sign in sign up
<<
Home , Quantum computing

Q UANTUM C OMPUTING

IS SEARCH PRACTICAL?

Gauging a quantum ’s practical significance requires weighing it against the best conventional techniques applied to useful instances of the same problem. The authors show that several commonly suggested applications of Grover’s quantum fail to offer computational improvements over the best conventional .

ome researchers suggest achieving mas- polynomial-time algorithm for number factoring sive speedups in by exploiting is known, and the security of the RSA code used quantum-mechanical effects such as su- on the Internet relies on this problem’s difficulty. perposition (quantum parallelism) and If a large and error-tolerant quantum Sentanglement.1 A typically were available today, running Shor’s algorithm on consists of applying quantum gates to quantum it could compromise e-commerce. states, but because the input to the algorithm Lov Grover’s quantum search algorithm is also might be normal classical (or nonquantum), widely studied. It must compete with advanced it only affects the selection of quantum gates. Af- classical search techniques in applications that use ter all the gates are applied, quantum measure- parallel processing3 or exploit problem structure, ment is performed, producing the algorithm’s often implicitly. Despite its promise, though, it is nonquantum output. Deutsch’s algorithm, for in- by no means clear whether, or how soon, quantum stance, solves a certain artificial problem in fewer computing methods will offer better performance steps than any classical (nonquantum) algorithm, in useful applications.4 Traditional complexity and its relative speedup grows with the problem analysis of Grover’s algorithm doesn’t consider the size. However, Charles Bennett and his col- complexity of processing the so-called oracle leagues2 have shown that quantum algorithms are queries—that is, certain questions with yes or no unlikely to solve NP-complete problems in poly- answers. The query process is simply treated as a nomial time, although more modest speedups re- black box, thus making Grover’s algorithm appeal- main possible. designed a fast (poly- ing because it needs fewer queries than classical nomial-time) quantum algorithm for number search. However, with sufficiently time-consuming factoring—a key problem in that query processing, Grover’s algorithm can become isn’t believed to be NP-complete. No classical nearly as slow as a simple (exhaustive) classical search. In this article, we identify requirements for 1521-9615/05/$20.00 © 2005 IEEE Grover’s algorithm to be useful in practice: Copublished by the IEEE CS and the AIP

GEORGE F. V IAMONTES, IGOR L. MARKOV, AND JOHN P. H AYES 1. A search application S where classical meth- University of Michigan ods don’t provide sufficient scalability. 2. An instantiation Q(S) of Grover’s search for

22 COMPUTING IN SCIENCE & ENGINEERING Grover’s Quantum Search Algorithm evaluated on a superposition of all items. Addi- rover’s quantum algorithm searches for a subset of tionally, converting classical search criteria to quantum cir- Gitems in an unstructured set of N items.1 The algo- cuits often entails a moderate overhead, and the quantum rithm incorporates the search criteria in the form of a black- predicate’s complexity can offset the reduction in the num- box predicate that can be evaluated on any items in the ber of queries. set. The complexity of this evaluation (query) varies de- Figure A shows a high-level circuit representation of pending on the search criteria. With conventional algo- Grover’s algorithm. (See related research2,3 for more de- rithms, searching an unstructured set of N items requires tailed circuits.) The algorithm’s first step is to initialize (N) queries in the worst case. In the quantum domain, log(N) , each with a value of |0. These qubits are however, Grover’s algorithm can perform unstructured then placed into an equal superposition of all values from 0 search by making only O(N ) queries, a quadratic to N – 1 (encoded in binary) by applying one Hadamard speedup over the classical case. This improvement is con- gate on each input . Because the superposition con- tingent on the assumption that the search predicate can be continued on p. 24

R iterations

|0 Iteratively increase the . Measure qubits to Create an equal amplitudes log(N) . retrieve one of the superposition of of index states which qubits matching indices . indices to N items match the search criteria probabilistically |0

Workspace qubits Black-box Predicate: Is f(x) = 1?

Search criteria

Repeat to find multiple matching indices

Figure A. A high-level circuit depiction of Grover’s quantum search algorithm.

