Grover Search and Its Cryptographic Applications Henry - PowerPoint PPT Presentation

Warm up: Probabilistic Operations We can use stochastic matrix to describe the action of the swap gate on the register state.   1 0 0 0  0 1 / 2 1 / 2 0    S =   0 1 / 2 1 / 2 0   0 0 0 1 S | 10 � �→ 1 S | 00 � �→ | 00 � 2( | 01 � + | 10 � ) S | 01 � �→ 1 2( | 01 � + | 10 � ) S | 11 � �→ | 11 � ⇒ Computation is just a matrix-vector product. 6/40

Probabilistic Computation Register state: a vector in R 2 n . 7/40

Probabilistic Computation Register state: a vector in R 2 n . Probabilistic Computation 1. Initialize the register to | x � , on input x ∈ { 0 , 1 } n . 7/40

Probabilistic Computation Register state: a vector in R 2 n . Probabilistic Computation 1. Initialize the register to | x � , on input x ∈ { 0 , 1 } n . 2. Run the computation by computing a matrix-vector product F T · · · F 3 F 2 F 1 | x � (i.e., apply the circuit to the register). 7/40

Probabilistic Computation Register state: a vector in R 2 n . Probabilistic Computation 1. Initialize the register to | x � , on input x ∈ { 0 , 1 } n . 2. Run the computation by computing a matrix-vector product F T · · · F 3 F 2 F 1 | x � (i.e., apply the circuit to the register). 3. Measure the register. 7/40

Probabilistic Computation Register state: a vector in R 2 n . Probabilistic Computation 1. Initialize the register to | x � , on input x ∈ { 0 , 1 } n . 2. Run the computation by computing a matrix-vector product F T · · · F 3 F 2 F 1 | x � (i.e., apply the circuit to the register). 3. Measure the register. If the output of the computation is � y α y | y � , we will measure y with probability α y . 7/40

Probabilistic Computation Register state: a vector in R 2 n . Probabilistic Computation 1. Initialize the register to | x � , on input x ∈ { 0 , 1 } n . 2. Run the computation by computing a matrix-vector product F T · · · F 3 F 2 F 1 | x � (i.e., apply the circuit to the register). 3. Measure the register. If the output of the computation is � y α y | y � , we will measure y with probability α y . We require that F i s: 7/40

Probabilistic Computation Register state: a vector in R 2 n . Probabilistic Computation 1. Initialize the register to | x � , on input x ∈ { 0 , 1 } n . 2. Run the computation by computing a matrix-vector product F T · · · F 3 F 2 F 1 | x � (i.e., apply the circuit to the register). 3. Measure the register. If the output of the computation is � y α y | y � , we will measure y with probability α y . We require that F i s: ◮ come from a fixed set of universal gates (AND, OR, etc.), 7/40

Probabilistic Computation Register state: a vector in R 2 n . Probabilistic Computation 1. Initialize the register to | x � , on input x ∈ { 0 , 1 } n . 2. Run the computation by computing a matrix-vector product F T · · · F 3 F 2 F 1 | x � (i.e., apply the circuit to the register). 3. Measure the register. If the output of the computation is � y α y | y � , we will measure y with probability α y . We require that F i s: ◮ come from a fixed set of universal gates (AND, OR, etc.), ◮ preserve the L 1 norm (i.e., are stochastic matrices). 7/40

Probabilistic Computation Register state: a vector in R 2 n . Probabilistic Computation 1. Initialize the register to | x � , on input x ∈ { 0 , 1 } n . 2. Run the computation by computing a matrix-vector product F T · · · F 3 F 2 F 1 | x � (i.e., apply the circuit to the register). 3. Measure the register. If the output of the computation is � y α y | y � , we will measure y with probability α y . We require that F i s: Probabilities sum ◮ come from a fixed set of universal gates (AND, OR, etc.), to one. ◮ preserve the L 1 norm (i.e., are stochastic matrices). 7/40

Probabilistic Computation Register state: a vector in R 2 n . Probabilistic Computation 1. Initialize the register to | x � , on input x ∈ { 0 , 1 } n . 2. Run the computation by computing a matrix-vector product F T · · · F 3 F 2 F 1 | x � (i.e., apply the circuit to the register). 3. Measure the register. If the output of the computation is � y α y | y � , we will measure y with probability α y . We require that F i s: ◮ come from a fixed set of universal gates (AND, OR, etc.), ◮ preserve the L 1 norm (i.e., are stochastic matrices). 7/40

Quantum Computation Register state: a vector in C 2 n . (A “superposition”) Quantum Computation 1. Initialize the register to | x � , on input x ∈ { 0 , 1 } n . 2. Run the computation by computing a matrix-vector product F T · · · F 3 F 2 F 1 | x � (i.e., apply the circuit to the register). 3. Measure the register. If the output of the computation is � y α y | y � , we will measure y with probability | α y | 2 , where α y is an “amplitude.” We require that the F i s: ◮ come from a fixed set of universal gates ( H , T , etc.), ◮ preserve the L 2 norm (i.e., are unitary matrices). 8/40

Quantum Computation Register state: a vector in C 2 n . (A “superposition”) Quantum Computation 1. Initialize the register to | x � , on input x ∈ { 0 , 1 } n . 2. Run the computation by computing a matrix-vector product F T · · · F 3 F 2 F 1 | x � (i.e., apply the circuit to the register). 3. Measure the register. If the output of the computation is � y α y | y � , we will measure y with probability | α y | 2 , where α y is an “amplitude.” We require that the F i s: Probabilities sum ◮ come from a fixed set of universal gates ( H , T , etc.), to one. ◮ preserve the L 2 norm (i.e., are unitary matrices). 8/40

Example: Quantum Circuit x 0 F 2 x 1 Measure F 1 x 2 F 3 x 3 9/40

Observations about QC 10/40

Observations about QC 1. Gates must represent unitary transformations ( UU † = I ), so all computation must be reversible . 10/40

Observations about QC 1. Gates must represent unitary transformations ( UU † = I ), so all computation must be reversible . 2. Amplitudes can be negative , unlike probabilities. – This is the source of QC’s apparent power. 10/40

Useful Tool: Hadamard Gate Definition The Hadamard gate H is the quantum analogue of a classical bit-flip: � � 1 1 1 H = √ . 1 − 1 2 11/40

Useful Tool: Hadamard Gate Definition The Hadamard gate H is the quantum analogue of a classical bit-flip: � � 1 1 1 H = √ . 1 − 1 2 H | 0 � �→ | 0 � + | 1 � √ 2 11/40

Useful Tool: Hadamard Gate Definition The Hadamard gate H is the quantum analogue of a classical bit-flip: � � 1 1 1 H = √ . 1 − 1 2 H | 0 � �→ | 0 � + | 1 � √ 2 The operator H ⊗ n applies H to each of n qubits. 11/40

Useful Tool: Quantum Queries Fact (Lecerf 1963, Bennett 1973) If f : { 0 , 1 } n → { 0 , 1 } is computable with a T ( n ) -size classical circuit, then there is a size- O ( T ( n )) quantum circuit that maps: | x �| y � �→ | x �| y ⊕ f ( x ) � , possibly using O ( T ( n )) extra “work” bits. 12/40

Useful Tool: Quantum Queries Fact (Lecerf 1963, Bennett 1973) If f : { 0 , 1 } n → { 0 , 1 } is computable with a T ( n ) -size classical circuit, then there is a size- O ( T ( n )) quantum circuit that maps: | x �| y � �→ | x �| y ⊕ f ( x ) � , possibly using O ( T ( n )) extra “work” bits. Can make quantum queries to a classical function! 12/40

Useful Tool: Quantum Queries Fact (Lecerf 1963, Bennett 1973) If f : { 0 , 1 } n → { 0 , 1 } is computable with a T ( n ) -size classical circuit, then there is a size- O ( T ( n )) quantum circuit that maps: | x �| y � �→ | x �| y ⊕ f ( x ) � , possibly using O ( T ( n )) extra “work” bits. There is also a quantum circuit Q f of similar size that takes: ( − 1) f ( x ) | x � . | x � �→ 12/40

Useful Tool: Quantum Queries Fact (Lecerf 1963, Bennett 1973) If f : { 0 , 1 } n → { 0 , 1 } is computable with a T ( n ) -size classical circuit, then there is a size- O ( T ( n )) quantum circuit that maps: | x �| y � �→ | x �| y ⊕ f ( x ) � , possibly using O ( T ( n )) extra “work” bits. There is also a quantum circuit Q f of similar size that takes: ( − 1) f ( x ) | x � . | x � �→ This essentially changes the sign of “good” x s in a superposition. 12/40

Overview Motivation Background Grover’s Algorithm Unstructured Search The Algorithm Lower Bound Applications Conclusion

Definition (Unstructured Search Problem) Given oracle access to a function f : [ N ] → { 0 , 1 } , find a value x ∈ [ N ] such that f ( x ) = 1 . 14/40

Definition (Unstructured Search Problem) Given oracle access to a function f : [ N ] → { 0 , 1 } , find a value x ∈ [ N ] such that f ( x ) = 1 . Many cool applications discussed in a moment. 14/40

Definition (Unstructured Search Problem) Given oracle access to a function f : [ N ] → { 0 , 1 } , find a value x ∈ [ N ] such that f ( x ) = 1 . Many cool applications discussed in a moment. A few interesting variants: 14/40

Definition (Unstructured Search Problem) Given oracle access to a function f : [ N ] → { 0 , 1 } , find a value x ∈ [ N ] such that f ( x ) = 1 . Many cool applications discussed in a moment. A few interesting variants: Unique solution, 14/40

Definition (Unstructured Search Problem) Given oracle access to a function f : [ N ] → { 0 , 1 } , find a value x ∈ [ N ] such that f ( x ) = 1 . Many cool applications discussed in a moment. A few interesting variants: Unique solution, Exactly s solutions, 14/40

Definition (Unstructured Search Problem) Given oracle access to a function f : [ N ] → { 0 , 1 } , find a value x ∈ [ N ] such that f ( x ) = 1 . Many cool applications discussed in a moment. A few interesting variants: Unique solution, Exactly s solutions, Unknown # of solutions. 14/40

Definition (Unstructured Search Problem) Given oracle access to a function f : [ N ] → { 0 , 1 } , find a value x ∈ [ N ] such that f ( x ) = 1 . Many cool applications discussed in a moment. A few interesting variants: Unique solution, Exactly s solutions, Unknown # of solutions. Fact A classical algorithm for unstructured search that succeeds with constant probability must make Ω( N ) queries. 14/40

Theorem (Grover 1996) 15/40

Theorem (Grover 1996) There is a quantum algorithm for unstructured √ search that makes O ( N ) quantum queries and succeeds with probability at least 2 / 3 . 15/40

Grover’s Algorithm Let f : { 0 , 1 } n → { 0 , 1 } and let N = 2 n . 16/40

Grover’s Algorithm Let f : { 0 , 1 } n → { 0 , 1 } and let N = 2 n . ◮ Oracle: operator Q f that maps | x � �→ ( − 1) f ( x ) | x � . ◮ We can define an operator Q 0 that inverts the sign of | 0 n � . ◮ H ⊗ n is the quantum n -bit flip operator. 16/40

Grover’s Algorithm Let f : { 0 , 1 } n → { 0 , 1 } and let N = 2 n . ◮ Oracle: operator Q f that maps | x � �→ ( − 1) f ( x ) | x � . ◮ We can define an operator Q 0 that inverts the sign of | 0 n � . ◮ H ⊗ n is the quantum n -bit flip operator. The Algorithm. 1. Initialize an n -bit register to the state H ⊗ n | 0 n � . √ 2. Apply the following operator O ( N ) times: G = − H ⊗ n Q 0 H ⊗ n Q f . 3. Measure the state of the register and output it. 16/40

Analysis of Grover’s Algorithm (Following expositions of Watrous and Jozsa) Define: A = { x | f ( x ) = 1 } (“awesome strings”) with a = | A | , and 17/40

Analysis of Grover’s Algorithm (Following expositions of Watrous and Jozsa) Define: A = { x | f ( x ) = 1 } (“awesome strings”) with a = | A | , and B = { x | f ( x ) = 0 } (“bad strings”), with b = | B | . 17/40

Analysis of Grover’s Algorithm (Following expositions of Watrous and Jozsa) Define: A = { x | f ( x ) = 1 } (“awesome strings”) with a = | A | , and B = { x | f ( x ) = 0 } (“bad strings”), with b = | B | . Define: � 1 | A � = x ∈ A | x � , and √ a � 1 | B � = x ∈ B | x � . √ b 17/40

Analysis of Grover’s Algorithm (Following expositions of Watrous and Jozsa) Define: A = { x | f ( x ) = 1 } (“awesome strings”) with a = | A | , and B = { x | f ( x ) = 0 } (“bad strings”), with b = | B | . Orthogonal unit Define: � 1 vectors | A � = x ∈ A | x � , and √ a � 1 | B � = x ∈ B | x � . √ b 17/40

Analysis of Grover’s Algorithm (Following expositions of Watrous and Jozsa) Define: A = { x | f ( x ) = 1 } (“awesome strings”) with a = | A | , and B = { x | f ( x ) = 0 } (“bad strings”), with b = | B | . Define: � 1 | A � = x ∈ A | x � , and √ a � 1 | B � = x ∈ B | x � . √ b 17/40

Analysis of Grover’s Algorithm (Following expositions of Watrous and Jozsa) Define: A = { x | f ( x ) = 1 } (“awesome strings”) with a = | A | , and B = { x | f ( x ) = 0 } (“bad strings”), with b = | B | . Define: � 1 | A � = x ∈ A | x � , and √ a � 1 | B � = x ∈ B | x � . √ b After initialization, the register is in the uniform superposition over strings: � a � 1 b � H ⊗ n | 0 n � = | h � = √ | x � = N | A � + N | B � N x � �� � � �� � Awesome Bad 17/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | B �

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � | B � 18/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � Initial | B � 18/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � Initial | B � 18/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � | B � 18/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � | B � 18/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f Claim : H ⊗ n Q 0 H ⊗ n reflects | A � over plane orthogonal to | h � . | h � | B � 18/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f Claim : H ⊗ n Q 0 H ⊗ n reflects | A � over plane orthogonal to | h � . | h � | B � 18/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � | B � 18/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � | B � 18/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � | B � 19/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � | B � 19/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � | B � 19/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � | B � 19/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � | B � 19/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � | B � 19/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � | B � 19/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � And so on. . . | h � | B � 19/40

Analysis of Grover’s Algorithm G = − H ⊗ n Q 0 H ⊗ n Q f | A � | h � θ | B � 19/40

Analysis of Grover’s Algorithm | A � | h � θ | B � 19/40

Analysis of Grover’s Algorithm | A � 2 θ | h � θ | B � 19/40

Analysis of Grover’s Algorithm | A � 2 θ | h � θ | B � 19/40

Analysis of Grover’s Algorithm | A � 2 θ | h � θ | B � 19/40

Analysis of Grover’s Algorithm | A � 2 θ | h � θ | B � 19/40

Analysis of Grover’s Algorithm | A � 2 θ | h � θ | B � 19/40

Analysis of Grover’s Algorithm | A � 2 θ | h � θ | B � 19/40

Analysis of Grover’s Algorithm Where θ = sin − 1 � � a a N ≈ N | A � 2 θ | h � θ | B � 19/40

Analysis of Grover’s Algorithm After t Grover iterations, the angle between the register state and | B � is ≈ 2 θt . We want the bad state | B � and the register state to be orthogonal: 2 θt = π 2 . 20/40

Analysis of Grover’s Algorithm After t Grover iterations, the angle between the register state and | B � is ≈ 2 θt . We want the bad state | B � and the register state to be orthogonal: 2 θt = π 2 . Num. Solutions Iterations √ π 1 4 · N � π N a 4 · a √ Unknown t ← R { 1 , . . . , N } 20/40

Analysis of Grover’s Algorithm After t Grover iterations, the angle between the register state and | B � is ≈ 2 θt . We want the bad state | B � and the register state to be orthogonal: 2 θt = π 2 . Num. Solutions Iterations √ π 1 4 · N � π N a 4 · a √ Unknown t ← R { 1 , . . . , N } √ One query per iteration ⇒ O ( N ) queries. 20/40

Lower Bound Definition (Decision Grover Problem) Given oracle access to f : [ N ] → { 0 , 1 } , decide whether there exists an x such that f ( x ) = 1 with probability better than 2/3. 21/40