QUANTUM INFORMATION AND COMPUTATION

EXERCISE SHEET 4
Nilanjana Datta [email protected] (Lent 2023-2024)

Note: questions 6(b), 7(c) and 8 are optional and can be left till last or omitted.

(1) (Rotation in Grover’s algorithm)

For the plane P(x0 ) spanned by |x0 ⟩ and |ψ0 ⟩ = √1N x∈Bn |x⟩ set up an orthonormal basis in
P

the plane. Then using the basis, show algebraically (rather than geometrically as in lectures)
that the Grover iteration operator Q is a rotation in the plane and derive the angle of rotation.

(2) (Grover’s algorithm with an arbitrary starting state)

Consider Grover’s algorithm for a unique good item x0 in a search space of size N = 2n .
Suppose that instead of the usual uniform superposition state |ψ0 ⟩, we √ start with any state
|η0 ⟩ of n qubits and conduct the algorithm just as before i.e. apply π4 N iterations of Q and
measure.
With |η0 ⟩ = |ψ0 ⟩ the final measurement gives x0 with probability 1 up to terms of order
1/N . If we instead begin with some other starting state |η0 ⟩, describe geometrically how |η0 ⟩
evolves in the course of the computation. Give an expression (up to terms of order 1/N ) for
the probability of obtaining x0 in the final measurement. Show that this may generally be
improved by changing the number of Grover iterations.

(3) (An algebraic interpretation of Grover’s algorithm)

√1 |x⟩ and N = 2n .
P
(a) Consider the operator −I|ψ0 ⟩ = 2 |ψ0 ⟩ ⟨ψ0 | − I with |ψ0 ⟩ = N x∈Bn
Show that
2 X
−I|ψ0 ⟩ = |x⟩ ⟨y| − I.
N
all x,y

P
P |α⟩ =
(b) Let x ax |x⟩ be any n-qubit state. The average amplitude a is defined to be
a = (
P ′ x x a )/N . The operation R of “inversion in the average” is defined as follows: R |α⟩ =
′
x ax |x⟩ where ax = ax − 2(ax − a) i.e. the value of each amplitude is inverted about the
average. Pictorially:

a −a a −a
x - x -
r r r -
a′x a ax

Using the formula in (a) show that −I|ψ0 ⟩ |α⟩ = R |α⟩ .

(c) Hence Grover’s algorithm may be described as follows: start with state |ψ0 ⟩; then flip the
sign of the x0 amplitude; then do R, an inversion of all amplitudes in the average; then iterate
the last two steps alternately. We can represent states (with real amplitudes) pictorially as
a graph of the amplitudes: the x axis has the labels x and each amplitude is a (positive or
negative) vertical bar. In terms of this pictorial representation, starting with |ψ0 ⟩, carry out
one or two iterations of the “flip x0 and then do R” operation to see how the initial amplitude
distribution, uniform over all x, begins to become concentrated at x0 .

(d) Consider the definite case of N = 4 (so x ∈ {0, 1, 2, 3}) and take x0 = 3 say. (In lectures
we saw that for this case of “1 in 4”, one Grover iteration serves to find x0 with certainty i.e.
rotating |ψ0 ⟩ exactly onto |x0 ⟩). Draw the pictorial graph representation of |ψ0 ⟩ and carry out
one Grover iteration as a flip followed by inversion in the average. Show that as a result, the
amplitude becomes exactly zero at x ̸= x0 and 1 at x = x0 .

1
(4) (Shor’s quantum algorithm for discrete logarithms)
For any prime p consider the set Z∗p = {1, 2, . . . , p − 1} ⊂ Zp of nonzero integers modulo p,
with the operation of multiplication mod p. A generator for Z∗p is an element g whose powers
generate all of Z∗p i.e. for all x ∈ Z∗p there is y ∈ Zp−1 with x = g y mod p. y is called the
discrete logarithm of x (to base g). You may assume that Z∗p always has a generator g and that
it satisfies g p−1 = 1 mod p.

Suppose we are given a generator g and element x ∈ Zp , and we wish to compute its discrete
logarithm y.

(a) Consider the function f : Zp−1 × Zp−1 → Z∗p given by

f (a, b) = g a x−b mod p.

For each fixed c ∈ Z∗p , show that there is a corresponding fixed k ∈ Zp−1 such that

f (a, b) = c iff a = by + k mod (p − 1).

(b) Suppose we have constructed the state

1 X
|ϕ⟩ = |a⟩ |b⟩ |f (a, b)⟩
(p − 1)
a,b∈Zp−1

(in Hp−1 ⊗ Hp−1 ⊗ Hp , where Hn denotes a state space of dimension n, with orthonormal
basis {|k⟩ : k ∈ Zn }) and we measure the third register obtaining a result c0 . Find the post-
measurement state of the first two registers.

