Lecture 5 Grover’s algorithm, amplitude amplification and applications to cryptography

February 12, 2020

Quantum Information Theory Plan

1. Grover’s algorithm 2. A generalization : amplitude amplification and application to collision finding 3. Lower bound on the query complexity

Quantum Information Theory 1/42 Grover 1. Grover’s algorithm

I Allows a quadratic speedup for searching in an unstructured data structure I Does not provide an exponential speedup unlike Shor’s algorithm but is more widely applicable

Quantum Information Theory 2/42 Grover The problem

Problem 1. Input: A boolean function f : {0, 1}n → {0, 1} given as a “black box” Output: an x ∈ {0, 1}n such that f(x) = 1. n I Can be viewed as a modeling of a data search in an unstructured database of size N = 2 I Classically a randomized algorithm would need Θ(N) queries if there are 0(1) elements x such that f(x) = 1 √ √ I Grover can solve this problem with only O( N) queries to f and O( N log N) other gates I This query complexity can be shown to be optimal

Quantum Information Theory 3/42 Grover The algorithm

√ Start by applying H⊗n and then iterate N times the following steps

f(x) 1. Perform Of : |xi 7→ (−1) |xi 2. Perform H⊗n 3. Perform R where • R |0i = |0i • R |xi = − |xi for x 6= 0 4. Perform H⊗n

Quantum Information Theory 4/42 Grover Exercise

Give a quantum circuit of low complexity implementing R.

Quantum Information Theory 5/42 Grover Circuit for R

Ingredient 1: from a quantum circuit Qg performing |x, bi 7→ |x, b ⊕ g(x)i where g is a Boolean function to a circuit performing |xi 7→ (−1)g(x) |xi:

|x> Qg

|0> X H

E |g(x)i − g(x) Id⊗X Id⊗H |0i − |1i Qg |0i − |1i |xi |0i → |xi |1i → |xi √ → |xi √ = (−1)g(x) |xi √ 2 2 2 Ingredient 2: a quantum circuit performing

|x1, ··· , xni |bi 7→ |xi b ⊕ x¯1 ··· x¯n

Quantum Information Theory 6/42 Grover Exercise

def 1 P ⊗n ⊗n 1. Let |ψi = √ n |xi. Show that one iteration of H RH amounts to multiply 2n x∈{0,1} the quantum state by 2 |ψi hψ| − Id ⊗n ⊗n P 2. Show that one iteration of H RH amounts to transform a state x αx |xi into X (2hαi − αx) |xi x

1 P where hαi = 2n x αx.

Quantum Information Theory 7/42 Grover Grover

1.

R = 2 |0ni h0n| − Id H⊗nRH⊗n = 2 |ψi hψ| − Id

2. X X |ψi hψ| αx |xi = αx |ψi hψ| |xi x x ! X = αx hψ|xi |ψi x ! 1 X 1 X = αx |yi 2n/2 2n/2 x y X = hαi |yi y

Quantum Information Theory 8/42 Grover Initialisation+first step

Quantum Information Theory 9/42 Grover Second step

Quantum Information Theory 10/42 Grover Third step

Quantum Information Theory 11/42 Grover Steps 4-7

Quantum Information Theory 12/42 Grover Steps 8-11

Quantum Information Theory 13/42 Grover An algebraic proof

N def= 2n t def= #{x : f(x) = 1}

def |ψki = state after k iterations X X |ψki = ak |xi + bk |xi x:f(x)=1 x:f(x)=0

Quantum Information Theory 14/42 Grover Algebraic proof(I)

1 a0 = b0 = √ N 0 X X ψk = −ak |xi + bk |xi x:f(x)=1 x:f(x)=0

X 0 X 0 |ψk+1i = (2hψki + ak) |xi + (2hψki − bk) |xi x:f(x)=1 | {z } x:f(x)=0 | {z } ak+1 bk+1   0 t t hψ i = − ak + 1 − bk k N N  2t  2t ak+1 = 1 − ak + 2 − bk N N 2t  2t bk+1 = − ak + 1 − bk N N

Quantum Information Theory 15/42 Grover Algebraic proof(II)

r t sin θ def= N  2t 2t def 1 − N 2 − N P = 2t 2t −N 1 − N  cos 2θ 2 cos2 θ = −2 sin2 θ cos 2θ

The eigenvalues of P are readily seen to be equal to e±2iθ and therefore

−2ikθ −2ikθ ak = A−e + A+e −2ikθ −2ikθ bk = B−e + B+e

Quantum Information Theory 16/42 Grover Algebraic proof(III)

