Stanfod Univesity CS59Q: Quantum Computing Handout 8 Luca Tevisan Octobe 8, 0 Lectue 8 In which we use the quantum Fouie tansfom to solve the peiod-finding poblem. The Peiod Finding Poblem Let f : {0,..., } {0,..., } be a peiodic function of peiod, meaning that x {0,..., } we have that f(x) = f(x + ) and the values f(x), f(x + ),..., f(x + ) ae all distinct. Suppose also that = m is a powe of and that /. Today we will descibe a quantum algoithm that finds in time polynomial in m and in the size of a classical cicuit computing f. The impotance of the peiod-finding poblem is that, as we will see next time, the intege factoing poblem educes to it, and so the quantum polynomial time fo peiod-finding yields a quantum polynomial time algoithm fo intege factoing. The Algoithm The algoithm is essentially identical to the algoithm fo the Boolean peiod-finding poblem discussed in the last lectue.. Ceate the quantum state x x f(x) Let U f be a unitay tansfomation on l = m + m + O(S) bits that maps x 0 0 0 0 to x f(x) 0 0, whee S is the size of a classical cicuit that computes f. We constuct a cicuit ove l qubits that fist applies Hadamad gates to each of the fist m qubits. Afte these opeations, stating fom the input 0 l we get x 0 l m. Then we apply U f, which gives us the state x f(x) 0 l m. Fom this point on, we ignoe the last l m wies.
. easue the last m bits of the state The outcome of this measuement will be a possible output y of f( ). Let us call x 0 the smallest input such that f(x 0 ) = y. Fo such an outcome, the esidual state will be [ [ x 0 + t f(x 0 ) whee [/ stands fo / o fo / depending on x 0. Fom this point on we ignoe the last n bits of the state because they have been fixed by the measuement. 3. Apply the Fouie tansfom to the fist m bits The state becomes whee ω = e πi/. 4. easue the fist m bits. [ [ ω (x0+t) s s s The measuement will give us an intege s with pobability [ ω x0s = [ [ [ ω (x 0+t) s ω ts We will now discuss how to use the measuement done in step (4) in ode to estimate. The point will be that, with noticeably high pobability, s/ will be close to k/ fo a andom k, and this infomation will be sufficient to identify, afte executing the algoithm a few times in ode to obtain multiple samples. The key to the analysis is to undestand the pobability distibution of outcomes of the measuement in step (4). The analysis is simple in the special case in which divides, so we begin with this special case.
3 If is a ultiple of Suppose that q := / is an intege, and let us call a value s good if s is a multiple of q. Note that thee ae exactly good values of s, namely 0, /, /,...,. If s is good, then, fo evey t, ts is a multiple of, and so ω ts =, and the pobability that s is sampled is /, and so the good values of s contain all the pobability mass of the distibution.. This means that in step 4 we sample a numbe s which is unifomly distibuted in {0, /, /,..., }, and the ational numbe s/, which we can compute afte sampling s, is of the fom k/ fo a andom k {0,..., }. Afte simplifying the faction s/, we get copime integes a, b such that s = a ; if k and ae copime, b then = b, othewise b is a diviso of. If we execute the algoithm twice, we get two numbes s, s such that s i / = k i / fo andom k, k. If we compute the simplified factions a i b i = s i, then each b i is eithe o a diviso of and, moe pecisely, we have b i = / gcd(k i, ). Now, if gcd(k, ) and gcd(k, ) ae copime, then = lcm(b, b ). This gives us a quantum algoithm that computes and whose eo pobability is the pobability that picking two andom numbe k, k {0,..., } we have that, k, k all shae a common facto. The pobability that this happens is at most the pobability that k, k shae a common facto, which is at most p pime P[k multiple of p k multiple of p p pime p < n = π 6 <.65 n So we have at least a pobability of about /3 of finding the coect, and this can be boosted to be abitaily close to by epeating the algoithm seveal times. (A final note: if we epeat the algoithm seveal times, we collect seveal values,..., a such that, with high pobability, at least one of them is the coect peiod. How do we find the coect peiod out of this list? Fist of all we check fo each i whethe, say, f(0) = f( i ), and if not we emove it fom the list. The emaining values ae eithe the coect peiod o multiples of the coect peiod. We then output the smallest value of the emaining ones.) 4 The Geneal Case Suppose now that, as will usually be the case in the application to factoing, does not divide. Fo the geneal case, we will develop an appoximate vesion of the agument of the pevious section. We will define a value of s to be good if 3
s is appoximately a multiple of, we will show that thee ae appoximately good values of s, each with pobability appoximately appoximately /, so that the measuement at step (4) will give us with good pobability a value of s such that s/ is close to a multiple of /, fom which we will be able to get a diviso of, and then, by epeating the algoithm seveal times, the actual value of. Befoe ealizing the above plan, let us conside a concete example, to get a sense of what we may hope fo. Suppose that = 8 = 56, that = 0, and that, at step (), we measued a value y equal to f(3). Then, at step (4), the pobability of the vaious values of s ae as in the gaph below: If = 0 had been a diviso of, we would expect 0 values of s to have pobability. each, those being the multiples of /0, and all the othe values to have pobability 0. In the above example, s = 0 and s = 8, which ae the only intege multiples of /0 = 5.6 have the highest pobability, which is about.05. The values s = 5 and s = 6 ae both close to /0, but neithe is vey close, and thei pobabilities ae.046 and.057 espectively. The value s = 5 is quite close to /0 = 5., and its pobability is.0885, much close to the 0% pobability of the ideal case. The next nea-multiple is s = 77 3 /0 = 76.8, which also has pobability.0885. The next pobability spike is nea 4 /0 = 0.4 and it is split between s = 0 and s = 03, which have pobability.057 and.046, espectively, and so on. A couple of obsevations that follow fom the above calculations ae that () the pobability of sampling a value s depends entiely on the diffeence between s and the closest multiple of / o, equivalently, it depends exclusively on s mod, a fact that is easy to veify igoously, and that () the values of s that diffe by less than / fom the closest multiple of / have an oveall pobability of moe than 80% (in fact, nealy 90%) of being sampled. We will give a igoous poof of a weake bound that holds in geneal. 4
Definition (Good s) We say that a value of s is good if s mod Lemma Evey good s has pobability at least 8 o(/) of being sampled. Poof: We need to estimate P[outcome s = [ [ ω ts = [ [ e πi ts (Recall that ω = e πi/, and that conjugation does not affect the magnitude of a complex numbe.) Let us conside the case 0 s mod, and the othe case will be analogous. Call g := (s mod )/. Then [ e πi ts = [ e πigt So we ae summing e θi fo values of θ that ange fom 0 to πg π in [/ equal incements. Thinking of complex numbes as two-dimensional vectos, we ae summing [/ equally spaced unit vectos within an angle of π. This means that at least half of the vectos in the sum fom an angle of π/4 with the sum vecto, and each of those contibutes at least / to the sum vecto. This means that the magnitude (length) of the sum is at least [ and the oveall pobability of s is at least [ 8 [ ( o()) 8 This seems consideably less than the pobabilities we saw in the example above, whee the good s had pobability at least.057, which was.57/. Indeed the lowe bound could be impoved to 4 >.405 by poving the following π Claim 3 Fo evey good s [ e πi st ( o()) 4 π 5
Poof:[Sketch Again we will only look at the case 0 s mod. Ignoing the diffeence between [/ and / (which will be accounted fo in the o() eo tem, we want to study which we can think of as E t {0,.../ } e πi st e πi st and if we call θ max := π (s mod ) (note that 0 θ max π) we can appoximate the discete set {π st : t = 0,... / } with the continuous inteval [0, θ max, so that, up to an eo that is accounted fo in the o(), we have to bound the expectation E θ [0,θ max e iθ = θ max θmax 0 e iθ dθ = ( cos θ θmax max ) The function in the ight-hand side of the above equation is monotone deceasing fo 0 θ max π, and so its minimum is achieved at θ max = π, and it is 4/π. Lemma 4 Thee ae at least good s Poof: Fo evey k {0,..., }, thee must be an intege s k in the inteval [k/ /, k/ + /, and such an intege satisfies / s k mod /. Futhemoe, the integes s k ae all distinct because they belong to disjoint intevals. Suppose now that we have measued a good s at step (4). Then, fo some k, we have s k /, that is s k Now we want to see how to use such an s to find the exact atio k/. Fist of all, let us see that this is possible in pinciple. Fact 5 If a b and a b ae two diffeent ationals such that b, b D, then a b a b D 6
Poof: The diffeence is a multiple of bb. This means that if we have a eal numbe ρ, and a bound D, then thee can be at most one ational numbe a/b with b D such that ρ a/b < /D. Inteestingly, if such a numbe exists, it can be found efficiently. Fact 6 (Continued Faction Algoithm) Given a eal numbe ρ and a bound D, thee is a O((log D) O() ) time algoithm that finds the unique ational numbe a/b with b D such that ρ a/b /D, if such a numbe exists. Putting it all togethe, the measuement at step (4) gives us, with Ω() pobability, a good s, and fom such an s, using the fact that, fo some k, s/ k/ / and that <, we can use the continued faction algoithm to find copime a, b such that a/b = k/, which is the same outcome that we had eached in the pevious section. Futhemoe, each k has pobability Ω(/), and so thee is Ω() pobability that, epeating the algoithm twice, we obtain a /b = k / and a /b = k / whee k and k ae copime, so that lcm(b, b ) =. 7