mathematical essentials of quantum computing · pdf filemathematical essentials of quantum...

MATHEMATICAL ESSENTIALS

OF QUANTUM COMPUTING

JUANJO RUE * AND SEBASTIAN XAMBO

Abstract. The purpose of this expository article is to phrase the essentialnotions of quantum computation in purely mathematical terms. In particu-lar we will define the notions of q-computation, q-measurement, q-procedure,q-computer and q-algorithm, and each of them will be illustrated with severalexamples. In addition to some low level q-algorithms, we discuss in detail agood sample of the most relevant discovered in the last years. These includeq-algorithms for the Fourier transform, for telling which alternative occurs for aBoolean function that is known to be constant or balanced (Deutsch), for data-base searching (Grover), for estimating the phase of an eigenvalue of a unitaryoperator (Kitaev), for finding the multiplicative order of an integer modulo an-other integer (Shor) and for factoring an integer (Shor). The possible physicalrealizations of the model, and its potential use to obtain gains with respect toclassical algorithms (sometimes even exponential gains), are analyzed in termsof a standard axiomatic formulation of (finite dimensional) quantum theory.

Contents

Introduction

1. Preliminaries

2. q-Computations

3. q-Measurements and q-Procedures

4. q-Computers and q-Algorithms

5. Deutsch’s and Grover’s q-Algorithms

6. Phase estimation

7. Modular Order of an Integer

8. Shor’s Factoring q-Algorithm

9. Physical Interpretations

10. Remarks and Proofs

References

* Supported by a JAE-DOC grant from the Junta para la Ampliacion de Estudios (CSIC),the MTM2011-22851 grant (Spain) and the ICMAT Severo Ochoa Project SEV-2011-0087(Spain).

2 J. RUE AND S. XAMBO

Introduction

The mathematical side of quantum processing, which we will call q-processing,will be presented as a suitable rephrasing of mathematical notions, most notablycomplex linear algebra and basic notions of elementary probability theory. Ouraim is to cover from the most basic concepts up to the expression and analysisof a good sample of the remarkable q-algorithms discovered in the last twentyfive years.

Since the link to physics is not addressed until a late section, our approach mightbe judged as a vacuous game by physicists and engineers, and perhaps even asan inconsequential story by mathematicians. Yet in our experience the approachturns out to be surprisingly powerful and illuminating, and we much hope thatthis appreciation will be shared by other people as well. Actually, the phrasingof our scheme is crafted in such a way that the tacit physical meaning will beapparent for physicists and, we expect, a reliable basis for mathematicians toappreciate the key physical ideas with minimal effort.

At the earliest stages, the most visible reason for the robustness of the paradigm,and perhaps also for its esthetical appeal, is its close relation with Booleanalgebra, the mathematical side of classical computing. This relation is rootedin the fact that the basic playground of q-processing is the complex space H (n)

generated by the set B n of binary vectors of length n, which is the basic arenaof classical computation.

Later, when the q of q-processing is interpreted as genuine quantum feature, thescheme delivers its full meaning as a mathematical model of interesting physicalphenomena that are being intensively explored in labs around the world andwhich hold a broad range of scientific and technological possibilities for theyears to come.

It may be worth reflecting that if computing with classical bits has broughtabout the ‘digital era’, dominated by information theory and computer science,together with all the enabling technologies, the long term development of themuch more comprehensive q-processing is likely to be even mightier and certainlynot less interesting.

1. Preliminaries

Let us begin by declaring a number of symbols and conventions that will beused throughout.

n, a positive integer. We will refer to n as the number of q-bits.

j, k, ... positive integers in the range 0, . . . , 2n − 1.

QUANTUM COMPUTING 3

j = j1j2 · · · jn, the binary expression of j (and similarly for k). In other words,

j1, . . . , jn ∈ {0, 1} and j = j12n−1 + j22

n−2 + · · ·+ jn−12 + jn20.

Binary vectors. Let B = {0, 1}, the set of binary digits (bits). Then the setof binary vectors of length n is B n. Its elements are usually written as stringsof bits. For example,

B 3 = {000, 001, 010, 011, 100, 101, 110, 111}.

Henceforth the vectors 0n)· · · 0 and 1

n)· · · 1 will be denoted 0n and 1n, respectively.

The binary representation of integers allows us to identify the binary vectors oflength n with the integers in the range 0, . . . , 2n − 1:

j ↔ j1j2 · · · jn.

Since (classical) information can be represented by elements of B n, the setsB n are the playing ground for classical computations. Actually, a classicalcomputation of order n can be seen as a map f : B n → B n. If this mapis one-to-one, the computation is said to be reversible. Since every classicalcomputation can be embedded in a reversible one (�1),1 classical computationswill be assumed to be reversible unless it is said otherwise explicitely.

Real and comple numbers. The fields of real and complex numbers will bedenoted R and C, respectively. Given a complex number a = α+ βi (α, β ∈ R),we write a to denote its conjugate: a = α − βi. We have aa = α2 + β2 = |a|2,where |a| denotes the modulus or norm of a. The complex numbers of modulus1 have the form cosφ+ i sinφ = eiφ, φ ∈ R (φ is defined up to integer multiplesof 2π). The set U(1) of unit complex numbers is a multiplicative group.

1

i

eiϕ

ϕ

U(1)

q-Vectors. We will write H (n) = C2n and we will say that this is the space ofq-vectors of order n. These spaces are the playing ground for q-procedures, justas the sets B n are the playing ground for classical computations. In standardmathematical notation, the elements a in H (n) are complex column vectors ofdimension or length 2n:

1 �n refers to the note number n in section 10 (Remarks and Proofs), p. 43.


a =

a0

a1...

a2n−1

, aj ∈ C.

The q-vector a can be written in the form

a = a0

1

0...

0

+ a1

0

1...

0

+ · · ·+ a2n−1

0

0...

1

.This can be compressed as a =

∑j aju j , where u j is the q-vector whose j-th

component is 1 and with all other components 0.

Dirac’s notation. Instead of u j we will write |j⟩. Thus we have a =∑

j aj |j⟩.Regarding j as a binary vector of length n, we see that H (n) is the complexvector space with basis B n.

Example 1.1 (n = 1: One q-bit).

a =

[a0

a1

]= a0|0⟩+ a1|1⟩ = a0

[1

0

]+ a1

[0

1

].

Example 1.2 (n = 2: Two q-bits).

a = a0|0⟩+ a1|1⟩+ a2|2⟩+ a3|3⟩= a00|00⟩+ a01|01⟩+ a10|10⟩+ a11|11⟩

=

a0

a1

a2

a3

=

a00

a01

a10

a11

= a00

1

0

0

0

+ a01

0

1

0

0

+ a10

0

0

1

0

+ a11

0

0

0

1

Here the 0 in |0⟩ is an integer and those in |00⟩ are bits. This abuse of notationis basically harmless, as we can infer the meaning from the context. Note alsothat |1⟩ (1 an integer) and |01⟩ (0 and 1 are bits) refer to the same basis vector,and that it is required to write the bit 0 on the left.

Example 1.3 (Hadamard q-vector of order n). The Hadamard q-vector of ordern is defined as

h (n) = ρn(|0⟩+ |1⟩+ · · ·+ |2n − 1⟩

),

where ρ = 1/√2 (see the table on page 49 for a list of frequently used symbols).

QUANTUM COMPUTING 5

Linear maps. Let us recall that a C-linear map T : H (n) → H (n) (also calledan operator) is determined by the 2n images t j = T |j⟩, for

T

∑j

aj |j⟩

=∑j

ajT (|j⟩) =∑j

ajt j .

Moreover, given any set of q-vectors {t j}0≤j<2n , there is a (unique) linear map

T : H (n) → H (n) such that T |j⟩ = t j . In the sequel, this observation will bethe basic method used to prescribe operators. Properties of T are usually areflection of properties of the t j . For example, the map T is bijective if andonly if the vectors t j are linearly independent.

Scalar product and norm. If a and b be q-vectors, the bracket product, orjust the bracket, of a and b , ⟨a |b ⟩, is defined by

⟨a |b ⟩ =∑j

ajbj .

It is linear in b and conjugate-linear in a . If ⟨a |b ⟩ = 0, we say that a and b

are orthogonal. Note that ⟨a |a ⟩ = |a |2, where|a |2 = |a0|2 + |a1|2 + · · ·+ |a2n−1|2

(the norm squared of a ). If |a | = 1, we say that a is a unit vector. If x is anynon-zero q-vector, x / |x | is a unit q-vector. This vector is denoted x or u (x ).

Note also that ⟨u j |u k⟩ = δij . This means that the u j are pairwise orthogo-nal unit vectors (this property is expressed by saying that the {u j} form anorthonormal basis). In Dirac’s notation this is written as ⟨j|k⟩ = δjk.

Tensor product. Let a ∈ H (n) and a ′ ∈ H (n′). Then the tensor product ofa and a ′, denoted a ⊗a ′, is the vector in H (n+n′) whose components are aja

′j′ ,

with (j, j′) in lexicographic order.

For example, [a0

a1

]⊗

[a′0a′1

]=

a0a

′0

a0a′1

a1a′0

a1a′1

.Proposition 1.4. If a =

∑j aj |j⟩ and a ′ =

∑j′ a

′j′ |j′⟩, then

a ⊗a ′ =∑j,j′

aja′j′ |j · 2n

′+ j′⟩.

Proof. The index j ∈ {0, . . . , 2n− 1} of the entry aj of a vector a is the numberof entries preceding it (these entries are a0, a1, . . . , aj−1). Now the claim follows

because the number of entries preceding the entry aja′j′ in a ⊗a ′ is j′+j ·2n′

. �


If we think of j and j′ as binary numbers, then j·2n′+j′ is just the binary number

obtained by concatenating the binary representations of j and j′. In practicethis number is simply written as jj′, and so we get the following expression forthe tensor product:

a ⊗a ′ =∑j,j′

aja′j′ |jj′⟩.

The tensor product |j⟩⊗|j′⟩ is also denoted |j⟩|j′⟩, so that we have

|j⟩⊗|j′⟩ = |j⟩|j′⟩ = |jj′⟩.

In particular we can write

|j1⟩⊗|j2⟩⊗ · · · ⊗|jn⟩ = |j1⟩|j2⟩ · · · |jn⟩ = |j1j2 · · · jn⟩

Example 1.5. Let h (n) be the Hadamard q-vector of order n (see Example 1.3).Then

h (n) = ρn(|0⟩+ |1⟩

)⊗(|0⟩+ |1⟩

)⊗ · · · ⊗

(|0⟩+ |1⟩

).

In fact, the right hand side is equal to

ρn∑

j1,...,jn∈B|j1⟩ · · · |jn⟩ = ρn

∑j∈B n

|j⟩ = h (n).

Remark 1.6. The map H (n) × H (n′) → H (n+n′), (a ,a ′) 7→ a ⊗a ′ is bilinear,and hence induces a linear map

H (n) ⊗H (n′) → H (n+n′), a ⊗ a ′ 7→ a ⊗a ′.

This map is an isomorphism, as it sends the basis {|j⟩ ⊗ |j′⟩} of H (n) ⊗H (n′)

to the basis {|jj′⟩} of H (n+n′). In particular we have an isomorphism

H (n) ≃ H (1) ⊗n)· · · ⊗H (1).

Because of the isomorphism given by a ⊗ a ′ 7→ a ⊗a ′, from now on we willwrite ⊗ instead of ⊗.

Remark 1.7. A q-vector of order n of the form a 1⊗· · ·⊗a n, a l ∈ H (1), is said tobe decomposable. The basis vectors |j1j2 · · · jn⟩ = |j1⟩|j2⟩ · · · |jn⟩ are examplesof decomposable vectors. In general, however, q-vectors are not decomposable.For example, it is easy to check that |00⟩ + |11⟩ ∈ H (2) cannot be writtenin the form (a0|0⟩ + a1|1⟩)(b0|0⟩ + b1|1⟩). Using a terminology originated inphysics (see page 39), non-decomposable q-vectors are said to be entangled anddecomposable q-vectors are also called composite.

QUANTUM COMPUTING 7

2. q-Computations

If U = [ujk] is a matrix, its transpose is UT = [ukj ] and its adjoint is

U † = [ukj ] = UT .