S with an asymptotic worst-case runtime, a given criterion. (See the “Grover’s Quantum which is less than that of any classical algo- Search Algorithm” sidebar for a more detailed de- rithm C(S) for S. scription of this algorithm and its implementa- 3. A Q(S) with an actual runtime for practical tion.) For any N-element database, it takes instances of S, which is less than that of any ~NM/ evaluations of the search criterion C(S). (queries to an oracle) on database elements, whereas classical algorithms provably need at least Yet, we also show that real-life database applications ~N evaluations for some inputs. rarely satisfy these requirements. We also describe a To search a (large) database used in a particular simulation methodology for evaluating potential application S, Grover’s algorithm must be supplied speedups of quantum for specific in- with two different kinds of inputs that depend on stances of S. We demonstrate that search problems S: often contain a great deal of structure, which sug- gests several directions for future research. the database, including its read-access mech- anism, and Quantum Search the search criteria, Grover’s quantum algorithm1,5,6 searches an un- structured database to find M records that satisfy each of which is specified by a black-box predicate

MAY/JUNE 2005 23 continued from p. 23

⎢π ⎥ tains strings, they’re thought of as indices to the N items ⎢ arcsin() M / N ⎥ R = rather than as the items themselves. ⎢ 4 ⎥ . ⎣⎢ ⎦⎥ The next step is to iteratively increase the probability am- plitudes of those indices in the superposition that match Grover’s algorithm also exhibits a periodic behavior, and af- the search criteria. The key component of each iteration is ter the amplitudes of sought elements peak, they start de- querying the black-box predicate. We can view the predi- creasing. cate abstractly as a function f(x) that returns 1 if the index x In the final step, quantum measurement is applied to matches the search criteria and 0 otherwise. Assuming that each of the log(N) qubits, producing a single bit string. The the predicate can be evaluated on the superposition of in- larger a bit string’s amplitude, the more likely the bit string dices, a single query then evaluates the predicate on all in- is to be observed. dices simultaneously. In conjunction with extra gates and When M items match the search criteria in a particular qubits (or workspace qubits), the indices for which f(x) = 1 search problem, then Grover’s algorithm produces one of can be marked by rotating their phases by radians. To them. Each item is equally likely to appear because the in- capitalize on this distinction, additional gates are applied to version about the mean process increases the probability increase the probability amplitudes of marked indices and amplitudes of matching items equally. If all such items must decrease the probability amplitudes of unmarked indices. be found, Grover’s algorithm might have to be repeated Mathematically, this transformation is a form of inversion more than M times, potentially returning some items more about the mean. It can be illustrated on sample input than once. On the other hand, classical deterministic search {–1/2, 1/2, 1/2, 1/2} with mean 1/4, where inversion about techniques avoid such duplication and might be more suit- mean produces {1, 0, 0, 0}. Both vectors in the example able in applications in which M is a significant fraction of N. have norm 1. In general, the inversion about mean is a uni- tary transformation. One of Grover’s insights was that it can References be implemented with fairly small quantum circuits. 1. L.K. Grover, “Quantum Helps in Searching for a Needle in a In the case in which only one element out of N satisfies Haystack,” Physical Rev. Letters, vol. 79, no. 2, 1997, . 325– 328. the search criterion, each iteration of Grover’s algorithm in- 2. M.A. Nielsen and I.L. Chuang, Quantum Computation and Quantum In- creases the amplitude of this state by approximately formation, Cambridge Univ. Press, 2000. O(1/N ). Therefore, approximately N iterations are re- 3. G.F. Viamontes, I.L. Markov, and J.P. Hayes, “More Efficient Gate-Level quired to maximize the probability that a quantum mea- Simulation of Quantum Circuits,” Quantum Processing, vol. surement will yield the sought index (bit string). For the 2, no. 5, 2003, pp. 347–380. more general case with M elements satisfying the search 4. M. Boyer et al., “Tight Bounds on Quantum Searching,” Fortschritte der criteria, the optimal number of iterations4 is Physik, vol. 46, no. 4–5, 1998, pp. 493–505.

