Figure 1: Circuit for Simon s Algorithm. The above circuit corresponds to the following sequence of transformations.

Similar documents
QFT, Period Finding & Shor s Algorithm

Shor s Prime Factorization Algorithm

Introduction to Quantum Computing

Compute the Fourier transform on the first register to get x {0,1} n x 0.

C/CS/Phys 191 Shor s order (period) finding algorithm and factoring 11/01/05 Fall 2005 Lecture 19

Phase estimation. p. 1/24

Fourier Sampling & Simon s Algorithm

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Quantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 1: Quantum circuits and the abelian QFT

2 A Fourier Transform for Bivariate Functions

Shor Factorization Algorithm

QIP Note: On the Quantum Fourier Transform and Applications

Introduction to Quantum Computing

Math 109 HW 9 Solutions

Factoring on a Quantum Computer

Discrete Math, Fourteenth Problem Set (July 18)

Quantum Computing. 6. Quantum Computer Architecture 7. Quantum Computers and Complexity

Shor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017

Classical RSA algorithm

Short Course in Quantum Information Lecture 5

Ph 219b/CS 219b. Exercises Due: Wednesday 4 December 2013

Simon s algorithm (1994)

Factoring integers with a quantum computer

First, let's review classical factoring algorithm (again, we will factor N=15 but pick different number)

Number theory (Chapter 4)

A Glimpse of Quantum Computation

Lecture note 8: Quantum Algorithms

QUANTUM COMPUTATION. Lecture notes. Ashley Montanaro, University of Bristol 1 Introduction 2

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Advanced Cryptography Quantum Algorithms Christophe Petit

Lecture 9: Phase Estimation

Introduction to Quantum Computing

Measuring progress in Shor s factoring algorithm

α x x 0 α x x f(x) α x x α x ( 1) f(x) x f(x) x f(x) α x = α x x 2

Theoretical Cryptography, Lectures 18-20

Ph 219b/CS 219b. Exercises Due: Wednesday 20 November 2013

Quantum Computing: Foundations to Frontier Fall Lecture 3

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Discrete Mathematics and Probability Theory Fall 2013 Vazirani Note 3

Introduction to Quantum Information Processing CS 467 / CS 667 Phys 667 / Phys 767 C&O 481 / C&O 681

Lecture 6: Introducing Complexity

. Here we are using the standard inner-product over C k to define orthogonality. Recall that the inner-product of two vectors φ = i α i.

arxiv: v2 [quant-ph] 1 Aug 2017

Quantum Computing Lecture 7. Quantum Factoring

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

Simulating classical circuits with quantum circuits. The complexity class Reversible-P. Universal gate set for reversible circuits P = Reversible-P

Chinese Remainder Theorem

Solution Sheet (i) q = 5, r = 15 (ii) q = 58, r = 15 (iii) q = 3, r = 7 (iv) q = 6, r = (i) gcd (97, 157) = 1 = ,

Ma/CS 6a Class 4: Primality Testing

CS1800 Discrete Structures Final Version A

NOTE: You have 2 hours, please plan your time. Problems are not ordered by difficulty.

Simulation of quantum computers with probabilistic models

1 Randomized Computation

Lecture 7: Quantum Fourier Transform over Z N

Quantum Computation CMU BB, Fall Week 6 work: Oct. 11 Oct hour week Obligatory problems are marked with [ ]

ADVANCED QUANTUM INFORMATION THEORY

Basic elements of number theory

Basic elements of number theory

Quantum Computing and Shor s Algorithm

6.S897 Algebra and Computation February 27, Lecture 6

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Divide and Conquer. Maximum/minimum. Median finding. CS125 Lecture 4 Fall 2016

Lecture 8: Linearity and Assignment Testing

Lecture 10: Eigenvalue Estimation

6.080/6.089 GITCS May 13, Lecture 24

Integer factorization, part 1: the Q sieve. D. J. Bernstein

Shor s Quantum Factorization Algorithm

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

Solutions to Problem Set 4 - Fall 2008 Due Tuesday, Oct. 7 at 1:00

1 Quantum Circuits. CS Quantum Complexity theory 1/31/07 Spring 2007 Lecture Class P - Polynomial Time

Quantum algorithms for computing short discrete logarithms and factoring RSA integers

Lecture 15: The Hidden Subgroup Problem

Quantum Algorithms Lecture #2. Stephen Jordan

Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Lecture 11 - Basic Number Theory.

