quantumcryptographyandquantumcomputing · 2019-12-16 · figure 2: vigen`ere-square with keyword...
TRANSCRIPT
Quantum Cryptography and Quantum Computing
Bruno Lengeler, RWTH Aachen University
December, 2019
1 Introduction
In these lecture notes we will examine the possible contributions of quantum mechan-ics to the fields of cryptography as well as to machine computation in general. Thesetopics are very much under development but can already boast of initial successes,especially in cryptography. With regard to quantum computing, the realization ofthe necessary components still presents some major technical problems, whereas thetheoretical basis has made considerable advances. One can say, however, that thereare no obstacles of a fundamental nature to the construction of a quantum com-puter. The future will show if and when quantum computing can surpass the powerof conventional computers in the performance of specific tasks.
In order to be able to follow the essential parts of the text, the reader will require aminimum knowledge of quantum mechanics. For most outsiders this is a book withseven seals. But in fact the basic principle is very simple, if a little unusual andcounter-intuitive. I will try to make the most important aspects clear with the aidof examples. A minimum of familiarity with mathematics on the part of the readerwill be assumed – mathematics is of course the fundamental language of physics.
The central concept in quantum mechanics is the probaility amplitude, or simplyamplitude, a concept which doesn’t exist in classical physics. Experience shows thatthis concept is essential for the understanding of such phenomena as interference andentanglement, phenomena which play a fundamental role in quantum cryptographyand, above all, in quantum computing.
The notes consist of three main sections:
1. Classical Cryptography and the RSA Algorithm
2. Quantum Cryptography
3. Quantum Computing
In addition there are several annexes intended for those with the necessary mathe-matical background and who wish to delve more deeply into the material:
1
A The Mathematics of the RSA Algorithm
B Euclid’s Algorithm and Continued Fraction Decomposition
C Propagation Amplitudes and Wave-Particle Duality
D Rules for Manipulation of Probability Amplitudes
E Decoherence: An Atom in a Cavity
F Fourier Transformation of the Multiple Slit
G Creation of an Entangled 2-Qbit State from 1-Qbit States with Hadamard andcNOT Gates. Partial measurement of a Register
H Basic Idea for Error Correction of Qbits
2 Classical Cryptography
In all highly developed societies with their own written language, cryptographicmethods have been developed in order to communicate restricted or secret informa-tion among designated partners. It’s usual nowadays when explaining or analyzingcryptographic methods to call the communicating partners Alice and Bob. The basicprinciple is always the same: Alice needs an algorithm (encryption procedure) anda key in order to code a readable text into a secret text (cipher). Alice sends thecipher to Bob, who in turn needs an algorithm and a key to make it again readable.Bob requires not only his own algorithm but also the key Alice used to create thecipher. It is the transfer of the key that presents a significant logistical and securityproblem, the more so if the message is to be sent to more than one recipient, or evento many.
2.1 Transposition Methods
In a transposition encryption the text alphabet is unaltered, the letters are simplyinterchanged, e.g., HELLO => OLELH. The ancient Spartans used a military en-coding called skytale which relied on transposition. A band is wrapped round a stick(skytale, see Figure 1). The sender writes row-wise to the band and the columns ofband consist of the cipher. The receiver has then to re-wrap the band onto a stickof the same diameter in order to read the message. In this case the stick is the key,and the act of wrapping the band is the algorithm.
2
Figure 1: The skytale algorithm.
2.2 Substitution methods
In this case, the letters of a text are again exchanged, but without change of relativeposition. Julius Caesar described this procedure in the Gallic Wars, and hence thename Caesar encryption. The secret alphabet is shifted relative to the original byn steps. Thus for n = 3 the two alphabets are:
Original : ABCDEFGHIJKLMNOPQRSTUVWXYZ
Secret : DEFGHIJKLMNOPQRSTUVWXYZABC
So, for example, VENI VIDI VICI => YHQL YLGL YLFL. Now the number n isthe key and the shift procedure is the algorithm.
Both the transposition and substitution encryption methods are mono-alphabeticaland easy to decode by examining the frequency of occurrence of the letters. This isalways possible for sufficiently long texts and illustrates a basic principle:
Repetition is the enemy of secrecy!
Around 1560 the french diplomat Blaise de Vigenere achieved a significant improve-ment with the poly-alphabetic method. With the help of a keyword, the same lettersin the original text are associated with a different letter in the cipher via a changein the the cipher alphabet during the encoding. Figure 2 shows the so-called Vi-genere-Square with the word LICHT (Engl. LIGHT) as key. After each letter in theoriginal the encoding row is changed according to the letters in the key. For exam-ple VENI VIDI VICI => GMPP OTLK CBNQ. It took 300 years before CharlesBabbage was able to break this code, once again from analyzing repetitions due tothe finite length of the key word.
3
Figure 2: Vigenere-Square with keyword “LICHT”
The famous ENIGMA code, developed by Arthur Scherbius in Germany, was alsoa poly-alphabetical algorithm. It made use of several rotating discs each with 26letters on the circumference, and with a freely chosen offset n. The code was broken,again from repetitions, by Marian Rejewski and Alan Turing.
2.3 Public key Cryptography (Asymmetric Key)
Until well into the 1970’s cryptographic methods continued to be based on symmet-ric keys, that is, both sender and receiver used the same key, with the associatedproblems of key exchange and key security.
The concept of the asymmetric key, with different keys for sender and receiver, was
4
Figure 3: The four developers of the RSA-Algorithm, left to right: C. Cocks, R.Rivest, A. Shamir and L. Adelman.
first conceived in the 1970’s by Martin Hellman, Whitfield Diffie and Ralf Merkle.In 1977 Ronald Rivest, Adi Shamir and Leonard Adleman published a workablerealization of this idea. It is known today by the name RSA-Algorithm and plays anessential role in the communication between web browsers and servers, for encryptionof emails, in electronic signatures, credit card payments, etc. In 1997 it becameknown that a young English mathematician, Clifford Cocks, had come up with thesame algorithm four years earlier for the British secret service but was not allowedto publish it. All four are now given credit, see Figure 3.
2.3.1 The RSA algorithm
It is worthwhile taking a closer look at the RSA method. Modular arithmetic lies atthe root of the algorithm and also plays an essential role in quantum cryptographyand quantum computing. Modular arithmetic is also referred to as “clock arith-metic”. If one says 8 o’clock it is unclear whether morning or evening is meant. Inmathematical parlance
20 : 00 = 8 : 00 mod 12 : 00,
that is 20 is congruent to 8 modulo 12.
