Quantum computing
Shor’s factoring algorithm
Dimitri Petritis
UFR de mathématiques
Université de Rennes 1 et CNRS (UMR 6625)
Coëtquidan, 17 January 2016
Master de cryptographie 2016–2017
Shor’s algorithm (1994)
Integer factoring
Algorithm allowing factoring of a large integer n, with N = log n, in
polynomial time in N. Decomposed into sub-routines:
quantum Fourier transform,
quantum phase estimation,
quantum order finding,
factoring.
Quantum Fourier transform (QFT)
Generalisation of the discrete Fourier transform (DFT)
$N > 0$ fixed integer.
$x : \mathbb{R} \to \mathbb{C}$ signal sampled at instants $\{0, \dots, N-1\}$
becomes vector $x = (x_0, \dots, x_{N-1}) \in \mathbb{C}^N$.
Definition
Discrete Fourier transform
$$\mathbb{C}^N \ni x = (x_0, \dots, x_{N-1}) \mapsto F(x) = y := (y_0, \dots, y_{N-1}) \in \mathbb{C}^N,$$
where
$$y_j = \frac{1}{\sqrt{N}} \sum_{k=0}^{N-1} x_k \exp\left(2\pi i k \frac{j}{N}\right), \quad j \in \{0, \dots, N-1\}.$$
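Quantum Fourier transform on $\mathbb{H}_N = \mathbb{C}^N$:
$$\mathbb{H}_N = \mathbb{C}^N \ni |j\rangle \mapsto F|j\rangle = \sum_{k=0}^{N-1} \exp\left(2\pi i k \frac{j}{N}\right) |k\rangle \in \mathbb{H}_N.$$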
Abbreviate the unit vector $|e_i\rangle$ of the canonical basis $(|e_i\rangle)_{i=0,\dots,N-1}$ of $\mathbb{H}_N$ as $|i\rangle$.
Quantum Fourier transform
Quantum computing
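$N = 2^n$, $\mathbb{H} = \mathbb{C}^2$, $\mathcal{H} = \bigotimes_{k=0}^{n-1} \mathbb{H}$.
Basis vector $|j\rangle \in \mathcal{H}$, indexed by integer $j = 0, \dots, 2^n - 1$.
Identify $\{0, \dots, 2^n - 1\} \ni j \mapsto j = (j_1, \dots, j_n) \in \mathbb{B}^n$:
$$j = j_1 2^{n-1} + \dots + j_n 2^0 = 2^n \left(\frac{j_1}{2^1} + \dots + \frac{j_n}{2^n}\right) = 2^n \langle 0.j_1 \cdots j_n \rangle_2 = \langle j_1 \cdots j_n \rangle_2 = \langle j \rangle_2.$$
$$|j\rangle = |j_1 \cdots j_n\rangle \overset{F}{\mapsto} \frac{1}{2^{n/2}} \sum_{k=0}^{2^n-1} \exp\left(2\pi i j \frac{k}{2^n}\right) |k\rangle$$
$$= \frac{1}{2^{n/2}} \sum_{(k_1 \cdots k_n) \in \mathbb{B}^n} \exp\left(2\pi i j \langle 0.k_1 \cdots k_n \rangle_2\right) |k_1 \cdots k_n\rangle$$
$$= \frac{1}{2^{n/2}} \left[|0\rangle + \exp(2\pi i j/2) |1\rangle\right] \otimes \cdots \otimes \left[|0\rangle + \exp(2\pi i j/2^n) |1\rangle\right].$$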
Quantum Fourier transform
Logical circuit
Blackboard : gates, implementation of F: 5.5–5.6.
Quantum phase estimation
Statement of the problem
Definition
$U : \mathbb{H}^{\otimes n} \to \mathbb{H}^{\otimes n}$ unitary, $|u\rangle \in \mathbb{H}^{\otimes n}$ eigenvector of $U$ (assumed known
by some other source of information). Phase estimation: estimation of
$\varphi_u \in [0, 1]$ s.t.
$$U|u\rangle = \exp(2\pi i \varphi_u) |u\rangle.$$
Assume we have black boxes $U^{2^j}$, $j = 0, \dots, t-1$ and eigenvector $|u\rangle$.
It is immediate to construct controlled gates $C(U^{2^j})$.
Quantum phase estimation
Quantum circuit
Blackboard 5.7: phase-estimation-algorithm.pdf
Quantum phase estimation
Functioning principle of the quantum circuit
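Content of registers $|\psi\rangle \otimes |u\rangle \in \mathbb{H}^{\otimes t} \otimes \mathbb{H}^{\otimes n}$ before action of the operator $F^*$:
$$|\psi\rangle \otimes |u\rangle = \frac{1}{2^{t/2}} \left[|0\rangle + \exp(2\pi i 2^{t-1} \varphi_u) |1\rangle\right] \otimes \cdots \otimes \left[|0\rangle + \exp(2\pi i 2^0 \varphi_u) |1\rangle\right] \otimes |u\rangle$$
$$= \frac{1}{2^{t/2}} \sum_{k_0 \cdots k_{t-1} \in \mathbb{B}^t} \exp\left(2\pi i \varphi_u \langle k_{t-1} \cdots k_0 \rangle\right) |k_{t-1} \cdots k_0\rangle \otimes |u\rangle$$
$$= \frac{1}{2^{t/2}} \sum_{k=0}^{2^t-1} \exp(2\pi i \varphi_u k) |k\rangle \otimes |u\rangle.$$
$F^*$ on $\frac{1}{2^{t/2}} \sum_{k=0}^{2^t-1} \exp(2\pi i \varphi_u k) |k\rangle$: good rational approximation $b/2^t$ of $\varphi_u$.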
Theorem
For every $\varepsilon > 0$, there exists integer $p = p(\varepsilon) > 0$ s.t.
$$t = n + p \Rightarrow \mathbb{P}_{F^*\psi}\left(\left|\frac{b}{2^t} - \varphi_u\right| < \frac{1}{2^n}\right) \ge 1 - \varepsilon.$$
Quantum phase estimation
Algorithm
Algorithm
Require: Black boxes $C(U^{2^j})$,
eigenvector $|u\rangle$ of $U$,
precision level $\varepsilon$,
$t = n + \lceil \log(2 + \frac{1}{2\varepsilon}) \rceil$ qubits initialised at $|0\rangle$.
Ensure: Estimation of $\varphi_u$ precise up to t bits.
Initialise $|0\rangle^{\otimes t} \otimes |u\rangle$.
Act as in figure.
Apply $F^*$ on register of t first qubits to obtain $|\tilde{\varphi}_u\rangle$.
Measure register of t first qubits to obtain estimation $\tilde{\varphi}_u$.
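A classical simulation of the measurement statistics described by the theorem and algorithm above, added here as an example that is not part of the lecture. It assumes the logarithm in the formula for t is base 2 and measures the error modulo 1; the function names and the sample values of φ, n and ε are constructed for illustration.

```python
import cmath
import math

def qubits_needed(n, eps):
    """t = n + ceil(log(2 + 1/(2 eps))); the logarithm is assumed to be base 2."""
    return n + math.ceil(math.log2(2 + 1 / (2 * eps)))

def outcome_distribution(phi, t):
    """P(b), b = 0..2^t-1, after F* acts on 2^{-t/2} sum_k exp(2 pi i phi k)|k>."""
    T = 2 ** t
    probs = []
    for b in range(T):
        # <b|F*|psi> = 2^{-t} sum_k exp(2 pi i k (phi - b/2^t))
        amp = sum(cmath.exp(2j * math.pi * k * (phi - b / T)) for k in range(T)) / T
        probs.append(abs(amp) ** 2)
    return probs

def success_probability(phi, n, eps):
    """Probability that the measured b satisfies |b/2^t - phi| < 2^-n (distance mod 1)."""
    t = qubits_needed(n, eps)
    T = 2 ** t
    total = 0.0
    for b, p in enumerate(outcome_distribution(phi, t)):
        d = abs(b / T - phi)
        if min(d, 1 - d) < 2 ** -n:
            total += p
    return total

if __name__ == "__main__":
    # Constructed sample: phase 1/3 has no finite binary expansion.
    n, eps = 3, 0.1
    print("t =", qubits_needed(n, eps))
    print("P(success) =", round(success_probability(1 / 3, n, eps), 4))
```

When φ is an exact multiple of 1/2^t the distribution collapses onto a single outcome; otherwise it spreads over neighbouring values of b, which is why the extra p qubits are needed.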
Order finding
Definition
$x, N > 1$ fixed integers verifying $\gcd(x, N) = 1$. Order:
$$\operatorname{ord}(x, N) = \inf\{r > 0 : x^r = 1 \bmod N\}.$$
Blackboard : example: 5.13.
Order finding, conjectured to be algorithmically hard.
If $L = \lceil \log N \rceil$, no known classical algorithm solving the problem in
polynomial time in $L$.
Define unitary $U|y\rangle = |xy \bmod N\rangle$.
For $y \in \mathbb{B}^L$, $N \le y \le 2^L - 1$, $xy \bmod N = y$ $\Rightarrow$ $U$ acts non trivially
solely on $0 \le y \le N - 1$.
Order finding
Principle of the algorithm
Lemma
Let $r := \operatorname{ord}(x, N) \le N$. For $s = 0, \dots, r-1$,
$$U|u_s\rangle = \exp\left(2\pi i \frac{s}{r}\right) |u_s\rangle,$$
where
$$|u_s\rangle = \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} \exp\left(-2\pi i k \frac{s}{r}\right) |x^k \bmod N\rangle.$$
Problem: vector $|u_s\rangle$ needed in previous lemma is an eigenvector of $U$
but its construction presupposes knowledge of $r$.
Order finding
Essential technical lemma
Lemma
$$\frac{1}{\sqrt{r}} \sum_{s=0}^{r-1} |u_s\rangle = |1\rangle.$$
Blackboard : proof: 5:15.
Instead of initialising circuit with $|u_s\rangle$, initialise with $|1\rangle$.
Order finding
Continued fraction expansion
Algorithm
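Require: real $\alpha > 0$, integer $M > 0$.
Ensure: $a_0, \dots, a_M$ with $a_i > 0$ for $1 \le i \le M$.
Initialise $m \leftarrow 0$.
repeat
    $a_m \leftarrow \lfloor \alpha \rfloor$.
    $\beta \leftarrow \{\alpha\}$.
    $m \leftarrow m + 1$.
    if $\beta \ne 0$ then
        $\alpha \leftarrow \frac{1}{\beta}$
    else
        $\alpha = 0$
    end if
until $m > M$.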
Order finding
Some details on continued fraction expansion
If $\alpha \in \mathbb{Q}$, there exists $M > 0$ such that its expansion is
$[a_0, \dots, a_M, 0, 0, \dots]$.
If $\alpha \notin \mathbb{Q}$, its expansion is $[a_0, a_1, a_2, \dots]$, with $a_i > 0$ for all $i \ge 1$.
$$[a_0, \dots, a_m] = \frac{p_m(\alpha)}{q_m(\alpha)} \quad \text{and} \quad \lim_{m \to \infty} \frac{p_m(\alpha)}{q_m(\alpha)} = \alpha.$$
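The expansion algorithm and its convergents, applied to the classical step that turns a measured value b ≈ 2^t · s/r into the order r. This is an added example, not code from the lecture; exact rationals replace the real α, the recurrence for p_m/q_m is the standard one, and N = 21, x = 2, t = 11 and the measured values b are constructed sample inputs.

```python
from fractions import Fraction
from math import floor

def continued_fraction(alpha, M):
    """The expansion above: [a_0, ..., a_M], zero-padded once alpha is exhausted."""
    a = []
    for _ in range(M + 1):
        a_m = floor(alpha)
        a.append(a_m)
        beta = alpha - a_m                      # fractional part {alpha}
        alpha = 1 / beta if beta != 0 else Fraction(0)
    return a

def convergents(a):
    """p_m/q_m = [a_0, ..., a_m] for every m before the zero padding starts."""
    p_prev, q_prev, p, q = 1, 0, a[0], 1
    out = [Fraction(p, q)]
    for a_m in a[1:]:
        if a_m == 0:
            break
        # standard recurrence: p_m = a_m p_{m-1} + p_{m-2}, same for q_m
        p_prev, q_prev, p, q = p, q, a_m * p + p_prev, a_m * q + q_prev
        out.append(Fraction(p, q))
    return out

def recover_order(b, t, x, N):
    """First convergent denominator q < N of b/2^t with x^q = 1 mod N, else None."""
    for c in convergents(continued_fraction(Fraction(b, 2 ** t), 2 * t)):
        q = c.denominator
        if q < N and pow(x, q, N) == 1:
            return q
    return None

if __name__ == "__main__":
    # Constructed measurements for ord(2, 21) = 6 with t = 11 qubits.
    print(recover_order(1707, 11, 2, 21))   # b ~ 2^11 * 5/6, s coprime with r
    print(recover_order(683, 11, 2, 21))    # b ~ 2^11 * 2/6, s shares a factor with r
```

The second measurement returns no order because s/r reduces to 1/3 and the denominator 3 fails the check x^q = 1 mod N; the run has to be repeated.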
Factoring
Shor’s algorithm
Algorithm
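Require: Integer $N$ of $L$ bits,
$x$ coprime with $N$,
precision level $\varepsilon$,
$t = 2L + 1 + \lceil \log(2 + \frac{1}{2\varepsilon}) \rceil$ qubits initialised at $|0\rangle$,
$U_{N,x} : \mathbb{H}^{\otimes t} \otimes \mathbb{H}^{\otimes L} \to \mathbb{H}^{\otimes t} \otimes \mathbb{H}^{\otimes L}$ unitary,
FractionContinue.
Ensure: $\operatorname{ord}(x, N)$ with probability $1 - \varepsilon$ in $O(L^3)$ steps.
Let $H^{\otimes t} \otimes I^{\otimes L}$ act on $|0\rangle \otimes |1\rangle \in \mathbb{H}^{\otimes t} \otimes \mathbb{H}^{\otimes L}$.
Act as in figure.
Apply $F^*$ on register of t first qubits to obtain $|\tilde{\varphi}_u\rangle$.
Measure register of t first qubits to obtain estimation $\tilde{\varphi}_u$.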
Blackboard : end of algorithm: 5.18–5.20.
Factoring
Idea of the algorithm
Theorem
Suppose $N$ is an $L$-bit composite integer and $x$ a non-trivial solution to
the equation $x^2 = 1 \bmod N$ for $1 \le x \le N$ (non-trivial, i.e.
neither $x = 1 \bmod N$ nor $x = (N - 1) \bmod N = -1 \bmod N$). Then at least one of
$\gcd(x - 1, N)$, $\gcd(x + 1, N)$ is a non-trivial factor of $N$.
Theorem
Suppose $N = p_1^{\alpha_1} \cdots p_m^{\alpha_m}$ and $x$ an integer randomly chosen in
$1 \le x \le N - 1$ that is coprime with $N$. Let $r = \operatorname{ord}(x, N)$. Then
$$\mathbb{P}\left(r \text{ is even and } x^{r/2} \ne -1 \bmod N\right) \ge 1 - \frac{1}{2^m}.$$
Combine two theorems to give algorithm returning with high probability a
non-trivial factor of N. All steps can be performed efficiently on a
classical computer except the order finding.
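The classical reduction from order finding to factoring given by the two theorems, as an added example that is not part of the lecture. The brute-force `order` function stands in for the quantum subroutine (it takes exponential time in L), and the function names and the sample moduli 15, 21 and 3233 are constructed for illustration.

```python
from math import gcd

def order(x, N):
    """Brute-force ord(x, N); classical stand-in for the quantum order-finding step."""
    if gcd(x, N) != 1:
        raise ValueError("x must be coprime with N")
    r, y = 1, x % N
    while y != 1:
        y = (y * x) % N
        r += 1
    return r

def factor_from_order(x, N, r):
    """Non-trivial factor of N from r = ord(x, N), or None when this x fails."""
    if r % 2:                       # r odd: x^(r/2) is not available
        return None
    y = pow(x, r // 2, N)           # y^2 = 1 mod N, and y != 1 by minimality of r
    if y == N - 1:                  # trivial square root -1 mod N: no information
        return None
    for d in (gcd(y - 1, N), gcd(y + 1, N)):
        if 1 < d < N:
            return d
    return None

def find_factor(N, candidates):
    """Try each candidate 2 <= x <= N-1; returns (x, factor) for the first success."""
    for x in candidates:
        d = gcd(x, N)
        if d > 1:
            return x, d             # x already shares a factor with N
        f = factor_from_order(x, N, order(x, N))
        if f is not None:
            return x, f
    return None

if __name__ == "__main__":
    print(factor_from_order(7, 15, order(7, 15)))     # even order, non-trivial root
    print(factor_from_order(14, 15, order(14, 15)))   # x^(r/2) = -1 mod N
    print(factor_from_order(4, 21, order(4, 21)))     # odd order
    print(find_factor(3233, range(2, 3233)))
```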