Quantum Algorithms
Andr´e Chailloux
Chapter 0
Prequel
Quantum algorithms:
• Potentially much faster than classical algorithms. • examples: Deutsch-Jozsa, Simon, Grover.
• Shor’s quantum algorithm for factoring1: probably the most important for quantum algo-rithms (1994).
Factoring Problem Input: a number N of nbits.
Goal: find the decomposition of N in prime numbers N = Πipαii.
Best known classical algorithm : general number field sieve which runs inO(eO(n1/3log2/3(n))) (heuris-tic complexity)2
Shor’s quantum algorithm runs in O(n2log2(n)). • Exponential speedup.
• Breaks RSA based cryptosystems (that’s a lot!).
Extends to Discrete logarithm (Diffie Hellman key exchange, elliptic curve crypto). Organisation of the lecture:
• Chapter 1: the quantum Fourier transform. • Chapter 2: Shor’s quantum factoring algorithm.
Chapters 1 and 2 will follow very closely chapters 4 and 5 from Ronald de Wolf’s lecture notes3.
1
Peter Shor,Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Com-puter, full version available herehttps://arxiv.org/abs/quant-ph/9508027
2
Carl Pomerance,A tale of two sieves, Notices Amer. Math. Soc, 1996,https://www.ams.org/notices/199612/ pomerance.pdf
3
Chapter 1
The quantum Fourier transform
The quantum Fourier will be one of our main tools when constructing quantum algorithms. It will be at the heart of Shor’s factoring algorithm.
1.1
The classical Fourier transform
Widely used: data compression, signal processing, complexity theory. Here, we will consider only the discrete Fourier transform.
1.1.1 Definition
Fourier transform FN: N ×N unitary matrix, with elements of the same magnitude.
F2:=H= 1 √ 2 1 1 1 −1 .
N = 3 (for example): impossible to achieve with real numbers. Use complex numbers. We will use roots of unityωN =e
2iπ
N . The discrete Fourier transformFN is defined as
FN := √1N . .. ... . .. . . . ωjkN . . . . .. ... . ..
meaning that for any line j ∈ {0, . . . , N −1} and any column
k∈ {0, . . . , N−1}, we have (FN)jk :=ωNjk. Properties • Each columnCk = √1N 1 ωNk .. . ωN(N−1)k
has norm 1 and any two columns are orthogonal. Indeed
∀k, k0 ∈ {0, . . . , N−1}, 1 N N−1 X j=0 ωjkNω−Njk0 = 1 N N−1 X j=0 ωNj(k−k0)=δkk0.
1.1.2 Computing the classical Fourier transform
Computing the classical Fourier transform problem
Input: a column vectorv= v0 .. . vN−1 . Goal: compute ˆv =FN ·v.
Naive way: Perform the whole multiplication entry-wise • O(N) operations (+ and ×) per entry.
• O(N2) operations in total. Fast Fourier transform
• O(Nlog(N)) operations in total. • recursive algorithm.
1.2
The quantum Fourier transform
1.2.1 Definition of the problem
Take N = 2n. Since F
N is a N ×N unitary matrix, we can interpret it as a quantum unitary
operation acting onnqubits.
Computing the quantum Fourier transform problem Input: a quantum state|ψiof nqubits.
Goal: outputFN(|ψi).
How efficiently can we implement this quantum Fourier transform?
• QF T can be implemented with a quantum circuit of sizeO(n2). The rest of the chapter will be devoted to the construction of this algorithm.
• Exponentially faster than classical FFT which runs inO(Nlog(N)).
"In the classical setting, we are given an explicit (written) description of a vectorv=
v0 .. . vN−1
as an input and ask to have a similar description of the output. In the quantum setting, we are given a quantum state|ψi=PN−1
i=0 vi|iiand ask to output the stateFN(|ψi) =
PN−1
i=0 vˆi|ii. Notice
that we cannot fully recover the vector ˆv= ˆ v0 .. . ˆ vN−1 from FN(|ψi).
Even though the speedup is exponential, it doesn’t allow to recover ˆv, which makes it incompa-rable with the FFT. The quantum algorithm in particular doesn’t help in computing the classical Fourier transform. It will still have other important uses.
1.2.2 Efficient quantum circuit for QFT Elementary gates • Hadamard gate H= √1 2 1 1 1 −1 . • Phase rotationRs= 1 0 0 e2i2sπ ! .
• ControlledRs gate written C-Rs and acting on 2 qubits.
C-Rs(|0i|xi) :=|0i|xi ; C-Rs(|1i|xi) :=|1iRs(|xi) which gives C-Rs(|bi|xi) =|bie
2iπbx 2s |xi.
For eachk, we haveFN(|ki) = √1NPNj=0−1ω jk
N|ji. For any integerj, we write its binary
decomposi-tionj =j1, . . . , jn wherej1 is the bit of highest weight. This means we can writej=Pnl=12n−ljl.
We have FN(|ki) = 1 √ N N−1 X j=0 e2i2πjkn |ji = √1 N N−1 X j=0 e2iπ( Pn l=1jl2−l)k|j 1, . . . , jni = √1 N N−1 X j=0 Πnl=1e2iπjl2−lk|j 1, . . . , jni = n O l=1 1 √ 2 |0i+e2iπk2−l|1i
To prove the last equality, recall that the tensor product satisfies
(α|0i+β|1i)⊗(α0|0i+ β0|1i) =αα0|00i+αβ0|01i+βα0|10i+ββ0|11i.
For any integer k, with binary decompositionk=k1, . . . , kn, we define 0.k:= 2kn = Pn
l=1kl2
−l.
For example, 0.010 = 14 and 0.101 = 58. Notice that
e2iπk2−l =e2iπ(Pnm=12n −mk m)2−l =e2iπ(Pnm=n−l+1km2m−(n−l+1))2−l =e2iπ Pl m0=1kn−m0+12−m 0 = 0.kn. . . kn−l+1.
The second equality uses the fact e2iπC = 1 for any C ∈ N which implies that only the l−1 bits of kof least weight matter in the term e2iπk2−l. We can therefore rewrite
FN(|ki) = n O l=1 1 √ 2 |0i+e2iπk2−l|1i= √1 2(|0i+e 2iπ0.kn|1i)⊗√1 2(|0i+e 2iπ0.kn−1kn|1i)⊗· · ·⊗√1 2(|0i+e 2iπ0.k1...kn|1i).
The n= 3 (N = 8) case
From the above, we have
F8(|k1k2k3i) = 1 √ 2(|0i+e 2iπ0.k3|1i)⊗√1 2(|0i+e 2iπ0.k2k3|1i)⊗√1 2(|0i+e 2iπ0.k1k2k3|1i).
Because of this product structure, we can easily construct each qubit separately. Notice that with the 0.k notation, we can write C-Rs(|bi|xi) =|bie
2iπbx 2s |xi=|bie2ixπ·0.0...0b|xi.where 0.0. . .0b | {z } sbits . 1st qubit: |k3i H −→ √1 2(|0i+ (−1) k3|1i) = √1 2(|0i+e 2iπ0.k3|1i). 2nd qubit: |k2i H −→ √1 2(|0i+ (−1) k2|1i) = √1 2(|0i+e 2iπ0.k2|1i) |k3i 1 √ 2(|0i+e 2iπ0.k2|1i)−−−→ |C-R2 k 3i 1 √ 2(|0i+e 2iπ0.k2k3|1i) 3rd qubit: |k1i H −→ √1 2(|0i+ (−1) k1|1i) = √1 2(|0i+e 2iπ0.k1|1i) |k2i 1 √ 2(|0i+e 2iπ0.k1|1i)−−−→ |C-R2 k 2i 1 √ 2(|0i+e 2iπ0.k1k2|1i) |k3i 1 √ 2(|0i+e 2iπ0.k1k2|1i)−−−→ |C-R3 k3i 1 √ 2(|0i+e 2iπ0.k1k2k3|1i)
The 3rd qubit is stored in the quantum register where |k1i is and uses|k2i and |k3i as control
qubits. The 2nd qubit is be stored in the quantum register where|k2i is and uses|k3i as a control
qubit. The 1st qubit is stored where |k3i is. In order to do this, we must first construct the 3rd
qubit, then the 2nd and finally the 1st qubit. In order to have the good ordering of qubits, we end up inverting the order of all the qubits.
The circuit of F8 is the following
The number of gates used here is 3 + 2 + 1 gates + the gates in the SWAP.
General case
The construction forn= 3 can be extended to anynfollowing the same pattern. The first qubit will consist only of an H gate while the last qubit will require applying H,C-R2, . . . , C-Rn. Similarly
as in the n= 3 case, we finish by inverting the order of all the qubits. The total number of gates used is therefore n+n−1 +· · ·+ 1 + SWAP =O(n2)gates.
Improvements: we can reduce the number of gates if we allow for some small errors: • Assgrows, C-Rs fastly converges to the identity gate.
• We remove all those gates for s≥Ω(log(n)). By a careful error analysis, we can show that the result will beO(poly1(n)) close to the desired state.
Chapter 2
Shor’s quantum factoring algorithm
Shor’s idea:
• There exists an efficient quantum algorithm for finding the period of a function.
• Factoring can be reduced to period findingi.e.an efficient algorithm for period finding⇒ an efficient algorithm for factoring.
Period finding problem
Input: a functionf :N→ {0, . . . , N−1}such that∃r ∈ {0, . . . , N−1}(unknown) such that
f(a) =f(b)⇔a=b mod r.
Goal: outputr.
2.1
From factoring to period finding
2.1.1 Classical algorithm for factoring a number N using period finding
Equivalent to finding a non trivial factor of N.
1. Pick a randomx∈ {2, . . . , N−1}.
2. Calculate x∧N (efficient, use Euclid’s algorithm). • ifx∧N =c6= 1→cdividesN.
• ifx∧N = 1→ continue.
3. Consider the smallest r ∈ {0, . . . , N −1} such that xr = 1 mod N. Since x∧N = 1, such an r exists.
4. r is the period of the function f(k) = xk mod N. Use the period finding algorithm to find
r. Ifr is odd, go back to step 1.
5. Calculate (xr/2+ 1)∧N and (xr/2−1)∧N. If one of those values is different than 1 or N
then this value is a non trivial factor of n. If both of those values are equal to 1 orN, start again from step 1.
2.1.2 Proof that the algorithm works
The main part of the proof will be the following lemma from number theory. The proof will be omitted.
Lemma 1. For any odd N, for a randomly chosenx such thatx∧N = 1 and r begin the smallest element in {0, . . . , n−1} satisfying xr= 1 modN, the event
E : r is even ∧ (xr/2+ 1)6= 0 mod N ∧ (xr/2+ 1)6= 0 mod N
occurs with probability ≥ 1 2.
Ifr is even, we have
xr= 1 mod N ⇔(xr/2+ 1)(xr/2−1) = 0 mod N
⇔ ∃k∈N∗, (xr/2+ 1)(xr/2−1) =kN.
Notice first that (xr/2+ 1)>0 and we also have (xr/2−1)>0 becausex≥2 and r≥2.
IfE holds, both (xr/2+ 1) and (xr/2−1) are not multiples ofN. Therefore, they will both have a non trivial factor ofN and we actually have (xr/2−1)∧N 6= 1 and (xr/2+ 1)∧N 6= 1.
Conclusion: if E holds then step 5 outputs a non trivial factor ofN. Since Pr[E]≥ 1
2, we require
O(1) calls to the period finding algorithm for the algorithm to succeed with a high (constant) probability.
2.2
Shor’s period finding algorithm
Our goal here is to present Shor’s quantum algorithm for period finding. Let n:=dlog(N)e, q :=
dlog(N2)e and Q := 2q ∈ [N2,2N2]. We have a quantum access to f : N → {0, . . . , N −1}. We restrict the input space toq input bits and consider the quantum unitary
Of :|xiq|0in→ |xiq|f(x)in.
The subscripts represent the number of qubits in each register. This means for example that register
|xiq containsq qubits and register |0in containsnqubits.
2.2.1 Algorithm for period finding
1. Initialize the protocol at the state
|0iq|0in.
2. ApplyQF TQ on the first register. We get
1 √ Q Q−1 X a=0 |aiq|0in.
3. ApplyOf on the whole state to obtain
1 √ Q Q−1 X a=0 |aiq|f(a)in.
4. Measure the second register: it gives some value f(s) for some s < r. Let m := #{a ∈ {0, . . . , Q−1}:f(a) =f(s)}. We have
{a∈ {0, . . . , Q−1}:f(a) =f(s)}={s, s+r, . . . , s+ (m−1)r}
={jr+s}0≤j<m
When measuringf(s) in the second register, the first register collapses to
1 √ m m−1 X j=0 |jr+si.
5. ApplyQF TQ on this first register.
1 √ m m−1 X j=0 1 √ Q Q−1 X b=0 e 2iπ(jr+s)b Q |bi = √1 mQ Q−1 X b=0 e2iπsbQ m−1 X j=0 e2iπjrbQ |bi
6. Measure the first register. What is the probability of outputting each specificb? Special case developed here : r dividesQ.
In this case, we havem= Qr. We have
b is a multiple of Q
r ⇔e
2iπrb Q = 1.
Any such bwill therefore have squared amplitude
1 √ mQe 2iπsb Q m−1 X j=0 e 2iπjrb Q 2 = 1 √ mQe 2iπsb Q m−1 X j=0 1 2 = m Q = 1 r
Each b ∈ {0, . . . , Q−1} which is a multiple of Qr will be measured with probability ex-actly 1r. Notice also that there are exactly r such multiples, which are the elements of
{0,Qr, . . . ,(r−r1)Q}. Therefore, the measurement will always output a multiple of Qr.
Outputb: a uniformly random multiple of Q
r.
This means there exists a random (unknown) c ∈ {0, . . . , r−1} such that b = cQr . or equivalently Qb = cr.
• b, Q are known,c, r are unknown. We can rewrite Qb = Qb00 withb0∧Q0 = 1.
• c is a random number in {0, . . . , r−1}. This implies that c∧r = 1 with probability greater than Ω(log(log(1 r))). When this happens, we necessarily have c=b0 andr =Q0. • Check thatQ0 is a period of f. If yes: done. If no, go back to step 1.
General case (Sketch) : r does not divide Q.
If we measure the first register, we obtainbsuch that|Qb −rc| ≤ 21Q with high probability for some randomc. If this is the case, cr is the only fraction withc∧r = 1 andr ≤N such that
|Qb −cr| ≤ 21Q (proof omitted). This is because we chose Qsuch that Q≥N2.
If we indeed havec∧r= 1, which still happens with probability greater than Ω(log(log(1 r))), we can use the continuous fraction method to find the unique fraction cr satisfying |b
Q− c r| ≤
1 2Q
from which we can get r. DONE :)
Complexity of the period finding algorithm
We apply the above procedure until we find c such that c∧ r = 1. This means we perform
O(log(log(r))) loops. Each loop makes 2 calls toQF TQ and 1 call toOf.
The running time is thereforeP F Af ≤O(log(log(r))(QF TQ+Of)).
2.2.2 Complexity of Shor’s algorithm
Shor’s algorithm: O(1) calls to P F Af with f(k) =xk mod N for some randomx.
One can show that Of can be calculated in O(log2(N) log(log(N)) log(log(log(N)))) using
effi-cient squaring. (Perfect)QF TQ is made inO(Q2) =O(log2(N)).
From there, we conclude that the total running time of Shor’s algorithm is
O log(log(r))∗ log2(N) + log2(N) log(log(N)) log(log(log(N)))≤O log(n)∗ n2+n2log(n) log(log(n)) =O(n2polylog(n)).
Chapter 3
Collision algorithms
3.1
Cryptographic hash functions
A cryptographic hash functionH:{0,1}∗ → {0,1}n must satisfy the following properties.
• One-wayness: for a randomy∈ {0,1}n, it should be hard to find x, such thatH(x) =y.
• Second-preimage resistance: for a fixed x, it should be hard to findx06=xsuch that H(x) =
H(x0).
• Collision resistance: it should be hard to findx, x0 6=x such thatH(x) =H(x0).
Brute force complexity of those algorithms classically: One-wayness: O(2n), second-preimage:
O(2n), collision resistance: O(2n/2).
Quantum brute force complexity: One-wayness: O(2n/2), second-preimage: O(2n/2), collision resistance: ??.
Collision problem. Here, we fix the input space to be of n bits as well, and we consider a random functionf.
Collision problem Input: a random functionf :{0,1}n→ {0,1}n.
Goal: find (x, y) such thatf(x) =f(y) andx6=y. Becausef is random, many such couples.
3.2
A classical algorithm
1. Pick a parameter r. Pick a random subset I ⊆ {0,1}n of size r. Construct the list L =
{f(i)}i∈I and sort it. If we find 2 values i, j ∈ I such that f(i) = f(j) and i 6= j, output
(i, j). Else:
2. Compute f(x) for random values x /∈ I and for each such f(x), we test if f(x) ∈ L. We continue until we find f(x) ∈ L. Since f is random, each x /∈ I will satisfy f(x) ∈ L with probability 2rn. We need to test on average O(2
n
r ) to find one with high probability.
This algorithm uses the well known birthday paradox. The first step takes timeO(rlog(r)) and the second oneO(2nlog(r r)). By takingr= 2n/2, we have an algorithm running in time O(poly(n)2n/2).
There are also algorithms that use a smaller amount of memory.
3.3
Quantum algorithms
3.3.1 A naive way
Consider the function g(x, y) = 1 if (f(x) =f(y)∧x6=y) and g(x, y) = 0 otherwise. We apply Grover ong. Becausef is random, there are on averageO(2n) couples (x, y) such thatg(x, y) = 1. We perform Grover on g which takes time O(
q
22n
2n) = O(2n/2). This is not significantly better
than the classical algorithm.
3.3.2 The quantum BHT (Brassard,Hoyer and Tapp) Algorithm
1. Pick a parameter r. Pick a random subset I ⊆ {0,1}n of size r. Construct the list L =
{f(i)}i∈I.
2. Let g:{0,1}n → {0,1} satisfying g(x) = 1⇔ [x /∈I and∃i∈I, f(x) =f(i)]. ≈r solutions
when r2n.
3. Apply Grover ong. Find y such that g(y) = 1.
4. Find i∈I st. f(i) =f(y). Output (i, y).
Time analysis of BHT LetT ime(f) the time required to compute f. • List creation: timeT ime(f)∗rlog(r).
• Time to compute Og : classically, g takes time nlog(r). Can we use the standard reduction
to construct Og from g?
"We have to be careful here, because we don’t actually have a classical circuit that runs innlog(r).
We use a RAM that will perform the dichotomic search. We will assume for now that this is not a problem.
• Time to computeOg : nlog(r).
• Grover on g. g is a function from{0,1}n\I → {0,1}. The input space is of size 2n−r and
there are on averager solutions. So we need to iterate Grover≈q2n−r
r to find a solution to
g.
QT ime(BHT) =T ime(f)∗rlog(r)
| {z } List L creation + r 2n−r r | {z } nb. of Grover iterations · nlog(r) | {z } time to computeOg .
We assume f is efficiently computablei.e. T ime(f) =poly(n). If we taker= 2n/3, we obtain
On quantum RAM, and on how to compute Og.
The classical algorithm to compute g has a sorted list L = (y1, . . . , yr) that contains the values
f(x) for x∈I and performs a dichotomic search on the memory.
We can perform this algorithm classically if we have access to a RAM operationC(i) =yi. And
this takes timeO(nlog(r)).
In the quantum setting, we want to construct the quantum membership oracle
OL(|xi|0i) =|xi|“x∈L”i.
where “x∈L” is the bit which is equal to 1 ifx∈Land 0 otherwise. In order to perform this, we need:
• r quantum bits of memory each storing |yii.
• to perform the quantum operation U such thatU(|ii|0i) = |ii|yii. This essentially requires
having a reading head that can be in a superposition of states. This operation is called the QRAM operation.
There is still some debate in the community whether such an operation is as hard as building a quantum circuit or significantly harder. We’ll consider here that a QRAM operation is theoretically feasible but very hard to do in practice. In order to compute Og, we are given a sorted list
L= (y1, . . . , yr).
If we have access to the elements in L in quantum registers |y1i, . . . ,|yri as well as access to
quantum RAM, then we can perform the membership oracle forLin timeO(nlog(r)) via dichotomic search. The proof will be omitted here but the idea is that with RAM access, classical dichotomic search can be expressed as a classical circuit of sizeO(nlog(r)). Similarly as in the transformation from classical circuits to quantum circuits, we can create the quantum membership oracle from dichotomic search.
If we don’t have access to that QRAM, then the above can be done in timenrby checking each element separately. This is way worst for very large lists like in our example.
Quantum collision protocols without QRAM and with small quantum memory. Since 2016, we know that there exists a quantum algorithm that runs in time O(22n/5poly(T ime(f)))
that solves the collision problem withnqubits and no QRAM.
Overview of known quantum algorithm for cryptography Here is an overview of quantum algorithms so far.
Algorithm Qtime Qspace Applications
Shor poly(n) n RSA
(factoring)
Discrete log poly(n) n Diffie Hellman, ECDH, ECDSA (elliptic curves)
Dihedral subgroup subexp(n) n NTRU, lattice based (solves SVP)
Grover 2n/2 n generic
(hash functions, AES, ...) Collision 2n/3 or 22n/5 2n/3 orn generic
3.4
Quantum collision with low memory
Idea of distinguished points
• Fix a parameterv. DPv ={x∈ {0,1}n:∃y∈ {0,1}n−v, f(x) = 0vy}.
• DPv is the set of inputs x such thatf(x) starts with v zeros.
• DPv becomes will become our new input (or search) space.
• We will also reduce the size of the list and put there only images of distinguished points.
3.4.1 Modified quantum algorithm for collision with low quantum memory
1. Pick parameters u, v. Construct a list of couples L= (x1, f(x1)), . . .(x2u, f(x2u)) where the
xi are independent random elements ofDPv.
2. Letg:DPv → {0,1}satisfyingg(x) = 1⇔[(x, f(x))∈/ L and∃(xi, f(xi))∈L, f(x) =f(xi)].
3. Apply Grover ong. Get y st. g(y) = 1.
4. Find (xi, f(xi))∈L st. f(xi) =f(y). Output (xi, y).
3.4.2 Running time of the algorithm
• Finding a random element xi of DPv: apply Grover on the function h : {0,1}n → {0,1}.
h(x) = 1 ⇔ f(x) starts withv zeros . There are 2n−v solutions so takes time O( q
2n
2n−v) =
2v/2.
• ⇒ time to create the listL= 2u·2v/2 = 2u+v/2. • Number of solutions tog= 2u so the total time is
2u+v/2+ r 2n−v 2u QT ime(Ref|ψ1i) + 1 .
• How much isQT ime(Ref|ψ1i) now? • Recall|ψ1ifrom Grover’s algorithm
|ψ1i= r 1 2n−v X x∈DPv |xi|g(x)i.
3.4.3 Time analysis of |ψ1i construction
1. To construct|ψ1i, we first constructPx∈DPv|xi|0i and then applyOg:|xi|0i → |xi|g(x)i.
2. How to construct Og? Let Lf be L restricted to the second component. We do |xi|0i|0i →
|xi|f(x)i|0i and then need an operation that performs |xi|f(x)i|0i → |xi|f(x)i|f(x) ∈ Lfi.
Then undo the f on the second register to getP
3. We also need to check that (x, f(x))∈/ Lto finally get X
x∈DPv
|xi|0i|f(x)∈Lf ∧(x, f(x))∈/ Li.
• From the membership test, 2 takes time|L|= 2u.
• But now, 1 starts from a superposition over elements in DPv. How to construct this
super-position? Use Grover.
• What is the QTIME to construct q 1 2n−v P x∈DPv|xi? • Consider l : {0,1}n → {0,1} st. l(x) = 1 iff. x ∈ DP
v. l is efficiently computable and has
2n−v solutions
• If we apply Grover onl, we end up (close to) the state
|ψGoodl i= X
x:l(x)=1
r 1
2n−v|xi|h(x)i
• By undoingl, we have finally X x:l(x)=1 r 1 2n−v|xi|0i= r 1 2n−v X x∈DPv |xi|0i. • Time required = q 2n 2n−v = 2v/2. 3.4.4 Running time
Running time of the algorithm
• Total time is 2u+v/2+ r 2n−v 2u QT ime(Ref|ψ1i) =2u+v/2+ 2n−v2−u 2u+ 2v/2.
• Takeu=v/2 and u= n5;v= 25n. Total time = 22n/5.
3.4.5 Membership oracle with small quantum memory and no QRAM
Quantum membership oracle or the difficulty of efficient quantum data structures
• The problem is that the membership process is adaptative in x.
• Naive idea: check membership with each element of the list as if it was unsorted.
|xi|0i → |xi|x==y1i → |xi|(x==y1)∨(x=y2)i → · · ·
→ |xi|[(x==y1)∨(x==y2)∨ · · · ∨(x==yr)]i.
• This can be done with a classical memory y1, . . . , yr. But takes time r!
Recap We constructed a quantum algorithm for collision finding of a random function f with the following properties
• Time 22n/5 iff is efficiently computable.
• What are the memoty requirements? Classically, the size of the list = 2n/5. Quantumly: n+ 1 qubits for Grover’s algorithm.
Chapter 4
Other quantum algorithms
4.1
Phase estimation
Our first protocol is a direct application of the quantum Fourier transform. Phase estimation
Input: a quantum unitaryU acting on nqubits. An eigenvector|ψi ofU with eigenvalueλ
given as a quantum state. Goal: outputλ.
Recall that an eigenvector |ψi of U with eigenvalue λmeans that U(|ψi) = λ|ψi. Because U is a unitary,|λ|= 1 so we can writeλ=e2iπφfor some real numberφ∈[0,1) ([0,1[ in French notation). We assume first that φ can be fully described with l bits of precision, i.e. there exists a natural number C∈N such thatφ= 2Cl.
We consider a quantum unitaryQ satisfying
Q(|ki|ψi) =|kiUk(|ψi).
for any k∈ {0, . . . ,2l−1}and any state |ψi. We perform the following algorithm:
1. Start from|0i|ψi and apply F2l on the first register. The resulting state is
1 √ 2l 2l−1 X k=0 |ki|ψi.
2. ApplyQon both registers.
1 √ 2l 2l−1 X k=0 Uk|ki|ψi= √1 2l 2l−1 X k=0 λk|ki|ψi = √1 2l 2l−1 X k=0 e2iπkC2l |ki|ψi.
3. Apply the inverse Fourier transform F2−l1 on the first register. The resulting state is |Ci|ψi.
General case Ifφcannot be written withlbits of precision, we consider the closest approximation of φof the form 2Cl. An error analysis (not detailed here) shows that the above procedure will find
this C with probability at least π42. By performing several iterations of this procedure, we can find the correctC,i.e. a good approximation of φwith a probability that exponentially converges to 1 in the number of iterations.
Efficiency of the algorithm IfU can be computed efficiently and if, for anyk∈ {0, . . . ,2l−1},
Uk can be computed efficiently then Q can be computed efficiently and the whole algorithm is efficient. This means that if we want our algorithm to run in time poly(n) (assuming U can be computed in time poly(n)), we have to takel=O(log(n)).
4.2
Application 1: Counting algorithm
4.2.1 Quick reminder of Grover’s algorithm
We present here a quick reminder of Grover’s algorithm. Search problem Input: a functionf :{0,1}n→ {0,1}.
Goal: findx such thatf(x) = 1.
We have a quantum access tof i.e. we have access to the quantum unitaryOf satisfying:
∀x∈ {0,1}n, Of(|xi|0i) =|xi|f(x)i.
Grover’s algorithm: if there areT solutions, finds one withO( q
2n
T ) calls to Of and in time
e
O( q
2n
T ·T ime(f)) where we use the notationOe(b(n)) =O
b(n)·polylog(b(n))
for any b(n).
Grover’s algorithm
1. Create the state|ψ1i=Of
1 2n/2 P x∈{0,1}n|xi|0i = √1 2n P x∈{0,1}n|xi|f(x)i.
2. Decompose into the goodx and badx (recall there are T solutions).
|ψ1i= r T 2n X x:f(x)=1 1 √ T|xi|f(x)i | {z } |ψGoodi + r 1− T 2n X x:f(x)=0 r 1 2n−T|xi|f(x)i | {z } |ψBadi = r T 2n|ψGoodi+ r 1− T 2n|ψBadi
3. Alternate the following 2 operations to transform |ψ1i into a state close to|ψGoodi
• Phase flip over f(x) register: OZ(|xi|f(x)i= (−1)f(x)|xi|f(x)i.
• Reflexion over|ψ1i: Ref|ψ1i(|ψ1i) =|ψ1i; Ref|ψ1i(|ψ
⊥
1i) =−|ψ1i⊥for any |ψ1i⊥
orthog-onal to|ψ1i.
• OZ is a reflexion over|ψBadi.
• Ref|ψ1i is a reflexion over|ψ1i. • OZ◦Ref|ψ1i
is a 2θ counter clockwise rotation where cos(θ) :=hψ1|ψBadi
• hψ1|ψBadi= q 1− T 2n soθ≈ q T 2n whenT 2n.
5. Perform this rotation 21θ−1 times to be close to |ψGoodi.
Picturing the algorithm
. . .
4.2.2 Going back to the counting algorithm
Counting problem Input: a functionf :{0,1}n→ {0,1}.
Goal: outputT =|{x:f(x) = 1}|.
Description of the algorithm: consider the state |ψi and the operations Ref|ψ1i and OZ from the Grover’s algorithm section (Section 4.2.1) and let U = OZ ◦Ref|ψ1i. From the analysis of Grover’s algorithm, U is a 2θ counter clockwise rotation in the basis {|ψBadi,|ψGoodi} with θ =
arccos(hψ1|ψBadi) = arccos(
q 1− T
2n). We can therefore write U = cos(2θ) −sin(2θ) sin(2θ) cos(2θ) in this basis.
U has 2 eigenvalues|e0i= √12(|ψBadi+i|ψGoodi) and|e1i= √12(|ψBadi −i|ψGoodi) with respective
eigenvalues e−2iπ(2θ) and e2iπ(2θ). Take the state
|ψ1i= r T 2n|ψGoodi+ r 1− T 2n|ψBadi =α|e1i+β|e2i for someα, β ∈C
which is efficiently computable. What happens when we apply the phase estimation algorithm on
|ψ1i and U? Well, |ψ1i is not an eigenstate of U but a superposition of its 2 eigenstates. The
algorithm will output −2θ (actually 2π−2θ) with probability |α|2 and 2θ with probability |β|2.
We can easily distinguish between the 2 cases and always output the good value forθ. From there, using the relation betweenθ and T, we can recover T.
If we want an algorithm running inpoly(n) then we can do this up to an additive error of poly1(n) in the angle 2θ we find.
4.3
Application 2: Fourier transform
F
Nfor any
N
∈
N
In Chapter 1, we showed how to perform the Fourier transform FN whenN = 2nfor some n∈N. Here, we show how to perform the Fourier transform for anyN. FN will act on a quantum register
that can take N values from 0 toN −1 and
∀k∈ {0, . . . , N−1}, FN(|ki) = 1 √ N N−1 X j=0 ωjk|ji.
whereω :=e2iNπ. LetU1 and U2 two unitaries that do the following, ∀k∈ {0, . . . , N−1}.
U1(|ki|0i) =|kiFN(|ki) ; U2(FN|ki|0i) =FN(|ki)|ki.
From those two unitaries, we can perform FN as follows
|ki|0i U1 −→ |kiFN(|ki) SW AP −−−−→FN(|ki)|ki U2 −→FN(|ki)|0i.
what is left to show is how to performU1 and U2. U1 can be performed quite easily.
LetSN a quantum unitary such thatSN(|0i) = √1N PNj=0−1|ji. SinceN is not a power of 2,SN
cannot be expressed as Hadamards but we can still easily construct such a unitary. Let also Omult
satisfying Omult(|ki|ji|0i) =|ki|ji|kj mod Ni.
Let’s now construct U1.
1. Start from|ki|0i|0i and apply SN on the second register. The resulting state is
|ki√1
N
X
j
|ji|0i.
2. ApplyOmult on the three registers.
|ki√1
N
X
j
|ji|kj mod Ni.
3. Apply the unitary |xi →ωx|xi on the third register.
|ki√1
N
X
j
ωkj|ji|kj mod Ni.
4. ApplyOmult−1 on the three registers. We obtain
|ki√1
N
X
j
Swapping registers is then easy. What is left to do is to perform unitary U2. We consider the
unitary Oadd such thatOadd(|ki) =|k+ 1 mod Ni. The idea is that FN(|ki) is a eigenvector of
Oadd with eigenvalueλkand that it will be easy to recoverkfromλk. Doing this in a coherent way
will give U2.
First see that
OaddFN(|ki) = 1 √ N N−1 X j=0 ωjk|j+ 1 mod Ni=ω−k√1 N N−1 X j=0 ωjk|ji
which means that FN(|ki) is an eigenvector of Oadd with eigenvalue ω−k = ωN−1−k. If we apply
the phase estimation from the previous section, withl=dlog(N)e, we obtain
FN(|ki)|0i
Phase Estimation withOadd
−−−−−−−−−−−−−−−−−→FN(|ki)|N−1−ki.
Which by applying |N −1−xi → |xi gives the correct result. Actually, the phase estimation will only giveN−kwith some (high) probability so this whole process will construct an approximation of U2.
Putting everything together, we managed to construct FN(|ki). This unitary has many
Chapter 5
Lower bound for Grover’s algorithm
5.1
Lower bound for Grover’s algorithm and quantum complexity
Here, we show that for the search problem, Grover’s algorithm is essentially optimal so we cannot expect anything better than 2n/2.
Framework
• Input: functionf :{0,1}n→ {0,1}. Goal: findx st. f(x) = 1.
• Access toOf(|xiX|biB) =|xiX|b⊕f(x)iB.
• How many calls do I have to make to Of to find xin the worst case?
• Result here: need Ω(2n/2) calls toOf to work wp. 1.
General structure of a q-query search algorithm
• Initialize: |ψ0,fi=|ψ0i= X x∈{0,1}n X b∈{0,1} α0x,b|x, biXB|Ex,b0 iE st. X x,b |α0x,b|2= 1
• 1 step: apply a unitaryOf on XB and Ui+1 independent off on XBE. |ψi+1,fi=Ui+1(Of ⊗IE)(|ψi,fi) = X x∈{0,1}n X b∈{0,1} αix,b+1,f|x, biXB|Ex,bi+1,fiE Again,P x,b|α i+1,f x,b |2 = 1.
• Final state: |ψq,fi. Procedure to extract a solution from this state.
Main idea
• For anyy∈ {0,1}n, we define f
y satisfyingfy(y) = 1 and fy(x) = 0 for x6=y.
• Consider any y, z ∈ {0,1}n. The search procedure should output y when querying f
y and z
when queryingfz.
⇒ |ψq,fyi and|ψq,fzi are orthogonal.
• But |ψ0,fyi = |ψ0,fzi. Idea is to show that each query cannot separate those 2 states too
much (on average ony, z).
The Euclidian norm on quantum states We consider the Euclidian · . Recall that X i αi|ii = s X i |αi|2.
For any 2 quantum states |φ1i,|φ2i and any Unitary U, we have
|φ1i − |φ2i = U(|φ1i)− U(|φ2i)
. One can also check that if|φ1i⊥|φ2i then |φ1i − |φ2i = √ 2.We use an intermediate function, the all 0 function denotedf∅. Notice that Of∅ =I. We first show
Lemma 2. 21n P y |ψ q,f∅i − |ψq,fyi ≥ √ 2·2n2−n1.
Proof. Let y0∈ {0,1}n that minimizes
|ψ q,f∅i − |ψq,fy0i . We have 1 2n−1 X y6=y0 |ψ q,fyi − |ψq,fy0i = √ 2.
from the orthogonality of those states. Moreover, by triangle inequality, we have 1 2n−1 X y6=y0 |ψ q,fyi − |ψq,fy0i ≤ 1 2n−1 X y6=y0 |ψ q,fyi − |ψq,f∅i + 1 2n−1 X y6=y0 |ψ q,f∅i − |ψq,fy0i ≤ 2 2n−1 X y6=y0 |ψ q,fyi − |ψq,f∅i
From there, we get the result: 1 2n X y |ψ q,f∅i − |ψq,fyi ≥ 1 2n X y6=y0 |ψ q,f∅i − |ψq,fyi ≥ 1 √ 2· 2n−1 2n .
So now, our goal is to bound this quantity as a function of q. This will give us the desired lower bound onq. We first prove the following:
Lemma 3. For any i∈[0, q−1], for anyy ∈ {0,1}n, we have
|ψ i+1,f∅i − |ψi+1,fyi ≤ |ψ i,f∅i −(O fy⊗I)|ψ i,f∅i + |ψ i,f∅i − |ψi,fyi . Proof. We have |ψ i+1,f∅i − |ψi+1,fyi = U i+1|ψi,f∅i −Ui+1(O fy⊗I)|ψ i,fyi ≤ U i+1|ψi,f∅i −Ui+1(O fy⊗I)|ψ i,f∅i + U i+1(O fy⊗I)|ψ i,f∅i −Ui+1(O fy⊗I)|ψ i,fyi = |ψ i,f∅i −(O fy⊗I)|ψ i,f∅i + |ψ i,f∅i − |ψi,fyi .
We now prove our main proposition
Proposition 1. 1 2n X y |ψ q,f∅i − |ψq,fyi ≤ 2q 2n/2.
Proof. Fix iand y. We write
|ψi,f∅i= X
x∈{0,1}n X
b∈{0,1}
αix,b|x, biXB|Ex,bi iE
From the definition of Ofy, we also have
(Ofy⊗I)|ψ i,f∅i=X x6=y X b∈{0,1} αix,b|x, biXB|Ex,bi iE + X b∈{0,1} αix,b|y, biXB|Ey,bi iE
for some unknown amplitudes αix,b (the superscriptsf∅ are omitted). For each y, i, this gives
|ψ i,f∅i −(O fy⊗I)|ψ i,f∅i = s X x6=y,b |αi x,b−αix,b|2+ X b |αi y,b−αiy,bhE i y,b|Ey,bi i| 2 ≤2 q |αiy,0|2+|αi y,1|2
Plugging this into the inequality of Lemma 2 and performing a recursion, we get |ψ q,f∅i − |ψq,fyi ≤ q−1 X i=0 2 q |αiy,0|2+|αi y,1|2
We average this over all y and get. 1 2n X y |ψ q,f∅i − |ψq,fyi ≤ 1 2n X y∈{0,1}n q−1 X i=0 2 q |αiy,0|2+|αi y,1|2 ≤ 1 2n/2 q−1 X i=0 2 v u u u t X y |αiy,0|2+|αiy,1|2 | {z } =1 ≤ 2q 2n/2.
Using Lemma 2, we immediately have q≥Ω(2n/2).
5.2
Quantum complexity
5.2.1 Definitions
This part will be self contained but will be easier to read with basic notions of complexity theory. We start with the definitions of basic complexity classes.
Definition 1. A language L is in P iff. there exists an algorithm A(x) running in polynomial time (in its input’s size |x|) such that
• ∀x∈L, A(x) outputs 1.
• ∀x /∈L, A(x) outputs 0.
Definition 2. A language L is in BPP iff. there exists a randomized algorithm A(x) running in expected polynomial time (in its input’s size |x|) such that
• ∀x∈L, Pr[A(x) outputs1]≥2/3.
• ∀x /∈L, Pr[A(x) outputs1]≤1/3.
Definition 3. A language L is in BQP iff. there exists a quantum algorithm A(x) running in expected polynomial time (in its input’s size |x|) such that
• ∀x∈L, Pr[A(x) outputs1]≥2/3.
• ∀x /∈L, Pr[A(x) outputs1]≤1/3.
Definition 4. A language L is in NPiff. there exists an algorithm A(x, y) running in polynomial time (in its input’s size |x|,|y|) such that
• ∀x∈L, ∃y∈ {0,1}poly(|x|), A(x, y) outputs 1.
Figure 5.1: Poll on P vs. NP, taken from [Gas12]
5.2.2 Comparing BQP and NP
Chapter 2 showed that factoring can be solved in polynomial time with a quantum computer. In terms of complexity this means in terms of complexity that the decision problem FACTORD (see
Figure 1) is inBQP. While we have by definition that P ⊆BPP⊆BQP, we have no idea if those inclusions are tight. For example, many people believe that BPP can be derandomized meaning thatP=BPP. Also, we could also have BPP=BQP but this would have drastic consequences. In particular, this would imply FACTORD∈BPP, where FACTORDis a decision problem associated
to factoring.
FACTORD Problem
Input: a number N of nbits and a number k∈N. (N, k)∈FACTORD iff. ∃M ∈[2, k] st. M|N.
Remark: If one has a polynomial algorithm (classical or quantum) to solve the FACTORD
Problem then one can use it to solve the Factoring problem defined in Chapter 2 also in polynomial time inn. Can you find how?
So we have FACTORD∈BQPwhile we don’t know (and don’t believe) that FACTORD∈BPP.
FACTORD ∈ NP but is not an NP-complete problem. However, we also don’t know and don’t
believe that NP ⊆ BQP. This means that we have no polynomial algorithm for NP-complete problems such as 3-SAT. The black box quantum lower bound for Grover’s algorithm is one of the reasons why we don’t believeNP⊆BQP.
Of course, we could have P =N P (or evenP =P SP ACE) but this not believed, see Figure 5.1.
5.2.3 Quantum equivalent of NP
The natural quantum equivalent of quantum NPisQMA.
Definition 5. A language L is in QMA iff. there exists a quantum algorithm A(x) running in expected polynomial time (in its input’s size |x|) such that
Figure 5.2: Currently believed inclusions of complexity classes
Figure 5.3: Another possibility: full collapse • ∀x /∈L,∃|φi of size poly(|x|), Pr[A(x,|φi) outputs 1]≤1/3.
There aren’t actually many problems which are known to be in QMA but not in MA (the probabilistic version of NP). The more we go higher in complexity, the less difference there is between classical and quantum. We even have QP SP ACE=P SP ACE, whereP SP ACE (resp.
QSP ACE) is the complexity class of languages that can be solved with an algorithm (resp. quan-tum algorithm) running in polynomial space - but potentially exponential time.
Chapter 6
Quantum Supremacy
The problem Google solved
On October 24 2019, a research group lead by John Martinis announced to have achieved Quantum Supremacy, meaning that they performed a task using a programmable quantum architecture -calling this a quantum computer is still premature - that can’t be solved with current classical computers. More precisely, they constructed an architecture of 53 qubits that they used to solve a sampling problem in 3 minutes which would take 10000 years to solve on a desktop computer. IBM, Google’s main competitor, announced that this problem could be solved in only a few days using the best existing super computers, diminishing Google’s claims.
In this Chapter, we will present the sampling problem solved for this Quantum Supremacy Experiment, the associated quantum architecture that was built and a discussion on the classical difficulty of this problem. A good part of this lecture is a rewriting of parts of the Google article.
6.1
Sampling Random Quantum Circuits
Circuit Sampling: The input is a description of a n-qubit quantum circuit U, described by a sequence of one and two-qubit gates. The task of the problem is to sample from the probability distribution of outcomes
pU(x) =|hx|U|0ni|2.
If we runU on input|0niand measure the whole output, pU(x) is the probability that we measure
x.
A classical algorithm for (perfect) circuit sampling can be thought of, without loss of generality, as a function A, mappingm∈poly(n) bits r= (r1, . . . , rm) to nbits such that
∀x∈ {0,1}, 1
2m|{(r1, . . . , rm) :A(r1, . . . , rm) =x}|=pU(x).
6.1.1 Brief overview of the difficulty of the problem
In the quantum setting, it is easy to sample from distributionpU: runU on input|0ni, and measure
the output. By definition ofpU, the output will be x with probability exactlypU(x) (on a perfect
quantum computer). However, it is believed to take an exponential time in n to perform with a classical computer. This is the starting point of the quantum supremacy experiment: build a small quantum unitaryU from which we will be able to samplepU while the problem should be hard for
a classical computer. These are the hurdles that have to be overcome in order for this approach to work:
• First, build a quantum architecture for which we will be able to compute the unitary U for a randomly chosenU. The quantum supremacy experiment uses n= 53 but there are a lot of practical imperfections so the sampling problem solved has a lot of errors.
• Taking into account these imperfections, the classical problem should still be hard.
6.2
The Quantum Sampling Problem
6.2.1 The architecture used
When we look at circuits of 1 and 2 (qu)bit, we usually consider the case where any pair of wires can be put together in order to perform a 2 (qu)bit gate. However, in the quantum setting, this is challenging and we only have near neighbor interactions. In the quantum supremacy experiment, the interactions can be done as follows:
Each square represents a qubit and only 2 squares (i.e. qubits) that have a common edge can be used together to perform 2 qubit gates. Now that we have our qubit layout, what unitary U
could be performed by the Google team? They apply 20 times the following procedure:
• For each qubit, apply one of the 3 following single qubit unitaries, which hasn’t been applied in the previous round
X0 = √1 2 1 −i −i 1 ; Y0 = √1 2 1 -1 1 1 ; W0 = √1 2 1 √−i √ −i 1
• Then, we apply the following 2 qubit gateG2, on pairs, according to one of the layouts below.
G2 = 1 0 0 0 0 cos(θ) −isin(θ) 0 0 −isin(θ) cos(θ) 0 0 0 0 eiφ . withθ≈ π 2 and φ≈ π 6.
The device here constructed is programmable in the sense that we can choose between the different gatesX0, Y0, W0 as well as the places where we applyG2. Moreover, they showed that the
set{X0, Y0, W0, G2}forms a universal set of quantum gates so if they could scale up this technology
then they could construct a full quantum computer.
6.2.2 Errors in the quantum sampling
We showed how to construct this random unitary U and we said that by running U quantumly, we could sample from the distribution pU. However, in the real quantum supremacy experiment,
we can only sampleU with a lot of errors. The quantum supremacy experiment says that each of their have around 0.3% of errors. We will consider here a simplified model where we assume that a gate function correctly with probability 99.7% and that it outputs a random state otherwise1.
In each of the 20 rounds, there are 53 single qubit gates and ≤ 24 2-qubit gates, depending on the layout. This means that the whole unitary is correctly performed with probability at least 0.997(53+24)∗20 ≈ 1%. The rest of the time, because the noise is a random noise, the measured output is a uniform random string. Therefore, the quantum supremacy experiment can sample from the distributionpeU defined as
e
pU :=F pU+ (1−F)U nif.
withF = 1%.
Verifying that succeeded the sampling task. Notice that pU (resp. peU) are each charac-terized by 253 probabilities corresponding to the different pU(x) (resp. peU(x)). For a given U, we therefore don’t know the full distributions pU and peU so how can we check that the quantum supremacy experiment indeed samples from peU? Well right now, we can’t. The only thing we can
do is to analyze the behavior of the quantum architecture on smaller values of n, for which we can compute peU, and then, to extrapolate this behavior forn = 53. There are different advanced ex-trapolation arguments to show that the quantum supremacy experiment does what is says it does2 but only a future calculation of peU will determine if they indeed sampled from peU (or something approaching) or not.
1
This is actually not an necessary assumption in the Google experiment. They use the notion of cross entropy that allows to deal with any kind of errors and not just random errors.
2
In particular, they study a regime wheren= 53 but the unitaryU is a product unitary U1⊗U2 over 2 chunks
6.3
Classical hardness of the sampling problem
6.3.1 A bit of complexity: the language AM.Definition 6. A language L is in AM iff. there exists a randomized algorithm A(x) running in expected polynomial time (in its input’s size |x|) and 2 polynomials p, q such that
• ∀x∈L, Pry∈{0,1}p(|x|)[∃z∈ {0,1}q(|x|), A(x, y, z) outputs1]≥2/3. • ∀x /∈L, Pry∈{0,1}p(|x|)[∀z∈ {0,1}q(|x|), A(x, y, z) outputs1]≤1/3.
AM can be seen as the complexity class for which there exists a 2 message interactive proof between a polynomial time verifier and an all powerful prover where:
• V first sends a random stringy∈ {0,1}p(|x|).
• P sends a stringz to the verifier.
• V usesA and accepts ifA(x, y, z) outputs 1.
6.3.2 Classical hardness of the problem
In order to argue about the classical hardness, we will use the following proposition and conjectures.
Proposition 2. For a random unitary U, if one can approximately compute |h0|U|0i|2 then one
can compute Permanents3 of random matrices. This is#P-complete.
#P is the complexity class that corresponds to counting the number of solutions of a given problem. We present below some examples of #P-complete problems, taken from Wikipedia.
3
For a matrixA= (ai,j), we haveP erm(A) =Pσ∈SnΠ
n
Proposition 3. If there is a polynomial classical algorithm to sample from peU for a random U
then there is an AM protocol to solve the problem of computing |h0|U|0i|2 for a random U.
Conjecture 1. #P 6⊆AM.
If this conjecture is false, i.e. if #P ⊆AM then crazy things happen in complexity theory. In particular, the polynomial hierarchy collapses to the third level.
Putting the 2 Propositions together, we conclude that if there exists a polynomial time classical algorithm for the sampling problem then Conjecture 1 is false and the polynomial hierarchy collapses to the third level.
6.3.3 Best classical algorithms of the sampling problem
In the previous section, we sketched the argument that shows that the sampling problem should be hard for quantum computers. We present here what corresponds to the 10000 years claimed by Google and the 2−3 days claimed by IBM. Here are the running times expected by Google, taken from their paper. Plots (a) and (c) correspond to running times of the actual sampling problem. Plot (b) is the time to compute a verification circuit, as an indicator that the extrapolation of the behavior of their quantum architecture behaves well.
The plot (a) shows fast running times but the RAM requirements are out of reach. What the IBM team was to find ways to optimize the RAM requirements and push the purple dotted line more on the right to include the quantum architecture from Google. However, as soon as we move
towards 70 or 80 qubits, the RAM requirements will be way too large again in order to be used on a supercomputer and as we can see, other known methods stay very slow.
Don’t put in course.
6.4
Sketch of Proof of Proposition 3
The goal of this Section is to prove the following proposition
Proposition 3. If there is a polynomial classical algorithm to sample from peU for a random U
then there is an AM protocol to solve the problem of approximating |h0|U|0i|2 for a random U.
The problem we will solve is the following:
Approximating |h0|U|0i|2 problem
Input: a random matrix U. LanguageL: • U ∈L iff. |h0|U|0i|2
Proof sketch. Assume there is a classical algorithm to sample from peU for a randomU. As we
wrote before, this means that there is an efficiently computable function A mapping m bits to n
bits such that
∀x∈ {0,1}, 1
2m|{(r1, . . . , rm) :A(r1, . . . , rm) =x}|=peU(x). We will construct an AM
