Factoring on a Quantum Computer

Similar documents
Shor s Prime Factorization Algorithm

Quantum Computing. 6. Quantum Computer Architecture 7. Quantum Computers and Complexity

Introduction to Quantum Computing

Introduction to Quantum Computing for Folks

Introduction to Quantum Computing

Ph 219b/CS 219b. Exercises Due: Wednesday 20 November 2013

Richard Cleve David R. Cheriton School of Computer Science Institute for Quantum Computing University of Waterloo

Chapter 2. Basic Principles of Quantum mechanics

CSCI 2570 Introduction to Nanocomputing. Discrete Quantum Computation

Compute the Fourier transform on the first register to get x {0,1} n x 0.

Lecture 3: Hilbert spaces, tensor products

CS257 Discrete Quantum Computation

Lecture note 8: Quantum Algorithms

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Chapter 10. Quantum algorithms

Concepts and Algorithms of Scientific and Visual Computing Advanced Computation Models. CS448J, Autumn 2015, Stanford University Dominik L.

Complex numbers: a quick review. Chapter 10. Quantum algorithms. Definition: where i = 1. Polar form of z = a + b i is z = re iθ, where

Shor s Quantum Factorization Algorithm

Advanced Cryptography Quantum Algorithms Christophe Petit

Quantum Computing Lecture 2. Review of Linear Algebra

Physics ; CS 4812 Problem Set 4

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

INTRODUCTION TO QUANTUM COMPUTING

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

1 Measurements, Tensor Products, and Entanglement

Linear Algebra and Dirac Notation, Pt. 1

Figure 1: Circuit for Simon s Algorithm. The above circuit corresponds to the following sequence of transformations.

Quantum Computation and Communication

QLang: Qubit Language

First, let's review classical factoring algorithm (again, we will factor N=15 but pick different number)

Introduction to Quantum Information Processing

Unitary evolution: this axiom governs how the state of the quantum system evolves in time.

Short Course in Quantum Information Lecture 2

Introduction to Quantum Computing

Lecture 3: Constructing a Quantum Model

. Here we are using the standard inner-product over C k to define orthogonality. Recall that the inner-product of two vectors φ = i α i.

Shor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017

Quantum Information & Quantum Computing

Lecture 2: From Classical to Quantum Model of Computation

Some Introductory Notes on Quantum Computing

Security Implications of Quantum Technologies

Quantum computing! quantum gates! Fisica dell Energia!

Hilbert Space, Entanglement, Quantum Gates, Bell States, Superdense Coding.

Quantum Information & Quantum Computation

Introduction to Quantum Computing

QUANTUM COMPUTING. Part II. Jean V. Bellissard. Georgia Institute of Technology & Institut Universitaire de France

Shor Factorization Algorithm

Simon s algorithm (1994)

Introduction to Quantum Algorithms Part I: Quantum Gates and Simon s Algorithm

Ph 219b/CS 219b. Exercises Due: Wednesday 21 November 2018 H = 1 ( ) 1 1. in quantum circuit notation, we denote the Hadamard gate as

arxiv:quant-ph/ v2 19 Jan 2000

QUANTUM COMPUTER SIMULATION

Experimental Realization of Shor s Quantum Factoring Algorithm

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Quantum algorithms for computing short discrete logarithms and factoring RSA integers

Quantum Computation. Alessandra Di Pierro Computational models (Circuits, QTM) Algorithms (QFT, Quantum search)

Quantum Computers. Peter Shor MIT

Introduction into Quantum Computations Alexei Ashikhmin Bell Labs

Quantum Cryptography. Marshall Roth March 9, 2007

Lecture 11 - Basic Number Theory.

Reversible and Quantum computing. Fisica dell Energia - a.a. 2015/2016

Quantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 1: Quantum circuits and the abelian QFT

Quantum Computer Simulation Using CUDA (Quantum Fourier Transform Algorithm)

Measuring progress in Shor s factoring algorithm

Quantum Computing Lecture 6. Quantum Search

Principles of Quantum Mechanics Pt. 2

Classical RSA algorithm

Quantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem

Fourier Sampling & Simon s Algorithm

2. Introduction to quantum mechanics

An Introduction to Quantum Computing for Non-Physicists

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Cryptography in the Quantum Era. Tomas Rosa and Jiri Pavlu Cryptology and Biometrics Competence Centre, Raiffeisen BANK International