In general, two integers are congruent with respect to integer N when they have thesame remainder r after division by N ,
a = b (mod N) => a = jN + r and b = kN + r, j, k integers.
Thus, for example,145 = 109 = 73 = 37 = 1 mod 36.
The most important property of congruence in cryptography is its character of beinga one-way function. When one knows the base 36 then one can uniquely conclude
5
from 109 or 73 or . . . the number 1. One cannot however uniquely infer from 1mod 36 any one of the other integers larger than 36. Modular arithmetic has fixedrules analogous to ordinary arithmetic.
We will now illustrate the RSA-algorithm with an example:
Alice as sender wants to convey the message ”x” to Bob. First she converts x to anASCII (American Standard Code for Information Interchange) string. The letter xcorresponds in ASCII to the decimal number a = 88 or in binary a = 1011000.
Bob as receiver:
• chooses two large prime numbers p and q. This is his private key, from whichhe constructs the product N = pq,
• chooses an arbitrary large number c which does not have a common divisorwith (p−1)(q−1), i.e., the greatest common divisor (gcd) for c and (p−1)(q−1)is 1,
• publishes the numbers N and c on the internet (the public key).
Let’s assume p = 11, q = 17, N = 187 and c = 7, which has no common divisorwith (p− 1)(q − 1) = 160.
Alice as sender:
• retrieves the number N and c from the internet,
• calculates the cipher b = ac mod N ,
• sends the cipher b over the internet to Bob.
In our example, b = 887 mod 187 = 11 (verify with a pocket calculator!)
Bob as receiver:
• constructs the inverse d of c modulo (p − 1)(q − 1), that is, he chooses dsatisfying
cd = 1 mod (p− 1)(q − 1).
This is the decisive and non-trivial step. In ordinary arithmetic we would ofcourse get d = 1/7, a non-integer. Not so in modular arithmetic: d is again aninteger and can only be determined when both p and q are known. But theseconstitute Bob’s private key. Even Alice doesn’t know them.
• calculates bd mod N . But this is just acd mod N = a, see Appendix A. SoBob need only convert the ASCII value a back to its alphabetical value x andhas successfully deciphered Alice’s message.
6
In this simple example: From 7d = 1 mod 160 we get d = 23 since
7 ∗ 23 = 161 = 160 + 1
and
bd mod N = 1123 mod 187 = 11 ∗ 112 ∗ 114 ∗ 1116 mod 187 = 88.
2.3.2 Security of the RSA algorithm
In order to calculate the inverse d of c one requires the numbers p and q. In practicethese are chosen as very large prime numbers each with several hundred decimalplaces. It is easy to form the product N but very difficult, virtually impossible, tofactor N back into p and q: the larger p and q the more difficult the factorization,at least with conventional computers, because there exists no efficient classical al-gorithm with which to accomplish it. The security of the RSA algorithm rests onthe present inability to factor large numbers into their prime factors, even with thelargest known computers.
All this can change when quantum computers become available. They are in prin-ciple capable of factoring very large numbers in a time which grows polynomiallywith the number of bits, rather than exponentially as is the case with the classicalcomputer.
If we choose, for instance, N = pq as a decimal number with 300 decimal places,corresponding to about n = 1000 binary bits (10300 ≈ 21000), then the number ofcalculation steps on the classical computer is about 2n ≈ 10300. The quantum com-puter would require only n3 ≈ 109 steps. This corresponds to between minutes andhours of calculation time as opposed to centuries and more with present conventionaltechnology.
3 Quantum Cryptography
Independently of the RSA algorithm, with the aid of quantum mechanical processes,one can already transfer messages over the public internet securely. To illustrate,suppose Alice wants to send the message ”Gruss” (Engl: ”greeting”) to Bob in sucha way that no one can intercept and read it. The encryption method is as shown inthe table below:
Message G r u s sASCII decimal 71 114 117 115 115ASCII binary 1000111 1110010 1110101 1110011 1110011Random series 0110001 1001001 1010010 1010111 0111011Addition mod 2 1110110 0111011 0100111 0100100 1001000Cipher (ASCII) v ; ‘ $ H
7
Clearly the cipher has no longer any similarity with the original message. Theessential step is that Alice and Bob produce the random series used to encode themessage over the internet in a secure way. Alice then uses the series to encode themessage as shown in the table and sends the cipher to Bob. Bob adds the series backto the cipher to obtain the original message. Why? Because adding the randomseries to the original binary message twice is the same as adding nothing!
0 + 0 = 0 mod 2, 1 + 1 = 0 mod 2.
But how does one create the secure random series? The answer is thanks to thework of Charles Bennett (IBM) and Gilles Brassard (University of Montreal), seeFigure 4, who in 1984 found a method to accomplish secure transmission (the BB84code).
Figure 4: Charles Bennett (left) and Gilles Brassard.
In order to understand the method we need first to look at some basic quantummechanics.
3.1 Polarization of Photons, Quantum Bits (Qbits) and Prob-
ability Amplitudes
All elementary particles have a number of intrinsic properties, such as electric charge,rest mass and angular momentum (also called spin). The photon for example haselectric charge nil, rest mass nil and spin one (spin quantum number = 1).
The spin of the photon is also called its polarization. The photon can e.g. bevertically or horizontally polarized. When many photons are in the same stateof vertical polarization, then the electric vector of the light wave oscillates in the
8
Figure 5: Linear polarization.
Figure 6: Various polarization directions.
vertical plane perpendicular to the direction of propagation, and similarly in thehorizontal plane for horizontal polarization (Figure 5).
Figure 6 shows the two possible polarization directions H and V, which form, in theplane perpendicular to the direction of propagation, a basis consisting of two basisvectors:
basis vector H = |H〉 =(
10
)
= |0〉
basis vector V = |V 〉 =(
01
)
= |1〉 .
The photon is a quantuum mechanical two-state system. As well as the representa-tion as a column vector, the Dirac |ket〉 notation used above is common in physics.They are equivalent. The state |H〉 represents the Qbit 0 and the state |V 〉 the
9
Qbit 1. Computer calculations are carried out in this so-called computational basis.
The direction of polarization of the photon is not restricted to horizontal or ver-tical. Any direction between the two is allowed, as indicated in Figure 6. In thecomputational basis the most general Qbit state has the form
|a〉 = a1 |H〉+ a2 |V 〉 , |a1|2 + |a2|2 = 1.
