z } be a cyclic group generated by g. Given x G, define log g x := min{l Z + : g l = x}. Computing logg x is (apparently) classically hard, and (as for factoring) this assumption is used in cryptographic protocols. Common groups: G = Z M G = elliptic curve best classical algorithm 2 O((log M)1/3 (log log M) 2/3 ) O( O(log ) ) = 2

146 Discrete log Let G = {g α : α Z } be a cyclic group generated by g. Given x G, define log g x := min{l Z + : g l = x}. Computing logg x is (apparently) classically hard, and (as for factoring) this assumption is used in cryptographic protocols. Common groups: G = Z M G = elliptic curve best classical algorithm 2 O((log M)1/3 (log log M) 2/3 ) O( O(log ) ) = 2 But there is an efficient quantum algorithm for discrete log in general groups (Shor 1994).

147 The abelian hidden subgroup problem Let G be an abelian group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if x y H Abelian HSP: Given the ability to query f, find a generating set for H.

148 The abelian hidden subgroup problem Let G be an abelian group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if x y H Abelian HSP: Given the ability to query f, find a generating set for H. Example: If G = Z, then f hides a subgroup isomorphic to Z/r iff it is injectively periodic with period r

149 The abelian hidden subgroup problem Let G be an abelian group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if x y H Abelian HSP: Given the ability to query f, find a generating set for H. Example: If G = Z, then f hides a subgroup isomorphic to Z/r iff it is injectively periodic with period r Example: The function f(α, β) =x α g β hides (α, α log g x):α Z Z Z

150 The abelian hidden subgroup problem Let G be an abelian group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if x y H Abelian HSP: Given the ability to query f, find a generating set for H. Example: If G = Z, then f hides a subgroup isomorphic to Z/r iff it is injectively periodic with period r Example: The function f(α, β) =x α g β hides (α, α log g x):α Z Z Z There is an efficient quantum algorithm for the hidden subgroup problem in any finitely generated abelian group.

151 Counting points on curves Problem: How many solutions are there to the polynomial equation f(x, y) = 0 where x, y 2 Zp (or more generally, a finite field)?

152 Counting points on curves Problem: How many solutions are there to the polynomial equation f(x, y) = 0 where x, y 2 Zp (or more generally, a finite field)? This problem appears to be hard for a classical computer.

153 Counting points on curves Problem: How many solutions are there to the polynomial equation f(x, y) = 0 where x, y 2 Zp (or more generally, a finite field)? This problem appears to be hard for a classical computer. But Kedlaya showed it can be solved in time poly(log p, d) on a quantum computer, where d is the degree of the polynomial.

154 Counting points on curves Problem: How many solutions are there to the polynomial equation f(x, y) = 0 where x, y 2 Zp (or more generally, a finite field)? This problem appears to be hard for a classical computer. But Kedlaya showed it can be solved in time poly(log p, d) on a quantum computer, where d is the degree of the polynomial. Approach: Use the algorithm for the abelian HSP to learn the structure of the class group of the curve, which determines the number of points.

155 Pell s equation and number fields Pell s equation: Given a squarefree positive integer d, find integer solutions (x, y) to x 2 dy 2 =1.

156 Pell s equation and number fields Pell s equation: Given a squarefree positive integer d, find integer solutions (x, y) to x 2 dy 2 =1. There are infinitely many solutions, but they are all generated by one fundamental solution (x1, y1).

157 Pell s equation and number fields Pell s equation: Given a squarefree positive integer d, find integer solutions (x, y) to x 2 dy 2 =1. There are infinitely many solutions, but they are all generated by one fundamental solution (x1, y1). Even the fundamental solution may be too large just to write down in polynomial time, but it can be encoded in the integer part of the regulator, log(x 1 + y 1 d).

158 Pell s equation and number fields Pell s equation: Given a squarefree positive integer d, find integer solutions (x, y) to x 2 dy 2 =1. There are infinitely many solutions, but they are all generated by one fundamental solution (x1, y1). Even the fundamental solution may be too large just to write down in polynomial time, but it can be encoded in the integer part of the regulator, log(x 1 + y 1 d). This can be found efficiently by a quantum computer using a generalization of period finding to the real numbers.

159 Pell s equation and number fields Pell s equation: Given a squarefree positive integer d, find integer solutions (x, y) to x 2 dy 2 =1. There are infinitely many solutions, but they are all generated by one fundamental solution (x1, y1). Even the fundamental solution may be too large just to write down in polynomial time, but it can be encoded in the integer part of the regulator, log(x 1 + y 1 d). This can be found efficiently by a quantum computer using a generalization of period finding to the real numbers. Similar ideas lead to efficient quantum algorithms for computing properties of number fields.

