Lecture 8: Applications of Quantum Fourier transform


Quantum information and computing
Lecture 8: Applications of Quantum Fourier transform
Jani-Petri Martikainen
Jani-Petri.Martikainen@helsinki.fi
http://www.helsinki.fi/ jamartik
Department of Physical Sciences, University of Helsinki
http://theory.physics.helsinki.fi/ quantumgas/

Quantum algorithms and their relations

[Diagram; node labels: Quantum search; Fourier transform; Hidden subgroup problem; Quantum counting; Discrete log; Order finding; Factoring; Statistics: mean, median, min; Speedup for some NP problems; Search for crypto keys; Break cryptosystems (RSA)]

Application: order finding

We won't give the number theoretical proofs for some statements. See the text book appendix for details if you are interested.

For positive integers $x$ and $N$, $x < N$, with no common factors (co-prime), the order of $x$ modulo $N$ is the least positive integer $r$ such that $x^r = 1 \pmod N$.

The order finding problem is to determine the order for some specified $x$ and $N$.

This problem is believed to be hard for a classical computer.

For example, the order of $x = 5$ modulo 21 is 6 ($x^6/21$ gives the same remainder as $1/21$).

Application: order finding

The quantum algorithm for order finding is just the phase estimation algorithm applied to the unitary operator

$$U|y\rangle = |xy \pmod N\rangle \tag{1}$$

with $y \in \{0,1\}^L$. When $N \le y \le 2^L - 1$, we use the convention that $xy \pmod N$ is just $y$ again. That is, $U$ acts non-trivially only when $0 \le y \le N - 1$.

The states defined by ($0 \le s \le r - 1$)

$$|u_s\rangle = \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} \exp\left[\frac{-2\pi i s k}{r}\right] |x^k \bmod N\rangle \tag{2}$$

are eigenstates of $U$ since

$$U|u_s\rangle = \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} \exp\left[\frac{-2\pi i s k}{r}\right] |x^{k+1} \bmod N\rangle = \exp\left[\frac{2\pi i s}{r}\right] |u_s\rangle \tag{3}$$

Using phase estimation we obtain, with high accuracy, the eigenvalues $\exp(2\pi i s/r)$, from which we can obtain the order $r$ with a little bit more work.

For us to be able to use phase estimation we must be able to

1. Implement efficiently a controlled-$U^{2^j}$ operation for any integer $j$
2. Prepare an eigenstate $|u_s\rangle$ efficiently

Application: order finding

The first requirement is satisfied by using a procedure known as modular exponentiation (READ FROM THE BOOK/NOTES).

The second condition is trickier: preparing $|u_s\rangle$ requires that we know $r$, so this is out of the question.

We can circumvent the problem by using the clever observation that

$$\frac{1}{\sqrt{r}} \sum_{s=0}^{r-1} |u_s\rangle = |1\rangle \tag{4}$$

In phase estimation, if we use $t = 2L + 1 + [\log(2 + 1/2\epsilon)]$ qubits in the first register and we prepare the second register in the state $|1\rangle$ (that is easy), it follows that for each $s$ in the range $0 \ldots r - 1$, we will obtain an estimate of the phase $\varphi \approx s/r$ accurate to $2L + 1$ bits, with probability at least $(1 - \epsilon)/r$.

SEE THE SCHEMATIC DIAGRAM FOR ORDER FINDING.

The reduction of order-finding to phase estimation is completed by explaining how we obtain the desired answer $r$ from the result of the phase estimation $\varphi \approx s/r$.

We only know $2L + 1$ bits, but we also know a priori that it is a rational number. If we could compute the nearest such fraction to $\varphi$ we might obtain $r$.

Order finding: continued fraction

This task can be accomplished efficiently using the continued fraction algorithm. SEE NOTES OR READ FROM THE BOOK

Theorem: suppose that $s/r$ is a rational number such that $|s/r - \varphi| \le 1/2r^2$. Then $s/r$ is a convergent of the continued fraction for $\varphi$ and thus can be computed in $O(L^3)$ operations.

Order finding: continued fraction

Since $\varphi$ approximates $s/r$ with accuracy $2L + 1$ bits, it follows that $|s/r - \varphi| \le 2^{-2L-1} \le 1/2r^2$, since $r \le N \le 2^L$. Thus the theorem applies.

Therefore, given $\varphi$ the continued fraction algorithm efficiently produces numbers $s'$ and $r'$ with no common factor, such that $s'/r' = s/r$. The number $r'$ is our candidate for the order.

The candidate can be efficiently checked by computing $x^{r'} \bmod N$ and seeing if the result is 1. If so, then $r'$ is the order of $x$ modulo $N$!

The algorithm takes $O(L^3)$ gates; the main cost comes from modular exponentiation. See the summary in the book or notes.
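The classical post-processing just described, as an added example that is not part of the original slides: the convergents of measured/2^t are tried as candidates r' and accepted only when x^r' = 1 (mod N). The function names are illustrative; the values 1536, 1024, 512 and 0 are the possible outcomes of the N = 15, x = 7, t = 11 case worked later in these slides, and 341 is a constructed inexact outcome for x = 5, N = 21.

```python
def convergents(num, den):
    """Yield (p, q) for each convergent p/q of the continued fraction of num/den."""
    p_prev, q_prev, p, q = 0, 1, 1, 0
    while den:
        a, rem = divmod(num, den)
        p_prev, q_prev, p, q = p, q, a * p + p_prev, a * q + q_prev
        yield p, q
        num, den = den, rem


def order_candidate(measured, t, x, N):
    """Return the order r of x mod N recovered from one t-bit measurement, or None.

    measured / 2**t is the phase estimate of s/r. Each convergent s'/r' with
    r' < N is tried and accepted only if x**r' = 1 (mod N).
    """
    for _, r_cand in convergents(measured, 1 << t):
        if r_cand >= N:              # the order of x is always smaller than N
            break
        if pow(x, r_cand, N) == 1:   # the efficient check from the slide
            return r_cand
    return None


if __name__ == "__main__":
    # Outcomes of the N = 15, x = 7, t = 11 walkthrough (s/r = 0/4, 1/4, 2/4, 3/4).
    for measured in (0, 512, 1024, 1536):
        print(measured, "->", order_candidate(measured, 11, 7, 15))
    # Constructed inexact outcome: 341/2048 is only close to 1/6 (x = 5, N = 21).
    print(341, "->", order_candidate(341, 11, 5, 21))
```

Outcomes 0 and 1024 fail because s and r share a factor there (s/r reduces to 0/1 and 1/2), so the run has to be repeated.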

Factoring

Factoring problem: Given a positive integer $N$, what prime numbers have to be multiplied together to get $N$?

This problem turns out to be equivalent to the order finding problem. A fast algorithm for order finding can be turned into a fast algorithm for factoring.

1. Show that we can compute a factor of $N$ if we can find a non-trivial solution $x \ne \pm 1 \pmod N$ to the equation $x^2 = 1 \pmod N$
2. Show that a randomly chosen $y$ co-prime to $N$ is quite likely to have an order $r$ which is even, and such that $y^{r/2} \ne \pm 1 \pmod N$, and thus $x = y^{r/2} \pmod N$ is a non-trivial solution to $x^2 = 1 \pmod N$.

Factoring

The steps are embodied in the following number theoretical theorems.

Theorem: Suppose $N$ is an $L$ bit composite number, and $x$ is a non-trivial solution to the equation $x^2 = 1 \pmod N$ in the range $1 \le x \le N$, that is, neither $x = 1 \pmod N$ nor $x = N - 1 = -1 \pmod N$. Then at least one of $\gcd(x - 1, N)$ and $\gcd(x + 1, N)$ is a non-trivial factor of $N$.

Theorem: Suppose $N = p_1^{\alpha_1} \cdots p_m^{\alpha_m}$ is the prime factorization of an odd composite positive integer. Let $x$ be an integer chosen uniformly at random, subject to the requirements that $1 \le x \le N - 1$ and $x$ is co-prime to $N$. Let $r$ be the order of $x$ modulo $N$. Then

$$p\left(r \text{ is even and } x^{r/2} \ne -1 \pmod N\right) \ge 1 - \frac{1}{2^m}$$

Factoring: algorithm

These theorems can be combined to give an algorithm which returns a non-trivial factor of a composite $N$ with high probability.

1. If $N$ is even, return 2
2. Determine whether $N = a^b$ for integers $a \ge 1$ and $b \ge 2$, and if so return the factor $a$ (this can use a classical algorithm)
3. Randomly choose $x$ in the range 1 to $N - 1$. If $\gcd(x, N) > 1$ then return the factor $\gcd(x, N)$
4. Use the order finding to find the order $r$ of $x$ modulo $N$.
5. If $r$ is even and $x^{r/2} \ne -1 \pmod N$ then compute $\gcd(x^{r/2} - 1, N)$ and $\gcd(x^{r/2} + 1, N)$ and test to see if one of these is a non-trivial factor, returning the factor if so. Otherwise the algorithm fails.

Factoring: algorithm

Steps 1 and 2 either return a factor, or else ensure that $N$ is an odd integer with more than one prime factor.

Step 3 either produces a factor or else a randomly chosen element $x$ of $\{0, 1, 2, \ldots, N - 1\}$.

Step 4 computes the order and step 5 completes the algorithm, since the earlier theorem guarantees that either $\gcd(x^{r/2} - 1, N)$ or $\gcd(x^{r/2} + 1, N)$ is a non-trivial factor.
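The five steps above as runnable code, added here as an illustration and not taken from the slides or the text book. The quantum order-finding subroutine of step 4 is replaced by a brute-force classical stand-in (`classical_order`, exponential in the bit length, so small N only); all function names are assumptions of this example.

```python
import random
from math import gcd


def classical_order(x, N):
    """Brute-force stand-in for the quantum order-finding step (exponential time)."""
    r, y = 1, x % N
    while y != 1:
        y, r = y * x % N, r + 1
    return r


def perfect_power_base(N):
    """Step 2: return a with N == a**b for some b >= 2, or None."""
    for b in range(2, N.bit_length() + 1):
        lo, hi = 1, 1 << (N.bit_length() // b + 1)
        while lo < hi:                        # integer b-th root by bisection
            mid = (lo + hi + 1) // 2
            lo, hi = (mid, hi) if mid ** b <= N else (lo, mid - 1)
        if lo > 1 and lo ** b == N:
            return lo
    return None


def try_x(N, x, find_order=classical_order):
    """Steps 3-5 for one x: a non-trivial factor of N, or None if this x fails."""
    g = gcd(x, N)
    if g > 1:
        return g                              # step 3: x already shares a factor
    r = find_order(x, N)                      # step 4
    if r % 2 == 1:
        return None                           # odd order: this x fails
    y = pow(x, r // 2, N)
    if y == N - 1:
        return None                           # x^(r/2) = -1 (mod N): this x fails
    for f in (gcd(y - 1, N), gcd(y + 1, N)):  # step 5
        if 1 < f < N:
            return f
    return None


def factor(N, seed=0, attempts=32):
    """Steps 1-5 with retries; returns one non-trivial factor of composite N."""
    if N % 2 == 0:
        return 2                              # step 1
    a = perfect_power_base(N)
    if a is not None:
        return a                              # step 2
    rng = random.Random(seed)
    for _ in range(attempts):
        f = try_x(N, rng.randrange(1, N))
        if f is not None:
            return f
    return None


if __name__ == "__main__":
    print(try_x(15, 7))    # order 4, 7^2 = 4 (mod 15): factor found
    print(try_x(21, 5))    # order 6, but 5^3 = -1 (mod 21): None
    print(factor(21), factor(27), factor(35))
```

The x = 5, N = 21 case reuses the order-6 example from the order-finding slide and shows the failure branch of step 5.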

Factoring: 15

Take $N = 15$. This is not even and also not a power of anything, so we can jump to step 3 of the algorithm. Choose $x = 7$ (random).

Compute the order $r$ of $x$ modulo $N$: We start in the state $|0\rangle|0\rangle$ and create the state

$$\frac{1}{\sqrt{2^t}} \sum_{k=0}^{2^t - 1} |k\rangle|0\rangle = \frac{1}{\sqrt{2^t}} \left[ |0\rangle + |1\rangle + \cdots + |2^t - 1\rangle \right] |0\rangle$$

by applying $t = 11$ Hadamard transforms to the first register. This choice of $t$ ensures an error probability of at most 1/4.

Next, compute $f(k) = x^k \bmod N$.

Factoring: 15

We leave the result in the second register so we have a state

$$\frac{1}{\sqrt{2^t}} \sum_{k=0}^{2^t - 1} |k\rangle|x^k \bmod N\rangle = \frac{1}{\sqrt{2^t}} \left[ |0\rangle|1\rangle + |1\rangle|7\rangle + |2\rangle|4\rangle + |3\rangle|13\rangle + |4\rangle|1\rangle + |5\rangle|7\rangle + |6\rangle|4\rangle + \cdots \right] \tag{5}$$

(the second register qubits start repeating themselves)

We now apply the inverse Fourier transform $FT^\dagger$ to the first register and measure it.

Since no further operations are applied to the second register, we can apply the principle of implicit measurement and assume that the second register is measured. We obtain a random result from 1, 7, 4, or 13.

Factoring: 15

Suppose we get 4, which implies that the input to the inverse FT would have been

$$\sqrt{\frac{4}{2^t}} \left[ |2\rangle + |6\rangle + |10\rangle + |14\rangle + \cdots \right] \tag{6}$$

After applying $FT^\dagger$ we obtain a state $\sum_l \alpha_l |l\rangle$ with the probability distribution (see FIGURE) shown for $2^t = 2048$.

The final measurement will give either 0, 512, 1024, or 1536, each with probability almost exactly 1/4.

Suppose we get $l = 1536$ from the measurement.

Factoring: 15

[Figure, two panels: "amplitudes", $\alpha_k$ against $k$; "F transform", $\alpha_l$ against $l$.]

Factoring: 15

Computing the continued fraction expansion thus gives $1536/2048 = 1/(1 + (1/3))$, so that $3/4$ occurs as a convergent in the expansion. Therefore, $r = 4$ is the order of $x = 7$.

By chance, $r$ is even, and moreover, $x^{r/2} \bmod N = 7^2 \bmod 15 \ne -1 \bmod 15$, so the algorithm works.

Computing the greatest common divisors $\gcd(x^2 - 1, 15) = 3$ and $\gcd(x^2 + 1, 15) = 5$ tells us that $15 = 3 \times 5$.
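The measurement statistics quoted in the N = 15 walkthrough above can be reproduced classically for small t. This added example (not from the slides; function names are illustrative) computes the first-register distribution after the inverse FT, and goes one step beyond the page with x = 5, N = 21, where r = 6 does not divide 2^t and the peaks land on the integers nearest to multiples of 2048/6.

```python
import cmath
from math import pi


def first_register_distribution(x, N, t, observed):
    """P(l) for the first register after the inverse FT, given that the second
    register was (implicitly) measured as `observed` = x**k mod N."""
    Q = 1 << t
    ks = [k for k in range(Q) if pow(x, k, N) == observed]    # surviving k values
    phase = [cmath.exp(-2j * pi * m / Q) for m in range(Q)]   # inverse-FT kernel
    norm = len(ks) * Q
    return [abs(sum(phase[k * l % Q] for k in ks)) ** 2 / norm for l in range(Q)]


def likeliest_outcomes(probs, count):
    """The `count` most probable measurement results, in increasing order."""
    ranked = sorted(range(len(probs)), key=probs.__getitem__, reverse=True)
    return sorted(ranked[:count])


if __name__ == "__main__":
    # Slide example: N = 15, x = 7, t = 11, second register found in state 4.
    p15 = first_register_distribution(7, 15, 11, 4)
    for l in likeliest_outcomes(p15, 4):
        print(l, round(p15[l], 4))
    # Constructed case beyond the slides: r = 6 does not divide 2048.
    p21 = first_register_distribution(5, 21, 11, 1)
    for l in likeliest_outcomes(p21, 6):
        print(l, round(p21[l], 4))
```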

Period finding

Suppose $f$ is a periodic function producing a single bit as output and such that $f(x + r) = f(x)$, for some unknown $0 < r < 2^L$, where $x, r \in \{0, 1, 2, \ldots\}$.

Given a quantum black box $U$ which performs $U|x\rangle|y\rangle \to |x\rangle|y \oplus f(x)\rangle$ ($\oplus$ is addition modulo 2), how many black box queries and other operations are required to determine $r$?

Here is a quantum algorithm which solves this problem using one query, and $O(L^2)$ other operations.

Period finding

Inputs: (1) A black box which performs $U$, (2) a state to store the function evaluation, initialized to $|0\rangle$, and (3) $t = O(L + \log(1/\epsilon))$ qubits initialized to $|0\rangle$

Outputs: The least integer $r > 0$ such that $f(x + r) = f(x)$

1. Initial state: $|0\rangle|0\rangle$
2. Create superposition: $\frac{1}{\sqrt{2^t}} \sum_{x=0}^{2^t - 1} |x\rangle|0\rangle$
3. Apply $U$: $\frac{1}{\sqrt{2^t}} \sum_{x=0}^{2^t - 1} |x\rangle|f(x)\rangle \approx \frac{1}{\sqrt{r 2^t}} \sum_{l=0}^{r-1} \sum_{x=0}^{2^t - 1} e^{2\pi i l x/r} |x\rangle|\hat{f}(l)\rangle$

Note: $|f(x)\rangle = \frac{1}{\sqrt{r}} \sum_{l=0}^{r-1} e^{2\pi i l x/r} |\hat{f}(l)\rangle$ is an identity when $x$ is an integer multiple of $r$! The approximation sign is needed since $2^t$ might not be an integer multiple of $r$.

Period finding (continues)

1. Apply inverse FT to the first register: $\frac{1}{\sqrt{r}} \sum_{l=0}^{r-1} |l/r\rangle|\hat{f}(l)\rangle$
2. Measure first register: $l/r$
3. Continued fraction algorithm: $r$

Discrete logarithm

Period finding was simple, in that the domain and range of the periodic function were integers. What if the function is more complex?

Consider $f(x_1, x_2) = a^{s x_1 + x_2} \bmod N$, where all variables are integers, and $r$ is the smallest positive integer for which $a^r \bmod N = 1$.

This function is periodic since $f(x_1 + l, x_2 - ls) = f(x_1, x_2)$, but the period is a 2-tuple $(l, -ls)$.

This function is useful in cryptography, since determining $s$ allows one to solve the discrete logarithm problem: given $a$ and $b = a^s$, what is $s$?

Here is a quantum algorithm solving this problem using one query of a quantum black box $U$.

Discrete logarithm

Inputs: (1) A black box which performs $U|x_1\rangle|x_2\rangle|y\rangle = |x_1\rangle|x_2\rangle|y \oplus f(x_1, x_2)\rangle$ for $f(x_1, x_2) = b^{x_1} a^{x_2}$, (2) a state to store the function evaluation, initialized to $|0\rangle$, and (3) $t = O(\log r + \log(1/\epsilon))$ qubits initialized to $|0\rangle$

Outputs: The least positive integer $s$ such that $a^s = b$

1. Initial state: $|0\rangle|0\rangle|0\rangle$
2. Create superposition: $\frac{1}{2^t} \sum_{x_1=0}^{2^t - 1} \sum_{x_2=0}^{2^t - 1} |x_1\rangle|x_2\rangle|0\rangle$

Discrete logarithm (continues)

1. Apply $U$ (Key step!):

$$\frac{1}{2^t} \sum_{x_1=0}^{2^t - 1} \sum_{x_2=0}^{2^t - 1} |x_1\rangle|x_2\rangle|f(x_1, x_2)\rangle$$

$$\approx \frac{1}{2^t \sqrt{r}} \sum_{l_2=0}^{r-1} \sum_{x_1=0}^{2^t - 1} \sum_{x_2=0}^{2^t - 1} e^{2\pi i (s l_2 x_1 + l_2 x_2)/r} |x_1\rangle|x_2\rangle|\hat{f}(s l_2, l_2)\rangle$$

$$= \frac{1}{2^t \sqrt{r}} \sum_{l_2=0}^{r-1} \left[ \sum_{x_1=0}^{2^t - 1} e^{2\pi i (s l_2 x_1)/r} |x_1\rangle \right] \left[ \sum_{x_2=0}^{2^t - 1} e^{2\pi i (l_2 x_2)/r} |x_2\rangle \right] |\hat{f}(s l_2, l_2)\rangle$$

2. Apply inverse FT to first two registers: $\frac{1}{\sqrt{r}} \sum_{l_2=0}^{r-1} |s l_2/r\rangle|l_2/r\rangle|\hat{f}(s l_2, l_2)\rangle$
3. Measure first two registers: $(s l_2/r, l_2/r)$
4. Apply generalized cont. frac. alg.: $s$

General applications of QFT

The earlier examples are all examples of a very general problem known as the hidden subgroup problem.

This problem encompasses all known exponentially fast applications of QFT.

Problem: Let $f$ be a function from a finitely generated group $G$ to a finite set $X$ such that $f$ is constant on the cosets of a subgroup $K$, and distinct on each coset. Given a quantum black box for performing the unitary transformation $U|g\rangle|h\rangle = |g\rangle|h \oplus f(g)\rangle$, for $g \in G$, $h \in X$ and $\oplus$ an appropriately chosen binary operation on $X$, find a generating set for $K$.

See the text book for more details and references.