The coefficients a1 and a2 are called probability amplitudes or simply amplitudes.They form a fundamentally new concept in quantum mechanics: they do not existin classical physics. For example a1 is the proportion of state |H〉 in the state |a〉.The amplitude a1 is also the projection of the state vector |a〉 onto basis vector |H〉.Mathematically this is expressed as the scalar product of |a〉 and |H〉, in the form
a1 = 〈H|a〉 .
The state |a〉 is said to be a superposition of the two basis states |H〉 and |V 〉 withthe amplitudes as coefficients.
In quantum cryptography the polarization directions +45 deg and −45 deg are ofparticular interest. These two directions define the Hadamard basis (Figure 6).
basis vector + 45 deg = |+〉 =(
11
)
/√2 = (|H〉+ |V 〉)/
√2
basis vector − 45 deg = |−〉 =(
1−1
)
/√2 = (|H〉 − |V 〉)/
√2.
(1)
Both bases (computational and Hadamard) are used in the BB84 code.
Now we need to answer two questions:
1. What is the difference between classical bits (Cbits) and Qbits?
A Cbit, either a 1 or a 0, is a position in a binary string. It is realized in a classicaltwo state system such as a switch that can be either |on〉 = |1〉 or |off〉 = |0〉. Ina two-dimensional space (the xy-plane) these states can also be represented by theunit vectors1 (1, 0)⊤ = |0〉 and (0, 1)⊤ = |1〉. The states |on〉 and |off〉 are mutuallyexclusive, which is why the two vectors are at right angles to one another. Theirscalar product is nil. In contrast to Qbits, Cbits have no intermediate state. Thepolarization direction of light can be rotated in any direction, but for a classic switchsuch a rotation makes no sense: it is just on or off, nothing else.
2. What do probability amplitudes have to do with probability?
Let us consider a photon in state |+〉, see Equation (1), but we measure it with apolarimeter which is only sensitive to |H〉 or |V 〉 polarization. That is, we measure
1Here ⊤ denotes vector or matrix transposition.
10
the photon in the HV-basis. As we saw above, the amplitudes are a1 = a2 = 1/√2.
At 45 deg the projections are the same, cos 45 deg = sin 45 deg = 1/√2. If many
photons are analyzed at once, one can expect that half of the intensity will bedetected as H and the other half as V. But if only one photon is present it willnot be detected as half H and half V polarized. There is no such thing as a halfphoton! For this reason Max Born interpreted the square of the amplitudes notas intensities but as the probability of an event, and the amplitudes themselves asprobability amplitudes. This interpretation is one of the most significant and widereaching realizations in all of physics. It is often referred to as the Copenhageninterpretation, although the idea came from Born. The amplitudes are in generalcomplex numbers and not measurable. Only the probabilities can be measured.Nevertheless they are essential to the description of physical phenomena.
Since probability amplitudes are so centrally important to all of quantum mechanics,and also to the understanding of quantum cryptography and quantum computing,we now summarize the most important aspects.
The measurement of a physical quantity (an observable) which is in state |a〉 canassume only one of a discrete number of possible results (called eigenvalues) for thatobservable. The associated vector space (a Hilbert space) has as many dimensionsas there are eigenvalues (degenerate eigenvalues are counted as many times as theyappear). Precisely which result or eigenvalue is measured is in general uncertain.One can only give a probability with which a given result will occur. This probabilityis the absolute square of the amplitude in which the eigenstate of the observableappears in the state |a〉. After the measurement, the system finds itself in thatcorresponding eigenstate. All other options that were virtually present in |a〉 areerased. The system has lost its history!
In our previous example, the system (photon) was in state |+〉. The observable isin this case the polarization of the photon in the HV basis, with eigenstates |H〉and |V 〉 and the eigenvalues are the polarizations H and V. Thus here there are twoeigenstates and the corresponding Hilbert space is two-dimensional. The probabilityof measuring H is | 〈H|a〉 |2 = 1/2. The probability of measuring V is also 1/2 andthe sum of the probabilities is 1, that is, one of the results will be obtained withcertainty. If the polarization H is measured, the system state collapses to |H〉.We now have all the basics required to understand the BB84 code.
3.2 The BB84 Quantum Cryptography Code
We require:
• a laser source for single photons with 1.55µm wavelength and a defined polar-ization,
• a polarizer and a polarimeter for photon polarization
11
• optical glass fiber for transporting photons between sender and receiver (theycan be hundreds of kilometers and more apart). The fibers should not changethe photons’ polarization, a non-trivial technical problem for large distances,nor should they absorb the photons. Glass fibers are especially conductive at1.55µm wavelength,
• a 50/50 beam splitter.
Figure 7: A beam splitter.
An intense laser beam contains very many photons in the same mode, i.e., sameenergy, direction and polarization. With the aid of strong absorption in a beamattenuator, one can almost produce single photons.
A 50/50 beam splitter is a thin metal film on a transparent plate, see Figure 7. Ifthe laser beam consists of many photons, half will be transmitted and half reflected.The incident intensity will thus be split into two channels. If, however, only onephoton is incident, it will be either transmitted or reflected, never “half transmittedand half reflected”: the photon is an elementary particle and cannot be split in two.If one places a detector behind each channel from the beam splitter, only one ofthem will respond, never both simultaneously.
The ideal 50/50 beam splitter is also an ideal random generator, since it is impossibleto predict whether the photon will be transmitted or reflected. This property is takenadvantage of in the BB84 code. Figure 8 shows the principal construction of theBB84 apparatus.
Alice has 4 LEDs which can emit single polarized photons in the polarizations H , V ,+ or −. The attenuator serves to guarantee single photon emission. Alice chooses atrandom one of the bases HV or +−, and she also randomly chooses a polarizationwithin the basis.
Alice sends a single photon in her chosen state via the fiber glass transmitter toBob. Bob then sends each received photon through a 50/50 beam splitter which
12
Figure 8: Principle of the production of a random series.
transmits it, at random, to either a HV or to a +− polarimeter. In other words,every arriving photon will be detected in one of four detectors for H , V , + or −polarization. The photons are individually identified according to their transmissionand reception times as determined by synchronized clocks.