Introduction to Quantum Information Processing

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5

Quantum Computation and Communication

Ph 219b/CS 219b. Exercises Due: Wednesday 22 February 2006

Lecture 9: Shor s Algorithm

Lecture 2: Continued fractions, rational approximations

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

DRAFT. Quantum Computation. Chapter 21

a = a i 2 i a = All such series are automatically convergent with respect to the standard norm, but note that this representation is not unique: i<0

D-MATH Algebra I HS18 Prof. Rahul Pandharipande. Solution 1. Arithmetic, Zorn s Lemma.

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Quantum computing. Shor s factoring algorithm. Dimitri Petritis. UFR de mathématiques Université de Rennes CNRS (UMR 6625) Rennes, 30 novembre 2018

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

QUANTUM COMPUTATION. Exercise sheet 1. Ashley Montanaro, University of Bristol H Z U = 1 2

CS 151 Complexity Theory Spring Solution Set 5

Number Theory. Modular Arithmetic

Introduction to Quantum Algorithms Part I: Quantum Gates and Simon s Algorithm

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

Discrete Mathematics GCD, LCM, RSA Algorithm

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Transcription:

CS 94 //09 Fourier Transform, Period Finding and Factoring in BQP Spring 009 Lecture 4 Recap: Simon s Algorithm Recall that in the Simon s problem, we are given a function f : Z n Zn (i.e. from n-bit strings to n-bit strings), with the promise that there is a non-zero string s Z n \ {0} such that for all x y, f(x) = f(y) if and only if x y = s. The challenge is to determine s. As we saw last time, the problem can be solved with the following circuit. [thin,scale=.5] [] (0.5,-0.5) ++(5.5,0); [] (0.5,-0.5) ++(5.5,0); [] (0.5,-0.75) ++(5.5,0); [] (0.5,-.5) ++(5.5,0); [] (0.5,-.5) ++(5.5,0); [] (5.75,0) ++(0,-) arc (-90:90:8pt and 4pt) ++(0.,-0.5) arc (90:0:0pt) ++(-0.4,0) [- ] ++(0.4,0.4); [left] at (0,-0.5) 0 ; [left] at (0,-.375) 0 ; [right] at (6,-.375) f(x) ; [rectangle,draw,fill=white,minimum height=40pt,minimum width=40pt,below] at (.5,0) H; [rectangle,draw,fill=white,minimum height=70pt,minimum width=40pt,below] at (3,0) U f ; [rectangle,draw,fill=white,minimum height=40pt,minimum width=40pt,below] at (4.5,0) H; Figure : Circuit for Simon s Algorithm The above circuit corresponds to the following sequence of transformations. 0 0 H n n x 0 for some numbers α y. x f n x f(x) x measure ( x0 + x0 s ) a (measuring the nd register, we observe a Z n such that a = f(x 0 ) = f(x 0 s)) H n n α y y a y Recall that the Hadamard transform of a general state x is so H n x = n ( ) x y y, α y = (( ) x 0 y +( ) (x 0 s) y ). y There are now two cases. For each y, if s y =, then α y = 0, whereas if s y = 0, then α y = ( ) x 0 y. CS 94, Spring 009, Lecture 4

