Introduction to Data (state) stored in n bits: an element of { 0 ; 1 - - PowerPoint PPT Presentation

Introduction to quantum algorithms Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Data (“state”) stored in n bits: an element of {0; 1}n,

• ften viewed as representing

an element of {0; 1; : : : ; 2n − 1}.

Introduction to quantum algorithms Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Data (“state”) stored in n bits: an element of {0; 1}n,

• ften viewed as representing

an element of {0; 1; : : : ; 2n − 1}. State stored in n qubits: a nonzero element of C2n. Retrieving this vector is tough!

Introduction to quantum algorithms Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Data (“state”) stored in n bits: an element of {0; 1}n,

• ften viewed as representing

an element of {0; 1; : : : ; 2n − 1}. State stored in n qubits: a nonzero element of C2n. Retrieving this vector is tough! If n qubits have state (a0; a1; : : : ; a2n−1) then measuring the qubits produces an element of {0; 1; : : : ; 2n − 1} and destroys the state. Measurement produces element q with probability |aq|2= P

r |ar|2.

duction to quantum algorithms

• J. Bernstein

University of Illinois at Chicago & echnische Universiteit Eindhoven Data (“state”) stored in n bits: an element of {0; 1}n,

• ften viewed as representing

an element of {0; 1; : : : ; 2n − 1}. State stored in n qubits: a nonzero element of C2n. Retrieving this vector is tough! If n qubits have state (a0; a1; : : : ; a2n−1) then measuring the qubits produces an element of {0; 1; : : : ; 2n − 1} and destroys the state. Measurement produces element q with probability |aq|2= P

r |ar|2.

Some examples (1; 0; 0; 0 “|0” in Measurement

rithms Bernstein Illinois at Chicago & Universiteit Eindhoven Data (“state”) stored in n bits: an element of {0; 1}n,

• ften viewed as representing

an element of {0; 1; : : : ; 2n − 1}. State stored in n qubits: a nonzero element of C2n. Retrieving this vector is tough! If n qubits have state (a0; a1; : : : ; a2n−1) then measuring the qubits produces an element of {0; 1; : : : ; 2n − 1} and destroys the state. Measurement produces element q with probability |aq|2= P

r |ar|2.

Some examples of (1; 0; 0; 0; 0; 0; 0; 0) “|0” in standard notation. Measurement produces

Chicago & Eindhoven Data (“state”) stored in n bits: an element of {0; 1}n,

• ften viewed as representing

an element of {0; 1; : : : ; 2n − 1}. State stored in n qubits: a nonzero element of C2n. Retrieving this vector is tough! If n qubits have state (a0; a1; : : : ; a2n−1) then measuring the qubits produces an element of {0; 1; : : : ; 2n − 1} and destroys the state. Measurement produces element q with probability |aq|2= P

r |ar|2.

Some examples of 3-qubit states: (1; 0; 0; 0; 0; 0; 0; 0) is “|0” in standard notation. Measurement produces 0.

Data (“state”) stored in n bits: an element of {0; 1}n,

• ften viewed as representing

an element of {0; 1; : : : ; 2n − 1}. State stored in n qubits: a nonzero element of C2n. Retrieving this vector is tough! If n qubits have state (a0; a1; : : : ; a2n−1) then measuring the qubits produces an element of {0; 1; : : : ; 2n − 1} and destroys the state. Measurement produces element q with probability |aq|2= P

r |ar|2.

Some examples of 3-qubit states: (1; 0; 0; 0; 0; 0; 0; 0) is “|0” in standard notation. Measurement produces 0.

Data (“state”) stored in n bits: an element of {0; 1}n,

• ften viewed as representing

an element of {0; 1; : : : ; 2n − 1}. State stored in n qubits: a nonzero element of C2n. Retrieving this vector is tough! If n qubits have state (a0; a1; : : : ; a2n−1) then measuring the qubits produces an element of {0; 1; : : : ; 2n − 1} and destroys the state. Measurement produces element q with probability |aq|2= P

r |ar|2.

Some examples of 3-qubit states: (1; 0; 0; 0; 0; 0; 0; 0) is “|0” in standard notation. Measurement produces 0. (0; 0; 0; 0; 0; 0; 1; 0) is “|6” in standard notation. Measurement produces 6.

Data (“state”) stored in n bits: an element of {0; 1}n,

• ften viewed as representing

an element of {0; 1; : : : ; 2n − 1}. State stored in n qubits: a nonzero element of C2n. Retrieving this vector is tough! If n qubits have state (a0; a1; : : : ; a2n−1) then measuring the qubits produces an element of {0; 1; : : : ; 2n − 1} and destroys the state. Measurement produces element q with probability |aq|2= P

r |ar|2.

Some examples of 3-qubit states: (1; 0; 0; 0; 0; 0; 0; 0) is “|0” in standard notation. Measurement produces 0. (0; 0; 0; 0; 0; 0; 1; 0) is “|6” in standard notation. Measurement produces 6. (0; 0; 0; 0; 0; 0; −7i; 0) = −7i|6: Measurement produces 6.

Data (“state”) stored in n bits: an element of {0; 1}n,

• ften viewed as representing

an element of {0; 1; : : : ; 2n − 1}. State stored in n qubits: a nonzero element of C2n. Retrieving this vector is tough! If n qubits have state (a0; a1; : : : ; a2n−1) then measuring the qubits produces an element of {0; 1; : : : ; 2n − 1} and destroys the state. Measurement produces element q with probability |aq|2= P

r |ar|2.

Some examples of 3-qubit states: (1; 0; 0; 0; 0; 0; 0; 0) is “|0” in standard notation. Measurement produces 0. (0; 0; 0; 0; 0; 0; 1; 0) is “|6” in standard notation. Measurement produces 6. (0; 0; 0; 0; 0; 0; −7i; 0) = −7i|6: Measurement produces 6. (0; 0; 4; 0; 0; 0; 8; 0) = 4|2 + 8|6: Measurement produces 2 with probability 20%, 6 with probability 80%.

(“state”) stored in n bits: element of {0; 1}n, viewed as representing element of {0; 1; : : : ; 2n − 1}. stored in n qubits: nonzero element of C2n. Retrieving this vector is tough! qubits have state ; : : : ; a2n−1) then measuring the qubits produces element of {0; 1; : : : ; 2n − 1} destroys the state. Measurement produces element q robability |aq|2= P

r |ar|2.

Some examples of 3-qubit states: (1; 0; 0; 0; 0; 0; 0; 0) is “|0” in standard notation. Measurement produces 0. (0; 0; 0; 0; 0; 0; 1; 0) is “|6” in standard notation. Measurement produces 6. (0; 0; 0; 0; 0; 0; −7i; 0) = −7i|6: Measurement produces 6. (0; 0; 4; 0; 0; 0; 8; 0) = 4|2 + 8|6: Measurement produces 2 with probability 20%, 6 with probability 80%. Fast quan (a0; a1; a (a1; a0; a is complementing hence “compleme

stored in n bits: ; 1}n, representing ; 1; : : : ; 2n − 1}. qubits: element of C2n. vector is tough! state

1) then

qubits produces ; 1; : : : ; 2n − 1} state. roduces element q |aq|2= P

r |ar|2.

Some examples of 3-qubit states: (1; 0; 0; 0; 0; 0; 0; 0) is “|0” in standard notation. Measurement produces 0. (0; 0; 0; 0; 0; 0; 1; 0) is “|6” in standard notation. Measurement produces 6. (0; 0; 0; 0; 0; 0; −7i; 0) = −7i|6: Measurement produces 6. (0; 0; 4; 0; 0; 0; 8; 0) = 4|2 + 8|6: Measurement produces 2 with probability 20%, 6 with probability 80%. Fast quantum operations, (a0; a1; a2; a3; a4; a (a1; a0; a3; a2; a5; a is complementing index hence “complemen

bits: nting − 1}. tough! duces − 1} element q |ar|2. Some examples of 3-qubit states: (1; 0; 0; 0; 0; 0; 0; 0) is “|0” in standard notation. Measurement produces 0. (0; 0; 0; 0; 0; 0; 1; 0) is “|6” in standard notation. Measurement produces 6. (0; 0; 0; 0; 0; 0; −7i; 0) = −7i|6: Measurement produces 6. (0; 0; 4; 0; 0; 0; 8; 0) = 4|2 + 8|6: Measurement produces 2 with probability 20%, 6 with probability 80%. Fast quantum operations, pa (a0; a1; a2; a3; a4; a5; a6; a7) → (a1; a0; a3; a2; a5; a4; a7; a6) is complementing index bit 0, hence “complementing qubit

Some examples of 3-qubit states: (1; 0; 0; 0; 0; 0; 0; 0) is “|0” in standard notation. Measurement produces 0. (0; 0; 0; 0; 0; 0; 1; 0) is “|6” in standard notation. Measurement produces 6. (0; 0; 0; 0; 0; 0; −7i; 0) = −7i|6: Measurement produces 6. (0; 0; 4; 0; 0; 0; 8; 0) = 4|2 + 8|6: Measurement produces 2 with probability 20%, 6 with probability 80%. Fast quantum operations, part 1 (a0; a1; a2; a3; a4; a5; a6; a7) → (a1; a0; a3; a2; a5; a4; a7; a6) is complementing index bit 0, hence “complementing qubit 0”.

Some examples of 3-qubit states: (1; 0; 0; 0; 0; 0; 0; 0) is “|0” in standard notation. Measurement produces 0. (0; 0; 0; 0; 0; 0; 1; 0) is “|6” in standard notation. Measurement produces 6. (0; 0; 0; 0; 0; 0; −7i; 0) = −7i|6: Measurement produces 6. (0; 0; 4; 0; 0; 0; 8; 0) = 4|2 + 8|6: Measurement produces 2 with probability 20%, 6 with probability 80%. Fast quantum operations, part 1 (a0; a1; a2; a3; a4; a5; a6; a7) → (a1; a0; a3; a2; a5; a4; a7; a6) is complementing index bit 0, hence “complementing qubit 0”. (a0; a1; a2; a3; a4; a5; a6; a7) is measured as (q0; q1; q2), representing q = q0 + 2q1 + 4q2, with probability |aq|2= P

r |ar|2.

(a1; a0; a3; a2; a5; a4; a7; a6) is measured as (q0 ⊕ 1; q1; q2), representing q ⊕ 1, with probability |aq|2= P

r |ar|2.

examples of 3-qubit states: ; 0; 0; 0; 0; 0) is in standard notation. Measurement produces 0. ; 0; 0; 0; 1; 0) is in standard notation. Measurement produces 6. ; 0; 0; 0; −7i; 0) = −7i|6: Measurement produces 6. ; 0; 0; 0; 8; 0) = 4|2 + 8|6: Measurement produces probability 20%, probability 80%. Fast quantum operations, part 1 (a0; a1; a2; a3; a4; a5; a6; a7) → (a1; a0; a3; a2; a5; a4; a7; a6) is complementing index bit 0, hence “complementing qubit 0”. (a0; a1; a2; a3; a4; a5; a6; a7) is measured as (q0; q1; q2), representing q = q0 + 2q1 + 4q2, with probability |aq|2= P

r |ar|2.

(a1; a0; a3; a2; a5; a4; a7; a6) is measured as (q0 ⊕ 1; q1; q2), representing q ⊕ 1, with probability |aq|2= P

r |ar|2.

(a0; a1; a (a4; a5; a is “complementing (q0; q1; q

• f 3-qubit states:

0) is rd notation. roduces 0. 0) is rd notation. roduces 6. 7i; 0) = −7i|6: roduces 6. 0) = 4|2 + 8|6: roduces y 20%, y 80%. Fast quantum operations, part 1 (a0; a1; a2; a3; a4; a5; a6; a7) → (a1; a0; a3; a2; a5; a4; a7; a6) is complementing index bit 0, hence “complementing qubit 0”. (a0; a1; a2; a3; a4; a5; a6; a7) is measured as (q0; q1; q2), representing q = q0 + 2q1 + 4q2, with probability |aq|2= P

r |ar|2.

