C/CS/Phys 191 Shor s order (period) finding algorithm and factoring 11/01/05 Fall 2005 Lecture 19

Similar documents
C/CS/Phys C191 Shor s order (period) finding algorithm and factoring 11/12/14 Fall 2014 Lecture 22

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Figure 1: Circuit for Simon s Algorithm. The above circuit corresponds to the following sequence of transformations.

Shor s Prime Factorization Algorithm

Introduction to Quantum Information Processing CS 467 / CS 667 Phys 667 / Phys 767 C&O 481 / C&O 681

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

QFT, Period Finding & Shor s Algorithm

Lecture note 8: Quantum Algorithms

C/CS/Phys C191 Grover s Quantum Search Algorithm 11/06/07 Fall 2007 Lecture 21

Shor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017

Shor Factorization Algorithm

Quantum algorithms for computing short discrete logarithms and factoring RSA integers

Ph 219b/CS 219b. Exercises Due: Wednesday 20 November 2013

arxiv:quant-ph/ v2 22 Jan 2004

Fast Fraction-Integer Method for Computing Multiplicative Inverse

Introduction to Information Security

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

Introduction to Quantum Computing

Quantum Computing. 6. Quantum Computer Architecture 7. Quantum Computers and Complexity

1 Structure of Finite Fields

1 Overview and revision

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

Classical RSA algorithm

Discrete Mathematics and Probability Theory Fall 2013 Vazirani Note 3

Lecture 8: Finite fields

C/CS/Phys C191 Quantum Gates, Universality and Solovay-Kitaev 9/25/07 Fall 2007 Lecture 9

11 Division Mod n, Linear Integer Equations, Random Numbers, The Fundamental Theorem of Arithmetic

Inverses. Today: finding inverses quickly. Euclid s Algorithm. Runtime. Euclid s Extended Algorithm.

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

Compute the Fourier transform on the first register to get x {0,1} n x 0.

22. The Quadratic Sieve and Elliptic Curves. 22.a The Quadratic Sieve

Fourier Sampling & Simon s Algorithm

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Quantum Computers. Peter Shor MIT

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Algorithms (II) Yu Yu. Shanghai Jiaotong University

Short Course in Quantum Information Lecture 5

Quantum Algorithms Lecture #2. Stephen Jordan

Quantum Fourier Transforms

CMPUT 403: Number Theory

MATH 2112/CSCI 2112, Discrete Structures I Winter 2007 Toby Kenney Homework Sheet 5 Hints & Model Solutions

2 A Fourier Transform for Bivariate Functions

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Lecture 4: Number theory

ECEN 5022 Cryptography

C/CS/Phys 191 Quantum Gates and Universality 9/22/05 Fall 2005 Lecture 8. a b b d. w. Therefore, U preserves norms and angles (up to sign).

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Lecture 7: Number Theory Steven Skiena. skiena

Factoring integers with a quantum computer

Introduction to Quantum Computing

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

QIP Note: On the Quantum Fourier Transform and Applications

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

cse547, math547 DISCRETE MATHEMATICS Professor Anita Wasilewska

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Factorization & Primality Testing

Ph 219b/CS 219b. Exercises Due: Wednesday 11 February 2009

x 9 or x > 10 Name: Class: Date: 1 How many natural numbers are between 1.5 and 4.5 on the number line?

Lecture 11 - Basic Number Theory.

Olympiad Number Theory Through Challenging Problems

Lecture 3.1: Public Key Cryptography I

b) (5 points) Give a simple quantum circuit that transforms the state

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

Quantum Circuits and Algorithms

Quantum Computing and Shor s Algorithm

Simon s algorithm (1994)

Q: How can quantum computers break ecryption?

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

First, let's review classical factoring algorithm (again, we will factor N=15 but pick different number)

Number Theory. Zachary Friggstad. Programming Club Meeting

Continuing discussion of CRC s, especially looking at two-bit errors

Algorithmic number theory. Questions/Complaints About Homework? The division algorithm. Division

Basic elements of number theory

Basic elements of number theory

Contest Number Theory

Some Own Problems In Number Theory

Chapter 9 Basic Number Theory for Public Key Cryptography. WANG YANG

CPSC 467b: Cryptography and Computer Security

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Ma/CS 6a Class 4: Primality Testing

PUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime.

Congruent Number Problem and Elliptic curves

WebPage: lomonaco A LECTURE ON SHOR S QUANTUM FACTORING ALGORITHM VERSION 1.1. Contents. 1. Preamble to Shor s algorithm

18 Divisibility. and 0 r < d. Lemma Let n,d Z with d 0. If n = qd+r = q d+r with 0 r,r < d, then q = q and r = r.

Ma/CS 6a Class 4: Primality Testing

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Shor s Quantum Factorization Algorithm

Topic Contents. Factoring Methods. Unit 3: Factoring Methods. Finding the square root of a number

Quantum computing. Shor s factoring algorithm. Dimitri Petritis. UFR de mathématiques Université de Rennes CNRS (UMR 6625) Rennes, 30 novembre 2018

The number of ways to choose r elements (without replacement) from an n-element set is. = r r!(n r)!.

Number Theory Marathon. Mario Ynocente Castro, National University of Engineering, Peru

MATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences.

Transcription:

C/CS/Phys 9 Shor s order (period) finding algorithm and factoring /0/05 Fall 2005 Lecture 9 Readings Benenti et al., Ch. 3.2-3.4 Stolze and Suter, uantum Computing, Ch. 8.3 Nielsen and Chuang, uantum Computation and uantum Information, Ch. 5.2-5.3, 5.4. (NC use phase estimation for this, which we present in the next lecture) literature: Ekert and Jozsa, Rev. Mod. Phys. 68, 733 (996) 2 Introduction With a fast algorithm for the uantum Fourier Transform in hand, it is clear that many useful applications should be possible. Fourier transforms are typically used to extract the periodic components in functions, so this is an immediate one. One very important example is finding the period of a modular exponential function, which is also known as order-finding. This is a key element of Shor s algorithm to factor large integers N. In Shor s algorithm, the quantum algorithm for order-finding is combined with a series of efficient classical computational steps to make an algorithm that is overall polynomial in the input size n log 2 N, scaling as O(n 2 lognloglogn). This is better than the best known classical algorithm, the number field sieve, which scales superpolynomially in n, i.e., as exp(o(n /3 (logn) 2/3 )). In this lecture we shall first present the quantum algorithm for order-finding and then summarize how this is used together with tools from number theory to efficiently factor large numbers. 3 Shor s order-finding algorithm 3. modular exponentiation Recall the exponential function a x. The modular exponential function is obtained by taking this function and calculating the remainder on division by N, i.e., F N (x) a x mod N. The order of the modular exponential, referred to as the order of a mod N or ord(a), is the smallest positive integer r such that a r mod N Equivalently, we can say that r is the period of this function, since from the above equation we have a r k N + a r+ k N a+a a r+ mod N a mod N, where k is some integer. So F N (x+r) F(N x ), i.e., r is the period of F N (x). Note that r N. Three cases arise: C/CS/Phys 9, Fall 2005, Lecture 9

. r is odd 2. r is even and a r/2 mod N 3. r is even and a r/2 mod N. Cases ) and 2) are not relevant to factorization of N, but in case 3) at least one of the two numbers gcd(n,a r/2 ± ) is a non-trivial factor of N where gcd(x,y) is the greatest common denominator of x and y (see Section 4 below). How do we find ord(a) r? The strategy is to calculation the function F N (x) for many values of x in parallel and to use Fourier techniques to detect the period in the sequence of function values. In the next subsection we show Shor s quantum algorithm does this efficiently using the quantum fourier transform. 3.2 Period finding The algorithm uses two registers: register (source) has K qubits and stores a number 2 K, with N 2 2N 2, or equivalently a number mod register 2 (target) has at least n log 2 N qubits, so can store N or more basis states, or equivalently, a number mod N. Note that the total number of qubits required is then given by the sum of K +2log 2 N and n log 2 N. The algorithm can be decomposed into 6 steps.. Both registers are initialized in the state 0 0. 2. The source register is transformed to an equal superposition over all basis states. This can be done either by applying the K qubit Hadamard transform (see homework 3) H K x H K 0 2 K ( ) xy y y 2 K y y or by applying the Fourier Transform q 0 q 0 exp q. q 0 (2πi qq ) q in both cases (what does this tell you about the relation of Hadamard to Fourier transform?) we get the full quantum state (of source and register) q 0 q0 C/CS/Phys 9, Fall 2005, Lecture 9 2

3. Now we apply a gate U a that implements the modular exponentiation q f(q) a q mod N. This is a function that is easy to compute classically (it can be computed in log q multiplications using repeated squaring, a 2 a a, a 4 a 2 a 2, a 8 a 4 a 4,... see Nielsen and Chuang, p. 228 for a detailed analysis). As described above, f(q) has r as its smallest period. Note that f is distinct on [0,r ] (i.e., all values are different) since otherwise it would have a smaller period. Applying the function f to the contents of source register and storing the result in target register 2, i.e., we get q a q mod N. q0 Here > N 2 values of the function f(q) are computed in parallel. Since r < N, the period r must manifest itself in the resulting sequence of function values now stored in the second register. So there can only be r different function values. 4. Now we measure the second register. When we measure, we must get some value which has to be one of the r distinct values of f(q). Suppose it is f(q 0 ). Then all superposed states of the first register inconsistent with this measured value must disappear. For simplicity, we shall restrict ourselves first to the case where mr, i.e., there are m different values of q which have the same value of f(q). Then exactly /r states of register will contribute to the measured state of register 2, and after this measurement the combined state of the two registers must be given by /r jr+q 0 f(q 0 ) /r j0 5. We now have a periodic superposition of state in register, with period r. From now on the second register is irrelevant and we can drop it from discussion. The first register has a periodic superposition whose period is the value that we wanted to compute in the first place. How do we get that period? Can we get anything simply by measuring the first register?no, since all we will get is a random point, with no correlation across independent trials (because q 0 is random). Instead, we first make a quantum Fourier transform on register. Applying the Fourier transform modulo to state gives us φ q0 r r j0 r ω kq 0 k r r k0 jr+q 0 where ω is a primitive rth root of unity, ω e 2πi r. C/CS/Phys 9, Fall 2005, Lecture 9 3

