Michele Mosca

Wolfson College
University of Oxford

Quantum Computer Algorithms

Thesis for the degree of Doctor of Philosophy at the University of Oxford

Trinity Term 1999
 Abstract
Quantum computer algorithms are designed to exploit the properties of quan-
tum physics. Quantum computations can be carried out in parallel on superposi-
tions of exponentially many computational basis states and information about the
outcomes of these computations can be measured via quantum interference. By
casting quantum algorithms within the paradigm of quantum interferometry, most
of the known quantum algorithms are clari ed, uni ed, and generalised.
Further, the limitations of quantum computer algorithms is studied in the
black-box model of computation, where the black-box reveals information about
certain parameters (in this case Boolean values X1; X2; : : : ; XN ) and we wish to
compute a function of these parameters. It is shown that the probability ampli-
tudes of a quantum algorithm which has made T black-box calls is a polynomial
in X1 ; X2; : : : ; XN of degree at most T . From this fact we can derive several
lower bounds on the number of queries required to compute various functions of
X1; X2; : : : ; XN , such as their parity, or majority value. Further, any function that
can be evaluated probabilistically using T queries on a quantum computer can be
evaluate deterministically on a classical computer using at most (4T )6 queries.
Several other relationships are also established.
Lastly, techniques for better exploiting a xed amount of quantum resources
are illustrated and versions of quantum algorithms that can be implemented with
very few qubits are suggested. I describe some of the rst quantum algorithms and
detail the rst implementation, namely, the Deutsch algorithm.

1
 Preface
Quantum computer algorithms are designed to exploit the properties of quan-
tum physics. Few powerful quantum algorithms are known. Although it is inter-
esting to nd applications of the existing quantum algorithms, we really seek a
fundamentally new one or an understanding of why we cannot nd one.
As part of this endeavour I have sought to understand the fundamental as-
pects of the existing quantum algorithms. Quantum computations can be carried
out in parallel on superpositions of exponentially many input states and infor-
mation about the outcomes of these computations can be measured via quan-
tum interference. By casting the known quantum algorithms within the para-
digm of quantum interferometry, I was able (together with co-authors) to clarify,
unite and generalise most of the known quantum algorithms in a series of papers
[CEMM98, CEH+99, vDDE+99, Mos98, Mos99, ME99, BHMT99]. These
results appear in Chapter 2. One class of algorithms that I have not yet studied
closely are those for simulating physical systems. However, one of the algorithms
developed for this purpose [AL98] turns out to be a rediscovery of the eigenvalue
estimation algorithm described in [CEMM98] (which was based on the one in
[Kit95]).
As a second part of this endeavour, I have sought to understand the limitations
of quantum computers, identifying approaches that cannot work, and shedding
light on why we nd it so hard to nd fundamentally new quantum algorithms. One

2
 PREFACE 3
approach is to study the limitations of quantum computer algorithms in the black-
box model of computation, where we have a black-box that reveals information
about certain parameters (such as a string X of Boolean values X1 ; X2; : : : ; XN ),
and we wish to compute a function F (X ) of those parameters. We [BBC+98]
showed that the probability amplitudes of a quantum algorithm which has made
T black-box calls is a polynomial in X1; X2; : : : ; XN of degree at most T . From this
fact we derive several lower bounds on the number of queries required to compute
various functions of X1; X2; : : : ; XN , such as their parity, or majority value. We
show that any function that can be evaluated probabilistically using T queries
on a quantum computer can be evaluate deterministically on a classical computer
using at most (4T )6 queries. Several other relationships are also established. This
approach and the major results are presented in Chapter 3.
Some algorithms are interesting even if we never implement them. Perhaps
they prove a new mathematical theorem or possess some other intrinsic beauty.
However algorithms are often interesting because they solve a problem of practical
interest in which case their realisability is of fundamental importance. A good
example are algorithms for breaking cryptographic protocols. There is a large
gap between theory and practice in quantum computer algorithms. For the rst
few years since the eld of quantum computing was born [Fey82, Deu85] not
even two qubit algorithms had been implemented. Recently, nuclear magnetic
resonance technology was shown to be suitable for implementing quantum logic
[CFH96, GC97]. However no practical way of scaling NMR quantum computers
to large numbers of qubits is known and we are currently limited to a handful of
qubits. We illustrate techniques for better exploiting a xed amount of quantum
resources and suggest versions of quantum algorithms that can be implemented
 PREFACE 4
with very few qubits. We have realised several of the rst quantum computations
[JM98, JMH98, JM99] and these are described in Chapter 4.
 Acknowledgements
I am truly grateful to my supervisors Artur Ekert and Dominic Welsh for all
their teaching, advice, help and support.
Many thanks to my co-authors and collaborators. I thank those who have
generously hosted me, and the rest of the people at Oxford and around the world
who have helped me learn about this eld over the past three years. I also thank
my examiners for the many helpful suggestions.
Special thanks to Adriano Barenco, Simon Benjamin, Harry Buhrman, Richard
Cleve, Holly Cummins, Wim van Dam, Mark Ettinger, Matt Gevaert, Rasmus
Hvass Hansen, Bernard Howes, Peter Hyer, Hitoshi Inamori, Jonathan Jones,
Chiara Macchiavello, Frederic Magniez, Juan Poyatos, Miklos Santha, Alain Tapp,
Vlatko Vedral, Sue Witney, and Ronald de Wolf.
I am grateful to Richard Booth, Pete Seeviour, Kevin Thacker, and the
C.E.S.G. who funded this D.Phil. Many thanks to Wolfson College for supporting
me in so many ways over the past four years, this last year as the Robin Gandy
Junior Research Fellow. I thank the Wolfson College Boat Club and the mem-
bers of the many other clubs and societies in which I have participated during the
preparation of this thesis.
Many special thanks to my parents, brother, family, and friends for their love
and support.

5
 Contents
Abstract 1
Preface 2
Acknowledgements 5
List of Figures 8
List of Tables 10
Chapter 1. Introduction 11
1.1. Quantum Physics 15
1.2. Quantum Computers 34
Chapter 2. Algorithms 37
2.1. The Deutsch algorithm 37
2.2. Eigenvalue Kick-Back 39
2.3. Phase Estimation and the Quantum Fourier Transform 42
2.4. Quantum Eigenvalue Estimation 47
2.5. Finding orders 50
2.6. Discrete Logarithms 56
2.7. Amplitude Estimation 59
2.8. Finding Hidden Subgroups 71
2.9. Equivalence of Shor and Kitaev approaches 82
2.10. Finding Hidden Ane Functions 85
6
 CONTENTS 7
Chapter 3. Limitations of Quantum Computers 93
3.1. What is a complexity class? 94
3.2. Black-boxes 98
3.3. Relation between quantum networks, black-boxes and polynomials 101
3.4. Applications to lower bounds 104
3.5. Relating quantum and deterministic query complexity 107
3.6. Some examples and applications 108
3.7. Controlled-OX and some open problems 112
Chapter 4. Implementations 116
4.1. Dealing with errors and faults 116
4.2. Maximising exploitation of quantum resources 119
4.3. Quantum Computation using Nuclear Magnetic Resonance 123
4.4. Interesting algorithms for implementation with few qubits 130
Appendix A. Appendix 137
A.1. Computing a controlled-U 137
A.2. Computing M (U ) 139
A.3. Reversible Computing without keeping the input 140
A.4. Fourier Transforms 141
A.5. Public Key Cryptography and Quantum Computing 144
A.6. Finding logarithms, DSA, and Die-Hellman 148
A.7. Implementing a function with a pulse sequence 149
Bibliography 152
 List of Figures
1.1 NOT and AND gates 13
1.2 Reversible AND 14
1.3 Reversibly computing a function 16
1.4 Beam-splitter 17
1.5 Two beam-splitters 18
1.6 Two beam-splitters and phase-shifters 19
1.7 Energy eigenstates of single spins 29
1.8 Energy eigenstates of two independent spins 31
1.9 Energy eigenstates of two coupled spins 32
2.1 Deutsch algorithm 38
2.2 Phase kick-back 40
2.3 Quantum Fourier transform and phase estimation 42
2.4 Eigenvalue estimation 49
2.5 Amplitude ampli cation 61
2.6 Hidden subgroup problem 73
2.7 Factoring algorithm analysis: computational vs. eigenvector
basis 84
2.8 Hidden subgroup analysis: computational vs. eigenvector basis 85
8
 LIST OF FIGURES 9
2.9 Hidden ane functions algorithm 90
3.1 3-Colouring 95
3.2 A network which makes T black-box queries 102
3.3 A controlled black-box application 113
4.1 \Semi-classical" Fourier transform 121
4.2 Cytosine quantum computer 124
4.3 Classically computing f (0) and f (1) 133
4.4 Implementation of Deutsch algorithm 134
A.1 Network for controlled-controlled-NOT 138
A.2 Network for controlled-U 138
A.3 A network for M (U ) 140
A.4 Reversible computing without keeping the input 141
A.5 QFT (AB ) with A and B coprime 142
A.6 QFT (ABC ) for arbitrary A; B; C 144
 List of Tables
2.5 Quantum vs. classical counting complexities 70
3.2 Quantum query complexities 113

10
 CHAPTER 1

Introduction
An algorithm is a procedure for performing a task. For example, a cake recipe
is an algorithm that takes as input standard kitchen ingredients and uses standard
kitchen equipment to output a cake (sometimes with only a bounded probability of
success). A computer is a physical device that helps us process information, and an
information processing task can always be translated into physical one. Theorists
tend to work with an abstract model of computation, but when pondering the
capabilities and limitations of a computing device for some practical reason, it is
important not to forget the relationship between computing and physics. Dramatic
examples are the physical attacks used to break certain cryptosystems that made
use of RSA encryption. These protocols were designed with the hope that the
security of the system relies on the diculty of solving a problem which is closely
related to factoring large numbers. However, without factoring any integers, people
have been able correctly to infer the encryption keys. They did so by cleverly
probing physical devices performing the encryption for clues leaked during the
physical act of computing the ciphertext (see for example, [Koc96]).
A prototype computer is the Turing machine (see e.g. [GJ79, AHU74,
Pap94, MR95, Wel88]). The key ingredients are a piece of hardware which
runs according to some software and uses additional memory to carry out the
software instructions and produce some output. A suciently complex Turing
machine with an arbitrarily large supply of memory can simulate any other Turing
machine M provided the input contains a description of how M works. Such a

11
 1. INTRODUCTION 12
Turing machine is called a universal Turing machine. If we equip a Turing ma-
chine with the ability to ip a fair coin, we get a probabilistic Turing machine. A
probabilistic Turing machine computers a function by outputting an answer that
is correct with probability at least 23 (the average is over all possible outcomes
of the coin ips, not the di erent inputs to the function f ). A universal Turing
machine can simulate any other Turing machine and in fact, they can simulate any
other reasonable computer known to date. Furthermore, a universal probabilistic
Turing machine can simulate any Turing machine (and any other reasonable device
known to date) with at most a polynomial overhead (this is the strong form of the
Church-Turing thesis). By polynomial overhead we mean that if our machine uses
T units of some resource (usually time or space), then the universal probabilistic
Turing machine will simulate it using at most p(T ) units of that resource where p is
a xed polynomial (often referred to as poly(T )). To do so, we specify the way our
reasonable computer works, and then the universal Turing machine simulates our
machine. Another model of computation is that of a uniform families of acyclic
circuits (see [Pap94] for example). An acyclic circuit Cn is described by a circuit
diagram which has n input wires, and at each time step t each wire can enter at
most one gate G. The term circuit seems to correspond to a particular physical
implementation. The acyclic circuits look more like an array or network of gates,
which is the terminology we will use in the quantum setting. The gates come from
a nite family of gates which take information from input wires and output infor-
mation along some output wires. A family of acyclic circuits is a family of circuits
fCnjn 2 Z+g. The family is uniform if we can easily construct Cn (say by an appro-
priately resource-bounded Turing machine - see [GJ79, Pap94, MR95, Cle99],
for a discussion). A deterministic Turing machine can compute whatever a prob-
abilistic one can (in nite time) by trying all possible outcomes of the coin ips.
 1. INTRODUCTION 13
There is a well-de ned family of functions that can be computed in a nite number
of steps and those that cannot (see e.g. [Rog87] or [Dav82]). However not all
problems which have \e ective procedures" for solving them will have \ecient
procedures", that is procedures that use a `reasonable' amount of resources. The
computational complexity of a problem or task attempts to quantify the amount
of resources, such as time, space, or energy, necessary to perform the task for an
input of size n. We will restrict attention to worst-case complexities, that is the
complexity of a problem on the worst-case input of a speci c size. In particu-
lar, when using the acyclic circuit model, a natural measure of complexity is the
number of gates used in the circuit Cn.
In studying the minimum energy requirements of any computing device, Ben-
nett [Ben73] observed that the amount of energy necessary can be made arbitrarily
small if the computer has reversible components, that is if each operation was log-
ically reversible. For example, the NOT operation is reversible, but the AND
operation is not reversible (see gure 1.1).

Figure 1.1. The NOT and AND gate. Note that the NOT gate
is logically reversible while the AND is not.
 1. INTRODUCTION 14
He also showed how any irreversible classical algorithm can be transformed into
a reversible one. This is easy to see in the circuit model of computation. Each gate
in a nite family of gates can be made reversible by adding some additional input
and output wires if necessary. For example, the AND gate can be made reversible
by adding an additional input wire and two additional output wires (see gure 1.2).
Note that additional information necessary to reverse the operation is now kept

Figure 1.2. The reversible AND gate keeps a copy of the inputs
and adds the AND of x0 and x1 (denoted x1 ^ x2 ) to the value in
the additional input bit. Note that by xing the additional input bit
to 0 and discarding the copies of the x0 and x1 we can simulate the
non-reversible AND gate.

instead of being somehow absorbed into the environment, as is done in any logically
irreversible computation. By simply replacing all the non-reversible components
with their reversible counterparts 1, we get a reversible version of the algorithm.
1 Our universal set of reversible gates might not contain this particular gate, but a xed size
circuit made from our universal set of gates could be used instead.
 1.1. QUANTUM PHYSICS 15
If we start with the output, and run the circuit backwards, we obtain the input
again. The reversible version might introduce some constant number of additional
wires for each gate. Thus if we have a non-reversible algorithm which used time T
(the depth of the circuit) and space S , we can easily construct a reversible version
that used a total of O(T + S ) space and time T . Furthermore, the additional `junk'
information generated by making each gate reversible can also be erased at the end
of the computation by rst copying the output, and then running the reversible
algorithm in reverse to obtain the starting state again. This is illustrated in gure
1.3. Bennett subsequently showed how to turn a computation using time T and
space S in a reversible one using time O(T 1+) and space O(S log T ) or time O(T )
and space O(ST ), for any  > 0 (see [Ben89], [LTV98]).
This beautiful theory of reversible computation was sparked by a simple ques-
tion about the physics of computation. It is important to note that Turing ma-
chines and modern-day computers implicitly refer only to notions of physics that
are over a century old and known as `classical physics'. This past century a new
theory has been developed which includes the theory of quantum mechanics.
In the next section we take a closer look at quantum physics and its relationship
to computation.
1.1. Quantum Physics
One experimental set-up that exempli es in a very simple way some of the
main principles of quantum mechanics is the Mach-Zehnder interferometer. The
interferometer is an apparatus that allows us to measure the interference of photons
following two di erent paths. It consists of two half-silvered mirrors (or beam-
splitters ), some full-mirrors to help direct the photons along one of two desired
paths (we will not illustrate these full-mirrors, but whenever you see a light path
take a sharp turn, there implicitly is a mirror there!), and two photon detectors
 1.1. QUANTUM PHYSICS 16

Figure 1.3. A network for computing f (x) reversibly. Start with

the input. Compute f (x) using reversible logic, possibly generat-
ing some extra 'junk' bits of information. Copy the output f (x) to
another register (this is a `classical' state, so copying simply corre-
sponds to performing a controlled-NOT between every qubit of the
output register and a qubit of the copy register). Run the circuit
for f backwards (replacing each gate by its inverse gate - here we
illustrate self-inverse gates) to erase the contents of the output and
workspace registers.
 1.1. QUANTUM PHYSICS 17
at the end of each path. Let us denote a photon in the upper path as being in
state j 0i, and in the lower path as state j 1i. We rst describe the behaviour of
the half-silvered mirrors (see gure 1.4). We start with a single photon in the j 0i

Figure 1.4. When a photon enters the beam-splitter along the j 0i

path, we get a single click at either the j 0i or j 1i detector, each with
probability 50%.

path and set up the photon detectors along both possible directions the photon
could take. When the photon passes through the half-silvered mirror, we notice
that exactly one of the two photon detectors clicks (this is an ideal situation). We
never get two \half-clicks", or other fractions of a click. This discreteness is one of
the main features of quantum mechanics. We repeat this experiment many times,
and each time exactly one detector clicks, each one about half of the time. The
simplest explanation is that the photon impinging upon the half-silvered mirror
takes one of the two paths with 50% probability - a simple coin ip.
 1.1. QUANTUM PHYSICS 18
Now let us repeat this experiment, except this time with two beam-splitters
aligned so that no matter which of the two paths the photon takes it will arrive at
the second beam-splitter at the same time (see gure 1.5).

Figure 1.5. Contrary to our classical intuition, all of the photons

are detected at detector j 1i.

Assuming that a photon going through a beam-splitter simply takes one of the
two paths at random, then we expect roughly half of the photons to be detected
at the j 1i detector and the other half at the j 0i detector. Quite logical, but false.
Set up this apparatus, and you will notice that you only detect photons at the j 1i
detector! By inserting an appropriate phase-shifter (usually a piece of glass), along
the j 0i path, the probability distribution shifts from only j 1i detections to only
j 0i detections. We call this a -phase-shifter. Thus we can reliably distinguish
between the presence and absence of this -phase-shifter. Further, by placing a
0-phase-shifter along the j 0i path and 1-phase-shifter (we can adjust the phase
shift  of a phase shifter by changing internal properties such as thickness and
refractive index) along the j 1i path the proportions are sin2(  2  ) j 0i detections
0 1

and cos2 (  2  ) j 1i detections.

0 1
 1.1. QUANTUM PHYSICS 19

Figure 1.6. The phase shifters induce an interference pattern de-

pending on the di erence between the two phase shifts.

So our simple explanation needs to be revamped. Our current understanding

is the following: when exiting the rst beam-splitter, the photon is in the state
pi j 0i + p1 j 1i, that is a linear combination or superposition of the two states. The
2 2
amplitude of j 0i tells us the probability of observing the photon in path j 0i if we
set up our detectors. You obtain the probability by squaring the modulus of the
2
amplitude. Thus we measure the photon in path j 0i with probability pi2 = 21 .
Similarly, if we send a photon through the beam-splitter starting in the j 1i path it
would come out in the state p12 j 0i + pi2 j 1i (that is the re ected beam picks up a
phase of i). The phase shifts of 0 and 1 change the state from pi2 j 0i + p12 j 1i to
iepi j 0i + epi j 1i. The second beam-splitter acts in the same way as the rst one,
0 1
2 2
that is it maps j 0i ! pi2 j 0i + p12 j 1i and j 1i ! p12 j 0i + pi2 j 1i, and therefore it
maps iepi2 j 0i + epi2 j 1i to
0 1

  
iepi pi j 0i + p1 j 1i + epi p1 j 0i + pi j 1i :
0 1

(1)
2 2 2 2 2 2
Thus a photon can arrive at the j 0i detector by two di erent paths, one with
  
amplitude iepi2 pi2 = e2i , and the other path with amplitude ei2 . The
0 0 1
 1.1. QUANTUM PHYSICS 20
0 +1
total amplitude of the state j 0i is e2i + ei2 = iei
0 1
sin(  2  ). Similarly we
2 0 1

 
see that the total amplitude of the state j 1i is iei cos(  2  ) and the state
0+ 1 0 1

2

 
in equation (1) is equal to iei 2 sin(  2  ) j 0i + cos(  2  ) j 1i . Note that all
0+ 1 0 1 0 1

that determines the magnitude of the amplitudes is the di erence between 0 and
1. In general the photon could be in any linear combination or superposition state
of the form

0 j 0i + 1 j 1i

where j 0 j2 +j 1 j2 = 1. This state can also be described by the vector ( 0 ; 1) 2 C 2 ,

where the basis vectors (1; 0) and (0; 1) correspond to j 0i and j 1i respectively. The
action of the beam-splitter can thus be described by the 2  2 matrix
0 i 1
p12
@ p2 A
p12 pi2

and the phase-shifters by the matrix

0 i 1
@e 0 A:
0

0 ei 1

Suppose we had two such Mach-Zehnder apparatuses set up with the state of each
of photon described by p12 j 0i + p12 j 1i. The 2-photon system would be described
by the state
1  1 X 1 
(2) p j 0i + p1 j 1i p j 0i + p1 j 1i = 2 j x1 i j x2 i :
2 2 2 2 x ;x 2f0;1g 1 2

We will often denote a state j x1 i j x2 i as j x1 i j x2 i or simply as j x1 x2 i. The two

photon system could in fact exist in any linear combination of the form
X
(3) x j xi ;
x2f00;01;10;11g
 1.1. QUANTUM PHYSICS 21
P
where j xj2 = 1, and j 2
x j is the probability of observing the state j xi =
j x1 i j x2 i if we set up our four detectors along the possible paths. This means the
2-photon system can be in a state that is not simply two independent 1-photon
systems as we describe in equation (2). Consider for example the state, also known
as an Einstein-Podolsky-Rosen (EPR) [EPR35] state,

(4) p1 j 0i j 0i + p1 j 1i j 1i :
2 2
This state cannot be factored into the product of two independent states. Note
that superpositions of the form in equation (3) can also be denoted as vectors in
C 4 , ( 00 ; 01 ; 10 ; 11 ). In general, if we have two systems in states (a0 j 0i + a1 j 1i)

and (b0 j 0i + b1 j 1i), the joint system

a0 b0 j 00i + a0 b1 j 01i + a1 b0 j 10i + a1 b1 j 11i

is denoted by the vector

(a0b0 ; a0 b1 ; a1b0 ; a1b1 ) = (a0 ; a1) (b0 ; b1)

the tensor product of the vectors describing the subsystems. We can prove that
state (4) cannot be factorised into two independent one-qubit states by showing
that the vector ( p12 ; 0; 0; p12 ) cannot be decomposed as the tensor product of two
complex vectors (a0 ; a1) (b0 ; b1). The two particles are strongly correlated in a
way we refer to as being entangled. This notation where (1; 0; 0; 0) is denoted j 00i
is Dirac's bra-ket notation [Dir58].
However, the path of a photon in a Mach-Zehnder interferometer is just one
example of a system with two discrete states which we label j 0i and j 1i. Any
quantum system with at least two reliably distinguishable states (for example, two
discrete energy levels which can represent the logical states 0 and 1) can be used
 1.1. QUANTUM PHYSICS 22
as a qubit and prepared in a superposition of its logical states

(5) j i = 0 j 0i + 1 j 1i ;

where j 0j2 + j 1j2 = 1, and as before, j 0 j2 is the probability of observing j 0i and

j 1j2 is the probability of observing j 1i.
Other candidates for physical realisation of qubits are polarised photons,
trapped ions and nuclear spins. The physical details of preparing, manipulating
and measuring a qubit depend on the type of physical realisation. For example,
a proton has a nuclear spin of 21 and therefore when in a static magnetic eld
oriented along the z-axis it has two possible energy levels, one corresponding to
\spin-up" which we call state j 1i and one corresponding to \spin-down" which we
call state j 0i. If the spin is in state j 0i and we wish to apply the NOT opera-
tion, we can send in a radio-frequency pulse of appropriate intensity and duration,
with frequency corresponding to the energy di erence between the j 1i and j 0i
states. This causes a spin initially in the state j 0i to evolve into the state j 1i
and vice versa. We can also apply the same pulse for half of the duration to give
us an equally weighted superposition of j 0i and j 1i, similar to the state of the
photon after it goes through the beam-splitter 2 Just as going through a second
beam-splitter sends the photon to the state j 1i, applying another pulse of half the
duration of the NOT pulse sends the spin to the state j 1i thereby completing the
p
NOT operator. This operation is often called the square-root of NOT , NOT .
2 When we view the beam-splitter (from the previous example) and radio-frequency pulse as
quantum objects, we see that the interaction between the qubit and the apparatus does leave
in the apparatus a very small trace of information about the state of the qubit. The degree of
entanglement between the qubit and apparatus in the case of a beam-splitter or a large radio-
frequency pulse is negligible, so in practice we ignore it.
 1.1. QUANTUM PHYSICS 23
In general a single spin can be prepared, by a suitable sequence of various types
of pulses, in any superposition as in equation (5).
We can also consider a register composed of n qubits. Any classical register of
n bits can store just one of 2n strings at a time. Suppose we prepare a quantum
register of 3 qubits, say nuclear spins, in the state j 0i j 0i j 0i and we apply a
suitably tuned radio-frequency pulse to evolve the rst qubit into the state p12 j 0i +
p1 j 1i. Then the three-qubit system will be in the state
2

p1 j 0i j 0i j 0i + p1 j 1i j 0i j 0i :
2 2
A similar pulse applied to the second qubit will act in parallel on both con gura-
tions j 0i j 0i j 0i and j 1i j 0i j 0i to produce

1 j 0i j 0i j 0i + 1 j 0i j 1i j 0i + 1 j 1i j 0i j 0i + 1 j 1i j 1i j 0i
2 2 2 2

and another pulse applied to the third qubit creates a superposition of all eight
con gurations 000, 001, : : : , 111. With n qubits we can similarly prepare superpo-
sitions of all 2n con gurations. All 2n possible strings are now physically present,
and any operation we apply to the register of n qubits will be applied to all con-
gurations in parallel. For example, if we apply an operation U only once to this
system, we will produce the state
X
p1 n U j xi :
x2f0;1gn 2

An n-qubit system can be in any state of the form

X
x j xi
x2f0;1gn
 1.1. QUANTUM PHYSICS 24
P
where j xj2 = 1 and j 2
x j is the probability of observing the state j xi =
j x1 i j x2 i : : : j xn i. The amplitude x of j xi in the state j i is the inner prod-
uct h xj i between the state vectors j i and j xi. We can thus also write
X X X
j i= x j xi = j xi x = j xi h xj i:
x2f0;1gn x2f0;1gn x2f0;1gn

