Quantum Factoring Michele Mosca The Fifth Canadian Summer School on Quantum Information August 3, 2005

Quantum Factoring

Michele Mosca

The Fifth Canadian Summer School on Quantum Information

August 3, 2005

Quantum Algorithms

Quantum Algorithms should exploit quantum parallelism and quantum interference.

We have already seen some elementary algorithms.

Quantum Algorithms

These algorithms have been computing essentially classical functions on quantum superpositions

This encoded information in the phases of the basis states: measuring basis states would provide little useful information

But a simple quantum transformation translated the phase information into information that was measurable in the computational basis

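Extracting phase information with the Hadamard operation

$$H^{\otimes n}|x\rangle = \frac{1}{\sqrt{2^n}}\sum_{y\in\{0,1\}^n}(-1)^{x\cdot y}|y\rangle$$

$$H^{\otimes n}\left(\frac{1}{\sqrt{2^n}}\sum_{y\in\{0,1\}^n}(-1)^{x\cdot y}|y\rangle\right) = |x\rangle$$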

Overview

•Quantum Phase Estimation

•Eigenvalue Kick-back

•Eigenvalue estimation and order-finding/factoring

•Shor’s approach

•Discrete Logarithm and Hidden Subgroup Problem (if there’s time)

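Quantum Phase Estimation

Suppose we wish to estimate a number $\omega \in [0,1)$ given the quantum state

$$\sum_{y=0}^{2^n-1} e^{2\pi i\omega y}|y\rangle$$

Note that in binary we can express

$$\omega = 0.x_1x_2x_3\ldots$$

$$2\omega = x_1.x_2x_3\ldots$$

$$2^{n-1}\omega = x_1x_2x_3\ldots x_{n-1}.x_nx_{n+1}\ldots$$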

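Quantum Phase Estimation

Since $e^{2\pi ik} = 1$ for any integer $k$, we have

$$e^{2\pi i(2\omega)} = e^{2\pi i(x_1.x_2x_3\ldots)} = e^{2\pi ix_1}\,e^{2\pi i(0.x_2x_3\ldots)} = e^{2\pi i(0.x_2x_3\ldots)}$$

$$e^{2\pi i(2^k\omega)} = e^{2\pi i(0.x_{k+1}x_{k+2}\ldots)}$$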

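Quantum Phase Estimation

If $\omega = 0.x_1$ then we can do the following

$$\frac{|0\rangle + e^{2\pi i(0.x_1)}|1\rangle}{\sqrt2} = \frac{|0\rangle + (-1)^{x_1}|1\rangle}{\sqrt2} \;\xrightarrow{\;H\;}\; |x_1\rangle$$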

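Useful identity

We can show that

$$\sum_{y=0}^{2^n-1} e^{2\pi i\omega y}|y\rangle = \left(|0\rangle + e^{2\pi i(2^{n-1}\omega)}|1\rangle\right)\otimes\left(|0\rangle + e^{2\pi i(2^{n-2}\omega)}|1\rangle\right)\otimes\cdots\otimes\left(|0\rangle + e^{2\pi i(\omega)}|1\rangle\right)$$

$$= \left(|0\rangle + e^{2\pi i(0.x_nx_{n+1}\ldots)}|1\rangle\right)\otimes\left(|0\rangle + e^{2\pi i(0.x_{n-1}x_nx_{n+1}\ldots)}|1\rangle\right)\otimes\cdots\otimes\left(|0\rangle + e^{2\pi i(0.x_1x_2\ldots)}|1\rangle\right)$$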

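Quantum Phase Estimation

So if $\omega = 0.x_1x_2$ then we can do the following

[Circuit diagram: the qubit $\frac{|0\rangle + e^{2\pi i(0.x_2)}|1\rangle}{\sqrt2}$ passes through $H$ and becomes $|x_2\rangle$; the qubit $\frac{|0\rangle + e^{2\pi i(0.x_1x_2)}|1\rangle}{\sqrt2}$ passes through a controlled $R_2^{-1}$ and then $H$, and becomes $|x_1\rangle$.]

$$R_k = \begin{pmatrix} 1 & 0 \\ 0 & e^{2\pi i/2^k} \end{pmatrix}$$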

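Quantum Phase Estimation

So if $\omega = 0.x_1x_2x_3$ then we can do the following

[Circuit diagram: the qubit $\frac{|0\rangle + e^{2\pi i(0.x_3)}|1\rangle}{\sqrt2}$ passes through $H$ and becomes $|x_3\rangle$; the qubit $\frac{|0\rangle + e^{2\pi i(0.x_2x_3)}|1\rangle}{\sqrt2}$ passes through a controlled $R_2^{-1}$ and then $H$, and becomes $|x_2\rangle$; the qubit $\frac{|0\rangle + e^{2\pi i(0.x_1x_2x_3)}|1\rangle}{\sqrt2}$ passes through controlled $R_3^{-1}$ and $R_2^{-1}$ gates and then $H$, and becomes $|x_1\rangle$.]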

Quantum Phase Estimation

Generalizing this network (and reversing the order of the qubits at the end) gives us a network with $O(n^2)$ gates that implements

$$\sum_{y=0}^{2^n-1} e^{2\pi i\frac{x}{2^n}y}|y\rangle \mapsto |x\rangle$$

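Discrete Fourier Transform

The discrete Fourier transform maps vectors of dimension N by transforming the $x^{\text{th}}$ elementary vector according to

$$(0,0,\ldots,0,1,0,\ldots,0) \mapsto \left(1,\, e^{2\pi i\frac{x}{N}},\, e^{2\pi i\frac{2x}{N}},\, \ldots,\, e^{2\pi i\frac{(N-1)x}{N}}\right)$$

The quantum Fourier transform maps vectors in a Hilbert space of dimension N according to

$$|x\rangle \mapsto \sum_{y=0}^{N-1} e^{2\pi i\frac{xy}{N}}|y\rangle$$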

Discrete Fourier Transform

Thus we have illustrated how to implement (the inverse of) the quantum Fourier transform in a Hilbert space of dimension $2^n$

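Estimating arbitrary $\omega \in [0,1)$

What if $\omega$ is not necessarily of the form $\frac{x}{2^n}$ for some integer x?

The QFT will map $\sum_{z=0}^{2^n-1} e^{2\pi i\omega z}|z\rangle$ to a superposition

$$|\tilde\omega\rangle = \sum_y \alpha_y|y\rangle$$

where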

Ny

1Oy2

8N1

Ny

obPr

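Quantum Phase Estimation

For any real $\omega \in [0,1)$

[Circuit diagram: three qubits start in the states $\frac{|0\rangle + e^{2\pi i(4\omega)}|1\rangle}{\sqrt2}$, $\frac{|0\rangle + e^{2\pi i(2\omega)}|1\rangle}{\sqrt2}$ and $\frac{|0\rangle + e^{2\pi i(\omega)}|1\rangle}{\sqrt2}$ and pass through a network of $H$, $R_2^{-1}$ and $R_3^{-1}$ gates, giving output bits $x_1$, $x_2$, $x_3$.]

With high probability $\omega \approx \frac{4x_1 + 2x_2 + x_3}{8}$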
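An added worked example, not part of the original slides: a classical simulation of the outcome distribution of this estimation step, generalized from 3 to n qubits. It checks the exact case $\omega = x/2^n$ and the standard bound that for arbitrary $\omega$ the two nearest n-bit estimates together carry probability at least $8/\pi^2$. The function names are hypothetical, and the input state is taken with the usual $1/\sqrt{2^n}$ normalization.

```python
import cmath
import math

def phase_estimation_distribution(omega, n):
    """Outcome probabilities when the inverse QFT on n qubits is applied to
    (1/sqrt(N)) * sum_y e^{2 pi i omega y} |y>, with N = 2**n."""
    N = 2 ** n
    probs = []
    for x in range(N):
        # Amplitude of |x>: (1/N) * sum_y e^{2 pi i y (omega - x/N)}
        amp = sum(cmath.exp(2j * math.pi * y * (omega - x / N))
                  for y in range(N)) / N
        probs.append(abs(amp) ** 2)
    return probs

def prob_within(omega, n, tol):
    """Probability that the measured x satisfies |x/N - omega| <= tol,
    with the distance taken on the circle [0, 1)."""
    N = 2 ** n
    total = 0.0
    for x, p in enumerate(phase_estimation_distribution(omega, n)):
        d = abs(x / N - omega) % 1.0
        if min(d, 1.0 - d) <= tol + 1e-12:
            total += p
    return total

if __name__ == "__main__":
    # omega = 0.101 in binary = 5/8: the outcome 5 is certain.
    print([round(p, 3) for p in phase_estimation_distribution(5 / 8, 3)])
    # omega = 0.3 is not a multiple of 1/8: the mass concentrates on 2 and 3.
    print([round(p, 3) for p in phase_estimation_distribution(0.3, 3)])
    print(prob_within(0.3, 3, 1 / 8), ">=", 8 / math.pi ** 2)
```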

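Eigenvalue kick-back

Recall the “trick”:

$$|x\rangle\left(|0\rangle - |1\rangle\right) \mapsto |x\rangle\left(|f(x)\rangle - |f(x)\oplus 1\rangle\right) = |x\rangle(-1)^{f(x)}\left(|0\rangle - |1\rangle\right) = (-1)^{f(x)}|x\rangle\left(|0\rangle - |1\rangle\right)$$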

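Eigenvalue kick-back

Consider a unitary operation U with eigenvalue $e^{2\pi i\omega}$ and eigenvector $|\psi\rangle$

$$|1\rangle|\psi\rangle \;\xrightarrow{\;c\text{-}U\;}\; |1\rangle U|\psi\rangle = |1\rangle e^{2\pi i\omega}|\psi\rangle = e^{2\pi i\omega}|1\rangle|\psi\rangle$$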

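Eigenvalue kick-back

[Circuit diagram: controlled-$U$ with the control qubit in $|0\rangle$: $|0\rangle|\psi\rangle \mapsto |0\rangle|\psi\rangle$.]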

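Eigenvalue kick-back

$$\left(|0\rangle + |1\rangle\right)|\psi\rangle \;\xrightarrow{\;c\text{-}U\;}\; \left(|0\rangle + e^{2\pi i\omega}|1\rangle\right)|\psi\rangle$$

As a relative phase, $e^{2\pi i\omega}$ becomes measurable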

Eigenvalue kick-back

If we exponentiate U, we get multiples of $\omega$

$$|1\rangle|\psi\rangle \;\xrightarrow{\;c\text{-}U^x\;}\; e^{2\pi ix\omega}|1\rangle|\psi\rangle$$

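Eigenvalue kick-back

$$\left(|0\rangle + |1\rangle\right)|\psi\rangle \;\xrightarrow{\;c\text{-}U^x\;}\; \left(|0\rangle + e^{2\pi ix\omega}|1\rangle\right)|\psi\rangle$$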

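Eigenvalue kick-back

[Circuit diagram: n control qubits, each in $|0\rangle + |1\rangle$, apply controlled-$U^{2^{n-1}}$, controlled-$U^{2^{n-2}}$, …, controlled-$U^2$ and controlled-$U$ to $|\psi\rangle$, leaving the controls in $|0\rangle + e^{2\pi i(2^{n-1}\omega)}|1\rangle$, $|0\rangle + e^{2\pi i(2^{n-2}\omega)}|1\rangle$, …, $|0\rangle + e^{2\pi i(2\omega)}|1\rangle$ and $|0\rangle + e^{2\pi i\omega}|1\rangle$.]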

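Phase estimation

[Circuit diagram: the qubits $|0\rangle + e^{2\pi i(2^{n-1}\omega)}|1\rangle$, $|0\rangle + e^{2\pi i(2^{n-2}\omega)}|1\rangle$, …, $|0\rangle + e^{2\pi i(2\omega)}|1\rangle$, $|0\rangle + e^{2\pi i\omega}|1\rangle$ pass through the network of $H$ and $R_k^{-1}$ gates, giving output bits $x_1, x_2, \ldots, x_{n-1}, x_n$ of the estimate $\frac{x_1}{2} + \frac{x_2}{2^2} + \cdots + \frac{x_n}{2^n}$.]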

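Eigenvalue estimation

[Circuit diagram: three control qubits in $|0\rangle + |1\rangle$ apply controlled-$U$, controlled-$U^2$ and controlled-$U^4$ to the target register; the control qubits then pass through the network of $H$, $R_2^{-1}$ and $R_3^{-1}$ gates, giving $x_1$, $x_2$, $x_3$.]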

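Eigenvalue estimation

[Circuit diagram: the control register $|0\rangle|0\rangle|0\rangle$ passes through $QFT_8$, controls $U^x$ on the target register, and passes through $QFT_8^{-1}$, giving $x_1$, $x_2$, $x_3$.]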

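Eigenvalue estimation

Given U with eigenvector $|\psi\rangle$ and eigenvalue $e^{2\pi i\omega}$ we thus have an algorithm that maps

$$|0\rangle|\psi\rangle \;\xrightarrow{\;QFT\otimes I,\; c\text{-}U^x,\; QFT^{-1}\otimes I\;}\; |\tilde\omega\rangle|\psi\rangle$$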

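Eigenvalue kick-back

Given U with eigenvectors $|\psi_k\rangle$ and respective eigenvalues $e^{2\pi i\omega_k}$ we thus have an algorithm that maps

$$|0\rangle|\psi_k\rangle \mapsto |\tilde\omega_k\rangle|\psi_k\rangle$$

and therefore

$$|0\rangle\sum_k \alpha_k|\psi_k\rangle = \sum_k \alpha_k|0\rangle|\psi_k\rangle \mapsto \sum_k \alpha_k|\tilde\omega_k\rangle|\psi_k\rangle$$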

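Eigenvalue kick-back

Measuring the first register of

$$\sum_k \alpha_k|\tilde\omega_k\rangle|\psi_k\rangle$$

is equivalent to measuring $|\tilde\omega_k\rangle$ with probability $|\alpha_k|^2$

i.e.

$$\mathrm{Tr}_2\left(\Big(\sum_k \alpha_k|\tilde\omega_k\rangle|\psi_k\rangle\Big)\Big(\sum_k \alpha_k^*\langle\tilde\omega_k|\langle\psi_k|\Big)\right) = \sum_k |\alpha_k|^2\,|\tilde\omega_k\rangle\langle\tilde\omega_k|$$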

Example

Suppose we have a group $G$ and we wish to find the order of $a \in G$ (i.e. the smallest positive $r$ such that $a^r = 1$)

If we can efficiently do arithmetic in the group, then we can realize a unitary operator $U_a$ that maps $|x\rangle \mapsto |ax\rangle$

Notice that $U_a^r = U_{a^r} = I$

This means that the eigenvalues of $U_a$ are of the form $e^{2\pi i\frac{k}{r}}$ where k is an integer

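(Aside: more on reversible computing)

If we know how to efficiently compute $f$ and $f^{-1}$ then we can efficiently and reversibly map

$$U_f:\; |x\rangle|b\rangle \mapsto |x\rangle|b\oplus f(x)\rangle$$

$$U_{f^{-1}}:\; |y\rangle|c\rangle \mapsto |y\rangle|c\oplus f^{-1}(y)\rangle$$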

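(Aside: more on reversible computing)

And therefore we can efficiently map

$$|x\rangle|0\rangle \;\xrightarrow{\;U_f\;}\; |x\rangle|f(x)\rangle \;\xrightarrow{\;U_{f^{-1}}\;}\; |0\rangle|f(x)\rangle$$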

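Example

Let $G = Z_5^* = \{1,2,3,4\} \bmod 5$. Then $1^1 = 1$, $2^4 = 1$, $3^4 = 1$, $4^2 = 1$.

We can easily implement, for example, $U_2$

$$U_2|001\rangle = |010\rangle,\quad U_2^2|001\rangle = |100\rangle,\quad U_2^3|001\rangle = |011\rangle,\quad U_2^4|001\rangle = |001\rangle$$

The eigenvectors of $U_2$ include

$$|\psi_k\rangle = \sum_{j=0}^{3} e^{-2\pi i\frac{jk}{4}}\,|2^j \bmod 5\rangle$$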

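Example

$$|\psi_3\rangle = |001\rangle + e^{-2\pi i\frac{3}{4}}|010\rangle + e^{-2\pi i\frac{6}{4}}|100\rangle + e^{-2\pi i\frac{9}{4}}|011\rangle$$

$$= |001\rangle + e^{-2\pi i\frac{3}{4}}|010\rangle + e^{-2\pi i\frac{2}{4}}|100\rangle + e^{-2\pi i\frac{1}{4}}|011\rangle$$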

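Example

$$U_2|\psi_3\rangle = |010\rangle + e^{-2\pi i\frac{3}{4}}|100\rangle + e^{-2\pi i\frac{2}{4}}|011\rangle + e^{-2\pi i\frac{1}{4}}|001\rangle$$

$$= e^{2\pi i\frac{3}{4}}\left(e^{-2\pi i\frac{3}{4}}|010\rangle + e^{-2\pi i\frac{2}{4}}|100\rangle + e^{-2\pi i\frac{1}{4}}|011\rangle + |001\rangle\right)$$

$$= e^{2\pi i\frac{3}{4}}|\psi_3\rangle$$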

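Example

$$U_2|\psi_0\rangle = |\psi_0\rangle$$

$$U_2|\psi_1\rangle = e^{2\pi i\frac{1}{4}}|\psi_1\rangle$$

$$U_2|\psi_2\rangle = e^{2\pi i\frac{2}{4}}|\psi_2\rangle$$

$$U_2|\psi_3\rangle = e^{2\pi i\frac{3}{4}}|\psi_3\rangle$$

$$|001\rangle = \frac{1}{2}\left(|\psi_0\rangle + |\psi_1\rangle + |\psi_2\rangle + |\psi_3\rangle\right)$$

(with each $|\psi_k\rangle$ normalized to unit length)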
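An added numerical check, not part of the original slides: it builds the unnormalized $|\psi_k\rangle$ for any $a$ and $N$ (going beyond the $Z_5^*$ case shown here), confirms $U_a|\psi_k\rangle = e^{2\pi i k/r}|\psi_k\rangle$ component by component, and shows that the eigenvectors sum to a multiple of $|1\rangle$. All function names are hypothetical.

```python
import cmath
import math

def order(a, N):
    """Smallest r > 0 with a**r = 1 (mod N); brute force, for toy N only."""
    r, x = 1, a % N
    while x != 1:
        x, r = (x * a) % N, r + 1
    return r

def psi(k, a, N):
    """Unnormalized eigenvector psi_k as {group element: amplitude}."""
    r = order(a, N)
    return {pow(a, j, N): cmath.exp(-2j * math.pi * j * k / r)
            for j in range(r)}

def apply_U(a, N, state):
    """U_a |x> = |a x mod N>, extended linearly to a superposition."""
    return {(a * x) % N: amp for x, amp in state.items()}

def eigenvalue(k, a, N):
    """Return lam with U_a psi_k = lam * psi_k, checking every component."""
    v = psi(k, a, N)
    w = apply_U(a, N, v)
    lam = w[1] / v[1]
    assert all(abs(w[x] - lam * v[x]) < 1e-9 for x in v)
    return lam

def sum_of_eigenvectors(a, N):
    """Sum of psi_0 .. psi_{r-1}; only the |1> component survives."""
    total = {}
    for k in range(order(a, N)):
        for x, amp in psi(k, a, N).items():
            total[x] = total.get(x, 0) + amp
    return total

if __name__ == "__main__":
    for k in range(4):
        print(k, eigenvalue(k, 2, 5))   # 1, i, -1, -i = e^{2 pi i k/4}
    print(sum_of_eigenvectors(2, 5))    # 4 on |1>, ~0 on |2>, |4>, |3>
```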

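Example

$$c\text{-}U_2\,\left(|0\rangle + |1\rangle\right)|\psi_0\rangle = \left(|0\rangle + |1\rangle\right)|\psi_0\rangle$$

$$c\text{-}U_2\,\left(|0\rangle + |1\rangle\right)|\psi_1\rangle = \left(|0\rangle + e^{2\pi i\frac{1}{4}}|1\rangle\right)|\psi_1\rangle$$

$$c\text{-}U_2\,\left(|0\rangle + |1\rangle\right)|\psi_2\rangle = \left(|0\rangle + e^{2\pi i\frac{2}{4}}|1\rangle\right)|\psi_2\rangle$$

$$c\text{-}U_2\,\left(|0\rangle + |1\rangle\right)|\psi_3\rangle = \left(|0\rangle + e^{2\pi i\frac{3}{4}}|1\rangle\right)|\psi_3\rangle$$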

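Example

$$c\text{-}U_2^2\,\left(|0\rangle + |1\rangle\right)|\psi_0\rangle = \left(|0\rangle + |1\rangle\right)|\psi_0\rangle$$

$$c\text{-}U_2^2\,\left(|0\rangle + |1\rangle\right)|\psi_1\rangle = \left(|0\rangle + e^{2\pi i\frac{2}{4}}|1\rangle\right)|\psi_1\rangle$$

$$c\text{-}U_2^2\,\left(|0\rangle + |1\rangle\right)|\psi_2\rangle = \left(|0\rangle + |1\rangle\right)|\psi_2\rangle$$

$$c\text{-}U_2^2\,\left(|0\rangle + |1\rangle\right)|\psi_3\rangle = \left(|0\rangle + e^{2\pi i\frac{2}{4}}|1\rangle\right)|\psi_3\rangle$$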

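Eigenvalue Kickback

[Circuit diagram: two control qubits in $|0\rangle + |1\rangle$ apply controlled-$U_2^2$ and controlled-$U_2$ to $|\psi_3\rangle$, leaving the controls in $|0\rangle + e^{2\pi i(0.1)}|1\rangle$ and $|0\rangle + e^{2\pi i(0.11)}|1\rangle$ (binary fractions).]

Eigenvalue Kickback

[Circuit diagram: the same circuit followed by $H$, $R_2^{-1}$ and $H$ on the control qubits; the controls end in $|1\rangle|1\rangle$ and the target remains $|\psi_3\rangle$.]

Eigenvalue Kickback

[Circuit diagram: the same circuit with target $|\psi_k\rangle$; the controls end in $|k_1\rangle|k_2\rangle$ where $k = 2k_1 + k_2$.]

Eigenvalue Kickback

[Circuit diagram: the same circuit with target $|001\rangle = \frac{1}{2}\sum_{k=0}^{3}|\psi_k\rangle$; the final state is $\frac{1}{2}\sum_{k=0}^{3}|k\rangle|\psi_k\rangle$.]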

Quantum Factoring

The security of many public key cryptosystems used in industry today relies on the difficulty of factoring large numbers into smaller factors.

Factoring the integer N into smaller factors can be reduced to the following task: Given integer a, find the smallest positive integer r so that $a^r \equiv 1 \pmod N$

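Example

Let $G = Z_N^*$ and $a \in G$ with $a^r = 1$. We can easily implement

$$U_a|x\rangle = |ax\rangle$$

$$U_a^2|x\rangle = U_{a^2}|x\rangle = |a^2x\rangle$$

$$U_a^{2^n}|x\rangle = U_{a^{2^n}}|x\rangle = |a^{2^n}x\rangle$$

The eigenvectors of $U_a$ include

$$|\psi_k\rangle = \sum_{j=0}^{r-1} e^{-2\pi i\frac{jk}{r}}|a^j\rangle$$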

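Example

$$U_a|\psi_k\rangle = U_a\left(|1\rangle + e^{-2\pi i\frac{k}{r}}|a\rangle + e^{-2\pi i\frac{2k}{r}}|a^2\rangle + \cdots + e^{-2\pi i\frac{(r-1)k}{r}}|a^{r-1}\rangle\right)$$

$$= |a\rangle + e^{-2\pi i\frac{k}{r}}|a^2\rangle + e^{-2\pi i\frac{2k}{r}}|a^3\rangle + \cdots + e^{-2\pi i\frac{(r-1)k}{r}}|a^r\rangle$$

$$= e^{2\pi i\frac{k}{r}}\left(e^{-2\pi i\frac{k}{r}}|a\rangle + e^{-2\pi i\frac{2k}{r}}|a^2\rangle + \cdots + e^{-2\pi i\frac{(r-1)k}{r}}|a^{r-1}\rangle + |1\rangle\right)$$

$$= e^{2\pi i\frac{k}{r}}|\psi_k\rangle$$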

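Example

$$|1\rangle = \frac{1}{\sqrt r}\left(|\psi_0\rangle + |\psi_1\rangle + |\psi_2\rangle + \cdots + |\psi_{r-1}\rangle\right)$$

(with each $|\psi_k\rangle$ normalized to unit length)

$$c\text{-}U_a^{2^j}\left(|0\rangle + |1\rangle\right)|\psi_k\rangle = \left(|0\rangle + e^{2\pi i\,2^j\frac{k}{r}}|1\rangle\right)|\psi_k\rangle$$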

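Eigenvalue kick-back

Given U with eigenvectors $|\psi_k\rangle$ and respective eigenvalues $e^{2\pi i\frac{k}{r}}$ we thus have an algorithm that maps

$$|0\rangle|\psi_k\rangle \mapsto |\widetilde{k/r}\rangle|\psi_k\rangle$$

and therefore

$$|0\rangle\sum_k \alpha_k|\psi_k\rangle = \sum_k \alpha_k|0\rangle|\psi_k\rangle \mapsto \sum_k \alpha_k|\widetilde{k/r}\rangle|\psi_k\rangle$$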

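Eigenvalue Estimation

[Circuit diagram: control qubits in $|0\rangle + |1\rangle$ apply controlled powers of $U_a$ ($U_a$, $U_a^2$, $U_a^{2^2}$, …) to the target register $|1\rangle = \frac{1}{\sqrt r}\sum_{k=0}^{r-1}|\psi_k\rangle$, followed by an inverse QFT on the control register, giving $\frac{1}{\sqrt r}\sum_{k=0}^{r-1}|\widetilde{k/r}\rangle|\psi_k\rangle$.]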

Eigenvalue kick-back

Measuring the first register of

$$\frac{1}{\sqrt r}\sum_k |\widetilde{k/r}\rangle|\psi_k\rangle$$

is equivalent to measuring $|\widetilde{k/r}\rangle$ with probability $\frac{1}{r}$

Finding r

For most integers k, a good estimate of $\frac{k}{r}$ (with error at most $\frac{1}{2r^2}$) allows us to determine r (even if we don’t know k). (using continued fractions)

(aside: how does factoring reduce to order-finding??)

The most common approach for factoring integers is the difference of squares technique:

» “Randomly” find two integers x and y satisfying $x^2 \equiv y^2 \pmod N$

» So N divides $x^2 - y^2 = (x-y)(x+y)$

» Hope that $\gcd(N, x-y)$ is non-trivial

If r is even, then let $x \equiv a^{r/2} \pmod N$ so that $x^2 \equiv 1^2 \pmod N$
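An added worked example, not part of the original slides, covering both "Finding r" and this aside: the classical post-processing from an estimate of $k/r$ to the order $r$ (continued fractions, here via `Fraction.limit_denominator`) and from an even $r$ to a factor of $N$. The quantum step is replaced by a constructed stand-in (`simulated_measurement`) that returns the closest estimate of $k/r$ for a chosen $k$; all function names are hypothetical.

```python
from fractions import Fraction
from math import gcd

def simulated_measurement(a, N, k, bits):
    """Constructed stand-in for the quantum step: the closest bits-bit
    estimate y / 2**bits of k/r, where r is the order of a mod N."""
    r = next(r for r in range(1, N) if pow(a, r, N) == 1)
    return round(k * 2 ** bits / r), 2 ** bits

def order_from_estimate(y, Q, a, N):
    """Continued-fraction step: recover the denominator of k/r from
    y/Q ~ k/r. Returns None for an unlucky k (gcd(k, r) > 1 or k = 0)."""
    # The error is at most 1/(2Q) < 1/(2 N^2) <= 1/(2 r^2), so k/r in lowest
    # terms is the closest fraction to y/Q with denominator at most N.
    r = Fraction(y, Q).limit_denominator(N).denominator
    return r if pow(a, r, N) == 1 else None

def factor_from_order(a, N, r):
    """If r is even, x = a^(r/2) satisfies x^2 = 1^2 (mod N); gcd(N, x - 1)
    is a proper factor unless x = +1 or -1 (mod N)."""
    if r % 2:
        return None
    x = pow(a, r // 2, N)
    if x in (1, N - 1):
        return None
    p = gcd(N, x - 1)
    return p, N // p

def factor(N, a, ks):
    """Each k in ks models the outcome of one run of the circuit."""
    bits = 2 * N.bit_length()          # Q = 2**bits > N**2
    for k in ks:
        y, Q = simulated_measurement(a, N, k, bits)
        r = order_from_estimate(y, Q, a, N)
        if r:
            return r, factor_from_order(a, N, r)
    return None

if __name__ == "__main__":
    # k = 2 shares a factor with r = 4 and is rejected; k = 1 succeeds.
    print(factor(15, 7, [2, 1]))       # (4, (3, 5))
    print(factor(21, 2, [1]))          # (6, (7, 3))
```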

Shor’s approach

This eigenvalue estimation approach is not the original approach discovered by Shor

Kitaev developed an eigenvalue estimation approach (to the more general “Hidden Stabilizer Problem”)

We’ve presented the CEMM version here

Discrete Fourier Transform

The discrete Fourier transform maps uniform periodic states, say with period r dividing N, and offset w, to a periodic state with period N/r.

$$\sqrt{\tfrac{r}{N}}\,(0,1,0,0,0,1,0,0,0,1,0,0) \mapsto \tfrac{1}{\sqrt r}\left(1,0,0,e^{2\pi i\frac{w}{r}},0,0,e^{2\pi i\frac{2w}{r}},0,0,e^{2\pi i\frac{(r-1)w}{r}},0,0\right)$$

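Discrete Fourier Transform

The quantum Fourier transform maps vectors in a Hilbert space of dimension N according to

$$\sqrt{\tfrac{r}{N}}\sum_{x=0}^{\frac{N}{r}-1}|xr + w\rangle \mapsto \tfrac{1}{\sqrt r}\sum_{k=0}^{r-1} e^{2\pi i\frac{wk}{r}}\,|k\tfrac{N}{r}\rangle$$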

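Shor’s Factoring Algorithm

[Equations garbled in extraction. Recoverable structure: $\sum_x|x\rangle|1\rangle \mapsto \sum_x|x\rangle|a^x\rangle$; the sum is regrouped over $w = 0, \ldots, r-1$ into terms $|yr + w\rangle|a^w\rangle$; $F^{-1}$ is then applied to the first register.]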

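Network for Shor’s Factoring Algorithm

[Circuit diagram: $|0\rangle$ passes through $F$, controls $U_a^x$ acting on $|1\rangle$, and passes through $F^{-1}$.]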

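Eigenvalue Estimation Factoring Algorithm

[Equations garbled in extraction. Recoverable structure: $|0\rangle|1\rangle = \sum_k|0\rangle|\psi_k\rangle \mapsto \sum_k\big(\sum_x|x\rangle\big)|\psi_k\rangle \mapsto \sum_k\big(\sum_x e^{2\pi ix\frac{k}{r}}|x\rangle\big)|\psi_k\rangle \mapsto \sum_k|\widetilde{k/r}\rangle|\psi_k\rangle$.]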

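Network for Eigenvalue Estimation Factoring Algorithm

[Circuit diagram: $|0\rangle$ passes through $F$, controls $U_a^x$ acting on $|1\rangle$, and passes through $F^{-1}$.]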

Equivalence of Shor & CEMM

[Two slides comparing the Shor analysis and the CEMM analysis side by side; the equations are not recoverable from the extraction.]

Discrete Logarithm Problem

Consider two elements $a, b \in G$ from a group G satisfying $a^r = 1$, $b = a^s$

Find s.

$$U_a|x\rangle = |ax\rangle$$

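Discrete Logarithm Problem

We know $U_a$ has eigenvectors

$$|\psi_k\rangle = \sum_{j=0}^{r-1} e^{-2\pi i\frac{kj}{r}}|a^j\rangle$$

$$U_a|\psi_k\rangle = e^{2\pi i\frac{k}{r}}|\psi_k\rangle$$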

Discrete Logarithm Problem

Thus $U_b = U_a^s$ has the same eigenvectors but with eigenvalues exponentiated to the power of s

$$U_b|\psi_k\rangle = U_a^s|\psi_k\rangle = e^{2\pi i\frac{ks}{r}}|\psi_k\rangle$$

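Discrete Logarithm Problem

[Circuit diagram: $|0\rangle$ passes through $F_r$, controls $U_a^x$ acting on $|\psi_k\rangle$, and passes through $F_r^{-1}$, giving $|k\rangle$.]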

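Discrete Logarithm Problem

[Circuit diagram: $|0\rangle$ passes through $F_r$, controls $U_b^x$ acting on $|\psi_k\rangle$, and passes through $F_r^{-1}$, giving $|ks\rangle$.]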

Given k and ks, we can compute s mod r (provided k and r are coprime)

Abelian Hidden Subgroup Problem

$$f: G \to X, \qquad G = Z_{M_1}\times Z_{M_2}\times\cdots\times Z_{M_n}$$

$$K \le G, \qquad f(x) = f(y) \text{ iff } x - y \in K$$

Find generators for K

Network for AHS

[Circuit diagram: $|0\rangle$ passes through $F$, then $U_f$, then $F^{-1}$.]

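AHS Algorithm in standard basis

[Equations garbled in extraction. Recoverable structure: the state $\sum_x|x\rangle|f(x)\rangle$ is regrouped by the value $f(w)$ into superpositions over the cosets $w + K$, and $F^{-1}$ is applied to the first register.]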

AHS for $G = Z_2^n$ in eigenbasis (Simon’s Problem)

[Equations garbled in extraction. Recoverable fragments: a state indexed by $s$ is an eigenvector of the shift $f(x) \mapsto f(x + y)$, with phases $(-1)^{x\cdot s}$.]

Other applications of Abelian HSP

Any finite Abelian group G is the direct sum of finite cyclic groups $\langle g_1\rangle\oplus\langle g_2\rangle\oplus\cdots\oplus\langle g_n\rangle$

But finding generators $g_1, g_2, \ldots, g_n$ satisfying $G = \langle g_1\rangle\oplus\langle g_2\rangle\oplus\cdots\oplus\langle g_n\rangle$ is not always easy, e.g. for $G = Z_N^*$ it’s as hard as factoring N

Given any polynomial sized set of generators, we can use the Abelian HSP algorithm to find new generators that decompose G into a direct sum of finite cyclic groups.

Examples:

Deutsch’s Problem: $G = \{0,1\}$, $X = \{0,1\}$, $K = \{0\}$ or $\{0,1\}$

Order finding: $G = Z$, $X$ any group, $f(x) = a^x$, $K = rZ$

Example:

Discrete Log of $b = a^k$ to base $a$: $G = Z_r\times Z_r$, $X$ any group, $f(x,y) = a^xb^y$, $K = \langle(k,-1)\rangle$

Examples:

Self-shift equivalences: $G = GF(q)^n$, $X = GF(q)[X_1, X_2, \ldots, X_n]$

$$f(a_1, a_2, \ldots, a_n) = P(X_1 - a_1, \ldots, X_n - a_n)$$

$$K = \{(a_1, \ldots, a_n) : P(X_1 - a_1, \ldots, X_n - a_n) = P(X_1, \ldots, X_n)\}$$

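What about non-Abelian HSP

Consider the symmetric group $G = S_n$. $S_n$ is the set of permutations of n elements. Let G be an n-vertex graph. Let $X_G = \{\pi(G) \mid \pi \in S_n\}$

Define $f_G: S_n \to X_G$, $f_G(\pi) = \pi(G)$. Then $f_G(\pi_1) = f_G(\pi_2) \Leftrightarrow \pi_1K = \pi_2K$ where $K = AUT(G) = \{\pi \mid \pi(G) = G\}$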

Graph automorphism problem

So the hidden subgroup of $f_G$ is the automorphism group of G

This is a difficult problem in NP that is believed not to be in BPP and yet not NP-complete.

Other

Progress on the Hidden Subgroup Problem in non-Abelian groups (not an exhaustive list)

•Ettinger, Hoyer arxiv.gov/abs/quant-ph/9807029

•Roetteler,Beth quant-ph/9812070

•Ivanyos,Magniez,Santha arxiv.org/abs/quant-ph/0102014

•Friedl,Ivanyos,Magniez,Santha,Sen quant-ph/0211091 (Hidden Translation and Orbit Coset in Quantum Computing); they show e.g. that the HSP can be solved for solvable groups with bounded exponent and of bounded derived series

•Moore,Rockmore,Russell,Schulman, quant-ph/0211124