Quantum Gates, Circuits & Teleportation

1 Fundamental physical postulates. C/CS/Phys C191 Quantum Mechanics in a Nutshell I 10/04/07 Fall 2007 Lecture 12

QFT, Period Finding & Shor s Algorithm

Ph 219b/CS 219b. Exercises Due: Wednesday 22 February 2006

2.0 Basic Elements of a Quantum Information Processor. 2.1 Classical information processing The carrier of information

Qubit Recycling. Ran Chu. May 4, 2016

Introduction to Quantum Computation

Quantum Information & Quantum Computation

6.080/6.089 GITCS May 6-8, Lecture 22/23. α 0 + β 1. α 2 + β 2 = 1

Lecture 11 September 30, 2015

Factoring integers with a quantum computer

Quantum Computing. Thorsten Altenkirch

Quantum Computation 650 Spring 2009 Lectures The World of Quantum Information. Quantum Information: fundamental principles

)j > Riley Tipton Perry University of New South Wales, Australia. World Scientific CHENNAI

QUANTUM CRYPTOGRAPHY QUANTUM COMPUTING. Philippe Grangier, Institut d'optique, Orsay. from basic principles to practical realizations.

SUPERDENSE CODING AND QUANTUM TELEPORTATION

Quantum Computing 1. Multi-Qubit System. Goutam Biswas. Lect 2

Quantum Mechanics- I Prof. Dr. S. Lakshmi Bala Department of Physics Indian Institute of Technology, Madras

Introduction to Quantum Computing

Quantum Computing. Vraj Parikh B.E.-G.H.Patel College of Engineering & Technology, Anand (Affiliated with GTU) Abstract HISTORY OF QUANTUM COMPUTING-

C/CS/Phys 191 Quantum Gates and Universality 9/22/05 Fall 2005 Lecture 8. a b b d. w. Therefore, U preserves norms and angles (up to sign).

Tensor product Take two tensors, get together enough inputs to feed into both, and take the product of their results.

2 A Fourier Transform for Bivariate Functions

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139

Quantum Mechanics- I Prof. Dr. S. Lakshmi Bala Department of Physics Indian Institute of Technology, Madras

Universal quantum computers

A brief survey on quantum computing

Transcription:

Factoring on a Quantum Computer The Essence Shor s Algorithm Wolfgang Polak wp@pocs.com Thanks to: Eleanor Rieffel Fuji Xerox Palo Alto Laboratory Wolfgang Polak San Jose State University, 4-14-010 - p. 1

Why is factoring interesting? Factoring and computing discrete logarithms is presumed hard on classical computers. There is no proof. Best algorithm for factoring an n-bit number: O ( exp ( ( 64 9 n)1/3 (log n) /3)). All practical public key encryption systems are based on one of these problems. RSA (Rivest, Shamir and Adleman) factoring ElGamal (Taher ElGamal) discrete logarithms DSA (Digital Signature Algorithm) discrete logarithms over elliptic curves. There are no known (practical) alternatives for public key encryption. A quantum computer can solve both problems in polynomial time. Dire consequences: digital signatures become forgeable, e-commerce seizes, etc. Wolfgang Polak San Jose State University, 4-14-010 - p.

Overview Quantum Mechanics Quantum States State Transformations Measurement Quantum Computation Use of quantum state transformation, measurement to compute Time: number of primitive transformations required. Space: size (dimension) of the quantum state required. Discrete Fourier Transform Useful for finding the period of a function Efficient implementation on a quantum computer. Factoring Reduced to period finding Use quantum Fourier transform Wolfgang Polak San Jose State University, 4-14-010 - p. 3

Quantum Mechanics I think I can safely say that nobody understands quantum mechanics. Richard Feynman Work from a set of axioms (postulates in physics) - simplified for discrete quantum systems: Ax 1: The state space of a binary quantum system is a -dimensional complex vector space. Ax : The state space of multiple binary quantum systems is the tensor product of the individual state spaces. Ax 3: Transformations of quantum states are unitary. Ax 4: Measurement of a quantum system is a probabilistic projection on one of several orthogonal subspaces. Wolfgang Polak San Jose State University, 4-14-010 - p. 4