or oracle p(x) that can be evaluated on any record x dex. of the database. The algorithm then looks for an x Researchers are aware of several variants of such that p(x) = 1. In this context, x can be ad- Grover’s algorithm, including those based on quan- dressed by a k bit string, and the database can con- tum circuits and different forms of adiabatic evolu- tain up to N = 2k records. tion. However, as other work has discussed,7 all are Classically, we can evaluate or query p() on one closely related to the original algorithm and have input at a time. In the quantum domain, however, similar computational behavior. if p() can be evaluated on either x or y, then it can For comparison, consider a classical determinis- also be evaluated on the superposition (x + y)/2 , tic algorithm for unstructured search, assuming that with the result (p(x) + p(y))/2 . This quantum par- we aren’t using parallel processing techniques.3 It allelism enables search with N queries.5 If M el- requires making many queries because an unsuc- ements satisfy the predicate, then NM/ cessful evaluation of p(x) does not, in general, yield queries suffice.6 The parallel evaluation of p() re- new information about records other than x. There- quires a superposition of multiple bit strings at the fore, we might need anywhere from 1 to N queries, input, which can be achieved by starting in the depending on the input—N/2 on average. We must |00…0 state and applying the Hadamard gate H make queries until one of them is successful, and we on every qubit. This, of course, requires that p() can’t take advantage of an unsuccessful query. Thus, can interpret a bit string as a database record’s in- every deterministic algorithm must visit the data-

24 COMPUTING IN SCIENCE & ENGINEERING base records one by one, in some order, and inde- a|000000> + b(|110100> + |111000>) pendently try up to 2k database records until it finds a desired record. Randomized algorithms can pick records at random and have an edge over deter- ministic algorithms when many records satisfy p() R0 because, for any input, approximately N/(2M) queries suffice with very high probability. However, R1 R1 this improvement doesn’t compare with the qua- dratic speedup Grover’s algorithm offers. R2 R2 Application Scalability Although Grover’s algorithm relies on , it nevertheless solves a classical search R3 R3 R3 problem and competes with advanced classical search techniques in existing and new applications. Existing applications include Web search engines, R4 R4 large for real-time processing of credit- card transactions, analysis of high-volume astro- nomic observations, and so forth. Such databases R5 R5 explicitly store numerous pieces of classical infor- mation (records). Another class of existing applica- tions is illustrated by code breaking and Boolean a 0 b satisfiability, where the input is a mathematical function p(x) specified concisely by a formula, al- gorithm, or logic circuit. We seek the bits of x such Figure 1. A 5-qubit state-vector in the QuIDD data structure. Each that p(x ) = 1, which might represent a correct pass- decision variable Ri corresponds to a bit i in the binary encoding of word or key. The database of all possi- indices in the vector. Dashed lines model zeroes assigned to the index ble values of x is implicit and doesn’t require large bit, and solid lines model ones. Top-down paths represent the 32 amounts of memory. entries of the state-vector; a path might capture multiple entries with Explicit databases in existing applications are often equal values. too large to fit in one computer’s memory. They’re distributed through the network and searched in par- allel, and records can be quickly added, copied, and lenge II decryption problem was solved in one day modified. Distributed storage also facilitates redun- by a custom set of parallel processors built by the dancy, backup, and crash recovery. The records in Electronic Frontier Foundation for less than such databases correspond to physical objects (sen- $250,000 and nearly 100,000 PCs on distrib- sors, people, or Web pages), which tends to limit uted.net, an Internet-wide databases’ typical growth rates. Explicit databases project similar to SETI@home but geared toward might temporarily experience exponential growth, as code cracking. (See http://www.eff.org/ exemplified by the Web, but existing search infra- Privacy/Crypto/Crypto_misc/DESCracker/ and structures appear scalable enough for such applica- http://www.distributed.net for details.) tions, as ’s continuing success shows. Grover’s Implicit search applications typically exhibit ex- algorithm, on the other hand, isn’t well-suited to ponential scalability—for example, adding an extra searching explicit databases of this kind because it de- bit to an encryption key doubles the key space. mands a of all database This can’t be matched in principle by the linear records. Creating such a superposition, or using a su- scalability of classical parallel processing techniques perposition of indices in that capacity, seems to re- such as by adding hardware. Therefore, we believe quire localizing classical records in one place, which that these applications meet Requirement 1 in the is impractical for the largest explicit databases. introduction and thus are potential candidates for Consequently, Grover’s search algorithm seems practical quantum search tasks. confined to implicit databases, where it also faces se- rious competition from classical parallel methods.3 Oracle Implementation This application class includes cryptographic prob- Although the oracle function p() in Grover’s algo- lems, which are amenable to classical massively par- rithm can be evaluated on multiple inputs simulta- allel computation. For instance, the DES Chal- neously, the description of p() is usually left un-

