owned this note
owned this note
Published
Linked with GitHub
# Shor's Algorithm
- factor a number
### Fourier Transform
- classical Fourier transform
- input: $x_0,x_1...,x_{n-1}$
- output: $y_0,y_1...,y_{n-1}$
- Definition:
$$y_k=\frac{1}{\sqrt{N}}\sum_{j=0}^{N-1}x_j e^{2\pi i j\cdot k/N}=\frac{1}{\sqrt{N}}\sum_{j=0}^{N-1} \omega_N^{jk}x_j$$
- cost?
- naive: $O(N^2)$ for $N$-vector
- more efficient: Fast Fourier Transform (FFT): $O(n\log n)$
- Quantum Fourier transform (QFT)
- acts on **orthonormal basis** $|0\rangle,|1\rangle,...,|N-1\rangle$
$$|y_k\rangle=\frac{1}{\sqrt{N}}\sum_{k=0}^{N-1}e^{2\pi i j\cdot k/N}|k\rangle$$
- If start at a basis state, **no entanglement** will be created (results in a product state)
- Resources of $n$-qubit QFT gate:
- $O(n)$ hadamard gates
- $O(n^2)$ single qubit rotation gates (2 CNOT each)
- at most $n/2$ swap gate: $O(n)$ (3 CNOT each)
> $O(n^2)$ Quantum Algorithm
- classical FFT: $O(n2^n)$
- QFT provdes an **exponential** speed up
> QFT is <ins>not</ins> an algorithm to speed up classical transformation
> **Problem:** No way known to **access the amplitude** in quantum computer.
> No way known to **prepare efficiently original state** to be transformed.
> *an ingredient of other quantum algorithm*
### Phase Estimation
- make use of QFT
- Setting:
- $U$: unitary
- eigenvector $|u\rangle$ with eigenvalues $e^{2\pi i\varphi}$, where $\varphi$ is unknown
- **Goal:** to estimate $\varphi, \varphi\in[0,1]$
- Assumption:
- can prepare $|u\rangle$
- can perform controlled-$U^{2^j}$
- **Algorithm:**
1. 1-st register prepare $t$ qubits $|0\rangle$, where $t$ depends on
- precision
- success probability
2-nd register begin in $|u\rangle$, contains as many qubits as needed to store $|u\rangle$
$$|0\rangle|u\rangle$$
2. Hadamard gates to 1-st register
$$|0\rangle|u\rangle\xrightarrow[]{H}\frac{1}{\sqrt{2}}(|0\rangle+|1\rangle)|u\rangle$$
3. Controlled-$U^{2^j}$ on 2-nd register
$$\begin{aligned}\frac{1}{\sqrt{2}}(|0\rangle+|1\rangle)|u\rangle\xrightarrow[]{c-U^{2^j}}&\frac{1}{\sqrt{2}}|0\rangle|u\rangle+\frac{1}{\sqrt{2}}U^{2^j}|1\rangle|u\rangle\\
=&\frac{1}{\sqrt{2}}|0\rangle|u\rangle+\frac{1}{\sqrt{2}}e^{2\pi i 2^j\varphi}|1\rangle|u\rangle\\
=& \frac{1}{\sqrt{2}}(|0\rangle+e^{2\pi i 2^j\varphi}|1\rangle)|u\rangle
\end{aligned}$$
- $t$-qubit
$$\frac{1}{\sqrt{2^t}}\sum_{k=0}^{2^t-1}e^{2\pi i\varphi k}|k\rangle$$
- suppose $\varphi=0.\varphi_1...\varphi_t$
$$\frac{1}{\sqrt{2^t}}(|0\rangle+e^{2\pi i\cdot 0.\varphi_t}|1\rangle)(|0\rangle+e^{2\pi i\cdot 0.\varphi_t\varphi_{t-1}}|1\rangle)...(|0\rangle+e^{2\pi i\cdot 0.\varphi_t...\varphi_1}|1\rangle)$$
The Fourier transform of $|\varphi\rangle=|\varphi_1\rangle|\varphi_2\rangle...|\varphi_t\rangle$
4. apply inverse QFT to the 1-st register
$$\frac{1}{\sqrt{2^t}}\sum_{k=0}^{2^t-1}e^{2\pi i\varphi k}|k\rangle|u\rangle\xrightarrow[]{FT^\dagger}|e\rangle|u\rangle$$
5. measure the qubits of first register in computational basis
- **Discuss:**
- To achieve accuracy $2^{-n}$ with probability $(1-\varepsilon)$
$$t=n+\lceil\log(2+\frac{1}{2\varepsilon})\rceil$$
- What if we cannot prepare the eigenstates $|u\rangle$?
$$|\psi\rangle=\sum_u C_u|u\rangle$$
After the estimation, we get
$$\sum_u C_u |\tilde{\varphi_u}\rangle|u\rangle$$
where $\tilde{\varphi_u}$ is a good approximation to the eigenvalue $\varphi_u$
with probability $|C_u|^2$ we get $\tilde{\varphi_u}$
If we do it many times, we can avoid the requirement of preparing $|u\rangle$
### Order Finding
- output $r$ where $x^r=1\text{ mod }N$
- is a hard problem in classical computer (no polynomial time algorithm)
- in quantum computer, it is the phase estimation algorithm applied to the unitary
$$U|y\rangle=|xy\ (\text{ mod }N)\rangle$$
$y$ is an $b$-qubit state
- construct
$$|u_s\rangle=\frac{1}{\sqrt{r}}\sum_{k=0}^r\text{exp}(-\frac{2\pi i s k}{r})|x^k\text{ mod }N\rangle$$
For integer $s$, $|u_s\rangle$ are eigenstates of $U$.
