SLIDE 1
Factoring using 2n+2 qubits with Toffoli based modular multiplication
Thomas H¨ aner1,2 Martin Roetteler2 Krysta M. Svore2
1Institute for Theoretical Physics
ETH Z¨ urich, Switzerland
2Quantum Architectures and Computation Group
Factoring using 2n+2 qubits with Toffoli based modular - - PowerPoint PPT Presentation
Factoring using 2n+2 qubits with Toffoli based modular - - PowerPoint PPT Presentation
Factoring using 2n+2 qubits with Toffoli based modular multiplication aner 1 , 2 Martin Roetteler 2 Krysta M. Svore 2 Thomas H 1 Institute for Theoretical Physics ETH Z urich, Switzerland 2 Quantum Architectures and Computation Group
SLIDE 2
SLIDE 3
How to increment a quantum register?
Realizing a cyclic shift How to realize x → x + 1 mod 2n, which cyclically shifts the basis states of an n qubit register? Solution 1: Recursive
r r r r ❢ r r r ❢ r r ❢
· · · · · · ... · · · · · · · · ·
r ❢ ❢
Good: needs only n+1 qubits Bad: needs O(n2) gates Solution 2: Fourier-style
. . . DFT−1
2n 1 ω
. . .
1 ω2 1 ω
n
DFT2n . . .
Good: needs only n qubits Bad: needs O(n2) gates Ugly: needs rotations
3
SLIDE 4
How to increment a quantum register?
Realizing a cyclic shift How to realize x → x + 1 mod 2n, which cyclically shifts the basis states of an n qubit register? Solution 1: Recursive
r r r r ❢ r r r ❢ r r ❢
· · · · · · ... · · · · · · · · ·
r ❢ ❢
Good: needs only n+1 qubits Bad: needs O(n2) gates Solution 2: Fourier-style
. . . DFT−1
2n 1 ω
. . .
1 ω2 1 ω
n
DFT2n . . .
Good: needs only n qubits Bad: needs O(n2) gates Ugly: needs rotations
3
SLIDE 5
How to increment a quantum register?
Realizing a cyclic shift How to realize x → x + 1 mod 2n, which cyclically shifts the basis states of an n qubit register? Solution 1: Recursive
r r r r ❢ r r r ❢ r r ❢
· · · · · · ... · · · · · · · · ·
r ❢ ❢
Good: needs only n+1 qubits Bad: needs O(n2) gates Solution 2: Fourier-style
. . . DFT−1
2n 1 ω
. . .
1 ω2 1 ω
n
DFT2n . . .
Good: needs only n qubits Bad: needs O(n2) gates Ugly: needs rotations
3
SLIDE 6
How to increment a quantum register?
Realizing a cyclic shift How to realize x → x + 1 mod 2n, which cyclically shifts the basis states of an n qubit register? Solution 1: Recursive
r r r r ❢ r r r ❢ r r ❢
· · · · · · ... · · · · · · · · ·
r ❢ ❢
Good: needs only n+1 qubits Bad: needs O(n2) gates Solution 2: Fourier-style
. . . DFT−1
2n 1 ω
. . .
1 ω2 1 ω
n
DFT2n . . .
Good: needs only n qubits Bad: needs O(n2) gates Ugly: needs rotations
3
SLIDE 7
How to increment a quantum register?
Realizing a cyclic shift How to realize x → x + 1 mod 2n, which cyclically shifts the basis states of an n qubit register? Solution 1: Recursive
r r r r ❢ r r r ❢ r r ❢
· · · · · · ... · · · · · · · · ·
r ❢ ❢
Good: needs only n+1 qubits Bad: needs O(n2) gates Solution 2: Fourier-style
. . . DFT−1
2n 1 ω
. . .
1 ω2 1 ω
n
DFT2n . . .
Good: needs only n qubits Bad: needs O(n2) gates Ugly: needs rotations
3
SLIDE 8
How to increment a quantum register?
Solution 3: Constant folding
const const const const const
Good: needs O(n) gates. Bad: needs 2n qubits Solution 4 ??? Is there a circuit with n qubits, that needs only O(n) gates? Or even just one with n + const qubits but O(n) gates?
4
SLIDE 9
How to increment a quantum register?
Solution 3: Constant folding
const const const const const
Good: needs O(n) gates. Bad: needs 2n qubits Solution 4 ??? Is there a circuit with n qubits, that needs only O(n) gates? Or even just one with n + const qubits but O(n) gates?
4
SLIDE 10
How to increment a quantum register?
Solution 3: Constant folding
const const const const const
Good: needs O(n) gates. Bad: needs 2n qubits Solution 4 ??? Is there a circuit with n qubits, that needs only O(n) gates? Or even just one with n + const qubits but O(n) gates?
4
SLIDE 11
How to increment a quantum register?
Solution 3: Constant folding
const const const const const
Good: needs O(n) gates. Bad: needs 2n qubits Solution 4 ??? Is there a circuit with n qubits, that needs only O(n) gates? Or even just one with n + const qubits but O(n) gates?
4
SLIDE 12
Trick from Barenco et al (PRA’95)
Note: this uses n/2 “dirty” ancillas qubits.
5
SLIDE 13
Trick from Barenco et al (PRA’95)
Note: this uses n/2 “dirty” ancillas qubits.
5
SLIDE 14
Incrementer “+1” by Craig Gidney
Based on the following trick: |x |g → |x − g |g → |x − g
- g′ − 1
- →
- x − g − g′ + 1
g′ − 1
- → |x + 1 |g
(Note that g + 1 = g′, where g′ denotes two’s complement and g denotes one’s complement, and that g + g′ = 0). If n dirty ancillas are available, this allows to implement +1 increment using only O(n) Toffoli gates. If only 1 dirty ancilla is available, precompute final carry, apply a split and recurse. Leads to O(n log n) Toffoli gates.
6
SLIDE 15
Incrementer “+1” by Craig Gidney
Based on the following trick: |x |g → |x − g |g → |x − g
- g′ − 1
- →
- x − g − g′ + 1
g′ − 1
- → |x + 1 |g
(Note that g + 1 = g′, where g′ denotes two’s complement and g denotes one’s complement, and that g + g′ = 0). If n dirty ancillas are available, this allows to implement +1 increment using only O(n) Toffoli gates. If only 1 dirty ancilla is available, precompute final carry, apply a split and recurse. Leads to O(n log n) Toffoli gates.
6
SLIDE 16
Incrementer “+1” by Craig Gidney
Based on the following trick: |x |g → |x − g |g → |x − g
- g′ − 1
- →
- x − g − g′ + 1
g′ − 1
- → |x + 1 |g
(Note that g + 1 = g′, where g′ denotes two’s complement and g denotes one’s complement, and that g + g′ = 0). If n dirty ancillas are available, this allows to implement +1 increment using only O(n) Toffoli gates. If only 1 dirty ancilla is available, precompute final carry, apply a split and recurse. Leads to O(n log n) Toffoli gates.
6
SLIDE 17
Carry precomputation w/dirty qubits
|a0 |g0 |a1 |g1 . . . . . . ... ... |a0 |˜ g0 |˜ a1 |˜ g1 |gn−3 |an−2 |gn−2 |an−1 · · · · · · |˜ gn−3 · · · |˜ an−2 · · · |˜ gn−2 |rn−1
Works for any constant addition “+c” (not just “+1”). Bits are encoded in the presence/absence of orange gates. This needs 4(n − 2) Toffoli and 4wt(c) Clifford gates.
7
SLIDE 18
Carry precomputation w/dirty qubits
|a0 |g0 |a1 |g1 . . . . . . ... ... |a0 |˜ g0 |˜ a1 |˜ g1 |gn−3 |an−2 |gn−2 |an−1 · · · · · · |˜ gn−3 · · · |˜ an−2 · · · |˜ gn−2 |rn−1
Works for any constant addition “+c” (not just “+1”). Bits are encoded in the presence/absence of orange gates. This needs 4(n − 2) Toffoli and 4wt(c) Clifford gates.
7
SLIDE 19
Carry precomputation w/dirty qubits
|a0 |g0 |a1 |g1 . . . . . . ... ... |a0 |˜ g0 |˜ a1 |˜ g1 |gn−3 |an−2 |gn−2 |an−1 · · · · · · |˜ gn−3 · · · |˜ an−2 · · · |˜ gn−2 |rn−1
Works for any constant addition “+c” (not just “+1”). Bits are encoded in the presence/absence of orange gates. This needs 4(n − 2) Toffoli and 4wt(c) Clifford gates.
7
SLIDE 20
Carry precomputation w/dirty qubits
|a0 |g0 |a1 |g1 . . . . . . ... ... |a0 |˜ g0 |˜ a1 |˜ g1 |gn−3 |an−2 |gn−2 |an−1 · · · · · · |˜ gn−3 · · · |˜ an−2 · · · |˜ gn−2 |rn−1
Works for any constant addition “+c” (not just “+1”). Bits are encoded in the presence/absence of orange gates. This needs 4(n − 2) Toffoli and 4wt(c) Clifford gates.
7
SLIDE 21
Carry precomputation w/dirty qubits
|a |g |0
n n − 1
C A R R Y
|a |g |(a + c)n
c = 11
≡
|a0 |a1 |g0 |a2 |g1 |a3 |g2 |0 |a0 |a1 |g1 |a2 |g2 |a3 |g3 |(a + 11)4
8
SLIDE 22
Putting it all together: addition-by-constant
|xL |xH |0
⌈ n 2 ⌉ ⌊ n 2 ⌋
C A R R Y +1 C A R R Y +cL +cH |rL |rH |0
Note that this circuit uses a clean ancilla to detect if the final
- verflow happened.
However, it is not necessary to use a clean qubit, a dirty qubit suffices as shown next.
9
SLIDE 23
Carry computation using garbage only
|xL |xH |g
⌈ n 2 ⌉ ⌊ n 2 ⌋
+1 C A R R Y +1 C A R R Y +cL +cH |rL |rH |g 10
SLIDE 24
Carry computation using garbage only
|xL |xH |g
⌈ n 2 ⌉ ⌊ n 2 ⌋
+1 C A R R Y +1 C A R R Y +cL +cH |rL |rH |g
TA(n) = 2TA(n 2) + 2(2 · 2n 2
incr
+ 4n 2
- carry
) = 2TA(n 2) + 8n . . . = 8n log2 n
10
SLIDE 25
Experimental results (addition)
Toffoli circuits implemented and simulated in LIQUi|.
11
SLIDE 26
Addition-by-constant: comparison
Fourier-based adder, Draper-style: Advantage: Ancilla-free Disadvantage: Θ(n2) gates, not exact Cuccaro et al adder, with folded constants: Advantage: O(n) runtime Disadvantage: Requires n + 1 extra (clean) qubits Takahashi et al adder, with folded constants: Advantage: O(n) runtime Disadvantage: Requires n extra (clean) qubits
12
SLIDE 27
Addition-by-constant: comparison
Fourier-based adder, Draper-style: Advantage: Ancilla-free Disadvantage: Θ(n2) gates, not exact Cuccaro et al adder, with folded constants: Advantage: O(n) runtime Disadvantage: Requires n + 1 extra (clean) qubits Takahashi et al adder, with folded constants: Advantage: O(n) runtime Disadvantage: Requires n extra (clean) qubits Our adder: Advantage: Toffoli-based, only 1 extra (dirty) qubit Disadvantage: Θ(n log n) runtime
12
SLIDE 28
Application: modular exponentiation
Shor’s algorithm Finds period r of f(x) = ax mod N, where a, N constant. ax mod N = axm·2m · · · ax1·21 · ax0·20 mod N = (a2m mod N)xm · · · (a21 mod N)x1 · (a20 mod N)x0 ✶
13
SLIDE 29
Application: modular exponentiation
Shor’s algorithm Finds period r of f(x) = ax mod N, where a, N constant. ax mod N = axm·2m · · · ax1·21 · ax0·20 mod N = (a2m mod N)xm · · · (a21 mod N)x1 · (a20 mod N)x0 Start with |y = 1 |x0 For i = 0, ..., m, apply the operator
- y
- (a2iy) mod N
- y| ⊗ |1 1| + ✶ ⊗ |0 0|
to |y |xi. Final state: |ax mod N |x
13
SLIDE 30
Shor’s algorithm, PE style
Note that computing a modular multiplication ax mod N = a · (2mxm + · · · + 2x1 + x0) mod N = ((2ma) mod N)xm ⊕ · · · ⊕ ((2a) mod N)x1 ⊕ ax0 can be done using m + 1 controlled modular additions Controlled multiplication ⇒ Doubly-controlled modular additions How to perform modular additions?
14
SLIDE 31
Shor’s algorithm, PE style
Note that computing a modular multiplication ax mod N = a · (2mxm + · · · + 2x1 + x0) mod N = ((2ma) mod N)xm ⊕ · · · ⊕ ((2a) mod N)x1 ⊕ ax0 can be done using m + 1 controlled modular additions Controlled multiplication ⇒ Doubly-controlled modular additions How to perform modular additions?
14
SLIDE 32
Shor’s algorithm, PE style
Note that computing a modular multiplication ax mod N = a · (2mxm + · · · + 2x1 + x0) mod N = ((2ma) mod N)xm ⊕ · · · ⊕ ((2a) mod N)x1 ⊕ ax0 can be done using m + 1 controlled modular additions Controlled multiplication ⇒ Doubly-controlled modular additions How to perform modular additions?
14
SLIDE 33
Modular addition: requires 3 integer additions
|b |0 |g CMP (N − a) Adda
- r
SubN−a CMP (a) |r%N |0 |g
Ultimately, the b register holds the value r = a + b mod N, where a is the constant to be added. This method was used in van Meter and Itoh [4] and Takahashi and Kunihiro [5].
15
SLIDE 34
Scaling results (modular multiplication)
16
SLIDE 35
Resource estimates for Shor’s algorithm
Takahashi et al Our implementation Runtime (exact) Θ(n4 log 1
ε)
Θ(n3 log n) Runtime (approx.) Θ(n3 log n
ǫ log 1 ε)
n/a Depth Θ(n3 log 1
ε)
Θ(n3) Space 2n + 2 2n + 2 Bonus feature: Our modular multiplication circuit can be tested and debugged efficiently!
17
SLIDE 36
Resource estimates for Shor’s algorithm
Takahashi et al Our implementation Runtime (exact) Θ(n4 log 1
ε)
Θ(n3 log n) Runtime (approx.) Θ(n3 log n
ǫ log 1 ε)
n/a Depth Θ(n3 log 1
ε)
Θ(n3) Space 2n + 2 2n + 2 Bonus feature: Our modular multiplication circuit can be tested and debugged efficiently!
17
SLIDE 37
Toffoli networks: debugging
Toffoli network to implement modular addition of the constant value 65, 521 to a 16-qubit register.
18
SLIDE 38
Toffoli networks: debugging
Toffoli network to implement modular addition of the constant value 65, 521 to a 16-qubit register. Partial executions.
18
SLIDE 39
Toffoli networks: debugging
Toffoli network to implement modular addition of the constant value 65, 521 to a 16-qubit register. Partial executions.
18
SLIDE 40
Hierarchical debugging of Toffoli circuits
Remark: If chosen test vectors trigger all faults that might be present in the circuit, this method allows to localize of all faults.
19
SLIDE 41
Hierarchical debugging of Toffoli circuits
Remark: If chosen test vectors trigger all faults that might be present in the circuit, this method allows to localize of all faults.
19
SLIDE 42