When we observe the first register, we get a uniformly random y such that s y = s y + +s n y n = 0. We repeat to collect more and more equations, and recover s from n linearly independent equations. There is another way to view the final Hadamard transform. When we have x0 + x0 s, measuring immediately would destroy the state. That s why we transform it to another basis (the Hadamard basis) before measuring. Fourier Transform on Z for Integer Let f : Z C be a complex-valued function on Z. Its Fourier transform ˆf : Z C is given by ˆf(t) = f(x)ω xt x Z where ω = exp(πi/) is a primitive -th root of unity. If we write f as the vector f(0) f() f =. C, f( ) and similarly write ˆf as ˆf C, then the vectors f and ˆf are related by a change of basis ˆf = F f, where the matrix F takes the form ω ω ω 3 ω F = ω ω 4 ω 6 ω ω 3 ω 6 ω 9 ω 3 3,........ ω ω ω 3 3 ω ( )( ) that is, (i, j)-th entry of F is ω i j (if we ignore the normalization factor / ). 3 Classical Fast Fourier Transform Straightforward multiplication of the vector f by F would take Ω( ) steps because multiplication of f by each row requires multiplications. Exploiting the symmetry of F, it is possible to perform Fourier transform in O( log) operations when is a power of two, i.e. = m. This algorithm is known as fast Fourier transform (FFT). The idea is to rewrite the Fourier coefficients ˆf(j) as ˆf(j) = ω i j f(i) (where for simplicity we ignore the normalization factor / ) = ω i j f(i)+ ω i j f(i) i even i odd / = i =0 = (splitting into odd and even terms) / (ω i ) j f(i )+ω j (ω i ) j f(i + ) (write even i as i, odd as i + ) i =0 ( ) ( F / feven ( j)+ω j F / fodd )( j). CS 94, Spring 009, Lecture 4

v 0 v FT N/ FT N/ identity ----------------- w j + ---------------- multiplication by w j The above idea is summarized in the diagram below. Figure : A circuit for classical fast Fourier transform This representation gives a recursive algorithm for computing the Fourier transform in time T() = T(/) + O() = O( log). 4 Quantum Fourier Transform We continue to assume = m. Suppose a quantum state f on m qubits is given as f = x=0 f(x) x. Quantum Fourier transform (QFT) is the operation that maps f to ˆf, where ˆf = x=0 ˆf(x) x (and ˆf(x) are the Fourier coefficients of f ). As we shall see, QFT can be implemented by circuit of size O(log ). However, this does not constitute an exponential speed-up over the classical algorithm because the result of quantum Fourier transform is a superposition of states which can be observed, and any measurement can extract at most m = log bits of information. We now describe a circuit that implements quantum Fourier transform. Step : QFT / on the first m qubits Similar to the classical fast Fourier transform, we will split x f(x) x into odd and even terms. Hence x f(x) x = / f(i) i 0 + / f(i+) i. where i is written as i 0 because appending a zero to a binary number is the same as doubling the number (e.g. if i is 000 in binary, then i is 0000). In a quantum circuit for uantum Fourier transform, we will first apply QFT / on the first register (i.e. the first m qubits), obtaining / / α i i 0 + β i i CS 94, Spring 009, Lecture 4 3

st bit R most significant bits nd bit QFT / R least significant bit Figure 3: Circuit for quantum Fourier transform H for certain amplitudes α i and β i. Step : Controlled phase shifts Next, for each of the first m- qubits k ( k m), if both the k-th qubit and the last qubit are, then we need to multiply the phase by ω m k, and otherwise leave the phase unchanged. Thus, we apply the following transformations R k : k-th qubit last qubit {}}{{}}{ R k = ω m k R k 0 = 0 R k 0 = 0 R k 00 = 00 Hence, R k is just a controlled phase shift (with angle π/ k ). After the controlled phase shift, we get the state / Step 3: Hadamard gate / α i i 0 + ω i β i i. Finally, we apply a Hadamard gate to the last qubit, and end up with the state [ / α i i ( 0 + / )+ ω i β i i ( 0 ] ) = i (α i + ω i β i ) i 0 }{{} ith output +(α i ω i β i ) i i }{{} (i+/)th output Putting together, in the circuity above the quantum Fourier transform on m qubits corresponds to two Fourier transforms on m bits in the figure??. The controlled phase shifts correspond to multiplications by ω j in classical circuit. Finally, the Hadamard gate at the very end corresponds to the summation. The number of gates T() satisfies the recurrence relation T() = T(/) + log. Thus T() = O(log ).. CS 94, Spring 009, Lecture 4 4

