Classical RSA algorithm
Modulo-$N$ arithmetic (modular arithmetic, clock arithmetic)
We need to discuss some mathematics (number theory) first
Usual operations: addition and multiplication (ring), we need only multiplication
$2 \equiv 9 \pmod 7$, $4 \times 3 \equiv 5 \pmod 7$
"congruent" (I will also use "=" instead of "≡")
Definition: Order of $a$ is the smallest $r$, for which
$a^r \equiv 1 \pmod N$
Why important: if $f(x) = a^x \pmod N$, then $r$ is the period of $f(x)$.
Check: $f(x + r) = a^{x+r} = a^x a^r = a^x = f(x) \pmod N$
Fermat's little theorem (simple proof, any number theory course)
If $p$ is prime and $a$ is not divisible by $p$, then
$a^{p-1} \equiv 1 \pmod p$
(e.g., proof via the product $a \cdot 2a \cdot 3a \cdots (p-1)a = a^{p-1}(p-1)! = (p-1)! \pmod p$, since all $ka$ should be different mod $p$)
Fermat 1640 (letter, no proof), Leibniz 1683 (unpublished), Euler 1736 (first published proof)
RSA mathematics
Fermat's little theorem: If $p$ is prime and $a$ is not divisible by $p$, then $a^{p-1} \equiv 1 \pmod p$
⇒ Lemma: If $p$ and $q$ are primes and $a$ is not divisible by $p$ or $q$, then
$a^{(p-1)(q-1)} \equiv 1 \pmod{pq}$
Proof: $a^{(q-1)(p-1)} \equiv 1 \pmod p$, $a^{(p-1)(q-1)} \equiv 1 \pmod q$
⇒ $a^{(p-1)(q-1)} - 1$ is a multiple of both $p$ and $q$, therefore a multiple of $pq$.
QED
⇒ Lemma: If $p$ and $q$ are primes and $s$ is an integer, then
$a^{1+s(p-1)(q-1)} \equiv a \pmod{pq}$
Note: works even if $a$ is divisible by $p$ or $q$ (trivial if a multiple of $pq$; if only $a = kp$, then Fermat: $a^{s(p-1)(q-1)} = 1 + nq$, so $a^{s(p-1)(q-1)+1} = a + anq = a + knpq$)
⇒ Theorem: If $cd \equiv 1 \pmod{(p-1)(q-1)}$ and $p$ and $q$ are primes, then
$a^{cd} \equiv a \pmod{pq}$
RSA algorithm
Rivest, Shamir, Adleman, 1977, authors from MIT
Clifford Cocks, 1973, British Intelligence, secret until 1997
[Diagram: Alice and Bob, with arrows labeled "public key" and "message"]
(in Mermin's book roles of Alice and Bob are exchanged)
Alice: Pick large primes $p$ and $q$, calculate $N = pq$. Pick $c < N$ [coprime with $(p-1)(q-1)$].
Find $d$, for which $cd \equiv 1 \pmod{(p-1)(q-1)}$ (easy to find $d$ using the Euclidean algorithm for $c$ and $(p-1)(q-1)$)
Public key: $N$ and $c$. Private key: $N$ and $d$.
Bob: Wants to send message $a$ ($a < N$)
Encoding: $a \to \tilde a = a^c \pmod N$
Alice: Decoding: $\tilde a^d \bmod N = a^{cd} \bmod N = a$
RSA algorithm (cont.)
Remarks
- Typically $N$ is ∼ 2048-4096 bits long
- Computation of $a^c \pmod N$ and $\tilde a^d \pmod N$ is fast: $a \to a^2 \to a^4 \to a^8 \to \dots$, then products (all mod $N$)
- Eve knows $N$. If she can factor $N = pq$, then she can do the same as Alice, so she can decode. This is why factoring is so important.
- $N$ can be factored via finding the period of the function $f(x) = a^x \pmod N$, where $a$ is any number (will discuss in more detail later).
Idea: if $a^r \equiv 1 \pmod N$ and $r$ is even, then $(a^{r/2} - 1)(a^{r/2} + 1) \equiv 0 \pmod N$
- RSA can also be broken directly with a period-finding algorithm. $\tilde a, \tilde a^2, \tilde a^3, \dots, \tilde a^r = 1, \tilde a^{r+1} = \tilde a \pmod N$ (if $\tilde a$ is not coprime with $N$, then factor immediately). Then $a^r \equiv 1 \pmod N$ also (because the subgroups $\{\tilde a^k\}$ and $\{a^k\}$ coincide since $a^c \equiv \tilde a$ and $\tilde a^d \equiv a$, so the same order).
Then if we find $d'$ so that $cd' \equiv 1 \pmod r$, then $\tilde a^{d'} \equiv a^{cd'} \equiv a^{1+mr} = a\,(a^r)^m = a$, so direct decoding.
Classical algorithm for factoring via period finding
$N = pq$ can be factored via the period of $f(x) = a^x \pmod N$
1. Pick a random number $a$ ($a < N$). Check that it is coprime with $N$ (if not, then great luck!).
2. Find the smallest $r$, for which $a^r \equiv 1 \pmod N$ (i.e., $r$ is the order of $a$).
3. If $r$ is odd, choose another $a$ and repeat (go back to Step 1). Probability of going back is ∼50%.
4. If $r$ is even, then $(a^{r/2} - 1)(a^{r/2} + 1) = a^r - 1 \equiv 0 \pmod N$. $a^{r/2} - 1$ cannot be 0 (mod $N$), since $r$ is the smallest period. If $a^{r/2} + 1 \equiv 0 \pmod N$, choose another $a$ and repeat (go back to Step 1; this is very rare).
5. Since $N = pq$ and $p$ and $q$ are primes, $a^{r/2} - 1$ is a multiple of $p$, and $a^{r/2} + 1$ is a multiple of $q$ (or vice versa).
Find the greatest common divisor (GCD) of $N$ and $a^{r/2} \pm 1$; they will be $p$ and $q$.
Remarks
- If $p$ and $q$ are not prime, then similar algorithm.
- If $r$ is not the smallest period, then check that $a^{r/2} - 1$ is not 0 (mod $N$), otherwise choose another $a$ (very rare)
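Steps 1-5 above, together with the direct decoding from the RSA remarks, as an added Python example (not part of the original slides). Brute-force order finding stands in for the quantum period-finding step; the function names and the toy key $N = 3233$, $c = 17$ with message 65 are constructed for illustration.

```python
import math
import random

def order(a, N):
    """Smallest r >= 1 with a^r = 1 (mod N). Brute force, toy sizes only."""
    if math.gcd(a, N) != 1:
        raise ValueError("a must be coprime with N")
    r, v = 1, a % N
    while v != 1:
        v = v * a % N
        r += 1
    return r

def factor_via_period(N, rng):
    """Factor N = p*q by Steps 1-5; returns (p, q, number_of_tries)."""
    tries = 0
    while True:
        tries += 1
        a = rng.randrange(2, N - 1)          # Step 1: random a in [2, N-2]
        g = math.gcd(a, N)
        if g != 1:                           # "great luck": a shares a factor with N
            return tuple(sorted((g, N // g))) + (tries,)
        r = order(a, N)                      # Step 2: period of a^x mod N
        if r % 2:                            # Step 3: odd period, pick another a
            continue
        h = pow(a, r // 2, N)                # h != 1 because r is the smallest period
        if h == N - 1:                       # Step 4: a^(r/2) + 1 = 0 (mod N), rare
            continue
        p = math.gcd(h - 1, N)               # Step 5: GCD gives a nontrivial factor
        return tuple(sorted((p, N // p))) + (tries,)

def decode_via_period(a_tilde, c, N):
    """Recover the message from the ciphertext and public key without factoring N."""
    r = order(a_tilde, N)                    # same order as the message a
    d_prime = pow(c, -1, r)                  # c*d' = 1 (mod r), Python 3.8+
    return pow(a_tilde, d_prime, N)

if __name__ == "__main__":
    N, c, message = 3233, 17, 65             # constructed toy key (53 * 61) and message
    print(factor_via_period(N, random.Random(7)))
    print(decode_via_period(pow(message, c, N), c, N))
```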
General idea of period finding by a QC (Shor's algorithm)
[Circuit: input register ($n$ qubits, initially $|0\rangle_n$) passes through Hadamard gates $H$; $U_f$ with $f(x) = a^x \pmod N$ maps $|x\rangle|y\rangle \to |x\rangle|y \oplus f(x)\rangle$ using the output register ($n_0$ qubits, initially $|0\rangle_{n_0}$); the output register is measured (not needed, but easier to think); QFT is applied to the input register, which is then measured]
$f(x) = a^x \pmod N$
$N$ has $n_0$ bits
Output register has $n_0$ qubits. Input register has $n \ge 2n_0$ qubits.
$\frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle_n |0\rangle_{n_0} \to \frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle_n |f(x)\rangle_{n_0}$
After meas. of output register, the input reg. is $|\psi\rangle_n = \frac{1}{\sqrt m} \sum_{k=0}^{m-1} |x_0 + kr\rangle_n$,
where $r$ is the period of $f(x)$ (i.e., order of $a$), $m = \mathrm{int}[2^n/r]$ or $\mathrm{int}[2^n/r] + 1$
Idea: Input register state is periodic ($r$) ⇒ Fourier transform finds this period
$r < N < 2^{n_0}$, so $m > 2^{n_0}$ (very many states in superposition)
Key: Quantum Fourier transform (QFT) can be done very efficiently
For $M \sim 2^n$, usual Fourier transform needs ∼ $M^2 \sim 2^{2n}$ operations, Fast Fourier Transform (FFT) needs ∼ $M \sim 2^n$ operations (actually $n 2^n$), QFT needs ∼ $(\log M)^2 \sim n^2$ operations. (Calculation of $f(x)$ needs ∼ $n^3$ operations.)
Calculation of $f(x) = a^x \pmod N$
Fast classical algorithm ⇒ quantum algorithm of the same complexity
Prepare $a, a^2, a^4, a^8, \dots \pmod N$, then multiply some of them, depending on the corresponding bits of $x = x_{n-1} \dots x_1 x_0$
[Circuit: input register $|x\rangle$ ($n$ qubits); work register ($n_0$ qubits) holding $a, a^2, a^4, \dots$; output register ($n_0$ qubits) starting from 1, with $\times a$ or $\times 1$ depending on $x_0$, then $\times a^2$ or $\times 1$ depending on $x_1$, and so on]
By the way, in this algorithm the work register remains unentangled with input and output registers, so no "global" garbage collection is needed (garbage collection at each step is still necessary)
Complexity: $n$ steps, each contains multiplication (mod $N$) requiring ∼ $n^2$ steps, so overall ∼ $n^3$ steps ($n_0 \sim n$)
Quantum Fourier Transform (QFT)
Discrete Fourier transform (DFT)
$x = 0, 1, 2, \dots, M-1$, $f(x) \to \tilde f(x)$
$\tilde f(x) = \frac{1}{\sqrt M} \sum_{y=0}^{M-1} e^{2\pi i xy/M} f(y)$
Inverse DFT: the same with $i \to -i$
In QC, $M = 2^n$ ($n$ qubits), and we do discrete Fourier transform of amplitudes:
$\sum_{x=0}^{2^n-1} f(x)|x\rangle \xrightarrow{U_{QFT}} \sum_{x=0}^{2^n-1} \tilde f(x)|x\rangle$
Therefore $U_{QFT}|x\rangle = \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} e^{2\pi i xy/2^n}|y\rangle$
- Check that unitary. For basis vectors $|x_j\rangle$ and $|x_k\rangle$, the inner product after QFT is
$\langle x_j|U_{QFT}^\dagger U_{QFT}|x_k\rangle = \frac{1}{2^n} \sum_{y=0}^{2^n-1} e^{2\pi i(-x_j + x_k)y/2^n} \langle y|y\rangle = \frac{1}{2^n} 2^n \delta_{jk} = \delta_{jk}$.
So, the orthonormal basis is transformed into an orthonormal basis ⇒ unitary.
- Somewhat similar to $n$-fold Hadamard: transforms each basis vector into equal-weight superposition of all basis vectors (but instead of ±1 for Hadamard, many phases in QFT)
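Quantum Fourier Transform (cont.)
$U_{QFT}|x\rangle = \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} e^{2\pi i xy/2^n}|y\rangle$
A very simple quantum circuit exists for QFT
For $x = x_{n-1}2^{n-1} + x_{n-2}2^{n-2} + \dots + x_0 2^0$, many digits are not important
$U_{QFT}|x\rangle = \frac{1}{\sqrt{2^n}} \sum_{y_{n-1},\dots,y_0} e^{2\pi i x(y_{n-1}2^{n-1} + y_{n-2}2^{n-2} + \dots + y_0 2^0)/2^n} |y_{n-1}\rangle|y_{n-2}\rangle \dots |y_0\rangle$
$= \frac{1}{\sqrt{2^n}} \left(|0\rangle + |1\rangle e^{2\pi i x 2^{n-1}/2^n}\right)\left(|0\rangle + |1\rangle e^{2\pi i x 2^{n-2}/2^n}\right) \dots \left(|0\rangle + |1\rangle e^{2\pi i x 2^0/2^n}\right)$
$U_{QFT}|x\rangle = \frac{|0\rangle + |1\rangle e^{2\pi i \frac{x_0}{2}}}{\sqrt 2} \cdot \frac{|0\rangle + |1\rangle e^{2\pi i\left(\frac{x_1}{2} + \frac{x_0}{2^2}\right)}}{\sqrt 2} \cdots \frac{|0\rangle + |1\rangle e^{2\pi i\left(\frac{x_{n-1}}{2} + \frac{x_{n-2}}{2^2} + \dots + \frac{x_0}{2^n}\right)}}{\sqrt 2}$
First (most significant) qubit: $\frac{1}{\sqrt 2}\left(|0\rangle + |1\rangle e^{2\pi i x_0/2}\right) = \frac{1}{\sqrt 2}\left(|0\rangle + |1\rangle (-1)^{x_0}\right) = H|x_0\rangle$ (only in computational basis)
So, if we use reverse order (most significant ↔ least significant), then the only necessary operation is $H$ acting on qubit $|x_0\rangle$.
Second qubit: needs $H$ acting on $|x_1\rangle$ and also $\begin{pmatrix} 1 & 0 \\ 0 & \exp(2\pi i/2^2) \end{pmatrix}$ if $x_0 = 1$.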
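Quantum Fourier Transform (cont.)
$U_{QFT}|x\rangle = \frac{|0\rangle + |1\rangle e^{2\pi i \frac{x_0}{2}}}{\sqrt 2} \cdot \frac{|0\rangle + |1\rangle e^{2\pi i\left(\frac{x_1}{2} + \frac{x_0}{2^2}\right)}}{\sqrt 2} \cdots \frac{|0\rangle + |1\rangle e^{2\pi i\left(\frac{x_{n-1}}{2} + \frac{x_{n-2}}{2^2} + \dots + \frac{x_0}{2^n}\right)}}{\sqrt 2}$
Let us introduce rotation operator $R_k \equiv \begin{pmatrix} 1 & 0 \\ 0 & \exp(2\pi i/2^k) \end{pmatrix}$ (Mermin: $R_k = V_{k-1}$)
Two qubits
[Circuit: $|x_1\rangle$: $H$, then $R_2$ controlled by $x_0$, output $|y_0\rangle$; $|x_0\rangle$: $H$, output $|y_1\rangle$ (reverse order)]
Three qubits
[Circuit: $|x_2\rangle$: $H$, then $R_2$ controlled by $x_1$ and $R_3$ controlled by $x_0$; $|x_1\rangle$: $H$, then $R_2$ controlled by $x_0$; $|x_0\rangle$: $H$]
$|y_0\rangle = \left(|0\rangle + |1\rangle e^{2\pi i\left(\frac{x_2}{2} + \frac{x_1}{2^2} + \frac{x_0}{2^3}\right)}\right)/\sqrt 2$
$|y_1\rangle = \left(|0\rangle + |1\rangle e^{2\pi i\left(\frac{x_1}{2} + \frac{x_0}{2^2}\right)}\right)/\sqrt 2$
$|y_2\rangle = \left(|0\rangle + |1\rangle e^{2\pi i \frac{x_0}{2}}\right)/\sqrt 2$
again, output order is reversed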
Quantum Fourier Transform (cont.)
$R_k = \begin{pmatrix} 1 & 0 \\ 0 & \exp(2\pi i/2^k) \end{pmatrix}$
Four qubits
[Circuit: $|x_3\rangle$: $H$, then $R_2$, $R_3$, $R_4$ controlled by $x_2$, $x_1$, $x_0$, output $y_0$; $|x_2\rangle$: $H$, then $R_2$, $R_3$ controlled by $x_1$, $x_0$, output $y_1$; $|x_1\rangle$: $H$, then $R_2$ controlled by $x_0$, output $y_2$; $|x_0\rangle$: $H$, output $y_3$; reversed order]
Similar for $n$ qubits: need $n$ Hadamard gates and $n(n-1)/2$ controlled-R gates. Each c-R gate can be realized with 2 CNOTs, so ∼ $n^2$ CNOTs. (With superconducting qubits, c-R gate can be realized directly.)
c-R gates with extreme precision (∼ $2^{-n}$) are actually not needed. Crude precision is sufficient (will discuss later), so gates c-$R_k$ with $k > 20$ are not needed. Then only ∼ $20n$ c-R gates are needed.
Another representation of the same circuit for QFT
[Circuit: six qubits with outputs $|y_0\rangle \dots |y_5\rangle$, $H$ gates and c-$R_2$ ... c-$R_6$ gates]
Symmetry of c-R gates and reversed order are naturally represented
Inverse QFT: time-reverse the sequence and conjugate gates ($H^\dagger = H$, so only replace c-$R_k$ → c-$R_k^\dagger$)
$R_k \equiv \begin{pmatrix} 1 & 0 \\ 0 & \exp(2\pi i/2^k) \end{pmatrix}$
Inverse QFT in this representation
[Circuit legend: yellow: $H$, blue: c-$R_k$, green: c-$R_k^\dagger$]
Inverse QFT using the first circuit
[Circuit: QFT on four qubits $|x_3\rangle \dots |x_0\rangle$ with gates $H$, $R_2$, $R_3$, $R_4$ and outputs $y_0 \dots y_3$]
Inverse QFT: $i \to -i$, so we would expect
[Circuit: QFT$^{-1}$ with the same layout, inputs $|y_3\rangle \dots |y_0\rangle$, outputs $x_0 \dots x_3$, and gates $R_2^\dagger$, $R_3^\dagger$, $R_4^\dagger$ in place of $R_2$, $R_3$, $R_4$]
On the other hand, we know that for inverse, the circuit should be time-reversed and gates should be conjugated.
[Circuit: QFT$^{-1}$ as the time-reversed QFT circuit with gates $R_k^\dagger$; use symmetry of c-$R_k$, then shift gates]
Does not look the same! But actually is.
Inverse QFT (cont.)
[Circuits: three equivalent forms of QFT$^{-1}$ on inputs $|y_3\rangle \dots |y_0\rangle$ with gates $H$ and $R_k^\dagger$, related by: use symmetry of c-$R_k$, then shift some gates to the left]
Measurement-based realization of QFT
In Shor's algorithm, all qubits are measured after QFT. In this case QFT can be realized with classically-controlled $R_k$ gates.
[Circuit: usual QFT on four qubits $|x_3\rangle \dots |x_0\rangle$ with outputs $y_0 \dots y_3$]
Step 1: Since c-$R_k$ gates are symmetric, exchange control and target
[Circuit: the same QFT with control and target of each c-$R_k$ gate exchanged]
Measurement-based realization of QFT (cont.)
[Circuit after Step 1, as above]
Step 2: Measure and control classically
[Circuit: each wire has $H$ followed by measurement (results $y_0$, $y_1$, $y_2$, $y_3$); the gates $R_4^{y_0}$, $R_3^{y_0}$, $R_2^{y_0}$, $R_3^{y_1}$, $R_2^{y_1}$, $R_2^{y_2}$ are applied conditioned on the classical measurement results]
Because of "spooky action", measurement acts back in time, so we can exchange in time measurement and control
So far we assume that gates are perfect (it is not possible experimentally for $R_k$ with exponentially small angles). We will discuss later that precision is not a problem.
$R_k \equiv \begin{pmatrix} 1 & 0 \\ 0 & \exp(2\pi i/2^k) \end{pmatrix}$
Back to Shor's algorithm (period finding)
[Circuit as before: input register ($n$ qubits) with Hadamard gates, $U_f$ with $f(x) = a^x \pmod N$, measurement of the output register ($n_0$ qubits), QFT and measurement of the input register]
$\frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle_n |0\rangle_{n_0} \to \frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle_n |f(x)\rangle_{n_0} \to$
(measure second register, result $f(x_0)$)
$\to \frac{1}{\sqrt m} \sum_{k=0}^{m-1} |x_0 + kr\rangle_n$, where $r$ is the period we want to find and $m = \mathrm{int}[2^n/r]$
$\xrightarrow{U_{QFT}} \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} \frac{1}{\sqrt m} \sum_{k=0}^{m-1} e^{2\pi i (x_0 + kr)y/2^n} |y\rangle_n$
$= \frac{1}{\sqrt{2^n m}} \sum_{y=0}^{2^n-1} e^{2\pi i x_0 y/2^n} \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} |y\rangle_n$
$x_0$ is not important, just a phase factor
Measure first register, probability of result $y$ is
$P(y) = |\langle \psi|y\rangle|^2 = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} \right|^2$
No more QM, let us see how result is related to $r$
Shor's algorithm (cont.)
$P(y) = |\langle \psi|y\rangle|^2 = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} \right|^2$
Significant $P(y)$ only if all terms are in phase: $y \approx j\,\frac{2^n}{r}$ with integer $j$
Understanding via Fourier transform
$|\psi\rangle = \frac{1}{\sqrt m} \sum_{k=0}^{m-1} |x_0 + kr\rangle_n$
[Figure: on the axis $0 \dots 2^n - 1$, the state before QFT is a comb with period $r$ starting at $x_0$; after QFT, $P(y)$ is a comb with period $2^n/r$]
# of peaks: $r$, height: ∼ $\frac{m^2}{m 2^n} = \frac{m}{2^n} = \frac{1}{r}$
Peaks should be at integers, while $2^n/r$ is not an integer
Measurement randomly picks one of the peaks of $P(y)$, while we need $r$.
Two steps next:
1) Show that with a significant probability (>40%) the measured number is the closest (<1/2) to one of multiples of $2^n/r$.
2) Show that in this case, from the measured number we can obtain $r$.
Shor's algorithm (cont.)
$P(y) = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} \right|^2$
1) Show that with a significant probability (>40%) the measured number is the closest (<1/2) to one of multiples of $2^n/r$.
Denote the closest integer as $y_j = j\,\frac{2^n}{r} + \delta_j$, $|\delta_j| \le 1/2$. Sum geometric series for $P(y_j)$:
$P(y_j) = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kr\delta_j/2^n} \right|^2 = \frac{1}{2^n m} \left| \frac{e^{2\pi i mr\delta_j/2^n} - 1}{e^{2\pi i r\delta_j/2^n} - 1} \right|^2 = \frac{1}{2^n m} \frac{\sin^2(\pi mr\delta_j/2^n)}{\sin^2(\pi r\delta_j/2^n)}$
$\approx \frac{1}{2^n m} \frac{\sin^2(\pi\delta_j)}{\sin^2(\pi r\delta_j/2^n)} \approx \frac{1}{r} \left( \frac{\sin \pi\delta_j}{\pi\delta_j} \right)^2 \ge \frac{1}{r}\,\frac{4}{\pi^2}$
(here $mr \approx 2^n$; the argument $\pi r\delta_j/2^n$ is very small, since $r < 2^{n_0} \ll 2^n$; the lower bound corresponds to $\delta_j = \pm 1/2$)
≈ $r$ peaks ($j 2^n/r$, $j = 1, 2, \dots, r-1$), so total probability that measured result is within 1/2 from $j 2^n/r$ is ≥ $4/\pi^2$ > 40%. Not always but quite likely.
Actually, if try both neighbors, then probability to be within 1/2 from $j 2^n/r$ is > 80%, if try 4 closest neighbors, then > 90%.
Shor's algorithm (cont.)
2) How to find period $r$ from $y = j\,\frac{2^n}{r} + \delta$, where $|\delta| \le 1/2$ (we know $y$, want to find $r$)
Remember $r < N < 2^{n_0}$ ($N$: integer to factor, $n_0$: # of bits in $N$)
$n$ is a parameter we can choose. For large enough $n$, the result $y/2^n$ will be very close to the rational number $j/r$.
Rewrite: $\left| \frac{y}{2^n} - \frac{j}{r} \right| \le \frac{1}{2^{n+1}}$
Rational numbers with denominators < $N$ are not closer to each other than $1/N^2$ (because $\left| \frac{a}{b} - \frac{c}{d} \right| \ge \frac{1}{bd}$)
So, if $\frac{1}{2^{n+1}} \le \frac{1}{2N^2}$, then the closest to $y/2^n$ rational number with denominator ≤ $N$ is $j/r$. This is why we need $n \ge 2n_0$.
How to find $j/r$: continued fractions
$\frac{y}{2^n} = \cfrac{1}{z_0 + \cfrac{1}{z_1 + \cfrac{1}{z_2 + \dots}}}$. This expansion will go through $j/r$
Theorem: If $x$ is an estimate of $j/r$, $|x - j/r| \le 1/(2r^2)$, then continued fractions go through $j/r$ (proven in N-C book, not a very short proof)
Continued fractions is a fast classical algorithm, $O(n_0^3)$ operations
Shor's algorithm (cont.)
Finding period $r$
So, we will find $j/r$ with a significant probability (> 40%). It is still possible that we will not find the correct $r$ if $j$ and $r$ have common divisors.
Then we will find a divisor of $r$ instead of $r$ itself. However, the probability of finding $r$ (not its divisor) is ≥ 50%, and if it is not $r$, then it is most likely $r/2$ or $r/3$ (not large denominator). So, after finding $r_0$, we can try $r_0$, $2r_0$, $3r_0$, etc. It is important that it is easy to check classically if $kr_0$ is a period of $f(x)$ or not.
If the procedure is unsuccessful, we can run the algorithm again (with the same $a$). If we find another divisor of $r$, we can calculate the Least Common Multiple (LCM); most likely it will be $r$.
Still possible that $y/2^n$ was not the closest to $j/r$, so need several trials.
So, ∼ 3-10 runs of the quantum algorithm will give us the period $r$.
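An added Python example (not part of the original slides) that evaluates $P(y)$ classically for a constructed case, $N = 21$, $a = 2$, $r = 6$, $n = 10$, and recovers $r$ from a measured $y$ by continued fractions, including the case where the convergent gives only a divisor $r_0$ of $r$. The function names and the `max_mult` limit are assumptions of this sketch.

```python
import cmath
import math

def measurement_probs(r, n, x0=0):
    """P(y) for y = 0 .. 2^n - 1, for period r and an n-qubit input register."""
    size = 2 ** n
    m = math.ceil((size - x0) / r)           # number of terms x0 + k*r below 2^n
    probs = []
    for y in range(size):
        amp = sum(cmath.exp(2j * math.pi * k * r * y / size) for k in range(m))
        probs.append(abs(amp) ** 2 / (size * m))
    return probs

def success_probability(r, n):
    """Probability that the measured y is the integer closest to some j * 2^n / r."""
    probs = measurement_probs(r, n)
    return sum(probs[round(j * 2 ** n / r) % 2 ** n] for j in range(r))

def convergents(num, den):
    """Yield the continued-fraction convergents (p, q) of num/den."""
    p0, q0, p1, q1 = 0, 1, 1, 0
    while den:
        z = num // den
        num, den = den, num - z * den
        p0, q0, p1, q1 = p1, q1, z * p1 + p0, z * q1 + q0
        yield p1, q1

def recover_period(y, n, a, N, max_mult=4):
    """Period of a^x mod N from a measured y, or None if this run fails."""
    r0 = 1
    for _, q in convergents(y, 2 ** n):      # denominators grow along the expansion
        if q >= N:
            break
        r0 = q                               # last convergent with denominator < N
    for k in range(1, max_mult + 1):         # try r0, 2*r0, 3*r0, ...
        if pow(a, k * r0, N) == 1:           # cheap classical check
            return k * r0
    return None

if __name__ == "__main__":
    N, a, r, n = 21, 2, 6, 10                # constructed case: 2^6 = 64 = 1 (mod 21)
    print(round(success_probability(r, n), 3))
    for y in (171, 341, 512, 0):             # integers nearest to j * 1024 / 6
        print(y, recover_period(y, n, a, N))
```

The measured value $y = 0$ (the $j = 0$ peak) carries no information about $r$, which is one reason several runs are needed.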
Required precision of gates c-$R_k$ in QFT
$R_k = \begin{pmatrix} 1 & 0 \\ 0 & \exp(2\pi i/2^k) \end{pmatrix}$
For $k > 10$ it is very difficult to realize c-$R_k$ accurately, for $k > 20$ practically impossible. Is this precision (very small angles) really necessary? No!
General idea
If a gate is imprecise, then $|\psi\rangle \to |\psi'\rangle$. But if the imprecision is not too big, then the states $|\psi\rangle$ and $|\psi'\rangle$ are still close, $|\langle\psi|\psi'\rangle|^2 = 1 - \varepsilon$ with $\varepsilon \ll 1$. Then they are not well-distinguishable (independently of what we measure). So, probability of measuring what we want does not change much.
In some sense, the operation is digital, and therefore insensitive to small analog errors.
Required precision of gates c-$R_k$ in QFT (cont.)
Estimate of phase accuracy needed for QFT
Ideally, $P(y) = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} \right|^2$
Suppose there are phase errors: $P_\varphi(y) = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} e^{i\varphi_k(y)} \right|^2$, where $e^{i\varphi_k(y)} \approx 1 + i\varphi_k(y)$ and $\varphi_k(y)$ can depend on both $k$ and $y$
Assume $|\varphi_k(y)| \le \varphi \ll 1$. As before, $y_j = j\,\frac{2^n}{r} + \delta_j$ with $|\delta_j| \le 1/2$
For $y = y_j$: $P_\varphi(y_j) \approx \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kr\delta_j/2^n} (1 + i\varphi_{k,j}) \right|^2$
$\approx P(y_j) + \frac{2}{2^n m}\, \mathrm{Re}\left[ \left( \sum_{k=0}^{m-1} e^{2\pi i kr\delta_j/2^n}\, i\varphi_{k,j} \right) \left( \sum_{k'=0}^{m-1} e^{-2\pi i k'r\delta_j/2^n} \right) \right]$ (ideal term plus correction in linear order)
Even in the worst case: $\left| \sum_{k'=0}^{m-1} e^{-2\pi i k'r\delta_j/2^n} \right| \le m$, $\left| \sum_{k=0}^{m-1} e^{2\pi i kr\delta_j/2^n}\, i\varphi_{k,j} \right| \le m\varphi$,
So difference is limited: $|P_\varphi(y_j) - P(y_j)| \le \frac{2}{2^n m}\, m\varphi\, m = \frac{2m\varphi}{2^n} \approx \frac{2\varphi}{r}$
Total difference ≤ $r\,|P_\varphi(y_j) - P(y_j)| \le 2\varphi \ll 1$. Small!
Required precision of gates c-$R_k$ in QFT (cont.)
ideally: $P(y) = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} \right|^2$
with phase errors: $P_\varphi(y) = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} e^{i\varphi_k(y)} \right|^2$, $|\varphi_k(y)| \le \varphi \ll 1$
Total probability difference ≤ $r\,|P_\varphi(y_j) - P(y_j)| \le 2\varphi$
Therefore, the probability of success (i.e. the measured $y$ is the closest integer to $j 2^n/r$) is not ≥ 40%, but ≥ 40% − $2\varphi$.
Therefore the precision $\varphi$ ∼ 10% is sufficient! (digital computation)
We still cannot say that all gates with 3% accuracy is OK, because many gates for each "wire"
Inaccuracy scales (at most) linearly with the number of gates.
In QFT, there are ∼ $n$ gates $R_k$. The gates $R_k$ can be completely neglected if $n \cdot 2\pi \cdot 2^{-k} < 0.1$. Therefore $k_{max} \sim \log_2 n + 6 \sim 20$ is sufficient
Then the number of gates in QFT is not ~ $n^2$ but only ∼ $n \log(n)$
Precision of gates (more general discussion)
Introduce operator norm: $\|\hat A\| = \sup_{|\psi\rangle \ne 0} \frac{\|\hat A|\psi\rangle\|}{\||\psi\rangle\|} = \sup_{|\psi\rangle \ne 0} \sqrt{\frac{\langle\psi|\hat A^\dagger \hat A|\psi\rangle}{\langle\psi|\psi\rangle}}$ (max)
It is really a norm (satisfies triangle inequality)
Imprecision of a gate
Suppose a unitary $U$ is replaced with a slightly imprecise unitary $U'$. The imprecision can be characterized by the norm of the difference: $\Delta = \|U - U'\|$.
Then for an imprecise sequence of gates (composition of operations), $U_m \dots U_2 U_1 \to U_m' \dots U_2' U_1'$, we can show $\Delta \le \sum_k \Delta_k$. The proof is step-by-step, using triangle inequality and norm-preservation by a unitary
$U_2 U_1|\psi\rangle - U_2' U_1'|\psi\rangle = (U_2 U_1|\psi\rangle - U_2' U_1|\psi\rangle) + (U_2' U_1|\psi\rangle - U_2' U_1'|\psi\rangle) =$
$= (U_2 - U_2')U_1|\psi\rangle + U_2'(U_1 - U_1')|\psi\rangle$
Therefore $\|U_2 U_1 - U_2' U_1'\| \le \|U_2 - U_2'\| + \|U_1 - U_1'\|$
So, we proved that the imprecision Δ accumulates at most linearly with the number of gates
Precision of gates (cont.)
We proved that the imprecision Δ accumulates at most linearly with the number of gates.
For an overall imprecision Δ, the difference in the probability of obtaining a certain result for a measurement is less than 2Δ (simple proof in N-C book, Sec. 4.5.3).
Two more important properties:
If a 1-qubit or 2-qubit gate $U$ has imprecision Δ, then the same imprecision for this gate acting on many-qubit state (i.e., gate $U \otimes \hat 1$).
Proof (for a 2-qubit gate): A multi-qubit entangled state can always be represented as
$|\Psi\rangle = \alpha_{00}|00\rangle|\Phi_{00}\rangle + \alpha_{01}|01\rangle|\Phi_{01}\rangle + \alpha_{10}|10\rangle|\Phi_{10}\rangle + \alpha_{11}|11\rangle|\Phi_{11}\rangle$, where $|\Phi_{ij}\rangle$ are normalized states of other qubits, $|\alpha_{00}|^2 + |\alpha_{01}|^2 + |\alpha_{10}|^2 + |\alpha_{11}|^2 = 1$.
A gate $U$ acts only on $\alpha_{ij}$, an imprecise $U'$ produces $\alpha_{ij,\mathrm{in}} \to \alpha_{ij}'$ instead of $\alpha_{ij,\mathrm{in}} \to \alpha_{ij}$.
Then $\|U - U'\| = \max \||\Psi'\rangle - |\Psi\rangle\| = \max \|(\alpha_{00}' - \alpha_{00})|00\rangle|\Phi_{00}\rangle + (\alpha_{01}' - \alpha_{01})|01\rangle|\Phi_{01}\rangle + (\alpha_{10}' - \alpha_{10})|10\rangle|\Phi_{10}\rangle + (\alpha_{11}' - \alpha_{11})|11\rangle|\Phi_{11}\rangle\| =$
$= \max \sqrt{|\alpha_{00}' - \alpha_{00}|^2 + |\alpha_{01}' - \alpha_{01}|^2 + |\alpha_{10}' - \alpha_{10}|^2 + |\alpha_{11}' - \alpha_{11}|^2}$,
which is the same as when this gate acts only on two qubits. QED
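Phase estimation algorithm (Kitaev)
Consider a toy problem, which can be used in serious problems (period finding, etc.)
Suppose we know an eigenstate $|u\rangle$ of $U$, but do not know the corresponding eigenvalue $e^{2\pi i\varphi}$ (since $U$ is unitary, absolute value of eigenvalue is 1)
Goal: find $\varphi$
First idea:
[Circuit: control qubit: $H$, control of c-$U$, $H$, meas.; target register $|u\rangle \to |u\rangle$ ($|u\rangle$ does not change, since eigenstate)]
$\frac{|0\rangle + |1\rangle}{\sqrt 2}|u\rangle \xrightarrow{\text{c-}U} \frac{|0\rangle + |1\rangle e^{2\pi i\varphi}}{\sqrt 2}|u\rangle \xrightarrow{H} \frac{|0\rangle + |1\rangle + (|0\rangle - |1\rangle) e^{2\pi i\varphi}}{2}|u\rangle =$
$= \left( |0\rangle \frac{1 + e^{2\pi i\varphi}}{2} + |1\rangle \frac{1 - e^{2\pi i\varphi}}{2} \right)|u\rangle$
Measure many times, find probabilities $P(0)$ and $P(1)$
$P(0) - P(1) = \cos(2\pi\varphi)$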
Phase estimation algorithm (cont.)
[Circuit as before: control qubit with $H$, c-$U$, $H$, meas.; $|u\rangle \to |u\rangle$]
$P(0) - P(1) = \cos(2\pi\varphi)$
Now add S-gate, $S = \begin{pmatrix} 1 & 0 \\ 0 & i \end{pmatrix}$
[Circuit: the same with an $S$ gate added on the control qubit]
$P(0) - P(1) = -\sin(2\pi\varphi)$
Measuring many times, we can find $\varphi$ accurately, but this is not fast (to find $m$ bits of $\varphi$, we need ∼ $2^{2m}$ measurements)
Main idea: use c-$U^2$, c-$U^4$, c-$U^8$, etc. to find $\varphi$ bit-by-bit (Kitaev)
Even better to use (inverse) QFT after that
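Phase estimation algorithm (cont.)
[Circuit: input register of $n$ qubits (lower to upper), each $|0\rangle$ followed by $H$, controlling $U, U^2, \dots, U^{2^{n-1}}$ acting on $|u\rangle \to |u\rangle$; then QFT$^{-1}$ = QFT$^\dagger$ and measurement]
State of the input register after c-$U^k$ gates:
$\frac{1}{\sqrt{2^n}} \left( |0\rangle + e^{2\pi i 2^{n-1}\varphi}|1\rangle \right) \left( |0\rangle + e^{2\pi i 2^{n-2}\varphi}|1\rangle \right) \dots \left( |0\rangle + e^{2\pi i\varphi}|1\rangle \right) =$
$= \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} e^{2\pi i\varphi y}|y\rangle$
This is just Fourier transform of $2^n\varphi$
So, apply inverse QFT to get $2^n\varphi$
Exact result if $\varphi$ has $n$-bit representation $0.\varphi_{n-1}\varphi_{n-2} \dots \varphi_0$
If $2^n\varphi$ is not integer, then some errors.
Result: to find $m$ bits of $\varphi$ with probability $1 - \varepsilon$, we need $n = m + \log\left(2 + \frac{1}{2\varepsilon}\right)$ qubits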
Phase estimation algorithm (cont.)
Relation to period finding $f(x) = a^x \pmod N$
Define $U$ as multiplication by $a$ (mod $N$): $U|y\rangle = |ay \bmod N\rangle$ (unitary because $a$ is coprime with $N$).
Then $U^r = \hat 1$ for the period $r$, which we want to find.
Therefore eigenvalues of $U$ are $e^{2\pi i j/r}$ for integer $j$. So, finding the phase, we learn $j/r$ (as in Shor's algorithm). Therefore, phase estimation algorithms can be used for factoring integers.
It seems that for this algorithm we need to prepare an eigenstate $|u\rangle$. However, any state is a linear combination of eigenstates, so it does not matter (the algorithm will randomly find one of eigenstates of $U$). Natural to start with $|1\rangle$ (we need to avoid $|0\rangle$).
If output register starts with $|00..01\rangle$, then after c-$U^k$ gates: $\frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle|f(x)\rangle$