quantum algorithms...input: a number n of nbits. goal: nd the decomposition of nin prime numbers n=...
TRANSCRIPT
Chapter 0
Prequel
Quantum algorithms:
• Potentially much faster than classical algorithms.
• examples: Deutsch-Jozsa, Simon, Grover.
• Shor’s quantum algorithm for factoring1: probably the most important for quantum algo-rithms (1994).
Factoring Problem
Input: a number N of n bits.Goal: find the decomposition of N in prime numbers N = Πip
αii .
Best known classical algorithm : general number field sieve which runs inO(eO(n1/3 log2/3(n))) (heuris-tic complexity)2
Shor’s quantum algorithm runs in O(n2 log2(n)).
• Exponential speedup.
• Breaks RSA based cryptosystems (that’s a lot!).
Extends to Discrete logarithm (Diffie Hellman key exchange, elliptic curve crypto).Organisation of the lecture:
• Chapter 1: the quantum Fourier transform.
• Chapter 2: Shor’s quantum factoring algorithm.
Chapters 1 and 2 will follow very closely chapters 4 and 5 from Ronald de Wolf’s lecture notes3.
1Peter Shor, Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Com-puter, full version available here https://arxiv.org/abs/quant-ph/9508027
2Carl Pomerance, A tale of two sieves, Notices Amer. Math. Soc, 1996, https://www.ams.org/notices/199612/pomerance.pdf
3Full lecture notes: https://homepages.cwi.nl/~rdewolf/qcnotes.pdf
1
Chapter 1
The quantum Fourier transform
The quantum Fourier will be one of our main tools when constructing quantum algorithms. It willbe at the heart of Shor’s factoring algorithm.
1.1 The classical Fourier transform
Widely used: data compression, signal processing, complexity theory. Here, we will consider onlythe discrete Fourier transform.
1.1.1 Definition
Fourier transform FN : N ×N unitary matrix, with elements of the same magnitude.
F2 := H =1√2
(1 11 −1
).
N = 3 (for example): impossible to achieve with real numbers. Use complex numbers.
We will use roots of unity ωN = e2iπN . The discrete Fourier transform FN is defined as
FN := 1√N
. . .
... . ..
. . . ωjkN . . .
. .. ...
. . .
meaning that for any line j ∈ 0, . . . , N − 1 and any column
k ∈ 0, . . . , N − 1, we have (FN )jk := ωjkN .
Properties
• Each column Ck = 1√N
1ωkN...
ω(N−1)kN
has norm 1 and any two columns are orthogonal. Indeed
∀k, k′ ∈ 0, . . . , N − 1, 1
N
N−1∑j=0
ωjkN ω−jk′N =
1
N
N−1∑j=0
ωj(k−k′)N = δkk′ .
2
1.1.2 Computing the classical Fourier transform
Computing the classical Fourier transform problem
Input: a column vector v =
v0...
vN−1
.
Goal: compute v = FN · v.
Naive way: Perform the whole multiplication entry-wise
• O(N) operations (+ and ×) per entry.
• O(N2) operations in total.
Fast Fourier transform
• O(N log(N)) operations in total.
• recursive algorithm.
1.2 The quantum Fourier transform
1.2.1 Definition of the problem
Take N = 2n. Since FN is a N × N unitary matrix, we can interpret it as a quantum unitaryoperation acting on n qubits.
Computing the quantum Fourier transform problem
Input: a quantum state |ψ〉 of n qubits.Goal: output FN (|ψ〉).
How efficiently can we implement this quantum Fourier transform?
• QFT can be implemented with a quantum circuit of size O(n2). The rest of the chapter willbe devoted to the construction of this algorithm.
• Exponentially faster than classical FFT which runs in O(N log(N)).
" In the classical setting, we are given an explicit (written) description of a vector v =
v0...
vN−1
as an input and ask to have a similar description of the output. In the quantum setting, we aregiven a quantum state |ψ〉 =
∑N−1i=0 vi|i〉 and ask to output the state FN (|ψ〉) =
∑N−1i=0 vi|i〉. Notice
that we cannot fully recover the vector v =
v0...
vN−1
from FN (|ψ〉).
Even though the speedup is exponential, it doesn’t allow to recover v, which makes it incompa-rable with the FFT. The quantum algorithm in particular doesn’t help in computing the classicalFourier transform. It will still have other important uses.
3
1.2.2 Efficient quantum circuit for QFT
Elementary gates
• Hadamard gate H = 1√2
(1 11 −1
).
• Phase rotation Rs =
(1 0
0 e2iπ2s
).
• Controlled Rs gate written C-Rs and acting on 2 qubits.
C-Rs(|0〉|x〉) := |0〉|x〉 ; C-Rs(|1〉|x〉) := |1〉Rs(|x〉) which gives C-Rs(|b〉|x〉) = |b〉e2iπbx2s |x〉.
For each k, we have FN (|k〉) = 1√N
∑N−1j=0 ωjkN |j〉. For any integer j, we write its binary decomposi-
tion j = j1, . . . , jn where j1 is the bit of highest weight. This means we can write j =∑n
l=1 2n−ljl.We have
FN (|k〉) =1√N
N−1∑j=0
e2iπjk2n |j〉
=1√N
N−1∑j=0
e2iπ(∑nl=1 jl2
−l)k|j1, . . . , jn〉
=1√N
N−1∑j=0
Πnl=1e
2iπjl2−lk|j1, . . . , jn〉
=
n⊗l=1
1√2
(|0〉+ e2iπk2
−l |1〉)
To prove the last equality, recall that the tensor product satisfies
(α|0〉+ β|1〉)⊗ (α′|0〉+ β′|1〉) = αα′|00〉+ αβ′|01〉+ βα′|10〉+ ββ′|11〉.
For any integer k, with binary decomposition k = k1, . . . , kn, we define 0.k := k2n =
∑nl=1 kl2
−l.For example, 0.010 = 1
4 and 0.101 = 58 . Notice that
e2iπk2−l
= e2iπ(∑nm=1 2
n−mkm)2−l
= e2iπ(∑nm=n−l+1 km2m−(n−l+1))2−l
= e2iπ(∑l
m′=1 kn−m′+12−m′
)= 0.kn . . . kn−l+1.
The second equality uses the fact e2iπC = 1 for any C ∈ N which implies that only the l − 1bits of k of least weight matter in the term e2iπk2
−l. We can therefore rewrite
FN (|k〉) =
n⊗l=1
1√2
(|0〉+ e2iπk2
−l |1〉)
=1√2
(|0〉+e2iπ0.kn |1〉)⊗ 1√2
(|0〉+e2iπ0.kn−1kn |1〉)⊗· · ·⊗ 1√2
(|0〉+e2iπ0.k1...kn |1〉).
4
The n = 3 (N = 8) case
From the above, we have
F8(|k1k2k3〉) =1√2
(|0〉+ e2iπ0.k3 |1〉)⊗ 1√2
(|0〉+ e2iπ0.k2k3 |1〉)⊗ 1√2
(|0〉+ e2iπ0.k1k2k3 |1〉).
Because of this product structure, we can easily construct each qubit separately. Notice that with
the 0.k notation, we can write C-Rs(|b〉|x〉) = |b〉e2iπbx2s |x〉 = |b〉e2ixπ·0.0...0b|x〉. where 0. 0 . . . 0b︸ ︷︷ ︸
s bits
.
1st qubit:
|k3〉H−→ 1√
2(|0〉+ (−1)k3 |1〉) =
1√2
(|0〉+ e2iπ0.k3 |1〉).
2nd qubit:
|k2〉H−→ 1√
2(|0〉+ (−1)k2 |1〉) =
1√2
(|0〉+ e2iπ0.k2 |1〉)
|k3〉1√2
(|0〉+ e2iπ0.k2 |1〉) C-R2−−−→ |k3〉1√2
(|0〉+ e2iπ0.k2k3 |1〉)
3rd qubit:
|k1〉H−→ 1√
2(|0〉+ (−1)k1 |1〉) =
1√2
(|0〉+ e2iπ0.k1 |1〉)
|k2〉1√2
(|0〉+ e2iπ0.k1 |1〉) C-R2−−−→ |k2〉1√2
(|0〉+ e2iπ0.k1k2 |1〉)
|k3〉1√2
(|0〉+ e2iπ0.k1k2 |1〉) C-R3−−−→ |k3〉1√2
(|0〉+ e2iπ0.k1k2k3 |1〉)
The 3rd qubit is stored in the quantum register where |k1〉 is and uses |k2〉 and |k3〉 as controlqubits. The 2nd qubit is be stored in the quantum register where |k2〉 is and uses |k3〉 as a controlqubit. The 1st qubit is stored where |k3〉 is. In order to do this, we must first construct the 3rdqubit, then the 2nd and finally the 1st qubit. In order to have the good ordering of qubits, we endup inverting the order of all the qubits.
The circuit of F8 is the following
The number of gates used here is 3 + 2 + 1 gates + the gates in the SWAP.
General case
The construction for n = 3 can be extended to any n following the same pattern. The first qubit willconsist only of an H gate while the last qubit will require applying H, C-R2, . . . , C-Rn. Similarly
5
as in the n = 3 case, we finish by inverting the order of all the qubits. The total number of gatesused is therefore n+ n− 1 + · · ·+ 1 + SWAP = O(n2)gates.
Improvements: we can reduce the number of gates if we allow for some small errors:
• As s grows, C-Rs fastly converges to the identity gate.
• We remove all those gates for s ≥ Ω(log(n)). By a careful error analysis, we can show thatthe result will be O( 1
poly(n)) close to the desired state.
• The total amount of needed gates becomes O(n log(n)) (SWAP is O(n)).
6
Chapter 2
Shor’s quantum factoring algorithm
Shor’s idea:
• There exists an efficient quantum algorithm for finding the period of a function.
• Factoring can be reduced to period finding i.e. an efficient algorithm for period finding ⇒ anefficient algorithm for factoring.
Period finding problem
Input: a function f : N→ 0, . . . , N−1 such that ∃r ∈ 0, . . . , N−1 (unknown) such thatf(a) = f(b)⇔ a = b mod r.Goal: output r.
2.1 From factoring to period finding
2.1.1 Classical algorithm for factoring a number N using period finding
Equivalent to finding a non trivial factor of N .
1. Pick a random x ∈ 2, . . . , N − 1.
2. Calculate x ∧N (efficient, use Euclid’s algorithm).
• if x ∧N = c 6= 1→ c divides N .
• if x ∧N = 1→ continue.
3. Consider the smallest r ∈ 0, . . . , N − 1 such that xr = 1 mod N . Since x ∧ N = 1, suchan r exists.
4. r is the period of the function f(k) = xk mod N . Use the period finding algorithm to findr. If r is odd, go back to step 1.
5. Calculate (xr/2 + 1) ∧N and (xr/2 − 1) ∧N . If one of those values is different than 1 or Nthen this value is a non trivial factor of n. If both of those values are equal to 1 or N , startagain from step 1.
7
2.1.2 Proof that the algorithm works
The main part of the proof will be the following lemma from number theory. The proof will beomitted.
Lemma 1. For any odd N , for a randomly chosen x such that x∧N = 1 and r begin the smallestelement in 0, . . . , n− 1 satisfying xr = 1 mod N , the event
E : r is even ∧ (xr/2 + 1) 6= 0 mod N ∧ (xr/2 + 1) 6= 0 mod N
occurs with probability ≥ 12 .
If r is even, we have
xr = 1 mod N ⇔ (xr/2 + 1)(xr/2 − 1) = 0 mod N
⇔ ∃k ∈ N∗, (xr/2 + 1)(xr/2 − 1) = kN.
Notice first that (xr/2 + 1) > 0 and we also have (xr/2 − 1) > 0 because x ≥ 2 and r ≥ 2.If E holds, both (xr/2 + 1) and (xr/2 − 1) are not multiples of N . Therefore, they will both have anon trivial factor of N and we actually have (xr/2 − 1) ∧N 6= 1 and (xr/2 + 1) ∧N 6= 1.Conclusion: if E holds then step 5 outputs a non trivial factor of N . Since Pr[E] ≥ 1
2 , we requireO(1) calls to the period finding algorithm for the algorithm to succeed with a high (constant)probability.
2.2 Shor’s period finding algorithm
Our goal here is to present Shor’s quantum algorithm for period finding. Let n := dlog(N)e, q :=dlog(N2)e and Q := 2q ∈ [N2, 2N2]. We have a quantum access to f : N → 0, . . . , N − 1. Werestrict the input space to q input bits and consider the quantum unitary
Of : |x〉q|0〉n → |x〉q|f(x)〉n.
The subscripts represent the number of qubits in each register. This means for example that register|x〉q contains q qubits and register |0〉n contains n qubits.
2.2.1 Algorithm for period finding
1. Initialize the protocol at the state|0〉q|0〉n.
2. Apply QFTQ on the first register. We get
1√Q
Q−1∑a=0
|a〉q|0〉n.
3. Apply Of on the whole state to obtain
1√Q
Q−1∑a=0
|a〉q|f(a)〉n.
8
4. Measure the second register: it gives some value f(s) for some s < r. Let m := #a ∈0, . . . , Q− 1 : f(a) = f(s). We have
a ∈ 0, . . . , Q− 1 : f(a) = f(s) = s, s+ r, . . . , s+ (m− 1)r= jr + s0≤j<m
When measuring f(s) in the second register, the first register collapses to
1√m
m−1∑j=0
|jr + s〉.
5. Apply QFTQ on this first register.
1√m
m−1∑j=0
1√Q
Q−1∑b=0
e2iπ(jr+s)b
Q |b〉
=1√mQ
Q−1∑b=0
e2iπsbQ
m−1∑j=0
e2iπjrbQ
|b〉6. Measure the first register. What is the probability of outputting each specific b?
Special case developed here : r divides Q.
In this case, we have m = Qr . We have
b is a multiple ofQ
r⇔ e
2iπrbQ = 1.
Any such b will therefore have squared amplitude
∣∣∣ 1√mQ
e2iπsbQ
m−1∑j=0
e2iπjrbQ
∣∣∣2
=∣∣∣ 1√mQ
e2iπsbQ
m−1∑j=0
1
∣∣∣2=m
Q=
1
r
Each b ∈ 0, . . . , Q − 1 which is a multiple of Qr will be measured with probability ex-
actly 1r . Notice also that there are exactly r such multiples, which are the elements of
0, Qr , . . . ,(r−1)Q
r . Therefore, the measurement will always output a multiple of Qr .
Output b : a uniformly random multiple ofQ
r.
This means there exists a random (unknown) c ∈ 0, . . . , r − 1 such that b = cQr . or
equivalently bQ = c
r .
7. Find r from the above equality. How?
9
• b,Q are known, c, r are unknown. We can rewrite bQ = b′
Q′ with b′ ∧Q′ = 1.
• c is a random number in 0, . . . , r − 1. This implies that c ∧ r = 1 with probabilitygreater than Ω( 1
log(log(r))). When this happens, we necessarily have c = b′ and r = Q′.
• Check that Q′ is a period of f . If yes: done. If no, go back to step 1.
General case (Sketch) : r does not divide Q.
If we measure the first register, we obtain b such that | bQ −cr | ≤
12Q with high probability for
some random c. If this is the case, cr is the only fraction with c ∧ r = 1 and r ≤ N such that
| bQ −cr | ≤
12Q (proof omitted). This is because we chose Q such that Q ≥ N2.
If we indeed have c∧r = 1, which still happens with probability greater than Ω( 1log(log(r))), we
can use the continuous fraction method to find the unique fraction cr satisfying | bQ −
cr | ≤
12Q
from which we can get r.
DONE :)
Complexity of the period finding algorithm
We apply the above procedure until we find c such that c ∧ r = 1. This means we performO(log(log(r))) loops. Each loop makes 2 calls to QFTQ and 1 call to Of .
The running time is therefore PFAf ≤ O (log(log(r))(QFTQ +Of )).
2.2.2 Complexity of Shor’s algorithm
Shor’s algorithm: O(1) calls to PFAf with f(k) = xk mod N for some random x.One can show that Of can be calculated in O(log2(N) log(log(N)) log(log(log(N)))) using effi-
cient squaring. (Perfect) QFTQ is made in O(Q2) = O(log2(N)).From there, we conclude that the total running time of Shor’s algorithm is
O(log(log(r)) ∗
(log2(N) + log2(N) log(log(N)) log(log(log(N)))
))≤ O
(log(n) ∗
(n2 + n2 log(n) log(log(n))
))= O(n2polylog(n)).
10
Chapter 3
Collision algorithms
3.1 Cryptographic hash functions
A cryptographic hash function H : 0, 1∗ → 0, 1n must satisfy the following properties.
• One-wayness: for a random y ∈ 0, 1n, it should be hard to find x, such that H(x) = y.
• Second-preimage resistance: for a fixed x, it should be hard to find x′ 6= x such that H(x) =H(x′).
• Collision resistance: it should be hard to find x, x′ 6= x such that H(x) = H(x′).
Brute force complexity of those algorithms classically: One-wayness: O(2n), second-preimage:O(2n), collision resistance: O(2n/2).
Quantum brute force complexity: One-wayness: O(2n/2), second-preimage: O(2n/2), collisionresistance: ??.
Collision problem. Here, we fix the input space to be of n bits as well, and we consider arandom function f .
Collision problem
Input: a random function f : 0, 1n → 0, 1n.Goal: find (x, y) such that f(x) = f(y) and x 6= y. Because f is random, many such couples.
3.2 A classical algorithm
1. Pick a parameter r. Pick a random subset I ⊆ 0, 1n of size r. Construct the list L =f(i)i∈I and sort it. If we find 2 values i, j ∈ I such that f(i) = f(j) and i 6= j, output(i, j). Else:
2. Compute f(x) for random values x /∈ I and for each such f(x), we test if f(x) ∈ L. Wecontinue until we find f(x) ∈ L. Since f is random, each x /∈ I will satisfy f(x) ∈ L withprobability r
2n . We need to test on average O(2n
r ) to find one with high probability.
This algorithm uses the well known birthday paradox. The first step takes time O(r log(r)) and the
second one O(2n log(r)r ). By taking r = 2n/2, we have an algorithm running in time O(poly(n)2n/2).
11
There are also algorithms that use a smaller amount of memory.
3.3 Quantum algorithms
3.3.1 A naive way
Consider the function g(x, y) = 1 if (f(x) = f(y) ∧ x 6= y) and g(x, y) = 0 otherwise. We applyGrover on g. Because f is random, there are on average O(2n) couples (x, y) such that g(x, y) = 1.
We perform Grover on g which takes time O(√
22n
2n ) = O(2n/2). This is not significantly better
than the classical algorithm.
3.3.2 The quantum BHT (Brassard,Hoyer and Tapp) Algorithm
1. Pick a parameter r. Pick a random subset I ⊆ 0, 1n of size r. Construct the list L =f(i)i∈I .
2. Let g : 0, 1n → 0, 1 satisfying g(x) = 1 ⇔ [x /∈ I and ∃i ∈ I, f(x) = f(i)]. ≈ r solutionswhen r 2n.
3. Apply Grover on g. Find y such that g(y) = 1.
4. Find i ∈ I st. f(i) = f(y). Output (i, y).
Time analysis of BHT Let Time(f) the time required to compute f .
• List creation: time Time(f) ∗ r log(r).
• Time to compute Og : classically, g takes time n log(r). Can we use the standard reductionto construct Og from g?
"We have to be careful here, because we don’t actually have a classical circuit that runs in n log(r).We use a RAM that will perform the dichotomic search. We will assume for now that this is not aproblem.
• Time to compute Og : n log(r).
• Grover on g. g is a function from 0, 1n\I → 0, 1. The input space is of size 2n − r and
there are on average r solutions. So we need to iterate Grover ≈√
2n−rr to find a solution to
g.
QTime(BHT ) = Time(f) ∗ r log(r)︸ ︷︷ ︸List L creation
+
√2n − rr︸ ︷︷ ︸
nb. of Grover iterations
· n log(r)︸ ︷︷ ︸time to compute Og
.
We assume f is efficiently computable i.e. Time(f) = poly(n). If we take r = 2n/3, we obtain
QTime(BHT ) = O(2n/3).
12
On quantum RAM, and on how to compute Og.
The classical algorithm to compute g has a sorted list L = (y1, . . . , yr) that contains the valuesf(x) for x ∈ I and performs a dichotomic search on the memory.
We can perform this algorithm classically if we have access to a RAM operation C(i) = yi. Andthis takes time O(n log(r)).
In the quantum setting, we want to construct the quantum membership oracle
OL(|x〉|0〉) = |x〉|“x ∈ L”〉.
where “x ∈ L” is the bit which is equal to 1 if x ∈ L and 0 otherwise. In order to perform this, weneed:
• r quantum bits of memory each storing |yi〉.
• to perform the quantum operation U such that U(|i〉|0〉) = |i〉|yi〉. This essentially requireshaving a reading head that can be in a superposition of states. This operation is called theQRAM operation.
There is still some debate in the community whether such an operation is as hard as building aquantum circuit or significantly harder. We’ll consider here that a QRAM operation is theoreticallyfeasible but very hard to do in practice. In order to compute Og, we are given a sorted listL = (y1, . . . , yr).
If we have access to the elements in L in quantum registers |y1〉, . . . , |yr〉 as well as access toquantum RAM, then we can perform the membership oracle for L in time O(n log(r)) via dichotomicsearch. The proof will be omitted here but the idea is that with RAM access, classical dichotomicsearch can be expressed as a classical circuit of size O(n log(r)). Similarly as in the transformationfrom classical circuits to quantum circuits, we can create the quantum membership oracle fromdichotomic search.
If we don’t have access to that QRAM, then the above can be done in time nr by checking eachelement separately. This is way worst for very large lists like in our example.
13
Quantum collision protocols without QRAM and with small quantum memory. Since2016, we know that there exists a quantum algorithm that runs in time O(22n/5poly(Time(f)))that solves the collision problem with n qubits and no QRAM.
Overview of known quantum algorithm for cryptography Here is an overview of quantumalgorithms so far.
Algorithm Qtime Qspace ApplicationsShor poly(n) n RSA
(factoring)Discrete log poly(n) n Diffie Hellman, ECDH, ECDSA
(elliptic curves)Dihedral subgroup subexp(n) n NTRU, lattice based
(solves SVP)
Grover 2n/2 n generic(hash functions, AES, ...)
Collision 2n/3 or 22n/5 2n/3 or n generic(hash functions, symmetric)
14
3.4 Quantum collision with low memory
Idea of distinguished points
• Fix a parameter v. DPv = x ∈ 0, 1n : ∃y ∈ 0, 1n−v, f(x) = 0vy.
• DPv is the set of inputs x such that f(x) starts with v zeros.
• DPv becomes will become our new input (or search) space.
• We will also reduce the size of the list and put there only images of distinguished points.
3.4.1 Modified quantum algorithm for collision with low quantum memory
1. Pick parameters u, v. Construct a list of couples L = (x1, f(x1)), . . . (x2u , f(x2u)) where thexi are independent random elements of DPv.
2. Let g : DPv → 0, 1 satisfying g(x) = 1⇔ [(x, f(x)) /∈ L and ∃(xi, f(xi)) ∈ L, f(x) = f(xi)].
3. Apply Grover on g. Get y st. g(y) = 1.
4. Find (xi, f(xi)) ∈ L st. f(xi) = f(y). Output (xi, y).
3.4.2 Running time of the algorithm
• Finding a random element xi of DPv: apply Grover on the function h : 0, 1n → 0, 1.h(x) = 1 ⇔ f(x) starts with v zeros . There are 2n−v solutions so takes time O(
√2n
2n−v ) =
2v/2.
• ⇒ time to create the list L = 2u · 2v/2 = 2u+v/2.
• Number of solutions to g = 2u so the total time is
2u+v/2 +
√2n−v
2u(QTime(Ref|ψ1〉) + 1
).
• How much is QTime(Ref|ψ1〉) now?
• Recall |ψ1〉 from Grover’s algorithm
|ψ1〉 =
√1
2n−v
∑x∈DPv
|x〉|g(x)〉.
3.4.3 Time analysis of |ψ1〉 construction
1. To construct |ψ1〉, we first construct∑
x∈DPv |x〉|0〉 and then apply Og : |x〉|0〉 → |x〉|g(x)〉.
2. How to construct Og? Let Lf be L restricted to the second component. We do |x〉|0〉|0〉 →|x〉|f(x)〉|0〉 and then need an operation that performs |x〉|f(x)〉|0〉 → |x〉|f(x)〉|f(x) ∈ Lf 〉.Then undo the f on the second register to get
∑x∈DPv |x〉|0〉|f(x) ∈ Lf 〉.
15
3. We also need to check that (x, f(x)) /∈ L to finally get∑x∈DPv
|x〉|0〉|f(x) ∈ Lf ∧ (x, f(x)) /∈ L〉.
• From the membership test, 2 takes time |L| = 2u.
• But now, 1 starts from a superposition over elements in DPv. How to construct this super-position? Use Grover.
• What is the QTIME to construct√
12n−v
∑x∈DPv |x〉?
• Consider l : 0, 1n → 0, 1 st. l(x) = 1 iff. x ∈ DPv. l is efficiently computable and has2n−v solutions
• If we apply Grover on l, we end up (close to) the state
|ψlGood〉 =∑
x:l(x)=1
√1
2n−v|x〉|h(x)〉
• By undoing l, we have finally∑x:l(x)=1
√1
2n−v|x〉|0〉 =
√1
2n−v
∑x∈DPv
|x〉|0〉.
• Time required =√
2n
2n−v = 2v/2.
3.4.4 Running time
Running time of the algorithm
• Total time is
2u+v/2 +
√2n−v
2u(QTime(Ref|ψ1〉)
)=2u+v/2 + 2
n−v−u2
(2u + 2v/2
).
• Take u = v/2 and u = n5 ; v = 2n
5 . Total time = 22n/5.
3.4.5 Membership oracle with small quantum memory and no QRAM
Quantum membership oracle or the difficulty of efficient quantum data structures
• The problem is that the membership process is adaptative in x.
• Naive idea: check membership with each element of the list as if it was unsorted.
|x〉|0〉 → |x〉|x == y1〉 → |x〉|(x == y1) ∨ (x = y2)〉 → · · ·→ |x〉| [(x == y1) ∨ (x == y2) ∨ · · · ∨ (x == yr)]〉.
• This can be done with a classical memory y1, . . . , yr. But takes time r!
• Can we do better? Not that we know.
16
Recap We constructed a quantum algorithm for collision finding of a random function f withthe following properties
• Time 22n/5 if f is efficiently computable.
• What are the memoty requirements? Classically, the size of the list = 2n/5. Quantumly: n+1qubits for Grover’s algorithm.
• There is a quantum speedup even with small quantum memory.
17
Chapter 4
Other quantum algorithms
4.1 Phase estimation
Our first protocol is a direct application of the quantum Fourier transform.
Phase estimation
Input: a quantum unitary U acting on n qubits. An eigenvector |ψ〉 of U with eigenvalue λgiven as a quantum state.Goal: output λ.
Recall that an eigenvector |ψ〉 of U with eigenvalue λ means that U(|ψ〉) = λ|ψ〉. Because U is aunitary, |λ| = 1 so we can write λ = e2iπφ for some real number φ ∈ [0, 1) ([0, 1[ in French notation).We assume first that φ can be fully described with l bits of precision, i.e. there exists a naturalnumber C ∈ N such that φ = C
2l.
We consider a quantum unitary Q satisfying
Q(|k〉|ψ〉) = |k〉Uk(|ψ〉).
for any k ∈ 0, . . . , 2l − 1 and any state |ψ〉. We perform the following algorithm:
1. Start from |0〉|ψ〉 and apply F2l on the first register. The resulting state is
1√2l
2l−1∑k=0
|k〉|ψ〉.
2. Apply Q on both registers.
1√2l
2l−1∑k=0
Uk|k〉|ψ〉 =1√2l
2l−1∑k=0
λk|k〉|ψ〉
=1√2l
2l−1∑k=0
e2iπkC
2l |k〉|ψ〉.
3. Apply the inverse Fourier transform F−12l
on the first register. The resulting state is |C〉|ψ〉.It is then easy to recover φ from C.
18
General case If φ cannot be written with l bits of precision, we consider the closest approximationof φ of the form C
2l. An error analysis (not detailed here) shows that the above procedure will find
this C with probability at least 4π2 . By performing several iterations of this procedure, we can find
the correct C, i.e. a good approximation of φ with a probability that exponentially converges to 1in the number of iterations.
Efficiency of the algorithm If U can be computed efficiently and if, for any k ∈ 0, . . . , 2l−1,Uk can be computed efficiently then Q can be computed efficiently and the whole algorithm isefficient. This means that if we want our algorithm to run in time poly(n) (assuming U can becomputed in time poly(n)), we have to take l = O(log(n)).
4.2 Application 1: Counting algorithm
4.2.1 Quick reminder of Grover’s algorithm
We present here a quick reminder of Grover’s algorithm.
Search problem
Input: a function f : 0, 1n → 0, 1.Goal: find x such that f(x) = 1.
We have a quantum access to f i.e. we have access to the quantum unitary Of satisfying:
∀x ∈ 0, 1n, Of (|x〉|0〉) = |x〉|f(x)〉.
Grover’s algorithm: if there are T solutions, finds one with O(√
2n
T ) calls to Of and in time
O(√
2n
T · Time(f)) where we use the notation O(b(n)) = O(b(n) · polylog(b(n))
)for any b(n).
Grover’s algorithm
1. Create the state |ψ1〉 = Of
(1
2n/2
∑x∈0,1n |x〉|0〉
)= 1√
2n
∑x∈0,1n |x〉|f(x)〉.
2. Decompose into the good x and bad x (recall there are T solutions).
|ψ1〉 =
√T
2n
∑x:f(x)=1
1√T|x〉|f(x)〉
︸ ︷︷ ︸|ψGood〉
+
√1− T
2n
∑x:f(x)=0
√1
2n − T|x〉|f(x)〉
︸ ︷︷ ︸|ψBad〉
=
√T
2n|ψGood〉+
√1− T
2n|ψBad〉
3. Alternate the following 2 operations to transform |ψ1〉 into a state close to |ψGood〉
• Phase flip over f(x) register: OZ(|x〉|f(x)〉 = (−1)f(x)|x〉|f(x)〉.• Reflexion over |ψ1〉: Ref|ψ1〉(|ψ1〉) = |ψ1〉 ; Ref|ψ1〉(|ψ⊥1 〉) = −|ψ1〉⊥ for any |ψ1〉⊥ orthog-
onal to |ψ1〉.
4. Geometrical interpretation in the subspace |ψGood〉, |ψBad〉.
19
• OZ is a reflexion over |ψBad〉.• Ref |ψ1〉 is a reflexion over |ψ1〉.•(OZ Ref |ψ1〉
)is a 2θ counter clockwise rotation where cos(θ) := 〈ψ1|ψBad〉
• 〈ψ1|ψBad〉 =√
1− T2n so θ ≈
√T2n when T 2n.
5. Perform this rotation 12θ − 1 times to be close to |ψGood〉.
Picturing the algorithm
. . .
4.2.2 Going back to the counting algorithm
Counting problem
Input: a function f : 0, 1n → 0, 1.Goal: output T = |x : f(x) = 1|.
Description of the algorithm: consider the state |ψ〉 and the operations Ref|ψ1〉 and OZ fromthe Grover’s algorithm section (Section 4.2.1) and let U = OZ Ref |ψ1〉. From the analysis ofGrover’s algorithm, U is a 2θ counter clockwise rotation in the basis |ψBad〉, |ψGood〉 with θ =
arccos(〈ψ1|ψBad〉) = arccos(√
1− T2n ). We can therefore write U =
(cos(2θ) − sin(2θ)sin(2θ) cos(2θ)
)in this
basis.U has 2 eigenvalues |e0〉 = 1√
2(|ψBad〉+ i|ψGood〉) and |e1〉 = 1√
2(|ψBad〉 − i|ψGood〉) with respective
eigenvalues e−2iπ(2θ) and e2iπ(2θ). Take the state
|ψ1〉 =
√T
2n|ψGood〉+
√1− T
2n|ψBad〉
= α|e1〉+ β|e2〉 for some α, β ∈ C
20
which is efficiently computable. What happens when we apply the phase estimation algorithm on|ψ1〉 and U? Well, |ψ1〉 is not an eigenstate of U but a superposition of its 2 eigenstates. Thealgorithm will output −2θ (actually 2π − 2θ) with probability |α|2 and 2θ with probability |β|2.We can easily distinguish between the 2 cases and always output the good value for θ. From there,using the relation between θ and T , we can recover T .
If we want an algorithm running in poly(n) then we can do this up to an additive error of 1poly(n)
in the angle 2θ we find.
4.3 Application 2: Fourier transform FN for any N ∈ N
In Chapter 1, we showed how to perform the Fourier transform FN when N = 2n for some n ∈ N.Here, we show how to perform the Fourier transform for any N . FN will act on a quantum registerthat can take N values from 0 to N − 1 and
∀k ∈ 0, . . . , N − 1, FN (|k〉) =1√N
N−1∑j=0
ωjk|j〉.
where ω := e2iπN . Let U1 and U2 two unitaries that do the following, ∀k ∈ 0, . . . , N − 1.
U1(|k〉|0〉) = |k〉FN (|k〉) ; U2(FN |k〉|0〉) = FN (|k〉)|k〉.
From those two unitaries, we can perform FN as follows
|k〉|0〉 U1−→ |k〉FN (|k〉) SWAP−−−−→ FN (|k〉)|k〉 U2−→ FN (|k〉)|0〉.
what is left to show is how to perform U1 and U2. U1 can be performed quite easily.Let SN a quantum unitary such that SN (|0〉) = 1√
N
∑N−1j=0 |j〉. Since N is not a power of 2, SN
cannot be expressed as Hadamards but we can still easily construct such a unitary. Let also Omultsatisfying Omult(|k〉|j〉|0〉) = |k〉|j〉|kj mod N〉.
Let’s now construct U1.
1. Start from |k〉|0〉|0〉 and apply SN on the second register. The resulting state is
|k〉 1√N
∑j
|j〉|0〉.
2. Apply Omult on the three registers.
|k〉 1√N
∑j
|j〉|kj mod N〉.
3. Apply the unitary |x〉 → ωx|x〉 on the third register.
|k〉 1√N
∑j
ωkj |j〉|kj mod N〉.
4. Apply O−1mult on the three registers. We obtain
|k〉 1√N
∑j
ωkj |j〉|0〉 = |k〉FN (|k〉)|0〉.
21
Swapping registers is then easy. What is left to do is to perform unitary U2. We consider theunitary Oadd such that Oadd(|k〉) = |k + 1 mod N〉. The idea is that FN (|k〉) is a eigenvector ofOadd with eigenvalue λk and that it will be easy to recover k from λk. Doing this in a coherent waywill give U2.
First see that
OaddFN (|k〉) =1√N
N−1∑j=0
ωjk|j + 1 mod N〉 = ω−k1√N
N−1∑j=0
ωjk|j〉
which means that FN (|k〉) is an eigenvector of Oadd with eigenvalue ω−k = ωN−1−k. If we applythe phase estimation from the previous section, with l = dlog(N)e, we obtain
FN (|k〉)|0〉 Phase Estimation with Oadd−−−−−−−−−−−−−−−−−→ FN (|k〉)|N − 1− k〉.
Which by applying |N − 1− x〉 → |x〉 gives the correct result. Actually, the phase estimation willonly give N −k with some (high) probability so this whole process will construct an approximationof U2.
Putting everything together, we managed to construct FN (|k〉). This unitary has many appli-cations, for example for the Discrete Log quantum algorithm.
22
Chapter 5
Lower bound for Grover’s algorithm
5.1 Lower bound for Grover’s algorithm and quantum complexity
Here, we show that for the search problem, Grover’s algorithm is essentially optimal so we cannotexpect anything better than 2n/2.
Framework
• Input: function f : 0, 1n → 0, 1. Goal: find x st. f(x) = 1.
• Access to Of (|x〉X |b〉B) = |x〉X |b⊕ f(x)〉B.
• How many calls do I have to make to Of to find x in the worst case?
• Result here: need Ω(2n/2) calls to Of to work wp. 1.
General structure of a q-query search algorithm
• Initialize:
|ψ0,f 〉 = |ψ0〉 =∑
x∈0,1n
∑b∈0,1
α0x,b|x, b〉XB|E0
x,b〉E st.∑x,b
|α0x,b|2 = 1
23
• 1 step: apply a unitary Of on XB and U i+1 independent of f on XBE.
|ψi+1,f 〉 = U i+1(Of ⊗ IE)(|ψi,f 〉)
=∑
x∈0,1n
∑b∈0,1
αi+1,fx,b |x, b〉XB|E
i+1,fx,b 〉E
Again,∑
x,b |αi+1,fx,b |
2 = 1.
• Final state: |ψq,f 〉. Procedure to extract a solution from this state.
Main idea
• For any y ∈ 0, 1n, we define fy satisfying fy(y) = 1 and fy(x) = 0 for x 6= y.
• Consider any y, z ∈ 0, 1n. The search procedure should output y when querying fy and zwhen querying fz.⇒ |ψq,fy〉 and |ψq,fz〉 are orthogonal.
• But |ψ0,fy〉 = |ψ0,fz〉. Idea is to show that each query cannot separate those 2 states toomuch (on average on y, z).
The Euclidian norm on quantum states We consider the Euclidian∣∣∣∣∣∣ · ∣∣∣∣∣∣. Recall that∣∣∣∣∣∣∑
i
αi|i〉∣∣∣∣∣∣ =
√∑i
|αi|2.
For any 2 quantum states |φ1〉, |φ2〉 and any Unitary U , we have∣∣∣∣∣∣|φ1〉 − |φ2〉∣∣∣∣∣∣ =
∣∣∣∣∣∣U(|φ1〉) −
U(|φ2〉)∣∣∣∣∣∣. One can also check that if |φ1〉⊥|φ2〉 then
∣∣∣∣∣∣|φ1〉 − |φ2〉∣∣∣∣∣∣ =√
2. We use an intermediate
function, the all 0 function denoted f∅. Notice that Of∅ = I. We first show
Lemma 2. 12n∑
y
∣∣∣∣∣∣|ψq,f∅〉 − |ψq,fy〉∣∣∣∣∣∣ ≥ √2 · 2n−12n .
Proof. Let y0 ∈ 0, 1n that minimizes∣∣∣∣∣∣|ψq,f∅〉 − |ψq,fy0 〉∣∣∣∣∣∣. We have
1
2n − 1
∑y 6=y0
∣∣∣∣∣∣|ψq,fy〉 − |ψq,fy0 〉∣∣∣∣∣∣ =√
2.
from the orthogonality of those states. Moreover, by triangle inequality, we have
1
2n − 1
∑y 6=y0
∣∣∣∣∣∣|ψq,fy〉 − |ψq,fy0 〉∣∣∣∣∣∣ ≤ 1
2n − 1
∑y 6=y0
∣∣∣∣∣∣|ψq,fy〉 − |ψq,f∅〉∣∣∣∣∣∣+1
2n − 1
∑y 6=y0
∣∣∣∣∣∣|ψq,f∅〉 − |ψq,fy0 〉∣∣∣∣∣∣≤ 2
2n − 1
∑y 6=y0
∣∣∣∣∣∣|ψq,fy〉 − |ψq,f∅〉∣∣∣∣∣∣From there, we get the result:
1
2n
∑y
∣∣∣∣∣∣|ψq,f∅〉 − |ψq,fy〉∣∣∣∣∣∣ ≥ 1
2n
∑y 6=y0
∣∣∣∣∣∣|ψq,f∅〉 − |ψq,fy〉∣∣∣∣∣∣ ≥ 1√2· 2n − 1
2n.
24
So now, our goal is to bound this quantity as a function of q. This will give us the desired lowerbound on q. We first prove the following:
Lemma 3. For any i ∈ [0, q − 1], for any y ∈ 0, 1n, we have∣∣∣∣∣∣|ψi+1,f∅〉 − |ψi+1,fy〉∣∣∣∣∣∣ ≤ ∣∣∣∣∣∣|ψi,f∅〉 − (Ofy ⊗ I)|ψi,f∅〉
∣∣∣∣∣∣+∣∣∣∣∣∣|ψi,f∅〉 − |ψi,fy〉∣∣∣∣∣∣.
Proof. We have∣∣∣∣∣∣|ψi+1,f∅〉 − |ψi+1,fy〉∣∣∣∣∣∣ =
∣∣∣∣∣∣U i+1|ψi,f∅〉 − U i+1(Ofy ⊗ I)|ψi,fy〉∣∣∣∣∣∣
≤∣∣∣∣∣∣U i+1|ψi,f∅〉 − U i+1(Ofy ⊗ I)|ψi,f∅〉
∣∣∣∣∣∣+∣∣∣∣∣∣U i+1(Ofy ⊗ I)|ψi,f∅〉 − U i+1(Ofy ⊗ I)|ψi,fy〉∣∣∣∣∣∣
=∣∣∣∣∣∣|ψi,f∅〉 − (Ofy ⊗ I)|ψi,f∅〉
∣∣∣∣∣∣+∣∣∣∣∣∣|ψi,f∅〉 − |ψi,fy〉∣∣∣∣∣∣.
We now prove our main proposition
Proposition 1.1
2n
∑y
∣∣∣∣∣∣|ψq,f∅〉 − |ψq,fy〉∣∣∣∣∣∣ ≤ 2q
2n/2.
Proof. Fix i and y. We write
|ψi,f∅〉 =∑
x∈0,1n
∑b∈0,1
αix,b|x, b〉XB|Eix,b〉E
From the definition of Ofy , we also have
(Ofy ⊗ I)|ψi,f∅〉 =∑x 6=y
∑b∈0,1
αix,b|x, b〉XB|Eix,b〉E +∑
b∈0,1
αix,b|y, b〉XB|Eiy,b〉E
for some unknown amplitudes αix,b (the superscripts f∅ are omitted). For each y, i, this gives∣∣∣∣∣∣|ψi,f∅〉 − (Ofy ⊗ I)|ψi,f∅〉∣∣∣∣∣∣ =
√∑x 6=y,b
|αix,b − αix,b|2 +∑b
|αiy,b − αiy,b〈Eiy,b|Eiy,b〉|
2
≤ 2√|αiy,0|2 + |αiy,1|2
Plugging this into the inequality of Lemma 2 and performing a recursion, we get
∣∣∣∣∣∣|ψq,f∅〉 − |ψq,fy〉∣∣∣∣∣∣ ≤ q−1∑i=0
2√|αiy,0|2 + |αiy,1|2
25
We average this over all y and get.
1
2n
∑y
∣∣∣∣∣∣|ψq,f∅〉 − |ψq,fy〉∣∣∣∣∣∣ ≤ 1
2n
∑y∈0,1n
q−1∑i=0
2√|αiy,0|2 + |αiy,1|2
≤ 1
2n/2
q−1∑i=0
2
√√√√√∑y
|αiy,0|2 + |αiy,1|2︸ ︷︷ ︸=1
≤ 2q
2n/2.
Using Lemma 2, we immediately have q ≥ Ω(2n/2).
5.2 Quantum complexity
5.2.1 Definitions
This part will be self contained but will be easier to read with basic notions of complexity theory.We start with the definitions of basic complexity classes.
Definition 1. A language L is in P iff. there exists an algorithm A (x) running in polynomialtime (in its input’s size |x|) such that
• ∀x ∈ L, A (x) outputs 1.
• ∀x /∈ L, A (x) outputs 0.
Definition 2. A language L is in BPP iff. there exists a randomized algorithm A (x) running inexpected polynomial time (in its input’s size |x|) such that
• ∀x ∈ L, Pr[A (x) outputs 1] ≥ 2/3.
• ∀x /∈ L, Pr[A (x) outputs 1] ≤ 1/3.
Definition 3. A language L is in BQP iff. there exists a quantum algorithm A (x) running inexpected polynomial time (in its input’s size |x|) such that
• ∀x ∈ L, Pr[A (x) outputs 1] ≥ 2/3.
• ∀x /∈ L, Pr[A (x) outputs 1] ≤ 1/3.
Definition 4. A language L is in NP iff. there exists an algorithm A (x, y) running in polynomialtime (in its input’s size |x|, |y|) such that
• ∀x ∈ L, ∃y ∈ 0, 1poly(|x|), A (x, y) outputs 1.
• ∀x /∈ L, ∀y ∈ 0, 1poly(|x|), A (x, y) outputs 0.
26
Figure 5.1: Poll on P vs. NP, taken from [Gas12]
5.2.2 Comparing BQP and NP
Chapter 2 showed that factoring can be solved in polynomial time with a quantum computer. Interms of complexity this means in terms of complexity that the decision problem FACTORD (seeFigure 1) is in BQP. While we have by definition that P ⊆ BPP ⊆ BQP, we have no idea if thoseinclusions are tight. For example, many people believe that BPP can be derandomized meaningthat P = BPP. Also, we could also have BPP = BQP but this would have drastic consequences. Inparticular, this would imply FACTORD ∈ BPP, where FACTORD is a decision problem associatedto factoring.
FACTORD Problem
Input: a number N of n bits and a number k ∈ N.(N, k) ∈ FACTORD iff. ∃M ∈ [2, k] st. M |N .
Remark: If one has a polynomial algorithm (classical or quantum) to solve the FACTORD
Problem then one can use it to solve the Factoring problem defined in Chapter 2 also in polynomialtime in n. Can you find how?
So we have FACTORD ∈ BQP while we don’t know (and don’t believe) that FACTORD ∈ BPP.FACTORD ∈ NP but is not an NP-complete problem. However, we also don’t know and don’tbelieve that NP ⊆ BQP. This means that we have no polynomial algorithm for NP-completeproblems such as 3-SAT. The black box quantum lower bound for Grover’s algorithm is one of thereasons why we don’t believe NP ⊆ BQP.
Of course, we could have P = NP (or even P = PSPACE) but this not believed, see Figure5.1.
5.2.3 Quantum equivalent of NP
The natural quantum equivalent of quantum NP is QMA.
Definition 5. A language L is in QMA iff. there exists a quantum algorithm A (x) running inexpected polynomial time (in its input’s size |x|) such that
• ∀x ∈ L,∃|φ〉 of size poly(|x|), Pr[A (x, |φ〉) outputs 1] ≥ 2/3.
27
Figure 5.2: Currently believed inclusions of complexity classes
Figure 5.3: Another possibility: full collapse
• ∀x /∈ L,∃|φ〉 of size poly(|x|), Pr[A (x, |φ〉) outputs 1] ≤ 1/3.
There aren’t actually many problems which are known to be in QMA but not in MA (theprobabilistic version of NP). The more we go higher in complexity, the less difference there isbetween classical and quantum. We even have QPSPACE = PSPACE, where PSPACE (resp.QSPACE) is the complexity class of languages that can be solved with an algorithm (resp. quan-tum algorithm) running in polynomial space - but potentially exponential time.
28
Chapter 6
Quantum SupremacyThe problem Google solved
On October 24 2019, a research group lead by John Martinis announced to have achieved QuantumSupremacy, meaning that they performed a task using a programmable quantum architecture -calling this a quantum computer is still premature - that can’t be solved with current classicalcomputers. More precisely, they constructed an architecture of 53 qubits that they used to solvea sampling problem in 3 minutes which would take 10000 years to solve on a desktop computer.IBM, Google’s main competitor, announced that this problem could be solved in only a few daysusing the best existing super computers, diminishing Google’s claims.
In this Chapter, we will present the sampling problem solved for this Quantum SupremacyExperiment, the associated quantum architecture that was built and a discussion on the classicaldifficulty of this problem. A good part of this lecture is a rewriting of parts of the Google article.
6.1 Sampling Random Quantum Circuits
Circuit Sampling: The input is a description of a n-qubit quantum circuit U , described by asequence of one and two-qubit gates. The task of the problem is to sample from the probabilitydistribution of outcomes
pU (x) = |〈x|U |0n〉|2.
If we run U on input |0n〉 and measure the whole output, pU (x) is the probability that we measurex.
A classical algorithm for (perfect) circuit sampling can be thought of, without loss of generality,as a function A, mapping m ∈ poly(n) bits r = (r1, . . . , rm) to n bits such that
∀x ∈ 0, 1, 1
2m|(r1, . . . , rm) : A(r1, . . . , rm) = x| = pU (x).
6.1.1 Brief overview of the difficulty of the problem
In the quantum setting, it is easy to sample from distribution pU : run U on input |0n〉, and measurethe output. By definition of pU , the output will be x with probability exactly pU (x) (on a perfectquantum computer). However, it is believed to take an exponential time in n to perform with aclassical computer. This is the starting point of the quantum supremacy experiment: build a smallquantum unitary U from which we will be able to sample pU while the problem should be hard fora classical computer. These are the hurdles that have to be overcome in order for this approach towork:
29
• First, build a quantum architecture for which we will be able to compute the unitary U fora randomly chosen U . The quantum supremacy experiment uses n = 53 but there are a lotof practical imperfections so the sampling problem solved has a lot of errors.
• Taking into account these imperfections, the classical problem should still be hard.
6.2 The Quantum Sampling Problem
6.2.1 The architecture used
When we look at circuits of 1 and 2 (qu)bit, we usually consider the case where any pair of wirescan be put together in order to perform a 2 (qu)bit gate. However, in the quantum setting, this ischallenging and we only have near neighbor interactions. In the quantum supremacy experiment,the interactions can be done as follows:
Each square represents a qubit and only 2 squares (i.e. qubits) that have a common edge canbe used together to perform 2 qubit gates. Now that we have our qubit layout, what unitary Ucould be performed by the Google team? They apply 20 times the following procedure:
• For each qubit, apply one of the 3 following single qubit unitaries, which hasn’t been appliedin the previous round
X ′ =1√2
(1 −i−i 1
); Y ′ =
1√2
(1 -11 1
); W ′ =
1√2
(1
√−i√
−i 1
)• Then, we apply the following 2 qubit gate G2, on pairs, according to one of the layouts below.
G2 =
1 0 0 00 cos(θ) −i sin(θ) 00 −i sin(θ) cos(θ) 00 0 0 eiφ
.
with θ ≈ π2 and φ ≈ π
6 .
30
The device here constructed is programmable in the sense that we can choose between thedifferent gates X ′, Y ′,W ′ as well as the places where we apply G2. Moreover, they showed that theset X ′, Y ′,W ′, G2 forms a universal set of quantum gates so if they could scale up this technologythen they could construct a full quantum computer.
6.2.2 Errors in the quantum sampling
We showed how to construct this random unitary U and we said that by running U quantumly,we could sample from the distribution pU . However, in the real quantum supremacy experiment,we can only sample U with a lot of errors. The quantum supremacy experiment says that each oftheir have around 0.3% of errors. We will consider here a simplified model where we assume thata gate function correctly with probability 99.7% and that it outputs a random state otherwise1.
In each of the 20 rounds, there are 53 single qubit gates and ≤ 24 2-qubit gates, dependingon the layout. This means that the whole unitary is correctly performed with probability at least0.997(53+24)∗20 ≈ 1%. The rest of the time, because the noise is a random noise, the measuredoutput is a uniform random string. Therefore, the quantum supremacy experiment can samplefrom the distribution pU defined as
pU := FpU + (1− F )Unif.
with F = 1%.
Verifying that succeeded the sampling task. Notice that pU (resp. pU ) are each charac-terized by 253 probabilities corresponding to the different pU (x) (resp. pU (x)). For a given U ,we therefore don’t know the full distributions pU and pU so how can we check that the quantumsupremacy experiment indeed samples from pU? Well right now, we can’t. The only thing we cando is to analyze the behavior of the quantum architecture on smaller values of n, for which we cancompute pU , and then, to extrapolate this behavior for n = 53. There are different advanced ex-trapolation arguments to show that the quantum supremacy experiment does what is says it does2
but only a future calculation of pU will determine if they indeed sampled from pU (or somethingapproaching) or not.
1This is actually not an necessary assumption in the Google experiment. They use the notion of cross entropythat allows to deal with any kind of errors and not just random errors.
2In particular, they study a regime where n = 53 but the unitary U is a product unitary U1 ⊗ U2 over 2 chunksand pU becomes computable
31
6.3 Classical hardness of the sampling problem
6.3.1 A bit of complexity: the language AM.
Definition 6. A language L is in AM iff. there exists a randomized algorithm A (x) running inexpected polynomial time (in its input’s size |x|) and 2 polynomials p, q such that
• ∀x ∈ L, Pry∈0,1p(|x|) [∃z ∈ 0, 1q(|x|), A (x, y, z) outputs 1] ≥ 2/3.
• ∀x /∈ L, Pry∈0,1p(|x|) [∀z ∈ 0, 1q(|x|), A (x, y, z) outputs 1] ≤ 1/3.
AM can be seen as the complexity class for which there exists a 2 message interactive proofbetween a polynomial time verifier and an all powerful prover where:
• V first sends a random string y ∈ 0, 1p(|x|).
• P sends a string z to the verifier.
• V uses A and accepts if A (x, y, z) outputs 1.
6.3.2 Classical hardness of the problem
In order to argue about the classical hardness, we will use the following proposition and conjectures.
Proposition 2. For a random unitary U , if one can approximately compute |〈0|U |0〉|2 then onecan compute Permanents3 of random matrices. This is #P -complete.
#P is the complexity class that corresponds to counting the number of solutions of a givenproblem. We present below some examples of #P -complete problems, taken from Wikipedia.
3For a matrix A = (ai,j), we have Perm(A) =∑σ∈Sn
Πni=1ai,σ(i) where Sn is the set of permutations of 1, . . . , n.
32
Proposition 3. If there is a polynomial classical algorithm to sample from pU for a random Uthen there is an AM protocol to solve the problem of computing |〈0|U |0〉|2 for a random U .
Conjecture 1. #P 6⊆ AM.
If this conjecture is false, i.e. if #P ⊆ AM then crazy things happen in complexity theory. Inparticular, the polynomial hierarchy collapses to the third level.
Putting the 2 Propositions together, we conclude that if there exists a polynomial time classicalalgorithm for the sampling problem then Conjecture 1 is false and the polynomial hierarchy collapsesto the third level.
6.3.3 Best classical algorithms of the sampling problem
In the previous section, we sketched the argument that shows that the sampling problem shouldbe hard for quantum computers. We present here what corresponds to the 10000 years claimed byGoogle and the 2− 3 days claimed by IBM. Here are the running times expected by Google, takenfrom their paper. Plots (a) and (c) correspond to running times of the actual sampling problem.Plot (b) is the time to compute a verification circuit, as an indicator that the extrapolation of thebehavior of their quantum architecture behaves well.
The plot (a) shows fast running times but the RAM requirements are out of reach. What theIBM team was to find ways to optimize the RAM requirements and push the purple dotted linemore on the right to include the quantum architecture from Google. However, as soon as we move
33
towards 70 or 80 qubits, the RAM requirements will be way too large again in order to be used ona supercomputer and as we can see, other known methods stay very slow.
34
Don’t put in course.
6.4 Sketch of Proof of Proposition 3
The goal of this Section is to prove the following proposition
Proposition 3. If there is a polynomial classical algorithm to sample from pU for a random Uthen there is an AM protocol to solve the problem of approximating |〈0|U |0〉|2 for a random U .
The problem we will solve is the following:
Approximating |〈0|U|0〉|2 problem
Input: a random matrix U . Language L:
• U ∈ L iff. |〈0|U |0〉|2
Proof sketch. Assume there is a classical algorithm to sample from pU for a random U . As wewrote before, this means that there is an efficiently computable function A mapping m bits to nbits such that
∀x ∈ 0, 1, 1
2m|(r1, . . . , rm) : A(r1, . . . , rm) = x| = pU (x).
We will construct an AM
35
Bibliography
[Gas12] William Gasarch. Guest column: the second p =?np poll. 43:53–77, 06 2012.
36