Quantum Computers: Qubits, Superposition, Measurement, and Quantum Fourier Transform, Study notes of Introduction to Computers

An introduction to quantum computers, focusing on the fundamental concepts of qubits, superposition, measurement, and the quantum Fourier transform (QFT). It explains how these principles differ from classical physics and discusses their implications for secure business transactions on the Internet.

Typology: Study notes

2010/2011

Uploaded on 09/06/2011

stifler_11

Chapter 10

Quantum algorithms

This book started with the world’s oldest and most widely used algorithms (the ones for adding and multiplying numbers) and an ancient hard problem (FACTORING). In this last chapter the tables are turned: we present one of the latest algorithms—and it is an efficient algorithm for FACTORING! There is a catch, of course: this algorithm needs a quantum computer to execute.

Quantum physics is a beautiful and mysterious theory that describes Nature in the small, at the level of elementary particles. One of the major discoveries of the nineties was that quantum computers—computers based on quantum physics principles—are radically different from those that operate according to the more familiar principles of classical physics. Surprisingly, they can be exponentially more powerful: as we shall see, quantum computers can solve FACTORING in polynomial time! As a result, in a world with quantum computers, the systems that currently safeguard business transactions on the Internet (and are based on the RSA cryptosystem) will no longer be secure.

10.1 Qubits, superposition, and measurement

In this section we introduce the basic features of quantum physics that are necessary for understanding how quantum computers work.^1

In ordinary computer chips, bits are physically represented by low and high voltages on wires. But there are many other ways a bit could be stored—for instance, in the state of a hydrogen atom. The single electron in this atom can either be in the ground state (the lowest energy configuration) or it can be in an excited state (a high energy configuration). We can use these two states to encode for bit values 0 and 1, respectively.

Let us now introduce some quantum physics notation. We denote the ground state of our electron by $|0\rangle$, since it encodes for bit value 0, and likewise the excited state by $|1\rangle$. These are the two possible states of the electron in classical physics. Many of the most counterintuitive aspects of quantum physics arise from the superposition principle, which states that if a quantum system can be in one of two states, then it can also be in any linear superposition of those two states. For instance, the state of the electron could well be $\frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle$ or $\frac{1}{\sqrt{2}}|0\rangle - \frac{1}{\sqrt{2}}|1\rangle$; or an infinite number of other combinations of the form $\alpha_0|0\rangle + \alpha_1|1\rangle$. The coefficient $\alpha_0$ is called the amplitude of state $|0\rangle$, and similarly with $\alpha_1$. And—if things aren’t already strange enough—the α’s can be complex numbers, as long as they are normalized so that $|\alpha_0|^2 + |\alpha_1|^2 = 1$. For example, $\frac{1}{\sqrt{5}}|0\rangle + \frac{2i}{\sqrt{5}}|1\rangle$ (where $i$ is the imaginary unit, $\sqrt{-1}$) is a perfectly valid quantum state! Such a superposition, $\alpha_0|0\rangle + \alpha_1|1\rangle$, is the basic unit of encoded information in quantum computers (Figure 10.1). It is called a qubit (pronounced “cubit”).

^1 This field is so strange that the famous physicist Richard Feynman is quoted as having said, “I think I can safely say that no one understands quantum physics.” So there is little chance you will understand the theory in depth after reading this section! But if you are interested in learning more, see the recommended reading at the book’s end.

312 Algorithms

Figure 10.1 An electron can be in a ground state or in an excited state. In the Dirac notation used in quantum physics, these are denoted $|0\rangle$ and $|1\rangle$. But the superposition principle says that, in fact, the electron is in a state that is a linear combination of these two: $\alpha_0|0\rangle + \alpha_1|1\rangle$.

This would make immediate sense if the α’s were probabilities, nonnegative real numbers adding to 1. But the superposition principle insists that they can be arbitrary complex numbers, as long as the squares of their norms add up to 1!

[Figure panels: ground state $|0\rangle$; excited state $|1\rangle$; superposition $\alpha_0|0\rangle + \alpha_1|1\rangle$]

The whole concept of a superposition suggests that the electron does not make up its mind about whether it is in the ground or excited state, and the amplitude $\alpha_0$ is a measure of its inclination toward the ground state. Continuing along this line of thought, it is tempting to think of $\alpha_0$ as the probability that the electron is in the ground state. But then how are we to make sense of the fact that $\alpha_0$ can be negative, or even worse, imaginary? This is one of the most mysterious aspects of quantum physics, one that seems to extend beyond our intuitions about the physical world.

This linear superposition, however, is the private world of the electron. For us to get a glimpse of the electron’s state we must make a measurement, and when we do so, we get a single bit of information—0 or 1. If the state of the electron is $\alpha_0|0\rangle + \alpha_1|1\rangle$, then the outcome of the measurement is 0 with probability $|\alpha_0|^2$ and 1 with probability $|\alpha_1|^2$ (luckily we normalized so $|\alpha_0|^2 + |\alpha_1|^2 = 1$). Moreover, the act of measurement causes the system to change its state: if the outcome of the measurement is 0, then the new state of the system is $|0\rangle$ (the ground state), and if the outcome is 1, the new state is $|1\rangle$ (the excited state). This


Entanglement

Suppose we have two qubits, the first in the state $\alpha_0|0\rangle + \alpha_1|1\rangle$ and the second in the state $\beta_0|0\rangle + \beta_1|1\rangle$. What is the joint state of the two qubits? The answer is, the (tensor) product of the two:

$$\alpha_0\beta_0|00\rangle + \alpha_0\beta_1|01\rangle + \alpha_1\beta_0|10\rangle + \alpha_1\beta_1|11\rangle.$$

Given an arbitrary state of two qubits, can we specify the state of each individual qubit in this way? No, in general the two qubits are entangled and cannot be decomposed into the states of the individual qubits. For example, consider the state $|\psi\rangle = \frac{1}{\sqrt{2}}|00\rangle + \frac{1}{\sqrt{2}}|11\rangle$, which is one of the famous Bell states. It cannot be decomposed into states of the two individual qubits (see Exercise 10.1). Entanglement is one of the most mysterious aspects of quantum mechanics and is ultimately the source of the power of quantum computation.

of information, and the probability of outcome $x \in \{0,1\}^2$ is $|\alpha_x|^2$. Moreover, as before, if the outcome of measurement is $jk$, then the new state of the system is $|jk\rangle$: if $jk = 10$, for example, then the first electron is in the excited state and the second electron is in the ground state.

An interesting question comes up here: what if we make a partial measurement? For instance, if we measure just the first qubit, what is the probability that the outcome is 0? This is simple. It is exactly the same as it would have been had we measured both qubits, namely, $\Pr\{\text{1st bit} = 0\} = \Pr\{00\} + \Pr\{01\} = |\alpha_{00}|^2 + |\alpha_{01}|^2$. Fine, but how much does this partial measurement disturb the state of the system?

The answer is elegant. If the outcome of measuring the first qubit is 0, then the new superposition is obtained by crossing out all terms of $|\alpha\rangle$ that are inconsistent with this outcome (that is, whose first bit is 1). Of course the sum of the squares of the amplitudes is no longer 1, so we must renormalize. In our example, this new state would be

$$|\alpha_{\text{new}}\rangle = \frac{\alpha_{00}}{\sqrt{|\alpha_{00}|^2 + |\alpha_{01}|^2}}\,|00\rangle + \frac{\alpha_{01}}{\sqrt{|\alpha_{00}|^2 + |\alpha_{01}|^2}}\,|01\rangle.$$

Finally, let us consider the general case of n hydrogen atoms. Think of n as a fairly small number of atoms, say n = 500. Classically the states of the 500 electrons could be used to store 500 bits of information in the obvious way. But the quantum state of the 500 qubits is a linear superposition of all $2^{500}$ possible classical states:

$$\sum_{x \in \{0,1\}^n} \alpha_x |x\rangle.$$

It is as if Nature has $2^{500}$ scraps of paper on the side, each with a complex number written on it, just to keep track of the state of this system of 500 hydrogen atoms! Moreover, at each moment, as the state of the system evolves in time, it is as though Nature crosses out the complex number on each scrap of paper and replaces it with its new value.

Let us consider the effort involved in doing all this. The number $2^{500}$ is much larger than estimates of the number of elementary particles in the universe. Where, then, does Nature store this information? How could microscopic quantum systems of a few hundred atoms contain more information than we can possibly store in the entire classical universe? Surely this is a most extravagant theory about the amount of effort put in by Nature just to keep a tiny system evolving in time.

In this phenomenon lies the basic motivation for quantum computation. After all, if Nature is so extravagant at the quantum level, why should we base our computers on classical physics? Why not tap into this massive amount of effort being expended at the quantum level?

But there is a fundamental problem: this exponentially large linear superposition is the private world of the electrons. Measuring the system only reveals n bits of information. As before, the probability that the outcome is a particular 500-bit string x is $|\alpha_x|^2$. And the new state after measurement is just $|x\rangle$.

S. Dasgupta, C.H. Papadimitriou, and U.V. Vazirani 315

Figure 10.3 A quantum algorithm takes n “classical” bits as its input, manipulates them so as to create a superposition of their $2^n$ possible states, manipulates this exponentially large superposition to obtain the final quantum result, and then measures the result to get (with the appropriate probability distribution) the n output bits. For the middle phase, there are elementary operations which count as one step and yet manipulate all the exponentially many amplitudes of the superposition.

[Figure panels: Input x (n-bit string); Exponential superposition; Output y (n-bit string)]

10.2 The plan

A quantum algorithm is unlike any you have seen so far. Its structure reflects the tension between the exponential “private workspace” of an n-qubit system and the mere n bits that can be obtained through measurement.

The input to a quantum algorithm consists of n classical bits, and the output also consists of n classical bits. It is while the quantum system is not being watched that the quantum effects take over and we have the benefit of Nature working exponentially hard on our behalf. If the input is an n-bit string x, then the quantum computer takes as input n qubits in


complex-valued vector β:

$$\begin{pmatrix} \beta_0 \\ \beta_1 \\ \beta_2 \\ \vdots \\ \beta_{M-1} \end{pmatrix} = \frac{1}{\sqrt{M}} \begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ 1 & \omega & \omega^2 & \cdots & \omega^{M-1} \\ 1 & \omega^2 & \omega^4 & \cdots & \omega^{2(M-1)} \\ & & \vdots & & \\ 1 & \omega^j & \omega^{2j} & \cdots & \omega^{(M-1)j} \\ & & \vdots & & \\ 1 & \omega^{(M-1)} & \omega^{2(M-1)} & \cdots & \omega^{(M-1)(M-1)} \end{pmatrix} \begin{pmatrix} \alpha_0 \\ \alpha_1 \\ \alpha_2 \\ \vdots \\ \alpha_{M-1} \end{pmatrix}$$

where ω is a complex Mth root of unity (the extra factor of $1/\sqrt{M}$ is new and has the effect of ensuring that if the $|\alpha_i|^2$ add up to 1, then so do the $|\beta_i|^2$). Although the preceding equation suggests an $O(M^2)$ algorithm, the classical FFT is able to perform this calculation in just $O(M \log M)$ steps, and it is this speedup that has had the profound effect of making digital signal processing practically feasible. We will now see that quantum computers can implement the FFT exponentially faster, in $O(\log^2 M)$ time!

But wait, how can any algorithm take time less than M, the length of the input? The point is that we can encode the input in a superposition of just $m = \log M$ qubits: after all, this superposition consists of $2^m$ amplitude values. In the notation we introduced earlier, we would write the superposition as $|\alpha\rangle = \sum_{j=0}^{M-1} \alpha_j |j\rangle$ where $\alpha_i$ is the amplitude of the m-bit binary string corresponding to the number i in the natural way. This brings up an important point: the $|j\rangle$ notation is really just another way of writing a vector, where the index of each entry of the vector is written out explicitly in the special bracket symbol.

Starting from this input superposition $|\alpha\rangle$, the quantum Fourier transform (QFT) manipulates it appropriately in $m = \log M$ stages. At each stage the superposition evolves so that it encodes the intermediate results at the same stage of the classical FFT (whose circuit, with $m = \log M$ stages, is reproduced from Chapter 2 in Figure 10.4). As we will see in Section 10.5, this can be achieved with m quantum operations per stage. Ultimately, after m such stages and $m^2 = \log^2 M$ elementary operations, we obtain the superposition $|\beta\rangle$ that corresponds to the desired output of the QFT.

So far we have only considered the good news about the QFT: its amazing speed. Now it is time to read the fine print. The classical FFT algorithm actually outputs the M complex numbers $\beta_0, \ldots, \beta_{M-1}$. In contrast, the QFT only prepares a superposition $|\beta\rangle = \sum_{j=0}^{M-1} \beta_j |j\rangle$. And, as we saw earlier, these amplitudes are part of the “private world” of this quantum system. Thus the only way to get our hands on this result is by measuring it! And measuring the state of the system only yields $m = \log M$ classical bits: specifically, the output is index j with probability $|\beta_j|^2$. So, instead of QFT, it would be more accurate to call this algorithm quantum Fourier sampling.

Moreover, even though we have confined our attention to the case $M = 2^m$ in this section, the algorithm can be implemented for arbitrary values of M, and can be summarized as follows:


Figure 10.4 The classical FFT circuit from Chapter 2. Input vectors of M bits are processed in a sequence of m = log M levels.

[Circuit diagram: inputs $\alpha_0, \alpha_4, \alpha_2, \alpha_6, \alpha_1, \alpha_5, \alpha_7, \alpha_3$; outputs $\beta_0, \beta_1, \ldots, \beta_7$]

Input: A superposition of $m = \log M$ qubits, $|\alpha\rangle = \sum_{j=0}^{M-1} \alpha_j |j\rangle$.

Method: Using $O(m^2) = O(\log^2 M)$ quantum operations perform the quantum FFT to obtain the superposition $|\beta\rangle = \sum_{j=0}^{M-1} \beta_j |j\rangle$.

Output: A random m-bit number j (that is, $0 \le j \le M - 1$), from the probability distribution $\Pr[j] = |\beta_j|^2$.

Quantum Fourier sampling is basically a quick way of getting a very rough idea about the output of the classical FFT, just detecting one of the larger components of the answer vector. In fact, we don’t even see the value of that component—we only see its index. How can we use such meager information? In which applications of the FFT is just the index of the large components enough? This is what we explore next.

10.4 Periodicity

Suppose that the input to the QFT, $|\alpha\rangle = (\alpha_0, \alpha_1, \ldots, \alpha_{M-1})$, is such that $\alpha_i = \alpha_j$ whenever $i \equiv j \bmod k$, where k is a particular integer that divides M. That is, the array α consists of M/k repetitions of some sequence $(\alpha_0, \alpha_1, \ldots, \alpha_{k-1})$ of length k. Moreover, suppose that


The Fourier transform of a periodic vector

Suppose the vector $|\alpha\rangle = (\alpha_0, \alpha_1, \ldots, \alpha_{M-1})$ is periodic with period k and with no offset (that is, the nonzero terms are $\alpha_0, \alpha_k, \alpha_{2k}, \ldots$). Thus,

$$|\alpha\rangle = \sum_{j=0}^{M/k-1} \sqrt{\frac{k}{M}}\,|jk\rangle.$$

We will show that its Fourier transform $|\beta\rangle = (\beta_0, \beta_1, \ldots, \beta_{M-1})$ is also periodic, with period M/k and no offset.

Claim $|\beta\rangle = \frac{1}{\sqrt{k}} \sum_{j=0}^{k-1} \left|\frac{jM}{k}\right\rangle$.

Proof. In the input vector, the coefficient $\alpha_\ell$ is $\sqrt{k/M}$ if k divides $\ell$, and is zero otherwise. We can plug this into the formula for the jth coefficient of $|\beta\rangle$:

$$\beta_j = \frac{1}{\sqrt{M}} \sum_{\ell=0}^{M-1} \omega^{j\ell} \alpha_\ell = \frac{\sqrt{k}}{M} \sum_{i=0}^{M/k-1} \omega^{jik}.$$

The summation is a geometric series, $1 + \omega^{jk} + \omega^{2jk} + \omega^{3jk} + \cdots$, containing M/k terms and with ratio $\omega^{jk}$ (recall that ω is a complex Mth root of unity). There are two cases. If the ratio is exactly 1, which happens if $jk \equiv 0 \bmod M$, then the sum of the series is simply the number of terms. If the ratio isn’t 1, we can apply the usual formula for geometric series to find that the sum is

$$\frac{1 - \omega^{jk(M/k)}}{1 - \omega^{jk}} = \frac{1 - \omega^{Mj}}{1 - \omega^{jk}} = 0.$$

Therefore $\beta_j$ is $1/\sqrt{k}$ if M divides jk, and is zero otherwise.

More generally, we can consider the original superposition to be periodic with period k, but with some offset $l < k$:

$$|\alpha\rangle = \sum_{j=0}^{M/k-1} \sqrt{\frac{k}{M}}\,|jk + l\rangle.$$

Then, as before, the Fourier transform $|\beta\rangle$ will have nonzero amplitudes precisely at multiples of M/k:

Claim $|\beta\rangle = \frac{1}{\sqrt{k}} \sum_{j=0}^{k-1} \omega^{ljM/k} \left|\frac{jM}{k}\right\rangle$.

The proof of this claim is very similar to the preceding one (Exercise 10.5).

We conclude that the QFT of any periodic superposition with period k is an array that is everywhere zero, except at indices that are multiples of M/k, and all these k nonzero coefficients have equal absolute values. So if we sample the output, we will get an index that is a multiple of M/k, and each of the k such indices will occur with probability 1/k.


Let’s make this more precise.

Lemma Suppose s independent samples are drawn uniformly from

$$0, \frac{M}{k}, \frac{2M}{k}, \ldots, \frac{(k-1)M}{k}.$$

Then with probability at least $1 - k/2^s$, the greatest common divisor of these samples is M/k.

Proof. The only way this can fail is if all the samples are multiples of $j \cdot M/k$, where j is some integer greater than 1. So, fix any integer $j \ge 2$. The chance that a particular sample is a multiple of jM/k is at most $1/j \le 1/2$; and thus the chance that all the samples are multiples of jM/k is at most $1/2^s$. So far we have been thinking about a particular number j; the probability that this bad event will happen for some $j \le k$ is at most equal to the sum of these probabilities over the different values of j, which is no more than $k/2^s$.

We can make the failure probability as small as we like by taking s to be an appropriate multiple of log M.
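The claim about periodic superpositions and the gcd lemma can be checked numerically. The following Python sketch is an added example, not code from the book: it computes the Fourier transform of a periodic superposition classically, samples indices with probability $|\beta_j|^2$, and recovers the period from the gcd of the samples. The sizes M = 64 and k = 8, the offset, and the choice $\omega = e^{2\pi i/M}$ are assumptions made for illustration.

```python
# Added example: classical simulation of Fourier sampling on a periodic
# superposition (Section 10.4). M, k, the offset and the seed are constructed.
import cmath
import math
import random
from functools import reduce


def periodic_state(M, k, offset=0):
    """Amplitudes sqrt(k/M) at indices offset, offset + k, offset + 2k, ..."""
    if M % k != 0 or not 0 <= offset < k:
        raise ValueError("need k | M and 0 <= offset < k")
    amp = math.sqrt(k / M)
    return [amp if j % k == offset else 0.0 for j in range(M)]


def fourier(alpha):
    """beta_j = (1/sqrt(M)) * sum_l omega^(j*l) * alpha_l.

    Assumption: omega = e^(2*pi*i/M); the page only says omega is a
    complex M-th root of unity.
    """
    M = len(alpha)
    omega = [cmath.exp(2j * cmath.pi * t / M) for t in range(M)]
    scale = 1 / math.sqrt(M)
    return [scale * sum(omega[(j * l) % M] * a for l, a in enumerate(alpha))
            for j in range(M)]


def support(beta, tol=1e-9):
    """Indices whose amplitude is not numerically zero."""
    return [j for j, b in enumerate(beta) if abs(b) > tol]


def fourier_sample(beta, s, rng, tol=1e-9):
    """Draw s indices j with probability |beta_j|^2 (the measurement step)."""
    weights = [abs(b) ** 2 if abs(b) > tol else 0.0 for b in beta]
    return rng.choices(range(len(beta)), weights=weights, k=s)


def recover_period(M, samples):
    """Period implied by the gcd g of the samples, i.e. M / g.

    Returns None when g is 0 (every sample was index 0) or does not divide M.
    A wrong period is still possible; that is the failure event of the lemma.
    """
    g = reduce(math.gcd, samples, 0)
    if g == 0 or M % g != 0:
        return None
    return M // g


def failure_rate(M, k, s, trials, seed=1):
    """Fraction of trials in which s samples do not give back the period k."""
    rng = random.Random(seed)
    beta = fourier(periodic_state(M, k, offset=rng.randrange(k)))
    bad = sum(recover_period(M, fourier_sample(beta, s, rng)) != k
              for _ in range(trials))
    return bad / trials


if __name__ == "__main__":
    M, k = 64, 8
    beta = fourier(periodic_state(M, k, offset=3))
    print("nonzero indices:", support(beta))
    print("|beta_j| on support:", round(abs(beta[M // k]), 6),
          "expected", round(1 / math.sqrt(k), 6))
    for s in (4, 6, 10):
        print(f"s={s}: observed failure rate",
              failure_rate(M, k, s, trials=2000),
              "lemma bound", min(1.0, k / 2 ** s))
```

The offset changes only the phases of the nonzero amplitudes, so the sampled indices carry no information about it, which is why the gcd step works without knowing the offset.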

10.5 Quantum circuits

So quantum computers can carry out a Fourier transform exponentially faster than classical computers. But what do these computers actually look like? What is a quantum circuit made up of, and exactly how does it compute Fourier transforms so quickly?

10.5.1 Elementary quantum gates

An elementary quantum operation is analogous to an elementary gate like the AND or NOT gate in a classical circuit. It operates upon either a single qubit or two qubits. One of the most important examples is the Hadamard gate, denoted by H, which operates on a single qubit. On input $|0\rangle$, it outputs $H(|0\rangle) = \frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle$. And for input $|1\rangle$, $H(|1\rangle) = \frac{1}{\sqrt{2}}|0\rangle - \frac{1}{\sqrt{2}}|1\rangle$.

In pictures:

[Diagram: $|0\rangle \to H \to \frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle$; $|1\rangle \to H \to \frac{1}{\sqrt{2}}|0\rangle - \frac{1}{\sqrt{2}}|1\rangle$]

Notice that in either case, measuring the resulting qubit yields 0 with probability 1/2 and 1 with probability 1/2. But what happens if the input to the Hadamard gate is an arbitrary superposition $\alpha_0|0\rangle + \alpha_1|1\rangle$? The answer, dictated by the linearity of quantum physics, is the superposition $\alpha_0 H(|0\rangle) + \alpha_1 H(|1\rangle) = \frac{\alpha_0 + \alpha_1}{\sqrt{2}}|0\rangle + \frac{\alpha_0 - \alpha_1}{\sqrt{2}}|1\rangle$. And so, if we apply the Hadamard gate to the output of a Hadamard gate, it restores the qubit to its original state!

Another basic gate is the controlled-NOT, or CNOT. It operates upon two qubits, with the first acting as a control qubit and the second as the target qubit. The CNOT gate flips the second bit if and only if the first qubit is a 1. Thus $\mathrm{CNOT}(|00\rangle) = |00\rangle$ and $\mathrm{CNOT}(|10\rangle) = |11\rangle$:


10.5.3 The quantum Fourier transform circuit

Here we have reproduced the diagram (from Section 2.6.4) showing how the classical FFT circuit for M-vectors is composed of two FFT circuits for (M/2)-vectors followed by some simple gates.

[Figure: $\mathrm{FFT}_M$ (input: $\alpha_0, \ldots, \alpha_{M-1}$, output: $\beta_0, \ldots, \beta_{M-1}$). Labels: inputs $\alpha_0, \alpha_2, \ldots, \alpha_{M-2}$ and $\alpha_1, \alpha_3, \ldots, \alpha_{M-1}$; two $\mathrm{FFT}_{M/2}$ blocks; wires $j$ and $j + M/2$; outputs $\beta_j$ and $\beta_{j+M/2}$]

Let’s see how to simulate this on a quantum system. The input is now encoded in the $2^m$ amplitudes of $m = \log M$ qubits. Thus the decomposition of the inputs into evens and odds, as shown in the preceding figure, is clearly determined by one of the qubits—the least significant qubit. How do we separate the even and odd inputs and apply the recursive circuits to compute $\mathrm{FFT}_{M/2}$ on each half? The answer is remarkable: just apply the quantum circuit $\mathrm{QFT}_{M/2}$ to the remaining $m - 1$ qubits. The effect of this is to apply $\mathrm{QFT}_{M/2}$ to the superposition of all the m-bit strings of the form $x0$ (of which there are M/2), and separately to the superposition of all the m-bit strings of the form $x1$. Thus the two recursive classical circuits can be emulated by a single quantum circuit—an exponential speedup when we unwind the recursion!

[Figure labels: $\mathrm{QFT}_{M/2}$; least significant bit; $m - 1$ qubits; $\mathrm{QFT}_{M/2}$; H]

Let us now consider the gates in the classical FFT circuit after the recursive calls to $\mathrm{FFT}_{M/2}$: the wires pair up $j$ with $M/2 + j$, and ignoring for now the phase that is applied to the contents of the $(M/2 + j)$th wire, we must add and subtract these two quantities to obtain the $j$th and the $(M/2 + j)$th outputs, respectively. How would a quantum circuit achieve the result of these M classical gates? Simple: just perform the Hadamard gate on the first qubit! Recall from the preceding discussion (Section 10.5.1) that for every possible configuration of the remaining $m - 1$ qubits $x$, this pairs up the strings $0x$ and $1x$. Translating from binary, this means we are pairing up $x$ and $M/2 + x$. Moreover the result of the Hadamard gate is that for each such pair, the amplitudes are replaced by the sum and difference (normalized by $1/\sqrt{2}$), respectively. So far the QFT requires almost no gates at all!

The phase that must be applied to the $(M/2 + j)$th wire for each $j$ requires a little more work. Notice that the phase of $\omega^j$ must be applied only if the first qubit is 1. Now if $j$ is represented by the $m - 1$ bits $j_1 \ldots j_{m-1}$, then $\omega^j = \prod_{l=1}^{m-1} \omega^{2^l j_l}$. Thus the phase $\omega^j$ can be applied by applying for the $l$th wire (for each $l$) a phase of $\omega^{2^l}$ if the $l$th qubit is a 1 and the first qubit is a 1. This task can be accomplished by another two-qubit quantum gate—the conditional phase gate. It leaves the two qubits unchanged unless they are both 1, in which case it applies a specified phase factor.

The QFT circuit is now specified. The number of quantum gates is given by the formula $S(m) = S(m-1) + O(m)$, which works out to $S(m) = O(m^2)$. The QFT on inputs of size $M = 2^m$ thus requires $O(m^2) = O(\log^2 M)$ quantum operations.

10.6 Factoring as periodicity

We have seen how the quantum Fourier transform can be used to find the period of a periodic superposition. Now we show, by a sequence of simple reductions, how factoring can be recast as a period-finding problem.

Fix an integer N. A nontrivial square root of 1 modulo N (recall Exercises 1.36 and 1.40) is any integer $x \not\equiv \pm 1 \bmod N$ such that $x^2 \equiv 1 \bmod N$. If we can find a nontrivial square root of 1 mod N, then it is easy to decompose N into a product of two nontrivial factors (and repeating the process would factor N):

Lemma If x is a nontrivial square root of 1 modulo N, then $\gcd(x + 1, N)$ is a nontrivial factor of N.

Proof. $x^2 \equiv 1 \bmod N$ implies that N divides $(x^2 - 1) = (x + 1)(x - 1)$. But N does not divide either of these individual terms, since $x \not\equiv \pm 1 \bmod N$. Therefore N must have a nontrivial factor in common with each of $(x + 1)$ and $(x - 1)$. In particular, $\gcd(N, x + 1)$ is a nontrivial factor of N.

Example. Let N = 15. Then $4^2 \equiv 1 \bmod 15$, but $4 \not\equiv \pm 1 \bmod 15$. Both $\gcd(4 - 1, 15) = 3$ and $\gcd(4 + 1, 15) = 5$ are nontrivial factors of 15.

To complete the connection with periodicity, we need one further concept. Define the order of x modulo N to be the smallest positive integer r such that $x^r \equiv 1 \bmod N$. For instance, the order of 2 mod 15 is 4. Computing the order of a random number x mod N is closely related to the problem of finding nontrivial square roots, and thereby to factoring. Here’s the link.

Lemma Let N be an odd composite, with at least two distinct prime factors, and let x be chosen uniformly at random between 0 and N − 1. If $\gcd(x, N) = 1$, then with probability at least 1/2, the order r of x mod N is even, and moreover $x^{r/2}$ is a nontrivial square root of 1 mod N.

The proof of this lemma is left as an exercise. What it implies is that if we could compute the order r of a randomly chosen element x mod N, then there’s a good chance that this order is even and that $x^{r/2}$ is a nontrivial square root of 1 modulo N. In which case $\gcd(x^{r/2} + 1, N)$ is a factor of N.


10.7 The quantum algorithm for factoring

We can now put together all the pieces of the quantum algorithm for FACTORING (see Figure 10.6). Since we can test in polynomial time whether the input is a prime or a prime power, we’ll assume that we have already done that and that the input is an odd composite number with at least two distinct prime factors.

Input: an odd composite integer N.
Output: a factor of N.

  1. Choose x uniformly at random in the range $1 \le x \le N - 1$.
  2. Let M be a power of 2 near N (for reasons we cannot get into here, it is best to choose $M \approx N^2$).
  3. Repeat $s = 2 \log N$ times:

     (a) Start with two quantum registers, both initially 0, the first large enough to store a number modulo M and the second modulo N.
     (b) Use the periodic function $f(a) \equiv x^a \bmod N$ to create a periodic superposition $|\alpha\rangle$ of length M as follows (see box for details):
         i. Apply the QFT to the first register to obtain the superposition $\sum_{a=0}^{M-1} \frac{1}{\sqrt{M}} |a, 0\rangle$.
         ii. Compute $f(a) = x^a \bmod N$ using a quantum circuit, to get the superposition $\sum_{a=0}^{M-1} \frac{1}{\sqrt{M}} |a, x^a \bmod N\rangle$.
         iii. Measure the second register. Now the first register contains the periodic superposition $|\alpha\rangle = \sum_{j=0}^{M/r-1} \sqrt{\frac{r}{M}}\,|jr + k\rangle$ where k is a random offset between 0 and $r - 1$ (recall that r is the order of x modulo N).
     (c) Fourier sample the superposition $|\alpha\rangle$ to obtain an index between 0 and $M - 1$.

     Let g be the gcd of the resulting indices $j_1, \ldots, j_s$.

  4. If M/g is even, then compute $\gcd(N, x^{M/2g} + 1)$ and output it if it is a nontrivial factor of N; otherwise return to step 1.

From previous lemmas, we know that this method works for at least half the choices of x, and hence the entire procedure has to be repeated only a couple of times on average before a factor is found.

But there is one aspect of this algorithm, having to do with the number M, that is still quite unclear: M, the size of our FFT, must be a power of 2. And for our period-detecting idea to work, the period must divide M—hence it should also be a power of 2. But the period in our case is the order of x, definitely not a power of 2! The reason it all works anyway is the following: the quantum Fourier transform can detect the period of a periodic vector even if it does not divide M. But the derivation is not as clean as in the case when the period does divide M, so we shall not go any further into this.


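Figure 10.6 Quantum factoring.

[Circuit diagram labels: input 0; $\mathrm{QFT}_M$; $\frac{1}{\sqrt{M}} \sum_{a=0}^{M-1} |a, 0\rangle$; $f(a) = x^a \bmod N$; $\frac{1}{\sqrt{M}} \sum_{a=0}^{M-1} |a, x^a \bmod N\rangle$; measure; $\mathrm{QFT}_M$]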

Let $n = \log N$ be the number of bits of the input N. The running time of the algorithm is dominated by the $2 \log N = O(n)$ repetitions of step 3. Since modular exponentiation takes $O(n^3)$ steps (as we saw in Section 1.2.2) and the quantum Fourier transform takes $O(n^2)$ steps, the total running time for the quantum factoring algorithm is $O(n^3 \log n)$.
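The reduction from factoring to order finding in Section 10.6, together with step 4 of the algorithm above, can be exercised on small numbers. In this added example (not code from the book), a brute-force loop stands in for the quantum order-finding step; the function names and the sample modulus 3233 = 53 · 61 are constructed for illustration.

```python
# Added example: factoring via order finding, with the quantum period-finding
# step replaced by brute force. Names and sample moduli are constructed here.
import math
import random


def order(x, N):
    """Smallest r >= 1 with x^r = 1 (mod N).

    Classical stand-in for quantum period finding; the loop can take time
    exponential in the bit length of N, which is the cost the QFT removes.
    """
    if N < 2 or math.gcd(x, N) != 1:
        raise ValueError("order is only defined for N >= 2 and gcd(x, N) = 1")
    r, y = 1, x % N
    while y != 1:
        y = (y * x) % N
        r += 1
    return r


def factor_from_order(x, N):
    """Nontrivial factor of N obtained from x, or None if this x fails."""
    r = order(x, N)
    if r % 2 == 1:
        return None               # odd order: x^(r/2) is not defined
    y = pow(x, r // 2, N)         # y^2 = 1 (mod N); y != 1 since r is minimal
    if y == N - 1:
        return None               # y = -1 (mod N) is a trivial square root
    return math.gcd(y + 1, N)     # first lemma of Section 10.6


def success_fraction(N):
    """Fraction of x coprime to N for which the reduction yields a factor."""
    units = [x for x in range(1, N) if math.gcd(x, N) == 1]
    good = sum(factor_from_order(x, N) is not None for x in units)
    return good / len(units)


def factor(N, seed=0, tries=64):
    """Random restarts as in steps 1 and 4 of the algorithm.

    N is assumed to be an odd composite with at least two distinct prime
    factors, as on the page. Returns None if every try fails.
    """
    rng = random.Random(seed)
    for _ in range(tries):
        x = rng.randrange(1, N)
        g = math.gcd(x, N)
        if g != 1:
            return g              # x already shares a factor with N
        f = factor_from_order(x, N)
        if f is not None:
            return f
    return None


if __name__ == "__main__":
    print("order of 2 mod 15:", order(2, 15))
    print("factor from x = 4, N = 15:", factor_from_order(4, 15))
    for N in (15, 21, 3233):
        print(f"N={N}: success fraction {success_fraction(N):.3f},"
              f" factor found {factor(N)}")
```

For N = 21 exactly half of the values coprime to N succeed, so the lemma's bound of 1/2 is met with equality there.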


Exercises

10.1. $|\psi\rangle = \frac{1}{\sqrt{2}}|00\rangle + \frac{1}{\sqrt{2}}|11\rangle$ is one of the famous “Bell states,” a highly entangled state of its two qubits. In this question we examine some of its strange properties.

(a) Suppose this Bell state could be decomposed as the (tensor) product of two qubits (recall the box on page 314), the first in state $\alpha_0|0\rangle + \alpha_1|1\rangle$ and the second in state $\beta_0|0\rangle + \beta_1|1\rangle$. Write four equations that the amplitudes $\alpha_0$, $\alpha_1$, $\beta_0$, and $\beta_1$ must satisfy. Conclude that the Bell state cannot be so decomposed.
(b) What is the result of measuring the first qubit of $|\psi\rangle$?
(c) What is the result of measuring the second qubit after measuring the first qubit?
(d) If the two qubits in state $|\psi\rangle$ are very far from each other, can you see why the answer to (c) is surprising?

10.2. Show that the following quantum circuit prepares the Bell state $|\psi\rangle = \frac{1}{\sqrt{2}}|00\rangle + \frac{1}{\sqrt{2}}|11\rangle$ on input $|00\rangle$: apply a Hadamard gate to the first qubit followed by a CNOT with the first qubit as the control and the second qubit as the target.

[Circuit diagram: H]

What does the circuit output on input 10, 01, and 11? These are the rest of the Bell basis states.

10.3. What is the quantum Fourier transform modulo M of the uniform superposition $\frac{1}{\sqrt{M}} \sum_{j=0}^{M-1} |j\rangle$?

10.4. What is the QFT modulo M of $|j\rangle$?

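10.5. Convolution-Multiplication. Suppose we shift a superposition $|\alpha\rangle = \sum_j \alpha_j |j\rangle$ by $l$ to get the superposition $|\alpha'\rangle = \sum_j \alpha_j |j + l\rangle$. If the QFT of $|\alpha\rangle$ is $|\beta\rangle$, show that the QFT of $\alpha'$ is $\beta'$, where $\beta'_j = \beta_j \omega^{lj}$. Conclude that if $|\alpha'\rangle = \sum_{j=0}^{M/k-1} \sqrt{\frac{k}{M}}\,|jk + l\rangle$, then $|\beta'\rangle = \frac{1}{\sqrt{k}} \sum_{j=0}^{k-1} \omega^{ljM/k}\,|jM/k\rangle$.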

10.6. Show that if you apply the Hadamard gate to the inputs and outputs of a CNOT gate, the result is a CNOT gate with control and target qubits switched:

[Circuit diagram: a CNOT gate with Hadamard gates H on both inputs and both outputs]

10.7. The CONTROLLED SWAP (C-SWAP) gate takes as input 3 qubits and swaps the second and third if and only if the first qubit is a 1.

(a) Show that each of the NOT, CNOT, and C-SWAP gates are their own inverses.
(b) Show how to implement an AND gate using a C-SWAP gate, i.e., what inputs a, b, c would you give to a C-SWAP gate so that one of the outputs is $a \wedge b$?
(c) How would you achieve fanout using just these three gates? That is, on input a and 0, output a and a.
(d) Conclude therefore that for any classical circuit C there is an equivalent quantum circuit Q using just NOT and C-SWAP gates in the following sense: if C outputs y on input x, then Q outputs $|x, y, z\rangle$ on input $|x, 0, 0\rangle$. (Here z is some set of junk bits that are generated during this computation.)
(e) Now show that there is a quantum circuit $Q^{-1}$ that outputs $|x, 0, 0\rangle$ on input $|x, y, z\rangle$.
(f) Show that there is a quantum circuit $Q'$ made up of NOT, CNOT, and C-SWAP gates that outputs $|x, y, 0\rangle$ on input $|x, 0, 0\rangle$.

10.8. In this problem we will show that if $N = pq$ is the product of two odd primes, and if x is chosen uniformly at random between 0 and $N - 1$, such that $\gcd(x, N) = 1$, then with probability at least 3/8, the order r of x mod N is even, and moreover $x^{r/2}$ is a nontrivial square root of 1 mod N.

(a) Let p be an odd prime and let x be a uniformly random number modulo p. Show that the order of x mod p is even with probability at least 1/2. (Hint: Use Fermat’s little theorem (Section 1.3).)
(b) Use the Chinese remainder theorem (Exercise 1.37) to show that with probability at least 3/4, the order r of x mod N is even.
(c) If r is even, prove that the probability that $x^{r/2} \equiv \pm 1$ is at most 1/2.