1 ak = √ sin ((2k + 1)θ) t 1 bk = √ cos ((2k + 1)θ) N − t

2 I Probability of seing a solution Pk = sin ((2k + 1)θ)

π 1 k˜ def= − 4θ 2 k def= closest integer to k˜ 2 1 − Pk = cos ((2k + 1)θ) = cos2((2k˜ + 1)θ + 2(k − k˜)θ) π  = cos2 + 2(k − k˜)θ 2 t = sin2(2(k − k˜)θ) ≤ sin2 θ = N

Quantum Information Theory 17/42 Grover A geometric proof

N def= 2n t def= #{x : f(x) = 1}

def 1 X |Gi = √ |xi t x:f(x)=1

def 1 X |Bi = √ |xi N − t x:f(x)=0

def 1 X |Ui = √ |xi N x = sin θ |Gi + cos θ |Bi with r t sin θ = N

Quantum Information Theory 18/42 Grover The {|Gi , |Bi} plane

|G>

|U> θ |B>

Quantum Information Theory 19/42 Grover Reflections

I Of = reflection through |Bi

Of |Bi = |Bi

Of |Gi = − |Gi ⊗n ⊗n I H RH = 2 |Ui hU| − Id reflection through |Ui

(2 |Ui hU| − Id) |Ui = 2 hU|Ui |Ui − |Ui = |Ui E D E E ⊥ ⊥ ⊥ (2 |Ui hU| − Id) U = 2 U|U |Ui − U E ⊥ = − U

Quantum Information Theory 20/42 Grover The picture

|G> |G> HRHOf |U>

|U> 3θ |U> θ θ |B> |B> θ θ

Of |U> Of |U>

Quantum Information Theory 21/42 Grover Iterating the reflections

I Initial state sin θ |Gi + cos θ |Bi I Each iteration = rotation of an angle 2θ, after k iterations we have

sin((2k + 1)θ) |Gi + cos((2k + 1)θ) |Bi I Probability of seing a solution

2 t Pk = sin ((2k + 1)θ) ≥ 1 − N

π 1 for k chosen as the closest integer to 4θ − 2 I The algorithm given in this way needs to know t to stop when the number of iterations k is π 1 −1 q t  the closest integer to 4θ − 2 where θ = sin N

  qN Complexity = O t

Quantum Information Theory 22/42 Grover Exercise : do we need to know t? (Quantum counting)

def ⊗n ⊗n 1 P 1. Let G=H RH Of and let |Ui = √ n |xi. What is the dimension of the 2n x∈{0,1} space V generated by the Gi |Ui’s ? 2. What are the eigenvalues of G restricted to V ? 3. Give a quantum algorithm that estimates these eigenvalues up to s bits of precision.

Quantum Information Theory 23/42 Grover Quantum counting

1. dim V = 2 (generated by |Bi and |Gi) 2iθ −2iθ q t 2. The eigenvalues are e and e where sin θ = N 3. This is the phase estimation algorithm of Lecture 4.

Quantum Information Theory 24/42 Grover Quantum counting: the circuit

|0> |0> |0> |0> * H QFTs |0> s |0> |0> |0>

|0> |0> |0> |0> 2 4 2s−1 Hn G GGG |0> |0> |0> |0>

Quantum Information Theory 25/42 Grover Quantum counting: the analysis

−s ∗ I Estimating the eigenvalue ±θ can be done with a precision of 2 by using QFT2s and s auxiliary qubits. Estimation holds with some probability ≥ 1 − ε

t sin2 θ def= N |∆t| = sin2(θ + ∆θ) − sin2 θ N < |2 sin θ + |∆θ|| |∆θ| |∆θ| ≤ 2−s  √ N  ⇒ |∆t| < 2 tN + 2−s 2s √ √ = O( t) for 2s = N

Quantum Information Theory 26/42 amplification 2. Amplitude amplification

I More general version of Grover’s algorithm • Boolean function χ : X → {0, 1} P • Quantum algorithm A such that A |0i = x∈X αx |xi that has probability p of finding P 2 an element x ∈ X for which χ(x) = 1, when A |0i is measured i.e. p = x:χ(x)=1 |αx| 1 I Classically we need to run A p times

−1 √1 I Quantumly we only need to run A and A O( p) times

Amplitude amplification algorithm

1. Setup the starting state |Ui = A |0i √1 2. Repeat the following O( p) times χ(x) (a) apply Oχ : |xi 7→ (−1) (= reflect through |Bi) (b) apply ARA−1 (=reflect through |Ui) 3. measure and verify that the outcome |xi is such that χ(x) = 1

Quantum Information Theory 27/42 amplification Amplitude amplification

I The analysis on Grover’s search algorithm actually shows in this case a stronger statement. Let V be the space h|xi : χ(x) = 1i. We have in our case E ⊥ A |0i = α |φV i + β φV

where |α|2 = p. The quantum amplitude amplification algorithm produces a state close to |φV i

Quantum Information Theory 28/42 amplification Exercise : collision search

Let f : {0, 1}n → {0, 1}n which is assumed to be to 2 to 1, for each x ∈ {0, 1} there is exactly one other y such that f(x) = f(y). Such a pair is called a collision.

1. Choose S uniformly at random among the sets of size s in {0, 1}n. What is the expected number of solutions in S ? 2. Give√ a classical randomized algorithm that finds a collision (with probability ≥ 2/3 say) using O( 2n) queries to f 3. Give a quantum algorithm that finds a collision using O(2n/3) queries to f

Quantum Information Theory 29/42 amplification collision search

s(s−1) 1. 2(2n−1) 2. Choosing a set of size Ω(2n/2) 3. Choosing a set S of size Ω(2n/3), check that there is no collision in it, then define

g(x) = 1 iff ∃y ∈ S : f(y) = f(x)

and use Grover’s algorithm

Quantum Information Theory 30/42 amplification Exercise : collision finding with poly(n) quantum memory

We keep the same notation as before, but model now f as a random function. Let ( ) def n−r Sr = (x, f(x)) : ∃z ∈ {0, 1} , f(x) = 0 ··· 0 ||z and consider the following algorithm |r {ztimes}

t−r n (i) Construct a list L consisting of 2 elements from Sr. Let g : {0, 1} → {0, 1} where g(x) = 1 if and only if there is an (x0, f(x0)) in L such that f(x) = f(x0). (ii) apply the quantum amplification algorithm where def 1 P • the initialization consists in the construction of |ψi = √ (x,f(x))∈S |x, f(x)i |Sr| r • the oracle is Og

1. How do you perform (i) and (ii) ? What are the costs (complexity, quantum memory, classical memory) of steps (i) and (ii) ? 2. What are the classical and quantum memory costs of this algorithm ? 3. What is the optimal quantum complexity of this algorithm for a polynomial quantum memory cost ?

Quantum Information Theory 31/42 amplification collision finding with poly(n) quantum memory

1. (i) can be done with Grover with fr(x) = 1 if (x, f(x)) ∈ Sr. Probability that a given x evaluates to 1 = O(2−r) ⇒ Complexity O(2r/2) of a Grover call – overall quantum complexity O(2t−r/2) – quantum memory poly(n) – classical memory O(2t−r) (ii) detailing each step setup: (constructing |φri) done by amplitude amplification with gr(x) = 1 if (x, f(x)) ∈ Sr and A |0i = 1 P |xi 2n/2 x ∗ quantum complexity O(2r/2) ∗ quantum memory poly(n) Og : testing sequentially against the elements of L ∗ quantum complexity O(2t−r) ∗ quantum memory poly(n)

Quantum Information Theory 32/42 Step (ii) is essentially a Grover search for g with input space Sr

t−r ! 2 t−n Prob(g(x) = 1|(x, f(x)) ∈ Sr) = O = O(2 ) 2n−r    n−t r/2 t−r ⇒ qu. comp. of (ii) = O  2 2 2 + 2  |{z} |{z} |{z} # Grover iter. setup Og

Overall complexity • time  n−t h i O 2t−r/2 + 2 2 2r/2 + 2t−r • quantum memory poly(n) • classical memory 2t−r 2. Optimization 2 • r/2 = t − r ⇒ r = 3t n−t n t 2t 3n • 2 + r/2 = t − r/2 ⇒ 2 − 6 = 3 ⇒ t = 5 • Overall complexity 2n – time O(2 5 ) n – classical memory O(2 5 )

Quantum Information Theory 33/42 lower bound 3. Lower bound on the query complexity I Assumptions • only one solution x : Ox = Id − 2 |xi hx|

• the algorithm starts in a state |ψi and applies the oracle Ox exactly k times with unitary operations U1, ··· , Uk interleaved between the oracle calls

x def |ψk i = UkOxUk−1Ox ··· U1Ox |ψi def |ψki = UkUk−1 ··· U1 |ψi

def X x 2 Dk = |||ψk i − |ψki|| x It turns out that

2 (i) Dk ≤ 4k

(ii) to distinguish among N alternatives we need Dk = Ω(N)

This implies √ k = Ω( N)

Quantum Information Theory 34/42 lower bound 2 Induction for Dk ≤ 4k D0 = 0 X x 2 Dk+1 = ||Ox |ψk i − |ψki|| x X x 2 = ||Ox(|ψk i − |ψki) + (Ox − Id) |ψki|| x

X  x 2 x 2 ≤ |||ψk i − |ψki|| + 4 |||ψk i − |ψki|||hx|ψki| + 4 |hψk|xi| (1) x 1 1 !2 !2 X x 2 X 2 p ≤ Dk + 4 |||ψk i − |ψki|| |hx|ψki| ≤ Dk + 4 Dk + 4 x x we used: ||b + c||2 ≤ ||b||2 + 2 ||b||||c|| + ||c||2 with

def x b = Ox(|ψk i − |ψki) def c = (Ox − Id) |ψki

= −2 hx|ψki |xi for (1) (2) X 2 |hx|ψki| = 1 for the last inequality (3) x

Quantum Information Theory 35/42 lower bound Exercise: Dk = Ω(N)

Let

def X x 2 Ek = |||ψk i − |xi|| x

def X 2 Fk = |||xi − |ψki|| x

√ √ 1. Show by using the Cauchy-Schwarz inequality that D ≥ ( F − E )2 √ k k k 2. Show that Fk ≥ 2N − 2 N 3. Show that if the probability of recovering the right x for any x is greater than 1 then √ 2 Ek ≤ (2 − 2)N

4. Show that under the same assumption as in the previous point, we have Dk = Ω(N)

Quantum Information Theory 36/42 lower bound The polynomial method

I The query model: N • want to compute some function f : {0, 1} → {0, 1} on a given input x = x0 ··· xN−1 • x is not given explicitly can be queried through a quantum operation

Ox : |i, bi 7→ |i, b ⊕ xii

• cost : number of queries to Ox, i.e. T when we perform

UT OxUT −1Ox ··· OxU1OxU0 |0 ··· 0i I Example: n f(x) = x0 ∨ x1 ∨ · · · ∨ xN−1 and N = 2 ⇔ knowing whether one of the xi’s evaluate to 1 ⇔ the function g(i) = xi evaluates to 1 on at least one entry

Quantum Information Theory 37/42 lower bound From quantum queries to polynomials

X p(x0, . . . , xN−1)= asΠi∈Sxi S⊆{0,··· ,N−1}

def deg(p) = max{|S| : aS 6= 0}

Fact 1. The final state of a T query algorithm with input x ∈ {0, 1}N acting on an m-qubit space can be written as X az(x) |zi z∈{0,1}m where each az(x) is a polynomial in x of degree at most T

Quantum Information Theory 38/42 lower bound Proof of the fact

By induction on T . Clearly true for T = 0. Assume that the property holds for T queries. Applying a unitary does not change the state of the state ⇒ the az(x)’s are polynomial in x of degree ≤ T . Register of the form |i, b, wi

Query swaps |i, 0, wi and |i, 1, wi iff xi = 1, therefore

α(x) |i, 0, wi+β(x) |i, 1, wi 7→ ((1−xi)α(x)+xiβ(x)) |i, 0, wi+((1−xi)β(x)+xiα(x)) |i, 1, wi ⇒ deg αT +1(x) ≤ T + 1

Quantum Information Theory 39/42 lower bound The second ingredient

Assume algorithm A works on m qubits and the outcome is the first qubit. The probability of output 1 is therefore X 2 p(x) = |αz(x)| z∈{1}×{0,1}m−1 and p(x) is a polynomial of degree ≤ 2T .

1 A computes f with err. prob. ≤ 3 ⇓ if f(x) = 0 then p(x) ∈ [0, 1/3] if f(x) = 1 then p(x) ∈ [2/3, 1] ⇓ p approximates f

Quantum Information Theory 40/42 lower bound Application

I symmetric function f(x) = f(π(x)) for any permutation π of the coordinates: OR, AND, Parity, Majority In such a case q(x) defined by

d 1 X X |x| q(x)= p(π(x)) = ai N! i π∈SN i=0 also approximates f. Moreover there is a single variable polynomial r such that

q(x) = r(|x|)

def Pd z
(choose r(z)= i=0 ai i )

Quantum Information Theory 41/42 lower bound OR

r(0) ∈ [0, 1/3] r(t) ∈ [2/3, 1] for t ∈ {1, ··· ,N} ⇓ √ deg r ≥ Ω( N)

Quantum Information Theory 42/42