160 The nonabelian hidden subgroup problem Let G be any finite group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if xy 1 H HSP: Given the ability to query f, find a generating set for H.

161 The nonabelian hidden subgroup problem Let G be any finite group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if xy 1 H HSP: Given the ability to query f, find a generating set for H. When G is nonabelian, this can be significantly harder.

162 The nonabelian hidden subgroup problem Let G be any finite group. We say that f : G S hides the subgroup H G if f(x) =f(y) if and only if xy 1 H HSP: Given the ability to query f, find a generating set for H. When G is nonabelian, this can be significantly harder. Potential applications: Graph isomorphism Lattice problems

163 Graph automorphism Problem: Given an n-vertex graph, what is its automorphism group?

164 Graph automorphism Problem: Given an n-vertex graph, what is its automorphism group? 1 = 2 = 3 =

165 Graph automorphism Problem: Given an n-vertex graph, what is its automorphism group? 1 = 2 = 3 = Aut(Γ 1 ) = S 5

166 Graph automorphism Problem: Given an n-vertex graph, what is its automorphism group? 1 = 2 = 3 = Aut(Γ 1 ) = S 5 Aut(Γ 2 ) = Z 2

167 Graph automorphism Problem: Given an n-vertex graph, what is its automorphism group? 1 = 2 = 3 = Aut(Γ 1 ) = S 5 Aut(Γ 2 ) = Z 2 Aut(Γ 3 ) = {id}

168 Graph automorphism Problem: Given an n-vertex graph, what is its automorphism group? 1 = 2 = 3 = Aut(Γ 1 ) = S 5 Aut(Γ 2 ) = Z 2 Aut(Γ 3 ) = {id} This is an HSP in with having hidden subgroup G = S n f(π) = π(γ) H = Aut( )

169 Shortest lattice vector problem Basis vectors v 1,..., v n R n define a lattice L := { i c i v i : c i Z}

170 Shortest lattice vector problem Basis vectors v 1,..., v n R n define a lattice L := { i c i v i : c i Z} v 1 v 2 0

171 Shortest lattice vector problem Basis vectors v 1,..., v n R n define a lattice L := { i c i v i : c i Z} v 1 v 2 0

172 Shortest lattice vector problem Basis vectors v 1,..., v n R n define a lattice L := { i c i v i : c i Z} v 1 v 2 0 Problem: What is the shortest nonzero vector in the lattice?

173 Shortest lattice vector problem Basis vectors v 1,..., v n R n define a lattice L := { i c i v i : c i Z} v 1 v 2 0 Problem: What is the shortest nonzero vector in the lattice? This is P-hard, but what if we promise that the shortest vector is shorter than the next-shortest non-parallel vector by some factor?

174 Shortest lattice vector problem Basis vectors v 1,..., v n R n define a lattice L := { i c i v i : c i Z} v 1 v 2 0 Problem: What is the shortest nonzero vector in the lattice? This is P-hard, but what if we promise that the shortest vector is shorter than the next-shortest non-parallel vector by some factor? Lattice cryptosystems assume this is hard with a factor poly(n).

175 Dihedral hidden subgroup problem The dihedral group of order 2 is the group of symmetries of an -sided regular polygon.

176 Dihedral hidden subgroup problem The dihedral group of order 2 is the group of symmetries of an -sided regular polygon. Is there an efficient quantum algorithm for the HSP in this group? ote: It suffices to consider hidden subgroups of order 2 (hidden reflections).

177 Dihedral hidden subgroup problem The dihedral group of order 2 is the group of symmetries of an -sided regular polygon. Is there an efficient quantum algorithm for the HSP in this group? ote: It suffices to consider hidden subgroups of order 2 (hidden reflections). Standard method : Given samples of φ x = 1 2 ( 0 + e 2πisx/ 1 ) Z with x uniformly random in (and known), determine s.

178 Dihedral hidden subgroup problem The dihedral group of order 2 is the group of symmetries of an -sided regular polygon. Is there an efficient quantum algorithm for the HSP in this group? ote: It suffices to consider hidden subgroups of order 2 (hidden reflections). Standard method : Given samples of φ x = 1 2 ( 0 + e 2πisx/ 1 ) Z with x uniformly random in (and known), determine s. Solving this problem would break lattice-based cryptography, one of the few types of cryptosystems not yet known to be broken by quantum computers!