MAY/JUNE 2005 25 Easy to Verify, Hard to Solve no two vertices connected by an edge have the same any practical computational problems exist in science color. This problem is NP-complete for graphs containing Mand engineering that are difficult to solve even on a fast at least one vertex connected to four or more edges.1 computer. For some of these problems, the best-known algo- • Boolean 3-satisfiability (3-SAT). This problem requires rithms that find an exact solution require super-polynomially finding an assignment of true/false values to variables of many computational steps in the problem size. However, ver- a Boolean function f in conjunctive normal form (CNF) ifying whether a given candidate solution solves the problem such that f is true. In CNF, the function consists of the might require up to polynomially many steps. Problems with conjunction (logical AND) of clauses, and each clause is this feature are called NP-complete1 and include the disjunction (logical OR) of Boolean variables in com- plemented or uncomplemented form. In 3-SAT, each • Traveling salesman problem (TSP). Given a list of cities clause contains three variables, though the number of connected by roads and a gasoline budget of k dollars, a distinct variables and clauses might vary. To illustrate, route must be determined, if one exists, so that a sales- given the CNF formula, f = (a + b + c)(a + –b + d)(–b + –c + man visits each city only once, returns to the starting city, d), where + denotes disjunction and neighboring clauses and spends k or fewer dollars on gasoline. There’s a dif- imply conjunction, a solution is a, c, d = true; b = false. ferent monetary cost for gasoline associated with travel- ing between different cities. Indeed, we can formulate Despite the difficulty of finding solutions to NP-complete TSP as a graph traversal problem (see Figure B). problems, researchers have developed many heuristics and • Graph 3-coloring. The input to this problem is three differ- approximation algorithms exhibiting efficient performance ent colors and an arbitrary graph. The goal is to find an in many useful cases.2,3 Heuristics are generally algorithms assignment of colors to all vertices, if one exists, so that that exhibit good empirical performance though their worst- case computational complexities might not be well under- Farmington Hills stood. Approximation algorithms have well-defined compu- tational complexities, but their solution quality and runtime might be worse than heuristics in specific cases. However, $0.75 $2.00 because we can map any NP-Complete problem to an in- stance of any other NP-complete problem with negligible 1 Livonia overhead, flexibility exists in choosing different approaches. $2.25 Detroit $1.00 $2.00 References Ann Arbor Canton 1. M.R. Garey and D.S. Johnson, and Intractability: A Guide to $2.30 the Theory of NP-Completeness, W.H. Freeman and Company, 2000. $2.00 2. Z. Michalewicz and D.B. Fogel, How to Solve It: Modern Heuristics, Figure B. A TSP with Ann Arbor as the starting city. Given a Springer, 2000. gasoline budget of $9.30, a solution is in green. 3. V.V. Vazirani, Approximation Algorithms, Springer, 2001.

specified.1,5,6 To actually implement Grover’s al- bers for an N-item database scale much worse than gorithm for a particular search problem, we must N, then both classical and quantum searching will explicitly construct p(). Several pitfalls are associ- be dominated by the evaluation of p(), diminishing ated with this important step and are related to the the relative value of the quantum speedup on the complexity of p(). log-scale. The first problem is that to query p() using quan- A more subtle problem is the complexity of de- tum parallelism, we must implement p() in quan- signing hardware implementations of p(). Even if tum hardware. This hardware can take various log- a given p() can theoretically be implemented with- ical and physical forms.1 If a quantum out undermining the relative speedup of Grover’s implementation of p() is derived from classical algorithm, there might not be a practical way to hardware design techniques, the classical and quan- find compact classical or quantum implementations tum implementations’ circuit size might be similar. in a reasonable amount of time. In classical elec- Circuit size is estimated by the number of logic op- tronic design automation (EDA), finding small erations (gates) used, and computation time by the logic circuits is an enormously difficult computa- circuit’s maximum depth. However, if these num- tional and engineering task that requires synergies