The transmission, reception and measurement of 12 photons might for example looklike Figure 9. For the first photon Alice has chosen basis HV and polarization H .Bob analyzed it in basis +− and determined that is has polarization −. For thesecond photon both used basis +− and Bob measured the same polarization thatAlice has chosen (in this case −). In the case of equal bases the polarimeter doesnot change the state of the photon. It can happen that a photon is lost, as is thecase for the ninth entry.
At the conclusion of transmission, Alice informs Bob publicly of her choice of basisfor each photon. She does not tell him which polarizations she chose. Both theneliminate all photons from the list that were sent and analyzed in different bases.The reason for this is that, for those cases, Bob knows nothing about Alice’s choiceof polarization. Figure 10 illustrates this fact for the list entries 4 and 5 in Figure9. A photon with polarization |+〉 can be analyzed with equal probability as |H〉or |V 〉 in the HV basis, since at 45 deg the vector (1, 1)⊤/
√2 has equal components
along the horizonal and vertical directions. The same holds for amplitude vector(1,−1)⊤/
√2 (remember that the probabilities depend only on the absolute values
of the projections, not on their signs!).
Of the 12 transmitted photons in our example 6 were sent in the same basis as weremeasured. This corresponds to the random choice of the basis. They are marked inFigure 9 with #.
The random series for decoding the message could thus be 110101, if one knew that
13
Figure 9: Possible lists for 12 transmitted photons.
Eve (the eavesdropper who wishes to intercept the message) wasn’t listening. Inorder to test if this is true, Alice and Bob sacrifice half of the 6 photons whosepolarizations are supposed to be the same, as explained in the following:
The listening test: The No-cloning Theorem of quantum mechanics says that onecannot copy an unknown quantum state. In order to copy a quantum state onemust first measure it. The act of measurement randomly selects one of the possibleeigenvalues and leaves the system in the state corresponding to that eigenvalue.The components of the amplitude which correspond to the other eigenstates areirrevocably lost. If it were possible to copy the unknown sate of a transmittedphoton then the information about its polarization state could be gained withoutdetection and a similar photon sent on the rest of its way to the receiver. Howeverphysical reality forbids this.
If Eve intercepts a photon and measures its polarization, she will choose the correctbasis 50% of the time, thus receiving information without detection, and sending asimilar photon to Bob. In the other 50% she will choose the wrong basis and sendan incorrect photon to Bob.
If now Alice and Bob sacrifice approximately half of the supposably mutually agree-ing photons (Qbits) and test whether they actually do agree, then they will deter-mine whether or not Eve was listening. If necessary the procedure would have tobe repeated. In all, about 1/4 of the the transmitted Qbits are available for thegeneration of the key, that is, of the random series.
Problems with quantum cryptography: It is not trivial
14
Figure 10: Resolution of |+〉 and |−〉 in the HV basis.
• to generate single photons. If there are several photons per bit, then Eve candetermine the polarization state,
• to transmit single photons without error. Optical conductors can change thepolarization via scattering and refraction,
• to measure, error-free, the polarization of single photons. This sets strictdemands on the equipment used.
The BB84 code is relatively slow, since the random sequence has the same lengthas the message. And it can only be used once (so-called one-time-pad-code). Onlythen is it guaranteed that the sequence is absolutely secure (Claude Shannon).
4 Quantum Computing
There are problems which cannot be solved efficiently with classical computers. Thecomputation time increases exponentially with the number of Cbits used in the algo-rithm. The factorization of very large numbers which are the product of two primenumbers is in this category. On the other hand there are many problems for whichefficient classical algorithms exit so there is no danger of conventional computersbecoming one day obsolete. Quantum computers are sensible for problems with noefficient classical algorithmic solutions but for which an efficient quantum mechan-ical algorithm exists, provided that a quantum computer can be constructed withsufficiently many Qbits. And provided it can operate long enough before externaleffects destroy the Qbits (so-called decoherence). Qbits are sensitive to externaleffects and therefore very expensive.
Some interesting questions that one can approach with quantum computing are:searching very large databases, long-range weather forecasting, traffic control in
15
Figure 11: Peter Shor.
large cities, simulation of chemical reactions and in materials research, machinelearning and finance forecasts.
We will continue with the subject of factorization of large numbers to illustrate, inprinciple, how a quantum computer functions. Should this factorization actuallysucceed one day, then the RSA algorithm will become obsolete, with grave conse-quences for the economy and military security.
It is quite easy to multiply very large numbers together using conventional comput-ers, for instance with the Schonhage-Strassen algorithm. But, as we have said, itis difficult to impossible to factor large numbers into their prime factors, especiallywhen the factors consist of just two prime numbers. Peter Shor from AT&T BellLabs (Figure 11) published a quantum algorithm in 1994 capable of doing the fac-torization in an efficient way. His groundbreaking discovery greatly increased theinterest in quantum computing. The algorithm consists of a classical and a quantummechanical part.
4.1 Classical Part of the Shor Algorithm
1. First choose two large prime numbers p and q, e.g., with 300 decimal places orabout 1000 bits. Their product N = np is to be factorized. We will illustratewith a “toy” example: p = 17, q = 29, N = 493.
2. Choose a further large number a which has no common divisor with N , i.e.,gcd(N, a) = 1. In the example let a = 22 = 2 · 11.
3. Now seek the period of the function f(x) = ax mod N , that is, find the
16
Figure 12: Table of the function f(x) = ax mod N for a = 22, N = 493. Theperiod is r = 112.
smallest integer r for which f(x + r) = f(x). For very large N, a this is notclassically solvable.
4. The table in Figure 12 shows the values of x and f(x) for x = 1, 2 . . . 118. Thefunction springs erratically between the values 1 and 492 until, at x = 112, itreturns suddenly to the value 1. Thus the period is r = 112 and we have 22112
mod 493 = 1. This is easily done on an ordinary computer for our choice ofsmall numbers, for instance in Python,
import numpy as np
from math import gcd
def f(x,a,N):
return a**x % N
p = 17
q = 29
N = p*q
a = 22
print(gcd(N,a))
table = np.array([f(x,a,N) for x in range(119)])
r = np.where(table==1)[0][1]
print(r)
# output:
17
1
112
but it is not possible for large numbers.
5. Now, from ax+r = ax mod N , we get
ar = 1 mod N, ar − 1 = 0 mod N.
If r is even, as it is in our example, then we can write
(ar/2 − 1)(ar/2 + 1) = 0 mod N since b2 − 1 = (b+ 1)(b− 1).
