Quantum algorithms in group theory

Contemporary Mathematics arXiv:quant-ph/0310133v2 7 Nov 2003 Quantum Algorithms In Group Theory Michael Batty, Samuel L. Braunstein, Andrew J. Duncan, and Sarah Rees Abstract. We present a survey of quantum algorithms, primarily for an intended audience of pure mathematicians. We place an emphasis on algorithms involving group theory. Contents 1. Introduction 1 2. The basics of quantum computing 3 3. The Deutsch–Jozsa algorithm 17 4. Shor’s algorithm and factoring integers 22 5. Grover’s algorithm 40 6. Watrous’ algorithms for solvable groups 46 References 50 1. Introduction It has been known for some time that simulating quantum mechanics (on a computer based on classical mechanics) takes time which is exponential in the size of the system. This is because the total quantum state behaves as a tensor product of the individual states [35]. In 1982 Feynman [20] asked whether we could build a computer based on the principles of quantum mechanics to facilitate this task of simulation. Deutsch, in 1985, [14] extended the question and asked whether there are any problems which can be solved more efficiently on such a quantum computer. He answered the question in the affirmative, within the abstract setting of black boxes and query complexity. This was done by demonstrating a property of a black box function which requires two evaluations for its determination on a classical computer, but only one evaluation on a quantum computer. This work was generalised by Deutsch and Jozsa [15] in 1992 with an algorithm to distinguish between constant and balanced functions in a single evaluation. This is an exponential speed-up over the The project is supported by EPSRC MathFIT grant GR/87406. The second author currently holds a Royal Society – Wolfson Research Merit Award. c 0000 (copyright holder) 1 2 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES deterministic classical case. However, use of classical non–deterministic algorithms removes this exponential gap. Shor’s celebrated algorithm [53], [54] for factoring integers efficiently on a quantum computer gave the subject a huge boost in 1994, because of its applicability to the RSA cryptosystem. This factoring is possible due to the ability of the quantum computer to find the period of a function quickly, given that we are promised in advance that the function is periodic. It does this using the quantum Fourier transform, which can be constructed efficiently using a technique similar to that of the fast Fourier transform. Another well-known quantum algorithm √ is Grover’s algorithm [23], which performs an unstructured search in a list of size N in time O( N ). This uses a wholly different approach to Shor’s algorithm and is based on the geometric idea of rotating towards a solution within the quantum state. It is worth noting that a quantum computer can be simulated on a classical computer (albeit very slowly). So something which is classically algorithmically undecidable (for example the word problem for finitely presented groups) remains undecidable on a quantum computer. Thus we only gain improvements in efficiency: the impact of the model of quantum computing described here is on complexity theory. We note in passing that that our model of quantum computing, though the most generally accepted is not the only one that has been proposed. For example adiabatic quantum computing [18], [19] is based on a continuous version of the usual model, in which the evolution of the quantum system is given by its Hamiltonian which is dependent on a parameter which varies smoothly from 0 to 1. Interesting methods and questions arise from the study of this model: see [57]. What is interesting to us is that group theory is playing an increasingly important part in providing algorithms which are amenable to quantum computing. The modern setting for the class of quantum algorithms which use the Fourier transform (including Shor’s algorithm and the DeutschJozsa algorithm) is the hidden subgroup problem. We describe this and mention the cases where it has and has not been solved. The general case of the hidden subgroup problem (for an arbitrary finite group) is still open and is known to include the graph isomorphism problem as a special case. The main strand of group theory in quantum computing consists of efficient quantum algorithms in finite groups, of which the hidden subgroup problem is but one. Results relating to the group non-membership problem are proved by Watrous in [59], where he shows that this problem lies in a quantum complexity class analogous to Babai and Moran’s Merlin-Arthur games class MA (as defined in [2]). Our article culminates with another recent algorithm due to Watrous [60], which efficiently finds the order of a black box solvable group. This builds on Shor’s algorithm but also contains essential new ingredients which seem to crucially depend on group-theoretic structure. Sections 2,3,4 and 6 of these notes are based on a course of eight lectures given by the first named author to staff and postgraduate students at the University of Newcastle upon Tyne in the summer of 2002. He thanks all those who took part for their interest and enthusiasm. He also thanks John Watrous for useful conversations at the University of Calgary in March 2003. Sources we found especially useful while preparing this document were [8] and [49] for a first overview of quantum computing, [29] and [45] for further depth and general background, with [16] and [48] providing the more detailed aspects of Shor’s algorithm; the former for its exposition of the number-theoretic aspects in particular, and the latter for its account of implementing the quantum Fourier transform efficiently. It should be noted at this point that we have taken Shor’s approach to this algorithm rather than that of Kitaev [38], mainly because the former came to our attention first. For the Deutsch-Jozsa algorithm, [46] and [12] provided good recent accounts. We made use of Jozsa’s survey [33] for the hidden subgroup problem, as well as many sources quoted in Section 4.9. Watrous’ work was taken from the original sources, although we have changed some of the notation to make it clearer to ourselves. We thank the referee for careful reading of the manuscript many helpful remarks. QUANTUM ALGORITHMS 3 2. The basics of quantum computing 2.1. An overview. Before we start to describe the mathematical nuts and bolts of quantum computing it is perhaps worth describing informally what happens during a quantum computation, and how it differs from a classical computation. Later, in Section 2.3, we shall give a fuller and more formal account of our standing model of quantum computation. A quantum system is both constrained by and enriched by the quantum mechanics which apply to the physical device used to store and manipulate data. These devices may consist for example of ion traps, optical photons or nuclear magnetic resonance systems, among others (see [45] for a brief account of possible technologies). At this stage the reader may start to feel anxiety through lack of knowledge of quantum physics, but in fact no physics is required to understand the computational model described in this article: such knowledge is needed only to understand where the seemingly strange rules come from. In any case we shall cover what’s needed as and when required. The memory (register) of a classical computer consists of a set of classical bits, each of which can be in one of two states, 0 or 1. We can therefore view the memory of an n–bit computer as the set Zn2 , the direct sum of n copies of Z2 = Z/2Z. The states of such a computer are binary sequences of length n, which we regard as elements of Zn2 . Computations then consist of sequences of functions f : Zn2 → Zn2 , which allow the state of the system to be transformed. For example the classical NOT gate is the function ¬ : Z2 → Z2 given by ¬(i) = i + 1 mod 2. The final state determines the result of the computation. The memory of a quantum computer consists of a finite dimensional complex vector space V , with an inner product (in fact a Hilbert space). A state of this quantum computer is a unit vector in V . Given a set X we denote by CX the complex vector space with basis the elements of X. For example CZ2 is a 2–dimensional vector space. Corresponding to the classical n–bit computer above we have the n quantum bit or n–qubit quantum computer which has memory consisting of the 2n –dimensional vector space V = CZ⊗n 2 (by which we mean the n–fold tensor product of CZ2 ). Note that the dimension of CZ⊗n is the same as the dimension of C(Zn2 ): elements of the basis 2 of both vector spaces are in one to one correspondence with n–tuples of elements of Z2 . However the inner product in these spaces is not the same and we shall see, in due course, that it is the tensor product which best encapsulates the physical characteristics of quantum mechanics. A quantum computation consists of three phases, an input phase, an evolutionary phase and a measurement or output phase. We assume that we can prepare simple input states, for example states consisting of basis vectors. Computations then consist of sequences of unitary linear transformations φ : V → V which alter the state of the quantum computer from v to φ(v). For example, if Z2 has elements 0 and 1 we may identify these with basis vectors e0 , e1 of the vector space CZ2 . Then, corresponding to the classical NOT gate above, we have the quantum NOT gate: the β ∈ C. That unitary transformation ¬ : CZ2 → CZ2 given by ¬(αe0 + βe1 ) = αe1 + βe0 , for all α, √ is, ¬ permutes the basis of CZ2 . Observe that if the computer is in state √ (e0 − e1 )/ 2 then one application of the quantum NOT gate results in the state (−e0 + e1 )/ 2. This behaviour, and its higher dimensional analogues, give rise to what is known as quantum parallelism. Quantum computing also derives additional power from the existence of unitary transformations which, unlike the previous example, do not arise from permutations of the basis of the quantum system. For √ example there is√a unitary map, of CZ2 to itself, sending basis vectors e0 and e1 to (e0 + e1 )/ 2 and (e0 − e1 )/ 2, respectively. There is no corresponding classical transformation as the images of the basis vectors cannot be stored on a one–bit classical register. After a computation on a classical computer the output can be observed and preserved for future use if necessary. A major difficulty in quantum computation is that the process of observation, or measurement, of the state of the quantum computer may, according to the laws of quantum mechanics, alter the state of the system at the instant of measurement. That is, measurement 4 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES entails a transformation of the quantum state and the result observed is the transformed state. The process is, however, probabilistic rather than non–deterministic. For instance if the quantum state is α1 v1 + · · · αm vm , where αi ∈ C, {vi : i = 1, . . . , m} is an orthonormal basis for V and |α1 |2 +· · ·+|αm |2 = 1, then, under a standard measurement scheme, we observe vi with probability |αi |2 . Typically in a quantum algorithm states are manipulated to change probabilities so that some characteristic of the output can be detected. In fact most quantum algorithms are Monte Carlo algorithms which have some probability of success bounded away from zero. This allows us to make the probability of failure of the algorithm arbitrarily small, by repetition. 2.2. Dirac’s bra–ket notation and conventions for linear algebra. We refer the reader to [27] as standard reference for linear algebra and [37] for further details of linear operators. We consider only finite dimensional complex vector spaces equipped with inner products. A quantum state means a unit vector in such a space. A superposition means a linear combination of given vectors which is of unit length. An amplitude is a coefficient of a vector expressed in terms of some fixed basis. If we have a superposition of vectors in which all the (non–zero) amplitudes have equal size then we say we have a uniform superposition. These terms are all standard within the field of quantum computation. The use of ket |· i and bra h· | to denote vectors and their duals is also standard in quantum mechanics. Although we do not use it heavily in this article it is a concise and manageable notation, once it becomes familiar, so we include a description before moving on to a detailed discussion of quantum computation. A vector, with label ψ, is written using the ket notation as |ψi. For instance, if X is a set then {|xi : x ∈ X} denotes an orthonormal basis for CX, with the usual inner product. Also, if V is an m–dimensional inner product space then we write {|0i , . . . |m − 1i} to denote an orthonormal basis of V . Our convention, which seems to be the standard in quantum mechanics, is that the inner product on V is linear in the second variable and conjugate–linear in the first variable. Using the bra–ket notation we write the inner product of (|xi , |yi) ∈ V ×V as hx|yi. If W is also an inner product space and T is a linear operator from V to W then hx|T |yi denotes the inner product of (|xi , T (|yi), where x ∈ W and y ∈ V (and the inner product is that of W ). There is an immediate pay–off to the use of this notation as follows. If V has orthonormal basis {|v1 i , . . . , |vm i} and W has orthonormal basis {|w1 i , . . . , |wn i} then the matrix of T with respect to these bases is easily seen to have (i,j)th entry hwi |T |vj i. Given T as above we write T † for the adjoint of T : that is the unique linear operator T † from W to V such that T † (|xi)|y = hx|T |yi (where the inner product on the left hand side is that of V ). If A is the matrix of T then the matrix of T † is the conjugate transpose of A and is also denoted A† . A linear operator T is unitary if T † T = I = T T †. We may regard a vector |xi ∈ V as a linear operator from C to V , taking 1 to |xi. Then the † dual of |xi is |xi , the linear functional taking |yi to hx|yi. Using bra notation, we write hx| for † |xi and then hx| (|yi) = hx|yi. To reconcile this with the more familiar row and column notation for vectors and their duals, suppose that |xi and |yi are the column vectors (1, i, 2 − i)T and † (2i, 1 + i, 1)T , respectively. Then |xi is (1, −i, 2 + i) and so hx| (|yi) = (1, −i, 2 + i)(2i, 1 + i, 1)T = 3 + 2i = h(1, i, 2 − i)T , (2i, 1 + i, 1)T i = hx|yi . Continuing in the spirit of this example, suppose V and W have orthonormal bases {v1 , v2 , v3 } and {w1 , w2 }, respectively, with respect to which |xi = (a1 , a2 , a3 )T and |yi = (b1 , b2 )T . Then we can evaluate the outer, or tensor, product of |xi and |yi which is given by (a1 , a2 , a3 )T (b1 , b2 ). This is the 3 × 2 matrix with (i, j)th entry ai bj = hvi |xi hy|wj i. This suggests that if V and W are vector spaces, x ∈ W and y ∈ V , then |xi hy| be defined as the linear operator from V to W QUANTUM ALGORITHMS 5 given the rule |xihy| (|vi) = |xi hy|vi = hy|vi |xi , for v ∈ V, that is, |xihy| is the tensor product of |xi and |yi. In fact |xihy| ∈ W † ⊗ V , where W † denotes the dual space of W . We may also regard |xihy| as the bilinear map V × W † → C which sends |vihw| to hw| (|xihy|) |vi = hw|xi hy|vi . For example CZ2 has basis {|0i , |1i} and |0ih1| is the linear operator sending |1i to |0i and |0i to the zero vector 0. If we identify |0i and |1i with (1, 0)T and (0, 1)T , respectively, then this linear operator has matrix   0 1 0 0 The Dirac notation for the transformation is more concise than the matrix representation. In fact the size of matrices required to describe linear maps grows exponentially in the number of qubits of the quantum computer. As another example, the quantum NOT gate can be written as |0ih1| + |1ih0|. Tensor products of vector spaces are always over C. If |vi ∈ V and |wi ∈ W then |vi ⊗ |wi may be written as either |vi |wi or as |vwi and we use all these notations interchangeably, as convenient. Moreover this notation extends to n–fold tensor products in the obvious way. For example the tensor product CZ2 ⊗ CZ2 is a 4–dimensional vector space with basis consisting of |00i, |01i, |10i and |11i. More generally CZ⊗n is 2n dimensional and has a basis consisting of 2 |0 · · · 0i , . . . , |1 · · · 1i, which we can write as |0i , . . . , |2n − 1i, by identifying (i0 · · · in−1 ) ∈ Zn2 with the integer 2n−1 i0 × · · · × 20 in−1 ; that is, by regarding elements of Zn2 as binary expansions of integers. Note that if M and N are complex inner product spaces then M ⊗ N can be made into an inner product space by defining the inner product of a ⊗ b with c ⊗ d as ha ⊗ b|c ⊗ di = ha, cihb, di. Thus if xi , yi ∈ Vi and |xi = |x1 · · · xn i and |yi = |y1 · · · yn i are elements of an n–fold tensor product ⊗ni=1 Vi , then (2.1) hx|yi = n Y i=1 hxi |yi i . In particular if V = CZ⊗n and |xi and |yi are elements of Zn2 then 2 (2.2) hx|yi = where δij is the Kronecker delta. n Y δx i y i , i=1 Suppose that θ : V1 → V2 and φ : W1 → W2 are linear transformations. Then θ ⊗ φ is a linear transformation of V1 ⊗ W1 → V2 ⊗ W2 . Suppose that A and B are the matrices of θ and φ with respect to some fixed bases of Vi and Wi , i = 1, 2. These bases induce bases of V1 ⊗ W1 and V2 ⊗ W2 in a natural way: if v and w are basis vectors of V1 and W1 , respectively, then v ⊗ w is a basis vector of V ⊗ W . We adopt the convention that these natural induced bases are ordered so that the matrix A ⊗ B of θ ⊗ φ is the right Kronecker product   a11 B · · · a1m B  ..  ..  .  . an1 B of A and B. ··· anm B 6 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES 2.3. The postulates of quantum mechanics. We shall now describe more thoroughly how the physical laws of quantum mechanics give rise to a model of quantum computation and establish a framework within which the theory of quantum computation may be developed. Our account is taken largely from [45], where further details may be found. A quantum computer consists of a quantum mechanical system, necessarily isolated from the surrounding environment, so that its behaviour may be externally controlled and is not disturbed by events unrelated to the control procedures. The following postulates provide a model for such a system. Discussion of whether this is the best or correct model of quantum mechanics is outside the scope of this article. Postulate 1: Quantum mechanical systems Associated to an isolated quantum mechanical system is a complex inner product space V . The state of the system at any time is described by a unit vector in V . As we are concerned with computation using limited resources we consider only finite dimensional systems. The basic system we shall consider is the 2-dimensional space CZ2 with basis {|0i , |1i}, known as a single qubit system. A state of a single qubit system is a vector α |0i + β |1i, where |α|2 + |β|2 √ = 1. If neither α nor β is zero the state is called a superposition. For example, (|0i + |1i) / 2 is a superposition, which is also uniform. We may also consider the n–dimensional space CZn with basis {|0i , . . . , |n − 1i} as a basic quantum system. However it seems likely that physical implementations of quantum computers will normally be restricted to systems built up from qubits. We defer consideration of more complex systems until after Postulate 4. Next we consider how transformation of the system from one state to another may be realised: that is how to program the computer. Postulate 2: Evolution Evolution of an isolated quantum mechanical system is described by unitary transformations. The states |v1 i and |v2 i of the system at times t1 and t2 , respectively, are related by a unitary transformation φ, which depends only on t1 and t2 , such that φ(|v1 i) = |v2 i. In the case of quantum computing evolution takes place at discrete intervals of time, finitely often, so evolution of the system is governed by a finite sequence of unitary transformations. In the classical setting, elementary computable functions are commonly referred to as gates. Analogously, certain basic unitary transformations of a complex vector space are referred to as quantum gates. In this article, since we do not wish to become involved in discussion of the technical details of implementation of unitary transformations on a quantum computer, we shall refer to any unitary transformation as a gate. Postulate 3: Measurement A measurement of a quantum system consists of a set {Mm : m = 1, . . . , k} of linear operators on V , such that (2.3) k X † Mm Mm = I. m=1 The measurement result is one of the indices m. If V is in state |vi then the probability that m observed is † p(m) = v|Mm Mm |v = hMm (|vi)|Mm |vii . If m is observed then the state of V is transformed from v to Mm |vi p . p(m) QUANTUM ALGORITHMS 7 Observe that (2.3) implies that p is a probability measure as k X m=1 p(m) = k X m=1 † v|Mm Mm |v = hv|I|vi = 1. We usually restrict attention to the special case of measurement where Mm is self–adjoint and 2 Mm = Mm , for all m, and Mm Mn = 0, when m 6= n. Such measurements are called projective measurements. In the case of projective measurement P there are mutually orthogonal subspaces P P1 , . . . , Pk of V such that V = m Pm and Mm = i |iihi|, for some orthonormal basis {|ii : i = 0, . . . , dm − 1} of Pm . That is Mm is projection onto Pm . It turns out, as shown in [45] that, with the use of Postulates 2 and 4, measurements of the type described in Postulate 3 can be achieved using only projective measurements. In fact most measurements we make will be of the form {Mm = |mihm| : m = 0, . . . , n − 1}, where V is n–dimensional and the basis used to describe the state vector and evolution of V is {|mi : m = 0, . . . , n − 1} . These are called measurements with respect to the computational basis. In this article all measurements are taken with respect to the computational basis, unless they’re explicitly defined. For example suppose we have a single qubit system in state Q = a |0i + b |1i, where |a|2 + |b|2 = 1. If we observe Q with respect to the computational basis we obtain 0 with probability hQ|0i h0| Qi = |a|2 and 1 with probability hQ|1i h1| Qi = |b|2 . The quantum system enters the state if 0 is measured and a |0i h0|Qi = |0i , |a| |a| b |1i h1|Qi = |1i , |b| |b| if 1 is measured. It turns out, as we’ll see in Section 2.4, that these factors, a/|a| and b/|b|, of modulus 1 can be ignored and we can assume that the system is either in state |0i or |1i after measurement. Note that if i was measured then further measurements in the computational basis will result in i with probability 1. We shall write pM (|ψi → a) for the probability that a is observed when a register containing |ψi is measured with a measurement M . We shall often abuse notation by saying that Mm |vi is observed when we mean that m is observed, as the result of a measurement. In particular, when measuring with respect to the computational basis it’s often convenient to say that |xi, instead of x, has been observed. This abuse extends to the notation for the probability that m is observed. We now consider how single qubit systems may be put together to build larger systems. Postulate 4: Composite systems Given quantum mechanical systems associated to vector spaces V and W there is a composite quantum mechanical system associated to V ⊗ W . By induction this extends to composites of any finite number of systems. The composite of 2 single qubit systems is CZ2 ⊗ CZ2 , a 4–dimensional space with basis vectors |00i,|01i, |10i,|11i. We call this a 2–qubit system or 2–qubit quantum register. Similarly an n–qubit system or quantum register is a copy of the 2n –dimensional space CZ⊗n 2 , which, as described in Section 2.2, has basis {|ii : i = 0, . . . , 2n − 1}. We shall by default assume that n–qubit system is equipped with this standard basis; and immediately introduce an exception. Given an m–qubit system Vm and an 8 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES n–qubit system Vn , we may form the mn–qubit system Vm ⊗ Vn , which is naturally equipped with the basis {|iji : i = 0, . . . , 2m − 1, j = 0, . . . , 2n − 1}. An n–qubit system is the quantum analogue of the classical n–bit computer. Note that whereas n–bits can contain, at any one time, one of 2n possible values, a quantum computer can be in a superposition of all of these values, in principle in infinitely many different ways. This completes our description of quantum mechanical systems. We shall investigate some of the consequences in the next few sections. 2.4. Phase factors. Suppose that we have measurement {Mm : m = 1, . . . , k} of an n–qubit system. The probability that m is observed when the system is in state |xi is then † p(m, |xi) = x|Mm Mm |x † = eiθ x|Mm Mm |eiθ x = p(m, eiθ |xi), for any real number θ. We call a complex number of modulus 1 a phase factor. Therefore, as far as the probabilities of what is observed are concerned, multiplication by a phase factor has no effect. Also, T (eiθ |xi) = eiθ T |xi, for any linear transformation T . Hence, if the system starts in state |xi and after evolution or measurement (or both) its final state is |yi then we can say that starting in state eiθ |xi the final state is eiθ |yi. Therefore the introduction of the phase factor eiθ is essentially invisible to the quantum computer. Consequently we regard the states |xi and eiθ |xi as the same state. We now see that after a measurement in the computational basis, as in Section 2.2, we may assume that the quantum system projects to a basis vector of the system (with coefficient 1). Note that what we have said about phase factors applies only to scalar multiples of the entire unit vector which comprises the state. Altering individual √ by a phase factor may √ coefficients of a state indeed change the state. For example i(|0i + |1i)/ 2 and (|0i + |1i)/√ 2 both correspond to the same state of a quantum system but are not the same as (|0i + i |1i)/ 2. 2.5. Multiple measurements. We’ll often have cause to employ more than one measurement as part of a single algorithm. One obvious question is whether or not applying first one measurement and then a second is equivalent to applying a single measurement. The answer is yes, and the single measurement is the obvious one, as we shall now see. Let M = {Mm : m = 1, . . . , k} and N = {Nn : n = 1, . . . , l} be measurements. Then, from the definition of measurement, we have X X X X X † † † (Mm Nn ) (Mm Nn ) = M m Nn = Nn† Mm Nn† ( Mm Mm )Nn = Nn† INn = I. m,n m,n n m n Therefore L = {L(n,m) = Mm Nn : m = 1, . . . , k, n = 1, . . . , l} is a measurement. We claim that measurement using N followed by measurement using M is equivalent to measurement using L. Suppose then that our system is in state |xi and that we first measure using N . Then the probability of observing n is pN (n) = x|Nn† Nn |x and, if n is observed, the system will then be in state Nn |xi . |yi = p pN (n) QUANTUM ALGORITHMS 9 Now, with the system in state |yi, making a measurement using M the probability of observing m is 1 † † Mm Nn |x pM (m) = y|Mm Mm |y = x|Nn† Mm pN (n) and, if m is observed, the system will be in state Mm |yi Mm Nn |xi p |zi = p =p . pM (m) pM (m) pN (n) Hence the probability of measuring n and then m, or (n, m), is † Mm Nn |x pN (n)pM (m) = x|Nn† Mm which is, by definition, the probability pL (n, m) of observing (n, m) using L. Also, if (n, m) is observed using L then the system will be in state M N |xi pm n = |zi . pL (n, m) Therefore measurement using L is equivalent to measurement using N then M . 2.6. Distinguishing states. In classical computation it is reasonable to assume that if we have a register which may take one of two distinct values then we can tell which of these values the register contains. One consequence of the measurement postulate is that this is not always the case in quantum computation. In fact we can tell apart orthogonal states but we cannot tell apart states which are not orthogonal. Following [45], to see that we can’t distinguish non–orthogonal states, assume that we have a quantum system which we know contains either the state |ψ1 i or the state |ψ2 i, and that we know what both of these states are. If |ψ1 i and |ψ2 i are not orthogonal then we can write |ψ2 i = α |ψ1 i + β |θi, for some unit vector |θi orthonormal to |ψ1 i and α, β ∈ C, with α 6= 0 and so |β| < 1. Now assume that we have a measurement {Mm : m = 1, . . . , k} with which we can distinguish between |ψ1 i and |ψ2 i. That is to say we have sets S1 and S2 such that {1, . . . , k} = S1 ∪ S2 , where S1 ∩ S2 = ∅ and we observe m ∈ Si if and only if the system is in state |ψi i (before the measurement). P † Mm , for i = 1, 2, then If we define Ei = m∈Si Mm (2.4) hψi |Ei |ψi i = 1, for i = 1, 2, since the probability of observing m ∈ Si is 1 if the system is in state |ψi i. Also, E1 + E2 = I so hψi |E1 + E2 |ψi i = 1, for i = 1, 2, which implies that hψ1 |E2 |ψ1 i = 0 = hψ2 |E1 |ψ2 i . √ † As Mm Mm is a positive operator (see [37], for example) so is Ei and so Ei is defined (and is a self–adjoint). We now have E D p †p hψ1 |E2 |ψ1 i = ψ1 | E2 E2 |ψ1 = 0, √ √ √ √ so E2 |ψ1 i = 0. This implies that E2 |ψ2 i = E2 (α |ψ1 i + β |θi) = β E2 |θi so hψ2 |E2 |ψ2 i = |β|2 hθ|E2 |θi ≤ |β|2 < 1, contrary to (2.4) (where the first inequality follows from (2.3).) The conclusion is that there is no such measurement. On the other hand, suppose we start with known states |ψ1 i , . . . , |ψk i which are pairwise orthogonal. To see that we can distinguish between them define a measurement {Mm : m = 0, . . . , k}, where Mm = |ψi ihψi |, m ≥ 1, and Pk M D 0 = I − Em=1 Mm . Then, if the system is in state |ψi i the probability of measuring i is ψi |Mi† Mi |ψi = 1. Thus, given that we know the system is in one of these k states, this measurement allows us to determine which one. 10 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES 2.7. No cloning. Many classical algorithms make use of a copy function which replicates, or clones, the contents of a given register, whatever they happen to be. This can be achieved using the classical conditional not gate, CNOT, as follows. Suppose we have a 1–bit register, L that is a copy of Z2 , and we wish to copy its contents. Define the function CNOT from Z2 Z2 to itself by CNOT(x, y) = (x, x ⊕ y), where ⊕ denotes addition modulo 2. To our 1–bit register we adjoin a second 1–bit L register in state 0: so if the first register is in state x we now have a 2-bit register, Z2 , in state (x, 0). Applying the conditional not function to this register we obtain that is Z2 CNOT(x, 0) = (x, x). Both the first and second 1–bit registers now contain the original contents of the first register. This process easily generalises to allow copying of n–bit registers. The question is whether we can do the same thing on a quantum computer. This would mean, given an n–qubit register V , finding some fixed state |si of V and a unitary transformation U of V ⊗ V such that (2.5) U |xi |si = |xi |xi , for all x ∈ V. It turns out that, as a consequence of the following lemma, this is impossible. Lemma 2.1. Let |x1 i and |x2 i be distinct unit vectors in V and let T be a unitary transformation of V ⊗ V . If there is a unit vector |si ∈ V such that T |xi i |si = |xi i |xi i, for i = 1 and 2, then |x1 i and |x2 i are orthogonal. Proof. Since T is unitary we have That is, using (2.1), hx1 s|x2 si = x1 s|T † T |x2 s = hx1 x1 |x2 x2 i . hx1 |x2 i = hx1 |x2 i hs|si = (hx1 |x2 i)2 , so hx1 |x2 i = 0 or 1. As |x1 i = 6 |x2 i, and |x1 i and |x2 i are unit vectors, it follows from the Cauchy–Schwarz inequality that |x1 i and |x2 i are orthogonal, as required.  Now let U be a unitary transformation of V ⊗ V and, for a fixed |si ∈ V , set R = {|xi ∈ V : U |xi |si = |xi |xi}. The dimension of V is 2n so it follows, from the lemma above, that |R| ≤ 2n . This applies to any unitary transformation U and any |si ∈ V , so there can be no U satisfying (2.5). Moreover we can copy at most 2n fixed, predetermined states, but they must be orthonormal. In fact, given a set {|xi i : i = 1, . . . , 2n } of 2n orthonormal vectors of V , we have a set {|xi i |si : i = 1, . . . , 2n } of 2n orthonormal vectors of V ⊗ V . We can extend this set to a basis of V ⊗ V . Since {|xi i |xi i : i = 1, . . . , 2n } can also be extended to a basis of V ⊗ V , we may define a unitary transformation of V ⊗ V which maps |xi i |si to |xi i |xi i, for all i. Hence we may copy up to 2n fixed orthonormal states. In a classical probabilistic algorithm we may repeat a calculation a fixed number of times (in order to have a high probability of success) by first copying the input and then performing the calculation on each copy. However on a quantum computer, due to the fact that we cannot copy arbitrary states, to repeat the calculation we must repeat the entire algorithm. 2.8. Entangled states. Let x ∈ V ⊗ W . Then x is said to be disentangled if there exist v ∈ V and w ∈ W such that x = v ⊗ w. Otherwise x is said to be entangled. The definition extends in the obvious way to n-fold tensor products. An entangled unit vector of an n–qubit system is called an entangled state. For example, |00i + |11i is an entangled state. In fact, if there exist a, b, c, d ∈ C such that |00i + |11i = = (a |0i + b |1i) ⊗ (c |0i + d |1i) ac|00i + bc|10i + ad|01i + bd|11i, then bc = ad = 0 and ac = bd = 1, which is impossible. QUANTUM ALGORITHMS 11 Entangled states play an important role in quantum teleportation and in super–dense coding. For details of these applications see, for example, [45] or [9]. 2.9. Observing multiple qubit systems. A quantum algorithm may use different parts of its register for different purposes and so it is often convenient to view a quantum system as a composite of sub–systems. This amounts to decomposing the vector space comprising the system into a tensor product of vector sub–spaces. The purpose of doing this is usually so that measurement may be taken on one part of the system but not the other. We now consider how this may be arranged. Suppose that the mn–qubit system V is the tensor product of m and n–qubit systems Q and R, respectively. Assume that we have measurements M = {Ma : a = 1, . . . , k} and N = {Nb : b = 1, . . . , l} of Q and R. Then we may define measurements M̂ = {M̂a = Ma ⊗ I : a = 1, . . . , k} and N̂ = {N̂b = I ⊗ Nb : b = 1, . . . , l} of Q ⊗ R. As in Section 2.5 we obtain a measurement Lab = {M̂a N̂b : a = 1, . . . , k, b = 1, . . . l}. This time we have M̂a N̂b = (Ma ⊗ I)(I ⊗ Nb ) = (I ⊗ Nb )(Ma ⊗ I) = N̂b M̂a , for all a, b. Therefore, as in Section 2.5 measurement with N̂ followed by M̂ is equivalent to measurement with L and, in addition, the same is true of measurement with M̂ followed by N̂ . We call a measurement M̂ induced in this way from a measurement on Q a measurement of register Q and say that a is observed in register Q. Example 2.2. Suppose that we have a 2–qubit system V = CZ2 ⊗ CZ2 and Q = R = CZ2 and we have measurements M = {M0 , M1 } and N = {N0 , N1 }, where Mi = Ni = |iihi|. Then M̂i = |iihi| ⊗ I, N̂j = I ⊗ |jihj| and Lij = |iihi| ⊗ |jihj|. Consider the state |ψi = a|00i + b|01i + c|10i + d|11i. where |a|2 + |b|2 + |c|2 + |d|2 = 1. To see what happens if we measure with M̂ we may rewrite |ψi as |0i ⊗ (a |0i + b |1i) + |1i ⊗ (c |0i + d |1i). Then it’s clear that M̂0 |ψi = |0i ⊗ (a |0i + b |1i) and M̂1 |ψi = |1i ⊗ (c |0i + d |1i). Hence pM̂ (|ψi → 0) = |a|2 + |b|2 = u2 and pM̂ (|ψi → 1) = |c|2 + |d|2 = v 2 , where u, v ≥ 0. Observations of 0 or 1 in register Q will therefore result in the quantum state     b d c a |0i + |1i or |1i ⊗ |0i + |1i respectively. |0i ⊗ u u v v Similarly, if w, x ≥ 0 are such that w2 = |a|2 + |c|2 and x2 = |b|2 + |d|2 then measuring V with N̂ the probabilities of observing 0 and 1 in register R are pN̂ (|ψi → 0) = w2 and pN̂ (|ψi → 1) = x2 . If 0 or 1 is observed in register R then the resulting quantum state is   a  c d b |0i + |1i ⊗ |0i or |0i + |1i ⊗ |1i respectively. w w x x We now consider the effect of measurements in registers Q and R on a disentangled state |xyi = |xi ⊗ |yi, where |xi ∈ Q and |yi ∈ R. We shall see that in this case the probabilities of observing a in register Q or b in register R are independent. We have M̂a† M̂a = Ma† Ma ⊗ I so the probability of observing a if we measure V with M̂ is D E pM̂ (|xyi → a) = xy|M̂a† M̂a |xy = x ⊗ y|Ma† Ma ⊗ I|x ⊗ y = x|Ma† Ma |x hy|yi . 12 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES Since |xyi is a unit vector we may assume that |xi and |yi are unit vectors, by writing |xyi = 1 |xi |yi |xyi = , | |xyi | | |xi | | |yi | if necessary. Hence hy|yi = 1 and pM̂ (|xyi → a) = x|Ma† Ma |x = pM (|xi → a), the probability that a is observed if Q is measured with M . Similarly pN̂ (|xyi → b) = pN (|yi → b) the probability that b is observed if R is measured with N . The probability of observing both a in register Q and b in register R when V is in state |xyi is E D E D pL (ab) = xy|L†ab Lab |xy = x ⊗ y|Ma† Ma ⊗ Nb† Nb |x ⊗ y E D = x|Ma† Ma y|Nb† Nb |y = pM̂ (a)pN̂ (b). Hence pM̂ (|xyi → a) and pN̂ (|xyi → b) are independent. Example 2.3. With V , Q, R, M and N as in the previous example, let |xi = α |0i + β |1i and |yi = γ |0i + δ |1i, where where |α|2 + |β|2 = 1 and |γ|2 + |δ|2 = 1. Then |xi ⊗ |yi = αγ|00i + αδ|01i + βγ|10i + βδ|11i. Hence pM̂ (0) = |(αγ)|2 + |αδ|2 and pN̂ (0) = |(αγ)|2 + |βγ|2 , while pL (00) = |αγ|2 . Hence pM̂ (0)pN̂ (0) = |αγ|2 (|αγ|2 + |βγ|2 + |αδ|2 + |βδ|2 ) = |αγ|2 = pL (00). On the other hand, in general, the measurements of individual registers do not have independent √ probabilities. To see this consider the entangled state (|00i+|11i)/ 2 in the system of the previous example. Measuring in register Q we observe either 0 or 1, each with a probability of 1/2. The same holds for register R. If these probabilities are independent then the probability of observing 00 should be 1/4. However, it’s easy to see that the probability of observing 00 is also 1/2. In fact after the first measurement the system projects to one of the states |00i or |11i. Measuring the former we observe 00 with probability 1 and 11 with probability 0. The above example illustrates the fact that if |ψi is disentangled then probabilities of observing a in register Q and b in register R are independent, where |ai and |bi range over basis vectors of Q and R. The converse is not true. For example take |ψi = [|00i + |01i + |10i − |11i]/2. The probability pM̂ (a) of observing a in register Q is 1/2, as is the probabilty pN̂ (b) of observing b in register R, for all a and b in {0, 1}. As the probabilty pL (ab) of observing |abi is 1/4, the probabilities pM̂ and pN̂ are independent. However |ψi is entangled. 2.10. Quantum parallelism. We develop here the notion of parallel quantum computation which we touched on briefly in Section 5.1. A basic tool in the operation of this scheme is the family of functions we describe next. QUANTUM ALGORITHMS 13 The single qubit Walsh–Hadamard transformation is the unitary operator W on a single qubit system given by (2.6) 1 W (|0i) = √ (|0i + |1i) and 2 1 W (|1i) = √ (|0i − |1i) . 2 We can express W more concisely by writing 1 W (|xi) = √ (|0i + (−1)x |1i) 2 1 1 X (−1)kx |ki . =√ 2 k=0 It is easy to see by direct calculation that W is an involution, that is W 2 = I2 . Moreover, if we ignore the complex coefficients W is reflection in the line which makes an angle of π/8 with the |0i–axis. The n–bit Walsh–Hadamard transformation Wn is defined to be W ⊗n . As W is an involution we ⊗n have Wn2 = I2⊗n = I2n , so Wn is also an involution. Applied to |0i , Wn generates a uniform n linear combination of the integers from 0 to 2 − 1, i.e. n 2 −1 1 X |xi. Wn (|0 · · · 0i) = √ 2n x=1 For example, W2 |00i = (W ⊗ W )(|0i ⊗ |0i) = W |0i ⊗ W |0i 1 = ((|0i + |1i) ⊗ (|0i + |1i)) 2 1 = (|0i ⊗ |0i + |0i ⊗ |1i + |1i ⊗ |0i + |1i ⊗ |1i) 2 1 = √ (|00i + |01i + |10i + |11i) . 22 This generalises in the obvious way to Wn and allows us, starting with the simple basis state |0 · · · 0i, to prepare a uniform superposition of all basis vectors. For computation a more concise notation is convenient and to this end we define the following notation. Let |xi and |yi be basis vectors in an n–qubit system, where x and y are n–bit binary integers. Define x·y = n−1 X xi yi . i=0 (Note that this is not the inner product of |xi and |yi (see page 5). It extends to a symmetric bilinear form on |xi and |yi regarded as vectors in a 2n –dimensional space over Z2 . However it 14 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES may be zero when |xi and |yi are both non–zero.) Now, setting m = 2n , we have Wn |xi = = n−1 O i=0 W |xi i n−1 1 O 1 X √ (−1)ki xi |ki i 2 i=0 ki =0 1 1 X 1 X ··· (−1)x0 k0 · · · (−1)xn−1 kn−1 |k0 · · · kn−1 i =√ 2n k0 =0 kn−1 =0 1 =√ 2n (2.7) m−1 X (−1)x0 k0 · · · (−1)xn−1 kn−1 |k0 · · · kn−1 i k0 ···kn−1 =0 m−1 1 X (−1)x·k |ki . =√ 2n k=0 The Walsh–Hadamard functions allow us to prepare the input to parallel computations. Now we k consider the computations themselves. Let f : Zm 2 → Z2 be a function, not necessarily invertible. As we’re not assuming that f is invertible we cannot use it, as it is, as a transformation in a quantum computer. However, at the expense of introducing some extra storage space we can devise a unitary transformation to simulate f . We require a quantum system V which is the tensor product of an m–qubit quantum system with a k–qubit quantum system. Recall that V has basis consisting of the vectors |xi ⊗ |yi, where x and y are binary representations of integers k k in {0, . . . , 2m − 1} = Zm 2 and {0, . . . , 2 − 1} = Z2 respectively. Define the linear transformation Uf : |xi ⊗ |yi 7→ |xi ⊗ |y ⊕ f (x)i , where ⊕ denotes addition in the group Zk2 (known as “bitwise exclusive OR” in the literature). For fixed x, we see that y ⊕ f (x) takes every value in Zk2 exactly once, as y varies over {0, . . . , 2k − 1}. Therefore Uf simply permutes all 2m+k basis elements of V and it follows that it is unitary. Moreover Uf (|xi ⊗ |0i) = |xi ⊗ |f (x)i and in this sense Uf simulates f . The map Uf is referred to as the standard oracle for the function f . The standard oracle may thus be used to simulate any function, invertible or not, on a quantum computer. It follows that any function which may be carried out by a classical computer may also be carried out by a quantum computer. In the case where f is a bijection, and only in this case, we can define the simpler and more obvious oracle |xi → |f (x)i. This is called the minimal or erasing oracle for f . Its relation to the standard oracle is considered in [36]. Furthermore, in [1] a problem is given in which a minimal oracle is shown to be exponentially more powerful than a standard oracle.) The form of Uf above may seem strange, but in fact it originates in classical reversible computing and has been adapted for the purposes of quantum computing. See [39] for more details of reversible computing. If we apply Uf to ⊗m Wm (|0i we obtain Uf ! 2m −1 1 X √ |xi ⊗ |0i 2m x=0 ⊗k ) ⊗ |0i m = 2 −1 1 X √ Uf (|xi ⊗ |0i) 2m x=0 m = 2 −1 1 X √ |xi ⊗ |f (x)i . 2m x=0 We can view this as a simultaneous computation of f on all possible values of x, although the fact that |f (x)i is associated with the state |xi, for all x, may sometimes be a problem. Creation of this kind of state is often referred to as quantum parallelism and is an easy and standard first QUANTUM ALGORITHMS y 15 y x |0i ⊗ |1i x − |3i ⊗ |2i Figure 1. Basis states. y x (W |0i) ⊗ |0i Figure 2. A uniform superposition in the first register y x Uf ((W |0i) ⊗ |0i) Figure 3. A quantum state corresponding to the graph of f step in many quantum computations. The tricky part is to glean useful information from this (extremely entangled) output state. k 2 Example 2.4. Suppose that m = k = 2, so that Zm 2 = Z2 = Z2 = {0, . . . , 3}. Let f be the function defined by f (0) = 1, f (1) = 2, f (2) = 0 and f (3) = 3. The quantum system V is the tensor product CZ22 ⊗ CZ22 and has basis {|xi ⊗ |yi : 0 ≤ x, y ≤ 3}. We can represent the elements of this basis on a 3 × 3 grid, with x indexing the horizontal squares and y the vertical ones. For many of the algorithms we consider, the quantum state is always in a uniform √ superposition of an r–element subset of the set of basis elements, with phase (coefficient) ±1/ r. We represent √ such√states by using a black square for a coefficient of 1/ r, a grey square for a coefficient of −1/ r and a white square for a coefficient of 0. For example, a basis state is represented by a single square as in Figure 1 and the state (W |0i) ⊗ |0i is represented as in Figure 2. If we apply Uf to this state we obtain the state shown in Figure 3, which can be considered as a uniform superposition over all of the points of the graph of f . It’s useful, as an exercise, to calculate Uf applied to (W |0i) ⊗ |1i, (W |0i) ⊗ |2i and (W |0i) ⊗ |3i in turn, to understand how Uf is constructed, and why it is reversible. In fact, Uf is always an involution (i.e. Uf ◦ Uf = I), regardless of what f is. Example 2.5. Pictures of the quantum system, as in the previous example, can also be used to help understand measurements of quantum states, and how they relate to entanglement. All 16 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES register 2 register 1 Figure 4. A disentangled state measurements are taken with respect to the computational basis (see Section 2.3). A disentangled state such as, for example, 1 |2i ⊗ √ (|0i + |1i + |3i) 3 looks the same in every nonzero column (up to phase), so measuring the first register (which always results in 2) doesn’t affect the distribution of non–zero coefficients in the second register (see Figure 4). On the other hand, if we have an entangled state such as, for example, 1 √ (|0i ⊗ |0i + |0i ⊗ |2i − |2i ⊗ |1i + |2i ⊗ |2i − |2i ⊗ |3i + |3i ⊗ |3i) 6 we can see directly from Figure 5 how measurements of the first register affect the distribution on the second. If we observe 0 in the first register, then there is a probability of 1/2 of observing 0 Register 1 1 3 1 2 1 2 0 1 2 1 6 1 3 Probability of observing x 1 1 3 1 3 Figure 5. Measurement of an entangled state in the second register, and a probability of 1/2 of observing 2. If we observe 2 in the first register then we have probabilities of 1/3 of observing either 2, 3 or 4 and if we observe 3 in the first register then we observe 3 with certainty in the second register. Some care is required in the interpretation of these diagrams. For example, the diagram of the entangled state |00i − |01i − |10i + |11i will suggest different results in the second register after measurement of the first register: depending on whether 0 or 1 is observed. However these results differ only by a phase factor (of −1) so are, in fact, the same. QUANTUM ALGORITHMS 17 3. The Deutsch–Jozsa algorithm 3.1. Oracles and query complexity. Deutsch [14] was the first to show that a speed–up in complexity is possible when passing from classical to quantum computations. It is important to understand that the complexity referred to is query complexity. The idea is that we have a “black box” or “oracle”, as described in Section 2.10, which evaluates some function (classically this would be a function on integers, but in the quantum scenario we allow evaluations on complex vectors). Query complexity simply addresses how many times we have to ask the oracle to evaluate the function on some input, in order to determine some property of f . It ignores how many quantum gates we require to actually implement the function. For a genuine upper bound on time complexity we must demonstrate efficient implementation of the oracle. For example, this is the case in Shor’s algorithm in the next section where we show that the quantum Fourier transform can be implemented using a number of gates logarithmic in the size of the input. Again, a lower bound on the query complexity of a given algorithm, with respect to a specific oracle, does not necessarily give a lower bound on time complexity of the algorithm. This is because we know nothing about the operation of the oracle: if we knew how the oracle worked then perhaps we could see how to do without it. Within the context of query complexity (relative to a specific oracle) many quantum algorithms have been proved to be more efficient than any classical counterpart. However, so far, not a single instance exists where we can say the same about true time complexity. To do so would usually require a lower bound on the classical complexity of a given problem and this often brings us up against difficult open problems in classical complexity theory. For example, Shor’s algorithm is a (non–deterministic) quantum algorithm for factoring integers. Although no classical polynomial time algorithm is known for this problem, whether or not such an algorithm exists is an open question. Given two functions f and g from N to R we say that f = O(g) if there exist constants c, k ∈ R such that |f (n)| ≤ c|g(n)| + k, for all n ∈ N. We also say that f = Ω(g) if g = O(f ). Thus O is used to describe upper bounds and Ω to describe lower bounds. 3.2. The single qubit case of Deutsch’s algorithm. The unitary maps involved in quantum computing can often be represented pictorially via quantum circuit diagrams. An operator U on a single quantum register is represented as in Figure 6. We also draw gates for operators on x U Ux Figure 6. A single–qubit gate two or more quantum registers: the set–up for quantum parallelism as described in Section 2.10 is shown in Figure 7. A similar circuit is shown in Figure 8. Here an additional Walsh–Hadamard m qubits |0i |0i W x x Uf y k qubits y ⊕ f (x) m 2 −1 1 X √ |xi ⊗ |f (x)i 2m x=0 Figure 7. The circuit for quantum parallelism 18 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES gate operates on the second register, transforming its contents into a uniform superposition, before entering the Uf gate. m qubits |0i x W x Uf |0i y W y ⊕ f (x) k qubits Figure 8. An insensitive quantum circuit Computing the final state of this system we have m |0i ⊗ |0i W ⊗W 7→ 1 Uf √ 2m+k 7→ k 2X −1 2X −1 1 √ |xi ⊗ |yi 2m+k x=0 y=0 m k 2X −1 2X −1 x=0 y=0 m |xi ⊗ |y ⊕ f (x)i k −1 2X −1 2X 1 √ |xi ⊗ |yi , 2m+k x=0 y=0 = because y ⊕ f (x) takes each possible value exactly once, as y ranges over {0, . . . , 2k − 1}. This computation can certainly not be used to gain any information about f , because its final state is the same, whatever f is. However, Deutsch showed that, with k = 1, if we alter input to the second register to |1i then we can obtain some information on the nature of f . Deutsch’s algorithm concerns functions f : {0, 1} → {0, 1}. We call such a function constant if f (0) = f (1) and balanced if f (0) 6= f (1). Given such a function suppose that we wish to determine whether f is constant or balanced (it must be one or the other). Classically, this requires two evaluations of f . Let Uf be the standard oracle for f (see Section 2.10). We shall show that a quantum computer only needs a single evaluation of the oracle to determine whether f is constant or balanced (with certainty). The quantum circuit for the algorithm is shown in Figure 9. After 1 qubit |0i W |1i W x x W Uf y y ⊕ f (x) 1 qubit Figure 9. The quantum circuit for Deutsch’s algorithm passing through the Walsh–Hadamard gates, the registers are in the state     |0i − |1i |0i + |1i √ √ ⊗ . (W ⊗ W )(|0i ⊗ |1i) = 2 2 QUANTUM ALGORITHMS 19 Now, if x ∈ {0, 1}, we have      |0i − |1i |0 ⊕ f (x)i − |1 ⊕ f (x)i √ √ = |xi ⊗ Uf |xi ⊗ 2 2   1 |0i − |1i if f (x) = 0 = |xi ⊗ √ |1i − |0i if f (x) = 1 2   |0i − |1i f (x) √ = (−1) |xi ⊗ 2 Therefore, by linearity, after passing through the Uf gate the system is in state     |0i − |1i (−1)f (0) |0i + (−1)f (1) |1i √ √ ⊗ 2 2 which is equal to     |0i + |1i |0i − |1i √ √ ± ⊗ , if f is constant, 2 2 and     |0i − |1i |0i − |1i √ √ ⊗ , if f is balanced. ± 2 2 After passing through the final Walsh–Hadamard gate, the first qubit is in state ± |0i if f is constant . ± |1i if f is balanced So measuring this qubit, with respect to the computational basis, we observe 0 with probability 1, if f is constant, and 1 with probability 1, if f is balanced. Since f has only been evaluated once, this demonstrates that quantum computers are strictly more efficient than classical computers, when we are referring to deterministic black box query complexity. In fact Deutsch’s algorithm puts each of the functions in Figure 10 in one of the two classes: constant or balanced. With the notation of Figure 10, write Ui = Ufi . Then the operation of f1 f2 f3 f4 Figure 10. The four possible functions {0, 1} → {0, 1} Deutsch’s algorithm on each function can be pictorially represented as in Figure 11. 3.3. The general Deutsch–Jozsa algorithm. The generalisation of the algorithm of the previous section to m qubits is due to Deutsch and Jozsa [15] (see also [12] for the improved −1 version which we present here). A function f : CZm (0)| = 2 → {0, 1} is called balanced if |f −1 m−1 |f (1)| = 2 . Assume we know only that f is either constant or balanced, and we that wish to determine which of these properties f has. Classically this requires 2m−1 + 1 evaluations. However on a quantum computer it can be done with a single evaluation of an oracle. The circuit for this algorithm is the same as the Deutsch algorithm, apart from the number of input qubits in the first register, and is shown in Figure 12. Assume then that we have a function f : Zm 2 → {0, 1} which is either balanced or constant. Again, we employ the standard oracle Uf for f . We use a composite system with an m–qubit and 20 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES U1 W ⊗I constant I ⊗W ❀ |0i U2 y constant U3 x balanced ❀ |1i U4 balanced Figure 11. Quantum states created by Deutsch’s algorithm m qubits |0i x Wm x Wm Uf |1i W y ⊕ f (x) y 1 qubit Figure 12. The quantum circuit for the Deutsch–Jozsa algorithm ⊗m a 1–qubit register. This time we begin with the basis state |0i to obtain the state 2m −1 1 X √ |xi ⊗ W |1i . 2m x=0 |1i to which we apply Wm ⊗ W Passing this through the Uf gate the state of the system becomes m 2 −1 1 X √ (−1)f (x) |xi ⊗ W |1i . m 2 x=0 Ignoring the second qubit, which is the same for any function, what we have done here is to encode the function as the coefficients of a em single state. We shall define D(f ) to be the state m (3.1) 2 −1 1 X D(f ) = √ (−1)f (x) |xi . 2m x=0 If f is constant then applying Wm to D(f ) will give ± |0i, and if we measure the state we will always observe 0. If f is balanced then we need to make a more careful analysis of the resulting state. In any case, after applying Wm to D(f ) we have, using (2.7), m m 2 −1 2 −1 1 X X (−1)f (x)⊕(x·y) |yi . 2m x=0 y=0 QUANTUM ALGORITHMS 21 Since f is balanced the coefficient of |0i in this state is m 2 −1 1 X (−1)f (x) = 0. 2m x=0 Hence, when we measure the state we never observe 0. Thus we can distinguish between balanced and constant functions. Note that we can only create D(f ) for functions f : {0, . . . , 2m−1 } → {0, . . . , 2k−1 } in the case where k = 1, but the general idea is that it is easier to manipulate a single register to gain information about a function than a register pair containing the standard 2–register functional superposition provided by the Uf gate. This will also apply later, in Shor’s algorithm where a measurement of the second register puts the first register into a certain state which we work with, and also in Grover’s algorithm, which manipulates the amplitudes of D(f ) to ensure that we have a high probability of observing an x for which f (x) = 1. In conclusion, we have exhibited a problem which takes time O(2m ) classically but takes time O(1) on a quantum computer. The black box query complexity speed–up is hence exponential, from the classical to quantum setting. However the exponential speed up is not really robust when compared to probabilistic algorithms. If one is willing to accept output which is not correct with absolute certainty then, given any ε > 0, an answer correct with probability 1 − ε is classically attainable using at most log2 (1/ε) queries. Thus, effectively, we have only a constant factor speed up, for any fixed permissible probability of error. In this section we have studied properties of functions which can be deduced exactly from D(f ) with a single quantum measurement. P In a related work [32], properties of functions which can be deduced from the standard state x |xi ⊗ |f (x)i with a single measurement are studied . Even when a certain probability of failure is allowed this class of functions turns out to be very restricted. 22 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES 4. Shor’s algorithm and factoring integers 4.1. Overview. Shor’s Algorithm, first published in 1994, factors an integer N in time O(L2 log(L) log log(L)), where L = log(N ). No classical algorithm of this time complexity is known. The problem of factoring integers turns out to be reducible to that of finding the order of elements of a finite cyclic group. That is, given an order finding algorithm, an algorithm may be constructed which will, with high probability return a non–trivial factor of a given composite integer. Moreover this algorithm may be run quickly on a classical computer. We describe the reduction of factoring to order finding below. Order finding in a cyclic group is a special case of the more general problem of finding the period of a function which is known to be periodic. Definition 4.1. If f is a function from a cyclic group A (written additively) to a set S then we say that f is periodic, with period r ∈ A, if the following two conditions hold. For all x ∈ A (i) f (x) = f (x + r) and (ii) if f (x) = f (x + y) then r|y. Given a periodic function from Z to ZN the best known classical algorithm to determine r requires O(N ) steps. By contrast, using Shor’s algorithm, [53] [54], on a quantum computer only O((log N )2 ) steps are required. As shown by Kitaev [38], the essential element of Shor’s algorithm is the use of the Quantum Fourier transform to find an eigenvalue of a unitary transformation. This technique was first used in this way by Simon [55] [56] to generalise Deutsch’s algorithm. Deutsch’s algorithm, Simon’s generalisation and the problems of period finding can all be regarded as cases of a problem known as the hidden subgroup problem. We shall describe this problem and various other applications of the Fourier transform in 4.9. Here we first outline the reduction of factoring of integers to order finding, in Section 4.2. We then describe the essential ingredient to Shor’s algorithm, namely the Quantum Fourier transform and in Section 4.3. The algorithm itself is described in Section 4.5 and we end the section with a brief description of the implementation of the Quantum Fourier transform and an outline of the continued fractions algorithm which is necessary to extract information from the quantum part of the main algorithm. 4.2. Factoring and period finding. It is well known that the ability to find the period of functions effectively would lead to an efficient algorithm for factoring integers. In order to see this suppose we wish to factor the integer N . We may clearly assume that N is odd and, since there exist effective probabilistic tests for prime powers [40], that N is divisible by more than one odd prime. Consider the function FN : ZN → ZN given by FN (a) = y a mod N, where y is a randomly chosen integer in the range 0 6 y < N . Using the Euclidean algorithm on y and N we either find a factor of N or we find that y is coprime to N . We may therefore assume that gcd(y, N ) = 1. If y and N may both be represented as strings of at most L bits then the total resource required by this step is O(L3 ) since this is a bound on the cost of running the Euclidean algorithm [40, p. 13]. With gcd(y, N ) = 1 the function FN takes distinct values 1, y, . . . , y r−1 , where r is the (unknown to us) multiplicative order of y modulo N . Thus F is periodic of period r. Suppose now that we have computed the multiplicative order r of y modulo N , using our hypothetical period finding algorithm on FN . Since N |y r − 1 the Euclidean algorithm applied to N and y r − 1 merely returns the factor N of N . On the other hand, if r is even then 1 = y r = (y r/2 − 1)(y r/2 + 1) mod N. As r is minimal with the property that y r = 1 mod N it follows that N ∤ y r/2 − 1, from which we see that N and y r/2 + 1 have a common factor greater than 1. We now run the Euclidean QUANTUM ALGORITHMS 23 algorithm with input N and y r/2 + 1. If N ∤ y r/2 + 1 then we obtain a non–trivial factor of N , again in time at most O(L3 ). This step succeeds if and only if we happen to choose y such that y has even order, r, and in addition N ∤ y r/2 + 1. What is the probability of success? Following [16] we count the number of integers y which result in failure. We have 1 ≤ y ≤ N and gcd(y, N ) = 1, so that y ∈ Z∗N the group of units of ZN , and r is the order of y in this group. Note that the order of Z∗N is φ(N ), where φ is Euler’s totient function: that is, φ(N ) is the number of integers between 1 and N which are coprime to N (see [40, p. 19] for example). The notation of the following lemma is ambiguous, as |x| denotes the order of a group element x and |X| denotes the cardinality of a set X, but the meaning should be clear from the context. αm 1 Lemma 4.2 ([16]). Let N = pα 1 · · · pm be the collected prime factorisation of an odd composite integer N and let S = {s ∈ Z∗N : |s| is odd or s|s|/2 = −1}. Then |S| ≤ φ(N )/2m . Proof. For n ∈ Z define l(n) to be the greatest integer d such that 2d |n. Consider first the group Z∗pα , where p is an odd prime and α a positive integer. This group is cyclic of even order φ = φ(pα ) = pα−1 (p − 1) with generator x, say. Every element of Z∗pα is of the form xk , for some k ≥ 0, and for exactly half the elements k is even. Let g = xk be an element of Z∗pα and suppose the order of g is r. If k is even then g φ/2 = xkφ/2 = (xφ )k/2 = 1, so r|φ/2 and it follows that l(r) < l(φ). Conversely if k is odd then 1 = g r = xkr so φ|rk and, since φ is even, this implies l(φ) ≤ l(r). Therefore precisely half of the elements g of Z∗pα satisfy l(|g|) < l(φ). Now consider y ∈ Z∗N . The Chinese remainder theorem [28] states that Z∗N is isomorphic to L m ∗ ∗ i under the map taking y to (y1 , . . . , ym ), where y = yi ∈ Zpαi , for i = 1, . . . , m. Let y i=1 Zpα i i have order r in Z∗N and let yi have order ri in Z∗pαi . Applying the above isomorphism we see that ri |r so l(ri ) ≤ l(r). First suppose that r is odd. Then l(r) = 0 so l(ri ) = 0, for i = 1, . . . , m. Now suppose that r is even but that y r/2 = −1 in Z∗N . Using the Chinese remainder theorem again it r/2 follows that yi = −1 in Z∗pαi and so ri ∤ r/2. Hence l(ri ) = l(r), for i = 1, . . . m. We have shown that if y ∈ S then l(ri ) = l(r), for i = 1, . . . , m. To complete the proof we need only show that this is possible for at most φ(N )/2m−1 elements of Z∗N . Fix y1 ∈ Z∗pα1 and let r1 = |y1 |. From the first paragraph of the proof it follows that there are at 1 most m Y φ(pαi ) i 2 i=2 L ∗ elements (y2 , . . . , ym ) of m i such that l(r1 ) = l(|yi |), for i = 2, . . . = m. Summing over all i=2 Zpα i ∗ elements of Zpα1 , there are at most 1 1 φ(pα 1 ) m Y φ(pαi ) i i=2 elements (y1 , . . . , ym ) of Lm ∗ i i=1 Zpα i 2 = φ(N )/2m−1 with l(|y1 |) = · · · = l(|ym |).  Now let y be an integer chosen uniformly at random from {y ∈ Z : 1 ≤ y ≤ N − 1 and gcd(y, N ) = 1}. Then from Lemma 4.2 the probability that y has even order in Z∗N and y |y|/2 6= −1 mod N is at least 1 − 1/2m−1. The resource cost of the procedure is O(L3 ), in addition to the cost of the order 24 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES finding routine, and repeating it sufficiently often we can find a factor of N , with probability as close to 1 as we like. Shor’s quantum algorithm, described below, finds the order of y ∈ Z∗N , with probability 1 − ε, for given ε > 0, in time polynomial in L. Hence combining Shor’s algorithm with the above we have a probabilistic algorithm for factoring integers which runs in time polynomial in L = log(N ). 4.3. The quantum Fourier transform. The Quantum Fourier Transform is more commonly known (to mathematicians) as the Discrete Fourier Transform. That is a Fourier transform on a discrete group: which is defined using characters of irreducible representations. Since we’ll be mainly concerned with Abelian groups we need to know very little about characters, and we summarise what is necessary here (for more detail see [31] or [22]). A character of a finite Abelian group G over a field k is a homomorphism from G to the multiplicative group k ∗ of non–zero elements of k. (More generally a character is the trace of a representation.) We shall only consider characters over C here. The set of characters of G is denoted Ĝ. Since G is finite, characters must be roots of unity. In particular the characters of the finite cyclic group Zm are the homomorphisms χcm = χc defined by χc (a) = e2πiac/m , where a ∈ Zm , for c = 0, . . . , m − 1. It’s easy to verify that the map χ : Zm → Ẑm defined by χ(a) = χa is an isomorphism from Zm to Ẑm . (This result extends to all finite Abelian groups.) We shall use the following simple property of characters of cyclic groups. Lemma 4.3. The characters of Zm satisfy (i)  m−1 X m (4.1) χc (a) = 0 if c = 0 mod m . if c = 6 0 mod m a=0 (ii) (Orthogonality of characters) (4.2) m−1 X χc (a)χd (a) = a=0  m 0 if c = d if c = 6 d mod m . mod m Proof. (i) This is easy to see if c = 0. If c 6= 0 then χc (1) = e2πic/m so χc (1) 6= 1 and is a root of the polynomial z m − 1 = (z − 1)(z m−1 + · · · + 1). The result follows, since [χc (1)]k = χc (k). (ii) This follows easily from (4.1), given the observations that χc (x) = χc (−x), χc (−x) = χ−c (x) and χc (x)χd (x) = χc+d (x).  For a finite group G the |G|–dimensional complex vector space M CG = C |gi g∈G is a ring called the complex group algebra, with multiplication defined by   ! X X X  a(g) |gi b(h) |hi = c(g) |gi , g∈G h∈G g∈G where a(g), b(g) ∈ C, for all g ∈ G, and c(g) = x∈G a(x)b(x−1 g). The group algebra may also be P regarded as the ring of maps from G to C, the map a sending g to a(g) corresponding to g∈G a(g) |gi. An element of CZn will be said to be periodic if it is periodic as a map from Zn to C. P QUANTUM ALGORITHMS 25 The quantum Fourier transform on Zn is a C–linear map Q = Qn from CZn to itself defined on the basis vector |xi by n−1 1 X c χ (x) |ci , Q |xi = √ n c=0 where z̄ denotes the complex conjugate of z. Extending by linearity we obtain the image of a general element: ! n−1 n−1 X X Q α(x) |xi = α̂(c) |ci , x=0 c=0 where (4.3) n−1 2πcxi 1 X α̂(c) = √ α(x)e− n . n x=0 We have seen one instance of the Fourier transform already: the single bit Walsh–Hadamard transformation W is equal to Q2 . By comparing coefficients of basis vectors it is easy to see that Wn 6= Qn , for n ≥ 2, although it is true that Wn |0i = Qn |0i, for all n. To see that the quantum Fourier transform is a unitary transformation consider its matrix Q, relative to the basis |xi, x ∈ Zn , for CZn . We have Q = (ac,x ), where the row c, column x entry is 1 ac,x = √ χc (x), 0 ≤ c, x ≤ n − 1. n Therefore the conjugate transpose of Q is Q† = (bc,x ), where 1 bc,x = √ χx (c), n and a straightforward computation using (4.2) shows that QQ† = I. This shows that Q is a unitary transformation and allows us to write down the image of its inverse, the inverse Fourier transform Q−1 on a basis vector |xi. That is Q −1 n−1 1 X c √ |xi = χ (x) |ci . n c=0 In Section 4.7 we shall show how the Fourier transform may be implemented using standard quantum gates. A crucial property of the quantum Fourier transform is that it identifies periods. That is, if f is periodic, with period r, and r divides n then Q(f ) has non–zero coefficients only at basis vectors |ci which are multiples of n/r. Lemma 4.4. Let f ∈ CZn and suppose that f is periodic of period r, where r|n. Then (4.4)  √ r−1 X    n f (s)χcn (s), r s=0 fˆ(c) =    0, if c = 0 mod n/r otherwise . 26 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES Proof. n−1 1 X f (k)χc (k) fˆ(c) = √ n k=0 n r−1 r −1 1 XX f (a + sr)χc (a + sr) = √ n a=0 s=0 n r−1 −1 r X 1 X χc (sr). = √ f (a)χc (a) n a=0 s=0 The result follows on applying Lemma 4.3 modulo n/r.  4.4. Period finding for beginners. It is instructive to look first at a restricted case of the period finding algorithm. Assume that we have a function f : Z → ZN which is periodic of period r, as in Definition 4.1. In the restricted case we shall assume that N –ary quantum bits are available, so a basic quantum system is an N -dimensional vector space. Consequently we shall assume, for this section only, that transformations that we’ve previously defined using qubits are also defined and implemented for such N –ary quantum bits. We shall in addition assume that r|N so that f induces a periodic function from ZN to itself. Of course this is an artificial constraint, especially since it is r we’re trying to find, but it illustrates the operation of the algorithm without involving the technical detail of the general case. We begin with two registers, of one N -ary quantum bit each, in initial state |0i |0i. To the first register we apply the Walsh–Hadamard transform to obtain the state N −1 1 X √ |xi |0i . N x=0 As in previous sections, we assume that a Uf –gate which evaluates f is available. We now apply this to our state to obtain the superposition N −1 1 X √ |xi |f (x)i . N x=0 At this point we could apply the quantum Fourier transform to the first register of the state. However it simplifies notation and makes no difference to the outcome if we observe the second register first (see Example 4.5 below). So, we now observe the second register and obtain, uniformly at random, some value y0 in the image of f . The system then projects to the state X 1 p |xi |y0 i . |f −1 (y0 )| x∈f −1 (y ) 0 Since f is periodic in the sense of Definition 4.1, there is precisely one value x0 with 0 ≤ x0 < r such that f (x0 ) = y0 . If we set K = N/r then, in the first register, we have the state K−1 1 X |ψi = √ |x0 + kri K k=0 = N −1 X x=0 where ψ(x) |xi ,  r  r  √1 = , N ψ(x) = K   0, if r|x − x0 otherwise . QUANTUM ALGORITHMS 27 |f (x)i r2 ❀ |2i |xi Figure 13. Collapsing to a periodic state Thus ψ ∈ CZN is periodic with period r. For example, for the function drawn in Figure 13, where N = 8 and r = 4, we have observed |2i in the second register and this has set the value x0 to 1. Notice that, since y0 is a random element of the image of f , observation of the first register at this stage returns a value x0 + kr, for some uniformly random k ∈ {0, . . . , N/r − 1}. That is, observation of the periodic state |ψi will simply give a uniformly random value in {0, . . . , N − 1} and yields no information on the value of r at all! Now, if we apply Q to the first register then, using Lemma 4.4, we obtain Q |ψi = N −1 X c=0 ψ̂(c) |ci , where  √ r−1  N X    ψ(s)χc (s), if c = 0 mod r s=0 ψ̂(c) =     0, otherwise  1 c    √r χ (x0 ), if c = 0 mod =    0, otherwise N r N r , √ since ψ(x0 ) = 1/ K and ψ(s) = 0 for all s 6= x0 . Therefore, setting c(s) = sN/r, (4.5) r−1 1 X c(s) Q |ψi = √ χ (x0 ) |c(s)i . r s=0 Now we observe this state. We obtain a value c = c(s) which is a multiple of N/r. In fact, for a uniformly random s ∈ {0, . . . , r − 1} we have c=s N c s =⇒ = r N r where the fraction c/N is known. If we reduce c/N down to lowest terms (using the Euclidean algorithm) then we may determine r, as the denominator of this irreducible fraction, provided that gcd(s, r) = 1. If s and r are not coprime then we will obtain a proper factor of r and not r itself. To see that this is not really a problem, we appeal to a result from number theory (see [28] for example):   φ(n) = e−γ lim inf n/ loge loge n 28 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES where γ is a constant known as Euler’s constant. This means that if we choose a random number from {0, . . . , n − 1} then the probability p(n) that it is coprime to n satisfies (4.6) p(n) = e−γ φ(n) > . n loge loge n So we obtain a number coprime to N with probability 1 − ε, where ε > 0 can be made arbitrarily small, by repeating the above observation O(loge loge N ) times. In summary, at each iteration the process outputs a number c. A value r may then be read off from the equality c/N = s/r, where gcd(r, s) = 1. Repeating the process sufficiently many times we may compute the period of f , to within a given probability, as the least common multiple of the non–zero r values. Example 4.5. Suppose we wish to factorise 21. We begin by choosing an integer coprime to 21, say 4, as described in Section 4.2. The function f : Z21 → Z21 is given by f (k) = 4k and has period r, which we wish to find. After applying W21 and Uf we have the state 1 √ [(|0i + |3i + |6i + |9i + |12i + |15i + |18i) |1i 21 +(|1i + |4i + |7i + |10i + |13i + |16i + |19i) |4i +(|2i + |5i + |8i + |11i + |14i + |17i + |20i) |16i]. Observing the second register we obtain, with probability 1/3, one of 1, 4 or 16. The first register P6 then contains |ψ0 i, |ψ1 i or |ψ2 i, where |ψs i = k=0 |s + 3ki. Applying Q21 to these states we have 1 Q |ψ0 i = √ (|0i + |7i + |14i) or 3 1 Q |ψ1 i = √ (|0i + ω |7i + ω 2 |14i) or 3 1 Q |ψ2 i = √ (|0i + ω 2 |7i + ω |14i), 3 where ω = e−2πi/3 . Whichever of these we have, observation now yields, with equal probabilities, c = 0, c = 7 or c = 14. If we observe c = 0 then the process must be run again. If we observe c = 7 then c/N = 7/21 = 1/3 and the denominator of this fraction is r. Similarly, if c = 14 we read r off from c/N = 14/21 = 2/3. (Of course the example has been set up in the knowledge that the order of 4 divides 21, merely for purposes of illustration. We should not be misled to the conclusion that the example generalises to a simple method for factoring integers.) Notice that if we had omitted the observation of the second register before application of Q then, applying Q would have resulted in the state 1 [(|0i + |7i + |14i) |1i + (|0i + ω |7i + ω 2 |14i) |4i + (|0i + ω 2 |7i + ω |14i) |16i] 3 and observation would have given the same result as before. 4.5. Advanced period finding. There are two immediate problems to be overcome in implementation of the algorithm in general. First of all we have defined quantum computation in terms of qubits, not N –ary bits. In this setting we need at least L = ⌈log(N )⌉ qubits to represent N as an binary integer. This means that we shall have to run the algorithm using the quantum Fourier transform Qq for some q which is not equal to N . Secondly, we cannot assume that the period r divides q (or N ). If q/r is not an integer then a periodic function f : Z → ZN of period r does not induce a well–defined function from Zq to ZN . QUANTUM ALGORITHMS 29 exact case Q x0 x0 + r x0 + 2r 0 q r 2q r 0 q r 2q r 3q r Q 3q r non–exact case Figure 14. Exact and non–exact cases for the quantum Fourier transform Suppose then that we have a periodic function f : Z → ZN of period r, as before, but now we do not assume r|N . To address the first problem above we choose q = 2n > N , for some integer n. We shall see below that the success of the algorithm depends on making a good choice for q. Recall that we identify a0 ⊗ · · · ⊗ an−1 ∈ Z⊗n with a binary integer via the map b such that 2 b(a0 ⊗ · · · ⊗ an−1 ) = 2n−1 a0 + · · · an−1 . We use the composite f ◦ b : Z⊗n → ZN to simulate 2 f . Replacing f by this function observe that it satisfies the conditions that, for all x such that 0 ≤ x < q − r, (i) f (x) = f (x + r) and (ii) f (x + y) = f (x) implies r|y, if 0 ≤ y < q − r − x. We shall also use the map b to identify Z⊗n with the set {0, . . . , q − 1}, which we regard as Zq . In 2 particular this identification allows us to apply the Fourier transform Qq to Z⊗n 2 . We can set up our algorithm, along the lines of Section 4.4, starting with two registers, the first of n qubits and the second of L qubits in initial state |0i |0i. As before we apply Walsh–Hadamard Wn and a Uf gate to obtain the state (4.7) q−1 1 X |xi |f (x)i . √ q x=0 However, if q/r is not an integer then after applying the quantum Fourier transform Qq to the first register of (4.7) there may be non–zero coefficients ψ̂(c) at values of c which are not multiples of q/r. Nevertheless it turns out that the non–zero coefficients are clustered around points close to multiples of q/r (see Figure 14). This means that, if a good choice of q is made, there is a high probability of an observation returning a value close enough to one of these multiples to allow the use of a classical algorithm, based on properties of continued fractions, to yield the value of r. First we shall state the required property of continued fractions and describe how it can be used to extract information from the algorithm. Then we’ll complete the description of the algorithm. The property we need of continued fractions is the following. The necessary definitions and background can be found in Section 4.8. Theorem 4.6. [28] If x ∈ Q satisfies 1 p −x < 2 r 2r then p/r is a convergent of the continued fraction expansion of x. 30 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES (This theorem holds for all x ∈ R, but we do not need this here and we’ve only defined continued fractions for rational numbers.) To see how this helps suppose that, as in Section 4.4, we apply Qq to the first register of (4.7) and then observe to obtain a value c. If q c s q < 2, c−s =q − r q r 2r for some integer s then Theorem 4.6 implies that s/r is a convergent of the continued fraction expansion of c/q. As c and q are known these convergents may all be calculated using the Euclidean algorithm. If, in addition, gcd(s, r) = 1 then the denominator of one of the convergents is r. Furthermore, given s with 0 ≤ s < r there is a unique integer cs such that −r/2 ≤ cs r − sq < r/2 and for such cs we have s 1 cs − < . q r 2q (4.8) This motivates the choice of q as the unique integer q = 2n such that N 2 ≤ q < 2N 2 : for then, with s and cs as above, (4.9) cs 1 s 1 1 < 2, − < ≤ q r 2q 2N 2 2r since r < N . Given this choice of q, if we observe cs for s such that gcd(r, s) = 1, then we can compute the convergents of the continued fraction expansion of cs /q using the continued fraction algorithm, as described in Section 4.8. From Theorem 4.6 and (4.9), s/r is among these convergents. It is a further consequence of our choice of q that s/r is the unique convergent of cs /q satisfying the inequality (4.8). To see this suppose that a and b are positive integers with b < N such that a/b also satisfies (4.8). Then c a 1 s c s a − − + − < . ≤ r b r q q b q This implies that |sb − ar| < rb/q and as N 2 ≥ q it follows that |sb − ar| < 1 so that s/r = a/b. Therefore, as claimed, s/r is the unique convergent satisfying (4.8). This being the case we can use (4.8) to find s/r amongst the convergents of cs /q and this allows us to compute r. The time taken to do this, once cs has been observed, is therfore O(L3 ). Therefore we shall need to know the probability of observing cs , for s such that gcd(r, s) = 1. To start with we observe the second register of (4.7) and obtain some value b ∈ ZN . As before, there is a such that f (a) = b and 0 ≤ a < r, and so f −1 (b) = {a + kr : 0 ≤ k < Ka }, where Ka is the greatest integer such that (Ka − 1)r + a < q. In the first register we now have Ka −1 1 X |ψi = √ |a + kri K a k=0 = q−1 X x=0 where ψ(x) |xi ,   √1 , Ka ψ(x) =  0, We now apply Q to the first register and obtain (4.10) Q |ψi = q−1 X c=0 if r|x − a otherwise ψ̂(c) |ci , . QUANTUM ALGORITHMS 31 where, using (4.3) and an arguement similar to that of the proof of Lemma 4.4, (4.11) ψ̂(c) = √ KX a −1 1 e−2πic(a+kr)/q . Ka q k=0 We now observe the first register and use the following estimate, which we prove in Section 4.6, following [16] and [29]. Proposition 4.7. The probability of observing (4.10) and obtaining a value cs such that s 1 cs − < 2 q r 2r and gcd(s, r) = 1 is at least 4φ(r) π 2 r2 1−  πr 2q 2 ! . In particular, if N ≥ 158 and r ≥ 19 then this probability is at least 1/10 loge loge (N ). Summary: the period finding algorithm Given a function f : Z → ZN which is periodic of period r perform the following steps. (1) First check whether f has period r < 19. The number of operations this requires depends on f . For example if f is modular exponentiation, as in Shor’s algorithm, then then this step requires O(log 3 (N )) operataions. (2) Compute L = ⌈log(N )⌉ and set q = 2n , where 2 log(N ) ≤ n < 2 log(N ) + 1. This may be done using a classical algorithm in O(L) operations. (3) Prepare first and second registers Q and R of n and L qubits, respectively, in state |0i |0i ∈ Q ⊗ R. (4) Apply Wn ⊗ IL to the state of (3). The Walsh–Hadamard transformation Wn may be implemented using n single qubit Walsh–Hadamard gates so the number of operations required in this step is O(n) = O(L). (5) In this step we assume the existence of a unitary transformation Uf from Q ⊗ R to itself, which maps basis vector |xi |yi to |xi |f (x) ⊕ yi. Apply Uf to the output of (4) to give (4.7). The complexity of this step is dependent on f . For example if f is modular exponention then Uf may be implemented using O(L3 ) operations. (6) Observe the second register of (4.7) and project to a state |ψi |bi, where |ψi ∈ Q and b ∈ ZN . (7) Apply Qq ⊗ IL to |ψi |bi to obtain (4.10) in the first register (and |bi in the second). We show in Section 4.7 that Qq may be implemented in O(n2 ) = O(L2 ) operations. (8) Observe the state of (7) and obtain a basis vector |ci |bi. (9) Use the continued fraction algorithm (see Section 4.8) to find the convergents of c/q and output a candidate r′ for the period of f . This requires O(L3 ) operations. Modulo the complexity of f the above procedure requires O(L3 ) operations. ¿From Proposition 4.7 the final step is succesful with probability 1/10 loge loge (N ). Hence we repeat the algorithm O(log log(N )) = O(log(L)) times and compute the least common multiple l of the non–zero values r′ output in the last step. Then with high probability, l = r, the period of f . Hence we have computed r in O(L3 log(L)) operations, subject to the time required to compute f and the probability of error. In the case of Shor’s algorithm, where f is exponentiation modulo N , it follows that we can perform quantum modular exponentiation in time O(L3 log(L)), where L = log(N ). As the reduction of factoring to period finding described in Section 4.2 requires O(L3 ) operations we have a quantum algorithm for factoring an integer N in time O(L3 log(L)). In fact this bound is not tight and, by using faster algorithms for integer arithmetic, Shor [54] obtains the bound of O(L2 log(L) log log(L)) mentioned at the begining of this section. 32 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES 4.6. Probability estimates. We shall need the following result from [51]. Theorem 4.8. For r ≥ 3, where γ = limn→∞ (1 + 1 2 + 2.50637 r < eγ loge loge (r) + , φ(r) loge loge (r) 1 3 + ···+ 1 n − loge (n)) = 0.57721556649 . . . is Euler’s constant. Recall from Section 4.5 that f is a periodic function from Zq to ZN of period r, that L, n, N, r, q ∈ Z, with 1 ≤ r < N , q = 2n , N 2 ≤ q < N and L = log⌈N ⌉. We have a 2 register quantum system with first and second registers of n and L qubits, respectively. The first register is in the state given by (4.10) and the second in state |bi, where b = f (a). In addition Ka is the largest integer such that (Ka − 1)r + a < q. In the special case of Section 4.4 we measured (4.5) and, with high probability, observed c such that cr − N s = 0, for some s with gcd(r, s) = 1. In the general case we shall show that when we measure (4.10) there is a high probability of observing c such that −r/2 ≤ cr − sq < r/2, for some integer s such that gcd(r, s) = 1. This will be enough to allow us to compute r. Proof of Proposition 4.7. Recall that, given s ∈ Z, we write cs for the unique integer such that −r/2 ≤ cs r − sq < r/2. Simple calculations show that 0 ≤ cs < q if and only if 0 ≤ s < r and also that if cs = ct then s = t. Hence the integers c0 , . . . , cr−1 are distinct and lie in [0, q). For each s with 0 ≤ s < r write ǫs = cs r − sq and define 2πǫs θs = . q The conditions on Ka imply that q q (4.12) − 1 < Ka < + 1. r r Therefore, for s such that 0 ≤ ǫs < r/2 and for k such that 0 ≤ k < Ka , we have πkr 0 ≤ kθs < < π. q Hence, for such s, the points e−ikθs lie in the lower half–plane, for k = 0, . . . , Ka − 1 (see Figure 15). Similarly, for s such that −r/2 ≤ ǫs < 0 the points e−ikθs lie in the upper half–plane, for Figure 15. The points e−ikθs , for s such that 0 ≤ ǫs < r/2. k = 0, . . . , Ka − 1. It follows (see Figure 16) that for all s such that 0 ≤ s < r (4.13) KX a −1 e −iθs k k=0 This is known as constructive interference. ≥ KX a −1 k=0 e −iπrk q . QUANTUM ALGORITHMS πr q 33 θs Figure 16. Different rates of constructive interference We shall denote by p1 (c) the probability that c is observed when the first register is measured with respect to the computational basis. The state (4.10) has coefficients given by (4.11) so KX a −1 2πic(kr+a) 1 q e− p1 (c) = Ka q 2 k=0 Ka −1 2πica X 2πickr 1 = e− q e− q Ka q 2 k=0 KX a −1 2πickr 1 e− q = Ka q (4.14) 2 . k=0 Since −2πics r −2πi(sq + ǫs ) 2πiǫs = = −2πis − , q q q we have e(−2πics r)/q = e(2πiǫs )/q = e−iθs k , (4.15) for 0 ≤ s < r. Combining (4.13), (4.14) and (4.15) we have KX a −1 1 e−(iπrk)/q p1 (c) ≥ Ka q 2 k=0 1 = Ka q = (4.16) using the identity eix − 1 2
Ka −1 e−(iπr)/q −(iπr)/q e −1 2 sin2 (πrKa /2q) , Ka q sin2 (πr/2q) = 4 sin2 (x/2), for x ∈ R. ¿From (4.12) we have 0< π 2 so (4.17) sin      r Ka πr r π 1− < 1+ < π, < q 2q 2 q Ka πr 2q  > sin  π 2    r 1 + (−1)d , q 34 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES for d = 1 or for d = −1. As r/q is small we have (using a Taylor series expansion)   2   r πr π 2 1± ≥1− (4.18) sin 2 q 2q and (4.19) sin(πr/2q) ≤ πr/2q. Combining (4.16), (4.17), (4.18) and (4.19) we see that the probability of observing cs , for some s such that 0 ≤ s < r, is  2 !  2 1 πr 2q 1− p1 (cs ) ≥ Ka q 2q πr q = Ka rq > r+q (4.20) 4 ≥ 2 π r 1−  1− 1− πr 2q   2 !  πr 2q πr 2q 2 πr 2 !  2 ! 2 2 πr 2 . As discussed in Section 4.4 the probability that s ∈ {0, . . . , r − 1} is coprime to r is φ(r)/r. Together with (4.9) and (4.20) this yields the first statement of the proposition. For the final statement we note that if N ≥ 158 then  2 ! 2 4 πr ≥ . 1− π2 2q 5 Since there are r distinct integers, c0 , . . . , cr−1 this implies that p1 (cs ) ≥ 2/5. From Theorem 4.8 it follows that if r ≥ 19 then φ(r) 1 1 > > , r 4 loge loge (r) 4 loge loge (N ) and the final statement of the proposition follows.  4.7. Efficient implementation of the quantum Fourier transform. As in the case of the Deutsch–Jozsa algorithm it is the complexity of Shor’s algorithm which is of interest. Shor showed that his algorithm could be implemented efficiently using small quantum circuits because this is also true of the quantum Fourier transform on Z2n . In fact this implementation of the quantum Fourier transform is essentially an adaptation of the standard fast Fourier transform technology to quantum computation. Here we’ll show that it is possible to implement the quantum Fourier transform on Zn using at most n2 2–qubit gates. If U is a single qubit quantum gate, then we define the controlled U –gate, a unitary transformation of a 2–qubit system, by |0i h0| ⊗ I + |1i h1| ⊗ U. If the first qubit is |1i then U is applied to the second qubit. If it is |0i then the identity I is applied to the second qubit. The controlled U –gate is depicted in a quantum circuit diagram in Figure 17. Let Rφ be the unitary transformation (called a phase shift) on a single qubit given by the matrix   1 0 0 e−iφ QUANTUM ALGORITHMS 35 U Figure 17. A controlled U –gate Let Bk (k ∈ N) denote Rπ/2k . Now consider the 4–qubit circuit in Figure 18, which is constructed using controlled Bk –gates. We claim that this performs the quantum Fourier transform on Z24 . The first Walsh–Hadamard gate applies W ⊗ I ⊗3 to |k3 k2 k1 k0 i and results in |k3 i W |b3 i |k2 i |k1 i B2 |k0 i |b2 i W B1 W B1 B2 B3 phase 1 phase 2 |b1 i B1 phase 3 |b0 i W phase 4 Figure 18. A quantum circuit for the 4–qubit quantum Fourier transform W ⊗I ⊗3 |k3 k2 k1 k0 i = ( √1 (|0i 2 √1 (|0i 2 + |1i) ⊗ |k2 k1 k0 i − |1i) ⊗ |k2 k1 k0 i if k3 = 0 . if k3 = 1 This can be written as 1 √ (|0i + e−πik3 |1i) ⊗ |k2 k1 k0 i. 2 The map corresponding to the first controlled–B1 gate is |0i h0| ⊗ I ⊗3 + |1i h1| ⊗ Rπ/2 ⊗ I ⊗2 . After passing through this gate the quantum state becomes (
−πik3 √1 |10k k i |00k k i + e 1 0 1 0 2
√1 |01k1 k0 i + e−πik3 |1i ⊗ e−πi/2 |1i ⊗ |k1 k0 i 2 which can be written as if k2 = 0 if k2 = 1  k2 1  √ |0i + e−πi(k3 + 2 ) |1i ⊗ |k2 k1 k0 i. 2 Using similar calculations, after phase 1 the state becomes  k1 k0 k2 1  √ |0i + e−πi(k3 + 2 + 4 + 8 ) |1i ⊗ |k2 k1 k0 i. 2 That is, we have  2πki 1  |ki 7→ √ |0i + e− 16 |1i ⊗ |k2 k1 k0 i, 2 where |ki = |k3 k2 k1 k0 i, and we can further rewrite the right hand side as 1 1 X − 2πikb0 √ e 16 |b0 k2 k1 k0 i. 2 b0 =0 36 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES Similarly, after phase 2 we obtain 1 1 1 X X − 2πi(b0 +2b1 ) 16 √ |b0 b1 k1 k0 i e 22 b0 =0 b1 =0 and after phase 4 the state becomes 1 1 1 1 1 X X X X − 2πi(b0 +2b16 1 +4b2 +8b3 ) √ |b0 b1 b2 b3 i. e 4 2 b0 =0 b1 =0 b2 =0 b3 =0 Swapping qubits 3 ↔ 0 and 1 ↔ 2, and setting |bi = |b3 b2 b1 b0 i, gives 4 2 −1 1 X − 2πikb √ e 24 |bi = Q24 |ki , 24 b=0 the quantum Fourier transform on Z24 applied to |ki ∈ Z24 . This generalises in a straightforward manner to give the quantum Fourier transform of Z2n , for arbitrary n. Note that all the gates used are 2–qubit gates. In the general case the number of gates used is (n + 1)n/2 ≤ n2 , as claimed. 4.8. The continued fractions algorithm. A (finite) continued fraction is an expression of the form 1 a0 + a1 + a2 + 1 1 ···+ 1 an where a0 ∈ Z, ai ∈ N, for each i > 0, and n ≥ 0. This finite continued fraction is denoted [a0 , . . . , an ] and clearly represents a unique rational number. Conversely, using the Euclidean algorithm, it can be seen that a positive rational number can be expressed uniquely as a finite continued fraction [a0 , . . . , an ], with an > 1 (see [28] or [40]). Example 4.9. As 125 = 3 · 37 + 14 37 = 2 · 14 + 9 14 = 1 · 9 + 5 9 = 1·5+4 5 = 1·4+1 we have 37 14 125 =3· + 37 37 37 1 = 3 + 37 14 =3+ =3+ 2· 1 + 14 14 9 14 1 1 2 + 14 9 .. . =3+ 1 2+ 1 1+ 1+ 1 1 1+ 1 4 and so the continued fraction representing 125/37 is [3, 2, 1, 1, 1, 4]. QUANTUM ALGORITHMS 37 The j th convergent of the continued fraction [a0 , . . . , an ] is the expression [a0 , . . . , aj ] = pj /qj , say. Continuing the above example the convergents of 125/37 are [3] = 3, [3, 2] = 7/2, [3, 2, 1] = 10/3, [3, 2, 1, 1] = 17/5, [3, 2, 1, 1, 1] = 27/8, and 125/37. Clearly we may compute the convergents of a given rational number using the Euclidean algorithm as in the above example and this allows us to make use of Theorem 4.6 in Shor’s algorithm. The complexity of this algorithm, known as the continued fraction algorithm is the same as that of the Euclidean algorithm: that is O(L3 ) operations are required to compute the continued fraction of p/q, where L = max{log(p), log(q)}. 4.9. The hidden subgroup problem. The problems of factoring integers and finding the period of functions may both be regarded as instances of the “hidden subgroup problem” which we discuss in this section. Let G be a group and X a set and let f : G → X be a function. Assume that there is a subgroup K ≤ G such that (i) f restricted to gK is constant, for all g ∈ G, and (ii) if gK 6= hK then f (g) 6= f (h). Then we say that f is a hidden subgroup function which hides the subgroup K and that K is the hidden subgroup of f . The hidden subgroup problem is to find the hidden subgroup of a given hidden subgroup function. That is, to solve the problem we must find a generating set for K. (In some weaker versions of the problem it is only required that random elements of K are found.) We are concerned here with the complexity of this problem and, in particular, whether or not it can be solved more quickly using quantum rather than classical techniques. We shall say that the hidden subgroup problem can be solved efficiently if there is an algorithm which outputs generators of K in time bounded by some polynomial in log |G|. This is a simplification, as in practice it is necessary to consider how G is encoded and the effect of this encoding on the complexity of the problem. However for the purposes of the present brief discussion it is enough to assume that our quantum system has access to elements of G in some appropriate form. First of all we point out that the hidden subgroup problem has a number of intrinsically interesting special cases. For example, a periodic function f with period r, in the sense of Section 4.1, on a cyclic group C = hxi, hides the subgroup hxr i. Therefore, period finding, and hence factoring of integers are, as claimed, particular cases of this problem. Another problem which may be described in this way is that of finding discrete logarithms. Given a cyclic group G of order n generated by an element g the discrete logarithm problem is, given a ∈ G, to find the least positive integer r such that a = g r . To formulate this as a hidden subgroup problem consider the function f : Zn × Zn → Zn given by f (x, y) = g x a−y . This is a homomorphism with kernel the subgroup K generated by (r, 1) ∈ Zn × Zn . Therefore f hides the subgroup K. Clearly finding the generator of K gives us r. In fact if we can obtain any element (s, t) ∈ K then we can compute r = s/t (in time O(log2 (n))) as long as we know that K is generated by an element of the form (r, 1). The U.S. Digital Signature Algorithm is based on the assumption that no polynomial algorithm is known for the discrete logarithm problem [42]. Details of an efficient quantum algorithm for this problem may be found in [45]. As a third example consider a group G acting on a set X. If x ∈ X then we may define a function f : G → X by f (g) = g · x, for g ∈ G. Then f hides the stabiliser of x. As a further example we mention that the graph isomorphism problem may be viewed as a special case of the hidden subgroup problem (see [33, Section 6]). No polynomial time algorithm for the graph isomorphism problem is known but on the other hand it is not known to be NP–complete. (A problem is NP if there is a classical non–deterministic polynomial time algorithm for its solution. A problem is NP–complete if every problem which is NP may be reduced, efficiently, to this problem. See [47] for further details.) As a problem which seems likely to lie outside the class of 38 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES problems classically solvable in polynomial time and which also seems unlikely to be NP–complete, the graph isomorphism problem is a good test case for the power of quantum computation. In its formulation as a hidden subgroup problem it becomes a question of finding a hidden subgroup of a permutation group (of degree twice the number of vertices of the graphs in question). An efficient quantum algorithm for the hidden subgroup problem in permutation groups would therefore give rise to an efficient quantum algorithm for the graph isomorphism problem. However, at the time of writing, there are very few non–Abelian groups for which polynomial time quantum algorithms for the hidden subgroup problem have been found. The first quantum algorithm for a hidden subgroup problem appears to be Deutsch’s algorithm, where the hidden subgroup of Z2 is either trivial or the entire group. However the subject begins in earnest with Simon’s algorithm, [55] and [56], for a restricted case of the hidden subgroup problem in Zn2 . Simon’s algorithm uses the Walsh–Hadamard transform on Zn2 to extract information from a quantum state, but the hidden subgroup here must have order 2. Shor [53] realised that it was possible to implement the quantum Fourier transform for Z2n and used it instead of the Walsh– Hadamard transform to generalise Simon’s algorithm. This resulted in the factorisation algorithm described above. Subsequently methods for implementing and applying the quantum Fourier transform to a wider class of Abelian groups were developed by a number of people including Shor [54], Cleve [11], Coppersmith [13] and Deutsch. Kitaev implemented the quantum Fourier transform [38] for arbitrary finitely generated Abelian groups and used it to construct his phase estimation algorithm which finds eigenvalues of unitary transformations. More precisely, Kitaev’s phase estimation algorithm, given a unitary transformation and one of its eigenvectors |ui, will return a value φ, where e2πiφ is the eigenvalue corresponding to |ui (see for example [45]). Kitaev used the phase estimation algorithm to solve the problem of finding stabilisers, as described above, where G is a finitely generated Abelian group, and showed how this gives rise to efficient algorithms for factoring integers and for the discrete logarithm problem. Mosca and Ekert [44] have shown that the phase estimation algorithm can be used to solve the general hidden subgroup problem in finitely generated Abelian subgroups. Moving away from Abelian groups Ettinger and Hoyer construct an algorithm which solves the hidden subgroup problem in the finite dihedral group G, using at most a polynomial (in log |G|) number of calls to the unitary transformation Uf simulating f (as in Section 4.4). However their algorithm requires exponential time to interpret the output. That is, the part of the algorithm analagous to the continued fractions post processing in Shor’s algorithm requires exponentially many operations. Ettinger, Hoyer and Knill [17] generalise this to show that there is a quantum algorithm for the hidden subgroup problem in an arbitrary finite group G which requires O(log |G|) calls to Uf . However they do not give explicit implementation of the measurements required, and the post processing part of the algorithm is again exponential. Püschel, Rötteler and Beth [50], [52] have implemented the quantum Fourier transform for the wreath product Zn2 ≀ Z2 and hence solve the hidden subgroup problem efficiently in these groups. Hallgren, Russell and Ta-Shma [26] have shown that the special case of the hidden subgroup problem where K is a normal subgroup of a finite group G can be solved efficiently on a quantum computer. Their algorithm uses the Fourier transform for an arbitrary finite group to distinguish K. Ivanyos, Magniez and Santha [30] generalise [52] by constructing polynomial time quantum algorithms for the hidden subgroup problem in specific finite groups: namely groups having small commutator subgroups and groups which have an elementary Abelian normal 2–subgroup of small index or with cyclic factor group. (Here small means of order polynomial in log |G|.) Friedl, Ivanyos, Magniez, Santha and Sen [21] complete and generalise much of the above by extending these last results to solvable groups satisfying the following condition on their commutator subgroups. A finite Abelian group A is said to be smooth if it is the direct sum of an elementary Abelian p–group, for some prime p, with a group of order polynomial in |A|. A finite solvable group G is said to be smoothly solvable if the Abelian factors of its derived series are smooth Abelian groups. In [21] efficient quantum algorithms are constructed for the hidden subgroup QUANTUM ALGORITHMS 39 problem in finite solvable groups which have smoothly solvable commutator subgroups. These include semidirect products of the form Zkp ⋊ Z2 , where p is a prime (which reduce to finite dihedral groups of order 2p when k = 1) and groups of upper triangular matrices of bounded dimension over a finite field. In fact their work builds on quantum algorithms for solvable groups developed by Watrous [60] and Cheung and Mosca [10]. Moore, Rockmore, Russell and Schulman [43] show that q–hedral groups Zp ⋊ Zq have quantum efficiently solvable hidden subgroup problem, when q = (p − 1)/g(log(p)), for some polynomial g. They also prove that quantum efficiency of the hidden subgroup problem is closed under taking certain extensions, as follows. Suppose that there is an efficient quantum algorithm for the hidden subgroup problem in the group H. Let G be a group with normal subgroup N such that G/N = H and |N | = g(log |H|), for some polynomial g. Then there is an efficient quantum algorithm for the hidden subgroup problem in G. Hallgren [25] considers the problem of finding the period of a periodic function f from the group R to a set X, where the period may be irrational. Hallgren’s quantum algorithm runs in time polynomial in an appropriatly defined input size. This gives rise to efficient algorithms for a number of computational problems of algebraic number theory: the solution of Pell’s equation, the pricipal ideal problem and determination of the class group. No efficient classical algorithms are known for any of these problems. (A full and self–contained exposition of Hallgren’s algorithm and it’s application to number theoretic problems may be found in [34].) In [41] Lomonaco and Kauffman consider the hidden subgroup problem in R and various other Abelian groups which are not finitely generated. 40 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES 5. Grover’s algorithm 5.1. Overview. Grover’s algorithm [24] operates in a quite different way to Shor’s. The basic problem is an unstructured search: We are given an N element set X and a map P : X → {0, 1} and are required to find x ∈ X such that P (x) = 1. We call a value of x such that P (x) = 1 a solution to the search problem. In the first four parts of this Section we consider the algorithm for the case where we know that there are exactly M ≥ 1 solutions. Then, in Section 5.5, we show how techniques developed by Brassard, Høyer and Tapp can be used to remove this constraint. In Section 5.2 we describe the algorithm and then in Sections 5.3 and 5.4 we explain why it works. No extra information is known about P , we merely have an oracle to evaluate P (x) for a given x ∈ X. Classically, the best algorithm (exhaustive testing) requires N − M + 1 evaluations to find a solution x with certainty, since the first N − M elements tested may be non–solutions. Probabilistically, we would expect to find a result after p N/2M evaluations. In contrast, Grover’s quantum algorithm performs the search in time O( N/M ) on a quantum computer. The idea of the algorithm is, roughly speaking, the following. Suppose that N has size 2n and, as before, we prepare the standard superposition of all possible outputs (entangled with inputs): n 2 −1 1 X √ |xi ⊗ |P (x)i . 2n x=0 We wish to find a √ state |xi ⊗ |1i for some x. By direct measurement at this stage, there is only a probability of √ M/ 2n of finding such a state. In the worst case when there is only one solution this falls to 1/ 2n . The strategy is to increase the amplitude of vectors of the form |xi ⊗ |1i and decrease the amplitude of those of the form |xi ⊗ |0i, until the state approximates M 1 X √ |xi i ⊗ |1i , M i=1 (5.1) where the solution set is {x1 , . . . , xM }. Measuring this altered state then gives a solution with high probability. 5.2. A circuit for Grover’s algorithm. Let us consider how this strategy may be carried out in practice. We assume, for simplicity, that N = 2n , for some positive integer n and that we know in advance that there are exactly M solutions, where M ≥ 1. The algorithm uses the standard oracle UP for the function P which, as in Section 2.10 maps |xi ⊗ |yi to |xi ⊗ |P (x) ⊕ yi. Thus the quantum system underlying the algorithm consists of a first register of n qubits and second register, called the oracle workspace, of a single qubit. As in the description of Deutsch’s ⊗n algorithm in Section 3.3, we begin with the state |0i ⊗ |1i to which is applied W n ⊗ W followed by UP . As in Section 3.3, the first register then contains n 2 −1 1 X √ (−1)P (x) |xi = D(P ), 2n x=0 (5.2) as defined in (3.1). Note that the oracle maps the state |xi ⊗ |wi to (−1)P (x) |xi ⊗ |wi, so we may regard the second register as unchanged and the amplitude of the first register as multiplied by −1 if and only if x is a solution. We now need to magnify the amplitudes of the vectors |xi where x is a solution. This is accomplished using inversion about the mean which may be defined as the unitary transformation F = Wn T Wn , where T is the conditional phase shift operator given by T |0i = |0i and T |xi = − |xi , for all x 6= 0. We shall discuss inversion about the mean in more detail in Section 5.3, for the time being assuming that it does what we require of it: that is to increase negative amplitudes and decrease positive QUANTUM ALGORITHMS 41 oracle action inversion about the mean p after O( N/M ) operations Figure 19. Operation of Grover’s algorithm ones. With this assumption apply F to the state D(P ) of (5.2) (that is we apply F ⊗ I to our quantum system). As shown in Figure 19 we then repeat the process, applying UP followed by √ F untill the amplitudes of the solutions approach 1/ M and the amplitudes of all other basis vectors approach zero, as in (5.1). We call the composite function G = (F ⊗ I) ◦ UP the Grover operator. The question is how do we know how many iterations of G to allow before halting. It will become apparent in Section 5.4, where we answer this question, that we must choose the number R of iterations carefully, as the amplitudes of the solutions do not approach a steady state but rather oscillate, so too many p iterations will be as bad as too few. As we shall see, the required number of iterations is O( N/M ). Grover’s algorithm can be depicted using the circuit diagrams in Figures 20 and 21. n qubits W ⊗n G oracle workspace G G G p O( N/M ) copies Figure 20. The quantum circuit for Grover’s algorithm 5.3. Inversion about the mean. We now explain why the operation F of Section 5.1 is called “inversion about the mean” and behaves as shown in Figure 19. It is easy to verify that the conditional phase shift operator T satisfies T = 2|0ih0| − I. Inversion about the mean is then given by (5.3) F = W ⊗n (2|0ih0| − I)W ⊗n . 42 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES G phase shift T oracle |0i 7→ |0i |xi 7→ − |xi if x 6= 0 W ⊗n |xi 7→ W ⊗n (−1)P (x) |xi Figure 21. Decomposition of the Grover operator If we let |ψi = W ⊗n then we have N −1 1 X √ |xi |0i = N x=0 N −1 1 X hx|. hψ| = h0|W ⊗n = √ N x=0 It follows, from (5.3), that F = 2|ψihψ| − I. (5.4) Now consider the action of this operator on a general quantum state. We have X X X (2|ψihψ| − I) αk |ki = 2 αk |ψihψ|ki − αk |ki. k k k Now, X k αk |ψihψ|ki N −1 X = k=0 N −1 1 X hx|ki|ψi αk · √ N x=0 N −1 1 X √ αk |ψi N k=0 = N −1 1 X 1 X √ |xi αk √ N k N x=0 = = A N −1 X x=0 |xi, where A= 1 X αk N k is the average (mean) of {αk }. So F N −1 X k=0 ! αk |ki = N −1 X k=0 (2A − αk )|ki. Therefore F acts by reflecting the amplitudes αk about their mean value A. QUANTUM ALGORITHMS 43 5.4. The Grover operator as a rotation. Suppose that there are M ≥ 1 solutions in a search set of size N . Let X X 1 1 |xi. |ai = √ |xi, |bi = √ N − M P (x)=0 M P (x)=1 The initial state of the system is N −1 1 X |ψi = √ |xi, N x=0 which can be written as (5.5) |ψi = r N −M |ai + N r M |bi. N We claim that the Grover operator keeps the quantum state in the plane spanned by |ai and |bi, i.e. that the subspace S = span{|ai, |bi} of the quantum system is invariant under operation of G. Since the oracle UP acts on both the first and second registers it is convenient to define an operator O of the first register by UP (|xi ⊗ |wi) = (O |xi) ⊗ |wi. This is possible since UP leaves |wi unchanged. Thus O determins the action of the oracle on the first register, given that the second register is in state |wi. Now let G = F ◦ O. Then the operation of G on the first register is determined by G. We aim to show that S is invariant under G. We first consider the action of the oracle on S. We have O|ai = |ai and O|bi = −|bi. Thus O(α|ai + β|bi) = α|ai − β |bi ∈ span{|ai , |bi}, so S is invariant under the action of the oracle. Geometrically, O|S is a reflection in the line through the origin defined by |ai (by which we mean the set of points α |ai, for α ∈ C). Next we consider the action of inversion about the mean, that is the operator F , on S. From (5.4) we have F (α|ai + β|bi) = 2αhψ|ai|ψi + 2βhψ|bi|ψi − α|ai − β|bi. Since |ψi ∈ S it follows that S is invariant under F and, with the above, this implies that S is invariant under G, as required. Moreover, it is easy to see that F |ψi = |ψi and that if |φi is orthogonal to |ψi then F |φi = −|φi. Thus F |S is a reflection in the line through the origin defined by |ψi. Thus G|S , being the composition of two reflections in lines through the origin, is a rotation about p the origin of the plane S. To find the angle of rotation note that since 1 ≤ M ≤p N we have 0 ≤ N − M/N < 1, so that there exists θ ∈ R such that 0 < θ ≤ π and cos(θ/2) = N − M/N . From (5.5) we have therefore     θ θ |ai + sin |bi. |ψi = cos 2 2 Thus G|S is an anticlockwise rotation about the origin, through an angle θ, as shown in Figure 22. Hence     3θ 3θ G|ψi = cos |ai + sin |bi 2 2 and in general,    2(k + 1)θ 2(k + 1)θ |ai + sin |bi. 2 2 p  If we rotate |ψi through cos−1 M/N radians then we obtain a state close to the desired vector Gk |ψi = cos  |bi. Measuring this state we will, with high probability, observe x such that P (x) = 1, that is a 44 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES |bi G |ψi |ψi θ θ/2 |ai θ/2 O |ψi Figure 22. Geometric interpretation of the Grover operator solution to the search problem. Thus the number of times we should iterate the Grover operator is given by     cos−1 pM/N    . R= θ p If M 6 N/2 then θ/2 > sin (θ/2) = M/N . Thus we obtain, in this case, r π N 4 M p as an upper bound for R. Note that if we iterate approximately π N/M /2 times, then we have rotated back almost to −|ai, and the probability of obtaining a solution is much worse again. So determining the appropriate number of iterations is a delicate matter. In the case√where M = 1 as in Grover’s original paper, the number of iterations required is approximately π N /4. It can be shown that if M > N/2, i.e. more than half of the elements of the search set are solutions, then the number of iterations required increases with M ! (See [45].) However, if we know in advance that M ≥ N/2 then sampling the set X at random, and checking for a solution using the oracle, we’ll find a solution with probability at least 1/2, with only one call to the oracle. Even when it is not known in advance whether or not M ≥ N/2, by doubling the size of the first register and padding it with non–solutions we can assume, at very low cost, that in fact M ≤ N/2 and so use the above bound R on the number of iterations required (see [45] for details). In conclusionp the number of Grover operations G required for a solution to be found with high probability is O( N/M ). We show in the next section, how we can estimate M when it is not known in advance. Also, note the following. (i) If the required probability of error is less than√a given constant then the oracle in Grover’s algorithm can also be implemented in time O( N ) to search an unstructured database. (See [45].) √ (ii) The time complexity of unstructured quantum search algorithms is known to be Ω( N ) (see [5]). 5.5. The Brassard–Høyer–Tapp counting algorithm. In [6], Brassard, Høyer and Tapp describe general conditions under which Grover’s techniques may be used. They also give a novel method for approximating the number of values x for which a boolean function P satisfies QUANTUM ALGORITHMS 45 P (x) = 1. Some related work, on the eigenvalue analysis of the operator described in this section, is also due to Mosca. A more developed version by all four authors above appears in [7]. Given a system in state |ψi the idea is to find a superposition of Gm |ψi, for all values of m in a given range, where ψ and G are defined in Section 5.4. Since G is a rotation, the above state will be periodic in m. So as in Shor’s algorithm, we may apply the quantum Fourier transform of m which will find the period of the above state (efficiently). ¿From this we can estimate the number of solutions (without actually finding any!) and hence the number of rotations required for Grover’s algorithm above to find a solution with high probability. Given the Grover operator G for P , define the counting operator for P to be C : |mi ⊗ |ψi 7→ |mi ⊗ Gm |ψi . Assume that the value m can take any value in {0, . . . , R = 2r − 1} Then the quantum circuit in Figure 23 will estimate the period of C ◦ (W ⊗ W ) |0i ⊗ |0i. The accuracy to which we can |0i W |0i W |mi |mi QR measure C |ψi Gm |ψi measure Figure 23. Brassard, Høyer and Tapp’s counting circuit estimate this period depends on how large a value of R we take. More precisely, it is shown in [6] (theorem 5) that if t = |P −1 (1)| 6 N/2 and c is the output of this circuit, then 2π √ π2 8 |c − t| < tN + 2 N with probability at least 2 . R R π 46 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES 6. Watrous’ algorithms for solvable groups Watrous [59],[60] has recently produced some group-theoretic work in quantum computing which has quite a different nature to the hidden subgroup problem. In particular, he describes a Monte Carlo quantum algorithm which finds the order of a finite solvable group in polynomial time. This uses some of the techniques of Shor’s algorithm, but also provides some new methods which depend critically on group structure. The group G which is input to the algorithm is given as a finite black box group [4]. This means that we assume the existence of some description of G as a set of binary strings of fixed length n. Multiplication and inversion of elements are performed, each at unit cost, by an oracle which knows this description. The input to the algorithm is a finite generating set for G, together with the oracle. The representation of the elements of G as binary strings gives us a natural association between the elements of G and a subset of the basis elements of a 2n dimensional vector space (that is, a register of n qubits). The notation |gi will be used to denote the basis element associated with the group element g. One useful byproduct of Watrous’ algorithm (and a vital step within the algorithm) is the computation of a uniform superposition 1 X p |gi |G| g∈G in one of the registers. Classical Monte Carlo algorithms are already known which compute a polycyclic generating set for a finite solvable group in polynomial time [3]. Hence we can assume that our starting point for the algorithm is a generating set g1 , . . . gk for which the subgroups Hj = hg1 , . . . gj i form a subnormal series (that is Hj ✁ Hj+1 , for each j). In this case, each quotient group Hj /Hj−1 is cyclic, of order rj (we define H0 to be the identity subgroup). The set of products of the form gkak . . . g1a1 , with each aj ranging from 0 to rj − 1, provides a normal form, and the group order is the product of the integers rj . The problem is reduced to finding the rj , as the orders of the cyclic factor groups. The algorithm works up the chain of the subgroups Hj , and so splits naturally into k steps. We shall describe just one such step, the j-th step, which computes rj . 6.1. Step j of the algorithm. The j-th step of the algorithm splits into two phases. The first phase computes rj , as the period of the function fj : Z → Hj /Hj−1 defined by the rule fj (a) = gja Hj−1 using a fairly straightforward variant of Shor’s algorithm. The second phase, which involves some rather intricate calculation, uses knowledge of the integer rj to compute a uniform superposition of the elements of Hj . This superposition is then used as input for the first phase of the next step. We shall describe both phases below. To make the notation easier, from now on we shall abbreviate rj to r, gj to g and Hj−1 to H. In this case, Hj is equal to hgi H. Following Watrous we use the notation |Hi for the superposition 1 X p |hi |H| h∈H and analogously |hgi Hi for the superposition over hgi H. QUANTUM ALGORITHMS 47 The computation takes place in a large tensor product space with a number of different registers, of two different types, which (like Watrous) we call R registers and A registers. The R registers are used to store superpositions of basis vectors indexed by the elements of G. The A registers are used to store superpositions of basis vectors indexed by the integers in some finite range 0, . . . M −1 (We call the set of such integers ZM . Note that this is a subset of Z which is not quite the same as the cyclic group of integers mod M .) How big M needs to be differs between the two phases. Recall that the quantum Fourier transform QM acts on an A register as 1 X −2πiab/M e |bi . QM : |ai 7→ √ M b∈ZM (In fact, Watrous uses the convention which calls this the inverse transform, but for consistency we use the notation of the rest of this article.) Group multiplication is provided by the unitary transformation UG which acts on pairs of R registers as UG : |gi ⊗ |hi 7→ |gi ⊗ |ghi . A related unitary transformation VGg acts on a pair of registers, one an A register the other an R register, as VGg : |ai ⊗ |hi 7→ |ai ⊗ |g a hi and is a vital ingredient to the variant of Shor’s algorithm. 6.2. The first phase of step j. We shall describe this phase only briefly, aiming only to exhibit it as a variant of Shor’s algorithm, which is described in detail in Section 4. Here the A register needs to cover integers in the range ZN , where N is ‘large enough’, basically 22n+O(log1/ǫ) , where ǫ is to bound the probability of error. At the beginning of the j-th step the A register contains |0i, and the R register contains the uniform superposition |Hi. g We apply the inverse quantum Fourier transform Q−1 N to the A register, then VG to the pair of registers, then the quantum Fourier transform QN to the A register. |0i ⊗ |Hi ↓ Q−1 N ⊗I 1 X √ |ai ⊗ |Hi N a∈ZN ↓ VGg 1 X √ |ai ⊗ |g a Hi N a∈ZN ↓ QN ⊗ I 1 X X −2πiab/r e |bi ⊗ |g a Hi N a∈ZN b∈ZN Observing A gives some b in ZN which is (with high probability) a good approximation for κ/rj , for κ random. 48 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES ¿From now on we follow Shor’s standard procedure, as described in Section 4. Using continued fractions, we can find integers u, v such that u/v = κ/r, and with high probability u and v are coprime. We repeat this process an appropriate number of times to give the required bound on the probability of error, and then find r as the lcm of the v values. 6.3. The second phase of step j. The second phase has to extend the uniform superposition of H in the R register to a uniform superposition of hgi H, using the knowledge of r acquired during the first phase. The aim of this section is to explain that computation of |hgi Hi from |Hi. In fact we produce several copies of |hgi Hi from several copies of |Hi. More precisely, we use m = k − j + 2 A registers and m R registers to produce m − 1 copies of |hgi Hi from m copies of |Hi. At the beginning of this calculation, each of the m R registers contains the superposition |Hi. At the end, m − 1 of them contain |hgi Hi, and can be used in the next step, and the other must be discarded. In this phase the A register is used to store the integers in Zr . During the phase we use the inverse quantum Fourier transform Qr−1 , the transformation VGg , and UG . The computation has two stages. During the first stage, we work with pairs of registers, each pair consisting of one A register and one R register. We do the same computation with each pair, so to describe this stage we need only say what happens to one such pair. At the beginning of the stage the A register is set to |0i and the R register to |Hi. First we apply the inverse quantum Fourier transform Q−1 to the contents of the A register only, then we apply VGg to the pair of registers, r −1 and then Qr again to the A register. Then we observe the A register, which projects onto the observed value. Denote the output state of this stage by |ψi. Then we have |0i ⊗ |Hi ↓ Q−1 r ⊗I 1 X √ |ai ⊗ |Hi r a∈Zr ↓ VGg 1 X √ |ai ⊗ |g a Hi r a∈Zr ↓ Q−1 r ⊗I 1 X X 2πiab/r e |bi ⊗ |g a Hi r a∈Zr b∈Zr ↓ measure A 1 X 2πiab/r a √ e |g Hi = |ψi r a∈Zr The state |ψi is almost what we want. It is precisely what we want if we struck lucky and observed |0i in the A register. But otherwise it contains coefficients e2πiab/r which we would like to be able to replace by 1’s. QUANTUM ALGORITHMS 49 What follows forms the crucial part of Watrous’ argument. He shows that if we have superpositions |ψi and |ψ ′ i in two distinct R registers, then we can operate on the pair of registers in such a way that afterwards |ψi is set to exactly the superposition we want, and |ψ ′ i is unchanged (and hence it can be used again to ‘correct’ a different |ψi, in a different R register). In fact we apply the operator UG to the pair of registers c times in succession for a carefully chosen value of c. The c notation UG is used to denote the composition of UG , with itself, c times. We suppose that 1 X 2πiab/r a e |g Hi , |ψi = √ r a∈Zr c UG 1 X 2πia′ b′ /r a′ E |ψ ′ i = √ e g H . r ′ a ∈Zr ′ In order to calculate the effect of on |ψi ⊗ |ψ i, it helps first to consider the effect on |ψ ′ i alone of the R register operator Mga h , which is defined by the rule Mga h : |xi 7→ |g a hxi . We see that E X X ′ ′ ′ 1 X 2πia′ b′ /r a′ E 1 |ψ ′ i = √ e g H = p e2πia b /r g a h′ r ′ r|H| a′ ∈Zr h′ ∈H a ∈Zr ↓ Mg a h = = = = = = E X X ′ ′ ′ 1 p e2πia b /r g a hg a h′ r|H| a′ ∈Zr h′ ∈H E X X ′ ′ ′ 1 p e2πia b /r g a+a h′′ h′ , for some h′′ (since H ✁ hgi H) r|H| a′ ∈Zr h′ ∈H E X X ′ ′ ′ 1 p e2πia b /r (rewriting h′ for h′′ h′ ) g a+a h′ r|H| a′ ∈Zr h′ ∈H E X X ′ ′ ′ ′ 1 p e−2πiab /r e2πi(a +a)b /r g a +a h′ r|H| a′ ∈Zr h′ ∈H E X ′ ′ ′ ′ 1 √ e−2πiab /r e2πi(a +a)b /r g a +a H r a′ ∈Zr E X ′′ ′ ′′ ′ 1 √ e−2πab /r e2πia b /r g a H , for a′′ ∈ Zr , a′′ ≡ a′ + a mod r r ′′ e −2πiab′ /r ′ a ∈Zr |ψ i . ′ ′′ Note that in going from the third last to the second last line, the equation g a +a H = g a H follows from the fact gH has order r in hgi H/H. Now, since UG (|g a hi ⊗ |h′ i) = |g a hi ⊗ Mga h |h′ i, 1 X 2πiab/r a |ψi ⊗ |ψ ′ i = √ e |g Hi ⊗ |ψ ′ i r a ↓ UG = 1 X 2πiab/r X a √ e |g hi ⊗ Mga h |ψ ′ i r a h ′ 1 X 2πiab/r X a √ e |g hi ⊗ e−2πiab /r |ψ ′ i r a h = e −2πiab′ /r Hence, provided that cb′ = b mod r, |ψi ⊗ |ψ ′ i . 50 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES |ψi ⊗ |ψ ′ i c ↓ UG = = = ′ e−2πiab c/r |ψi ⊗ |ψ ′ i ′ e−2πiab /r |ψi ⊗ |ψ ′ i 1 X a √ |g Hi ⊗ |ψ ′ i r a∈Zr = |hgi Hi ⊗ |ψ ′ i . The first of the two R-registers thus contains the state |hgi Hi. References [1] S. Aaronson, Quantum Lower Bound for the Collision Problem STOC’02 May 19–21, 2002, Montreal, Quebec, Canada. Quantum Physics Archive http://arxiv.org/abs/quant--ph/0111102 . [2] L. Babai and S. Moran, Arthur–Merlin Games: A Randomized Proof System and a Hierarchy of Complexity Classes, Journal of Computer and Systems Sciences 36 2 (1988), 254–276. [3] L. Babai, G. Cooperman, L. Finkelstein, E. Luks and A. Seress, Fast Monte Carlo algorithms for permutation groups, Journal of Computer and System Sciences, 50, 296–3097, 1995. [4] L. Babai and E. Szemeredi, On the complexity of matrix group problems I, Proceedings of the 25th Annual Symposium on Foundations of Computer Science, 229–240, 1984. [5] M. Boyer, G. Brassard, P. Høyer and A. Tapp, Tight Bounds on Quantum Search In Proceedings of the Workshop on Physics Of Computation: PhysComp ’96 (Los Alamitos, CA, 1996), Institute of Electrical and Electronic Engineers Computer Society Press. Quantum Physics Archive http://arxiv.org/abs/quant--ph/9605034 . [6] G. Brassard, P. Høyer and A. Tapp, Quantum Counting. Quantum Physics Archive http://arxiv.org/abs/quant--ph/9805082 . [7] G. Brassard, P. Høyer, M. Mosca and A. Tapp, Quantum Amplitude Amplification Quantum Physics Archive http://arxiv.org/abs/quant--ph/0005055 . [8] S. L. Braunstein, Quantum Computation. Encyclopedia of Applied Physics, Update 1, Wiley-VCH, Berlin (1999) 239–256. [9] S.L. Braunstein, G. M. D’Ariano, G.J. Milburn and M.F. Sacchi Universal Teleportation with a Twist Phys. Rev. Lett. 85 (2000), 2733–2736. [10] K. Cheung and M. Mosca, Decomposing finite Abelian groups. J. Quantum Inf. Comp., 1 (3) (2001) 26–32. [11] R. Cleve, A note on computing Fourier transforms by quantum programs, Unpublished, http://pages.cpsc.ucalgary.ca∼cleve/papers.html. [12] R. Cleve, A. Ekert, C. Macchiavello and M. Mosca, Quantum Algorithms Revisited, Proceedings of the Royal Society of London, Series A 454, 339 (1998), 339–354. [13] D. Coppersmith, An approximate Fourier transform useful in quantum factoring, IBM Research Report RC19642 (1994). [14] D. Deutsch, Quantum Theory, the Church–Turing Principle and the Universal Quantum Computer, Proceedings of the Royal Society of London, Series A 400 (1985), 97–117. [15] D. Deutsch and R. Jozsa, Rapid Solution of Problems by Quantum Computation, Proceedings of the Royal Society of London, Series A 439 (1992), 553–558. [16] A. Ekert and R. Jozsa, Quantum Computation and Shor’s Factoring Algorithm Rev. Mod. Phys. 68 (3) (1996), 733–753. [17] M. Ettinger, P. Hoyer and E. Knill, Hidden Subgroup States are Almost Orthogonal. Quantum Physics Archive http://arxiv.org/abs/quant--ph/9901034 . [18] E. Farhi, J. Goldstone, S. Gutmann and M. Sipser, Quantum Computation by Adiabatic Evolution. Quantum Physics Archive http://arxiv.org/abs/quant-ph/0001106 [19] E. Farhi, J. Goldstone, S. Gutmann, J. Lapan, A. Lundgren and D. Preda, A Quantum Adiabatic Evolution Algorithm Applied to Random Instances of an NP-Complete Problem. Science, 292, April (2001) 472–476. [20] R. Feynman, Simulating Physics with Computers, International Journal of Theoretical Physics, 21 467–488. [21] K. Friedl, G. Ivanyos, F. Magniez, M. Santha, and P. Sen, Hidden Translation and Orbit Coset in Quantum Computing. Quantum Physics Archive http://arxiv.org/abs/quant--ph/0211091 . [22] W. Fulton and F. Harris, Representation Theory: A First Course (Graduate Texts in Mathematics 129) Springer Verlag; (1991) QUANTUM ALGORITHMS 51 [23] L. K. Grover, A Fast Quantum Mechanical Algorithm for Database Search Proc. 28th ACM Symp. Theory of Computing, 212–219. [24] L. K. Grover, Quantum Mechanics Helps in Searching For a Needle in a Haystack, Physical Review Letters, 79, 325–328. [25] S. Hallgren, Polynomial-Time Quantum Algorithms for Pell’s Equation and the Principal Ideal Problem. In Proceedings of the Thirty-Fourth Annual ACM Symposium on Theory of Computing, Montreal, Quebec, Canada, (2002). [26] S. Hallgren, A. Russell and A. Ta–Shma, Normal subgroup reconstruction and quantum computing using group representations. Proc. 32nd Annual ACM Symposium on the Theory of Computing – STOC, ACM Press, New York (2000) 627–635. [27] P. Halmos, Finite dimensional vector spaces, Springer Verlag; 2nd edition (December 1986). [28] G.H. Hardy and E.M. Wright, An Introduction To The Theory of Numbers (5th Edition), Oxford University Press (1938) (1993 reprint). [29] M. Hirvensalo, Quantum Computing, Natural Computing Series, Springer–Verlag, (2001). [30] G. Ivanyos, F. Magniez and M. Santha, Efficient quantum algorithms for some instances of the non–Abelian hidden subgroup problem. In Proc. 13th ACM SPAA (2001) 263–270. [31] G.D. James and M.W. Liebeck, Representations and Characters of Groups, Cambridge University Press; (1993) [32] R. Jozsa, Characterizing Classes of Functions Computable By Quantum Parallelism. Proceedings of the Royal Society of London, Series A (1991) 435, 563–574. [33] R. Jozsa, Quantum factoring, discrete logarithms and the hidden subgroup problem. Quantum Physics Archive http://arxiv.org/abs/quant--ph/0012084 . [34] R. Jozsa, Notes on Hallgren’s efficient quantum algorithm for solving Pell’s equation. Quantum Physics Archive http://arxiv.org/abs/quant--ph/0302134 . [35] R. Jozsa and N. Linden, On the role of entanglement in quantum computational speed–up. Quantum Physics Archive http://arxiv.org/abs/quant--ph/0201143 . [36] E. Kashefi, A. Kent, V. Vedral and K. Banaszek, A Comparison of Quantum Oracles. Quantum Physics Archive http://arxiv.org/abs/quant--ph/0109104 . [37] R.V. Kadison and J.R. Ringrose, Fundamentals of Operator Algebras, Volume I, Academic Press, New York (1983). [38] A. Yu Kitaev, Quantum measurements and the Abelian stabiliser problem. Quantum Physics Archive http://arxiv.org/abs/quant-ph/9511026 [39] A. Yu Kitaev, Quantum Computations: Algorithms and Error Correction Russian Mathematical Surveys, 52 6 (1997), 1191–1249. [40] N.I. Koblitz, A Course in Number Theory and Cryptography, (Graduate Texts in Mathematics, 114), Springer Verlag (1994). [41] S.J. Lomonaco and L.H. Kauffman Continuous Quantum Hidden Subgroup Algorithms. Quantum Physics Archive http://arxiv.org/abs/quant-ph/0304084 . [42] A.J. Menezes, P.C. van Oorschot and S.A. Vanstone, Handbook of applied cryptography, Series on Discrete Mathematics and its Applications, CRC Press (1997). [43] C. Moore, D. Rockmoore, A. Russell and L.J. Schulman, The hidden subgroup problem in affine groups: basis selection and Fourier sampling. Quantum Physics Archive http://arxiv.org/abs/quant-ph/0211124 . [44] M. Mosca and A. Ekert, The Hidden Subgroup Problem and Eigenvalue Estimation on a Quantum Computer. Proceedings of the 1st NASA International Conference on Quantum Computing and Quantum Communication, Palm Springs, USA, Lecture Notes in Computer Science 1509 (1999). [45] M.A. Nielsen and I.L. Chuang, Quantum Computation and Quantum Information, CUP (2000). [46] N.T. Ouellette, Quantum Computation. notes available at http://newton.swarthmore.edu/research/Nick.pdf [47] C.M. Papadimitrou, Computational Complexity. Addison–Weseley, Reading, Massachussets (1994). [48] A.O. Pittenger, An Introduction To Quantum Computing Algorithms Progress in Computer Science and Applied Logic 19, Birkhäuser (Boston), (2000). [49] E. Rieffel and W. Polak, An Introduction To Quantum Computing for Non–Physicists. ACM Computing Surveys, 32 (3), (2000) 300–335. [50] M. Püschel, M. Rötteler and T. Beth, Fast Quantum Fourier Transforms for a Class of non-abelian Groups. Quantum Physics Archive http://arxiv.org/abs/quant-ph/9807064 . [51] J.B. Rosser and L. Schoenfeld, Approximate formulas for some functions of prime numbers, Illinois Journal of Mathematics 6:1 (1962), 64–94. [52] M. Rötteler and T. Beth, Polynomial-Time Solution to the Hidden Subgroup Problem for a Class of non-abelian Groups. Quantum Physics Archive http://arxiv.org/abs/quant-ph/9812070 . [53] P.W. Shor, Algorithms For Quantum Computation: Discrete Logs and Factoring, Proceedings of the 35th Symposium on the Foundations of Computer Science (1994), 124–134. [54] P.W. Shor, Polynomial–Time Algorithms for Prime Factorisation and Discrete Logarithms on a Quantum Computer, SIAM Journal on Computing 26 5 (1997), 1484–1509. [55] D. Simon, On the power of quantum computation, roc. of 35th Annual Symposium on the Foundations of Computer Science, (IEEE Computer Society, Los Alamitos) (1994), 116–123. 52 M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES [56] D. Simon, On the power of quantum computation, SIAM J. Comput. 26(5) (1997), 1474–1483. [57] W. van Dam, M. Mosca and U. Vazirani, How Powerful is Adiabatic Quantum Computation? Quantum Physics Archive http://arxiv.org/abs/quant--ph/0206003 [58] J. Wallace, A Brief History of Quantum Computation, http://www.dcs.ex.ac.uk∼jwallace/history.htm [59] J. Watrous, Succinct Quantum Proofs For Properties Of Finite Groups, Proceedings of the 41st Annual Symposium on Foundations of Computer Science (2000), 537–546. [60] J. Watrous, Quantum Algorithms For Solvable Groups, Proceedings of the 33rd ACM Symposium on Theory of Computing (2001), 60–67. Michael Batty† , e-mail: [email protected] Samuel L. Braunstein‡ , e-mail: [email protected] Andrew J. Duncan† , e-mail: [email protected] Sarah Rees† , e-mail: [email protected] † Department of Mathematics, School Of Mathematics and Statistics, Merz Court, University of Newcastle upon Tyne, Newcastle upon Tyne, NE1 7RU, UK. ‡ Department of Computer Science, University of York, York, YO10 5DD, UK. View publication stats