You may be wondering how the sum got changed from /r terms to just r terms. This was the result of destructive interference in the FT of the state φ q0 jr + q 0. Here s how it happened. First rewrite φ q0 as a sum over all states: φ q0 g(a) a a0 where g(a) r/ if a q 0 is a multiple of r and g(a) 0 otherwise. Then Fourier transforming this modulo (this just means the Fourier transform base K or with 2 K basis states), gives c r c r j0 ( ) 2πi( jr+q0 )c exp c ( ) ] ( ) 2πi( jr)c 2πiq0 c c exp. [ exp j0 Now looking at the right hand side, you can see that when rc/ is an integer, i.e., c is a multiple of /r, each term in the sum inside the square brackets will be equal to one. The square bracket term is then equal to and we obtain exp(2πiq 0 c/)/ r for the coefficient of basis state c. On the other hand, when rc/ is not an integer, the sum in the square brackets cancels to zero (see Benenti p. 63 for an example). So the only states in the sum over c that survive are those for which c is a multiple of /r. Thus the Fourier transformed state has period /r, and furthermore it has non-zero values only at values of c that are multiples of this period. Writing c k/r, we get then the FT state r ( ) FT 2πiq0 k k φ q0 r exp r r k0 which is what was given above. Note that the Fourier transform has moved the shift value q 0 in the index of the original state to a phase factor in the fourier transformed state. 6. Now we measure register. The measurement gives us a value C k r, where k is a random number between 0 and r-. Now we have, C, and hence also the ratio C/ k/r. Now if gcd(k,r), i.e., if k and r have no common divisors, we can reduce the ratio C/ to an irreducible fraction, e.g., /r. See Benenti p. 63 for an example. Since k is chosen at random in the measurement, then the probability that gcd(k,r) is greater than /logr for larger values of r (see Appendix A.3 in Ekert and Jozsa, RMP 68, 733 (996)). So one can repeat the is easy to see that with big probability gcd(k, r ). Then by repeating the calculation O(logr) < O(logN) times, one can amplify the success probability to as close to one as desired. So we have an efficient determination of the order r. In the general case, when nr, one has a slightly modified analysis that results in the order being determined to a high probability. Note, in class we looked also at the slightly different procedure followed in Suter s book, where at step 4 one makes a Fourier Transform on register and then measures this. See Suter Ch. 8.3.3. C/CS/Phys 9, Fall 2005, Lecture 9 4

4 Using order-finding to factor large numbers N efficiently Once we have the order r of a x mod N, we first check if r is even and a r/2 mod N (case 3) above). If so, then lets proceed with y a r/2. Since y 2 mod N, then y 2 (y+)(y ) is divisible by N. So N has a common factor with either y+ or y. The common factor must be one of greatest common divisors gcd(n, y ± ). These can be efficiently computed with Euclid s algorithm (classical - what else!). 4. Euclid s algorithm for gcd(x,y) Let x,y be 2 integers, x > y and z gcd(z,y). Then both x and y and the numbers x y, x 2y,... are multiples of z. Therefore the remainder r x ky < y is also a multiple of z. Now if r 0, then z y and the problem is solved. So we only have to figure out how to get to zero remainder from the starting integers x and y. This is easy. We simply repeatedly take the remainder: z gcd(x,y) gcd(y,r ) gcd(r,r 2 ) gcd(r 2,r 3 )... gcd(r n,r n ), where r,r 2,... are the successive remainders, r i r i k i y. The last non-zero remainder r n is z. 4.2 Shor s factoring algorithm The overall quantum factoring algorithm is as follows:. If N even, return the factor 2 2. Determine whether N a b for integers a and b 2: if yes, return the factor a 3. Randomly choose y between and N. If z gcd(y,n) >, return the factor z. 4. Use the order-finding algorithm to find the order r of y mod N, i.e., r such that y r mod N. 5. If r is even and y r/2 mod N, then evaluate gcd(y r/2 ±,N). If one of these is a non-trivial factor (i.e., other than ), return that value as a factor. If not, go back to step 3 and repeat. The success rate of the last three steps must be reasonably high since this is a probabilistic algorithm. See discussions in the texts and in the paper of Ekert and Jozsa. C/CS/Phys 9, Fall 2005, Lecture 9 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback