Classical RSA algorithm
Post on 26-Feb-2022
Modulo-$N$ arithmetic (modular arithmetic, clock arithmetic)
We need to discuss some mathematics (number theory) first.
Usual operations: addition and multiplication (ring); we need only multiplication.
$2 \equiv 9 \pmod 7$, $4 \times 3 \equiv 5 \pmod 7$
"congruent" (I will also use "=" instead of "$\equiv$")
Definition: the order of $a$ is the smallest $r$ for which $a^r \equiv 1 \pmod N$.
Why important: if $f(x) = a^x \pmod N$, then $r$ is the period of $f(x)$.
Check: $f(x + r) = a^{x+r} = a^x a^r = a^x = f(x) \pmod N$
Fermat's little theorem (simple proof, any number theory course)
If $p$ is prime and $a$ is not divisible by $p$, then $a^{p-1} \equiv 1 \pmod p$
(e.g., proof via the product $a \cdot 2a \cdot 3a \cdots (p-1)a = a^{p-1}(p-1)! \equiv (p-1)! \pmod p$, since all $ka$ must be different mod $p$)
Fermat 1640 (letter, no proof); Leibniz 1683 (unpublished); Euler 1736 (first published proof)
RSA mathematics
Fermat's little theorem: If $p$ is prime and $a$ is not divisible by $p$, then $a^{p-1} \equiv 1 \pmod p$
⇒ Lemma: If $p$ and $q$ are primes and $a$ is not divisible by $p$ or $q$, then
$a^{(p-1)(q-1)} \equiv 1 \pmod{pq}$
Proof: $a^{(p-1)(q-1)} \equiv 1 \pmod p$ and $a^{(p-1)(q-1)} \equiv 1 \pmod q$
⇒ $a^{(p-1)(q-1)} - 1$ is a multiple of both $p$ and $q$, therefore a multiple of $pq$.
QED
⇒ Lemma: If $p$ and $q$ are primes and $s$ is an integer, then
$a^{1 + s(p-1)(q-1)} \equiv a \pmod{pq}$
Note: works even if $a$ is divisible by $p$ or $q$ (trivial if $a$ is a multiple of $pq$; if only $a = kp$, then by Fermat $a^{s(q-1)(p-1)} = 1 + lq$, so $a^{s(q-1)(p-1)+1} = a + alq = a + klpq$).
⇒ Theorem: If $ed \equiv 1 \pmod{(p-1)(q-1)}$ and $p$, $q$ are primes, then
$a^{ed} \equiv a \pmod{pq}$
RSA algorithm
Rivest, Shamir, Adleman, 1977, authors from MIT; Clifford Cocks, 1973, British Intelligence, secret until 1997
[Figure: Bob sends a message to Alice using Alice's public key (in Mermin's book the roles of Alice and Bob are exchanged)]
Alice: Pick large primes $p$ and $q$, calculate $N = pq$. Pick $e < N$ [coprime with $(p-1)(q-1)$].
Find $d$ for which $ed \equiv 1 \pmod{(p-1)(q-1)}$ (easy to find $d$ using the Euclidean algorithm for $e$ and $(p-1)(q-1)$).
Public key: $N$ and $e$. Private key: $N$ and $d$.
Bob: Wants to send message $m$ ($m < N$).
Encoding: $m \to \tilde m = m^e \pmod N$
Alice: Decoding: $\tilde m^d \bmod N = m^{ed} \bmod N = m$
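The Alice/Bob round trip above, as an added example in Python (this is not code from the lecture or from Mermin's book). Key generation finds $d$ with the extended Euclidean algorithm, and exponentiation is done by repeated squaring ($m \to m^2 \to m^4 \to \ldots$, then products, all mod $N$). The primes 61 and 53, the exponent 17 and the message 65 are constructed toy values; a real key uses a 2048-bit or longer $N$.

```python
# Added example (not from the lecture): a toy RSA round trip with tiny,
# constructed primes, plus the square-and-multiply exponentiation the slides
# describe (m -> m^2 -> m^4 -> ..., multiply the powers selected by the bits
# of the exponent, everything mod N). Real RSA uses 2048-4096-bit N.


def square_and_multiply(base, exp, mod):
    """Compute base**exp mod mod via repeated squaring (bit-by-bit over exp)."""
    result = 1
    power = base % mod                  # base^(2^0)
    while exp:
        if exp & 1:                     # this exponent bit is set: include base^(2^i)
            result = (result * power) % mod
        power = (power * power) % mod   # base^(2^i) -> base^(2^(i+1))
        exp >>= 1
    return result


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def modinv(e, phi):
    """d with e*d = 1 (mod phi); raises if e is not coprime with phi."""
    g, s, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not coprime with (p-1)(q-1)")
    return s % phi


def rsa_keygen(p, q, e):
    """Alice's step: N = pq, d = e^-1 mod (p-1)(q-1); returns (public, private)."""
    N = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (N, e), (N, d)


def rsa_encrypt(public, m):
    """Bob's step: m -> m^e mod N (requires m < N)."""
    N, e = public
    if not 0 <= m < N:
        raise ValueError("message must satisfy 0 <= m < N")
    return square_and_multiply(m, e, N)


def rsa_decrypt(private, c):
    """Alice's step: c^d mod N = m^(ed) mod N = m."""
    N, d = private
    return square_and_multiply(c, d, N)


# Constructed toy parameters (far too small for real use).
P, Q, E = 61, 53, 17
PUBLIC, PRIVATE = rsa_keygen(P, Q, E)   # N = 3233, (p-1)(q-1) = 3120, d = 2753


def round_trip(m):
    """Encrypt then decrypt m; returns (ciphertext, recovered message)."""
    c = rsa_encrypt(PUBLIC, m)
    return c, rsa_decrypt(PRIVATE, c)


if __name__ == "__main__":
    print("public", PUBLIC, "private", PRIVATE)
    print("round trip of 65:", round_trip(65))
```

The `square_and_multiply` loop walks the exponent's bits from least significant upward, which is exactly the sequence of squarings the remarks on the next slide describe; Python's built-in `pow(m, e, N)` does the same thing and is what one would use in practice.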
RSA algorithm (cont.)
Remarks
- Typically $N$ is ~2048 to 4096 bits long
- Computation of $m^e \pmod N$ and $\tilde m^d \pmod N$ is fast: $m \to m^2 \to m^4 \to m^8 \to \ldots$, then products (all mod $N$)
- Eve knows $N$. If she can factor $N = pq$, then she can do the same as Alice, so she can decode. This is why factoring is so important.
- $N$ can be factored via finding the period of the function $f(x) = a^x \pmod N$, where $a$ is any number (will discuss in more detail later).
Idea: if $a^r \equiv 1 \pmod N$ and $r$ is even, then $(a^{r/2} - 1)(a^{r/2} + 1) \equiv 0 \pmod N$
- RSA can also be broken directly with a period-finding algorithm: $\tilde m, \tilde m^2, \tilde m^3, \ldots, \tilde m^r = 1, \tilde m^{r+1} = \tilde m \pmod N$ (if $\tilde m$ is not coprime with $N$, then factor immediately). Then $m^r \equiv 1 \pmod N$ also (because the subgroups generated by $\tilde m$ and by $m$ coincide: $m^e \equiv \tilde m$ and $\tilde m^d \equiv m$, so they have the same order). Then if we find $d'$ so that $ed' \equiv 1 \pmod r$, then $\tilde m^{d'} \equiv m^{ed'} \equiv m^{1+kr} = m (m^r)^k = m$, so direct decoding.
Classical algorithm for factoring via period finding
$N = pq$ can be factored via the period of $f(x) = a^x \pmod N$
1. Pick a random number $a$ ($a < N$). Check that it is coprime with $N$ (if not, then great luck!).
2. Find the smallest $r$ for which $a^r \equiv 1 \pmod N$ (i.e., $r$ is the order of $a$).
3. If $r$ is odd, choose another $a$ and repeat (go back to Step 1). Probability of going back is ≈50%.
4. If $r$ is even, then $(a^{r/2} - 1)(a^{r/2} + 1) = a^r - 1 \equiv 0 \pmod N$. $a^{r/2} - 1$ cannot be $0 \pmod N$, since $r$ is the smallest period. If $a^{r/2} + 1 \equiv 0 \pmod N$, choose another $a$ and repeat (go back to Step 1; this is very rare).
5. Since $N = pq$ and $p$, $q$ are primes, $a^{r/2} - 1$ is a multiple of $p$ and $a^{r/2} + 1$ is a multiple of $q$ (or vice versa).
Find the greatest common divisor (GCD) of $N$ and $a^{r/2} \pm 1$; they will be $p$ and $q$.
Remarks
- If $p$ and $q$ are not prime, then a similar algorithm works.
- If $r$ is not the smallest period, then check that $a^{r/2} - 1$ is not $0 \pmod N$; otherwise choose another $a$ (very rare).
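Steps 1 to 5 above run end to end, plus the "break RSA directly" remark from the previous slide, as an added Python example (not code from the lecture). The order is found by brute force, which is exactly the exponential step that the quantum period-finding replaces; $N = 15$, the candidates $a$, and the RSA instance $N = 3233$, $e = 17$, $\tilde m = 2790$ are constructed toy values. Note that $a = 2$ with $N = 3233$ hits the rare Step 4 case ($a^{r/2} \equiv -1 \pmod N$), so the function moves on to the next candidate.

```python
# Added example (not from the lecture): the classical factoring-via-period
# procedure (Steps 1-5) on constructed toy inputs, and the direct decoding of an
# RSA ciphertext from the order of the ciphertext alone, without d or the
# factors. Order finding is brute force here: the exponential step Shor's
# algorithm replaces. Needs Python 3.8+ for pow(e, -1, r).
from math import gcd


def order(a, N):
    """Smallest r >= 1 with a^r = 1 (mod N); None if a is not coprime with N."""
    if gcd(a, N) != 1:
        return None
    r, x = 1, a % N
    while x != 1:
        x = (x * a) % N
        r += 1
    return r


def factor_via_period(N, candidates):
    """Try each a in candidates following Steps 1-5; return (p, q) sorted, or None."""
    for a in candidates:
        g = gcd(a, N)
        if g != 1:                     # Step 1: not coprime -> a factor already ("great luck")
            return tuple(sorted((g, N // g)))
        r = order(a, N)                # Step 2
        if r % 2:                      # Step 3: odd order, try another a
            continue
        half = pow(a, r // 2, N)
        if (half + 1) % N == 0:        # Step 4: a^(r/2) = -1 (mod N), try another a (rare)
            continue
        p = gcd(half - 1, N)           # Step 5: gcd(N, a^(r/2) -+ 1) gives the factors
        q = gcd(half + 1, N)
        if 1 < p < N and 1 < q < N:
            return tuple(sorted((p, q)))
    return None


def decrypt_via_order(N, e, c):
    """Recover m from c = m^e mod N using only the order r of c.
    Returns None if gcd(c, N) != 1 (then N factors immediately instead)."""
    r = order(c, N)
    if r is None:
        return None
    # e d' = 1 (mod r)  =>  c^d' = m^(e d') = m^(1 + k r) = m (m^r)^k = m
    d_prime = pow(e, -1, r)            # raises ValueError if gcd(e, r) != 1
    return pow(c, d_prime, N)


if __name__ == "__main__":
    print("order of 7 mod 15:", order(7, 15))            # 4
    print("factor 15 via a=7:", factor_via_period(15, [7]))
    print("factor 3233 via a=2 then 5:", factor_via_period(3233, [2, 5]))
    print("decode 2790 without d:", decrypt_via_order(3233, 17, 2790))
```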
General idea of period finding by a QC (Shor's algorithm)
[Circuit figure: input register ($n$ qubits) and output register ($n_0$ qubits) start in $|0\rangle$; $H$ on every input qubit; $U_f$ maps $|x\rangle|0\rangle \to |x\rangle|f(x)\rangle$ with $f(x) = a^x \pmod N$; measure the output register; QFT on the input register; measure]
$N$ has $n_0$ bits. Output register has $n_0$ qubits; input register has $n \ge 2n_0$ qubits (not needed, but easier to think).
$\frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle_n |0\rangle_{n_0} \to \frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle_n |f(x)\rangle_{n_0}$
After measurement of the output register, the input register is $|\psi\rangle = \frac{1}{\sqrt m} \sum_{k=0}^{m-1} |x_0 + kr\rangle_n$,
where $r$ is the period of $f(x)$ (i.e., the order of $a$), $m = \mathrm{int}[2^n/r]$ or $\mathrm{int}[2^n/r] + 1$.
Idea: the input register state is periodic (period $r$) ⇒ Fourier transform finds this period.
Key: Quantum Fourier transform (QFT) can be done very efficiently.
$r < N < 2^{n_0}$, so $m > 2^{n_0}$ (very many states in superposition).
For $M \sim 2^n$, the usual Fourier transform needs $\sim M^2 \sim (2^n)^2$ operations, the Fast Fourier Transform (FFT) needs $\sim M \sim 2^n$ operations (actually $n 2^n$), the QFT needs $\sim (\log M)^2 \sim n^2$ operations. (Calculation of $f(x)$ needs $\sim n^3$ operations.)
Calculation of $f(x) = a^x \pmod N$
Fast classical algorithm ⇒ quantum algorithm of the same complexity
Prepare $a, a^2, a^4, a^8, \ldots \pmod N$, then multiply some of them, depending on the corresponding bits of $x = x_{n-1} \ldots x_1 x_0$
[Figure: input register ($n$ qubits) holding $x$; work register ($n_0$ qubits) holding $a, a^2, a^4, \ldots$; output register ($n_0$ qubits) starting from 1: $\times a$ or $\times 1$ depending on $x_0$, $\times a^2$ or $\times 1$ depending on $x_1$, and so on]
By the way, in this algorithm the work register remains unentangled with the input and output registers, so no "global" garbage collection is needed (garbage collection at each step is still necessary).
Complexity: $n$ steps, each contains a multiplication (mod $N$) requiring $\sim n^2$ steps, so overall $\sim n^3$ steps ($n_0 \sim n$).
Quantum Fourier Transform (QFT)
Discrete Fourier transform (DFT): for $x = 0, 1, 2, \ldots, M-1$, $f(x) \to \tilde f(x)$,
$\tilde f(x) = \frac{1}{\sqrt M} \sum_{y=0}^{M-1} e^{2\pi i xy/M} f(y)$
Inverse DFT: the same with $i \to -i$
In QC, $M = 2^n$ ($n$ qubits), and we do the discrete Fourier transform of amplitudes:
$\sum_{x=0}^{2^n-1} f(x)|x\rangle \to \sum_{x=0}^{2^n-1} \tilde f(x)|x\rangle$ (QFT)
Therefore $\mathrm{QFT}|x\rangle = \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} e^{2\pi i xy/2^n}|y\rangle$
- Check that it is unitary. For basis vectors $|x_1\rangle$ and $|x_2\rangle$, the inner product after QFT is
$\langle x_1|\mathrm{QFT}^\dagger\,\mathrm{QFT}|x_2\rangle = \frac{1}{2^n} \sum_{y=0}^{2^n-1} e^{2\pi i(-x_1 + x_2)y/2^n} \langle y|y\rangle = \frac{1}{2^n}\, 2^n\, \delta_{x_1 x_2} = \delta_{x_1 x_2}$.
So, the orthonormal basis is transformed into an orthonormal basis ⇒ unitary.
- Somewhat similar to the $n$-fold Hadamard: transforms each basis vector into an equal-weight superposition of all basis vectors (but instead of ±1 for Hadamard, many phases in QFT)
Quantum Fourier Transform (cont.)
$\mathrm{QFT}|x\rangle = \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} e^{2\pi i xy/2^n}|y\rangle$
A very simple quantum circuit exists for the QFT.
For $x = x_{n-1}2^{n-1} + x_{n-2}2^{n-2} + \ldots + x_0 2^0$, many digits are not important:
$\mathrm{QFT}|x\rangle = \frac{1}{\sqrt{2^n}} \sum_{y_{n-1},\ldots,y_0} e^{2\pi i x (y_{n-1}2^{n-1} + y_{n-2}2^{n-2} + \ldots + y_0 2^0)/2^n} |y_{n-1}\rangle|y_{n-2}\rangle \ldots |y_0\rangle$
$= \frac{1}{\sqrt{2^n}} \left(|0\rangle + e^{2\pi i x 2^{n-1}/2^n}|1\rangle\right)\left(|0\rangle + e^{2\pi i x 2^{n-2}/2^n}|1\rangle\right) \ldots \left(|0\rangle + e^{2\pi i x 2^0/2^n}|1\rangle\right)$
$\mathrm{QFT}|x\rangle = \frac{|0\rangle + e^{2\pi i x_0/2}|1\rangle}{\sqrt 2} \; \frac{|0\rangle + e^{2\pi i (x_1/2 + x_0/2^2)}|1\rangle}{\sqrt 2} \; \ldots \; \frac{|0\rangle + e^{2\pi i (x_{n-1}/2 + x_{n-2}/2^2 + \ldots + x_0/2^n)}|1\rangle}{\sqrt 2}$
First (most significant) qubit: $\frac{1}{\sqrt 2}\left(|0\rangle + e^{2\pi i x_0/2}|1\rangle\right) = \frac{1}{\sqrt 2}\left(|0\rangle + (-1)^{x_0}|1\rangle\right) = H|x_0\rangle$ (only in the computational basis). So, if we use reverse order (most significant ↔ least significant), then the only necessary operation is $H$ acting on qubit $|x_0\rangle$.
Second qubit: needs $H$ acting on $|x_1\rangle$ and also $\begin{pmatrix} 1 & 0 \\ 0 & \exp(2\pi i/2^2) \end{pmatrix}$ if $x_0 = 1$.
Quantum Fourier Transform (cont.)
$\mathrm{QFT}|x\rangle = \frac{|0\rangle + e^{2\pi i x_0/2}|1\rangle}{\sqrt 2} \; \frac{|0\rangle + e^{2\pi i (x_1/2 + x_0/2^2)}|1\rangle}{\sqrt 2} \; \ldots \; \frac{|0\rangle + e^{2\pi i (x_{n-1}/2 + x_{n-2}/2^2 + \ldots + x_0/2^n)}|1\rangle}{\sqrt 2}$
Let us introduce the rotation operator $R_k \equiv \begin{pmatrix} 1 & 0 \\ 0 & \exp(2\pi i/2^k) \end{pmatrix}$ (Mermin: the same gate with index $k-1$)
Two qubits: [Circuit: $|x_1\rangle$: $H$, then c-$R_2$ controlled by $|x_0\rangle$, giving $|y_0\rangle$; $|x_0\rangle$: $H$, giving $|y_1\rangle$ (reverse order)]
Three qubits: [Circuit: $|x_2\rangle$: $H$, c-$R_2$ (control $x_1$), c-$R_3$ (control $x_0$); $|x_1\rangle$: $H$, c-$R_2$ (control $x_0$); $|x_0\rangle$: $H$]
$y_0 = \frac{1}{\sqrt 2}\left(|0\rangle + e^{2\pi i (x_2/2 + x_1/2^2 + x_0/2^3)}|1\rangle\right)$
$y_1 = \frac{1}{\sqrt 2}\left(|0\rangle + e^{2\pi i (x_1/2 + x_0/2^2)}|1\rangle\right)$
$y_2 = \frac{1}{\sqrt 2}\left(|0\rangle + e^{2\pi i x_0/2}|1\rangle\right)$
Again, the output order is reversed.
$\mathrm{QFT}|x\rangle = \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} e^{2\pi i xy/2^n}|y\rangle$
Quantum Fourier Transform (cont.)
$\mathrm{QFT}|x\rangle = \frac{|0\rangle + e^{2\pi i x_0/2}|1\rangle}{\sqrt 2} \; \ldots \; \frac{|0\rangle + e^{2\pi i (x_{n-1}/2 + \ldots + x_0/2^n)}|1\rangle}{\sqrt 2} = \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} e^{2\pi i xy/2^n}|y\rangle$
$R_k = \begin{pmatrix} 1 & 0 \\ 0 & \exp(2\pi i/2^k) \end{pmatrix}$
Four qubits: [Circuit: $|x_3\rangle$: $H$, c-$R_2$, c-$R_3$, c-$R_4$ (controls $x_2, x_1, x_0$) → $y_0$; $|x_2\rangle$: $H$, c-$R_2$, c-$R_3$ → $y_1$; $|x_1\rangle$: $H$, c-$R_2$ → $y_2$; $|x_0\rangle$: $H$ → $y_3$; reversed order]
Similar for $n$ qubits: need $n$ Hadamard gates and $n(n-1)/2$ controlled-R gates. Each c-R gate can be realized with 2 CNOTs, so $\sim n^2$ CNOTs. (With superconducting qubits, a c-R gate can be realized directly.)
c-R gates with extreme precision ($\sim 2^{-n}$) are actually not needed. Crude precision is sufficient (will discuss later), so gates c-$R_k$ with $k > 20$ are not needed. Then only $\sim 20n$ c-R gates are needed.
Another representation of the same circuit for QFT: [Figure: wires $|y_0\rangle \ldots |y_5\rangle$, one $H$ per wire, and c-$R_2$, c-$R_3$, c-$R_4$, c-$R_5$, c-$R_6$ between wires; the symmetry of the c-R gates and the reversed order are naturally represented]
Inverse QFT: time-reverse the sequence and conjugate the gates ($H^\dagger = H$, so only replace c-$R_k$ → c-$R_k^\dagger$)
$R_k \equiv \begin{pmatrix} 1 & 0 \\ 0 & \exp(2\pi i/2^k) \end{pmatrix}$
Inverse QFT in this representation: [Figure: yellow: $H$; blue: c-$R_k$; green: c-$R_k^\dagger$]
Inverse QFT using the first circuit
[Figure: the four-qubit QFT circuit on $|x_3\rangle|x_2\rangle|x_1\rangle|x_0\rangle$ with $H$ and c-$R_2$, c-$R_3$, c-$R_4$, outputs $y_0 \ldots y_3$]
Inverse QFT: $i \to -i$, so we would expect [Figure: the same circuit with c-$R_k^\dagger$ in place of c-$R_k$, inputs $|y_3\rangle|y_2\rangle|y_1\rangle|y_0\rangle$, outputs $x_0 \ldots x_3$]
On the other hand, we know that for the inverse, the circuit should be time-reversed and the gates should be conjugated: [Figure: QFT followed by its time reverse, QFT$^{-1}$]
Does not look the same! But actually it is: use the symmetry of c-$R_k$, then shift gates.
Inverse QFT (cont.)
[Figure: three circuits for QFT$^{-1}$ on $|y_3\rangle|y_2\rangle|y_1\rangle|y_0\rangle$: the expected one ($i \to -i$); the time-reversed, conjugated one after using the symmetry of c-$R_k$; and the same after shifting some gates to the left, which coincides with the expected one]
Measurement-based realization of QFT
In Shor's algorithm, all qubits are measured after the QFT. In this case the QFT can be realized with classically-controlled $R_k$ gates.
[Figure: the usual four-qubit QFT]
Step 1: since c-$R_k$ gates are symmetric, exchange control and target.
[Figure: each c-$R_k$ is now controlled by the wire that has already passed through $H$]
Step 2: measure and control classically.
[Figure: $H$ on $|x_3\rangle$, measure → result $y_0$; apply $R_2^{y_0}$, $R_3^{y_0}$, $R_4^{y_0}$ to $|x_2\rangle$, $|x_1\rangle$, $|x_0\rangle$; $H$ on $|x_2\rangle$, measure → $y_1$; apply $R_2^{y_1}$, $R_3^{y_1}$ to $|x_1\rangle$, $|x_0\rangle$; $H$ on $|x_1\rangle$, measure → $y_2$; apply $R_2^{y_2}$ to $|x_0\rangle$; $H$ on $|x_0\rangle$, measure → $y_3$]
Because of "spooky action", measurement acts back in time, so we can exchange in time measurement and control.
So far we assume that the gates are perfect (it is not possible experimentally for $R_k$ with exponentially small angles). We will discuss later that precision is not a problem.
$R_k \equiv \begin{pmatrix} 1 & 0 \\ 0 & \exp(2\pi i/2^k) \end{pmatrix}$
Back to Shor's algorithm (period finding)
[Circuit figure: input register ($n$ qubits) with $H$ gates, output register ($n_0$ qubits), $U_f$ computing $f(x) = a^x \pmod N$, measurement of the output register, QFT, measurement]
$\frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle_n |0\rangle_{n_0} \to \frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle_n |f(x)\rangle_{n_0} \to$ (measure second register, result $f(x_0)$)
$\to \frac{1}{\sqrt m} \sum_{k=0}^{m-1} |x_0 + kr\rangle_n \to$ (QFT; $m = \mathrm{int}[2^n/r]$; $r$ is the period we want to find)
$\to \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} \frac{1}{\sqrt m} \sum_{k=0}^{m-1} e^{2\pi i (x_0 + kr) y/2^n} |y\rangle_n = \frac{1}{\sqrt{2^n}} \frac{1}{\sqrt m} \sum_{y=0}^{2^n-1} e^{2\pi i x_0 y/2^n} \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} |y\rangle_n$
$x_0$ is not important, just a phase factor.
Measure the first register; the probability of result $y$ is
$P(y) = |\psi(y)|^2 = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} \right|^2$
No more QM; let us see how the result is related to $r$.
Shor's algorithm (cont.)
$P(y) = |\psi(y)|^2 = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} \right|^2$
Significant $P(y)$ only if all terms are in phase: $y \approx \frac{2^n}{r} \times \text{integer}$
Understanding via Fourier transform: $|\psi\rangle = \frac{1}{\sqrt m} \sum_{k=0}^{m-1} |x_0 + kr\rangle$
[Figure: $|\psi\rangle$ is a comb with period $r$ on $0 \ldots 2^n - 1$ starting at $x_0$; after QFT, $|\tilde\psi(y)|^2$ is a comb with period $2^n/r$]
Number of peaks: $r$; height: $\sim \frac{m^2}{2^n m} = \frac{m}{2^n} = \frac{1}{r}$
Peaks should be at integers, while $2^n/r$ is not an integer.
Measurement randomly picks one of the peaks of $P(y)$, while we need $r$.
Two steps next:
1) Show that with a significant probability (>40%) the measured number is the closest (<1/2) to one of the multiples of $2^n/r$.
2) Show that in this case, from the measured number we can obtain $r$.
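The unitarity check from the QFT slide and the comb picture above, as an added numerical example (not from the lecture): the QFT is applied as a plain DFT of amplitudes to the post-measurement state $\frac{1}{\sqrt m}\sum_k |x_0 + kr\rangle$, and the probability landing on the $r$ integers closest to $j 2^n/r$ is summed. The register sizes, $r$ and $x_0$ are constructed inputs; the exact case $2^n/r$ integer and the generic case are both shown.

```python
# Added example (not from the lecture): QFT as a discrete Fourier transform of
# amplitudes, the unitarity check <x1|QFT^dagger QFT|x2> = delta, and P(y) for
# the periodic "comb" state of Shor's algorithm. Pure Python, no numpy.
import cmath
from math import sqrt


def qft_amplitudes(amps):
    """tilde f(y) = (1/sqrt M) sum_x e^{2 pi i x y / M} f(x) for an amplitude list of length M."""
    M = len(amps)
    out = []
    for y in range(M):
        s = sum(a * cmath.exp(2j * cmath.pi * x * y / M) for x, a in enumerate(amps) if a)
        out.append(s / sqrt(M))
    return out


def basis(M, x):
    """Basis vector |x> over M amplitudes."""
    v = [0j] * M
    v[x] = 1 + 0j
    return v


def inner_after_qft(M, x1, x2):
    """<x1|QFT^dagger QFT|x2>; equals delta_{x1 x2} if the QFT is unitary."""
    u, v = qft_amplitudes(basis(M, x1)), qft_amplitudes(basis(M, x2))
    return sum(a.conjugate() * b for a, b in zip(u, v))


def comb_state(n, r, x0):
    """|psi> = (1/sqrt m) sum_k |x0 + k r>: the input register after measuring f(x)."""
    M = 2 ** n
    xs = list(range(x0, M, r))
    amps = [0j] * M
    for x in xs:
        amps[x] = 1 / sqrt(len(xs))
    return amps


def peak_probabilities(n, r, x0):
    """Apply QFT to the comb; return (total probability on the r integers closest
    to j 2^n / r, the sorted list of those integers)."""
    M = 2 ** n
    probs = [abs(a) ** 2 for a in qft_amplitudes(comb_state(n, r, x0))]
    closest = sorted({round(j * M / r) % M for j in range(r)})
    return sum(probs[y] for y in closest), closest


def run():
    """Constructed generic case: n = 8 (256 states), period r = 6, offset x0 = 3."""
    return peak_probabilities(8, 6, 3)


if __name__ == "__main__":
    print("unitarity:", abs(inner_after_qft(16, 3, 3)), abs(inner_after_qft(16, 3, 5)))
    print("exact case n=4, r=4:", peak_probabilities(4, 4, 1))   # all weight on 0,4,8,12
    print("generic case n=8, r=6:", run())                        # > 4/pi^2 on the peaks
```

In the exact case the $r$ peaks carry all of the probability; in the generic case the total on the nearest integers exceeds the $4/\pi^2 \approx 0.405$ bound derived on the next slide, with the rest spread on neighbouring $y$.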
Shor's algorithm (cont.)
$P(y) = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} \right|^2$
[Figure: $P(y)$ on $0 \ldots 2^n - 1$, peaks spaced by $2^n/r$]
1) Show that with a significant probability (>40%) the measured number is the closest (<1/2) to one of the multiples of $2^n/r$.
Denote the closest integer as $y_j = j\frac{2^n}{r} + \delta_j$, $|\delta_j| \le \frac12$. Sum the geometric series for $P(y_j)$:
$P(y_j) = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kr\delta_j/2^n} \right|^2 = \frac{1}{2^n m} \left| \frac{e^{2\pi i mr\delta_j/2^n} - 1}{e^{2\pi i r\delta_j/2^n} - 1} \right|^2 = \frac{1}{2^n m} \frac{\sin^2(\pi mr\delta_j/2^n)}{\sin^2(\pi r\delta_j/2^n)}$
$\approx \frac{1}{2^n m} \frac{\sin^2(\pi\delta_j)}{\sin^2(\pi r\delta_j/2^n)}$ (since $mr \approx 2^n$) $\approx \frac{1}{r} \left( \frac{\sin \pi\delta_j}{\pi\delta_j} \right)^2 \ge \frac{1}{r} \frac{4}{\pi^2}$
(the argument $\pi r\delta_j/2^n$ is very small, since $r < 2^{n_0} \ll 2^n$; the bound $\approx \frac{4}{\pi^2 r}$ is reached at $\delta_j = \pm\frac12$)
⇒ $r$ peaks ($j 2^n/r$, $j = 1, 2, \ldots, r-1$), so the total probability that the measured result is within $\frac12$ of some $j 2^n/r$ is $\ge \frac{4}{\pi^2} > 40\%$. Not always, but quite likely.
Actually, if we try both neighbors, then the probability to be within $\frac12$ of $j 2^n/r$ is > 80%; if we try the 4 closest neighbors, then > 90%.
Shor's algorithm (cont.)
2) How to find the period $r$ from $y = j\frac{2^n}{r} + \delta$, where $|\delta| \le \frac12$
$n$ is a parameter we can choose. For large enough $n$, the result $y/2^n$ will be very close to the rational number $j/r$.
Rewrite: $\left| \frac{y}{2^n} - \frac{j}{r} \right| \le \frac{1}{2^{n+1}}$ (we know $y/2^n$; we want to find $j/r$)
Remember $r < N < 2^{n_0}$ ($N$ is the integer to factor, $n_0$ the number of bits in $N$).
Rational numbers with denominators $< N$ are not closer to each other than $\frac{1}{N^2}$ (because $\left| \frac{a}{b} - \frac{c}{d} \right| \ge \frac{1}{bd}$).
So, if $\frac{1}{2^{n+1}} \le \frac{1}{2N^2}$, then the closest rational number to $y/2^n$ with denominator $\le N$ is $j/r$. This is why we need $n \ge 2n_0$.
How to find $j/r$: continued fractions
$\frac{y}{2^n} = \cfrac{1}{z_0 + \cfrac{1}{z_1 + \cfrac{1}{z_2 + \ldots}}}$; this expansion will go through $j/r$.
Theorem: If $x$ is an estimate of $j/r$ with $|x - j/r| \le 1/(2r^2)$, then the continued fractions go through $j/r$ (proven in the N-C book, not a very short proof).
Continued fractions is a fast classical algorithm, $O(n_0^3)$ operations.
Shor's algorithm (cont.)
Finding the period $r$
So, we will find $j/r$ with a significant probability (> 40%). It is still possible that we will not find the correct $r$ if $j$ and $r$ have common divisors.
Then we will find a divisor of $r$ instead of $r$ itself. However, the probability of finding $r$ (not its divisor) is $\ge 50\%$, and if it is not $r$,
then it is most likely $r/2$ or $r/3$ (not a large denominator). So, after finding $r_0$, we can try $r_0, 2r_0, 3r_0$, etc. It is important that it is easy to check classically whether $kr_0$ is a period of $f(x)$ or not.
If the procedure is unsuccessful, we can run the algorithm again (with the same $a$). If we find another divisor of $r$, we can calculate the Least Common Multiple (LCM); most likely it will be $r$.
It is still possible that $y/2^n$ was not the closest to $j/r$, so several trials are needed.
So, ~3 to 10 runs of the quantum algorithm will give us the period $r$.
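The classical post-processing of the last two slides (continued fractions of $y/2^n$, trying $r_0, 2r_0, 3r_0$, and combining divisors from several runs by LCM), as an added Python example that is not part of the lecture. The "measured" values $y$ are constructed by hand from the known period rather than sampled from a simulator: $N = 15$, $a = 7$, $n = 8$ and $N = 21$, $a = 2$, $n = 10$, where the second instance is chosen so that one run returns a proper divisor of $r$.

```python
# Added example (not from the lecture): recover the period r from a measured y.
# continued_fraction/convergents implement the expansion y/2^n = 1/(z0 + 1/(z1 + ...)),
# candidate_period keeps the last convergent with denominator < N, and
# period_from_runs tries r0, 2 r0, 3 r0 and the LCM across runs, checking each
# candidate classically with a^r = 1 (mod N). Measured ys below are constructed.
from fractions import Fraction
from math import gcd


def lcm(a, b):
    return a // gcd(a, b) * b


def continued_fraction(num, den):
    """Partial quotients [z0; z1, z2, ...] of num/den via Euclid's algorithm."""
    quotients = []
    while den:
        q, rem = divmod(num, den)
        quotients.append(q)
        num, den = den, rem
    return quotients


def convergents(quotients):
    """Successive rational approximations p_k/q_k of the continued fraction."""
    p_prev, q_prev, p_cur, q_cur = 0, 1, 1, 0     # standard recurrence seeds
    out = []
    for z in quotients:
        p_prev, p_cur = p_cur, z * p_cur + p_prev
        q_prev, q_cur = q_cur, z * q_cur + q_prev
        out.append(Fraction(p_cur, q_cur))
    return out


def candidate_period(y, n, N):
    """Denominator of the last convergent of y/2^n with denominator < N (0 if none)."""
    best = 0
    for frac in convergents(continued_fraction(y, 2 ** n)):
        if frac.denominator >= N:
            break
        best = frac.denominator
    return best


def is_period(a, N, r):
    """Classical check: is r a period of f(x) = a^x mod N?"""
    return r > 0 and pow(a, r, N) == 1


def period_from_runs(a, N, n, measured_ys, max_multiple=3):
    """Combine candidate denominators from several runs (LCM), try small multiples."""
    acc = 1
    for y in measured_ys:
        r0 = candidate_period(y, n, N)
        if r0:
            acc = lcm(acc, r0)
        for k in range(1, max_multiple + 1):
            if is_period(a, N, k * acc):
                return k * acc
    return None


if __name__ == "__main__":
    # N = 15, a = 7 (r = 4), n = 8: j*2^n/r = 64 j exactly, y = 64 gives 1/4.
    print(continued_fraction(64, 256), convergents(continued_fraction(64, 256)))
    print("from y=64:", candidate_period(64, 8, 15))
    # N = 21, a = 2 (r = 6), n = 10: y = 341 is closest to 2*1024/6 and yields 1/3,
    # a divisor of r; y = 512 yields 1/2; LCM or the 2 r0 trial recovers 6.
    print("from y=341 alone:", period_from_runs(2, 21, 10, [341]))
    print("LCM of two runs:", period_from_runs(2, 21, 10, [341, 512], max_multiple=1))
```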
Required precision of gates c-$R_k$ in QFT
General idea
If a gate is imprecise, then $|\psi\rangle \to |\psi'\rangle$. But if the imprecision is not too big, then the states $|\psi\rangle$ and $|\psi'\rangle$ are still close, $|\langle\psi|\psi'\rangle|^2 = 1 - \epsilon$ with $\epsilon \ll 1$. Then they are not well distinguishable (independently of what we measure). So, the probability of measuring what we want does not change much.
In some sense, the operation is digital, and therefore insensitive to small analog errors.
$R_k = \begin{pmatrix} 1 & 0 \\ 0 & \exp(2\pi i/2^k) \end{pmatrix}$
For $k > 10$ it is very difficult to realize c-$R_k$ accurately; for $k > 20$ it is practically impossible. Is this precision (very small angles) really necessary? No!
Required precision of gates c-$R_k$ in QFT (cont.)
Estimate of the phase accuracy needed for QFT
Ideally, $P(y) = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} \right|^2$
Suppose there are phase errors: $P_\epsilon(y) = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} e^{i\epsilon_k(y)} \right|^2$, with $e^{i\epsilon_k(y)} \approx 1 + i\epsilon_k(y)$; $\epsilon_k(y)$ can depend on both $k$ and $y$.
Assume $|\epsilon_k(y)| \le \epsilon \ll 1$. As before, $y_j = j\frac{2^n}{r} + \delta_j$ with $|\delta_j| \le \frac12$.
For $y = y_j$: $P_\epsilon(y_j) \approx \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kr\delta_j/2^n} (1 + i\epsilon_{k,j}) \right|^2 \approx P(y_j) + \frac{2}{2^n m} \mathrm{Re}\left[ \left( \sum_{k=0}^{m-1} e^{2\pi i kr\delta_j/2^n}\, i\epsilon_{k,j} \right) \left( \sum_{k'=0}^{m-1} e^{-2\pi i k'r\delta_j/2^n} \right) \right]$ (ideal term plus the linear-order correction)
Even in the worst case: $\left| \sum_{k'=0}^{m-1} e^{-2\pi i k'r\delta_j/2^n} \right| \le m$, $\left| \sum_{k=0}^{m-1} e^{2\pi i kr\delta_j/2^n}\, i\epsilon_{k,j} \right| \le m\epsilon$,
so the difference is limited: $|P_\epsilon(y_j) - P(y_j)| \le \frac{2}{2^n m}\, m\, m\epsilon = \frac{2m\epsilon}{2^n} \approx \frac{2\epsilon}{r}$
Total difference $\le \sum_j |P_\epsilon(y_j) - P(y_j)| \le 2\epsilon \ll 1$. Small!
Required precision of gates c-$R_k$ in QFT (cont.)
Ideally $P(y) = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} \right|^2$; with phase errors $P_\epsilon(y) = \frac{1}{2^n m} \left| \sum_{k=0}^{m-1} e^{2\pi i kry/2^n} e^{i\epsilon_k(y)} \right|^2$, $|\epsilon_k(y)| \le \epsilon \ll 1$.
Total probability difference $\le \sum_j |P_\epsilon(y_j) - P(y_j)| \le 2\epsilon$.
Therefore, the probability of success (i.e., the measured $y$ is the closest integer to $j 2^n/r$) is not $\ge 40\%$, but $\ge 40\% - 2\epsilon$.
Therefore a precision $\epsilon \sim 10\%$ is sufficient! (digital computation)
We still cannot say that all gates with 3% accuracy are OK, because there are many gates for each "wire".
Inaccuracy scales (at most) linearly with the number of gates.
In the QFT, there are $\sim n$ gates $R_k$. The gates $R_k$ can be completely neglected if $n \cdot 2\pi \cdot 2^{-k} < 0.1$. Therefore $k_{\max} \sim \log_2 n + 6 \sim 20$ is sufficient.
Then the number of gates in the QFT is not $\sim n^2$ but only $\sim n \log n$.
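The QFT circuit of the earlier slides ($H$ on each wire, then c-$R_k$ with $k = 2, 3, \ldots$ from the lower wires, reversed output order) and the truncation just discussed (dropping every c-$R_k$ with $k > k_{\max}$), as an added state-vector simulation in Python that is not part of the lecture. The circuit is checked against the matrix definition, and the error from truncation is compared with the linear bound $\sum_i \|R_k - 1\|$, where $\|R_k - 1\| = 2\sin(\pi/2^k)$. Qubit $j$ is bit $j$ of the basis-state index; $n = 5$ and $k_{\max} = 2$ are constructed choices.

```python
# Added example (not from the lecture): simulate the slide's QFT circuit on n
# qubits, compare with QFT|x> = (1/sqrt 2^n) sum_y e^{2 pi i x y / 2^n}|y>, and
# measure what dropping c-R_k gates with k > k_max costs. Qubit j = bit j of
# the basis index (so x_0 is the least significant bit).
import cmath
from math import sqrt, sin, pi


def apply_h(state, t):
    """Hadamard on qubit t (in place on a list of 2^n amplitudes)."""
    bit = 1 << t
    for i in range(len(state)):
        if not i & bit:
            a0, a1 = state[i], state[i | bit]
            state[i], state[i | bit] = (a0 + a1) / sqrt(2), (a0 - a1) / sqrt(2)


def apply_cr(state, c, t, k):
    """Controlled-R_k: multiply by exp(2 pi i / 2^k) where qubits c and t are both 1."""
    mask = (1 << c) | (1 << t)
    phase = cmath.exp(2j * pi / 2 ** k)
    for i in range(len(state)):
        if i & mask == mask:
            state[i] *= phase


def qft_circuit(state, n, k_max=None):
    """Run the circuit; return (amplitudes indexed by y, number of c-R gates applied).
    Wire n-1 ends holding y_0 and wire 0 holding y_{n-1}, so index bits are reversed."""
    s = list(state)
    gates = 0
    for t in range(n - 1, -1, -1):            # most significant wire first
        apply_h(s, t)
        for c in range(t - 1, -1, -1):        # lower wires control R_2, R_3, ...
            k = t - c + 1
            if k_max is None or k <= k_max:
                apply_cr(s, c, t, k)
                gates += 1
    out = [0j] * (2 ** n)
    for i, a in enumerate(s):
        out[int(format(i, f"0{n}b")[::-1], 2)] = a
    return out, gates


def qft_reference(state):
    """Matrix definition of the QFT applied to an amplitude list."""
    M = len(state)
    return [sum(a * cmath.exp(2j * pi * x * y / M) for x, a in enumerate(state)) / sqrt(M)
            for y in range(M)]


def max_basis_error(n, k_max=None):
    """max over basis states |x> of || circuit|x> - reference|x> ||."""
    worst = 0.0
    for x in range(2 ** n):
        basis = [0j] * (2 ** n)
        basis[x] = 1 + 0j
        circ, _ = qft_circuit(basis, n, k_max)
        ref = qft_reference(basis)
        worst = max(worst, sqrt(sum(abs(a - b) ** 2 for a, b in zip(circ, ref))))
    return worst


def truncation_bound(n, k_max):
    """Sum of ||R_k - 1|| = 2 sin(pi / 2^k) over the dropped gates (linear accumulation bound)."""
    return sum(2 * sin(pi / 2 ** (t - c + 1))
               for t in range(n) for c in range(t) if t - c + 1 > k_max)


if __name__ == "__main__":
    n = 5
    print("full circuit error:", max_basis_error(n), "c-R gates:", qft_circuit([1] + [0] * 31, n)[1])
    print("k_max=2 error:", max_basis_error(n, 2), "bound:", truncation_bound(n, 2))
```

With all gates present the circuit reproduces the matrix QFT to rounding error using $n(n-1)/2$ c-R gates; with $k_{\max} = 2$ only $n - 1$ remain, and the largest basis-state error stays below the sum of the dropped gates' norms, which is the inequality proved on the following slides.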
Precision of gates (more general discussion)
Introduce the operator norm: $\|\hat A\| = \sup_{\psi \ne 0} \frac{\| \hat A|\psi\rangle \|}{\| |\psi\rangle \|} = \sup_{\psi \ne 0} \sqrt{\frac{\langle\psi|\hat A^\dagger \hat A|\psi\rangle}{\langle\psi|\psi\rangle}}$ (a maximum)
It is really a norm (satisfies the triangle inequality).
Imprecision of a gate
Suppose a unitary $U$ is replaced with a slightly imprecise unitary $U'$. The imprecision can be characterized by the norm of the difference: $\Delta = \|U - U'\|$.
Then for an imprecise sequence of gates (composition of operations), $U_n \ldots U_2 U_1 \to U'_n \ldots U'_2 U'_1$, we can show $\Delta \le \sum_i \Delta_i$. The proof is step by step, using the triangle inequality and norm preservation by a unitary:
$U_2 U_1|\psi\rangle - U'_2 U'_1|\psi\rangle = (U_2 U_1|\psi\rangle - U'_2 U_1|\psi\rangle) + (U'_2 U_1|\psi\rangle - U'_2 U'_1|\psi\rangle) = (U_2 - U'_2) U_1|\psi\rangle + U'_2 (U_1 - U'_1)|\psi\rangle$
Therefore $\|U_2 U_1 - U'_2 U'_1\| \le \|U_2 - U'_2\| + \|U_1 - U'_1\|$.
So, we proved that the imprecision $\Delta$ accumulates at most linearly with the number of gates.
Precision of gates (cont.)
We proved that the imprecision $\Delta$ accumulates at most linearly with the number of gates.
For an overall imprecision $\Delta$, the difference in the probability of obtaining a certain result for a measurement is less than $2\Delta$ (simple proof in the N-C book, Sec. 4.5.3).
Two more important properties:
If a 1-qubit or 2-qubit gate $U$ has imprecision $\Delta$, then the same imprecision holds for this gate acting on a many-qubit state (i.e., the gate $U \otimes \hat 1$).
Proof (for a 2-qubit gate): A multi-qubit entangled state can always be represented as
$|\Psi\rangle = \alpha_{00}|00\rangle|\Phi_{00}\rangle + \alpha_{01}|01\rangle|\Phi_{01}\rangle + \alpha_{10}|10\rangle|\Phi_{10}\rangle + \alpha_{11}|11\rangle|\Phi_{11}\rangle$, where $|\Phi_{ij}\rangle$ are normalized states of the other qubits, $|\alpha_{00}|^2 + |\alpha_{01}|^2 + |\alpha_{10}|^2 + |\alpha_{11}|^2 = 1$.
A gate $U$ acts only on $\alpha_{ij}$; an imprecise $U'$ produces $\alpha_{ij,\mathrm{in}} \to \alpha'_{ij}$ instead of $\alpha_{ij,\mathrm{in}} \to \alpha_{ij}$.
Then $\|U - U'\| = \max \| |\Psi'\rangle - |\Psi\rangle \| = \max \| (\alpha'_{00} - \alpha_{00})|00\rangle|\Phi_{00}\rangle + (\alpha'_{01} - \alpha_{01})|01\rangle|\Phi_{01}\rangle + (\alpha'_{10} - \alpha_{10})|10\rangle|\Phi_{10}\rangle + (\alpha'_{11} - \alpha_{11})|11\rangle|\Phi_{11}\rangle \|$
$= \max \sqrt{|\alpha'_{00} - \alpha_{00}|^2 + |\alpha'_{01} - \alpha_{01}|^2 + |\alpha'_{10} - \alpha_{10}|^2 + |\alpha'_{11} - \alpha_{11}|^2}$,
which is the same as when this gate acts only on two qubits. QED
Phase estimation algorithm (Kitaev)
Consider a toy problem, which can be used in serious problems (period finding, etc.)
Suppose we know an eigenstate $|u\rangle$ of a unitary $U$, but do not know the corresponding eigenvalue $e^{2\pi i\varphi}$ (since $U$ is unitary, the absolute value of the eigenvalue is 1).
Goal: find $\varphi$
First idea: [Circuit: control qubit $|0\rangle$ → $H$ → control of c-$U$ acting on $|u\rangle$ → $H$ → measure; $|u\rangle$ does not change, since it is an eigenstate]
$\frac{|0\rangle + |1\rangle}{\sqrt 2}|u\rangle \to$ (c-$U$) $\frac{|0\rangle + e^{2\pi i\varphi}|1\rangle}{\sqrt 2}|u\rangle \to$ ($H$) $\frac{(|0\rangle + |1\rangle) + (|0\rangle - |1\rangle)e^{2\pi i\varphi}}{2}|u\rangle = \left( |0\rangle \frac{1 + e^{2\pi i\varphi}}{2} + |1\rangle \frac{1 - e^{2\pi i\varphi}}{2} \right)|u\rangle$
Measure many times, find the probabilities $P(0)$ and $P(1)$:
$P(0) - P(1) = \cos(2\pi\varphi)$
Phase estimation algorithm (cont.)
[Circuit as above: $H$, c-$U$, $H$, measure] $P(0) - P(1) = \cos(2\pi\varphi)$
Now add an S-gate, $S = \begin{pmatrix} 1 & 0 \\ 0 & i \end{pmatrix}$:
[Circuit: $H$, c-$U$ on $|u\rangle$, $S$ on the control qubit, $H$, measure] $P(0) - P(1) = -\sin(2\pi\varphi)$
Measuring many times, we can find $\varphi$ accurately, but this is not fast (to find $n$ bits of $\varphi$, we need $\sim 2^{2n}$ measurements).
Main idea: use c-$U^2$, c-$U^4$, c-$U^8$, etc. to find $\varphi$ bit by bit (Kitaev).
Even better to use the (inverse) QFT after that.
Phase estimation algorithm (cont.)
[Circuit: input register of $n$ qubits, each $|0\rangle \to H$; controlled-$U$, $U^2, \ldots, U^{2^{n-1}}$ gates acting on $|u\rangle$, controlled by the $n$ input qubits; then QFT$^{-1}$ = QFT$^\dagger$ on the input register, then measurement]
State of the input register after the c-$U^{2^j}$ gates:
$\frac{1}{\sqrt{2^n}} \left( |0\rangle + e^{2\pi i 2^{n-1}\varphi}|1\rangle \right)\left( |0\rangle + e^{2\pi i 2^{n-2}\varphi}|1\rangle \right) \ldots \left( |0\rangle + e^{2\pi i\varphi}|1\rangle \right) = \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} e^{2\pi i\varphi y}|y\rangle$
This is just the Fourier transform of $2^n\varphi$ (exact result if $\varphi$ has an $n$-bit representation $0.\varphi_{n-1}\varphi_{n-2} \ldots \varphi_0$).
So, apply the inverse QFT to get $2^n\varphi$.
If $2^n\varphi$ is not an integer, then some errors. Result: to find $n$ bits of $\varphi$ with probability $1 - \epsilon$, we need $t = n + \log\left(2 + \frac{1}{2\epsilon}\right)$ qubits.
Phase estimation algorithm (cont.)
Relation to period finding, $f(x) = a^x \pmod N$
Define $U$ as multiplication by $a$ (mod $N$): $U|y\rangle = |ay \bmod N\rangle$.
Then $U^r = \hat 1$ for the period $r$, which we want to find.
Therefore the eigenvalues of $U$ are $e^{2\pi i k/r}$ for integer $k$. So, finding the phase, we learn $k/r$ (as in Shor's algorithm). Therefore, phase estimation algorithms can be used for factoring integers.
It seems that for this algorithm we need to prepare an eigenstate $|u\rangle$. However, any state is a linear combination of eigenstates, so it does not matter (the algorithm will randomly find one of the eigenstates of $U$). Natural to start with $|1\rangle$ (we need to avoid $|0\rangle$).
If the output register starts with $|00 \ldots 01\rangle$, then after the c-$U^{2^j}$ gates: $\frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle |a^x \bmod N\rangle$
(unitary because $a$ is coprime with $N$)
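The phase estimation procedure of the previous two slides and its link to period finding, as an added Python example (not from the lecture). The input register is built directly as the product state $\prod_j (|0\rangle + e^{2\pi i 2^j\varphi}|1\rangle)/\sqrt 2$ that the controlled powers of $U$ produce, the inverse QFT is applied as a matrix, and the most likely outcome is compared with $2^n\varphi$, both for an exactly representable $\varphi$ and for one that is not. A second pair of functions builds an eigenvector of $U|y\rangle = |ay \bmod N\rangle$ explicitly and reads off its eigenphase $k/r$. The values $n = 4$, $\varphi = 0.3125$, $\varphi = 0.3$, $a = 7$, $N = 15$ are constructed.

```python
# Added example (not from the lecture): QFT-based phase estimation for a known
# eigenphase phi, and the eigenvectors of multiplication by a mod N whose
# phases are k/r. Pure Python, constructed inputs.
import cmath
from math import sqrt, pi


def register_after_controlled_powers(n, phi):
    """Amplitudes e^{2 pi i phi y} / sqrt(2^n), y = 0..2^n-1: bit j of y controls U^{2^j}."""
    M = 2 ** n
    return [cmath.exp(2j * pi * phi * y) / sqrt(M) for y in range(M)]


def inverse_qft(amps):
    """QFT^dagger: the QFT with i -> -i."""
    M = len(amps)
    return [sum(a * cmath.exp(-2j * pi * x * y / M) for x, a in enumerate(amps)) / sqrt(M)
            for y in range(M)]


def phase_estimate(n, phi):
    """Return (most likely measured y, its probability, the estimate y / 2^n)."""
    probs = [abs(a) ** 2 for a in inverse_qft(register_after_controlled_powers(n, phi))]
    y = max(range(len(probs)), key=probs.__getitem__)
    return y, probs[y], y / 2 ** n


def multiplication_eigenvector(a, N, k):
    """|u_k> = (1/sqrt r) sum_s e^{-2 pi i k s / r} |a^s mod N>, as {basis value: amplitude}.
    Also returns the order r of a mod N (a must be coprime with N)."""
    r, powers = 1, [1]
    while pow(a, r, N) != 1:
        powers.append(pow(a, r, N))
        r += 1
    vec = {value: cmath.exp(-2j * pi * k * s / r) / sqrt(r) for s, value in enumerate(powers)}
    return vec, r


def eigenphase_of_multiplication(a, N, k):
    """Apply U|y> = |a y mod N> to |u_k> and return (phase of the eigenvalue in units of 2 pi, r)."""
    vec, r = multiplication_eigenvector(a, N, k)
    applied = {(a * y) % N: amp for y, amp in vec.items()}
    ratio = applied[1] / vec[1]           # compare the |1> = |a^0> component before and after
    return (cmath.phase(ratio) / (2 * pi)) % 1, r


if __name__ == "__main__":
    print("phi = 0.3125 = 0.0101b:", phase_estimate(4, 0.3125))   # y = 5 with probability 1
    print("phi = 0.3 (not 4-bit):", phase_estimate(4, 0.3))       # y = 5 still most likely, p < 1
    print("a = 7, N = 15, k = 1:", eigenphase_of_multiplication(7, 15, 1))   # (0.25, 4): phase k/r
```

For $\varphi = 5/16$ the inverse QFT returns $y = 5$ with certainty; for $\varphi = 0.3$ the register is not an exact Fourier state and the nearest integer $y = 5$ is obtained only with probability about $0.88$, the "some errors" of the slide. For multiplication by $7$ modulo $15$ the order is $r = 4$ and the eigenvector $|u_1\rangle$ has phase $1/4$, so estimating that phase yields $k/r$ exactly as in Shor's algorithm.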