Quantum algorithms Subset-sum example: for the subset-sum problem - - PowerPoint PPT Presentation

Quantum algorithms for the subset-sum problem

• D. J. Bernstein

University of Illinois at Chicago & Technische Universiteit Eindhoven cr.yp.to/qsubsetsum.html Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische Universiteit Eindhoven Alexander Meurer Ruhr-Universit¨ at Bochum Subset-sum example: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having sum 36634? Many variations: e.g., find such a subsequence if one exists; find such a subsequence knowing that one exists; allow range of sums; coefficients outside ❢0❀ 1❣; etc. “Subset-sum problem”; “knapsack problem”; etc.

Quantum algorithms subset-sum problem Bernstein University of Illinois at Chicago & echnische Universiteit Eindhoven cr.yp.to/qsubsetsum.html

• rk with:

Jeffery University of Waterloo Lange echnische Universiteit Eindhoven Alexander Meurer Ruhr-Universit¨ at Bochum Subset-sum example: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having sum 36634? Many variations: e.g., find such a subsequence if one exists; find such a subsequence knowing that one exists; allow range of sums; coefficients outside ❢0❀ 1❣; etc. “Subset-sum problem”; “knapsack problem”; etc. The lattice Define ① ✿ ✿ ✿ ① Define ▲ ✒ ❢✈ : ✈1①1 ✁ ✁ ✁ ✈ ① ❣ Define ✉ ✷ (70❀ 2❀ 0❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ If ❏ ✒ ❢1❀ ❀ ✿ ✿ ✿ ❀ ❣ and P

✐✷❏ ①✐

✈ ✷ ▲ where ✈✐ ✉✐ ✐ ✷ ❏ ✈ is very ✉ Reasonable ✈ is the ▲ ✉ Subset-sum ✙ codimension-1

rithms subset-sum problem Illinois at Chicago & Universiteit Eindhoven cr.yp.to/qsubsetsum.html aterloo Universiteit Eindhoven Meurer Bochum Subset-sum example: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having sum 36634? Many variations: e.g., find such a subsequence if one exists; find such a subsequence knowing that one exists; allow range of sums; coefficients outside ❢0❀ 1❣; etc. “Subset-sum problem”; “knapsack problem”; etc. The lattice connection Define ①1 = 499, ✿ ✿ ✿ ① Define ▲ ✒ Z12 as ❢✈ : ✈1①1 + ✁ ✁ ✁ + ✈ ① ❣ Define ✉ ✷ Z12 as (70❀ 2❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ ❀ ❀ ❀ If ❏ ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ 12❣ and P

✐✷❏ ①✐ = 36634

✈ ✷ ▲ where ✈✐ = ✉✐ ✐ ✷ ❏ ✈ is very close to ✉ Reasonable to hop ✈ is the closest vecto ▲ ✉ Subset-sum algorithms ✙ codimension-1 CVP

Chicago & Eindhoven cr.yp.to/qsubsetsum.html Eindhoven Subset-sum example: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having sum 36634? Many variations: e.g., find such a subsequence if one exists; find such a subsequence knowing that one exists; allow range of sums; coefficients outside ❢0❀ 1❣; etc. “Subset-sum problem”; “knapsack problem”; etc. The lattice connection Define ①1 = 499, ✿ ✿ ✿ , ①12 = Define ▲ ✒ Z12 as ❢✈ : ✈1①1 + ✁ ✁ ✁ + ✈12①12 = 0❣ Define ✉ ✷ Z12 as (70❀ 2❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0). If ❏ ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ 12❣ and P

✐✷❏ ①✐ = 36634 then

✈ ✷ ▲ where ✈✐ = ✉✐ [✐ ✷ ❏ ✈ is very close to ✉. Reasonable to hope that ✈ is the closest vector in ▲ to ✉ Subset-sum algorithms ✙ codimension-1 CVP algorithms.

Subset-sum example: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having sum 36634? Many variations: e.g., find such a subsequence if one exists; find such a subsequence knowing that one exists; allow range of sums; coefficients outside ❢0❀ 1❣; etc. “Subset-sum problem”; “knapsack problem”; etc. The lattice connection Define ①1 = 499, ✿ ✿ ✿ , ①12 = 9413. Define ▲ ✒ Z12 as ❢✈ : ✈1①1 + ✁ ✁ ✁ + ✈12①12 = 0❣. Define ✉ ✷ Z12 as (70❀ 2❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0). If ❏ ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ 12❣ and P

✐✷❏ ①✐ = 36634 then

✈ ✷ ▲ where ✈✐ = ✉✐ [✐ ✷ ❏]. ✈ is very close to ✉. Reasonable to hope that ✈ is the closest vector in ▲ to ✉. Subset-sum algorithms ✙ codimension-1 CVP algorithms.

Subset-sum example: there a subsequence of ❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ ❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) sum 36634? variations: e.g., such a subsequence exists; such a subsequence wing that one exists; range of sums; efficients outside ❢0❀ 1❣; etc. “Subset-sum problem”; “knapsack problem”; etc. The lattice connection Define ①1 = 499, ✿ ✿ ✿ , ①12 = 9413. Define ▲ ✒ Z12 as ❢✈ : ✈1①1 + ✁ ✁ ✁ + ✈12①12 = 0❣. Define ✉ ✷ Z12 as (70❀ 2❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0). If ❏ ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ 12❣ and P

✐✷❏ ①✐ = 36634 then

✈ ✷ ▲ where ✈✐ = ✉✐ [✐ ✷ ❏]. ✈ is very close to ✉. Reasonable to hope that ✈ is the closest vector in ▲ to ✉. Subset-sum algorithms ✙ codimension-1 CVP algorithms. The coding A weight-✇ Is there a (499❀ 852❀ ❀ ❀ ❀ ❀ 4688❀ 5989❀ ❀ ❀ ❀ having length ✇

example: subsequence of ❀ ❀ ❀ 2535❀ 3596❀ 3608❀ ❀ ❀ ❀ 7353❀ 7650❀ 9413) 36634? riations: e.g., subsequence subsequence

• ne exists;

sums;

• utside ❢0❀ 1❣; etc.
• blem”;

roblem”; etc. The lattice connection Define ①1 = 499, ✿ ✿ ✿ , ①12 = 9413. Define ▲ ✒ Z12 as ❢✈ : ✈1①1 + ✁ ✁ ✁ + ✈12①12 = 0❣. Define ✉ ✷ Z12 as (70❀ 2❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0). If ❏ ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ 12❣ and P

✐✷❏ ①✐ = 36634 then

✈ ✷ ▲ where ✈✐ = ✉✐ [✐ ✷ ❏]. ✈ is very close to ✉. Reasonable to hope that ✈ is the closest vector in ▲ to ✉. Subset-sum algorithms ✙ codimension-1 CVP algorithms. The coding connection A weight-✇ subset-sum Is there a subsequence (499❀ 852❀ 1927❀ 2535❀ ❀ ❀ 4688❀ 5989❀ 6385❀ 7353❀ ❀ having length ✇ and

❀ ❀ ❀ ❀ ❀ 3608❀ ❀ ❀ ❀ ❀ 7650❀ 9413) ❢ ❀ ❣ etc. The lattice connection Define ①1 = 499, ✿ ✿ ✿ , ①12 = 9413. Define ▲ ✒ Z12 as ❢✈ : ✈1①1 + ✁ ✁ ✁ + ✈12①12 = 0❣. Define ✉ ✷ Z12 as (70❀ 2❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0). If ❏ ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ 12❣ and P

✐✷❏ ①✐ = 36634 then

✈ ✷ ▲ where ✈✐ = ✉✐ [✐ ✷ ❏]. ✈ is very close to ✉. Reasonable to hope that ✈ is the closest vector in ▲ to ✉. Subset-sum algorithms ✙ codimension-1 CVP algorithms. The coding connection A weight-✇ subset-sum problem: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ having length ✇ and sum 36634?

The lattice connection Define ①1 = 499, ✿ ✿ ✿ , ①12 = 9413. Define ▲ ✒ Z12 as ❢✈ : ✈1①1 + ✁ ✁ ✁ + ✈12①12 = 0❣. Define ✉ ✷ Z12 as (70❀ 2❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0). If ❏ ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ 12❣ and P

✐✷❏ ①✐ = 36634 then

✈ ✷ ▲ where ✈✐ = ✉✐ [✐ ✷ ❏]. ✈ is very close to ✉. Reasonable to hope that ✈ is the closest vector in ▲ to ✉. Subset-sum algorithms ✙ codimension-1 CVP algorithms. The coding connection A weight-✇ subset-sum problem: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having length ✇ and sum 36634?

The lattice connection Define ①1 = 499, ✿ ✿ ✿ , ①12 = 9413. Define ▲ ✒ Z12 as ❢✈ : ✈1①1 + ✁ ✁ ✁ + ✈12①12 = 0❣. Define ✉ ✷ Z12 as (70❀ 2❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0). If ❏ ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ 12❣ and P

✐✷❏ ①✐ = 36634 then

✈ ✷ ▲ where ✈✐ = ✉✐ [✐ ✷ ❏]. ✈ is very close to ✉. Reasonable to hope that ✈ is the closest vector in ▲ to ✉. Subset-sum algorithms ✙ codimension-1 CVP algorithms. The coding connection A weight-✇ subset-sum problem: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having length ✇ and sum 36634? Replace Z with (Z❂2)♠: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having length ✇ and xor 1060? This is the central algorithmic problem in coding theory.

lattice connection ①1 = 499, ✿ ✿ ✿ , ①12 = 9413. ▲ ✒ Z12 as ❢✈ ✈ ①1 + ✁ ✁ ✁ + ✈12①12 = 0❣. ✉ ✷ Z12 as ❀ ❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0❀ 0). ❏ ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ 12❣ P

✐✷❏ ①✐ = 36634 then

✈ ✷ ▲ where ✈✐ = ✉✐ [✐ ✷ ❏]. ✈ very close to ✉. Reasonable to hope that ✈ the closest vector in ▲ to ✉. Subset-sum algorithms ✙ dimension-1 CVP algorithms. The coding connection A weight-✇ subset-sum problem: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having length ✇ and sum 36634? Replace Z with (Z❂2)♠: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having length ✇ and xor 1060? This is the central algorithmic problem in coding theory. Recent asym Eurocrypt Howgrave-Graham–Joux: subset-sum ✙ ✿ (Incorrect ✙ ✿ Eurocrypt Becker–Co subset-sum ✙ ✿ Adaptations Asiacrypt Thomae, Becker–Joux–Ma

connection ① 499, ✿ ✿ ✿ , ①12 = 9413. ▲ ✒ as ❢✈ ✈ ① ✁ ✁ ✁ ✈12①12 = 0❣. ✉ ✷ as ❀ ❀ ❀ ❀ ❀ ❀ ❀ 0❀ 0❀ 0❀ 0❀ 0). ❏ ✒ ❢ ❀ ❀ ✿ ✿ ✿ ❀ 12❣ P

✐✷❏ ①✐

36634 then ✈ ✷ ▲ ✈✐ = ✉✐ [✐ ✷ ❏]. ✈ to ✉. hope that ✈ vector in ▲ to ✉. rithms ✙ CVP algorithms. The coding connection A weight-✇ subset-sum problem: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having length ✇ and sum 36634? Replace Z with (Z❂2)♠: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having length ✇ and xor 1060? This is the central algorithmic problem in coding theory. Recent asymptotic Eurocrypt 2010 Howgrave-Graham–Joux: subset-sum exponent ✙ ✿ (Incorrect claim: ✙ ✿ Eurocrypt 2011 Becker–Coron–Jou subset-sum exponent ✙ ✿ Adaptations to deco Asiacrypt 2011 Ma Thomae, Eurocrypt Becker–Joux–May–Meurer.

① ✿ ✿ ✿ ① = 9413. ▲ ✒ ❢✈ ✈ ① ✁ ✁ ✁ ✈ ① 0❣. ✉ ✷ ❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ ❀ 0). ❏ ✒ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ P

✐✷❏ ①✐

then ✈ ✷ ▲ ✈✐ ✉✐ ✐ ✷ ❏]. ✈ ✉ ✈ ▲ to ✉. ✙ rithms. The coding connection A weight-✇ subset-sum problem: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having length ✇ and sum 36634? Replace Z with (Z❂2)♠: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having length ✇ and xor 1060? This is the central algorithmic problem in coding theory. Recent asymptotic news Eurocrypt 2010 Howgrave-Graham–Joux: subset-sum exponent ✙0✿337. (Incorrect claim: ✙0✿311.) Eurocrypt 2011 Becker–Coron–Joux: subset-sum exponent ✙0✿291. Adaptations to decoding: Asiacrypt 2011 May–Meurer– Thomae, Eurocrypt 2012 Becker–Joux–May–Meurer.

The coding connection A weight-✇ subset-sum problem: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having length ✇ and sum 36634? Replace Z with (Z❂2)♠: Is there a subsequence of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) having length ✇ and xor 1060? This is the central algorithmic problem in coding theory. Recent asymptotic news Eurocrypt 2010 Howgrave-Graham–Joux: subset-sum exponent ✙0✿337. (Incorrect claim: ✙0✿311.) Eurocrypt 2011 Becker–Coron–Joux: subset-sum exponent ✙0✿291. Adaptations to decoding: Asiacrypt 2011 May–Meurer– Thomae, Eurocrypt 2012 Becker–Joux–May–Meurer.

ding connection eight-✇ subset-sum problem: there a subsequence of ❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ ❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) length ✇ and sum 36634? Replace Z with (Z❂2)♠: there a subsequence of ❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ ❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) length ✇ and xor 1060? the central algorithmic roblem in coding theory. Recent asymptotic news Eurocrypt 2010 Howgrave-Graham–Joux: subset-sum exponent ✙0✿337. (Incorrect claim: ✙0✿311.) Eurocrypt 2011 Becker–Coron–Joux: subset-sum exponent ✙0✿291. Adaptations to decoding: Asiacrypt 2011 May–Meurer– Thomae, Eurocrypt 2012 Becker–Joux–May–Meurer. Post-quantum Claimed Lyubashevsky–P “Public-k primitives as secure There ar quantum better than

• n the subset

Hmmm. quantum

connection ✇ subset-sum problem: subsequence of ❀ ❀ ❀ 2535❀ 3596❀ 3608❀ ❀ ❀ ❀ 7353❀ 7650❀ 9413) ✇ and sum 36634? (Z❂2)♠: subsequence of ❀ ❀ ❀ 2535❀ 3596❀ 3608❀ ❀ ❀ ❀ 7353❀ 7650❀ 9413) ✇ and xor 1060? central algorithmic ding theory. Recent asymptotic news Eurocrypt 2010 Howgrave-Graham–Joux: subset-sum exponent ✙0✿337. (Incorrect claim: ✙0✿311.) Eurocrypt 2011 Becker–Coron–Joux: subset-sum exponent ✙0✿291. Adaptations to decoding: Asiacrypt 2011 May–Meurer– Thomae, Eurocrypt 2012 Becker–Joux–May–Meurer. Post-quantum subset Claimed in TCC 2010 Lyubashevsky–Palacio–Segev “Public-key cryptograph primitives provably as secure as subset There are “currently quantum algorithms better than classical

• n the subset sum
• Hmmm. What’s the

quantum subset-sum

✇ roblem: ❀ ❀ ❀ ❀ ❀ 3608❀ ❀ ❀ ❀ ❀ 7650❀ 9413) ✇ 36634? ❂

♠

❀ ❀ ❀ ❀ ❀ 3608❀ ❀ ❀ ❀ ❀ 7650❀ 9413) ✇ 1060? rithmic Recent asymptotic news Eurocrypt 2010 Howgrave-Graham–Joux: subset-sum exponent ✙0✿337. (Incorrect claim: ✙0✿311.) Eurocrypt 2011 Becker–Coron–Joux: subset-sum exponent ✙0✿291. Adaptations to decoding: Asiacrypt 2011 May–Meurer– Thomae, Eurocrypt 2012 Becker–Joux–May–Meurer. Post-quantum subset sum Claimed in TCC 2010 Lyubashevsky–Palacio–Segev “Public-key cryptographic primitives provably as secure as subset sum”: There are “currently no known quantum algorithms that perfo better than classical ones

• n the subset sum problem”.
• Hmmm. What’s the best

quantum subset-sum exponent?