(In the example (2256 − 1)(2256 + 1) = 0 mod 493.) This can in turn bewritten in the form
(ar/2 − 1)(ar/2 + 1) = kN mod N
for some integer k. If r turns out to be odd, then another a has to be chosenand the procedure started again from the beginning.
6. Now find gcd(N, ar/2 ± 1). If these turn out to be 1 or N , bad luck again sorestart with another a. If not, then the factors ar/2 ± 1 are just the primefactors p and q we are looking for, since N , by construction, has no otherfactors. Concluding the Python code:
print(gcd(N,table[np.int(r/2)]+1))
print(gcd(N,table[np.int(r/2)]-1))
# output:
17
29
The calculation of the greatest common divisor with Euclid’s algorithm and contin-ued fraction factorization are explained in Appendix B.
How does one find the period r of f(x) for very large numbers and how accuratelymust r be determined?
To answer the first question, we need a quantum computer.
The answer to the second question is: very accurately. To get a feeling for thenecessary precision, consider the value r = 110 in the factorization of N = 493 asthe smallest possible deviation from the correct value r = 112 (recall r must beeven). From Figure 12 we get 255 mod 493 = 265. Therefore
255 + 1 mod 493 = 266 = 2 · 7 · 19, 493 = 17 · 29 => gcd(266, 493) = 1
255 − 1 mod 493 = 264 = 8 · 3 · 11, 493 = 17 · 29 => gcd(264, 493) = 1,
and we get neither of the non-trivial divisors of N . We will discuss this in moredetail later.
18
4.2 Quantum Mechanical Part of the Shor Algorithm
As we have just seen, the decomposition of a large number N into two prime numbersrequires the period r of the function f(x) = ax mod N . The determination of roccurs in the quantum mechanical part in essentially three steps:
• Entanglement of two quantum registers.
• Measurement of one register with the consequent reduction in the alternativesfor the other register.
• Determination of the period of this subset of alternatives with the help of aquantum Fourier transform.
To understand this we have to concern ourselves with some additional basics of quan-tum mechanics, namely interference, entanglement, decoherence, quantum registersand quantum gates.
4.2.1 Interference
Interference is a fundamental phenomenon in quantum mechanics, which we willillustrate with the setup in Figure 13.
Figure 13: Experimental constructs with one and two beam splitters.
In the left hand setup, a single photon is directed with the help of a beam splitter(St) and two mirrors (Sp) to two different detectors D1 and D2. The photon can beeither transmitted or reflected at the splitter, and there is a probability amplitudefor each alternative. For an ideal 50/50 splitter they are
atr = 1/√2
aref = i/√2, i2 = −1.
The complex i in the reflection amplitude accounts for a phase shift of π/2 in thereflection. The probabilities for transmission and reflection are correspondingly
Ptr = |atr|2 = 1/2
Pref = |aref |2 = 1/2.
19
As expected the probabilities are equal for a 50/50 beam splitter.
In the left hand setup in Figure 13 the photon reaches detector D1 along the re-flection path (Weg1) with certainty, and detector D2 along the transmission path(Weg2) with certainty. We already met the concepts of probability amplitude andprobability in the preceding discussion of quantum cryptography (Section 3.2). AsMax Born first pointed out, it is essential to distinguish the two. Otherwise we willbe led astray with certainty (see Appendices C and D for more details).
Now consider the right hand setup in Figure 13 in which we have added a secondbeam splitter. Now it is possible that the photon can arrive at D1 over both pathsWeg1 and Weg2 (call this event 1) and at D2 over both paths (event 2).
Now comes the decisive formulation demanded by quantum mechanics: To eachof the alternative paths (Weg1 and Weg1) leading to one of the detectors thereis a probability amplitude. As long as the alternatives are not distinguished, theamplitudes must add to give the total probability amplitude and the absolute squareof that amplitude gives the probability of the event. In this case the alternativesconsist of sub-paths so that the amplitude for an alternative is the product of theamplitudes for each such sub-path.
Consider event 1, meaning the photon propagates from the source S to detector D1.Then
a1 = i/√2 · (−1) · 1/
√2 · exp{iδ}
a2 = 1/√2 · (−1) · i/
√2 · exp{iδ}.
The factor (−1) is the amplitude for reflection at the mirror and the factor exp{iδ}is the amplitude for the propagation of the photon along the path from the sourceto the detector D1. The distances Weg1 and Weg2 are equal (and equal to ℓ)and therefore the propagation amplitudes are the same. The phase δ = 2π · ℓ/λ,where λ is the photon’s wavelength. (See Appendix C for a detailed explanationof propagation amplitudes.) The total amplitude for event 1, which we write as〈D1|S〉, is the sum of the two amplitudes a1 and a2,
〈D1|S〉 = a1 + a2 = −i · exp{iδ},
and the probability of event 1 is
P = | 〈D1|S〉 |2 = 1,
so the photon reaches D1 with certainty.
Mixed terms generally appear when forming the absolute square of the amplitudes,and these are responsible for interference. For event 2, propagation of the photonfrom S to D2, we get
a1 = i/√2 · (−1) · i/
√2 · exp{iδ}
a2 = 1/√2 · (−1) · 1/
√2 · exp{iδ},
20
which add to zero, and the corresponding probability for the event is
P = | 〈D2|S〉 |2 = 0.
Thus, if the photon has both undistinguished alternatives (Weg1 and Weg2) at itsdisposal and if the experiment is repeated many times, the photon will always strikedetector D1 and never D2.
A few remarks on the above discussion:
• It is essential for the argument that one cannot know without performing anadditional measurement which path the photon takes.
• Interference can only occur when there are two or more alternatives for theevent. In the setup on the left in Figure 13 there is only one alternative perevent, so no interference takes place.
• Interference can fundamentally change the way that the probabilities are dis-tributed among the different events. This plays an important role in the Shoralgorithm.
• Only the probability amplitudes of undistinguished alternatives have to beadded coherently. Amplitudes for alternatives with different final states mustnever be combined coherently, since one can distinguish which alternative wasrealized without any additional measurement.
Next we examine the difference between the distribution of the detectedparticles and the probability distribution of the events.
Figure 14: Double slit experiment with probability distribution P.
In order to make this difference clear, we consider a typical thought experiment inquantum mechanics: the double slit experiment (Figure 14). A beam of monochro-matic (equal energy and neglecting the electron spin) electrons falls onto a doubleslit (a screen with two slits separated by distance d with width small compared to
21
the electron wavelength). The source emitting the electrons is far away so that theelectrons strike the surface parallel to one another and perpendicular to the screen.A detector screen with many pixels capable of detecting each electron is located ata distance b behind the double slit.
