1 / 15

Richard Cleve DC 2117 cleve@cs.uwaterloo

Introduction to Quantum Information Processing CS 467 / CS 667 Phys 667 / Phys 767 C&O 481 / C&O 681. Lecture 11 (2011). Richard Cleve DC 2117 cleve@cs.uwaterloo.ca. Order-finding via eigenvalue estimation. Example: Z 21 * = { 1,2,4,5,8,10,11,13,16,17,19,20 }.

phyre
Download Presentation

Richard Cleve DC 2117 cleve@cs.uwaterloo

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Quantum Information ProcessingCS 467 / CS 667Phys 667 / Phys 767C&O 481 / C&O 681 Lecture 11 (2011) Richard Cleve DC 2117 cleve@cs.uwaterloo.ca

  2. Order-finding via eigenvalue estimation

  3. Example: Z21*= {1,2,4,5,8,10,11,13,16,17,19,20} The powers of 10 are: 1, 10, 16, 13, 4, 19, 1, 10, 16, … Therefore,ord21(10) = 6 Order-finding problem Let M be an m-bit integer Def: ZM*= {x  {1,2,…, M1} : gcd(x,M) = 1} (a group) Def: ordM (a) is the minimum r> 0 such that ar=1(mod M) Order-finding problem: given a and M, find ordM (a) Note: no classical polynomial-time algorithm is known for this problem

  4. Order-finding algorithm (1) Define:U (an operation on m qubits) as: Uy =ay mod M Define: Then

  5. 2nqubits U nqubits Order-finding algorithm (2) corresponds to the mapping: xy xaxy mod M Moreover, this mapping can be implemented with roughly O(n2) gates The phase estimation algorithm yields a2n-bit estimate of1/r From this, a good estimate of r can be calculated by taking the reciprocal, and rounding off to the nearest integer Exercise: why are 2n bits necessary and sufficient for this? Problem: how do we construct state1 to begin with?

  6. Bypassing the need for 1(1) Let Any one of these could be used in the previous procedure, to yield an estimate of k/r, from which r can be extracted What if kis chosen randomly and kept secret?

  7. Bypassing the need for 1(2) What if kis chosen randomly and kept secret? Can still uniquely determine k and r, from a 2m-bit estimate of k/r, provided they have no common factors, using the continued fractions algorithm* Note:If k and r have a common factor, it is impossible because, for example, 2/3and17/51 are indistinguishable So this is fine as long as k and r are relatively prime … * For a discussion of the continued fractions algorithm, please see Appendix A4.4 in [Nielsen & Chuang]

  8. Bypassing the need for 1(3) What is the probability that k and r are relatively prime? Recall that k is randomly chosen from {1,…,r} The probability that this occurs is (r)/r, where  is Euler’s totient function It is known that (r) = (r/loglogr), which implies that the above probability is at least (1/loglog r) = (1/log m) Therefore, the success probability is at least (1/log m) Is this good enough? Yes, because it means that the success probability can be amplified to any constant < 1 by repeating O(log m) times (so still polynomial in m) But we still need to generate a random k here …

  9. 0 H F†M 0 H 0 H 11+22 U It will be an estimate of 1 with probability |1|2 2 with probability |2|2 Bypassing the need for 1(4) Returning to the phase estimation problem, suppose that 1 and 2 have respective eigenvalues e2i1ande2i2, and that 11 +22 is used in place of an eigenvector: What will the outcome be? (Showing this is left as an exercise)

  10. Is it hard to construct the state ? Bypassing the need for 1(5) Along similar lines, the state yields results equivalent to choosing a k at random In fact, this is something that is easy, since This is how the previous requirement for 1 is bypassed

  11. Quantum algorithm for order-finding inverse QFT 0 H H measure these qubits and apply continued fractions algorithm to determine a quotient, whose denominator divides r 0 H H 4 0 H H 4 8 0 Ua,M 0 1 Ua,M y = ay modM Number of gates for (1/log m)success probability is: O(m2 log m loglog m) For constant success probability, repeat O(1/log m) times and take the smallest resulting r such that ar=1(mod M)

  12. Reduction from factoring to order-finding

  13. The integer factorization problem Input:M (n-bit integer; we can assume it is composite) Output:p, q (each greater than 1) such that pq = N Note 1: no efficient (polynomial-time) classical algorithm is known for this problem Note 2: given any efficient algorithm for the above, we can recursively apply it to fully factor M into primes* efficiently * A polynomial-time classical algorithm for primality testing exists

  14. Factoring prime-powers There is a straightforward classical algorithm for factoring numbers of the form M=pk, for some prime p What is this algorithm? Therefore, the interesting remaining case is where M has at least two distinct prime factors

  15. Numbers other than prime-powers • Proposed quantum algorithm (repeatedly do): • randomly choose a {2, 3, …, M–1} • compute g= gcd(a,M) • ifg> 1then • output g, M/g • else • compute r = ordM(a) (quantum part) • ifr is even then • compute x =ar/2–1 mod M • compute h= gcd(x,M) • ifh> 1then output h, M/h Analysis: we haveM|ar–1 soM|(ar/2+1)(ar/21) thus, eitherM|ar/2+1 orgcd(ar/2+1,M) is a nontrivial factor of M It can be shown that at least half of the a {2, 3, …, M–1} are have order even and result in gcd(ar/2+1,M) being a nontrivial factor of M

More Related