Quantum Computing – Two Applications

Quantum Computing – Two Applications

Which two?

1. In Communication Complexity: [2].

2. In Cryptography: [1].

Bibliography

References

[1] Mark Adcock and Richard Cleve, “A quantum Goldreich-Levin theorem with cryptographic applications,” STACS 2002, 323–334.

[2] Harry Buhrman, Richard Cleve, John Watrous and Ronald de Wolf, “Quantum fingerprinting,” PRL, 87(16), 2001.

Communication Complexity

Communication Complexity – Model Description

Alice has x

E(x) E(y)

Bob has y

Figure 1: A protocol P for computing f (x, y) Model Description:

• |x| = |y| = n, E(v) : encoding of v(= x or y).

• f (x, y): a Boolean predicate of x and y.

(f : {0, 1}ⁿ × {0, 1}ⁿ 7−→ {0, 1})

Communication Complexity – Goal

Goal:

• Design a protocol P such that – Pr[P(x, y) = f (x, y)] ≥ 1 − ε.

(for 0 ∈ [0, ¹₂])

– The length of E(v) is as minimum as possible.

Communication Complexity – Definition

Definition:

• Communication Complexity of P:

C_P =^∆ max

(x,y){E(x), E(y)} (of the protocal P).

• Communication Complexity of f : C(f ) =^∆ min

P C_P.

SMM (Simultaneous Message Model)

Bob has y

E(x) E(y)

Alice has x

Referee R

Figure 2: A protocol P for computing f (x, y) in the SMM.

• Alice and Bob cannot interact with each other.

• E(x) and E(y) can be sent to the Referee R only.

EQ

(x,y) Problem

• (We only care the protocols in SMM hereafter.)

• (We only care f (x, y) = EQ_ε(x, y) hereafter.)

• Definition EQ_ε(x, y) :







Pr[EQ_ε(x, y) = 1] = 1, when x = y;

Pr[EQ_ε(x, y) = 0] ≥ 1 − ε, when x 6= y.

(1)

• Amazingly, C_SMM(EQ_ε) = Θ(√ n)!

Protocol s.t. C

(EQ

) = O( √

n) – Warmup!

Good code E(v) (Justesen code):

• E : {0, 1}ⁿ 7−→ {0, 1}^cn for c > 1

• d(x, y): Hamming distance between x and y.

For 0 ≤ ε ≤ 1

2, we have:







d(E(x), E(y)) = 0, x = y;

d(E(x), E(y)) ≥ (1 − ε)cn, x 6= y.

(2) (Compare with (1)).

Justesen code – construction (1)

` `

|v| = n

n = m`

v

v

v

` g(r)

`

Figure 3: Divide v into m piece of equal length ` (m ≤ 2<sup>`−1</sup>, suggested)

g(r) =^∆

m−1

X v_irⁱ (mod 2^`). (3)

Justesen code – construction (2)

g(r) rg(r)

h(r) = (g(r), rg(r))

2` 2` 2`

h(2

− 1) h(1)

h(0)

N = 2

2`

Justesen code – construction (3)

• Let h(r) = (g(r), rg(r)), then^∆

E(v) ← {h(r)}_{r∈GF (2}^{`</sup><sub>)</sub> ← {(3), r(3)}<sub>r∈GF (2</sub><sup>`}₎ (4) is a Justesen code of v for |E(v)| = 2<sup>`</sup>2`.

• Analysis of case m ≤ 2<sup>`−1</sup>: – c = <sup>|E(v)|</sup><sub>|v|</sub> ≥ <sup>2</sup><sub>m`</sub>^`2` = 4

– Hamming distance: at least δ(2<sup>`</sup> − m)2`.

– Compare with (2), we have ε ≥ 1 − ^δ₂ because δ(2<sup>`</sup> − m)2` ≥ 2δm` ≥ (1 − ε)cn ≥ 4(1 − ε)m`.

Protocol s.t. C

(EQ

) = O( √

n) – Step 1

Step 1:

(v, |v| = n)

(E(v), |E(v)| = cn)

Figure 4: Encode v by Justesen code

Protocol s.t. C

(EQ

) = O( √

n) – Step 2

Step 2. Rearrange E(x) into a √

cn × √

cn square:

(E(v), |E(v)| = cn)

√ cn

√ cn

Protocol s.t. C

(EQ

) = O( n) – Step 3

Step 3:

E

(x)

E

(y)

Alice Bob

• Alice choose i ∈ {1, 2, . . . ,√

cn} and send E_i,∗(x) to Referee R.

√

Protocol s.t. C

(EQ

) = O( √

n) – Step 4

Step 4 Referee R checks whether E_i,j(x) = E_i,j(y):

E

(x)

E

(y)

E

(x) = E

(y)?

Referee

Protocol s.t. C

(EQ

) = O( √

n) – Analysis

Analysis:

• x = y: E_i,j(x) = E_i,j(y).

• x 6= y: Pr[E_i,j(x) 6= E_i,j(y)] ≥ 1 − ε.

(Because [d(E(x), E(y))] ≥ (1 − ε)cn)

EQ

(x,y) Problem in Quantum World M

Idea. Recall that encoding v by Justesen code:

(v, |v| = n)

(E(v))

1 2 cn

(Superposition)

~

v = P

v ~

Encode v in M (1)

Idea. Let x be encoded as |xi, and y as |yi (in M).

Bob has y Alice has x

Referee R

|xi |yi

Find a way of encoding s.t.

| hx | yi |



= 1, x = y,

Encode v in M (2)

Let m = cn = |E(v)|. Encode x into^∆

|xi =

m−1

X

i=0

√1

m |ii ⊗ |E_i(x)i , and y into

|yi =

m−1

X

i=0

√1

m |ii ⊗ |E_i(y)i . Then

hx | yi = 1 m

m

X

i=1

E_i(x)E_i(y)

Encode v in M (3)

• Here, dim(|ii) = m and dim(|E_i(v)i) = 2.

• It’s easy to verify that when x 6= y hx | yi = 1

m

m

X

i=1

E_i(x)E_i(y) ≤ 1

mεm because d[(E(x), E(y))] ≥ (1 − ε)m.

• What should Referee R do then?

Referee’s Circuit

H H

c-SWAP

|yi

|0i

|xi

Figure 5: A circuit for testing if |xi = |yi or | hx | yi | ≤ ε

What is H? (1)

H

H ^|0i

|0i

√1

2

|0i +

2

|1i

√1

2

|0i +

2

|1i

What is H? (2)

H

H ^|1i

|1i

√1

2

|0i −

2

|1i

√1

2

|0i −

2

|1i

What is c-SWAP? (1)

c-SWAP

c = |0i

|xi

|yi

|xi

|yi

What is c-SWAP? (2)

c-SWAP

|1i

|xi

|yi

|yi

|xi

Stage 1

|0i ⊗ |xi ⊗ |yi −→ 1

√2 |0i ⊗ |xi ⊗ |yi + 1

√2 |1i ⊗ |yi ⊗ |xi (5)

H H

c-SWAP

|0i

|xi

|yi

Stage 2

(5) −→ 1

2(|0i + |1i) ⊗ |xi ⊗ |yi + 1

2(|0i − |1i) ⊗ |yi ⊗ |xi

= 1

2 |0i ⊗ (|xi ⊗ |yi + |yi ⊗ |xi) + 1

2 |1i ⊗ (|xi ⊗ |yi − |yi ⊗ |xi)

= (2)

H H

c-SWAP

|0i

|xi

|yi

Stage 3

Referee R regards |0i as x = y, |1i as x 6= y.

Apply the Projection operation P_|0i to (2) = 1

2 |0i⊗(|xi⊗|yi+|yi⊗|xi)+ 1

2 |1i⊗(|xi⊗|yi−|yi⊗|xi), then

P_|0i(2) = |0i 1

2(hx| ⊗ hy| + hy| ⊗ hx|)1

2(|xi ⊗ |yi + |yi ⊗ |xi)



= |0i 1

2(1 + | hx | yi |²)

 .

Stage 3 (Cont.)

Thus,

1

2(1 + | hx | yi |²)







= 1, x = y;

≤ ¹₂(1 + ε²), x 6= y.

(6)

EQ

(x,y) Protocol in M – Analysis

Figure 6: What is sent by Bob – classical vs quantum

EQ

(x,y) Protocol in M – Analysis

Comparison

• Classically Bob sends j and E_∗,j(y): lg n + c√

n bits (Θ(√

n) de facto).

• Quantumly Bob sends |yi: O(lg n) qubits.

Reduce error

• – Can we reduce the one side error  =^{∆ 1}₂(1 + ε²)?

– Naively, repeat the protocol k times, we have an error bound (^1+ε₂ ²)^k.

• Moreover it can be reduced to √

πk(^1+ε₂ )^2k.

• But it cannot be less than ¹₄(^1+ε₂ )^2k.

Reduce to √

πk(

)

(0)

Idea:

• Know fact:

hx | yi ≤ ε (7)

• Duplicate |xi and |yi k times respectively we have

|Xi = |xi^{∆ (k)} and |Y i = |yi^{∆ (k)}.

Reduce to √

πk(

)

(1)

Prepare two kinds of quantum registers

• Permutation register |P i.

• Data register |Di = |XY i.^∆

Reduce to √

πk(

)

(2)

Permutation register |si:

• Defined by the permutition group S_2k for σ_s ∈ S_2k. (Note s = 0: the index of identity permutition)

• Define C = |S_2k|

• Initially, we prepare |si = |0i^(C).

Reduce to √

πk(

)

(3)

H H

|Di

PERM

|P i = |0i

Figure 7: The algorithm for reducing err to√

πk(^1+ε₂ )^2k (|Di = |XY i = |xi^(k) |yi^(k))

Reduce to √

πk(

)

(4)

H H

|Di

PERM

|P i = |0i

Figure 8: |P i = ^√1

C

PC−1

s=0 |si: generate all possible permuta- tion uniformly

Reduce to √

πk(

)

(5)

H H

|Di

PERM

|P i = |0i

|P i ⊗ |Di = 1

√C

C−1

X

s=0

|si ⊗ σ_s(|Di)

= 1

√C

C−1

X

s=0

|si ⊗ |σ_s(D)i (8)

Reduce to √

πk(

)

(6)

Measure

H H

|Di

PERM

|P i = |0i

|P i

Figure 9: We only care whether |P i = |0i^(C) thus measure

|P i ⊗ |Di = (h0|^(C) H^(C) ⊗ I)(8)

= 1

√C

C−1

X

s=0

h0|^(C) H^(C) |si ⊗ |σ_s(D)i

= 1

√C

C−1

X

s=0

( 1

√C

C−1

X

t=0

ht|)|si ⊗ |σ_s(D)i

= 1 C

C−1

X

s=0

|si ⊗ |σ_s(D)i (9)

h0|^(C) (9) = 1 C

C−1

X

s=0

|σ_s(D)i (10)

Reduce to πk(

) (7)

The probability that we measure |P i = |0i^(C) is (10)^†(10) = ( 1

C

C−1

X

t=0

hσ_t(D)|)( 1 C

C−1

X

s=0

|σ_s(D)i)

= 1 C²

C−1

X

t=0

C−1

X

s=0

hσ_t(D) | σ_s(D)i = 1 C²

C−1

X

t=0

C−1

X

s=0

hD| σ_t⁻¹σ_s |Di

= 1 C²

C−1

X

s=0

hD| Cσ_s(|Di) 1 ^C−1X

hD| σ 1 ^C−1X

hx|^(k) hy|^{(k) (k)} |yi^(k)

Reduce to √

πk(

)

(8)

Because hx | yi ≤ ε and C = |S_2k| = (2k)!, we have (11) = 1

C

C−1

X

s=0

hx|^(k) hy|^(k) σ_s(|xi^(k) |yi^(k))

≤ (k!)² (2k)!

k

X

i=0

(k i



εⁱ)² ≤ (k!)²

(2k)!(1 + ε)^2k ≤ √

πk(1 + ε

2 )^2k (12)

Cannot be smaller than

(

)

(1)

Extremal case:

• |φi = |x₁i^(k) |y₁i^(k) and |ψi = |x₂i^(k) |y₂i^(k)

• Set cos(θ) = hx₂ | y₂i = ε, |x^∆ ₁i = |0i, |y₁i = |0i;

|x₂i = cos(^θ₂) |0i + sin(^θ₂) |1i,

|y₂i = cos(^θ₂) |0i − sin(^θ₂) |1i.

• hφ | ψi = cos^2k(^θ₂) = (^1+cos(θ)₂ )^k = (^1+ε₂ )^{k ∆}= cos(β)

Cannot be smaller than

(

)

(2)

|noi

|yesi |ψi

|φi

β 2 β 2

π 4

Figure 10: Indistinguishable case for |φi and |ψi

Cannot be smaller than

(

)

(3)

• |yesi: |φi and |ψi are the same.

|noi: |φi and |ψi are different.

Pr[Answer yes when different]

+Pr[Answer no when the same]

= 1

2 sin²(π

4 − β

2 ) + 1

2 sin²(π

4 − β 2 )

= 1 − sin(β)

2 ≥ 1

4 cos²(β) = 1

4(1 + ε

2 )^2k (13)

Cryptography

Goldreich Levin Theorem

• OWF: one-way function f : {0, 1}ⁿ → {0, 1}ⁿ

• HCP: hardcore predicate h : {0, 1}ⁿ → {0, 1}

• Predicting a HCP is as hard as inverting a OWF.

• We only care about the efficeincy of the reduction from OWF to HCP.

Main Results

The efficeincy of the reduction:

• Classical world: Ω(^δn_ε2 )

• Quantum world: O(¹_ε) Modified Reduction/Problem:

• EQ query corresponds to computing (b, x) = (f (a), x).^∆

• IP query corresponds to computing h(a, x) = a · x.^∆

The Problem

• Input: a ∈ {0, 1}ⁿ

(given but kept confidential in a black box.)

• Output: a (rechieve it from the black box!)

• Allowed operations: black-box queries only.

• Goal: determine a with a minimun number of black-box queries.

Classical black boxes

1. IP. for a set S(⊆ {0, 1}ⁿ) which satisfies

|S| ≥ (0.5 + ε)2ⁿ:

IP(x) =^∆







a · x, x ∈ S;

a · x, x 6∈ S.

Alternative speaking, Pr_x∈{0,1}ⁿ[IP(x) = a · x] ≥ 0.5 + ε 2. EQ.

EQ(x) =^∆







1, x = a;

0, x 6= a.

Classical Theorem

Given

• success probability: δ(> 0) and

• ε ≥ √

n2⁻ⁿ³ .

We should determine a by

• at lease 2ⁿ² EQ queries; or

• Ω(^δn_ε2 ) IP queries.

From randomized to deterministic

• Let

– I: the set of all possible inputs;

p: chosen distribution of all possible algorithms;

R_ε: a randomized algorithm with err prob ε.

– A: the set of all possible algorithms.

q: chosen distribution of all possible inputs;

D_2ε: a deterministic algorithm with err prob 2ε.

Then we have

2 max

I∈I E_p[R_ε] ≥ min

A∈A E_q[D_2ε] (14)

From randomized to deterministic

• a deterministic algorithm with error inputs can lower bounded corresponding randomized ones.

• That’s the reason we define IP which might have error string in.

Classical black box algorithm

• Do IP queries for m times first.

• Then do EQ queries for 2ⁿ² times.

• Analyze the conditional mutual information about a:

– Lower bound: determined by IP queries.

– Upper bound: determined by EQ queries.

• estimate m from the conditional mutual information about a.

H(A|Y

, . . . , Y

, Y

)

H(A|Y ₁, . . . , Y _m−1, Y _m):

• the quality of information on the input a ∈ {0, 1}ⁿ (which corresponds to the random variable A)

we gained after applying m queries.

• Y _i: the {0, 1}-valued random variable corresponding to the output of the i-th time IP query.

Conditional and Joint Entropy

• Let X and Y are two random variables, then

• Conditional Entropy:

H(X|Y ) =^∆ − X

y∈Y

Pr[y] X

x∈X

Pr[x|y] lg(Pr[x|y])(15)

= H(X, Y ) − H(Y ) (16)

• Joint Entropy:

H(X, Y ) =^∆



− X

y∈Y

X

x∈X

Pr[x, y] lg(Pr[x, y])



(17)

= H(X) + H(Y |X) (18)

Compute H(A|Y

, . . . , Y

, Y

)

Let Y ^{m−1 ∆}= {Y ₁, . . . , Y _m−1}, then H(A|Y ₁, . . . , Y _m−1, Y _m)

=∆ H(A|Y ^m−1, Y _m)

= H(A, Y ^m−1, Y _m) − H(Y ^m−1, Y _m)

= 

H(Y _m|A, Y ^m−1) + H(A, Y ^m−1) 

− H(Y _m|Y ^m−1) + H(Y ^m−1)

=



H(Y _m|A, Y ^m−1) + H(A|Y ^m−1) + H(Y ^m−1)



Compute H(A|Y

, . . . , Y

, Y

)

Thus (19) can be spreaded as follows:

H(A|Y ₁, . . . , Y _m) = H(A|Y ₁, . . . , Y _m−1)

+ H(Y _m|A, Y ₁, . . . , Y _m−1)

− H(Y _m|Y ₁, . . . , Y _m−1) H(A|Y ₁, . . . , Y _m−1) = H(A|Y ₁, . . . , Y _m−2)

+ H(Y _m−1|A, Y ₁, . . . , Y _m−2)

− H(Y _m−1|Y ₁, . . . , Y _m−2) H(A|Y ₁, Y ₂) = H(A|Y ₁) + H(Y ₂|A, Y ₁)

− H(Y ₂|Y ₁)

H(A|Y ) = H(A) + H(Y |A)

Compute H(A|Y

, . . . , Y

, Y

)

Recursively plug the above equations into (19), we have H(A|Y ₁, . . . , Y _m) = H(A) +

m

X

ı=1

H(Y _i|A, Y ₁, . . . , Y _ı−1)

−

m

X

ı=1

H(Y _i|Y ₁, . . . , Y _i−1)

=∆ (X) + (Y) − (Z) (20)

We will analyze the above terms.

Analyze (X)

Because A is a random variable

(which corresponds to the input a of our algorithm) uniformly chosen from {0, 1}ⁿ, it’s trivial that

(X) = H(A)^∆ = − X

a∈{0,1}ⁿ

Pr[a] lg(Pr[a])

= −2ⁿ 1

2ⁿ lg( 1

2ⁿ) = n (21)

Analyze (Y): algorithm IPQuery

IPQuery(m)

1 U ← {0, 1}ⁿ

2 S ← nil, S ← nil 3 j ← 0

4 for i ← 1 to m 5 do x ∈_R U

6 w.p. ((0.5 + ε)2ⁿ − j)/(2ⁿ − (i − 1))

7 do S ← S ∪ x

8 j ← j + 1

9 or S ← S ∪ x

10 U ← U \ {x}

Analyze (Y)

• S can be regarded as the success set {x | IP(x) = a · x}

and

S as the fail set {x | IP(x) = a · x}.

• Let p_i be the probability that x is put into the success set at the i-th query, then

0.5−2ε ≤ (0.5 + ε)2ⁿ − (i − 1)

2ⁿ − (i − 1) ≤ p_i ≤ (0.5 + ε)2ⁿ

2ⁿ − (i − 1) ≤ 0.5+2ε (22)

Analyze (Y)

Thus, the information on the output of the i-th query (when a and the information on the output of previous queries are known) has a lower bound determined by (22) because H(p) is convex for p ∈ [0, 1], max when p = 0.5.

Analyze (Y)

0.5 0

H(p)

ε

p ε

1 1

Figure 11: H(p) is convex for p ∈ [0, 1]

Analyze (Y)

That is

H(Y _i|A, Y ₁, . . . , Y _ı−1)

≥ H(0.5 − 2ε) (≡ H(0.5 + 2ε))

=∆ −(0.5 − 2ε) lg(0.5 − 2ε) − (0.5 + 2ε) lg(0.5 + 2ε)

≥ 1 − 16

ln 2ε² (Taylor expansion)

(Y) =

m

XH(Y _i|A, Y ₁, . . . , Y _ı−1) ≥ (1 − 16

ln 2ε²)m(23)

Analyze (Z)

Because Y _i is a random variable chosen from {0, 1}

(which corresponds to the output y_i after the ith query) and the entropy of an 1-bit string is at most 1, we have

H(Y _i|Y ₁, . . . , Y _i−1) ≤ 1

=⇒ (Z) =^∆

m

X

ı=1

H(Y _i|Y ₁, . . . , Y _i−1) ≤ m (24)

Lower bound of H(A|Y

, . . . , Y

, Y

)

Substituting (21), (23) and (24) into (20), we have H(A|Y ₁, . . . , Y _m) =^∆ (X) + (Y) − (Z)

≥ (n) +



(1 − 16

ln 2ε²)m



− (m)

= n −  16 ln 2ε²



m (25)

Two tuned parameters

• the number of EQ queries: 2⁻ⁿ²

• the upper bound of ε: δ√

n2⁻ⁿ³

Upper bound of H(A|Y

, . . . , Y

, Y

)

Achieve maximum entropy when δ(> 0) is fixed:

• 2^n/2 elements each have EQUAL probability _2n/2^δ .

• 2ⁿ − 2^n/2 elements each have EQUAL probability

1−δ 2ⁿ−2^n/2.

Therefore,

H(A|Y ₁, . . . , Y _m−1, Y _m)

≤ H( δ

2^n/2 , · · · , δ 2^n/2

| {z }

2^n/2

, 1 − δ

2ⁿ − 2^n/2, · · · , 1 − δ 2ⁿ − 2^n/2)

| {z }

2ⁿ−2^n/2

= δ lg(2^n/2) + H(δ) + (1 − δ) lg(2ⁿ − 2^n/2)

< δn/2 + 1 + (1 − δ)n = n − δn/2 + 1 (26)

Estimate m: the number of queries to IP

Combine (25) with (26), we have n −  16

ln 2ε²



m ≤ H(A|Y ₁, . . . , Y _m−1, Y _m) < n − δn

2 + 1 Finally,

m > δn − 2

32ε² ln 2 ∈ Ω(δn

ε² ) (27)

The Problem in quantum model

• Input: a ∈ {0, 1}ⁿ

(given but kept confidential in a black box.)

• Output: a (rechieve it from the black box!)

• Allowed operations: quantum black-box queries only.

• Goal: determine a with a minimun number of quantum black-box queries.

Quantum black boxes

• U_IP:

U_IP

n qubits

z}|{|xi |0^mi

1 qubit

z}|{|oi

=∆ |xi (α_x |v_xi |a · xi + β_x |w_xi |a · xi) |oi

1 2ⁿ





X

x∈{0,1}ⁿ

α²_x



 ≥ 1

2 + ε, 1 2ⁿ





X

x∈{0,1}ⁿ

β_x²



 ≤ 1

2 − ε

• U_EQ:

U_EQ |xi 

0^m−1

1 qubit

z}|{|bi |oi =







|xi 

0^m−1 

¯b |oi , x = a;

|xi 

0^m−1 |bi |oi , x 6= a.

What is U

?

For x, a ∈ {0, 1}ⁿ and b ∈ {0, 1},

• if |ai |0i is in the form of a 2ⁿ⁺¹-dimention column vector −e→_K ^a,

then U_EQ can be represented as the following

2ⁿ⁺¹ × 2ⁿ⁺¹ matrix: (for the first 0 in the frame box 0 1

1 0

is located at (K, K))















































 1

. ..

. .. 1

0 1 1 0

1

. .. 1

















































The circuit C

n

m

H H H

X Z

H H U

U

H

qubits

qubits

Figure 12: The circuit C



1 1

 

0 1

 

1 0



goal

• Circuit input: |0ⁿ, 0^m, 0i.

• Ideal output: |a, 0^m, 1i, actual output: C |0ⁿ, 0^m, 0i.

• Prove that

ha, 0^m, 1| · C |0ⁿ, 0^m, 0i ≥ 2ε, or

|ha, 0^m, 1| · C |0ⁿ, 0^m, 0i|² ≥ 4ε²

• Thus when repeating the quantum algorithm ^a for O(_ε¹2) times, the input a can be found w.h.p.

aThat is, feed |0ⁿ, 0^m 0i into the circuit C

Decompose C

n

m

H H H

X Z

H H U

U

H

qubits

qubits

C

C

C

C

C

goal in detail

ha, 0^m, 1| · C |0ⁿ, 0^m, 0i

= ha, 0^m, 1| · C₅C₄C₃C₂C₁ |0ⁿ, 0^m, 0i

= C₄⁻¹C₅⁻¹ ha, 0^m, 1| · C₃C₂C₁ |0ⁿ, 0^m, 0i

= C₄⁻¹C₅⁻¹ ha| h0^m| h1| · C₃C₂C₁ |0ⁿi |0^mi |0i

= (A) · (B) ≥ 2ε (28)

Compute (B): stage C

H H H

X Z

H H U

U

H

C

|0

i

|0

i

|0i

C₁ |0ⁿi |0^mi |0i

= ^√1

2ⁿ

P

x∈{0,1}ⁿ |xi |0^mi |1i (29)

Compute (B): stage C

H H H

X Z

H H U

U

H

C

|0

i

|0

i

|0i

C₂(29) = C₂ 1

√2ⁿ

X

x∈{0,1}ⁿ

|xi |0^mi |1i

= 1

√2ⁿ

X

x∈{0,1}ⁿ

|xi (α_x |v_xi |a · xi + β_x |w_xi |a · xi) |1i (30)

Compute (B): stage C

H H H

X Z

H H U

U

H

C

|0

i

|0

i

|0i

C₃(30)

= C₃ 1

√2ⁿ

X

x∈{0,1}ⁿ

|xi (α_x |v_xi |a · xi + β_x |w_xi |a · xi) |1i

= 1

√2ⁿ

X

x∈{0,1}ⁿ

|xi (α_x(−1)^a·x |v_xi |a · xi) |1i

+ 1

√2ⁿ

X

x∈{0,1}ⁿ

|xi β_x(−1)^a·x |w_xi |a · xi
|1i

= 1

√2ⁿ

X

x∈{0,1}ⁿ

(−1)^a·x |xi (α_x |v_xi |a · xi) |1i

− 1

√2ⁿ

X

x∈{0,1}ⁿ

(−1)^a·x |xi (β_x |w_xi |a · xi) |1i

= (B) (31)

Compute (A): stage C

H H H

X Z

H H U

U

H

C

|ai

|0

i

|1i

C₅⁻¹ |ai |0^mi |1i

= 1

√2ⁿ

X

x∈{0,1}ⁿ



(−1)^a·x |xi |0^mi |1i

(32)

Compute (A): stage C

H H H

X Z

H H U

U

H

C

|ai

|0

i

|1i

C₄⁻¹(32)

= C₄⁻¹ 1

√2ⁿ

X

x∈{0,1}ⁿ

((−1)^a·x |xi |0^mi |1i)

= 1

√2ⁿ

X

x∈{0,1}ⁿ

(−1)^a·x |xi (α_x |v_xi |a · xi) |1i

+ 1

√2ⁿ

X

x∈{0,1}ⁿ

(−1)^a·x |xi (β_x |w_xi |a · xi) |1i

= (A⁻¹) (33)

Compute (A) · (B): warmup!

(A) = 1

√2ⁿ

X

x∈{0,1}ⁿ

α_x((−1)^a·x |xi |v_xi |a · xi |1i)

+ 1

√2ⁿ

X

x∈{0,1}ⁿ

β_x((−1)^a·x |xi |w_xi |a · xi |1i)

(B) = 1

√2ⁿ

X

x∈{0,1}ⁿ

α_x((−1)^a·x |xi |v_xi |a · xi |1i)

− 1

√2ⁿ

X

n

β_x((−1)^a·x |xi |w_xi |a · xi |1i)

Compute (A) · (B)

(A) · (B)

= 1

2ⁿ

X

x∈{0,1}ⁿ

α²_x − β_x²

=



 1 2ⁿ

X

x∈{0,1}ⁿ

α²_x



 −



 1 2ⁿ

X

x∈{0,1}ⁿ

β_x²





≥  1

2 + ε



−  1

2 − ε



= 2ε (34)

Boosting: achieve the goal in another way

• Previously known: repeat the quantum algorithm for O(ε⁻²) times.

• More effeciently: do the quantum algorithm once then apply the boosting algorithm :

Q = −C(U^∆ ₀ ⊗ I)C⁻¹(U_a ⊗ I)

for O(ε⁻¹) times. That is, compute Q^(t) · (C |0ⁿ, 0^m, 0i) for t = O(ε⁻¹).

Q = −C(U

⊗ I)C

(U

⊗ I)

• Revise C s.t. (ha, 0^m, 1|) · (C |0ⁿ, 0^m, 0i) ≡ 2ε.

• U_a or U₀: apply to the first n qubit.

• I: apply to the last m + 1 qubits.

• U_a:

U_a |xi =^∆







|xi x 6= a,

− |xi x = a.

Alternative speaking, U_a = I − 2 |aiha|.

• U₀: a kind of U_a when a = 0ⁿ.

(U

⊗ I)

−→ U

|ai

|φi

U

|φi

−|ai = U

|ai

sp{|ai

}

Figure 19: U_a: refection in the hyperplane sp{|ai^⊥}

C(U

⊗ I)C

= U

• For z ∈ {0, 1}^m+1:

C(U₀ ⊗ I)C⁻¹
· C |0ⁿ, zi

= C(U₀ ⊗ I) C⁻¹C
|0ⁿ, zi = CU₀ |0ⁿ, zi

= C (− |0ⁿ, zi) = −C |0ⁿ, zi (35)

• For y ∈ {0, 1}ⁿ and y 6= 0ⁿ:

C(U₀ ⊗ I)C⁻¹
· C |y, zi = C(U₀ ⊗ I) C⁻¹C
|y, zi

= CU₀ |y, zi = C |y, zi (36)

• Thus, C(U₀ ⊗ I)C⁻¹ = U_C|0ⁿ_,zi

−C(U

⊗ I)C = −U

θ θ

2θ

|ψi = U

|φi

−U

|ψi

θ θ

|ψi 3θ

sp{C|0i

}

|φi ≡ C|0

i

sp{|ai

}(3 |0

i)

Figure 20: −U_C|0ⁿ_i: rotate |φi to alternative direction.

• Recall that Q = −C(U ⊗ I)C⁻¹(U ⊗ I)

Ratate towards |ai

|ai

−|ai = U

|ai

sp{|ai

} θ

|φi ≡ C|0

i

U

|φi

Figure 21: θ ≡ sin⁻¹(ha| · C |0ⁿi) = sin⁻¹(2ε)

Boost the probability that |ai happens

• When sin((2k + 1)θ) = 1, Q^(k) |0ⁿ, 0^m, 0i = |a, 0^m, 1i.

• The minimun k which satisfies

sin((2k + 1)θ) = 1 ⇐⇒ (2k + 1)θ = π

2 (37) is ^π−sin_{2 sin}−1⁻¹(2ε)^(2ε).

• Because sin⁻¹(2ε) ≥ 2ε holds for small ε, we can estimate that

π − sin⁻¹(2ε) π − 2ε π 1 1