A q-computation of order n is a unitary matrix U of dimension 2n. This meansthat

U = [ujk]0≤j, k<2n , ujk ∈ Cand

UU † = I2n ,

where I2n denotes the identity matrix of dimension 2n.

The set of unitary matrices of dimension 2n, U (2n), will be denoted U (n). With

the standard multiplication of matrices, U (n) is a group. In detail, this meansthe following:

(Identity) I2n ∈ U (n). In words, the identity matrix of dimension 2n is aq-computation of order n.

(Composition) If U, V ∈ U (n), then V U ∈ U (n). Thus the composition of twoq-computations of order n is a q-computation of order n.

(Reversibility) If U ∈ U (n), then U−1 ∈ U (n) (notice that U−1 = U †). Theinverse of a q-computation of order n is a q-computation of order n.

If a ∈ H (n) is a unit vector and U a q-computation, then b = Ua is also a unitvector. As in classical computations, we say that b is the q-output of U withq-input a .

Example 2.1. If U ∈ U (n) and U ′ ∈ U (n′), define the map

U ⊗ U ′ : H (n+n′) → H (n+n′)

such that |jj′⟩ = |j⟩|j′⟩ 7→ U |j⟩U ′|j′⟩. Then U ⊗ U ′ ∈ U (n+n′). This map

actually satisfies |a ⟩|a ′⟩ 7→ U |a ⟩U ′|a ′⟩ for all a ∈ H (n) and a ′ ∈ H (n′).

Similarly, if U ∈ U (1), then we can define U⊗n ∈ U (n) by the relation

U⊗n|j⟩ = U |j1⟩U |j2⟩ · · ·U |jn⟩.

Example 2.2 (Classical reversible computations). Given a classical computation

of order n, f : B n → B n, we can define a linear map Uf : H (n) → H (n) by therelations

Uf |j⟩ = |f(j)⟩.If f is reversible, then Uf is a q-computation, as it maps the orthonormal basis{|j⟩} to the orthonormal basis {|f(j)⟩} (a permutation of the former). We willsay that Uf is the q-computation associated to the classical reversible computa-tion f .


Some of the examples below are just special cases of this general example.

Remark 2.3. The q-computations of order n are vastly more abundant than theclassical reversible computations of order n. This is already clear for n = 1,for in this case Not is the only classical reversible computation of order 1different from the identity, whereas the q-computations of order 1 depend onfour continuous parameters (cf. Example 2.4).

Graphical representation. A q-computation U of order n is often representedby a diagram like this:

n U{.

.

.

The n horizontal lines are called q-wires.

If we want to represent the q-input a and q-output b , the diagram can bemodified as follows:

Un

a b

{

In the case where a = |j1⟩ · · · |jn⟩, the input is represented as follows:

|jn−1〉

|jn〉

.

.

.

|j2〉

|j1〉

Example 2.4 (n = 1). It is easy to check that the matrix

U = eiα

[u0 u1

−u1 u0

], α ∈ R, u0, u1 ∈ C, u0u0 + u1u1 = 1

is a q-computation of order 1. Actually any U ∈ U (1) has this form. Indeed,we may write U = eiαU ′ with det(U ′) = 1 (this follows from UU † = I2, so

that det(U) is a unit complex) and then U ′ ∈ U (1) has necessarily the form[u0 u1

−u1 u0

]if its inverse has to coincide with its adjoint.

U

Remark 2.5. For later reference, let us consider a more explicit construction ofthe q-computations of order 1.2 With the notations of the previous example,

2Here, and in the remaining of the section, we closely follow [15], Section 4.2.

QUANTUM COMPUTING 9

the relation u0u0 + u1u1 = 1 implies that there is a unique θ ∈ [0, π] such that|u0| = cos θ2 and |u1| = sin θ

2 . It follows that u0 = e−iλ cos θ2 and u1 = −eiµ sin θ2 ,

λ, µ ∈ R (the choice of signs is for later convenience) and so[u0 u1

−u1 u0

]=

[e−iλ cos θ2 −eiµ sin θ

2

e−iµ sin θ2 eiλ cos θ2

]If we do the replacements λ = (β+ γ)/2, µ = (γ− β)/2 (β, γ ∈ R), then we canwrite [

e−iλ cos θ2 −eiµ sin θ2

e−iµ sin θ2 eiλ cos θ2

]= Rz(β)Ry(θ)Rz(γ)

where we define

Rz(φ) =

[e−iφ/2 0

0 eiφ/2

], Ry(θ) =

[cos θ2 − sin θ

2

sin θ2 cos θ2

].

We therefore conclude that a general element of SU (1) (the elements of U (1)

with determinant 1) has the form

U(θ, β, γ) = Rz(β)Ry(θ)Rz(γ).

The geometrical meaning of this statement, closely related to rotations in Eu-clidean 3-space, will be considered in Section 9.

Special cases

a) Pauli matrices

I2 =

[1 0

0 1

], X = σx =

[0 1

1 0

], Y = σy =

[0 −ii 0

], Z = σz =

[1 0

0 −1

].

The Pauli matrices are self-adjoint and unitary: X2 = Y 2 = Z2 = 1.

Notice that the matrix X can be defined by the relations

X|0⟩ = |1⟩, X|1⟩ = |0⟩.

This means that X is the q-computation corresponding to the classical Booleanoperator Not (negation) :

X|j⟩ = |Not(j)⟩ .In terms of the Boolean sum of bits, we have Not(j) = 1 + j, as 1 + 0 = 1 and1 + 1 = 0. Briefly, X|j⟩ = |1 + j⟩.

X Y Z


Remark 2.6. With the notations of Remark 2.5, we have

Rz(φ) = cos φ2 I2 − i sin φ2Z = e−i

φ2Z

Ry(θ) = cos θ2I2 − i sin θ2Y = e−i

θ2Y .

This suggests defining

Rx(ψ) = cos ψ2 I2 − i sin ψ2X = e−i

ψ2X =

[cos ψ2 −i sin ψ

2

−i sin ψ2 cos ψ2

].

One further observation is that every U ∈ U (1) can be expressed as

U = eiαAXBXC,

with A,B,C ∈ SU (1) and ABC = I2 (this will be called an Euler decompositionof U). Indeed, if U = eiαRz(β)Ry(θ)Rz(γ), it is enough to set

A = Rz(β)Ry(θ2)

B = Ry(− θ2)Rz(−

β+γ2 )

C = Rz(γ−β2 )

The proof is a staightforward computation (�2).

b) The Hadamard matrix H

The matrix

[1 1

1 −1

]is self-adjoint and

[1 1

1 −1

]2= 2

[1 0

0 1

]. It follows that

the matrix

H = ρ

[1 1

1 −1

] {|0⟩ 7→ ρ(|0⟩+ |1⟩)|1⟩ 7→ ρ(|0⟩ − |1⟩)

is a q-computation of order 1. To write H in the form of Example 2.4, note that

H = (−i)(iH) and check that iH has the form

[u0 u1

−u1 u0

]with u0 = u1 = i.

H

The q-computation H⊗n (see the second part of the Example 2.1) will appearoften in the following. Notice that using the notation of Example 1.3 we havethe following identity:

H⊗n(|0n⟩) = h (n).

QUANTUM COMPUTING 11

c) Phase shift matrices

These are the matrices of the form

Sα =

[1 0

0 eiα

]= ei

α2

[e−i

α2 0

0 eiα2

]

Sα

In particular we define

S = Sπ/2 =

[1 0

0 i

]and T = Sπ/4 =

[1 0

0 eiπ/4

].

Note that T 4 = S2 = X, which is sometimes written as S =√Not.

S T

Example 2.7 (n = 2). Let U ∈ U (1). Define C12(U) ∈ U (2) as follows:

C12(U)|0j2⟩ = |0j2⟩, C12(U)|1j2⟩ = |1⟩U |j2⟩.

In matrix form we have, if U =

[u00 u01

u10 u11

],

C12(U) =

1 0 0 0

0 1 0 0

0 0 u00 u01

0 0 u10 u11

Note that this is a form of Controlled-U , as U acts on |j2⟩ only when j1 = 1.

|j1〉

|j2〉 U

In particular we set N12 = C12(X) (Controlled-Not, or Cnot):

N12|0j2⟩ = |0j2⟩, N12|1j2⟩ = |1⟩|1 + j2⟩,

which can be written more compactly as

N12|j1j2⟩ = |j1⟩|j1 + j2⟩.

This shows that N12 : H (2) → H (2) is the q-computation corresponding to theclassical computation Cnot : B 2 → B 2 such that

00 7→ 00, 01 7→ 01, 10 7→ 11, 11 7→ 10


or Cnot(j1, j2) = (j1, j1 + j2). Since its action amounts to negating the secondbit if and only if the first bit is 1, it is a Not on the second bit “controlled”by the first bit, which means that it is conditional to the first bit having thevalue 1.

In matrix form,

N12 =

1 0 0 0

0 1 0 0

0 0 0 1

0 0 1 0

.|j1〉

|j2〉 ⊕ |j1 + j2〉

|j1〉

C21(U) is defined in an analogous way. For example, the matrix form of N21 =C21(X) is

N21 =

0 1 0 0

1 0 0 0

0 0 1 0

0 0 0 1

⊕|j1〉

|j2〉

|j1 + j2〉

|j2〉

More generally, in the case of order n, we can define the q-computations Cr,s(U),where r, s ∈ {1, . . . , n} are two distinct position indices, in the same way. Thisq-computation acts by U on the s-th bit when the r-th bit is 1, and otherwiseacts as the identity. In the special case U = X, we let Nr,s = Cr,s(X). Thisnegates the s-th q-bit if and only if the value of the r-th q-bit is 1. Here aresome illustrations:

N4,1|10101⟩ = |10101⟩, C4,1(U)|10101⟩ = |10101⟩N4,1|10111⟩ = |00111⟩, C4,1(U)|10111⟩ = (U |1⟩)|0111⟩.

Example 2.8. The q-computation C12(U) is quite different from I2⊗U . In fact,the matrix of the latter is

u00 u01 0 0

u10 u11 0 0

0 0 u00 u01

0 0 u10 u11

Thus (I2⊗U)|00⟩ = |0⟩U |0⟩ = u00|0⟩|0⟩+u10|0⟩|1⟩, whereas C12(U)|00⟩ = |00⟩.


Example 2.9 (No cloning). In its most basic form, the no-cloning theorem is theassertion that there is no q-computation U of order 2 that satisfies

U(|b⟩|0⟩) = |b⟩|b⟩,

for b ∈ {0, 1}. Indeed, consider |x⟩ = ρ(|b⟩+ |b′⟩) and b′ = 1 + b. Then we have

U(|x⟩|0⟩) =

{|x⟩|x⟩ = ρ2(|b⟩|b⟩+ |b⟩|b′⟩+ |b′⟩|b⟩+ |b′⟩|b′⟩)ρU(|b⟩|0⟩+ |b′⟩|0⟩) = ρ(|b⟩|b⟩+ |b′⟩|b′⟩)

,

which is a contradiction.

Example 2.10. The swap gate is the q-computation of order 2 corresponding tothe classical swap j1j2 7→ j2j1:

|j1j2⟩ 7→ |j2j1⟩

Since it leaves |00⟩ and |11⟩ fixed and interchanges |01⟩ and |10⟩, its matrix is1 0 0 0

0 0 1 0

0 1 0 0

0 0 0 1

|j1〉

|j2〉 |j1〉

|j2〉

Example 2.11. The Toffoli gate is the q-computation of order 3 correspondingto the classical computation j1j2j3 7→ (j1 ·j2)+j3. It negates the bit j3 preciselywhen j1 = j2 = 1, so it is a doubly controlled negation. It interchanges |110⟩and |111⟩, leaving all other basis vectors fixed. It follows that its matrix is

1 0 0 0 0 0 0 0

0 1 0 0 0 0 0 0

0 0 1 0 0 0 0 0

0 0 0 1 0 0 0 0

0 0 0 0 1 0 0 0

0 0 0 0 0 1 0 0

0 0 0 0 0 0 0 1

0 0 0 0 0 0 1 0

|j2〉

|j3〉⊕

|j1〉 |j1〉

|j2〉

|(j1 · j2) + j3〉


The Toffoli gate can be seen as the q-computation of order 3 corresponding toa classical reversible computation of order 3 that defines a reversible version ofNand: if j3 = 1, then j′3 = Nand(j1, j2). For further details, �1.