26 COMPUTING IN SCIENCE & ENGINEERING between circuit designers and expensive design 0.0017*k*(1.42k) software. Automatic synthesis of small quantum QuIDDPro circuits appears considerably harder because some 100,000 formulations allow gates with a function that de- pends on continuous parameters,8 rendering dis- crete methods irrelevant. 10,000 Although Grover’s algorithm satisfies Require- ment 2 in principle, satisfying it by a significant Runtime (s) margin on the log-scale might be difficult in many 1,000 cases because a small-circuit implementation of the oracle-function p() might not exist or might re- quire an unreasonable effort to find. 100 26 28 30 32 34 36 38 40 Classical Simulation Number of data qubits As in the case of Grover’s algorithm, quantum computation is often represented in the quantum- Figure 2. For k qubits, an actual quantum computer implementing circuit formalism, which can be described mathe- Grover’s algorithm must perform at least ck()2 k steps where c is a matically using and modeled on a constant. For the type of predicates Grover originally considered,5 the classical computer.1 Qubits are the fundamental empirical runtime of QuIDDPro simulation fits well to this formula units of information; k-qubit quantum states can be (plotted on a log-log scale), and the value of c is small. represented by 2k-dimensional vectors, and square matrices of various sizes can represent gates. The parallel composition of gates corresponds to the test-by-simulation approach to identify violations (Kronecker) product and serial composition of Requirement 3. Indeed, researchers have pro- to the ordinary product. Like classical cir- posed polynomial-time simulation techniques for cuits, quantum circuits can be conveniently simu- circuits with restricted gate types10,11 and slightly lated by computer software for analysis or design entangled quantum computation.12 However, they purposes. A can be simulated haven’t applied these results to quantum search. naively by a sequence of 2k 2k matrices applied se- We’ve found that QuIDDs enable a classical quentially to a state vector. This reduces quantum computer to simulate a useful class of quantum cir- simulation to standard linear-algebraic operations cuits using time and memory that scale polynomi- with exponentially sized matrices and vectors. Mea- ally with the number of qubits.9 All the compo- surement is simulated similarly. Because Grover’s nents of Grover’s algorithm, except for the algorithm only requires k qubits for a database of application-dependent oracle, fall into this class. N = 2k records, a naive classical simulation of We’ve also proven that a QuIDD-based simulation Grover’s algorithm would be exponentially worse of Grover’s algorithm requires time and memory than an actual quantum circuit that implemented resources that are polynomial in the size of the or- the algorithm. acle p() function represented as a QuIDD.9 Thus, The linear-algebraic formalism doesn’t differen- if a particular p() for some search problem can be tiate between structured and unstructured data. represented as a QuIDD using polynomial time However, the state vectors and gate matrices that and memory resources (including conversion of an appear in typical quantum simulations are anything original specification into a QuIDD), then classi- but unstructured. In particular, they compress well cal simulation of Grover’s algorithm performs the when simulated using the search nearly as fast as an ideal quantum circuit. If Decision Diagram (QuIDD) data structure.9 A a practical implementation of an oracle function p() QuIDD is a directed acyclic graph with one source is known, it’s straightforward to represent it in and multiple sinks, where each sink is labeled with QuIDD form because all relevant gate operations a . Matrix and vector elements are are defined for QuIDDs. Once p() is captured by a modeled by directed paths in the graph, as Figure 1 QuIDD, a QuIDD-based simulation requires illustrates. Linear-algebraic operations can then be NM/ queries, just like an actual quantum implemented by graph algorithms in terms of com- computer.9 If the size of the QuIDD for p() scales pressed data representations. Using data compres- polynomially for k-qubit instances of the search sion might substantially reduce simulation runtime problem, then Grover’s algorithm offers no for specific applications, especially those dealing speedup for the given search problem. with nonrandom data and circuits. This suggests a We implemented a generic QuIDD-based sim-

MAY/JUNE 2005 27 ulator called QuIDDPro in the C++ programming isfied clauses. Randomization in the algorithm fa- language.9 We can use this simulator in practice to cilitates hill climbing and an extremely fast move perform the test by the simulation we just de- selection mechanism.) The algorithms that Uwe scribed. Figure 2 gives runtime results for QuID- Schöning13 and David Eppstein14 describe exploit DPro simulating Grover’s algorithm for the search subtle structure in problem formulations, so they problem considered in Grover’s seminal paper.5 have the potential for further improvement. No The oracle function for this search problem returns such improvement is possible for Grover’s algo- p(x) = 1 for one item in the database. In all such rithm unless additional assumptions are made.15,7 cases, the QuIDD for p() has only k nodes, and Of course, many practical NP-complete search QuIDD-based simulation is empirically as fast as problems have upper bounds that far exceed an actual quantum computer. Memory usage is ~poly(k)1.41k—for example, k-satisfiability and k- only a few megabytes and grows linearly with the coloring, with k 4. However, known classical al- number of qubits.9 This particular search problem gorithms often finish much faster on certain inputs, fails to meet Requirement 3, so it doesn’t benefit by application-derived and artificial, structured, or un- being implemented on a quantum computer. structured.16 Indeed, we can now solve randomly Predicates exist that don’t compress well in generated hard-to-satisfy instances of Boolean sat- QuIDD form, so they require super-polynomial isfiability with a million variables in one day using time and memory resources. However, some of a single- PC. Grover’s algorithm is these predicates might also require a super-poly- mainly sensitive to the number of solutions, but not nomial number of quantum gates. This might to the solutions themselves or to the input features cause the evaluation of p(x) to dominate the quan- (such as symmetries) that classical algorithms tum search’s runtime and undermine the speedup sometimes exploit. of Grover’s algorithm over classical search. The Euclidean traveling salesman problem (TSP) and many other geometric optimization problems Problem-Specific Algorithms have defied fast, exact algorithms so far, but we can As we discussed earlier, comparisons between often solve them using polynomial-time approxi- quantum and classical search algorithms often im- mation schemes that trade-off accuracy for run- plicitly make strong assumptions—namely, the un- time.17 Their geometric structure lets us solve these restricted use of black-box predicates and the mis- problems to a given precision > 0 in polynomial conception that no quantum circuit can be time. Additionally, specific large instances of such simulated efficiently on any inputs. These assump- problems have been solved optimally in the past— tions overestimate the potential speedup quantum for example, the TSP for over 10,000 cities. Op- search offers. Another, and perhaps more serious, portunistic algorithms and heuristics that work well oversight in popular analysis concerns the structure only on some inputs are useful in practice, but com- present in particular search problems. Therefore, parable quantum heuristics are poorly understood. we must compare Grover’s algorithm against Hard cryptography problems have also been highly tuned classical algorithms specialized to a mentioned as potential applications of Grover’s al- given search problem rather than against generic gorithm.3 They include code breaking (particularly, exhaustive search. the Data Encryption Standard [DES] and Ad- Boolean 3-satisfiability (3-SAT) and graph 3-col- vanced Encryption Standard [AES] cryptosystems) oring have been suggested as possible applications and reversing cryptographically secure hash func- of quantum search because polynomial-time algo- tions (Message Digest Algorithm [MD5] and Se- rithms aren’t known for these NP-complete prob- cure Hash Algorithm [SHA-1]). Indeed, these can lems and are unlikely to be found. (See the “Easy be cast as unstructured search algorithms, but cryp- to Verify, Hard to Solve” sidebar for fuller defini- tographers have identified the structure in all such tions.) However, classical algorithms13,14 exist that applications. In fact, using clever classical methods, solve these two problems in less than ~poly(k)1.34k cryptographers have recently cracked the hash and ~poly(k)1.37k steps, respectively (k is the num- functions MD5, MD4, HAVAL-128, and ber of variables), thereby outperforming quantum RIPEMD.18 Other new classical attacks have also techniques that require at least ~poly(k)1.41k steps. been developed that seriously challenge the secu- (The algorithm Uwe Schöning13 analyzed is a sim- rity of SHA-0 and SHA-1.19 The task of breaking plified version of the well-known WalkSAT pro- DES has been reduced to Boolean 3-satisfiability20 gram. It’s a type of randomized local search in and clearly doesn’t require a naive enumeration of which variable assignments are changed one at a keys. Essential algebraic structure21 has been iden- time to statistically decrease the number of unsat- tified in AES (see http://csrc.nist.gov/Crypto

28 COMPUTING IN SCIENCE & ENGINEERING Toolkit/aes/aesfact.html), which has recently re- stricted to Grover’s search and apply to other po- placed DES as the US encryption standard. tential applications of quantum computing. The graph automorphism problem, for example, seeks symmetries of a given graph and is sometimes sug- lthough quantum computing has dra- gested as a candidate for polynomial-time quantum matically advanced during the past algorithms.4 Classically, this problem appears to re- decade, researchers have yet to quire more than polynomial time in the worst case demonstrate its potential applications but is unlikely to be NP-complete, just like num- atA full scale. Such demonstrations are likely to re- ber factoring. However, graph automorphism is quire breakthroughs in , computer sci- provably easy for random graphs and can also be ence, and engineering.4 It’s important to under- solved quickly in many practical cases—for exam- stand current roadblocks to achieving practical ple, in the context of verifica- speedups with quantum algorithms. Our hope is tion23—making existing algorithms and software that the work here will temper unreasonable ex- strong competitors of potential future quantum al- pectations of quantum speedups and encourage gorithms. further study of ways to improve quantum search. Daniel Curtis and David Meyer have proposed a In the near term, quantum computers running novel quantum algorithm application, finding tem- Grover’s algorithm are unlikely to be competitive plate matches in photographs,24 but it relies on the with the best classical computers in practical appli- quantum Fourier transform rather than Grover’s cations. Adding to the arguments of previous re- search. Proposals of this kind also deserve careful searchers3 regarding classical parallelism, we’ve evaluation from the and engi- pointed out that recent work on solving problems neering perspective and must be compared to state- such as Boolean satisfiability and direct simulation of-the-art classical methods on realistic inputs. of quantum circuits offers opportunities to exploit subtle domain-specific structures, even on a single Acknowledgments classical processor. Despite their exponential worst- This work is supported in part by DARPA, the US National case runtime, some of these algorithms are always Science Foundation, and a US Department of Energy faster than Grover’s search. High-Performance Computer Science graduate Some interesting open research issues that de- fellowship. The views and conclusions in this article are serve attention include those of the authors and do not necessarily represent official policies or endorsements of their employers or • search applications in which classical methods funding agencies. don’t offer sufficient scalability; • algorithms for near-optimal synthesis of quan- References tum oracle circuits; 1. M.A. Nielsen and I.L. Chuang, Quantum Computation and Quan- • quantum heuristics that finish faster or pro- tum Information, Cambridge Univ. Press 2000. duce better solutions on practical inputs; and 2. C. Bennett et al., “Strengths and Weaknesses of Quantum Com- puting,” SIAM J. Computing, vol. 26, no. 5, 1997, pp. 1510–1523. • quantum algorithms that exploit the structure 3. C. Zalka, “Using Grover’s Quantum Algorithm for Searching Ac- of useful search problems. tual Databases,” Physical Rev. A, vol. 62, no. 5, 2000, pp. 052305-1–052305-4. Recent work on variants of Grover’s search accounts 4. J. Preskill, “Quantum Computing: Pro and Con,” Proc. Royal Soc. for problem structure and seems particularly London A, vol. 454, no. 1969, 1998, pp. 469–486. promising. Building on earlier proof-of-concept re- 5. L.K. Grover, “Quantum Mechanics Helps in Searching for a Nee- 22 dle in a Haystack,” Physical Rev. Letters, vol. 79, no. 2, 1997, pp. sults, Jérémie Roland and Nicolas Cerf compare 325–328. the fastest known classical algorithms for 3-satisfi- 6. M. Boyer et al., “Tight Bounds on Quantum Searching,” 13 ability to their quantum search algorithm cog- Fortschritte der Physik, vol. 46, no. 4–5, 1998, pp. 493–505. nizant of the 3-literal limitation. Their analysis 7. J. Roland and N.J. Cerf, “Quantum-Circuit Model of Hamiltonian shows that the quantum algorithm has a smaller as- Search Algorithms,” Physical Rev. A, vol. 68, no. 6, 2003, pp. 062311-1–062311-6. ymptotic expected runtime, averaged over multiple 8. V.V. Shende, I.L. Markov, and S.S. Bullock, “Smaller Two-Qubit satisfiability instances with a particular clause-to- Circuits for Quantum Communication and Computation,” Proc. variable ratio (at the phase-transition), which are Design Automation and Test in Europe (DATE), CS Press, 2004, pp. known to be the most difficult to solve on average. 980–985. Similar comparisons for worst-case asymptotic run- 9. G.F. Viamontes, I.L. Markov, and J.P. Hayes, “More Efficient Gate- Level Simulation of Quantum Circuits,” Quantum Information Pro- time remain an attractive goal for future research. cessing, vol. 2, no. 5, 2003, pp. 347–380. Several considerations in our work aren’t re- 10. S. Aaronson and D. Gottesman, “Improved Simulation of Stabi-

