Introduction to Quantum Computing

Fall 2022

Instructor: 李彤阳

September 7, 2022
Basic Information
• Except Lecture 1, we will teach by handwriting on iPad, and notes will be
posted to our course website after each lecture.

• Textbooks: No standard textbook. References:

➢Paul Kaye, Raymond Laflamme, and Michele Mosca, An Introduction to Quantum
Computing, Oxford University Press.
➢Michael A. Nielsen and Isaac L. Chuang, Quantum Computation and Quantum
Information, Cambridge University Press.

• The lecture notes are adopted from several books and lecture notes for
best fitting the course topics. Acknowledgement: Prof. Andrew M. Childs
and Prof. Ronald de Wolf.
Evaluation
Assignments 25% (5 assignments, 5% each)
Project 35% (5% proposal, 20% final report, 10% presentation)
Final exam 40%

Assignments
• Each assignment will be given around two weeks to finish.
• Late assignments will NOT be accepted. After each deadline, there will be a
prompt lecture to post solutions hosted by TAs.
• You are encouraged to discuss assignment problems with your peers, with the
TA, and with the course instructor. However, your solutions should be based on
your own understanding and should be written independently. For each
assignment, if you discussed the problems with other students in the class, you
must include a list of the students' name.
Project
Our course project will:
• Explore a topic in depth, especially considering that quantum computing is a rapidly advancing area;
• Give you experience in reading research literature and identifying possible future research directions;
• Practice your scientific communication skills through both a written report and an in-class presentation.

You may work either on your own or in a group of two students. Project types include:
- An expository paper on a quantum computing topic that is not covered in the course,
- An original research project on a theoretical aspect of quantum computing, or
- An implementation of a quantum algorithm or protocol using online quantum computing platforms.

The project is composed of a proposal (1 page), a final report (no more than 10 pages),
and a presentation (around 20 minutes, depending on the number of groups).
Project
A suggested range of topics will be given around the middle of the semester.

The final report will be required to be written in a given LaTeX template. Reference:
• https://www.overleaf.com/learn/latex/Learn_LaTeX_in_30_minutes
• https://texdoc.org/serve/latex2e.pdf/0

The evaluation of the final report will mainly depend on:

- Contents: The range and the level of details that the report covers.
- Novelty: Catch the up-to-date trend for expository papers and implementation projects. Full score on
novelty for original research projects.
- Clarity: The clarity of the contents discussed in the report, whether those are intuitive and understandable.
- Quality: Grammars, choice of words, typos, expression of mathematical formulas, etc.

The evaluation of the presentation will mainly depend on contents and clarity.
Final Exam

Time: Wednesday December 21, afternoon

Students are allowed to take one page of A4 paper (with two sides).
No other notes, books, devices, etc. are allowed.

The problems will follow similar styles to assignment problems.

 Tentative Schedule

Week 2: Assignment 1 announced

Week 4: Assignment 2 announced; Assignment 1 due on Sep 30 and Solution Lecture 1

Week 7: Assignment 3 announced; Assignment 2 due on Oct 19 and Solution Lecture 2

Week 8: Project proposal due on Oct 30
Week 9: Assignment 4 announced; Assignment 3 due on Nov 2 and Solution Lecture 3

Week 11: Assignment 5 announced; Assignment 4 due on Nov 16 and Solution Lecture 4

Week 13: Assignment 5 due on Nov 30 and Solution Lecture 5

Week 14: Project final report due on Dec 11
Week 15: Course presentation
Final exam: Dec 21 afternoon
FAQ
What is the prerequisite of this course?
• No restriction; familiarity with linear algebra is preferred. No requirement on
having learned quantum mechanics.

Is our course purely theoretical?

• My lectures will focus on the theory of quantum computing. In our assignments,
there will be a few problems which require programming. Interested students can
also choose to accomplish a programming-based final project.

How well will the grades be given?

• As long as you finish the assignments, final projects, and the final exam, I will try to
give you good scores :)
Contents
• An overview of quantum computing
• Online quantum computing platforms
• Syllabus
What’s quantum computing?
Quantum computing is a type of computation whose operations can harness the
phenomena of quantum mechanics, such as superposition, entanglement, etc.

Classical bit: 0 or 1.

Quantum bit (qubit): A vector

Here

What is the difference between manufacturing classical and qubits?

Classical bits and qubits
Classical bits and qubits
Accuracy of quantum gates
Accuracy of quantum gates
Number of qubits
Number of qubits
Quantum supremacy

Fault-tolerant
Current quantum
quantum computers computers
10-100 noisy qubits >106 qubits
??? years
Quantum
supremacy
Quantum supremacy
Current status of quantum computing research

Industry Giants

Start-ups

Academia
Online quantum computing platforms
• IBM Qiskit: https://qiskit.org/
Online quantum computing platforms
• IBM Qiskit: https://qiskit.org/
Online quantum computing platforms
• Tensorflow Quantum: https://www.tensorflow.org/quantum
• Paper: TensorFlow Quantum: A Software Framework for Quantum Machine
Learning, https://arxiv.org/abs/2003.02989
Online quantum computing platforms
• QuTiP: https://qutip.org/. Written in Python, focus on quantum simulation.
• QuTiP: An open-source Python framework for the dynamics of open quantum
systems, https://arxiv.org/abs/1110.0573
• QuTiP 2: A Python framework for the dynamics of open quantum systems,
https://arxiv.org/abs/1211.6518
Online quantum computing platforms
• TensorCircuit: a Quantum Software Framework for the NISQ Era,
https://arxiv.org/abs/2205.10091
Quantum computing by steps

Focus of this course: The top level, quantum algorithms

Why study quantum algorithms?

• After all, this is the very original motivation of studying quantum computing.

• In our school, this is at a similar level compared to the classical counterpart:

算法设计与分析

• We have companion courses on quantum information, quantum transportation,

etc., and this course focuses on the computer science side of quantum computing.
Syllabus
• Basic definitions: quantum state, quantum measurement, quantum circuits
• Superdense coding, quantum teleportation
• Algorithms with black-box inputs: Deutsch-Jozsa algorithm, Simon’s algorithm
• Quantum Fourier transform, phase estimation
• Shor’s algorithm
Syllabus
• Grover search
• Discrete-time quantum walk
• Hitting time
• Element distinctness
Syllabus
Quantum simulation:
• Hamiltonian simulation
• Trotter decomposition, high-order product formula
• Linear combination of unitaries
• Application: continuous-time quantum walks, glued tree
Syllabus
• Quantum algorithms for solving linear systems
• Applications
• Quantum complexity theory
Goals after you learn this course
• Have a basic understanding about quantum computing
• Being able to conduct research in quantum computing

Interested in quantum computing research?

My group meeting: Every Wednesday 7-9 pm, 静园五院102

Subscribe by sending an email to [email protected]. We announce

the group meeting each week by emails.
Any questions?

Next class: Basic definitions in quantum computing.

Introduction to Quantum Computing Lecturer: Tongyang Li, scribed by Shuo Zhou
Fall 2022, Peking University Date: September 9, 2022

Lecture 2

Basic Definition in Quantum Computing

- Cricuits
- Reversible computing
- Quantum states
- Quantum dynamics
- Composite systems

Last time we’ve mentioned that:

classcial bit : 0, 1 −→ quantum bit (qubit) : a |0i + b |1i , |a|2 + |b|2 = 1

What can we apply upon qubits?

1 Classcial gate
We call a set of gates universal if it can compute any f : {0, 1}n → {0, 1}m

• {AND, OR, NOT} is universal.

• {NAND} is universal.

• OR can be made by AND and NOT.

1
2 Reversible Computing
AND gate is NOT reversible: cannot recover(x,y) pairs with the output:

Nevertheless, in principle, any computation can be made reversible:

Toffoli is universal:

Ancilla: Extra bits not involved in the input or output.

By composing reversible gates, we can do any computation reversibly, Moreover, we can uncompute the
junk:

Whenever we compute x 7−→ f (x) efficiently, we can efficiently reversibly compute:

(x, y, 0) 7−→ (x, y ⊕ f (x), 0)

2
3 Postulates in quantum computing
3.1 Quantum states
( )
a0 a0 , a 1
Qubit : ∈C |a0 |2 + |a1 |2 = 1
a1 “amplitudes”
( )
1
= |0i
0
Basic vectors :
( )
0
= |1i
1

{|0i , |1i} is a computational basis for a qubit:

|ψi = a0 |0i + a1 |1i “ket”

We denote the dual vector (conjugate transpose) by:

hψ| = a∗0 h0| + a∗1 h1| “bra”

“ket”-column vector, “bra”-row vector

Bra-ket represents an inner product:
( )
( ) b
= a∗0 b0 + a∗1 b1
0
hψ|ϕi = a∗0 a∗1
b1
hψ|ψi = 1

Ket-bra represents an outer product:

( ) ( )
1 ( ) 0 ( )
|0i h1| + |1i h1| = 10 + 01
0 1
( )
1 0
= =I
0 1
How to express all quantum states? Bloch Sphere:

θ θ
|ψi = eiη cos |0i + eiϕ sin |1i
2 2
Since the global phase is irrelevant, set η = 0 WLOG:
θ θ
|ψi = cos |0i + eiϕ sin |1i
2 2

3
3.2 Quantum dynamics/evolutions
Time evolution in quantum mechanics is linear:

if |ψi 7−→ |ψ ′ i , |ϕi 7−→ |ϕ′ i , then :

α |ψi + β |ϕi 7−→ α |ψ ′ i + β |ϕ′ i

Recall that all quantum states are l2 -norm unit vectors. To keep quantum states being states =⇒ quantum
dynamics must be unitary:

|ψi 7−→ U |ψi

1 = hψ|ψi = hψ|U † U |ψi true for ∀ |ψi
†
⇒U U =I

The time evolution of a quantum system is described by a unitary operator:

( ) ( )† ( )
0 1 NOT |0i = |1i 0 1 0 1
NOT = =
1 0 NOT |1i = |0i 1 0 1 0

∴ NOT† NOT = I

For example:

Some Common single-qubit gates:

( ) ( ) ( ) ( )
1 0 0 1 0 −i 1 0
I= Identity X= Y = Z= Pauli X, Y, Z
0 1 1 0 i 0 0 −1
( ) ( ) ( ) ( π )
1 1 1 1 0 1 0 iπ e−i 8 0 π
H=√ Hadamard S= Phase T = π =e 8 π
2 1 −1 0 i 0 ei 4 0 ei 8 8

In physics, U comes from Schrödinger equation:

d
i |ψ(t)i = H |ψ(t)i
dt
H : the“Hamiltonian” H = H†

When H is time independent,

|ψ(t)i = e−iHt |ψ(0)i

This can be defined by Taylor Series:

(−iHt)2
e−iHt = I + (−iHt) + + ···
2!

4
3.3 Composite systems
The state space of a composite system is the tensor product of the individual space.
 