Example 2.12. The Fredkin gate is the q-computation of order 3 correspondingto the classical computation 0j2j3 7→ 0j2j3 and 1j2j3 7→ 1j3j2. In other words,it is a controlled-swap. It interchanges |110⟩ and |101⟩ and leaves all other basisvectors fixed. Hence its matrix is

1 0 0 0 0 0 0 0

0 1 0 0 0 0 0 0

0 0 1 0 0 0 0 0

0 0 0 1 0 0 0 0

0 0 0 0 1 0 0 0

0 0 0 0 0 0 1 0

0 0 0 0 0 1 0 0

0 0 0 0 0 0 0 1

|j2〉

|j3〉

|j1〉

|j3〉

|j2〉

|j1〉

Note that if j3 = 0, then j′3 = And(j1, j2). If in addition j2 = 1, then j′2 =Not(j1). Thus the Fredkin gate can also be used to implement a reversibleversion of classical computation.

3. q-Measurements and q-procedures

In addition to the q-computations, in order to produce a mathematical modelof a quantum computation we need to include the operation of measuring a setL = {l1, . . . , lr} ⊆ {1, . . . , n} of q-bits. In the following, a ∈ H (n) will denotea unit q-vector. We think of this vector as the current state of a q-register oflenght n (the q-memory).

q-Measurements. For any binary vector of length r, sayM = m1 · · ·mr ∈ B n,we can form the subspace EM ⊆ H (n) generated by the basis vectors |j⟩ suchthat jL = M , where jL = jl1 · · · jlr . Its dimension is 2n−r. The orthogonalprojection of a to EM is the vector

aML =∑jL=M

aj |j⟩.


Since the spaces EM , M ∈ B n, are pairwise orthogonal and ⊕MEM = H (n),we conclude that

a =∑

M∈B n

aML

and that

1 = |a |2 =∑M

∣∣aML ∣∣2 ,so that the numbers pM =

∣∣aML ∣∣2 define a probability distribution on {M} =B r. The q-measurement or q-observation of the q-bits at the positions l1, . . . , lr,which we will denoteML(a ), is defined as consisting of the following two aspects:

(i) It extrats an M ∈ B n at random, with probability pM ;(ii) it resets the q-memory state to u (aML ), where u (x ) = x denotes the

unit vector defined by the non-zero q-vector x .

Notice that if M is the outcome of a trial, then aML = 0.

The q-vectors aML are said to be the collapses of a with respect to the posi-tions L.

Since a q-measurement produces a classical binary vector M and a new q-memory state, ML will be represented graphically as

MLa

aM

L

M

The fat line on the right represents the classical value supplied by the q-meas-urement and the thin one the collapsed state.

Example 3.1. As an illustration, let’s look to a few special cases. Considerthe case n = 3. If we measure the third q-bit, M3(a ), then there are twopossible values, 0 and 1, and the corresponding collapses are a 0

3 =∑

jk ajk0|jk0⟩and a 1

3 =∑

jk ajk1|jk1⟩. Their probabilities are p0 =∣∣a 0

3

∣∣2 and p1 =∣∣a 1

3

∣∣2.Similarly, for M13(a ) there are four possible outcomes and the correspondingcollapses are a rs13 = ar0s|r0s⟩ + ar1s|r1s⟩ (rs ∈ B 2), with probabilities prs =

|a rs13|2.

In the case when L = {1, . . . , n}, we write simply M(a ). In that case thepossible outcomes are the elements j ∈ B n and the corresponding collapses areaj |j⟩, with probabilities |aj |2. In this context, the coefficient aj is usually called

the (probability) amplitude of |j⟩, and the probability of this result is pj = |aj |2:the probability is the norm squared of the amplitude. If n = 3, for instance, thenthere are eight possible outcomes for M(a ) = M123(a ) and the corresponding

collapses are a rst123 = arst|rst⟩ (rst ∈ B 3) with probabilities prst = |arst|2.


A q-procedure is a sequence of actions, each of which is either a q-computationor a q-measurement, that are applied successively to |0 · · · 0⟩ (this is the defaultinitial state of the q-memory). Since procedures are meant to produce results,usually the last action is a q-measurement.

Example 3.2 (Random generator). The following q-procedure outputs randomnumbers of n bits with a uniform probability distribution:

Random

a = H⊗n|0 . . . 0⟩ = H|0⟩ · · ·H|0⟩, M(a )

Indeed, from the Example 1.3 we know that a is the Hadamard q-vector h (n)

and the amplitude of any binary vector of length n is 1/ρn, and so its probabilityis (1/ρn)2 = 1/2n.

4. q-Computers and q-Algorithms

A q-computer of order n is a system endowed with the following operations:

1. q-Memory

A store capable of holding any unit q-vector a ∈ H (n). We will say that a isthe q-memory state, or simply the state.

The operations 2, 3 and 4 below, which we will call elementary procedures, areto be applied successively, one at a time, to the current state. We also assumethat when the q-computer is switched on, the q-memory is set to the state|0 · · · 0⟩ = |0n⟩ (default state).

2. One q-bit rotations Rl(U), U ∈ U (1)

This is the action of U on the l-th q-bit. More precisely, it is the q-computationdefined as follows:

| · · · jl · · · ⟩ = | · · · ⟩ |jl⟩ | · · · ⟩ 7→ | · · · ⟩ U |jl⟩ | · · · ⟩.

For n = 2, for instance, R2(U) = I2 ⊗ U (cf. Example 2.8).

This kind of elementary q-procedures will be called U -gates. An U -gate willbe called restricted if U is the Hadamard matrix H or one of the phase shiftmatrices S = Sπ/2 or T = Sπ/4.

3. Controlled negations Nr,s

This q-computation negates the s-th q-bit if (an only if) the r-th q-bit is |1⟩.It is the linear map which is the identity on the basis q-vectors of the form


| · · · 0j · · · ⟩ and such that

| · · · 1j · · · 0k · · · ⟩ 7→ | · · · 1j · · · 1k · · · ⟩| · · · 1j · · · 1k · · · ⟩ 7→ | · · · 1j · · · 0k · · · ⟩

This kind of elementary q-procedures will be called Cnot gates.

4. Measurement ML(a ), L = {l1 < · · · < lr} ⊆ {1, . . . , n}

This elementary procedure has been explained in detail in the previous section.

q-Algorithms. A q-algorithm is a q-procedure involving elementary q-proced-ures only. We will say that a q-algorithm is internal if it does not involvemeasurements. A q-algorithm (internal or not) will be called restricted if it onlyinvolves restricted U -gates.

As a measure of the complexity of a q-algorithm we take the number of elemen-tary gates it involves. A q-algorithm is polynomial if its complexity is boundedby a polynomial in n.

Example 4.1 (Swap[r, s]). This internal q-algorithm is defined as follows:

Swap[r, s]

Nr,s, Ns,r, Nr,s

⊕

|k〉

|j〉

⊕

⊕|k〉

|j〉|j〉

|k〉 |j〉

|k〉

=

The q-computation performed by this algorithm amounts to interchanging ther-th and s-th q-bits, which means that it is equal to the linear map defined by

| · · · jr · · · js · · · ⟩ 7→ | · · · js · · · jr · · · ⟩

This statement is a direct consequence of the fact that it holds for classicalcomputations. Indeed, for any pair of bits, (x, y), we have:

N1,2(x, y) = (x, x+ y),

N2,1(x, x+ y) = (x+ x+ y, x+ y) = (y, x+ y),

N1,2(y, x+ y) = (y, y + x+ y) = (y, x).

Example 4.2 (Multiple H). Consists in applying the Hadamard gate H at anyindex on a given list L ⊆ {1, . . . , n} of positions:

Hadamard[L]

for l ∈ L do Rl(H)


Remark that if m ∈ {1, . . . , n}, Hadamard[{1, . . . ,m}] yields a q-algorithmfor the q-procedure |j⟩ 7→ (H⊗m|j1 · · · jm⟩)|jm+1 · · · jn⟩. This algorithm will bedenoted Hadamard[m]. In the case m = n, it is a q-algorithm for H⊗n andinstead of Hadamard[n] we will simple write Hadamard.

Similar algorithms can be devised replacing H by any U ∈ U (1). For example,U⊗n can be computed by the following q-algorithm:

for l ∈ {1, . . . , n} do Rl(U)

Example 4.3 (q-algorithm associated to a classical algorithm).If f : B n → B n is a reversible computation, then there is a classical algorithmthat computes f . This algorithm is a sequence of logical gates that are either aNot or a Nand. Even more, adding auxiliary bits if necessary, we may assumethat the Nand are reversible. Then the algorithm can be translated into a q-procedure consisting of q-gates that are either a Pauli X gate or a Toffoli gate.This q-procedure will become a q-algorithm if we can find a q-algorithm forthe Toffoli gate. A solution to this question can be expressed by the followingdiagram (cf. [15], Exercise 4.24):

⊕ H ⊕ T † ⊕ T ⊕ T † ⊕ T H

S⊕T †≡ T † ⊕

T

Toffoli

R3(H), N2,3, R3(T†), N1,3, R3(T ), N2,3, R3(T

†), N1,3, R3(T ), R3(H),

R2(T†), N2,3, R2(T

†), N1,2, R2(S), R1(T )

Example 4.4. In this example we show an algorithm for the q-procedure Cr,s(U),

U ∈ U (1), r, s ∈ {1, . . . , n} distinct position indices (see the Example 2.7 forthe definition). For this it we will use an Euler decomposition of U (see Remark2.6):

U = eiαAXBXC, ABC = I2.

With these notations, the q-algorithm is as follows:

Control[r, s, U ]

Rs(C), Nr,s, Rs(B), Nr,s, Rs(A), Rr(Sα)

We shall assume r = 1 and s = 2, as the argument can be easily adapted to thegeneral case. Note that if j1 = 0, then the N1,2 and R1(Sα) act as the identityand hence, since ABC = I2, Control also acts as the identity. If j1 = 1, thenthe action on |j2⟩ is AXBXC|j2⟩ and on |j1⟩ = |1⟩ by the phase factor eiα:

|1⟩|j2⟩ 7→ eiα|1⟩AXBXC|j2⟩ = |1⟩U |j2⟩.


≡

⊕ ⊕U C B A

Sα

Example 4.5 (Multicontroled U -gates). In this example we indicate how to ob-tain a q-algorithm for the q-procedure C{1,...,n},n+1(U) defined by the relations

|j⟩|jn+1⟩ 7→

{|1n⟩|1 + jn+1⟩ if j = 1n

|j⟩|jn+1⟩ otherwise

If we take V ∈ U (1) such that U = V 2, then the algorithm is based on thefollowing recursive recipe:

Control[{1, . . . , n}, n+ 1, U ]

Control[{2, . . . , n}, n+ 1, V ]

Control[{1, . . . , n− 1}, n,X]

Control[{2, . . . , n}, n+ 1, V †]

Control[{1, . . . , n− 1}, n,X]

Control[{1, . . . , n− 1}, n+ 1, V ]

In other words, an n-controlled U -gate is reduced to five (n − 1)-controlled U -gates. This is more easily grasped pictorially. Consider, for instance, the casen = 3:

U

⊕ ⊕

V V†

V

≡

If the first q-bit is |0⟩, then the action on the third q-bit is V V † = I2. If thesecond q-bit is |0⟩, then the action on the third q-bit is I2. If the third q-bitis |0⟩, and the first and second are |1⟩, then the action on the third q-bit isV †V = I2. Finally, if the three q-bits are |1⟩, then the action on the third q-bitis V 2 = U .

Example 4.6 (Action of U ∈ SU (1) on a plane). Consider the plane P = [|j⟩, |k⟩]spanned by two different basis vectors |j⟩ and |k⟩. Then we can let U =

[[a, b], [c, d]] ∈ SU (1) act on that plane in the obvious way: U |j⟩ = a|j⟩ + b|k⟩and U |k⟩ = c|j⟩ + d|k⟩. Moreover, we can extend this action to H (n) so that


U |l⟩ = |l⟩ for all l = j, k. Since |l⟩ is orthogonal to P , this action is a q-computation (we will write Uj,k to denote it). Note, for example, that if j = 1and k = 2, then the matrix of our q-computation is U ⊕ I2n−2.

The aim of this example is to indicate how to get a q-algorithm for Uj,k. Infact, by the previous example, it will be enough to show how to resolve Uj,k bymeans of simple and multicontrol U -gates. The simplest case is when |j⟩ and|k⟩ have the form

|j⟩ = |x⟩|0⟩|y⟩, |k⟩ = |x⟩|1⟩|y⟩.

Indeed, in this case U |j⟩ = a|j⟩ + b|k⟩ = |x⟩(a|0⟩ + b|1⟩)|y⟩ = |x⟩(U |0⟩)|y⟩,U |k⟩ = |x⟩(U |1⟩)|y⟩ (similar computation), and therefore Uj,k is a multicontrolU -gate, in the sense that if |l⟩ = |x′⟩|b⟩|y′⟩, then Uj,k|l⟩ = |l⟩ if x = x′ or y = y′

and otherwise it is equal to |x⟩(U |b⟩)|y⟩. Note that if the controlling value of abit is 0, then we can reduce it to the standard controlling value 1 and two Xgates, as shown in the picture (the white circle is to indicate that the controlvalue is 0):

U

≡ X X

U

If j and k differ in r ≥ 2 two places, let j′ ∈ B n be such that j′ differs in oneposition from j and in r − 1 positions from k. By induction we may assumethat there is a q-algorithm to compute Uj′,k, for the case r = 1 has already beenestablished. Now a q-algorithm for Uj,k is obtained on noticing that it coincideswith Xj,j′Uj′,kXj,j′ , where Xj,j′ is defined so that Xj,j′ |j⟩ = |j′⟩, Xj,j′ |j′⟩ = |j⟩and Xj,j′ |l⟩ = |l⟩ if l = j, j′. Since Xj,j′ is a (form of) multicontrol-Not, it canbe computed by a q-algorithm, and thus so it can Uj,k.

Example 4.7 (Fourier Transform). The Fourier transform (FT) on H (n) is thelinear operator

F : H (n) → H (n), |j⟩ 7→ f j = ρn∑k

ξjk|k⟩,

where ξ = ξn = ei2π2n = ei

π2n−1 .

Observe that F ∈ U (n):

⟨f j |f j′⟩ =1

2n

∑k

ξ(j′−j)k = δjj′ ,


QFT

for l ∈ {1, . . . , n} do

Rl(H)

for s ∈ {1, . . . , n− l} do Cl+s,l(Siπ/2s)

for l ∈ {1, . . . , ⌊n/2⌋} do Swap[l, n− l + 1]

This shows that QFT computes F with complexity O(n2). The swaps at theend are meant to restore the original order.

Here is a diagram to illustrate the case n = 4.

|j3〉

|j4〉

R1

|j2〉 R1 R2

|j1〉 R1 R2 R3

H

H

H

H

Remark 4.8. Let us point out, for later reference, that the formula (∗) can bewritten in the form

F |j⟩ = ρn(|0⟩+ e2πi 0.jn |1⟩)(|0⟩+ e2πi 0.jn−1jn |1⟩) · · · (|0⟩+ e2πi 0.j1j1···jn |1⟩),where, for binary digits b1, b2, . . . ,

0.b1b2 · · · =b12

+b222

+ · · ·

The q-algorithms presented so far provide nice illustrations of the followinggeneral result:

Theorem 4.9 (Universality of the U and Cnot gates).

1) Any q-computation can be realized by an internal q-algorithm.2) For any q-computation U there exists a restricted internal q-algorithm

which approximates U to any wanted degree.

Proof. �3 for 1) and �4 for 2). �

5. Deutsch’s and Grover’s q-algorithms

In this section we present two archtypal q-algorithms. The first, due to Deutsch–Josza [5], takes a Boolean function which is known to be constant or balancedand decides exactly which of the two possibilities actually occurs in O(n) steps.This is quite remarkable if we remember that the classical solution may requireup to 2n−1+1 steps (see below) and that q-algoritms are, in general, intrinsicallyprobabilistic.


The second, due to Grover [6], searches for an item in an unordered list of length

N in O(√N) steps. In this case the complexity gain is quite significant, as the

classical complexity is O(N), but the solution may be incorrect with a smallprobability. This fact need not be as bad as it could seem, because usually itis possible to recognize whether the returned item is the one we were searchingfor, with the idea that, if it is not, we can run the search again.

Deutsch’s problem. Let f : B n → B be a map, and assume we know that itis either constant or balanced (this means that the sets f−1(0) and f−1(1) havethe same cardinal). Then the Deutsch’s problem consists in deciding which ofthe two possibilities holds.

The classical solution is based on evaluating f on successive elements of B n.This process stops as soon as either we have found two different values, inwhich case f has to be balanced, or else the number of evaluations has exceeded2n−1, in which case f must be constant. Since the worse case requires 2n−1 + 1evaluations, the complexity of this procedure is exponential in n.

Deutsch’s q-procedure. The solution to Deutsch’s problem is provided by thefollowing Deutsch–Jozsa q-procedure:

1. Initialize a q-computer of order n+ 1 with |u 1⟩ = |0⟩ n). . .|0⟩|1⟩.

2. Using Example 4.2, obtain

|u 2⟩ = H⊗(n+1)|u 1⟩ = ρn+12n−1∑j=0

|j⟩(|0⟩ − |1⟩).

3. Let Ufbe the q-computation corresponding to the classical (reversible) com-

putation B n × B → B n × B , (x, b) 7→ (x, b + f(x)) and let |u 3⟩ = Uf|u 2⟩.

Since

U(|j⟩|b⟩) = |j⟩|b+ f(j)⟩

we clearly have

|u 3⟩ = ρn+12n−1∑j=0

|j⟩(|f(j)⟩ − |1 + f(j)⟩).

Note that this can be written as

ρn+12n−1∑j=0

(−1)f(j)|j⟩(|0⟩ − |1⟩) = ρn+1∑jr∈B

(−1)f(j1···jn)|j1 · · · jn⟩(|0⟩ − |1⟩).


4. Compute |u 4⟩ = (H⊗n ⊗ I2) |u 3⟩. Since(H⊗n ⊗ I2)|j1 · · · jn⟩(|0⟩ − |1⟩) = (H|j1⟩) · · · (H|jn⟩)(|0⟩ − |1⟩)

= ρnn∏r=1

(|0⟩+ (−1)jr |1⟩)(|0⟩ − |1⟩)

= ρn∑ks∈B

(−1)j·k|k1 · · · kn⟩(|0⟩ − |1⟩),

where j · k = j1k1 + · · ·+ jnkn is the scalar product of the binary vectors j andk, we find

|u 4⟩ = ρ2n+1∑ks∈B

∑jr∈B

(−1)j·k+f(j1···jn)|k1 · · · kn⟩(|0⟩ − |1⟩),

which can be summarized as

ρ2n+1∑j,k

(−1)j·k+f(j)|k⟩(|0⟩ − |1⟩).

Let us look at the coefficient ak = ρ2n+1∑

j(−1)j·k+f(j) of |k⟩(|0⟩ − |1⟩) in

this expression. If f is constant, ak = ρ2n+1(−1)f(0)∑

j(−1)j·k, so that a0 =

(−1)f(0)ρ and ak = 0 for k = 0. If f is balanced then a0 = ρ2n+1∑

j(−1)f(j) = 0,and clearly ak = 0 for some k = 0. We can summarize these findings as follows:

|u 4⟩ =

{ρ|0⟩ (|0⟩ − |1⟩) iff is constant,∑

k =0 ak|k⟩ (|0⟩ − |1⟩) iff is balanced,

5. The last step consists in measuring the first n q-bits. If f is constant, theresult is 0 with centainty, and if f is balanced, then we obtain a non-zero integer.Hence, the algorithm decides exactly whether f is constant or not.

Deutsch’s q-algorithm. Given a map f : B n → B which is either constant orbalanced, this q-algorithm returns 0 if and only if f is constant. We will work at

order n+1 and we will let f denote the classical reversible computation definedby (x, b) 7→ (x, b+ f(x)), x ∈ B n, b ∈ B .


Deutsch[f ]

→ |0n⟩|0⟩Rn+1(X) → |0 · · · 0⟩|1⟩Hadamard[n] → ρn+1

∑2n−1j=0 |j⟩

(|0⟩ − |1⟩

)Uf

→ ρn+1∑2n−1

j=0 (−1)f(j)|j⟩(|0⟩ − |1⟩

)Hadamard[n] → ρ2n+1

∑k

∑j(−1)j·k+f(j)|k⟩

(|0⟩ − |1⟩

)//ρ|0n⟩(|0⟩ − |1⟩) if f is constant, and

//∑

j =0 aj |j⟩(|0⟩ − |1⟩) if f is balanced.

M{1,...,n} → M

if M = 0 then Constant else Balanced

Grover’s search

Suppose {j → xj | j = 0, . . . , N − 1} is a database with N = 2n items. If we areto search for the j such that xj satisfies some condition, like finding the positionof a given number in a random list, in the worst case we will have to examineall the N items. In any case, to find a randomly chosen value x we will need,on the average, N/2 tests.

The remarkable discovery of Grover [6, 7] is that there is a q-algorithm with

complexity O(√N/M) that finds an x satisfying the condition, where M is the

number of solutions to the query.3

Grover’s procedure. Let J1 (J0) be the subset of {0, 1, . . . , N − 1} formedwith the j such that xj satisfies (does not satisfy) the condition in question.Consider the map f : B n → B such that

f(j) =

{0 if j ∈ J0

1 if j ∈ J1.

Define the unit q-vectors

a =1√

N −M

∑j∈J0

|j⟩ and b =1√M

∑j∈J1

|j⟩.

3Grover’s q-algorithm is probabilistic, in the sense that there is a small probability p thatthe outcome of a run does not satisfy the condition. As it is customary is such cases, runningthe algorithm some fixed number of times k (this does not change the complexity) will yield ananswer that may be wrong with probability pk, a value that usually is negligibly small alreadyfor small k.


The non-zero summands in b (respectively a ) are the basis vectors correspond-ing to the solutions (non-solutions) of our query. Note also that

h (n) =

√N −M

Na +

√M

Nb = cos(

φ

2)a + sin(

φ

2)b ,

where the last equality defines φ ∈ (0, π) uniquely: φ = 2arcsin(√M/N).

b

ϕ/2a

h(n)

Remark 5.1. Using the trigonometric formulae for the double angle we get that

sin(φ) = 2√M

√N−M

N , cos(φ) = N−2MN . �

To explain how Grover’s procedure works, we need to introduce two q-computa-tions of order n, which we denote Gf and K. The definition of Gf is as follows(j ∈ B n):

Gf (|j⟩) =

{−|j⟩ if j ∈ J1

|j⟩ if j ∈ J0

In other words, Gf is the reflexion with respect to the space spanned by thenon-solutions. In particular, Gf (a ) = a and Gf (b ) = −b . Therefore we alsohave

Gf (h(n)) = Gf

(cos(φ2

)a + sin

(φ2

)b)= cos

(φ2

)a − sin

(φ2

)b .

The q-computation K, which does not depend on f , is defined as

K(x ) =∑j

(2x− xj)|j⟩,

where x = Av(x ) = 1N

∑j xj , the average of the amplitudes xj of x (we say

that K is the inversion with respect to the mean). This linear map is indeed aq-computation, for it preserves the norm:

|K(x )|2 =∑j

(2x− xj)(2x− xj)

= 4Nxx− 2x∑j

xj − 2x∑j

xj +∑j

xj xj

= 4Nxx− 2Nxx− 2Nxx+ |x |2

= |x |2 .

Now Grover’s q-procedure can be described as follows:


1. Let u 0 = h (n) = cos(φ2

)a + sin

(φ2

)b .

2. For j = 1, . . . ,m =

⌊π

2φ

⌋, define u j = K(Gf (u j−1)).

3. Return M(um).

The main reason why this procedure works is that in the plane spanned by aand b the map KGf is a rotation of amplitude φ. Actually it is enough to showthat

Ka = cos(φ)a + sin(φ)b

and

K(−b ) = − sin(φ)a + cos(φ)b ,

and this follows from a straightfoward computation using the definition of Kand the formulae in Remark 5.1 (�5). In particular we have

u j = a cos2j + 1

2φ+ b sin

2j + 1

2φ.

This tells us that the optimal choice for the number m of iterations in step 2 isthe least positive integer such that um is closest to b , and this clearly occurswhen m is the nearest integer to

(π

2− φ

2)/φ =

π

2φ− 1/2,

that is, when m = ⌊ π2φ⌋ =

⌊π

4 arcsin(√M/N)

⌋.4

Remark 5.2. Since arcsin(x) > x for x ∈ (0, π2 ), we have

m ≤ π

4 arcsin√M/N

≤ π

4

√N/M.

Hence also m ≤⌊π4

√N/M

⌋. Since π

4x − π4 arcsin(x) < 1 for all x ∈ (0, 1), we also

have⌊π4

√N/M

⌋≤ m + 1. A more detailed study shows that when x → 0 the

intervals in which⌊π4x

⌋=⌊

π4 arcsin(x)

⌋+ 1 become negligibly small compared to

the intervals in which⌊π4x

⌋=⌊

π4 arcsin(x)

⌋. Thus if we iterate

⌊π4

√N/M

⌋times

the loop in step 2 of Grover’s q-procedure, we would get the right number ofrotations most of the time and otherwise we would go one step beyond, whichin practice gives a q-vector that is almost as good as the previous one.

The probability of obtaining a right answer in a run of Grover’s q-procedureis p = sin2(2m+1

2 φ), as sin(2m+12 φ) 1√

Mis the amplitude in um of any of the

M solutions. Similarly, the probability of obtaining an erroneous answer is

4We use that the nearest integer to x− 12is ⌊x⌋.


q = cos2(2m+12 φ). Since the specification on m entails that 2m+1

2 φ = π2 +ε, with

|ε| ≤ φ/2, we see that

p = sin2(π

2+ ε) = cos2(ε) = cos2(|ε|)

≥ cos2(φ2

)= cos2

(arcsin

(√M/N

))= 1− M

N.

Hence also q = 1− p ≤M/N .

Example 5.3. Let us illustrate the ideas so far with the case n = 8 and M = 1.We get N = 256, φ = 7.166643◦, m = 12. The slope of the vector u 12 is89.583042◦ and the probability of success is p = 0.999947. Note that p is muchcloser to 1 than the lower bound 1 − M/N = 1 − 1/256 = 0.996094. Theprobability of error is q = 0.000053, again much closer to 0 than the upperbound M/N = 1/256 = 0.003906.

b

ϕ/2 a

0

1

2

3

4

5

6

7

8

910

1112

ϕ

Grover’s algorithm. Given a map f : B n → B for which we know that M =∣∣f−1(1)∣∣ > 0, this q-algorithm computes Grover’s q-procedure for f . We will

work at order n+1 and we will let f denote the classical reversible computationdefined by (x, b) 7→ (x, b+ f(x)), x ∈ B n, b ∈ B . As before, the correspondingq-computation will be denoted Uf . We will use the notations m and u j (j =

0, 1, . . . ,m) from the forgoing discussion.

It is easy to phrase the sought q-algorithm Grover[f ] in terms of q-algorithmsGroverG[f ] and GroverK for Gf and K:


Grover[f,m]

→ |0n⟩Hadamard → u 0 = h (n)

for j ∈ {1, . . . ,m} do

GroverK GroverG[f ] |u j−1⟩ → |u j⟩M(um) → M

To describe GroverG[f ] we will also work at order n+ 1. The last q-bit playsan ancillary role and initially it is supposed to be in the state |1⟩. Since at theend it will recover this state, GroverG[f ] is revealed by looking at the finalstate of the q-bits other than the last.

GroverG[f ]

→ |x ⟩|1⟩// Set x = x 0 + x 1, x i =

∑j∈Ji xj |j⟩, i = 0, 1.

Rn+1(H) → ρ(|x 0⟩|0⟩+ |x 1⟩|0⟩ − |x 0⟩|1⟩ − |x 1⟩|1⟩

)Uf → ρ

(|x 0⟩|0⟩+ |x 1⟩|1⟩ − |x 0⟩|1⟩ − |x 1⟩|0⟩

)= (|x 0⟩ − |x 1⟩)(H|1⟩)

Rn+1(H) → |Gfx ⟩|1⟩

GroverK

→ |x ⟩Hadamard

for l ∈ {1, . . . , n} do

Rl(X)

//This loop acts as X⊗n

C{2,...,n},1(Z)

//Z to first q-bit controlled by all the others.

for l ∈ {1, . . . , n} do

Rl(X)

//X⊗n

Hadamard → |K(x )⟩

The justification that this q-algorithm computes K is based on the followingobservations:


1) K = 2Ph (n) −IN , where Pa denotes the orthogonal projector onto a (for unita , Pa x = ⟨a |x ⟩a ). Indeed, the claim follows immediately from the relation

Ph (n)x = ⟨h (n)|x ⟩h (n) = ρ2n(∑

xj)∑

|j⟩ = Av(x )∑

|j⟩

and the definition of K.

2) K = H⊗n(2P|0n⟩ − IN)H⊗n. This is a direct consequence of the formula

UPaU−1 = PUa , where U is a arbitrary q-computation and a any q-vector, and

the preceding formula. Note that if we apply UPaU−1 to Ux we obtain Ua if

x = a and 0 if x is orthogonal to a .

3) IN − 2P|0n⟩ = X⊗nC{2,...,n},1(Z)X⊗n. Note that IN − 2P|0n⟩ changes the sign

of |0n⟩ and is the identity on all |j⟩ with j = 0n. In relation to the right hand sideof the formula, observe that C{2,...,n},1(Z), and hence the whole composition, willdo nothing on |j⟩ if not all j2, . . . , jn are 0. If j2 = · · · jn = 0, then C{2,...,n},1(Z)

applies Z to |j1⟩, and, by the definition of Z (Z|0⟩ = |0⟩, Z|1⟩ = −|1⟩), thisaction does nothing if j1 = 1 and changes its sign if j1 = 0.

4) The analysis of Grover’s q-algorithm has to be completed with a q-algorithmfor C{2,...,n},1(Z). But this can be obtained as indicated in the Example 4.5.

6. Phase estimation

Let U be a q-computation of order n, and let u ∈ H (n) be an eigenvector of U .The corresponding eigenvalue can be written in the form e2πiφ, with φ ∈ [0, 1).Assuming that U and u are known, then the phase estimation problem consistsin obtaining r bits φ1, . . . , φr, for a given r, of the binary expansion 0.φ1φ2 · · ·of φ.

The aim of this section is to phrase and analyze the interesting q-algorithmdiscovered by Kitaev [11] to solve this problem.

Since we need some ancillary q-bits, say m, we will work in H (m) ×H (n). Thealgorithm assumes that we can initialize H (n) with the q-vector u and also

that we are able to perform the ‘controlled’ q-computations Cm−l+1(U2l−1

), for

l = 1, . . . , n, defined on H (m) ×H (n) as follows:

Cm−l+1(U2l−1

)(|φ1 · · ·φm⟩|u ⟩

)=

{|φ1 · · ·φm⟩|u ⟩ if φm−l+1 = 0

|φ1 · · ·φm⟩(U2l−1 |u ⟩

)if φm−l+1 = 1


Kitaev’s q-algorithm

Kitaev[U,u ]

0. → |0m⟩|u ⟩1. Hadamard[m] → |h (m)⟩|u ⟩2. for l ∈ 1..m do

Cm−l+1(U2l−1

)

3. QFT†[m]

4. M{1,...,m}

We will analyze this algorithm in two steps, denoted A and B below. In thefirst we will assume that φ = 0.φ1 · · ·φm and in the second we will look at thegeneral case. The following diagram illustrates the steps 0-2.

|0〉

|0〉

|0〉

...

|0〉

...

......

...

...

...

...

...

...

...

...

H

H

H

H

U U2

U4 U

2m−1|u〉

|0〉+ e2πi(2m−1ϕ)|1〉

|0〉+ e2πi(22ϕ)|1〉

|0〉+ e2πi(21ϕ)|1〉

|0〉+ e2πi(20ϕ)|1〉

n

m

A. The action of U2l−1only changes |u ⟩ by a factor, either 1 or e2πi2

l−1φ de-pending on whether the controlling bit is |0⟩ or |1⟩. Now this factor may bemoved next to the controlling bit and therefore the state at the end of the loop2 can be written in the form

(1) ρm(|0⟩+ e2πi2

m−1φ|1⟩)(

|0⟩+ e2πi2m−2φ|1⟩

)· · ·(|0⟩+ e2πi2

0φ|1⟩).

This, in the notation of binary expansions, takes the form

(2) ρm(|0⟩+ e2πi 0.φm |1⟩

) (|0⟩+ e2πi 0.φm−1φm |1⟩

)· · ·(|0⟩+ e2πi 0.φ1···φm |1⟩

),

as e2πik = 1 for any integer k. But by the Remark 4.8, this expression is equalto F |φ⟩, which is computed by the q-algorithm QFT (Example 4.7). Thus itis clear that we recover the state |φ⟩|u ⟩ by applying F † ⊗ I2n , where F

† is theinverse of F . We have denoted QFT†[m] the q-algorithm for F † that is obtained


by carrying out QFT in reverse order. Thus Kitaev supplies φ exactly in thecase where φ can be expressed with m bits.

B. The reasoning is somewhat more involved when φ cannot be expressed usingm bits. In this case, F † ⊗ I2n does not give the q-vector |φ⟩|u ⟩, but a super-position of the form

∑al|l⟩|u ⟩. As we will show below, this difficulty can be

overcome in order to obtain the first r bits of φ provided r ≤ m.

By expanding the product in the formula (2), we see that it can be writen inthe form

ρm2m−1∑k=0

e2πiφk|k⟩|u ⟩.

The result in step 3 is

ρm2m−1∑k=0

e2πiφk(F †|k⟩

)|u ⟩ = ρ2m

2m−1∑k=0

e2πiφk2m−1∑l=0

e−2πikl2m |l⟩|u ⟩

= ρ2m2m−1∑l=0

(2m−1∑k=0

e2πi(φ−l/2m)k

)|l⟩|u ⟩

= ρ2m2m−1∑l=0

1− e2πi(φ−l/2m)2m

1− e2πi(φ−l/2m)|l⟩|u ⟩

Finally the result of step 4, the measurement of the first m bits, is also clear: itwill be an m-bit integer l drawn with probability5

(∗) pl = ρ4m

∣∣∣∣∣1− e2πi(φ−l/2m)2m

1− e2πi(φ−l/2m)

∣∣∣∣∣2

= ρ4msin2 π

(φ− l/2m

)2m

sin2 π(φ− l/2m

)With this distribution law we can now estimate what are the chances that thefirst r bits of l (0 < r ≤ m) agree with f = φ1 · · ·φr. Indeed, using theprobabilities pl one can show (�6) that

(∗∗) p(|2mφ− l| > 2m−r) ≤ 1

2(2m−r − 2).

Therefore we can guarantee that r bits are correct with probability 1 − ε if1

2(2m−r−2)≤ ε, a relation that is equivalent to

m ≥ r + log2

(2 +

1

2ε

).

5We use the formula∣∣1− eiα

∣∣2 = 4 sin2(α/2), which is a consequence of∣∣1− eiα

∣∣2 =

(1− eiα)(1− e−iα) = 2− (eiα + e−iα) = 2(1− cosα).


7. Modular order of an integer

The object of this section is a presentation of Shor’s q-algorithm for findingordN (a), the order of a positive integer a modulo a positive integer N , provided(a,N) = 1. By definition, r = ordN (a) is the least positive integer such thatar ≡ 1 mod N or, in other words, the order of a seen as an element of thegroup Z∗

N .

From a classical point of view, finding ordN (a) is related to the search of thedivisors of ϕ(N) (where ϕ denotes the classical Euler’s totient function), whichhas exponential complexity in terms of n = log2(N) (see [1] for details). By con-trast, Shor’s q-algorithm produces a probabilistic solution which is polynomialin n.

First let us fix some notations. Set r = ordN (a) and n = ⌈log2(N)⌉. Next definethe q-computation Ua = Ua,N of order n by the relation

Ua|j⟩ =

{|aj mod N⟩ if j < N

|j⟩ if N ≤ j < 2n.

It is indeed a q-computation, as the map ZN → ZN such that j 7→ aj mod Nis bijective (a permutation map). The inverse q-computation is Ua−1,N . Finallydefine, for every s ∈ {0, . . . , r − 1}, the q-vector of order n

u s =r−1∑j=0

e−2πij sr |aj mod N⟩.

Applying the operator Ua to u s we get

Uau s =r−1∑j=0

e−2πij sr |aj+1 mod N⟩ = e2πi

sru s,

which means that u s is an eigenvector of Ua,N with eigenvalue e2πisr .

At this point it would seem natural to apply Kitaev’s q-algorithm to estimatethe phase s/r of e2πi

sr , with the idea that the information gained in this way

could give us precious information about r. However this does not work, sincethe eigenvector u s would be known only if r were already known.

Fortunately this can be circumvented with the observation that

1√r

r−1∑s=0

|u s⟩ = |1n⟩.

Indeed, if in Kitaev’s q-algorithm we set m = 2n+ 1 +⌈2 + 1

2ε

⌉and we let the

initial state be |0m⟩|1n⟩, then, with probability (1−ε)/r, we will get an estimate


φ ≈ s/r with 2n+ 1 correct bits. Now we have that∣∣∣sr− φ

∣∣∣ ≤ 1

22n+1≤ 1

2r2

and hence, letting s/r = s′/r′ with (s′, r′) = 1, the inequality∣∣∣∣s′r′ − φ

∣∣∣∣ ≤ 1

2r′2

also holds. By a well known result in continued fractions (see [8]), s′/r′ must bea convergent of φ. As φ is a rational number, its set of convergents is finite andcan be computed by the continued fraction algorithm. Summarizing, the choiceof m in the phase estimation procedure assures that, with a probability of 1− ε,there exists a convergent φ such that its denominator is either r if (s, r) = 1 ora divisor of r if (s, r) = 1.

If (s, r) = 1 then r is the order of a. This fact can be checked directly computingarn mod N where sn/rn is a convergent of φ. If (s, r) = 1, then ar mod N isnot equal to 1, and we need to repeat the phase estimation algorithm in orderto get an estimation such that (s, r) = 1. Using the prime number theorem(see [1]), one can show that repeating the algorithm O(n) times, with highprobability we get an estimation φ with a convergent s/r such that (s, r) = 1(�7).

The number of steps of the whole q-algorithm is O(n4): the more complex

step is associated to the continued fraction algorithm, with complexity O(n3),

which needs to be repeated O(n) times in order to assure, with high probability,a convergent s/r such that (s, r) = 1.

With further improvements of these ideas (see [15]) the complexity can be re-duced to O

(n3).

Shor’s order-finding

Let 1 < a < N be positive integers such that (a,N) = 1 and ε > 0 a (small)real number. The algorithm described below finds r = ordN (a) with probability1− ε with an average number of iterations which is O(n). The total complexityis O(n4). The algorithm ContFrac returns, given a rational number, the list ofthe denominators of its convergents (�8).


Shor-Order[a,N, ε]

n = ⌈log2(N)⌉, m = 2n+ 1 + log2(2 + 1

2ε

)//Working q-space: H (m) ⊗H (n)

0. → |0m⟩|0n⟩1. Hadamard[m] → ρm

∑2m−1j=0 |j⟩|0n⟩

2. Ua,N → ρm√r

∑r−1s=0

∑2m−1j=0 e2πij

sr |j⟩|u s⟩

3. QFT†[m] → 1√r

∑r−1s=0

∣∣∣s/r⟩ |u s⟩

4. M =M{1,...,n} → s/r

5. ContFrac → D

6. for r′ ∈ D do

if ar′mod N = 1, return r′

7. return Not-successful

//r′|r, and r′ = r in O(n) iterations

Since the condition r′ = r is met in O(n) iterations, we will get the correct orderr with an average time O(n4). This is the algorithm we need in the next Sectionand will be denoted Shor-Order(a,N).

8. Shor’s factoring q-algorithm

A fundamental problem in computacional number theory is the search of properdivisors of a big positive integer N . The difficulty of this problem (by classicalalgorithms) provides a basis for efficient criptographic algorithms [18]. Amaz-ingly, the quantum framework permits a solution whose complexity is polyno-mial in n = log2(N). The key idea is to reduce, by a well known procedure, thefactoring problem to and order-finding problem and then use the q-algorithmShor-Order studied in Section 7 to solve the latter.

Thus we first review how to go from factoring to order-finding and then we willformulate the q-algorithm Shor-Factor by calling Shor-Order.

From order-finding to factoring. Let N be a positive integer. Since thereare efficient classical algorithms to decide whether N is a primer power pr,6

henceforth we will assume that N is not a prime power. It is also harmless toassume that N is odd. It will be enough to find a proper divisor d of N , forthen N = d · (N/d) and we can proceed recursively with the factors d and N/d.

6 If N = mr, m > 1, then r ≤ log2(N). For each such r, r > 1, let m =⌊N1/r

⌋and check

whether mr = N . If the equality holds, N is an exact power and factoring N is reduced tofactoring m. Otherwise N is not an exact power and hence, in particular, not a prime power.


Now the main observation is that we can obtain a proper factor of N if we areable to produce an integer x ∈ {2, . . . , N − 1} such that

(1) (x,N) = 1;(2) r = ordN (x) is even.

(3) xr2 + 1 is not divisible by N .

Indeed, since by definition r is the least positive integer such that xr = 1mod N (the condition 1 implies that this number exists), we see that xr − 1 =(xr2 − 1

)(xr2 + 1

)is divisible by N . Since neither x

r2 −1 nor x

r2 +1 is divisible

by N , it follows that a prime factor of N must divide either xr2 − 1 or x

r2 + 1.

Therefore either gcd(xr2 − 1, N

)or gcd

(xr2 + 1, N

)is a proper divisor of N .

So we are led to the question of finding an x satisfying the three conditionsabove. As we will see, this can be accomplished, with good chances, by pickingx at random in {2, . . . , N − 1}. Indeed, iff (x,N) > 1, then d = (x,N) is aproper divisor of N and we are done. So we may assume that (x,N) = 1, and

hence that r = ordN (x) exists. How likely are we that r is even and xr2 + 1 is

not divisible by N? The following proposition provides the answer we need.

Proposition 8.1. Let N be a positive integer with m ≥ 2 distinct prime factors.Then the density of the set

{x ∈ Z∗N | r = ordN (x) is even and x

r2 + 1 is not divisible by N}

in Z∗N is ≥ 1− 1

2m−1 .

Proof. See �9. �Example 8.2. Consider the number N = 904279, which is odd and not a primepower. We pick a number x at random in {1, . . . , N − 1} (say as the valueof random(N)). In our case we got x = 743579. We check that (x,N) = 1(gcd(x,N)→1), so r = ordN (x) exists. We get r = 150396, as the value of

order(x,N). This is even and(xr2 − 1, N

)gives the (prime) divisor 907 and(

xr2 + 1, N

)gives the (prime) divisor 997. Finally we check that N = 907 · 997.

Shor’s q-algorithm for factoring integers. As explained in the precedingsection, we assume that N is an odd positive integer which is not a prime power.


Shor-Factor[N ]

x, r, d

1. random(N) → x

2. if d = (x,N) > 1, return d

3. Shor-Order(x,N) → r

4. if r ≡ 1 mod 2, go to 1.

5. if d =(xr2 − 1, N

)> 1 return d

6. if xr2 + 1 mod N = 0, go to 1.

7. return d =(xr2 + 1, N

)The complexity of Shor-Factor is determined by step 3, and so its averagecost is O(n4), n = log2(N).

A more detailed analysis (�10) shows that the average number of go to in steps4 and 6 is O(1).

9. Physical interpretations

In this section we will present how q-computations can be interpreted in (ax-iomatic) physical terms. For a deeper understanding of the physics involved, seefor example [20, 10, 21].

1. Quantum states. A quantum system Σ is characterized by a complexvector space E endowed with a Hermitian scalar product ⟨x |y ⟩ (i.e., linear in yand conjugate-linear in x ). For the purposes of quantum computation we mayalso asume that E has finite dimension.

The non-zero vectors x ∈ E represent (pure) states of Σ, and two non-zerovectors x ,y ∈ E represent the same state if and only if there exists ξ ∈ C suchthat y = ξx .

In particular, any state can be represented by a unitary vector u (determinedup to a phase factor eiα). Thus the state space of Σ is the projective spaceassociated to E (it is usually denoted PE).

Following Dirac’s notations, we will write |u ⟩ to denote the state correspondingto u (in projective geometry it is denoted [u ]). If v ∈ E is arbitrary, butnon-zero, we have |v ⟩ = |v ⟩, where v is the unit vector v / |v |.

Quantum superposition. Given two states |u ⟩ and |u ′⟩ and complex numbersa = α + βi and a′ = α′ + β′i, we can form the state |au + a′u ′⟩. Such statesare said to be a quantum superposition of the states |u ⟩ and |u ′⟩ and are often


denoted, by abuse of notation, as a|u ⟩+ a′|u ′⟩. In geometrical terms, they arethe points on the line determined by |u ⟩ and |u ′⟩.

2. Observables. An observable of Σ is a linear map A : E → E such that

⟨Ax |y ⟩ = ⟨x |Ay ⟩.If we express A with respect to an orthonormal basis, it is easy to check thatthis condition is equivalent to A = A†. In other words,

observable ≡ self-adjoint operator

If a1, . . . , ar are the distinct eigenvalues of A, then a1, . . . , ar ∈ R and

(3) A =∑j

ajPj ,

where Pj : E → Ej is the orthogonal projection from E onto the space ofeigenvectors of A with eigenvalue aj , namely

Ej = {x ∈ E | Ax = ajx }.

The result of an observation or measure of A when Σ is in the state |u ⟩ is oneof the eigenvalues aj , with probability

pj = |Pju |2 = ⟨u |Pju ⟩,and also that Σ is reset to the state Pju (or, more precisely, to |Pju ⟩). Notice

that u =∑

j Pju and hence 1 = |u |2 =∑

j |Pju |2 =∑

j pj , as the Ej are pair-

wise orthogonal. Note also that ⟨u |Pju ⟩ − |Pju |2 = ⟨u |Pju ⟩ − ⟨Pju |Pju ⟩ =⟨u − Pju |Pju ⟩ = 0, since u − Pju is orthogonal to Ej by definition of Pj .

In particular, if u ∈ Ej , then the observation yields aj with certainty and Σremains in the state |u ⟩.

Example 9.1. If F is a linear subspace of E, the orthogonal projection PF :E → F is an observable with eigenvalues 1 and 0: E1 = F and E0 = F †. Theobservables of this form are called propositions or eventualities. Note that theprobability of measuring 1, if the system is in the state u ∈ E, is |PF (u )|2.

The formula (3) shows that any observable is a linear combination with realcoefficients (the values aj) of eventualities (the projector Paj is the eventualitycorresponding to the space Ej = Eaj ). Seen in this light, an observable can beidentified with a list of pairs {(a1, E1), ..., (ar, Er)}, where a1, . . . , ar ∈ R (thepossible values of the observable) and E1, . . . , Er ⊆ E are linear subspaces of Esuch that E = E1 ⊕ · · · ⊕ Er and Ej ⊥ Ek for j = k. The non-zero vectors ofEj represent states for which the measured value is aj with certainty and the

non-zero vectors in the orthogonal E⊥j = ⊕k =jEk represent states for which the

measured value is = aj with certainty. Note that the probability of obtainingaj agrees with the probability of observing 1 for the eventuality defined by Ej .


3. Unitary dynamics. If Σ lies in a non-reactive environment (i.e., theenvironment is not affected by Σ) in the time interval [0, t], there exists a unitaryoperator

U : E → E

such that

b = Ua

represents the state of Σ at time t if a ∈ E represents the state of Σ at time 0.

Example 9.2. If H is an observable, the operator

U = eiHt

is unitary, as U † = e−iH†t = e−iHt = U−1. It is customary to say that U = eiHt

is the time evolution defined by the Hamiltonian H.

4. Entanglement. If Σ′ is a second quantum system with associated spaceE′, then the associated space of the composite system Σ + Σ′ is E ⊗ E′, withthe natural hermitian bracket defined by the relation

⟨x ⊗ x ′|y ⊗ y ′⟩ = ⟨x |y ⟩ · ⟨x ′|y ′⟩.

If u ∈ E and u ′ ∈ E′ are unit vectors, the state |u ⊗u ′⟩ is also denoted |u ⟩|u ′⟩,or |uu ′⟩, and it is thought as the state of the composite system correspondingto the state |u ⟩ of Σ and |u ′⟩ of Σ′. We will say that they are compositestates. Note, however, that in general the states of the composite system arenot composite states. A simple example is given by |u 1 ⊗ u ′

1⟩ + |u 2 ⊗ u ′2⟩ if

u 1,u 2 ∈ E (respectively u ′1,u

′2 ∈ E′) are orthogonal unit vectors (�11). Since

the non-composite states are superposition of composite states (any vector inE ⊗ E′ is a sum of composite vectors), the non-composite states are calledentagled states.

Example 9.3 (q-bits). The states of a spin-12 particle (system Σ(1)) can be

thought as points lying on the sphere S2 of radius 1 (in suitable units).

The complex space associated to this system according to axiom 1 is C2 (spinorspace).

This fact can be argued as follows.

Identify ξ = x + iy ∈ C with the point (x, y, 0) ∈ R3 and consider the pointP = P (ξ) of

S2 = {(x, y, z) ∈ R3|x2 + y2 + z2 = 1}

obtained by stereographic projection from N = (0, 0, 1):

P =

(2x

x2 + y2 + 1,

2y

x2 + y2 + 1,x2 + y2 − 1

x2 + y2 + 1

).


ξ = x+ iy

P (ξ)

x

y

z

N

Setting P (∞) = N , we get a bijection between C = C ∪ {∞} and S2. Theinverse map is given by

(x, y, z) 7→ x

1− z+ i

y

1− z, for z < 1,

and N = [0, 0, 1] 7→ ∞, for z = 1.

On the other hand we also have

C ≃ PC2 = P1C,

for any element [ξ0, ξ1] ∈ C2 is proportional to a unique vector of the form[1, ξ] when ξ0 = 0, and to [0, 1] if ξ0 = 0. Thus we have a bijective map

C → P1C, ξ 7→ [1, ξ], ∞ 7→ [0, 1].

The inverse map is given by

[ξ0, ξ1] 7→

{ξ = ξ1/ξ0 if ξ0 = 0

∞ if ξ0 = 0

These considerations indicate that we may take C2 as the space associated toΣ(1).

Note. The sphere S2, with the structure of P1C, is called the Riemann sphere. It

is the simplest compact Riemann surface. In quantum computation references,it is often called the Bloch sphere or even the Poincare–Bloch sphere.

Remark 9.4. Let P = (x, y, z) be a point of S2 and define φ as the argument ofx + iy and θ as the angle between OP and ON , where O is the center of thesphere. The relation between the spherical coordinates (φ, θ) and the cartesiancoordinates (x, y, z) is given by the formulas

(4) x = sin θ cosφ, y = sin θ sinφ, z = cos θ.


The point in C corresponding to P (x, y, z) is

ξ =x

1− z+ i

y

1− z=

sin θ cosφ

1− cos θ+ i

sin θ sinφ

1− cos θ=

sin θ

1− cos θeiφ = eiφ cot θ2 .

Since this corresponds to the point

[1, eiφ cot θ2 ] ∼ [e−iφ/2 sin θ2 , e

iφ/2 cos θ2 ] ∈ P1C,

we conclude that

(5) p = e−iφ/2 sin θ2 |0⟩+ eiφ/2 cos θ2 |1⟩ ∈ P1

C

is the point corresponding to P under the identification S2 ≃ P1C. The pic-

ture below illustrates this relation and also shows some special cases (up to anormalization factor).

|1〉

|0〉

θ

ϕ

|0〉 + |1〉

|0〉 + i|1〉

|0〉 − |1〉

p = e−iϕ/2 sin(θ2)|0〉 + eiϕ/2 cos(θ

2)|1〉

P

|0〉 − i|1〉 O

Remark 9.5. The formula (5) shows that Rz(α)(p ) corresponds to ρz(α)(P ),where ρz(α) denotes the rotation about the axis Oz of amplitude α. This is a

special case of a well known relation between matrices U ∈ SU (1) and rotationsof S2. This relation can be explained as follows.

We can view a matrix U =

[u0 u1

−u1 u0

]∈ SU (1) as a linear map C2 → C2:[

ξ0

ξ1

]7→ U

[ξ0

ξ1

]. This map induces a projective map of P1

C,

[ξ0, ξ1] 7→ [u0ξ0 + u1ξ1,−u1ξ0 + u0ξ1]

and hence a map U : C → C,

ξ 7→ u0ξ − u1u1ξ + u0

, ∞ 7→ u0/u1.


This map induces, in turn, the map U : S2 → S2 such that U (P (ξ)) = P(Uξ).

If we take U to be one of the matrices

Rz(φ) =

[e−iφ/2 0

0 eiφ/2

], Ry(θ) =

[cos θ2 sin θ

2

− sin θ2 cos θ2

], Rx(ψ) =

[cos ψ2 −i sin ψ

2

−i sin ψ2 cos ψ2

]

(see Section 2, p. 9) then it turns out that ρz(φ) = Rz(φ), ρy(θ) = Ry(θ) and

ρx(ψ) = Rx(ψ) are the rotations of amplitude φ, θ and ψ about the axes z, yand x, respectively. This, together with the relations

p = e−φ/2 sin θ2 |0⟩+ eφ/2 cos θ2 |1⟩ = Rz(φ)Ry(θ)|1⟩,

show that, in terms of S2,

P = ρz(φ)ρy(θ)N,

whose geometric content is clear by the definitions of φ and θ. Conversely, thisrelation, together with the interpretation of Rz and Ry, provides a proof of theformula for p .

Example 9.6 (q-Registers). By Axiom 4 (Entanglement) and the formulaH (n) ≃H (1)⊗· · ·⊗H (1), the spaceH (n) is the associated space of Σ(n) = Σ(1)+· · ·+Σ(1)

(n summands), the system composed of n q-bits. By analogy with the classicalbit registers, it is called a q-register of order n.

Now Axiom 3 (Unitary dynamics) tells us that the time evolution of Σ(n) isgiven by a unitary matrix of order 2n. In other words, the time evolution ofΣ(n) is a q-computation.

Finally, Axiom 2 (Observables) indicates that the [optional] operation M(b ) atthe end of q-programs corresponds to the operation of measuring the (diagonal)observable

L =∑j

j|j⟩⟨j| (that is, L|k⟩ = k|k⟩ for all k)

when Σ(n) is in the state |b ⟩. Note that(H (n)

)j= C|j⟩, hence Pjb = bj |j⟩ and

pj = |bj |2.

Quantum computers. From the preceding observations it follows that it issufficient, in order to execute q-programs of order n on a physical support, tohave a quantum register and “implementations” of the operations

M(b )

Rj(U) [with U ∈ {H,Uπ/2, Uπ/4} in the restricted case]

Cj,k

A quantum computer (of order n) is a quantum register Σ(n) endowed with suchimplementations.


Its main beauty is that such a computer allows us to perform (or approximate)any q-computation.

An interesting feature of a quantum computer is that it supports quantum par-allelism. This stems from the possibility of initializing the q-computation instates such as the Hadamard q-input

h (n) =1√2n

(|0⟩+ |1⟩+ · · · |2n − 1⟩) ,

which has the following features:

It contains (actually is the normalized sum of) all numbers of n bits.

Hence, any operation of the quantum computer acts on all numbers simulta-neously. This “explains” why the quantum computer can be much faster thana classical computer.

In general, the usefulness of the algorithms (as Shor’s order-finding, for in-stance) is based in the fact that after its execution the amplitudes of “usefulnumbers” are high and the others are small.

Let us mention here the “problem of decoherence”, which arises from the factthat interactions with the environment can quickly “perturb” the states of Σ(n)

(uncontrolled entanglement between states of the environment and states of

Σ(n)). Such problems in the road of building quantum computers are of aphysical and technological nature. Research in many labs around the world isfocussed on those questions, with continuous progress and in many directions(�12).

More references. In addition to the references given so far, here are a fewmore books, ordered by year of publication, that the reader may find interestingto delve more deeply into the study of quantum computing or, more generally,quantum information processing: [17], [12, 13], [19], [3, 4], [14], [9], [2].

10. Remarks and Proofs

I1 (p. 3, p. 14). It is a well known fact that any classical computation can beresolved into a sequence of logical gates that are either Not acting on a singlebit or Nand acting on two bits (instead of Nand we could use any of a numberof 2-bit gates, like And, Or or Xor; the choice of Nand is just a conveniencefor our presentation). Therefore it is enough to embed Nand into a reversiblecomputation f . This can be accomplished with f : B 3 → B 3 that interchanges110 and 111 and is the identity otherwise. Indeed, in the following table of f ,


x 000 001 010 011 100 101 110 111

f(x) 000 001 010 011 100 101 111 110

we see the Nand embedded by looking at the boldfaced bits. Notice that thisembedding involves the four 3-bit vectors ending with 1, and that for these facts as ij1 7→ ijNand(i, j) = ij(1 + i · j).

I2 (p. 10). For the proof, we follow the indications given in [16], Section 2.2.4.We will use the relations

XRy(θ)X = Ry(−θ), XRz(φ)X = Rz(−φ).Notice that XM (respectivelyMX) interchanges the rows (columns) ofM . Theclaim follows from this and the definitions of Ry(θ) and Rz(φ). Hence we canwrite (the φ in the third equality is an arbitrary auxiliary angle):

Rz(β)Ry(θ)Rz(γ) = Rz(β)Ry(θ/2)Ry(θ/2)Rz(γ)

= Rz(β)Ry(θ/2)XRy(−θ/2)XRz(γ)= Rz(β)Ry(θ/2)XRy(−θ/2)Rz(φ)Rz(−φ)XRz(γ)= Rz(β)Ry(θ/2)XRy(−θ/2)Rz(φ)XRz(φ+ γ)

= AXBXC

with

A = Rz(β)Ry(θ/2), B = Ry(−θ/2)Rz(φ), C = Rz(φ+ γ).

Finally, since ABC = Rz(2φ + β + γ), it is enough to choose φ = −(β + γ)/2,which means that

A = Rz(β)Ry(θ2

), B = Ry(−φ

2 )Rz

(−β+γ

2

), C = Rz

(γ−β2

),

as claimed.

I3 (p. 22). This result is not used in this article, but its proof is interestingand so we outline it.

Let U = [ujk] ∈ U (n) and set N = 2n. Then U = eiαU1U2 · · ·UN−1, with α ∈ Rand where Ul = Ul,l+1 · · ·Ul,N , with Ul,j an element of SU (1) acting on the plane[|l⟩, |j⟩] in the standard form (using the reference |j⟩ and |k⟩) and acting as theidentity on any |k⟩ such that k = l, j. This expression of U can be constructedas follows. The matrix U1,2 is taken as the identity if u21 = 0 and otherwise as[

u11/ρ −u21/ρu21/ρ u11/ρ

], ρ =

√|u11|2 + |u12|2,

so that the entry 21 of the matrix U †1,2U is 0. Defining U1,3, ..., U1,N in a similar

way, we achieve that all entries of the first column of U ′ = U †1,N · · ·U †

1,2U , other

than the entry 11, are 0. Since U ′ is unitary, so that any two of its columns are


orthogonal, all entries of the first row of U ′, other than the entry 11, are also 0.Since the entry 11 of U ′ is a unit complex number, we see that there is α1 ∈ Rsuch that e−iα1U †

1,N · · ·U †1,2U has the form[

1 0n

0†n V

], V ∈ U (N−1).

Now, by induction, V = eiβU2 · · ·UN−1, with β ∈ R and where Ul = Ul,l+1 · · ·Ul,Nwith Ul,j an element of SU (1) acting on the plane [|l⟩, |j⟩] and as the identityon any |k⟩, k = l, j. Finally the claim follows by defining α = α1 + β andU1 = U1,2U1,3 · · ·U1,N . Note that the number of the Ul,j different from theidentity is at most N(N − 1)/2.

The proof can be completed on noticing that in the Example 4.6 we establishedthat the Ul,j can be expressed as a product of U -gates and Nr,s-gates.

I4 (p. 22). We refer to Section 4.5.3 of [15] for a sketch of how the proof goes.But even in this encyclopedic book we read that providing all the details “is alittle beyond our scope” (p. 198). A more complete proof, including the moresubtle mathematical details, can be found in [16]. In particular it contains a fullproof of the key fact that if cosα = cos2(π/8), then α/π is irrational (Lemma3.1.8).

I5 (p. 27). Since Av(a ) = 1N

N−M√N−M =

√N −M/N ,

K(a ) =∑j∈J0

(2√N −M/N − 1/

√N −M

)|j⟩+

∑j∈J1

2√N −M

N|j⟩

=∑j∈J0

N − 2M

N√N −M

|j⟩+∑j∈J1

2√M

√N −M

N√M

|j⟩

= cos(φ)a + sin(φ)b .

Similarly, since Av(v ) =M/N√M =

√M/N ,

K(b ) =∑j∈J0

(2√M

N

)|j⟩+

∑j∈J1

(2√M

N− 1√

M

)|j⟩

=∑j∈J0

(2√M

√N −M

N

1√N −M

)|j⟩+

∑j∈J1

(2M −N

N√M

)|j⟩

= sin(φ)a − cos(φ)b .

Observe that the relations above imply that K is, on the space spanned by aand b , the symmetry with respect to h (n) = cos(φ/2)a + sin(φ/2)b . Indeed,

let u α = cos(α)a + sin(α)b (thus h (n) = u φ/2) and let Rφ denote the rotation


of amplitude φ. Then K = RφG (from KG = Rφ and G2 = Id) and

K(h (n)) = Rφ(G(u φ/2)) = Rφ(u−φ/2) = u φ/2 = h (n),

while, if k (n) = − sin(φ/2)a + cos(φ/2)b = u φ/2+π/2, then

K(k (n)) = RφGRπ/2u φ/2 = RφR−π/2Gu φ/2

= Rφ−π/2u−φ/2 = u φ/2−π/2 = −k (n).

I6 (p. 32). The probability p(|2mφ− l| > 2m−r) is equal to

−(2m−r+1)∑l=−2m−1+1

pl +

2m−1∑l=(2m−r+1)

pl.

Now the bound (∗∗), p. 32, can be derived from the explicit expression (∗) forpl (page 32). We refer to [15] for further details.

I7 (p. 34). The Prime Number Theorem asserts that the number of primeswhich are smaller than r is asymptotically equal to r

log(r) . Hence, the probability

of choosing (uniformly) a random prime number 0 < s < r is asymptoticallyequal to

p(0 < s < r, s is prime) = p ∼ 1

log r>

1

logN.

Then the expected number of iterations in order to find a prime number s < ris equal to:

∞∑i=1

i(1− p)i−1p = p

∞∑i=1

i(1− p)i−1 =p

(1− (1− p))2=

1

p∼ log(r) < log(N).

Hence, after not more than log(N) = O(n) choices, we expect to choose a valueof s which is prime with r.

I8 (p. 34). The continuous fraction representation of a rational number x isa vector of integers [x0, x1, . . . , xn], with xj > 0 for j = 1, . . . , n. The relationbetween x and [x0, x1, . . . , xn] can be displayed as a ‘continuous fraction’:

x = x0 +1

x1 +1

. . .

xn−1 +1

xn


By abuse of notation we will also write x = [x0, x1, . . . , xn]. In these terms thecontinuous fraction can be expressed by the recursive formula

[x0, x1, . . . , xn] = x0 +1

[x1, . . . , xn]

The rational numbers cj = [x0, x1, . . . , xj ], j = 0, 1, . . . , n, are called the con-vergents of the number x. The list of denominators {d0, d1, . . . , dn} of theseconvergents can be computed recursively as follows:

d0 = 1, d1 = x1, dj = xjdj−1 + dj−2 (j = 2, ..., n)

Actually it is easy to prove by induction that cj = mj/dj , where

m0 = x0, m1 = x1x0 + 1, mj = xjmj−1 +mj−2 (j = 2, ..., n)

It follows that the list {d0, d1, ..., dn} can be computed by the following algo-rithm:

ContFrac(x):=

a=floor(x), k=1, d={0,1}

while x!=a and j<n do

x=1/(x-a)

a=floor(x)

d=d|{a*d.(j-1)+d.(j-2)}

j=j+1

return tail(d)

I9 (p. 36). We prove that

p(x ∈ Z∗

N | r = ordN (x) is odd or xr2 + 1 is divisible by N

)≥ 1

2m.

We start writing N = pα11 . . . pαmm , where p1, . . . , pm are distinct prime numbers.

Then, Z∗N = Z∗

pα11

× · · · × Z∗pαmm

. Write xj for the reduction of x mod pαjj , and

rj for the order of xj in Z∗pαjj

. Denote by dj the biggest exponent such that 2dj

divides rj . Denote by d the biggest exponent such that 2d divides r. Then, it is

easy to show that if r is odd or if r is even and xr2 ≡ −1 mod N , then dj = d

for all d.

To conclude, we use that if 2dj is the largest power of 2 dividing φ(pαjj ), then

p

(x ∈ Z∗

N | 2dj divides ordpαjj(x)

)=

1

2

I10 (p. 37). Denote by p the probability of the event {x ∈ Z∗N | r =

ordN (x) is even and xr2 + 1 is not divisible by N}, when x is chosen uniformly


at random at Z∗N . Then, the expected number of iterations of the algorithm is

equal to:

∞∑i=1

i(1− p)i−1p = p∞∑i=1

i(1− p)i−1 =1

p≤ 2m−1

2m−1 − 1= 1 +

1

2m−1 − 1.

As m > 1, the expected number of iterations is O(1).

I11 (p. 39). If u 1, . . . ,u n is an orthonormal basis of E and If u ′1, . . . ,u

′n′

an orthonormal basis of E′, then a general vector of E ⊗ E′ has the form∑j,j′ aj,j′u j ⊗ u j′ . On the other hand, the composite vector x ⊗ x ′ has the

form∑

j,j′ ajaj′u j ⊗ u j′ if x =∑

j aju j and x ′ =∑

j′ aj′u j′ . Now this vector

may not be equal to u 1 ⊗ u ′1 + u 2 ⊗ u ′

2, for this would in particular requirethat the inconsistent relations a0a

′0 = 1, a1a

′1 = 1, a0a

′1 = 0 were satisfied.

I12 (p. 43). There is an explosion of activity in the last years, and especiallysince 2006, as seen, for example, in

http://en.wikipedia.org/wiki/Timeline of quantum computing

http://en.wikipedia.org/wiki/Quantum computer

In the latter, in particular, there are over a dozen lines of inquiry aiming at therealization of a quantum computer.

References

[1] T. Apostol. Introduction to Analytic Number Theory. Undergraduate Texts in Mathemat-ics. Springer-Verlag, 1976.

[2] F. Benatti, M. Fannes, R. Floreanini, and D. (editors) Petritis. Quantum information,computation and cryptography. An introductory survey of theory, technology and experi-ments, volume 808 of Lecture Notes in Physics. Springer, 2010.

[3] Giuliano Benenti, Giulio Casati, and Giuliano Strini. Principles of quantum computationand information, volume I: Basic cocepts. World Scientific, 2004.

[4] Giuliano Benenti, Giulio Casati, and Giuliano Strini. Principles of quantum computationand information, volume II: Basic tools and special topics. World Scientific, 2007.

[5] D. Deutsch and R. Jozsa. Rapid solution of problems by quantum computation. Proc RoySoc Lond A, 439:553–558, October 1992.

[6] L. K. Grover. A fast quantum mechanical algorithm for database search. Annual ACMSymposium on Theory of Computing, pages 212–219, 1996.

[7] L. K. Grover. From Schrodinger’s equation to quantum search algorithm. American Jour-nal of Physics, 69(7):769–777, 2001.

[8] G. H. Hardy and E. M. Wright. An Introduction to the Theory of Numbers. Oxford Uni-versity Press, 2008 (6th edition, revised by D. R. Heath-Brown and J. H. Silvermann; 1stedition published in 1938).

[9] G. Jaeger. Quantum Information –An overview. Springer, 2007.[10] A. Kitaev, A. H. Shen, and M. N. Vyalyi. Classical and quantum computation, volume 47

of Graduate Studies in Mathematics. American Mathematical Society, 2002.


[11] A. Y. Kitaev. Quantum measurements and the abelian stabilizer problem. Electr. Coll.Comput. Complex., 3:article no. 3, 22 pp., 1995.

[12] S. J. Jr. Lomonaco, editor. Quantum computation: A grand mathematical challenge for thetwenty-first century and the millenium, volume 58 of Proceedings of Symposica in AppliedMathematics. American Mathematical Society, 2002.

[13] S. J. Jr. Lomonaco and H Brand, editors. Quantum computation and information, volume305 of Contemporary Mathematics. American Mathematical Society, 2002.

[14] D. Mermin. Quantum Computer Science: An Introduction. Cambridge University Press,2007.

[15] M. A. Nielsen and I. L. Chuang. Quantum Computation and Quantum Information. Cam-bridge University Press, 2000 (5th printing 2005).

[16] K. R. Parthasarathy. Lectures on Quantum Computation, Quantum Error CorrectingCodes and Information Theory. Narosa Publishing House, 2006. (For the Tata Instituteof Fundamental Research, international distribution by AMS).

[17] A. O. Pittenger. An Introduction to Quantum Computing Algorithms. Progress in Com-puter Science and Applied Logic. Birkhuser, 2000.

[18] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures andpublic-key cryptosystems. Commun. ACM, 21(2):120–126, 1978.

[19] Joachim Stolze and Dieter Suter. Quantum Computing: a Short Course from Theory toExperiment. Physics Textbook. Wiley-VCH, 2008. Second, updated and enlarged edition.

[20] A. Sudbery. Quantum mechanics and the particles of nature. An outline for mathemati-cians. Cambridge University Press, 1988 (reprinting, with corrections, of 1986 edition).

[21] Steven Weinberg. Lectures on quantum mechanics. Cambridge University Press, 2013.

List of frequently used symbols

0n 0 n. . . 0

1n 1 n. . . 1

⟨a |b ⟩ Scalar product of a and b∑j ajbj

a ⊗b ,a ⊗ b Tensorial product of a and b

B Set of binary digits {0, 1}

C12(U) Controlled-U

|j⟩ Ket of j

F Quantum Fourier Transform

I2n Identity matrix of dimension 2n

H (n) Space of q-vectors of order n C2n

h (n) Hadamard q-vector of lenght n ρn(∑2n−1

j=0 |j⟩)

H Hadamard matrix ρ

1 1

1 −1

ML(a ) q-measurement of a at the positions {l1, . . . , lr}

Nr,s Controlled negation Cr,s(X)

ρ 1/√2


Rl(U) One q-bit rotation, U ∈ U (1)

Ry(φ)

cos θ2 − sin θ2

sin θ2

cos θ2

Rz(θ)

e−iθ/2 0

0 eiθ/2

σx = X Pauli matrix x

1

1

σy = Y Pauli matrix y

−i

i

σz = Z Pauli matrix z

1−1

Sα Shift matrix of angle α

1 0

0 eiα

Swap[r, s] Transposition of bits r and s

U (n) Group of unitary matrices of dimension 2n

U ⊗ U ′ Tensorial product of matrices

U† Adjoint matrix UT

U⊗n U⊗ n. . . ⊗U

Instituto de Ciencias Matematicas-CSIC, Calle Nicolas Cabrera 13-15, CampusCantoblanco UAM, 28049 Madrid, Spain.Matematica Aplicada II, Universitat Politecnica de Catalunya, Edifici OMEGA,c/ Jordi Girona 1-3, 08034 Barcelona, Spain.

E-mail address: [email protected], [email protected]

mathematical essentials of quantum computing · pdf filemathematical essentials of quantum...

Documents