MAY/JUNE 2005 29 lizer Circuits,” Physical Rev. A, vol. 70, no. 5, 2004, pp. 052328- 1–052328-14. of-the-year award and the ACM SIGDA Outstanding 11. L.G. Valiant, “Quantum Circuits That Can Be Simulated Classi- New Faculty Award. He is a member of the IEEE and cally in Polynomial Time,” SIAM J. Computing, vol. 31, no. 4, ACM. 2002, pp. 1229–1254. 12. G. Vidal, “Efficient Classical Simulation of Slightly Entangled John P. Hayes is a professor in the Electrical Engineer- Quantum ,” Physical Rev. Letters, vol. 91, no. 14, 2003, pp. 147902-1– 147902-4. ing and Computer Science Department at the Univer- 13. U. Schöning, “A Probabilistic Algorithm for k-SAT and Constraint sity of Michigan, where he holds the Claude E. Shan- Satisfaction Problems,” Proc. IEEE Symp. Foundation of Comp. Sci- non Chair of Engineering Science. His research interests ence, ACM Press, 1999, p. 410. include design, quantum com- 14. D. Eppstein, “Improved Algorithms for 3-Coloring, 3-Edge-Col- puting; computer-aided design, testing, and verifica- oring, and Constraint Satisfaction,” Proc. Symp. Discrete Algo- rithms, ACM/SIAM Press, 2001, pp. 329–337. tion of digital systems; VLSI design; and fault-tolerant 15. C. Zalka, “Grover’s Quantum Searching Algorithm Is Optimal,” and embedded computer systems. He is the author of Physical Rev. A, vol. 60, no. 4, 1999, pp. 2746–2751. and Organization 3rd ed. (Mc- 16. H. Kautz and B. Selman, “Ten Challenges Redux: Recent Progress Graw-Hill, 1998), Layout Minimization for CMOS Cells in Propositional Reasoning and Search,” Proc. Principles and Prac- (Kluwer, 1992), and Introduction to Digital Logic Design tice of Constraint Programming (CP), LNCS 2833, Springer, 2003, pp. 1–18. (Addison-Wesley, 1993). He received the University of 17. S. Arora, “Polynomial-Time Approximation Schemes for Euclid- Michigan’s Distinguished Faculty Award in 1999 and ean Traveling Salesman and Other Geometric Problems,” J. ACM, the Humboldt Research Award in 2004. He received his vol. 45, no. 5, 1998, pp. 753–782. PhD from the University of Illinois, Urbana-Champaign. 18. X. Wang et al., “Collisions for Hash Functions MD4, MD5, He is a fellow of the IEEE and ACM. HAVAL-128, and RIPEMD,” Cryptology ePrint Archive, report no. 199, Aug. 2004, pp. 1–4. 19. E. Biham and R. Chen, “Near-Collisions of SHA-0,” Proc. Int’l Cryptology Conf. (CRYPTO), LNCS 3152, Springer, 2004, pp. 290–305. 20. L. Marraro and F. Massacci, “Towards the Formal Verification of Ciphers: Logical of DES,” Proc. Workshop on and Security Protocols (FMSP), 1999. 21. S.P. Murphy and M.J.B. Robshaw, “Essential Algebraic Structure within the AES,” Proc. Int’l Cryptology Conf. (CRYPTO), LNCS 2442, Springer, 2002, pp. 1–16. 22. J. Roland and N.J. Cerf, “Adiabatic Quantum Search Algorithm for Structured Problems,” Physical Rev. A, vol. 68, no. 6, 2003, pp. 062312-1–062312-7. 23. P.T. Darga et al., “Exploiting Structure in Symmetry Generation for CNF,” Proc. Design Automation Conf. (DAC), ACM Press, 2004, pp. 530–534. 24. D. Curtis and D. A. Meyer, “Towards Quantum Template Match- ing,” Proc. SPIE, vol. 5161 (Quantum Communications and ), SPIE Press, 2004, pp. 134–141.

George F. Viamontes is a PhD candidate in the Elec- trical Engineering and Computer Science Department at the University of Michigan. He is working to develop algorithms that exploit implicit problem structure to simulate quantum mechanical phenomena efficiently. He has an MS in computer science and engineering from the University of Michigan. He is a member of the IEEE and ACM.

Igor L. Markov is an assistant professor in the Electri- cal Engineering and Computer Science Department at the University of Michigan. His interests are in quan- tum computing and combinatorial optimization ap- plied to the design and verification of integrated cir- cuits. He received his PhD in computer science from the University of California, Los Angeles. He is an asso- ciate editor of the ACM SIGDA newsletter. He also re- ceived the 2004 IEEE CAS Donald O. Pederson paper-

30 COMPUTING IN SCIENCE & ENGINEERING