$$U|u_s\rangle=\text{exp}(\frac{2\pi i s}{r})|u_s\rangle$$
so $\text{exp}(\frac{2\pi i s}{r})$ is the eigenvalue of $|u_s\rangle$
This allows us to estimate $\frac{s}{r}=\varphi$
$\Rightarrow$ with the addition work to access order $r$
- **Problem:** not allowed to use $r$, we cannot prepare $|u_s\rangle$
- $\Rightarrow$
$$\frac{1}{\sqrt{r}}\sum_{s=0}^{r-1}|u_s\rangle=|x^0(\text{ mod }N)\rangle=|1\rangle$$
$|1\rangle$ is trivial to prepare
- **Algorithm:**
1. prepare 1-st register with $t$ qubits $|0\rangle$
prepare 2-nd regester with $|1\rangle$
2. run phase estimation
3. measuring the first registers
- for each $s$ in the range of $1$ to $r$, this will lead to an estimation of the phase $\varphi=s/r$
- accuracy: $2L+1$ bits
- probability $(1-\varepsilon)/r$
- "$/r$" because don't know which $|u_s\rangle$ $$\frac{1}{\sqrt{r}}\sum_{s=0}^{r-1}|u_s\rangle$$
entangled with the second register when measuring.
- **moduler exponentiation**
- speed up exponentiation $|z\rangle|x^z\rangle$
- use the third temporary registers
- <ins>reversible computing</ins>
- $O(L)$ spanning operations
$O(L^2)$ standard multiplication for each operation
$\Rightarrow$ total $O(L^3)$ operations
- How to get $r$ from the output $\varphi$
4. run continued function algorithm (on a classical computer)
- **Continued Fraction Algorithm**
- a rational number $s/r$ such that
$$\left|\frac{s}{r}-\varphi\right|\leq\frac{1}{2r^2}$$
then $s/r$ is a convergence of the continued fraction for $\varphi$, and can be calculated in $O(L^3)$ steps
- idea: express the number as
$$[a_0,a_1,...,a_M]=a_0+\frac{1}{a_1+\frac{1}{a_2+\frac{1}{...+\frac{1}{a_M}}}}$$
- check $[a_0],[a_0,a_1],...[a_0,...a_M]$ which satisfies $s/r$
- the algorithm provides efficiently $s'/r'$
- **complexity**
- Hadamard gates: $O(L)$
- Inverse FT: $O(L^2)$
- Modular exponentiation: $O(L^3)$
- classical continued fraction algorithm: $O(L^3)$
- If order finding fails, one has to repeat only for a *constant* number to obtain $r$ with high probability: $O(1)$
$\Rightarrow$ overall cost: $O(L^3)$
> can be reduced to almost $O(L^2)$ by square-and-multiply
### Shor's Algorithm
- Factoring $N$ to two prime numbers
- reduce factoring to order finding
- If we have
$$y^2=1\text{ mod }N\\
(y-1)(y+1)=0\text{ mod }N=k\cdot N$$
If $y\neq \pm1\text{ mod }N$, then
$$\text{gcd}(y+1,N)\\\text{gcd}(y-1,N)$$
must each be a proper divisor of $N$, i.e. prime factors.
- How can we find a non-trivial square root $y$?
1. choose a random $1< x\leq N-1$
2. run the order finding algorithm to find $r$, $x^r=1\text{ mod }N$
- If $r$ is even:
$$\begin{aligned}
x^r&=1\text{ mod }N\\
(x^{r/2}+1)(x^{r/2}-1)&=0\text{ mod }N=k\cdot N
\end{aligned}$$
then $y=x^{r/2}$ is a square root of $1$
and if $x^{r/2}\neq \pm 1$, then compute gcd
> success probability to find a "good" $x$?
> "good": order $r$ is even and $x^{r/2}\neq1$
> **Theorem:** If $N$ is divisible by $l$ distinct odd primes, then at least $$1-\frac{1}{2^{l-1}}$$ elements are "good".
> $l=2\Rightarrow 1/2$ probability to have "good" $x$
> $O(1)$ trials
- If $r$ is not even:
- **Complexity:**
- $O(1)$ for order finding
- overall: $O(L^3)$
- classical factoring: $\text{exp}(O(L^{1/3}))$
- <ins>exponential speedup</ins>
### RSA Algorithm
1. pick random two primes $p,q$, and $n=p\cdot q$
2. pick random public key by $e\in\phi(n)$, where $\phi(n)=(p-1)(q-1)$
3. choose private key $d$ such that $e\cdot d=1\text{ mod }\phi(n)$
4. public key: $(n,e)$
private key: $(n,d)$
- Encryption:
$E(m) = m^e\text{ mod }n$
- Decryption:
$D(c)=c^d\text{ mod }n=m^{e\cdot d}\text{ mod }n=m^{1\text{ mod }\phi(n)}\text{ mod }n= m \text{ mod }n$
> Shor's Algorithm allows us to factor efficiently on a quantum computer
> RSA public key scheme is broken, as soon as sufficiently **large** quantum computer exists.
Google Drive
Gist
Clipboard
Sign in with Wallet
