Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum - - PowerPoint PPT Presentation
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum
1/ 37
2/ 37
I Quantum computers can break public-key cryptography that
I Post-quantum cryptography tries to design classical crypto
I Classical codemakers vs quantum codebreakers I This tutorial:
3/ 37
I Richard Feynman,
I Classical bit is 0 or 1; quantum bit is superposition of 0 and 1
I 2 qubits is superposition of 4 basis states (00,01,10,11)
I Massive space for computation! Easier said than done. . .
4/ 37
I 1-qubit basis states: |0i =
I Qubit: superposition ↵0|0i + ↵1|1i =
I
I n-qubit state: | i =
x2{0,1}n
I Axiom: measuring state | i gives |xi with probability |↵x|2 I Hence
x2{0,1}n
5/ 37
I Quantum operation maps quantum states to quantum states
I Example 1-qubit gates:
I More quantum: Hadamard gate =
1 p 2(|0i + |1i),
1 p 2(|0i |1i)
p 2(|0i + |1i) = 1 p 2H|0i + 1 p 2H|1i = |0i
I Controlled-NOT gate on 2 qubits: |a, bi 7! |a, a bi
6/ 37
I A classical Boolean circuit consists of
I A quantum circuit consists of
H
1 p 2(|00i + |10i) CNOT
1 p 2(|00i + |11i)
7/ 37
I bits
I AND/OR/NOT gates
I classical circuit
I reading the output bit
8/ 37
9/ 37
I Suppose classical algorithm computes f : {0, 1}n ! {0, 1}m I Convert this to quantum circuit U : |xi|0i 7! |xi|f (x)i I We can now compute f “on all inputs simultaneously”!
x2{0,1}n
x2{0,1}n
I This contains all 2n function values! I But observing gives only one random |xi|f (x)i
I More tricks needed for successful quantum computation
10/ 37
I Given: function f : {0, 1}n ! {0, 1} (2n bits) , s.t.
2 · 2n of the x’s (balanced) I Question: is f constant or balanced? I Classically: need at least 1 2 · 2n + 1 steps (“queries” to f ) I Quantumly: O(n) gates suffice, and only 1 query I Query: application of unitary Of : |x, 0i 7! |x, f (x)i I More generally: Of : |x, bi 7! |x, b f (x)i (b 2 {0, 1}) I NB using |i = H|1i, we can get queried bit as a ±-phase:
11/ 37
measure
I Starting state: |0 . . . 0
n
I After first Hadamards:
x2{0,1}n
I Make one query:
x2{0,1}n
I Forget about the last qubit |i
12/ 37
I After second Hadamard:
x2{0,1}n
y2{0,1}n
I ↵0...0 = 1
x2{0,1}n
I Measurement gives right answer with certainty I Big quantum-classical separation: O(n) vs Ω(2n) steps I But the problem is efficiently solvable by bounded-error
13/ 37
14/ 37
I Given N = p · q, compute the prime factors p and q I Fundamental mathematical problem since Antiquity I Fundamental computational problem on log N bits
I Best known classical algorithms use time 2(log N)↵, where
I Its assumed computational hardness is basis of
I A quantum computer can break this,
15/ 37
I Classical reduction: choose random x 2 {2, . . . , N 1}.
I Shor uses the quantum Fourier transform for period-finding
measure measure
QFT
QFT
I Overall complexity: roughly (log N)2 elementary gates
16/ 37
I Pick a random integer x 2 {2, . . . , N 1}, s.t. gcd(x, N)=1 I The sequence x0, x1, x2, x3, . . . mod N cycles:
I With probability 1/4 (over the choice of x):
I Then:
I xr/2 + 1 and xr/2 1 each share a factor with N I This factor of N can be extracted using gcd-algorithm
17/ 37
I Fourier basis (dimension q): |ji =
q1
k=0
2⇡ijk q |ki
1 p 8(|0i+e2⇡i0.j2|1i)⌦(|0i+e2⇡i0.j1j2|1i)⌦(|0i+e2⇡i0.j0j1j2|1i) I Quantum Fourier Transform: |ji 7! |ji I If q = 2`, then can implement this with O(`2) gates. I For Shor: choose q = 2` in (N2, 2N2]
18/ 37
` qubits
dlog N qubitse
q1
a=0
q1
a=0
19/ 37
q/r1
j=0
q/r1
j=0 q1
b=0
q
q1
b=0
q
q/r1
j=0
q
q = 1 iff rb
20/ 37
I b and q are known; c and r are unknown I c and r are coprime with probability 1/ log log r I Then: we find r by writing b
I Since we can find r, we can find prime factors of N !
21/ 37
I Reduce factoring to finding the period r of modular
I Use quantum Fourier transform to find a multiple of q/r,
I Overall complexity:
I QFT takes O(log q)2 = O(log N)2 elementary gates I Modular exponentiation: ⇡ (log N)2 log log N gates;
classical computation by repeated squaring (use Sch¨
I Everything repeated O(log log N) times I Classical postprocessing takes O(log N)2 gates
I Roughly (log N)2 elementary gates in total
22/ 37
I We want to search for some good item in
I Model this as function f : {0, 1}n ! {0, 1} (N = 2n)
I We can query f :
I Goal: find a solution I Classically this takes O(N) steps (queries to f ) I Grover’s algorithm does it in O(
23/ 37
I Apply Grover iteration G k times on uniform starting state
measure
k I Idea: each iteration moves amplitude towards solutions
24/ 37
I Suppose there are t solutions I Define “good” state and “bad” state:
x:f (x)=1
x:f (x)=0
I Initial uniform state is |Ui = sin(✓)|Gi + cos(✓)|Bi
I All intermediate states will be in span{|Gi, |Bi} I Grover iteration is a rotation over angle 2✓
25/ 37
✓
6
⇠ :
✓ ✓
6
⇠ : XXX X z
✓ 2✓
6
⇠ : ⌦ ⌦ ⌦ ⌦
26/ 37
I Success probability after k iterations:
I If k = ⇡
I Example: t = N/4 solutions ) k = 1 I In general, round k to nearest integer (incurs small error) I Query complexity is k ⇡ ⇡
I Gate complexity is O(
27/ 37
I Quantum computers can search any N-element space with
2.1 Reflect through |Bi (costs 1 query) 2.2 Reflect through |Ui (costs O(log N) gates)
I If we don’t know " = t/N, we can try different guesses, still
I The algorithm has a small error probability,
28/ 37
I Given a propositional formula f (x1, . . . , xn)
I This is a typical NP-complete problem I Search space of N = 2n possibilities I Classically: exhaustive search is the best we know.
I Quantumly: Grover finds a satisfying assignment in
I Because Grover is optimal, we believe that NP-hard problems
29/ 37
I Explore a graph by moving to
I If G is d-regular and connected: normalized adjacency matrix
I Suppose an "-fraction of the vertices are “marked” and we
2.1 Check if v is marked (checking cost C) 2.2 Rerandomize v by O(1/δ) RW steps (step cost U)
30/ 37
I Quantum walk: walk in superposition over vertices (edges) I Analogy with Grover’s algorithm:
2.1 Reflect through |Bi (checking cost C) 2.2 Reflect through |Ui (can be implemented using 1/ p δ QW steps, each at cost U)
1 p"
1 p U
31/ 37
I G =Johnson graph: the vertices are the sets R ✓ [n] of size r.
I Fraction of vertices of G that contain collision: " (r/n)2 I Known: spectral gap is ⇡ 1/r I With each vertex R, algorithm records h(R);
I Total cost: S + 1
r=n2/3
I Classically: Θ(n) f -evaluations needed
32/ 37
I Solving large linear systems Ax = b is one of the most
I Harrow-Hassidim-Lloyd’09: “solves” this problem
33/ 37
I Input: Hermitian matrix A 2 RN⇥N and vector b 2 RN
I Let v1, . . . , vN, 1, . . . , N be eigenvectors, eigenvalues of A I HHL algorithm:
i=1 i|vii
NB: applying A−1 corresponds to multiplying with −1
i
i=1 i|vii|ii
i=1 i|vii|ii
✓ −1
i
|0i + q 1 −2
i
|1i ◆
i=1 i−1 i
|vii = |xi
34/ 37
I Similar to Shor: discrete logarithm, solve Pell’s equation,
I Similar to Grover: maximum-finding, approximate counting,
I Similar to quantum walks: finding small subgraphs,
I Similar to HHL: quantum machine learning, principal
I Efficiently simulating quantum-mechanical systems.
35/ 37
I You can simulate every quantum algorithm with an
I For many problems we can show that quantum computers
I NP-complete problems form a famous and important class of
36/ 37
I Quantum mechanics is the best physical theory we have I Fundamentally different from classical physics:
I Quantum algorithms use these non-classical effects to solve
I We saw 4 important examples:
37/ 37
I Suppose we can apply U and are given one of its eigenvectors
I Remember QFT: |ji 7! |ji =
2`1
k=0
2⇡ijk 2` |ki
I Phase estimation algorithm:
1 p 2` X
k∈{0,1}`
|ki|vi
1 p 2` X
k∈{0,1}`
|kie2⇡i✓k|vi = 1 p 2` X
k∈{0,1}`
e2⇡i✓k|ki|vi
I With O(1/") applications of U: "-error approximation of ✓