Quantum Computing MAS 725 Hartmut Klauck NTU

Order finding over Z N We are given x, N, x<N Order r(x) of x in Z N : min. r  0: x r =1 mod N „Period“ of the powers x

Order finding over Z N Is there a quantum algorithm to find r(x)? Shor‘s algorithm finds r(x) in time poly(log N) trivial approach: compute x i for i=1,...,r(x) this is inefficient, could be that r(x)=N-1

Application Factorization problem: Given a natural number N, find some nontrivial prime factor (or even all of them) Factorization can be reduced to order finding! Purely classical reduction

Shor‘s algorithm We follow the general outline of Simon‘s algorithm Start with Hadamard transform, query the black box But then we need another transformation, the quantum Fourier transform

Fourier Transform Fourier transform: g is a function Z L ! C [or a vector with L entries] Let w=e 2  i/L. Then the Fourier transform is a linear map with matrix FT L (i,j)=w ij ; 0 · i,j · L-1 The trivial algorithm to compute the Fourier transform takes time O(L 2 ) Fast Fourier Transform [FFT] takes times O(L log L)

Quantum Fourier Transform Set L=2 n. Consider the state |  i =  j=0,...,L-1  j |j i. The Fourier transform of |  i is |  i =  j=0,...,L-1  j |j i, with This is just the Fourier transform on the superposition Also called QFT Can we implement the QFT efficiently? Efficient means here: polynomial in n=log L

Quantum Fourier Transform Let L=2 n. Consider |  i =  j=0,...,L-1  j |j i Write j=j 1  j n ; j = j 1 2 n-1 +  +j n 2 0 Set 0.j t j t+1... j n = j t /2+  +j n /2 n-t+1 QFT has the following product representation: |j 1...j n i maps to 1/2 n/2 ¢ ­ t=n,...,1 (|0 i + e 2  i 0. j t...j n |1 i ) =1/2 n/2 ¢ ­ t=1,...,n (|0 i + e 2  ij/2 t |1 i )

Quantum Fourier Transform |j 1...j n i is mapped to 1/2 n/2 ¢ ­ t=n,...,1 (|0 i + e 2  i 0. j t... j n |1 i ) Let R k be the following gate/unitary operator Apply H to j 1. Result: 1/2 1/2 ¢ (|0 i + e 2  i 0. j 1 |1 i ) ­ |j 2,...,j n i Now apply the R t gate controlled by j t for t=2,...,n to the first qubit. Result: 1/2 1/2 ¢ (|0 i + e 2  i 0. j 1,...,j n |1 i ) ­ |j 2,...,j n i First qubit is now correct (corresponds to last desired qubit)

Quantum Fourier Transform This is the circuit for QFT (up to changing the order of qubits) Number of gates: n+(n-1)+  +1=O(n 2 )=O(log 2 L)

Quantum Fourier Transform Caveat: The result of the QFT is a superposition, there is no exponential speedup of computing the Fourier transform in the classical sense (computing the whole vector)

Properties of the QFT Computes in time O(n 2 ), ie. can als be approximated by standard gates quickly QFT is unitary Set w=e 2  i/L, then FT -1 L (i,j)=w -ij ; 0 · i,j · L-1 Translation invariance: Let QFT  j=0,...,L-1  j |j i =  j=0,...,L-1  j |j i T k : |j i  |j+k mod L i. QFT T k  j=0,...,L-1  j |j i = QFT  j=0,...,L-1  j |j+k mod L i =  j=0,...L-1 e 2  ijk/L  j |j i

Period finding Function f: Z L ! Z N given as black box Promise: there is a r<N: f(i)=f(i+r) for all i 2 Z L i  j+kr ) f(i)  f(j) Find r Try to solve this for arbitrary f Black box: U f : |j i |y i  |j i |f(j) y i ; j 2 Z L ; f(j)y 2 Z N Note that Order finding is an instance of Period finding with f(i)=x i

Shor‘s Algorithm log L+log N work space log L qubits in |0 i ; 0 2 Z L log N qubits in |1 i ; 1 2 Z N Apply Hadamard on the first register Apply U f Result: Measure second register Result:

Shor‘s Algorithm Result: 0 · j 0 · r-1; L-r · j 0 +(A-1)r · L-1 A-1 < L/r < A+1

Shor‘s Algorithm Result: Now apply QFT Result: i.e. the probability of k is independent of j 0 (translation invariance)

Shor‘s Algorithm Result: Measurement now: Probability of k is Assumption : r is a divisor of L, i.e. A=L/r, then

Shor‘s Algorithm Assumption : r is a divisor of L, i.e. A=L/r, then If A is a divisor of k, then =1/r If A is no divisor of k, then = 0 (because there are r values k that are multiples of A, each contributing probability 1/r) I.e. we receive a multiple of A=L/r, say, cL/r with 0 · c · r-1 With high probability: c and L/r have no common divisor Then gcd(cL/r,L)=L/r, L is known, hence we learn r.

Shor‘s Algorithm In general: the probability of k is „favorizes“ values of k with kr/L close to an integer Geometric sum with  k =2  kr (mod L)/ L

Shor‘s Algorithm with  k =2  kr (mod L))/ L There are exactly r values k 2 Z L with -r/2 · kr (mod L) · r/2 For those also -  r/L ·  k ·  r/L i.e. with 0 · j · A-1<L/r the angles j  k all lie in the same halfspace ) constructive interference! Call such a k good

Shor‘s Algorithm Some bounds: |1-e i  k | · |  k | [direct distance „1“ to „e i  k “ is smaller than the length of the arc] |1-e iA  k | ¸ 2A|  k |/ , if A|  k | ·  Set dist(0,  )=|1-e i  |, then dist(0,  )/|  | ¸ dist(0,  )/  =2/  A < (L/r)+1, hence A  k · A  r/L <  (1+r/L) use that kr · r/2 for a good k

Shor‘s Algorithm |1-e i  k | · |  k | ; |1-e iA  k | ¸ 2A|  k |/ , if A|  k | ·  A  k · A  r/L <  (1+r/L)

Shor‘s Algorithm Each of the r good values of k has probability close to 1/r, hence with constant probability we get a k with -r/2 · kr (mod L) · r/2 [Success] |kr-cL| · r/2 for some c Then:|k/L-c/r| · 1/(2L), i.e. k/L is approximation of c/r We know k and L. Consider k/L as rational number (reduced). c is uniformly random from 0,...,r-1 c and r have no common divisor with probability at least 1/log r Then: computing c/r (as a rational number in reduced form) gives us also r Choose L large enough to get a good approximation

Shor‘s Algorithm With constant probability we get k with |k/L-c/r| · 1/(2L) With probability 1/log r > 1/log L we have gcd(c,r)=1 Let r<N, L=N 2 c/r is a rational number with denominator <N Any two such numbers are not closer than 1/N 2 =1/L > 1/(2L) The interval contains only one rational number c/r with denominator < N Find the rational number with denominator < N that is close to k/L Use the continued fractions algorithm to do that

Continued fractions The continued fractions algorithm computed for a real  its representation as continued fraction If |c/r-  | · 1/(2r 2 ), then one of the steps computes the pair c,r, after at mostO(t 3 ) Operations for t-bit numbers

Total running time/success probability k is good with constant probability With probability 1/log N also c is good (i.e. no common divisor with r) Need to repeat only O(log N) times For order finding in Z N choose L=N 2, i.e. 2 log N +log N qubits are used Fourier transform in O(log 2 L) Continued fractions finds r from k/L in time O(log 3 L) Can check r for correctness using the black box Total time is O(log 4 N), can be reduced to O(log 3 N)

Continued fractions Given: real  Approximate  by Take integer part as a 0, invert remaining number, iterate Theorem: |p/q-  | · 1/(2q 2 ), then p/q appears after at most O(log (p+q)) steps