Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Similar documents
Introduction to Quantum Information Processing CS 467 / CS 667 Phys 667 / Phys 767 C&O 481 / C&O 681

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

C/CS/Phys 191 Shor s order (period) finding algorithm and factoring 11/01/05 Fall 2005 Lecture 19

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Shor Factorization Algorithm

Ma/CS 6a Class 4: Primality Testing

Applied Cryptography and Computer Security CSE 664 Spring 2018

Shor s Prime Factorization Algorithm

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Factorization & Primality Testing

1. Algebra 1.7. Prime numbers

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Lecture 11 - Basic Number Theory.

Figure 1: Circuit for Simon s Algorithm. The above circuit corresponds to the following sequence of transformations.

Algorithms (II) Yu Yu. Shanghai Jiaotong University

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH.

CSE 521: Design and Analysis of Algorithms I

Quantum Computing and Shor s Algorithm

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Introduction to Quantum Computing

Cryptography: Joining the RSA Cryptosystem

Lecture 31: Miller Rabin Test. Miller Rabin Test

CPSC 467: Cryptography and Computer Security

Advanced Algorithms and Complexity Course Project Report

Ma/CS 6a Class 4: Primality Testing

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Lecture note 8: Quantum Algorithms

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Introduction to Number Theory. The study of the integers

QFT, Period Finding & Shor s Algorithm

The running time of Euclid s algorithm

CPSC 467b: Cryptography and Computer Security

Introduction to Quantum Information Processing

Phase estimation. p. 1/24

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

Quantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Number Theory. Everything else. Misha Lavrov. ARML Practice 10/06/2013

Shor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017

Cryptography IV: Asymmetric Ciphers

Shor s Quantum Factorization Algorithm

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Algorithms in the Quantum Computing Framework

CPSC 467b: Cryptography and Computer Security

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Lecture 9: Shor s Algorithm

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Richard Cleve David R. Cheriton School of Computer Science Institute for Quantum Computing University of Waterloo

QIP Note: On the Quantum Fourier Transform and Applications

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

Lecture 2: Randomized Algorithms

THE SOLOVAY STRASSEN TEST

Measuring progress in Shor s factoring algorithm

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

ECEN 5022 Cryptography

Factoring on a Quantum Computer

Factoring integers with a quantum computer

Lecture 10: Eigenvalue Estimation

Exercises Exercises. 2. Determine whether each of these integers is prime. a) 21. b) 29. c) 71. d) 97. e) 111. f) 143. a) 19. b) 27. c) 93.

Some Facts from Number Theory

Number Theory and Group Theoryfor Public-Key Cryptography

conp = { L L NP } (1) This problem is essentially the same as SAT because a formula is not satisfiable if and only if its negation is a tautology.

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Compute the Fourier transform on the first register to get x {0,1} n x 0.

Ph 219b/CS 219b. Exercises Due: Wednesday 11 February 2009

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

Lecture 8: Finite fields

Lucas Lehmer primality test - Wikipedia, the free encyclopedia

Public Key Encryption

Lecture 6: Deterministic Primality Testing

Introduction to Public-Key Cryptosystems:

Postmodern Primality Proving

Basic counting techniques. Periklis A. Papakonstantinou Rutgers Business School

Quantum Computing. 6. Quantum Computer Architecture 7. Quantum Computers and Complexity

Short Course in Quantum Information Lecture 5

Applied Cryptography and Computer Security CSE 664 Spring 2017

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

PRIMALITY TESTING. Professor : Mr. Mohammad Amin Shokrollahi Assistant : Mahdi Cheraghchi. By TAHIRI JOUTI Kamal

Finite Fields: An introduction through exercises Jonathan Buss Spring 2014

10 Concrete candidates for public key crypto

KTH, NADA , and D1449 Kryptografins grunder. Lecture 6: RSA. Johan Håstad, transcribed by Martin Lindkvist

Lecture 14: Hardness Assumptions

About complexity. We define the class informally P in the following way:

QUANTUM COMPUTATION. Lecture notes. Ashley Montanaro, University of Bristol 1 Introduction 2

