
# Short course on quantum computing - PowerPoint PPT Presentation

Short course on quantum computing. Andris Ambainis University of Latvia. Lecture 2. Quantum algorithms and factoring. Factoring. Input: composite N. Output: p, q ∈ {2, …, N-1} s.t. pq=N. Hard for classical computers. Factoring large integers would break RSA. Factoring.


### Short course on quantum computing

Andris Ambainis

University of Latvia

### Lecture 2

Quantum algorithms and factoring

• Input: composite N.

• Output: p, q ∈ {2, …, N-1} s.t. pq=N.

• Hard for classical computers.

• Factoring large integers would break RSA.

• Quantum computers can factor integers in polynomial (quadratic) time [Shor’94].

• Similar approach also solves discrete logarithm by quantum algorithm.

• Today: Shor’s algorithm.

1) Computational model.

2) Quantum parallelism and quantum interference.

3) Simon’s algorithm.

4) Shor’s algorithm.

• State space consisting of n (quantum) bits.

• Elementary gates on 1 or 2 (qu)bits.

• Efficiently computable = poly-size circuits.

[Circuit diagrams: a classical circuit with inputs X1, X2, X3, X5, ^ gates and output "Result"; a circuit of H gates]

Gates on quantum bits

• Phase shift

• Rotation by angle 

• Controlled NOT

• Any quantum computation can be performed by a circuit consisting of Hadamard, phase, rotation by π/8 and controlled NOT gates.

• We have a classical circuit.

• Can we construct a quantum circuit that computes the same function?

• Assume f(x)=f(y)=z.

• If

then

• U not unitary.

We can transform a classical circuit for F into a quantum circuit.

[Circuit diagram: F maps inputs |x>, |0> to outputs |x>, |F(x)>]

Add extra input initialized to 0.

[Figure: Example. Classical: a ^ gate with inputs x and y. Quantum: Toffoli gate mapping |x>, |y>, |0> to |x>, |y>, |xy>; with third input |a>, the third output is |a ⊕ (xy)>.]

• By linearity, Σ_x |x> |0> → Σ_x |x> |f(x)>.

• Many evaluations of f in unit time.

[Circuit diagram: inputs |x>, |0>; outputs |x>, |f(x)>]

• Once we measure Σ_x |x> |f(x)>, we get one particular x and f(x).

• Same as if we evaluated f on a random x.

• Is it useful?

• We cannot obtain all values f(x) from Σ_x |x> |f(x)> because quantum states cannot be measured completely.

• We can obtain quantities that depend on many f(x).

• Negative interference: |1> and -|1> cancel out one another.

• Positive interference: |0> and |0> add up to a higher probability.

• Use quantum parallelism to compute many f(x).

• Use interference to obtain information that depends on many values f(x).

• Requires algebraic structure.

• Ideal for number-theoretic problems (factoring).

• The order of a ∈ Z_N^* modulo N is the smallest integer r>0 such that

a^r ≡ 1 (mod N)

• For example, order of 4 mod 7 is 3:

4^1 = 4, 4^2 = 16 ≡ 2, 4^3 = 64 ≡ 1 (mod 7).

• Factoring reduces to order-finding.

• If a^r ≡ 1 (mod N), then N divides a^r - 1.

• If r even, a^r - 1 = (a^(r/2) - 1)(a^(r/2) + 1).

• If N is product of two or more primes,

gcd(a^(r/2) - 1, N)

is a nontrivial factor of N with probability at least 1/2.

Repeat O(log n) times:

• Generate random a ∈ {1, …, N-1};

• Check if (a, N)=1;

• r = order(a);

• If r even, check (a^(r/2) - 1, N).
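
The loop above, as an added Python example (not part of the original slides): `order` is a brute-force classical stand-in for the quantum order-finding subroutine. The function names and the toy modulus 3233 = 53 · 61 are constructed for illustration.

```python
import math
import random

def order(a, N):
    """Smallest r > 0 with a^r = 1 (mod N), by brute force.

    Classical stand-in for the quantum order-finding subroutine; it takes
    up to N steps, which is exponential in the bit length of N.
    """
    if math.gcd(a, N) != 1:
        raise ValueError("a must be coprime to N")
    r, x = 1, a % N
    while x != 1:
        x = (x * a) % N
        r += 1
    return r

def factor_via_order(N, rng, max_tries=64):
    """Follow the loop on the slide; return (p, q, a, r) with p * q == N."""
    for _ in range(max_tries):
        a = rng.randrange(1, N)              # random a in {1, ..., N-1}
        g = math.gcd(a, N)
        if g != 1:                           # (a, N) != 1: a already reveals a factor
            return g, N // g, a, None
        r = order(a, N)
        if r % 2:                            # odd order: a^(r/2) is undefined, retry
            continue
        p = math.gcd(pow(a, r // 2, N) - 1, N)
        if 1 < p < N:                        # p == 1 when a^(r/2) = -1 (mod N)
            return p, N // p, a, r
    raise RuntimeError("no factor found; is N prime or a prime power?")

if __name__ == "__main__":
    # 3233 = 53 * 61 is a constructed toy RSA modulus.
    print(factor_via_order(3233, random.Random(1)))
```

Only `order` needs a quantum computer to be efficient; the gcd steps and the retry loop are cheap classical work.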

Period finding

• Function F: N → N such that F(x)=F(x+r) for all x.

• Find smallest r.

[Circuit diagram: F maps inputs |x>, |0> to outputs |x>, |F(x)>]

• Function F: {0, 1}^n → {0, 1}^n.

• F(x+y)=F(x) for all x, where + is bitwise addition.

• Find y.

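[Circuit diagram: F maps inputs |x>, |0> to outputs |x>, |F(x)>]

[Circuit diagram: first register |0> passes through H gates, F, then H gates, giving |y>; second register |0> passes through F, giving |f(x)>]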

Repeat n times and combine results y1,..., yn.

[Circuit diagram: first register |0> passes through H gates, F, then H gates, giving |y>; second register |0> passes through F, giving |F(x)>]

• Partial measurement.

• We get some value y=F(x).

• The state

• collapses to part consistent with y=F(x).

• We now have the state

• How do we get z?

• Measuring the first register would give only one of x and x+z.

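[Circuit diagram: first register |0> passes through H gates, F, then H gates, giving |y>; second register |0> passes through F, giving |f(x)>]

[Circuit diagram: a Hadamard gate H applied to each of |x1>, |x2>, ..., |xn>]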

Signs are the same iff Σ_i z_i y_i = 0 mod 2.

• Measuring the final state gives a vector y such that

• n-1 such constraints uniquely determine z, with high probability.
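
The classical post-processing behind "combine results y1,..., yn", as an added Python example (not from the slides): each measured y gives one constraint Σ_i z_i y_i = 0 mod 2, and Gaussian elimination over GF(2) recovers z once n-1 independent constraints are in hand. `sample_y` is a constructed stand-in for one run of the circuit, and all function names are assumptions.

```python
import random

def sample_y(z, n, rng):
    """Constructed stand-in for one circuit run: a uniformly random n-bit y
    with y.z = 0 (mod 2), which is what the final measurement yields."""
    while True:
        y = rng.getrandbits(n)
        if bin(y & z).count("1") % 2 == 0:
            return y

def solve_hidden_shift(ys, n):
    """Return the unique nonzero z with y.z = 0 (mod 2) for every y in ys,
    or None while the constraints have rank below n-1."""
    pivots = {}                              # pivot bit -> row, kept fully reduced
    for y in ys:
        for bit, row in pivots.items():      # reduce y against existing rows
            if (y >> bit) & 1:
                y ^= row
        if y == 0:
            continue                         # dependent constraint, no new information
        bit = y.bit_length() - 1
        for b in pivots:                     # clear the new pivot bit elsewhere
            if (pivots[b] >> bit) & 1:
                pivots[b] ^= y
        pivots[bit] = y
    if len(pivots) != n - 1:
        return None
    free = next(b for b in range(n) if b not in pivots)
    z = 1 << free                            # set the single free variable to 1
    for bit, row in pivots.items():
        if (row >> free) & 1:                # row says z_bit + z_free = 0 (mod 2)
            z |= 1 << bit
    return z

def recover_shift(z, n, rng):
    """Sample until the constraints determine z; return (z_found, runs used)."""
    ys = []
    while (found := solve_hidden_shift(ys, n)) is None:
        ys.append(sample_y(z, n, rng))
    return found, len(ys)
```

The run count returned by `recover_shift` is at least n-1 and usually only slightly larger, since some samples repeat earlier constraints.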

• Quantum parallelism: computing F for many values simultaneously.

Period finding

• Function F: N → N such that F(x)=F(x+r) for all x.

• Find r.

[Circuit diagram: F maps inputs |x>, |0> to outputs |x>, |F(x)>]

[Circuit diagram: first register |0> passes through H gates, F, then H gates; second register |0> passes through F]

Repeat n times and combine results y1,..., yn.

[Circuit diagram: first register |0> passes through QFT, F, then QFT; second register |0> passes through F]

Find factor by continued fraction expansion.


• Measuring the second register leaves the first register in a state consisting of all x with the same F(x):

|d>+|d+r>+…+|d+ir>

If M=2, this is Hadamard transform.

• Assume r divides M.

• Then,

• If j relatively prime with r,

• Assume r does not divide M.

• Then, most of T| consists of |k> with

[Figure: two panels, "r does not divide M" and "r divides M"]

Can we find r?

• Number theory algorithm.

• Given k, M, finds j, r such that

is smallest among all j and r  r0.

• If M=(r2), correct w.h.p.

• Reduce factoring to period-finding.

• Generate a quantum state with period r.

• In the easy case, QFT transforms a state with period r into multiples of M/r.

• General case: same but approximately.

• Continued fraction algorithm finds the closest multiple of M/r.
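
The continued-fraction step, as an added Python example (not from the slides): given a measured k close to a multiple of M/r, `Fraction.limit_denominator` finds the nearest j/r' with small denominator, and several runs are combined by lcm. `simulated_measurement` is a constructed simplification that always returns the integer nearest to jM/r; the function names and the choice M ≥ N^2 are assumptions.

```python
from fractions import Fraction
from math import gcd
import random

def simulated_measurement(r, M, rng):
    """Constructed stand-in for measuring after the QFT: the integer k
    nearest to j*M/r for a uniformly random j in {0, ..., r-1}."""
    j = rng.randrange(r)
    return (2 * j * M + r) // (2 * r)        # floor(j*M/r + 1/2), exact integers

def candidate_period(k, M, N):
    """Denominator of the fraction closest to k/M among denominators <= N.
    When k is within 1/2 of j*M/r and M >= N^2, this is r / gcd(j, r)."""
    return Fraction(k, M).limit_denominator(N).denominator

def recover_period(a, N, r_true, rng, runs=20):
    """Combine candidates by lcm until a^r = 1 (mod N) is confirmed.
    r_true is used only to simulate the measurement outcomes."""
    M = 1 << (2 * N.bit_length())            # power of two with M >= N^2
    r = 1
    for _ in range(runs):
        k = simulated_measurement(r_true, M, rng)
        d = candidate_period(k, M, N)
        r = r * d // gcd(r, d)               # lcm(r, d): each d divides r_true
        if pow(a, r, N) == 1:
            return r
    return None

if __name__ == "__main__":
    # Constructed case: a = 2 has order 6 modulo N = 21.
    print(recover_period(2, 21, 6, random.Random(0)))
```

A single run can return a proper divisor of r (for example j = 2, r = 6 yields 3), which is why candidates are verified with `pow(a, r, N)` and merged across runs.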

• Function F: G → S such that F(g)=F(hg) iff h ∈ H.

• Find H.

[Circuit diagram: F maps inputs |x>, |0> to outputs |x>, |F(x)>]

• Captures a lot of problems.

• Simon’s problem: G={0, 1}^n, H={0^n, z}.

• Shor’s period-finding: G=Z, H=rZ (multiples of r).

• Discrete logarithm: G=Z^2.

• Pell’s equation [Hallgren, 2002]: G=R.

• Given N, g and x, compute r such that

g^r ≡ x (mod N).

• Another hard problem relevant to crypto (Diffie-Hellman).

• Define F(y, z) = g^y x^z mod N.

• G=Z^2.

• H={(y, z) | y+zr = 0 mod N-1} because g^y x^z = g^(y+rz) and g^(N-1) = 1.

• Quantum polynomial time for Abelian G.

• Open for non-Abelian G (except a few groups G with simple structure).

[Figure: two graphs G1 and G2, with "?"]

• G: all permutations of vertices.

• F() = (G).

• H - permutations that fix G.

• Graph Isomorphism reduces to hidden subgroup for non-Abelian groups.

• Approximating shortest vector in lattice also reduces to HSP.

• Solving HSP by quantum algorithm remains open for almost all non-Abelian groups.