Binary Quantum Systems Ax 1: The state space of a binary quantum system is a - dimensional complex vector space. More precisely: CP 1, the complex projective space of dimension 1. Convention: (i) quantum states are unit vectors (ii) two states are the same if they differ by a constant factor (phase). Bra-Ket notation: vectors that represent quantum states [Paul Dirac]: x Vector labeled x column vector, x, x x Conjugate transpose row vector, x x y = x y Inner product x y x y = 0 Orthogonal vectors x y = 0 x x = x Length x x x = 1 Unit vector x x = 1 x y Outer product a matrix Example: ( x y ) y = x ( y y ) = x. Wolfgang Polak San Jose State University, 4-14-010 - p. 5

Binary Quantum Systems - Example Examples of binary quantum systems: electron spin, ground/excited state, photon polarization. vertical polarization horizontal polarization {, } basis, i.e. = 0 1 ( + ) 1 ( + i ) { 1 ( + ), 1 ( )} linear combination aka superposition a different basis Example: 1 ( + ) 1 ( ) = 1 ( + ). = 1 (1 1 + 0 0) = 0 Caution: + and are the same quantum state, but 1/ ( + ) and 1/ ( ) are different Wolfgang Polak San Jose State University, 4-14-010 - p. 6

Quantum Bits A quantum bit or qubit is a -dimensional quantum system. The state space B (1) of a qubit has (computational) basis states 0 and 1 encoding 0 and 1. Unlike classical bits, qubits can be in superposition states, e.g. 1 ( 0 + 1 ). does NOT mean 0.5, NEITHER randomly 0 or 1, maybe 0 and 1 at the same time. A general qubit state is a 0 + b 1 for complex a, b with a + b = 1. Qubit: unit of quantum information, different from classical information. The essence of quantum computation is not the use of quantum effects (every transistor does that) it is the use of quantum, not classical information. Wolfgang Polak San Jose State University, 4-14-010 - p. 7

Multi-qubit State Spaces Ax : The state space of multiple binary quantum systems is the tensor product of the individual state spaces. If V 1 has basis {a 1,...,a k } and V has basis {b 1,...,b n }, V 1 V has basis {a i b j 1 i k, 1 j n}. dim(v 1 V ) = dim(v 1 ) dim(v ). Notation: x y = x y = xy. The -qubit state space B () has computational basis { 00, 01, 10, 11 }. The state space B (n) of an n-qubit system is a n dimensional complex vector space with computational basis { 00...00, 00...01,..., 11...10, 11...11 }. Notation: 6 = 110 (when n is understood) A general n-qubit state: n 1 i=0 a i i, s.t. i a i = 1. Wolfgang Polak San Jose State University, 4-14-010 - p. 8

Quantum State Transformations Ax 3: Transformations of quantum states are unitary. Possible quantum state transformations are subject to physical constraints unitary U = U 1 length preserving, linear basis change inner product preserving rotation = reversible. It suffices to specify transformation for some basis: I : 0 0 1 1 X : 0 1 1 0 Z : 0 0 1 1 H : 0 1 ( 0 + 1 ) 1 1 ( 0 1 ) C not : 00 00 01 01 10 11 11 10 Wolfgang Polak San Jose State University, 4-14-010 - p. 9

Realizing Transformations Complex, high-dimensional transformation can be composed from primitive ones called quantum gates. Sequential composition (product): HXH[= Z], Tensor product: I X I, a transformation of one of 3 qubits. Complete set of gates: can be composed to realize any unitary transformation. Computational complexity: number of primitive gates required to realize a unitary transformation. A complete (infinite) gate set: C not together with R(β) and P(α) R(β) : 0 cos β 0 + sinβ 1 1 sin β 0 + cos β 1 P(α) : 0 e iα 0 1 e iα 1 There is no complete finite set of gates. Wolfgang Polak San Jose State University, 4-14-010 - p. 10

Quantum Measurement Ax 4: Measurement of a quantum system is a probabilistic projection on one of several orthogonal subspaces. Single qubit case: Basis { 0, 1 } defines two subspaces, x 0 and y 1. b 1 Measuring qubit a 0 + b 1 in the computational basis { 0, 1 } returns 0 with probability a, state becomes 0 returns 1 with probability b, state becomes 1 a 0 Measurement changes the state unless it is one of the basis states of the measurement. Measurement of a qubit provides only one classical bit of information. Wolfgang Polak San Jose State University, 4-14-010 - p. 11

