Lecture 8: Applications of Quantum Fourier transform

Transcription

1 Department of Physical Sciences, University of Helsinki quantumgas/ p. 1/25 Quantum information and computing Lecture 8: Applications of Quantum Fourier transform Jani-Petri Martikainen jamartik Department of Physical Sciences University of Helsinki

2 Department of Physical Sciences, University of Helsinki quantumgas/ p. 2/25 Quantum algorithms and their relations Quantum search Fourier transform Hidden subgroup problem Quantum counting Discrete log Order finding Factoring Statistics: mean, median, min Speedup for some NP problems Search for crypto keys Break cryptosystems (RSA)

3 Department of Physical Sciences, University of Helsinki quantumgas/ p. 3/25 Application:order finding We won t give the number theoretical proofs for some statements. See the text book appendix for details if you are interested. For positive integers x and N, x < N, with no common factors (co-prime), the order of x modulo N is the least positive integer, such that x r = 1(modN). Order finding problem is to determine the order for some specified x and N This problem is believed to be hard for a classical computer For example, order of x = 5 modulo 21 is 6...(x 6 /21 gives the same remainder as 1/21)

4 Department of Physical Sciences, University of Helsinki quantumgas/ p. 4/25 Application:order finding The quantum algorithm for order finding is just the phase estimation algorithm applied to the unitary operator U y = xy(modn) (1) with y {0, 1} L. When N y 2 L 1, we use the convention that xy(modn) is just y again. That is, U acts non-trivially only when 0 y N 1. states defined by (0 s r 1) u s = 1 r 1 r k=0 [ ] 2πisk exp x k modn (2) r

5 Department of Physical Sciences, University of Helsinki quantumgas/ p. 5/25 Application:order finding are eigenstates of U since U u s = 1 r 1 [ ] 2πisk exp x k+1 modn r r k=0 [ ] 2πis = exp u s (3) r Using phase estimation we obtain, with high accuracy, the eigenvalues exp(2πis/r), from which we can obtain the order r with a little bit more work. For us to be able to use phase estimation we must be able to 1. Implement efficiently controlled-u 2n operation for any integer j 2. Prepare an eigenstate u s efficiently

6 Department of Physical Sciences, University of Helsinki quantumgas/ p. 6/25 Application:order finding The first requirement is satisfied by using a procedure known as modular exponentiation (READ FROM THE BOOK/NOTES) The second condition is trickier: preparing u s requires that we know r, so this is out of the question. We can circumvent the problem by using the clever observation that 1 r 1 u s = 1 (4) r s=0 In phase estimation if we use t = 2L [log(2 + 1/2ǫ)] qubits in the first register and we prepare the second register in the state 1 (that is easy)...

7 Department of Physical Sciences, University of Helsinki quantumgas/ p. 7/25 Application:order finding it follows that for each s in the range 0...r 1, we will obtain an estimate of the phase φ s/r accurate to 2L + 1 bits, with probability at least (1 ǫ)/r. SEE THE SCHEMATIC DIAGRAM FOR ORDER FINDING. The reduction of order-finding to phase estimation is completed by explaining how we obtain the desired answer r, from the result of the phase estimation φ s/r. We only know 2L + 1 bits, but we also know a priori that it is a rational number...if we could compute nearest such fraction to φ we might obtain r

8 Department of Physical Sciences, University of Helsinki quantumgas/ p. 8/25 Order finding:continued fraction This task can be accomplished efficiently using the continued fraction algorithm. SEE NOTES OR READ FROM THE BOOK Theorem: suppose that s/r is a rational number such that s/r φ 1/2r 2. Then s/r is a convergent of the continued fraction for φ and thus can be computed in O(L 3 ) operations.

9 Department of Physical Sciences, University of Helsinki quantumgas/ p. 9/25 Order finding:continued fraction Since φ approximates s/r with accuracy 2L + 1 bits, it follows that s/r φ 2 2L 1 1/2r 2, since r N 2 L. Thus the theorem applies. Therefore, given φ the continued fraction algorithm efficiently produces numbers s and r with no common factor, such that s /r = s/r. The number r is our candidate for the order. Candidate can be efficiently checked by computing x r modn and seeing if the result is 1. If so, then r is the order of x modulo N! Algorithm takes O(L 3 ) gates...main cost comes from modular exponentiation. see the summary in the book or notes...

10 Department of Physical Sciences, University of Helsinki quantumgas/ p. 10/25 Factoring Factoring problem: Given a positive integer N, what prime numbers have to be multiplied together to get N? This problem turns out to be equivalent to the order finding problem. Fast algorithm for order finding can be turned into a fast algorithm for factoring. 1. Show that we can compute a factor of N if we can find a non-trivial solution x ±1(modN) to the equation x 2 = 1(modN) 2. Show that a randomly chosen co-prime to N is quite likely to have an order r which is even, and such that y r/2 ±1(modN) and thus x = y r/2 (modn) is a non-trivial solution to x 2 = 1(modN).

11 Department of Physical Sciences, University of Helsinki quantumgas/ p. 11/25 Factoring Steps a embodied in the following number theoretical theorems Theorem: Suppose N is an L bit composite number, and x is a non-trivial solution to the equation x 2 = 1(modN) in the range 1 x N, that is neither x = 1(modN) nor x = N 1 = 1(modN). Then at least one of gcd(x 1,N) and gcd(x + 1,N) is a non-trivial factor of N Suppose N = p α 1 1 pα m m is the prime factorization of an odd composite positive integer. Let x be an integer chosen uniformly at random, subject to the requirements that 1 x N 1 and x is co-prime to N. Let r be the order of x modulo N. Then p(r is even and x r/2 1(modN)) 1 1/2 m

12 Department of Physical Sciences, University of Helsinki quantumgas/ p. 12/25 Factoring:algorithm These theorems can be combined to give an algorithm which returns a non-trivial factor of a composite N with high probability. 1. If N is even, return 2 2. Determine whether N = a b for integers a 1 and b 2, and if so return the factor a (this can use a classical algorithm) 3. Randomly choose x in the range 1 to N 1. If gcd(x,n) > 1 then return the factor gcd(x,n) 4. Use the order finding to find the order r of x modulo N. 5. If r even and x r/2 1(modN) then compute gcd(x r/2 1,N) and gcd(x r/2 + 1,N) and test to see if one of these is a non-trivial factor, returning the factor if so. Otherwise algorithm fails.

13 Department of Physical Sciences, University of Helsinki quantumgas/ p. 13/25 Factoring:algorithm Steps 1 and 2 either return a factor, or else ensure that N is an odd integer with more than one prime factor. Step 3 either produces a factor or else a randomly chosen element x of {0, 1, 2,...N 1}. Step 4 computes the order and step 5 completes the algorithm since the earlier theorem guarantees that either gcd(x r/2 1,N) or gcd(x r/2 + 1,N) is a non-trivial factor.

14 Department of Physical Sciences, University of Helsinki quantumgas/ p. 14/25 Factoring: 15 Take N = 15. This is not even and also not a power of anything so we can jump to the step 3 of the algorithm. Choose x = 7 (random). Compute the order r of x modulo N: We start in the state 0 0 and create the state 1 2 t 2 t 1 k 0 = 1 2 t [ t 1 ] 0 k=0 by using t = 11 Hadamard transforms to the first register. This choice of t ensures an error probability of at most 1/4. Next, compute f(k) = x k mod N

15 Department of Physical Sciences, University of Helsinki quantumgas/ p. 15/25 Factoring: 15 We leave the result in the second register so we have a state 1 2 t = 2X t 1 k=0 1 2 t k x k modn [ ] (5) (the second register qubits start repeating themselves) We now apply inverse Fourier transform FT to the first register and measure it. Since no further operations are applied to the second register, we can apply the principle of implicit measurement and assume that the second register is measured. We obtain a random result from 1,7, 4, or 13.

16 Department of Physical Sciences, University of Helsinki quantumgas/ p. 16/25 Factoring: 15 Suppose we get 4 which implies that the input to the inverse FT would have been 4 [ ] (6) 2t After applying FT we obtain a state l α l l with the probability distribution..see FIGURE...shown for 2 t = 2048 The final measurement will give either 0, 512, 1024, or 1536 each with probability almost exactly 1/4 Suppose we get l = 1536 from the measurement

17 Factoring: 15 amplitudes 1 α k k F transform 1 α l l Department of Physical Sciences, University of Helsinki quantumgas/ p. 17/25

18 Department of Physical Sciences, University of Helsinki quantumgas/ p. 18/25 Factoring: 15 Computing the continued fraction expansion thus gives 1536/2048 = 1/(1 + (1/3)) so that 3/4 occurs as a convergent in the expansion. Therefore, r = 4 is the order of x = 7. By chance, r is even, and moreover, x r/2 mod N = 7 2 mod15 1mod15 so the algorithm works Computing the greatest common divisor gcd(x 2 1, 15) = 3 and gcd(x 2 + 1, 15) = 5 tells us that 15 = 3 5

19 Department of Physical Sciences, University of Helsinki quantumgas/ p. 19/25 Period finding Suppose f is a periodic function producing a single bit as output and such that f(x + r) = f(x), for some unknown 0 < r < 2 L, where x,r {0, 1, 2,...} Given a quantum black box U which performs U x y x y f(x) ( is addition modulo 2), how many black box queries and other operations are required to determine r? Here is a quantum algorithm which solves this problem using one query, and O(L 2 ) other operations...