Event: Propagation of an electron from the source to one of the pixels D of thedetector. There is an event for every pixel.
Alternatives: For each event there are two alternatives, the electron has probabilityamplitudes a1 to go through slit 1 and a2 to go through slit 2.
a1 = exp{i2πs1/λ}a2 = exp{i2πs2/λ}.
Here s1 and s2 are the distances from slits 1 and 2 to the detector pixel D. Theamplitudes for propagation of quantum mechanical particles in space have the formof complex waves, see Appendix C for more details. This is the so-called wavecharacter of quantum mechanical particles. The overall amplitude is the sum of a1and a2 (the alternatives are not distinguished), and the probability P for the eventis the absolute square of the sum. With a little algebra we get
P ∼ cos2(πd sin θ/λ),
where θ is the angle under which the detector pixel D appears as seen from themid point between the two slits, Figure 14. To every (discrete) value of θ belongs adifferent pixel and hence a different event.
The probability distribution over the detecting screen shows a typical interferencestructure with minima and maxima. It includes everything one can know about thesystem. This knowledge cannot be obtained with a single measurement alone. Asingle measurement shows the incidence of an electron onto one pixel at which Pis not zero. This is the particle character of quantum mechanical particles. Onlyif the measurement is repeated many times, as indicated in Figure 15 showing theresult obtained by Akira Tonomura, does one gradually see the emerging interferencestructure.
This result is in complete contradiction to a classical wave, where probability andintensity distributions are immediately proportional. The classical wave always con-tains very many particles so that one cannot observe the successive formation of theintensity distribution. If one wishes to observe the quantum mechanical characterof the particles then it is necessary to measure the behavior of individual particlesand then repeat the experiment many times under identical conditions.
Now let us ask the following question:
What if we don’t wish to know everything about the system? If werestrict ourselves to a partial aspect, can the number of necessary mea-surements be reduced?
This is the question that Peter Shor asked himself, since he wished to determine theperiod r of his function f(x) = ax mod N and not the complete, erratic path of
22
Figure 15: Interference from the double slit with single electrons and n-fold repeti-tion: from left to right n = 10, 100, 3000, 20000, 70000 (A. Tonomura).
the output. (One can see this pattern for example in the table in Figure 12). Thepossibility indeed exists with the aid of interference and of entanglement.
We will look first at multiple interference and consider the interference patternwhich, rather than being generated by just two slits, is caused by a large numberN of slits with separation d. To keep things simple we will assume that bothsource and detection plane are a long way from the slits (the so-called Fraunhoferapproximation, see Figure 16).
Figure 16: Interference pattern from a multiple slit in the Fraunhofer approximationfor n = 10.
23
The coherent superposition of the propagation amplitudes in now given by
〈D|S〉 = exp{ik(a+ b)}N−1∑
n=0
exp{ik(nd+ x0) sin θ}
= exp{ik(a+ b+ x0 sin θ)}N−1∑
n=0
exp{ipdn},
with p = k sin θ = (2π/λ) sin θ. Taking the absolute value of the square of theamplitude then gives the probability distribution
P = | 〈D|S〉 |2 = sin2(pdn/2)
sin2(pd/2).
This distribution, seen as function of p, has its principal maxima with values N2
and width 2π/Nd at p = (2π/d)m for integer m, as shown on the right in Figure 16.There are n − 2 secondary maxima between each pair of principal maxima. Withincreasing N the latter get larger and more narrow while the former decrease inrelation to the maxima. We conclude:
With the aid of multiple interference one can concentrate the probabilitydistribution at a small number of positions which contain precisely theinformation of interest, namely here the period of the multiple slit.
Multiple interference is one of the tricks used in the Shor algorithm.
It is shown in Appendix F that the preceding derivation leads to the same result ascalculating the Fourier transform of the multiple slit itself. This is not an accident,since the propagation amplitudes in the Fraunhofer approximation are identical withthe basis functions of the Fourier transform. This fact is also used in the quantummechanical part of the Shor algorithm,.
4.2.2 Entanglement
Whenever two or more particles are involved in an event and there are two or morealternatives for that event a new phenomenon appears for which there is no classicalanalog and which has been (and still is) the cause of a great deal of confusion.We will illustrate the phenomenon of entanglement by considering the decay ofparapositronium.
An electron and its anti-particle, a positron, can enter a bound state similar to anelectron and a proton in a hydrogen atom. This state is called positronium. If thespins of the two particles are anti-parallel, then one speaks of parapositronium. Inthis case the particles annihilate in about 0.1 nanoseconds into two photons withenergy 511 keV. Assuming the positronium was at rest prior to decay, the systemmomentum will be nil after the annihilation so the two photons will be emitted at 180deg relative to one another. Since in parapostronium the total angular momentum
24
Figure 17: right circular polarized light.
is also nil, the two photons will both be either right circular or left circular polarized.Only then is the total angular momentum still zero after the decay.
Right circular polarized light is shown in Figure 17. The electric vector of thelight wave rotates along a right-handed screw and there is a phase difference of π/2between its x- and y-components. Figure 18 depicts the two alternatives for thepolarization of the photon pair. Thus we have a situation involving two particles(two photons) and two alternatives (right and left circular polarization).
Figure 18: Both photons have the same polarization.
The state of the two photons immediately after the decay is of form
|ein〉 =(
|R〉A |R〉B − |L〉A |L〉B)
/√2 =
(
|RR〉 − |LL〉)
/√2.
This is just the coherent superposition of two product states with amplitude 1/√2
and −1/√2. The state cannot be represented as the product of two states, one
25
for photon A and one for photon B. It is therefore said to be entangled. As weshall see, there is more information contained in the entangled state than in statesthat describe photon A and photon B separately. Put another way, there existcorrelations between the photons which are present only in the entangled state, notin the states of the individual photons.
If we perform an experiment to measure the polarization of the photons with po-larimeters that are sensitive to circular polarization then we would find that theyalways have the same polarization, either both right or both left circular. Not sur-prising since this is required by conservation of angular momentum. However thingslook quite different if the polarimeters are sensitive to linear H and V polarizationsas shown in Figure 19. Now there exist four events with probability amplitudes〈AB|ein〉 with AB = HH,HV, V H or V V .