8 Primes and Modular Arithmetic

Basic elements of number theory

Quantum Error Correction Codes-From Qubit to Qudit. Xiaoyi Tang, Paul McGuirk

Basic elements of number theory

CPSC 467b: Cryptography and Computer Security

arxiv:math/ v1 [math.nt] 16 Jan 2003

Primality Proofs. Geoffrey Exoo Department of Mathematics and Computer Science Indiana State University Terre Haute, IN

Transcription:

Introduction to Quantum Information Processing QIC 71 / CS 768 / PH 767 / CO 681 / AM 871 Lecture 8 (217) Jon Yard QNC 3126 jyard@uwaterloo.ca http://math.uwaterloo.ca/~jyard/qic71 1

Recap of: Eigenvalue estimation problem (a.k.a. phase estimation) 2

a b Generalized controlled-u gates U a U a b I U a 1 : a m b 1 : b n U a 1 : a m U a 1 a m b I U U 2 U 2 m 1 Example: 11111 111U 13 11 3

Eigenvalue estimation problem U is a unitary operation on n qubits ψ is an eigenvector of U, with eigenvalue e 2πiφ ( φ < 1) Input: black-box for m qubits and a copy of ψ U n qubits Output: φ (m-bit approximation) Algorithm: one query to generalized controlled-u gate O n 2 auxiliary gates Success probability 4/ 2.4 Note: with 2m-qubit control gate, error probability is exponentially small 4

Order-finding via eigenvalue estimation 5

Order-finding problem Let m be an n-bit integer Def: Z m = {x {1,2,, m 1} gcd(x, m) = 1} a group (mult.) Def: ord m (a) is the minimum r > such that a r 1 mod m Order-finding problem: given m and a Z m find ord m (a) Example: Z 21 = {1,2,4,5,8,1,11,13,16,17,19,2} The powers of 5 are: 1, 5, 4, 2, 16, 17, 1, 5, 4, 2, 16, 17, 1, 5, Therefore, ord 21 (5) = 6 Note: no classical polynomial-time algorithm is known for this problem it turns out that this is as hard as factoring 6

Order-finding algorithm (1) Define: U (an operation on n qubits) as: U y = ay mod m Define: ψ 1 r 1 Then = 1 r j= e 2πi 1/r j a j mod m U ψ 1 r 1 = 1 r j= e 2πi 1/r j a j+1 mod m r 1 = 1 r j= e 2πi(1/r) e 2πi 1/r (j+1) a j+1 mod m = e 2πi(1/r) ψ 1 Therefore ψ 1 is an eigenvector of U. Knowing the eigenvalue is equivalent to knowing 1/r, from which r can be determined. 7

Order-finding algorithm (2) U 2n qubits* n qubits Corresponds to the mapping x y x a x y mod m. Moreover, this mapping can be implemented with roughly O(n 2 ) gates. The eigenvalue estimation algorithm yields a 2n-bit estimate of 1/r (using the above mapping and the state ψ 1 ). From this, a good estimate of r can be calculated by taking the reciprocal, and rounding off to the nearest integer. Exercise: why are 2n bits necessary and sufficient for this? Big problem: how do we construct ψ 1 to begin with? * We re now using m for the modulus and setting the number of control qubits to 2n. 8

Bypassing the need for ψ 1 (1) Note: If we let r 1 ψ 1 = 1 r j= e 2πi 1/r j a j mod m ψ 2 ψ k ψ r r 1 = 1 r e 2πi 2/r j a j mod m j= r 1 = 1 r e 2πi k/r j a j mod m j= r 1 = 1 r e 2πi r/r j a j mod m j= then any one of these could be used in the previous procedure, giving an estimate of k/r. Then r = k k/r 1. What if k is chosen randomly and kept secret? 9

Bypassing the need for ψ 1 (2) What if k is chosen randomly and kept secret? Can still uniquely determine k and r from a 2n-bit estimate of k/r, provided they have no common factors, using the continued fractions algorithm*. Note: If k and r have a common factor, it is impossible because, for example, 2/3 and 34/51 are indistinguishable So this is fine as long as k and r are relatively prime * For a discussion of the continued fractions algorithm, please see Appendix A4.4 in [Nielsen & Chuang] 1

Bypassing the need for ψ 1 (3) What is the probability that k and r are relatively prime? Recall that k is randomly chosen from {1,, r}. The probability that this occurs is φ(r)/r, where φ is Euler s totient function (defined as the cardinality of Z r ). It is known that φ r = Ω(r/ log log(r)), which implies that this probability is at least Ω(1/ log log(r)) = Ω(1/ log(n)). Therefore, the success probability is at least Ω(1/ log(n)). Is this good enough? Yes, because it means that the success probability can be amplified to any constant < 1 by repeating O(log n) times (so still polynomial in n). But we d still need to generate a random ψ k here 11

Bypassing the need for ψ 1 (4) Returning to the phase estimation problem, suppose that ψ 1 and ψ 2 are orthogonal, with eigenvalues e 2πiφ 1 and e 2πiφ 2, and that α 1 ψ 1 + α 2 ψ 2 is used in place of an eigenvector: H H H F m α 1 ψ 1 + α 2 ψ 2 U What will the outcome of the measurement be? It can be shown* that the outcome will be an estimate of φ 1 with probability α 1 2 φ 2 with probability α 2 2 * Showing this is straightforward, but not entirely trivial. 12

Bypassing the need for ψ 1 (5) Along these lines, the state 1 r r k=1 ψ k yields the same outcome as using a random ψ k (but not being given k), where each k {1,, r} occurs with probability 1/r. This is a case that we ve already solved. So now all we have to do is construct the state. In fact, this is something that is easy, since 1 r k=1 r r r 1 ψ k = 1 r k=1 e 2πi k/r j a j mod m = 1 j= This is how the previous requirement for ψ 1 is bypassed. 13

Quantum algorithm for order-finding 1 H H H U a,m H inverse QFT 4 8 H 4 H measure these qubits and apply continued fractions algorithm to determine a quotient, whose denominator divides r U a,m y = a y mod m Number of gates for Ω(1/ log n) success probability is: O(n 2 log n log log(n)) For constant success probability, repeat O(log n) times and take the smallest resulting r such that a r 1 mod m 14

Reducing factoring to order finding 15

The integer factorization problem Input: m (n-bit integer; we can assume it is composite) Output: h, h > 1 such that hh = m. Note 1: no efficient (polynomial-time) classical algorithm is known for this problem. Note 2: given any efficient algorithm for the above, we can recursively apply it to fully factor m into primes efficiently. Note 3: polynomial-time classical algorithms for primality testing: Miller-Rabin - randomized Agrawal Kayal Saxena (AKS) - deterministic, but slower sage: is_prime(m) uses PARI implementation of ECPP (Elliptic Curve Primality Proving) - randomized and faster 16

Factoring prime-powers There is a straightforward efficient classical algorithm for recognizing and factoring numbers of the form m = p k, for some (unknown) prime p. What is this algorithm? Hint: If in fact m = p k, then k log 2 m n. Therefore, the interesting remaining case is where m has at least two distinct prime factors. 17

Numbers other than prime-powers Problem. Given odd composite m p k, compute nontrivial divisor h of m. Proposed quantum algorithm (repeatedly do): 1. randomly choose a {2, 3,, m 1} 2. compute h = gcd(a, m) 3. if h > 1 then output h, m/h else compute r = ord m (a) (quantum part) if r is even then compute x = a r/2 1 mod m compute h = gcd(x, m) if h > 1 then output h, m/h Analysis Assume we find an a with r = ord m a even. This means m a r 1. So m a r/2 + 1 a r/2 1. Thus, either m a r/2 + 1 or gcd a r/2 1, m is a nontrivial divisor of m. At least half (actually a 1 2 #odd prime factors of m fraction) of the a {2, 3,, m 1} have ord m (a) even and result in gcd a r/2 1, m being a nontrivial divisor of m (see Shor s 1995 paper for details). 18

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback