Lecture 2
advertisement
Quantum Computing
(Fall 2013)
Instructor: Shengyu Zhang.
Lecture 2 Factoring and Abelian HSP
1. Factoring problem
Historical importance: one of the oldest computational problems.
Average-case hardness: not only hard on worst-case inputs, but also on average-case inputs.
Relation to RSA: If Factoring is easy, then RSA is insecure.
Best classical algorithms: 2O(√π log π) for π-bit numbers.
Shor’s quantum algorithm: π(π3 ).
2. Quantum Fourier Transform (QFT)
Definition of QFT. In next class, we will define Fourier transform on general groups. Today,
we’ll only focus on a cyclic group: ππ . (Sometimes it is written as π/ππ.) Define ππ =
π π2π/π , a primitive π-th root of unity. For each π₯ ∈ ππ , the QFT has the following effect on
the basis vector |π₯⟩:
|π₯⟩ →
1
π₯π¦
∑ ππ |π¦⟩ =
√π π¦∈π
π
1
∑ π 2πππ₯π¦/π |π¦⟩.
√π π¦∈π
π
In other words, the QFT is the following operator. πΉππ =
form, it is
1
√π
∑π₯,π¦∈ππ πππ₯π¦ |π¦⟩⟨π₯|. In matrix
Algorithm for QFT for πππ . (Note: the group is the cyclic group ππ with π = 2π , but not
π
(π2 )×π ). Write both π₯ and π¦ by binary numbers, namely π₯ = ∑π−1
π=0 2 π₯π and π¦ =
π
∑π−1
π=0 2 π¦π . Then
The QFT can be implemented by the following circuit, where we use some controlled-π
π ,
1
0
π ). (We’ve learned controlled-NOT in the last class; the general
0 π 2ππ/2
with π
π = (
controlled-unitary operator is similar: Conditioned on the control bit being 1, do the unitary.)
We can see intuitively why this circuit works by verifying the first two qubits. For the top
qubit, one Hadamard gates makes the output |0⟩ + (−1)π₯0 |1⟩ = |0⟩ + π 2πππ₯0 /2 |1⟩ = |π§π−1 ⟩.
π π₯
(Note that we used the fact that π 2ππ2
π
= 1 for all π ≥ 0 and π₯π ∈ {0,1}.) Now look at
the second qubit. After the Hadamard gate, it is |0⟩ + π 2πππ₯1 /2 |1⟩. The controlled-π
2 gate
further puts a phase π 2πππ₯0 /4 on |1⟩, thus the final output on this qubit is |0⟩ +
π₯1 π₯0
π 2ππ( 2 + 4 ) |1⟩ = |π§π−2 ⟩. Using the same way one can verify the rest qubits.
3. Tool – Phase Estimation
One important application of QFT on ππ is Phase Estimation. Suppose that there is a unitary
operation π and we are given the ability of applying controlled-ππ operations for j =
2, 22 , 23 , … We are also given an eigenstate |π’⟩, which corresponds to an eigenvalue ππ’ .
The task is to get an estimate of ππ’ . (Recall the spectral decomposition of normal matrices.)
Here is a simple algorithm using QFT.
To get an intuition why the above algorithm is correct, consider the case that the eigenvalue has an
π-bit binary representation. Then the inverse Fourier transform in Step 4 above will give exactly the
eigenvalue ππ’ . (Recall the definition of Fourier transform: |π⟩ → ∑π¦∈ππ π2ππππ |π⟩.)
4. Quantum algorithm for Factoring
First, Factoring is known to be equivalent to another problem called Order Finding. In Order
Finding, we are given two positive integers π₯ and π that are co-prime to each other. We
want to find the smallest π s.t. π₯ π = 1 mod π. For example, when π₯ = 5 and π = 21,
then it is not hard to verify that the powers of π₯ are 5, 4, 20, 16, 17, 1 (all mod 21), thus the
order is 6.
Algorithm for Order Finding. Consider the unitary matrix π|π¦⟩ = |π₯π¦ mod π⟩ for each
π¦ ∈ [0, π − 1]. Note that for different π¦’s, π|π¦⟩’s are also different. (Suppose π₯π¦1 ≡ π₯π¦2 ,
then π₯(π¦1 − π¦2 ) ≡ 0, impossible because π₯ is co-prime with π.) Thus π is indeed a
unitary matrix.
For each π ∈ [0, π − 1], consider state |π’π ⟩ =
1
√π
−π π π
∑π−1
π=0 ππ |π₯ mod π⟩. It is actually an
eigenvector of π with respect to eigenvalue πππ :
π|π’π ⟩ =
1
π−1
∑ ππ−π π |π₯ π+1 mod π⟩ =
√π π=0
1
π−1
−π (π−1)
∑ ππ
√π π=0
|π₯ π mod π⟩ = πππ |π’π ⟩.
Thus we can run the Phase Estimation algorithm on |π’π ⟩ and we’ll get π /π.
Some issues: We don’t have |π’π ⟩; after all it needs information of π. But note that
1
π−1
∑ |π’π ⟩ =
√π π =0
1
π−1
∑
1
π−1
∑ ππ−π π |π₯ π mod π⟩ = |1⟩.
√π π =0 √π π=0
(For π ≠ 0, ∑s ππ−π π = 0.) So if we prepare |1⟩ and run the Phase Estimation algorithm,
then we will get
1
√π
∑π−1
π =0 |π /π⟩|π’π ⟩. Measuring the first register gives π /π. Using a simple
procedure called the continued fraction, one can get π ′ and π ′ s.t.