5 Period Finding Period finding is the problem in which we are given a function f : Z C, with the promise that f is periodic with period r, i.e. there is a r such that for all x y, f(x) = f(y) if and only if x y mod r. The challenge is the find the period r. This problem can be solved efficiently using the following circuit. [thin,scale=.5] [] (0.5,-0.5) ++(5.5,0); [] (0.5,-0.5) ++(5.5,0); [] (0.5,-0.75) ++(5.5,0); [] (0.5,-.5) ++(5.5,0); [] (0.5,-.5) ++(5.5,0); [] (5.75,0) ++(0,-) arc (-90:90:8pt and 4pt) ++(0.,-0.5) arc (90:0:0pt) ++(-0.4,0) [- ] ++(0.4,0.4); [left] at (0,-0.5) 0 ; [left] at (0,-.375) 0 ; [right] at (6,-.375) f(x) ; [rectangle,draw,fill=white,minimum height=40pt,minimum width=40pt,below] at (.5,0) QFT ; [rectangle,draw,fill=white,minimum height=70pt,minimum width=40pt,below] at (3,0) U f ; [rectangle,draw,fill=white,minimum height=40pt,minimum width=40pt,below] at (4.5,0) QFT ; Figure 4: Circuit for period finding The above circuit corresponds to the following sequence of transformations. 0 0 QFT x Z x x 0 f x f(x) measure nd register /r l+kr f(l) /r k=0 (Here we assume r divides to simplify the analysis. We will remove this restriction later.) QFT r y α y y, where α y = /r k=0 ω (l+kn)y = ω ly k ω kry. There are two cases for y:. Case : y is a multiple of r. In this case, then ω kry = e πiry/ =. So α y = r r = r. Note that there are r multiples of /r. The sum of the magnitudes squared for these values of y is. This implies that for any other y, α y = 0.. Case : y is not a multiple of r. We already showed that α y must be 0 from the previous case. But we can also give an intuition for why this is the case. Note that ω ry,ω ry,... are evenly spaced vectors of unit length around the origin. Being the sum of these complex numbers, α y is 0. CS 94, Spring 009, Lecture 4 5

In other words, if we measure the output from the second quantum Fourier transform, we get a uniformly random multiple of /r. If we repeat the whole process t times, getting t random multiples y,...,y t of /r, the greatest common divisor of the y j s is likely to be /r. Since we know, we can recover r from /gcd(y,...,y t ). Let us compute the chance of finding the correct period with t samples. Suppose after repeating t times, we have not found the desired period /r, but instead a multiple, say λ/r. This means that each of the t samples must be a multiple of λ/r. There are /(λ/r) = r/λ multiples of λ/r, and since there are r multiples in total, the probability of getting a multiple of λ /r is /λ. Therefore, and we err with probability Pr[gcd is a multiple of λ/r] = ( ) t λ Pr[gcd > /r after t samples] ( ) t, ( ) t. So t = O(log ) measurements suffice to guarantee a solution. A more careful analysis shows that a constant number of samples is sufficient. 6 Period Finding: The General Case For the general case where is not a multiple of r, we will fix = m to be a power of two that is at least r. The change to the above analysis is that, after measuring the nd register, we get measure nd register s l+kr f(l) s k=0 where s = /r or s = /r +. If we now take QFT on the first register, we get y α y y with α y = s ω Case now becomes: s ly k=0 ω kry.. Case : ry mod r (in this section the remainder mod is allowed to be negative): Intuitively, in this case the amplitudes ω kry almost line up in the complex plane. Previously, when the period r divides exactly, all the amplitudes for multiples of /r line up at. Claim: If ry mod r, then α y Cs for some constant C. This claim implies that we have substantial probability of observing a y that falls into case. How many y belong to this case? When r is coprime to (which is the usual case when we run period finding as a subroutine in factoring), the set {ry y Z } is just Z. Put differently, as y runs through Z, the product ry also runs through Z. Hence there are about r = r such y. Then Pr[Observing such a y] r C s s C s r const. CS 94, Spring 009, Lecture 4 6