(c) If we then apply the quantum Fourier transform mod (p − 1) to each of these two registers
and measure both registers, which output pairs (c1 , c2 ) ∈ Zp−1 × Zp−1 can be obtained with
non-zero probability?
Can y be determined from any such pair?
Hence outline a quantum algorithm for computing discrete logarithms, that runs in time
O(poly(log p)) for large p, and succeeds with probability 1 − ϵ for any chosen constant ϵ > 0.
You may assume that f and QF Tp−1 may be implemented in O(poly(log p)) time.

(5) (Shor’s factoring algorithm, continued fractions)

This question relates closely to §11.1 - §11.3 of online lecture notes.
Suppose we wish to factor N = 21 using Shor’s algorithm and we have chosen a = 2 so we aim
to determine the period of f (x) = 2x mod 21. We proceed through the quantum algorithm and
finally measure the x register. Suppose we obtain measurement result c = 427.

(a) What is the number m of qubits that is used for the x register?

(b) Use the continued fraction method to find a fraction j/r with denominator less than 21,
that is within 1/2m+1 of the ratio c/2m .

(c) We hope that the denominator of j/r (when the fraction is cancelled down to lowest terms)
is the period of f (x). Check to see that it is indeed the period in this example.
Use your value of r to find factors of 21 (following the method used in Shor’s algorithm).

2
(6) (Grover search with multiple good items; application to collision finding)
(a) Write N = 2n and let f : Bn → B1 be a function taking value 1 exactly K times, with
f (x) = 1 iff x ∈ G = {x1 , . . . , xK }. The Grover operator is defined by Q = −Hn I0 Hn IG where
Hn = H ⊗ . . . ⊗ H is the Hadamard operation on each of n qubits, and for all x ∈ Bn , I0 and
IG are defined by
 
− |x⟩ if x = 0 . . . 0 − |x⟩ if x ∈ G
I0 |x⟩ = IG |x⟩ =
|x⟩ if x ̸= 0 . . . 0 |x⟩ if x ∈/ G.

Write |ψ0 ⟩ = √1N x∈Bn |x⟩ and introduce |ψG ⟩ = √1K x∈G |x⟩. Derive a geometrical inter-
P P

pretation of the action of Q in the two-dimensional subspace of n qubits spanned by |ψ0 ⟩ and
|ψG ⟩. Using this interpretation, show that if IG is given as a black pbox then an x in G may
be obtained with high probability (better than a half say) with O( N/K) uses of IG , if N is
large, and K is small compared to N .

(b) (optional) Let g : Bn → Bn be a 2-to-1 function i.e. for every y in the range of g there are
precisely two strings x ∈ Bn with g(x) = y. A collision is a pair of strings x1 , x2 ∈ Bn with
g(x1 ) = g(x2 ). The standard quantum oracle Ug for g is the unitary operation on 2n qubits
defined by
Ug |x⟩ |y⟩ = |x⟩ |y ⊕ g(x)⟩ x, y ∈ Bn
where ⊕ denotes bitwise addition of n-bit strings.

Suppose that we are given Ug as a black box operation. Using the result of (a), or otherwise,
show that a collision may be found with high probability (better than a half say) with O(N 1/3 )
uses of Ug .
Hint: start by partitioning the domain of g into sets A and B of sizes N 1/3 and (N − N 1/3 )
and listing all the values of g(x) for x ∈ A. We might find a collision there, but if we’re not so
lucky, what should we do next with B?
√
Remark: the classical query complexity for collision finding is O( N ). The O(N 1/3 ) upper
bound on its quantum query complexity established in this question can also be shown to be
optimal.

(7) (QFT, shift invariant states)

(a) For the state space HN with orthonormal basis {|k⟩ : k ∈ ZN } consider the (unitary)
shift operator S defined by S |k⟩ = |k + 1 mod N ⟩ for all k ∈ ZN . Also introduce the states
|χk ⟩ = QF TN |k⟩, called shift invariant states.

Show that the |χk ⟩’s are eigenstates of S and determine the corresponding eigenvalues.

Let |ψ⟩ be any state in HN . Show (using the foregoing) that if S m |ψ⟩ (for any m) is measured
relative to the shift invariant basis then the output probabilities are independent of the amount
of shift m. (This provides an alternative derivation of the efficacy of QF T in the quantum
period finding algorithm, as presented in lectures).

(b) For any two positive integers x and N with x < N , and let Ux be the operator on HN
defined by Ux |y⟩ = |xy mod N ⟩ for all y ∈ ZN i.e. Ux is the shift operator for the multiplicative
(rather than additive) action of x on ZN .

(i) Show that Ux is unitary iff x and N are coprime.

Assume now that x and N are coprime. Let r be the order of x mod N (i.e. the minimal t > 0
such that xt = 1 mod N ). For 0 ≤ s ≤ r − 1, define the states
r−1
1 X −2πisk/r k E
|ψs ⟩ := √ e x mod N .
r
k=0

3
(ii) Show that each state |ψs ⟩ is an eigenvector of Ux with eigenvalue e2πis/r (i.e. these are shift
invariant states for the multiplicative action).

(iii) Show that √1r r−1

P
s=0 |ψs ⟩ = |1⟩ .

(c) (Optional) Suppose now that we have a quantum process A that achieves the following: for
any unitary V , if |ξλ ⟩ is any eigenstate of V with eigenvalue e2πiλ then A is a unitary process
which on input |ξλ ⟩ |0⟩ produces the final state |ξλ ⟩ |λ⟩ (from which the value of λ may be
read out by a measurement on the second register). Here the second register (initially |0⟩) is
of suitable size to be able to represent the possible values of λ (and we are ignoring issues of
precision here). Such a process A does in fact exist and is usually called the phase estimation
algorithm. For the purposes of this question we will assume that A is given for the case of
V = Ux , and also that in this case, it runs in poly(log N )-time (which is true). (For an account
of the phase estimation algorithm see e.g. Nielsen and Chuang §5.2).

Show how the results of (b) together with the phase estimation algorithm for V = Ux can
be used to provide a poly(log N )-time quantum algorithm for factoring N (called Kitaev’s
factoring algorithm). Hint: start with the reduction of factoring to order finding, as done in
Shor’s algorithm.

(8) (A query complexity problem with no promise) (optional)

Let x = x0 x1 . . . xN −1 be an N -bit string. We may think of x as the list of values of a function
from ZN to {0, 1}. A quantum oracle Ox for x is a unitary operation on a state space of
dimension 2N whose action is defined by Ox |i⟩ |y⟩ = |i⟩ |y ⊕ xi ⟩, where i ∈ ZN , y ∈ {0, 1} and
⊕ denotes addition modulo 2.
Note: this simply generalises the notion of an oracle for f : Bn → B1 (corresponding to domain
size N = 2n ) to arbitrary sized domains that are not powers of 2.

Consider the following oracle problem BAL:

Input: an oracle Ox for some N -bit string x with N = 2K being even.
Problem: decide with certainty whether x is (i) balanced or (ii) not balanced. (Here ‘balanced’
means that exactly half of the bit values are 0 and half are 1).

We know that if we impose a promise on x that it is either balanced or constant, then the
problem can be solved with just one query to the oracle (by the Deutsch-Jozsa algorithm). But
if there is no promise on the form of x (as in BAL) then it can be shown that any quantum
1
algorithm solving it requires at least O(N 6 ) queries to the oracle (so is exponential in n for
N = 2n ). The actual (optimal) quantum query complexity is not known.

(a) Show that any classical deterministic algorithm that solves Problem BAL on any input must
make at least N = 2K queries to the oracle in the worst case.

We now develop a quantum algorithm that solves BAL with at most K = N/2 queries thus
improving (albeit modestly) on any classical algorithm.

(b) Begin by writing x̂i = (−1)xi and we will work on a state space of dimension N 2 with
orthonormal basis states |i⟩ |j⟩ for i, j ∈ ZN . Consider the following three computational steps:
PN −1
Step 1: Make the state |ψ0 ⟩ = √1N i=0 |i⟩ |0⟩ and then (together with a qubit in state |−⟩)
use one query to the oracle to make
N −1
1 X
|ψ1 ⟩ = √ x̂i |i⟩ |0⟩ .
N i=0

4
Step 2: Consider a transformation U whose action on states |i⟩ |0⟩ is given by
!
1 X X
U : |i⟩ |0⟩ → √ |i⟩ |k⟩ − |k⟩ |i⟩ + |0⟩ |0⟩ .
N k>i k<i

Then by linearity the action of U on |ψ1 ⟩ will be

N −1
!
1 X X (x̂i − x̂j )
|ψ2 ⟩ = U |ψ1 ⟩ = x̂i |0⟩ |0⟩ + |i⟩ |j⟩
N N
i=0 i<j

as you can directly check.

Step 3: Measure |ψ2 ⟩ to obtain an outcome (k, l) with k, l ∈ ZN .

(i) Show that there exists a unitary transformation Ũ on the whole state space whose action
on the states |i⟩ |0⟩ coincides with the action of U as given in step 2.

(ii) Suppose for a moment that we impose the promise on x that it is either balanced or constant.
If we see (0, 0), respectively (i, j) ̸= (0, 0), as the measurement outcome in step 3, what can we
deduce about the string x?

(iii) Now returning to general input strings x and considering the possible measurement out-
comes (k, l), show that Problem BAL may be solved with certainty with at most K = N/2
queries to the oracle in every case (by suitable uses of the steps above).