Recent asymptotic news Eurocrypt 2010 Howgrave-Graham–Joux: subset-sum exponent ✙0✿337. (Incorrect claim: ✙0✿311.) Eurocrypt 2011 Becker–Coron–Joux: subset-sum exponent ✙0✿291. Adaptations to decoding: Asiacrypt 2011 May–Meurer– Thomae, Eurocrypt 2012 Becker–Joux–May–Meurer. Post-quantum subset sum Claimed in TCC 2010 Lyubashevsky–Palacio–Segev “Public-key cryptographic primitives provably as secure as subset sum”: There are “currently no known quantum algorithms that perform better than classical ones

• n the subset sum problem”.
• Hmmm. What’s the best

quantum subset-sum exponent?

Recent asymptotic news crypt 2010 wgrave-Graham–Joux: subset-sum exponent ✙0✿337. rrect claim: ✙0✿311.) crypt 2011 er–Coron–Joux: subset-sum exponent ✙0✿291. Adaptations to decoding: Asiacrypt 2011 May–Meurer– Thomae, Eurocrypt 2012 er–Joux–May–Meurer. Post-quantum subset sum Claimed in TCC 2010 Lyubashevsky–Palacio–Segev “Public-key cryptographic primitives provably as secure as subset sum”: There are “currently no known quantum algorithms that perform better than classical ones

• n the subset sum problem”.
• Hmmm. What’s the best

quantum subset-sum exponent? Quantum Assume ❢ has ♥-bit Generic b finds this ✙2♥ evaluations ❢ 1996 Grover finds this ✙20✿5♥ quantum ❢

• n superp

Cost of quantu ❢ ✙ cost of ❢ if cost counts

ptotic news wgrave-Graham–Joux:

• nent ✙0✿337.

✙0✿311.)

• ux:
• nent ✙0✿291.

ecoding: May–Meurer– crypt 2012 er–Joux–May–Meurer. Post-quantum subset sum Claimed in TCC 2010 Lyubashevsky–Palacio–Segev “Public-key cryptographic primitives provably as secure as subset sum”: There are “currently no known quantum algorithms that perform better than classical ones

• n the subset sum problem”.
• Hmmm. What’s the best

quantum subset-sum exponent? Quantum search (0.5) Assume that function ❢ has ♥-bit input, unique Generic brute-force finds this root using ✙2♥ evaluations of ❢ 1996 Grover metho finds this root using ✙20✿5♥ quantum evaluations ❢

• n superpositions of

Cost of quantum evaluation ❢ ✙ cost of evaluation ❢ if cost counts qubit

✙ ✿337. ✙ ✿ ✙ ✿291. y–Meurer– y–Meurer. Post-quantum subset sum Claimed in TCC 2010 Lyubashevsky–Palacio–Segev “Public-key cryptographic primitives provably as secure as subset sum”: There are “currently no known quantum algorithms that perform better than classical ones

• n the subset sum problem”.
• Hmmm. What’s the best

quantum subset-sum exponent? Quantum search (0.5) Assume that function ❢ has ♥-bit input, unique root. Generic brute-force search finds this root using ✙2♥ evaluations of ❢. 1996 Grover method finds this root using ✙20✿5♥ quantum evaluations ❢

• n superpositions of inputs.

Cost of quantum evaluation ❢ ✙ cost of evaluation of ❢ if cost counts qubit “operations”.

Post-quantum subset sum Claimed in TCC 2010 Lyubashevsky–Palacio–Segev “Public-key cryptographic primitives provably as secure as subset sum”: There are “currently no known quantum algorithms that perform better than classical ones

• n the subset sum problem”.
• Hmmm. What’s the best

quantum subset-sum exponent? Quantum search (0.5) Assume that function ❢ has ♥-bit input, unique root. Generic brute-force search finds this root using ✙2♥ evaluations of ❢. 1996 Grover method finds this root using ✙20✿5♥ quantum evaluations of ❢

• n superpositions of inputs.

Cost of quantum evaluation of ❢ ✙ cost of evaluation of ❢ if cost counts qubit “operations”.

• st-quantum subset sum

Claimed in TCC 2010 Lyubashevsky–Palacio–Segev “Public-key cryptographic rimitives provably secure as subset sum”: are “currently no known quantum algorithms that perform than classical ones subset sum problem”.

• Hmmm. What’s the best

quantum subset-sum exponent? Quantum search (0.5) Assume that function ❢ has ♥-bit input, unique root. Generic brute-force search finds this root using ✙2♥ evaluations of ❢. 1996 Grover method finds this root using ✙20✿5♥ quantum evaluations of ❢

• n superpositions of inputs.

Cost of quantum evaluation of ❢ ✙ cost of evaluation of ❢ if cost counts qubit “operations”. Easily adapt different and # not Faster if but typic Most interesting: ✷ ❢ ❀ ❣

subset sum 2010 alacio–Segev cryptographic rovably subset sum”: “currently no known rithms that perform classical ones sum problem”. the best subset-sum exponent? Quantum search (0.5) Assume that function ❢ has ♥-bit input, unique root. Generic brute-force search finds this root using ✙2♥ evaluations of ❢. 1996 Grover method finds this root using ✙20✿5♥ quantum evaluations of ❢

• n superpositions of inputs.

Cost of quantum evaluation of ❢ ✙ cost of evaluation of ❢ if cost counts qubit “operations”. Easily adapt to handle different # of roots, and # not known Faster if # is large, but typically # is not Most interesting: # ✷ ❢ ❀ ❣

alacio–Segev known perform m”.

• nent?

Quantum search (0.5) Assume that function ❢ has ♥-bit input, unique root. Generic brute-force search finds this root using ✙2♥ evaluations of ❢. 1996 Grover method finds this root using ✙20✿5♥ quantum evaluations of ❢

• n superpositions of inputs.

Cost of quantum evaluation of ❢ ✙ cost of evaluation of ❢ if cost counts qubit “operations”. Easily adapt to handle different # of roots, and # not known in advance. Faster if # is large, but typically # is not very la Most interesting: # ✷ ❢0❀ 1❣

Quantum search (0.5) Assume that function ❢ has ♥-bit input, unique root. Generic brute-force search finds this root using ✙2♥ evaluations of ❢. 1996 Grover method finds this root using ✙20✿5♥ quantum evaluations of ❢

• n superpositions of inputs.

Cost of quantum evaluation of ❢ ✙ cost of evaluation of ❢ if cost counts qubit “operations”. Easily adapt to handle different # of roots, and # not known in advance. Faster if # is large, but typically # is not very large. Most interesting: # ✷ ❢0❀ 1❣.

Quantum search (0.5) Assume that function ❢ has ♥-bit input, unique root. Generic brute-force search finds this root using ✙2♥ evaluations of ❢. 1996 Grover method finds this root using ✙20✿5♥ quantum evaluations of ❢

• n superpositions of inputs.

Cost of quantum evaluation of ❢ ✙ cost of evaluation of ❢ if cost counts qubit “operations”. Easily adapt to handle different # of roots, and # not known in advance. Faster if # is large, but typically # is not very large. Most interesting: # ✷ ❢0❀ 1❣. Apply to the function ❏ ✼✦ Σ(❏) t where Σ(❏) = P

✐✷❏ ①✐.

Cost 20✿5♥ to find root (i.e., to find indices of subsequence

• f ①1❀ ✿ ✿ ✿ ❀ ①♥ with sum t)
• r to decide that no root exists.

We suppress poly factors in cost.

Quantum search (0.5) Assume that function ❢ ♥-bit input, unique root. Generic brute-force search this root using ✙ ♥ evaluations of ❢. Grover method this root using ✙

✿ ♥ quantum evaluations of ❢

erpositions of inputs.

• f quantum evaluation of ❢

✙ cost of evaluation of ❢ counts qubit “operations”. Easily adapt to handle different # of roots, and # not known in advance. Faster if # is large, but typically # is not very large. Most interesting: # ✷ ❢0❀ 1❣. Apply to the function ❏ ✼✦ Σ(❏) t where Σ(❏) = P

✐✷❏ ①✐.

Cost 20✿5♥ to find root (i.e., to find indices of subsequence

• f ①1❀ ✿ ✿ ✿ ❀ ①♥ with sum t)
• r to decide that no root exists.

We suppress poly factors in cost. Algorithm Represent ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❣ integer b

♥

♥ bits are to store ♥ qubits a superp ❏ 2♥ complex ❛0❀ ✿ ✿ ✿ ❀ ❛ ♥ ❥❛0❥2 + ✁ ✁ ✁ ❥❛ ♥ ❥ Measuring ♥ has chance ❥❛❏❥ ❏ Start from i.e., ❛❏ = ❂ ♥❂ ❏

(0.5) function ❢ ♥ unique root. rce search using ✙ ♥

• f ❢.

method using ✙

✿ ♥

evaluations of ❢

• sitions of inputs.

evaluation of ❢ ✙ evaluation of ❢ qubit “operations”. Easily adapt to handle different # of roots, and # not known in advance. Faster if # is large, but typically # is not very large. Most interesting: # ✷ ❢0❀ 1❣. Apply to the function ❏ ✼✦ Σ(❏) t where Σ(❏) = P

✐✷❏ ①✐.

Cost 20✿5♥ to find root (i.e., to find indices of subsequence

• f ①1❀ ✿ ✿ ✿ ❀ ①♥ with sum t)
• r to decide that no root exists.

We suppress poly factors in cost. Algorithm details fo Represent ❏ ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❣ integer between 0

♥

♥ bits are enough to store one such integer. ♥ qubits store much a superposition over ❏ 2♥ complex amplitudes ❛0❀ ✿ ✿ ✿ ❀ ❛2♥1 with ❥❛0❥2 + ✁ ✁ ✁ + ❥❛2♥ ❥ Measuring these ♥ has chance ❥❛❏❥2 to ❏ Start from uniform i.e., ❛❏ = 1❂2♥❂2 fo ❏

❢ ♥

• t.

✙ ♥ ❢ ✙

✿ ♥

evaluations of ❢ inputs. evaluation of ❢ ✙ ❢ erations”. Easily adapt to handle different # of roots, and # not known in advance. Faster if # is large, but typically # is not very large. Most interesting: # ✷ ❢0❀ 1❣. Apply to the function ❏ ✼✦ Σ(❏) t where Σ(❏) = P

✐✷❏ ①✐.

Cost 20✿5♥ to find root (i.e., to find indices of subsequence

• f ①1❀ ✿ ✿ ✿ ❀ ①♥ with sum t)
• r to decide that no root exists.

We suppress poly factors in cost. Algorithm details for unique Represent ❏ ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❣ as integer between 0 and 2♥ ♥ bits are enough space to store one such integer. ♥ qubits store much more, a superposition over sets ❏: 2♥ complex amplitudes ❛0❀ ✿ ✿ ✿ ❀ ❛2♥1 with ❥❛0❥2 + ✁ ✁ ✁ + ❥❛2♥1❥2 = 1. Measuring these ♥ qubits has chance ❥❛❏❥2 to produce ❏ Start from uniform superposition, i.e., ❛❏ = 1❂2♥❂2 for all ❏.

Easily adapt to handle different # of roots, and # not known in advance. Faster if # is large, but typically # is not very large. Most interesting: # ✷ ❢0❀ 1❣. Apply to the function ❏ ✼✦ Σ(❏) t where Σ(❏) = P

✐✷❏ ①✐.

Cost 20✿5♥ to find root (i.e., to find indices of subsequence

• f ①1❀ ✿ ✿ ✿ ❀ ①♥ with sum t)
• r to decide that no root exists.

We suppress poly factors in cost. Algorithm details for unique root: Represent ❏ ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❣ as an integer between 0 and 2♥ 1. ♥ bits are enough space to store one such integer. ♥ qubits store much more, a superposition over sets ❏: 2♥ complex amplitudes ❛0❀ ✿ ✿ ✿ ❀ ❛2♥1 with ❥❛0❥2 + ✁ ✁ ✁ + ❥❛2♥1❥2 = 1. Measuring these ♥ qubits has chance ❥❛❏❥2 to produce ❏. Start from uniform superposition, i.e., ❛❏ = 1❂2♥❂2 for all ❏.

adapt to handle different # of roots, not known in advance. if # is large, ypically # is not very large. interesting: # ✷ ❢0❀ 1❣. to the function ❏ ✼✦ Σ(❏) t where ❏ P

✐✷❏ ①✐. 0✿5♥ to find root (i.e.,

indices of subsequence ① ❀ ✿ ✿ ✿ ❀ ①♥ with sum t) decide that no root exists. suppress poly factors in cost. Algorithm details for unique root: Represent ❏ ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❣ as an integer between 0 and 2♥ 1. ♥ bits are enough space to store one such integer. ♥ qubits store much more, a superposition over sets ❏: 2♥ complex amplitudes ❛0❀ ✿ ✿ ✿ ❀ ❛2♥1 with ❥❛0❥2 + ✁ ✁ ✁ + ❥❛2♥1❥2 = 1. Measuring these ♥ qubits has chance ❥❛❏❥2 to produce ❏. Start from uniform superposition, i.e., ❛❏ = 1❂2♥❂2 for all ❏. Step 1: ❛ ✥ ❜ ❜❏ = ❛❏ ❏ t ❜❏ = ❛❏ This is ab as computing Step 2: Set ❛ ✥ ❜ ❜❏ = ❛❏ ❂ ♥ P

■ ❛■

This is also Repeat steps about 0✿ ✁

✿ ♥

Measure ♥ With high the unique ❏ ❏ t

handle

• ts,

wn in advance. rge, is not very large. interesting: # ✷ ❢0❀ 1❣. function ❏ ✼✦ ❏ t where ❏ P

✐✷❏ ①✐. ✿ ♥

find root (i.e.,

• f subsequence

① ❀ ✿ ✿ ✿ ❀ ①♥ with sum t) that no root exists.

• ly factors in cost.

Algorithm details for unique root: Represent ❏ ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❣ as an integer between 0 and 2♥ 1. ♥ bits are enough space to store one such integer. ♥ qubits store much more, a superposition over sets ❏: 2♥ complex amplitudes ❛0❀ ✿ ✿ ✿ ❀ ❛2♥1 with ❥❛0❥2 + ✁ ✁ ✁ + ❥❛2♥1❥2 = 1. Measuring these ♥ qubits has chance ❥❛❏❥2 to produce ❏. Start from uniform superposition, i.e., ❛❏ = 1❂2♥❂2 for all ❏. Step 1: Set ❛ ✥ ❜ ❜❏ = ❛❏ if Σ(❏) t ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥ P

■ ❛■

This is also easy. Repeat steps 1 and about 0✿58 ✁ 20✿5♥ Measure the ♥ qubits. With high probabilit the unique ❏ such ❏ t

advance. large. ✷ ❢ ❀ 1❣. ❏ ✼✦ ❏ t ❏ P

✐✷❏ ①✐ ✿ ♥

(i.e., subsequence ① ❀ ✿ ✿ ✿ ❀ ①♥ t exists. in cost. Algorithm details for unique root: Represent ❏ ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❣ as an integer between 0 and 2♥ 1. ♥ bits are enough space to store one such integer. ♥ qubits store much more, a superposition over sets ❏: 2♥ complex amplitudes ❛0❀ ✿ ✿ ✿ ❀ ❛2♥1 with ❥❛0❥2 + ✁ ✁ ✁ + ❥❛2♥1❥2 = 1. Measuring these ♥ qubits has chance ❥❛❏❥2 to produce ❏. Start from uniform superposition, i.e., ❛❏ = 1❂2♥❂2 for all ❏. Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) t

Algorithm details for unique root: Represent ❏ ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❣ as an integer between 0 and 2♥ 1. ♥ bits are enough space to store one such integer. ♥ qubits store much more, a superposition over sets ❏: 2♥ complex amplitudes ❛0❀ ✿ ✿ ✿ ❀ ❛2♥1 with ❥❛0❥2 + ✁ ✁ ✁ + ❥❛2♥1❥2 = 1. Measuring these ♥ qubits has chance ❥❛❏❥2 to produce ❏. Start from uniform superposition, i.e., ❛❏ = 1❂2♥❂2 for all ❏. Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t.

rithm details for unique root: resent ❏ ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❣ as an integer between 0 and 2♥ 1. ♥ are enough space re one such integer. ♥ qubits store much more, erposition over sets ❏:

♥ complex amplitudes

❛ ❀ ✿ ✿ ✿ ❀ ❛2♥1 with ❥❛ ❥ ✁ ✁ ✁ + ❥❛2♥1❥2 = 1. Measuring these ♥ qubits chance ❥❛❏❥2 to produce ❏. from uniform superposition, ❛❏ = 1❂2♥❂2 for all ❏. Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 ♥ after 0 steps:

−1.0 −0.5 0.0 0.5 1.0

ls for unique root: ❏ ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❣ as an 0 and 2♥ 1. ♥ enough space such integer. ♥ much more,

• ver sets ❏:

♥

amplitudes ❛ ❀ ✿ ✿ ✿ ❀ ❛ ♥ with ❥❛ ❥ ✁ ✁ ✁ ❥❛ ♥1❥2 = 1. ♥ qubits ❥❛❏❥ to produce ❏. rm superposition, ❛❏ ❂ ♥❂ for all ❏. Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example ♥ after 0 steps:

−1.0 −0.5 0.0 0.5 1.0

unique root: ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❣ as an

♥ 1.

♥ ♥ re, ❏:

♥

❛ ❀ ✿ ✿ ✿ ❀ ❛ ♥ ❥❛ ❥ ✁ ✁ ✁ ❥❛ ♥ ❥ 1. ♥ ❥❛❏❥ duce ❏.

• sition,

❛❏ ❂ ♥❂ ❏. Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = after 0 steps:

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 0 steps:

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after Step 1:

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after Step 1 + Step 2:

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after Step 1 + Step 2 + Step 1:

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 2 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 3 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 4 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 5 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 6 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 7 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 8 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 9 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 10 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 11 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 12 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 13 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 14 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 15 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 16 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 17 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 18 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 19 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 20 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 25 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 30 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 35 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Good moment to stop, measure.

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 40 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 45 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 50 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Traditional stopping point.

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 60 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 70 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 80 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 90 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Step 1: Set ❛ ✥ ❜ where ❜❏ = ❛❏ if Σ(❏) = t, ❜❏ = ❛❏ otherwise. This is about as easy as computing Σ. Step 2: “Grover diffusion”. Set ❛ ✥ ❜ where ❜❏ = ❛❏ + (2❂2♥) P

■ ❛■.

This is also easy. Repeat steps 1 and 2 about 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. With high probability this finds the unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 100 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Very bad stopping point.

1: Set ❛ ✥ ❜ where ❜❏ ❛❏ if Σ(❏) = t, ❜❏ ❛❏ otherwise. about as easy computing Σ. 2: “Grover diffusion”. ❛ ✥ ❜ where ❜❏ ❛❏ + (2❂2♥) P

■ ❛■.

also easy. eat steps 1 and 2 0✿58 ✁ 20✿5♥ times. Measure the ♥ qubits. high probability this finds unique ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 100 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Very bad stopping point. ❏ ✼✦ ❛❏ by a vecto (with fixed (1) ❛❏ fo ❏ (2) ❛❏ fo ❏ Step 1 + act linea Easily compute and pow to understand

• f state

✮ Probabilit ✙ after ✙(✙❂

✿ ♥

❛ ✥ ❜ where ❜❏ ❛❏ ❏) = t, ❜❏ ❛❏ otherwise. easy Σ. diffusion”. ❛ ✥ ❜ ❜❏ ❛❏ ❂2♥) P

■ ❛■.

. and 2 ✿ ✁

✿ ♥ times.

♥ qubits. robability this finds ❏ such that Σ(❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 100 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Very bad stopping point. ❏ ✼✦ ❛❏ is completely by a vector of two (with fixed multiplicities): (1) ❛❏ for roots ❏; (2) ❛❏ for non-roots ❏ Step 1 + Step 2 act linearly on this Easily compute eigenvalues and powers of this to understand evolution

• f state of Grover’s

✮ Probability is ✙ after ✙(✙❂4)20✿5♥

❛ ✥ ❜ ❜❏ ❛❏ ❏ t ❜❏ ❛❏ diffusion”. ❛ ✥ ❜ ❜❏ ❛❏ ❂ ♥ P

■ ❛■.

✿ ✁

✿ ♥

♥ finds ❏ ❏) = t. Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 100 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Very bad stopping point. ❏ ✼✦ ❛❏ is completely describ by a vector of two numbers (with fixed multiplicities): (1) ❛❏ for roots ❏; (2) ❛❏ for non-roots ❏. Step 1 + Step 2 act linearly on this vector. Easily compute eigenvalues and powers of this linear map to understand evolution

• f state of Grover’s algorithm.

✮ Probability is ✙1 after ✙(✙❂4)20✿5♥ iterations.

Graph of ❏ ✼✦ ❛❏ for 36634 example with ♥ = 12 after 100 ✂ (Step 1 + Step 2):

−1.0 −0.5 0.0 0.5 1.0

Very bad stopping point. ❏ ✼✦ ❛❏ is completely described by a vector of two numbers (with fixed multiplicities): (1) ❛❏ for roots ❏; (2) ❛❏ for non-roots ❏. Step 1 + Step 2 act linearly on this vector. Easily compute eigenvalues and powers of this linear map to understand evolution

• f state of Grover’s algorithm.

✮ Probability is ✙1 after ✙(✙❂4)20✿5♥ iterations.

• f ❏ ✼✦ ❛❏

36634 example with ♥ = 12 100 ✂ (Step 1 + Step 2): bad stopping point. ❏ ✼✦ ❛❏ is completely described by a vector of two numbers (with fixed multiplicities): (1) ❛❏ for roots ❏; (2) ❛❏ for non-roots ❏. Step 1 + Step 2 act linearly on this vector. Easily compute eigenvalues and powers of this linear map to understand evolution

• f state of Grover’s algorithm.

✮ Probability is ✙1 after ✙(✙❂4)20✿5♥ iterations. Left-right Don’t need to achieve ✿ For simplicit ♥ ✷ 1974 Ho Sort list ❏ for all ❏1 ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ and list of t ❏ for all ❏2 ✒ ❢♥❂ ❀ ✿ ✿ ✿ ❀ ♥❣ Merge to Σ(❏1) = t ❏ i.e., Σ(❏1 ❬ ❏ t

❏ ✼✦ ❛❏ example with ♥ = 12 ✂ (Step 1 + Step 2): stopping point. ❏ ✼✦ ❛❏ is completely described by a vector of two numbers (with fixed multiplicities): (1) ❛❏ for roots ❏; (2) ❛❏ for non-roots ❏. Step 1 + Step 2 act linearly on this vector. Easily compute eigenvalues and powers of this linear map to understand evolution

• f state of Grover’s algorithm.

✮ Probability is ✙1 after ✙(✙❂4)20✿5♥ iterations. Left-right split (0.5) Don’t need quantum to achieve exponent ✿ For simplicity assume ♥ ✷ 1974 Horowitz–Sahni: Sort list of Σ(❏1) for all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂ ❣ and list of t Σ(❏ for all ❏2 ✒ ❢♥❂2 + ❀ ✿ ✿ ✿ ❀ ♥❣ Merge to find collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t

❏ ✼✦ ❛❏ ♥ = 12 ✂ 2): ❏ ✼✦ ❛❏ is completely described by a vector of two numbers (with fixed multiplicities): (1) ❛❏ for roots ❏; (2) ❛❏ for non-roots ❏. Step 1 + Step 2 act linearly on this vector. Easily compute eigenvalues and powers of this linear map to understand evolution

• f state of Grover’s algorithm.

✮ Probability is ✙1 after ✙(✙❂4)20✿5♥ iterations. Left-right split (0.5) Don’t need quantum computers to achieve exponent 0✿5. For simplicity assume ♥ ✷ 2Z 1974 Horowitz–Sahni: Sort list of Σ(❏1) for all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ and list of t Σ(❏2) for all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣ Merge to find collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t.

❏ ✼✦ ❛❏ is completely described by a vector of two numbers (with fixed multiplicities): (1) ❛❏ for roots ❏; (2) ❛❏ for non-roots ❏. Step 1 + Step 2 act linearly on this vector. Easily compute eigenvalues and powers of this linear map to understand evolution

• f state of Grover’s algorithm.

✮ Probability is ✙1 after ✙(✙❂4)20✿5♥ iterations. Left-right split (0.5) Don’t need quantum computers to achieve exponent 0✿5. For simplicity assume ♥ ✷ 2Z. 1974 Horowitz–Sahni: Sort list of Σ(❏1) for all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ and list of t Σ(❏2) for all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Merge to find collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t.

❏ ✼✦ ❛❏ is completely described vector of two numbers fixed multiplicities): ❛❏ for roots ❏; ❛❏ for non-roots ❏. + Step 2 linearly on this vector. compute eigenvalues wers of this linear map understand evolution state of Grover’s algorithm. ✮ Probability is ✙1 ✙(✙❂4)20✿5♥ iterations. Left-right split (0.5) Don’t need quantum computers to achieve exponent 0✿5. For simplicity assume ♥ ✷ 2Z. 1974 Horowitz–Sahni: Sort list of Σ(❏1) for all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ and list of t Σ(❏2) for all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Merge to find collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t. Cost 20✿5♥ We assign e.g. 36634 (499❀ 852❀ ❀ ❀ ❀ ❀ 4688❀ 5989❀ ❀ ❀ ❀ Sort the 0❀ 499❀ 852❀ ❀ ✿ ✿ ✿ ❀ 499 + 852 ✁ ✁ ✁ and the 36634 ❀

• ❀ ✿ ✿ ✿ ❀

36634 ✁ ✁ ✁ to see that 499 + 852 366345989

❏ ✼✦ ❛❏ completely described

• numbers

multiplicities): ❛❏ ❏; ❛❏ non-roots ❏. this vector. eigenvalues this linear map evolution Grover’s algorithm. ✮ ✙1 ✙ ✙❂

✿ ♥ iterations.

Left-right split (0.5) Don’t need quantum computers to achieve exponent 0✿5. For simplicity assume ♥ ✷ 2Z. 1974 Horowitz–Sahni: Sort list of Σ(❏1) for all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ and list of t Σ(❏2) for all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Merge to find collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t. Cost 20✿5♥ for sorting, We assign cost 1 to e.g. 36634 as sum (499❀ 852❀ 1927❀ 2535❀ ❀ ❀ 4688❀ 5989❀ 6385❀ 7353❀ ❀ Sort the 64 sums 0❀ 499❀ 852❀ 499 + 852❀ ✿ ✿ ✿ ❀ 499 + 852 + 1927 ✁ ✁ ✁ and the 64 differences 36634 0❀ 36634 ❀ ✿ ✿ ✿ ❀ 36634 4688 ✁ ✁ ✁ to see that 499 + 852 + 2535 3663459896385

❏ ✼✦ ❛❏ described ers ❛❏ ❏ ❛❏ ❏ eigenvalues map rithm. ✮ ✙ ✙ ✙❂

✿ ♥ iterations.

Left-right split (0.5) Don’t need quantum computers to achieve exponent 0✿5. For simplicity assume ♥ ✷ 2Z. 1974 Horowitz–Sahni: Sort list of Σ(❏1) for all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ and list of t Σ(❏2) for all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Merge to find collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t. Cost 20✿5♥ for sorting, merging. We assign cost 1 to RAM. e.g. 36634 as sum of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ Sort the 64 sums 0❀ 499❀ 852❀ 499 + 852❀ ✿ ✿ ✿ ❀ 499 + 852 + 1927 + ✁ ✁ ✁ + 3608 and the 64 differences 36634 0❀ 36634 4688❀ ✿ ✿ ✿ ❀ 36634 4688 ✁ ✁ ✁ 9413 to see that 499 + 852 + 2535 + 3608 = 36634598963857353

Left-right split (0.5) Don’t need quantum computers to achieve exponent 0✿5. For simplicity assume ♥ ✷ 2Z. 1974 Horowitz–Sahni: Sort list of Σ(❏1) for all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ and list of t Σ(❏2) for all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Merge to find collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t. Cost 20✿5♥ for sorting, merging. We assign cost 1 to RAM. e.g. 36634 as sum of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413): Sort the 64 sums 0❀ 499❀ 852❀ 499 + 852❀ ✿ ✿ ✿ ❀ 499 + 852 + 1927 + ✁ ✁ ✁ + 3608 and the 64 differences 36634 0❀ 36634 4688❀ ✿ ✿ ✿ ❀ 36634 4688 ✁ ✁ ✁ 9413 to see that 499 + 852 + 2535 + 3608 = 366345989638573539413.

Left-right split (0.5) need quantum computers achieve exponent 0✿5. simplicity assume ♥ ✷ 2Z. Horowitz–Sahni: ist of Σ(❏1) ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ list of t Σ(❏2) ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. to find collisions ❏ = t Σ(❏2), Σ(❏1 ❬ ❏2) = t. Cost 20✿5♥ for sorting, merging. We assign cost 1 to RAM. e.g. 36634 as sum of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413): Sort the 64 sums 0❀ 499❀ 852❀ 499 + 852❀ ✿ ✿ ✿ ❀ 499 + 852 + 1927 + ✁ ✁ ✁ + 3608 and the 64 differences 36634 0❀ 36634 4688❀ ✿ ✿ ✿ ❀ 36634 4688 ✁ ✁ ✁ 9413 to see that 499 + 852 + 2535 + 3608 = 366345989638573539413. Moduli (0.5) For simplicit ♥ ✷ Choose ▼ ✙

✿ ♥

Choose t ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ▼ ❣ Define t2 t t Find all ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ such that ❏ ✑ t ▼ How? Split ❏ ❏ ❬ ❏ Find all ❏ ✒ ❢♥❂ ❀ ✿ ✿ ✿ ❀ ♥❣ such that ❏ ✑ t ▼ Sort and collisions ❏ t ❏ i.e., Σ(❏1 ❬ ❏ t

(0.5) quantum computers ent 0✿5. assume ♥ ✷ 2Z. witz–Sahni: ❏ ) ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂2❣ t Σ(❏2) ❏ ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. collisions ❏ t ❏2), ❏ ❬ ❏ = t. Cost 20✿5♥ for sorting, merging. We assign cost 1 to RAM. e.g. 36634 as sum of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413): Sort the 64 sums 0❀ 499❀ 852❀ 499 + 852❀ ✿ ✿ ✿ ❀ 499 + 852 + 1927 + ✁ ✁ ✁ + 3608 and the 64 differences 36634 0❀ 36634 4688❀ ✿ ✿ ✿ ❀ 36634 4688 ✁ ✁ ✁ 9413 to see that 499 + 852 + 2535 + 3608 = 366345989638573539413. Moduli (0.5) For simplicity assume ♥ ✷ Choose ▼ ✙ 20✿25♥ Choose t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ ▼ ❣ Define t2 = t t1. Find all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂ ❣ such that Σ(❏1) ✑ t ▼ How? Split ❏1 as ❏ ❬ ❏ Find all ❏2 ✒ ❢♥❂2 ❀ ✿ ✿ ✿ ❀ ♥❣ such that Σ(❏2) ✑ t ▼ Sort and merge to collisions Σ(❏1) = t ❏ i.e., Σ(❏1 ❬ ❏2) = t

computers ✿ ♥ ✷ 2Z. ❏ ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ t ❏ ❏ ✒ ❢♥❂ ❀ ✿ ✿ ✿ ❀ ♥❣. ❏ t ❏ ❏ ❬ ❏ t Cost 20✿5♥ for sorting, merging. We assign cost 1 to RAM. e.g. 36634 as sum of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413): Sort the 64 sums 0❀ 499❀ 852❀ 499 + 852❀ ✿ ✿ ✿ ❀ 499 + 852 + 1927 + ✁ ✁ ✁ + 3608 and the 64 differences 36634 0❀ 36634 4688❀ ✿ ✿ ✿ ❀ 36634 4688 ✁ ✁ ✁ 9413 to see that 499 + 852 + 2535 + 3608 = 366345989638573539413. Moduli (0.5) For simplicity assume ♥ ✷ 4Z Choose ▼ ✙ 20✿25♥. Choose t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ ▼ 1❣ Define t2 = t t1. Find all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ such that Σ(❏1) ✑ t1 (mod ▼ How? Split ❏1 as ❏11 ❬ ❏12. Find all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣ such that Σ(❏2) ✑ t2 (mod ▼ Sort and merge to find all collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t.

Cost 20✿5♥ for sorting, merging. We assign cost 1 to RAM. e.g. 36634 as sum of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413): Sort the 64 sums 0❀ 499❀ 852❀ 499 + 852❀ ✿ ✿ ✿ ❀ 499 + 852 + 1927 + ✁ ✁ ✁ + 3608 and the 64 differences 36634 0❀ 36634 4688❀ ✿ ✿ ✿ ❀ 36634 4688 ✁ ✁ ✁ 9413 to see that 499 + 852 + 2535 + 3608 = 366345989638573539413. Moduli (0.5) For simplicity assume ♥ ✷ 4Z. Choose ▼ ✙ 20✿25♥. Choose t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ ▼ 1❣. Define t2 = t t1. Find all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ such that Σ(❏1) ✑ t1 (mod ▼). How? Split ❏1 as ❏11 ❬ ❏12. Find all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣ such that Σ(❏2) ✑ t2 (mod ▼). Sort and merge to find all collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t.

0✿5♥ for sorting, merging.

assign cost 1 to RAM. 36634 as sum of ❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ ❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413): e 64 sums ❀ ❀ 852❀ 499 + 852❀ ✿ ✿ ✿ ❀ 852 + 1927 + ✁ ✁ ✁ + 3608 the 64 differences 0❀ 36634 4688❀ ✿ ✿ ✿ ❀ 4688 ✁ ✁ ✁ 9413 that 852 + 2535 + 3608 = 5989638573539413. Moduli (0.5) For simplicity assume ♥ ✷ 4Z. Choose ▼ ✙ 20✿25♥. Choose t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ ▼ 1❣. Define t2 = t t1. Find all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ such that Σ(❏1) ✑ t1 (mod ▼). How? Split ❏1 as ❏11 ❬ ❏12. Find all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣ such that Σ(❏2) ✑ t2 (mod ▼). Sort and merge to find all collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t. Finds ❏ iff ❏ ✑ t There ar ✙

✿ ♥

t Each choice

✿ ♥

Total cost

✿ ♥

Not visible this uses

✿ ♥

assuming Algorithm introduced 2006 Elsenhans–Jahnel; 2010 Ho Different for simila 1981 Schro

✿ ♥

rting, merging. to RAM. sum of ❀ ❀ ❀ 2535❀ 3596❀ 3608❀ ❀ ❀ ❀ 7353❀ 7650❀ 9413): sums ❀ ❀ ❀ 852❀ ✿ ✿ ✿ ❀ 1927 + ✁ ✁ ✁ + 3608 differences ❀ 36634 4688❀ ✿ ✿ ✿ ❀

• ✁ ✁ ✁ 9413

2535 + 3608 =

• 638573539413.

Moduli (0.5) For simplicity assume ♥ ✷ 4Z. Choose ▼ ✙ 20✿25♥. Choose t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ ▼ 1❣. Define t2 = t t1. Find all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ such that Σ(❏1) ✑ t1 (mod ▼). How? Split ❏1 as ❏11 ❬ ❏12. Find all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣ such that Σ(❏2) ✑ t2 (mod ▼). Sort and merge to find all collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t. Finds ❏ iff Σ(❏1) ✑ t There are ✙20✿25♥ t Each choice costs

✿ ♥

Total cost 20✿5♥. Not visible in cost this uses space only

✿ ♥

assuming typical distribution. Algorithm has been introduced at least 2006 Elsenhans–Jahnel; 2010 Howgrave-Graha Different technique for similar space reduction: 1981 Schroeppel–Shamir.

✿ ♥

merging. RAM. ❀ ❀ ❀ ❀ ❀ 3608❀ ❀ ❀ ❀ ❀ 7650❀ 9413): ❀ ❀ ❀ ❀ ✿ ✿ ✿ ❀ ✁ ✁ ✁ 3608 ❀

• ❀ ✿ ✿ ✿ ❀
• ✁ ✁ ✁ 9413

=

• 73539413.

Moduli (0.5) For simplicity assume ♥ ✷ 4Z. Choose ▼ ✙ 20✿25♥. Choose t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ ▼ 1❣. Define t2 = t t1. Find all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ such that Σ(❏1) ✑ t1 (mod ▼). How? Split ❏1 as ❏11 ❬ ❏12. Find all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣ such that Σ(❏2) ✑ t2 (mod ▼). Sort and merge to find all collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t. Finds ❏ iff Σ(❏1) ✑ t1. There are ✙20✿25♥ choices of t Each choice costs 20✿25♥. Total cost 20✿5♥. Not visible in cost metric: this uses space only 20✿25♥, assuming typical distribution. Algorithm has been introduced at least twice: 2006 Elsenhans–Jahnel; 2010 Howgrave-Graham–Joux. Different technique for similar space reduction: 1981 Schroeppel–Shamir.

Moduli (0.5) For simplicity assume ♥ ✷ 4Z. Choose ▼ ✙ 20✿25♥. Choose t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ ▼ 1❣. Define t2 = t t1. Find all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ such that Σ(❏1) ✑ t1 (mod ▼). How? Split ❏1 as ❏11 ❬ ❏12. Find all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣ such that Σ(❏2) ✑ t2 (mod ▼). Sort and merge to find all collisions Σ(❏1) = t Σ(❏2), i.e., Σ(❏1 ❬ ❏2) = t. Finds ❏ iff Σ(❏1) ✑ t1. There are ✙20✿25♥ choices of t1. Each choice costs 20✿25♥. Total cost 20✿5♥. Not visible in cost metric: this uses space only 20✿25♥, assuming typical distribution. Algorithm has been introduced at least twice: 2006 Elsenhans–Jahnel; 2010 Howgrave-Graham–Joux. Different technique for similar space reduction: 1981 Schroeppel–Shamir.

duli (0.5) simplicity assume ♥ ✷ 4Z.

• se ▼ ✙ 20✿25♥.
• se t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ ▼ 1❣.

t2 = t t1. all ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣ that Σ(❏1) ✑ t1 (mod ▼). Split ❏1 as ❏11 ❬ ❏12. all ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣ that Σ(❏2) ✑ t2 (mod ▼). and merge to find all collisions Σ(❏1) = t Σ(❏2), Σ(❏1 ❬ ❏2) = t. Finds ❏ iff Σ(❏1) ✑ t1. There are ✙20✿25♥ choices of t1. Each choice costs 20✿25♥. Total cost 20✿5♥. Not visible in cost metric: this uses space only 20✿25♥, assuming typical distribution. Algorithm has been introduced at least twice: 2006 Elsenhans–Jahnel; 2010 Howgrave-Graham–Joux. Different technique for similar space reduction: 1981 Schroeppel–Shamir. e.g. ▼ = t ① (499❀ 852❀ ❀ ❀ ❀ ❀ 4688❀ 5989❀ ❀ ❀ ❀ Try each t ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ In particula t There are (499❀ 852❀ ❀ ❀ ❀ with sum There are (4688❀ 5989❀ ❀ ❀ ❀ with sum

• Sort and

499 + 852 366345989

assume ♥ ✷ 4Z. ▼ ✙

✿25♥.

t ✷ ❢ ❀ 1❀ ✿ ✿ ✿ ❀ ▼ 1❣. t t t1. ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂2❣ ❏ ✑ t1 (mod ▼). ❏ as ❏11 ❬ ❏12. ❏ ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣ ❏ ✑ t2 (mod ▼). to find all ❏ = t Σ(❏2), ❏ ❬ ❏ = t. Finds ❏ iff Σ(❏1) ✑ t1. There are ✙20✿25♥ choices of t1. Each choice costs 20✿25♥. Total cost 20✿5♥. Not visible in cost metric: this uses space only 20✿25♥, assuming typical distribution. Algorithm has been introduced at least twice: 2006 Elsenhans–Jahnel; 2010 Howgrave-Graham–Joux. Different technique for similar space reduction: 1981 Schroeppel–Shamir. e.g. ▼ = 8, t = 36634, ① (499❀ 852❀ 1927❀ 2535❀ ❀ ❀ 4688❀ 5989❀ 6385❀ 7353❀ ❀ Try each t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ ❣ In particular try t1 There are 12 subsequences (499❀ 852❀ 1927❀ 2535❀ ❀ with sum 6 modulo There are 6 subsequences (4688❀ 5989❀ 6385❀ ❀ ❀ with sum 36634 Sort and merge to 499 + 852 + 2535 3663459896385

♥ ✷ 4Z. ▼ ✙

✿ ♥

t ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ▼ 1❣. t t t ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ ❏ ✑ t (mod ▼). ❏ ❏ ❬ ❏ . ❏ ✒ ❢♥❂ ❀ ✿ ✿ ✿ ❀ ♥❣ ❏ ✑ t (mod ▼). ❏ t ❏2), ❏ ❬ ❏ t Finds ❏ iff Σ(❏1) ✑ t1. There are ✙20✿25♥ choices of t1. Each choice costs 20✿25♥. Total cost 20✿5♥. Not visible in cost metric: this uses space only 20✿25♥, assuming typical distribution. Algorithm has been introduced at least twice: 2006 Elsenhans–Jahnel; 2010 Howgrave-Graham–Joux. Different technique for similar space reduction: 1981 Schroeppel–Shamir. e.g. ▼ = 8, t = 36634, ① = (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ Try each t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ 7❣. In particular try t1 = 6. There are 12 subsequences of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608) with sum 6 modulo 8. There are 6 subsequences of (4688❀ 5989❀ 6385❀ 7353❀ 7650❀ with sum 36634 6 modulo Sort and merge to find 499 + 852 + 2535 + 3608 = 36634598963857353

Finds ❏ iff Σ(❏1) ✑ t1. There are ✙20✿25♥ choices of t1. Each choice costs 20✿25♥. Total cost 20✿5♥. Not visible in cost metric: this uses space only 20✿25♥, assuming typical distribution. Algorithm has been introduced at least twice: 2006 Elsenhans–Jahnel; 2010 Howgrave-Graham–Joux. Different technique for similar space reduction: 1981 Schroeppel–Shamir. e.g. ▼ = 8, t = 36634, ① = (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413): Try each t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ 7❣. In particular try t1 = 6. There are 12 subsequences of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608) with sum 6 modulo 8. There are 6 subsequences of (4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) with sum 36634 6 modulo 8. Sort and merge to find 499 + 852 + 2535 + 3608 = 366345989638573539413.

❏ iff Σ(❏1) ✑ t1. are ✙20✿25♥ choices of t1. choice costs 20✿25♥. cost 20✿5♥. visible in cost metric: uses space only 20✿25♥, assuming typical distribution. rithm has been duced at least twice: Elsenhans–Jahnel; Howgrave-Graham–Joux. Different technique imilar space reduction: Schroeppel–Shamir. e.g. ▼ = 8, t = 36634, ① = (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413): Try each t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ 7❣. In particular try t1 = 6. There are 12 subsequences of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608) with sum 6 modulo 8. There are 6 subsequences of (4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) with sum 36634 6 modulo 8. Sort and merge to find 499 + 852 + 2535 + 3608 = 366345989638573539413. Quantum ✿ ✿ ✿ ✿ Cost 2♥❂ 1998 Brassa For simplicit ♥ ✷ Compute ❏ ❏1 ✒ ❢1❀ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ Sort ▲ = ❢ ❏ ❣ Can now ❏2 ✼✦ [t ❏ ❂ ✷ ▲ for ❏2 ✒ ❢♥❂ ❀ ✿ ✿ ✿ ❀ ♥❣ Recall: w Use Grover’s whether

❏ ❏ ) ✑ t1. ✙

✿ ♥ choices of t1.

costs 20✿25♥.

✿ ♥.

cost metric:

• nly 20✿25♥,

ypical distribution. een least twice: Elsenhans–Jahnel; wgrave-Graham–Joux. nique reduction: el–Shamir. e.g. ▼ = 8, t = 36634, ① = (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413): Try each t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ 7❣. In particular try t1 = 6. There are 12 subsequences of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608) with sum 6 modulo 8. There are 6 subsequences of (4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) with sum 36634 6 modulo 8. Sort and merge to find 499 + 852 + 2535 + 3608 = 366345989638573539413. Quantum left-right ✿ ✿ ✿ ✿ Cost 2♥❂3, imitating 1998 Brassard–Høy For simplicity assume ♥ ✷ Compute Σ(❏1) fo ❏1 ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ ♥❂3❣ Sort ▲ = ❢Σ(❏1)❣. Can now efficiently ❏2 ✼✦ [t Σ(❏2) ❂ ✷ ▲ for ❏2 ✒ ❢♥❂3 + 1❀ ✿ ✿ ✿ ❀ ♥❣ Recall: we assign cost Use Grover’s metho whether this function

❏ ❏ ✑ t ✙

✿ ♥

• f t1.

✿ ♥ ✿ ♥ ✿ ♥,

distribution. –Joux. reduction: e.g. ▼ = 8, t = 36634, ① = (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413): Try each t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ 7❣. In particular try t1 = 6. There are 12 subsequences of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608) with sum 6 modulo 8. There are 6 subsequences of (4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) with sum 36634 6 modulo 8. Sort and merge to find 499 + 852 + 2535 + 3608 = 366345989638573539413. Quantum left-right split (0✿333 ✿ ✿ ✿ Cost 2♥❂3, imitating 1998 Brassard–Høyer–Tapp: For simplicity assume ♥ ✷ 3Z Compute Σ(❏1) for all ❏1 ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ ♥❂3❣. Sort ▲ = ❢Σ(❏1)❣. Can now efficiently compute ❏2 ✼✦ [t Σ(❏2) ❂ ✷ ▲] for ❏2 ✒ ❢♥❂3 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Recall: we assign cost 1 to RAM. Use Grover’s method to see whether this function has a ro

e.g. ▼ = 8, t = 36634, ① = (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ 4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413): Try each t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ 7❣. In particular try t1 = 6. There are 12 subsequences of (499❀ 852❀ 1927❀ 2535❀ 3596❀ 3608) with sum 6 modulo 8. There are 6 subsequences of (4688❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) with sum 36634 6 modulo 8. Sort and merge to find 499 + 852 + 2535 + 3608 = 366345989638573539413. Quantum left-right split (0✿333 ✿ ✿ ✿) Cost 2♥❂3, imitating 1998 Brassard–Høyer–Tapp: For simplicity assume ♥ ✷ 3Z. Compute Σ(❏1) for all ❏1 ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ ♥❂3❣. Sort ▲ = ❢Σ(❏1)❣. Can now efficiently compute ❏2 ✼✦ [t Σ(❏2) ❂ ✷ ▲] for ❏2 ✒ ❢♥❂3 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Recall: we assign cost 1 to RAM. Use Grover’s method to see whether this function has a root.

▼ = 8, t = 36634, ① = ❀ 852❀ 1927❀ 2535❀ 3596❀ 3608❀ ❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413): each t1 ✷ ❢0❀ 1❀ ✿ ✿ ✿ ❀ 7❣. rticular try t1 = 6. are 12 subsequences of ❀ 852❀ 1927❀ 2535❀ 3596❀ 3608) sum 6 modulo 8. are 6 subsequences of ❀ 5989❀ 6385❀ 7353❀ 7650❀ 9413) sum 36634 6 modulo 8. and merge to find 852 + 2535 + 3608 = 5989638573539413. Quantum left-right split (0✿333 ✿ ✿ ✿) Cost 2♥❂3, imitating 1998 Brassard–Høyer–Tapp: For simplicity assume ♥ ✷ 3Z. Compute Σ(❏1) for all ❏1 ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ ♥❂3❣. Sort ▲ = ❢Σ(❏1)❣. Can now efficiently compute ❏2 ✼✦ [t Σ(❏2) ❂ ✷ ▲] for ❏2 ✒ ❢♥❂3 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Recall: we assign cost 1 to RAM. Use Grover’s method to see whether this function has a root. Quantum Unique-collision-finding Say ❢ has ♥ exactly one ❢♣❀ q❣ i.e., ♣ ✻= q ❢ ♣ ❢ q Problem: Cost 2♥: ❙ the set of ♥ Compute ❢ ❙ Generalize r success p ✙ r❂ ♥ Choose a ❙ r Compute ❢ ❙

▼ t 36634, ① = ❀ ❀ ❀ 2535❀ 3596❀ 3608❀ ❀ ❀ ❀ 7353❀ 7650❀ 9413): t ✷ ❢ ❀ 1❀ ✿ ✿ ✿ ❀ 7❣. t1 = 6. subsequences of ❀ ❀ ❀ 2535❀ 3596❀ 3608) dulo 8. subsequences of ❀ ❀ 6385❀ 7353❀ 7650❀ 9413) 6 modulo 8. to find 2535 + 3608 =

• 638573539413.

Quantum left-right split (0✿333 ✿ ✿ ✿) Cost 2♥❂3, imitating 1998 Brassard–Høyer–Tapp: For simplicity assume ♥ ✷ 3Z. Compute Σ(❏1) for all ❏1 ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ ♥❂3❣. Sort ▲ = ❢Σ(❏1)❣. Can now efficiently compute ❏2 ✼✦ [t Σ(❏2) ❂ ✷ ▲] for ❏2 ✒ ❢♥❂3 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Recall: we assign cost 1 to RAM. Use Grover’s method to see whether this function has a root. Quantum walk Unique-collision-finding Say ❢ has ♥-bit inputs, exactly one collision ❢♣❀ q❣ i.e., ♣ ✻= q, ❢(♣) = ❢ q Problem: find this Cost 2♥: Define ❙ the set of ♥-bit strings. Compute ❢(❙), sort. Generalize to cost r success probability ✙ r❂ ♥ Choose a set ❙ of r Compute ❢(❙), sort.

▼ t ① = ❀ ❀ ❀ ❀ ❀ 3608❀ ❀ ❀ ❀ ❀ 7650❀ 9413): t ✷ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣. t subsequences of ❀ ❀ ❀ ❀ ❀ 3608)

• f

❀ ❀ ❀ ❀ 7650❀ 9413)

• dulo 8.

=

• 73539413.

Quantum left-right split (0✿333 ✿ ✿ ✿) Cost 2♥❂3, imitating 1998 Brassard–Høyer–Tapp: For simplicity assume ♥ ✷ 3Z. Compute Σ(❏1) for all ❏1 ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ ♥❂3❣. Sort ▲ = ❢Σ(❏1)❣. Can now efficiently compute ❏2 ✼✦ [t Σ(❏2) ❂ ✷ ▲] for ❏2 ✒ ❢♥❂3 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Recall: we assign cost 1 to RAM. Use Grover’s method to see whether this function has a root. Quantum walk Unique-collision-finding problem: Say ❢ has ♥-bit inputs, exactly one collision ❢♣❀ q❣: i.e., ♣ ✻= q, ❢(♣) = ❢(q). Problem: find this collision. Cost 2♥: Define ❙ as the set of ♥-bit strings. Compute ❢(❙), sort. Generalize to cost r, success probability ✙(r❂2♥)2 Choose a set ❙ of size r. Compute ❢(❙), sort.

Quantum left-right split (0✿333 ✿ ✿ ✿) Cost 2♥❂3, imitating 1998 Brassard–Høyer–Tapp: For simplicity assume ♥ ✷ 3Z. Compute Σ(❏1) for all ❏1 ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ ♥❂3❣. Sort ▲ = ❢Σ(❏1)❣. Can now efficiently compute ❏2 ✼✦ [t Σ(❏2) ❂ ✷ ▲] for ❏2 ✒ ❢♥❂3 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Recall: we assign cost 1 to RAM. Use Grover’s method to see whether this function has a root. Quantum walk Unique-collision-finding problem: Say ❢ has ♥-bit inputs, exactly one collision ❢♣❀ q❣: i.e., ♣ ✻= q, ❢(♣) = ❢(q). Problem: find this collision. Cost 2♥: Define ❙ as the set of ♥-bit strings. Compute ❢(❙), sort. Generalize to cost r, success probability ✙(r❂2♥)2: Choose a set ❙ of size r. Compute ❢(❙), sort.

Quantum left-right split (0✿333 ✿ ✿ ✿)

♥❂3, imitating

Brassard–Høyer–Tapp: simplicity assume ♥ ✷ 3Z. Compute Σ(❏1) for all ❏ ✒ ❢1❀ 2❀ ✿ ✿ ✿ ❀ ♥❂3❣. ▲ = ❢Σ(❏1)❣. now efficiently compute ❏ ✼✦ [t Σ(❏2) ❂ ✷ ▲] ❏ ✒ ❢♥❂3 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Recall: we assign cost 1 to RAM. Grover’s method to see whether this function has a root. Quantum walk Unique-collision-finding problem: Say ❢ has ♥-bit inputs, exactly one collision ❢♣❀ q❣: i.e., ♣ ✻= q, ❢(♣) = ❢(q). Problem: find this collision. Cost 2♥: Define ❙ as the set of ♥-bit strings. Compute ❢(❙), sort. Generalize to cost r, success probability ✙(r❂2♥)2: Choose a set ❙ of size r. Compute ❢(❙), sort. Data structure ❉ ❙ the generalized the set ❙ ❢ ❙ the numb ❙ Very efficient ❉ ❙ to ❉(❚) ❚ #❙ = #❚ r ❙ ❭❚ r 2003 Ambainis, Magniez–Na Create sup (❉(❙)❀ ❉ ❚ ❙❀ ❚ By a qua find ❙ containing

left-right split (0✿333 ✿ ✿ ✿)

♥❂

imitating d–Høyer–Tapp: assume ♥ ✷ 3Z. ❏ for all ❏ ✒ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ♥❂3❣. ▲ ❢ ❏ ❣. efficiently compute ❏ ✼✦ t ❏ ❂ ✷ ▲] ❏ ✒ ❢♥❂ 1❀ ✿ ✿ ✿ ❀ ♥❣. assign cost 1 to RAM. method to see function has a root. Quantum walk Unique-collision-finding problem: Say ❢ has ♥-bit inputs, exactly one collision ❢♣❀ q❣: i.e., ♣ ✻= q, ❢(♣) = ❢(q). Problem: find this collision. Cost 2♥: Define ❙ as the set of ♥-bit strings. Compute ❢(❙), sort. Generalize to cost r, success probability ✙(r❂2♥)2: Choose a set ❙ of size r. Compute ❢(❙), sort. Data structure ❉(❙ the generalized computation: the set ❙; the multiset ❢ ❙ the number of collisions ❙ Very efficient to move ❉ ❙ to ❉(❚) if ❚ is an #❙ = #❚ = r, #(❙ ❭❚ r 2003 Ambainis, simplified Magniez–Nayak–Roland–Santha: Create superposition (❉(❙)❀ ❉(❚)) with ❙❀ ❚ By a quantum walk find ❙ containing a

✿333 ✿ ✿ ✿)

♥❂

app: ♥ ✷ 3Z. ❏ ❏ ✒ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ ▲ ❢ ❏ ❣ compute ❏ ✼✦ t ❏ ❂ ✷ ▲ ❏ ✒ ❢♥❂ ❀ ✿ ✿ ✿ ❀ ♥❣. to RAM. see a root. Quantum walk Unique-collision-finding problem: Say ❢ has ♥-bit inputs, exactly one collision ❢♣❀ q❣: i.e., ♣ ✻= q, ❢(♣) = ❢(q). Problem: find this collision. Cost 2♥: Define ❙ as the set of ♥-bit strings. Compute ❢(❙), sort. Generalize to cost r, success probability ✙(r❂2♥)2: Choose a set ❙ of size r. Compute ❢(❙), sort. Data structure ❉(❙) capturing the generalized computation: the set ❙; the multiset ❢(❙); the number of collisions in ❙ Very efficient to move from ❉ ❙ to ❉(❚) if ❚ is an adjacent #❙ = #❚ = r, #(❙ ❭❚) = r 2003 Ambainis, simplified 2007 Magniez–Nayak–Roland–Santha: Create superposition of state (❉(❙)❀ ❉(❚)) with adjacent ❙❀ ❚ By a quantum walk find ❙ containing a collision.

Quantum walk Unique-collision-finding problem: Say ❢ has ♥-bit inputs, exactly one collision ❢♣❀ q❣: i.e., ♣ ✻= q, ❢(♣) = ❢(q). Problem: find this collision. Cost 2♥: Define ❙ as the set of ♥-bit strings. Compute ❢(❙), sort. Generalize to cost r, success probability ✙(r❂2♥)2: Choose a set ❙ of size r. Compute ❢(❙), sort. Data structure ❉(❙) capturing the generalized computation: the set ❙; the multiset ❢(❙); the number of collisions in ❙. Very efficient to move from ❉(❙) to ❉(❚) if ❚ is an adjacent set: #❙ = #❚ = r, #(❙ ❭❚) = r 1. 2003 Ambainis, simplified 2007 Magniez–Nayak–Roland–Santha: Create superposition of states (❉(❙)❀ ❉(❚)) with adjacent ❙❀ ❚. By a quantum walk find ❙ containing a collision.

Quantum walk Unique-collision-finding problem: ❢ has ♥-bit inputs, exactly one collision ❢♣❀ q❣: ♣ ✻= q, ❢(♣) = ❢(q). Problem: find this collision.

♥: Define ❙ as

set of ♥-bit strings. Compute ❢(❙), sort. Generalize to cost r, success probability ✙(r❂2♥)2:

• se a set ❙ of size r.

Compute ❢(❙), sort. Data structure ❉(❙) capturing the generalized computation: the set ❙; the multiset ❢(❙); the number of collisions in ❙. Very efficient to move from ❉(❙) to ❉(❚) if ❚ is an adjacent set: #❙ = #❚ = r, #(❙ ❭❚) = r 1. 2003 Ambainis, simplified 2007 Magniez–Nayak–Roland–Santha: Create superposition of states (❉(❙)❀ ❉(❚)) with adjacent ❙❀ ❚. By a quantum walk find ❙ containing a collision. How the Start from Repeat ✙ ✿ ✁

♥❂r

Negate ❛❙❀❚ if ❙ Repeat ✙ ✿ ✁ ♣r For ❚ Diffuse ❛❙❀❚ ❙ For ❙ Diffuse ❛❙❀❚ ❚ Now high that ❚ contains Cost r+ ♥❂♣r

♥❂

Unique-collision-finding problem: ❢ ♥ inputs, collision ❢♣❀ q❣: ♣ ✻ q ❢ ♣ = ❢(q). this collision.

♥

❙ as ♥ strings. ❢ ❙ sort. cost r, robability ✙(r❂2♥)2: ❙ of size r. ❢ ❙ sort. Data structure ❉(❙) capturing the generalized computation: the set ❙; the multiset ❢(❙); the number of collisions in ❙. Very efficient to move from ❉(❙) to ❉(❚) if ❚ is an adjacent set: #❙ = #❚ = r, #(❙ ❭❚) = r 1. 2003 Ambainis, simplified 2007 Magniez–Nayak–Roland–Santha: Create superposition of states (❉(❙)❀ ❉(❚)) with adjacent ❙❀ ❚. By a quantum walk find ❙ containing a collision. How the quantum Start from uniform Repeat ✙0✿6 ✁ 2♥❂r Negate ❛❙❀❚ if ❙ contains Repeat ✙0✿7 ✁ ♣r For each ❚: Diffuse ❛❙❀❚ ❙ For each ❙: Diffuse ❛❙❀❚ ❚ Now high probabilit that ❚ contains collision. Cost r+2♥❂♣r. Optimize:

♥❂

roblem: ❢ ♥ ❢♣❀ q❣: ♣ ✻ q ❢ ♣ ❢ q collision.

♥

❙ ♥ ❢ ❙ r ✙ r❂ ♥)2: ❙ r ❢ ❙ Data structure ❉(❙) capturing the generalized computation: the set ❙; the multiset ❢(❙); the number of collisions in ❙. Very efficient to move from ❉(❙) to ❉(❚) if ❚ is an adjacent set: #❙ = #❚ = r, #(❙ ❭❚) = r 1. 2003 Ambainis, simplified 2007 Magniez–Nayak–Roland–Santha: Create superposition of states (❉(❙)❀ ❉(❚)) with adjacent ❙❀ ❚. By a quantum walk find ❙ containing a collision. How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙ For each ❙: Diffuse ❛❙❀❚ across all ❚ Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize:

♥❂

Data structure ❉(❙) capturing the generalized computation: the set ❙; the multiset ❢(❙); the number of collisions in ❙. Very efficient to move from ❉(❙) to ❉(❚) if ❚ is an adjacent set: #❙ = #❚ = r, #(❙ ❭❚) = r 1. 2003 Ambainis, simplified 2007 Magniez–Nayak–Roland–Santha: Create superposition of states (❉(❙)❀ ❉(❚)) with adjacent ❙❀ ❚. By a quantum walk find ❙ containing a collision. How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3.

structure ❉(❙) capturing generalized computation: set ❙; the multiset ❢(❙); number of collisions in ❙. efficient to move from ❉(❙) ❉ ❚) if ❚ is an adjacent set: ❙ #❚ = r, #(❙ ❭❚) = r 1. Ambainis, simplified 2007 Magniez–Nayak–Roland–Santha: superposition of states ❉ ❙ ❀ ❉(❚)) with adjacent ❙❀ ❚. quantum walk ❙ containing a collision. How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚ (#(❙ ❭ ❢♣❀ q❣ ❀ ❚ ❭ ❢♣❀ q❣ reduce ❛ Analyze e.g. ♥ = r 0 negations Pr[class ❀ ✙ ✿ Pr[class ❀ ✙ ✿ Pr[class ❀ ✙ ✿ Pr[class ❀ ✙ ✿ Pr[class ❀ ✙ ✿ Pr[class ❀ ✙ ✿ Pr[class ❀ ✙ ✿ Right column ❛❙❀❚

❉(❙) capturing computation: ❙ multiset ❢(❙); collisions in ❙. move from ❉(❙) ❉ ❚ ❚ an adjacent set: ❙ ❚ r #(❙ ❭❚) = r 1. simplified 2007 ak–Roland–Santha:

• sition of states

❉ ❙ ❀ ❉ ❚ with adjacent ❙❀ ❚. alk ❙ containing a collision. How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) acco (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣ reduce ❛ to low-dim Analyze evolution e.g. ♥ = 15, r = 1024, 0 negations and 0 Pr[class (0❀ 0)] ✙ 0✿ Pr[class (0❀ 1)] ✙ 0✿ Pr[class (1❀ 0)] ✙ 0✿ Pr[class (1❀ 1)] ✙ 0✿ Pr[class (1❀ 2)] ✙ 0✿ Pr[class (2❀ 1)] ✙ 0✿ Pr[class (2❀ 2)] ✙ 0✿ Right column is sign ❛❙❀❚

❉ ❙ capturing computation: ❙ ❢ ❙); ❙. ❉(❙) ❉ ❚ ❚ adjacent set: ❙ ❚ r ❙ ❭❚ = r 1. 2007 ak–Roland–Santha: states ❉ ❙ ❀ ❉ ❚ ent ❙❀ ❚. ❙

• llision.

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣ reduce ❛ to low-dim vector. Analyze evolution of this vecto e.g. ♥ = 15, r = 1024, after 0 negations and 0 diffusions: Pr[class (0❀ 0)] ✙ 0✿938; + Pr[class (0❀ 1)] ✙ 0✿000; + Pr[class (1❀ 0)] ✙ 0✿000; + Pr[class (1❀ 1)] ✙ 0✿060; + Pr[class (1❀ 2)] ✙ 0✿000; + Pr[class (2❀ 1)] ✙ 0✿000; + Pr[class (2❀ 2)] ✙ 0✿001; + Right column is sign of ❛❙❀❚

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 0 negations and 0 diffusions: Pr[class (0❀ 0)] ✙ 0✿938; + Pr[class (0❀ 1)] ✙ 0✿000; + Pr[class (1❀ 0)] ✙ 0✿000; + Pr[class (1❀ 1)] ✙ 0✿060; + Pr[class (1❀ 2)] ✙ 0✿000; + Pr[class (2❀ 1)] ✙ 0✿000; + Pr[class (2❀ 2)] ✙ 0✿001; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 1 negation and 46 diffusions: Pr[class (0❀ 0)] ✙ 0✿935; + Pr[class (0❀ 1)] ✙ 0✿000; + Pr[class (1❀ 0)] ✙ 0✿000; Pr[class (1❀ 1)] ✙ 0✿057; + Pr[class (1❀ 2)] ✙ 0✿000; + Pr[class (2❀ 1)] ✙ 0✿000; Pr[class (2❀ 2)] ✙ 0✿008; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 2 negations and 92 diffusions: Pr[class (0❀ 0)] ✙ 0✿918; + Pr[class (0❀ 1)] ✙ 0✿001; + Pr[class (1❀ 0)] ✙ 0✿000; Pr[class (1❀ 1)] ✙ 0✿059; + Pr[class (1❀ 2)] ✙ 0✿001; + Pr[class (2❀ 1)] ✙ 0✿000; Pr[class (2❀ 2)] ✙ 0✿022; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 3 negations and 138 diffusions: Pr[class (0❀ 0)] ✙ 0✿897; + Pr[class (0❀ 1)] ✙ 0✿001; + Pr[class (1❀ 0)] ✙ 0✿000; Pr[class (1❀ 1)] ✙ 0✿058; + Pr[class (1❀ 2)] ✙ 0✿002; + Pr[class (2❀ 1)] ✙ 0✿000; + Pr[class (2❀ 2)] ✙ 0✿042; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 4 negations and 184 diffusions: Pr[class (0❀ 0)] ✙ 0✿873; + Pr[class (0❀ 1)] ✙ 0✿001; + Pr[class (1❀ 0)] ✙ 0✿000; Pr[class (1❀ 1)] ✙ 0✿054; + Pr[class (1❀ 2)] ✙ 0✿002; + Pr[class (2❀ 1)] ✙ 0✿000; + Pr[class (2❀ 2)] ✙ 0✿070; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 5 negations and 230 diffusions: Pr[class (0❀ 0)] ✙ 0✿838; + Pr[class (0❀ 1)] ✙ 0✿001; + Pr[class (1❀ 0)] ✙ 0✿001; Pr[class (1❀ 1)] ✙ 0✿054; + Pr[class (1❀ 2)] ✙ 0✿003; + Pr[class (2❀ 1)] ✙ 0✿000; + Pr[class (2❀ 2)] ✙ 0✿104; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 6 negations and 276 diffusions: Pr[class (0❀ 0)] ✙ 0✿800; + Pr[class (0❀ 1)] ✙ 0✿001; + Pr[class (1❀ 0)] ✙ 0✿001; Pr[class (1❀ 1)] ✙ 0✿051; + Pr[class (1❀ 2)] ✙ 0✿006; + Pr[class (2❀ 1)] ✙ 0✿000; + Pr[class (2❀ 2)] ✙ 0✿141; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 7 negations and 322 diffusions: Pr[class (0❀ 0)] ✙ 0✿758; + Pr[class (0❀ 1)] ✙ 0✿002; + Pr[class (1❀ 0)] ✙ 0✿001; Pr[class (1❀ 1)] ✙ 0✿047; + Pr[class (1❀ 2)] ✙ 0✿007; + Pr[class (2❀ 1)] ✙ 0✿000; + Pr[class (2❀ 2)] ✙ 0✿184; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 8 negations and 368 diffusions: Pr[class (0❀ 0)] ✙ 0✿708; + Pr[class (0❀ 1)] ✙ 0✿003; + Pr[class (1❀ 0)] ✙ 0✿001; Pr[class (1❀ 1)] ✙ 0✿046; + Pr[class (1❀ 2)] ✙ 0✿007; + Pr[class (2❀ 1)] ✙ 0✿000; + Pr[class (2❀ 2)] ✙ 0✿234; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 9 negations and 414 diffusions: Pr[class (0❀ 0)] ✙ 0✿658; + Pr[class (0❀ 1)] ✙ 0✿003; + Pr[class (1❀ 0)] ✙ 0✿001; Pr[class (1❀ 1)] ✙ 0✿042; + Pr[class (1❀ 2)] ✙ 0✿009; + Pr[class (2❀ 1)] ✙ 0✿000; + Pr[class (2❀ 2)] ✙ 0✿287; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 10 negations and 460 diffusions: Pr[class (0❀ 0)] ✙ 0✿606; + Pr[class (0❀ 1)] ✙ 0✿003; + Pr[class (1❀ 0)] ✙ 0✿002; Pr[class (1❀ 1)] ✙ 0✿037; + Pr[class (1❀ 2)] ✙ 0✿013; + Pr[class (2❀ 1)] ✙ 0✿000; + Pr[class (2❀ 2)] ✙ 0✿338; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 11 negations and 506 diffusions: Pr[class (0❀ 0)] ✙ 0✿547; + Pr[class (0❀ 1)] ✙ 0✿004; + Pr[class (1❀ 0)] ✙ 0✿003; Pr[class (1❀ 1)] ✙ 0✿036; + Pr[class (1❀ 2)] ✙ 0✿015; + Pr[class (2❀ 1)] ✙ 0✿001; + Pr[class (2❀ 2)] ✙ 0✿394; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 12 negations and 552 diffusions: Pr[class (0❀ 0)] ✙ 0✿491; + Pr[class (0❀ 1)] ✙ 0✿004; + Pr[class (1❀ 0)] ✙ 0✿003; Pr[class (1❀ 1)] ✙ 0✿032; + Pr[class (1❀ 2)] ✙ 0✿014; + Pr[class (2❀ 1)] ✙ 0✿001; + Pr[class (2❀ 2)] ✙ 0✿455; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 13 negations and 598 diffusions: Pr[class (0❀ 0)] ✙ 0✿436; + Pr[class (0❀ 1)] ✙ 0✿005; + Pr[class (1❀ 0)] ✙ 0✿003; Pr[class (1❀ 1)] ✙ 0✿026; + Pr[class (1❀ 2)] ✙ 0✿017; + Pr[class (2❀ 1)] ✙ 0✿000; + Pr[class (2❀ 2)] ✙ 0✿513; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 14 negations and 644 diffusions: Pr[class (0❀ 0)] ✙ 0✿377; + Pr[class (0❀ 1)] ✙ 0✿006; + Pr[class (1❀ 0)] ✙ 0✿004; Pr[class (1❀ 1)] ✙ 0✿025; + Pr[class (1❀ 2)] ✙ 0✿022; + Pr[class (2❀ 1)] ✙ 0✿001; + Pr[class (2❀ 2)] ✙ 0✿566; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 15 negations and 690 diffusions: Pr[class (0❀ 0)] ✙ 0✿322; + Pr[class (0❀ 1)] ✙ 0✿005; + Pr[class (1❀ 0)] ✙ 0✿004; Pr[class (1❀ 1)] ✙ 0✿021; + Pr[class (1❀ 2)] ✙ 0✿023; + Pr[class (2❀ 1)] ✙ 0✿001; + Pr[class (2❀ 2)] ✙ 0✿623; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 16 negations and 736 diffusions: Pr[class (0❀ 0)] ✙ 0✿270; + Pr[class (0❀ 1)] ✙ 0✿006; + Pr[class (1❀ 0)] ✙ 0✿005; Pr[class (1❀ 1)] ✙ 0✿017; + Pr[class (1❀ 2)] ✙ 0✿022; + Pr[class (2❀ 1)] ✙ 0✿001; + Pr[class (2❀ 2)] ✙ 0✿680; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 17 negations and 782 diffusions: Pr[class (0❀ 0)] ✙ 0✿218; + Pr[class (0❀ 1)] ✙ 0✿007; + Pr[class (1❀ 0)] ✙ 0✿005; Pr[class (1❀ 1)] ✙ 0✿015; + Pr[class (1❀ 2)] ✙ 0✿024; + Pr[class (2❀ 1)] ✙ 0✿001; + Pr[class (2❀ 2)] ✙ 0✿730; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 18 negations and 828 diffusions: Pr[class (0❀ 0)] ✙ 0✿172; + Pr[class (0❀ 1)] ✙ 0✿006; + Pr[class (1❀ 0)] ✙ 0✿005; Pr[class (1❀ 1)] ✙ 0✿011; + Pr[class (1❀ 2)] ✙ 0✿029; + Pr[class (2❀ 1)] ✙ 0✿001; + Pr[class (2❀ 2)] ✙ 0✿775; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 19 negations and 874 diffusions: Pr[class (0❀ 0)] ✙ 0✿131; + Pr[class (0❀ 1)] ✙ 0✿007; + Pr[class (1❀ 0)] ✙ 0✿006; Pr[class (1❀ 1)] ✙ 0✿008; + Pr[class (1❀ 2)] ✙ 0✿030; + Pr[class (2❀ 1)] ✙ 0✿002; + Pr[class (2❀ 2)] ✙ 0✿816; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 20 negations and 920 diffusions: Pr[class (0❀ 0)] ✙ 0✿093; + Pr[class (0❀ 1)] ✙ 0✿007; + Pr[class (1❀ 0)] ✙ 0✿007; Pr[class (1❀ 1)] ✙ 0✿007; + Pr[class (1❀ 2)] ✙ 0✿027; + Pr[class (2❀ 1)] ✙ 0✿002; + Pr[class (2❀ 2)] ✙ 0✿857; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 21 negations and 966 diffusions: Pr[class (0❀ 0)] ✙ 0✿062; + Pr[class (0❀ 1)] ✙ 0✿007; + Pr[class (1❀ 0)] ✙ 0✿006; Pr[class (1❀ 1)] ✙ 0✿004; + Pr[class (1❀ 2)] ✙ 0✿030; + Pr[class (2❀ 1)] ✙ 0✿001; + Pr[class (2❀ 2)] ✙ 0✿890; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 22 negations and 1012 diffusions: Pr[class (0❀ 0)] ✙ 0✿037; + Pr[class (0❀ 1)] ✙ 0✿008; + Pr[class (1❀ 0)] ✙ 0✿007; Pr[class (1❀ 1)] ✙ 0✿002; + Pr[class (1❀ 2)] ✙ 0✿034; + Pr[class (2❀ 1)] ✙ 0✿001; + Pr[class (2❀ 2)] ✙ 0✿910; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 23 negations and 1058 diffusions: Pr[class (0❀ 0)] ✙ 0✿017; + Pr[class (0❀ 1)] ✙ 0✿008; + Pr[class (1❀ 0)] ✙ 0✿007; Pr[class (1❀ 1)] ✙ 0✿002; + Pr[class (1❀ 2)] ✙ 0✿034; + Pr[class (2❀ 1)] ✙ 0✿002; + Pr[class (2❀ 2)] ✙ 0✿930; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 24 negations and 1104 diffusions: Pr[class (0❀ 0)] ✙ 0✿005; + Pr[class (0❀ 1)] ✙ 0✿007; + Pr[class (1❀ 0)] ✙ 0✿007; Pr[class (1❀ 1)] ✙ 0✿000; + Pr[class (1❀ 2)] ✙ 0✿030; + Pr[class (2❀ 1)] ✙ 0✿002; + Pr[class (2❀ 2)] ✙ 0✿948; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 25 negations and 1150 diffusions: Pr[class (0❀ 0)] ✙ 0✿000; + Pr[class (0❀ 1)] ✙ 0✿008; + Pr[class (1❀ 0)] ✙ 0✿008; Pr[class (1❀ 1)] ✙ 0✿000; + Pr[class (1❀ 2)] ✙ 0✿031; + Pr[class (2❀ 1)] ✙ 0✿001; + Pr[class (2❀ 2)] ✙ 0✿952; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 26 negations and 1196 diffusions: Pr[class (0❀ 0)] ✙ 0✿002; Pr[class (0❀ 1)] ✙ 0✿008; + Pr[class (1❀ 0)] ✙ 0✿008; Pr[class (1❀ 1)] ✙ 0✿000; Pr[class (1❀ 2)] ✙ 0✿035; + Pr[class (2❀ 1)] ✙ 0✿002; + Pr[class (2❀ 2)] ✙ 0✿945; + Right column is sign of ❛❙❀❚ .

How the quantum walk works: Start from uniform superposition. Repeat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ if ❙ contains collision. Repeat ✙0✿7 ✁ ♣r times: For each ❚: Diffuse ❛❙❀❚ across all ❙. For each ❙: Diffuse ❛❙❀❚ across all ❚. Now high probability that ❚ contains collision. Cost r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 27 negations and 1242 diffusions: Pr[class (0❀ 0)] ✙ 0✿011; Pr[class (0❀ 1)] ✙ 0✿007; + Pr[class (1❀ 0)] ✙ 0✿007; Pr[class (1❀ 1)] ✙ 0✿001; Pr[class (1❀ 2)] ✙ 0✿034; + Pr[class (2❀ 1)] ✙ 0✿003; + Pr[class (2❀ 2)] ✙ 0✿938; + Right column is sign of ❛❙❀❚ .

the quantum walk works: from uniform superposition. eat ✙0✿6 ✁ 2♥❂r times: Negate ❛❙❀❚ ❙ contains collision. eat ✙0✿7 ✁ ♣r times:

• r each ❚:

Diffuse ❛❙❀❚ across all ❙.

• r each ❙:

Diffuse ❛❙❀❚ across all ❚. high probability ❚ contains collision. r+2♥❂♣r. Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 27 negations and 1242 diffusions: Pr[class (0❀ 0)] ✙ 0✿011; Pr[class (0❀ 1)] ✙ 0✿007; + Pr[class (1❀ 0)] ✙ 0✿007; Pr[class (1❀ 1)] ✙ 0✿001; Pr[class (1❀ 2)] ✙ 0✿034; + Pr[class (2❀ 1)] ✙ 0✿003; + Pr[class (2❀ 2)] ✙ 0✿938; + Right column is sign of ❛❙❀❚ . Subset-sum ✿ ✿ ✿ ✿ Consider ❢ ❢(1❀ ❏1) ❏ for ❏1 ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ ❢(2❀ ❏2) t ❏ for ❏2 ✒ ❢♥❂ ❀ ✿ ✿ ✿ ❀ ♥❣ Good chance collision ❏ t ❏ ♥❂2 + 1 so quantum

♥❂

Easily tw to handle ignore Σ(❏ ❏✵

quantum walk works: rm superposition. ✙ ✿ ✁

♥❂r times:

❛❙❀❚ ❙ contains collision. ✙ ✿ ✁ ♣r times: ❚: ❛❙❀❚ across all ❙. ❙: ❛❙❀❚ across all ❚. robability ❚ collision. r

♥❂♣r. Optimize: 22♥❂3.

Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 27 negations and 1242 diffusions: Pr[class (0❀ 0)] ✙ 0✿011; Pr[class (0❀ 1)] ✙ 0✿007; + Pr[class (1❀ 0)] ✙ 0✿007; Pr[class (1❀ 1)] ✙ 0✿001; Pr[class (1❀ 2)] ✙ 0✿034; + Pr[class (2❀ 1)] ✙ 0✿003; + Pr[class (2❀ 2)] ✙ 0✿938; + Right column is sign of ❛❙❀❚ . Subset-sum walk (0✿ ✿ ✿ ✿ Consider ❢ defined ❢(1❀ ❏1) = Σ(❏1) for ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂ ❣ ❢(2❀ ❏2) = t Σ(❏ for ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣ Good chance of unique collision Σ(❏1) = t ❏ ♥❂2 + 1 bits of input, so quantum walk costs

♥❂

Easily tweak quantum to handle more collisions, ignore Σ(❏1) = Σ(❏✵

• rks:
• sition.

✙ ✿ ✁

♥❂r

❛❙❀❚ ❙ collision. ✙ ✿ ✁ ♣r times: ❚ ❛❙❀❚ all ❙. ❙ ❛❙❀❚ all ❚. ❚ r

♥❂♣r

Optimize: 22♥❂3. Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 27 negations and 1242 diffusions: Pr[class (0❀ 0)] ✙ 0✿011; Pr[class (0❀ 1)] ✙ 0✿007; + Pr[class (1❀ 0)] ✙ 0✿007; Pr[class (1❀ 1)] ✙ 0✿001; Pr[class (1❀ 2)] ✙ 0✿034; + Pr[class (2❀ 1)] ✙ 0✿003; + Pr[class (2❀ 2)] ✙ 0✿938; + Right column is sign of ❛❙❀❚ . Subset-sum walk (0✿333 ✿ ✿ ✿) Consider ❢ defined by ❢(1❀ ❏1) = Σ(❏1) for ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣; ❢(2❀ ❏2) = t Σ(❏2) for ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Good chance of unique collision Σ(❏1) = t Σ(❏2). ♥❂2 + 1 bits of input, so quantum walk costs 2♥❂3. Easily tweak quantum walk to handle more collisions, ignore Σ(❏1) = Σ(❏✵

1), etc.

Classify (❙❀ ❚) according to (#(❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); reduce ❛ to low-dim vector. Analyze evolution of this vector. e.g. ♥ = 15, r = 1024, after 27 negations and 1242 diffusions: Pr[class (0❀ 0)] ✙ 0✿011; Pr[class (0❀ 1)] ✙ 0✿007; + Pr[class (1❀ 0)] ✙ 0✿007; Pr[class (1❀ 1)] ✙ 0✿001; Pr[class (1❀ 2)] ✙ 0✿034; + Pr[class (2❀ 1)] ✙ 0✿003; + Pr[class (2❀ 2)] ✙ 0✿938; + Right column is sign of ❛❙❀❚ . Subset-sum walk (0✿333 ✿ ✿ ✿) Consider ❢ defined by ❢(1❀ ❏1) = Σ(❏1) for ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣; ❢(2❀ ❏2) = t Σ(❏2) for ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Good chance of unique collision Σ(❏1) = t Σ(❏2). ♥❂2 + 1 bits of input, so quantum walk costs 2♥❂3. Easily tweak quantum walk to handle more collisions, ignore Σ(❏1) = Σ(❏✵

1), etc.

Classify (❙❀ ❚) according to ❙ ❭ ❢♣❀ q❣)❀ #(❚ ❭ ❢♣❀ q❣)); ❛ to low-dim vector. Analyze evolution of this vector. ♥ = 15, r = 1024, after negations and 1242 diffusions: [class (0❀ 0)] ✙ 0✿011; [class (0❀ 1)] ✙ 0✿007; + [class (1❀ 0)] ✙ 0✿007; [class (1❀ 1)] ✙ 0✿001; [class (1❀ 2)] ✙ 0✿034; + [class (2❀ 1)] ✙ 0✿003; + [class (2❀ 2)] ✙ 0✿938; + column is sign of ❛❙❀❚ . Subset-sum walk (0✿333 ✿ ✿ ✿) Consider ❢ defined by ❢(1❀ ❏1) = Σ(❏1) for ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣; ❢(2❀ ❏2) = t Σ(❏2) for ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Good chance of unique collision Σ(❏1) = t Σ(❏2). ♥❂2 + 1 bits of input, so quantum walk costs 2♥❂3. Easily tweak quantum walk to handle more collisions, ignore Σ(❏1) = Σ(❏✵

1), etc.

Generalized Choose ▼ t r ▼ ✙ r (Original is the sp r

♥❂

Take set ❙ ❙ r ❏11 ✷ ❙11 ✮ ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ (Original ❙

• f all ❏11 ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣

Compute ❏ ▼ for each ❏ ✷ ❙ Similarly ❙ r subsets of ❢♥❂ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ Compute t ❏ ▼ for each ❏ ✷ ❙

❙❀ ❚ according to ❙ ❭ ❢♣❀ q❣ ❀ #(❚ ❭ ❢♣❀ q❣)); ❛ w-dim vector. evolution of this vector. ♥ r 1024, after and 1242 diffusions: ❀ ✙ 0✿011; ❀ ✙ 0✿007; + ❀ ✙ 0✿007; ❀ ✙ 0✿001; ❀ ✙ 0✿034; + ❀ ✙ 0✿003; + ❀ ✙ 0✿938; + sign of ❛❙❀❚ . Subset-sum walk (0✿333 ✿ ✿ ✿) Consider ❢ defined by ❢(1❀ ❏1) = Σ(❏1) for ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣; ❢(2❀ ❏2) = t Σ(❏2) for ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Good chance of unique collision Σ(❏1) = t Σ(❏2). ♥❂2 + 1 bits of input, so quantum walk costs 2♥❂3. Easily tweak quantum walk to handle more collisions, ignore Σ(❏1) = Σ(❏✵

1), etc.

Generalized moduli Choose ▼, t1, r with ▼ ✙ r (Original moduli algo is the special case r

♥❂

Take set ❙11, #❙11 r ❏11 ✷ ❙11 ✮ ❏11 ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ (Original algorithm: ❙

• f all ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂ ❣

Compute Σ(❏11) mo ▼ for each ❏11 ✷ ❙11 Similarly take a set ❙ r subsets of ❢♥❂4 + ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ Compute t1 Σ(❏ ▼ for each ❏12 ✷ ❙12

❙❀ ❚ to ❙ ❭ ❢♣❀ q❣ ❀ ❚ ❭ ❢♣❀ q❣)); ❛ r. vector. ♥ r after diffusions: ❀ ✙ ✿

• ❀

✙ ✿ ❀ ✙ ✿

• ❀

✙ ✿

• ❀

✙ ✿ ❀ ✙ ✿ ❀ ✙ ✿ ❛❙❀❚ . Subset-sum walk (0✿333 ✿ ✿ ✿) Consider ❢ defined by ❢(1❀ ❏1) = Σ(❏1) for ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣; ❢(2❀ ❏2) = t Σ(❏2) for ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Good chance of unique collision Σ(❏1) = t Σ(❏2). ♥❂2 + 1 bits of input, so quantum walk costs 2♥❂3. Easily tweak quantum walk to handle more collisions, ignore Σ(❏1) = Σ(❏✵

1), etc.

Generalized moduli Choose ▼, t1, r with ▼ ✙ r (Original moduli algorithm is the special case r = 2♥❂4.) Take set ❙11, #❙11 = r, where ❏11 ✷ ❙11 ✮ ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂ ❣ (Original algorithm: ❙11 is the

• f all ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣.)

Compute Σ(❏11) mod ▼ for each ❏11 ✷ ❙11. Similarly take a set ❙12 of r subsets of ❢♥❂4 + 1❀ ✿ ✿ ✿ ❀ ♥❂2❣ Compute t1 Σ(❏12) mod ▼ for each ❏12 ✷ ❙12.

Subset-sum walk (0✿333 ✿ ✿ ✿) Consider ❢ defined by ❢(1❀ ❏1) = Σ(❏1) for ❏1 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣; ❢(2❀ ❏2) = t Σ(❏2) for ❏2 ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. Good chance of unique collision Σ(❏1) = t Σ(❏2). ♥❂2 + 1 bits of input, so quantum walk costs 2♥❂3. Easily tweak quantum walk to handle more collisions, ignore Σ(❏1) = Σ(❏✵

1), etc.

Generalized moduli Choose ▼, t1, r with ▼ ✙ r. (Original moduli algorithm is the special case r = 2♥❂4.) Take set ❙11, #❙11 = r, where ❏11 ✷ ❙11 ✮ ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣. (Original algorithm: ❙11 is the set

• f all ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣.)

Compute Σ(❏11) mod ▼ for each ❏11 ✷ ❙11. Similarly take a set ❙12 of r subsets of ❢♥❂4 + 1❀ ✿ ✿ ✿ ❀ ♥❂2❣. Compute t1 Σ(❏12) mod ▼ for each ❏12 ✷ ❙12.

Subset-sum walk (0✿333 ✿ ✿ ✿) Consider ❢ defined by ❢ ❀ ❏ ) = Σ(❏1) ❏ ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂2❣; ❢ ❀ ❏ ) = t Σ(❏2) ❏ ✒ ❢♥❂2 + 1❀ ✿ ✿ ✿ ❀ ♥❣. chance of unique collision Σ(❏1) = t Σ(❏2). ♥❂ 1 bits of input, quantum walk costs 2♥❂3. tweak quantum walk handle more collisions, Σ(❏1) = Σ(❏✵

1), etc.

Generalized moduli Choose ▼, t1, r with ▼ ✙ r. (Original moduli algorithm is the special case r = 2♥❂4.) Take set ❙11, #❙11 = r, where ❏11 ✷ ❙11 ✮ ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣. (Original algorithm: ❙11 is the set

• f all ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣.)

Compute Σ(❏11) mod ▼ for each ❏11 ✷ ❙11. Similarly take a set ❙12 of r subsets of ❢♥❂4 + 1❀ ✿ ✿ ✿ ❀ ♥❂2❣. Compute t1 Σ(❏12) mod ▼ for each ❏12 ✷ ❙12. Find all collisions Σ(❏11) ✑ t ❏ i.e., Σ(❏1 ✑ t ▼ where ❏1 ❏ ❬ ❏ Compute ❏ Similarly ❙ ❙ ✮ list of ❏2 ❏ ✑ t t ✮ each t ❏ Find collisions ❏ t ❏ Success r ❂ ♥ at finding ❏ Σ(❏) = t ❏ ✑ t ▼ Assuming cost r, since ▼ ✙ r

(0✿333 ✿ ✿ ✿) ❢ defined by ❢ ❀ ❏ ❏ ) ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂2❣; ❢ ❀ ❏ t Σ(❏2) ❏ ✒ ❢♥❂ 1❀ ✿ ✿ ✿ ❀ ♥❣. unique ❏ t Σ(❏2). ♥❂ input, alk costs 2♥❂3. quantum walk collisions, ❏ Σ(❏✵

1), etc.

Generalized moduli Choose ▼, t1, r with ▼ ✙ r. (Original moduli algorithm is the special case r = 2♥❂4.) Take set ❙11, #❙11 = r, where ❏11 ✷ ❙11 ✮ ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣. (Original algorithm: ❙11 is the set

• f all ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣.)

Compute Σ(❏11) mod ▼ for each ❏11 ✷ ❙11. Similarly take a set ❙12 of r subsets of ❢♥❂4 + 1❀ ✿ ✿ ✿ ❀ ♥❂2❣. Compute t1 Σ(❏12) mod ▼ for each ❏12 ✷ ❙12. Find all collisions Σ(❏11) ✑ t1 Σ(❏ i.e., Σ(❏1) ✑ t1 (mo ▼ where ❏1 = ❏11 ❬ ❏ Compute each Σ(❏ Similarly ❙21, ❙22 ✮ list of ❏2 with Σ(❏ ✑ t t ✮ each t Σ(❏2). Find collisions Σ(❏ t ❏ Success probability r ❂ ♥ at finding any particula ❏ Σ(❏) = t, Σ(❏1) ✑ t ▼ Assuming typical distribution: cost r, since ▼ ✙ r

✿ ✿ ✿ ✿) ❢ ❢ ❀ ❏ ❏ ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣ ❢ ❀ ❏ t ❏ ❏ ✒ ❢♥❂ ❀ ✿ ✿ ✿ ❀ ♥❣. ❏ t ❏ ). ♥❂

♥❂3.

alk ❏ ❏✵ etc. Generalized moduli Choose ▼, t1, r with ▼ ✙ r. (Original moduli algorithm is the special case r = 2♥❂4.) Take set ❙11, #❙11 = r, where ❏11 ✷ ❙11 ✮ ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣. (Original algorithm: ❙11 is the set

• f all ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣.)

Compute Σ(❏11) mod ▼ for each ❏11 ✷ ❙11. Similarly take a set ❙12 of r subsets of ❢♥❂4 + 1❀ ✿ ✿ ✿ ❀ ♥❂2❣. Compute t1 Σ(❏12) mod ▼ for each ❏12 ✷ ❙12. Find all collisions Σ(❏11) ✑ t1 Σ(❏12), i.e., Σ(❏1) ✑ t1 (mod ▼) where ❏1 = ❏11 ❬ ❏12. Compute each Σ(❏1). Similarly ❙21, ❙22 ✮ list of ❏2 with Σ(❏2) ✑ t t ✮ each t Σ(❏2). Find collisions Σ(❏1) = t Σ(❏ Success probability r4❂2♥ at finding any particular ❏ with Σ(❏) = t, Σ(❏1) ✑ t1 (mod ▼ Assuming typical distribution: cost r, since ▼ ✙ r.

Generalized moduli Choose ▼, t1, r with ▼ ✙ r. (Original moduli algorithm is the special case r = 2♥❂4.) Take set ❙11, #❙11 = r, where ❏11 ✷ ❙11 ✮ ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣. (Original algorithm: ❙11 is the set

• f all ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣.)

Compute Σ(❏11) mod ▼ for each ❏11 ✷ ❙11. Similarly take a set ❙12 of r subsets of ❢♥❂4 + 1❀ ✿ ✿ ✿ ❀ ♥❂2❣. Compute t1 Σ(❏12) mod ▼ for each ❏12 ✷ ❙12. Find all collisions Σ(❏11) ✑ t1 Σ(❏12), i.e., Σ(❏1) ✑ t1 (mod ▼) where ❏1 = ❏11 ❬ ❏12. Compute each Σ(❏1). Similarly ❙21, ❙22 ✮ list of ❏2 with Σ(❏2) ✑ t t1 ✮ each t Σ(❏2). Find collisions Σ(❏1) = t Σ(❏2). Success probability r4❂2♥ at finding any particular ❏ with Σ(❏) = t, Σ(❏1) ✑ t1 (mod ▼). Assuming typical distribution: cost r, since ▼ ✙ r.

Generalized moduli

• se ▼, t1, r with ▼ ✙ r.

(Original moduli algorithm special case r = 2♥❂4.) set ❙11, #❙11 = r, where ❏ ✷ ❙11 ✮ ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣. (Original algorithm: ❙11 is the set ❏11 ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣.) Compute Σ(❏11) mod ▼ ach ❏11 ✷ ❙11. rly take a set ❙12 of r subsets of ❢♥❂4 + 1❀ ✿ ✿ ✿ ❀ ♥❂2❣. Compute t1 Σ(❏12) mod ▼ ach ❏12 ✷ ❙12. Find all collisions Σ(❏11) ✑ t1 Σ(❏12), i.e., Σ(❏1) ✑ t1 (mod ▼) where ❏1 = ❏11 ❬ ❏12. Compute each Σ(❏1). Similarly ❙21, ❙22 ✮ list of ❏2 with Σ(❏2) ✑ t t1 ✮ each t Σ(❏2). Find collisions Σ(❏1) = t Σ(❏2). Success probability r4❂2♥ at finding any particular ❏ with Σ(❏) = t, Σ(❏1) ✑ t1 (mod ▼). Assuming typical distribution: cost r, since ▼ ✙ r. Quantum ✿ Capture generalized as data structure ❉(❙11❀ ❙ ❀ ❙ ❀ ❙ Easy to move from ❙✐❥ ❚✐❥ Convert cost r + ♣r ♥❂ ❂r 20✿2♥ for r ✙

✿ ♥

Use “amplitude to search t Total cost

✿ ♥

duli ▼ t r with ▼ ✙ r. duli algorithm case r = 2♥❂4.) ❙ ❙11 = r, where ❏ ✷ ❙ ✮ ❏ ✒ ❢1❀ ✿ ✿ ✿ ❀ ♥❂4❣. rithm: ❙11 is the set ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂4❣.) ❏ mod ▼ ❏ ✷ ❙11. set ❙12 of r ❢♥❂ + 1❀ ✿ ✿ ✿ ❀ ♥❂2❣. t Σ(❏12) mod ▼ ❏ ✷ ❙12. Find all collisions Σ(❏11) ✑ t1 Σ(❏12), i.e., Σ(❏1) ✑ t1 (mod ▼) where ❏1 = ❏11 ❬ ❏12. Compute each Σ(❏1). Similarly ❙21, ❙22 ✮ list of ❏2 with Σ(❏2) ✑ t t1 ✮ each t Σ(❏2). Find collisions Σ(❏1) = t Σ(❏2). Success probability r4❂2♥ at finding any particular ❏ with Σ(❏) = t, Σ(❏1) ✑ t1 (mod ▼). Assuming typical distribution: cost r, since ▼ ✙ r. Quantum moduli (0✿ Capture execution generalized moduli as data structure ❉(❙11❀ ❙12❀ ❙21❀ ❙22 Easy to move from ❙✐❥ to adjacent ❚✐❥ Convert into quantum cost r + ♣r2♥❂2❂r 20✿2♥ for r ✙ 20✿2♥ Use “amplitude amplification” to search for correct t Total cost 20✿3♥.

▼ t r ▼ ✙ r. r

♥❂4.)

❙ ❙ r where ❏ ✷ ❙ ✮ ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂4❣. ❙ is the set ❏ ✒ ❢ ❀ ✿ ✿ ✿ ❀ ♥❂ ❣.) ❏ ▼ ❏ ✷ ❙ ❙ r ❢♥❂ ❀ ✿ ✿ ✿ ❀ ♥❂2❣. t ❏ ▼ ❏ ✷ ❙ Find all collisions Σ(❏11) ✑ t1 Σ(❏12), i.e., Σ(❏1) ✑ t1 (mod ▼) where ❏1 = ❏11 ❬ ❏12. Compute each Σ(❏1). Similarly ❙21, ❙22 ✮ list of ❏2 with Σ(❏2) ✑ t t1 ✮ each t Σ(❏2). Find collisions Σ(❏1) = t Σ(❏2). Success probability r4❂2♥ at finding any particular ❏ with Σ(❏) = t, Σ(❏1) ✑ t1 (mod ▼). Assuming typical distribution: cost r, since ▼ ✙ r. Quantum moduli (0✿3) Capture execution of generalized moduli algorithm as data structure ❉(❙11❀ ❙12❀ ❙21❀ ❙22). Easy to move from ❙✐❥ to adjacent ❚✐❥. Convert into quantum walk: cost r + ♣r2♥❂2❂r2. 20✿2♥ for r ✙ 20✿2♥. Use “amplitude amplification” to search for correct t1. Total cost 20✿3♥.

Find all collisions Σ(❏11) ✑ t1 Σ(❏12), i.e., Σ(❏1) ✑ t1 (mod ▼) where ❏1 = ❏11 ❬ ❏12. Compute each Σ(❏1). Similarly ❙21, ❙22 ✮ list of ❏2 with Σ(❏2) ✑ t t1 ✮ each t Σ(❏2). Find collisions Σ(❏1) = t Σ(❏2). Success probability r4❂2♥ at finding any particular ❏ with Σ(❏) = t, Σ(❏1) ✑ t1 (mod ▼). Assuming typical distribution: cost r, since ▼ ✙ r. Quantum moduli (0✿3) Capture execution of generalized moduli algorithm as data structure ❉(❙11❀ ❙12❀ ❙21❀ ❙22). Easy to move from ❙✐❥ to adjacent ❚✐❥. Convert into quantum walk: cost r + ♣r2♥❂2❂r2. 20✿2♥ for r ✙ 20✿2♥. Use “amplitude amplification” to search for correct t1. Total cost 20✿3♥.

all collisions ❏ ) ✑ t1 Σ(❏12), Σ(❏1) ✑ t1 (mod ▼) ❏1 = ❏11 ❬ ❏12. Compute each Σ(❏1). rly ❙21, ❙22 ✮ ❏2 with Σ(❏2) ✑ t t1 ✮ each t Σ(❏2). collisions Σ(❏1) = t Σ(❏2). Success probability r4❂2♥ finding any particular ❏ with ❏ t, Σ(❏1) ✑ t1 (mod ▼). Assuming typical distribution: r, since ▼ ✙ r. Quantum moduli (0✿3) Capture execution of generalized moduli algorithm as data structure ❉(❙11❀ ❙12❀ ❙21❀ ❙22). Easy to move from ❙✐❥ to adjacent ❚✐❥. Convert into quantum walk: cost r + ♣r2♥❂2❂r2. 20✿2♥ for r ✙ 20✿2♥. Use “amplitude amplification” to search for correct t1. Total cost 20✿3♥. Quantum ✿ ✿ ✿ ✿ Central result Combine with “rep 2010 Ho Subset-sum ✿ ✿ ✿ ✿ new reco Lower-level Ambainis “combination and a skip history-indep We use radix Much easier,

collisions ❏ ✑ t Σ(❏12), ❏ ✑ t (mod ▼) ❏ ❏ ❬ ❏12. Σ(❏1). ❙ ❙22 ✮ ❏ Σ(❏2) ✑ t t1 ✮ t ❏ ). Σ(❏1) = t Σ(❏2). bility r4❂2♥ particular ❏ with ❏ t ❏ ✑ t1 (mod ▼). l distribution: r ▼ ✙ r. Quantum moduli (0✿3) Capture execution of generalized moduli algorithm as data structure ❉(❙11❀ ❙12❀ ❙21❀ ❙22). Easy to move from ❙✐❥ to adjacent ❚✐❥. Convert into quantum walk: cost r + ♣r2♥❂2❂r2. 20✿2♥ for r ✙ 20✿2♥. Use “amplitude amplification” to search for correct t1. Total cost 20✿3♥. Quantum reps (0✿241 ✿ ✿ ✿ Central result of the Combine quantum with “representations” 2010 Howgrave-Graham–Joux. Subset-sum exponent ✿ ✿ ✿ ✿ new record. Lower-level improvement: Ambainis uses ad-ho “combination of a and a skip list” to history-independence. We use radix trees. Much easier, presumably

❏ ✑ t ❏ ❏ ✑ t ▼) ❏ ❏ ❬ ❏ ❏ ❙ ❙ ✮ ❏ ❏ ✑ t t1 ✮ t ❏ ❏ t Σ(❏2). r ❂ ♥ ❏ with ❏ t ❏ ✑ t (mod ▼). distribution: r ▼ ✙ r Quantum moduli (0✿3) Capture execution of generalized moduli algorithm as data structure ❉(❙11❀ ❙12❀ ❙21❀ ❙22). Easy to move from ❙✐❥ to adjacent ❚✐❥. Convert into quantum walk: cost r + ♣r2♥❂2❂r2. 20✿2♥ for r ✙ 20✿2♥. Use “amplitude amplification” to search for correct t1. Total cost 20✿3♥. Quantum reps (0✿241 ✿ ✿ ✿) Central result of the paper: Combine quantum walk with “representations” idea of 2010 Howgrave-Graham–Joux. Subset-sum exponent 0✿241 ✿ ✿ ✿ new record. Lower-level improvement: Ambainis uses ad-hoc “combination of a hash table and a skip list” to ensure history-independence. We use radix trees. Much easier, presumably faster.

Quantum moduli (0✿3) Capture execution of generalized moduli algorithm as data structure ❉(❙11❀ ❙12❀ ❙21❀ ❙22). Easy to move from ❙✐❥ to adjacent ❚✐❥. Convert into quantum walk: cost r + ♣r2♥❂2❂r2. 20✿2♥ for r ✙ 20✿2♥. Use “amplitude amplification” to search for correct t1. Total cost 20✿3♥. Quantum reps (0✿241 ✿ ✿ ✿) Central result of the paper: Combine quantum walk with “representations” idea of 2010 Howgrave-Graham–Joux. Subset-sum exponent 0✿241 ✿ ✿ ✿; new record. Lower-level improvement: Ambainis uses ad-hoc “combination of a hash table and a skip list” to ensure history-independence. We use radix trees. Much easier, presumably faster.