(a1; a0; a3; a2; a5; a4; a7; a6) is measured as (q0 ⊕ 1; q1; q2), representing q ⊕ 1, with probability |aq|2= P

r |ar|2.

(a0; a1; a2; a3; a4; a (a4; a5; a6; a7; a0; a is “complementing (q0; q1; q2) → (q0;

states: notation. notation. 7i|6: + 8|6: Fast quantum operations, part 1 (a0; a1; a2; a3; a4; a5; a6; a7) → (a1; a0; a3; a2; a5; a4; a7; a6) is complementing index bit 0, hence “complementing qubit 0”. (a0; a1; a2; a3; a4; a5; a6; a7) is measured as (q0; q1; q2), representing q = q0 + 2q1 + 4q2, with probability |aq|2= P

r |ar|2.

(a1; a0; a3; a2; a5; a4; a7; a6) is measured as (q0 ⊕ 1; q1; q2), representing q ⊕ 1, with probability |aq|2= P

r |ar|2.

(a0; a1; a2; a3; a4; a5; a6; a7) → (a4; a5; a6; a7; a0; a1; a2; a3) is “complementing qubit 2”: (q0; q1; q2) → (q0; q1; q2 ⊕ 1).

Fast quantum operations, part 1 (a0; a1; a2; a3; a4; a5; a6; a7) → (a1; a0; a3; a2; a5; a4; a7; a6) is complementing index bit 0, hence “complementing qubit 0”. (a0; a1; a2; a3; a4; a5; a6; a7) is measured as (q0; q1; q2), representing q = q0 + 2q1 + 4q2, with probability |aq|2= P

r |ar|2.

(a1; a0; a3; a2; a5; a4; a7; a6) is measured as (q0 ⊕ 1; q1; q2), representing q ⊕ 1, with probability |aq|2= P

r |ar|2.

(a0; a1; a2; a3; a4; a5; a6; a7) → (a4; a5; a6; a7; a0; a1; a2; a3) is “complementing qubit 2”: (q0; q1; q2) → (q0; q1; q2 ⊕ 1).

Fast quantum operations, part 1 (a0; a1; a2; a3; a4; a5; a6; a7) → (a1; a0; a3; a2; a5; a4; a7; a6) is complementing index bit 0, hence “complementing qubit 0”. (a0; a1; a2; a3; a4; a5; a6; a7) is measured as (q0; q1; q2), representing q = q0 + 2q1 + 4q2, with probability |aq|2= P

r |ar|2.

(a1; a0; a3; a2; a5; a4; a7; a6) is measured as (q0 ⊕ 1; q1; q2), representing q ⊕ 1, with probability |aq|2= P

r |ar|2.

(a0; a1; a2; a3; a4; a5; a6; a7) → (a4; a5; a6; a7; a0; a1; a2; a3) is “complementing qubit 2”: (q0; q1; q2) → (q0; q1; q2 ⊕ 1). (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a4; a2; a6; a1; a5; a3; a7) is “swapping qubits 0 and 2”: (q0; q1; q2) → (q2; q1; q0).

Fast quantum operations, part 1 (a0; a1; a2; a3; a4; a5; a6; a7) → (a1; a0; a3; a2; a5; a4; a7; a6) is complementing index bit 0, hence “complementing qubit 0”. (a0; a1; a2; a3; a4; a5; a6; a7) is measured as (q0; q1; q2), representing q = q0 + 2q1 + 4q2, with probability |aq|2= P

r |ar|2.

(a1; a0; a3; a2; a5; a4; a7; a6) is measured as (q0 ⊕ 1; q1; q2), representing q ⊕ 1, with probability |aq|2= P

r |ar|2.

(a0; a1; a2; a3; a4; a5; a6; a7) → (a4; a5; a6; a7; a0; a1; a2; a3) is “complementing qubit 2”: (q0; q1; q2) → (q0; q1; q2 ⊕ 1). (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a4; a2; a6; a1; a5; a3; a7) is “swapping qubits 0 and 2”: (q0; q1; q2) → (q2; q1; q0). Complementing qubit 2 = swapping qubits 0 and 2

• complementing qubit 0
• swapping qubits 0 and 2.

Similarly: swapping qubits i; j.

quantum operations, part 1 ; a2; a3; a4; a5; a6; a7) → ; a3; a2; a5; a4; a7; a6) complementing index bit 0, “complementing qubit 0”. ; a2; a3; a4; a5; a6; a7) measured as (q0; q1; q2), resenting q = q0 + 2q1 + 4q2, robability |aq|2= P

r |ar|2.

; a3; a2; a5; a4; a7; a6) measured as (q0 ⊕ 1; q1; q2), resenting q ⊕ 1, robability |aq|2= P

r |ar|2.

(a0; a1; a2; a3; a4; a5; a6; a7) → (a4; a5; a6; a7; a0; a1; a2; a3) is “complementing qubit 2”: (q0; q1; q2) → (q0; q1; q2 ⊕ 1). (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a4; a2; a6; a1; a5; a3; a7) is “swapping qubits 0 and 2”: (q0; q1; q2) → (q2; q1; q0). Complementing qubit 2 = swapping qubits 0 and 2

• complementing qubit 0
• swapping qubits 0 and 2.

Similarly: swapping qubits i; j. (a0; a1; a (a0; a1; a is a “reversible “controlled (q0; q1; q Example (a0; a1; a a8; a9; a10 a16; a17; a24; a25; → (a0; a a8; a9; a11 a16; a17; a24; a25;

• perations, part 1

; a5; a6; a7) → ; a4; a7; a6) complementing index bit 0, “complementing qubit 0”. ; a5; a6; a7) q0; q1; q2), q0 + 2q1 + 4q2, |aq|2= P

r |ar|2.

; a4; a7; a6) q0 ⊕ 1; q1; q2), 1, |aq|2= P

r |ar|2.

(a0; a1; a2; a3; a4; a5; a6; a7) → (a4; a5; a6; a7; a0; a1; a2; a3) is “complementing qubit 2”: (q0; q1; q2) → (q0; q1; q2 ⊕ 1). (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a4; a2; a6; a1; a5; a3; a7) is “swapping qubits 0 and 2”: (q0; q1; q2) → (q2; q1; q0). Complementing qubit 2 = swapping qubits 0 and 2

• complementing qubit 0
• swapping qubits 0 and 2.

Similarly: swapping qubits i; j. (a0; a1; a2; a3; a4; a (a0; a1; a3; a2; a4; a is a “reversible XOR “controlled NOT gate”: (q0; q1; q2) → (q0 Example with more (a0; a1; a2; a3; a4; a a8; a9; a10; a11; a12; a16; a17; a18; a19; a20 a24; a25; a26; a27; a28 → (a0; a1; a3; a2; a a8; a9; a11; a10; a12; a16; a17; a19; a18; a20 a24; a25; a27; a26; a28

part 1 ) → ) bit 0, qubit 0”. ) ), + 4q2, |ar|2. ) ; q2), |ar|2. (a0; a1; a2; a3; a4; a5; a6; a7) → (a4; a5; a6; a7; a0; a1; a2; a3) is “complementing qubit 2”: (q0; q1; q2) → (q0; q1; q2 ⊕ 1). (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a4; a2; a6; a1; a5; a3; a7) is “swapping qubits 0 and 2”: (q0; q1; q2) → (q2; q1; q0). Complementing qubit 2 = swapping qubits 0 and 2

• complementing qubit 0
• swapping qubits 0 and 2.

Similarly: swapping qubits i; j. (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a3; a2; a4; a5; a7; a6) is a “reversible XOR gate” = “controlled NOT gate”: (q0; q1; q2) → (q0 ⊕ q1; q1; q Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a a16; a17; a18; a19; a20; a21; a22 a24; a25; a26; a27; a28; a29; a30 → (a0; a1; a3; a2; a4; a5; a7; a6 a8; a9; a11; a10; a12; a13; a15; a a16; a17; a19; a18; a20; a21; a23 a24; a25; a27; a26; a28; a29; a31

(a0; a1; a2; a3; a4; a5; a6; a7) → (a4; a5; a6; a7; a0; a1; a2; a3) is “complementing qubit 2”: (q0; q1; q2) → (q0; q1; q2 ⊕ 1). (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a4; a2; a6; a1; a5; a3; a7) is “swapping qubits 0 and 2”: (q0; q1; q2) → (q2; q1; q0). Complementing qubit 2 = swapping qubits 0 and 2

• complementing qubit 0
• swapping qubits 0 and 2.

Similarly: swapping qubits i; j. (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a3; a2; a4; a5; a7; a6) is a “reversible XOR gate” = “controlled NOT gate”: (q0; q1; q2) → (q0 ⊕ q1; q1; q2). Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a15; a16; a17; a18; a19; a20; a21; a22; a23; a24; a25; a26; a27; a28; a29; a30; a31) → (a0; a1; a3; a2; a4; a5; a7; a6; a8; a9; a11; a10; a12; a13; a15; a14; a16; a17; a19; a18; a20; a21; a23; a22; a24; a25; a27; a26; a28; a29; a31; a30).

; a2; a3; a4; a5; a6; a7) → ; a6; a7; a0; a1; a2; a3) “complementing qubit 2”: ; q2) → (q0; q1; q2 ⊕ 1). ; a2; a3; a4; a5; a6; a7) → ; a2; a6; a1; a5; a3; a7) apping qubits 0 and 2”: ; q2) → (q2; q1; q0). Complementing qubit 2 pping qubits 0 and 2 complementing qubit 0 apping qubits 0 and 2. rly: swapping qubits i; j. (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a3; a2; a4; a5; a7; a6) is a “reversible XOR gate” = “controlled NOT gate”: (q0; q1; q2) → (q0 ⊕ q1; q1; q2). Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a15; a16; a17; a18; a19; a20; a21; a22; a23; a24; a25; a26; a27; a28; a29; a30; a31) → (a0; a1; a3; a2; a4; a5; a7; a6; a8; a9; a11; a10; a12; a13; a15; a14; a16; a17; a19; a18; a20; a21; a23; a22; a24; a25; a27; a26; a28; a29; a31; a30). (a0; a1; a (a0; a1; a is a “Toffoli “controlled (q0; q1; q Example (a0; a1; a a8; a9; a10 a16; a17; a24; a25; → (a0; a a8; a9; a10 a16; a17; a24; a25;

; a5; a6; a7) → ; a1; a2; a3) “complementing qubit 2”:

0; q1; q2 ⊕ 1).

; a5; a6; a7) → ; a5; a3; a7) qubits 0 and 2”:

2; q1; q0).

qubit 2 qubits 0 and 2 complementing qubit 0 qubits 0 and 2. apping qubits i; j. (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a3; a2; a4; a5; a7; a6) is a “reversible XOR gate” = “controlled NOT gate”: (q0; q1; q2) → (q0 ⊕ q1; q1; q2). Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a15; a16; a17; a18; a19; a20; a21; a22; a23; a24; a25; a26; a27; a28; a29; a30; a31) → (a0; a1; a3; a2; a4; a5; a7; a6; a8; a9; a11; a10; a12; a13; a15; a14; a16; a17; a19; a18; a20; a21; a23; a22; a24; a25; a27; a26; a28; a29; a31; a30). (a0; a1; a2; a3; a4; a (a0; a1; a2; a3; a4; a is a “Toffoli gate” “controlled controlled (q0; q1; q2) → (q0 Example with more (a0; a1; a2; a3; a4; a a8; a9; a10; a11; a12; a16; a17; a18; a19; a20 a24; a25; a26; a27; a28 → (a0; a1; a2; a3; a a8; a9; a10; a11; a12; a16; a17; a18; a19; a20 a24; a25; a26; a27; a28

) → ) 2”: 1). ) → ) 2”: 2 and 2. i; j. (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a3; a2; a4; a5; a7; a6) is a “reversible XOR gate” = “controlled NOT gate”: (q0; q1; q2) → (q0 ⊕ q1; q1; q2). Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a15; a16; a17; a18; a19; a20; a21; a22; a23; a24; a25; a26; a27; a28; a29; a30; a31) → (a0; a1; a3; a2; a4; a5; a7; a6; a8; a9; a11; a10; a12; a13; a15; a14; a16; a17; a19; a18; a20; a21; a23; a22; a24; a25; a27; a26; a28; a29; a31; a30). (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a3; a4; a5; a7; a6) is a “Toffoli gate” = “controlled controlled NOT (q0; q1; q2) → (q0 ⊕ q1q2; q1 Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a a16; a17; a18; a19; a20; a21; a22 a24; a25; a26; a27; a28; a29; a30 → (a0; a1; a2; a3; a4; a5; a7; a6 a8; a9; a10; a11; a12; a13; a15; a a16; a17; a18; a19; a20; a21; a23 a24; a25; a26; a27; a28; a29; a31

(a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a3; a2; a4; a5; a7; a6) is a “reversible XOR gate” = “controlled NOT gate”: (q0; q1; q2) → (q0 ⊕ q1; q1; q2). Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a15; a16; a17; a18; a19; a20; a21; a22; a23; a24; a25; a26; a27; a28; a29; a30; a31) → (a0; a1; a3; a2; a4; a5; a7; a6; a8; a9; a11; a10; a12; a13; a15; a14; a16; a17; a19; a18; a20; a21; a23; a22; a24; a25; a27; a26; a28; a29; a31; a30). (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a3; a4; a5; a7; a6) is a “Toffoli gate” = “controlled controlled NOT gate”: (q0; q1; q2) → (q0 ⊕ q1q2; q1; q2). Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a15; a16; a17; a18; a19; a20; a21; a22; a23; a24; a25; a26; a27; a28; a29; a30; a31) → (a0; a1; a2; a3; a4; a5; a7; a6; a8; a9; a10; a11; a12; a13; a15; a14; a16; a17; a18; a19; a20; a21; a23; a22; a24; a25; a26; a27; a28; a29; a31; a30).

; a2; a3; a4; a5; a6; a7) → ; a3; a2; a4; a5; a7; a6) “reversible XOR gate” = “controlled NOT gate”: ; q2) → (q0 ⊕ q1; q1; q2). Example with more qubits: ; a2; a3; a4; a5; a6; a7; a10; a11; a12; a13; a14; a15;

17; a18; a19; a20; a21; a22; a23; 25; a26; a27; a28; a29; a30; a31)

; a1; a3; a2; a4; a5; a7; a6; a11; a10; a12; a13; a15; a14;

17; a19; a18; a20; a21; a23; a22; 25; a27; a26; a28; a29; a31; a30).

(a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a3; a4; a5; a7; a6) is a “Toffoli gate” = “controlled controlled NOT gate”: (q0; q1; q2) → (q0 ⊕ q1q2; q1; q2). Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a15; a16; a17; a18; a19; a20; a21; a22; a23; a24; a25; a26; a27; a28; a29; a30; a31) → (a0; a1; a2; a3; a4; a5; a7; a6; a8; a9; a10; a11; a12; a13; a15; a14; a16; a17; a18; a19; a20; a21; a23; a22; a24; a25; a26; a27; a28; a29; a31; a30). Reversible Say p is

• f {0; 1;

General strategy these fast to obtain (ap(0); ap → (a0; a

; a5; a6; a7) → ; a5; a7; a6) OR gate” = gate”:

0 ⊕ q1; q1; q2).

more qubits: ; a5; a6; a7;

12; a13; a14; a15;

; a20; a21; a22; a23; ; a28; a29; a30; a31) ; a4; a5; a7; a6;

12; a13; a15; a14;

; a20; a21; a23; a22; ; a28; a29; a31; a30). (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a3; a4; a5; a7; a6) is a “Toffoli gate” = “controlled controlled NOT gate”: (q0; q1; q2) → (q0 ⊕ q1q2; q1; q2). Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a15; a16; a17; a18; a19; a20; a21; a22; a23; a24; a25; a26; a27; a28; a29; a30; a31) → (a0; a1; a2; a3; a4; a5; a7; a6; a8; a9; a10; a11; a12; a13; a15; a14; a16; a17; a18; a19; a20; a21; a23; a22; a24; a25; a26; a27; a28; a29; a31; a30). Reversible computa Say p is a permutation

• f {0; 1; : : : ; 2n − 1

General strategy to these fast quantum to obtain index permutation (ap(0); ap(1); : : : ; ap → (a0; a1; : : : ; a2n−

) → ) = ; q2). qubits: ; ; a15;

22; a23; 30; a31)

; a6; ; a14;

23; a22; 31; a30).

(a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a3; a4; a5; a7; a6) is a “Toffoli gate” = “controlled controlled NOT gate”: (q0; q1; q2) → (q0 ⊕ q1q2; q1; q2). Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a15; a16; a17; a18; a19; a20; a21; a22; a23; a24; a25; a26; a27; a28; a29; a30; a31) → (a0; a1; a2; a3; a4; a5; a7; a6; a8; a9; a10; a11; a12; a13; a15; a14; a16; a17; a18; a19; a20; a21; a23; a22; a24; a25; a26; a27; a28; a29; a31; a30). Reversible computation Say p is a permutation

• f {0; 1; : : : ; 2n − 1}.

General strategy to compose these fast quantum operations to obtain index permutation (ap(0); ap(1); : : : ; ap(2n−1)) → (a0; a1; : : : ; a2n−1):

(a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a3; a4; a5; a7; a6) is a “Toffoli gate” = “controlled controlled NOT gate”: (q0; q1; q2) → (q0 ⊕ q1q2; q1; q2). Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a15; a16; a17; a18; a19; a20; a21; a22; a23; a24; a25; a26; a27; a28; a29; a30; a31) → (a0; a1; a2; a3; a4; a5; a7; a6; a8; a9; a10; a11; a12; a13; a15; a14; a16; a17; a18; a19; a20; a21; a23; a22; a24; a25; a26; a27; a28; a29; a31; a30). Reversible computation Say p is a permutation

• f {0; 1; : : : ; 2n − 1}.

General strategy to compose these fast quantum operations to obtain index permutation (ap(0); ap(1); : : : ; ap(2n−1)) → (a0; a1; : : : ; a2n−1):

(a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a3; a4; a5; a7; a6) is a “Toffoli gate” = “controlled controlled NOT gate”: (q0; q1; q2) → (q0 ⊕ q1q2; q1; q2). Example with more qubits: (a0; a1; a2; a3; a4; a5; a6; a7; a8; a9; a10; a11; a12; a13; a14; a15; a16; a17; a18; a19; a20; a21; a22; a23; a24; a25; a26; a27; a28; a29; a30; a31) → (a0; a1; a2; a3; a4; a5; a7; a6; a8; a9; a10; a11; a12; a13; a15; a14; a16; a17; a18; a19; a20; a21; a23; a22; a24; a25; a26; a27; a28; a29; a31; a30). Reversible computation Say p is a permutation

• f {0; 1; : : : ; 2n − 1}.

General strategy to compose these fast quantum operations to obtain index permutation (ap(0); ap(1); : : : ; ap(2n−1)) → (a0; a1; : : : ; a2n−1):

• 1. Build a traditional circuit

to compute j → p(j) using NOT/XOR/AND gates.

• 2. Convert into reversible gates:

e.g., convert AND into Toffoli.

; a2; a3; a4; a5; a6; a7) → ; a2; a3; a4; a5; a7; a6)

• ffoli gate” =

“controlled controlled NOT gate”: ; q2) → (q0 ⊕ q1q2; q1; q2). Example with more qubits: ; a2; a3; a4; a5; a6; a7; a10; a11; a12; a13; a14; a15;

17; a18; a19; a20; a21; a22; a23; 25; a26; a27; a28; a29; a30; a31)

; a1; a2; a3; a4; a5; a7; a6; a10; a11; a12; a13; a15; a14;

17; a18; a19; a20; a21; a23; a22; 25; a26; a27; a28; a29; a31; a30).

Reversible computation Say p is a permutation

• f {0; 1; : : : ; 2n − 1}.

General strategy to compose these fast quantum operations to obtain index permutation (ap(0); ap(1); : : : ; ap(2n−1)) → (a0; a1; : : : ; a2n−1):

• 1. Build a traditional circuit

to compute j → p(j) using NOT/XOR/AND gates.

• 2. Convert into reversible gates:

e.g., convert AND into Toffoli. Example: (a0; a1; a (a7; a0; a permutation

• 1. Build

to compute q0

• ✷

✷ ✷ ✷ ✷ ✷ ❉ ❉ ❉ q0 ⊕ 1

; a5; a6; a7) → ; a5; a7; a6) gate” = controlled NOT gate”:

0 ⊕ q1q2; q1; q2).

more qubits: ; a5; a6; a7;

12; a13; a14; a15;

; a20; a21; a22; a23; ; a28; a29; a30; a31) ; a4; a5; a7; a6;

12; a13; a15; a14;

; a20; a21; a23; a22; ; a28; a29; a31; a30). Reversible computation Say p is a permutation

• f {0; 1; : : : ; 2n − 1}.

General strategy to compose these fast quantum operations to obtain index permutation (ap(0); ap(1); : : : ; ap(2n−1)) → (a0; a1; : : : ; a2n−1):

• 1. Build a traditional circuit

to compute j → p(j) using NOT/XOR/AND gates.

• 2. Convert into reversible gates:

e.g., convert AND into Toffoli. Example: Let’s com (a0; a1; a2; a3; a4; a (a7; a0; a1; a2; a3; a permutation q → q

• 1. Build a traditional

to compute q → q q0

• ✷

✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷

• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q1

• c1 = q1

❉ q0 ⊕ 1 q1 ⊕ q

) → ) NOT gate”: q1; q2). qubits: ; ; a15;

22; a23; 30; a31)

; a6; ; a14;

23; a22; 31; a30).

Reversible computation Say p is a permutation

• f {0; 1; : : : ; 2n − 1}.

General strategy to compose these fast quantum operations to obtain index permutation (ap(0); ap(1); : : : ; ap(2n−1)) → (a0; a1; : : : ; a2n−1):

• 1. Build a traditional circuit

to compute j → p(j) using NOT/XOR/AND gates.

• 2. Convert into reversible gates:

e.g., convert AND into Toffoli. Example: Let’s compute (a0; a1; a2; a3; a4; a5; a6; a7) → (a7; a0; a1; a2; a3; a4; a5; a6); permutation q → q + 1 mod

• 1. Build a traditional circuit

to compute q → q + 1 mod q0

• ✷

✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷

• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q1

• q
• c1 = q1q0
• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q0 ⊕ 1 q1 ⊕ q0 q2 ⊕

Reversible computation Say p is a permutation

• f {0; 1; : : : ; 2n − 1}.

General strategy to compose these fast quantum operations to obtain index permutation (ap(0); ap(1); : : : ; ap(2n−1)) → (a0; a1; : : : ; a2n−1):

• 1. Build a traditional circuit

to compute j → p(j) using NOT/XOR/AND gates.

• 2. Convert into reversible gates:

e.g., convert AND into Toffoli. Example: Let’s compute (a0; a1; a2; a3; a4; a5; a6; a7) → (a7; a0; a1; a2; a3; a4; a5; a6); permutation q → q + 1 mod 8.

• 1. Build a traditional circuit

to compute q → q + 1 mod 8. q0

• ✷

✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷

• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q1

• q2
• c1 = q1q0
• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q0 ⊕ 1 q1 ⊕ q0 q2 ⊕ c1

Reversible computation is a permutation 1; : : : ; 2n − 1}. General strategy to compose fast quantum operations

• btain index permutation

ap(1); : : : ; ap(2n−1)) ; a1; : : : ; a2n−1): Build a traditional circuit compute j → p(j) NOT/XOR/AND gates. Convert into reversible gates: convert AND into Toffoli. Example: Let’s compute (a0; a1; a2; a3; a4; a5; a6; a7) → (a7; a0; a1; a2; a3; a4; a5; a6); permutation q → q + 1 mod 8.

• 1. Build a traditional circuit

to compute q → q + 1 mod 8. q0

• ✷

✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷

• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q1

• q2
• c1 = q1q0
• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q0 ⊕ 1 q1 ⊕ q0 q2 ⊕ c1

• 2. Convert

Toffoli fo (a0; a1; a (a0; a1; a

• mputation

ermutation − 1}. to compose quantum operations permutation ; ap(2n−1))

n−1):

traditional circuit p(j) OR/AND gates. reversible gates: AND into Toffoli. Example: Let’s compute (a0; a1; a2; a3; a4; a5; a6; a7) → (a7; a0; a1; a2; a3; a4; a5; a6); permutation q → q + 1 mod 8.

• 1. Build a traditional circuit

to compute q → q + 1 mod 8. q0

• ✷

✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷

• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q1

• q2
• c1 = q1q0
• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q0 ⊕ 1 q1 ⊕ q0 q2 ⊕ c1

• 2. Convert into reversible

Toffoli for q2 ← q2 (a0; a1; a2; a3; a4; a (a0; a1; a2; a7; a4; a

• se

erations ermutation circuit gates. gates:

• ffoli.

Example: Let’s compute (a0; a1; a2; a3; a4; a5; a6; a7) → (a7; a0; a1; a2; a3; a4; a5; a6); permutation q → q + 1 mod 8.

• 1. Build a traditional circuit

to compute q → q + 1 mod 8. q0

• ✷

✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷

• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q1

• q2
• c1 = q1q0
• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q0 ⊕ 1 q1 ⊕ q0 q2 ⊕ c1

• 2. Convert into reversible gates.

Toffoli for q2 ← q2 ⊕ q1q0: (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a7; a4; a5; a6; a3).

Example: Let’s compute (a0; a1; a2; a3; a4; a5; a6; a7) → (a7; a0; a1; a2; a3; a4; a5; a6); permutation q → q + 1 mod 8.

• 1. Build a traditional circuit

to compute q → q + 1 mod 8. q0

• ✷

✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷

• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q1

• q2
• c1 = q1q0
• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q0 ⊕ 1 q1 ⊕ q0 q2 ⊕ c1

• 2. Convert into reversible gates.

Toffoli for q2 ← q2 ⊕ q1q0: (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a7; a4; a5; a6; a3).

Example: Let’s compute (a0; a1; a2; a3; a4; a5; a6; a7) → (a7; a0; a1; a2; a3; a4; a5; a6); permutation q → q + 1 mod 8.

• 1. Build a traditional circuit

to compute q → q + 1 mod 8. q0

• ✷

✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷

• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q1

• q2
• c1 = q1q0
• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q0 ⊕ 1 q1 ⊕ q0 q2 ⊕ c1

• 2. Convert into reversible gates.

Toffoli for q2 ← q2 ⊕ q1q0: (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a7; a4; a5; a6; a3). Controlled NOT for q1 ← q1 ⊕ q0: (a0; a1; a2; a7; a4; a5; a6; a3) → (a0; a7; a2; a1; a4; a3; a6; a5).

Example: Let’s compute (a0; a1; a2; a3; a4; a5; a6; a7) → (a7; a0; a1; a2; a3; a4; a5; a6); permutation q → q + 1 mod 8.

• 1. Build a traditional circuit

to compute q → q + 1 mod 8. q0

• ✷

✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷

• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q1

• q2
• c1 = q1q0
• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q0 ⊕ 1 q1 ⊕ q0 q2 ⊕ c1

• 2. Convert into reversible gates.

Toffoli for q2 ← q2 ⊕ q1q0: (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a7; a4; a5; a6; a3). Controlled NOT for q1 ← q1 ⊕ q0: (a0; a1; a2; a7; a4; a5; a6; a3) → (a0; a7; a2; a1; a4; a3; a6; a5). NOT for q0 ← q0 ⊕ 1: (a0; a7; a2; a1; a4; a3; a6; a5) → (a7; a0; a1; a2; a3; a4; a5; a6).

Example: Let’s compute ; a2; a3; a4; a5; a6; a7) → ; a1; a2; a3; a4; a5; a6); ermutation q → q + 1 mod 8. Build a traditional circuit compute q → q + 1 mod 8.

• ✷

✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷ ✷

• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ q1

• q2
• c1 = q1q0
• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ 1 q1 ⊕ q0 q2 ⊕ c1

• 2. Convert into reversible gates.

Toffoli for q2 ← q2 ⊕ q1q0: (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a7; a4; a5; a6; a3). Controlled NOT for q1 ← q1 ⊕ q0: (a0; a1; a2; a7; a4; a5; a6; a3) → (a0; a7; a2; a1; a4; a3; a6; a5). NOT for q0 ← q0 ⊕ 1: (a0; a7; a2; a1; a4; a3; a6; a5) → (a7; a0; a1; a2; a3; a4; a5; a6). This permutation was deceptively It didn’t For large need many Really w

compute ; a5; a6; a7) → ; a4; a5; a6); q + 1 mod 8. traditional circuit q + 1 mod 8.

• q2
• q1q0
• ❉

❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ ❉ q0 q2 ⊕ c1

• 2. Convert into reversible gates.

Toffoli for q2 ← q2 ⊕ q1q0: (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a7; a4; a5; a6; a3). Controlled NOT for q1 ← q1 ⊕ q0: (a0; a1; a2; a7; a4; a5; a6; a3) → (a0; a7; a2; a1; a4; a3; a6; a5). NOT for q0 ← q0 ⊕ 1: (a0; a7; a2; a1; a4; a3; a6; a5) → (a7; a0; a1; a2; a3; a4; a5; a6). This permutation example was deceptively easy It didn’t need many For large n, most p need many operations Really want fast circuits.

) → ); mod 8. circuit d 8. q2

• ⊕ c1
• 2. Convert into reversible gates.

Toffoli for q2 ← q2 ⊕ q1q0: (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a7; a4; a5; a6; a3). Controlled NOT for q1 ← q1 ⊕ q0: (a0; a1; a2; a7; a4; a5; a6; a3) → (a0; a7; a2; a1; a4; a3; a6; a5). NOT for q0 ← q0 ⊕ 1: (a0; a7; a2; a1; a4; a3; a6; a5) → (a7; a0; a1; a2; a3; a4; a5; a6). This permutation example was deceptively easy. It didn’t need many operations. For large n, most permutations need many operations ⇒ slo Really want fast circuits.

• 2. Convert into reversible gates.

Toffoli for q2 ← q2 ⊕ q1q0: (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a7; a4; a5; a6; a3). Controlled NOT for q1 ← q1 ⊕ q0: (a0; a1; a2; a7; a4; a5; a6; a3) → (a0; a7; a2; a1; a4; a3; a6; a5). NOT for q0 ← q0 ⊕ 1: (a0; a7; a2; a1; a4; a3; a6; a5) → (a7; a0; a1; a2; a3; a4; a5; a6). This permutation example was deceptively easy. It didn’t need many operations. For large n, most permutations p need many operations ⇒ slow. Really want fast circuits.

• 2. Convert into reversible gates.

Toffoli for q2 ← q2 ⊕ q1q0: (a0; a1; a2; a3; a4; a5; a6; a7) → (a0; a1; a2; a7; a4; a5; a6; a3). Controlled NOT for q1 ← q1 ⊕ q0: (a0; a1; a2; a7; a4; a5; a6; a3) → (a0; a7; a2; a1; a4; a3; a6; a5). NOT for q0 ← q0 ⊕ 1: (a0; a7; a2; a1; a4; a3; a6; a5) → (a7; a0; a1; a2; a3; a4; a5; a6). This permutation example was deceptively easy. It didn’t need many operations. For large n, most permutations p need many operations ⇒ slow. Really want fast circuits. Also, it didn’t need extra storage: circuit operated “in place” after computation c1 ← q1q0 was merged into q2 ← q2 ⊕ c1. Typical circuits aren’t in-place.

Convert into reversible gates. for q2 ← q2 ⊕ q1q0: ; a2; a3; a4; a5; a6; a7) → ; a2; a7; a4; a5; a6; a3). Controlled NOT for q1 ← q1 ⊕ q0: ; a2; a7; a4; a5; a6; a3) → ; a2; a1; a4; a3; a6; a5). for q0 ← q0 ⊕ 1: ; a2; a1; a4; a3; a6; a5) → ; a1; a2; a3; a4; a5; a6). This permutation example was deceptively easy. It didn’t need many operations. For large n, most permutations p need many operations ⇒ slow. Really want fast circuits. Also, it didn’t need extra storage: circuit operated “in place” after computation c1 ← q1q0 was merged into q2 ← q2 ⊕ c1. Typical circuits aren’t in-place. Start from inputs b1 bi+1 = 1 bi+2 = 1 : : : bT = 1 ⊕ specified

reversible gates. q2 ⊕ q1q0: ; a5; a6; a7) → ; a5; a6; a3). for q1 ← q1 ⊕ q0: ; a5; a6; a3) → ; a3; a6; a5).

0 ⊕ 1:

; a3; a6; a5) → ; a4; a5; a6). This permutation example was deceptively easy. It didn’t need many operations. For large n, most permutations p need many operations ⇒ slow. Really want fast circuits. Also, it didn’t need extra storage: circuit operated “in place” after computation c1 ← q1q0 was merged into q2 ← q2 ⊕ c1. Typical circuits aren’t in-place. Start from any circuit: inputs b1; b2; : : : ; b bi+1 = 1 ⊕ bf (i+1) bi+2 = 1 ⊕ bf (i+2) : : : bT = 1 ⊕ bf (T)bg( specified outputs.

gates. : ) → ). q1 ⊕ q0: ) → ). ) → ). This permutation example was deceptively easy. It didn’t need many operations. For large n, most permutations p need many operations ⇒ slow. Really want fast circuits. Also, it didn’t need extra storage: circuit operated “in place” after computation c1 ← q1q0 was merged into q2 ← q2 ⊕ c1. Typical circuits aren’t in-place. Start from any circuit: inputs b1; b2; : : : ; bi; bi+1 = 1 ⊕ bf (i+1)bg(i+1); bi+2 = 1 ⊕ bf (i+2)bg(i+2); : : : bT = 1 ⊕ bf (T)bg(T); specified outputs.

This permutation example was deceptively easy. It didn’t need many operations. For large n, most permutations p need many operations ⇒ slow. Really want fast circuits. Also, it didn’t need extra storage: circuit operated “in place” after computation c1 ← q1q0 was merged into q2 ← q2 ⊕ c1. Typical circuits aren’t in-place. Start from any circuit: inputs b1; b2; : : : ; bi; bi+1 = 1 ⊕ bf (i+1)bg(i+1); bi+2 = 1 ⊕ bf (i+2)bg(i+2); : : : bT = 1 ⊕ bf (T)bg(T); specified outputs.

This permutation example was deceptively easy. It didn’t need many operations. For large n, most permutations p need many operations ⇒ slow. Really want fast circuits. Also, it didn’t need extra storage: circuit operated “in place” after computation c1 ← q1q0 was merged into q2 ← q2 ⊕ c1. Typical circuits aren’t in-place. Start from any circuit: inputs b1; b2; : : : ; bi; bi+1 = 1 ⊕ bf (i+1)bg(i+1); bi+2 = 1 ⊕ bf (i+2)bg(i+2); : : : bT = 1 ⊕ bf (T)bg(T); specified outputs. Reversible but dirty: inputs b1; b2; : : : ; bT ; bi+1 ← 1 ⊕ bi+1 ⊕ bf (i+1)bg(i+1); bi+2 ← 1 ⊕ bi+2 ⊕ bf (i+2)bg(i+2); : : : bT ← 1 ⊕ bT ⊕ bf (T)bg(T). Same outputs if all of bi+1; : : : ; bT started as 0.

ermutation example deceptively easy. didn’t need many operations. rge n, most permutations p many operations ⇒ slow. want fast circuits. it didn’t need extra storage:

• perated “in place” after

computation c1 ← q1q0 was merged into q2 ← q2 ⊕ c1. ypical circuits aren’t in-place. Start from any circuit: inputs b1; b2; : : : ; bi; bi+1 = 1 ⊕ bf (i+1)bg(i+1); bi+2 = 1 ⊕ bf (i+2)bg(i+2); : : : bT = 1 ⊕ bf (T)bg(T); specified outputs. Reversible but dirty: inputs b1; b2; : : : ; bT ; bi+1 ← 1 ⊕ bi+1 ⊕ bf (i+1)bg(i+1); bi+2 ← 1 ⊕ bi+2 ⊕ bf (i+2)bg(i+2); : : : bT ← 1 ⊕ bT ⊕ bf (T)bg(T). Same outputs if all of bi+1; : : : ; bT started as 0. Reversible after finishing set non-outputs by repeating

• n non-outputs

Original (inputs) (inputs; dirt Dirty reversible (inputs; zeros (inputs; dirt Clean reversible (inputs; zeros (inputs; zeros

ermutation example easy. many operations. most permutations p erations ⇒ slow. circuits. need extra storage: “in place” after ← q1q0 was ← q2 ⊕ c1. aren’t in-place. Start from any circuit: inputs b1; b2; : : : ; bi; bi+1 = 1 ⊕ bf (i+1)bg(i+1); bi+2 = 1 ⊕ bf (i+2)bg(i+2); : : : bT = 1 ⊕ bf (T)bg(T); specified outputs. Reversible but dirty: inputs b1; b2; : : : ; bT ; bi+1 ← 1 ⊕ bi+1 ⊕ bf (i+1)bg(i+1); bi+2 ← 1 ⊕ bi+2 ⊕ bf (i+2)bg(i+2); : : : bT ← 1 ⊕ bT ⊕ bf (T)bg(T). Same outputs if all of bi+1; : : : ; bT started as 0. Reversible and clean: after finishing dirty set non-outputs back by repeating same

• n non-outputs in

Original computation: (inputs) → (inputs; dirt; outputs). Dirty reversible computation: (inputs; zeros; zeros) (inputs; dirt; outputs). Clean reversible computation: (inputs; zeros; zeros) (inputs; zeros; outputs).

erations. ermutations p slow. storage: after as . in-place. Start from any circuit: inputs b1; b2; : : : ; bi; bi+1 = 1 ⊕ bf (i+1)bg(i+1); bi+2 = 1 ⊕ bf (i+2)bg(i+2); : : : bT = 1 ⊕ bf (T)bg(T); specified outputs. Reversible but dirty: inputs b1; b2; : : : ; bT ; bi+1 ← 1 ⊕ bi+1 ⊕ bf (i+1)bg(i+1); bi+2 ← 1 ⊕ bi+2 ⊕ bf (i+2)bg(i+2); : : : bT ← 1 ⊕ bT ⊕ bf (T)bg(T). Same outputs if all of bi+1; : : : ; bT started as 0. Reversible and clean: after finishing dirty computation, set non-outputs back to 0, by repeating same operations

• n non-outputs in reverse order.

Original computation: (inputs) → (inputs; dirt; outputs). Dirty reversible computation: (inputs; zeros; zeros) → (inputs; dirt; outputs). Clean reversible computation: (inputs; zeros; zeros) → (inputs; zeros; outputs).

Start from any circuit: inputs b1; b2; : : : ; bi; bi+1 = 1 ⊕ bf (i+1)bg(i+1); bi+2 = 1 ⊕ bf (i+2)bg(i+2); : : : bT = 1 ⊕ bf (T)bg(T); specified outputs. Reversible but dirty: inputs b1; b2; : : : ; bT ; bi+1 ← 1 ⊕ bi+1 ⊕ bf (i+1)bg(i+1); bi+2 ← 1 ⊕ bi+2 ⊕ bf (i+2)bg(i+2); : : : bT ← 1 ⊕ bT ⊕ bf (T)bg(T). Same outputs if all of bi+1; : : : ; bT started as 0. Reversible and clean: after finishing dirty computation, set non-outputs back to 0, by repeating same operations

• n non-outputs in reverse order.

Original computation: (inputs) → (inputs; dirt; outputs). Dirty reversible computation: (inputs; zeros; zeros) → (inputs; dirt; outputs). Clean reversible computation: (inputs; zeros; zeros) → (inputs; zeros; outputs).

from any circuit: b1; b2; : : : ; bi; 1 ⊕ bf (i+1)bg(i+1); 1 ⊕ bf (i+2)bg(i+2); 1 ⊕ bf (T)bg(T); ecified outputs. Reversible but dirty: b1; b2; : : : ; bT ; 1 ⊕ bi+1 ⊕ bf (i+1)bg(i+1); 1 ⊕ bi+2 ⊕ bf (i+2)bg(i+2); 1 ⊕ bT ⊕ bf (T)bg(T).

• utputs if all of

: : ; bT started as 0. Reversible and clean: after finishing dirty computation, set non-outputs back to 0, by repeating same operations

• n non-outputs in reverse order.

Original computation: (inputs) → (inputs; dirt; outputs). Dirty reversible computation: (inputs; zeros; zeros) → (inputs; dirt; outputs). Clean reversible computation: (inputs; zeros; zeros) → (inputs; zeros; outputs). Given fast and fast build fast (x; zeros)

circuit: ; bi;

+1)bg(i+1); +2)bg(i+2); g(T);

• utputs.

dirty: ; bT ; ⊕ bf (i+1)bg(i+1); ⊕ bf (i+2)bg(i+2); bf (T)bg(T). all of rted as 0. Reversible and clean: after finishing dirty computation, set non-outputs back to 0, by repeating same operations

• n non-outputs in reverse order.

Original computation: (inputs) → (inputs; dirt; outputs). Dirty reversible computation: (inputs; zeros; zeros) → (inputs; dirt; outputs). Clean reversible computation: (inputs; zeros; zeros) → (inputs; zeros; outputs). Given fast circuit fo and fast circuit for build fast reversible (x; zeros) → (p(x)

; ; bg(i+1); bg(i+2); . Reversible and clean: after finishing dirty computation, set non-outputs back to 0, by repeating same operations

• n non-outputs in reverse order.

Original computation: (inputs) → (inputs; dirt; outputs). Dirty reversible computation: (inputs; zeros; zeros) → (inputs; dirt; outputs). Clean reversible computation: (inputs; zeros; zeros) → (inputs; zeros; outputs). Given fast circuit for p and fast circuit for p−1, build fast reversible circuit fo (x; zeros) → (p(x); zeros).

Reversible and clean: after finishing dirty computation, set non-outputs back to 0, by repeating same operations

• n non-outputs in reverse order.

Original computation: (inputs) → (inputs; dirt; outputs). Dirty reversible computation: (inputs; zeros; zeros) → (inputs; dirt; outputs). Clean reversible computation: (inputs; zeros; zeros) → (inputs; zeros; outputs). Given fast circuit for p and fast circuit for p−1, build fast reversible circuit for (x; zeros) → (p(x); zeros).

Reversible and clean: after finishing dirty computation, set non-outputs back to 0, by repeating same operations

• n non-outputs in reverse order.

Original computation: (inputs) → (inputs; dirt; outputs). Dirty reversible computation: (inputs; zeros; zeros) → (inputs; dirt; outputs). Clean reversible computation: (inputs; zeros; zeros) → (inputs; zeros; outputs). Given fast circuit for p and fast circuit for p−1, build fast reversible circuit for (x; zeros) → (p(x); zeros). Replace reversible bit operations with Toffoli gates etc. permuting C2n+z → C2n+z . Permutation on first 2n entries is (ap(0); ap(1); : : : ; ap(2n−1)) → (a0; a1; : : : ; a2n−1). Typically prepare vectors supported on first 2n entries so don’t care how permutation acts on last 2n+z − 2n entries.

Reversible and clean: finishing dirty computation, non-outputs back to 0, eating same operations non-outputs in reverse order. Original computation: (inputs) → (inputs; dirt; outputs). reversible computation: (inputs; zeros; zeros) → (inputs; dirt; outputs). reversible computation: (inputs; zeros; zeros) → (inputs; zeros; outputs). Given fast circuit for p and fast circuit for p−1, build fast reversible circuit for (x; zeros) → (p(x); zeros). Replace reversible bit operations with Toffoli gates etc. permuting C2n+z → C2n+z . Permutation on first 2n entries is (ap(0); ap(1); : : : ; ap(2n−1)) → (a0; a1; : : : ; a2n−1). Typically prepare vectors supported on first 2n entries so don’t care how permutation acts on last 2n+z − 2n entries. Warning: ≈ number in original This can than numb in the original Many useful to compress but often Many subtle Crude “p don’t care but serious is much

clean: irty computation, back to 0, same operations in reverse order. computation:

• utputs).

computation: zeros) →

• utputs).

computation: zeros) →

• utputs).

Given fast circuit for p and fast circuit for p−1, build fast reversible circuit for (x; zeros) → (p(x); zeros). Replace reversible bit operations with Toffoli gates etc. permuting C2n+z → C2n+z . Permutation on first 2n entries is (ap(0); ap(1); : : : ; ap(2n−1)) → (a0; a1; : : : ; a2n−1). Typically prepare vectors supported on first 2n entries so don’t care how permutation acts on last 2n+z − 2n entries. Warning: Number ≈ number of bit op in original p; p−1 circuits. This can be much than number of bits in the original circuits. Many useful techniques to compress into few but often these lose Many subtle tradeoffs. Crude “poly-time” don’t care about this, but serious cryptanalysis is much more prec

computation, 0, erations

• rder.

computation: computation: Given fast circuit for p and fast circuit for p−1, build fast reversible circuit for (x; zeros) → (p(x); zeros). Replace reversible bit operations with Toffoli gates etc. permuting C2n+z → C2n+z . Permutation on first 2n entries is (ap(0); ap(1); : : : ; ap(2n−1)) → (a0; a1; : : : ; a2n−1). Typically prepare vectors supported on first 2n entries so don’t care how permutation acts on last 2n+z − 2n entries. Warning: Number of qubits ≈ number of bit operations in original p; p−1 circuits. This can be much larger than number of bits stored in the original circuits. Many useful techniques to compress into fewer qubits, but often these lose time. Many subtle tradeoffs. Crude “poly-time” analyses don’t care about this, but serious cryptanalysis is much more precise.

Given fast circuit for p and fast circuit for p−1, build fast reversible circuit for (x; zeros) → (p(x); zeros). Replace reversible bit operations with Toffoli gates etc. permuting C2n+z → C2n+z . Permutation on first 2n entries is (ap(0); ap(1); : : : ; ap(2n−1)) → (a0; a1; : : : ; a2n−1). Typically prepare vectors supported on first 2n entries so don’t care how permutation acts on last 2n+z − 2n entries. Warning: Number of qubits ≈ number of bit operations in original p; p−1 circuits. This can be much larger than number of bits stored in the original circuits. Many useful techniques to compress into fewer qubits, but often these lose time. Many subtle tradeoffs. Crude “poly-time” analyses don’t care about this, but serious cryptanalysis is much more precise.

fast circuit for p fast circuit for p−1, fast reversible circuit for zeros) → (p(x); zeros). Replace reversible bit operations

• ffoli gates etc.

ermuting C2n+z → C2n+z . ermutation on first 2n entries is ap(1); : : : ; ap(2n−1)) ; a1; : : : ; a2n−1). ypically prepare vectors rted on first 2n entries don’t care how permutation

• n last 2n+z − 2n entries.

Warning: Number of qubits ≈ number of bit operations in original p; p−1 circuits. This can be much larger than number of bits stored in the original circuits. Many useful techniques to compress into fewer qubits, but often these lose time. Many subtle tradeoffs. Crude “poly-time” analyses don’t care about this, but serious cryptanalysis is much more precise. Fast quan “Hadama (a0; a1) →

circuit for p for p−1, ersible circuit for x); zeros). ble bit operations gates etc. → C2n+z . first 2n entries is ; ap(2n−1))

n−1).

re vectors first 2n entries w permutation − 2n entries. Warning: Number of qubits ≈ number of bit operations in original p; p−1 circuits. This can be much larger than number of bits stored in the original circuits. Many useful techniques to compress into fewer qubits, but often these lose time. Many subtle tradeoffs. Crude “poly-time” analyses don’t care about this, but serious cryptanalysis is much more precise. Fast quantum operations, “Hadamard”: (a0; a1) → (a0 + a

for erations . entries is entries ermutation entries. Warning: Number of qubits ≈ number of bit operations in original p; p−1 circuits. This can be much larger than number of bits stored in the original circuits. Many useful techniques to compress into fewer qubits, but often these lose time. Many subtle tradeoffs. Crude “poly-time” analyses don’t care about this, but serious cryptanalysis is much more precise. Fast quantum operations, pa “Hadamard”: (a0; a1) → (a0 + a1; a0 − a1).

Warning: Number of qubits ≈ number of bit operations in original p; p−1 circuits. This can be much larger than number of bits stored in the original circuits. Many useful techniques to compress into fewer qubits, but often these lose time. Many subtle tradeoffs. Crude “poly-time” analyses don’t care about this, but serious cryptanalysis is much more precise. Fast quantum operations, part 2 “Hadamard”: (a0; a1) → (a0 + a1; a0 − a1).

Warning: Number of qubits ≈ number of bit operations in original p; p−1 circuits. This can be much larger than number of bits stored in the original circuits. Many useful techniques to compress into fewer qubits, but often these lose time. Many subtle tradeoffs. Crude “poly-time” analyses don’t care about this, but serious cryptanalysis is much more precise. Fast quantum operations, part 2 “Hadamard”: (a0; a1) → (a0 + a1; a0 − a1). (a0; a1; a2; a3) → (a0 + a1; a0 − a1; a2 + a3; a2 − a3).

Warning: Number of qubits ≈ number of bit operations in original p; p−1 circuits. This can be much larger than number of bits stored in the original circuits. Many useful techniques to compress into fewer qubits, but often these lose time. Many subtle tradeoffs. Crude “poly-time” analyses don’t care about this, but serious cryptanalysis is much more precise. Fast quantum operations, part 2 “Hadamard”: (a0; a1) → (a0 + a1; a0 − a1). (a0; a1; a2; a3) → (a0 + a1; a0 − a1; a2 + a3; a2 − a3). Same for qubit 1: (a0; a1; a2; a3) → (a0 + a2; a1 + a3; a0 − a2; a1 − a3).

Warning: Number of qubits ≈ number of bit operations in original p; p−1 circuits. This can be much larger than number of bits stored in the original circuits. Many useful techniques to compress into fewer qubits, but often these lose time. Many subtle tradeoffs. Crude “poly-time” analyses don’t care about this, but serious cryptanalysis is much more precise. Fast quantum operations, part 2 “Hadamard”: (a0; a1) → (a0 + a1; a0 − a1). (a0; a1; a2; a3) → (a0 + a1; a0 − a1; a2 + a3; a2 − a3). Same for qubit 1: (a0; a1; a2; a3) → (a0 + a2; a1 + a3; a0 − a2; a1 − a3). Qubit 0 and then qubit 1: (a0; a1; a2; a3) → (a0+a1; a0−a1; a2+a3; a2−a3) → (a0 +a1 +a2 +a3; a0 −a1 +a2 −a3, a0 +a1 −a2 −a3; a0 −a1 −a2 +a3).

rning: Number of qubits number of bit operations iginal p; p−1 circuits. can be much larger number of bits stored

• riginal circuits.

useful techniques compress into fewer qubits,

• ften these lose time.

subtle tradeoffs. “poly-time” analyses care about this, serious cryptanalysis much more precise. Fast quantum operations, part 2 “Hadamard”: (a0; a1) → (a0 + a1; a0 − a1). (a0; a1; a2; a3) → (a0 + a1; a0 − a1; a2 + a3; a2 − a3). Same for qubit 1: (a0; a1; a2; a3) → (a0 + a2; a1 + a3; a0 − a2; a1 − a3). Qubit 0 and then qubit 1: (a0; a1; a2; a3) → (a0+a1; a0−a1; a2+a3; a2−a3) → (a0 +a1 +a2 +a3; a0 −a1 +a2 −a3, a0 +a1 −a2 −a3; a0 −a1 −a2 +a3). Repeat n (1; 0; 0; : Measuring always p Measuring can produce Pr[output

er of qubits bit operations circuits. much larger bits stored circuits. techniques fewer qubits, lose time. tradeoffs.

• ly-time” analyses

this, cryptanalysis recise. Fast quantum operations, part 2 “Hadamard”: (a0; a1) → (a0 + a1; a0 − a1). (a0; a1; a2; a3) → (a0 + a1; a0 − a1; a2 + a3; a2 − a3). Same for qubit 1: (a0; a1; a2; a3) → (a0 + a2; a1 + a3; a0 − a2; a1 − a3). Qubit 0 and then qubit 1: (a0; a1; a2; a3) → (a0+a1; a0−a1; a2+a3; a2−a3) → (a0 +a1 +a2 +a3; a0 −a1 +a2 −a3, a0 +a1 −a2 −a3; a0 −a1 −a2 +a3). Repeat n times: e.g., (1; 0; 0; : : : ; 0) → (1 Measuring (1; 0; 0; always produces 0. Measuring (1; 1; 1; can produce any output: Pr[output = q] = 1

qubits erations red qubits, analyses Fast quantum operations, part 2 “Hadamard”: (a0; a1) → (a0 + a1; a0 − a1). (a0; a1; a2; a3) → (a0 + a1; a0 − a1; a2 + a3; a2 − a3). Same for qubit 1: (a0; a1; a2; a3) → (a0 + a2; a1 + a3; a0 − a2; a1 − a3). Qubit 0 and then qubit 1: (a0; a1; a2; a3) → (a0+a1; a0−a1; a2+a3; a2−a3) → (a0 +a1 +a2 +a3; a0 −a1 +a2 −a3, a0 +a1 −a2 −a3; a0 −a1 −a2 +a3). Repeat n times: e.g., (1; 0; 0; : : : ; 0) → (1; 1; 1; : : : Measuring (1; 0; 0; : : : ; 0) always produces 0. Measuring (1; 1; 1; : : : ; 1) can produce any output: Pr[output = q] = 1=2n.

Fast quantum operations, part 2 “Hadamard”: (a0; a1) → (a0 + a1; a0 − a1). (a0; a1; a2; a3) → (a0 + a1; a0 − a1; a2 + a3; a2 − a3). Same for qubit 1: (a0; a1; a2; a3) → (a0 + a2; a1 + a3; a0 − a2; a1 − a3). Qubit 0 and then qubit 1: (a0; a1; a2; a3) → (a0+a1; a0−a1; a2+a3; a2−a3) → (a0 +a1 +a2 +a3; a0 −a1 +a2 −a3, a0 +a1 −a2 −a3; a0 −a1 −a2 +a3). Repeat n times: e.g., (1; 0; 0; : : : ; 0) → (1; 1; 1; : : : ; 1). Measuring (1; 0; 0; : : : ; 0) always produces 0. Measuring (1; 1; 1; : : : ; 1) can produce any output: Pr[output = q] = 1=2n.

Fast quantum operations, part 2 “Hadamard”: (a0; a1) → (a0 + a1; a0 − a1). (a0; a1; a2; a3) → (a0 + a1; a0 − a1; a2 + a3; a2 − a3). Same for qubit 1: (a0; a1; a2; a3) → (a0 + a2; a1 + a3; a0 − a2; a1 − a3). Qubit 0 and then qubit 1: (a0; a1; a2; a3) → (a0+a1; a0−a1; a2+a3; a2−a3) → (a0 +a1 +a2 +a3; a0 −a1 +a2 −a3, a0 +a1 −a2 −a3; a0 −a1 −a2 +a3). Repeat n times: e.g., (1; 0; 0; : : : ; 0) → (1; 1; 1; : : : ; 1). Measuring (1; 0; 0; : : : ; 0) always produces 0. Measuring (1; 1; 1; : : : ; 1) can produce any output: Pr[output = q] = 1=2n. Aside from “normalization” (irrelevant to measurement), have Hadamard = Hadamard−1, so easily work backwards from “uniform superposition” (1; 1; 1; : : : ; 1) to “pure state” (1; 0; 0; : : : ; 0).

quantum operations, part 2 “Hadamard”: ) → (a0 + a1; a0 − a1). ; a2; a3) → a1; a0 − a1; a2 + a3; a2 − a3). for qubit 1: ; a2; a3) → a2; a1 + a3; a0 − a2; a1 − a3). 0 and then qubit 1: ; a2; a3) →

1; a0−a1; a2+a3; a2−a3) → 1 +a2 +a3; a0 −a1 +a2 −a3, 1 −a2 −a3; a0 −a1 −a2 +a3).

Repeat n times: e.g., (1; 0; 0; : : : ; 0) → (1; 1; 1; : : : ; 1). Measuring (1; 0; 0; : : : ; 0) always produces 0. Measuring (1; 1; 1; : : : ; 1) can produce any output: Pr[output = q] = 1=2n. Aside from “normalization” (irrelevant to measurement), have Hadamard = Hadamard−1, so easily work backwards from “uniform superposition” (1; 1; 1; : : : ; 1) to “pure state” (1; 0; 0; : : : ; 0). Simon’s Assume: satisfies for every Can we find given a fast

• perations, part 2

a1; a0 − a1). ; a2 + a3; a2 − a3). 1: ; a0 − a2; a1 − a3). then qubit 1: a2+a3; a2−a3) → ; a0 −a1 +a2 −a3, ; a0 −a1 −a2 +a3). Repeat n times: e.g., (1; 0; 0; : : : ; 0) → (1; 1; 1; : : : ; 1). Measuring (1; 0; 0; : : : ; 0) always produces 0. Measuring (1; 1; 1; : : : ; 1) can produce any output: Pr[output = q] = 1=2n. Aside from “normalization” (irrelevant to measurement), have Hadamard = Hadamard−1, so easily work backwards from “uniform superposition” (1; 1; 1; : : : ; 1) to “pure state” (1; 0; 0; : : : ; 0). Simon’s algorithm Assume: nonzero s satisfies f (x) = f (x for every x ∈ {0; 1 Can we find this p given a fast circuit

part 2

1).

a2 − a3). a1 − a3). −a3) → a2 −a3, −a2 +a3). Repeat n times: e.g., (1; 0; 0; : : : ; 0) → (1; 1; 1; : : : ; 1). Measuring (1; 0; 0; : : : ; 0) always produces 0. Measuring (1; 1; 1; : : : ; 1) can produce any output: Pr[output = q] = 1=2n. Aside from “normalization” (irrelevant to measurement), have Hadamard = Hadamard−1, so easily work backwards from “uniform superposition” (1; 1; 1; : : : ; 1) to “pure state” (1; 0; 0; : : : ; 0). Simon’s algorithm Assume: nonzero s ∈ {0; 1}n satisfies f (x) = f (x ⊕ s) for every x ∈ {0; 1}n. Can we find this period s, given a fast circuit for f ?

Repeat n times: e.g., (1; 0; 0; : : : ; 0) → (1; 1; 1; : : : ; 1). Measuring (1; 0; 0; : : : ; 0) always produces 0. Measuring (1; 1; 1; : : : ; 1) can produce any output: Pr[output = q] = 1=2n. Aside from “normalization” (irrelevant to measurement), have Hadamard = Hadamard−1, so easily work backwards from “uniform superposition” (1; 1; 1; : : : ; 1) to “pure state” (1; 0; 0; : : : ; 0). Simon’s algorithm Assume: nonzero s ∈ {0; 1}n satisfies f (x) = f (x ⊕ s) for every x ∈ {0; 1}n. Can we find this period s, given a fast circuit for f ?

Repeat n times: e.g., (1; 0; 0; : : : ; 0) → (1; 1; 1; : : : ; 1). Measuring (1; 0; 0; : : : ; 0) always produces 0. Measuring (1; 1; 1; : : : ; 1) can produce any output: Pr[output = q] = 1=2n. Aside from “normalization” (irrelevant to measurement), have Hadamard = Hadamard−1, so easily work backwards from “uniform superposition” (1; 1; 1; : : : ; 1) to “pure state” (1; 0; 0; : : : ; 0). Simon’s algorithm Assume: nonzero s ∈ {0; 1}n satisfies f (x) = f (x ⊕ s) for every x ∈ {0; 1}n. Can we find this period s, given a fast circuit for f ? We don’t have enough data if f has many periods. Assume: only periods are 0; s.

Repeat n times: e.g., (1; 0; 0; : : : ; 0) → (1; 1; 1; : : : ; 1). Measuring (1; 0; 0; : : : ; 0) always produces 0. Measuring (1; 1; 1; : : : ; 1) can produce any output: Pr[output = q] = 1=2n. Aside from “normalization” (irrelevant to measurement), have Hadamard = Hadamard−1, so easily work backwards from “uniform superposition” (1; 1; 1; : : : ; 1) to “pure state” (1; 0; 0; : : : ; 0). Simon’s algorithm Assume: nonzero s ∈ {0; 1}n satisfies f (x) = f (x ⊕ s) for every x ∈ {0; 1}n. Can we find this period s, given a fast circuit for f ? We don’t have enough data if f has many periods. Assume: only periods are 0; s. Traditional solution: Compute f for many inputs, sort, analyze collisions. Success probability is very low until #inputs approaches 2n=2.

eat n times: e.g., ; : : : ; 0) → (1; 1; 1; : : : ; 1). Measuring (1; 0; 0; : : : ; 0) produces 0. Measuring (1; 1; 1; : : : ; 1) roduce any output: [output = q] = 1=2n. from “normalization” (irrelevant to measurement), Hadamard = Hadamard−1, easily work backwards “uniform superposition” ; : : : ; 1) to “pure state” ; : : : ; 0). Simon’s algorithm Assume: nonzero s ∈ {0; 1}n satisfies f (x) = f (x ⊕ s) for every x ∈ {0; 1}n. Can we find this period s, given a fast circuit for f ? We don’t have enough data if f has many periods. Assume: only periods are 0; s. Traditional solution: Compute f for many inputs, sort, analyze collisions. Success probability is very low until #inputs approaches 2n=2. Simon’s is much, Say f maps using z “ancilla” for reversibili Prepare n in pure zero vector (1 Use n-fold to move into unifo (1; 1; 1; : with 2n entries

e.g., (1; 1; 1; : : : ; 1). 0; : : : ; 0) 0. 1; : : : ; 1)

• utput:

1=2n. rmalization” measurement), = Hadamard−1, backwards superposition” to “pure state” Simon’s algorithm Assume: nonzero s ∈ {0; 1}n satisfies f (x) = f (x ⊕ s) for every x ∈ {0; 1}n. Can we find this period s, given a fast circuit for f ? We don’t have enough data if f has many periods. Assume: only periods are 0; s. Traditional solution: Compute f for many inputs, sort, analyze collisions. Success probability is very low until #inputs approaches 2n=2. Simon’s algorithm is much, much, much Say f maps n bits using z “ancilla” bits for reversibility. Prepare n + m + z in pure zero state: vector (1; 0; 0; : : :). Use n-fold Hadama to move first n qubits into uniform superp (1; 1; 1; : : : ; 1; 0; 0; with 2n entries 1, others

: : ; 1). rmalization” measurement), Hadamard−1,

• sition”

state” Simon’s algorithm Assume: nonzero s ∈ {0; 1}n satisfies f (x) = f (x ⊕ s) for every x ∈ {0; 1}n. Can we find this period s, given a fast circuit for f ? We don’t have enough data if f has many periods. Assume: only periods are 0; s. Traditional solution: Compute f for many inputs, sort, analyze collisions. Success probability is very low until #inputs approaches 2n=2. Simon’s algorithm is much, much, much faster. Say f maps n bits to m bits, using z “ancilla” bits for reversibility. Prepare n + m + z qubits in pure zero state: vector (1; 0; 0; : : :). Use n-fold Hadamard to move first n qubits into uniform superposition: (1; 1; 1; : : : ; 1; 0; 0; : : :) with 2n entries 1, others 0.

Simon’s algorithm Assume: nonzero s ∈ {0; 1}n satisfies f (x) = f (x ⊕ s) for every x ∈ {0; 1}n. Can we find this period s, given a fast circuit for f ? We don’t have enough data if f has many periods. Assume: only periods are 0; s. Traditional solution: Compute f for many inputs, sort, analyze collisions. Success probability is very low until #inputs approaches 2n=2. Simon’s algorithm is much, much, much faster. Say f maps n bits to m bits, using z “ancilla” bits for reversibility. Prepare n + m + z qubits in pure zero state: vector (1; 0; 0; : : :). Use n-fold Hadamard to move first n qubits into uniform superposition: (1; 1; 1; : : : ; 1; 0; 0; : : :) with 2n entries 1, others 0.

Simon’s algorithm Assume: nonzero s ∈ {0; 1}n satisfies f (x) = f (x ⊕ s) very x ∈ {0; 1}n. e find this period s, a fast circuit for f ? don’t have enough data has many periods. Assume: only periods are 0; s. raditional solution: Compute f for many inputs, analyze collisions. Success probability is very low #inputs approaches 2n=2. Simon’s algorithm is much, much, much faster. Say f maps n bits to m bits, using z “ancilla” bits for reversibility. Prepare n + m + z qubits in pure zero state: vector (1; 0; 0; : : :). Use n-fold Hadamard to move first n qubits into uniform superposition: (1; 1; 1; : : : ; 1; 0; 0; : : :) with 2n entries 1, others 0. Apply fast for reversible 1 in position moves to Note sym 1 at (q; f 1 at (q ⊕ Apply n-fold Measure.

• utput is

Repeat n Use Gaussian to (probably)

rithm nonzero s ∈ {0; 1}n f (x ⊕ s) ; 1}n. period s, circuit for f ? enough data eriods. eriods are 0; s. solution: any inputs, collisions. robability is very low pproaches 2n=2. Simon’s algorithm is much, much, much faster. Say f maps n bits to m bits, using z “ancilla” bits for reversibility. Prepare n + m + z qubits in pure zero state: vector (1; 0; 0; : : :). Use n-fold Hadamard to move first n qubits into uniform superposition: (1; 1; 1; : : : ; 1; 0; 0; : : :) with 2n entries 1, others 0. Apply fast vector p for reversible f computation: 1 in position (q; 0; moves to position Note symmetry bet 1 at (q; f (q); 0) and 1 at (q ⊕ s; f (q); 0). Apply n-fold Hadama

• Measure. By symme
• utput is orthogonal

Repeat n + 10 tim Use Gaussian elimination to (probably) find

}n data 0; s. inputs, low 2n=2. Simon’s algorithm is much, much, much faster. Say f maps n bits to m bits, using z “ancilla” bits for reversibility. Prepare n + m + z qubits in pure zero state: vector (1; 0; 0; : : :). Use n-fold Hadamard to move first n qubits into uniform superposition: (1; 1; 1; : : : ; 1; 0; 0; : : :) with 2n entries 1, others 0. Apply fast vector permutation for reversible f computation: 1 in position (q; 0; 0) moves to position (q; f (q); 0). Note symmetry between 1 at (q; f (q); 0) and 1 at (q ⊕ s; f (q); 0). Apply n-fold Hadamard.

• Measure. By symmetry,
• utput is orthogonal to s.

Repeat n + 10 times. Use Gaussian elimination to (probably) find s.

Simon’s algorithm is much, much, much faster. Say f maps n bits to m bits, using z “ancilla” bits for reversibility. Prepare n + m + z qubits in pure zero state: vector (1; 0; 0; : : :). Use n-fold Hadamard to move first n qubits into uniform superposition: (1; 1; 1; : : : ; 1; 0; 0; : : :) with 2n entries 1, others 0. Apply fast vector permutation for reversible f computation: 1 in position (q; 0; 0) moves to position (q; f (q); 0). Note symmetry between 1 at (q; f (q); 0) and 1 at (q ⊕ s; f (q); 0). Apply n-fold Hadamard.

• Measure. By symmetry,
• utput is orthogonal to s.

Repeat n + 10 times. Use Gaussian elimination to (probably) find s.

Simon’s algorithm much, much, much faster. maps n bits to m bits, z “ancilla” bits versibility. re n + m + z qubits pure zero state: (1; 0; 0; : : :).

• fold Hadamard

move first n qubits uniform superposition: ; : : : ; 1; 0; 0; : : :) entries 1, others 0. Apply fast vector permutation for reversible f computation: 1 in position (q; 0; 0) moves to position (q; f (q); 0). Note symmetry between 1 at (q; f (q); 0) and 1 at (q ⊕ s; f (q); 0). Apply n-fold Hadamard.

• Measure. By symmetry,
• utput is orthogonal to s.

Repeat n + 10 times. Use Gaussian elimination to (probably) find s. Grover’s Assume: has f (s) Traditiona compute hope to Success until #inputs Grover’s reversible Typically: is small enough easily beats

rithm much faster. bits to m bits, bits z qubits state: :). Hadamard qubits erposition: 0; : : :) 1, others 0. Apply fast vector permutation for reversible f computation: 1 in position (q; 0; 0) moves to position (q; f (q); 0). Note symmetry between 1 at (q; f (q); 0) and 1 at (q ⊕ s; f (q); 0). Apply n-fold Hadamard.

• Measure. By symmetry,
• utput is orthogonal to s.

Repeat n + 10 times. Use Gaussian elimination to (probably) find s. Grover’s algorithm Assume: unique s has f (s) = 0. Traditional algorithm compute f for many hope to find output Success probability until #inputs approaches Grover’s algorithm reversible computations Typically: reversibilit is small enough that easily beats traditional

faster. bits,

• sition:

0. Apply fast vector permutation for reversible f computation: 1 in position (q; 0; 0) moves to position (q; f (q); 0). Note symmetry between 1 at (q; f (q); 0) and 1 at (q ⊕ s; f (q); 0). Apply n-fold Hadamard.

• Measure. By symmetry,
• utput is orthogonal to s.

Repeat n + 10 times. Use Gaussian elimination to (probably) find s. Grover’s algorithm Assume: unique s ∈ {0; 1}n has f (s) = 0. Traditional algorithm to find compute f for many inputs, hope to find output 0. Success probability is very lo until #inputs approaches 2n Grover’s algorithm takes only reversible computations of f Typically: reversibility overhead is small enough that this easily beats traditional algorithm.

Apply fast vector permutation for reversible f computation: 1 in position (q; 0; 0) moves to position (q; f (q); 0). Note symmetry between 1 at (q; f (q); 0) and 1 at (q ⊕ s; f (q); 0). Apply n-fold Hadamard.

• Measure. By symmetry,
• utput is orthogonal to s.

Repeat n + 10 times. Use Gaussian elimination to (probably) find s. Grover’s algorithm Assume: unique s ∈ {0; 1}n has f (s) = 0. Traditional algorithm to find s: compute f for many inputs, hope to find output 0. Success probability is very low until #inputs approaches 2n. Grover’s algorithm takes only 2n=2 reversible computations of f . Typically: reversibility overhead is small enough that this easily beats traditional algorithm.

fast vector permutation versible f computation:

• sition (q; 0; 0)

to position (q; f (q); 0). symmetry between ; f (q); 0) and ⊕ s; f (q); 0). n-fold Hadamard.

• Measure. By symmetry,

is orthogonal to s. eat n + 10 times. Gaussian elimination robably) find s. Grover’s algorithm Assume: unique s ∈ {0; 1}n has f (s) = 0. Traditional algorithm to find s: compute f for many inputs, hope to find output 0. Success probability is very low until #inputs approaches 2n. Grover’s algorithm takes only 2n=2 reversible computations of f . Typically: reversibility overhead is small enough that this easily beats traditional algorithm. Start from

• ver all n

Step 1: bq = −a bq = aq This is fast. Step 2: Negate a This is also Repeat steps about 0: Measure With high

r permutation computation: 0; 0)

• sition (q; f (q); 0).

between and ; 0). Hadamard. symmetry, rthogonal to s. times. elimination find s. Grover’s algorithm Assume: unique s ∈ {0; 1}n has f (s) = 0. Traditional algorithm to find s: compute f for many inputs, hope to find output 0. Success probability is very low until #inputs approaches 2n. Grover’s algorithm takes only 2n=2 reversible computations of f . Typically: reversibility overhead is small enough that this easily beats traditional algorithm. Start from uniform

• ver all n-bit strings

Step 1: Set a ← b bq = −aq if f (q) = bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its This is also fast. Repeat steps 1 and about 0:58 · 20:5n times. Measure the n qubits. With high probabilit

ermutation computation: ; 0). Grover’s algorithm Assume: unique s ∈ {0; 1}n has f (s) = 0. Traditional algorithm to find s: compute f for many inputs, hope to find output 0. Success probability is very low until #inputs approaches 2n. Grover’s algorithm takes only 2n=2 reversible computations of f . Typically: reversibility overhead is small enough that this easily beats traditional algorithm. Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds

Grover’s algorithm Assume: unique s ∈ {0; 1}n has f (s) = 0. Traditional algorithm to find s: compute f for many inputs, hope to find output 0. Success probability is very low until #inputs approaches 2n. Grover’s algorithm takes only 2n=2 reversible computations of f . Typically: reversibility overhead is small enough that this easily beats traditional algorithm. Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s.

Grover’s algorithm Assume: unique s ∈ {0; 1}n s) = 0. raditional algorithm to find s: compute f for many inputs, to find output 0. Success probability is very low #inputs approaches 2n. Grover’s algorithm takes only 2n=2 reversible computations of f . ypically: reversibility overhead small enough that this beats traditional algorithm. Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of for an example after 0 steps:

−1.0 −0.5 0.0 0.5 1.0

ithm s ∈ {0; 1}n rithm to find s: any inputs,

• utput 0.

robability is very low proaches 2n. ithm takes only 2n=2 utations of f . reversibility overhead that this traditional algorithm. Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with after 0 steps:

−1.0 −0.5 0.0 0.5 1.0

}n find s: inputs, low 2n.

• nly 2n=2

f .

• verhead

algorithm. Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 0 steps:

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 0 steps:

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after Step 1:

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after Step 1 + Step 2:

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after Step 1 + Step 2 + Step 1:

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 2 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 3 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 4 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 5 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 6 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 7 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 8 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 9 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 10 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 11 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 12 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 13 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 14 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 15 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 16 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 17 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 18 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 19 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 20 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 25 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 30 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 35 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Good moment to stop, measure.

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 40 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 45 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 50 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Traditional stopping point.

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 60 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 70 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 80 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 90 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Start from uniform superposition

• ver all n-bit strings q.

Step 1: Set a ← b where bq = −aq if f (q) = 0, bq = aq otherwise. This is fast. Step 2: “Grover diffusion”. Negate a around its average. This is also fast. Repeat steps 1 and 2 about 0:58 · 20:5n times. Measure the n qubits. With high probability this finds s. Graph of q → aq for an example with n = 12 after 100 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Very bad stopping point.

from uniform superposition all n-bit strings q. 1: Set a ← b where −aq if f (q) = 0,

q otherwise.

fast. 2: “Grover diffusion”. Negate a around its average. also fast. eat steps 1 and 2 0:58 · 20:5n times. Measure the n qubits. high probability this finds s. Graph of q → aq for an example with n = 12 after 100 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Very bad stopping point. q → aq is by a vecto (with fixed (1) aq fo (2) aq fo Step 1 + act linea Easily compute and pow to understand

• f state

⇒ Probabilit after ≈(ı

rm superposition strings q. b where ) = 0,

• therwise.

diffusion”. its average. and 2 times. qubits. robability this finds s. Graph of q → aq for an example with n = 12 after 100 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Very bad stopping point. q → aq is completely by a vector of two (with fixed multiplicities): (1) aq for roots q; (2) aq for non-roots Step 1 + Step 2 act linearly on this Easily compute eigenvalues and powers of this to understand evolution

• f state of Grover’s

⇒ Probability is ≈ after ≈(ı=4)20:5n

• sition

diffusion”. average. finds s. Graph of q → aq for an example with n = 12 after 100 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Very bad stopping point. q → aq is completely describ by a vector of two numbers (with fixed multiplicities): (1) aq for roots q; (2) aq for non-roots q. Step 1 + Step 2 act linearly on this vector. Easily compute eigenvalues and powers of this linear map to understand evolution

• f state of Grover’s algorithm.

⇒ Probability is ≈1 after ≈(ı=4)20:5n iterations.

Graph of q → aq for an example with n = 12 after 100 × (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Very bad stopping point. q → aq is completely described by a vector of two numbers (with fixed multiplicities): (1) aq for roots q; (2) aq for non-roots q. Step 1 + Step 2 act linearly on this vector. Easily compute eigenvalues and powers of this linear map to understand evolution

• f state of Grover’s algorithm.

⇒ Probability is ≈1 after ≈(ı=4)20:5n iterations.

• f q → aq

example with n = 12 100 × (Step 1 + Step 2): bad stopping point. q → aq is completely described by a vector of two numbers (with fixed multiplicities): (1) aq for roots q; (2) aq for non-roots q. Step 1 + Step 2 act linearly on this vector. Easily compute eigenvalues and powers of this linear map to understand evolution

• f state of Grover’s algorithm.

⇒ Probability is ≈1 after ≈(ı=4)20:5n iterations. Notes on Textbook Proof of New Proof of Mislead that best best proven

with n = 12 (Step 1 + Step 2): stopping point. q → aq is completely described by a vector of two numbers (with fixed multiplicities): (1) aq for roots q; (2) aq for non-roots q. Step 1 + Step 2 act linearly on this vector. Easily compute eigenvalues and powers of this linear map to understand evolution

• f state of Grover’s algorithm.

⇒ Probability is ≈1 after ≈(ı=4)20:5n iterations. Notes on provabilit Textbook algorithm Proof of correctness New algorithm

• Proof of run tim

Mislead students into that best algorithm best proven algorithm.

12 2): q → aq is completely described by a vector of two numbers (with fixed multiplicities): (1) aq for roots q; (2) aq for non-roots q. Step 1 + Step 2 act linearly on this vector. Easily compute eigenvalues and powers of this linear map to understand evolution

• f state of Grover’s algorithm.

⇒ Probability is ≈1 after ≈(ı=4)20:5n iterations. Notes on provability Textbook algorithm analysis: Proof of correctness New algorithm

• Proof of run time

Mislead students into thinking that best algorithm = best proven algorithm.

q → aq is completely described by a vector of two numbers (with fixed multiplicities): (1) aq for roots q; (2) aq for non-roots q. Step 1 + Step 2 act linearly on this vector. Easily compute eigenvalues and powers of this linear map to understand evolution

• f state of Grover’s algorithm.

⇒ Probability is ≈1 after ≈(ı=4)20:5n iterations. Notes on provability Textbook algorithm analysis: Proof of correctness New algorithm

• Proof of run time

Mislead students into thinking that best algorithm = best proven algorithm.

is completely described vector of two numbers fixed multiplicities): for roots q; for non-roots q. + Step 2 linearly on this vector. compute eigenvalues wers of this linear map understand evolution state of Grover’s algorithm. Probability is ≈1 (ı=4)20:5n iterations. Notes on provability Textbook algorithm analysis: Proof of correctness New algorithm

• Proof of run time

Mislead students into thinking that best algorithm = best proven algorithm. Reality: cryptanalytic are almost

completely described

• numbers

multiplicities): q; non-roots q. this vector. eigenvalues this linear map evolution Grover’s algorithm. ≈1

n iterations.

Notes on provability Textbook algorithm analysis: Proof of correctness New algorithm

• Proof of run time

Mislead students into thinking that best algorithm = best proven algorithm. Reality: state-of-the-a cryptanalytic algorithms are almost never p

described ers eigenvalues map rithm. iterations. Notes on provability Textbook algorithm analysis: Proof of correctness New algorithm

• Proof of run time

Mislead students into thinking that best algorithm = best proven algorithm. Reality: state-of-the-art cryptanalytic algorithms are almost never proven.

Notes on provability Textbook algorithm analysis: Proof of correctness New algorithm

• Proof of run time

Mislead students into thinking that best algorithm = best proven algorithm. Reality: state-of-the-art cryptanalytic algorithms are almost never proven.

Notes on provability Textbook algorithm analysis: Proof of correctness New algorithm

• Proof of run time

Mislead students into thinking that best algorithm = best proven algorithm. Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!”

Notes on provability Textbook algorithm analysis: Proof of correctness New algorithm

• Proof of run time

Mislead students into thinking that best algorithm = best proven algorithm. Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!” Consensus of the experts: proofs probably do not exist for most of these algorithms. So demanding proofs is silly.

Notes on provability Textbook algorithm analysis: Proof of correctness New algorithm

• Proof of run time

Mislead students into thinking that best algorithm = best proven algorithm. Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!” Consensus of the experts: proofs probably do not exist for most of these algorithms. So demanding proofs is silly. Without proofs, how do we analyze correctness+speed? Answer: Real algorithm analysis relies critically on heuristics and computer experiments.

• n provability
• k algorithm analysis:
• f correctness

New algorithm

• f of run time

Mislead students into thinking est algorithm = roven algorithm. Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!” Consensus of the experts: proofs probably do not exist for most of these algorithms. So demanding proofs is silly. Without proofs, how do we analyze correctness+speed? Answer: Real algorithm analysis relies critically on heuristics and computer experiments. What ab Want to quantum to figure against future

rovability rithm analysis: ctness rithm time students into thinking rithm = rithm. Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!” Consensus of the experts: proofs probably do not exist for most of these algorithms. So demanding proofs is silly. Without proofs, how do we analyze correctness+speed? Answer: Real algorithm analysis relies critically on heuristics and computer experiments. What about quantum Want to analyze, optimize quantum algorithms to figure out safe crypto against future quantum

analysis: thinking Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!” Consensus of the experts: proofs probably do not exist for most of these algorithms. So demanding proofs is silly. Without proofs, how do we analyze correctness+speed? Answer: Real algorithm analysis relies critically on heuristics and computer experiments. What about quantum algorithms? Want to analyze, optimize quantum algorithms today to figure out safe crypto against future quantum attack.

Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!” Consensus of the experts: proofs probably do not exist for most of these algorithms. So demanding proofs is silly. Without proofs, how do we analyze correctness+speed? Answer: Real algorithm analysis relies critically on heuristics and computer experiments. What about quantum algorithms? Want to analyze, optimize quantum algorithms today to figure out safe crypto against future quantum attack.

Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!” Consensus of the experts: proofs probably do not exist for most of these algorithms. So demanding proofs is silly. Without proofs, how do we analyze correctness+speed? Answer: Real algorithm analysis relies critically on heuristics and computer experiments. What about quantum algorithms? Want to analyze, optimize quantum algorithms today to figure out safe crypto against future quantum attack.

• 1. Simulate tiny q. computer?

⇒ Huge extrapolation errors.

Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!” Consensus of the experts: proofs probably do not exist for most of these algorithms. So demanding proofs is silly. Without proofs, how do we analyze correctness+speed? Answer: Real algorithm analysis relies critically on heuristics and computer experiments. What about quantum algorithms? Want to analyze, optimize quantum algorithms today to figure out safe crypto against future quantum attack.

• 1. Simulate tiny q. computer?

⇒ Huge extrapolation errors.

• 2. Faster algorithm-specific

simulation? Yes, sometimes.

Reality: state-of-the-art cryptanalytic algorithms are almost never proven. Ignorant response: “Work harder, find proofs!” Consensus of the experts: proofs probably do not exist for most of these algorithms. So demanding proofs is silly. Without proofs, how do we analyze correctness+speed? Answer: Real algorithm analysis relies critically on heuristics and computer experiments. What about quantum algorithms? Want to analyze, optimize quantum algorithms today to figure out safe crypto against future quantum attack.

• 1. Simulate tiny q. computer?

⇒ Huge extrapolation errors.

• 2. Faster algorithm-specific

simulation? Yes, sometimes.

• 3. Fast trapdoor simulation.

Simulator (like prover) knows more than the algorithm does. Tung Chou has implemented this, found errors in two publications.