Any linear transformation U that maps states

P j xi satisfying
x
x
X
j xj2 = 1

to other states
P j xi satisfying
x
x
X
j x j2 = 1

must be unitary. Unitary transformations are precisely those that satisfy U  =

U 1 , where U  denotes the conjugate transpose of U (often denoted U y in the
literature).
A quantum operation such as applying a radio-frequency pulse or putting a
beam-splitter in the path of a photon, can be described without reference to any
particular quantum technology. We will describe operations on qubits in terms of
some prescribed elementary operations which we refer to as quantum logic gates.
p
We have already described the NOT and NOT . A similar operation which maps

j 0i ! p1 j 0i + p1 j 1i
2 2
and

j 1i ! p1 j 0i p1 j 1i
2 2
 1.1. QUANTUM PHYSICS 25
is called a Hadamard gate denoted by H . A gate such as the phase shifter of angle
 along the j 1i path, that maps
j 0i ! j 0i
(6)
j 1i ! ei j 1i
is called a phase gate R .
These one-qubit gates alone will not allow us to perform every unitary operation
possible on n-qubits. They will not even allow us to create entangled states from
unentangled ones. We need a non-trivial two-qubit gate, such as the controlled-
NOT which maps
j 00i ! j 00i
j 01i ! j 01i
j 10i ! j 11i
j 11i ! j 10i :
We call this a controlled-NOT because the NOT is e ected to the second qubit
(or target qubit) when the rst qubit (or control qubit) is in the state j 1i. Another
non-trivial two-qubit gate is the controlled-R that maps
j 00i ! j 00i
j 01i ! j 01i
j 10i ! j 10i
j 11i ! ei j 11i
(note the symmetry between the control and target qubits).
We need such two-qubit gates to map the state j 0i j 0i to the state p12 j 0i j 0i +
p12 j 1i j 1i. We can do this by rst applying a Hadamard gate to the rst qubit to
 
create p12 j 0i + p12 j 1i j 0i = p12 j 0i j 0i + p12 j 1i j 0i. Applying a controlled-NOT
then yields the EPR state p12 j 0i j 0i + p12 j 1i j 1i. As mentioned earlier, this state
 1.1. QUANTUM PHYSICS 26
cannot be decomposed as the product of two independent one-qubit states, and is
thus entangled. Superpositions that can be so decomposed are called unentangled
or separable. Qubits typically become very entangled in the intermediate stages
of most interesting quantum computations. Entangled pairs of qubits are also a
valuable physical resource in other applications of quantum information theory,
such as quantum communication and quantum key exchange.
The fact that one qubit in an entangled pair of qubits cannot be described
as a superposition independently of the other qubit forces us to reconsider the
mathematical description of quantum states in terms of state vectors. For example,
how should we describe the state of one qubit of an EPR pair? Such a state
can be described in terms of density operators [CTDL77] which provide a more
general mathematical description of a quantum state. For a single qubit in the
superposition state (or pure state ) j i = j 0i + j 1i, the corresponding density
operator is the projector  = j i h j =  j 0i h 0j +  j 0i h 1j +  j 1i h 0j +
 j 1i h 1j. This operator can be written in the fj 0i ; j 1ig basis as
0 1 0 2 1
  j j 
@ A
  =@ A
2 :
 jj
The probability of measuring j 0i is equal to

j j2 =  = h 0j ih j 0i = Tr(h 0j ih j 0i) = Tr(j ih jj 0ih 0j) = Tr(j 0ih 0j):

In general, given a state described by a density matrix , the probability of mea-
suring a state j i equals

Tr( j i h j):

Note that for any unitary operator U acting on a qubit, the density operator
j 0i h 0j of the state j 0i = U j i is equal to UU  where  = j i h j.
 1.1. QUANTUM PHYSICS 27
With any quantum state we can associate a density operator, , such that  is
positive and the trace of , Tr() = 1 (see [CTDL77]). If we apply the unitary
operator U to that state, the outcome state has density operator UU  .
If we wish to describe a qubit that is entangled to another we start by writing
the quantum state vector of the two qubit system
X
j i= wx j wxi
w;x2f0;1g
then we construct the density operator of the two qubits
X
 = j ih j = wx yz j wxi h yz j :

w;x;y;z2f0;1g
To compute the density operator 1 of the rst qubit, we perform the partial trace
(see [CTDL77]) over the second qubit to get
X
wx yx j wi h y j :
1 = Tr2() = 
w;y;x2f0;1g
Similarly we can compute the density operator 2 of the second qubit by performing
the partial trace over the rst qubit to get
X
wx wz j xi h z j :
2 = Tr1() = 
w;x;z2f0;1g
For example, the state
j i = p1 j 00i + 21 j 01i + 2i j 11i
2
is described by the density operator
0 1 1 i
1
B 2 2p20 2p2 C
B
B 2p2
1 1 0 i C
C
=B
B 4 4 C
C
B
@ 0 0 0 0 C
A
i i 1
2p2 4 0 4
 1.1. QUANTUM PHYSICS 28
and, after taking the partial traces we get

03 i
1
1 = Tr2() = @ 4i 4
1
A
4 4
0 1 1
1
2 = Tr1() = @ 21 2p2 A:
1
2p2 2

If the bit value is measured on the two qubits then with the probabilities 12 ; 14 ,and 14
one obtains respectively 00 , 01; and 11: The outcome 10 has the probability zero.
These probabilities are given by the diagonal elements of : Suppose the second
qubit was taken away so that one can measure only the bit value on the rst qubit.
In this case one obtains the bit values 0,1 with probabilities 43 ; 41 respectively,
which are given by the diagonal elements of 1: The diagonal elements of 2 give
probabilities of obtaining 0 or 1 when the measurement is performed on the second
qubit alone. The partial trace of larger systems is de ned similarly [CTDL77].
So how do we actually e ect an operation, such as the controlled-NOT , that
will create entanglement? Let us return to our example of a spin- 21 particle, say a
proton, in a magnetic eld oriented along the z-axis. The energy of a proton in the
spin-up state is !2 ~ and in the spin-down state is 2! ~ where ~ = 6:626  10 34 J
s
and 2! is a frequency. The frequency 2! depends on the strength B of the magnetic
eld and on the type of nucleus according to ! = B , where is the gyromagnetic
ratio (which for a proton is about 2:675  10 6 Hz=Tesla). Thus a proton in a eld
of strength 9:4Tesla has a frequency ! = 400MHz. (The strength of magnetic
elds is often given in terms of the frequency 2! the magnetic eld would induce
on a proton.) We thus denote the energy operator H , or the Hamiltonian, by the
 1.1. QUANTUM PHYSICS 29

Figure 1.7. The energy eigenstates of the energy operator are j 0i

with energy eigenvalue !2~ and j 1i with energy eigenvalue 2!~ .

matrix
0 !~ 1
@ 2 0 A 1
!~
= !~z
2
0 2

where
0 1
1 0
z = @ A:
0 1

As mentioned earlier, we can e ect the NOT gate by sending a radio-frequency

pulse of frequency 2! of appropriate intensity and duration. Suppose we had two
independent nuclei in the same magnetic eld, one with energy eigenvalues  !2~1

and the other with energy eigenvalues  !2~ . The joint system has a Hamiltonian
2
 1.1. QUANTUM PHYSICS 30
equal to
0 1
B !1 + !2 0 0 0 C
B 0 !1 !2
~B 0 0 C
C
B
B C
C = 1 !1~z I+
1 ! ~I 
2B 0 0 !1 + !2 0 C 2 2 2 z
@ A
0 0 0 !1 !2
as illustrated in gure 1.8.
However two such nuclei do not behave independently of each other, since their
own magnetic elds a ect the energy levels of surrounding nuclei. The energy
levels are increased by 2 J12~ if the nuclei are oriented in the same direction, and
decreased by the same amount if they are oriented in the opposite direction. The
Hamiltonian thus gets shifted to !2~ z I + !2~ I z + 2~ J12z z
1 2

0 1
B !1 + !2 + J12 0 0 0 CC
B
~B 0 !1 !2 J12 0 0 CC
= 2B
B CC
B
@ 0 0 !1 + !2 J12 0 A
0 0 0 !1 !2 + J12
(see gure 1.9). A radio-frequency pulse of frequency 21 (!2 + J12 ) of appropriate
intensity and duration would e ect the NOT on the second nucleus if and only if
the rst nucleus is in the state j 1i. The coupling of the two nuclei thus gives us
the opportunity to e ect conditional dynamics on the two qubits.
We have just illustrated one way of realising the controlled-NOT . We can use
similar pulse sequences to implement quantum algorithms using NMR technology.
I have said how quantum operations are unitary (some operations may seem
non-unitary, but only when ignoring part of the entire system), and have even
illustrated some examples of unitary operations, such as putting a beam-splitter
in the path of a photon, or applying a radio-frequency pulse to a nucleus. The
Schrodinger equation tells us how these black-boxes work.
 1.1. QUANTUM PHYSICS 31

Figure 1.8. With two independent nuclei, we have four energy

eigenstates. A radio-frequency pulse of frequency !1 and appropri-
ate duration and intensity will e ect a NOT on the rst qubit. A
radio-frequency pulse of frequency !2 and appropriate duration and
intensity will e ect a NOT on the second qubit.

Consider a closed system in the state j (0)i 2 H N . This state can change
over time, and we denote by j (t)i the state of this system at time t. Let us
suppose that we start with a system in the state j (0)i and the system is in an
environment where the energy of a state j i is de ned by the operator H (t). The
 1.1. QUANTUM PHYSICS 32

Figure 1.9. The energy eigenvalues of two nuclei with respective

energies  !2~ and  !2~ and coupling term J12 are illustrated. A
1 2

radio-frequency pulse of frequency 2! + J2 of appropriate intensity

2 12

and duration will e ect the controlled-NOT .

Schrodinger equation states

i~ dtd j (t)i = H (t) j (t)i :

This equation implies that the evolution of the state j i is unitary. If we assume
the Hamiltonian remains constant then the solution to the Schrodinger equation
is

j (t)i = e ~i Ht j (0)i :
 1.1. QUANTUM PHYSICS 33
This equation implies that the evolution of the state j i is unitary. For example,
if we change the environment of a qubit so that we e ect a Hamiltonian !~Ix,
where
0 1
1
0 A = 1 x;
Ix = @
2
1 0 2
2
( Ix is typically used in chemistry) then by letting the qubit evolve in this environ-
ment for a period of time t we e ect the unitary operation
0 1
@ cos( !2 t) i sin( !2 t) A
:
i sin( !2 t) cos( !2 t)
So if we set t = ! we get a unitary operation equal to
0 1
0 1
e iIx = i@ A
1 0
which corresponds to a NOT gate (apart from the global phase factor 3 of i).
This is often called a -pulse, or a 180Ix pulse. If t = 2! , we call this a 2 -pulse
or a 90Ix pulse, which realises the square root of NOT operation.
A 180Iy pulse, where
0 i
1
0 2 A = 1 ;
Iy = @ y
i 0 2
2
realises the operation
0 1
0 1
e iIy = @ A
1 0
3 Global phase shifts, say by a factor ei , of a state j do not a ect the probability of
i

observing any particular state j xi even if the state j i is transformed by unitary operator U .
 1.2. QUANTUM COMPUTERS 34
and applying a 90Iy pulse realises what we call a pseudo-Hadamard gate [JM98]:
0 1
1 1
(7) e i  Iy = p1 @
2 A:
2 1 1
One- and two-qubit gates like these will form the basis of a quantum computer,
which we describe in the next section.
This brief summary of quantum physics should suce for this course. For more
details, see for example [Fey65, CTDL77].

1.2. Quantum Computers

Our model of computation will be a quantum version of the uniform families of
acyclic circuits, namely uniform families of quantum networks or acyclic quantum
gate arrays. We will restrict attentions to nite universal sets G of gates that can
eciently simulate any other nite set of gates. Let us explain this in more detail.
A set G of gates is universal if for every positive integer n, any real  > 0, and
any unitary operation U on n qubits, we can approximate U with an error of at
most  using gates from G . This means that there is a network N of gates from
G such that for any input j xi, the network outputs a state N j xi that is within

distance  (in the Euclidean norm) of the state U j xi.

An example of a universal (but not nite) set of gates that can exactly simulate
any unitary operation is the set of single-qubit operations and the controlled-NOT
gate [BBC+95]. It is not reasonable of course to have an in nite number of gates
at our disposal, but the controlled-NOT with almost any one-qubit gate allows
us to approximate any unitary operator arbitrarily well. Other nite families of
universal gates are also known [Deu89, BDEJ95, DiV95, Llo95].
We also require our universal set G of gates to be able to eciently simulate
any network N of T gates from another speci ed set of gates. This means that for
 1.2. QUANTUM COMPUTERS 35
any  > 0, we can eciently construct a network N 0 of at most poly(T; 1 ) gates
from G that approximates N with accuracy . We therefore require our universal
set G of gates to have the property that given a gate G (acting on a nite number
of qubits) and an integer N > 0, we can eciently nd a sequence of poly(N )
gates in G that approximates G with accuracy N1 . Many such families are known
[BV97, Cle99, Kit97, ADH97]. Kitaev [Kit97] and Solovay [Sol99] de ne sets
of gates that have only a polylog(N ) overhead.
As in the classical case, we also require uniformity. In this course it will be
clear from the description of the quantum networks that a classical Turing machine
(either a reversible or an irreversible one) can easily construct them. For exam-
ple, one could easily write a short C program that will eciently output circuit
diagrams for the algorithms described. Some of the algorithms involve construct-
ing a network, executing it, and then depending on the output, we construct and
execute another quantum network if necessary. Another natural model of compu-
tation is the universal quantum Turing machine [Deu85]. See [BV97, Yao93]
for a discussion of the relationship between these models of computation. We will
stick with the uniform families of networks, because they most accurately represent
what researchers are attempting to construct in practice and is the model in which
most quantum algorithms have been designed.
How are quantum computers di erent from classical reversible ones? The states
of classical reversible computers are con ned to one of the computational basis
states. Quantum computers can branch out into superpositions of exponentially
2P
n 1
many computational basis states such as p12n j xi. Once in such a superposi-
x=0
tion, they are able to compute functions in parallel on all of the basis states. That
is, by computing a reversible function  only once, via a quantum gate array that
2P
n 1
1 2P
n 1
maps j xi ! j (x)i, we will map the state p12n j  (x)i.
x=0
p
2n j xi to the state x=0
 1.2. QUANTUM COMPUTERS 36
The function  could for example map j x1 i j x2 i ! j x1 i j x2  f (x1)i for any func-
tion f (even a non-reversible f will work since we keep a copy of the input). With
exponentially many outputs of  in superposition, we can probe some of the global
properties of  (that is properties depending on many of its inputs) by techniques
we describe later.
Are quantum computers essentially di erent from classical probabilistic com-
puters? Probabilistic algorithms can also e ectively branch over exponentially
many computational paths, but there is a subtle di erence in how the various
outcomes of di erent paths combine to produce an output. In probabilistic com-
puting, if outcome 0 can be reached by two di erent paths with probabilities
p00 = ja00 j2 and p10 = ja10 j2, then the probability of obtaining outcome 0 is
p00 + p10 = ja00 j2 + ja10 j2 . In a quantum algorithm, if outcome 0 can be obtained
by two di erent paths, like the j 0i detection in the Mach-Zehnder interferometer,
with probability amplitudes a00 and a10 , then the probability of observing 0 is
ja00 + a10 j2 . The relative phase between the two amplitudes is important and can
result in either constructive or destructive interference. Destructive interference
occurs when the amplitudes a00 and a10 cancel each other out, the most extreme
case being when a00 = a10 and we thus measure 0 with probability 0. Con-
structive interference occurs when the amplitudes are aligned in some common
direction, an extreme case being when a00 = a10 = p12 in which case we measure
0 with probability 1. The challenge is to design quantum algorithms which induce
constructive interference on good states and destructive interference on bad states.
 CHAPTER 2

Algorithms
This chapter will discuss the algorithms which make explicit use of the quantum
nature of a quantum computer. I summarise the known quantum algorithms and
present them in a simple and uni ed way. The simplest quantum algorithm is
presented rst. I then generalise the basic elements of this algorithm and show
how they lead to the known powerful quantum algorithms.

2.1. The Deutsch algorithm

In [Deu85], Deutsch considers the task of determining f (0)  f (1) for some
Boolean function f : f0; 1g ! f0; 1g, where  corresponds to addition modulo
2. However, he supposes that we only have the resources to implement f once.
Note that f (0)  f (1) = 0 if and only if f is constant. If we restrict ourselves to a
`classical' setting, it is impossible to determine f (0)f (1) using only one evaluation
of f . In a quantum setting however, given a reversible means of computing f , we
can perform this task! Deutsch presented an algorithm which outputs the correct
answer with probability 21 and outputs an inconclusive result otherwise. By a
subtle modi cation [CEMM98], as we show here, we can compute the correct
answer with probability 1 using only one application of f .
We are given a quantum means of computing f , namely, we have a unitary
operator Uf which implements:

(8) j xi j bi ! j xi j b  f (x)i
37
 2.1. THE DEUTSCH ALGORITHM 38
where x; b 2 f0; 1g. The `trick' used in [CEMM98] is to the encode the value of
f (x) into the phase. To do this we start with a second, auxiliary register in the
state j 0i j 1i (remember that we will often drop the normalisation factors), then
the operation j bi ! j b  f (x)i maps j 0i j 1i to
j f (x)i j 1  f (x)i = ( 1)f (x) (j 0i j 1i):
Consequently we can describe Uf in a di erent basis as
j xi (j 0i j 1i) ! ( 1)f (x) j xi (j 0i j 1i)
j xi (j 0i + j 1i) ! j xi (j 0i + j 1i)
for x 2 f0; 1g. If we x the auxiliary register to be in state j 0i j 1i , then its state
remains unchanged and we e ectively have a way of mapping j xi ! ( 1)f (x) j xi.
Let us go back to the example of the Mach-Zehnder interferometer. There
we saw that if the relative phase-shift between the two computational paths was
either 0 or , then we could correctly distinguish the two cases 100% of the time.
The same `algorithm' can be applied to solve Deutsch's problem, as illustrated
in gure 2.1. We will now ignore the state of the auxiliary qubit, since it stays

Figure 2.1. Network representation of the Deutsch algorithm

in the state j 0i j 1i. The rst Hadamard gate H creates the state j 0i + j 1i.
The Uf induces phase shifts to produce ( 1)f (0) j 0i + ( 1)f (1) j 1i, and the nal H
 2.2. EIGENVALUE KICK-BACK 39
completes the interference that produces the state ( 1)f (0) j f (0)  f (1)i, in other
words, the answer.
As we will see in the subsequent sections, this simple algorithm illustrates all
the main ingredients of the known quantum algorithms.

2.2. Eigenvalue Kick-Back

One of the key steps in the quantum solution to Deutsch's problem was
encoding the value of f (x) into the phases given a quantum version of a re-
versible algorithm for computing f , namely, an operation Uf that maps j xi j bi !
j xi j b  f (x)i. Here  refers to an appropriate group addition, such as addition
modulo 2 if b 2 f0; 1g, or addition in Z2n if b 2 f0; 1gn, or addition modulo N if
b 2 f0; 1; : : : ; N 1g. Computing f into the phases, where b 2 f0; 1g meant send-
ing j xi ! ( 1)f (x) j xi. More generally, when f (x) 2 f0; 1gn this means sending
j xi ! ( 1)f (x)
b j xi for some b 2 f0; 1gn and when f (x) 2 f0; 1; : : : ; N 1g this
if x
means sending j xi ! e N j xi.
2 ( )

In this section we generalise the method of inducing relative phases in the states
of the register (which we call the control register) that contains the input values
j xi. We make use of an auxiliary or target register and a function evaluation.
Suppose we have a family of unitary operators Ux which share an eigenvector
j i with eigenvalues e2i!x , respectively. The value !x corresponds to f (2x) ; f (x2)
b , or
f (x) in the above examples. We de ne the controlled-U to be a unitary operation
N x
acting on two systems, a control system of dimension M and a target system of
dimension N . The controlled-Ux maps j xi j yi to j xi Ux j yi. We give an example
of such a controlled-Ux, and how to implement it, later in this section. Figure
2.2 shows how to use this operator to compute wx into the phases. Starting with
the state j i in a second target register, and the state j xi in a control register,
 2.2. EIGENVALUE KICK-BACK 40

Figure 2.2. A) The controlled-Ux applies Ux to the second regis-

ter when the rst register is in state j xi. B) The net e ect of a
controlled-Ux when the target register is in an eigenstate of Ux with
eigenvalue e2i!x is to induce a phase factor of e2i!x on the state
j xi j i. C) When the target register is in eigenstate j i and the
control register is in any superposition of computational basis states,
we can write the outcome as a product of the control register with
all the appropriate phase factors kicked back and the target register
in the original eigenstate.
apply the controlled-Ux operator. The net e ect is to map the state j xi j i to
the state e2i!x j xi j i; the phase e2i!x is associated to the product of the two
states. If the second register is in the eigenstate j i, and the rst register is in a
MP1
superposition, say j xi, applying a controlled-Ux will produce the product state
x=0
 2.2. EIGENVALUE KICK-BACK 41
P e2i!x jxi j i, which can be nicely written as
M 1 MP1 
e2i!x j xi j i. In other
x=0 x=0
words, the eigenvalues were \kicked back" into the rst register. This might seem
wrong since the operators Ux were applied to the second register and we `only' used
the rst register as a control. However the rst register behaves as an una ected
\control" register only when the controlled-Ux is considered in the computational
basis. The controlled-Ux acts linearly on all superpositions of these basis states
and has eigenstates j xi j i with eigenvalues e2i!x .
An important example of a controlled-Ux is the operator M (U ) which we now
de ne.

Definition 1. Let U be any unitary operator on a vector space H N of dimen-

sion N . The operator M (U ) acts on the space HM HN and sends j xi j y i !
j xi U x j yi.
Given a quantum network for computing U that uses T elementary quantum
gates, we can create a quantum network for M (U ) that has O(MT ) elementary
quantum gates (see appendix A.2). If U 2 ; : : : ; U 2l are also easily expressible us-
ing only T elementary gates, then the network for M (U ) has only O(T log M )
elementary gates.
Note that the operator M (U ) applied to two registers in the state
X
M 1
j xi j i ;
x=0
where U j i = e2i! j i, encodes the value ! in the state
X
M 1
e2ix! j xi j i :
x=0
The next section describes how estimating this phase shift is related to the
quantum Fourier transform.
 2.3. PHASE ESTIMATION AND THE QUANTUM FOURIER TRANSFORM 42
2.3. Phase Estimation and the Quantum Fourier Transform
One of the important features that distinguishes quantum computation from
classical randomised computation is the relative phase between states. Estimating
such a phase turns out to lie in the kernel of most quantum algorithms. Therefore
in this section we will describe some techniques for estimating parameters encoded
in the phase of quantum states.
We start with a simple phase estimation task whose natural solution will di-
rectly lead to the quantum Fourier transform methods. Suppose, for some real !,
0  ! < 1, that we have the product state
(j0i + e2i(4!) j1i)(j0i + e2i(2!) j1i)(j0i + e2i! j1i).
Let us (for now) conveniently assume that ! is of the form a8 , for some integer a.

Figure 2.3. This phase estimation network implements the inverse

quantum Fourier transform (reversing the order of the output
qubits).

Let a1 a2a3 be the binary expansion of a, that is a = 4a1 + 2a2 + a3 , and each aj is
either 0 or 1. Using the fact that e2i = 1, we can also express this state as
(j0i + e2i(0:a ) j1i)(j0i + e2i(0:a a ) j1i)(j0i + e2i(0:a a a ) j1i).
3 2 3 1 2 3
 2.3. PHASE ESTIMATION AND THE QUANTUM FOURIER TRANSFORM 43
We know immediately how to obtain the value of a3 since the Hadamard gate H
de ned in the introduction maps, for b 2 f0; 1g,
j bi ! j0i + ( 1)b j1i = j0i + e2i(0:b) j1i ;
and vice versa since H 1 = H . Thus applying the Hadamard gate to the leftmost
qubit gives us the state
j a3 i (j0i + e2i(0:a a ) j1i)(j0i + e2i(0:a a a ) j1i).
2 3 1 2 3

It would be very convenient if the second qubit were in the state j0i + e2i(0:a ) j1i 2

since we could then easily determine a2. Fortunately, since the rst qubit is in the
state ja3 i, we can simply apply a controlled-R  gate (recall equation (6)) to the
2

leftmost and middle qubits to give us this state. Applying this gate and then a
Hadamard gate on the second qubit gives us
j a3 i j a2 i (j0i + e2i(0:a a a ) j1i).
1 2 3

A controlled-R 
2
gate and a controlled-R 
4
gate, as shown in gure 2.3, gives us
the state
j a3i j a2 i (j0i + e2i(0:a ) j1i) 1

which after applying a Hadamard gate becomes

j a3 i j a2i j a1 i .
A straightforward generalisation of this network maps the n qubits
(9) (j0i + e2i(2n !) j1i)(j0i + e2i(2n !) j1i):::(j0i + e2i(2!) j1i)(j0i + e2i! j1i);
1 2

with ! = 0:a1a2 : : : an, to the state

jani jan 1 i ::: ja2i ja1 i .
 2.3. PHASE ESTIMATION AND THE QUANTUM FOURIER TRANSFORM 44
This network might seem familiar since state (9), is in fact equal to
2X
n 1
(10) e2ix! jxi ;
x=0
which for ! = 20n ; 21n ; :::; 2n 1 is a basis state in what we call the Fourier basis.
2n
Thus the network we described above, apart from a reversing of the nal qubits,
realises the inverse quantum Fourier transform.

Definition 2. (QFT(M)) For any integer M > 1, the quantum Fourier

transform, QFT (M ), acts on the vector space generated by the states
j0i ; j1i ; j2i ; :::; jM 1i, and maps jj i to P e2i Mj x jxi.
M 1
x=0
We just illustrated how to eciently implement the quantum Fourier transform
for M = 2n ( rst done in [Cop94]), and it is easy to generalise these methods
for any M whose prime factors are bounded above by a polynomial in n (done
for distinct primes in [Sho94] and generally in [Cle94]; see appendix A.4). For
general M , say a large prime, we can also eciently approximate QFT (M ) by the
technique of Kitaev [Kit95] but for all applications mentioned in this course, an
appropriate power of 2 suces.
MP1
Given the state e2ik! jki, where M is known and ! is of the form Mj for
k=0
some integer j , applying QFT (M ) 1 will yield the state jj i and thus correctly
determine ! = Mj . This is an immediate consequence of the de nition of the quan-
tum Fourier transform. What happens if we apply the same estimation technique
for arbitrary !?
 
Definition 3. For any real ! , de ne jg
!iM = QFT (M ) 1 MP1 e2ik! j ki .
k=0

When the value of M is implicit we will just use jg

!i.
Lemma 4. For all positive integers M ,
 2.3. PHASE ESTIMATION AND THE QUANTUM FOURIER TRANSFORM 45
 if ! = Mj ; j = 0; 1; : : : ; M 1, we have jg
!iM = j j i and
MP1
 for all other real !, 0 < ! < 1, jg !iM = j;! j j i, where j j;! j =
j =0
sin((M! j )) .
M sin((! Mj ))

Proof. We have that

1 1 X1 2i!k
M
(11) j j;! j = p h j j QFT (M ) e j ki
M k=0
1 X1 2ik(! Mj )
M
(12) = M e
k=0
1 1 e 2iM (! Mj )
(13) = M
1 e2i(! Mj )
(14) = sin((M! jj)) :
M sin((! M ))

We have the following corollaries describing the quality of this estimator. As

we can see in Lemma 4, what matters is sin(( Mj !)) and thus the relevant
distance between our estimate Mj and ! is not simply Mj ! . For example M1 is
just as good an estimate of ! = 0 as MM 1 .
Definition 5. The distance d(!0 ; !1 ) between two real numbers !0 and !1 is
the real number d such that the shortest arclength of the unit circle between e2i! 0

and e2i! is 2d.

1

In other words d(!0; !1) = minz2Zfj!0 !1 + zjg. Roughly speaking, the prob-
ability of getting an error of size
is proportional to
1 . 2

MP1
Corollary 6. Given the integer M > 0 and the state e2ij! j j i, applying
j =0
QFT (M ) 1 and then measuring will yield the state j j i satisfying the following.
Let
= d(!; Mj ).
 2.3. PHASE ESTIMATION AND THE QUANTUM FOURIER TRANSFORM 46
 { If M! is an integer, then with probability 1, j = M!, that is
= 0.
{ Otherwise, the probability of observing j j i is Msin sin(M(

2
2
2

)  1 .
) (2M
)
2

8
 With probability at least  we have
 M .
2
1
 For k > 1, with probability at least 1 2(k1 1) we have
 Mk .
Proof. We make use of the fact that for x between 0 and 12 , 2x  sin(x) 
x. From Lemma 4 the probability that we measure j is Msin(sin((M! j )) 2 
 1 2 1
2 (! Mj ))
M sin(
)  2M
. We use this fact to prove the rest of the theorem.

Prob (jj M!j  k) = 1 Prob(jj M!j > k)

X1
 1 2 4M 21( j )2
j =k M

 1 2(k 1 1) :
The last inequality is easily proved by bounding the summation by an appropriate
integral.
We now use the fact that for M > 2, the function
sin2 (x)
 1 1

M 2 sin2 (x=M ) + sin2 (( x)=M ) ;
0  x  , attains its minimum at x = 2
Prob (jj M!j  1) = Prob(j = bM!c) + Prob(j = dM!e)
2 sin2 (M ( 1
))
= sin2 (M2
) + 2 2 M1
M sin (
) M sin (( M
))
 82 :

We have described and analysed techniques for estimating phases encoded in

MP1
the state e2ix! j xi. This is not the only way to encode phases, but it is
x=0
 2.4. QUANTUM EIGENVALUE ESTIMATION 47
simple and elegant. In [vDDE+99] it is shown how encoding ! in a state of
MP1
the form x e2ix! j xi for appropriate x and then applying QFT 1 (M ) can
x=0
provide a `better' estimate of !, where the x depend on the de nition of `better'.
We will not discuss these methods here since the techniques we have described
above suce for the algorithms presented in this course. It would be slightly
misleading not to note that the QFT as described earlier is not practical since it
uses exponentially precise phase rotations. For the purpose of phase estimation
and for the algorithms described herein, the transformations described above can
be approximated suciently well with phase shifts of bounded size as described in
[Cop94] and [BEST96]. By using di erent encodings of !, Kitaev [Kit95] shows
how to estimate ! without any quantum controlled rotations. I also noted that
it is possible to combine the phase estimation techniques used by Kitaev [Kit95]
with the approximate quantum Fourier transform methods. Some work in this
direction has been carried out [Bhi98] and these techniques show promise of being
practical and more ecient than those in [Kit95, Cop94, BEST96]. We will not
discuss these methods in this course, but simply point out that they exist, so that
exponential precision in the full QFT is not necessary. We use the QFT methods
for their simplicity.
With these last two sections under our belt, the content of the next section
might now seem obvious, yet it is the essence of the powerful quantum algorithms
such as those for factoring and nding discrete logarithms.
2.4. Quantum Eigenvalue Estimation
The previous two sections have described the two main ingredients for esti-
mating an eigenvalue of a unitary operator U . The algorithm, whose network
is illustrated in gure 2.4, uses a control register and a target register. We ini-
tialise the control register to the state j 00 : : : 0i. The target register can be in
 2.4. QUANTUM EIGENVALUE ESTIMATION 48
any state, but we analyse the algorithm in the basis of eigenvectors of U . Let
j k i ; k = 0; 1; : : : ; N 1, be the eigenvectors of U with respective eigenvalues
e2i!k . We will make use of the operator M (U ) from de nition 1.
It is easy to see that M (U ) j xi j k i = e2ix!k j xi j k i. Combining this phase
kick-back with the phase estimation method described earlier, we have the follow-
ing algorithm.

Algorithm 7. (Eig Est(U; ; M ))

Input:
 An integer N .
 A quantum network for a unitary operator U which acts on a vector space
HN of dimension N .
 A positive integer M .
 A target register in an arbitrary state described by the density matrix .
[Note that the input is the quantum state itself not a classical description of
it.]
Output:
 A rational !~ (i.e. an integer x such that !~ = Mx ).
Complexity:
 1 application of M (U ).
 O(log2 M ) other elementary operations.
Procedure:
1. Initialise a control register to the state j 0i 2 H M .
2. Apply QFT (M ) to the control register.
3. Apply M (U ).
 2.4. QUANTUM EIGENVALUE ESTIMATION 49
4. Apply QFT (M ) 1 to the control register.
5. Measure the control register, denote the outcome x. Output !~ = Mx .

Figure 2.4. We illustrate the e ect of the algorithm Eig Est with
the target register in an eigenvector of U and the control register in
the speci ed starting state.

Theorem 8. After running algorithm Eig Est(U; ; M ), the control register is

in the state
X
N 1
k;k j !fk i h !fk j
k=0
P
where the target register started in the state  = j;k j j i h k j. Thus if we
j;k
measure the control register we will get an estimate !fk of !k with probability
Tr( j k i h k j) = k;k . The probability distribution of !fk is equivalent to that
of measuring j !fk i, as described in corollary 6, and outputting the result x divided
by M .

More simply, if the target register contains the state j j i with probability j;j ,
then we will measure j !ej i with probability j;j .
 2.5. FINDING ORDERS 50
Proof. At step 1 the density matrix of the two-system state is
X
j 0i h 0j  = j;k j 0i h 0j j j i h k j :
j;k
The sequence (QFT (M ) 1  I )M (U )(QFT (M )  I ) maps j 0i j j i to j !ej i j j i.
Thus the state of the two systems becomes
X
j;k j !ej i h !fk j j j i h k j :
j;k
Tracing out the second register gives us the state
X
j;j j !ej i h !ej j :
j
The result follows.

We described the above algorithm in the most general setting where we were
given any input state . In this chapter we only use pure states.

Corollary 9. Let the density operator  describe the state

X
r 1
1 pr j k i :
k=0
Algorithm (Eig Est(U; ; M )) outputs an estimate !fk of !k with probability 1r . The
probability distribution of the estimate !fk is equivalent to that of measuring j !fk i
and outputting the result x divided by M .

2.5. Finding orders

We are now ready to describe the most well-known application of the above
techniques. The task is a `classical' one:
Let G be any nite group for which we know how to compute the group oper-
ation and for which we have a unique binary representation for every element and
 2.5. FINDING ORDERS 51
an algorithm for computing the group operation in that representation. We will
represent the operation multiplicatively.
Problem 10. Given an element a from a nite group G, nd the order of a,
that is the smallest positive integer r such that ar = 1.

This problem is not only of theoretical interest, but it is of great practical in-
terest. The reason is that integer factorisation and cracking the RSA cryptosystem
reduce to this problem for G = ZN , the multiplicative group integers modulo N
(see appendix A.5.3).
The quantum version we will address is the following. Let G be any group for
which we have unique binary representatives for each element and an algorithm
for computing the group operation and for computing inverses.
Problem 11. Given an element a of a nite group G, denote by Ua the unitary
operator that maps, for all x 2 G, j xi ! j axi. Find the order of Ua .

Before we describe the solution to this problem, we will make a few remarks
regarding the statement of these problems. First note that to turn Problem 10
into Problem 11, it suces to know a 1 , since this means we have an ecient
reversible way of implementing Ua (see appendix A.3). For groups where a 1 is
not easily obtained, we can apply the period- nding technique discussed later to
nd the order r of a (note that we can then simply compute a 1 = ar 1). We need
unique representatives for each element of G since this is necessary for quantum
interference to occur. Most groups of interest have some easy-to-compute canonical
representatives. Note that the group G does not need to be Abelian: it suces
that the subgroup generated by a is Abelian, which is always true.
Solving this quantum version is simple once we measure the following. Since
Uax = Uax , then r is also the order of Ua . Since Uar = I , the identity operator, then
 2.5. FINDING ORDERS 52
any eigenvector j i must satisfy Uar j i = j i ; which implies that the eigenvalues
of Ua are rth roots of unity. For each coset fc; ac; a2c; :::; ar 1cg of hai, the subgroup
generated by a, there correspond r eigenvectors [Kit95]:
X
r 1
(15) j ck i = p1r e
ijk
2
r caj , for k = 0; 1; :::; r 1:
j =0
Then note that
1 X
r 1
ijk e ik X
2
r
r 1
ijk
Ua j ci = pr e caj+1 = pr e caj = e ik
r j ck i :
2 2 2
k r r
j =0 j =0
Further,
1 X
r 1
jci = pr j ck i
k=0
(that is we get constructive interference on the basis state j ca0i and totally de-
structive interference on the other j caj i states).
Estimating such random eigenvalues precisely enough will allow us to nd r.
This fact is based on the theory of continued fractions. Every real number y has
a sequence of rationals, called convergents, that approximate it. The convergents
can be eciently computed as outlined in [Kob94] or [Knu98]. The following
lemma follows from Theorem 184 of [HW79].

Lemma 12. Given the integers x and M , if

k x  1 < 1
r M M 2r2
then the fraction kr is a convergent of Mx .

It is easy to see that there can be at most one fraction ab that satis es b  r
and ab Mx < 21r . The continued fractions algorithm will nd integers a and b
2

such that ab = kr after computing at most O(log M ) convergents.

 2.5. FINDING ORDERS 53
We will use the following algorithm as a subroutine later. This algorithm
assumes we have an upper bound on r, whereas this subsequent algorithm does
not.
Algorithm 13.

Input:
 An integer M
 An element a 2 G.
Output:
 A positive integer t or FAIL.
Complexity:
 O(T log M ) elementary operations where a group operation uses O(T ) ele-
mentary operations.
 O(log2 M ) other elementary operations.
Procedure:
1. Repeat Eig Est(Ua ; j 1i h 1j ; M ) twice to obtain two estimates Mx and xM of
1 2

random eigenvalues of Ua .
2. Use the continued fractions algorithm to seek two fractions ar and ar with
q
1 2
1 2

r1; r2  M2 that satisfy

(16) x1 a1  1
M r1 M
(17) x2 a2  1 :
M r2 M
If both do not exist, then return FAIL.
3. Let t be the lowest common multiple of r1 and r2. If this is not less than
qM
2 then return FAIL.
 2.5. FINDING ORDERS 54
4. If at 6= 1 return FAIL,
5. Return t.

Proposition 14. If M > 2r2 , then Algorithm 13 nds the correct order r with
probability at least 32 . If it does not output FAIL, then it outputs a multiple of r.
4

Proof. The proposition follows by rst showing that with probability at least
8
2 , x 1 and x2 satisfy the equations (16) and (17) for k1 and k2 chosen indepen-
2
dently and uniformly at random from the set f1; : : : ; rg. The second part of the
proof shows that assuming x1 and x2 satisfy these equations for such k1 and k2
then we obtain r with probability at least 12 .
By Theorem 8 (Eig Est) we will obtain integers x1 and x2 such that for each
k1 and k2 2 f0; 1; : : : ; r 1g with probability 1r the value xM is an estimate of kr
1 1

, and similarly for xM . Further, for j = 0; 1 the distribution of xj is equivalent to

2

that of measuring kerj , as described in corollary 6, and outputting the outcome

x divided by M . Since Eig Est(Ua ; M; j 1i h 1j) was run twice independently, the
integers k1 and k2 are independent.
Since the error in the estimate is thus at most 21r , then the continued fractions
2

algorithm will eciently nd the fractions ar = kr and ar = kr . We still might not

1
1
1 2
2
2

know r since the integers k1; k2 and r might not be coprime. Taking the lowest
common multiple of the denominators yields t = gcd(kr;k ;r) . Since k1 and k2 are
1 2

selected uniformly at random between 1 and r, they are coprime with probability
at least 1
P 1 > 1 . Thus this procedure will successfully nd r with
p 2 2
prime p
probability greater than 32 . 4

The nal test that at = 1 guarantees that the algorithm only outputs FAIL or
multiples of r.
Note that j 1i could have been replaced by any mixture of j aj i states.
 2.5. FINDING ORDERS 55
We are now ready to solve Problem 11. We will assume the worst case, that is
that we have no good bounds on r.

Algorithm 15. (Find Order(a))

Input:
 An element a 2 G.
Output:
 A positive integer t.
Complexity:
 Expected O(T log r) elementary operations where a group operation requires
O(T ) elementary operations.
 Expected O(log2 r) other elementary operations.
Procedure:
1. Set M = 2.
2. Apply Algorithm 13 three times.
3. If all three outputs are FAIL, double M and go to step 2. Otherwise let t be
the minimum value of the non-FAIL outputs.
4. Test if at = 1. If so, output t. Otherwise double M and to go step 2.

Theorem 16. Algorithm 15 (Find Order(a)) nds a multiple of r (the order

of a). With probability at least 32 the multiple is indeed r. The expected complexity
is O(log r) group multiplications and O(log2 r) other elementary operations.

Proof. While M  2r2, step 3 of Algorithm

q M 13 guarantees that we will tobtain
FAIL (the outputted t > 0 satis es t < 2  r and thus cannot satisfy a = 1).
Once M  2r2, then Proposition 14 tells us that we will nd the correct r with
 2.6. DISCRETE LOGARITHMS 56
probability at least 1 (1 324 )3 > 23 at each iteration. To bound the expected
running time, note that once M  2r2, the algorithm will output an answer with
probability at least 32 . This means the expected running time is O(log r) group
multiplications and O(log2 r) elementary operations. The nal test guarantees any
output is a multiple of r.
We can modify this algorithm so that it always outputs the correct r, by factor-
ing the output t (with the factoring algorithm described in [Buh96] ) and removing
unnecessary factors.

2.6. Discrete Logarithms

Not all public key cryptosystems in use today rely on the diculty of factoring.
Breaking many cryptosystems in use today can be reduced to nding discrete
logarithms in groups such as the multiplicative group of nite elds or the additive
group of points on certain elliptic curves (see appendix A.6 and [MvOV97]). Shor
[Sho94] also shows how to nd discrete logarithms in GF (p), and the algorithm
easily extends to other groups.
The discrete logarithm problem in a group G is the following. Let G be any
nite group for which we have a unique binary representation for every element
and an algorithm for computing the group operation. We represent the group
multiplicatively.

Problem 17. Given elements a and b = as , 0  s < r (r is the order of a)

from the group G, nd s, also referred to as the discrete logarithm of b with respect
to the base a.

We can translate this discrete logarithm problem into a discrete logarithm

problem in the group of unitary operators on the vector space spanned by the
 2.6. DISCRETE LOGARITHMS 57
elements of G. Namely, letting Ua : j xi ! j axi and Ub : j xi ! j bxi, we wish to
nd the logarithm r of Ub to the base Ua. We can also assume that we know a 1 ,
b 1 and r, the order of a, due to the order- nding or period- nding algorithms
discussed in the previous section. As mentioned in the previous section, given a 1
and b 1 we can easily construct a reversible network for implementing Ua and Ub .
Since we can factor r, we can further assume that r is prime (see section 4.2.1, for
details and other advantages).
The operators Ua and Ub share the same eigenvectors j ck i de ned in the pre-
vious section, with respective eigenvalues e ik
2 iks
r and e r . The idea is to apply
2

the eigenvalue estimation algorithm to estimate these two eigenvalues accurately

enough to determine both kr and ks mod r
r . Since we know r, we only need to

estimate these eigenvalues with an error of at most 21r in order to nd the correct
numerator. If k 6= 0 we can simply compute s = k 1 ks mod r. The eigenvalue
estimation algorithm thus gives us the following algorithm for nding discrete log-
arithms.

Algorithm 18. (Discrete Log (b; a))

Input:
 Elements a and b 2 G, where b is a power of a.
 The order r of a.
Output:
 An integer t or FAIL.
Complexity:
 O(log r) group operations.
 O(log2 r) other elementary operations.
 2.6. DISCRETE LOGARITHMS 58
Procedure:
1. Prepare three registers in the state
j 00 : : : 0i j 00 : : : 0i j 1i :
2. Let n = dlog2 2re+1. Apply QFT (2n) QFT (2n ) to the two control registers.
3. Apply 2n (Ua) using the rst control register and the target register.
4. Apply 2n (Ub ) using the second control register and the target register.
5. Apply QFT 1(2n) QFT 1(2n) to the two control registers.
6. Measure the rst two registers and denote the outcome j x1 i j x2 i. Compute
   
s1 = x2nr and s2 = x2nr .
1 2

7. If s1 = 0, output FAIL. Otherwise let s = s1 1s2 mod r. Output s.

Note that this algorithm also works in non-Abelian groups G, since it suces
that the subgroup generated by a and b is Abelian, and this of course is true.
Corollary 19. Let a and b = as be elements from a group G. Algorithm 18


(Discrete Log (b; a)) outputs s with probability at least r r 1 ( 8 )2. This algorithm
2

has expected running time O(log r) group operations and O(log2 r) other elementary
operations.
Proof. After step 5 we have the state
Xr 1 e+ f+
k ks
k=0 r r j ki :
With probability at least ( 8 )2 the integers s1 and s2 will correspond to integers
2

j and js, where j is chosen uniformly at random from the integers 0; 1; : : : r

1. In this case s1 = j 6= 0 with probability r r 1 and we can easily compute
j 1js = s mod r. The result follows. The running time follows by noting that the
O(log r) bit arithmetic described can be done with O(log2 r) elementary (classical)
operations.
 2.7. AMPLITUDE ESTIMATION 59
2.7. Amplitude Estimation
In the previous sections we detailed and used a simple algorithm for estimating
a phase shift induced by a unitary operator U . Now suppose we wish to estimate a
di erent parameter, namely the probability with which the operator U produces a
good output j xi. More speci cally, let U = A be a quantum algorithm that starts
with the state j 00 : : : 0i and the aim is to output states j xi that satisfy f (x) = 1.
The function f : f0; 1; : : : ; N 1g ! f0; 1g characterises the good states. We
denote by X1 the set of good states j xi, namely those satisfying f (x) = 1. The set
X0 denotes the bad states, which satisfy f (x) = 0. Denote by p1 the probability of
obtaining a good state when we measure j i. As discussed earlier, we can assume
that we can implement the operator Uf : j xi ! ( 1)f (x) j xi. In other words we
wish to determine
X
p1 = jh xj ij2
x2X1
where

(18) j i = A j 00 : : : 0i :
When 0 < p1 < 1, we can assume that

A j 00 : : : 0i = pp0 j X0i + pp1 j X1 i

where p0 = 1 p1,
X
j X0i = p1p j xi h xj i
0 x2X0
and
X
j X1i = p1p j xi h xj i:
1 x2X1
 2.7. AMPLITUDE ESTIMATION 60
We will start by reviewing the algorithm for amplitude ampli cation
[BBHT98, BH97, BHT98, Gro98, BHMT99], based on the quantum search-
ing algorithm by Grover [Gro96], and then show how the main iterate of this
algorithm can be used to solve the amplitude estimation problem mentioned above.
2.7.1. Amplitude Ampli cation. It is helpful to work in a basis containing
the states j X0i and j X1i (a full basis contains another 2n 2 states). We have
at our disposal the operator Uf which sends j Xj i ! ( 1)j j Xj i, the unitary
operators A and A 1, and the operator U0 which maps j 0i to j 0i and leaves
the other basis states alone. By conjugating U0 with the operator A, we have the
operator U = AU0 A 1 which sends j i = A j 00 : : : 0i to j i and leaves all the
other orthogonal basis states alone (it is convenient to describe this operator in a
basis containing j i). Let us consider the action of the operator U Uf in the
space spanned by j X0 i and j X1i. Given any state
j i = cos() j X0 i + sin() j X1i ;
applying Uf gives us
(19) cos() j X0i sin() j X1i :
Let ! be the real number between 0 and 12 that satis es p1 = sin2(!) and p0 =
cos2(!). Representing the state (19) in a basis containing j i = cos(!) j X0i +
sin(!) j X1i and j i = sin(!) j X0i cos(!) j X1 i gives us
cos() j X0i sin() j X1i = cos( + !) j i + sin( + !)j i:
Since j i is orthogonal to j i, applying U gives us
cos( + !) j i sin( + !)j i
= cos( + 2!) j X0 i + sin( + 2!) j X1 i :
 2.7. AMPLITUDE ESTIMATION 61
The two re ections Uf and U thus give us a rotation of 2! in the plane spanned
by j X0i and j X1 i (see gure 2.5 for an illustration with  = !).

Figure 2.5. A) We start o in the state j i = A j 00 : : : 0i =

sin(!) j X1i + cos(!) j X0i. B) The Uf operation changes the sign
in front of the j X1i component. C) The U (which is equal to a
U) changes the sign in front of the  component. The net e ect
of applying G = U Uf can be described as a rotation of 2 = 2!
in the plane spanned by j X0i and j X1 i. D) Repeating G a total of
k times e ects a rotation of 2k = 2k!.
 2.7. AMPLITUDE ESTIMATION 62
Such a rotation G = U Uf will have eigenvalues e2i! in the subspace gen-
erated by j X0i and j X1 i. In fact, we can explicitly describe the eigenvectors (as
de ned in [Mos98]):

(20) j +i = p1 j X0i + pi j X1i

2 2
(21) j i = p1 j X0i pi j X1i
2 2
with respective eigenvalues e2i! and e 2i! .
The state

j i = cos(!) j X0 i + sin(!) j X1 i

is expressed in this eigenbasis as

epi! j i + epi! j i:
2 + 2
Since G j +i = e2i! j +i and G j i = e 2i! j i, then applying the operator
Gk to the state j i = A j 00 : : : 0i gives us

(22) ei(2pk+1)! j +i + e i(2k+1)!

p j i
2 2
(23) = cos((2k + 1)!) j X0 i + sin((2k + 1)!) j X1i :

The probability of measuring an element of X1 is sin2 ((2k +1)!) and assuming

p1 > 0 then to measure an element of X1 with probability close to 1 we should
 
apply G roughly k = 41! 12 2 ( 4pp ) times. 1

Having summarised the use of the Grover iterate G for amplifying the amplitude
pp1 of j X1i in j i = A j 00 : : : 0i, we move on to describe its use for estimating
p1.
 2.7. AMPLITUDE ESTIMATION 63
2.7.2. Amplitude Estimation. The strategy for estimating p1 = sin2 (!)
is simple. We will just estimate one of the eigenvalues e2i! of G using the
eigenvalue estimation algorithm. Note that when p1 = 0 or 1, j i = A j 00 : : : 0i is
an eigenvector of G with eigenvalue e2i! equal to 1 = e0 or 1 = ei respectively,
and so we still have p1 = sin2(!).

Algorithm 20. (Amp Est(A; f; M ))

Input:
 An integer M (a precision parameter).
 An integer N .
 A quantum network for implementing the operator (algorithm) A acting on
a vector space H N of dimension N .
 A unitary operator which marks elements of a good set X1 by mapping
j xi ! ( 1)f (x) j xi, where f (x) = 1 i x 2 X1.
Output:
 A description of a real number p~ (i.e. an integer x such that p~ = sin2 ( x
M )).
Complexity:
 O(M ) applications of Uf
 O(M ) applications of A and A 1
 O(M log2 N ) other elementary operations
Procedure:
1. Prepare the input state j 00 : : : 0i A j 00 : : : 0i 2 H M H N .
2. Apply QFT (M ) to the rst register.
3. Apply M (G).
4. Apply QFT (M ) 1 to the rst register.
 2.7. AMPLITUDE ESTIMATION 64
5. Measure the rst register to obtain a state j xi, x 2 f0; 1; : : : ; M 1g and
output p~ = sin2( Mx ).

Theorem 21. For any positive integer M , the algorithm Amp Est(A; f; M )
outputs p~ such that
 with probability at least 8 we have
2

pp (1 p ) 2
jp1 p~j  2 1 M 1 + M 2

 for any integer k > 1, with probability at least 1 1

2(k 1) we have
pp (1 p ) k22
jp1 p~j  2k 1 M 1 + M 2

and uses M applications of Uf .

Proof. After step 3 we have the state

X
M 1
p1 j j i (ei(2j+1)! j +i + e i(2j +1)! j i)
2M j=0
e X1 2ij!
i! M e X1 2ij!
i! M
= p e j j i j +i + p e j ji j i
2M j=0 2M j=0

and after step 4 we have the state

pe e
i! i!
jg
!iM j +i + p j]! iM j i :
2M 2M

In step 5, with probability 12 we get an estimate !e of ! with the properties given

in corollary 6. In this case, letting
= d(!e ; !), and applying some standard
 2.7. AMPLITUDE ESTIMATION 65
trigonometric identities, we have

jpe1 p1 j = sin2(!e ) sin2 (!) = sin2(!  
) sin2(!)

= (sin(!) cos(
)  sin(
) cos(!))2 sin2 (!)
= sin2(
) cos(2!)  sin(2!) sin(2
)
2
p
 2
p1(1 p1) + 2
2
The result in the case that we e ectively measure j !e i now follows by corollary
6. Otherwise, we e ectively measure f! , but since sin2(!) = sin2 ( !), the
same result holds, and the theorem follows.

2.7.3. Application to counting. We give three applications of the ampli-

tude estimation algorithm to counting. Suppose we wish to estimate or determine
the cardinality of X1 . Let A be any transformation, such as the Fourier transform
FN , that maps the state j 00 : : : 0i to a uniformly weighted superposition of ele-
ments in f0; 1; : : : ; N 1g. Then p1 = jXN j and estimates of p1 translate directly
1

to estimates of t = jX1j = Np1 .

Algorithm 22. (Count(f; M ))

Input:
 An integer N .
 A quantum network for Uf : j xi ! ( 1)f (x) j xi.
 An integer M .
Output:
 A description of a real number t~ (i.e. an integer x such that t~ = N sin2 ( x
M ).
Complexity:
 2.7. AMPLITUDE ESTIMATION 66
 O(M ) applications of Uf .
 O(M log2 N ) other operations.
Procedure:
1. Output N  Amp Est(FN ; f; M )

In [BHMT99] are given the following algorithms and theorems (based on

results in [BBHT98, BHT98, Mos98, Mos99]) related to counting t.
The following theorem and corollary follow easily from Theorem 21.

Theorem 23. For any integer M > 0, Count(f; M ) outputs a real number t~
satisfying
 with probability at least 8 we have
pt(N t) N2
2

t t~  2 M + 2
M
 for any integer k > 1, with probability at least 1 1
2(k 1) we have
pt(N t) + Nk2 2
t t~  2k M M2
and uses M applications of Uf .
p
Corollary 24. Let t~ = Count(f; dc N e). Then
r  2
t~ t  2c t (NN t) + c
with probability at least 8 .
2

Note that Count(f; M ) outputs a real number. In the following applications

we will be rounding o Count(f; M ) to an integer. We do not simply round o
Count(f; M ) to a nearest integer, since in general this requires arbitrary precision.
We will instead round o Count(f; M ) to an integer that is within 23 of it. The
 2.7. AMPLITUDE ESTIMATION 67
number 23 is arbitrary and can be replaced by any constant fraction strictly between
1
2 and 1.
We next describe an algorithm for approximately counting t with accuracy 
(see [MR95]), that is outputting an estimate t~ such that with probability at least
2 we have t~ t  t.
3

Algorithm 25. (Approx Count(f; ))

Input:
 An integer N .
 A quantum network for the operator Uf : j xi ! ( 1)f (x) j xi.
 An accuracy parameter , 0 <   1 (given, say, as two integers a; b > 0,
 = ab ).
Output:
 An integer t~.
Complexity:
1q N 
 O  t+1 applications of Uf .
 log N q N 
O  t+1 other elementary operations.
2

Procedure:
1. Set l = 2.
2. Apply Count(f; 2l).
p
3. If t~ = 0 and 2l < 2 N then increment l by 1 and go to step 2.
4. Set M = d 20 2l e.
2

5. Apply Count(f; M ) to obtain t0. Output an integer t~ satisfying t~ t0  23 .

Theorem 26. Approx Count(f; ) outputs an integer t~ satisfying

t t~  t
 2.7. AMPLITUDE ESTIMATION 68
with probability at least 23 (t is the number of solutions to f (x) = 1). If t > 0 it
1qN 
uses an expected number of O  t applications of Uf . If t = 0, the algorithm
p
outputs t~ = t = 0 with certainty and Uf is evaluated ( N ) times.

Proof. The case t = 0 is easy. For t > 0, let e2i! be the eigenvalue of j + i,
1
c. From Lemma 4 we have that
so sin2 (!) = Nt , 0  !  12 . Let m = blog2 5!
the probability that in step 2 Count(f; 2l) = 0 for l = 1; 2; : : : ; m is
Y
m
sin2(2l !)  Y
m
sin 2 (2m+1 ! ) 
2 2
2 l
cos (2 !) = 2m 2  cos2 2 :
l=1 2 sin (! ) l=1 2 sin (2!) 5
l

The previous inequalities are obtained by using the fact that sin(x!) 
x sin(!) cos(x!) for any x  0 and 0  !x < 12 , which can be seen by looking
at the Taylor expansion of tan(x) at x = M!.
p
Now assuming step 2 was repeated at least m times (note that 2m+1  25 N
4
qt
), after step 4 we have M  ! and since !  2 sin(!) = 2 N , then by
  

Theorem 23, the probability that Count(f; M ) outputs a number t0 satisfying

jt0 tj  4 t + 64 t is at least 8 . If t < 1, then when we round o t0 to get t~ we
2
2

will get the correct t and thus the nal error is 0  t. If t  1, then rounding
o t0 to t~ can introduce an error of at most 23  23 t, which increases the error to
something less than t3 + 23  t. The overall probability of obtaining this estimate
is at least 8 cos2 ( 25 ) > 32 .
2

Lastly, we describe an algorithm for exactly counting t.

Algorithm 27. (Exact Count(f ))

Input:
 The integer N .
 A quantum network for Uf .
Output:
 2.7. AMPLITUDE ESTIMATION 69
 An integer t~.
Complexity:
p
 O( (t + 1)(N t + 1)) applications of Uf .
p
 O(log2 N (t + 1)(N t + 1)) other elementary operations.
Procedure:
p p
1. Set t~1 = Count(f; d9 N e) and t~2 = Count(f; d9 N e).
p p
2. Set M1 = d30 t~1 (N t~)e, M2 = d30 t~2(N t~2)e, M~ = min(M1 ; M2).
3. Apply Count(f; M ) to obtain output t0 . Output an integer t~ satisfying
t~ t0  32 .

Theorem 28. Algorithm Exact Count(f ) outputs an integer t~ which equals t,

the number of solutions to f (x) = 1, with probability at least 23 . It uses an expected
p
( (t + 1)(N t + 1)) applications of Uf .

Proof. By Theorem 21, settingpt(N tk) = 7, we see that with probability greater
11 , t~1 satis es t~1 t 
than 12 + 14 , and similarly for t~2 . This inequality
p p N
implies that t(N t)  2Mj , for j = 1; 2. Thus with probability at least 11

2
12
we have
pt(N t) p2
M  30 :
When this is the case, then Theorem 23 tells us that with probability 8 we have
2

p
t~ t  152 + 30 2 < 1
2 3
(so when we round o in step 3 we will get t~ = t). Therefore with probability at
least 8 11

2 2
2 12 > 3 we have t~ = t.
The following table summarises the complexities of these algorithms, along
with their classical counterparts for comparison. The complexity measure we use
 2.7. AMPLITUDE ESTIMATION 70

Problem Quantum Complexity Classical Complexity

qN N )
Decision ( t+1 ) ( t+1
qN N )
Searching ( t+1 ) ( t+1
p p
Count with error t ( N ) O(N )
q
Count with accuracy  O(( 1 ) t+1
N ) O(( 1 ) t+1
N )
p
2

Exact counting ( (t + 1)(N t + 1)) (N )

Table 2.5. This table compares quantum and classical counting
complexities. The lower bounds are in the black-box model of com-
putation.

here is the number of applications of Uf (that is evaluations of f ) used in order to

solve the problem with probability 32 of being correct. The lower bounds are lower
bounds for solving these problems in the black-box model of computation which
we describe in the next section.

For xed , or for all t  N (1 ), the upper bound for quantumly counting
with accuracy epsilon is tight up to a constant factor since Nayak and Wu [NW99]
show a lower bound of
s p !
N + t(N t) :
d(t + 1)e d(t + 1)e
We believe it is possible to match the upper and lower bounds into a tight bound
for all  and t (Nayak and Wu conjecture their lower bound is tight). I am not
aware of a tight lower bound for the classical complexity (some related results
appear in [CEG95] and [Gol99]), but I conjecture that the classical lower bound
is simply the square of the quantum lower bound.
 2.8. FINDING HIDDEN SUBGROUPS 71
2.8. Finding Hidden Subgroups
Let us now return to the problem of nding orders and discrete logarithms and
explore the natural generalisations. Both can be described as special cases of the
following problem as illustrated in gure 2.6.

Problem 29. Let f be a function from a nitely generated group G to a nite

set X such that f is constant on the cosets of a subgroup K (of nite index, since
X is nite), and distinct on each coset. Given a quantum network for evaluating
f , namely Uf : j xi j yi ! j xi j y  f (x)i, nd a generating set for K .

Generalisations of this form have been known since shortly after Shor presented
his factoring and discrete logarithm algorithms (for example, [Vaz97] presents
the hidden subgroup problem for a large class of nite Abelian groups, or more
generally in [Hy97] for nite Abelian groups presented as a product of nite cyclic
groups. In [ME99] the natural Abelian hidden subgroup algorithm is related to
eigenvalue estimation.)
Other algorithms which can be formulated in this way include:
Deutsch's Problem: Consider a function f mapping Z2 = f0; 1g to f0; 1g.
Then f (x) = f (y) if and only if x y 2 K , where K is either f0g or Z2 = f0; 1g.
If K = f0g then f is 1 1 or `balanced' and if K = Z2 then f is constant.
[Deu85, CEMM98].
Simon's Problem: Consider a function f from Zl2 to some set X with the
property that f (x) = f (y) if and only if x y 2 f0; sg for some s 2 Zl2. Here K =
f0; sg is the hidden subgroup of Zl2. Simon [Sim94] presents an ecient algorithm
for solving this problem, and the solution to the hidden subgroup problem in the
Abelian case is a generalisation.
 2.8. FINDING HIDDEN SUBGROUPS 72
Finding Orders (Factoring): Let a be an element of a group H . Consider
the function f from Z to the group H where f (x) = ax for some element a of H .
Then f (x) = f (y) if and only if x y 2 rZ. The hidden subgroup is K = rZ and
a generator for K gives us the order r of a.
Discrete Logarithms: Let a be an element of a group H , with ar = 1,
and suppose b = ak from some unknown k. The integer k is called the discrete
logarithm of b to the base a. Consider the function f from Zr  Zr to H satisfying
f (x1 ; x2) = ax bx . Then f (x1 ; x2) = f (y1; y2) if and only if (x1; x2 ) (y1; y2) 2
1 2

f(t; tk); t = 0; 1; : : : ; r 1g which is the subgroup h(1; k)i of Zr  Zr. Thus

nding a generator for the hidden subgroup K will solve the discrete logarithm k.
Hidden Linear Functions: Let g be some permutation of ZN for some integer
N . Let h be a function from Z  Z to ZN , h(x; y) = x + ay mod N . Let f = g  h.
The hidden subgroup of f is h( a; 1)i. Boneh and Lipton [BL95] show that even
if the linear structure of h is hidden, we can recover the parameter a.
Self-Shift-Equivalent Polynomials: Given a polynomial P in l variables
X1; X2; : : : ; Xl over F q , the function f which maps (a1 ; a2; : : : ; al ) 2 F lq to P (X1
a1 ; X2 a2 ; : : : ; Xl al ) is constant on cosets of a subgroup K of F lq . This subgroup
K is the set of shift-self-equivalences of the polynomial P . Grigoriev [Gri97] shows
how to compute this subgroup.
Abelian Stabiliser Problem: Let G be any group acting on a nite set X .
That is each element of G acts as a map from X to X in such a way that for
any two elements a; b 2 G, a(b(x)) = (ab)(x) for all x 2 X . For a particular
element x 2 X , the set of elements which x x (that is the elements a 2 G such
that a(x) = x) form a subgroup. This subgroup is called the stabiliser of x in G,
denoted StG(x). Let fx denote the function from G to X which maps g 2 G to
g(x). The hidden subgroup corresponding to fx is StG(x). The nitely generated
 2.8. FINDING HIDDEN SUBGROUPS 73
Abelian case of this problem was solved by Kitaev [Kit95], and includes nding
orders and discrete logarithms as special cases.
When K is normal in G, we could in fact decompose f as g  h, where h is a
homomorphism from G to some nite group H , and g is some 1-1 mapping from
H to a set X which `hides' the homomorphism structure of h. In this case, K
corresponds to the kernel of h and H is isomorphic to G=K .

Figure 2.6. The function f is constant on cosets of K and distinct

on each coset.

We give the complexity in terms of n = dlog2 [G : K ]e which is a lower bound

on log2 jX j (note that underestimating the input size results in an overestimated
complexity, so any upper bound is still valid).
Let us start with a simple example, namely G = Z. This special case is almost
identical to the order- nding algorithm, and will be useful for reducing the case of
nitely generated G to nite G. This algorithm is needed for nding the order of
a 2 G when a 1 is not known.
 2.8. FINDING HIDDEN SUBGROUPS 74
2.8.1. Finding a period. Let us suppose we have a function f : Z ! X ,
where jX j  N < 1, and f has the property that f (x) = f (y) if and only if
x y 2 rZ . Thus the sequence f (0); f (1); : : : is periodic with period r. The case
where f is not 1 1 in this range is addressed in [BL95] and in the appendix of
[ME99]. Consider the `eigenstates'
X
r 1
j ki = e 2ij kr j f (j )i :
j =0

Why do I call these `eigenstates'? Eigenstates of what? They are eigenstates of

the shift operation j f (x)i ! j f (x + y)i. The respective eigenvalues are e2iy kr ,
analogous to the eigenvalues of the j k i from equation (15).
The period- nding algorithm goes as follows.

Algorithm 30.

Input:
 An integer N ,
 An integer M .
 A unitary operator Uf which acts on H M  H N and maps j xi j 0i !
j xi j f (x)i.
Output:
 A positive integer t.
Complexity:
 1 application of Uf on inputs of size dlog2 M e.
 O(log2 M ) other elementary operations.
Procedure:
 2.8. FINDING HIDDEN SUBGROUPS 75
The procedure is the same as in Algorithm 13 except that instead of using
Algorithm Eig Est we use the following (almost identical) procedure:
1a: Start in the state j 00 : : : 0i j 00 : : : 0i.
1b: Apply QFT (M ) to the rst register.
1c: Apply Uf .
1d: Apply QFT (M ) 1 to the rst register.
1e: Measure the rst register and output the measured integer y.
Theorem 31. If M > 2r2 , then Algorithm 30 nds the correct period r of f
with probability at least 32 . If it does not output FAIL, then it outputs a multiple
4
of r.

Proof. After step 1c we have the state

MP1
j xi j f (x)i
x=0
rP1 MP1 ixk 
= e j xi j k i :
2
r
k=0 x=0
Thus after step 1d, measuring the rst register produces the same distribution as
Algorithm 7 (Eig Est(Ua ; ; M )), as described in Proposition 14, and the result
follows similarly.

Algorithm 32. (Find Period(f ))

Input:
 A uniform algorithm which outputs for any integer M a quantum network
Uf which acts on H M  H N and maps j xi j 0i ! j xi j f (x)i.
Output:
 A positive integer t.
Complexity:
 2.8. FINDING HIDDEN SUBGROUPS 76
 Expected O(log2 r) applications of Uf .
 Expected O(n2) other elementary operations where n = dlog2[G : K ]e =
dlog2 re.
Procedure:
Same as Algorithm 15 (Find Order(a)) except using Algorithm 30) instead of
Algorithm 13.

Corollary 33. Algorithm 30 nds a multiple of r. With probability at least

2
3 this multiple is r. The expected complexity is O(log r) applications of Uf and
O(log2 r) other elementary operations.

Having thus described the one-dimensional in nite order case, we are ready to
reduce the general nitely generated Abelian case to the nite Abelian case.
2.8.2. The general case. Let us assume that we have a set of generators
for G. Since f has nite index, K must contain some power of each of these
generators. We can use the period- nding algorithm to nd the period of f on
each of these generators. We can then assume each of the generators has nite
order. The algorithm described here is for G identi ed with a product of cyclic
groups, namely ZN  ZN 


 ZN . Although all Abelian groups are isomorphic
1 2 2

to such a product of cyclic groups, nding such a product and the isomorphism
can be very dicult (at least as hard as factoring integers when G = ZN ). In the
next section, we show how a reasonable representation of a nite Abelian group G
can be decomposed in this way by using this quantum algorithm.
With the factoring algorithm of Shor, we can factor each Nj into its prime power
factors, and then eciently nd the isomorphism between the additive group ZNj
and a product of cyclic groups of prime power order. For example, if N = pq, where
p and q are coprime, and hai is identi ed with ZN , then ZN  hai = hapi  haq i 
 2.8. FINDING HIDDEN SUBGROUPS 77
Zq  Zp. We can thus restrict our attention to such products of groups where the
Nj are prime powers.
Furthermore, any subgroup K of an Abelian G = Gp  Gp 


 Gpk where 1 2

Gpj is the pj -subgroup (the pj are distinct primes) of G, is of the form Kp  Kp  1 2

 Kpk where Kpj  Gpj . We can thus nd the hidden subgroup K of f piecewise
in the following way. For j = 1; 2; : : : ; k, we nd the hidden subgroup Kpj of the
function fpj : Gpj ! X , where fpj (x) = f (0; 0; : : : ; 0; x; 0; : : : ; 0) (x appears in the
j th entry), and then set K = Kp  Kp 


 Kpk .
1 2

So we restrict attention to the case of nite groups G equal to Gp  Zpa  1

Zpa 


 Zpak for some prime p and positive integers aj . Let a = maxfaj g.
2

Let us de ne more general `eigenstates'. Let T be the set of tuples

(t1 ; t2; : : : ; tk ) 2 Zpa  Zpa 


 Zpak that satisfy
1 2

X
k
hj tj
(24) pa = 0 mod pa for all h 2 K:
j =1 paj
For each such t 2 T , de ne
X 2i P
k tj sj
a
(t1 ;t2 ;:::;tk ) = e j =1 p j j f (s)i :
s2G=K
The sum is over a set s of coset representatives for K in G. Since the t satisfy
equation (24), the j ti are well-de ned. Again these are eigenvectors of the shift
operations j f (x)i ! j f (x + y)i with respective eigenvalue
2i P
k yj tj
a
e j =1 p j :

From these eigenvalues the following algorithm determines a uniformly random

t 2 T , and by equation (24), we can use enough random t to determine K using
linear algebra. For simplicity, we assume here that we can perform QFT (pa)
 2.8. FINDING HIDDEN SUBGROUPS 78
perfectly. In practice, we could use QFT (2n) where n is in O(a log p), or other
approximate versions of it, and succeed with probability close to 1.
Algorithm 34. (Find Hidden Subgroup(f ))
Input:
 Integers p; a1; a2 ; : : : ; ak .
 A quantum network for implementing Uf .
Output:
 A k-tuple t 2 Zpa  Zpa 


 Zpak .
1 2

Procedure:
1. Start with the state j 0i j 0i


j 0i j 00 : : : 0i 2 H pa  H pa 


 H pak  H .
1 2

2. Apply QFT (pa ) QFT (pa )


QFT (pak ) I .

1 2

3. Apply Uf .
4. Apply QFT (pa ) 1 QFT (pa ) 1


QFT (pak ) 1 I .
1 2

5. Measure the control registers and output the measured values t1 ; t2; : : : ; tk .
Proposition 35. Algorithm 34 (Find Hidden Subgroup(f )) outputs an ele-
ment t satisfying
X
k
hj tj
pa aj = 0 mod p for all h 2 K:
a
j =1 p
Proof. After step 3 we have the state
X
j xi j f (x)i ;
x2Zpa1 Zpa2 


Zpak
which can be reexpressed in a di erent basis (in the same way as we did in the
proof of Theorem 31) as
X pX
a 1 1
x1 t1
! X
pak 1 xk tk
!
= e2i pa1 j x1i


e2i pak j xki j ti :
t2T x1 =0 xk =0
 2.8. FINDING HIDDEN SUBGROUPS 79
It is then clear that after step 4 we will have
X
j t1 i j t2 i


j tk i j ti :
t2T

2.8.3. Decomposing Abelian Groups. The hidden subgroup algorithm

described above requires that the nite Abelian group G be identi ed with
ZN 


 ZNk and not just isomorphic to such a group with no eciently com-
1

putable isomorphism available.

Here we show that using the Hidden Subgroup Algorithm itself, we can nd this
isomorphism with high probability for some `reasonably' presented nite groups
G. We will assume the following about the presentation of G.
1. We have a unique binary representation for each element of G and we can
eciently recognise if a binary string represents an element of G or not.
2. Using the binary representation, for any a 2 G, we can eciently construct
a quantum network for implementing Ua : j yi ! j ayi. This might seem like
a strong assumption, since this means we can compute a 1 . But in light of
the quantum period- nding algorithm, which allows us to nd the order r
of a and then easily compute a 1 = ar 1, this becomes a fair assumption.
3. We can eciently nd a generating set for G.
The last assumption might seem strong, but for nite groups G note that it
suces that we have an upper bound 2k on the size of G and that we can eciently
select elements of G uniformly at random. It is easy to show that O(k) randomly
selected elements of G will span G with probability 1 o(1).
We can again assume the orders of the generators are of prime power order.
Further, we can rst nd generators for each of the p-subgroups of G, and then
take their product to obtain G. Thus we restrict attention to p-groups G.
 2.8. FINDING HIDDEN SUBGROUPS 80
Algorithm 36. (Decompose Group(a1 ; a2 ; : : : ; ak ))
Input:
 Generators a1; a2 ; : : : ; ak of the p-group G.
 The maximum order q = pr of the elements a1; : : : ; ak .
Output:
 A set of elements g1; g2; : : : ; gl, l  k, from the group G.
Complexity:
 O(k log q) quantum group multiplications.
 O(k2 log q) classical group multiplications.
 O(k3 log2 q) other elementary operations.
Procedure:
1. De ne g : Zkq ! G by mapping (x1 ; x2; : : : ; xk ) ! g(x) = ax1 ax2


axkk . Use
1 2

Find Hidden Subgroup(g) to nd generators for the hidden subgroup K of

Zkq as de ned by the function g .

2. Compute a set y1; y2; : : : ; yl 2 Zkq=K of generators for Zkq=K (for example,
see Section 2.4.4 and Algorithm 2.4.14 of [Coh93]).
3. Output fg(y1); g(y2); : : : ; g(yl)g.

Theorem 37. The group G is equal to hg1i  hg2 i  : : :  hgl i and Algorithm
Decompose Group(a1; a2; : : : ; ak ) nds the generators g1; g2; : : : ; gl using
O(k log q) quantum group multiplications, O(k2 log q) classical group multiplica-
tions, and O(k3 log2 q ) other elementary operations.

Proof. Evaluating the function g requires at most k exponentiations with

exponents of size at most pa (these require O(a log p) group operations each),
plus k 1 multiplications to multiply the results together. This accounts for
the O(k log q) (quantum) group operations.
 2.8. FINDING HIDDEN SUBGROUPS 81
Standard matrix reductions over the integers will nd the elements
y1; y2; : : : ; yk at a cost of O(k3) arithmetic operations with integers of size at
most q, which accounts for the O(k3 log2 q) other operations. From these we can
compute each gj = g(yj) using at most O(k log q) group operations.
The function g is a surjective homomorphism from Zkq to G with kernel K , and
thus the First Isomorphism Theorem implies that Zkq=K is isomorphic to G, and
we can identify the generators yj + K of Zkq=K with generators gj of G via the
equation g(yj) = gj.

2.8.4. Discussion: What about non-Abelian groups? If the group

G is not Abelian, then it is not a product of cyclic groups. Algorithm
Find Hidden Subgroup(f ) does not apply and it is not clear how to proceed.
For example, suppose G is Sn, the group of permutations of n points and X is
the set of n-vertex graphs. Let f () = (A), where  is a permutation and (A)
is the graph obtained from A by relabelling vertex j with (j ). The function f is
constant on left cosets of the automorphism group Aut(A) of A. Beals [Bea97]
showed how to implement a quantum version of the Fourier transform for Sn, but
this has not lead to an algorithm for nding the automorphisms of graphs.
Ettinger [Ett98] showed how to nd a hidden subgroup of a di-hedral group G
if K is normal in G using only a polynomial number of applications of f . For K
not necessarily normal, Ettinger and Hyer [EH98] show that with a polynomial
number of applications of f they have enough information to nd K , however, no
ecient way of performing the post-processing is known.
Rotteler and Beth [RB98] show how to nd hidden subgroups of certain wreath
product groups. Zalka [Zal99] showed how to reduce this problem to several
instances of an Abelian hidden subgroup problem.
 2.9. EQUIVALENCE OF SHOR AND KITAEV APPROACHES 82
Question 38. Can other non-Abelian hidden subgroup problems be eciently
unravelled into a polynomial number of instances of the Abelian hidden subgroup
algorithm?

2.9. Equivalence of Shor and Kitaev approaches

I will rst show the equivalence between Shor's factoring algorithm and our ver-
sion of the factoring algorithm following Kitaev's eigenvalue estimation approach.
I will then generalise the equivalence to the hidden subgroup algorithm.
This section starts with a review of the quantum part of Shor's algorithm (with
some trivial modi cations to highlight the similarities).

Algorithm 39. (Shor Factor(N ))

Input:
 An integer N .
 An element a 2 ZN .
Output:
 An integer t which approximates kNr for a uniformly random integer k from
f1; 2; : : : ; rg, where r is the order of a.
Complexity:
 One application of M (Ua ), M = 2N 2 .
 O(log2 M ) other operations.
Procedure
1. Start with two registers j 00 : : : 0i j 1i.
2. Apply QFT (M ) to the rst register.
3. Evaluate the function f (x) = ax using the operator Ua : j xi j yi ! j xi j axyi.
 2.9. EQUIVALENCE OF SHOR AND KITAEV APPROACHES 83
4. Apply QFT (M ) 1 to the rst register. 1

After step 4, we have the state

X
M 1
(25) j xi j axi :
j =0

Shor describes this in the computational basis as

0 r kc 1
X
r 1 b MX
@
1

j rj + kiA ak :
k=0 j =0

He then mentions a measurement of the second register to `collapse' the rst

register into a periodic superposition
0b M r k c 1
@ X 1

j rj + kiA
j =0

for some random k. Since we never make use of the measured value ak ,
this `measurement' was only an illustrative tool. We ignore it.
The nal QFT (M ) 1 maps the periodic superposition to a superposition where
the amplitudes are concentrated near values of x where Mx is close to rj for some
integer j between 0 and r 1. The information about k is encoded primarily in
the phases:

(26)
0b M r k c 1 0b M r k c 1
X
r 1 X 1
X
r 1 X1

QFT (M ) 1 @ j rj + kiA ak = e 2i Mk QFT (M ) 1 @ j rj iA ak :

k=0 j =0 k=0 j =0

1 Shor actually uses QF T (M ). The net result is the same.

 2.9. EQUIVALENCE OF SHOR AND KITAEV APPROACHES 84

Figure 2.7. Shor analysed the above state in the computational

basis, whereas we analysed it in the eigenvector basis.

Since we ignore (or \trace out") the second register, the rst state is in a mixture
of states of the form
0b M r k c 1
X 1

QFT (M ) 1 @ j rj iA ak
j =0

which each have most of the probability amplitude near states j yi such that My is
close to kr for some integer k, as shown by Shor [Sho95b].
Using our eigenvalue estimation approach, we also have the state (25), and we
also apply QFT (M ) 1 to the rst register to produce the same state as in equation
(26) but we described it in a di erent basis as
r e+
X k j ki
k=0 r
as illustrated in gure 2.7.
We can similarly compare the common analysis of the hidden subgroup algo-
rithm in the computational basis, where after applying the QFT 1 to the rst
register in the state
X X X !
j xi j f (x)i = j s + yi j f (y)i ;
(x1 ;x2 ;:::;xl ) y2G=K s2K
 2.10. FINDING HIDDEN AFFINE FUNCTIONS 85

Figure 2.8. One common approach is to analysis the above state

in the computational basis, but analysing the second register in the
`eigenvector' basis produces a convenient description of the nal
state.
we get
X X !
2i P tpjayjj
e j ti j f (y)i
y2G=K t2T
(the rst summation is over a set of coset representatives y of G=K ) whereas in
our analysis we write this in the `eigenvector' basis as
X
j ti j ti
t2T
as illustrated in gure 2.8.

2.10. Finding Hidden Ane Functions

As pointed out in the previous section, Deutsch's problem (section 2.1) is a
very special instance of the hidden subgroup problem. It can also be rephrased as
follows.

Problem 40. Given an integer N and a function f : x ! mx + b, where

x; m; b 2 Z2, nd m.

We can partially generalise this problem as follows.

 2.10. FINDING HIDDEN AFFINE FUNCTIONS 86
Problem 41. Given an integer N function f : x ! mx + b, where x; m; b 2
ZN , nd m.

Since b could be any integer from ZN , one classical evaluation of f gives no

information about m. The next algorithm, however solves Problem 41 with just
one application of Uf .

Algorithm 42.
Input:
 An integer N .
 A black-box that implements Uf : j xi j yi ! j xi j y + f (x)i.
Output:
 An integer m 2 ZN .
Complexity:
 1 application of Uf
 1 application of QFT (N ) and 2 applications of QFT (N ) 1.
Procedure:
1. Start with two registers in the state j 00 : : : 0i j 1i 2 H N  H N where j 1 i =
QFT (N ) 1 j 1i.
2. Apply QFT (N ) to the rst register.
3. Apply Uf .
4. Apply QFT (N ) 1 to the rst register.
5. Measure the rst register and output the measured value.

Proposition 43. Algorithm 42 solves Problem 41.

 2.10. FINDING HIDDEN AFFINE FUNCTIONS 87
Proof. The second register is in the state
NX1
j 1i = e 2 Nj j j i
j =0
f (x)
which is an eigenstate of the operation j yi ! j y + f (x)i with eigenvalue e2i N .

After step 3 we will have the state

X
N 1 f (x)
e2i N j xi j 1 i
x=0
X
N 1 !
= e2i Nb e2i mxN j xi j 1i
x=0
Thus after applying QFT (N ) 1 to the rst register we get e2i Nb j mi j 1 i.
As with the hidden subgroup algorithm, we are measuring the eigenvalues of
shift functions j f (x)i ! j f (x + y)i, except in this case we know the eigenvectors
and can eciently construct one, and the respective eigenvalue directly gives us the
desired solution (in contrast, the hidden subgroup algorithms only output elements
`orthogonal' to the solution, from which the solution is derived by linear algebra).
Bernstein and Vazirani [BV97] generalised the Deutsch problem another way
that we describe here.

Problem 44. Given a function f : x ! mT
x + b, where x; m 2 Zn2 , b 2 Z2,

nd m.

This following algorithm is a re nement of the one proposed in [BV97] for

solving Problem 44.

Algorithm 45.

Input:
 2.10. FINDING HIDDEN AFFINE FUNCTIONS 88
 An integer N .
 A black-box that implements Uf : j xi j yi ! j xi j y + f (x)i.
Output:
 A tuple m 2 Zn2 .
Complexity:
 1 application of Uf .
 2n + 1 applications of H = QFT (2) = QFT (2) 1.
Procedure:
1. Prepare the state j 00 : : : 0i (j 0i j 1i).
2. Apply QFT (2)  QFT (2) 


 QFT (2) to the rst register.
3. Evaluate Uf .
4. Apply QFT (2) 1  QFT (2) 1 


 QFT (2) 1 to the rst register.
5. Measure the rst register and output the measured values.
Proposition 46. Algorithm 45 solves Problem 44.
Proof. After step 2 we have the state
X
p 1n+1 j xi (j 0i j 1i)
2 x2f0;1gn
and after step 3 we have
X
p 1n+1 ( 1)f (x) j xi (j 0i j 1i)
2 x2f0;1gn
b X
= p( 1) ( 1)m
x j xi (j 0i j 1i)
2n+1 x2f0;1gn
b
= p( 1) +1 (j 0i + ( 1)m j 1i) (j 0i + ( 1)m j 1i)


(j 0i + ( 1)mn j 1i) (j 0i j 1i) :
1 2

2n
Thus after applying a Hadamard transform H = QFT (2) 1 on each of the rst n
qubits we get ( p1)2 j m1 i j m2 i : : : j mn i (j 0i j 1i).
b
 2.10. FINDING HIDDEN AFFINE FUNCTIONS 89
We now combine problems 41 and 44 and get the following.
Problem 47. Given a function f : x ! mT
x + b, where x; m 2 ZnN , b 2 ZN ,
nd m.
Algorithm 45, replacing QFT (2) with QFT (N ), and replacing (j 0i j 1i) =
QFT (2) 1 j 1i with j 1i = QFT (N ) 1 j 1i will solve this problem. The proof
follows similarly, so it is omitted.
Problem 48. Given a function f : x ! Mx + b, where M 2 Mmn (N ),
x; b 2 ZnN , nd M.
Let us denote by r1; r2; : : : ; rm the rows of M and c1; c2; : : : ; cn the columns.
So
0 1
B r1 C
B
B r C
C  
M=B
B
2 C
C = c1 c2 : : : cn :
B C
@ ::: A
rm
We describe an algorithm (illustrated in gure 2.9) for determining dT
M for any
d 2 ZnN .
Algorithm 49.

Input:
 The integers N ,n, and m.
 A black-box that implements Uf : j xi j yi ! j xi j y + f (x)i.
 A tuple d 2 ZmN.
Output:
 A tuple t 2 ZnN .
 2.10. FINDING HIDDEN AFFINE FUNCTIONS 90

Figure 2.9. The values dT
cj are encoded in the control register

and deciphered by the nal F 1 transformations. A global phase of
edT
b is also present, but not illustrated in the diagram.
Complexity:
 1 application of Uf .
 n applications of QFT (N ) and n + m applications of QFT (N ) 1.
Procedure:
1. Prepare n + m registers in the state

j 0i j 0i : : : j 0i j d1 i j d2 i : : : j dm i

2. Apply QFT (N )  QFT (N ) 


 QFT (N ) to the control registers.

3. Apply Uf .
4. Apply QFT (N ) 1  QFT (N ) 1 


 QFT (N ) 1 to the control registers.
5. Measure the rst n registers and output the value.
 2.10. FINDING HIDDEN AFFINE FUNCTIONS 91
Proposition 50. Algorithm 49 outputs t = dT
M. With m iterations with
d = (1; 0; 0; : : : ; 0); (0; 1; 0; 0; : : : ; 0); : : : ; (0; 0; : : : ; 0; 1), we can determine M.
Proof. Step 1 requires preparing m registers in the states j ci i and then ap-
plying QFT (N ) 1 to them. The remaining registers are initialised to j 0i. The
second register is in an eigenstate of the operator j yi ! j y + zi with eigenvalue
e2idT
z. Thus after step 3, which applies the operator j yi ! j y + f (x)i when the
rst register is in the state j xi, the rst register is then in the state
X dT
f (x)
e2i N j xi
x2ZnN
T X T
= e2i d N
b e2i d N
Mx j xi
x2ZnN
X ! X !
dT
c1 x1
= e2 i dT
b
N e2i N j x1i


e2i dT
cn xn
N j xn i
x1 2ZN xn 2ZN
and thus after step 4 we have
T
e2i d N
b dT
c1 dT
c2


dT
cn
T
= e idN
b j t1 i j t2 i : : : j tni
2

where t = dT
M. If d = ej then dT
M = cj, so we can clearly determine M

using only n applications of Uf .

Algorithm 49 appears in [CEMM98] for N = 2, and a similar algorithm was

noted independently in [Hy97] but for homomorphisms acting on ZN  : : :  ZNk 1

for arbitrary Nj (that is without the shift component b).

However, unlike the case with the hidden subgroup problem, I can think of
no practical examples where we have an ecient way of computing f but do not
already know M .
 2.10. FINDING HIDDEN AFFINE FUNCTIONS 92
Problem 51. Find an example where we know how to evaluate a function of
the form f : x ! Mx + b but do not already e ectively possess a description of
M.
[HR90]
 CHAPTER 3

Limitations of Quantum Computers

What can quantum computers not do? Like any `classical' computer, they
are subject to the laws of physics. With a computational task expressed in more
physical terms, it might become easier to determine the limitations of any computer
in performing the task.
We start this chapter by de ning some complexity classes and other relevant
notions, like the classical classes P , BPP and NP , the quantum class BQP ,
and notions like NP -complete and NP -hard. By classical computer we mean
any device which is polynomially equivalent to a universal Turing machine, and a
classical algorithm is one that runs on a classical computer.
Finding non-trivial lower bounds on the computational complexity of computa-
tional tasks have proved very dicult. We hope that this more general framework
provided by quantum computation will help nd non-trivial lower bounds and
some new relationships between computational complexity classes. For example,
suppose our physical intuition inspires a proof that a quantum computer cannot
solve an NP -complete problem. This will not only prove that NP does not contain
BQP , but will have corollaries like P 6= NP . This is a rather ambitious task of
course. It seems quite dicult to prove non-trivial lower bounds in the quantum
setting as well.
Section 3.2 describes the black-box model of computation, in which we have
proved some lower bounds and relationships between various complexity measures

93
 3.1. WHAT IS A COMPLEXITY CLASS? 94
(sections 3.4, 3.5). The main ingredient is the relationship between the amplitudes
of states in a quantum network and polynomials (section 3.3).

3.1. What is a complexity class?

As we discussed in the introduction, complexity refers to some measure of the re-
sources required to solve a problem, and we will restrict attention to decision prob-
lems. Decision problems can be treated as the problem of recognising elements of a
language. To de ne a language, we rst x an alphabet, say  = f0; 1g. A language
L   (the set of nite strings over the alphabet ) is a collection of strings. An
algorithm solves the language recognition problem for L if it accepts (by outputting
1) any string x 2 L and rejects (by outputting 0) any string x 2= L. For example,
let the string x represent an integer, and consider the language COMPOSITE
which contains all representations of composite integers. The number x has non-
trivial factors if and only if x 2 COMPOSITE . So 7 2= COMPOSITE and
6 2 COMPOSITE . For another example, let the string x represent a graph,
and we have x 2 3-COLOURABLE if and only if there is a way of assigning one
of three colours to the vertices of x so that no adjacent vertices are coloured the
same. Note that both of these language recognition problems have the property
that if x 2 L, then I can prove it to you eciently (though nding the proof
might be very hard). For example, as illustrated in gure 3.1, we know 110111 2
3-COLOURABLE since CHECK 3 COLOURING(110111; RBRG) = 1, where
CHECK 3 COLOURING(x; y) is an algorithm which veri es that y is a proper
colouring of x. It is easy to implement CHECK 3 COLOURING to run in poly-
nomial time. This property of being checkable in polynomial time on a classical
computer de nes a whole class of problems. More speci cally, following [MR95],
 3.1. WHAT IS A COMPLEXITY CLASS? 95
Definition 52. The class NP (non-deterministic polynomial time) consists
of all languages L that have a polynomial time classical algorithm A such that for
any input x 2 
 x 2 L ) there exists a y 2  such that A(x; y) accepts, (jyj is bounded by
a polynomial in jxj).

Figure 3.1. There are 26 four-vertex graphs, in a 1-1 correspon-

dence with 6-bit strings that tell us which of the pairs of vertices
f1; 2g; f1; 3g; f1; 4g; f2; 3g; f2; 4g; f3; 4g are connected. The graph
(101111) is illustrated here, with the colouring RBRG, one of the
proper colourings (that is, a colouring were no connected vertices are
coloured by the same colour).
 3.1. WHAT IS A COMPLEXITY CLASS? 96
 x 2= L ) for all y 2 , A(x; y) rejects.
We can similarly de ne the complementary class to NP , namely co-NP , to be
all the languages L such that  nL 2 NP .
Therefore 3-COLOURABLE and COMPOSITE are in NP while NOT -
3-COLOURABLE and PRIME are in co-NP . In fact COMPOSITE and
PRIME are in both NP and co-NP , denoted NP \ co-NP (proved in [Pra75]).
One of the biggest open problems in theoretical computer science is whether or
not every problem in NP can be solved in polynomial time.

Definition 53. The class P consists of all languages L that have a polynomial
time classical algorithm A such that for any input x 2  ,
 x 2 L , A(x) accepts.
Most people believe that P 6= NP . Furthermore, most people believe that even
probabilistic algorithms with some chance of error will not be able to decide all
NP problems in polynomial time. The class of languages that can be solved with
a classical computer in polynomial time with a small probability of error is called
BPP .
Definition 54. The class BPP (bounded-error probabilistic polynomial time)
consists of all languages L that have a randomised classical algorithm A running
in worst-case polynomial time such that for any input x 2 ,
 x 2 L ) Pr[A(x) accepts ]  23 .
 x 2= L ) Pr[A(x) accepts ]  13 .
By repeating this algorithm n times and taking the majority answer, we get
the correct result with probability at least 1 n for some , 0 <  < 1 (by the
Cherno bound; e.g. [MR95]). The problems in BPP are held to be the tractable
 3.1. WHAT IS A COMPLEXITY CLASS? 97
ones on a classical computer. Similarly, the problems in the quantum class BQP
are widely held to be the tractable ones on a quantum computer.

Definition 55. The class BQP (bounded-error quantum polynomial time)

consists of all languages L that have a quantum algorithm A running in worst-
case polynomial time such that for any input x 2  ,
 x 2 L ) Pr[A(x) accepts ]  32 .
 x 2= L ) Pr[A(x) accepts ]  13 .

Two important notions are those of being \NP -complete" and \NP -hard".
Consider the problem where the inputs x encode (classical) acyclic circuits with
one output bit.

Definition 56. The language CIRCUIT SAT consists of all strings x which
encode classical acyclic circuits (using some reasonable encoding as discussed in
[Wel88, MR95]) for which there exists an input string y to the circuit x for
which the circuit outputs a 1.

The problem CIRCUIT SAT is in NP since there is an algorithm that runs

in time polynomial in jxj that implements the circuit to verify that the circuit
described by x outputs 1 on input y. Further, it can be shown [Coo71, Lev73,
GJ79] that for any language L in NP , we can eciently transform the polynomial
time algorithm A(x; y) that certi es membership in L into an acyclic circuit x0 (of
size polynomial in jxj) with the property that there exists a y such that A(x; y) = 1
if and only if there exists a y0 such that x0 outputs 1 on input y0. In other words,
if we can solve CIRCUIT SAT in polynomial time, then we can solve any NP
decision problem in polynomial time. Such a language is called NP -complete.
 3.2. BLACK-BOXES 98
Definition 57. A language L is NP -hard if for any language L0 2 NP there
is a polynomial time algorithm that for any input x 2  outputs y satisfying
y 2 L , x 2 L0 .
Definition 58. A language L is NP -complete if L is NP -hard and L is in
NP .
In general, a problem (perhaps not even a decision problem) is called NP -hard
if a polynomial time algorithm for solving that problem implies the existence of a
polynomial time algorithm for deciding some NP -hard language L.
It has been shown that 3-COLOURABLE is NP -complete [GJS76], and thus
being able to solve this problem in polynomial time means we can solve every NP
problem in polynomial time. See [GJ79] for many other examples of NP -complete
problems. Note that FACTOR (which decides if an integer x has a non-trivial
factor less than y), COMPOSITE , and PRIME are not believed to be NP -
complete.
If P 6= NP , then for any NP -complete language L with corresponding poly-
nomial time classical algorithm A(x; y) and a polynomial time classical algorithm
B (x) that seeks to nd y such that A(x; y) = 1, there must be some x 2 L for
which B (x) does not succeed. No proof is known however. In the next section, we
discuss a related problem in the black-box model of computation.
3.2. Black-boxes
In the previous chapter, section 2.7.1, we discussed the problem of nding, for
a given function f : f1; 2:::; N g ! f0; 1g a solution to f (y) = 1. For speci c f it
is usually quite hard to nd a lower bound on the diculty of this problem. For
example, in the previous section we de ned the class NP . Consider any L 2 NP
with the polynomial-time checking algorithm A(x; y) satisfying A(x; y) = 1 if and
 3.2. BLACK-BOXES 99
only if x 2 L. If we let fx(y) = A(x; y), then the problem of deciding L is equivalent
to deciding if there exists a y satisfying fx(y) = 1. We mentioned earlier, that for
this family of functions f it is widely believed that this problem cannot be solved
in time polynomial in jxj.
For any NP -complete language L, say 3-COLOURABLE , for worst case input
x, there is no known algorithm which works more than polynomially better than
simply trying the colourings y = c1 c2 : : : cn in order to see if they are proper
colourings, that is if CHECK 3 COLOURING(x; y) = 1. In this case we are
only using fx, where fx(c) is the output of CHECK 3 COLOURING(x; c), as a
black-box in order to decide if there exists a c such that fx(c) = 1.
When we use f = fx as a black-box and ignore any information we have about
it (other than the fact that it maps f1; 2; : : : ; N g ! f0; 1g), we could just as well
de ne Xj = f (j ) and rephrase the problem as follows. There is a binary string
X = X1; X2; :::; XN and we are given a black-box which takes as input an index
j and outputs Xj . In the quantum setting, we will assume that we have a black-
box operator OX which maps j j i j bi ! j j i j b  Xj i. The question addressed by
Grover [Gro96] was to nd an index j where Xj = 1. We can also consider the
decision problem: does there exist a j such that Xj = 1?
It was rst shown in [BBBV97] that any quantum algorithm using the function
p
OX : j j i j bi ! j j i j b  Xj i as a black-box requires ( N ) applications of OX in
order to nd a solution with probability at least 32 for worst case X .
Another way to phrase this decision problem is to evaluate the OR function
on the string X, where OR(X) = X1 _ X2 _


_ XN . In general, we can consider
any f0; 1g-valued function F of the variables X1 ; X2; : : : ; XN . Recall that f is
a function f1; 2; : : : ; N g ! f0; 1g satisfying f (j ) = Xj , and X1; X2; : : : ; XN are
inputs to the function F : f0; 1gN ! f0; 1g.
 3.2. BLACK-BOXES 100
In the following sections, we will study the limitations of quantum computers
in determining properties of a binary string X = X1X2 : : : XN . For example, the
numbers 0; 1; : : : ; N 1 could represent the 3-colourings of a graph G (so N = 3n),
and Xj = 1 if and only if j is a proper 3-colouring of G. We will only consider the
limitations in the black-box model of computation.
This restriction might seem rather convenient and raises the question of how
relevant these lower bounds are to a `real' problem, where we do have some in-
formation about how X is evaluated. If we consider an X corresponding to an
NP problem, then Xj = f (j ) for some function f which we usually know how
to compute. So what is the relevance? These black-box lower bounds tell us the
limitations of certain algorithmic approaches as we now illustrate.

Definition 59. The deterministic query complexity D(F ) of F is the mini-

mum number of queries of bits of X required by a deterministic classical strategy
for computing F (X ) (the j th index to be queried can depend on the outcome of the
previous j 1 queries).

The quantum equivalent of D(F ) is the exact quantum query complexity QE (F )

of F .

Definition 60. The exact quantum query complexity QE (F ) of F is the min-

imum number of black-box OX queries required by a quantum algorithm which cor-
rectly nds F (X ) with probability 1 for every string X .

A more practical quantity is the 2-sided error quantum query complexity Q2(F )
of F .

Definition 61. The 2-sided error quantum query complexity Q2 (F ) of F is

the minimum number of black-box queries required by a quantum algorithm which,
 3.3. RELATION BETWEEN QUANTUM NETWORKS, BLACK-BOXES AND POLYNOMIALS 101
on any input X , outputs a f0; 1g value that has probability at least 23 of being equal
to F (X ).

In [BBC+98] we prove the following relationship.

Theorem 62. If F is a Boolean function, then D(F )

1
6  4Q2(F ).
What does Theorem 62 mean for the quantum complexity of computing F given
an algorithm for computing Xj = f (j )? Suppose the best deterministic classical
strategy for evaluating F (X ) requires in the worst case T = D(F ) queries of the
bits of X . Theorem 62 tells us that for any quantum algorithm to evaluate F using
less that T4 steps, it must exploit additional properties of X . Further, even any
1
6

non-constructive proof that such an algorithm does or does not exist must make
use of the additional properties of X = f (1)f (2) : : :f (N ), other than that it is a
binary string of length N .
3.3. Relation between quantum networks, black-boxes and polynomials
In this section we will show how a quantum gate array which queries the string
X a total of T times will have amplitudes that are polynomials of degree T in the
variables X1 ; X2; : : : ; XN . In the subsequent section we describe several applica-
tions of this fact.

Lemma 63. Let N be a quantum network that uses a total of m qubits and
makes T queries to a black-box OX . Then there exist complex-valued N -variate
multi-linear polynomials p1; p2; : : : ; p2m , each of degree at most T , such that the
nal state of the network is the superposition
2X
m 1
py (X ) j yi
y=1
for any black-box X .
 3.3. RELATION BETWEEN QUANTUM NETWORKS, BLACK-BOXES AND POLYNOMIALS
102
Proof. We can assume that N = 2n . We can assume that the black-boxes
are used sequentially. Let Uj denote the unitary transformation which we apply
between the j th and (j + 1)th black-box query. We can assume that we always
apply OX to the rst n +1 qubits (incorporate any permutations of the qubits into
the Uj operations). We thus have the network illustrated in gure 3.2. For the
proof, it will help to consider the register in three parts: the rst n qubits, the 1
output bit, and the remaining l = m n 1 ancilla bits.

Figure 3.2. Without loss of generality, any network which makes

T black-box queries is equivalent to a network which starts with the
state j 00 : : : 0i, applies a unitary operator U0, followed by a black-
box query on the rst n+1 qubits, followed by a unitary operation U1
and so on, with a nal unitary operation UT after the last black-box
call.
 3.3. RELATION BETWEEN QUANTUM NETWORKS, BLACK-BOXES AND POLYNOMIALS
103
Just before the rst black-box application the m-qubits will be in some state
X
j 0k j j 0ki + j 1k j j 1ki ;
j;k

where 0  j < 2n, 0  k < 2l , and the j;b;k , b 2 f0; 1g are independent of the
string X . In other words the j are polynomials of degree 0 in X1; X2 ; : : : ; XN .
For b 2 f0; 1g we also use the notation b = NOT (b) = 1 b. After the rst
black-box call, we have the state
X
j 0k j jXj ki + j 1k jXj k
j;k
X
= [(1 Xj ) j0k + Xj j1k ] j j 0ki + [(1 Xj ) j1k + Xj j0k ] j j 1ki :
j;k

Therefore the amplitudes are polynomials in the Xj of degree at most 1. The

unitary operation U1 is linear, and thus the amplitudes just after U1 is applied are
still polynomials of degree at most 1. We can easily see that, for j  0, if just
after Uj 1 is applied the amplitudes are polynomials of degree at most j 1, then
the j th black-box call adds at most 1 to the degree of the amplitude polynomials
so they are of degree at most j . The Uj replaces the amplitude polynomials with
linear combinations of amplitude polynomials and thus the degrees remain at most
j . Since x2 = x for x 2 f0; 1g, we can assume the polynomials are multi-linear.
The proof follows by a simple induction.

We get the following corollary [BBC+98].

Corollary 64. Let N be a quantum network that makes T queries to a black-

box X , and B be a set of basis states. Then there exists a real-valued multi-linear
polynomial P of degree at most 2T , which equals the probability of observing a state
from the set B after applying the network N using black-box OX .
 3.4. APPLICATIONS TO LOWER BOUNDS 104
3.4. Applications to lower bounds
Let us start by de ning three quantities, deg(F ), dg eg(F ), and bs(F ), related
to the N -variate function F . Although the function F is only de ned on values of
0 and 1 it is useful to extend this function to the reals.
Definition 65. An N -variate polynomial p : RN ! R represents F if p(X ) =
F (X ) for all X 2 f0; 1gN .
Lemma 66. Every N -variate function F : fX1 ; : : : ; XN g ! f0; 1g, has a
unique multi-linear polynomial p : R N ! R which represents it.
Proof. The existence of a representing polynomial is easy: let
X Y
N
p(X ) = F (Y ) [1 (Yk Xk )2 ]:
Y 2f0;1gN k=1
To prove uniqueness, let us assume that p1(X ) = p2(X ) for all X 2 f0; 1gN .
Then p(X ) = p1(X ) p2(X ) is a polynomial that represents the zero function.
Assume that p(X ) is not the zero polynomial and without loss of generality, let
X1X2 : : : Xk be a term of minimum degree, for some 6= 0. Then the string X
with X1 = X2 = : : : = Xk = 1 and the remaining Xj all 0 has p(X ) = 6= 0. This
contradiction implies that p(X ) is indeed the zero polynomial and p1 = p2 .
The degree of such a p is a useful measure of the complexity of F .
Definition 67. The degree of the polynomial p which represents F is denoted
deg(F ).
For example, the OR function is represented by the polynomial 1 (1 Xj )
QN
j =1
which has degree N . Thus deg(OR) = N .
In practice, it would suce to have a polynomial p which approximates F at
every X 2 f0; 1gN . For example OR(X1; X2)  23 (X1 + X2).
 3.4. APPLICATIONS TO LOWER BOUNDS 105
Definition 68. An N -variate polynomial p : RN ! R approximates F if
jp(X ) F (X )j  13 for all X 2 f0; 1gN .
Again, the minimum degree of such a polynomial p is a useful measure of the
complexity of F .

Definition 69. The minimum degree of a p approximating F is denoted

dg
eg(F ).

Lastly, intuitively it seems obvious that functions which are very sensitive to
changes of the values of almost any of the bits in the string X will require us
to probe more bits of X than functions which are relatively indi erent to such
changes. One way of rigorously capturing this concept of sensitivity is by the
notion of the block sensitivity of F .

Definition 70. Let F : f0; 1gN ! f0; 1g be a function, X 2 f0; 1gN , and
B  f1; 2; : : : ; N g be a set of indices.
Let X B denote the vector obtained from X by ipping the variables in B .
The function F is sensitive to B on X if f (X ) 6= f (X B ).
The block sensitivity bsX (F ) of F on X is the maximum number t for which
there exist t disjoint sets of indices B1 ; : : : ; Bt, such that F is sensitive to each Bi
on X .
The block sensitivity bs(F ) of F is the maximum of bsX (F ) over all X 2
f0; 1gN .
We get the following three theorems relating the quantum query complexities
QE (F ) and Q2(F ) to deg(F ); dg
eg(F ), and bs(F ).

Theorem 71. If F is a Boolean function, then QE (F )  deg(2 F ) .

 3.4. APPLICATIONS TO LOWER BOUNDS 106
Proof. Consider the result of a quantum algorithm for evaluating F exactly
using QE (F ) queries. By corollary 64, the probability of observing 1 is p1 (X ), a
polynomial of degree at most 2QE (F ). We will observe 1 if and only if F (X ) = 1.
In other words p1 (X ) = F (X ) for all X 2 f0; 1gN . This implies that 2QE (F ) 
deg(F ).
g
Theorem 72. If F is a Boolean function, then Q2 (F )  deg(2 F ) .

Proof. Consider the result of a quantum algorithm for evaluating F ap-

proximately using Q2 (F ) queries. By corollary 64, the probability of observ-
ing 1 is p1(X ), a polynomial of degree at most 2QE (F ). If F (X ) = 1, then
p1(X )  23 . Similarly if F (X ) = 0 then 1 p1(X )  23 . In other words
jp1(X ) F (X )j  31 for all X 2 f0; 1gN , which means p1 approximates F . This
implies that 2QE (F )  dg
eg(F ).
This last theorem is less obvious.
q bs(F )
73. If F is a Boolean function, then QE (F )  8 and Q2 (F ) 
q bsTheorem
(F )
16 .

The proof [BBC+98] makes clever use of the following theorem (from [EZ64,
RC66]).
Theorem 74. Let p : R ! R be a polynomial such that b1  p(i)  b2 for
every integer i from 0 to N , and jp0(x)j  c for some real x, 0  x  N . Then
q
deg(p)  c+bcN+b .
2 1

The notion of block sensitivity extends nicely to the study of partial Boolean
functions. The functions F we have considered so far are called total functions
since they are de ned on all of f0; 1gN . Partial functions are only de ned on a
 3.5. RELATING QUANTUM AND DETERMINISTIC QUERY COMPLEXITY 107
subset S  f0; 1gN . For example in [DJ92] Deutsch and Jozsa restricted the
domain to the set S of strings which were either all 0 or all 1 or which had an
equal number of 0s and 1s. They de ned the function F to be 1 if and only if
X1 = X2 = : : : = XN (i.e. if X is constant) and 0 otherwise (i.e. if X is balanced).
The block sensitivity of a partial function is simply the minimum bsX (F ) over all
X 2 S and Theorem 73 holds for partial functions as well. The Deutsch-Jozsa
function has block sensitivity 2 giving a lower bound of 1, which is tight since the
algorithm in [CEMM98] solves the problem with only one query (see Algorithm
45).

3.5. Relating quantum and deterministic query complexity

Using the relationship between the quantum query complexity Q2 (F ) and bs(F )
and the result D(F )  bs(F )3 (before this the best known result was D(F ) 
bs(F )4 [Nis91]), we are able to prove the relationship 212 Q2 (F )6  D(F ) (Theorem
62). The proof requires the introduction of another property of a function F ,
namely its certi cate complexity.

Definition 75. Let F : f0; 1gN ! f0; 1g be a function. A 1-certi cate is an

assignment C : S ! f0; 1g of values to some subset S of the N variables, such that
f (X ) = 1 whenever X is consistent with C . The size of C is jS j. We similarly
de ne a 0-certi cate. The certi cate complexity CX (F ) of F on X is the size of a
smallest f (X )-certi cate that agrees with X . The certi cate complexity C (F ) of
F is the maximum over all X of CX (F ). The 1-certi cate complexity C (1) (F ) of
F is the maximum of CX (F ) over all X with f (X ) = 1.

Roughly speaking, a 0- or 1-certi cate is a subset of the string which guarantees

or certi es the value of the function on the whole string.
 3.6. SOME EXAMPLES AND APPLICATIONS 108
Example 76. Consider the OR function, which satis es OR(X ) = 0 if and
only if Xj = 0 for all j . Any substring Xj = 1 is enough to guarantee that
OR(X ) = 1. Thus the certi cate complexity CX (OR) for any non-zero string X is
1. However the certi cate complexity of the all-zero string is N , since every single
bit of a string X must be 0 for OR(X ) = 1 to hold. Thus the certi cate complexity
C (0) (OR) = N . The maximum of all the CX (OR) gives us the certi cate complexity
of (OR), namely, C (OR) = N . The 1-certi cate complexity is C (1) (OR) = 1 and
the 0-certi cate complexity is C (0) (OR) = N .

The following lemma is a result of Nisan [Nis91].

Lemma 77. C (1) (F )  C (F )  bs(F )2 .

The next lemma is proved in [BBC+98].

Lemma 78. D(F )  C (1) (F )bs(F ).

Combining these two lemmas gives D(F )  bs(F )3, and adding in Theorem 73
gives Theorem 62.

3.6. Some examples and applications

We have related Q2 (F ) and QE (F ) to the quantities deg(F ); dgeg(F ), and bs(F ).
How do we evaluate deg(F ), dgeg(F ) and bs(F )? By Lemma 66 we can nd deg(F )
by nding a representing polynomial. We can lower bound block sensitivity bs(F )
by nding particular strings that have high block sensitivity. Bounding deg( ^ F)
requires a little more work.
Let us restrict attention to symmetric polynomials, that is those for which
permuting the variables Xj does not a ect the value of the function. Such functions
F are thus reducible to functions q : f0; 1; : : : ; N g ! R of the Hamming weight
 3.6. SOME EXAMPLES AND APPLICATIONS 109
of X . Thus any such symmetric function F e ectively partitions the integers
f0; 1; 2; : : : ; N g, into two disjoint sets, and the task at hand in determining F (X )
is to decide which set the Hamming weight of X lies in. A related quantity is the
function (F ) = minfj2k N +1j : q(k) 6= q(k +1) and 0  k  N 1g. The value
of (F ) is small if q(k) changes for k close to N2 . We make use of the following
theorem of Paturi [Pat92].

Theorem 79. (Paturi) If F is a non-constant symmetric Boolean function on

f0; 1gN , then dg
p
eg(F ) 2 ( N (N (F ))).

Some examples:
 OR
The OR function maps all non-zero strings to 1 and the all-zero string
to 0. As a polynomial we have OR(X ) = 1 (1 X1)(1 X2 ) : : : (1 XN ),
and thus deg(OR) = N .
Thus by Theorem 71 QE (OR)  N2 . This can in fact be tightened to
QE (OR) = N [BBC+98].
It is easy to see that the block sensitivity of the OR function is N , thus
p p
Theorem 73 gives us Q2 (OR)  14 N . Another way to prove an ( N )
lower bound is to make use of Theorems 79 and 72, and of the fact that
(OR) = N 1.
Note that Grover's algorithm or the quantum counting algorithms will
evaluate the OR function with probability at least 23 of being correct using
p
O( N ) queries, so our lower bound is tight up to a constant factor. Such a
lower bound was rst given in [BBBV97]. Several subsequent proofs have
also been given.
 PARITY
 3.6. SOME EXAMPLES AND APPLICATIONS 110
The PARITY function maps all strings with an even number of 1s to 0
and all strings with an odd number of 1s to 1. The PARITY function can be
Xj
compactly described as 1 j 2( 1) . By substituting ( 1)Xj = (1 2Xj ) we
=1
N

see that deg(PARITY ) = N , and thus QE (PARITY )  N2 . This fact was

shown independently in [FGGS98] and [BBC+98]. This is in fact tight due
to the following algorithm (we assume N is even, otherwise set XN +1 = 0
and apply this algorithm).

Algorithm 80.
Input:
{ A black-box which evaluates Uf .
Output:
{ PARITY (X )
Complexity:
{ N2 applications of Uf
{ O(N ) other elementary operations.
Procedure:
1. Use the Deutsch algorithm ( section 2.1) to compute X2j 1  X2j for
j = 1; 2; : : : ; N=2. This uses N=2 queries.
2. Compute PARITY (X ) = (X1  X2 )  (X3  X4 ) 


 (XN 1  XN ).

Approximating the PARITY function however is not much easier than

determining it exactly, since dg
eg(PARITY ) 2 (N ). This follows from
Theorem 79 and the fact that (OR)  1. However we will now show
that dg
eg(PARITY ) = N [MP95, BBC+98]. We will need the following
de nition.
 3.6. SOME EXAMPLES AND APPLICATIONS 111
Definition 81. Let p : R N ! R be a polynomial. For any  2 SN , let
(X ) = (X1)(X2) : : : (XN ) and de ne the polynomial
P p((X ))
psym(X ) = 2SN N ! :

Theorem 82. dg
eg(PARITY ) = N

Proof. Note that if p represents or approximates a function F then so

does psym. Since psym is symmetric, it can be written as
a0 + a1 V1 + a2V2 + : : : + ad Vd
where d is the degree of p and Vj is the sum of all multi-linear polynomials
of degree j in X1; X2; : : : ; XN . Note that when we plug in values for the


variables Xi, the value of Vj will be jXj j , where jX j is the Hamming weight
of the string X . Therefore the value
jX j jX j jX j
sym
p (X ) = a0 + a1 1 + a2 2 + : : : an d :



De ne the polynomial q : R ! R by q(x) = a0 + a1 x1 + a2 x2 + : : : ad xd .


Note that psym (X ) = q(jX j) and the degree of q in x is at most the degree
of psym in X1 ; X2; : : : ; XN . Therefore if p approximates F , the deg(q) 
deg(psym) = dg eg(F ).
Note that for the PARITY function, q(x) = 0 for x = 0; 2; 4; : : : and
q(x) = 1 for x = 1; 3; : : : . So the function q(x) 12 has N roots and thus
N  deg(q)  dg eg(F ). Therefore dg eg(PARITY ) = deg(PARITY ) =
N.

Corollary 83. Q2 (PARITY ) = QE (PARITY ) = d N2 e.

 THRESHOLDM
 3.7. CONTROLLED-OX AND SOME OPEN PROBLEMS 112
The THRESHOLDM function maps strings X with at least M 1s to
1 and the others to 0. The MAJORITY function is a special case with
M = d N2 e, OR is a special case with M = 1 and AND is a special case
with M = N . For non-trivial M , we have deg(THRESHOLDM ) = N
and thus QE (THRESHOLDM )  d N2 e. We know that for special cases
M = 1 and M = N , QE (THRESHOLDM ) = N and for M = d N2 e,
algorithms [HKM98] have been found which use at most N + 1 e(N )
queries, where e(N ) is the number of 1s in the binary expansion of N .
Since (THRESHOLDM ) = j2M N + 1j, by theorem 79 we know that
p
for M > 0, Q2 (THRESHOLDM ) 2 ( N (N (THRESHOLDM ))) =
p
( M (N M + 1)). We rewrote the lower bound in a way to coincide
with the upper bound shown in section 2.7 (since exact counting will solve
the THRESHOLD problem). Thus we have a tight (up to a constant fac-
tor) algorithm for the THRESHOLDM function, Q2 (THRESHOLDM ) 2
p
( M (N M + 1)) (this also holds for M = 0).
In [Dam98] van Dam shows that we can determine the entire string X with
p
probability greater than 32 using only N2 + N queries, in which case we can
correctly evaluate any function F (X ).
The following table summarises the complexities of evaluating certain functions
in terms of the number of black-box calls OX .

3.7. Controlled-OX and some open problems

The type of algorithms we considered applied our black-box OX exactly T times
in our quantum network. What if we wish only to conditionally apply the OX ?
How can we implement a controlled-OX if we are not given a break-down of OX
into elementary gates?
 3.7. CONTROLLED-OX AND SOME OPEN PROBLEMS 113

Q2 (F ) QE (F )
p
OR; AND ( N ) N
PARITY N=2 N=2
p
THRESHOLDM ( M (N M + 1) (N )
Table 3.2. This table gives some bounded-error and exact quantum
query complexities.

Note that if the target qubit of OX is in the state j 0i + j 1i, the OX has no
e ect. We can thus implement a controlled-OX by implementing a 0-controlled-
SWAP (i.e. SWAP the qubits when the control bit is in state j 0i) between the
target qubit and an auxiliary qubit set to the state j 0i + j 1i. The qubits should
be swapped back immediately after then OX is applied (see gure 3.3).

Figure 3.3. A network for implementing a controlled black-box operation.

I list a few open problems.

We know that QE (F ) 2 (deg(F )) (Theorem 71). Conversely, given a multi-
linear polynomial P of degree T , which satis es p(X ) 2 f0; 1g for all X 2 f0; 1gN ,
 3.7. CONTROLLED-OX AND SOME OPEN PROBLEMS 114
is there a quantum algorithm which makes O(T ) black-box queries and outputs
j 1i with probability P (X )?
Question 84. Is QE (F ) 2 (deg (F ))?

Question 85. Is Q2 (F ) 2 (dg

eg(F ))?

Nisan and Szegedy [NS94] have shown that

bs(F )  6dg
eg(F )2:
It thus follows (Corollary 5.5 of [BBC+98]) that
Q2 (F )  D(F )  bs(F )3  216dg
eg(F )6:
So question 85 is rather ambitious and an answer to the following question would
already be interesting.

Question 86. Is Q2 (F ) 2 O(dg

eg(F )k ) for any k < 6.

The diculty with proving these claims by a simple recursion is related to

the diculty of computing functions cleanly (a term borrowed from Buhrman and
de Wolf). For example, early attempts at using the Deutsch algorithm, which
computes X0  X1 using only one query su ered the fatal aw that the state
created is not just j X0  X1i but ( 1)X j X0  X1 i. That is, the extra phase
0

information ( 1)X complicates any recursive use of this method. It seems very
0

tricky indeed to compute the value of the desired function and nothing else without
cumbersome `uncomputing'. For example, try to compute the AND of two bits X0
and X1 using only two queries. The best I know of is an algorithm which uses 3
queries.

Algorithm 87.
 3.7. CONTROLLED-OX AND SOME OPEN PROBLEMS 115
 Start with the state j 0i j 0i j 0i.
 Apply a query using the rst two qubits. This produces j 0i j X0i j 0i.
 Apply a query using the last two qubits. This produces the state
j 0i j X0i j XX i.
0

 Again apply a query using the rst two qubits. This uncomputes the value
of X0 to produce j 0i j 0i j XX i.
0

Observe that XX = 1 if and only if X0 = X1 = 1. This algorithm can be easily

0

generalised to cleanly compute the AND of N variables using 2N 1 queries. Note

that this algorithm is also a reversible classical one. I know of no better way that
does so classically reversibly or quantumly cleanly.

Question 88. What is the black-box complexity of cleanly computing the AND
of N variables?

At present we only have an example of at most a quadratic separation between

D(F ) and Q2 (F ), so it is natural to ask the following.
Question 89. Show that D(F ) 2 O(Q2 (F )k ) for any k satisfying 2  k < 6.
Alternatively, nd a function F where Q2 (F )k 2 o(D(F )), 2  k < 6
 CHAPTER 4

Implementations
In section 4.1 we brie y describe why it is dicult to realise a large scale
quantum computation and ways we hope to deal with errors once our quantum
components are suciently reliable. In section 4.2 we describe some methods
for maximising what we can do with a limited amount of quantum resources. In
section 4.3 we describe how current NMR technology is used to implement quantum
algorithms. Finally, in section 4.4 we describe some interesting algorithms that are
suitable for implementations on small quantum computers and describe some of
the rst implementations of quantum algorithms.

4.1. Dealing with errors and faults

Quantum computers, like classical computers, su er from errors and faults.
Quantum information is especially susceptible to corruption by interacting with the
environment. This corruption is called decoherence. For example, suppose we have
a superposition j 0i + j 1i independent of the environment in the state j E i. If the
environment in any way interacts with the qubit and obtains enough information
to distinguish the state j 0i from the state j 1i, it will evolve into orthogonal states
j E0 i and j E1 i and the joint system is described by j 0i j E0i + j 1i j E1 i. If we trace
out the environment we see that our qubit is in the state
01 1
@2 0A
:
0 12
116
 4.1. DEALING WITH ERRORS AND FAULTS 117
If we apply a Hadamard transform to this state we still have the state
01 1
1 j 0i h 0j + 1 j 1i h 1j = @ 2 0A
2 2 0 12
whereas applying the Hadamard transform to the original state
01 1
1
@2 2 A
1 1
2 2
gives us the state
0 1
1 0A
j 0i h 0j = @ :
0 0
In the classical case, we have codes, in particular, linear codes (see e.g. [Wel88]
for an introduction) that help us detect and correct errors.
A small example is the 3-qubit code which encodes 0 as 000 and 1 as 111.
One-bit errors can be corrected by resetting the three bits to the value that occurs
most often. If the bit ip errors occur independently at random with probability
p then we get more than one error with probability 3p2 2p3. Thus this scheme
will reduce the probability that an uncorrected error corrupts our computation,
provided p is small enough that 3p2 2p3 < p (which is true if 0  p < 12 ).
Note that the error can be detected and corrected without probing all of the bits
individually. It suces to learn the XOR of bits 1 and 2 and of bits 1 and 3. This
2-bit string is called the error syndrome and has the property that for all strings
in the code, 000 and 111, the syndrome is 00. Corrupted strings 001 and 110 both
have the same syndrome 01 which tells us that the most likely error was a bit ip
in the rightmost bit, corresponding to the error vector 001. Corrupted strings 010
and 101 have syndrome 10 which identi es error vector 010 as the most likely one,
and similarly strings 100 and 011 have syndrome 11 to identify the error vector
 4.1. DEALING WITH ERRORS AND FAULTS 118
100. From the syndrome we can easily identify the most likely error and correct
for that error by ipping the appropriate bit.
In general, linear codes embed the computation in a subspace of a larger space.
The subspace is carefully chosen to have several properties:

 legitimate computations keep the state of the computer in the subspace

 unwanted operations (errors, the net e ect between an imprecise operation
and the desired operation) are likely to map the computer outside the sub-
space
 we can eciently compute the most likely way a state has deviated from the
computational subspace (this is done by looking at the error syndrome )
 we can eciently \uncompute" these errors.

A quantum version of the 3-bit repetition code could consist of three parallel
copies of the quantum register, initialised to the same state. The computation
would be carried out on all three registers in parallel. An error-free computa-
tion would leave the state of the three quantum registers in the subspace that is
symmetric under permutations of the three registers. This encoding, along with
the corresponding error-detection (in order to suppress, but not correct, errors) is
described in [BBD+97]. A quantum version of linear codes with error-correction
soon followed [Sho95a, CS96, Ste96]. There is also the problem of introducing
and propagating errors during the process of error-correction. John von Neumann
addressed this in the classical case [Neu56], and a quantum version has been
developed [Sho96, Ste97].
The current state of the art in quantum error-correction and fault tolerant
computing holds that under reasonable models of decoherence, once the quality
of our elementary operations is above some threshold, we have ecient families of
 4.2. MAXIMISING EXPLOITATION OF QUANTUM RESOURCES 119
fault-tolerant error correcting codes that allow us to reliably perform computations
requiring T steps using Tpolylog(T ) operations [Got98, KLZ97, ABO97].

4.2. Maximising exploitation of quantum resources

Classical computers store information in various media, including oppy
diskettes, the RAM and the hard-drive. Good algorithms try to store informa-
tion that is accessed very often in the RAM, since this information is most quickly
accessed. Di erent bits of information are stored in di erent media at di erent
times depending on their role in the computation. Quantum registers are expen-
sive, fragile, and really useful only for certain tasks. Therefore they should be used
with prudence. Let us assume that we have a quantum computer with n qubits,
and we wish to maximise what we can do with these n qubits. We should not
use these qubits to store information that could be encoded quantumly much later
on in the computation, or to perform classical calculations that could have been
carried out classically \on the side". We can often modify quantum algorithms to
reduce the amount of quantum memory required to carry it out. In section 4.2.1 I
will describe how the discrete logarithm problem can be reduced to several smaller
instances reducing the necessary size of the control register. If the implementation
permits, when performing eigenvalue estimation, we can reduce the control register
down to a single reusable control qubit ( section 4.2.2). The last `trick' I mention
is to not bother preparing qubits in a speci c starting state if the algorithm does
not really require it. In liquid state NMR, preparing a qubit in the state j 0i turns
out to be very dicult, and thus we can avoid this for many of the qubits in the
factoring algorithm for example.

4.2.1. Classical reductions to several smaller instances: Discrete Log-

arithms. Suppose we have a bounded amount of quantum memory, or a bounded
 4.2. MAXIMISING EXPLOITATION OF QUANTUM RESOURCES 120
number of operations before decoherence reduces the probability of success to an
unacceptable level. In this case, it will be useful, if possible, to break up large
quantum algorithms into several instances of smaller quantum algorithms that can
be run separately and then combined later on a classical computer.
For example, suppose we wish to nd the discrete logarithm of b to the base
a 2 G where a is of order M and M is composite. Let us rst assume M = pq,
where p < q are coprime. If we directly apply Algorithm 18 (Discrete Log(b; a))
to nd the discrete log of b to base a, we need dlog2 2M e + 1 control qubits and
dlog2 2M e + 1 group multiplications. We can however nd a logarithm modulo p
and another modulo q and combine the answers classically to nd the logarithm
modulo M . We nd the logarithm s1 mod p of bq to the base aq , and the logarithm
s2 mod q of bp to the base ap. We then use the Chinese Remainder theorem to
nd s mod pq satisfying s  s1 mod p and s  s2 mod q.
If we remove the restriction that p and q are coprime, say M is a prime power
p2, we cannot apply this technique. We can apply a di erent one however. The
logarithm s has a decomposition s = ps1 + s2 where s1 and s2 are between 0 and
p 1. We rst nd the logarithm s1 mod p of bp to the base ap. We then nd the
logarithm s2 mod p of ba ps = as to the base a. The logarithm of b to the base
1 2

a is then s = ps1 + s2.

Combining these two simple methods allows us to reduce nding logarithms
in a group of composite order to nding logarithms in subgroups of prime order.
The quantum memory requirements for the control register thus gets reduced to
dlog2 2pe +1 qubits, where p is the largest prime dividing N . Suppose M = Q paj j ,
n
j =1
then the total number of group multiplications is in

X
n !
O aj (log pj + 1) = O(log M ):
j =1
 4.2. MAXIMISING EXPLOITATION OF QUANTUM RESOURCES 121
The cost of combining all the answers to nd the answer modulo M is O(log2 M )
elementary classical operations.

4.2.2. Replacing the control register with a reusable control qubit.

In section 2.4 it was shown how to obtain an n-bit estimate of an eigenvalue of
a unitary operator U using a control register containing n qubits and using the
inverse quantum Fourier transform QFT (2n) 1 which was illustrated in gure 2.3.
If we take a closer look at that gure, we notice that we could in fact have observed
the rst qubit immediately before we used it as a control bit for the rotations later
(see gure 4.1). This observation was illustrated in [GN96] and they call this part-

Figure 4.1. A \Semi-classical" Fourier transform. The rst qubit

could be observed rst and the result used to classically control the
rotation on the next qubits. The same could be done with the second
qubit.

classical part-quantum version of the QFT a \semi-classical" Fourier transform.

This does not require any 2-qubit quantum gates. However, the advantages go
further if the experimental realisation of our quantum computer permits. Note
that the preparation of the second qubit could occur after the rst qubit has been
measured. In fact, if we could reset our rst qubit to j 0i, we could then reuse this
 4.2. MAXIMISING EXPLOITATION OF QUANTUM RESOURCES 122
qubit instead of requiring an additional one in our system. The same goes for the
third qubit and so on. Alternatively, we could throw away each qubit once it is
measured, and then introduce the subsequent control qubit. This lends itself to a
system which has ying qubits [THL+96]. The advantage is that we do not need
to maintain a coherent superposition of more than one-qubit in a control register.
In other words, the physical requirements of the control qubits are di erent from
those in the target register (as emphasised to me by David DiVincenzo). That
is the control register needs to be some system that can be quickly and reliably
prepared, measured and reset. The target register can take lots of time to prepare,
but should not decohere much over time (as is typical with systems that can be
easily measured), and it does not need to be easily measured (since we never
measure it).

Remark 90. Algorithm 7 (Eig Est) can be implemented using only one ying
control qubit at a time.

This has consequences on the memory demands of a system used to implement

the factoring algorithm for example. This observation was made independently by
E. Knill as noted in [Zal98] (where he also discusses the e ects of this technique
on the factoring algorithm).

4.2.3. Cool only if necessary. For most current attempts at implementing

quantum computers, cooling the starting state down to the all-zero state is quite
a challenging task. Some algorithms do not require this.
For example, the order- nding algorithm in ZN will work almost as well if the
target register is in the maximally mixed state or some natural equilibrium states
(we describe one in the next section). It is therefore not worth any signi cant e ort
to cool the target register down to the j 00 : : : 0i state and then set it to the state
 4.3. QUANTUM COMPUTATION USING NUCLEAR MAGNETIC RESONANCE 123
j 1i. In fact, the only state one must intentionally avoid with high probability is the
state j 0i, since this is the only trivial eigenvector of multiplication by a modulo N .
The other states that might pose some problem have non-trivial greatest common
factors with N - but if these occur with signi cant amplitude we can eciently
factor N without the order- nding algorithm!
4.3. Quantum Computation using Nuclear Magnetic Resonance
Unlike the ideal two-spin computer described earlier, modern liquid state NMR
computer does not manipulate just two spins. Firstly, the two spins are usually
part of a larger molecule. For example, they could be two hydrogen atoms in
a cytosine molecule (see gure 4.2). Further, they do not work with just one
molecule, since the spin state of a single proton is not reliably detectable with
existing apparatus. They use an ensemble of roughly 1017 1020 molecules and
perform measurements on this ensemble. These molecule-sized computers are in a
solution, often with water (H2 O) or heavy water (D2 O) as a solvent. To distinguish
our qubits from other spins in the sample, the frequencies of the qubit spins need
to be di erent from the frequencies of the other spins in the molecule and in
the solvent. For this reason we use deuterated cytosine, where we use D2O as
our solvent and the hydrogens of the cytosine, apart from our two qubits, are
replaced with deuterium. We can still distinguish the two di erent hydrogens from
each other since their energy eigenvalues (and therefore frequencies) are shifted
according to their chemical neighbourhoods in slightly di erent ways.
The size of the output signal from a particular spin (ignoring noise and other
errors) is proportional to the sum of the signals of that spin from each molecule.
Let us consider a molecule with just one spin. We can assume that j 1i gives a
signal of size 1 and j 0i gives a signal of size 1, where the minus sign means the
signal is in the opposite direction. Ideally, when we have two molecules, j 1i j 1i
 4.3. QUANTUM COMPUTATION USING NUCLEAR MAGNETIC RESONANCE 124
(we keep the to remind us that these spins are on di erent molecules, and not
just di erent spins on the same molecule) gives a signal of size 2, j 1i j 0i and

Figure 4.2. This picture illustrates a cytosine molecule. The green

arrows point at the two hydrogen atoms we used in our computation.
The remaining white atoms are deuterium. The grey atoms are
carbon, blue atoms are nitrogen, and the red one is oxygen.
 4.3. QUANTUM COMPUTATION USING NUCLEAR MAGNETIC RESONANCE 125
j 0i j 1i give signals of size 0 and j 0i j 0i gives a signal of size +2. In general when
we have n molecules the ideal signal size varies from n to n, and is proportional
to the di erence between the number of j 0i states and the number of j 1i states.
Let us for a moment treat the output signal quantumly and note that if we observe
the state p12 j 0i + p12 j 1i with the measuring apparatus initialised to the state j 0i,
after measuring we would have

p1 j 0i j +1i + p1 j 1i j 1i :
2 2
If we start with the state 12 j 0i j 0i + 12 j 0i j 1i + 12 j 1i j 0i + 21 j 1i j 1i and
measure we would get
 
1 (j 0i j 0i) j +2i + p1 p1 j 0i j 1i + p1 j 1i j 0i j 0i + 1 (j 1i j 1i) j 2i :
2 2 2 2 2
This means, for example, that if we observe the apparatus, then with probability
1 1 1
2 , we observe an output of j 0i and are left with the state p2 j 0i j 1i + p2 j 1i j 0i.
If we have N copies of the spin, then the output signal for the state j x1 i j x2 i
PN
: : : j xN i is proportional to ( 1)xj = N 2H (x), where H (x) is the number
j =1
of 1s0in the string
1 x = x 1 x 2 : : : xN . If we observe a single qubit in the state
 
 = @ 00 01 A, then the expected size of the output signal is
10 11
00 11 = Tr(z )
where
0 1
1 0
z = @ A
0 1
When we have N copies of this spin, the expected size of the output signal is

N (00 11 ) = NTr(z ):

 4.3. QUANTUM COMPUTATION USING NUCLEAR MAGNETIC RESONANCE 126
The expected size of the output signal is relevant since the law of large numbers
implies that as N gets large then the size of the output signal we see tends to this
expected size, NTr(z ). Since our N are roughly between 1017 and 1020, this is
an extremely accurate approximation and we will simply say that the signal size
is proportional to NTr(z ).
The measurements do not distinguish di erent molecules, which we assume are
independent of each other, so we can describe the system as being in the state
 


 where  describes the state of one molecule, which in general can
have more than one spin. If we have N molecules, each with n distinguishable
spins in the n-qubit state , the output signal when probing the j th spin will be
proportional to NTr(zj ) = 2NTr(Ijz) (where zj = I


I z I


I
with the z on the j th spin).
So what is the natural starting state ? We will assume the initial distribution
is the natural equilibrium point eventually reached by the sample after it has been
placed in the magnetic eld oriented in the z direction. This natural equilibrium
point is a function of the Hamiltonian of the molecules. For the purpose of esti-
mating the equilibrium distribution, we can ignore the coupling constants J (since
they are much less than any of the ! terms). Let us suppose that all the spins
have roughly the same frequency 2! . The natural equilibrium point for that spin is
p0 j 0i h 0j + p1 j 1i h 1j where p0 is proportional to e kT~! and p1 is proportional to e kT~!
(k is Boltzmann's constant and T is the temperature). Since ! is proportional to
the strength of the magnetic eld, we could make p0 close to 1 by increasing the
eld strength and lowering the temperature. However there are practical reasons
why we cannot increase the eld strength to a point where p0 is close to 1. Further,
we cannot lower the temperature arbitrarily close to 0 since the sample will freeze
well before that point, and this poses problems, in particular the molecules can no
 4.3. QUANTUM COMPUTATION USING NUCLEAR MAGNETIC RESONANCE 127
longer be treated as independent computers. In current NMR quantum computa-
tion, the term kT~! is quite small, roughly 10 5 , and thus we can approximate p
0
and p1 by 12 +  and 12  where   2~kT! .
The natural equilibrium distribution for the whole system is then roughly a
binomial distribution. In other words, we get the term we really want j 0000i h 0000j


with probability roughly 12 +  n  21n + 2nn .
1

Ideally, we would like to somehow prepare some qubits that are almost entirely
in the state j 00 : : : 0i h 00 : : : 0j.
One way of better approximating the state j 00 : : : 0i h 00 : : : 0j [Tap98] is to
apply a transformation that sorts our n qubit strings according to their Hamming
weights. This way the more likely strings have a longer string of leading 0s in
their binary representation. This encoding means that with probability 1 o(1),
the leftmost O(2n) bits are all 0. We could use these rst O(2n) qubits for our
computation.
However the straightforward ways of sorting by Hamming weight require an
ancilla initialised to j 0i states, which brings us back to our original problem!
Schulman and Vazirani found a clever method of permuting the computational ba-
sis states that produces roughly the same result, and this method does not require
an ancilla [SV98]. In current experiments  is roughly 10 5, thus to get even 100
qubits mostly in the j 0i state requires molecules with about 1012 spins, which is not
practical. Further, the algorithm assumes the operations are performed perfectly.
As far as I am aware, no careful treatment of this technique in the presence of errors
and imprecise operations has been done. We cannot simply use error-correcting
codes since they require ancilla bits initialised to j 0i! However this algorithm gives
hope that there is nothing in principle stopping us from initialising a register to
the desired starting state.
 4.3. QUANTUM COMPUTATION USING NUCLEAR MAGNETIC RESONANCE 128
It suces however to produce a starting n-qubit state of the form
 j 00 : : : 0i h 00 : : : 0j + (1 ) 21n I, where  is large enough to produce an observable
signal. The reason is that when we apply our algorithm A on this state, we will
get
A j 00 : : : 0i h 00 : : : 0j A + (1 ) 21n I:
Let j i = A j 00 : : : 0i be the output of the algorithm. When we measure spin j ,
we get an output signal proportional to NTr(j i h j zj ) (note that Tr(Izj = 0).
This equals N (p0 p1) where p0 is the probability of measuring j 0i and p1 is the
probability of measuring j 1i if we measure the j th qubit of j i.
No unitary transformation can transform n independent qubits in the state 
into
 j 00 : : : 0i h 00 : : : 0j + (1 ) 21n I
(see e.g. [HSTC98]), so we must somehow use an ancilla and trace it out.
Let me now describe the methods that have been used in practice and work for
small systems.
Ignoring terms of second order in , the natural equilibrium state of two spins
is
1  1 1
1 
(27) +  j 00i h 00j + j 01i h 01j + j 10ih 10j +  j 11i h 11j
4 4 4 4
(28) = 14 I +  j 00i h 00j  j 11i h 11j :
Note that
 j 00i h 00j + (1 ) 14 I = 31 14 I + 34  j 00i h 00j 34  j 11i h 11j


+ 13 41 I + 34  j 00ih 00j 34  j 10i h 10j




+ 13 41 I + 34  j 00i h 00j 34  j 01i h 01j :
 4.3. QUANTUM COMPUTATION USING NUCLEAR MAGNETIC RESONANCE 129
This equation suggests the following strategy. Leave the top third of the sample
alone (call this operation U0 ), map the middle third (using a controlled-NOT) from
1  1 
4 I +  j 00i h 00j  j 11i h 11j ! 4 I +  j 00i h 00j  j 01i h 01j
(call this U1 ) and the bottom third from
1  1 
4 I +  j 00i h 00j  j 11i h 11j ! 4 I +  j 00i h 00j  j 10i h 10j
(call this U2), and then average over all the molecules again. This gives us the
state
4  j 00i h 00j + (1 4 ) 1 I:
3 3 4
One way of looking at this is as adding a virtual two-qubit register to each
molecule, a location register, preparing the state
1 j 0i h 0j + 1 j 1i h 1j + 1 j 2i h 2j ;
3 3 3
applying a controlled-Uj on the two systems, and then tracing out the location
qubits giving us the desired state. In practice we can spatially address di erent
parts of the sample, so that one third of them (say the top third of the test
tube) are designated to be in region j 0i h 0j, the middle third are in region j 1i h 1j
and the bottom third are in region j 2i h 2j. We can thus apply U0 to the top
third, U1 to the middle third, and U2 to the bottom third. Cory et. al [CFH96]
describe such a method ( eld gradients). Knill et. al [KCL98] designed a similar
scheme where instead of averaging over spatial con gurations they would run U0 ,
U1 and U2 at three separate times and combine up the output signals afterwards
(temporal averaging). Gershenfeld and Chuang [GC97] have also described an
elegant method called logical labelling that uses additional spins in the molecule
 4.4. INTERESTING ALGORITHMS FOR IMPLEMENTATION WITH FEW QUBITS 130
as the additional control bits. Each of these methods allows us to prepare pseudo-
pure states.
Unfortunately, the simple generalisations of these methods to large systems
only produce states with  roughly 2nn . To have any hope of observing a signal
we need the number of copies N of the molecule to be of size on the order of 1 ,
which implies that N must be exponential in n, the number of qubits we wish to
have. This means that these techniques alone will not suce in providing eciently
scalable quantum computation, but must be combined with other methods, such
as those in [SV98]. We are still seeking a method that is both practical and whose
complexity scales at most polynomially in the number of qubits we wish to have.

4.4. Interesting algorithms for implementation with few qubits

4.4.1. Deutsch algorithm. As an example of the hidden subgroup problem,
this problem is the most interesting two-qubit algorithm to implement and can also
be implemented on ensemble computers using only 2 qubits. This algorithm was
implemented by Jones and myself using [JM98] two hydrogen nuclei in deuterated
cytosine (see gure 4.2). More speci cally, we used a 50 mM solution of cytosine
in D2 O. We worked at room temperature, 20C with a magnetic eld of frequency
500MHz and a J -coupling term of 7:2Hz between the two 1H atoms. This J -
coupling corresponds to the term 14:4~Iz Iz in the Hamiltonian. The resonant
frequencies of the two hydrogen atoms di ered by 763Hz, which allowed us to
di erentiate the two.
We used the gradient techniques of Cory et al. to prepare (approximately) the
pseudo-pure state

01 =  j 01i h 01j + (1 ) 14 I:

 4.4. INTERESTING ALGORITHMS FOR IMPLEMENTATION WITH FEW QUBITS 131
We applied a 90y pulse to both spins to e ect the pseudo-Hadamard operator and
thus produced a pseudo-pure state corresponding to the pure state
(j 0i + j 1i) (j 0i j 1i) :
We then implemented one of the four functions f : f0; 1g ! f0; 1g. For example,
to implement f01 (0) = 0; f10(1) = 1, via the operator
U01 : j xi j yi ! j xi j y  f (x)i
we could apply the following sequence (based on the one in [JM98]; see appendix
A.7 for details):
(29) 90I2y 1 180x 1 180x 90I1z 90I2z ( 90)I2y
4J12 4J12
where 4J1 indicates simply waiting for a period of time 4J1 and 180x indicates a
12 12

180Ix on all spins (when the frequencies of the two spins are close together, these
hard pulses are easier to implement than selective pulses, that is pulses that only
target one of the spins). In general a pulse sequence for Uf produces a pseudo-pure
state corresponding to the pure state


( 1)f (0) j 0i + ( 1)f (1) j 1i (j 0i j 1i) ;
as described in section 2.1.
A pseudo-Hadamard gate applied to both qubits would give us a pseudo-pure
state corresponding to the pure state
j f (0)  f (1)i j 1i
and a subsequent measurement of the rst qubit would give us a signal proportional
to Tr(j bi h bj z ) = ( 1)b where b = f (0)  f (1) and measuring the second qubit
would give us a signal proportional to 1. We implemented similar pulse sequences
for all four possible functions f : f0; 1g ! f0; 1g. We rst implemented each Uf
 4.4. INTERESTING ALGORITHMS FOR IMPLEMENTATION WITH FEW QUBITS 132
twice, once with a pseudo-pure starting state corresponding to j 0i j 0i and again
with a pseudo-pure state corresponding to j 1i j 0i in order to simply compute f (x)
on every possible classical input. The output signals for the `classical' computations
appear in gure 4.3. We then implemented the Deutsch algorithm to nd the
value of f (0)  f (1) with only one application of Uf . The output signals from
these experiments are shown in gure 4.4. More details are provided in [JM98].
A similar implementation with a chloroform molecule was announced shortly after
[CVLL98].
4.4.2. Quantum searching. Quantum searching in a space of size N = 4 can
also be implemented with only two qubits. On an ensemble computer, it is useful
to promise that there is only one solution to f (x) = 1. Otherwise, if there is more
than one solution, we observe an average of the corresponding signals, which does
not necessarily give useful information. It also convenient when exactly one fourth
of the inputs are solutions, since in that case one iteration of the searching iterate
will produce exactly a superposition of the satisfying assignments (see section 2.7.
When N = 4 and we have only one solution, we enjoy both of these advantages.
This algorithm was implemented in [GCK98] and [JMH98].
4.4.3. Quantum counting. Quantum counting can also be done with as few
as 2 qubits. One qubit is used for the \semi-classical" phase estimation and the
other is the input to a function f . It gets more interesting of course as the domain
of f increases. The averaging in NMR that we describe in section 4.3 turns out to
be an advantage! This implementation is described in [JM99].
The quantum counting, or more generally, amplitude estimation algorithm,
seeks to estimate an eigenvalue of the unitary operator G = AU0 A 1Uf de-
ned in section 2.7. We adapted this algorithm to work with one control bit
by implementing, for increasing r, a controlled-Gr. We know that G has two
 4.4. INTERESTING ALGORITHMS FOR IMPLEMENTATION WITH FEW QUBITS 133

Figure 4.3. An upward peak corresponds to the state j 0i and a

downward peak corresponds to the state j 1i. The starting state has
both peaks pointing up. The left qubit stores the input to f and the
answer is added to the right qubit. All four functions were evaluated
on both possible input values.
eigenvectors j +i and j i with eigenvalues e2i! and e 2i! where A j 0i =
sin(!) j X1i + cos(!) j X0i and Uf j X1i = j X1i and Uf j X0i = j X0i. If we
 4.4. INTERESTING ALGORITHMS FOR IMPLEMENTATION WITH FEW QUBITS 134

Figure 4.4. The four output signals correspond to the result of

applying the Deutsch algorithm with the four functions f : f0; 1g !
f0; 1g. The left qubit stored the value of f (0)  f (1). The right
qubit is in the state j 1i.
start with the state (j 0i j 1i) j +i and apply a controlled-Gr, we get the state
(j 0i e2ir! j 1i) j +i. An inverse pseudo-Hadamard transform on the rst qubit
gives us
 1 + e2ir! 2ir! 
2
j 0i + 1 e2 j 1i j +i :
Tracing out the target register we see that the rst qubit is in the state
0 1
@ 1 + cos(2r!) i sin(2r!) A :
i sin(2r!) 1 cos(2r!)
 4.4. INTERESTING ALGORITHMS FOR IMPLEMENTATION WITH FEW QUBITS 135
The same result is obtained if we replace j +i with j i, except that the two o -
diagonal elements are negated. Thus the same diagonal elements are also obtained
from any superposition or statistical mixture of the two, such as A j 0i. Starting
with A j 0i = ei! j +i + e i! j i in the target register, applying the controlled-
Gr , and then tracing out the target register gives the state
0 1
1 + cos(2r!) 0
= 1@
2
A;
0 1 cos(2r!)
and measuring will produce an output signal of size proportional to Tr(z ) =
cos(r!). The averaging e ects actually help provide a more precise estimate of
cos(r!)! Running this experiment for exponentially increasing r and classically
post-processing (similar to the methods in [Kit95, Bhi98]) gives us counting algo-
rithms similar to those described in section 2.7. The details of this implementation
appear in [JM99].

4.4.4. Order- nding. Pick any group whose operation can be realised with
few qubits, add one control bit, and you can nd the order of that operation using
the order- nding algorithm and the modi ed phase estimation method described
in section 4.2.2 and in [Bhi98]. For example, multiplication by 2 mod 2k 1
corresponds to a cyclic permutation of the k bits, which can be implemented using
only k qubits. The order- nding algorithm can nd this period.
It is not worth implementing this algorithm on very small NMR quantum
computers (or other ensemble computers) because the average of the signals from
E
the eigenvalue estimations ekr does not provide useful information. We could in
principle perform the post-processing that computes the order r quantumly (so
E
that we observe an average signal over states of the form j ri ekr ), but in practice
this greatly increases the required amount of quantum memory.
 4.4. INTERESTING ALGORITHMS FOR IMPLEMENTATION WITH FEW QUBITS 136
4.4.5. Simulating Quantum Chaotic Maps. Schack and Brun [Sch98,
BS99] have suggested using small quantum computers to implement quantum
chaotic maps and to observe and study the predicted chaotic features. Once the
number of qubits is above a few dozen, we are out of the range of what classical
computers can simulate. This is not the case for the factoring problem, where it
would take several hundred working logical qubits to outperform classical algo-
rithms.
 APPENDIX A

Appendix
A.1. Computing a controlled-U
Given a quantum gate array for computing U , we wish to create a network for
computing the controlled-U which maps j 0i j yi ! j 0i j yi and j 1i j yi ! j 1i U j yi.
It is important to remember that we do not measure the control bit, and then
apply U if the outcome is 1 (in some circumstances, such as when the control
qubit never used again, or as described in section 4.2.2, this is possible, but not in
general).
In [BBC+95], they show the essential ingredients for performing this task.
Firstly, for each gate G in the available family of gates G , we should decompose
the controlled-G (at least approximately) into a network of gates from G. For
example, the controlled-controlled-NOT can be decomposed as shown in gure
A.1.
Creating a network for the controlled-U is now simple. Just replace every gate
G in U with a gate array for computing the controlled-G, always using the same
control bit, as illustrated in gure A.2. With our universal set of gates G we can,
for any , eciently approximate every controlled-G with error at most  using
poly( 1 ) gates from G. Suppose we have a network N with T gates not necessarily
from our universal set. We wish to approximate N with a network N 0 such that
their respective outputs j i = N j 00 : : : 0i and j 0i = N 0 j 00 : : : 0i are `close',
that is jj 0i j ij <  for some small . It suces to approximate each gate G

137
 A.1. COMPUTING A CONTROLLED-U 138
in N with an error in O( T ). We can eciently do this using poly( T ) gates from
our universal set.
Although it suces to approximate every controlled-G, it is an interesting
mathematical question if it is possible to do so exactly.

Figure A.1. A network for computing the controlled-controlled-

NOT using only two-qubit gates. Here N denotes the NOT gate
p
and A denotes the NOT gate.

Figure A.2. A quantum network for computing the controlled-U

given a network for U .
 A.2. COMPUTING M (U) 139
Problem 91. Does there exist a nite universal family of quantum gates G ,
such that for each gate G 2 G , the controlled-G can be decomposed exactly as a
nite concatenation of elements in G .

A.2. Computing M (U )
Given a means for computing U , for any positive integer M , we wish to create
a gate array for computing M (U ) : j xi j yi ! j xi U x j yi. Note that this is a
generalisation of the controlled-U .
We will consider two cases. The rst case is where we are simply given a
quantum network for computing U . For a xed positive integer k, a controlled-
U 2k can easily be created by concatenating 2k consecutive controlled-U arrays.
If the quantum network for U has T gates, then the quantum network for the
controlled-U 2k has O(2k T ) gates.
The second case is where it is possible to compute U 2k more eciently than
by just iterating 2k times the operator U . For example, if U corresponds to mul-
tiplication by a in some group G, we can rst compute a2 by squaring a, then
compute a4 by squaring a2, and continue squaring a total of k times to compute
a2k . This requires k group operations, and we then directly implement the opera-
tion Ua k = Ua2k .
2

In either case, once we know how to implement the controlled-U , controlled-

U 2 , controlled-U 4, : : : , controlled-U 2l , we are ready to implement M (U ) using the
well-known `square and multiply' algorithm (see for example, Algorithms 2.143 and
2.227 in [MvOV97]). Using a qubit in the state j xj i as the control bit for U 2j , we
will apply the operator U exactly x0 20 + x1 21 + : : : + xl 12l 1 times. In other words,
U is applied x times where x equals xl 1 : : : x1 x0 represented in binary. Therefore,
such a gate array, as illustrated in gure A.3, will realise the operator M (U ).
 A.3. REVERSIBLE COMPUTING WITHOUT KEEPING THE INPUT 140

Figure A.3. A network for implementing 2 (U ) : j xi j

3 i!
j xi U x j i, where x = x1 + 2x2 + 4x3 .

Lemma 92. Given a quantum network with T elementary gates for implement-
ing U , we can implement M (U ) using O(MT ) gates. If U = Ua , the operator that
multiplies by a in a group G where a group multiplication requires O(T ) gates, then
we can implement M (Ua ) using O(log MT ) elementary gates.

A.3. Reversible Computing without keeping the input

If the function f is logically reversible, and we have a means of comput-
ing f 1, then we can implement the operation j xi ! j f (x)i (versus imple-
menting j xi j yi ! j xi j y + f (x)i). More speci cally, given a quantum network
for implementing j xi j yi ! j xi j y + f (x)i and one for implementing j xi j yi !
j x f 1 (y)ij yi, we can implement j xi ! j f (x)i as illustrated in gure A.4.
 A.4. FOURIER TRANSFORMS 141
A.4. Fourier Transforms
When we have a non-trivial factorisation for M , say M = AB , there are two
ways of combining QFT (A) and QFT (B ) to produce QFT (M ). If A and B
are coprime, we can make use of the Chinese remainder theorem, and represent

Figure A.4. When f is invertible, we can compute f (x) without

keeping the input. First compute j xi j f (x)i, and then uncompute
the input using f 1.
 A.4. FOURIER TRANSFORMS 142
integers k 2 f0; 1; :::; M 1g as elements in f0; 1; :::; A 1g  f0; 1; :::; B 1g via
the isomorphism k mod M ! (k mod A; k mod B ). Using this representation,
it is easy to verify that QFT (M ) = (UB UA )(QFT (A) QFT (B )), where UB :
j x mod Ai ! j xB mod Ai, and UA : j x mod B i ! j xA mod B i.

Figure A.5. This network realises the QFT (AB ) 1 when a

mod AB is represented as j a mod Ai j b mod B i. Apply QFT (A)
on the rst register followed by a multiplication by B mod A, and
apply QFT (B ) on the second register followed by a multiplication
by A mod B .

In general, for any A and B , say A = 2 and B = 2n 1, we can generalise the

technique described in section 2.3. We represent a 2 f0; 1; :::; M 1g as elements
in f0; 1; :::; A 1g  f0; 1; :::; B 1g via the isomorphism a1B + a2 mod M !
(a1 mod A; a2 mod B ), where a2 2 f0; 1; :::; B 1g, and a1 2 f0; 1; :::; A 1g. In
the following equations, we will decompose the indices k 2 f0; 1; : : : ; AB 1g as
fk2; k1g where k = k2A + k1, k2 2 f0; 1; : : : ; B 1g and k1 2 f0; 1; : : : ; A 1g.
 A.4. FOURIER TRANSFORMS 143
Suppose we are given the state
X
AB 1
ka X
AB 1 k(a1 B+a2 )
QFT (AB ) j ai = e2i AB j ki = e2i AB j ki
k=0 k=0
X k a B+k2 a2 A+k1 a2
= e2i 1 1 AB j k2; k1i
0k2 <B;0k1 <A
X ! X !
ka k (a B+a )
= e2i 2B 2 j k2i e2i 1 1AB 2 j k1i .
0k2 <B 0k1 <A
Applying QFT (B ) 1 to the left register will give us
X !
k (a B+a )
j a2i e2i 1 1AB 2 j k1i .
0k1 <B
Extend the de nition of Rw to H B by mapping j xi ! e 2ixw j xi, x 2
f0; 1; : : : ; B 1g. A multi-qubit controlled-R AB (i.e. a A(R AB )) will give us
1 2

X !
kaB
j a2 i e2i 1AB1 j k1i
0k1 <A
X !
ka
= j a2i e2i 1A 1 j k1i .
0k1 <A
and applying QFT (A) 1 gives us j a2 i j a1 i.
Note that whereas in the input register j xi j yi corresponded to xB + y, in the
output register it corresponds to yA + x. This accounts for the reversal of the
qubits at the end of the QFT (2n), but it is not quite so simple when a mixed radix
representation is used. We will not worry about transforming the outputs back to
the same representation as the inputs.
We can recursively apply this technique for any N = A1A2 : : : An and map, for
any a 2 f0; 1; : : : ; N 1g, a = a1 A2A3 : : : An + a2 A3 A4 : : : An + : : : + an 1 An + an,
0  aj < Aj . The result is a network which maps, with indices k represented as
 A.5. PUBLIC KEY CRYPTOGRAPHY AND QUANTUM COMPUTING 144
j kni j kn 1i : : : j k1i, k = knAn 1An 2 : : : A1 + kn 1An 2 : : : A1 + : : : + k2A1 + k1,
X
N 1
e2i kaN j ki ! j ani j an 1i : : : j a1i :
k=0
Again, the numbers are encoded di erently in the output and input registers.

Figure A.6. This gure illustrates a network for QFT 1 (ABC )

where A,B and C are not necessarily coprime. Note that j xi j yij zi
represents 6x + 2y + z at the input, and 15z + 5y + x at the out-
put. This corresponds to the necessary reordering of qubits in the
QFT (2n) network described earlier.

A.5. Public Key Cryptography and Quantum Computing

A.5.1. Public Key Cryptography. Up until 1976, most publicly used cryp-
tography was private or symmetric key cryptography. In private key schemes (such
as DES or the one-time pad), the encryption and decryption keys are e ectively
 A.5. PUBLIC KEY CRYPTOGRAPHY AND QUANTUM COMPUTING 145
the same and must somehow be secretly exchanged between participants, say Alice
and Bob. In public key cryptography, rst described publicly by Die and Hell-
man [DH76b] (see also [Ell70, Ell87]) the encryption and decryption keys are
quite di erent, since it should be infeasible for one to compute the decryption key
given the encryption key.
A reliable copy of everyone's encryption key should be publicly available. If
Alice wishes to send a message M to Bob, she encrypts M using Bob's public key
EBob to produce a ciphertext C . Only Bob possesses the decryption key DBob that
allows him to compute P from C . Note than anyone can use the same public key
EBob to send encrypted messages to Bob.
A.5.2. RSA. In 1977, Rivest, Shamir, and Adleman devised a public key
scheme now known as RSA [RSA78] (similar to that of [Coc73]). Alice's public
key EAlice is a pair of integers (N; e). The integer N is a product of two distinct
large primes p; q known only to Alice. The multiplicative group of integers modulo
N , ZN is the set of (N ) = (p 1)(q 1) integers between 1 and N 1 that
are coprime to N . From the encryption key e Alice computes a decryption key
DAlice = d which satis es ed  1 mod (N ). Fermat's theorem implies that for
any integer M between 0 and N 1, and any integer k, M k(N )+1  M mod N .
Bob encrypts M by computing C = M e mod N . Alice decrypts C by computing
C d mod N . Note that C d  P ed  P k(N )+1  P mod N .
The security of this cryptosystem requires that it is dicult to compute the
decryption key DAlice = d given EAlice = (N; e). If we know the factors p and q
of N , we could easily compute d. Thus being able to factor suces to compute P
from C . It is not known if it is necessary.
A.5.3. Using Algorithm 13 to crack RSA. As we show in the next section,
we can crack RSA by using Algorithm 15 (Find Order) to factor N . We can
 A.5. PUBLIC KEY CRYPTOGRAPHY AND QUANTUM COMPUTING 146
however directly compute P from C without factoring N (we could factor N if we
wish by solving this problem for several random C ).

Algorithm 93. (Find RSA Plaintext(C; N ))

Input:
 Integers N and C .
Output:
 An integer P .
Complexity:
 O(log N ) multiplications modulo N .
Procedure:
1. Use Algorithm 15 (Find Order(C )) to nd an integer r such that C r  1
mod N .
2. Use the extended Euclidean algorithm to compute an integer d satisfying
de  1modr.
3. Output P  C d mod N .

Theorem 94. Algorithm 93 (Find RSA Plaintext(C; N )) nds C such that

P e  CmodN .

Proof. Note that ed  1 mod r means ed = kr + 1 for some integer k. Thus

C d  P ed  P kr+1  (P r )k P  P mod N .

A.5.4. Using Algorithm 13 to factor. As mentioned earlier, we could use

Algorithm 15 to factor any composite integer N . It of course suces to split any
composite integer N into two non-trivial factors. We assume N is odd, since it is
easy to recognise and divide out any power of 2. Further, we can assume N is not
 A.5. PUBLIC KEY CRYPTOGRAPHY AND QUANTUM COMPUTING 147
a perfect power, since we can easily check to see if it is a perfect rth power for
r = 2; 3; : : : log2 N .
Algorithm 95. (Split(N ))
Input:
 An odd composite integer N that is not a prime power.
Output:
 A integer t.
Procedure:
1. Pick an integer a 2 f1; 2; 3; : : : ; N 1g uniformly at random.
2. Use the Euclidean algorithm to nd d = gcd(a; N ). If d > 1, output d (i.e.
if d is not coprime to N , this is NOT a problem!)
3. Use Algorithm 13 three times with M = 2N 2 > 2r2. If the three results are
FAIL, go to step 1. Otherwise take r to be the minimum non-FAIL output.
If r is odd go to step 1. If r is even, let d = gcd(a r 1; N ). If d = 1, go to
2

step 1.
4. Output d.
Theorem 96. Algorithm Split(N ) outputs a non-trivial factor of N and runs
with expected running time of O(log3 N ) multiplications mod N and O(log2 N )
other elementary operations.
Proof. We will prove it for N = pq , where p < q are distinct primes. It is
easy to generalise. Let a1 be a generator of Zp and a2 be a generator of Zq . By
the Chinese Remainder theorem, the (p 1)(q 1) integers in ZN are in a 1 1
correspondence with the pairs of integer (x1 ; x2 ) 2 f1; 2; : : : ; p 1gf1; 2; : : : ; q
1g via the mapping a mod N ! (ax1 ; ax2 ) with a  ax1 mod p and a  ax2
1 2 1 2

mod q. Selecting an integer a uniformly at random from ZN is equivalent to

 A.6. FINDING LOGARITHMS, DSA, AND DIFFIE-HELLMAN 148
selecting x1 uniformly at random from f1; 2; : : : ; p 1g and independently selecting
x2 uniformly at random from f1; 2; : : : ; q 1g.
The order of such an a mod p is
r1 = gcd(px ; p1 1)
1
and modulo q is
r2 = gcd(qx ; q1 1) :
2
The order of a modulo pq is r = lcm(r1; r2).
Computing gcd(a r 1; N ) will split N if and only if r1 and r2 contain the factor
2

2 with di erent multiplicities. Since x1 and x2 are chosen uniformly at random,

the probability that r1 and r2 contain the factor two with di erent multiplicities
is at least 21 .
Recursive application of this splitting algorithm gives us a factoring algorithm.
By nding certi cates for the primes (which can be done since we can now factor),
we can make this a zero-error algorithm [Buh96].

A.6. Finding logarithms, DSA, and Die-Hellman

Die and Hellman [DH76a, DH76b] devised the following key exchange pro-
tocol (which can easily be turned into a public key scheme, such as the El-Gamal
protocol; see sections 12.6 and 8.4 of [MvOV97]).
There is some publicly known group G and an element 2 G.
Alice possesses a secret integer a, and makes public the element a. Bob
possesses a secret integer b and makes public the element b.
Alice takes Bob's public b and computes ( b)a = ab. Bob takes Alice's public
a and computes ( a )b = ab .

They now share the key ab . Any adversary knows , a and b.

 A.7. IMPLEMENTING A FUNCTION WITH A PULSE SEQUENCE 149
Problem 97. (Die-Hellman Problem) Given ; a ; b 2 G, nd ab .

Note that multiplying a and b only gives a+b. It is clear that being able to
compute discrete logarithms will allows us to solve the Die-Hellman problem and
crack any cryptosystems which rely on diculty of the Die-Hellman problem. For
example the U.S. Digital Signature Algorithm which is a U.S. Federal Information
Processing Standard (see section 11.5.1 of [MvOV97]) relies on the diculty of
the Die-Hellman problem in GF (p) where p is a 512-bit prime number.

A.7. Implementing a function with a pulse sequence

In I stated that the pulse sequence

(30) 90I2y 4J1 180x 4J1 180x 90I1z ( 90 )I2z ( 90)I2y
12 12
(applied from left to right) would implement Uf which corresponds to the matrix
0 1
01

B 1 0 0 0C
B
B 0 1 0 0C
C
(31) B
B C
C:
B
@0 0 0 1C
A
0 0 1 0
Here I will detail the action of this pulse sequence. The 90I2y e ects the 90Iy
pulse (see equation (7)) on the second qubit, corresponding to the matrix
0 1
B 1 1 0 0 C
1
B
B1 1 0 0 C
C
p B C :
2B
B C
C
@0 0 1 1 A
0 0 1 1
The point of the sequence 4J1 180x 4J1 180x is to e ect just the coupling
12 12

term 2~J12Iz Iz in the Hamiltonian for a period of time 2J1 in order to e ect
12
 A.7. IMPLEMENTING A FUNCTION WITH A PULSE SEQUENCE 150
the operation e iIz Iz , which (apart from a global phase of e i
4 ) has matrix

0 1
B 1 0 0 0 C
B
B 0 i 0 0 C
C
B
B C
C :
B
@0 0 i 0 C
A
0 0 0 1

The problem with just waiting for a period of time 2J1 is that the entire Hamil-
12

tonian also has the terms ~!1Iz I and ~!2I Iz. The 180x operation, which
corresponds to the matrix

0 1
B 0 0 0 1C
B
B 0 0 1 0C
C
B
B C
C;
B
@0 1 0 0C
A
1 0 0 0

applied after each of two intervals of time 4J1 , leaves the coupling term to evolve
12

for a period of time 2J1 , and causes the e ect of the other two terms to cancel out
12

over the two periods.

The 90I1z is the operation e i  Iz on the rst qubit, which corresponds to the
2

matrix (with a global phase of e i  ) 4

0 1
B 1 0 0 0C
B
B 0 1 0 0C
C
B
B C :
B
@0 0 i 0C
C
A
0 0 0 i
 A.7. IMPLEMENTING A FUNCTION WITH A PULSE SEQUENCE 151

The ( 90 )I2z corresponds to the operation ei 2 Iz on the second qubit, which has
matrix (with a global phase of ei  )
4

0 1
B 1 0 0 0 C
B
B 0 i 0 0 C
C
B
B C
C :
B
@0 0 1 0 C
A
0 0 0 i
The ( 90)I2y pulse has matrix
0 1
B 1 1 0 0C
B
B 1 1 0 0C C
B
B C
C:
B
@ 0 0 1 1C A
0 0 1 1
If we multiply these matrices we will get the operation U01 (apart from a global
phase factor).
 Bibliography
[ABO97] D. Aharonov and M. Ben-Or. Fault tolerant quantum computation with constant er-
ror. In Proceedings of the 29th Annual ACM Symposium on the Theory of Computing
(STOC '97), 1997. Also available at quant-ph/9611025.
[ADH97] L. Adleman, J. Demarrais, and M.D. Huang. Quantum computability. SIAM Journal
on Computing, 26(5):1524{1540, 1997.
[AHU74] Alfred V. Aho, John E. Hopcroft, and Je rey D. Ullman. The Design and Analysis
of Computer Algorithms. Addison-Wesley, Reading, Massachusetts, 1974.
[AL98] Daniel S. Abrams and Seth Lloyd. A quantum algorithm providing exponential speed
increase for nding eigenvalues and eigenvectors. Technical report, 1998. Also avail-
able at quant-ph/9807070.
[BBBV97] Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani.
Strengths and weaknesses of quantum computing. SIAM Journal on Computing,
26:1510{1523, 1997.
[BBC+ 95] Adriano Barenco, Charles H. Bennett, Richard Cleve, David P. DiVincenzo, Norman
Margolus, Peter Shor, Tycho Sleator, John Smolin, and Harald Weinfurter. Elemen-
tary gates for quantum computation. Physical Review A, 52(5):3457{3467, 1995. On
the quant-ph archive, report no. 9503016.
[BBC+ 98] Robert Beals, Harry Buhrman, Richard Cleve, Michele Mosca, and Ronald de Wolf.
Quantum lower bounds by polynomials. In Proceedings of the 39th Annual Sympo-
sium on Foundations of Computer Science (FOCS'98), pages 352{361, Los Alamitos,
California, November 1998. IEEE. On the quant-ph archive, report no. 9802049.
[BBD+ 97] A. Barenco, A. Berthiaume, D. Deutsch, A. Ekert, R. Jozsa, and C. Macchiavello.
Stabilization of quantum computations by symmetrization. SIAM Journal on Com-
puting, 26(5):1541{1557, 1997.

152
 BIBLIOGRAPHY 153
[BBHT98] Michel Boyer, Gilles Brassard, Peter Hyer, and Alain Tapp. Tight bounds on quan-
tum searching. Fortschritte der Physik, 46(4{5):493{505, 1998. On the quant-ph
archive, report no. 9605034.
[BDEJ95] Adriano Barenco, David Deutsch, Artur Ekert, and Richard Jozsa. Conditional quan-
tum dynamics and quantum gates. Physical Review Letters, 74:4083{4086, 1995.
[Bea97] Robert Beals. Quantum computation of fourier transforms over symmetric groups.
In Proceedings of the 29th Annual ACM Symposium on Theory of Computing (STOC
'97), pages 48{53, 1997.
[Ben73] Charles H. Bennett. Logical reversibility of computation. IBM Journal of Research
and Development, 17:525{532, November 1973.
[Ben89] Charles H. Bennett. Time/space trade-o s for reversible computing. SIAM Journal
on Computing, 18(4):766{776, 1989.
[BEST96] Adriano Barenco, Artur Ekert, Kalle-Antti Suominen, and Paivi Torma. Approxi-
mate quantum fourier transform and decoherence. Physical Review A, 54(1):139{146,
1996.
[BH97] Gilles Brassard and Peter Hyer. An exact quantum polynomial-time algorithm for
simon's problem. In Proceedings of Fifth Israeli Symposium on Theory of Computing
and Systems, pages 12{23. IEEE Computer Society Press, June 1997.
[Bhi98] Wahid Bhimji. Approximate quantum fourier transforms and phase estimations,
1998. M.Phys. dissertation.
[BHMT99] Gilles Brassard, Peter Hyer, Michele Mosca, and Alain Tapp. Quantum amplitude
ampli cation and estimation, 1999.
[BHT98] Gilles Brassard, Peter Hyer, and Alain Tapp. Quantum counting. In Proceedings of
25th International Colloquium on Automata, Languages, and Programming (ICALP
'98), volume 1443 of Lecture Notes in Computer Science, pages 820{831. Springer-
Verlag, 1998.
[BL95] D. Boneh and R. J. Lipton. Quantum cryptanalysis of hidden linear functions (ex-
tended abstract). volume 963 of Lecture Notes on Computer Science, pages 424{437,
1995.
[BS99] T. A. Brun and R. Schack. Realizing the quantum baker's map on a nmr quantum
computer. Physical Review A, 59:2649{2658, 1999.
 BIBLIOGRAPHY 154
[Buh96] H. Buhrman. A short note on shor's factoring algorithm. SIGACT News, 27(1):89{
90, 1996.
[BV97] Ethan Bernstein and Umesh Vazirani. Quantum complexity theory. SIAM Journal
on Computing, 26(5):1411{1473, October 1997.
[CEG95] Ran Canetti, Guy Even, and Oded Goldreich. Lower bounds for sampling algorithms
for estimating the average. Information Processing Letters, 53:17{25, 1995.
[CEH+ 99] Richard Cleve, Artur Ekert, Leah Henderson, Chiara Macchiavello, and Michele
Mosca. On quantum algorithms. Complexity, 4:33{, 1999.
[CEMM98] Richard Cleve, Artur Ekert, Chiara Macchiavello, and Michele Mosca. Quantum
algorithms revisited. Proceedings of the Royal Society of London A, 454:339{354,
1998. quant-ph report no. 9708016.
[CFH96] D. G. Cory, A. F. Fahmy, and T. F. Havel. Nuclear magnetic resonance spectroscopy:
An experimentally accessible paradigm for quantum. In Proceedings of the 4th Work-
shop on Physics and Computation, 1996. New England Complex Systems Institute.
[Cle94] Richard Cleve. A note on computing fourier transforms by quantum programs. Avail-
able at www.cpsc.ucalgary.ca/ cleve/pubs/fourier transform.ps, 1994.
[Cle99] Richard Cleve. An introduction to quantum complexity theory. In C.Macchiavello,
G.M.Palma, and A.Zeilinger, editors, Collected Papers on Quantum Computation
and Quantum Information Theory. World Scienti c, 1999. To appear.
[Coc73] C. Cocks. A note on non-secret encryption. Technical report,
Communications-Electronics Security Group, U.K., 1973. Available at
http://www.cesg.gov.uk/downlds/nsecret/notense.pdf.
[Coh93] Henri Cohen. A Course in Computational Algebraic Number Theory. 1993.
[Coo71] S. A. Cook. The complexity of theorem proving procedures. In Proceedings of the 3rd
Annual ACM Symposium on the Theory of Computing (STOC'71), pages 151{158,
1971.
[Cop94] Don Coppersmith. An approximate fourier transform useful in quantum factoring.
Research report, IBM, 1994.
[CS96] A. R. Calderbank and P. W. Shor. Good quantum error-correcting codes exist. Phys-
ical Review A, 54:1098{1105, 1996.
 BIBLIOGRAPHY 155
[CTDL77] Claude Cohen-Tannoudji, Bernard Diu, and Franck Laloe. Quantum Mechanics,
volume 1. John Wiley & Sons, 1977.
[CVLL98] I. L. Chuang, L. M. K. Vandersypen, X. Zhou D. W. Leung, and S. Lloyd. Experi-
mental realization of quantum algorithm. Nature, 393:143{146, 1998.
[Dam98] Wim van Dam. Quantum oracle interrogation: Getting all information for almost
half the price. In Proceedings of the 39th Annual IEEE Symposium on Foundations
of Computer Science (FOCS'98), pages 362{367, 1998. Also available at quant-
ph/9805006.
[Dav82] Martin Davis. Computability and Unsolvability. Dover Publications Inc., New York,
1982.
[Deu85] David Deutsch. Quantum theory, the Church{Turing principle and the universal
quantum computer. Proceedings of the Royal Society of London A, 400:97{117, 1985.
[Deu89] David Deutsch. Quantum computational networks. Proceedings of the Royal Society
of London A, 425:73{90, 1989.
[DH76a] W. Die and M. E. Hellman. Multiuser cryptographic techniques. In Proceedings of
AFIPS National Computer Conference, pages 109{112, 1976.
[DH76b] W. Die and M. E. Hellman. New directions in cryptography. IEEE Transactions
on Information Theory, 22:644{654, 1976.
[Dir58] Paul A.M. Dirac. The Principles of Quantum Mechanics. Clarendon Press, Oxford,
fourth edition, 1958.
[DiV95] David P. DiVincenzo. Two-bit gates are universal for quantum computation. Physical
Review A, 51(2):1015{1022, 1995. On the cond-mat archive, report no. 9407022.
[DJ92] David Deutsch and Richard Jozsa. Rapid solution of problems by quantum compu-
tation. Proceedings of the Royal Society of London A, 439:553{558, 1992.
[EH98] Mark Ettinger and Peter Hyer. On quantum algorithms for noncommutative hidden
subgroups. quant-ph report 9807029, Los Alamos archive, 1998.
[Ell70] J. H. Ellis. The possibility of non-secret encryption. Technical report,
Communications-Electronics Security Group, U.K., 1970. Available at
http://www.cesg.gov.uk/downlds/nsecret/possnse.pdf.
 BIBLIOGRAPHY 156
[Ell87] J. H. Ellis. The story of non-secret encryption. Technical report,
Communications-Electronics Security Group, U.K., 1987. Available at
http://www.cesg.gov.uk/downlds/nsecret/ellis.pdf.
[EPR35] A. Einstein, B. Podolsky, and N. Rosen. Can quantum mechanical description of
physical reality be considered complete? Physical Review, 47:777{780, 1935.
[Ett98] J. M. Ettinger. On noncommutative hidden subgroups, 1998. A lecture at AQIP '98.
[EZ64] H. Ehlich and K. Zeller. Schwankung von polynomen zwischen gitterpunkten. Math-
ematische Zeitschrift, 86:41{44, 1964.
[Fey65] Richard P. Feynman. The Feynman lectures on physics, volume III: Quantum Me-
chanics. Addison-Wesley, 1965.
[Fey82] Richard P. Feynman. Simulating physics with computers. International Journal of
Theoretical Physics, 21(6,7):467{488, 1982.
[FGGS98] E. Farhi, J. Goldstone, S. Gutmann, and M. Sipser. A limit on the speed of quantum
computation in determining parity. Technical Report 9802045, Los Alamos archive,
1998.
[GC97] N. A. Gershenfeld and I. L. Chuang. Bulk spin-resonance quantum computation.
Science, 275:350{356, 1997.
[GCK98] N. A. Gershenfeld, I. L. Chuang, and M. Kubinec. Physical Review Letters, 80:3408,
1998.
[GJ79] Michael R. Garey and David S. Johnson. Computers and Intractability (A guide to
the theory of NP-completeness). W.H. Freeman and Company, New York, 1979.
[GJS76] M. R. Garey, D. S. Johnson, and L. Stockmeyer. Some simpli ed np-complete graph
problems. Theoretical Computer Science, 1:237{267, 1976.
[GN96] R. B. Griths and C. S. Niu. Semi-classical fourier transform for quantum compu-
tation. Physical Review Letters, pages 3228{3231, 1996.
[Gol99] Oded Goldreich. A sample of samplers { a computational perspective on sampling
(survey). Technical report, Electronic Colloquium on Computational Complexity,
199. Available at http://www.eccc.uni-trier.de/eccc/.
[Got98] Daniel Gottesman. A theory of fault-tolerant quantum computation. Physical Review
A, 57:127{137, 1998. Also available at quant-ph/9702029.
 BIBLIOGRAPHY 157
[Gri97] D.Y. Grigoriev. Testing the shift-equivalence of polynomials by deterministic, prob-
abilistic and quantum machines. Theoretical Computer Science, 180:217{228, 1997.
[Gro96] Lov K. Grover. A fast quantum mechanical algorithm for database search. In Proceed-
ings of the 28th Annual ACM Symposium on the Theory of Computing (STOC'96),
pages 212{219, Philadelphia, Pennsylvania, May 1996. ACM. On the quant-ph
archive, report no. 9605043.
[Gro98] Lov K. Grover. Quantum computers can search rapidly by using almost any trans-
formation. Physical Review Letters, 80:4329{4332, May 1998.
[HKM98] T. Hayes, S. Kutin, and D. van Melkebeek. On the quantum complexity of majority.
Technical Report TR-98-11, University of Chicago, Computer Science Department,
1998.
[Hy97] Peter Hyer. Conjugated operators in quantum algorithms. IMADA preprint, 1997.
[HR90] Torben Hagerup and Christine Rub. Guided tour of Cherno bounds. Information
Processing Letters, 33(6):305{308, 1990.
[HSTC98] T. F. Havel, S. S. Somaroo, C.-H. Tseng, and D. G. Cory. Principles and demon-
strations of quantum information processing by nmr spectroscopy. Technical report,
1998. Available at quant-ph/9812086.
[HW79] G. H. Hardy and E. M. Wright. An Introduction to the Theory of Numbers. Oxford
University Press, Oxford, fth edition, 1979.
[JM98] J. A. Jones and M. Mosca. Implementation of a quantum algorithm on a nuclear
magnetic resonance quantum computer. Journal of Chemical Physics, 109:1648{
1653, 1998. Also available at Los Alamos archive quant-ph/9801027.
[JM99] J. A. Jones and M. Mosca. Approximate quantum counting on an nmr ensemble
quantum computer. Physical Review Letters, 83:1050{1053, 1999. Also available at
Los Alamos archive quant-ph/98008056.
[JMH98] J. A. Jones, M. Mosca, and R. H. Hansen. Implementation of a quantum search
algorithm on a quantum computer. Nature, 393:344{346, 1998. Also available at Los
Alamos archive quant-ph/9805069.
[KCL98] E. Knill, I. Chuang, and R. La amme. E ective pure states for bulk quantum com-
putation. Physical Review A, 57:3348{3363, 1998.
 BIBLIOGRAPHY 158
[Kit95] A. Yu. Kitaev. Quantum measurements and the abelian stabilizer problem. Available
at Los Alamos e-Print achive (http://xxx.lanl.gov) as quant-ph/9511026, 1995.
[Kit97] A. Yu. Kitaev. Quantum computations: algorithms and error correction. Russian
Math. Surveys, 52(6):1191{1249, 1997. Uspekhi Mat. Nauk 52:6 53-112.
[KLZ97] Emanuel Knill, Raymond La amme, and Wojciech Zurek. Resilient quantum com-
putation: Error models and thresholds. Technical report, 1997. Available at quant-
ph/9702058.
[Knu98] Donald E. Knuth. Seminumerical Algorithms, volume 2. Addison-Wesley, third edi-
tion, 1998.
[Kob94] Neal Koblitz. A Course in Number Theory and Cryptography. Springer-Verlag, New
York, second edition, 1994.
[Koc96] Paul C. Kocher. Timing attacks on implementations of die-hellman, rsa, dss, and
other systems. In Neal Koblitz, editor, Advances in Cryptology - CRYPTO '96, 16th
Annual International Cryptology Conference, Santa Barbara, CA, volume 1109 of
Lecture Notes in Computer Science. Springer, 1996.
[Lev73] L. A. Levin. Universal sorting problems. Problems of Information Transmission,
9:265{266, 1973.
[Llo95] Seth Lloyd. Almost any quantum logic gate is universal. Physical Review Letters,
75:346{349, 1995.
[LTV98] M. Li, J. Tromp, and P. Vitanyi. Reversible simulation of irreversible computation.
Physica D, 120:168{176, 1998.
[ME99] Michele Mosca and Artur Ekert. The hidden subgroup problem and eigenvalue esti-
mation on a quantum computer. volume 1509 of Lecture Notes in Computer Science,
1999. Also available at Los Alamos archive, quant-ph/9903071.
[Mos98] Michele Mosca. Quantum searching and counting by eigenvector analysis. In Pro-
ceedings of Randomized Algorithms, A satellite workshop of 23rd International
Symposium on Mathematical Foundations of Computer Science, 1998. Available at
http://www.eccc.uni-trier.de/eccc-local/ECCC-LectureNotes/randalg/index.html.
[Mos99] Michele Mosca. Counting by quantum eigenvalue estimation. Theoretical Computer
Science, 1999. to appear.
[MP95] M. Minsky and S. Papert. Perceptrons. MIT Press, second edition, 1995.
 BIBLIOGRAPHY 159
[MR95] Rajeev Motwani and Prabhakar Raghavan. Randomized Algorithms. Cambridge Uni-
versity Press, 1995.
[MvOV97] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Ap-
plied Cryptography. discrete mathematics and its applications. CRC Press, London,
1997.
[Neu56] John von Neumann. Probabilistic logics and synthesis of reliable organisms from un-
reliable components. In C. E. Shannon and J. McCarthy, editors, Automata Studies.
Princeton University Press, 1956.
[Nis91] N. Nisan. Crew prams and decision trees. SIAM Journal of Computing, 20(6):999{
1007, 1991.
[NS94] N. Nisan and M. Szegedy. On the degree of boolean functions as real polynomials.
Computational Complexity, 4(4):301{313, 1994.
[NW99] Ashwin Nayak and Felix Wu. On the quantum black-box complexity of approximat-
ing the mean and related statistics. In Proceedings of the 21th Annual ACM Sym-
posium on Theory of Computing (STOC 99), 1999. Also available at Los Alamos
archive, quant-ph/9804066.
[Pap94] C. H. Papadimitriou. Complexity theory, 1994.
[Pat92] R. Paturi. On the degree of polynomials that approximate symmetric boolean func-
tions (preliminary version). In Proceedings of the 24th Annual ACM Symposium on
Theory of Computing, pages 468{474, 1992.
[Pra75] Vaughan R. Pratt. Every prime has a succinct certi cate. SIAM Journal on Com-
puting, 4(3):214{220, 1975.
[RB98] Martin Rotteler and Thomas Beth. Polynomial-time solution to the hidden subgroup
problem for a class of non-abelian groups. quant-ph 9812070, 1998.
[RC66] T. J. Rivlin and E. W. Cheney. A comparison of uniform approximations on an
interval and a nite subset thereof. SIAM Journal of Numerical Analysis, 3(2):311{
320, 1966.
[Rog87] Hartley Rogers. Theory of Recursive Functions and E ective Computability. MIT
Press, 1987.
 BIBLIOGRAPHY 160
[RSA78] R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining digital sig-
natures and public-key cryptosystems. Communications of the ACM, 21:120{126,
1978.
[Sch98] R. Schack. Using a quantum computer to investigate quantum chaos. Physical Review
A, 57:1634{1635, 1998.
[Sho94] Peter W. Shor. Algorithms for quantum computation: Discrete logarithms and fac-
toring. In Sha Goldwasser, editor, Proceedings of the 35th Annual Symposium on
Foundations of Computer Science, pages 124{134. IEEE Computer Society Press,
November 1994. available at feynman.stanford.edu/qcomp/shor/index.html.
[Sho95a] P. W. Shor. Scheme for reducing decoherence in quantum computer memory. Physical
Review A, 52, 1995.
[Sho95b] Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete log-
arithms on a quantum computer. On the quant-ph archive, report no. 9508027.,
August 1995. Expanded version of [Sho94].
[Sho96] P. W. Shor. Fault tolerant quantum computation. In Proceedings of the 37th Annual
Symposium on Foundations of Computer Science, pages 56{65, Los Alamositos, CA,
1996. IEEE Computer Society Press.
[Sim94] Daniel R. Simon. On the power of quantum computation. In Sha Goldwasser, ed-
itor, Proceedings of the 35th Annual Symposium on Foundations of Computer Sci-
ence, pages 116{123. IEEE Computer Society Press, November 1994. available at
feynman.stanford.edu/qcomp/simon/index.html.
[Sol99] R. Solovay. Lie groups and quantum circuits, 1999. preprint.
[Ste96] A. M. Steane. Error correcting codes in quantum theory. Physical Review Letters,
77:793{797, 1996.
[Ste97] A. M. Steane. Active stabilisation, quantum computation, and quantum state syn-
thesis. Physical Review Letters, 78:2252{2255, 1997.
[SV98] Leonard J. Schulman and Umesh Vazirani. Scalable nmr quantum computation.
Technical Report 9804060, Los Alamos archive, 1998.
[Tap98] Alain Tapp, 1998. Personal communication.
[THL+ 96] Q. A. Turchette, C. J. Hood, W. Lange, H. Mabuchi, and H. J. Kimble. Measurement
of conditional phase shifts for quantum logic. Physical Review Letters, 76:3108, 1996.
 BIBLIOGRAPHY 161
[Vaz97] Umesh Vazirani, 1997. UC Berkeley Course CS294-2 Quantum Computation Fall
1997.
[vDDE+ 99] Wim van Dam, Mauro D'Ariano, Artur Ekert, Chiara Macchiavello, and Michele
Mosca. Estimation of local phase shifts on a quantum computer, 1999. in preparation.
[Wel88] Dominic Welsh. Codes and Cryptography. Oxford University Press, Oxford, 1988.
[Yao93] Andrew Chi-Chih Yao. Quantum circuit complexity. In Proceedings of the 34th IEEE
Symposium on Foundations of Computer Science, pages 352{361, Los Alamitos,
California, 1993. Institute of Electrical and Electronic Engineers Computer Society
Press. available at feynman.stanford.edu/qcomp/yao/index.html.
[Zal98] Christof Zalka. Fast versions of shor's quantum factoring algorithm. Technical Report
9806084, Los Alamos archive, 1998.
[Zal99] Christof Zalka. preprint, 1999.