D. QUANTUM ALGORITHMS 151 D.3 Shor If computers that you build are quantum, Then spies everywhere will all want ’em. Our codes will all fail, And they’ll read our email, Till we get crypto that’s quantum, and daunt ’em. — Jennifer and Peter Shor6 These lectures primarily follow Eleanor Rie↵el and Wolfgang Polak’s “An Introduction to Quantum Computing for Non-Physicists” (Rie↵el & Polak, 2000). 1. RSA: The widely used RSA public-key cryptography system is based ¶ on the difficulty of factoring large numbers. 2. Complexity: The best classical algorithms are exponential in the size ¶ of the input, m =logM. Specifically, the best current (2006) algorithm (the number field sieve (m1/3 log2/3 m) algorithm)runsintimeeO . 3. Shor’s algorithm is bounded error-probability quantum polynomial time ¶ (BQP), specifically, (m3). O 4. Period finding: Shor’s algorithm reduces factoring to finding the ¶ period of a function. 5. Shor’s algorithm was invented in 1994, inspired by Simon’s algorithm. ¶ 6. QFT: Like the classical Fourier transform, the Quantum Fourier Trans- ¶ form puts all the amplitude of the function into multiples of the fre- quency (reciprocal period). 7. Measuring the state yields the period with high probability. ¶ 8. Motivation for Period-finding: The connection between factoring ¶ and period finding can be understood as follows: Suppose you are trying to factor M. Suppose you can find x such that x2 =1(modM). 6NC 216. 152 CHAPTER III. QUANTUM COMPUTATION Then x2 1=0(modM). Therefore− (x +1)(x 1) = 0 (mod M). Therefore both x +1and− x 1havecommonfactorswithM (except in the trivial cases x =1,x =− M, and so long as neither is a multiple of M). 9. Pick an a that is coprime (relatively prime) to M. ¶ If ar =1(modM)andr happens to be even, we’re done (since we can find a factor of M as in previous topic). (The smallest such r is the order of a.) This r is the period of ax,sinceax+r = axar = ax (mod M). D.3.a Quantum Fourier transform 1. Let f be a function defined on [0, 2⇡). ¶ We know it can be represented as a Fourier series, a 1 A 1 f(x)= 0 + (a cos kx + b sin kx)= 0 + A cos(kx + φ ), 2 k k 2 k k Xk=1 Xk=1 where k =0, 1, 2,... represents the overtone series (natural number multiples of the fundamental frequency). 2. Ciscoid basis: You know also that it can be represented in the ciscoid ¶ def ikx (sine and cosine) basis, uk(x) =cis( kx)=e− .(The“ ”signis irrelevant, but will be convenient later.)− − ˆ f(x)= k1= fk cis( kx). 1 − 3. The FourierP coefficients are given by fˆ = u f = 2⇡ eikxf(x)dx. ¶ k h k | i 0 4. DFT: For the discrete Fourier transform we supposeR that f is repre- ¶ def j def sented by N samples, fj = f(xj), where xj =2⇡ N ,withj N = T 2 0, 1,...,N 1 .Letf =(f0,...,fN 1) . { − } − 5. Discrete basis: Likewise each of the basis functions is represented by ¶ N samples: def 2⇡ikj/N u =cis( kx )=e− ,j N. kj − j 2 T Let uk =(uk,0,...,uk,N 1) . 2⇡ikj/N − In e− ,notethat2⇡i represents a full cycle, k is the overtone, and j/N represents the fraction of a full cycle. D. QUANTUM ALGORITHMS 153 6. Roots of unity: Notice that N samples of the fundamental period ¶ correspond to the N primitive N th-roots of unity, that is, !j where ! = e2⇡i/N . kj Hence, ukj = !− . 7. Orthonormality: It is easy to show that the vectors u are orthogo- ¶ k nal, and in fact that uk/pN are ON (exercise). 8. Therefore, f can be represented by a Fourier series, ¶ 1 1 f = fˆ u = (u† f)u . p k k p k k N k N N k N X2 X2 9. Discrete Fourier transform: Define the discrete Fourier transform ¶ ˆ ˆ of the vector f, f =Ff,tobethevectorofFouriercoefficients,fk = uk† f. 10. Determine F as follows: ¶ ˆ f0 u0†f u0† ˆ f1 1 u1†f 1 u1† ˆf = 0 . 1 = 0 . 1 = 0 . 1 f. pN . pN . B ˆ C B C B C B fN 1 C B uN† 1f C B uN† 1 C B − C B C B C @ A @ − A @ − A 11. Therefore let ¶ 0 0 0 1 0 (N 1) ! · ! · ! · − u0† 1 0 1 1 ··· 1 (N 1) ! · ! · ! · − def 1 u1† 1 0 2 0 2 1 ··· 2 (N 1) 1 F = 0 . 1 = ! · ! · ! · − . pN . pN B . ···. C B C B . .. C B uN† 1 C B (N 1) 0 (N 1) 1 (N 1) (N 1) C B C B ! − · ! − · ! − · − C @ − A B ··· C @ A That is, F = u /pN = !kj/pN for k, j N. kj kj 2 12. Note that the “ ”signsinthecomplexexponentialswereeliminated ¶ by the conjugate− transpose. 13. Unitary: Fisunitarytransformation(exercise). ¶ 154 CHAPTER III. QUANTUM COMPUTATION 14. FFT: The FFT reduces the number of operations required from (N 2) ¶ to (N log N). O It doesO this with a recursive algorithm that avoids recomputing values. However, it is restricted to N =2n. 15. QFT: The QFT is even faster, (log2 N), that is, (n2). ¶ However, because the spectrumO is encoded in theO amplitudes of the state, we cannot get them all. It too is restricted to N =2n. 16. The QFT transforms the amplitudes of a quantum state: ¶ U f j = fˆ k , QFT j| i k| i j N k N X2 X2 where ˆf def=Ff. 17. Suppose f has period r,andsupposethatr N. ¶ Then all the amplitude of fˆ should be at multiples| of its fundamental frequency, N/r. 18. If r N,thentheamplitudewillbeconcentratednear multiples of ¶ N/r.6| The approximation is improved by using larger n. 19. The QFT can be implemented with n(n +1)/2gatesoftwotypes: ¶ (1) One is Hj, the Hadamard transformation of the jth qubit. (2) The other is a controlled phase-shift. Specifically Sj,k uses qubit xj to control whether it does a particular phase shift on the 1 component | i of qubit xk. That is, S x x x x0 is defined by j,k| j ki 7! | j ki def i✓k j S = 00 00 + 01 01 + 10 10 + e − 11 11 , j,k | ih | | ih | | ih | | ih | k j where ✓k j = ⇡/2 − . − That is, the phase shift depends on the indices j and k. D. QUANTUM ALGORITHMS 155 20. It can be shown that the QFT can be defined:7 ¶ n 1 n 1 − − UQFT = Hj Sj,k. j=0 Y k=Yj+1 This is (n2)gates. O D.3.b Shor’s algorithm 1. Shor’s algorithm depends on many results from number theory, which ¶ are outside of the scope of this course. Since this is not a course in cryptography or number theory, I will just illustrate the ideas. Suppose we are factoring M (and M =21willbeusedforconcrete examples). Let m def= lg M =5inthecaseM =21. d e 2. Step 1: Pick a random number a<M.Ifa and M are not coprime ¶ (relatively prime), we are done. (Euclid’s algorithm is (m2)= (log2 M).) O O 3. Example: Suppose we pick a =11,whichisrelativelyprimewith21. ¶ 4. Modular exponentiation: Let g(x) def= ax (mod M), for x M def= ¶ 0, 1,...,M 1 . 2 { − } 5. This takes (m3) gates. It’s the most complex part of the algorithm! ¶ (ReversibleO circuits typically use m3 gates for m qubits.) 6. Ex.: In our case, g(x)=11x (mod 21), so ¶ g(x)=1, 11, 16, 8, 4, 2, 1, 11, 16, 8, 4,... period | {z } 7. In order to get a good QFT approximation, pick n such that M 2 ¶ 2n < 2M 2.LetN =2n. Alternately, 2 lg M n<2lgM +1,thatis,rouglytwiceasmany 7See Rie↵el & Polak (2000) for this, with a detailed explanation in Nielsen & Chuang (2010, 5.1, pp. 517–21). § 156 CHAPTER III. QUANTUM COMPUTATION qubits as in M. Note that although the number of samples is N =2n,weneedonlyn qubits (thanks to the tensor product). 8. Ex.: For M =21wepickn =9forN = 512 since 441 512 < 882. ¶ Note m =5. 9. Step 2 (quantum parallelism): Apply U to the superposition ¶ g def n n 1 = H⌦ 0 ⌦ = x | 0i | i p | i N x N X2 to get def m 1 = U 0 ⌦ = x, g(x) . | 1i g| 0i| i p | i N x N X2 10. Ex.: Note that 14 qubits are required [n =9forx and m =5forg(x)]. ¶ 11. Step 3 (measurement): The function g has a period r,whichwe ¶ want to transfer to the amplitudes of the state so that we can apply the QFT. 12. This is accomplished by measuring (and discarding) the result register ¶ (as in Simon’s algorithm). Suppose the result register collapses into state g⇤ (e.g., g⇤ =8). The input register will collapse into a superposition of all x such that g(x)=g⇤.Wecanwriteit def 1 1 1 = x, g⇤ = f x, g⇤ = f x g⇤ , | 2i | i x| i x| i | i x N s.t.g(x)=g x N " x N # Z 2 X ⇤ Z X2 Z X2 where def 1, if g(x)=g f = ⇤ , x 0, otherwise ⇢ and def= x g(x)=g is a normalization factor. Z |{ | ⇤}| p 13. Note that the values x for which fx =0di↵erfromeachotherbythe ¶ period. 6 As in Simon’s algorithm, if we could measure two such x,wewould have useful information, but we can’t.