Shor’s Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O ( n 3 ) -time algorithm DPV Chapter 10 for factoring n -bit integers — on a quantum algorithm. Why is this a big deal? ◮ O ( e n 1/3 ( log n ) 2/3 ) -time is the best known runtime for factoring on Jim Royer “nonquantum” computers. ◮ The security of RSA and many other cryptosystems depend on the hardness of factoring. CIS 675 ◮ Factoring was one of the first “natural” problems on which quantum computation appeared to have a real advantage. April 24, 2019 (There are more such problems now, but still not that many.) Chapter 10 of DPV sketches Shor’s Algorithm. Here we will sketch Chapter 10 of DPV. Uncredited diagrams are from DPV or homemade. Jim Royer (CIS 675) Quantum Algorithms April 24, 2019 1 / 19 Jim Royer (CIS 675) Quantum Algorithms April 24, 2019 2 / 19 Representing Bits Qubits & Superposition An electron of a hydrogen atom can be in: a ground (low energy) state, denoted | 0 � , or an excited (high energy) state, denoted | 1 � , or The standard way to represent a bit is with voltages on a wire: α 0 | 0 � + α 1 | 1 � , a linear combination of | 0 � and | 1 � where α 0 , α 1 ∈ C and | α 0 | 2 + | α 1 | 2 = 1. ◮ a low voltage for 0 . ◮ a high voltage for 1 . An alternative is to use a single electron and use the electron’s state: ◮ its ground state represents 0 . ◮ its excited state to represent 1 . An electron can be in a mixture (superposition) of its ground and excited � � ground state � excited state � superposition � 0 � 1 � � � � � 0 + α 1 � 1 states. α 0 We can used these superposition to achieve a kind of parallelism . . . Superposition principle If a quantum system can be in one of two states, s 0 and s 1 , then it can also be in any linear superposition of s 0 and s 1 . There are many proposed physical representations for qubits. Jim Royer (CIS 675) Quantum Algorithms April 24, 2019 3 / 19 Jim Royer (CIS 675) Quantum Algorithms April 24, 2019 4 / 19
Qubits & Measurement Quantum Registers, 1 Quantum register ≡ an array of qubits For a two qubit register: When we measure a qubit ( α 0 | 0 � + α 1 | 1 � ), we force it into: ( α 0 | 0 � + α 1 | 1 � ) ⊗ ( β 0 | 0 � + β 1 | 1 � ) state | 0 � with probability | α 0 | 2 , or else = α 0 β 0 | 00 � + α 0 β 1 | 01 � + α 1 β 0 | 10 � + α 1 β 1 | 11 � state | 1 � with probability | α 1 | 2 = 1 − | α 0 | 2 . ◮ Note that ( α 0 β 0 ) 2 + ( α 0 β 1 ) 2 + ( α 1 β 0 ) 2 + ( α 1 β 1 ) 2 state � � � 0 with prob | α 0 | 2 = α 2 0 · ( β 2 0 + β 2 1 ) + α 2 1 · ( β 2 0 + β 2 1 ) = α 2 0 · 1 + α 2 1 · 1 = 1. ◮ The probability of obtaining | ij � from a measurement is: | α i β j | 2 . ◮ If we measure just the first qubit and obtain | 0 � , the state of the register � � � � � 0 + α 1 � 1 α 0 � � state � 1 with prob | α 1 | 2 becomes α 0 β 0 | 00 � + α 0 β 1 � | α 0 β 0 | 2 + | α 0 β 1 | 2 . | 01 � , where r = r r Jim Royer (CIS 675) Quantum Algorithms April 24, 2019 5 / 19 Jim Royer (CIS 675) Quantum Algorithms April 24, 2019 6 / 19 Quantum Registers, 2 The Plan for Factoring in Quantum Poly-Time Quantum register ≡ an array of qubits For an n qubit register: ◮ Can achieve the superimposition of all 2 n classical states. FACTORING is reduced to finding a nontrivial 1 ◮ If you put this through a series of reversible circuits, no states are collapsed. square root of 1 modulo N . ∴ You have 2 n many classical computations going on at the same time. !!! The problem is learning anything useful via measurements. Finding such a root is reduced to computing the 2 order of a random integer modulo N . The order of an integer is precisely the period of a 3 Input x Output y particular periodic superposition. n -bit string n -bit string Finally, periods of superpositions can be found by 4 the quantum FFT. Exponential superposition Jim Royer (CIS 675) Quantum Algorithms April 24, 2019 7 / 19 Jim Royer (CIS 675) Quantum Algorithms April 24, 2019 8 / 19
The Discrete Fourier Transform, 1 The Discrete Fourier Transform, 2 1 1 1 . . . 1 1 1 1 . . . 1 ω n − 1 ω n − 1 ω 2 ω 2 1 ω . . . 1 ω . . . β 0 α 0 β 0 α 0 ω 2 ω 4 ω 2 ( n − 1 ) ω 2 ω 4 ω 2 ( n − 1 ) 1 . . . 1 . . . β 1 α 1 β 1 α 1 . . . . 1 1 . . . . β 2 α 2 β 2 α 2 = √ . . = √ . . . . . . M M ω j ω 2 j ω j ( n − 1 ) ω j ω 2 j ω j ( n − 1 ) . . . . 1 . . . 1 . . . . . . . . . . . β M − 1 . . α M − 1 β M − 1 . . α M − 1 . . . . ω n − 1 ω 2 ( n − 1 ) ω ( n − 1 )( n − 1 ) ω n − 1 ω 2 ( n − 1 ) ω ( n − 1 )( n − 1 ) 1 . . . 1 . . . � α ∈ C M , β , � The quantum version of FFT takes O (( log M ) 2 ) time!!!. ω = a complex M th root of unity, Input/Output ( log 2 M ) = m qubits in superimposition α ∗ = 1. 1 M is a fudge so that � α · � √ α = ∑ M − 1 � j = 0 α j | j � , where | j � = | j m − 1 . . . j 1 j 0 � The classical Fast Fourier Transform algorithm computes this transform in and ( j m − 1 . . . j 1 j 0 ) 2 = the binary rep of j . Θ ( M log M ) time. Jim Royer (CIS 675) Quantum Algorithms April 24, 2019 9 / 19 Jim Royer (CIS 675) Quantum Algorithms April 24, 2019 10 / 19 The Quantum Fast Fourier Transform, 1 The Quantum Fast Fourier Transform, 2 The Classical circuit for FFT However: The output comes from a measurement. The output will be | j � (where j is an m bit vector) with probability | β j | 2 (for j ∈ { 0, . . . , M − 1 } ). So this is more like sampling than straightforward computation. QFT α � = ∑ M − 1 Input: A superposition of m = log 2 M qubits | � j = 0 α j | j � . Method: Using O ( m 2 ) quantum/reversible operations perform the quantum version of FFT to obtain the superposition | � β � = ∑ M − 1 j = 0 β j | j � . Output: A random m -bit number j ∈ { 0, . . . , M − 1 } from the There is a reversible version of this that takes m stages with O ( m ) probability distribution Prob [ j ] = | β j | 2 . operations per stage. Hence the O ( m 2 ) = O (( log M ) 2 ) run time. Jim Royer (CIS 675) Quantum Algorithms April 24, 2019 11 / 19 Jim Royer (CIS 675) Quantum Algorithms April 24, 2019 12 / 19
Recommend
More recommend