20 Department of Physical Sciences, University of Helsinki quantumgas/ p. 20/25 Period finding Inputs: (1) A black box which performs U, (2) a state to store the function evaluation, initialized to 0, and (3) t = O(L + log(1/ǫ)) qubits initialized to 0 Outputs: The least integer r > 0 such that f(x + r) = f(x) 1. Initial state Create superposition: 1/ 2 t 2 t 1 x=0 x 0 3. Apply U: 1/ 2 t 1 2 t x f(x) x=0 1/ r 1 r2 t l=0 2 t 1 x=0 e 2πilx/r x ˆf(l) Note: f(x) = 1/ r P r 1 l=0 e2πilx/r ˆf(l) is an identity when x is an integer multiple of r! Approximation sign needed since 2 t might not be a multiple integer of r.

21 Department of Physical Sciences, University of Helsinki quantumgas/ p. 21/25...continues Period finding 1. Apply inverse FT to the first register: r 1 l=0 l/r ˆf(l) 2. Measure first register: l/r 3. Continued fraction algorithm: r

22 Department of Physical Sciences, University of Helsinki quantumgas/ p. 22/25 Discrete logarithm Period finding was simple, in that the domain and range of the periodic function where integers. What if the function is more complex? Consider f(x 1,x 2 ) = a sx 1+x 2 modn where all variables are integers, and r is the smallest positive integer for which a r modn = 1. This function is periodic since f(x 1 + l,x 2 ls) = f(x 1,x 2 ), but the period is a 2-tuple (l, ls) This function is useful in cryptography, since determining s allows one to solve the discrete logarithm problem: given a and b = a s, what is s Here quantum algorithm solving this problem using one query of a quantum black box U

23 Department of Physical Sciences, University of Helsinki quantumgas/ p. 23/25 Discrete logarithm Inputs: (1) A black box which performs U x 1 x 2 y = x 1 x 2 y f(x 1,x 2 ) for f(x 1,x 2 ) = b x 1 a x 2, (2) a state to store the function evaluation, initialized to 0, and (3) t = O(log r + log(1/ǫ)) qubits initialized to 0 Outputs: The least positive integer s such that a s = b 1. Initial state Create superposition: 1/2 t 2 t 1 x 1 =0 2 t 1 x 2 =0 x 1 x 2 0

24 Department of Physical Sciences, University of Helsinki quantumgas/ p. 24/25...continues 1. Apply U (Key step!): 2X 1/2 t Discrete logarithm t 1 1/(2 t r) = 1/2 t r 2 t 1 X x 1 =0 x 2 =0 r 1 X x 1 x 2 f(x 1, x 2 ) 2X t 1 2X t 1 l 2 =0 x 1 =0 x 2 =0 r 1 X l 2 = X t 1 x 1 =0 e 2πi(sl 2x 1 +l 2 x 2 )/r x 1 x 2 ˆf(sl 2, l 2 ) 3 2 e 2πi(sl 2x 1 )/r x X t 1 x 2 =0 2. Apply inverse FT to first two registers: 1/ r r 1 sl 2 /r l 2 /r ˆf(sl 2,l 2 ) l 2 =0 3. Measure first two registers: ( sl 2 /r, l 2 /r) 4. Apply generalized cont. frac. alg.: s 3 e 2πi(l 2x 2 )/r x 2 5 ˆf(sl 2, l 2 )

25 Department of Physical Sciences, University of Helsinki quantumgas/ p. 25/25 General applications of QFT Earlier examples, are all examples of a very general problem known as hidden subgroup problem This problem encompasses all known exponentially fast applications of QFT Problem: Let f be a function from a finitely generated group G to a finite set X such that f is constant on the cosets of a subgroup K, and distinct on each coset. Given a quantum black box for performing the unitary transformation U g h = g h f(g), for g G, h X and an appropriately chosen binary operation on X, find a generating set for K. See the text book for more details and references