Figure 19: Measurement of the polarization of both photons in the decay of para-positronium in the HV basis.
If we note that
|R〉 = (|H〉+ i |V 〉)/√2 => 〈H|R〉 = 1/
√2, 〈V |R〉 = i/
√2
|L〉 = (|H〉 − i |V 〉)/√2 => 〈H|L〉 = 1/
√2, 〈V |L〉 = −i/
√2,
then the four probability amplitudes are given explicitly. The corresponding prob-abilities for the entangled system are then given by
P =1
2
∣
∣ 〈AB|RR〉 − 〈AB|LL〉∣
∣
2.
In particular we get for the event HV the amplitude
〈HV |ein〉 = [〈HV |RR〉 − 〈HV |LL〉]/√2 = [〈H|R〉 〈V |R〉 − 〈H|L〉 〈V |L〉]/
√2
= [(1/√2)(i/
√2)− (1/
√2)(−i/
√2)]/
√2
= i/√2,
26
and the corresponding probability P is | 〈HV |ein〉 |2 = 1/2. The other three proba-bilities can be computed similarly. The result is shown in the following table:
Event P(entangled) P(not entangled)HV 1/2 1/4VH 1/2 1/4HH 0 1/4VV 0 1/4
In the table we have also listed the probabilities for not entangled photons, given by
P =1
2| 〈AB|RR〉 |2 + 1
2| 〈AB|LL〉 |2.
What can we now conclude from the above calculation about the decay of para-positronium?
• If Alice (A in Figure 19) measures the linear polarization of her photon inde-pendently from Bob (B), then she will measure the values H or V with equalprobability. If Bob does the same he will also measure H or V with equalprobability.
• However if Alice measures her photon’s polarization (getting, say, H) and Bobthen measures the polarization of his photon, he will measure V with certainty,even if the measurements take place light years apart. This does not imply thatinformation is transferred at a speed greater than the speed of light. Bob willlearn of the correlation in the measured values only when Alice communicatesher result to him. This can take place at most with the speed of light.
• Albert Einstein called this “spooky action at a distance” and was, because ofit, never able to reconcile himself with quantum mechanics (Einstein-Podolski-Rosen (EPR) Paradox).
• If we take account of the rules for manipulation of probability amplitudes thenthere is no paradox. We must “simply” abandon our classical prejudices. Manyexperiments have now clearly shown that nature behaves precisely as predictedby quantum mechanics. The entangled photons form a single unit. They donot need to communicate with one another. This also means that there ismore information in the entangled pair of photons than in the two photonstaken individually, namely the correlation of their polarizations. If we don’ttake account of the entanglement (the rightmost column in the above table)then all combinations of H and V would be realized with 25% probability, asincorrectly expected by Einstein.
27
What does all this imply for the Shor algorithm? The reduction in Bob’spossibilities once Alice has made her measurement leads in Shor’s algorithm to a verylarge reduction in the number of necessary computations for factorization of largenumbers. Multiple interference and entanglement are the secret of the efficiency ofthe algorithm. This approach works whenever one doesn’t have to know everythingabout the system that it is possible to know, but only (in this case) the period of afunction.
4.2.3 Decoherence
In classical physics, the observation of an event has no influence on its occurrence.A flying rock follows its path whether or not the sun shines on it or someone iswatching it. This is not true in the quantum world. The act of observation changesthe progress of the event. We will illustrate this with the double slit experimentagain with electrons, and with scattered light as “observer”, Figure 20.
Without observation there are two undistinguished alternatives to the event〈D|S〉 and interference takes place.
With observation: Behind the screen with the two slits there is a light sourceL which emits so many photons that no electron can pass through a slit withoutbeing identified by photon-electron scattering (Compton scattering). The electronsare detected by detectors D1 and D2, which are so arranged that D1 can only seeslit 1 and D2 only slit 2. The alternatives are now distinguished and no interferencepattern is formed.
Figure 20: Double slit experiment without observation (left) and with observation(right) with scattered light (Compton scattering) on the electron.
In this experiment we intentionally determined through which slit the electronpassed. But it makes no difference whether the system is deliberately disturbed orwhether the disturbance takes place through interaction with the surroundings. Ex-amples of the latter are heat radiation from the walls surrounding the experimental
28
apparatus, disturbing electromagnetic fields, microwaves, mechanical disturbances,etc. It is extremely difficult to eliminate all these influences, the more so the morecomplicated the system.
All of these unwanted and hard to control external influences lead to decoherenceand the ability of the system to exhibit interference is lost. Decoherence is the mainhindrance to the construction of a quantum computer.
It is shown in Appendix E, with the help of an example, how decoherence can comeabout. Decoherence changes the Qbits. Peter Shor showed that an error correction ispossible if the number of errors infiltrating a quantum algorithm due to decoherenceis not too large (of the order of a few percent). Without this correction possibilitythe chances of ever building a quantum computer would be minimal. Today thereare better correction algorithms than that proposed by Shor, but it was he whoopened the door, see Appendix H.
4.2.4 Qbits, quantum registers and quantum gates
Qbits are realized using two-state quantum mechanical systems. The possibilitiesinclude photon polarization, particles with spin 1/2, superconducting ring currentswhich can flow clockwise or counterclockwise, two level atoms, etc. Unlike a Cbit,the Qbit can exist in all states between |0〉 and |1〉. In a quantum computer onerequires not single Qbits, rather registers consisting of many Qbits. A register withn Qbits spans a 2n-dimensional complex space with scalar product (a Hilbert space).In this space there are 2n basis vectors |x〉. Figure 21 illustrates the 3 Qbit spacewith 8 dimensions. All three common representations in binary and decimal formas well as column vectors are equivalent.
Figure 21: Eight basis vectors in a 3-Qbit register in different, equivalent represen-tations.
With s = 2n, the most general state in this space is
|Φ〉 =s−1∑
x=0
ax |x〉
29
In this expression
• ax is the probability amplitude of the state |x〉 contained within |Φ〉.
• ∑ |ax|2 = 1 because information is conserved.
• A single measurement in the calculation basis leads to the determination ofonly one state, for instance |k〉 with the probability |ak|2. The informationabout the other states is lost.
• For the Shor algorithm equally weighted superpositions with ax = 1/√2n are
especially important, because in calculating the function f(x) = ax mod N allvalues of x must be treated equally. This is achieved with the aid of Hadamardgates.