( ) ( ) p0 q 0
p q 
p0 q0  0 1
Vector : ⊗ = 
p1 q1 p1 q0 
p1 q 1
 
( ) ( ) a00 b00 a00 b01 a01 b00 a01 b01
a b a01 b11 
a00 a01 b00 b01  00 10 a00 b11 a01 b10 
⊗ = 
a10 a11 b10 b11 a10 b00 a10 b01 a11 b00 a11 b01 
a10 b10 a10 b11 a11 b10 a11 b11
If the first and second subsystem is denoted as |ψi, |ϕi respectively, then the overall state is:

|ψi ⊗ |ϕi = |ψi |ϕi = |ψ, ϕi

(U1 ⊗ U2 )(|ψi ⊗ |ϕi) = U1 |ψi ⊗ U2 |ϕi

For example:

n qubits C2 ⊗ C2 ⊗ · · · ⊗ C2 ∼
n
= C2
∑
|ψi = ax |xi
x∈{0,1}n

For example:

2 qubits states |00i , |01i

1 |0i + |1i
√ (|00i + |01i) = |0i ⊗ √
2 2
Independent operators on subsystem are described by a tensor product:

(A ⊗ B)(|ψi ⊗ |ϕi) = A |ψi ⊗ B |ϕi

( )
0 1 1
Act with X = on the second qubit of √ (|00i + |11i) :
1 0 2
 
 1   
0 1 0 0 √ 0
1 0 0 0  
2  
1   0   √1 
 =  2  = √1 (|01i + |10i)
(I ⊗ X) √ (|00i + |11i) =  
2 0 0 0 1     1 
 0   √2  2
√1
0 0 1 0 2 0
2-subsystem states with form |ψi |ϕi are called product states; otherwise they’re called entangled states:
For example:
1
√ (|00i + |11i) is entangled.
2
Proof. Assume that √1 (|00i
2
+ |11i) = (α0 |0i + α1 |1i)(β0 |0i + β1 |1i). Then α0 β0 = √1 , α0 β1
2
= 0, α1 β0 =

0, α1 β1 = √1 .α0 β0 α1 β1
2
= 1
2 6= 0 = α0 β1 α1 β0 , a contradiction.

5
Introduction to Quantum Computing Lecturer: Tongyang, scribed by Shuo Zhou
Fall 2022, Peking University Date: September 16, 2022

Lecture 3

More on Basic Definitions, Protocols and Quantum Circuits

- Quantum measurements
- Superdense coding
- Teleportation
- Single-qubit gates
- Controlled gates

Last time we’ve introduced: quantum states, dynamics, and compositions.

How to determine what state we have?

1 Orthonormal basis
A group of vectors {|φi i} such that:
∑
hφi |φj i = δij and |φi i hφi | = I
i

For example: For 1-qubit system, {|0i , |1i} is orthonormal.

{ ( ) ( ) ( )
|+i = √12 (|0i + |1i) √1 ( ) √1 ( ) 1 0
Denote : |+i h+| + |−i h−| = 2 √1 √1 + 2 √1 − √1 =
|−i = √2 (|0i − |1i)
1 √1
2
2 2 − √12 2 2 0 1
Thus, {|+i , |−i} is orthonormal.
For 2-qubit system, {|+0i , |+1i , |−0i , |−1i} is orthonormal.

• Let B = {|φi i} be an orthonormal basis for the state space of a quantum system. Then if the system
∑
is in a state |ψi = i ai |φi i, a quantum measurement with respect to B outputs “i” with probability
|ai |2 , leaving the system in state |φi i.
∑
• If the system is in i ai |φi i ⊗ |ωi i where the states |ωi i is normalized. Then a measurement of the
first subsystem w.r.t. B gives “i” with probability |ai |2 , leaving the system in state |φi i ⊗ |ωi i.

• Global phase does not matter.

√
For example: Measure |ψi = 1
2 |0i + 23 |1i in the basis {|+i , |−i}.
( ) √ √ √
( ) 1 1+ 3 2+ 3 2− 3
h+|ψi = √1 √1
2 2
√2
3
= √ ⇒ Pr(+) = Pr(−) =
2 2 2 4 4
√ ( ) √ ( ) √ √
1 3 1 |+i + |−i 3 |+i − |−i 1+ 3 1− 3
Or : |ψi = |0i + |1i = √ + √ = √ |+i + √ |−i
2 2 2 2 2 2 2 2 2 2

1
 We could also realize this by a unitary followed by a computational basis measurement.
( ) ( ) ( √ )
1+√ 3
1 1 1 H |+i 7−→ |0i 1
H=√ H √23 = 1− 2 √2
2 1 −1 H |−i 7−→ |1i 2
√ 3
2 2

2 Partial measurement
For example: |ψi = √1 (|00i
2
+ |11i), measure 1st qubit in computational basis:

1 1
, |ψi 7−→ |00i Pr(1) = , |ψi 7−→ |11i
Pr(0) =
2 2
√ √ √ √
For example: |ψi = 10
1
|00i + 10
2
|01i + 103
|10i + 10
4
|11i, measure 1st qubit in computational basis:
√ √ √ √ √ √
3 1 2 7 3 4
|ψi = |0i ⊗ ( |0i + |1i) + |1i ⊗ ( |0i + |1i)
10 3 3 10 7 7
3 7
Pr(0) = , Pr(1) =
10 10
If we measure both qubits in the computational basis, we get:
1 2 3 4
Pr(00) = , Pr(01) = , Pr(10) = , Pr(11) = .
10 10 10 10

3 Superdense coding
Suppose Alice and Bob share an entangled state √12 (|00i + |11i).(ebit)
( ) ( ) ( ) ( )
1 0 0 1 1 0 0 1
Suppose Alice applies one of I = , X= , Z= , ZX = = iY
0 1 1 0 0 −1 −1 0

1 1
(I ⊗ I) √ (|00i + |11i) = √ (|00i + |11i) = |β00 i
2 2
1 1
(X ⊗ I) √ (|00i + |11i) = √ (|10i + |01i) = |β01 i
2 2
1 1
(Z ⊗ I) √ (|00i + |11i) = √ (|00i − |11i) = |β10 i
2 2
1 1
(ZX ⊗ I) √ (|00i + |11i) = √ (− |10i + |01i) = |β11 i
2 2
{|β00 i , |β01 i , |β10 i , |β11 i} forms an orthonormal basis, the Bell basis.
A procedure that Alice can send two classical bits to Bob:

1. If Alice wants to send ZX ∈ {0, 1}2 to Bob, she performs Z Z X X on √1 (|00i + |11i)
2
and obtains |βZX i.

2. Alice sends her qubit to B.

3. B measures in the Bell basis −→ leran X and Z

The procedure requires an ebit, sends a qubit, and Bob can decode two classical bits.

2
4 Teleportation
Now, Alice wants to send Bob a qubit, but she only has a classical channel.
Suppose they also share a Bell pair.
Mathematically, they share |ψi ⊗ |β00 i, where Alice has qubits 1 & 2, Bob has qubit 3.

Idea: Alice measures qubit 1 & 2 in Bell basis:

1
|ψi |β00 i = (a0 |0i + a1 |1i) √ (|00i + |11i)
2
1
= √ (a0 |000i + a0 |011i + a1 |100i + a1 |111i)
2
1
= (a0 (|β00 i + |β10 i) |0i + a0 (|β01 i + |β11 i) |1i + a1 (|β01 i − |β11 i) |0i + a1 (|β00 i − |β10 i) |1i)
2
1
= [|β00 i (a0 |0i + a1 |1i) + |β01 i (a0 |1i + a1 |0i) + |β10 i (a0 |0i − a1 |1i) + |β11 i (a0 |1i − a1 |0i)]
2
1
= [|β00 i |ψi + |β01 i X |ψi + |β10 i Z |ψi + |β11 i XZ |ψi]
2
Alice gets each outcome with probability 14 .

Procedure:
1. Alice measures qubit 1 & 2 in Bell basis.
 

 |β00 i 
 00

 |β i 
 10
01
2. If the outcome is , Alice sends XZ = to Bob.

 |β10 i 
 01

 

|β11 i 11

3. Bob applies Z Z X X to qubit 3.

• Superdense coding: The procedure requires an ebit, sends a qubit, and Bob can decode two classical
bits.

• Teleportation: The procedure requires an ebit, sends two classical bits, and Bob can decode a qubit.

In the following sections, we discuss about chapter of Quantum Circuits, which should have
been scheduled in the next lecture, but was put here corresponding with the lecture’s pace.

How do we draw quantum computing procedures, i.e., quantum cricuits?

For example:
|0i U1
U3
|0i
U2
|0i

3
Common rules:

• Quantum cricuits runs from left to right

• Qubits start in |0i

• Measure in the computational basis

• for quantum wire, for classical wire.

• for measurements.

5 Single-qubit gates

|ψi = cos θ2 |0i + eiϕ sin θ2 |1i

2 × 2 unitary matrix ←→ rotation on Bloch sphere

( ) ( ) ( )
0 1 0 −i 1 0
Recall X = Y = Z= X 2 = Y 2 = Z 2 = I Consider :
1 0 i 0 0 −1

θ (i θ )2 (i θ )3 (i θ )4
RX (θ) = e−i 2 X = I − i X + 2 X 2 − 2 X 3 + 2 X 4 + · · ·
θ

( 2 2! ) (3! 4! )
θ 2 θ 4 θ 3
(2) (2) θ (2) ( θ2 )5
=I 1− + + · · · − iX − + + ···
2! 4! 2 3! 5!
( )
θ θ cos θ2 −i sin θ2
= cos I − i sin X =
2 2 −i sin θ2 cos θ2

Similarly, we can define RY (θ) = e−i 2 Y , RZ (θ) = e−i 2 Z :

θ θ

( )
θ θ cos θ2 − sin θ2
RY (θ) = cos I − i sin Y =
2 2 sin θ2 cos θ2
( θ )
θ θ e−i 2 0
RZ (θ) = cos I − i sin Z = θ
2 2 0 ei 2

Consider acting RZ (θ) on |ψi = cos 2ξ |0i + eiϕ sin 2ξ |1i:

( )
−i θ2 ξ ξ ξ ξ
cos |0i + ei 2 eiϕ sin |1i = e−i 2
θ θ
RZ (θ) |ψi = e cos |0i + ei(θ+ϕ) sin |1i
2 2 2 2
=⇒ RZ (θ) is a rotation about z − axis by θ
More generally, n̂ = (nx , ny , nz ) ∈ R3 , Rn̂ (θ) = e−i 2 (nX X+nY Y +nZ Z)
θ

Fact: Any 1-qubit unitary can be decomposed as eiϕ RZ (θ3 )RX (θ2 )RZ (θ1 ) where ϕ, θ1 , θ2 , θ3 ∈ R

4
6 Controlled-U gates

CNOT In general: Controlled -U

|xi • |xi •
|yi |x ⊕ yi U

|00i 7−→ |00i , |01i 7−→ |01i |0i |ψi 7−→ |0i |ψi
|10i 7−→ |11i , |11i 7−→ |10i |1i |ψi 7−→ |0i U |ψi
( )
x, y ∈ {0, 1} I 0
|0i h0| ⊗ I + |1i h1| ⊗ U =
0 U
For example:

• • • |+i • |−i
Z
= ⇐⇒
X −I |−i |−i

5
Introduction to Quantum Computing Lecturer: Tongyang, scribed by Shuo Zhou
Fall 2022, Peking University Date: September 21, 2022

Lecture 4

Quantum Gate Universality; Deutsch-Jozsa Problem

- Universality
- Phase kickback
- Deustsch’s problem
- Deustsch-Jozsa problem

1 Universality
We would like to use a finite gate set to quantify complexity an fault tolerance.
This needs approximation and a metric between states.
√
k|ψi − |ϕik := (hψ| − hϕ|)(|ψi − |ϕi)
√
k|ψi − |ψik = 0, k|ψi − |−ψik = 2, hψ|ϕi = 0 ⇒ k|ψi − |ϕik = 2

Distance between unitaries:

E(U, V ) = max kU |ψi − V |ψik
|ψ⟩

For example:
kX |−i − I |−ik = 2 ⇒ E(X, I) = 2

Note that E is subadditive:

E(U1 U2 , V1 V2 ) ≤ E(U1 , V1 ) + E(U2 , V2 )

Definition: A set of quantum gates is universal if for any positive integer n, any n-qubot unitary U and
any ϵ > 0, we can find gates V1 , V2 , · · · , Vk from the set s.t. E(U, V1 V2 · · · Vk ) ≤ ϵ
For example: {Toffoli} can only map product states to product states: not universal.
For example: {CNOT,X,Y,Z} can only map product states to product states: not universal.
Facts about universality:

• If we can rotate by an angle that is not a rational multiple of π, then we can approximate a rotation
about that axis by any angle arbitrarily closely.

• If we can rotate about two non-parallel axes by arbitrary angles, we can perform an arbitrary rotation.

• For multi-qubit gates, universal set must include an entangling gate (can map product state to entangled
state).

1
 • In fact, universal 1-qubit gate set + any entangling gate gives universality.
( )
π 1 0
Common universal set: {CNOT,H,T}, where T = RZ ( 4 ) = π
0 ei 4
HT HT, T HT H → irrational angle.
Efficiency: NOT every unitary on n qubits has a cricuit of poly(n) gates by a counting argument.
Classically:

• Number of permutations of the 2n strings with n bits: (2n )!

• Number of cricuits consisting of m gates is only exponentially large in m.

( )m
For example: 3C73 for Toffoli gates.

Similarly, exponentially many gates are needed to do an arbitrary unitary.

Good approximation, Solovay-Kitaev Theorem:
With any fixed universal set of 1-qubit gates that is closed under inverses, any 1-qubit gate can be
approximated within ϵ using O(log4 ( 1ϵ )) gates.
This can be generalized to multiple qubits.

2 Phase kickback
Simplest query problem:
x f1 (x) f2 (x) f3 (x) f4 (x)
|xi |xi 0 0 1 0 1
Uf
|yi |y ⊕ f (x)i 1 0 1 1 0
constant balanced
Put |−i = √1 (|0i − |1i) in the second register.
2
|xi |−i = √1 (|xi |0i − |xi |1i) 7−→ √1 |xi (|f (x)i − |f (x)i)
2  2
|−i f (x) = 0
√1 |xi (|f (x)i − |f (x)i) = |xi = (−1)f (x) |xi |−i
2 − |−i f (x) = 1
Hence, |xi |−i 7−→ (−1)f (x) |xi |−i. This is formally known as phase kickback.

3 Deustsch’s problem
Given black box for f : {0, 1} −→ {0, 1}. Problem: Is f constant or balanced?(Or the parity of f (0) ⊕ f (1))
Quantumly, query in superposition:

|0i H H⊗I Uf
Uf |0i |0i 7−→ |+i |0i 7−→ √1
2
(|0, f (0)i + |1, f (1)i)
|1i

Not so helpful... cannot get the information of both f (0) and f (1) at the same time.
Instead, we use phase kick:

|0i H H⊗I Uf ( )
Uf |0i |−i 7−→ |+i |−i 7−→ √1
2
(−1)f (0) |0i + (−1)f (1) |1i |−i
|−i

2
 
( ) ( ) |+i |−i f (0) ⊕ f (1) = 0
(−1)f (0)
√1 (−1)f (0) |0i + (−1)f (1) |1i |−i = √ |0i + (−1)f (0)⊕f (1) |1i |−i ∝
2 2 |−i |−i f (0) ⊕ f (1) = 1

|0i H H |f (0) ⊕ |f (1)ii

Uf Here we leave out the global phase:(−1)f (0)
|−i |−i

4 Deustch-Jozsa problem
• Given: f : {0, 1}n 7−→ 0, 1(by a black box)

• Promise: f is either constant or balanced.

• Determine for sure which holds in the promise.

Classically, we need 2n−1 + 1 queries.

Quantumly: |xi |−i 7−→ √12 |xi (|f (x)i − |f (x)i) = (−1)f (x) |xi |−i

|x1 i |x1 i
.. ··· ··· ..
. Uf .
|xn i |xn i
|−i (−1)f (x) |−i
Algorithm:
|0i H H
.. ··· ··· ..
. Uf .
|0i H H
|−i |−i
⊗n ⊗n
∑ 1 Uf 1 ∑
(H |0i ) |−i = |+i |−i = √ |xi |−i 7−→ √ (−1)f (x) |xi |−i (*)
2 n 2n
x∈{0,1}n x∈{0,1}n

Recall H |xi = |0⟩+(−1) |1⟩ x

√
2
, x ∈ {0, 1}
As a result, for a certain x ∈ {0, 1}n , rewrite as |x1 i |x2 i . . . |xj i

⊗n
|0i + (−1)xj |1i 1 ∑ ∏
n
1 ∑
H ⊗n |xi = √ =√ (−1)xj yj |yi = √ (−1)x·y |yi
j=1
2 2n y∈{0,1}n j=1
2n y∈{0,1}n

Here x · y means bite-wise product x · y = x1 y1 + x2 y2 + · · · + xn yn

Plugging this into (*):
1 ∑ H ⊗n ⊗I 1 ∑ ∑ ∑
√ (−1)f (x) |xi |−i 7−→ (−1)f (x) (−1)x·y |yi |−i = ay |yi |−i
2n 2n
x∈{0,1}n x∈{0,1}n y∈{0,1}n y∈{0,1}n

∑ f ∑
Where ay = 21n {0,1}n (−1)f (x)+x·y . If f is a constant, then ay = (−1) 2n x∈{0,1}n (−1)
x·y

a0...0 = (−1) , ay = 0 when y 6= 0 . . . 0 (say yi 6= 0, then xi = 0 and xi = 0 cancel each other)

f
∑
If f is balanced, a0...0 = 21n x∈{0,1}n (−1)f (x) = 0,

3
  if y = 0 . . . 0, output ”constant”. If y 6= 0 . . . 0, output “balanced”.
Conclusion: after we measure,
Classically, 2n−1 + 1 (determinisic) queries
Succeed with probability 1:
Quantumly, 1 query
( )
But with classical randomized algorithm. O log 1ϵ queries with success probability ≥ 1 − ϵ:
( )
Take O log 1ϵ samples. If all same, output “constant”. Otherwise output “balanced”.

4
Introduction to Quantum Computing Lecturer: Tongyang, scribed by Shuo Zhou
Fall 2022, Peking University Date: September 23, 2022

Lecture 5

Simon’s problem; Quantum Fourier Transform

- Simon’s problem
- Quantum Fourier transform

1 Simon’s problem
• Given: a function f : {0, 1}n → X where |X| ≥ 2n−1 .“A structured 2-to-1 function”

• Promise: ∃ some s ∈ {0, 1}n , s 6= 0n such that f (x) = f (y), if and only if x = y or x = y ⊕ s.

• Find s.

Classically, wihtout randomization, 2n−1 + 1 queries.

With randomization: Query f (x1 ), . . . f (xk ) with xi (1 ≤ i ≤ k) chosen at random from {0, 1}n , until we
find xi 6= xj such that f (xi ) = f (xj ). Then return s = xi ⊕ xj
n

By the analysis of the birthday paradox, we expect to find a collsion after Θ 2 2 queries. In fact, this is
optimal.    
1 M
Pr[all different] = 1 − ··· 1 −
N N
√
1 + ··· + M 7 N
≥1− ≥ when M =
N 8 2
Uf
Quantum algorithm: quantum black-box: |x, yi 7−→ |x, y ⊕ f (x)i

 X
|0i  H H ⊗n ⊗m H
⊗n ⊗m
I 1
|xi  |0i |0i 7−→ √ |xi |0m i
.. ··· ··· .. 2n x∈{0,1}n
.  .
 Uf 1 X
|0i H H 7−→ √ |xi |f (x)i
 Uf 2n x∈{0,1}n
|0i  X |xi + |x ⊕ si
|yi  = √
1
√ |f (x)i
.. ··· ··· ..
. . 2n−1 2

 x∈R
|0i |R| = 2n−1 , coset representation of f

H ⊗n P
Recall the effect of H ⊗n (Hadamard transformation), |xi 7−→ √12n y∈{0,1}n (−1)x·y |yi
Recall: x · y means bit-wise product x · y = x1 y1 + · · · xn yn (mod 2)

1
 Plugging this into above:

1 X |xi + |x ⊕ si H (⊗n I ⊗m 1 1 X X h i
√ √ |f (x)i −→ √ √ (−1)x·y + (−1)(x⊕s)·y |yi|f (x)i
2n−1 x∈R
2 2n−1 2n+1 x∈R y∈{0,1}n
1 X X
= n (−1)x·y [1 + (−1)s·y ] |yi|f (x)i
2 n
x∈R y∈{0,1}

We measure this state, for the first register, we get:

X 1 1
Pr[y] = | n (−1)x·y [1 + (−1)s·y ]|2 = n+1 |1 + (−1)s·y |2
2 2
x∈R

Either s · y = 0 ⇒ Pr[y] = 2n−1

1
or s · y = 1 ⇒ Pr[y] = 0 mod 2
Therefore, we get a random y, s.t. s ·y =0
 s · y1 = 0



.
Now we repeat this k times, we get ..



s · y = 0
k
If we get n − 1 linearly independent equations, we can solve for s. Each halves the possible solution space.
What’s the probability?

Yn   Y∞  
2n − 1 2n − 2 2n − 2n−1 1 1 1
Pr[linearly independent] = n
· n
······ · n
= 1− i ≥ 1 − i ≈ 0.289 · · · >
2 2 2 i=1
2 i=1
2 4

Therefore, with constant probability, n − 1 quantum queries suffice.

2 Quantum Fourier transform

H ⊗n P
Hadamard transform: |xi 7−→ √12n y∈{0,1}n (−1)x·y |yi where x is an integer modulo 2n .
This is a Fourier transform over Z2 ⊗ · · · ⊗ Z2 .
| {z }
n
How about Fourier transform over Z2n ? That has the form:
1 X 2πixy
|xi 7−→ √ e 2n |yi := |x̃i
2n y∈Z n
2

Where x ∈ Z2n represents an integer modulo 2 . n

These states form an orthonormal basis, the Fourier basis: hx̃ | x̃′ i = δx,x′ .
When do we need the quantum Fourier transform?

2.1 Phase estimation

Given: Ability to implement a controlled unitary operator U:
•
And a quartum state |ψi with U |ψi = eiθ |ψi.
Problem: Learn θ. U

2
2.2 Hadamard test H⊗I 1 1
controlled-U
|0i|ψi 7−→ √ (|0i + |1i)|ψi √ (|0i|ψi + |1iU |ψi)
7−→
2 2
|0i H • H 1

= √ |0i + eiθ |1i |ψi
|ψi U |ψi 2
 
H⊗I 1   1 + eiθ 1 − eiθ
7−→ (|0i + |1i) + e (|0i − |1i) |ψi =
iθ
|0i + |1i |ψi
2 2 2
2 2
1 + eiθ1  1 − eiθ θ
Pr(0) = (1 + cos θ)2 + sin2 θ
= Pr(1) = = sin2 .
2 4 2 2
1 θ
= [2 + 2 cos θ] = cos2
4 2
If θ = 0 or θ = π, we learn θ perfectly. If 0 < θ < π. learn the probability distribution by samples to get
information of θ.
n bits
Pn x z }| {
Next, suppose θ = 2π · j=1 2jj . i.e., θ = 2π · 0. x1 . . . xn
k
Consider what happens if we apply U 2 .

k k
U 2 |ψi = ei2 θ |ψi = e2πi·x1 ...xk .xk+1 ...xn |ψi = e2πi·0.xk+1 ...xn |ψi
n−1
In particular, U 2 |ψi = e2πi·0.xn |ψi.

n−1
|ψi xn = 0 |0i H • H xn
In other words, U 2 |ψi =
− |ψi xn = 1
|ψi U2
n−1

Idea: Combine n such experiments for different exponents of U :

|0i H ··· • √1
2
|0i + e2πi·0.xn |1i


|0i H ··· • √1
2
|0i + e2πi·0.xn−1 xn |1i

.. .. .. ...
. . .


|0i H • ··· √1
2
|0i + e2πi·0.x2 ...xn |1i


|0i H • ··· √1
2
|0i + e2πi·0.x1 ...xn |1i

|ψi U U2 ··· U2
n−2
U2
n−1
|ψi
The output state is:
On
1

√ |0i + e2πi·0.xn+1−i ...xn |1i
i=1
2
2 −1
1 X 2πi·2n−1n xyn−1
n
2πi·2n−2 xyn−2 2πixy0
=√ e 2 |yn−1 i e 2n |yn−2 i · · · e 2n |y0 i
n
2 y=0

1 X 2πixy
n−1
2
=√ e 2n |yi = |x̃i
2n y=0

3
 Ideally, for phase estimation, we want to have x1 , · · · , xn directly as outputs.
P2n −1 2πixy
Note: QF T : |xi −→ |x̃i = √12n y=0 e 2n |yi x ∈ {0, 1, · · · , 2n − 1}
So the transformation sending |x̃i 7→ |xi is exactly QF T −1 .
How do we implement this?
The first qubit is |0⟩+e √2 |1⟩ = H |xn i. So applying H reveals xn .
2πi·0.xn

Second qubit: e2πi·0.xn−1 xn = e2πi·0.xn−1 · e2πi·0.0xn = (−1)xn−1 · ixn .

We can remove the dependence on xn :
!†
1 0
If xn = 0, do I; if xn = 1, do .
0 i
Then the state becomes √12 (|0i + (−1)xn−1 |1i). Then H reveals xn−1 .
Inverse QF T with n = 2 :


√1
2
|0i + e2πi·0.x2 |1i H • |x2 i
!†

1 0
√1
2
|0i + e2πi·0.x1 x2 |1i H |x1 i
0 i

n−k+1 n+12x xn x
Move generally, since e2πi·0·xn−k+1 ...xn = e2πi( 21 + 22 +···+ 2k )

x x
the k th qubit is √12 |0i + e2πi·0.xn−k+1 ...xn |1i = Rkxn · · · R3 n−k+3 R2 n−k+2 H |xn−k+1 i.
−1
As a result, the QF T circuit is:


√1
2
|0i + e2πi·0.xn |1i H • ··· • ··· • ··· |xn i

√1
2
|0i + e2πi·0.xn−1 xn |1i R2† H ··· • ··· • ··· |xn−1 i

.. • ..
. .

† †
√1
2
|0i + e2πi·0.x2 ...xn |1i ··· Rn−1 Rn−2 ··· R2† H ··· • |x2 i

†
√1
2
|0i + e2πi·0.x1 ...xn |1i ··· ··· Rn† Rn−1 ··· R2† H |x1 i

Gate complexity: O(n2 )

4
Introduction to Quantum Computing Lecturer: Tongyang, scribed by Shuo Zhou
Fall 2022, Peking University Date: September 30, 2022

Lecture 6

Phase Estimation; Order Finding

- Phase Estimation
- Order finding
- Shor’s algorithm

1 Phase Estimation
Big picture of phase estimation:

|0i H ··· • |xn i

|0i H ··· • |xn−1 i

.. .. .. QF T −1
. . .

|0i H • ··· |x2 i

|0i H • ··· |x1 i

|ψi U U2 ··· U2
n−2
U2
n−1
|ψi

If U |ψi = e2πi·0.x1 ...xn |ψi, this works. How about e2πiφ for general φ ∈ [0, 1) ?

2X −1 i−1 
n
⊗n 1 Xn
2 |xi i if xi = 0
|0i⊗n 7−→ √
H c−U
|xi x= xi · 2n−i |xi i 7−→
n
2 x=0 eiφ2i−1 |xi i if xi = 1
i=1
2X
n
−1
c−Us 1 Y
n
7−→ √ eiφx |xi
i−1

n
|x1 . . . xn i 7−→ eiφxi 2 |xi i
2 x=0
−1
P2n −1 P2n −1 2πixy
i=1
The QF T is x=0 |xi hx̃| = √12n x,y=0 e− 2n |xi hy|.
P2n −1 iφx QF T −1 P2n −1 P2n −1 P2n −1 i(φ− 2πy
2n ) x .
2πixy
√1
2n x=0 e |xi 7−→ 21n x,y=0 eiφx e− 2n |yi = y=0 αy |yi, αy := 1
2n x=0 e
αy is a geometric series. Denote φ̃ = φ − 2πy
2n
  2

e−iφ̃2
n−1 n−1 n−1
2X −1 − eiφ̃2 2X
n n−1
e n
1 − eiφ2 eiφ̃2 e n−1
sin2 φ2
e iφ̃x
= =
⇒ eiφ̃x =
x=0
1 − eiφ̃ eiφ̃/2 e−iφ̃/2 − eiφ̃/2 x=0
sin2 (φ̃/2)

1
 2πy
1 sin ((φ− 2n )·2
2 n−1
2 )
Therefore: Pr(y) = |αy | = 22n 2πy
sin (φ− 2 )· 12 )
2
. sin mx
sin x → m when x → 0.

2n ≈ φ.
This distribution is tightly peaked around those y for which 2πy
2π(k+1)
Claim. Let 2n ⩽ φ ⩽ 2n . Then the probebility of outputting either k or k + 1 is at least
2πk 8
π2 .

Proof. The probability of success is Pr(k) + Pr(k + 1).




1  sin2 2n−1 φ − πk sin2 2n−1 φ − π(k + 1)
Pr(k) + Pr(k + 1) = 2n
+   
2 sin2 φ2 − πk 2n sin2 φ2 − π(k+1)
n
2

!


2π k + 21
2 sin π k + 2 − πk
2 1
when φ = = 2n  
2n 2 π (k+ 12 )
sin 2
2n − 2nπk

1 1
= ·
22n−1 sin2 2n+1
π

1 1 8
⩾ 2n−1 ·
2 = 2 .
2 π
n+1
π
2

Summary. Given |ψi with U |ψi = eiφ |ψi. we can produce an estimate of φ thet differs from the true value by

−1


at most ε 2π 8
2n with probability at π 2 . This use QF T with gate complexity O n2 and O(1/ε) controlled−
Us (2n ).

2 Order finding
Order definition: The order of an integer a modulo N is the smallest integer such that:

ar ≡ 1 (mod N )

For example: N = 15, a = 2, r = 4.

The order only exists if gcd(a, N ) = 1. gcd= greatest common divisor
Consider the multiplication-by-a map: U |xi = |axi for x ∈ ZN .
We can do this efficiently:
mutiply by a swap substract 2nd register by (1st/a mod N )⊕x
|x, 0i 7−→ |x, axi 7−→ |ax, xi 7−→ |ax, 0i

What are the eigenvectors/eigenvalues?

Let P be a cyclic shift modulo r : P |xi = |x + 1 mod ri.
Isomorphism: x mod r ←→ ax mod N
addition ←→ multiplication
Eigenvectors of P : ∀k ∈ {0, · · · , r − 1}

1 X 2πikx 1 X 2πikx 1 X 2πik (x−1)

r−1 r−1 r−1
|xi = e− r |k̃i.
2πik
|k̃i = √ e r |xi P |k̃i = √ e r |x + 1i = √ e r
r x=0 r x=0 r x=0
Pr−1 2πikx −2πik
Therefore, |uk i = √1r x=0 e r | ax mod N i is an eigenvector of U with eigenvalue e r .
Applying phase estimation of U on |uk i, we get an estimation of kr .

Problems:

2
 1. We don’t know r, and as a result, how can we make |uk i ?
k
2. We only get an approximation of r; which precise fraction it is?

3. What if k and r have common factors? Since we don’t know r, can confuse with factor cancellation.

k
2.1 Estimate r
in superposition
2πi −1 n
For any n ⩾ 2, if w = e n , 1 + w + · · · + wn−1 = ww−1 = 0.
P r−1 P r−1 2πikx
Consider r k=0 |uk i = r k,x=0 e
1
√ 1 r | a mod N i = |1i
x

Phase estimation:
Pr−1 phase estimation 1 Pr−1 f
|0i ⊗ |1i = √1r k=0 |0i ⊗ |uk i 7−→ √
r k=0 |k|ri ⊗ |uk i
Measuring the first register gives an estimate of kr , where k is chosen uniformly at random.
n
Note: c − U 2 can be implenented in tine poly (n) by square-and-multiply.

k
2.2 Reconstructing r
from the approximation
n  2n
  n
Main idea: We can have an integer y close to k · 2r (either k · r or k · 2r with probability ⩾ 8
π2 ).
Compute the continuous fraction expansion (CF E) : 2yn = a 1
1 a1 , a 2 ∈ N
1 + a +···
2
5 1 1 1 1 1 1
For example: 8 = 1·6 = 1+0.6 = 1
1+ 5/3
= 1
1+ 1+2/3
= 1+ 1 = 1+ 1
1+ 1 1+ 1
1+ 1 1+ 1
2 1+1
1 1 2 3 5
Each time, deleting the term in (0, 1], get: 1, 2, 3, 5, 8.
End when we reach 1 .
1 1
Consider the sequence a1 , a + 1 , . . . (truncate the CF E ).
1 a2
Since 2yn is rational, this must ends finally. Denote the sequence of fractions we get ane p1 p2
q1 , q2 , . . .
Can prove: qi+2 ⩾ 2qi ∀i ∈ [n]. This implies that the length ⩽ 2n.
Furthermove, CF E has very strong convengence property:
Fact. If we estimate x by CF E, then x − pqii < q12 .
i
n
In our case, we know y − k · 2r ≤ 1 ⇔ 2yn − kr ≤ 21n .
Taking 2n > 2r2 and using CF E theory, we can prove that kr must appear in the CF E. Also due to
the CF E hos O(n) terms and whether ar ≡ 1 (mod N ) or not can be verified in poly (log N ) time using
square-and-multiply, taking n = C · log N for a large enough C, 2n > 2r2 can be satisfied the overall cost is
poly (log N ).

2.3 Common factors

Althongh phase estimation works for any k ∈ {0, 1, · · · , r − 1}, only when gcd(k, r) = 1. the denominator of
k
r is directly r.
1 . . . pl for different primes p1 , · · · , pl , α1 , · · · , αl ∈ N, then ϕ(N ) :=
αl
 Euler’s
 totient
 function:
 If N = pα 1

1− 1
··· 1 − 1
N is the number of integers in [N] that has gcd = 1 with N .
p1

pN

ϕ(r) 1
Fact: r = Ω log(log r) .
Therefore, O(log log r) repititions suffice.
Finally, it comes to Shor’s algorithm:

3
3 Shor’s algorithm
3.1 Factorization(N)
1. If N is even, return factor 2 ;

2. If N = pα for a prime p and α ⩾ 2, compute the 2nd (square) root, 3rd, · · · , dlog2 N e root, and return
one of them being an integer;

3. Uniformly randomly choose x in {1, 2, . . . , N − 1}. If gcd(x, N ) > 1, then return factor gcd(x, N );

4. Use the order-finding subroutine to find the order r of x, modulo N ;

5. If r is even and xr/2 6= −1 (mod N ), compute gcd xr/2 − 1, N and gcd xr/2+1 , N . If one of them
> 1, return that. Otherwise, start over.

3.2 Observations


1. Primality testing, i.e., testing whether N is a prime or not, can be done in Õ (log N )6 time on a
classical computer. (Õ omits poly-logarithmic factors, i.e., Õ(f ) = O(f · poly (log f )).)
This is called the Agrawal-Kayal-Saxena (AKS) primality test, won Gödel Prize and Fulkerson Prize
in 2006.
Therefore, the above algorithm is written as factoring a composite number, as we can run AKS as a
preprocessing step. Nevertheless, we can also run Shor’s algorithm for poly(log N ) rounds and return
“prime” if it cannot find a factor.

2. Steps 1 and 2 has O(log n) iterations, and each root computation takes poly(log N ) cost on a classical
computer. In the rest of the algorithm, we can assume that N is an odd integer with more than one
primer factor.


3. gcd(x, N) can be computed classically using Euclid’s algorithm. This takes cost O log2 N .

4. If gcd(x, N ) = 1 and r is the order of x mod N , and the condition in step 5 holds, then N ∤ xr/2 + 1, N ∤




xr/2 − 1 (r/2 is not the other) but N | xr/2 + 1 xr/2 − 1 = xr − 1 ⇒ both gcd xr/2 − 1 ,


gcd xr/2 + 1 6= 1, and the factorization problem is solved.

In the remaining, we prove:

Theorem. Suppose N = p1α1 · · · pα
l with different primes p1 , · · · , pl , l ⩾ 2, α1 , · · · , αl ∈ N. Let x be chosen
l

∗
uniformly at random from ZN := {x ∈ ZN | gcd(x, N ) = 1}, and let r be the order of x mod N . Then
h i 1
Pr r is even and xr/2 6= −1 (mod N ) ⩾ 1 −
2l−1
.
We first prove a lemma:
Lemma. Let p be an odd prime. Let 2d be the largest power of 2 dividing φ (pα ), i.e., 2d kφ (pα ): 2d ∤ φ(pα )
but 2d+1 ∤ φ(pα ).
Then with probability exactly 21 , 2d divides the order mod pα of a uniformly random chosen element of
Z∗pα .
Proof of lemma. Note that φ (pα ) = pα−1 (p − 1). Therefore 2d kp − 1 and d ⩾ 1.

4
 It is known in elementary number theory that there exists primitive roots mod pα , i.e., ∃g ∈ Z∗pα s.t.

g, g 2 , · · · , g φ(p ) = Z∗pα .
α

Let rk be the order of g k modulo pα and consider two cases.

1) k is odd. From g krk ≡ 1 (mod p)α we have φ (pα ) | krk . an k is odd ⇒ 2d | rk .
α α
k/2
2) k is even. Then g kφ(p )/2 = g φ(p ) = 1k/2 = 1 (mod p)α
⇒ rk | φ (pα ) /2. However 2d kp − 1 ⇒ 2d ∤ rk .
In summary. Z∗p2 may be partitioned into two sets of equal size: those which may be written as g k with
k odd. for which 2d | rk , and those which may ke written as g k with k even, for which 2d ∤ r. Thus with
probability 1/2 the integer 2d divides the order r of a randomly chosen element of Zp∗α . and with probability
1/2 it does not.
Corollary. Let x be a uniformly random chosen element of Z∗pα . Then for any nonegative integer dx =
0, 1, . . ., the probability that 2dx is the largest pover of 2 dividing the order of x mod pα is ⩽ 1/2. (The
lemma is Pr[dx ≥ d] = 21 ).
Proof of theorem. Note that choosing x uniformly at random from Z∗N is equivalent to choosing xj
α

independently and uniformly at random from Z∗αj , and requiring that x ≡ xj med pj j for each j ∈ [l].
pj

To prove the theorem. it suffices to prove: Pr [r is odd or xr/2 ≡ −1 (mod N ) ⩽ 2l−1 1
. (*)
αj
Let rj ke the order of xj modulo pj . Let 2 krj (the largest power of 2 that divides rj ). and let 2d kr.
dj

If r is odd, because vj | r for j ∈ [l], it implies that all rj are odd, hence dj = d = 0 ∀j ∈ [l].
α α α
If xr/2 ≡ −1 (mod N ), N xr/2 + 1 ⇒ pj j xr/2 +1 ∀j ∈ [l] ⇒ rj ∤ r/2 (otherwise pj j | xr/2 −1 ⇒ pj j | 2,
but pj is odd)
However, rj | r ∀j ∈ [l], hence dj = d ∀j ∈ [l].
Therefore: When the event in (*) holds, all dj must take the same valse for all j ∈ [l].
α
Each chunk represents the largest power of 2 dividing the order of xj mod pj j , and by the corollary, each
chunk has probability ≤ 2 . It directly follows that this occurs with probability ⩽ 2l−1
1 1
.

Remark 1. Shor’s algorithm can factorize integers with constant h

probability
q in poly (log N ) time on quan-
i
64
tun computer. The best-known classical algorithm takes time exp 3
9 + o(1) (log n)1/3 (log log n)2/3 .
Shor’s algorithm gives a superpolynomial quentum speedup.
Remark 2. Shor’s algorithm has many extensions.

Example 1. Computing discrete logarithms

Problem: Given g ∈ Zp and a ∈ Z where g is a primitive root. Find x so that g x ≡ a (mod p) (i.e.,
x = logg a )
Interesting fact: Historically, Peter W. Shor first found an efficient quantum algorithm for the discrete
logarithm problem, and then found the factorization algorithm.

5
Example 2. Hidden subgroup problem

Given a group G and a black-box function satisfying f (x) = f (y) iff(if and only if) y = xh for some x ∈ H,
a subgroup of G.
Problem: Find H (say, find the generating set).
This can be done efficiently on quantum computers for any Abelian group G.

Reference.

Childs and van Dam. Quantum algorithms for algebraic problens. Rev. Mod. Physics 2010, arxiv: 0812.0380

Example 3.

Deeper in number theory: Can solve the Pell’s equation Input: d ∈ N not a square, and denote  the smallest
√ √ n
nontrivial solution of x −dy = 1 as (x1 , y1 ). All the solutions can be written as xn +yn d = x1 + y1 d
2 2

for n ∈ N. There exists an algorithm for finding (x1 , y1 ) in time poly (log d).

Reference.

Hallgren. Polynomial-time quantum algorithms for Pell’s equation and the prinpical ideal problem. JACM
2007, earlier version at STOC 2002.
Eisentraeger. Hallgren, Kitaev, Song, A quantum algorithm for computing the unit group of an
arbitrary degree number field.
poly(log N, deg). STOC 2014.

6
Introduction to Quantum Computing Lecturer: Tongyang, scribed by Shuo Zhou
Fall 2022, Peking University Date: October 5, 2022

Lecture 7

Shor’s Algorithm
- Order finding
- Shor’s algorithm

1 Order finding
Order definition: The order of an integer a modulo N is the smallest integer such that:

ar ≡ 1 (mod N )

For example: N = 15, a = 2, r = 4.

The order only exists if gcd(a, N ) = 1. gcd= greatest common divisor
Consider the multiplication-by-a map: U |xi = |axi for x ∈ ZN .
We can do this efficiently:
mutiply by a swap substract 2nd register by (1st/a mod N )⊕x
|x, 0i 7−→ |x, axi 7−→ |ax, xi 7−→ |ax, 0i

What are the eigenvectors/eigenvalues?

Let P be a cyclic shift modulo r : P |xi = |x + 1 mod ri.
Isomorphism: x mod r ←→ ax mod N
addition ←→ multiplication
Eigenvectors of P : ∀k ∈ {0, · · · , r − 1}

1 X 2πikx 1 X 2πikx 1 X 2πik (x−1)

r−1 r−1 r−1
|xi = e− r |k̃i.
2πik
|k̃i = √ e r |xi P |k̃i = √ e r |x + 1i = √ e r
r x=0 r x=0 r x=0
Pr−1 2πikx −2πik
Therefore, |uk i = √1r x=0 e r | ax mod N i is an eigenvector of U with eigenvalue e r .
Applying phase estimation of U on |uk i, we get an estimation of kr .

Problems:

1. We don’t know r, and as a result, how can we make |uk i ?

k
2. We only get an approximation of r; which precise fraction it is?

3. What if k and r have common factors? Since we don’t know r, can confuse with factor cancellation.

1
 k
1.1 Estimate r
in superposition
2πi −1 n
For any n ⩾ 2, if w = e n , 1 + w + · · · + wn−1 = ww−1 = 0.
P r−1 P r−1 2πikx
Consider √r k=0 |uk i = r k,x=0 e r | a mod N i = |1i
1 1 x

Phase estimation:
Pr−1 phase estimation 1 Pr−1 f
|0i ⊗ |1i = √1r k=0 |0i ⊗ |uk i 7−→ √
r k=0 |k|ri ⊗ |uk i
k
Measuring the first register gives an estimate of r , where k is chosen uniformly at random.
n
Note: c − U 2 can be implenented in tine poly (n) by square-and-multiply.

k
1.2 Reconstructing r
from the approximation
n  2n
  n
Main idea: We can have an integer y close to k · 2r (either k · r or k · 2r with probability ⩾ 8
π2 ).
Compute the continuous fraction expansion (CF E) : 2yn = a 1
1 a1 , a 2 ∈ N
1 + a +···
2
5 1 1 1 1 1 1
For example: 8 = 1·6 = 1+0.6 = 1
1+ 5/3
= 1
1+ 1+2/3
= 1+ 1 = 1+ 1
1+ 1 1+ 1
1+ 1 1+ 1
2 1+1

Each time, deleting the term in (0, 1], get: 11 , 12 , 23 , 35 , 58 . End when we reach 1 .
Consider the sequence a11 , a +1 1 , . . . (truncate the CF E ).
1 a2
Since 2yn is rational, this must ends finally. Denote the sequence of fractions we get ane p1 p2
q1 , q2 , . . .
Can prove: qi+2 ⩾ 2qi ∀i ∈ [n]. This implies that the length ⩽ 2n.
Furthermove, CF E has very strong convengence property:
Fact. If we estimate x by CF E, then x − pqii < q12 .
i
n
In our case, we know y − k · 2r ≤ 1 ⇔ 2yn − kr ≤ 21n .
Taking 2n > 2r2 and using CF E theory, we can prove that kr must appear in the CF E. Also due to
the CF E hos O(n) terms and whether ar ≡ 1 (mod N ) or not can be verified in poly (log N ) time using
square-and-multiply, taking n = C · log N for a large enough C, 2n > 2r2 can be satisfied the overall cost is
poly (log N ).

1.3 Common factors

Althongh phase estimation works for any k ∈ {0, 1, · · · , r − 1}, only when gcd(k, r) = 1. the denominator of
k
r is directly r.
1 . . . pl for different primes p1 , · · · , pl , α1 , · · · , αl ∈ N, then ϕ(N ) :=
αl
 Euler’s
 totient
 function:
 If N = pα 1

1− 1
··· 1 − 1
N is the number of integers in [N] that has gcd = 1 with N .
p1

pN

Fact: ϕ(r)
r = Ω 1
log(log r) .
Therefore, O(log log r) repititions suffice.
Finally, it comes to Shor’s algorithm:

2 Shor’s algorithm
2.1 Factorization(N)
1. If N is even, return factor 2 ;

2. If N = pα for a prime p and α ⩾ 2, compute the 2nd (square) root, 3rd, · · · , dlog2 N e root, and return
one of them being an integer;

2
 3. Uniformly randomly choose x in {1, 2, . . . , N − 1}. If gcd(x, N ) > 1, then return factor gcd(x, N );

4. Use the order-finding subroutine to find the order r of x, modulo N ;

5. If r is even and xr/2 6= −1 (mod N ), compute gcd xr/2 − 1, N and gcd xr/2 + 1, N . If one of them
> 1, return that. Otherwise, start over.

2.2 Observations


1. Primality testing, i.e., testing whether N is a prime or not, can be done in Õ (log N )6 time on a
classical computer. (Õ omits poly-logarithmic factors, i.e., Õ(f ) = O(f · poly (log f )).)
This is called the Agrawal-Kayal-Saxena (AKS) primality test, won Gödel Prize and Fulkerson Prize
in 2006.
Therefore, the above algorithm is written as factoring a composite number, as we can run AKS as a
preprocessing step. Nevertheless, we can also run Shor’s algorithm for poly(log N ) rounds and return
“prime” if it cannot find a factor.

2. Steps 1 and 2 has O(log n) iterations, and each root computation takes poly(log N ) cost on a classical
computer. In the rest of the algorithm, we can assume that N is an odd integer with more than one
primer factor.


3. gcd(x, N) can be computed classically using Euclid’s algorithm. This takes cost O log2 N .

4. If gcd(x, N ) = 1 and r is the order of x mod N , and the condition in step 5 holds, then N ∤ xr/2 + 1, N ∤




xr/2 − 1 (r/2 is not the other) but N | xr/2 + 1 xr/2 − 1 = xr − 1 ⇒ both gcd xr/2 − 1 ,


gcd xr/2 + 1 6= 1, and the factorization problem is solved.

In the remaining, we prove:

Theorem. Suppose N = p1α1 · · · pα
l with different primes p1 , · · · , pl , l ⩾ 2, α1 , · · · , αl ∈ N. Let x be chosen
l

uniformly at random from Z∗N := {x ∈ ZN | gcd(x, N ) = 1}, and let r be the order of x mod N . Then
h i 1
Pr r is even and xr/2 6= −1 (mod N ) ⩾ 1 −
2l−1
.
We first prove a lemma:
Lemma. Let p be an odd prime. Let 2d be the largest power of 2 dividing φ (pα ), i.e., 2d kφ (pα ): 2d ∤ φ(pα )
but 2d+1 ∤ φ(pα ).
Then with probability exactly 21 , 2d divides the order mod pα of a uniformly random chosen element of
Z∗pα .
Proof of lemma. Note that φ (pα ) = pα−1 (p − 1). Therefore 2d kp − 1 and d ⩾ 1.
It is known in elementary number theory that there exists primitive roots mod pα , i.e., ∃g ∈ Z∗pα s.t.
 2
g, g , · · · , g φ(p ) = Z∗pα .
α

Let rk be the order of g k modulo pα and consider two cases.

1) k is odd. From g krk ≡ 1 (mod p)α we have φ (pα ) | krk . an k is odd ⇒ 2d | rk .
α α
k/2
2) k is even. Then g kφ(p )/2 = g φ(p ) = 1k/2 = 1 (mod p)α
⇒ rk | φ (pα ) /2. However 2d kp − 1 ⇒ 2d ∤ rk .

3
 In summary. Z∗p2 may be partitioned into two sets of equal size: those which may be written as g k with
k odd. for which 2d | rk , and those which may ke written as g k with k even, for which 2d ∤ r. Thus with
probability 1/2 the integer 2d divides the order r of a randomly chosen element of Zp∗α . and with probability
1/2 it does not.
Corollary. Let x be a uniformly random chosen element of Z∗pα . Then for any nonegative integer dx =
0, 1, . . ., the probability that 2dx is the largest pover of 2 dividing the order of x mod pα is ⩽ 1/2. (The
lemma is Pr[dx ≥ d] = 21 ).
Proof of theorem. Note that choosing x uniformly at random from Z∗N is equivalent to choosing xj
α

independently and uniformly at random from Z∗αj , and requiring that x ≡ xj med pj j for each j ∈ [l].
pj

To prove the theorem. it suffices to prove: Pr [r is odd or xr/2 ≡ −1 (mod N ) ⩽ 2l−1 1
. (*)
αj
Let rj ke the order of xj modulo pj . Let 2 krj (the largest power of 2 that divides rj ). and let 2d kr.
dj

If r is odd, because vj | r for j ∈ [l], it implies that all rj are odd, hence dj = d = 0 ∀j ∈ [l].
α α α
If xr/2 ≡ −1 (mod N ), N xr/2 + 1 ⇒ pj j xr/2 +1 ∀j ∈ [l] ⇒ rj ∤ r/2 (otherwise pj j | xr/2 −1 ⇒ pj j | 2,
but pj is odd)
However, rj | r ∀j ∈ [l], hence dj = d ∀j ∈ [l].
Therefore: When the event in (*) holds, all dj must take the same valse for all j ∈ [l].
α
Each chunk represents the largest power of 2 dividing the order of xj mod pj j , and by the corollary, each
chunk has probability ≤ 12 . It directly follows that this occurs with probability ⩽ 2l−1 1
.

Remark 1. Shor’s algorithm can factorize integers with constant h

probability
q in poly (log N ) time on quan-
i
64
tun computer. The best-known classical algorithm takes time exp 3
9 + o(1) (log n)1/3 (log log n)2/3 .
Shor’s algorithm gives a superpolynomial quentum speedup.
Remark 2. Shor’s algorithm has many extensions.

Example 1. Computing discrete logarithms

Problem: Given g ∈ Zp and a ∈ Z where g is a primitive root. Find x so that g x ≡ a (mod p) (i.e.,
x = logg a )
Interesting fact: Historically, Peter W. Shor first found an efficient quantum algorithm for the discrete
logarithm problem, and then found the factorization algorithm.

Example 2. Hidden subgroup problem

Given a group G and a black-box function satisfying f (x) = f (y) iff(if and only if) y = xh for some x ∈ H,
a subgroup of G.
Problem: Find H (say, find the generating set).
This can be done efficiently on quantum computers for any Abelian group G.

4
Reference.

Childs and van Dam. Quantum algorithms for algebraic problens. Rev. Mod. Physics 2010, arxiv: 0812.0380

Example 3.

Deeper in number theory: Can solve the Pell’s equation Input: d ∈ N not a square, and denote  the smallest
√ √ n
nontrivial solution of x −dy = 1 as (x1 , y1 ). All the solutions can be written as xn +yn d = x1 + y1 d
2 2

for n ∈ N. There exists an algorithm for finding (x1 , y1 ) in time poly (log d).

Reference.

Hallgren. Polynomial-time quantum algorithms for Pell’s equation and the prinpical ideal problem. JACM
2007, earlier version at STOC 2002.
Eisentraeger. Hallgren, Kitaev, Song, A quantum algorithm for computing the unit group of an
arbitrary degree number field.
poly(log N, deg). STOC 2014.

5
Introduction to Quantum Computing Lecturer: Tongyang Li, scribed by Yecheng Xue
Fall 2022, Peking University Date: November 16, 2022

Lecture 8

Shor’s Algorithm (continued); Unstructured Search

- Shor’s algorithm
- Unstructured search

Find conclusion: Quantum computer can solve order finding with cost poly(log N ) (with high probability).

Finally, it comes to Shor’s algorithm:

Factorization(N)
Input: N , output: A nontrivial factor of N (assume N is composite)

1) If N is even, return 2;
√ √
2) If N = pα for a prime p and α ≥ 2, compute N, 3
N , · · · , ⌈log3 N ⌉ root, and return one of them being
an integer;

3) Uniformly random choose a ∈ {1, 2, · · · , N − 1}, If gcd(a, N ) > 1, return gcd(a, N );

4) Use the order-finding subroutine to find the order r of a module N .

5) If r is even and ar/2 ̸≡ −1( mod N ), compute gcd(ar/2 − 1, N ) and gcd(ar/2 + 1, N ), If one of them > 1,
return that.
Otherwise, start over.

N | (ar/2 + 1)(ar/2 − 1) N ∤ ar/2 − 1 N ∤ ar/2 + 1

Now, we only need to prove:

αl
Theorem. Suppose N = pα ∗
1 · · · pl with different odd prime and l ≥ 2, α1 , · · · , αl ∈ N . Let x be chosen
1

uniformly at random from Z∗N = {x ∈ ZN | gcd(x, N ) = 1}, and let r be the order of x mod N . Then
1
Pr{r is even and xr/2 ̸≡ −1( mod N )} ≥ 1 −
2l−1
Remark. Not required for understanding qunatum computing – only for the completeness of Shor’s algorithm.

We first prove a lemma:

lemma. Let p be an odd prime. Let 2d be the largest power of 2 dividing φ(pα ), 2d ∥ φ(pα ) (i.e., 2d | φ(pα ),
2d+1 ∤ φ(pα )).
Here φ(N ) = (1 − p11 ) · · · (1 − p1l ), N = |Z∗N |.

1
Then with probability 12 , 2d divides the order mod pα of a uniformly random chosen element of Z∗pα .

Definition. Primitive root is a g ∈ Z∗N s.t. {g, g 2 , · · · , g φ(N ) } = Z∗N ( mod N ).

N = 7. 21 , 22 , 23 g = 2, {g, g 2 , g 3 , g 4 , g 5 , g 6 } φ(7) = 7 · (1 − 1/7) = 6

mod 7 : 2, 4, 1 {2, 4, 1, 2, 4, 1} = {1, 2, 3, 4, 5, 6}
1 2 3 4 5 6
N = 7. 3 , 3 , 3 , 3 , 3 , 3
mod 7 : 3, 2, 6, 4, 5, 1 g = 3 is a primitive root of 7.

Theorem. N = 2, 4, pα , 2pα (p is odd prime) has primitive roots.

Proof of lemma. φ(pα ) = pα · (1 − p1 ) = pα−1 (p − 1). 2d ∥ φ(pα ) ⇒ 2d ∥ p − 1. d ≥ 1.

From the theorem, there exists a primitive root g of pα , i.e,

α
{g, g 2 , · · · , g p (p−1)
} = Z∗pα

Let rk be the order of g k mod pα and consider two cases.

(i.e., k is unifromly random from {1, 2, · · · , pα−1 (p − 1)})

1) k is odd. Since g is a primitive root, by the definition of rk , (gk )rk ≡ 1( mod pα ) ⇒ φ(pα ) | krk . Here
(g k )rk ≡ 1( mod pα ) ⇒ g krk ≡ 1( mod pα ), φ(pα ) | krk ⇒ 2d | rk .
α α α
2) k is even. (g k )φ(p )/2 = g kφ(p )/2 = (g φ(p ) )k/2 ≡ 1k/2 ≡ 1( mod pα )
⇒ rk | φ(pα )/2. However 2d ∥ φ(pα ) ⇒ 2d ∤ rk .

In summary, Z∗pα may be partitioned into two sets of equal size: those may be written as g k where k is
odd, for which sd | rk , and those which may be writeen as g k with k is even, for which 2d ∤ rk . Thus with
probability 12 , 2d divides the order r of a randomly chosen element of Z∗pα . □

Corollary. Let x be a uniformly random chosen element of Z∗pα . Then for any nonnegative integer dx =
0, 1, · · · , the probability that 2dx is the largest power of 2 dividing the order x mod pα ≤ 12 .

Reason: The lemma proved P r[dx ≥ d] = 12 , also P r[dx ≤ d − 1] = 12 .

Therefore, for any n ∈ N, P r[dx = n] ≤ 12 . □

αl
Proof of theorem. Recall N = pα 1 · · · pl l ≥ 2.
1
Z∗N
Note that choosing x at random Z∗N is equivalent to choosing xj independently and uniformly at random
α
from Z∗αj , and requiring that x ≡ xj ( mod pj j ) for each j ∈ [l].
pj

1
To prove the theorem, it suffices to prove: Pr[r is odd or xr/2 ≡ −1( mod N )] ≤ 2l−1
(∗).

α
Let rj be the order of xj modulo pj j . Let 2dj ∥ rj (the largest power of 2 that divides rj ). And let
2d ∥ r, where r is the order of x modulo N .
α
xr ≡ 1( mod N ) ⇒ xr ≡ 1( mod pj j )

2
If r is odd, because rj | r for all j ∈ [l] ⇒ all rj are odd.
⇒ dj = d = 0∀j ∈ [l].

α
If xr/2 ≡ −1( mod N ) ⇒ N | xr/2 + 1 ⇒ pj j | (xr/2 + 1)∀j ∈ [l]
α α
This means rj ∤ r/2. (Otherwise, pj j | xr/2 − 1) ⇒ pj j | 2, but pj is odd).
But otherhand rj | r∀j ∈ [l] ⇒ dj = d∀j ∈ [l].

Therefore: When the event in (∗) holds, all dj must take the same value for j ∈ [l].

□ □ ··· □
□ □ ··· □
□ □ ··· □
p1 p2 ··· pl
α
Each chunk represents the largest power of 2 dividing the order xj mod pj j , and by our corollary, each
chunk has probability ≤ 12 .
1
⇒ It directly follows that (∗) holds with probability ≤ 2l−1 . □

2
Remark 1. Shor’s algorithm can factorize integers with constant probability (say ≥ 3) in poly(log N )
time on quantum computer, the best-known classical algorithm takes time
r
3 64 1 2
exp[( + o(1))(log n) 3 (log log n) 3 ]
9
Shor’s algroithm gives super-polynomial quantum speedup.

Remark 2. Shor’s algroithm has many extnesions.

Example 1. Compute discrete logarithm
Problem: Given g ∈ Zp and a ∈ Zp where g is a primitive root. Find x so that gx ≡ a( mod p) (i.e.,
x = logg a).

Interesting fact: Peter W. Shor first found an efficient quantum alrgotihm for the discrete logarithm, and
then found the factorization algorithm.

Example 2. Hidden subgroup problem (HSP)

Given a group G and a black-box f satisfying f (x) ◦ f (y) (x, y ∈ G) iff y = xh for som h ∈ H, where H is a
subgroup of G.
Probelm: Find H (Say, find the generating set).
This can be done efficiently on quantum computers for any Abelian group G.

Reference. Childs and van Dam. Quantum algorithms for algebraic problems. Rev.Med.Physics. arXiv:0812.0380

Example 3. Deeper in number theory: Can solve Pell’s equation.

x2 − dy 2 = 1, d is not square, x,y,d ∈ N.
On quantum computer: Can solve Pell’s equation in poly(log d) time.
Hallgren Polynomial-time quantum algorithms for Pell’s equation and principle ideal problem. JACM 2007

3
(quadratic field)
Eisenfraeger, Hallen, Kifaev, Song STOC14 ⇒ arbitrary constant degree number field.

So far:

• Deutsch-Jozsa
f : {0, 1}n → {0, 1}
constant or balanced
”structure”
↓ less requirement, but still structured

• Simon’s problem
f : {0, 1}n → X
f (x) = f (y) iff x = y or x = y ⊕ s

• phase estimation
U |φ⟩ = eiθ |φ⟩, find θ
A genuinely quantum problem, O( 1ε ) queries, w.p. ≥ π82
Note: Going beyound Hadamard. QFT from Z2 ⊗ · · · ⊗ Z2 to Z2n
Application: Order finding ⇒ Shor’s algorithm

For all of these, we have structured assumptions:

• Deutsch-Jozsa and Simon’s problem: special f

• Order finding and Shor’s algorithm: Cyclic group ZN

How about we characterize ”very general functions”?

Start with boolean functions.

Total function. A function F : {0, 1}N → {0, 1} which has definition on all 2N inputs.
n
Deutsch-Jozsa: N = 2n f : {0, 1}2 → {0, 1}, definition domain is {s = s1 · · · s2n |# of 1 is 0, 2n−1 , 2n }
Note: Deutsch-Jozsa is NOT a total function.
If a function is defined on a proper set of {0, 1}N , it’s called a partial function.

A very typical problem is to compute the OR function AND is symmetric

fOR : {0, 1}n → {0, 1}
(
0,ifs1 · · · sn = 0
fOR (s1 , · · · , sn ) = s1 ∨ s2 ∨ · · · ∨ sn =
1,othersize

Classically: With string s and the ability ot query si for some i ∈ [n], need Θ(n) queries to output the value
f for any input s.
Uf
Quantumly: |i, z⟩ −−→ |i, z ⊗ si ⟩ ∀i ∈ [n], z ∈ {0, 1} (∗)

4
This is also called the unstructured search problem.

Another formulation: How hard is it to search a space of n items?

Formally: Given a black-box function f : {1, 2, · · · , n} → {0, 1}, decide whether there is an x such that
f (x) = 1. (Or: Find such an x).
Call such an x a marked item.

Uf
Black-box:|x, z⟩ −−→ |x, f (x) ⊗ z⟩ x ∈ [n], z ∈ {0, 1}.
Here Uf Equivalent to the oracle above: f (x) = sx ∀x ∈ [n] in (∗)

5
Introduction to Quantum Computing Lecturer: Tongyang, scribed by Shuo Zhou
Fall 2022, Peking University Date: November 13, 2022

Lecture 9

Unstructured Search
- Grover’s algorithm
- Amplitude amplification

Last class: from special partial functions to total functions.

1 Fundamental Subroutines
1.1 Unstructured search problem:
Given a black-box function f : {1, 2, · · · , n} → {0, 1},
decide whether there is an x such that f (x) = 1. (Or find such an x)
Call such an x (f (x) = 1) a marked item.
Uf
Black-box: |x, zi 7−→ |x, f (x) ⊕ zi x ∈ [n], z ∈ {0, 1}.

1.2 Phase kick-back:

Uf
Phase kick-back: |xi|−i −→ (−1)f (x) |xi|−i
It means that we can perform a phase query, |xi(7−→ (−1)f (x) |xi )
∑n phase query 1 ∑ ∑
We start from |ψi = √1n x=1 |xi 7−→ √
n x:f (x)=0 |xi − x:f (x)=1 |xi
This looks like a reflection. For simplicity,
{ consider a unique marked item w s.t.
U |wi = −|wi
f (w) = 1, f (x) = 0 ∀x 6= w. U = I − |ωi hω|
U |xi = |xi x 6= w
On the one hand: {|wi, |xi x 6= w} is the computational basis, so it spans the whole space.
On the other hand: U is unitary: (|βi hα|)† = |αi hβ|

(I − 2 |ωi hω|)(I − 2 |ωi hω|)

=I 2 − 2 |ωi hω| − 2 |ωi hω| + 4 |ωi hω|ωi hω| = I

∀x 6= ω (I − 2 |ωi hω|)|xi = |xi − 2|ωihω|xi = |xi.

(I − 2 |ωi hω|)|ωi = |ωi − 2|ωihω|ωi = |ωi − 2|ωi = −|ωi.
Another reflection? I − 2 |·i h·|
∑n
Consider V = 2|ψihψ| − I. where |ψi = √1
n x=1 |xi.
V is also a reflection, V V † = I.

1
 V is independent of queries. In the following discussion. WLOG, assume n = 2m . (Otherwise, there
exists m ∈ N s.t. 2m−1 ⩽ n ⩽ 2m . Can consider n = 2m where f (n + 1) = f (n + 2) = · · · = f (2m ) = 0).
How to apply V? H ⊗m |0i = |ψi ⇒ V = H ⊗m R0 H ⊗m (similar to Deutsch-Jozsa), where R0 = 2 |0m i h0m |−I

H ⊗m (2 |0m i h0m | − I)H ⊗m = 2 |ψi hψ| − I


|0m i |0i 7−→ − |0m i |0i 7−→ |0m i |0i 

.. 

. |0m i |1i 7−→ − |0m i |1i 7−→ |0m i |1i
Circuit: 2 |0m i h0m |−I
|xi|0i 7−→ −|xi|0i 7−→ −|xi|0i(x 6= 0m ) 

−I −I 

|xi|1i 7−→ −|xi|1i 7−→ −|xi|1i(x 6= 0m )

Conclusion: V can be efficiently implemented with O(log n) cost.

Algorithm: |ψi = H ⊗m |0i can be implemented with O(log n) cost.

• - Prepare |ψi U |ψi = (I − 2|ωihω|)|ψi = |ψi − 2hω|ψi|ωi
π√
2
• - Repeat t = = |ψi − √ |ωi.
4 n n
Apply U ; U |ωi = − |ωi
Apply V ; V |ψi = |ψi
2
• - Measure V |ωi = (2|ψihψ| − I)|ωi = 2(hψ|ωi|ψi − |ωi) = √ |ψi − |ωi
n
Therefore, the subspace span{|ψi , |ωi} is invariant under U and V .
However, hψ|ωi 6= 0. It will read better to consider an orthonormal basis:

span{|ωi, |ω ⊥ i} ⊥ : perpendicular
|ψi − hω|ψi |ωi
hω|ω ⊥ i = hω|ψi − hω|ψi hω|ωi = 0 |ω ⊥ i = hω ⊥ |ω ⊥ i = 1
√ normalization
( )
1 1 ⊥ ⊥ 1
|ψi = √ |ωi + 1 − |ω i = sin θ|ωi + cos θ |ω i θ = arcsin √ .
n n n
( )
sin θ
V = 2 |ψi hψ| − I = 2 (sin θ cos θ) − I
cos θ
( ) ( )
2 sin2 θ − 1 2 sin θ cos θ − cos 2θ sin 2θ
= =
2 sin θ cos θ 2 cos2 θ − 1 sin 2θ cos 2θ
( )( ) ( )
− cos 2θ sin 2θ −1 0 cos 2θ sin 2θ
VU = = .
sin 2θ cos 2θ 0 1 − sin 2θ cos 2θ
( )
t cos 2tθ sin 2tθ
(V U ) = This can be proved by induction.
− sin 2tθ cos 2tθ
( )( ) ( ) ( )
cos 2tθ sin 2tθ sin θ cos 2tθ sin θ + sin 2tθ cos θ sin(2t + 1)θ
(V U ) |ψi =
t
= =
− sin 2tθ cos 2tθ cos θ − sin 2tθ sin θ + cos 2tθ cos θ cos(2t + 1)θ

=⇒ Pr(ω) = sin2 ((2t + 1)θ)

2
 When is Pr(ω) close to 1?
1 1
sin θ ≈ θ when θ is small, ∴ θ = arcsin √ ≈ √ usually n is large
n n
π π 1 π√
=⇒ t ≈
(2t + 1)θ ≈ − ≈ n
2 4θ 2 4
√
This means that we alternate between U and V for O( n) times.

Fact: If all the marked items are ω1 , . . . , ωm .


|xi if x 6= ω1 , . . . , ωm
U |xi = ∑m
−|xi if x ∈ {ω1 , . . . , ωm } U =I −2 |wi i hωi |
i=1

What if we have m marked items?

∑ ∑
· If m is known, |ωi 7−→ √1m x:f (x)=1 |xi sin θ = hψ| √1m x:f (x)=1 |xi = m
n
√
π√ π n
t= n→t=
4 4 m
Remark 1. What if m is unknown? Without knowing m. we may overshoot:
sin2 ((2t + 1)θ) starts to diminish after t > 4θπ
− 12
( )i ⌊ ⌋
A quick fix: Guess m using exponentially increasing sequences: b 43 c where i = 1, 2, . . . , log 43 n .
Observation: sin2 π3 = sin2 2π 3 / 2 ≤ 2.
3 π π 2π π 3
3 = 4. 2/3,
O(log n) overhead to fix this if wo don’t know m.
Research paper: Yoder, Low, Chung. Fixed-point quantum search with an optimal number of qubits.
PRL 2014: arxiv: 1409. 3305
(√ n )
An algorithm without overshooting nor known m: cost O m
In general, having n items with m marked can be generalized to having a unitary U acting on l qubits sit.
√ √
U |0l i = p |1i |ψ1 i + 1 − p |0i |ψ0 i
(h1| hψ1 |) |0i |ψ0 i = h1|0i · hψ1 |ψ0 i = 0

where |ψ1 i and |ψ0 i are normalized (l − 1) - qubit quantum states, We can think of |1i |ψ1 i as the “good
state” and |0i |ψ0 i as the “bad state”.
Similar to Grover, we could apply:

1. A reflection w.r.t. the bad state |0i |ψ0 i

2. A reflection w.r.t. U |0l i.

1. This is basically putting a ”-” in front of |1i |ψ1 i and leaving |0i |ψ0 i alone
Solution: Put Z on the first quit. Z |0i = |0i , Z |1i = − |1i.

3
 2. Apply U R0 U −1

Applying 1 and 2 alternatively for k iterations, we get

√
sin((2k + 1)θ)|1i |ψ1 i + cos((2k + 1)θ)|0i |ψ0 i θ = arcsin p.
( )
Taking (2k + 1)θ ≈ π2 ⇒ k = O √1p , we can approximately get |1i|ψ,i.
( )
Classically: toss a coin with pub. p getting head, need Θ p1 tosses to get a head.
( )k )
(Fail: 1 − (1 − p)k , limk→∞ 1 − k1 = 1e .
This is known as amplitude amplification.
Remark 2. Unstructured search → ordered search (binary search) n items
Classically: dlog2 ne. 
0 x < j
Quantum: Consider a function fj : [n] → {0, 1] s,t. fj (x) = f , · · · , fn . decide which I’m
1 x ⩾ j 1
choosing.
Research paper. Childs. Londahl, and Parillo. artiv quent-ph/0608,61
Quantum: ≤ 4 log605 n ≈ 0.433 log2 n
Hoyer. Neerbek. Shi. arxiv : quat-ph/0009032
Quantum: ⩾ π1 (ln n − 1) ≈ 0.221 log2 n

4
Introduction to Quantum Computing Lecturer: Tongyang, scribed by Shuo Zhou
Fall 2022, Peking University Date: November 11, 2022

Lecture 15

Hamiltonian Simulation
- Efficient simulation
- Product formulas

1 Efficient simulation
d
One of the most well-known results in quantum mechanics: the Schrödinger equation, iℏ dt |ψ(t)i = H(t) |ψ(t)i
where H(t) is a Hamiltonian, and ℏ is Planck’s constant.
For convenience, it’s typical to choose units in which ℏ = 1.
Goal: Can we efficiently simulate the evolution of Schrödinger’s equation? In other words, given an initial
wave function |ψ(0)i, determine |ψ(t)i at any time t.
Actually, this was the first application of quantum computing when Richard Feynman initiated the field
in the 1980s.
For H independent of time, the solution of the Schrödinger equation is

|ψ(t)i = e−iHt |ψ(0)i

(−iHt)2 (−iHt)3
e−iHt = I + (−iHt) + + + ···
2! 3!
H : We consider cases where H is a (time-independent) n-quit Hamiltonian.
H ∈ C2 ×2 and H † = H. N = 2n
n n

We say that an n-qubit Hamiltonian H can be efficiently simulated if,

for any t > 0, ε > 0, there is a quantum circuit U consisting of poly (n, t, 1/ε) gates,
s.t. U − e−iHt ≤ ε. WLOG kHk = poly(n).

H, λ1 , · · · , λN e−iHt : e−iλ1 t , . . . , e−iλN t

Can prove: If H = H † , e−iHt eiHt = I.

We would like to understand: when H can be efficiently simulated.
Fact: We cannot simulate arbitrary Hamiltonian s efficiently, just as we cannot hope to efficiently imple-
ment arbitrary unitaries.
Instead: Study a few classes of Hamiltonian that can be efficiently simulated.
Strategy: Start from simple Hamiltonians, and combine then to more complicated ones.
Observation 1. H can be efficiently simulated if H only acts nontrivially on a constant number of qubits.
Trivial by the Sobvay-Kitaev Theorem: Any unitary evolution on a constant number of qubits can be
approximated with error ⩽ ε using poly (log 1/ε) one and two-qubit gates.
−1
Observation 2. If H can be efficiently simulated, so does cH for any c = poly(n). e−iHt = e−icH·c t .

1
 • Simply take the original Hamiltonian and rescale t.

• This holds even if c < 0 : just take t for the quantum circuit.
n
×2n
Observation 3. If H can be efficiently simulated, and U ∈ C2 can be efficiently implemented, then
U HU † can be efficiently simulated.

†
†
U HU † = U† H † U † = U HU †
†
k
This is because e−iU HU t
= U e−iHt U † . U HU † = U HU † U HU † · · · U HU † = U H k U † .

2  
−iU HU † t −iU HU + t −iU HU † t −iHt (−iHt)2
e =I+ + + ··· = U I+ + + ··· U † = U e−iHt U † .
1! 2! 1! 2!

Observation 4. If H ∈ C 2 ×2 is diagonal in the computational basis and any diagonal element d(k) =
n n

hk|H|ki can be computed efficiently for each k ∈ [n], then H can be efficiently simulated.
   
d(1) e−id(1)t
 ..   .. 
H=  .  e−iHt =  . 
  
e−id(2 )t
n
d (2n )
H† = H d(k) = d(k) ⇒ d(k) ∈ R

compute uncompute
|k, 0i 7−→ |k, d(k)i 7−→ e−itd(k) |k, d(k)i 7−→ e−itd(k) |k, 0i = e−iHt |ki|0i
Uf Uf†

By linearity, this process simulates H for time t.

Remark. Observation 3 and 4 together gives a way to simulate a Hamiltonian that can be efficiently
diagonalized, i.e., the U that diagonalizes H can be efficiently implemented.

2 Product formula
Many natural Hamiltonians have the form of a sum of terms, each of which can be efficiently simulated (by
the observations above).
For example: Hamiltonian of an n-quit spin system:
X X
H= hi X i + Ji,j Zi Zj .
i i,j

where hi , Ji,j ∈ C, and Xi is Pauli-X acting on the ith qubit, and Zi is Pauli-Z acting on the ith quit.
Definition. A Hamiltonian H is k-local if H is a sun of Hamiltonians that each acts on at most k qubits.
Product formula: In general, if H1 and H2 can be efficiently simulated, then H1 + H2 can be efficiently
simulated.
If H1 and H2 commute ([H1 , H2 ] = H1 H2 − H2 H1 = 0), then this is trivial.

e−i(H1 +H2 )t = e−iH1 t e−iH2 t

In general, for matrices, H1 and H2 don’t commute, i.e., [H1 , H2 ] 6= 0. In this case, e−i(H1 +H2 )t 6=
−iH1 t −iH2 t
e e in general. What can we do?

2

m
Lie product formula: e(−iH1 +H2 )t = limm→∞ e−iH1 t/m e−iH2 t/m .
For more quantitive versions, we truncate this expression to a finite number of times:
 m  m
e−iH1 t/m e−iH2 t/m − e−i(H1 +H2 )t/m ⩽ ε. (∗)

For convenience, denote A = −iH1 t, B = −iH2 t. Since for matrices a, b,

kam − bm k = am − am−1 b + am−1 b − am−2 b2 + · · · + abm−1 − bm

≤ am − am−1 b + am−1 b − am−2 b2 + · · · + abm−1 − bm (kXY k ≤ kXk · kY k)

m−1
≤ mka − bk · max {kak, kbk)

a2 kak2
kea k ≤ e∥a∥ : kea k = I + a + + ······ ≤ 1 + kak + + · · · = e∥a∥ .
2! 2!
Taking a = eA/m eB/m and b = e(A+B)/m , we have:
 m  m n om−1
eA/m eB/m − e(A+B)/m ⩽ m · eA/m eB/m − eA+B/m · max eA/m eB/m · e(A+B)/m

In our case, eA/m eB/m = e−iH1 t/m e−iH2 t /m is a multiplication of two unitaries, so eA/m eB/m = 1.
Similarly. e(A+B)/m = e−i(H1 +H2 )t/m is a unitary, so e(A+B)/m = 1, kA + Bk ≤ 2 max{kAk, kBk}.
        
A kAk2 B kBk2 A+B kA + Bk2
eA/m eB/m − eA+B/m = I + +O I + + O − I + + O
m m2 m m2 m m2
     
A B AB max{kAk, kBk}2 A+B max{kAk, kBk}2
= I+ + + 2 +O − I + + O
m m m m2 m m2
 
max{kAk, kBk} 2
=O (∆)
m2

In all, we have

 m  m 1
max{kAk, kBk}2 ?
e A/m B/m
e − e (A+B)/m
= m
⩽ε
X

m
Suppose kH1 k , kH2 k = O(1). Then kAk, kBk = O(t). Cost of simulation: Apply e−iH1 t/m e−iH2 t/m ,


in other words, e−iH2 t/m and e−iH1 t/m alternatively, for m = O t2 /ε times.
Can we improve further on the bound for m ?
In other words, can we make the error to 3rd power?

m
Consider eA/2m eB/m eA/2m . eA/2m eB/m eA/2m eA+B
(WLOG, kAk, kBk ≤ 1 for better presentation.)

eA/2m eB/m eA/2m − e(A+B)/m

        
A A2 1 B B2 1 A A2 1
= I+ + +O I+ + +O I+ + +O
2m 8m2 m3 m 2m2 m3 2m 8m2 m3
 2
   
A+B (A + B) 1 1
− I+ + +O =O A = −iH1 t, B = −iH2 t
m 2m2 m3 m3

m  3
Overall: e−iH1 t/2m e−iH2 tm e−iH1 t/2m − e−i(H1 +H2 )t = O m t
2 ⩽ε
 
t1.5
⇒ Cost : m=O .
ε0.5

3

m
eA/m eB/m : Trotter formula  
1
t1+ k
Higher-order Trotter formula: m = O ε1/k
∀k ∈ N Trotter-Suzuki: formula
Research paper. Berry, Ahokas. Cleve, Sanders. Efficient quantum algorithms for simulates sparse
Hamiltonians. CMP 2007. arxiv: quant-ph/0508139.
Similarly, for move terms we have
 m
e−i(H1 +···+Hl )t = lim e−iH1 ,/m · · · e−iHt t/m ,
m→∞
 1

t1+ k
and the product formulas still apply and give algorithms with cost O ε1/k
, ∀k ∈ N
Corollary: O(1)-local Hamiltonians can! be efficiently simulated.
n
For k-local Hamiltonians, at most = poly(n) terms when k = O(1).
k