Quantum Computing, Lecture 7: Quantum Factoring
Maris Ozols

Quantum factoring

A polynomial time quantum algorithm for factoring numbers was published by Peter Shor in 1994. Polynomial time means that the number of gates is bounded by a polynomial in $\log N$, where $\log N$ is the number of bits required to represent the number $N$ being factored. The best known classical algorithm (the general number field sieve) takes sub-exponential time: its running time is exponential in roughly $(\log N)^{1/3}$. Fast factoring would undermine widely used public-key cryptographic systems such as RSA.
Example: RSA-768

RSA-768 has 232 decimal digits (768 bits) and was factored in 2009, over the span of 2 years:

RSA-768 = 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413

Its two prime factors have 116 decimal digits each. The total CPU time spent on a parallel computer amounted to approximately 2000 years on a single-core 2.2 GHz computer.

Order finding

Suppose we are given $a, N \in \mathbb{N}$ such that $a < N$ and $\gcd(a, N) = 1$. Consider the infinite sequence
$$a^0,\ a^1,\ a^2,\ a^3,\ \ldots \pmod N.$$
Since each $a^k \bmod N \in \{0, \ldots, N-1\}$, the sequence starts to repeat at some point. In particular, $a^r \equiv 1 \pmod N$ for some integer $r \geq 1$ since $\gcd(a, N) = 1$ (see Euler's theorem or the extended Euclidean algorithm). The order of $a$ is the smallest such $r$ (it is also the period of the above sequence). For example, modulo 15 the powers of 7 are $7, 4, 13, 1, 7, \ldots$, so 7 has order 4.

Strategy: Reduce factoring to order (period) finding. We want to show that if we can find the period $r$ of $a$ then we can factor $N$.
Using order finding to factor

Assume $N = pq$, where $p$ and $q$ are odd primes (the general case can be handled with a little more effort). Also assume we have a subroutine for finding orders modulo $N$.

Reduction:
1. Pick a random $a \in \{2, \ldots, N-1\}$ and compute $g = \gcd(a, N)$.
2. If $g \neq 1$, it is a non-trivial factor of $N$, so we output $g$ and $N/g$ and we are done. Otherwise $\gcd(a, N) = 1$ and we continue.
3. Use the order finding subroutine to find the order $r$ of $a$ modulo $N$.
4. If $r$ is even, let $x = a^{r/2} \bmod N$ (otherwise, abort and return to step 1).
5. If $x + 1 \not\equiv 0 \pmod N$, output $\gcd(N, x+1)$ and $\gcd(N, x-1)$ (otherwise, abort and return to step 1).

Analysis of halting

Does this procedure halt? We could keep aborting in steps 4 or 5...

Fact: If $N$ is a product of two odd primes and we choose a random $a \in \{2, \ldots, N-1\}$ such that $\gcd(a, N) = 1$, then with probability $> 1/2$
(i) the order $r$ of $a$ is even, and
(ii) $a^{r/2} + 1 \not\equiv 0 \pmod N$.
In other words, in each run we abort with probability $< 1/2$. The probability that we still haven't succeeded after $k$ rounds is thus $< 2^{-k}$.

Assume we made it to step 5 and output $\gcd(N, x+1)$ and $\gcd(N, x-1)$. Why are they factors of $N$?
Recovering factors from $a$ and $r$

Let $N = pq$, where $p$ and $q$ are odd primes, and assume we have guessed $a$ such that (i) $r$ is even and (ii) $a^{r/2} + 1 \not\equiv 0 \pmod N$. Let $x = a^{r/2}$. Since $a^r \equiv 1 \pmod N$, we have $x^2 - 1 \equiv 0 \pmod N$, so
$$(x-1)(x+1) \equiv 0 \pmod N. \qquad (*)$$
But note that
$$x - 1 \not\equiv 0 \pmod N \quad \text{(by minimality of } r\text{, since } r/2 < r\text{)},$$
$$x + 1 \not\equiv 0 \pmod N \quad \text{(by assumption)}.$$
The condition $(*)$ is equivalent to $(x-1)(x+1) = kpq$ for some integer $k$. Since neither $x-1$ nor $x+1$ is a multiple of $N$, the prime $p$ divides one of them and $q$ the other (an odd prime cannot divide both $x-1$ and $x+1$, as it would then divide their difference 2), so computing $\gcd(N, x-1)$ and $\gcd(N, x+1)$ will find $p$ and $q$.

Finding the order / period

A fast order-finding algorithm allows us to factor numbers quickly. It remains to figure out how to quickly find the order. Equivalently, we can look for the period of the sequence
$$a^0,\ a^1,\ a^2,\ a^3,\ \ldots \pmod N.$$
The Fourier transform is a great tool for finding periodic patterns in data. Classically, we could use the fast Fourier transform, but this would require time $N \log N$, which is exponential in $\log N$, the number of bits of $N$.
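The reduction of the last two slides, run end to end as an added Python example that is not part of the lecture: the quantum order-finding subroutine is replaced by a brute-force classical one, `find_order_bruteforce`, which is only viable for toy moduli; `factors_from_order` is steps 4 and 5 together with the gcd argument above; `factor` loops steps 1 to 5 until they succeed; and `good_fraction` checks the "probability $> 1/2$" fact by enumerating every candidate $a$ for a small $N$. All function names and the sample moduli 15, 21 and 91 are my own choices.

```python
import math
import random


def find_order_bruteforce(a: int, N: int) -> int:
    """Classical stand-in for the quantum order-finding subroutine: the
    smallest r >= 1 with a^r = 1 (mod N).  Takes up to N steps, i.e. it is
    exponential in log N, so it is only usable for toy moduli."""
    assert 1 < a < N and math.gcd(a, N) == 1
    r, x = 1, a % N
    while x != 1:
        x = (x * a) % N
        r += 1
    return r


def factors_from_order(N: int, a: int, r: int):
    """Steps 4-5 of the reduction.  Returns (p, q) with p*q == N, or None
    when this a must be discarded (odd order, or a^(r/2) = -1 mod N)."""
    if r % 2 == 1:
        return None                      # step 4: odd order, retry
    x = pow(a, r // 2, N)                # x^2 = a^r = 1 (mod N)
    if (x + 1) % N == 0:
        return None                      # step 5: x = -1 (mod N), retry
    # x != +-1 (mod N) but (x-1)(x+1) = kN, so p and q split across the gcds
    p, q = math.gcd(N, x - 1), math.gcd(N, x + 1)
    assert 1 < p < N and p * q == N
    return (min(p, q), max(p, q))


def factor(N: int, order_finder=find_order_bruteforce, seed: int = 0):
    """Steps 1-5, repeated until they succeed.  Returns ((p, q), rounds)."""
    rng = random.Random(seed)            # fixed seed so the run is reproducible
    rounds = 0
    while True:
        rounds += 1
        a = rng.randrange(2, N)          # step 1
        g = math.gcd(a, N)
        if g != 1:                       # step 2: a already shares a factor
            return (min(g, N // g), max(g, N // g)), rounds
        r = order_finder(a, N)           # step 3
        result = factors_from_order(N, a, r)
        if result is not None:
            return result, rounds


def good_fraction(N: int):
    """Count the a in {2, ..., N-1} coprime to N for which steps 4 and 5 both
    succeed, to check the 'probability > 1/2' fact on a concrete N."""
    coprime = [a for a in range(2, N) if math.gcd(a, N) == 1]
    good = [a for a in coprime
            if factors_from_order(N, a, find_order_bruteforce(a, N)) is not None]
    return len(good), len(coprime)


if __name__ == "__main__":
    print(factor(15)[0])        # (3, 5)
    print(factor(91)[0])        # (7, 13)
    print(good_fraction(15))    # (6, 7)
```

For $N = 15$ only $a = 14$ (order 2 with $14 \equiv -1$) fails out of the seven admissible bases, and `factors_from_order(15, 7, 4)` reproduces the worked case $x = 7^2 \bmod 15 = 4$, $\gcd(15, 3) = 3$, $\gcd(15, 5) = 5$. Plugging a real order finder in for `order_finder` is the only change needed to turn this into the full algorithm.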
Discrete Fourier transform

The discrete Fourier transform (DFT) of a sequence of $M$ complex numbers $x_0, x_1, \ldots, x_{M-1}$ is another sequence of $M$ complex numbers $y_0, y_1, \ldots, y_{M-1}$ such that
$$y_j = \frac{1}{\sqrt{M}} \sum_{k=0}^{M-1} \omega^{jk} x_k,$$
where $\omega = e^{2\pi i/M}$ is the $M$-th root of 1.

DFT as a unitary matrix

The discrete Fourier transform is a linear operation on $\mathbb{C}^M$:
$$\begin{pmatrix} y_0 \\ y_1 \\ \vdots \\ y_{M-1} \end{pmatrix} = D \begin{pmatrix} x_0 \\ x_1 \\ \vdots \\ x_{M-1} \end{pmatrix}, \qquad D_{jk} = \omega^{jk}/\sqrt{M}.$$
More explicitly:
$$D = \frac{1}{\sqrt{M}} \begin{pmatrix}
1 & 1 & 1 & 1 & \cdots & 1 \\
1 & \omega & \omega^2 & \omega^3 & \cdots & \omega^{M-1} \\
1 & \omega^2 & \omega^4 & \omega^6 & \cdots & \omega^{2(M-1)} \\
1 & \omega^3 & \omega^6 & \omega^9 & \cdots & \omega^{3(M-1)} \\
\vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
1 & \omega^{M-1} & \omega^{2(M-1)} & \omega^{3(M-1)} & \cdots & \omega^{(M-1)(M-1)}
\end{pmatrix}.$$
Clearly $D^T = D$, so $D^\dagger = \bar{D}^T = \bar{D}$. One can check that $D$ is unitary by noting that $\bar{\omega} = e^{-2\pi i/M} = \omega^{-1}$: the entry $(D \bar{D})_{jl} = \frac{1}{M} \sum_{k=0}^{M-1} \omega^{(j-l)k}$ is a geometric sum, equal to 1 when $j = l$ and to 0 otherwise.
Quantum Fourier transform

Computing the discrete Fourier transform classically takes time polynomial in $M$. Peter Shor showed how to implement $D$ using $O((\log M)^2)$ one- and two-qubit gates. This is polynomial in $\log M$, the number of qubits! The $M \times M$ unitary matrix $D$ is therefore also known as the quantum Fourier transform (QFT).

Note: The QFT does not give a fast way to compute the DFT on a quantum computer, in the sense of obtaining the numbers $y_0, y_1, \ldots, y_{M-1}$. Just like we can't extract all decimal digits of the numbers $x_i$ by measuring a single copy of $|x\rangle = \sum_i x_i |i\rangle$, we can't extract $y_i$ from $|y\rangle = D|x\rangle$, even though we can easily apply $D$ on a quantum computer.

Fourier transform on binary strings

Suppose $M = 2^n$ and let $|x\rangle \in \mathbb{C}^M$ be a computational basis state, where $x \in \{0, \ldots, 2^n - 1\}$. We can uniquely write $x = b_1 2^{n-1} + b_2 2^{n-2} + \cdots + b_n$ for some $b_j \in \{0, 1\}$ (i.e., $b_1 b_2 \ldots b_n$ is the binary representation of $x$). One can check that
$$D|b_1 b_2 \ldots b_n\rangle = \frac{1}{\sqrt{2^n}} \,(|0\rangle + \beta_n |1\rangle)(|0\rangle + \beta_{n-1} |1\rangle) \cdots (|0\rangle + \beta_1 |1\rangle),$$
where $\beta_j = \exp(2\pi i \, 0.b_j b_{j+1} \ldots b_n)$ and $0.b_j b_{j+1} \ldots b_n \in [0, 1)$ is the binary representation of $b_j/2 + b_{j+1}/4 + \cdots + b_n/2^{n-j+1}$.
Quantum Fourier transform circuit

We can use this form to implement the quantum Fourier transform using Hadamard gates $H$ and conditional phase-shift gates $R_k$. For $n = 4$ the circuit is:
wire $b_1$: $H$, then $R_2, R_3, R_4$ controlled by wires $b_2, b_3, b_4$;
wire $b_2$: $H$, then $R_2, R_3$ controlled by wires $b_3, b_4$;
wire $b_3$: $H$, then $R_2$ controlled by wire $b_4$;
wire $b_4$: $H$;
where
$$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}, \qquad R_k = \begin{pmatrix} 1 & 0 \\ 0 & e^{2\pi i/2^k} \end{pmatrix}.$$
After these gates wire $b_j$ carries $(|0\rangle + \beta_j |1\rangle)/\sqrt{2}$, which is the reverse of the order in the product on the previous slide, so the output wires are read in reverse order (or swapped at the end of the circuit).

Conditional phase shifts

Two-qubit conditional phase shift gates are actually symmetric between the two bits, despite the asymmetry in the drawn circuit. It seems that for large $n$, an $n$-bit quantum Fourier transform circuit would require conditional phase shifts of arbitrary precision (the angle of $R_k$ is $2\pi/2^k$). It can be shown that this can be avoided, by dropping the gates $R_k$ with $k$ above a threshold of order $\log n$, with some (but not significant) loss in the probability of success for the factoring algorithm.
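The last three slides (the unitary $D$, the product formula for $D|b_1 \ldots b_n\rangle$, and the $H$/$R_k$ circuit) checked against each other numerically, as an added Python example that is not from the lecture. It uses a tiny state-vector simulator in plain Python (no NumPy), with wire 1 as the most significant bit, exactly the convention of the slides; `qft_circuit` includes the final reversal of the wires that the drawn circuit leaves implicit. The helper names are my own.

```python
import cmath


def dft_matrix(M):
    """D[j][k] = omega^(jk)/sqrt(M) with omega = e^(2 pi i / M), the lecture's convention."""
    w = cmath.exp(2j * cmath.pi / M)
    return [[w ** (j * k) / M ** 0.5 for k in range(M)] for j in range(M)]


def is_unitary(A, tol=1e-9):
    """Check A.A^dagger = I entry by entry (for D this holds since conj(omega) = omega^-1)."""
    M = len(A)
    for i in range(M):
        for j in range(M):
            s = sum(A[i][k] * A[j][k].conjugate() for k in range(M))
            if abs(s - (1 if i == j else 0)) > tol:
                return False
    return True


def basis_state(bits):
    """|b_1 b_2 ... b_n> with b_1 the most significant bit (wire 1 on the slide)."""
    n = len(bits)
    v = [0j] * 2 ** n
    v[int("".join(map(str, bits)), 2)] = 1 + 0j
    return v


def apply_1q(state, gate, q, n):
    """Apply a 2x2 gate to wire q (1-based; wire 1 = most significant bit)."""
    shift = n - q
    out = list(state)
    for i in range(len(state)):
        if not (i >> shift) & 1:
            j = i | (1 << shift)
            out[i] = gate[0][0] * state[i] + gate[0][1] * state[j]
            out[j] = gate[1][0] * state[i] + gate[1][1] * state[j]
    return out


def apply_cphase(state, k, ctrl, tgt, n):
    """Controlled R_k = diag(1, e^(2 pi i / 2^k)) on wire tgt, controlled by wire ctrl.
    The phase is applied only when both bits are 1, so ctrl and tgt are interchangeable."""
    phase = cmath.exp(2j * cmath.pi / 2 ** k)
    sc, st = n - ctrl, n - tgt
    return [amp * phase if ((i >> sc) & 1 and (i >> st) & 1) else amp
            for i, amp in enumerate(state)]


def qft_circuit(state, n):
    """The slide's circuit: on wire j apply H, then R_2..R_{n-j+1} controlled by wires
    j+1..n.  Wire j then carries (|0> + beta_j|1>)/sqrt(2); D wants that factor on wire
    n-j+1, so the wire order is reversed at the end (n//2 swap gates in hardware)."""
    s = 1 / 2 ** 0.5
    H = [[s, s], [s, -s]]
    for j in range(1, n + 1):
        state = apply_1q(state, H, j, n)
        for k in range(2, n - j + 2):
            state = apply_cphase(state, k, ctrl=j + k - 1, tgt=j, n=n)
    rev = lambda i: int(format(i, f"0{n}b")[::-1], 2)
    return [state[rev(i)] for i in range(2 ** n)]


def product_formula(bits):
    """(1/sqrt(2^n)) (|0>+beta_n|1>) x ... x (|0>+beta_1|1>), beta_j = exp(2 pi i 0.b_j...b_n)."""
    n = len(bits)
    beta = {j: cmath.exp(2j * cmath.pi * sum(bits[i - 1] / 2 ** (i - j + 1)
                                             for i in range(j, n + 1)))
            for j in range(1, n + 1)}
    state = [1 + 0j]
    for j in range(n, 0, -1):            # leftmost factor (wire 1) carries beta_n
        state = [amp * c for amp in state for c in (1, beta[j])]
    return [amp / 2 ** (n / 2) for amp in state]


def qft_checks(bits, tol=1e-9):
    """True iff D|b_1...b_n>, the circuit output and the product formula all agree."""
    n = len(bits)
    D = dft_matrix(2 ** n)
    x = int("".join(map(str, bits)), 2)
    column = [D[y][x] for y in range(2 ** n)]     # D|x> = sum_y D[y][x] |y>
    circuit = qft_circuit(basis_state(bits), n)
    product = product_formula(bits)
    return all(abs(u - v) < tol and abs(u - t) < tol
               for u, v, t in zip(column, circuit, product))


if __name__ == "__main__":
    print(is_unitary(dft_matrix(8)))                      # True
    print(all(qft_checks([(x >> (3 - i)) & 1 for i in range(4)]) for x in range(16)))  # True
```

Deleting the final wire reversal in `qft_circuit` makes `qft_checks` fail for every input with $b_1 \neq b_n$, which is the easiest way to see why the drawn circuit needs the swaps.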
Period finding

Recall: Given $a, N \in \mathbb{N}$ such that $a < N$ and $\gcd(a, N) = 1$, we would like to find the order of $a$ modulo $N$, i.e., the smallest integer $r \geq 1$ such that $a^r \equiv 1 \pmod N$.

Consider the function $f_a : \mathbb{N} \to \{0, \ldots, N-1\}$ given by
$$f_a(x) = a^x \bmod N.$$
Note that $f_a$ is periodic, with period at most $N$. Also note that $f_a(0) = f_a(r)$ is equivalent to $a^r \equiv 1 \pmod N$, so the period of $f_a$ is equal to the order of $a$.

How can we find the period of $f_a$? More generally, suppose we can evaluate some arbitrary function $f : \mathbb{N} \to \{0, \ldots, N-1\}$ which is promised to be periodic, i.e., for some integer $r \geq 1$ and all $x$,
$$f(x + r) = f(x).$$
How can we find the least such $r$, i.e., the period of $f$?

Evaluating $f$ in superposition

Let $f : \{0,1\}^n \to \{0,1\}^n$ and let $U_f$ be an oracle that reversibly implements $f$ (note that here $x, y \in \{0,1\}^n$ are $n$-bit strings and so is $f(x)$):
$$U_f : |x\rangle |y\rangle \mapsto |x\rangle |y \oplus f(x)\rangle.$$
Let us denote the uniform superposition by
$$|\Psi\rangle = H^{\otimes n} |0^n\rangle = |+^n\rangle = \frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle.$$
We can evaluate all values of $f$ in superposition as follows:
$$U_f |\Psi\rangle |0^n\rangle = \frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle |f(x)\rangle.$$
Note: This does not mean that we can simultaneously extract all values of $f(x)$ from this state. By measuring in the standard basis, we get each pair $(x, f(x))$ only with exponentially small probability.
The 1st measurement

Measure the second register (i.e., the last $n$ qubits) of $U_f |\Psi\rangle |0^n\rangle$ and denote the outcome by $f_0 \in \{0,1\}^n$. The state after the measurement is
$$\left( \frac{1}{\sqrt{m}} \sum_{k=0}^{m-1} |x_0 + kr\rangle \right) |f_0\rangle,$$
where
$x_0 \in \{0, \ldots, r-1\}$ is the least value such that $f(x_0) = f_0$,
$r \in \{1, \ldots, N-1\}$ is the period of the function $f$,
$m = 2^n/r$ is the number of $x \in \{0, \ldots, 2^n - 1\}$ such that $f(x) = f_0$ (this is exact when $r$ divides $2^n$; in general $m$ is $\lfloor 2^n/r \rfloor$ or $\lceil 2^n/r \rceil$ depending on $x_0$, and the analysis below treats the exact case).

Note: The state in the first register has a periodic structure. We want to extract the period using the QFT.

QFT application

We now apply the $n$-qubit quantum Fourier transform
$$D = \frac{1}{\sqrt{2^n}} \sum_{x, y = 0}^{2^n - 1} \omega^{xy} |y\rangle \langle x|$$
to the first register (i.e., the first $n$ qubits of the left-over state):
$$D \left( \frac{1}{\sqrt{m}} \sum_{k=0}^{m-1} |x_0 + kr\rangle \right)
= \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} \frac{1}{\sqrt{m}} \sum_{k=0}^{m-1} \omega^{(x_0 + kr) y} |y\rangle
= \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} \omega^{x_0 y} \left( \frac{1}{\sqrt{m}} \sum_{k=0}^{m-1} \omega^{kry} \right) |y\rangle,$$
where $\omega = e^{2\pi i/2^n}$ is the $2^n$-th root of 1.
The 2nd measurement

We measure the resulting state in the standard basis:
$$\frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} \omega^{x_0 y} \left( \frac{1}{\sqrt{m}} \sum_{k=0}^{m-1} \omega^{kry} \right) |y\rangle.$$
The probability of observing outcome $y \in \{0,1\}^n = \{0, \ldots, 2^n - 1\}$ is
$$p(y) = \frac{1}{2^n} \left| \frac{1}{\sqrt{m}} \sum_{k=0}^{m-1} \omega^{kry} \right|^2.$$
This probability distribution peaks at those $y$ for which $ry/2^n$ is close to an integer. Indeed, assuming $ry/2^n$ is exactly an integer (so $rm = 2^n$),
$$\omega^{kry} = \exp(2\pi i \, kry/2^n) = \exp(2\pi i k \cdot \text{integer}) = 1$$
and $p(y) = \frac{m^2}{2^n m} = \frac{m}{2^n} = \frac{1}{r}$. In this case there are exactly $r$ values of $y$ for which $ry/2^n$ is an integer (namely $y = j \cdot 2^n/r$ for $j = 0, \ldots, r-1$), so we always obtain a $y$ that is a multiple of $2^n/r$.

Fact: Given an integer multiple $y = j \cdot 2^n/r$ of $2^n/r$, one can recover $r$ using the continued fraction expansion of $y/2^n = j/r$. This yields $r$ itself when $\gcd(j, r) = 1$ and only a divisor of $r$ otherwise, so the candidate should be checked against $a^r \equiv 1 \pmod N$ and the run repeated if it fails.

Exponentiation

To complete the factoring algorithm, we need to check that we can also implement the unitary transform $U_f$ for the particular function $f_a(x) = a^x \bmod N$ with a number of quantum gates that is polynomial in $\log N$. This is achieved through repeated squaring: $a^x \bmod N$ is assembled from $a, a^2, a^4, \ldots \pmod N$ with $O(\log x)$ modular multiplications, each of which costs polynomially many gates.
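The three quantum stages above (first measurement, QFT, second measurement followed by continued fractions), reproduced numerically as an added Python example that is not from the lecture: `first_register_support` lists the values $x_0 + kr$ that survive the first measurement, `second_measurement_probs` evaluates $p(y)$ directly from the formula (with the true $m$, so it also covers the case where $r$ does not divide $2^n$), `period_from_outcome` performs the continued-fraction step with the denominator bound $N$, and `modexp` is the repeated-squaring exponentiation of the last paragraph. The sample parameters ($a = 7$, $N = 15$, $n = 4$, where $r = 4$ divides $2^n$; and $a = 2$, $N = 21$, $n = 9$, where $r = 6$ does not) and all function names are my own choices.

```python
import cmath


def modexp(a, x, N):
    """a^x mod N by repeated squaring: O(log x) multiplications, which is what
    makes U_{f_a} implementable with polynomially many gates."""
    result, base = 1, a % N
    while x:
        if x & 1:
            result = (result * base) % N
        base = (base * base) % N
        x >>= 1
    return result


def first_register_support(a, N, n, f0):
    """The x in {0, ..., 2^n - 1} with f_a(x) = f0, i.e. the values x_0 + k r
    left in the first register after the second register is measured as f0."""
    return [x for x in range(2 ** n) if modexp(a, x, N) == f0]


def second_measurement_probs(x0, r, n):
    """p(y) = (1/2^n) |(1/sqrt(m)) sum_{k<m} omega^{kry}|^2, omega = e^(2 pi i/2^n),
    for the state (1/sqrt(m)) sum_k |x_0 + kr>.  m counts the x_0 + kr below 2^n,
    which equals 2^n/r only when r divides 2^n."""
    M = 2 ** n
    m = len(range(x0, M, r))
    probs = []
    for y in range(M):
        s = sum(cmath.exp(2j * cmath.pi * k * r * y / M) for k in range(m))
        probs.append(abs(s) ** 2 / (M * m))
    return probs


def period_from_outcome(y, n, N):
    """Continued-fraction step: denominator of the convergent c/r of y/2^n with the
    largest r < N.  Returns None for the useless outcome y = 0.  When gcd(c, r) > 1
    this is only a divisor of the true period, hence the is_order check below."""
    if y == 0:
        return None
    num, den = y, 2 ** n
    p0, p1, q0, q1 = 0, 1, 1, 0          # convergent recurrences p_i/q_i
    best = None
    while den:
        t = num // den                   # next partial quotient
        p0, p1 = p1, t * p1 + p0
        q0, q1 = q1, t * q1 + q0
        if q1 >= N:
            break
        best = q1
        num, den = den, num - t * den
    return best


def is_order(a, r, N):
    """Accept a candidate only if a^r = 1 (mod N); a divisor of r fails this."""
    return r is not None and modexp(a, r, N) == 1


if __name__ == "__main__":
    # a = 7, N = 15: r = 4 divides 2^4, so p(y) is exactly 1/4 on y = 0, 4, 8, 12
    print(first_register_support(7, 15, 4, 7))            # [1, 5, 9, 13]
    probs = second_measurement_probs(1, 4, 4)
    print([y for y in range(16) if probs[y] > 1e-9])      # [0, 4, 8, 12]
    print(period_from_outcome(12, 4, 15))                 # 4
    # a = 2, N = 21: r = 6 does not divide 2^9; the peak near 512/6 still gives r
    probs = second_measurement_probs(0, 6, 9)
    print(max(range(1, 128), key=probs.__getitem__))      # 85
    print(period_from_outcome(85, 9, 21))                 # 6
```

In the $N = 21$ run the outcome $y = 85$ yields $r = 6$, while $y = 171$ (the peak near $2 \cdot 512/6$) yields only the divisor 3, which `is_order` rejects; that is the case where a repetition of the whole procedure is needed.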
Some points to note

The two measurement steps can be combined at the end, with the Fourier transform applied before the measurement of $f(x)$.

The probability of successfully finding the period in any single run of the algorithm is only about 0.4. However, this means a small number of repetitions will suffice to find the period with high probability.

Putting a lower bound on the conditional phase shift we are allowed to perform affects the probability of success, but not the rest of the algorithm.

Summary

Factoring: classically $O(\exp(\sqrt[3]{\log N}))$; quantumly $O((\log N)^2)$ up to $\log \log N$ factors (with fast multiplication in the modular exponentiation), where $\log N$ is the input size and $N$ is the number to be factored.

Order: the smallest $r \geq 1$ such that $a^r \equiv 1 \pmod N$.

Period: the smallest $r \geq 1$ such that $f(x + r) = f(x)$ for all $x$; it is equal to the order of $a$ if $f(x) = a^x \bmod N$.

Reduction: the ability to find orders can be used to factor. Idea: $x^2 = a^r \equiv 1 \pmod N$, so $(x-1)(x+1) = kpq \equiv 0 \pmod N$.

DFT: $D_{jk} = \omega^{jk}/\sqrt{M}$ where $\omega = \exp(2\pi i/M)$; $D$ is unitary.

QFT: its circuit implementation uses the fact that
$$D|b_1 b_2 \ldots b_n\rangle = \frac{1}{\sqrt{2^n}} \,(|0\rangle + \beta_n |1\rangle)(|0\rangle + \beta_{n-1} |1\rangle) \cdots (|0\rangle + \beta_1 |1\rangle),$$
where $\beta_j = \exp(2\pi i \, 0.b_j b_{j+1} \ldots b_n)$.

Shor's algorithm: prepare $(D \otimes I)\, U_{f_a} |+^n\rangle |0^n\rangle$; measuring the 1st register gives a number that is close to an integer multiple of $2^n/r$; one can find the order $r$ of $a$ modulo $N$ from here; the factors of $N$ are obtained from $r$ and $a$ using the classical reduction.