For the rest of the discussion, assume that we measure an y satisfying ry mod r/. How does this help us compute the period r? By assumption ry c r/ for some integer c, and hence y c r. Here y and are both known. We shall show, assuming that > r, how to recover c/r by continued fraction. Here is the idea: c/r is a close approximation to y/. Is it possible to get a better rational approximation with denominator at most r? We will show it is impossible. Suppose c /r is a better rational approximation with denominator r r. Then c r c r = cr c r rr r But now it follows that c r y r >. So if we compute the continued fraction expansion of y/ and look at the successive approximations to y/, one of these must be c/r, thus yielding r. (See the section on continued fractions below.) 7 Continued Fraction Definition 4. (Continued Fraction): A real number α can be approximated by an iterated fraction CF n (α) = a 0 + a + where a 0,...,a n (and hence P n and Q n ) are integers. a +... + a n = P n Q n, CS 94, Spring 009, Lecture 4 7

Example : Let us approximate π to two decimal places with a rational number. We know that π = 3.4... = 3+ 4 00 = 3+ 00 4 = 3+ 3+ 7 7+ 4 = 7 Example : If we decide to approximate π to four decimal places, we would have π = 3.45... = 3+ 45 0000 = 3+ 0000 45 = 3+ 7+ 95 45 = 3+ 7+ 45 95 = 3+ 7+ 4+ 85 95 3+ 7+ 4 = 3 99 The following lemmas are well known facts about continued fraction that we state without proof. Lemma 4.: CF n (α) is the best rational approximation of α with denominator Q n. Lemma 4.: If α is rational then it occurs as one of the approximations CF n (α). CS 94, Spring 009, Lecture 4 8

oreover, it is easy to see that the continued fraction is easy to compute for any rational number. 8 Shor s Quantum Factoring Algorithm Below we give a quantum algorithm that factors N in polylog(n) time (factoring in poly(n) time is trivial and is too slow). It turns out the problem of factoring reduces to finding a nontrivial square root. Claim: If we can find u such that u (mod N) and u ± (mod N), then we can factor N. (Such a number u is called a nontrivial square root of (mod N).) Proof: The condition on u is equivalent to N u = (u + )(u ) but N u + or N u. So gcd(n,u+) and gcd(n,u ) are nontrivial factors of N. To find a non-trivial square root, we simply pick a random number x (mod N) and compute its order, where the order of x is the least positive r such that x r (mod N). Claim: If N is odd, with probability at least / over a random x Z N, the order r of x is even and x r/ ± (mod N). Example: Let N = 5. Then let s suppose we picked x = 7. Then x = 7,x = 4,x 3 = 3,x 4 =, so x has order 4. Now, taking y = x r/ = 4, notice that y = 3 and y+ = 5 are both factors of 5. To compute the order, we can use a quantum circuit to compute f(a) = x a (mod N). The function maps element from Z to Z with > N. This function can be implemented efficiently with Õ(log N) gates if we do modular exponentiation with repeated squaring. Below we give the algorithm that, given an odd integer N, outputs a nontrivial factor of N with constant probability. [] Pick a random x Z N gcd(x,n) > Output gcd(x,n) Run period finding on f(a) = x a (mod N) to get the order r of x (mod N) Compute x r/ (mod N) x r/ ± (mod N) Output gcd(n,x r/ ± ) Abort Note that GCD can be computed quickly using Euclid s algorithm. Because of randomized nature of part of the algorithm, we may need to repeat this procedure many times. Since the algorithm succeeds with constant probability, a constant number of repititions suffice to split N into two non-trivial factors. We can then repeat the procedure on each factor until we are down to the prime factors. CS 94, Spring 009, Lecture 4 9

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback