An Intensive Introduction to Cryptography — Boaz Barak


Quantum computing and cryptography II

Shor’s Algorithm

Bell’s Inequality is a powerful demonstration that there is something very strange going on with quantum mechanics. But could this “strangeness” be of any use in solving computational problems not directly related to quantum systems? A priori, one could guess the answer is no. In 1994 Peter Shor showed that one would be wrong:

Theorem (Shor’s Theorem): The map that takes an integer \(m\) into its prime factorization is efficiently quantumly computable. Specifically, it can be computed using \(O(\log^3 m)\) quantum gates.

This is an exponential improvement over the best known classical algorithms, which, as we mentioned before, take roughly \(2^{\tilde{O}(\log^{1/3} m)}\) time.

We will now sketch the ideas behind Shor’s algorithm. In fact, Shor proved the following more general theorem:

Theorem: There is a quantum polynomial time algorithm that given a multiplicative Abelian group \(\mathbb{G}\) and element \(g\in\mathbb{G}\) computes the order of \(g\) in the group.

Recall that the order of \(g\) in \(\mathbb{G}\) is the smallest positive integer \(a\) such that \(g^a = 1\). By “given a group” we mean that we can represent the elements of the group as strings of length \(O(\log |\mathbb{G}|)\) and there is a \(poly(\log|\mathbb{G}|)\) algorithm to perform multiplication in the group.

From order finding to factoring and discrete log

The order finding problem allows us not just to factor integers in polynomial time, but also to solve the discrete logarithm over arbitrary Abelian groups, thereby showing that quantum computers will break not just RSA but also Diffie-Hellman and Elliptic Curve Cryptography. We merely sketch how one reduces the factoring and discrete logarithm problems to order finding (see some of the sources above for the full details):

  • For factoring, let us restrict to the case \(m=pq\) for distinct primes \(p,q\). Recall that we showed that finding the size \((p-1)(q-1)=m-p-q+1\) of the group \(\Z^*_m\) is sufficient to recover \(p\) and \(q\). One can show that if we pick a few random \(x\)’s in \(\Z^*_m\) and compute their order, the least common multiple of these orders is likely to be the group size.
  • For discrete log in a group \(\mathbb{G}\), if we get \(X=g^x\) and need to recover \(x\), we can compute the order of various elements of the form \(X^ag^b\). The order of such an element is a number \(c\) satisfying \(c(xa+b) = 0 \pmod{|\mathbb{G}|}\). Again, with a few random examples we will get a nontrivial example (where \(c \neq 0 \pmod{|\mathbb{G}|}\)) and be able to recover the unknown \(x\).
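As an added Python example (not from the notes), here is the factoring reduction of the first bullet on a constructed modulus \(61\cdot 53\), with a brute-force stand-in for the quantum order-finding step. One caveat the sketch glosses over: the lcm of element orders converges to the group exponent \(\lambda(m)=\mathrm{lcm}(p-1,q-1)\), which is at most half of \((p-1)(q-1)\), so the code recovers the factors from that multiple of \(\lambda(m)\) and keeps the group-size formula as a separate function.

```python
import math
import random

# Constructed toy modulus for the sketch above (not from the notes): m = p*q
# with distinct odd primes p and q.
P, Q = 61, 53
MODULUS = P * Q  # 3233


def order_mod(x: int, m: int) -> int:
    """Stand-in for the quantum order-finding subroutine: brute-force the
    smallest r >= 1 with x^r = 1 (mod m). This loop is exponential in log m,
    which is exactly the step Shor's algorithm makes polynomial."""
    if math.gcd(x, m) != 1:
        raise ValueError("x must be a unit modulo m")
    r, acc = 1, x % m
    while acc != 1:
        acc = (acc * x) % m
        r += 1
    return r


def recover_pq_from_group_size(m: int, phi: int):
    """The reduction quoted in the first bullet: from m = pq and
    phi = (p-1)(q-1) = m - p - q + 1 we get p + q = m - phi + 1, so p and q
    are the roots of t^2 - (p+q) t + m."""
    s = m - phi + 1
    disc = s * s - 4 * m
    if disc < 0 or math.isqrt(disc) ** 2 != disc:
        raise ValueError("phi is not the size of Z_m^*")
    d = math.isqrt(disc)
    return (s - d) // 2, (s + d) // 2


def lcm_of_orders(m: int, samples: int, rng: random.Random) -> int:
    """Second half of the bullet: lcm of the orders of a few random units.
    Caveat: this converges to the exponent lambda(m) = lcm(p-1, q-1), which is
    at most phi(m)/2 because p-1 and q-1 are both even, so it cannot be fed to
    recover_pq_from_group_size directly."""
    L = 1
    while samples > 0:
        x = rng.randrange(2, m)
        if math.gcd(x, m) != 1:
            continue  # a non-unit already splits m via gcd, but follow the sketch
        r = order_mod(x, m)
        L = L * r // math.gcd(L, r)
        samples -= 1
    return L


def factor_from_exponent_multiple(m: int, L: int, seed: int = 0, tries: int = 30):
    """Factor m = pq from a multiple L of lambda(m): write L = 2^s t; for a
    random y the chain y^t, y^{2t}, ..., y^{2^s t} = 1 (mod m) passes through a
    square root of 1, and whenever that root is not +-1, gcd(root - 1, m) is a
    proper factor. Each y succeeds with probability at least 1/2."""
    rng = random.Random(seed)
    s, t = 0, L
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(tries):
        y = rng.randrange(2, m)
        g = math.gcd(y, m)
        if g != 1:
            return min(g, m // g), max(g, m // g)
        z = pow(y, t, m)
        if z in (1, m - 1):
            continue
        for _ in range(s):
            z2 = z * z % m
            if z2 == 1:  # z is a nontrivial square root of 1 modulo m
                g = math.gcd(z - 1, m)
                return min(g, m // g), max(g, m // g)
            if z2 == m - 1:
                break  # this chain reaches 1 through -1; try another y
            z = z2
    return None


def factor_via_orders(m: int, seed: int = 0):
    """Whole pipeline: orders of random units -> lcm -> factors."""
    L = lcm_of_orders(m, samples=8, rng=random.Random(seed))
    return factor_from_exponent_multiple(m, L, seed=seed)
```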

Finding periods of a function: Simon’s Algorithm

Let \(\mathbb{H}\) be some Abelian group with a group operation that we’ll denote by \(\oplus\), and \(f\) be some function mapping \(\mathbb{H}\) to an arbitrary set (which we can encode as \(\{0,1\}^*\)). We say that \(f\) has period \(h^*\) for some \(h^*\in\mathbb{H}\) if for every \(x,y \in \mathbb{H}\), \(f(x)=f(y)\) if and only if \(y = x \oplus kh^*\) for some integer \(k\). Note that if \(\mathbb{G}\) is some Abelian group, then if we define \(\mathbb{H}=\Z_{|\mathbb{G}|}\), for every element \(g\in \mathbb{G}\), the map \(f(a)=g^a\) is a periodic map over \(\mathbb{H}\) with period the order of \(g\). So, finding the order of an element reduces to the question of finding the period of a function.

How do we generally find the period of a function? Let us consider the simplest case, where \(f\) is a function from \(\R\) to \(\R\) that is \(h^*\) periodic for some number \(h^*\), in the sense that \(f\) repeats itself on the intervals \([0,h^*]\), \([h^*,2h^*]\), \([2h^*,3h^*]\), etc. How do we find this number \(h^*\)? The key idea would be to transform \(f\) from the time to the frequency domain. That is, we use the Fourier transform to represent \(f\) as a sum of wave functions. In this representation wavelengths that divide the period \(h^*\) would get significant mass, while wavelengths that don’t would likely “cancel out”.

If \(f\) is a periodic function then when we represent it in the Fourier transform, we expect the coefficients corresponding to wavelengths that do not evenly divide the period to be very small, as they would tend to “cancel out”.

Similarly, the main idea behind Shor’s algorithm is to use a tool known as the quantum Fourier transform that, given a circuit computing the function \(f:\mathbb{H}\rightarrow\R\), creates a quantum state over roughly \(\log |\mathbb{H}|\) qubits (and hence dimension \(|\mathbb{H}|\)) that corresponds to the Fourier transform of \(f\). Hence when we measure this state, we get a group element \(h\) with probability proportional to the square of the corresponding Fourier coefficient. One can show that if \(f\) is \(h^*\)-periodic then we can recover \(h^*\) from this distribution.

Shor carried out this approach for the group \(\mathbb{H}=\Z^*_q\) for some \(q\), but we will start by seeing this for the group \(\mathbb{H} = \{0,1\}^n\) with the XOR operation. This case is known as Simon’s algorithm (given by Dan Simon in 1994) and actually preceded (and inspired) Shor’s algorithm:

Theorem (Simon’s Algorithm): If \(f:\{0,1\}^n\rightarrow\{0,1\}^*\) is polynomial time computable and satisfies the property that \(f(x)=f(y)\) iff \(x\oplus y = h^*\) then there exists a quantum polynomial-time algorithm that outputs a random \(h\in \{0,1\}^n\) such that \(\iprod{h,h^*}=0 \pmod{2}\).

Note that given \(O(n)\) such samples, we can recover \(h^*\) with high probability by solving the corresponding linear equations.

Proof: Let \(HAD\) be the \(2\times 2\) unitary matrix corresponding to the one-qubit operation \(\ket{0} \mapsto \tfrac{1}{\sqrt{2}}(\ket{0}+\ket{1})\) and \(\ket{1} \mapsto \tfrac{1}{\sqrt{2}}(\ket{0}-\ket{1})\), or equivalently \(\ket{a}\mapsto \tfrac{1}{\sqrt{2}}(\ket{0}+(-1)^a\ket{1})\). Starting from the state \(\ket{0^{n+m}}\), we apply this map to each one of the first \(n\) qubits to get the state \(2^{-n/2}\sum_{x\in\{0,1\}^n}\ket{x}\ket{0^m}\), and then apply the gates of \(f\) to map this to the state \(2^{-n/2}\sum_{x\in\{0,1\}^n}\ket{x}\ket{f(x)}\). Now suppose that we apply \(HAD\) again to each of the first \(n\) qubits. We get the state \(2^{-n}\sum_{x\in\{0,1\}^n}\prod_{i=1}^n(\ket{0}+(-1)^{x_i}\ket{1})\ket{f(x)}\). Opening up each one of these products and considering all \(2^n\) choices \(y\in\{0,1\}^n\) (with \(y_i=0\) corresponding to picking \(\ket{0}\) and \(y_i=1\) corresponding to picking \(\ket{1}\) in the \(i^{th}\) factor), this equals \(2^{-n}\sum_{x\in\{0,1\}^n}\sum_{y\in\{0,1\}^n}(-1)^{\iprod{x,y}}\ket{y}\ket{f(x)}\). Under our assumption, for every particular \(z\) in the image of \(f\) there exist exactly two preimages, \(x\) and \(x\oplus h^*\), such that \(f(x)=f(x\oplus h^*)=z\). So the amplitude of \(\ket{y}\ket{z}\) is \(2^{-n}\big((-1)^{\iprod{x,y}}+(-1)^{\iprod{x\oplus h^*,y}}\big) = 2^{-n}(-1)^{\iprod{x,y}}\big(1+(-1)^{\iprod{h^*,y}}\big)\). If \(\iprod{y,h^*}=0 \pmod{2}\) this has absolute value \(2^{-n}\cdot 2\), and otherwise it equals \(0\). Therefore, if we measure the state we will get a pair \((y,z)\) such that \(\iprod{y,h^*}=0 \pmod{2}\). QED
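The following is an added Python example, not from the notes: it classically evaluates the state from the proof for a constructed 4-bit \(f\) with period \(h^*=1011\), checks that only \(y\) with \(\iprod{y,h^*}=0 \pmod 2\) have nonzero probability, and then recovers \(h^*\) from sampled \(y\)’s by Gaussian elimination over GF(2), the “solve the linear equations” step mentioned after the theorem.

```python
import random

# Constructed toy instance (not from the notes): n = 4 bits and hidden period
# h* = 0b1011. f is 2-to-1 with f(x) = f(y) iff y = x xor h*, as the theorem
# requires.
N_BITS = 4
H_STAR = 0b1011


def f_with_period(x: int, hstar: int = H_STAR) -> int:
    return min(x, x ^ hstar)


def parity(v: int) -> int:
    """<x,y> mod 2 for bit strings packed into ints is the parity of x & y."""
    return bin(v).count("1") & 1


def simon_distribution(f, n: int) -> dict:
    """Classically evaluate the state reached in the proof (HAD on n qubits,
    the gates of f, HAD again) and return Pr[the first register reads y].
    The amplitude of |y>|z> is 2^-n * sum_{x: f(x)=z} (-1)^<x,y>, which is
    +-2^(1-n) when <y,h*> = 0 mod 2 and 0 otherwise. Exponential in n."""
    xs = range(2 ** n)
    images = {f(x) for x in xs}
    probs = {}
    for y in xs:
        total = 0.0
        for z in images:
            amp = sum((-1) ** parity(x & y) for x in xs if f(x) == z) / 2 ** n
            total += amp * amp
        probs[y] = total
    return probs


def solve_period(samples, n: int):
    """Classical post-processing: Gaussian elimination over GF(2) of the
    equations <y,h> = 0 (mod 2), rows stored as ints in reduced echelon form.
    Returns the unique nonzero h when the solution space has dimension 1,
    otherwise None (more samples are needed)."""
    pivots = {}  # pivot bit -> row whose highest set bit is that pivot
    for r in samples:
        for b, row in pivots.items():
            if (r >> b) & 1:
                r ^= row
        if r == 0:
            continue  # linearly dependent on the rows we already have
        b = r.bit_length() - 1
        for k in pivots:
            if (pivots[k] >> b) & 1:
                pivots[k] ^= r
        pivots[b] = r
    free = [b for b in range(n) if b not in pivots]
    if len(free) != 1:
        return None
    fb = free[0]
    h = 1 << fb  # set the single free variable to 1 ...
    for b, row in pivots.items():  # ... and read off each pivot variable
        if (row >> fb) & 1:
            h |= 1 << b
    return h


def recover_period(f, n: int, seed: int = 0, max_samples: int = 200):
    """Draw y from the measurement distribution until the GF(2) system pins
    down h*. While the solution space is still too large, a fresh sample is
    linearly independent with probability at least 1/2, so a little more
    than n samples normally suffice (the O(n) remark above)."""
    rng = random.Random(seed)
    dist = simon_distribution(f, n)
    ys, weights = zip(*dist.items())
    samples = []
    for _ in range(max_samples):
        samples.append(rng.choices(ys, weights=weights)[0])
        h = solve_period(samples, n)
        if h is not None:
            return h
    return None
```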

Simon’s algorithm seems to really use the special bit-wise structure of the group \(\{0,1\}^n\), so one could wonder if it has any relevance for the group \(\Z^*_m\) for some exponentially large \(m\). It turns out that the same insights that underlie the well known Fast Fourier Transform (FFT) algorithm can be used to essentially follow the same strategy for this group as well.

From Simon to Shor

(Note: The presentation here is adapted from the quantum computing chapter in my textbook with Arora.)

We now describe how to achieve Shor’s algorithm for order finding. We will not do this for a general group but rather focus our attention on the group \(\Z^*_{\ell}\) for some number \(\ell\) which is the case of interest for integer factoring and the discrete logarithm modulo primes problems.

That is, we prove the following theorem:

Theorem (Shor’s Algorithm): For every \(\ell\) and \(a\in\Z^*_\ell\), there is a quantum \(poly(\log \ell)\) algorithm to find the order of \(a\) in \(\Z^*_\ell\).

The idea is similar to Simon’s algorithm. We consider the map \(x \mapsto a^x \pmod{\ell}\), which is a periodic map over \(\Z_m\) where \(m=|\Z^*_\ell|\), with period equal to the order of \(a\).
To find the period of this map we will now need to perform a Quantum Fourier Transform (QFT) over the group \(\Z_m\) instead of \(\{0,1\}^n\). This is a quantum algorithm that takes a register from some arbitrary state \(f \in \mathbb{C}^{m}\) into a state whose vector is the Fourier transform \(\hat{f}\) of \(f\). The QFT takes only \(O(\log^2 m)\) elementary steps and is thus very efficient. Note that we cannot say that this algorithm “computes” the Fourier transform, since the transform is stored in the amplitudes of the state, and as mentioned earlier, quantum mechanics gives no way to “read out” the amplitudes per se. The only way to get information from a quantum state is by measuring it, which yields a single basis state with probability that is related to its amplitude. This is hardly representative of the entire Fourier transform vector, but sometimes (as is the case in Shor’s algorithm) this is enough to get highly non-trivial information, which we do not know how to obtain using classical (non-quantum) computers.

The Fourier transform over \(\Z_m\)

We now define the Fourier transform over \(\Z_m\) (the group of integers in \(\{0,\ldots,m-1\}\) with addition modulo \(m\)). We give a definition that is specialized to the current context. For every vector \(f\in\mathbb{C}^m\), the Fourier transform of \(f\) is the vector \(\hat{f}\) whose \(x^{th}\) coordinate is defined as follows (in the context of the Fourier transform it is customary and convenient to denote the \(x^{th}\) coordinate of a vector \(f\) by \(f(x)\) rather than \(f_x\)):

\(\hat{f}(x) = \tfrac{1}{\sqrt{m}}\sum_{y\in\Z_m} f(y)\omega^{xy}\)

where \(\omega = e^{2\pi i/m}\).

The Fourier transform is simply a representation of \(f\) in the Fourier basis \(\set{ \chi_x }_{x \in \Z_m}\), where \(\chi_x\) is the vector/function whose \(y^{th}\) coordinate is \(\tfrac{1}{\sqrt{m}}\omega^{xy}\). Now the inner product of any two vectors \(\chi_x,\chi_z\) in this basis is equal to \[\iprod{\chi_x,\chi_z} = \tfrac{1}{m}\sum_{y\in\Z_m} \omega^{xy} \overline{\omega^{zy}} = \tfrac{1}{m}\sum_{y\in\Z_m} \omega^{(x-z)y} \;.\] If \(x=z\) then \(\omega^{(x-z)y}=1\) for every \(y\) and hence this sum is equal to \(1\). On the other hand, if \(x \neq z\), then this sum is equal to \(\tfrac{1}{m} \tfrac{1 -\omega^{(x-z)m}}{1-\omega^{x-z}}= \tfrac{1}{m}\tfrac{1-1}{1-\omega^{x-z}}=0\) using the formula for the sum of a geometric series. In other words, this is an orthonormal basis, which means that the Fourier transform map \(f \mapsto \hat{f}\) is a unitary operation.

What is so special about the Fourier basis? For one thing, if we identify vectors in \(\mathbb{C}^m\) with functions mapping \(\Z_m\) to \(\mathbb{C}\), then it’s easy to see that every function \(\chi\) in the Fourier basis is a homomorphism from \(\Z_m\) to \(\mathbb{C}\) in the sense that \(\chi(y+z)= \chi(y)\chi(z)\) for every \(y,z \in \Z_m\). Also, every function \(\chi\) is periodic in the sense that there exists \(r\in \Z_m\) such that \(\chi(y+r)=\chi(y)\) for every \(y\in \Z_m\) (indeed if \(\chi(y) = \omega^{xy}\) then we can take \(r\) to be \(\ell/x\) where \(\ell\) is the least common multiple of \(x\) and \(m\)). Thus, intuitively, if a function \(f:\Z_m\rightarrow\mathbb{C}\) is itself periodic (or roughly periodic) then when representing \(f\) in the Fourier basis, the coefficients of basis vectors with periods agreeing with the period of \(f\) should be large, and so we might be able to discover \(f\)’s period from this representation. This does turn out to be the case, and is a crucial point in Shor’s algorithm.

Fast Fourier Transform

Denote by \(FT_m\) the operation that maps every vector \(f\in\mathbb{C}^m\) to its Fourier transform \(\hat{f}\). The operation \(FT_m\) is represented by an \(m\times m\) matrix whose \((x,y)\)th entry is \(\omega^{xy}\) (up to the \(1/\sqrt{m}\) normalization). The trivial algorithm to compute it takes \(m^2\) operations. The famous Fast Fourier Transform (FFT) algorithm computes the Fourier transform in \(O(m\log m)\) operations. We now sketch the idea behind the FFT algorithm, as the same idea is used in the quantum Fourier transform algorithm.

Note that

\(\hat{f}(x) = \tfrac{1}{\sqrt{m}}\sum_{y\in\Z_m} f(y)\omega^{xy} = \tfrac{1}{\sqrt{m}}\sum_{y\in\Z_m,\; y \text{ even}} f(y)\omega^{2x(y/2)} + \omega^x\tfrac{1}{\sqrt{m}}\sum_{y\in\Z_m,\; y \text{ odd}} f(y)\omega^{2x(y-1)/2} \;.\)

Now since \(\omega^2\) is an \(m/2\)th root of unity and \(\omega^{m/2}=-1\), letting \(W\) be the \(m/2 \times m/2\) diagonal matrix with diagonal entries \(\omega^0,\ldots,\omega^{m/2-1}\), we get that

\(FT_m(f)_{low} = FT_{m/2}(f_{even}) + W FT_{m/2}(f_{odd})\)

\(FT_m(f)_{high} = FT_{m/2}(f_{even}) - W FT_{m/2}(f_{odd})\)

where for an \(m\)-dimensional vector \(\vec{v}\), we denote by \(\vec{v}_{even}\) (resp. \(\vec{v}_{odd}\)) the \(m/2\)-dimensional vector obtained by restricting \(\vec{v}\) to the coordinates whose indices have least significant bit equal to \(0\) (resp. \(1\)) and by \(\vec{v}_{low}\) (resp. \(\vec{v}_{high}\)) the restriction of \(\vec{v}\) to coordinates with most significant bit \(0\) (resp. \(1\)).

The equations above are the crux of the divide-and-conquer idea of the FFT algorithm, since they allow us to replace a size-\(m\) problem with two size-\(m/2\) subproblems, leading to a recursive time bound of the form \(T(m) = 2T(m/2) + O(m)\), which solves to \(T(m)=O(m\log m)\).
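An added Python example (not from the notes) that implements the FFT recursion exactly as written above, with the page’s sign convention \(\omega = e^{2\pi i/m}\) and the \(1/\sqrt{m}\) normalization, checks it against the direct definition, and uses it to show the period-detection intuition from the previous section: for a function on \(\Z_m\) supported on one residue class modulo \(r\) with \(r \mid m\), the transform is supported exactly on the multiples of \(m/r\).

```python
import cmath
import math


def ft_direct(f):
    """The definition on the page: fhat(x) = (1/sqrt m) sum_y f(y) omega^{xy}
    with omega = e^{2 pi i / m}; m^2 operations."""
    m = len(f)
    omega = cmath.exp(2j * math.pi / m)
    return [sum(f[y] * omega ** (x * y) for y in range(m)) / math.sqrt(m)
            for x in range(m)]


def ft_fast(f):
    """The page's recursion: FT_m(f)_low = FT_{m/2}(f_even) + W FT_{m/2}(f_odd)
    and FT_m(f)_high = FT_{m/2}(f_even) - W FT_{m/2}(f_odd), with
    W = diag(omega^0, ..., omega^{m/2-1}). m must be a power of two. The
    1/sqrt(2) is the normalization the text neglects: it keeps every level
    unitary, so the result agrees with ft_direct."""
    m = len(f)
    if m == 1:
        return [complex(f[0])]
    omega = cmath.exp(2j * math.pi / m)
    even = ft_fast(f[0::2])  # coordinates whose index has least significant bit 0
    odd = ft_fast(f[1::2])   # ... and least significant bit 1
    w_odd = [omega ** x * odd[x] for x in range(m // 2)]
    low = [(even[x] + w_odd[x]) / math.sqrt(2) for x in range(m // 2)]
    high = [(even[x] - w_odd[x]) / math.sqrt(2) for x in range(m // 2)]
    return low + high  # low = most significant bit 0, high = 1


def periodic_support(r: int, m: int, x0: int = 0):
    """Period detection: f(y) = 1 iff y = x0 (mod r), with r | m. Returns the
    x with non-negligible |fhat(x)|. These are exactly the multiples of
    c = m/r, whatever the shift x0 (the shift only changes phases)."""
    f = [1.0 if y % r == x0 % r else 0.0 for y in range(m)]
    fhat = ft_fast(f)
    return [x for x in range(m) if abs(fhat[x]) > 1e-9]
```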

Quantum Fourier Transform over \(\Z_m\)

The quantum Fourier transform is an algorithm to change the state of a quantum register of \(m\) qubits from \(f \in \mathbb{C}^M\), where \(M=2^m\), to its Fourier transform \(\hat{f}\).

Theorem (Quantum Fourier Transform, Bernstein Vazirani): For every \(m\) and \(M =2^m\) there is a quantum algorithm that uses \(O(m^2)\) elementary quantum operations and transforms a quantum register in state \(f = \sum_{x\in\Z_M} f(x)\ket{x}\) into the state \(\hat{f}= \sum_{x\in\Z_M} \hat{f}(x) \ket{x}\), where \(\hat{f}(x) = \tfrac{1}{\sqrt{M}} \sum_{y\in \Z_M} \omega^{xy}f(y)\) and \(\omega = e^{2\pi i/M}\).

The crux of the algorithm is the FFT equations, which allow the problem of computing \(FT_M\), the problem of size \(M\), to be split into two identical subproblems of size \(M/2\) involving computation of \(FT_{M/2}\), which can be carried out recursively using the same elementary operations. (Aside: Not every divide-and-conquer classical algorithm can be implemented as a fast quantum algorithm; we are really using the structure of the problem here.)

Operation and resulting state (neglecting normalizing factors; \(M=2^m\) is the dimension of the \(m\)-qubit register):

  1. Initial state: \(f= \sum_{x\in\Z_M} f(x)\ket{x}\).
  2. Recursively run \(FT_{M/2}\) on the \(m-1\) most significant qubits. State: \((FT_{M/2}f_{even})\ket{0} + (FT_{M/2}f_{odd})\ket{1}\).
  3. If the LSB is \(1\) then apply \(W\) to the \(m-1\) most significant qubits (see below). State: \((FT_{M/2}f_{even})\ket{0} + (W FT_{M/2}f_{odd})\ket{1}\).
  4. Apply the Hadamard gate \(H\) to the least significant qubit. State: \((FT_{M/2}f_{even})(\ket{0}+\ket{1}) + (W FT_{M/2}f_{odd})(\ket{0}-\ket{1}) = (FT_{M/2}f_{even}+ W FT_{M/2}f_{odd})\ket{0} + (FT_{M/2}f_{even}-W FT_{M/2}f_{odd})\ket{1}\).
  5. Move the LSB to the most significant position. State: \(\ket{0}(FT_{M/2}f_{even}+ W FT_{M/2}f_{odd}) + \ket{1}(FT_{M/2}f_{even}- W FT_{M/2}f_{odd}) = \hat{f}\).

The transformation \(W\) on \(m-1\) qubits can be defined by \(\ket{x} \mapsto \omega^x\ket{x} = \omega^{\sum_{i=0}^{m-2} 2^ix_i}\ket{x}\) (where \(x_i\) is the \(i^{th}\) qubit of \(x\)). It can easily be seen to be the result of applying, for every \(i\in \set{0,\ldots,m-2}\), the following elementary operation on the \(i^{th}\) qubit of the register:

\(\ket{0} \mapsto \ket{0}\) and \(\ket{1} \mapsto \omega^{2^i}\ket{1}\).

The final state is equal to \(\hat{f}\) by the FFT equations (we leave this as an exercise).

Shor’s Order-Finding Algorithm

We now present the central step in Shor’s factoring algorithm: a quantum polynomial-time algorithm to find the order of an integer \(a\) modulo an integer \(\ell\).

Theorem (order finding algorithm, restated): There is a polynomial-time quantum algorithm that on input \(A,N\) (represented in binary) finds the smallest \(r\) such that \(A^r=1 \pmod{N}\).

Let \(m=\ceil{5\log N}\) and let \(M=2^m\). Our register will consist of \(m+n\) qubits, where \(n = polylog(N)\). Note that the function \(x \mapsto A^x \pmod{N}\) can be computed in \(polylog(N)\) time, and so we will assume that we can compute the map \(\ket{x}\ket{y} \mapsto \ket{x}\ket{y\oplus (A^x \pmod{N})}\) (where we identify a number \(X \in \set{0,\ldots,N-1}\) with its representation as a binary string of length \(\log N\)). To compute this map we may need to extend the register by some additional \(polylog(N)\) qubits, but we can ignore them as they will always be equal to zero except in intermediate computations. Now we describe the order-finding algorithm. It uses a tool of elementary number theory called continued fractions, which allows us to approximate (using a classical algorithm) an arbitrary real number \(\alpha\) by a rational number \(p/q\) where there is a prescribed upper bound on \(q\) (see below).

Operation and resulting state (including normalizing factors):

  1. Apply the Fourier transform to the first \(m\) qubits. State: \(\tfrac{1}{\sqrt{M}}\left(\sum_{x\in\Z_M}\ket{x}\right)\ket{0^n}\).
  2. Compute the transformation \(\ket{x}\ket{y} \mapsto \ket{x}\ket{y \oplus (A^x \pmod{N})}\). State: \(\tfrac{1}{\sqrt{M}}\sum_{x\in\Z_M} \ket{x}\ket{A^x \pmod{N}}\).
  3. Measure the second register to get a value \(y_0\). State: \(\tfrac{1}{\sqrt{K}}\sum_{\ell=0}^{K-1}\ket{x_0 + \ell r}\ket{y_0}\), where \(x_0\) is the smallest number such that \(A^{x_0} = y_0 \pmod{N}\) and \(K= \floor{(M-1-x_0)/r}\).
  4. Apply the Fourier transform to the first register. State: \(\tfrac{1}{\sqrt{M}\sqrt{K}} \left(\sum_{x\in\Z_M}\sum_{\ell=0}^{K-1} \omega^{(x_0+\ell r)x}\ket{x} \right) \ket{y_0}\), where \(\omega = e^{2\pi i/M}\).
In the analysis, it will suffice to show that this algorithm outputs the order \(r\) with probability at least \(\Omega(1/\log N)\) (we can always amplify the algorithm’s success by running it several times and taking the smallest output).

Analysis: the case that \(r|M\)

We start by analyzing the algorithm in the case that \(M = rc\) for some integer \(c\) (recall that \(M=2^m\) is the size of the first register). Though very unrealistic (remember that \(M\) is a power of \(2\)!) this gives the intuition why Fourier transforms are useful for detecting periods.

Claim: In this case the value \(x\) measured will be equal to \(ac\) for a random \(a \in \{0,\ldots,r-1\}\).

The claim concludes the proof since it implies that \(x/M = a/r\) where \(a\) is a random integer less than \(r\). Now for every \(r\), at least \(\Omega(r/\log r)\) of the numbers in \([r-1]\) are co-prime to \(r\). Indeed, the prime number theorem says that there are at least this many primes in this interval, and since \(r\) has at most \(\log r\) prime factors, all but \(\log r\) of these primes are co-prime to \(r\). Thus, when the algorithm computes a rational approximation for \(x/M\), the denominator it will find will indeed be \(r\).

To prove the claim, we compute for every \(x \in \Z_M\) the absolute value of \(\ket{x}\)’s coefficient before the measurement. Up to some normalization factor this is

\(\left| \sum_{\ell=0}^{c-1} \omega^{(x_0+\ell r)x} \right| = \left| \omega^{x_0 x} \right| \left| \sum_{\ell=0}^{c-1} \omega^{r\ell x} \right| = 1 \cdot \left| \sum_{\ell=0}^{c-1} \omega^{r\ell x} \right| \;.\)

If \(c\) does not divide \(x\) then \(\omega^{rx}\) is a \(c^{th}\) root of unity different from \(1\), so \(\sum_{\ell=0}^{c-1} \omega^{r \ell x} =0\) by the formula for sums of geometric progressions. Thus, such a number \(x\) would be measured with zero probability. But if \(x = cj\) then \(\omega^{r\ell x} = \omega^{r c j \ell} = \omega^{Mj\ell} = 1\), and hence the amplitudes of all such \(x\)’s are equal for all \(j \in \{0, 1, \ldots, r-1\}\).

The general case

In the general case, where \(r\) does not necessarily divide \(m\), we will not be able to show that the measured value \(x\) satisfies \(m | xr\). However, we will show that with \(\Omega(1/\log r)\) probability, (1) \(xr\) will be “almost divisible” by \(m\) in the sense that \(0 \leq xr \pmod{m} < r/10\) and (2) \(\floor{xr/m}\) is coprime to \(r\).

Condition (1) implies that \(|xr - cm| < r/10\) for \(c=\floor{xr/m}\). Dividing by \(rm\) gives \(\left| \frac{x}{m} - \tfrac{c}{r} \right| < \tfrac{1}{10m}\). Therefore, \(\tfrac{c}{r}\) is a rational number with denominator at most \(N\) that approximates \(\frac{x}{m}\) to within \(1/(10m) < 1/(4N^4)\). It is not hard to see that such an approximation is unique (again left as an exercise), and hence in this case the algorithm will come up with \(c/r\) and output the denominator \(r\) (condition (2) guarantees that \(c/r\) is in lowest terms).

Thus all that is left is to prove the next two lemmas. The first shows that there are \(\Omega(r/\log r)\) values of \(x\) that satisfy the above two conditions and the second shows that each is measured with probability \(\Omega((1/\sqrt{r})^2) =\Omega(1/r)\).

Lemma 1: There exist \(\Omega(r/\log r)\) values \(x \in \Z_m\) such that:

  1. \(0 < xr \pmod{m} < r/10\)
  2. \(\floor{xr/m}\) and \(r\) are coprime

Lemma 2: If \(x\) satisfies \(0 < xr \pmod{m} < r/10\) then, before the measurement in the final step of the order-finding algorithm, the coefficient of \(\ket{x}\) is at least \(\Omega(\tfrac{1}{\sqrt{r}})\).

Proof of Lemma 1: We prove the lemma for the case that \(r\) is coprime to \(m\), leaving the general case to the reader. In this case, the map \(x \mapsto rx \pmod{m}\) is a permutation of \(\Z_m\). There are at least \(\Omega(r/\log r)\) numbers in \([1..r/10]\) that are coprime to \(r\) (take primes in this range that are not one of \(r\)’s at most \(\log r\) prime factors) and hence \(\Omega(r/\log r)\) numbers \(x\) such that \(rx \pmod{m} = xr - \floor{xr/m}m\) is in \([1..r/10]\) and coprime to \(r\). But this means that \(\floor{rx/m}\) cannot have a nontrivial shared factor with \(r\), as otherwise this factor would divide \(xr - \floor{xr/m}m = rx \pmod{m}\) as well.

Proof of Lemma 2: Let \(x\) be such that \(0 < xr \pmod{m} < r/10\). The absolute value of \(\ket{x}\)’s coefficient in the state before the measurement is \[\tfrac{1}{\sqrt{K}\sqrt{m}}\left| \sum_{\ell=0}^{K-1} \omega^{\ell r x} \right| \;,\] where \(K = \floor{(m-x_0-1)/r}\). Note that \(\tfrac{m}{2r} < K < \tfrac{m}{r}\) since \(x_0 < N \ll m\).

Setting \(\beta=\omega^{rx}\) (note that since \(m \not| rx\), \(\beta \neq 1\)) and using the formula for the sum of a geometric series, this is at least \(\tfrac{\sqrt{r}}{2m}\left| \tfrac{1 - \beta^{\ceil{m/r}}}{1-\beta} \right| = \tfrac{\sqrt{r}}{2m}\tfrac{\sin(\theta\ceil{m/r}/2)}{\sin(\theta/2)} \;,\) where \(\theta=\tfrac{rx \pmod{m}}{m}\) is the angle such that \(\beta = e^{i\theta}\) (see Figure [quantum:fig:theta] for a proof by picture of the last equality). Under our assumptions \(\ceil{m/r}\theta<1/10\) and hence (using the fact that \(\sin \alpha \sim \alpha\) for small angles \(\alpha\)), the coefficient of \(x\) is at least \(\tfrac{\sqrt{r}}{4m}\ceil{m/r} \geq \tfrac{1}{8\sqrt{r}}\).

This completes the proof of the main lemma. QED
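To see the two claims above numerically, here is an added example (not code from the notes) that evaluates the magnitude of every \(\ket{x}\) coefficient directly from the formula, for a toy register size \(m\) and period \(r\): when \(r \mid m\) only the multiples of \(c = m/r\) survive, each with amplitude \(1/\sqrt{r}\), and in the general case the \(x\) of Lemma 1 get amplitude above the \(1/(8\sqrt{r})\) bound of Lemma 2. The function names and the convention \(K = 1 + \lfloor (m-1-x_0)/r \rfloor\) (the number of superposed positions) are my assumptions.

```python
import cmath
import math

def post_qft_amplitudes(m, r, x0):
    """Magnitude of the coefficient of |x> for every x in Z_m, after the second
    register has collapsed to y0 = f(x0) and the Fourier transform over Z_m has
    been applied to the first register, which then holds x0, x0+r, x0+2r, ...
    (all values below m) in uniform superposition.  This evaluates the sum from
    the text directly; nothing quantum is simulated.  Cost O(m*K), fine for toy sizes."""
    assert 0 <= x0 < r <= m
    K = 1 + (m - 1 - x0) // r          # number of superposed positions (assumed convention)
    norm = 1.0 / math.sqrt(m * K)      # the 1/(sqrt(m) sqrt(K)) factor of the text
    amps = []
    for x in range(m):
        # sum_{l=0}^{K-1} omega^{(x0 + l r) x} with omega = exp(2 pi i / m);
        # the exponent is reduced mod m since omega^m = 1
        s = sum(cmath.exp(2j * math.pi * ((x0 + l * r) * x % m) / m)
                for l in range(K))
        amps.append(norm * abs(s))
    return amps

def good_x_values(m, r):
    """The x in Z_m of Lemma 1: 0 < xr mod m < r/10 and floor(xr/m) coprime to r."""
    return [x for x in range(m)
            if 0 < (x * r) % m < r / 10 and math.gcd((x * r) // m, r) == 1]

if __name__ == "__main__":
    # constructed toy instance, r | m: m = 256, r = 16, so c = 16 and only
    # multiples of 16 carry any probability mass (each with amplitude 1/4)
    amps = post_qft_amplitudes(256, 16, 3)
    print([x for x, a in enumerate(amps) if a > 1e-9])
    # constructed general case: r = 13 does not divide 256; x = 197 is the only good x
    amps = post_qft_amplitudes(256, 13, 5)
    print(good_x_values(256, 13), amps[197], 1 / (8 * math.sqrt(13)))
```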

Rational approximation of real numbers

In many settings, including Shor’s algorithm, we are given a real number in the form of a program that can compute its first \(t\) bits in \(poly(t)\) time. We are interested in finding a close approximation to this real number of the form \(a/b\), where there is a prescribed upper bound on \(b\). Continued fractions are a tool from number theory that is useful for this.

A continued fraction is a number of the following form: \(a_0 + \frac{1}{a_1 + \frac{1}{a_2 + \tfrac{1}{a_3 + \ldots}} }\) for \(a_0\) a non-negative integer and \(a_1,a_2,\ldots\) positive integers.

Given a real number \(\alpha>0\), we can find its representation as a (possibly infinite) continued fraction as follows: split \(\alpha\) into the integer part \(\floor{\alpha}\) and fractional part \(\alpha - \floor{\alpha}\), find recursively the representation \(R\) of \(1/(\alpha - \floor{\alpha})\), and then write \[\alpha = \floor{\alpha} + \frac{1}{R} \;.\] If we continue this process for \(n\) steps, we get a rational number, denoted by \([a_0,a_1,\ldots,a_n]\), which can be represented as \(\tfrac{p_n}{q_n}\) with \(p_n,q_n\) coprime. The following facts can be proven using induction:

Furthermore, it is known that \(\Bigl|\tfrac{p_n}{q_n} - \alpha\Bigr| < \tfrac{1}{q_nq_{n+1}} (*)\) which implies that \(\tfrac{p_n}{q_n}\) is the closest rational number to \(\alpha\) with denominator at most \(q_n\). It also means that if \(\alpha\) is extremely close to a rational number, say, \(\left|\alpha - \tfrac{a}{b} \right| < \tfrac{1}{4b^4}\) for some coprime \(a,b\) then we can find \(a,b\) by iterating the continued fraction algorithm for \(polylog(b)\) steps. Indeed, let \(q_n\) be the first denominator such that \(q_{n+1} \geq b\). If \(q_{n+1} > 2b^2\) then \((*)\) implies that \(\bigl|\tfrac{p_n}{q_n}-\alpha\bigr| < \tfrac{1}{2b^2}\). But this means that \(\tfrac{p_n}{q_n} = \tfrac{a}{b}\) since there is at most one rational number of denominator at most \(b\) that is so close to \(\alpha\). On the other hand, if \(q_{n+1} \leq 2b^2\) then since \(\tfrac{p_{n+1}}{q_{n+1}}\) is closer to \(\alpha\) than \(\tfrac{a}{b}\), \(\bigl|\tfrac{p_{n+1}}{q_{n+1}}-\alpha\bigr| < \tfrac{1}{4b^4}\;,\) again meaning that \(\tfrac{p_{n+1}}{q_{n+1}}=\tfrac{a}{b}\). It’s not hard to verify that \(q_n \geq 2^{n/2}\), implying that \(p_n\) and \(q_n\) can be computed in \(polylog(q_n)\) time.
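As an added example (not part of the notes), the recursion above in code, together with the standard convergent recurrence \(p_n = a_n p_{n-1} + p_{n-2}\), \(q_n = a_n q_{n-1} + q_{n-2}\) and the Shor post-processing step of keeping the convergent with the largest denominator below \(N\). The toy register values \(m = 256\), \(x = 197\), \(r = 13\) used in the comments are constructed, and all function names are mine.

```python
from fractions import Fraction

def continued_fraction(alpha, max_terms=64):
    """Partial quotients [a0, a1, ...] of alpha >= 0, obtained by repeatedly
    splitting off the integer part and inverting the fractional part.  Floats
    are converted exactly to rationals, so the expansion is finite and stops on
    its own; max_terms only guards against very large denominators."""
    alpha = Fraction(alpha)
    terms = []
    while len(terms) < max_terms:
        a = alpha.numerator // alpha.denominator   # floor(alpha)
        terms.append(a)
        frac = alpha - a
        if frac == 0:
            break
        alpha = 1 / frac
    return terms

def convergents(terms):
    """(p_n, q_n) for every prefix [a0, ..., a_n], via the standard recurrence
    p_n = a_n p_{n-1} + p_{n-2}, q_n = a_n q_{n-1} + q_{n-2} started from
    p_{-2}/q_{-2} = 0/1 and p_{-1}/q_{-1} = 1/0.  Each pair is already coprime."""
    p_prev, p, q_prev, q = 0, 1, 1, 0
    out = []
    for a in terms:
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
        out.append((p, q))
    return out

def best_approx(alpha, bound):
    """The convergent with the largest denominator not exceeding bound; for an
    alpha within 1/(4b^4) of some a/b with b <= bound this is a/b, as argued
    in the text."""
    best = None
    for p, q in convergents(continued_fraction(alpha)):
        if q > bound:
            break
        best = (p, q)
    return best

def recover_order(x, m, N):
    """Shor post-processing: the measured x satisfies |x/m - c/r| < 1/(10m) for
    the order r < N, and that closeness pins c/r down uniquely, so its reduced
    denominator is r, provided c is coprime to r (otherwise a proper divisor of r
    comes out, e.g. x = 64, m = 256, r = 16 yields 4 because 64/256 = 1/4)."""
    return best_approx(Fraction(x, m), N - 1)[1]
```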

Quantum cryptography

There is another way in which quantum mechanics interacts with cryptography. These “spooky actions at a distance” have been suggested by Wiesner and Bennett-Brassard as a way in which parties can create a secret shared key over an insecure channel. On one hand, this concept does not require as much control as general-purpose quantum computing, and so it has in fact been demonstrated physically. On the other hand, unlike transmitting standard digital information, this “insecure channel” cannot be an arbitrary medium such as WiFi, etc., but rather one needs fiber optics, lasers, etc. Unlike quantum computers, where we only need one of those to break RSA, to actually use key exchange at scale we need to set up these types of networks, and so it is unclear if this approach will ever dominate the solution of Alice sending Bob a Brink’s truck with the shared secret key. People have proposed some other ways to use the interesting properties of quantum mechanics for cryptographic purposes, including quantum money and quantum software protection.