π ′
π′
π
= π. π ′ may not be π,
but π ′ is at least a factor of π. Doing this a couple of times and get π ′′ , π ′′′ , … and take the
least common multiple of π ′ , π ′′ , π ′′′ , … would give us π. (Actually, a careful analysis shows
that most likely the least common multiple of π ′ and π ′′ is already π.)
π
Another issue is that in Phase Estimation, we need controlled-π 2 operations.
5. Hidden Subgroup Problem (HSP)
Definition of HSP. Order Finding and many other problems fall into the framework of Hidden
Subgroup Problem (HSP). In HSP, there is a function π: πΊ → π on a group πΊ, which contains a
subgroup π». π» partitions πΊ by (left) cosets. We have the promise that π is constant on each coset,
and distinct on different cosets. The goal is to identify π» efficiently. In quantum algorithms, we can
access π by controlled-π gates. In particular, we can make the following transform: |π₯⟩|0⟩ →
|π₯⟩|π(π₯)⟩.
HSP for finite Abelian groups. Any finite Abelian group πΊ is isomorphic to ππ1 × β― ×
πππ . For each element π = (π1 , … , ππ ) ∈ ππ1 × β― × πππ , define a character function
π π₯1
ππ : πΊ → πΆ by ππ (π₯1 … π₯π ) = ππ11
1
√|πΊ|
π π₯
… ππππ π |π1 … ππ ⟩, and define the QFT by |π₯⟩ →
∑π ππ (π₯)|π⟩. It is easily checked that each ππ is a homomorphism: ππ (π₯π¦) =
ππ (π₯)ππ (π¦). The set of the ππ ’s is denoted by πΊΜ , which is isomorphic to πΊ itself. One
property for πΊΜ is that any two distinct characters are orthogonal. In particular, if π ≠
(0, … ,0), then ∑π₯∈πΊ ππ (π₯) = 0.
Algorithm.
1
√|πΊ|
∑π₯∈πΊ |π₯⟩
query π
→
1
√|πΊ|
∑π₯∈πΊ|π₯⟩|π(π₯)⟩
measure |π(π₯)⟩
→
1
√|π»||πΊ|
ππππ π’ππ
→
1
√|π»|
QFT
→
// prepare a uniform superposition
∑π¦∈π»|π + π¦⟩ for an unknown and random π ∈ πΊ
∑π∈πΊΜ ∑π¦∈π» π(π + π¦)|π⟩
a random π with π(π¦) = 1, ∀π¦ ∈ π».
Do this for π‘ = π(log|πΊ|) times, and obtain π1 , … , ππ‘ . For a character π, define its
kernel as ker(π) = {π ∈ πΊ: π(π) = 1}, and it is easily seen that kernel is a subgroup of πΊ.
Claim. For some π = log 2 |πΊ|, it holds that π» = βπ=1,…,π ker(ππ ) with high probability.
Proof. First, there is a fact that π» ⊥ β {π: π(π¦) = 1, ∀π¦ ∈ π»} = {π: π» ≤ ker(π)} is a group
and it’s isomorphic to the quotient group πΊ/π». Thus |π» ⊥ | = |πΊ|/|π»| . Similarly |πΎπ‘ ⊥ | =
|πΊ|/|πΎπ‘ |. Suppose that after π‘ times, πΎπ‘ = βπ‘π=1 ker(ππ ) is still strictly larger than π». The
next iteration gives a random π ∈ π» ⊥ . Since πΎπ‘+1 ≤ πΎπ‘ , we know that
|πΎπ‘+1 |
|πΎπ‘ |
1
≤ 2 unless
πΎπ‘+1 = πΎπ‘ . Since πΎπ‘+1 = πΎπ‘ ∩ ker(π), it suffices to show that Pr⊥[πΎπ‘ ⊆ ker(π)] ≤ 1/2.
π∈π»
Note that πΎπ‘ ⊆ ker(π) means π ∈ πΎπ‘⊥ . Therefore,
|πΎ ⊥ |
Pr⊥[πΎπ‘ ⊆ ker(π)] = |π»π‘⊥ | =
π∈π»
|πΊ|/|πΎπ‘ |
|πΊ|/|π»|
=
|π»|/|πΎπ‘ |. This ratio is at most 1/2 since we assumed that π» is a proper subgroup of πΎπ‘ .
Note
There are many explanations of Shor’s algorithm, see the wiki page. We basically followed [NC00],
Chapter 5 and [CvD10] Section III.
For the Hidden Subgroup Problem part, see [CvD10], Section IV-C.
Reference
[NC00] Michael Nielsen and Isaac Chuang, Quantum Computation and Quantum Information,
Cambridge University Press, 2000.
[CvD10] Andrew M. Childs and Wim van Dam, Quantum algorithms for algebraic problems, Reviews
of Modern Physics, Volume 82, January–March 2010.
Exercise
1. Verify that the QFT operator πΉπ is unitary.
2. Write down the QFT for π2 , π3 , π4 , π5 .
3. Suppose π = 2π . We want a uniform superposition
1
∑π |π₯⟩.
√π π₯=1
Prove that we can obtain it by
simply preparing π qubits all in state |0⟩, and then applying a Hadamard gate on each qubit.