Qubit Measurement in Context Measuring qubit k of an n qubit system. Single qubit basis { 0, 1 } defines two subspaces: S 0 = B (k 1) { 0 } B (n k 1) S 1 = B (k 1) { 1 } B (n k 1) Write ψ B (n) as ψ = c 0 ψ 0 + c 1 ψ 1 with ψ 0 S 0, ψ 1 S 1. Measuring qubit k of ψ results in 0 with probability c 0, changing ψ to ψ 0 results in 1 with probability c 1, changing ψ to ψ 1. Example: measure nd qubit of ψ = a 001 + b 100 + c 110. Let c 0 = ( ) 1 c a then ψ = c 0 c 0 001 + b c 0 100 + c 110 0 with probability c 0 = 1 c, new state a c 0 001 + a c 0 100 1 with probability c, new state 110. Measure multiple qubits one qubit at a time (commutative). Wolfgang Polak San Jose State University, 4-14-010 - p. 1

Measurement No Cloning Theorem: Proof: An unknown quantum state x cannot be copied, not by measurement, not by any other means. Measurement yields only one classical bit of information. Assume U c were a cloning transformation, such that for all x : U c ( x 0 ) = x x. Consider orthogonal a and b and let c = 1 ( a + b ). By linearity: U c ( c 0 ) = 1 (U c ( a 0 ) + U c ( b 0 )) = 1 ( a a + b b ). By cloning: U c ( c 0 ) = c c = 1 ( a a + a b + b a + b b. Thus, there cannot be a cloning transformation. Note: given a, b, a 0 + b 1 can be constructed efficiently. Wolfgang Polak San Jose State University, 4-14-010 - p. 13

Entangled States Most n-qubit states cannot be written as the tensor product of states. These states are called entangled. 1 Examples: 1 ( 00 + 11 ), ( 01 + 10 ) (a 0 0 + b 0 1 ) (a 1 0 + b 1 1 ) = a 0 a 1 00 + a 0 b 1 01 + b 0 a 1 10 + b 0 b 1 11 a 0 a 1 00 + 0 01 + 0 10 + b 0 b 1 11 = 1 ( 00 + 11 ) Entanglement depends on the tensor decomposition of the state. 1 Measurement of ( 00 + 11 ): Measurement of first qubit yields either 0 or 1. Measurement projects the state to either 00 or 11. Measurement of the second qubit will give the same result as measurement of the first. Wolfgang Polak San Jose State University, 4-14-010 - p. 14

Quantum Computation A quantum computation consists of initialization of n-qubit register, quantum state transformation of n-qubit state by a sequence of primitive (1,,3-qubit) transformations that collectively perform the transformation of the register, measurement of some of the qubits of the register, classical control to, interpret results of quantum measurement iterate quantum steps For each classical algorithm with time/space complexity t/s there exist a classical reversible algorithm with time O(t 1+ǫ ) and space O(s logt) complexity. For each classical reversible algorithm there is a unitary transformation with the same complexity. Wolfgang Polak San Jose State University, 4-14-010 - p. 15

Quantum Parallelism For any classical function f : Z n Z m there is a unitary transformation U f on n + m qubits such that for x Z n: U f x 0 = x f(x). By linearity, U f works on superpositions: ( 1 U f n n 1 x=0 x, 0 ) = 1 n n 1 x=0 U f x, 0 = 1 n n 1 x=0 x, f(x). Apparent exponential number of computations!? Exponential size superposition can be created in linear time Hadamard transformation H 0 = 1 ( 0 + 1 ), thus H (n) 0...0 = 1 n n 1 x=0 x. Wolfgang Polak San Jose State University, 4-14-010 - p. 16

Is Quantum Parallelism Useful? How can we exploit 1 n n 1 x=0 x, f(x)? Measurement of all qubits gives x 0, f(x 0 ) for some random x 0. Measurement of the last m qubits gives some u and collapses the state to c x u x f 1 (u) i.e., the first n qubits are a superposition of the preimage of u. Two strategies: 1. adjust amplitudes a x so that values of interest are read with higher probability. compute properties of f or its preimage through Fourier Transform Wolfgang Polak San Jose State University, 4-14-010 - p. 17

Discrete Fourier Transform N-th root of unity ω N = exp( πi N ): = 1 for k = 0 modn. ω k N N 1 i=0 ωik N = 0 for k 0 mod N. Discrete Fourier transform F : C N C N. As matrix, F ij = 1 N ω ij N. F is unitary. Proof: rows F i of F are unit length and orthogonal, i.e., F i F j = δ ij. Let pk = N: If [ v i is non-zero iff i + m is a multiple of p ] (Fv) i = then [ (Fv) i is non-zero iff i is a multiple of N p ]. N 1 j=0 F ij v j = c k 1 r=0 ω ipr N k 1 = c r=0 ω ir k = kc if i = 0 modk 0 otherwise Result is approximate if p does not divide N. Wolfgang Polak San Jose State University, 4-14-010 - p. 18

Fast Fourier Transform FFT = efficient algorithm of DFT for N = n based on recursive decomposition of F : F (0) = 1 F (k) = 1 D (k 1) ij = R (k 1) ij = I(k 1) I (k 1) 0 if i j ω i k otherwise 1 if i = j D (k 1) D (k 1) 1 if i k + 1 = j 0 otherwise F (k 1) 0 0 F (k 1) R (k) Wolfgang Polak San Jose State University, 4-14-010 - p. 19

Quantum Fourier Transforms Q : B (n) B (n) x Q x Q i = 1 N N 1 j=0 ωij N j, N = n Q N 1 i=0 a i i = 1 N 1 N j=0 N 1 i=0 N 1 a i ω ij N j = (Fa) j j j=0 FFT recursive decomposition applies. In bra/ket notation: Q (1) = H Q (k) = 1 M (k) (I Q (k 1) )R (k) M (k) = 1 ( 0 + 1 ) 0 I (k 1) + 1 ( 0 1 ) 0 D (k 1) D (k) = D (k 1) ( 0 0 + ω k+1 1 1 ) R (k) = trivial swap of qubits Wolfgang Polak San Jose State University, 4-14-010 - p. 0

Fast vs Quantum Fourier Transform classical FFT requires explicit representation of exponentially (in n) many complex coefficients. in QFT coefficients are implicit in amplitudes of a single superposition of index values of an n-qubit state. FFT QFT Data structure C n B (n) Space complexity n complex numbers n qubits Time complexity O(n n ) O(n ) Wolfgang Polak San Jose State University, 4-14-010 - p. 1

Factoring by Period-Finding The order of a modm is the least p > 0 such that a p = 1 modm. p is finite when a and M are relative prime. a k = a k+p mod M iff a p = 1 modm Let g(k) = a k modm then g(k) = g(k + p) and p is the period of g. If p, the order of a mod M, is even (a p/ + 1)(a p/ 1) = a p 1 = 0 mod M. If neither a p/ + 1 nor a p/ 1 is a multiple of M, gcd(a p/ + 1, M) or gcd(a p/ 1, M) is a non-trivial factor of M. Shor s algorithm factors M by using QFT to compute the period of g(k) = a k mod M. Wolfgang Polak San Jose State University, 4-14-010 - p.

Shor s Algorithm Input: an n-bit number M, output: a non-trivial factor of M: 1. pick random a, 0 < a < M. If gcd(a, M) 1 we have a factor.. for g(k) = a k mod M compute the n qubit state 1 n 1 n k=0 k, g(k) = U g(h (n) I (n) ) 0, 0. 3. measure right-most n qubits, yielding some u. 4. the state collapses to c n 1 k=0 v k k, u with v k = v k is non-zero iff k + m is a multiple of p. 1 if g(k) = u 0 otherwise 5. perform QFT on the first n qubits giving c n 1 j=0 w j j, w = Fv. 6. measure the result, some j 0. j 0 will be close to n p. 7. conjecture a likely period p from j 0 (uses continued fraction expansion) 8. see if gcd(a p/ ± 1, M) is a nontrivial factor 9. repeat steps 1 through 8 if necessary. Wolfgang Polak San Jose State University, 4-14-010 - p. 3

Conclusion If the computers that you build are quantum, Then spies everywhere will all want em. Our codes will all fail, And they ll read our email, Till we get crypto that s quantum, and daunt em. Jennifer and Peter Shor Wolfgang Polak San Jose State University, 4-14-010 - p. 4

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback