quantum algorithms subset sum example for the subset sum
play

Quantum algorithms Subset-sum example: for the subset-sum problem - PowerPoint PPT Presentation

May 09, 2023 •365 likes •2.02k views

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499 852 1927 2535 3596 3608 D. J. Bernstein 4688 5989 6385 7353 7650 9413) University of Illinois at

  1. lattice connection The coding connection Recent asym ① 1 = 499, ✿ ✿ ✿ , ① 12 = 9413. A weight- ✇ subset-sum problem: Eurocrypt ▲ ✒ Z 12 as Is there a subsequence of Howgrave-Graham–Joux: (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ subset-sum ✙ ✿ ❢ ✈ ✈ ① 1 + ✁ ✁ ✁ + ✈ 12 ① 12 = 0 ❣ . 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) (Incorrect ✙ ✿ ✉ ✷ Z 12 as having length ✇ and sum 36634? Eurocrypt ❀ ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0). Replace Z with ( Z ❂ 2) ♠ : Becker–Co ❏ ✒ ❢ 1 ❀ 2 ❀ ✿ ✿ ✿ ❀ 12 ❣ Is there a subsequence of subset-sum ✙ ✿ P ✐ ✷ ❏ ① ✐ = 36634 then (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ ✈ ✷ ▲ where ✈ ✐ = ✉ ✐ � [ ✐ ✷ ❏ ]. Adaptations 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) Asiacrypt ✈ very close to ✉ . having length ✇ and xor 1060? Thomae, Reasonable to hope that This is the central algorithmic Becker–Joux–Ma the closest vector in ▲ to ✉ . ✈ problem in coding theory. Subset-sum algorithms ✙ dimension-1 CVP algorithms.

  2. connection The coding connection Recent asymptotic ① 499, ✿ ✿ ✿ , ① 12 = 9413. A weight- ✇ subset-sum problem: Eurocrypt 2010 Is there a subsequence of Howgrave-Graham–Joux: ▲ ✒ as (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ subset-sum exponent ✙ ✿ ❢ ✈ ✈ ① ✁ ✁ ✁ ✈ 12 ① 12 = 0 ❣ . 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) (Incorrect claim: ✙ ✿ ✉ ✷ as having length ✇ and sum 36634? Eurocrypt 2011 ❀ ❀ ❀ ❀ ❀ ❀ ❀ 0 ❀ 0 ❀ 0 ❀ 0 ❀ 0). Replace Z with ( Z ❂ 2) ♠ : Becker–Coron–Jou ❏ ✒ ❢ ❀ ❀ ✿ ✿ ✿ ❀ 12 ❣ Is there a subsequence of subset-sum exponent ✙ ✿ P ✐ ✷ ❏ ① ✐ 36634 then (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ ✈ ✷ ▲ ✈ ✐ = ✉ ✐ � [ ✐ ✷ ❏ ]. Adaptations to deco 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) Asiacrypt 2011 Ma ✈ to ✉ . having length ✇ and xor 1060? Thomae, Eurocrypt hope that This is the central algorithmic Becker–Joux–May–Meurer. vector in ▲ to ✉ . ✈ problem in coding theory. rithms ✙ CVP algorithms.

  3. The coding connection Recent asymptotic news ① ✿ ✿ ✿ ① = 9413. A weight- ✇ subset-sum problem: Eurocrypt 2010 Is there a subsequence of Howgrave-Graham–Joux: ▲ ✒ (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ subset-sum exponent ✙ 0 ✿ 337. ❢ ✈ ✈ ① ✁ ✁ ✁ ✈ ① 0 ❣ . 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) (Incorrect claim: ✙ 0 ✿ 311.) ✉ ✷ having length ✇ and sum 36634? Eurocrypt 2011 ❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ 0). Replace Z with ( Z ❂ 2) ♠ : Becker–Coron–Joux: ❏ ✒ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ Is there a subsequence of subset-sum exponent ✙ 0 ✿ 291. P ✐ ✷ ❏ ① ✐ then (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ ✈ ✷ ▲ ✈ ✐ ✉ ✐ � ✐ ✷ ❏ ]. Adaptations to decoding: 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) Asiacrypt 2011 May–Meurer– ✈ ✉ having length ✇ and xor 1060? Thomae, Eurocrypt 2012 This is the central algorithmic Becker–Joux–May–Meurer. ▲ to ✉ . ✈ problem in coding theory. ✙ rithms.

  4. The coding connection Recent asymptotic news A weight- ✇ subset-sum problem: Eurocrypt 2010 Is there a subsequence of Howgrave-Graham–Joux: (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ subset-sum exponent ✙ 0 ✿ 337. 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) (Incorrect claim: ✙ 0 ✿ 311.) having length ✇ and sum 36634? Eurocrypt 2011 Replace Z with ( Z ❂ 2) ♠ : Becker–Coron–Joux: Is there a subsequence of subset-sum exponent ✙ 0 ✿ 291. (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ Adaptations to decoding: 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) Asiacrypt 2011 May–Meurer– having length ✇ and xor 1060? Thomae, Eurocrypt 2012 This is the central algorithmic Becker–Joux–May–Meurer. problem in coding theory.

  5. ding connection Recent asymptotic news Post-quantum eight- ✇ subset-sum problem: Eurocrypt 2010 Claimed there a subsequence of Howgrave-Graham–Joux: Lyubashevsky–P ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ subset-sum exponent ✙ 0 ✿ 337. “Public-k ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) (Incorrect claim: ✙ 0 ✿ 311.) primitives length ✇ and sum 36634? as secure Eurocrypt 2011 Replace Z with ( Z ❂ 2) ♠ : Becker–Coron–Joux: There ar there a subsequence of subset-sum exponent ✙ 0 ✿ 291. quantum ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ better than Adaptations to decoding: ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) on the subset Asiacrypt 2011 May–Meurer– length ✇ and xor 1060? Thomae, Eurocrypt 2012 Hmmm. the central algorithmic Becker–Joux–May–Meurer. quantum roblem in coding theory.

  6. connection Recent asymptotic news Post-quantum subset ✇ subset-sum problem: Eurocrypt 2010 Claimed in TCC 2010 subsequence of Howgrave-Graham–Joux: Lyubashevsky–Palacio–Segev ❀ ❀ ❀ 2535 ❀ 3596 ❀ 3608 ❀ subset-sum exponent ✙ 0 ✿ 337. “Public-key cryptograph ❀ ❀ ❀ 7353 ❀ 7650 ❀ 9413) (Incorrect claim: ✙ 0 ✿ 311.) primitives provably ✇ and sum 36634? as secure as subset Eurocrypt 2011 ( Z ❂ 2) ♠ : Becker–Coron–Joux: There are “currently subsequence of subset-sum exponent ✙ 0 ✿ 291. quantum algorithms ❀ ❀ ❀ 2535 ❀ 3596 ❀ 3608 ❀ better than classical Adaptations to decoding: ❀ ❀ ❀ 7353 ❀ 7650 ❀ 9413) on the subset sum Asiacrypt 2011 May–Meurer– ✇ and xor 1060? Thomae, Eurocrypt 2012 Hmmm. What’s the central algorithmic Becker–Joux–May–Meurer. quantum subset-sum ding theory.

  7. Recent asymptotic news Post-quantum subset sum ✇ roblem: Eurocrypt 2010 Claimed in TCC 2010 Howgrave-Graham–Joux: Lyubashevsky–Palacio–Segev ❀ ❀ ❀ ❀ ❀ 3608 ❀ subset-sum exponent ✙ 0 ✿ 337. “Public-key cryptographic ❀ ❀ ❀ ❀ 7650 ❀ 9413) (Incorrect claim: ✙ 0 ✿ 311.) primitives provably ✇ 36634? as secure as subset sum”: Eurocrypt 2011 ♠ ❂ Becker–Coron–Joux: There are “currently no known subset-sum exponent ✙ 0 ✿ 291. quantum algorithms that perfo ❀ ❀ ❀ ❀ ❀ 3608 ❀ better than classical ones Adaptations to decoding: ❀ ❀ ❀ ❀ 7650 ❀ 9413) on the subset sum problem”. Asiacrypt 2011 May–Meurer– ✇ 1060? Thomae, Eurocrypt 2012 Hmmm. What’s the best rithmic Becker–Joux–May–Meurer. quantum subset-sum exponent?

  8. Recent asymptotic news Post-quantum subset sum Eurocrypt 2010 Claimed in TCC 2010 Howgrave-Graham–Joux: Lyubashevsky–Palacio–Segev subset-sum exponent ✙ 0 ✿ 337. “Public-key cryptographic (Incorrect claim: ✙ 0 ✿ 311.) primitives provably as secure as subset sum”: Eurocrypt 2011 Becker–Coron–Joux: There are “currently no known subset-sum exponent ✙ 0 ✿ 291. quantum algorithms that perform better than classical ones Adaptations to decoding: on the subset sum problem”. Asiacrypt 2011 May–Meurer– Thomae, Eurocrypt 2012 Hmmm. What’s the best Becker–Joux–May–Meurer. quantum subset-sum exponent?

  9. Recent asymptotic news Post-quantum subset sum Quantum crypt 2010 Claimed in TCC 2010 Assume ❢ wgrave-Graham–Joux: Lyubashevsky–Palacio–Segev has ♥ -bit subset-sum exponent ✙ 0 ✿ 337. “Public-key cryptographic Generic b rrect claim: ✙ 0 ✿ 311.) primitives provably finds this as secure as subset sum”: ✙ 2 ♥ evaluations crypt 2011 ❢ er–Coron–Joux: There are “currently no known 1996 Grover subset-sum exponent ✙ 0 ✿ 291. quantum algorithms that perform finds this better than classical ones ✙ 2 0 ✿ 5 ♥ quantum Adaptations to decoding: ❢ on the subset sum problem”. Asiacrypt 2011 May–Meurer– on superp Thomae, Eurocrypt 2012 Hmmm. What’s the best Cost of quantu ❢ er–Joux–May–Meurer. quantum subset-sum exponent? ✙ cost of ❢ if cost counts

  10. ptotic news Post-quantum subset sum Quantum search (0.5) Claimed in TCC 2010 Assume that function ❢ wgrave-Graham–Joux: Lyubashevsky–Palacio–Segev has ♥ -bit input, unique onent ✙ 0 ✿ 337. “Public-key cryptographic Generic brute-force ✙ 0 ✿ 311.) primitives provably finds this root using as secure as subset sum”: ✙ 2 ♥ evaluations of ❢ oux: There are “currently no known 1996 Grover metho onent ✙ 0 ✿ 291. quantum algorithms that perform finds this root using better than classical ones ✙ 2 0 ✿ 5 ♥ quantum evaluations ecoding: ❢ on the subset sum problem”. May–Meurer– on superpositions of crypt 2012 Hmmm. What’s the best Cost of quantum evaluation ❢ er–Joux–May–Meurer. quantum subset-sum exponent? ✙ cost of evaluation ❢ if cost counts qubit

  11. Post-quantum subset sum Quantum search (0.5) Claimed in TCC 2010 Assume that function ❢ Lyubashevsky–Palacio–Segev has ♥ -bit input, unique root. ✙ ✿ 337. “Public-key cryptographic Generic brute-force search ✙ ✿ primitives provably finds this root using as secure as subset sum”: ✙ 2 ♥ evaluations of ❢ . There are “currently no known 1996 Grover method ✙ ✿ 291. quantum algorithms that perform finds this root using better than classical ones ✙ 2 0 ✿ 5 ♥ quantum evaluations ❢ on the subset sum problem”. y–Meurer– on superpositions of inputs. Hmmm. What’s the best Cost of quantum evaluation ❢ y–Meurer. quantum subset-sum exponent? ✙ cost of evaluation of ❢ if cost counts qubit “operations”.

  12. Post-quantum subset sum Quantum search (0.5) Claimed in TCC 2010 Assume that function ❢ Lyubashevsky–Palacio–Segev has ♥ -bit input, unique root. “Public-key cryptographic Generic brute-force search primitives provably finds this root using as secure as subset sum”: ✙ 2 ♥ evaluations of ❢ . There are “currently no known 1996 Grover method quantum algorithms that perform finds this root using better than classical ones ✙ 2 0 ✿ 5 ♥ quantum evaluations of ❢ on the subset sum problem”. on superpositions of inputs. Hmmm. What’s the best Cost of quantum evaluation of ❢ quantum subset-sum exponent? ✙ cost of evaluation of ❢ if cost counts qubit “operations”.

  13. ost-quantum subset sum Quantum search (0.5) Easily adapt different Claimed in TCC 2010 Assume that function ❢ and # not Lyubashevsky–Palacio–Segev has ♥ -bit input, unique root. Faster if “Public-key cryptographic Generic brute-force search but typic rimitives provably finds this root using Most interesting: ✷ ❢ ❀ ❣ secure as subset sum”: ✙ 2 ♥ evaluations of ❢ . are “currently no known 1996 Grover method quantum algorithms that perform finds this root using than classical ones ✙ 2 0 ✿ 5 ♥ quantum evaluations of ❢ subset sum problem”. on superpositions of inputs. Hmmm. What’s the best Cost of quantum evaluation of ❢ quantum subset-sum exponent? ✙ cost of evaluation of ❢ if cost counts qubit “operations”.

  14. subset sum Quantum search (0.5) Easily adapt to handle different # of roots, 2010 Assume that function ❢ and # not known alacio–Segev has ♥ -bit input, unique root. Faster if # is large, cryptographic Generic brute-force search but typically # is not rovably finds this root using Most interesting: # ✷ ❢ ❀ ❣ subset sum”: ✙ 2 ♥ evaluations of ❢ . “currently no known 1996 Grover method rithms that perform finds this root using classical ones ✙ 2 0 ✿ 5 ♥ quantum evaluations of ❢ sum problem”. on superpositions of inputs. the best Cost of quantum evaluation of ❢ subset-sum exponent? ✙ cost of evaluation of ❢ if cost counts qubit “operations”.

  15. Quantum search (0.5) Easily adapt to handle different # of roots, Assume that function ❢ and # not known in advance. alacio–Segev has ♥ -bit input, unique root. Faster if # is large, Generic brute-force search but typically # is not very la finds this root using Most interesting: # ✷ ❢ 0 ❀ 1 ❣ ✙ 2 ♥ evaluations of ❢ . known 1996 Grover method perform finds this root using ✙ 2 0 ✿ 5 ♥ quantum evaluations of ❢ m”. on superpositions of inputs. Cost of quantum evaluation of ❢ onent? ✙ cost of evaluation of ❢ if cost counts qubit “operations”.

  16. Quantum search (0.5) Easily adapt to handle different # of roots, Assume that function ❢ and # not known in advance. has ♥ -bit input, unique root. Faster if # is large, Generic brute-force search but typically # is not very large. finds this root using Most interesting: # ✷ ❢ 0 ❀ 1 ❣ . ✙ 2 ♥ evaluations of ❢ . 1996 Grover method finds this root using ✙ 2 0 ✿ 5 ♥ quantum evaluations of ❢ on superpositions of inputs. Cost of quantum evaluation of ❢ ✙ cost of evaluation of ❢ if cost counts qubit “operations”.

  17. Quantum search (0.5) Easily adapt to handle different # of roots, Assume that function ❢ and # not known in advance. has ♥ -bit input, unique root. Faster if # is large, Generic brute-force search but typically # is not very large. finds this root using Most interesting: # ✷ ❢ 0 ❀ 1 ❣ . ✙ 2 ♥ evaluations of ❢ . Apply to the function 1996 Grover method ❏ ✼✦ Σ( ❏ ) � t where finds this root using Σ( ❏ ) = P ✐ ✷ ❏ ① ✐ . ✙ 2 0 ✿ 5 ♥ quantum evaluations of ❢ Cost 2 0 ✿ 5 ♥ to find root (i.e., on superpositions of inputs. to find indices of subsequence Cost of quantum evaluation of ❢ of ① 1 ❀ ✿ ✿ ✿ ❀ ① ♥ with sum t ) ✙ cost of evaluation of ❢ or to decide that no root exists. if cost counts qubit “operations”. We suppress poly factors in cost.

  18. Quantum search (0.5) Easily adapt to handle Algorithm different # of roots, Represent ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥ ❣ Assume that function ❢ and # not known in advance. ♥ � integer b ♥ -bit input, unique root. Faster if # is large, ♥ bits are Generic brute-force search but typically # is not very large. to store this root using Most interesting: # ✷ ❢ 0 ❀ 1 ❣ . ✙ ♥ evaluations of ❢ . ♥ qubits Apply to the function a superp ❏ Grover method ❏ ✼✦ Σ( ❏ ) � t where 2 ♥ complex this root using Σ( ❏ ) = P ✐ ✷ ❏ ① ✐ . ✿ ♥ quantum evaluations of ❢ ❛ 0 ❀ ✿ ✿ ✿ ❀ ❛ ♥ � ✙ Cost 2 0 ✿ 5 ♥ to find root (i.e., ❥ ❛ 0 ❥ 2 + ✁ ✁ ✁ ❥ ❛ ♥ � ❥ erpositions of inputs. to find indices of subsequence Measuring ♥ of quantum evaluation of ❢ of ① 1 ❀ ✿ ✿ ✿ ❀ ① ♥ with sum t ) has chance ❥ ❛ ❏ ❥ ❏ ✙ cost of evaluation of ❢ or to decide that no root exists. Start from counts qubit “operations”. We suppress poly factors in cost. i.e., ❛ ❏ = ❂ ♥❂ ❏

  19. (0.5) Easily adapt to handle Algorithm details fo different # of roots, Represent ❏ ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ function ❢ and # not known in advance. ♥ � integer between 0 ♥ unique root. Faster if # is large, ♥ bits are enough rce search but typically # is not very large. to store one such integer. using Most interesting: # ✷ ❢ 0 ❀ 1 ❣ . ✙ ♥ of ❢ . ♥ qubits store much Apply to the function a superposition over ❏ method ❏ ✼✦ Σ( ❏ ) � t where 2 ♥ complex amplitudes using Σ( ❏ ) = P ✐ ✷ ❏ ① ✐ . ✿ ♥ ❛ 0 ❀ ✿ ✿ ✿ ❀ ❛ 2 ♥ � 1 with ✙ evaluations of ❢ Cost 2 0 ✿ 5 ♥ to find root (i.e., ❥ ❛ 0 ❥ 2 + ✁ ✁ ✁ + ❥ ❛ 2 ♥ � ❥ ositions of inputs. to find indices of subsequence Measuring these ♥ evaluation of ❢ of ① 1 ❀ ✿ ✿ ✿ ❀ ① ♥ with sum t ) has chance ❥ ❛ ❏ ❥ 2 to ❏ ✙ evaluation of ❢ or to decide that no root exists. Start from uniform qubit “operations”. We suppress poly factors in cost. i.e., ❛ ❏ = 1 ❂ 2 ♥❂ 2 fo ❏

  20. Easily adapt to handle Algorithm details for unique different # of roots, Represent ❏ ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ as ❢ and # not known in advance. integer between 0 and 2 ♥ � ♥ ot. Faster if # is large, ♥ bits are enough space but typically # is not very large. to store one such integer. Most interesting: # ✷ ❢ 0 ❀ 1 ❣ . ✙ ♥ ❢ ♥ qubits store much more, Apply to the function a superposition over sets ❏ : ❏ ✼✦ Σ( ❏ ) � t where 2 ♥ complex amplitudes Σ( ❏ ) = P ✐ ✷ ❏ ① ✐ . ✿ ♥ ❛ 0 ❀ ✿ ✿ ✿ ❀ ❛ 2 ♥ � 1 with ✙ evaluations of ❢ Cost 2 0 ✿ 5 ♥ to find root (i.e., ❥ ❛ 0 ❥ 2 + ✁ ✁ ✁ + ❥ ❛ 2 ♥ � 1 ❥ 2 = 1. inputs. to find indices of subsequence Measuring these ♥ qubits evaluation of ❢ of ① 1 ❀ ✿ ✿ ✿ ❀ ① ♥ with sum t ) has chance ❥ ❛ ❏ ❥ 2 to produce ❏ ✙ ❢ or to decide that no root exists. Start from uniform superposition, erations”. We suppress poly factors in cost. i.e., ❛ ❏ = 1 ❂ 2 ♥❂ 2 for all ❏ .

  21. Easily adapt to handle Algorithm details for unique root: different # of roots, Represent ❏ ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ as an and # not known in advance. integer between 0 and 2 ♥ � 1. Faster if # is large, ♥ bits are enough space but typically # is not very large. to store one such integer. Most interesting: # ✷ ❢ 0 ❀ 1 ❣ . ♥ qubits store much more, Apply to the function a superposition over sets ❏ : ❏ ✼✦ Σ( ❏ ) � t where 2 ♥ complex amplitudes Σ( ❏ ) = P ✐ ✷ ❏ ① ✐ . ❛ 0 ❀ ✿ ✿ ✿ ❀ ❛ 2 ♥ � 1 with Cost 2 0 ✿ 5 ♥ to find root (i.e., ❥ ❛ 0 ❥ 2 + ✁ ✁ ✁ + ❥ ❛ 2 ♥ � 1 ❥ 2 = 1. to find indices of subsequence Measuring these ♥ qubits of ① 1 ❀ ✿ ✿ ✿ ❀ ① ♥ with sum t ) has chance ❥ ❛ ❏ ❥ 2 to produce ❏ . or to decide that no root exists. Start from uniform superposition, We suppress poly factors in cost. i.e., ❛ ❏ = 1 ❂ 2 ♥❂ 2 for all ❏ .

  22. adapt to handle Algorithm details for unique root: Step 1: ❛ ✥ ❜ different # of roots, ❜ ❏ = � ❛ ❏ ❏ t Represent ❏ ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ as an not known in advance. ❜ ❏ = ❛ ❏ integer between 0 and 2 ♥ � 1. if # is large, This is ab ♥ bits are enough space ypically # is not very large. as computing to store one such integer. interesting: # ✷ ❢ 0 ❀ 1 ❣ . Step 2: ♥ qubits store much more, to the function Set ❛ ✥ ❜ a superposition over sets ❏ : ❂ ♥ P ❏ ✼✦ Σ( ❏ ) � t where ❜ ❏ = � ❛ ❏ ■ ❛ ■ 2 ♥ complex amplitudes P ✐ ✷ ❏ ① ✐ . This is also ❏ ❛ 0 ❀ ✿ ✿ ✿ ❀ ❛ 2 ♥ � 1 with 0 ✿ 5 ♥ to find root (i.e., Repeat steps ❥ ❛ 0 ❥ 2 + ✁ ✁ ✁ + ❥ ❛ 2 ♥ � 1 ❥ 2 = 1. ✿ ♥ indices of subsequence about 0 ✿ ✁ Measuring these ♥ qubits ① ❀ ✿ ✿ ✿ ❀ ① ♥ with sum t ) has chance ❥ ❛ ❏ ❥ 2 to produce ❏ . Measure ♥ decide that no root exists. With high Start from uniform superposition, suppress poly factors in cost. i.e., ❛ ❏ = 1 ❂ 2 ♥❂ 2 for all ❏ . the unique ❏ ❏ t

  23. handle Algorithm details for unique root: Step 1: Set ❛ ✥ ❜ ots, ❜ ❏ = � ❛ ❏ if Σ( ❏ ) t Represent ❏ ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ as an wn in advance. ❜ ❏ = ❛ ❏ otherwise. integer between 0 and 2 ♥ � 1. rge, This is about as easy ♥ bits are enough space is not very large. as computing Σ. to store one such integer. interesting: # ✷ ❢ 0 ❀ 1 ❣ . Step 2: “Grover diffusion”. ♥ qubits store much more, function Set ❛ ✥ ❜ where a superposition over sets ❏ : ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ P ❏ ✼✦ ❏ � t where ■ ❛ ■ 2 ♥ complex amplitudes P ✐ ✷ ❏ ① ✐ . This is also easy. ❏ ❛ 0 ❀ ✿ ✿ ✿ ❀ ❛ 2 ♥ � 1 with ✿ ♥ find root (i.e., Repeat steps 1 and ❥ ❛ 0 ❥ 2 + ✁ ✁ ✁ + ❥ ❛ 2 ♥ � 1 ❥ 2 = 1. about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ of subsequence Measuring these ♥ qubits ① ❀ ✿ ✿ ✿ ❀ ① ♥ with sum t ) has chance ❥ ❛ ❏ ❥ 2 to produce ❏ . Measure the ♥ qubits. that no root exists. With high probabilit Start from uniform superposition, oly factors in cost. i.e., ❛ ❏ = 1 ❂ 2 ♥❂ 2 for all ❏ . the unique ❏ such ❏ t

  24. Algorithm details for unique root: Step 1: Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , Represent ❏ ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ as an advance. ❜ ❏ = ❛ ❏ otherwise. integer between 0 and 2 ♥ � 1. This is about as easy ♥ bits are enough space large. as computing Σ. to store one such integer. ✷ ❢ ❀ 1 ❣ . Step 2: “Grover diffusion”. ♥ qubits store much more, Set ❛ ✥ ❜ where a superposition over sets ❏ : ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ❏ ✼✦ ❏ � t ■ ❛ ■ . 2 ♥ complex amplitudes P This is also easy. ❏ ✐ ✷ ❏ ① ✐ ❛ 0 ❀ ✿ ✿ ✿ ❀ ❛ 2 ♥ � 1 with ✿ ♥ (i.e., Repeat steps 1 and 2 ❥ ❛ 0 ❥ 2 + ✁ ✁ ✁ + ❥ ❛ 2 ♥ � 1 ❥ 2 = 1. about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. subsequence Measuring these ♥ qubits ① ❀ ✿ ✿ ✿ ❀ ① ♥ t has chance ❥ ❛ ❏ ❥ 2 to produce ❏ . Measure the ♥ qubits. exists. With high probability this finds Start from uniform superposition, in cost. i.e., ❛ ❏ = 1 ❂ 2 ♥❂ 2 for all ❏ . the unique ❏ such that Σ( ❏ ) t

  25. Algorithm details for unique root: Step 1: Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , Represent ❏ ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ as an ❜ ❏ = ❛ ❏ otherwise. integer between 0 and 2 ♥ � 1. This is about as easy ♥ bits are enough space as computing Σ. to store one such integer. Step 2: “Grover diffusion”. ♥ qubits store much more, Set ❛ ✥ ❜ where a superposition over sets ❏ : ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 2 ♥ complex amplitudes This is also easy. ❛ 0 ❀ ✿ ✿ ✿ ❀ ❛ 2 ♥ � 1 with Repeat steps 1 and 2 ❥ ❛ 0 ❥ 2 + ✁ ✁ ✁ + ❥ ❛ 2 ♥ � 1 ❥ 2 = 1. about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measuring these ♥ qubits has chance ❥ ❛ ❏ ❥ 2 to produce ❏ . Measure the ♥ qubits. With high probability this finds Start from uniform superposition, i.e., ❛ ❏ = 1 ❂ 2 ♥❂ 2 for all ❏ . the unique ❏ such that Σ( ❏ ) = t .

  26. rithm details for unique root: Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 ♥ resent ❏ ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ as an ❜ ❏ = ❛ ❏ otherwise. after 0 steps: integer between 0 and 2 ♥ � 1. This is about as easy 1.0 ♥ are enough space as computing Σ. re one such integer. Step 2: “Grover diffusion”. 0.5 ♥ qubits store much more, Set ❛ ✥ ❜ where erposition over sets ❏ : ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . ♥ complex amplitudes 0.0 This is also easy. ❛ ❀ ✿ ✿ ✿ ❀ ❛ 2 ♥ � 1 with Repeat steps 1 and 2 ✁ ✁ ✁ + ❥ ❛ 2 ♥ � 1 ❥ 2 = 1. ❥ ❛ ❥ −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measuring these ♥ qubits chance ❥ ❛ ❏ ❥ 2 to produce ❏ . Measure the ♥ qubits. −1.0 With high probability this finds from uniform superposition, ❛ ❏ = 1 ❂ 2 ♥❂ 2 for all ❏ . the unique ❏ such that Σ( ❏ ) = t .

  27. ls for unique root: Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example ♥ ❏ ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ as an ❜ ❏ = ❛ ❏ otherwise. after 0 steps: 0 and 2 ♥ � 1. This is about as easy 1.0 ♥ enough space as computing Σ. such integer. Step 2: “Grover diffusion”. 0.5 ♥ much more, Set ❛ ✥ ❜ where over sets ❏ : ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . ♥ 0.0 amplitudes This is also easy. ❛ ❀ ✿ ✿ ✿ ❀ ❛ ♥ � with Repeat steps 1 and 2 ❥ ❛ ♥ � 1 ❥ 2 = 1. ❥ ❛ ❥ ✁ ✁ ✁ −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. ♥ qubits ❥ ❛ ❏ ❥ to produce ❏ . Measure the ♥ qubits. −1.0 With high probability this finds rm superposition, ❂ ♥❂ for all ❏ . the unique ❏ such that Σ( ❏ ) = t . ❛ ❏

  28. unique root: Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥ ❣ as an ❜ ❏ = ❛ ❏ otherwise. after 0 steps: ♥ � 1. This is about as easy 1.0 ♥ as computing Σ. Step 2: “Grover diffusion”. 0.5 ♥ re, Set ❛ ✥ ❜ where ❏ : ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . ♥ 0.0 This is also easy. ❛ ❀ ✿ ✿ ✿ ❀ ❛ ♥ � Repeat steps 1 and 2 ❥ ❛ ❥ ✁ ✁ ✁ ❥ ❛ ♥ � ❥ 1. −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. ♥ ❥ ❛ ❏ ❥ duce ❏ . Measure the ♥ qubits. −1.0 With high probability this finds osition, the unique ❏ such that Σ( ❏ ) = t . ❂ ♥❂ ❛ ❏ ❏ .

  29. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 0 steps: This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  30. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after Step 1: This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  31. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after Step 1 + Step 2: This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  32. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after Step 1 + Step 2 + Step 1: This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  33. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 2 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  34. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 3 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  35. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 4 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  36. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 5 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  37. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 6 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  38. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 7 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  39. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 8 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  40. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 9 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  41. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 10 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  42. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 11 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  43. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 12 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  44. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 13 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  45. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 14 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  46. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 15 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  47. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 16 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  48. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 17 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  49. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 18 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  50. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 19 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  51. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 20 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  52. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 25 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  53. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 30 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  54. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 35 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds Good moment to stop, measure. the unique ❏ such that Σ( ❏ ) = t .

  55. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 40 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  56. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 45 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  57. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 50 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds Traditional stopping point. the unique ❏ such that Σ( ❏ ) = t .

  58. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 60 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  59. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 70 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  60. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 80 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  61. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 90 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds the unique ❏ such that Σ( ❏ ) = t .

  62. Step 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❜ ❏ = � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 ❜ ❏ = ❛ ❏ otherwise. after 100 ✂ (Step 1 + Step 2): This is about as easy 1.0 as computing Σ. Step 2: “Grover diffusion”. 0.5 Set ❛ ✥ ❜ where ❜ ❏ = � ❛ ❏ + (2 ❂ 2 ♥ ) P ■ ❛ ■ . 0.0 This is also easy. Repeat steps 1 and 2 −0.5 about 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. Measure the ♥ qubits. −1.0 With high probability this finds Very bad stopping point. the unique ❏ such that Σ( ❏ ) = t .

  63. 1: Set ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❏ ✼✦ ❛ ❏ ❜ ❏ � ❛ ❏ if Σ( ❏ ) = t , for 36634 example with ♥ = 12 by a vecto ❜ ❏ ❛ ❏ otherwise. after 100 ✂ (Step 1 + Step 2): (with fixed about as easy (1) ❛ ❏ fo ❏ 1.0 computing Σ. (2) ❛ ❏ fo ❏ 2: “Grover diffusion”. Step 1 + 0.5 ❛ ✥ ❜ where act linea � ❛ ❏ + (2 ❂ 2 ♥ ) P ❜ ❏ ■ ❛ ■ . Easily compute 0.0 also easy. and pow eat steps 1 and 2 to understand −0.5 0 ✿ 58 ✁ 2 0 ✿ 5 ♥ times. of state ✮ Probabilit ✙ Measure the ♥ qubits. ✿ ♥ after ✙ ( ✙❂ −1.0 high probability this finds Very bad stopping point. unique ❏ such that Σ( ❏ ) = t .

  64. ❛ ✥ ❜ where Graph of ❏ ✼✦ ❛ ❏ ❏ ✼✦ ❛ ❏ is completely ❜ ❏ � ❛ ❏ ❏ ) = t , for 36634 example with ♥ = 12 by a vector of two ❜ ❏ ❛ ❏ otherwise. after 100 ✂ (Step 1 + Step 2): (with fixed multiplicities): easy (1) ❛ ❏ for roots ❏ ; 1.0 Σ. (2) ❛ ❏ for non-roots ❏ diffusion”. Step 1 + Step 2 0.5 ❛ ✥ ❜ act linearly on this ❂ 2 ♥ ) P ❜ ❏ � ❛ ❏ ■ ❛ ■ . Easily compute eigenvalues 0.0 . and powers of this and 2 to understand evolution −0.5 ✿ ♥ times. ✿ ✁ of state of Grover’s ✮ Probability is ✙ ♥ qubits. after ✙ ( ✙❂ 4)2 0 ✿ 5 ♥ −1.0 robability this finds Very bad stopping point. ❏ such that Σ( ❏ ) = t .

  65. ❛ ✥ ❜ Graph of ❏ ✼✦ ❛ ❏ ❏ ✼✦ ❛ ❏ is completely describ ❜ ❏ � ❛ ❏ ❏ t for 36634 example with ♥ = 12 by a vector of two numbers ❜ ❏ ❛ ❏ after 100 ✂ (Step 1 + Step 2): (with fixed multiplicities): (1) ❛ ❏ for roots ❏ ; 1.0 (2) ❛ ❏ for non-roots ❏ . diffusion”. Step 1 + Step 2 0.5 ❛ ✥ ❜ act linearly on this vector. ❂ ♥ P ❜ ❏ � ❛ ❏ ■ ❛ ■ . Easily compute eigenvalues 0.0 and powers of this linear map to understand evolution −0.5 ✿ ♥ ✿ ✁ of state of Grover’s algorithm. ✮ Probability is ✙ 1 ♥ after ✙ ( ✙❂ 4)2 0 ✿ 5 ♥ iterations. −1.0 finds Very bad stopping point. ❏ ❏ ) = t .

  66. Graph of ❏ ✼✦ ❛ ❏ ❏ ✼✦ ❛ ❏ is completely described for 36634 example with ♥ = 12 by a vector of two numbers after 100 ✂ (Step 1 + Step 2): (with fixed multiplicities): (1) ❛ ❏ for roots ❏ ; 1.0 (2) ❛ ❏ for non-roots ❏ . Step 1 + Step 2 0.5 act linearly on this vector. Easily compute eigenvalues 0.0 and powers of this linear map to understand evolution −0.5 of state of Grover’s algorithm. ✮ Probability is ✙ 1 after ✙ ( ✙❂ 4)2 0 ✿ 5 ♥ iterations. −1.0 Very bad stopping point.

  67. of ❏ ✼✦ ❛ ❏ ❏ ✼✦ ❛ ❏ is completely described Left-right 36634 example with ♥ = 12 by a vector of two numbers Don’t need 100 ✂ (Step 1 + Step 2): (with fixed multiplicities): to achieve ✿ (1) ❛ ❏ for roots ❏ ; For simplicit ♥ ✷ (2) ❛ ❏ for non-roots ❏ . 1974 Ho Step 1 + Step 2 Sort list ❏ act linearly on this vector. for all ❏ 1 ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ Easily compute eigenvalues and list of t � ❏ and powers of this linear map for all ❏ 2 ✒ ❢ ♥❂ ❀ ✿ ✿ ✿ ❀ ♥ ❣ to understand evolution Merge to of state of Grover’s algorithm. Σ( ❏ 1 ) = t � ❏ ✮ Probability is ✙ 1 i.e., Σ( ❏ 1 ❬ ❏ t after ✙ ( ✙❂ 4)2 0 ✿ 5 ♥ iterations. bad stopping point.

  68. ❏ ✼✦ ❛ ❏ ❏ ✼✦ ❛ ❏ is completely described Left-right split (0.5) example with ♥ = 12 by a vector of two numbers Don’t need quantum ✂ (Step 1 + Step 2): (with fixed multiplicities): to achieve exponent ✿ (1) ❛ ❏ for roots ❏ ; For simplicity assume ♥ ✷ (2) ❛ ❏ for non-roots ❏ . 1974 Horowitz–Sahni: Step 1 + Step 2 Sort list of Σ( ❏ 1 ) act linearly on this vector. for all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ Easily compute eigenvalues and list of t � Σ( ❏ and powers of this linear map for all ❏ 2 ✒ ❢ ♥❂ 2 + ❀ ✿ ✿ ✿ ❀ ♥ ❣ to understand evolution Merge to find collisions of state of Grover’s algorithm. Σ( ❏ 1 ) = t � Σ( ❏ 2 ), ✮ Probability is ✙ 1 i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t after ✙ ( ✙❂ 4)2 0 ✿ 5 ♥ iterations. stopping point.

  69. ❏ ✼✦ ❛ ❏ ❏ ✼✦ ❛ ❏ is completely described Left-right split (0.5) ♥ = 12 by a vector of two numbers Don’t need quantum computers ✂ 2): (with fixed multiplicities): to achieve exponent 0 ✿ 5. (1) ❛ ❏ for roots ❏ ; For simplicity assume ♥ ✷ 2 Z (2) ❛ ❏ for non-roots ❏ . 1974 Horowitz–Sahni: Step 1 + Step 2 Sort list of Σ( ❏ 1 ) act linearly on this vector. for all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ Easily compute eigenvalues and list of t � Σ( ❏ 2 ) and powers of this linear map for all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ to understand evolution Merge to find collisions of state of Grover’s algorithm. Σ( ❏ 1 ) = t � Σ( ❏ 2 ), ✮ Probability is ✙ 1 i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t . after ✙ ( ✙❂ 4)2 0 ✿ 5 ♥ iterations.

  70. ❏ ✼✦ ❛ ❏ is completely described Left-right split (0.5) by a vector of two numbers Don’t need quantum computers (with fixed multiplicities): to achieve exponent 0 ✿ 5. (1) ❛ ❏ for roots ❏ ; For simplicity assume ♥ ✷ 2 Z . (2) ❛ ❏ for non-roots ❏ . 1974 Horowitz–Sahni: Step 1 + Step 2 Sort list of Σ( ❏ 1 ) act linearly on this vector. for all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ Easily compute eigenvalues and list of t � Σ( ❏ 2 ) and powers of this linear map for all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ . to understand evolution Merge to find collisions of state of Grover’s algorithm. Σ( ❏ 1 ) = t � Σ( ❏ 2 ), ✮ Probability is ✙ 1 i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t . after ✙ ( ✙❂ 4)2 0 ✿ 5 ♥ iterations.

  71. Cost 2 0 ✿ 5 ♥ ❏ ✼✦ ❛ ❏ is completely described Left-right split (0.5) vector of two numbers We assign Don’t need quantum computers fixed multiplicities): to achieve exponent 0 ✿ 5. e.g. 36634 ❛ ❏ for roots ❏ ; (499 ❀ 852 ❀ ❀ ❀ ❀ ❀ For simplicity assume ♥ ✷ 2 Z . ❛ ❏ for non-roots ❏ . 4688 ❀ 5989 ❀ ❀ ❀ ❀ 1974 Horowitz–Sahni: + Step 2 Sort the Sort list of Σ( ❏ 1 ) linearly on this vector. 0 ❀ 499 ❀ 852 ❀ ❀ ✿ ✿ ✿ ❀ for all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ compute eigenvalues 499 + 852 ✁ ✁ ✁ and list of t � Σ( ❏ 2 ) wers of this linear map and the for all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ . understand evolution 36634 � ❀ � ❀ ✿ ✿ ✿ ❀ Merge to find collisions state of Grover’s algorithm. 36634 � � ✁ ✁ ✁ � Σ( ❏ 1 ) = t � Σ( ❏ 2 ), ✮ Probability is ✙ 1 to see that i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t . ✙ ( ✙❂ 4)2 0 ✿ 5 ♥ iterations. 499 + 852 36634 � 5989 � � �

  72. Cost 2 0 ✿ 5 ♥ for sorting, ❏ ✼✦ ❛ ❏ completely described Left-right split (0.5) o numbers We assign cost 1 to Don’t need quantum computers multiplicities): to achieve exponent 0 ✿ 5. e.g. 36634 as sum ❛ ❏ ❏ ; (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ ❀ ❀ For simplicity assume ♥ ✷ 2 Z . ❛ ❏ non-roots ❏ . 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ ❀ 1974 Horowitz–Sahni: Sort the 64 sums Sort list of Σ( ❏ 1 ) this vector. 0 ❀ 499 ❀ 852 ❀ 499 + 852 ❀ ✿ ✿ ✿ ❀ for all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ eigenvalues 499 + 852 + 1927 ✁ ✁ ✁ and list of t � Σ( ❏ 2 ) this linear map and the 64 differences for all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ . evolution 36634 � 0 ❀ 36634 � ❀ ✿ ✿ ✿ ❀ Merge to find collisions Grover’s algorithm. 36634 � 4688 � ✁ ✁ ✁ � Σ( ❏ 1 ) = t � Σ( ❏ 2 ), ✙ 1 to see that ✮ i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t . ✿ ♥ iterations. ✙ ✙❂ 499 + 852 + 2535 36634 � 5989 � 6385 � �

  73. Cost 2 0 ✿ 5 ♥ for sorting, merging. ❏ ✼✦ ❛ ❏ described Left-right split (0.5) ers We assign cost 1 to RAM. Don’t need quantum computers to achieve exponent 0 ✿ 5. e.g. 36634 as sum of ❛ ❏ ❏ (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ For simplicity assume ♥ ✷ 2 Z . ❛ ❏ ❏ 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 1974 Horowitz–Sahni: Sort the 64 sums Sort list of Σ( ❏ 1 ) 0 ❀ 499 ❀ 852 ❀ 499 + 852 ❀ ✿ ✿ ✿ ❀ for all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ eigenvalues 499 + 852 + 1927 + ✁ ✁ ✁ + 3608 and list of t � Σ( ❏ 2 ) map and the 64 differences for all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ . 36634 � 0 ❀ 36634 � 4688 ❀ ✿ ✿ ✿ ❀ Merge to find collisions rithm. 36634 � 4688 � ✁ ✁ ✁ � 9413 Σ( ❏ 1 ) = t � Σ( ❏ 2 ), to see that ✮ ✙ i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t . ✿ ♥ iterations. ✙ ✙❂ 499 + 852 + 2535 + 3608 = 36634 � 5989 � 6385 � 7353 �

  74. Cost 2 0 ✿ 5 ♥ for sorting, merging. Left-right split (0.5) We assign cost 1 to RAM. Don’t need quantum computers to achieve exponent 0 ✿ 5. e.g. 36634 as sum of (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ For simplicity assume ♥ ✷ 2 Z . 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413): 1974 Horowitz–Sahni: Sort the 64 sums Sort list of Σ( ❏ 1 ) 0 ❀ 499 ❀ 852 ❀ 499 + 852 ❀ ✿ ✿ ✿ ❀ for all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ 499 + 852 + 1927 + ✁ ✁ ✁ + 3608 and list of t � Σ( ❏ 2 ) and the 64 differences for all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ . 36634 � 0 ❀ 36634 � 4688 ❀ ✿ ✿ ✿ ❀ Merge to find collisions 36634 � 4688 � ✁ ✁ ✁ � 9413 Σ( ❏ 1 ) = t � Σ( ❏ 2 ), to see that i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t . 499 + 852 + 2535 + 3608 = 36634 � 5989 � 6385 � 7353 � 9413.

  75. Cost 2 0 ✿ 5 ♥ for sorting, merging. Left-right split (0.5) Moduli (0.5) We assign cost 1 to RAM. need quantum computers For simplicit ♥ ✷ achieve exponent 0 ✿ 5. e.g. 36634 as sum of ✿ ♥ Choose ▼ ✙ (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ simplicity assume ♥ ✷ 2 Z . Choose t ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ▼ � ❣ 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413): Define t 2 t � t Horowitz–Sahni: Sort the 64 sums ist of Σ( ❏ 1 ) Find all ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ 0 ❀ 499 ❀ 852 ❀ 499 + 852 ❀ ✿ ✿ ✿ ❀ ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ such that ❏ ✑ t ▼ 499 + 852 + 1927 + ✁ ✁ ✁ + 3608 list of t � Σ( ❏ 2 ) How? Split ❏ ❏ ❬ ❏ and the 64 differences ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ . Find all ❏ ✒ ❢ ♥❂ ❀ ✿ ✿ ✿ ❀ ♥ ❣ 36634 � 0 ❀ 36634 � 4688 ❀ ✿ ✿ ✿ ❀ to find collisions such that ❏ ✑ t ▼ 36634 � 4688 � ✁ ✁ ✁ � 9413 ❏ = t � Σ( ❏ 2 ), to see that Sort and Σ( ❏ 1 ❬ ❏ 2 ) = t . 499 + 852 + 2535 + 3608 = collisions ❏ t � ❏ 36634 � 5989 � 6385 � 7353 � 9413. i.e., Σ( ❏ 1 ❬ ❏ t

  76. Cost 2 0 ✿ 5 ♥ for sorting, merging. (0.5) Moduli (0.5) We assign cost 1 to RAM. quantum computers For simplicity assume ♥ ✷ ent 0 ✿ 5. e.g. 36634 as sum of Choose ▼ ✙ 2 0 ✿ 25 ♥ (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ assume ♥ ✷ 2 Z . Choose t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ▼ � ❣ 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413): Define t 2 = t � t 1 . witz–Sahni: Sort the 64 sums ❏ ) Find all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ 0 ❀ 499 ❀ 852 ❀ 499 + 852 ❀ ✿ ✿ ✿ ❀ ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ such that Σ( ❏ 1 ) ✑ t ▼ 499 + 852 + 1927 + ✁ ✁ ✁ + 3608 t � Σ( ❏ 2 ) How? Split ❏ 1 as ❏ ❬ ❏ and the 64 differences ❏ ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ . Find all ❏ 2 ✒ ❢ ♥❂ 2 ❀ ✿ ✿ ✿ ❀ ♥ ❣ 36634 � 0 ❀ 36634 � 4688 ❀ ✿ ✿ ✿ ❀ collisions such that Σ( ❏ 2 ) ✑ t ▼ 36634 � 4688 � ✁ ✁ ✁ � 9413 ❏ t � ❏ 2 ), to see that Sort and merge to ❏ ❬ ❏ = t . 499 + 852 + 2535 + 3608 = collisions Σ( ❏ 1 ) = t � ❏ 36634 � 5989 � 6385 � 7353 � 9413. i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t

  77. Cost 2 0 ✿ 5 ♥ for sorting, merging. Moduli (0.5) We assign cost 1 to RAM. computers For simplicity assume ♥ ✷ 4 Z ✿ e.g. 36634 as sum of Choose ▼ ✙ 2 0 ✿ 25 ♥ . (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ ♥ ✷ 2 Z . Choose t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ▼ � 1 ❣ 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413): Define t 2 = t � t 1 . Sort the 64 sums ❏ Find all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ 0 ❀ 499 ❀ 852 ❀ 499 + 852 ❀ ✿ ✿ ✿ ❀ such that Σ( ❏ 1 ) ✑ t 1 (mod ▼ ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ 499 + 852 + 1927 + ✁ ✁ ✁ + 3608 t � ❏ How? Split ❏ 1 as ❏ 11 ❬ ❏ 12 . and the 64 differences ❏ ✒ ❢ ♥❂ ❀ ✿ ✿ ✿ ❀ ♥ ❣ . Find all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ 36634 � 0 ❀ 36634 � 4688 ❀ ✿ ✿ ✿ ❀ such that Σ( ❏ 2 ) ✑ t 2 (mod ▼ 36634 � 4688 � ✁ ✁ ✁ � 9413 ❏ t � ❏ to see that Sort and merge to find all ❏ ❬ ❏ t 499 + 852 + 2535 + 3608 = collisions Σ( ❏ 1 ) = t � Σ( ❏ 2 ), 36634 � 5989 � 6385 � 7353 � 9413. i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t .

  78. Cost 2 0 ✿ 5 ♥ for sorting, merging. Moduli (0.5) We assign cost 1 to RAM. For simplicity assume ♥ ✷ 4 Z . e.g. 36634 as sum of Choose ▼ ✙ 2 0 ✿ 25 ♥ . (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ Choose t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ▼ � 1 ❣ . 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413): Define t 2 = t � t 1 . Sort the 64 sums Find all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ 0 ❀ 499 ❀ 852 ❀ 499 + 852 ❀ ✿ ✿ ✿ ❀ such that Σ( ❏ 1 ) ✑ t 1 (mod ▼ ). 499 + 852 + 1927 + ✁ ✁ ✁ + 3608 How? Split ❏ 1 as ❏ 11 ❬ ❏ 12 . and the 64 differences Find all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ 36634 � 0 ❀ 36634 � 4688 ❀ ✿ ✿ ✿ ❀ such that Σ( ❏ 2 ) ✑ t 2 (mod ▼ ). 36634 � 4688 � ✁ ✁ ✁ � 9413 to see that Sort and merge to find all 499 + 852 + 2535 + 3608 = collisions Σ( ❏ 1 ) = t � Σ( ❏ 2 ), 36634 � 5989 � 6385 � 7353 � 9413. i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t .

  79. 0 ✿ 5 ♥ for sorting, merging. Moduli (0.5) Finds ❏ iff ❏ ✑ t ✿ ♥ assign cost 1 to RAM. There ar ✙ t For simplicity assume ♥ ✷ 4 Z . ✿ ♥ Each choice 36634 as sum of Choose ▼ ✙ 2 0 ✿ 25 ♥ . ✿ ♥ Total cost ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ Choose t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ▼ � 1 ❣ . ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413): Not visible Define t 2 = t � t 1 . ✿ ♥ this uses e 64 sums Find all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ assuming ❀ ❀ 852 ❀ 499 + 852 ❀ ✿ ✿ ✿ ❀ such that Σ( ❏ 1 ) ✑ t 1 (mod ▼ ). 852 + 1927 + ✁ ✁ ✁ + 3608 Algorithm How? Split ❏ 1 as ❏ 11 ❬ ❏ 12 . the 64 differences introduced Find all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ � 0 ❀ 36634 � 4688 ❀ ✿ ✿ ✿ ❀ 2006 Elsenhans–Jahnel; such that Σ( ❏ 2 ) ✑ t 2 (mod ▼ ). � 4688 � ✁ ✁ ✁ � 9413 2010 Ho that Sort and merge to find all Different 852 + 2535 + 3608 = collisions Σ( ❏ 1 ) = t � Σ( ❏ 2 ), for simila � 5989 � 6385 � 7353 � 9413. i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t . 1981 Schro

  80. ✿ ♥ rting, merging. Moduli (0.5) Finds ❏ iff Σ( ❏ 1 ) ✑ t There are ✙ 2 0 ✿ 25 ♥ to RAM. t For simplicity assume ♥ ✷ 4 Z . ✿ ♥ Each choice costs sum of Choose ▼ ✙ 2 0 ✿ 25 ♥ . Total cost 2 0 ✿ 5 ♥ . ❀ ❀ ❀ 2535 ❀ 3596 ❀ 3608 ❀ Choose t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ▼ � 1 ❣ . ❀ ❀ ❀ 7353 ❀ 7650 ❀ 9413): Not visible in cost Define t 2 = t � t 1 . ✿ ♥ this uses space only sums Find all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ assuming typical distribution. ❀ ❀ ❀ 852 ❀ ✿ ✿ ✿ ❀ such that Σ( ❏ 1 ) ✑ t 1 (mod ▼ ). 1927 + ✁ ✁ ✁ + 3608 Algorithm has been How? Split ❏ 1 as ❏ 11 ❬ ❏ 12 . differences introduced at least Find all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ � ❀ 36634 � 4688 ❀ ✿ ✿ ✿ ❀ 2006 Elsenhans–Jahnel; such that Σ( ❏ 2 ) ✑ t 2 (mod ▼ ). � � ✁ ✁ ✁ � 9413 2010 Howgrave-Graha Sort and merge to find all Different technique 2535 + 3608 = collisions Σ( ❏ 1 ) = t � Σ( ❏ 2 ), for similar space reduction: � � 6385 � 7353 � 9413. i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t . 1981 Schroeppel–Shamir.

  81. ✿ ♥ merging. Moduli (0.5) Finds ❏ iff Σ( ❏ 1 ) ✑ t 1 . There are ✙ 2 0 ✿ 25 ♥ choices of t RAM. For simplicity assume ♥ ✷ 4 Z . Each choice costs 2 0 ✿ 25 ♥ . Choose ▼ ✙ 2 0 ✿ 25 ♥ . Total cost 2 0 ✿ 5 ♥ . ❀ ❀ ❀ ❀ ❀ 3608 ❀ Choose t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ▼ � 1 ❣ . ❀ ❀ ❀ ❀ 7650 ❀ 9413): Not visible in cost metric: Define t 2 = t � t 1 . this uses space only 2 0 ✿ 25 ♥ , Find all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ assuming typical distribution. ❀ ❀ ❀ ❀ ✿ ✿ ✿ ❀ such that Σ( ❏ 1 ) ✑ t 1 (mod ▼ ). ✁ ✁ ✁ 3608 Algorithm has been How? Split ❏ 1 as ❏ 11 ❬ ❏ 12 . introduced at least twice: Find all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ � ❀ � ❀ ✿ ✿ ✿ ❀ 2006 Elsenhans–Jahnel; such that Σ( ❏ 2 ) ✑ t 2 (mod ▼ ). � � ✁ ✁ ✁ � 9413 2010 Howgrave-Graham–Joux. Sort and merge to find all Different technique = collisions Σ( ❏ 1 ) = t � Σ( ❏ 2 ), for similar space reduction: � � � 7353 � 9413. i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t . 1981 Schroeppel–Shamir.

  82. Moduli (0.5) Finds ❏ iff Σ( ❏ 1 ) ✑ t 1 . There are ✙ 2 0 ✿ 25 ♥ choices of t 1 . For simplicity assume ♥ ✷ 4 Z . Each choice costs 2 0 ✿ 25 ♥ . Choose ▼ ✙ 2 0 ✿ 25 ♥ . Total cost 2 0 ✿ 5 ♥ . Choose t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ▼ � 1 ❣ . Not visible in cost metric: Define t 2 = t � t 1 . this uses space only 2 0 ✿ 25 ♥ , Find all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ assuming typical distribution. such that Σ( ❏ 1 ) ✑ t 1 (mod ▼ ). Algorithm has been How? Split ❏ 1 as ❏ 11 ❬ ❏ 12 . introduced at least twice: Find all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ 2006 Elsenhans–Jahnel; such that Σ( ❏ 2 ) ✑ t 2 (mod ▼ ). 2010 Howgrave-Graham–Joux. Sort and merge to find all Different technique collisions Σ( ❏ 1 ) = t � Σ( ❏ 2 ), for similar space reduction: i.e., Σ( ❏ 1 ❬ ❏ 2 ) = t . 1981 Schroeppel–Shamir.

  83. duli (0.5) Finds ❏ iff Σ( ❏ 1 ) ✑ t 1 . e.g. ▼ = t ① There are ✙ 2 0 ✿ 25 ♥ choices of t 1 . (499 ❀ 852 ❀ ❀ ❀ ❀ ❀ simplicity assume ♥ ✷ 4 Z . Each choice costs 2 0 ✿ 25 ♥ . 4688 ❀ 5989 ❀ ❀ ❀ ❀ ose ▼ ✙ 2 0 ✿ 25 ♥ . Total cost 2 0 ✿ 5 ♥ . Try each t ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ ose t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ▼ � 1 ❣ . Not visible in cost metric: t 2 = t � t 1 . In particula t this uses space only 2 0 ✿ 25 ♥ , There are all ❏ 1 ✒ ❢ 1 ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ assuming typical distribution. (499 ❀ 852 ❀ ❀ ❀ ❀ that Σ( ❏ 1 ) ✑ t 1 (mod ▼ ). Algorithm has been with sum Split ❏ 1 as ❏ 11 ❬ ❏ 12 . introduced at least twice: There are all ❏ 2 ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ 2006 Elsenhans–Jahnel; (4688 ❀ 5989 ❀ ❀ ❀ ❀ that Σ( ❏ 2 ) ✑ t 2 (mod ▼ ). 2010 Howgrave-Graham–Joux. with sum � Sort and and merge to find all Different technique 499 + 852 collisions Σ( ❏ 1 ) = t � Σ( ❏ 2 ), for similar space reduction: 36634 � 5989 � � � Σ( ❏ 1 ❬ ❏ 2 ) = t . 1981 Schroeppel–Shamir.

  84. Finds ❏ iff Σ( ❏ 1 ) ✑ t 1 . e.g. ▼ = 8, t = 36634, ① There are ✙ 2 0 ✿ 25 ♥ choices of t 1 . (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ ❀ ❀ assume ♥ ✷ 4 Z . Each choice costs 2 0 ✿ 25 ♥ . 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ ❀ ✿ 25 ♥ . Total cost 2 0 ✿ 5 ♥ . ▼ ✙ Try each t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ ❣ t ✷ ❢ ❀ 1 ❀ ✿ ✿ ✿ ❀ ▼ � 1 ❣ . Not visible in cost metric: t t � t 1 . In particular try t 1 this uses space only 2 0 ✿ 25 ♥ , There are 12 subsequences ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ 2 ❣ assuming typical distribution. (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ ❀ (mod ▼ ). ❏ ✑ t 1 Algorithm has been with sum 6 modulo ❏ as ❏ 11 ❬ ❏ 12 . introduced at least twice: There are 6 subsequences ❏ ✒ ❢ ♥❂ 2 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ 2006 Elsenhans–Jahnel; (4688 ❀ 5989 ❀ 6385 ❀ ❀ ❀ (mod ▼ ). ❏ ✑ t 2 2010 Howgrave-Graham–Joux. with sum 36634 � Sort and merge to to find all Different technique 499 + 852 + 2535 ❏ = t � Σ( ❏ 2 ), for similar space reduction: 36634 � 5989 � 6385 � � = t . ❏ ❬ ❏ 1981 Schroeppel–Shamir.

  85. Finds ❏ iff Σ( ❏ 1 ) ✑ t 1 . e.g. ▼ = 8, t = 36634, ① = There are ✙ 2 0 ✿ 25 ♥ choices of t 1 . (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ ♥ ✷ 4 Z . Each choice costs 2 0 ✿ 25 ♥ . 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ ✿ ♥ Total cost 2 0 ✿ 5 ♥ . ▼ ✙ Try each t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 7 ❣ . t ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ▼ � 1 ❣ . Not visible in cost metric: t t � t In particular try t 1 = 6. this uses space only 2 0 ✿ 25 ♥ , There are 12 subsequences of ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ assuming typical distribution. (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608) (mod ▼ ). ❏ ✑ t Algorithm has been with sum 6 modulo 8. ❏ ❏ ❬ ❏ . introduced at least twice: There are 6 subsequences of ❏ ✒ ❢ ♥❂ ❀ ✿ ✿ ✿ ❀ ♥ ❣ 2006 Elsenhans–Jahnel; (4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ (mod ▼ ). ❏ ✑ t 2010 Howgrave-Graham–Joux. with sum 36634 � 6 modulo Sort and merge to find Different technique 499 + 852 + 2535 + 3608 = ❏ t � ❏ 2 ), for similar space reduction: 36634 � 5989 � 6385 � 7353 � ❏ ❬ ❏ t 1981 Schroeppel–Shamir.

  86. Finds ❏ iff Σ( ❏ 1 ) ✑ t 1 . e.g. ▼ = 8, t = 36634, ① = There are ✙ 2 0 ✿ 25 ♥ choices of t 1 . (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ Each choice costs 2 0 ✿ 25 ♥ . 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413): Total cost 2 0 ✿ 5 ♥ . Try each t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 7 ❣ . Not visible in cost metric: In particular try t 1 = 6. this uses space only 2 0 ✿ 25 ♥ , There are 12 subsequences of assuming typical distribution. (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608) Algorithm has been with sum 6 modulo 8. introduced at least twice: There are 6 subsequences of 2006 Elsenhans–Jahnel; (4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) 2010 Howgrave-Graham–Joux. with sum 36634 � 6 modulo 8. Sort and merge to find Different technique 499 + 852 + 2535 + 3608 = for similar space reduction: 36634 � 5989 � 6385 � 7353 � 9413. 1981 Schroeppel–Shamir.

  87. ❏ iff Σ( ❏ 1 ) ✑ t 1 . e.g. ▼ = 8, t = 36634, ① = Quantum ✿ ✿ ✿ ✿ are ✙ 2 0 ✿ 25 ♥ choices of t 1 . (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ Cost 2 ♥❂ choice costs 2 0 ✿ 25 ♥ . 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413): 1998 Brassa cost 2 0 ✿ 5 ♥ . Try each t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 7 ❣ . For simplicit ♥ ✷ visible in cost metric: In particular try t 1 = 6. uses space only 2 0 ✿ 25 ♥ , Compute ❏ There are 12 subsequences of ❏ 1 ✒ ❢ 1 ❀ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ assuming typical distribution. (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608) Sort ▲ = ❢ ❏ ❣ rithm has been with sum 6 modulo 8. Can now duced at least twice: There are 6 subsequences of ❏ 2 ✼✦ [ t � ❏ ✷ ▲ ❂ Elsenhans–Jahnel; (4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) for ❏ 2 ✒ ❢ ♥❂ ❀ ✿ ✿ ✿ ❀ ♥ ❣ Howgrave-Graham–Joux. with sum 36634 � 6 modulo 8. Recall: w Sort and merge to find Different technique 499 + 852 + 2535 + 3608 = Use Grover’s imilar space reduction: 36634 � 5989 � 6385 � 7353 � 9413. whether Schroeppel–Shamir.

  88. ❏ ❏ ) ✑ t 1 . e.g. ▼ = 8, t = 36634, ① = Quantum left-right ✿ ✿ ✿ ✿ ♥ choices of t 1 . ✿ ✙ (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ Cost 2 ♥❂ 3 , imitating costs 2 0 ✿ 25 ♥ . 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413): 1998 Brassard–Høy ✿ ♥ . Try each t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 7 ❣ . For simplicity assume ♥ ✷ cost metric: In particular try t 1 = 6. only 2 0 ✿ 25 ♥ , Compute Σ( ❏ 1 ) fo There are 12 subsequences of ❏ 1 ✒ ❢ 1 ❀ 2 ❀ ✿ ✿ ✿ ❀ ♥❂ 3 ❣ ypical distribution. (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608) Sort ▲ = ❢ Σ( ❏ 1 ) ❣ . een with sum 6 modulo 8. Can now efficiently least twice: There are 6 subsequences of ❏ 2 ✼✦ [ t � Σ( ❏ 2 ) ❂ ✷ ▲ Elsenhans–Jahnel; (4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) for ❏ 2 ✒ ❢ ♥❂ 3 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ wgrave-Graham–Joux. with sum 36634 � 6 modulo 8. Recall: we assign cost Sort and merge to find nique 499 + 852 + 2535 + 3608 = Use Grover’s metho reduction: 36634 � 5989 � 6385 � 7353 � 9413. whether this function el–Shamir.

  89. ❏ ❏ ✑ t e.g. ▼ = 8, t = 36634, ① = Quantum left-right split (0 ✿ 333 ✿ ✿ ✿ ✿ ♥ ✙ of t 1 . (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ Cost 2 ♥❂ 3 , imitating ✿ ♥ 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413): 1998 Brassard–Høyer–Tapp: ✿ ♥ Try each t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 7 ❣ . For simplicity assume ♥ ✷ 3 Z In particular try t 1 = 6. ✿ ♥ , Compute Σ( ❏ 1 ) for all There are 12 subsequences of ❏ 1 ✒ ❢ 1 ❀ 2 ❀ ✿ ✿ ✿ ❀ ♥❂ 3 ❣ . distribution. (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608) Sort ▲ = ❢ Σ( ❏ 1 ) ❣ . with sum 6 modulo 8. Can now efficiently compute There are 6 subsequences of ❏ 2 ✼✦ [ t � Σ( ❏ 2 ) ❂ ✷ ▲ ] (4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) for ❏ 2 ✒ ❢ ♥❂ 3 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ . –Joux. with sum 36634 � 6 modulo 8. Recall: we assign cost 1 to RAM. Sort and merge to find 499 + 852 + 2535 + 3608 = Use Grover’s method to see reduction: 36634 � 5989 � 6385 � 7353 � 9413. whether this function has a ro

  90. e.g. ▼ = 8, t = 36634, ① = Quantum left-right split (0 ✿ 333 ✿ ✿ ✿ ) (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608 ❀ Cost 2 ♥❂ 3 , imitating 4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413): 1998 Brassard–Høyer–Tapp: Try each t 1 ✷ ❢ 0 ❀ 1 ❀ ✿ ✿ ✿ ❀ 7 ❣ . For simplicity assume ♥ ✷ 3 Z . In particular try t 1 = 6. Compute Σ( ❏ 1 ) for all There are 12 subsequences of ❏ 1 ✒ ❢ 1 ❀ 2 ❀ ✿ ✿ ✿ ❀ ♥❂ 3 ❣ . (499 ❀ 852 ❀ 1927 ❀ 2535 ❀ 3596 ❀ 3608) Sort ▲ = ❢ Σ( ❏ 1 ) ❣ . with sum 6 modulo 8. Can now efficiently compute There are 6 subsequences of ❏ 2 ✼✦ [ t � Σ( ❏ 2 ) ❂ ✷ ▲ ] (4688 ❀ 5989 ❀ 6385 ❀ 7353 ❀ 7650 ❀ 9413) for ❏ 2 ✒ ❢ ♥❂ 3 + 1 ❀ ✿ ✿ ✿ ❀ ♥ ❣ . with sum 36634 � 6 modulo 8. Recall: we assign cost 1 to RAM. Sort and merge to find 499 + 852 + 2535 + 3608 = Use Grover’s method to see 36634 � 5989 � 6385 � 7353 � 9413. whether this function has a root.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99 Given a sequence of integers a 1 , . . . , a n and a parameter k , NP-completeness of Subset Sum, Partition, Minimum Bin Packing. Decide

214 views • 3 slides
Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer

Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer

NEW CS 473: Theory II, Fall 2015 Subset Sum Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer positive num- bers, t - target number Question: subset of X s.t. sum of its elements is t ? Lecture 10

200 views • 8 slides
Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven cr.yp.to/qsubsetsum.html Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische

1.2k views • 98 slides
Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of

Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of

Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of numbers S. and a target number t. We have to determine of the exists a subset of S such that the summation of the numbers present in the subset is

353 views • 11 slides
Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische Universiteit Eindhoven

1.2k views • 89 slides
More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an

More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an

csci 210: Data Structures More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an array that sum up to a given target Permute: finding all permutations of a given string Subset: finding all

436 views • 15 slides
Part I bers, t - target number Question: Is there a subset of X such the sum of its elements is t ?

Part I bers, t - target number Question: Is there a subset of X such the sum of its elements is t ?

Subset Sum Subset Sum Instance : X = { x 1 , . . . , x n } n integer positive num- Part I bers, t - target number Question: Is there a subset of X such the sum of its elements is t ? Subset Sum SolveSubsetSum ( X , t , M ) b [ 0 . . . Mn ] -

260 views • 5 slides
Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 , May 11.-15. 2020 Andre Esser and Alexander May Horst Grtz Institute for IT Security Ruhr University Bochum Subset Sum Subset Sum Problem 0

464 views • 23 slides
EMPIRICAL COMPARISON OF COLUMN SUBSET SELECTION ALGORITHMS Yining Wang , Aarti Singh Machine

EMPIRICAL COMPARISON OF COLUMN SUBSET SELECTION ALGORITHMS Yining Wang , Aarti Singh Machine

EMPIRICAL COMPARISON OF COLUMN SUBSET SELECTION ALGORITHMS Yining Wang , Aarti Singh Machine Learning Department, Carnegie Mellon University 1 COLUMN SUBSET SELECTION M R n 1 n 2 C R n 1 s | C | s k M CC M k F min 2

385 views • 15 slides
Backtracking And Branch And Bound Subset & Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset & Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset & Permutation Problems Subset problem of size n. Nonsystematic search of the space for the answer takes O(p2 n ) time, where p is the time needed to evaluate each member of the solution space.

65 views • 5 slides
Backtracking And Branch And Bound Subset & Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset & Permutation Problems Subset problem of size n.

Backtracking And Branch And Bound Subset & Permutation Problems Subset problem of size n. Nonsystematic search of the space for the answer takes O(p2 n ) time, where p is the time needed to evaluate each member of the solution space.

310 views • 4 slides
CSE 311: Foundations of Computing Subset Construction Fall 2013 Subset construction: NFA

CSE 311: Foundations of Computing Subset Construction Fall 2013 Subset construction: NFA

CSE 311: Foundations of Computing Subset Construction Fall 2013 Subset construction: NFA to DFA Lecture 25: Non-regularity and limits of FSMs 0,1 0 a,b a 1 0 1 1 1 b c 0 b c 1 0 0 0

316 views • 6 slides
Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and

Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and

Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and Permutation Graphs Charis Papadopoulos Spyridon Tzimas 21st International Symposium on Fundamentals of Computation Theory - FCT 2017 Bordeaux, France,

1.5k views • 103 slides
Improved Low-Memory Subset Sum and LPN Algorithms via Multiple Collision January 2019 , Nancy

Improved Low-Memory Subset Sum and LPN Algorithms via Multiple Collision January 2019 , Nancy

Improved Low-Memory Subset Sum and LPN Algorithms via Multiple Collision January 2019 , Nancy Claire Delaplace, Andre Esser and Alexander May About Me Claire Delaplace: Postdoc researcher Ruhr University Bochum, Germany Team: Cryptology

1.12k views • 99 slides
Just Relax Convex Programming Methods for Subset Selection and Sparse Approximation Joel A.

Just Relax Convex Programming Methods for Subset Selection and Sparse Approximation Joel A.

Just Relax Convex Programming Methods for Subset Selection and Sparse Approximation Joel A. Tropp <jtropp@ices.utexas.edu> The University of Texas at Austin 1 Subset Selection Work in finite-dimensional inner-product space

511 views • 15 slides
A Fast Greedy Algorithm for Generalized Column Subset Selec:on

A Fast Greedy Algorithm for Generalized Column Subset Selec:on

NIPS'13 Workshop on 1 Greedy Algorithms, Frank-Wolfe and Friends A Fast Greedy Algorithm for Generalized Column Subset Selec:on Ali Ghodsi

567 views • 17 slides
Observing with a LISA spectrograph David Boyd BAAVSS, AAVSO, CBA For me, the appeal of

Observing with a LISA spectrograph David Boyd BAAVSS, AAVSO, CBA For me, the appeal of

Observing with a LISA spectrograph David Boyd BAAVSS, AAVSO, CBA For me, the appeal of spectroscopy is in its scientific potential Photometry reveals changes in a stars brightness R Scutum Spectroscopy reveals why these changes are

822 views • 53 slides
Search for Associated Higgs Boson Production with Like - Sign Leptons at DZero Maiko Takahashi (

Search for Associated Higgs Boson Production with Like - Sign Leptons at DZero Maiko Takahashi (

Search for Associated Higgs Boson Production with Like - Sign Leptons at DZero Maiko Takahashi ( University of Manchester / Fermilab ) Phenomenology 2009 Symposium 090511 PHENO2009 Like - Charge Signature H WW dominant decay at high Higgs

256 views • 12 slides
Tracking Detectors for Collider Experiments Hubert Kroha MPI Munich iSTEP 2016 Hubert Kroha,

Tracking Detectors for Collider Experiments Hubert Kroha MPI Munich iSTEP 2016 Hubert Kroha,

Tracking Detectors for Collider Experiments Hubert Kroha MPI Munich iSTEP 2016 Hubert Kroha, MPI Munich iSTEP 2016, 11/07/2016 1 Overview and pp colliders Detector concepts and systems at e + e of the past 30

1.13k views • 78 slides
Events in Magnetized GAr Tom Junk DUNE GARTPC ND Meeting January 5, 2018 The question: What

Events in Magnetized GAr Tom Junk DUNE GARTPC ND Meeting January 5, 2018 The question: What

Electron Sign Determination in GENIE v e Events in Magnetized GAr Tom Junk DUNE GARTPC ND Meeting January 5, 2018 The question: What fraction of electrons in v e CC events have their signs correctly identified? Approximate answer: We expect

367 views • 20 slides
The Effect of Salience on Chinese Pun Comprehension: An Eye-tracking Study Wang Xiaolu Zhejiang

The Effect of Salience on Chinese Pun Comprehension: An Eye-tracking Study Wang Xiaolu Zhejiang

The Effect of Salience on Chinese Pun Comprehension: An Eye-tracking Study Wang Xiaolu Zhejiang University Contents 1. Introduction 2. Research Question 3. Eye-tracking Experiment 4. Results and Discussion 5. Conclusion

848 views • 29 slides
Visual complexity and referring expression generation Micha Elsner with Alasdair Clarke,

Visual complexity and referring expression generation Micha Elsner with Alasdair Clarke,

Visual complexity and referring expression generation Micha Elsner with Alasdair Clarke, Hannah Rohde Wheres the Scott Monument? See the clock tower? Its the pointy black spire just to the right. Terminology: Relational descriptions

704 views • 51 slides
SOCI 323 Social Psychology Session 8 Attributional Errors Lecturer: Dr. Peace Mamle Tetteh,

SOCI 323 Social Psychology Session 8 Attributional Errors Lecturer: Dr. Peace Mamle Tetteh,

SOCI 323 Social Psychology Session 8 Attributional Errors Lecturer: Dr. Peace Mamle Tetteh, Department of Sociology Contact Information: ptetteh@ug.edu.gh College of Education School of Continuing and Distance Education 2014/2015

326 views • 19 slides
Sally Eberhard & Dr Nhung Nguyen Mute /unmute Raise hand for questions

Sally Eberhard & Dr Nhung Nguyen Mute /unmute Raise hand for questions

Sally Eberhard & Dr Nhung Nguyen Mute /unmute Raise hand for questions

545 views • 31 slides

More recommend