In order to perform calculations, it is necessary to transform quantum registers intoone another, similarly to registers in classical computers. This occurs with the helpof quantum gates. Unlike classical gates, quantum gates must be unitary. Thesuperposition principle of quantum mechanics requires that operators are linear, theconservation of information requires that the norm of the gates is preserved andboth of these mean that the quantum gates are represented by unitary operators.(An operator is unitary when its adjoint is equal to its inverse.) One consequenceof this is that quantum gates have the same number of inputs as outputs.
It was shown by David DiVincenzo that any arbitrary unitary transformation canbe represented by (sufficiently many) one and two Qbit quantum gates. This isimportant, because it is easier to manufacture quantum gates with few as opposedto many Qbits.
We will take a look at four different quantum gates:
1. Hadamard Gate H
The Hadamard gate is a one-Qbit rotation, mapping the basis states |0〉 and|1〉 to two superposition states with equal weights of the computational basisstates.
H |0〉 = 1√2(|0〉+ |1〉) = |+〉
H |1〉 = 1√2(|0〉 − |1〉) = |−〉
Equivalently, in the matrix representation of the basis,
|0〉 =(
10
)
, |1〉 =(
01
)
, H =1√2
(
1 11 −1
)
,
we have
H |0〉 = 1√2
(
1 11 −1
)(
10
)
=1√2
(
11
)
H |1〉 = 1√2
(
1 11 −1
)(
01
)
=1√2
(
1−1
)
.
30
Applying the product operator H⊗2 to the 2 Qbit quantum register in thestate |00〉 we get
H⊗2 |00〉 = H |0〉⊗H |0〉 = 1
2(|0〉+|1〉)⊗(|0〉+|1〉) = 1
2(|00〉+|01〉+|10〉+|11〉)
or, in the decimal notation in Figure 21,
H⊗2 |0〉 = 1
2(|0〉2 + |1〉2 + |2〉2 + |3〉2).
In general the operator H⊗n (as a tensor product) constructs an equallyweighted, coherent superposition of all the basis states |x〉 in 2n-dimensionalspace, see Appendix G.
Note: The tensor product of two 2-dimensional vectors produces a vector in4-dimensional space, e.g.,
(x0, x1)⊗ (y0, y1) = (y0y0, x0y1, x1y0, x1y1).
2. NOT gate
Converts a 0 to a 1 and vice versa.
Figure 22: Schematic of the cNOT gate.
3. cNOT gate Cct (controlled NOT)
This gate operates on a two Qbit state with bit 1 as control bit and bit 2 astarget. If the control bit is 0, then the target is unchanged, otherwise flipped(see Figure 22 and also Appendix G):
Cct |00〉 = |00〉 Cct |01〉 = |01〉Cct |10〉 = |11〉 Cct |11〉 = |10〉 ,
equivalently, in the calculation basis,
Cct =
1 0 0 00 1 0 00 0 0 10 0 1 0
.
31
4. Phase shift gate Phi
Phi |0〉 = |0〉 Phi |1〉 = exp{iφ} |1〉 ,
or
Phi =
(
1 00 eiφ
)
.
(Hadamard, Phi and cNOT form a universal set of quantum gates from whichall quantum operations can be constructed with any accuracy. However notall combinations are computationally efficient.)
5. Measurement gates
Besides the unitary quantum gates, measurement gates are indispensable.They are not unitary, being irreversible and nonlinear. They are requiredin order to generate measurement results at the end of a calculation and toform a well-defined initial state of the Qbits. The most common initial stateof a register with n Qbits is
|000 . . . 000〉n = |0〉n .
It can be generated from a set of undefined Qbits via measurement: If themeasurement yields 0 do nothing, if the measurement gives 1, apply the NOTgate to get 0.
4.2.5 The quantum mechanical part of the algorithm
Now we have the prerequisites to understand the quantum mechanical part of theShor algorithm. We want to factor N = pq. To do this we need the period r of thefunction f(x) = ax mod N .
1. Construct two quantum registers, each with n Qbits, where N2 < s = 2n <2N2. (Note: N2 and not N ! This will be seen to be important for the laterFourier transformation).
2. Initialize both registers in the state |Φi〉 = |0〉n |0〉n = |0〉.
3. Apply the Hadamard gate to register 1 so that all basis states are present withequal weights. Leave register 2 unchanged (apply the identity operator I),leading to the state
|Φ〉1 = H |0〉 I |0〉 = 1√s
s−1∑
x=0
|x〉 |0〉 .
32
4. Carry out the exponentiation f(x) = ax mod N in the second register,
|Φ〉2 =1√s
s−1∑
x=0
|x〉 |f(x)〉 .
This is an entangled state consisting of s product states. This so-called quan-tum parallelism is represented in Figure 23 for N = 21 and a = 11.
Figure 23: Top: Graphical representation of the exponentiation for N = 21 anda = 11. Bottom: The measurement in register 2 reduces the number of possiblestates in register 1 (x0 = 3). Here r = 6, however we see not just one period, rather85 periods since 2n > N2 was chosen.
We have
N2 = 441, 2N2 = 882 => 441 < s = 29 = 512 < 882
so we require n = 9 Qbits per register. x takes on 512 values and in thiscase the period is r = 6. There is room in the interval 0 ≤ x < 512 form = [s/r] = 510/6 = 85 periods.
Note that x and f(x) represent states, e.g., x = 13, f(x) = 11 stand for the9-bits states |000001101〉 and |000001011〉.
33
5. Carry out a measurement in register 2. This returns just one of the possiblevalues of f(x), say f(x0). Because of the entanglement, register 1 collapses tothe subset {x = x0 + kr} where f(x0+ kr) = f(x0) for integer k and x0 in thefirst period. The state of register 1 is now
|Ψ1〉 =1√m
m−1∑
k=0
|x0 + kr〉 .
Register 1 contains considerably fewer states than it did prior to the measure-ment of register 2, since m≪ s = 2n (Figure 23 bottom).
If we had chosen only half as many Qbits in registers 1 and 2, namely justenough needed to represent N (and not N2) in binary form, then we wouldhave seen essentially just one period in the exponentiation. We would thenhave gained nothing, since r can’t be inferred from x0 alone.
Since the registers can represent N2 in binary form, the exponentiation resultsin m periods, where m = 2n/r is of the order N2/N = N .
We can nevertheless not deduce the period r simply by measuring register 1.The measurement of |Ψ1〉 will just give one value of k, from which r can’tbe determined due to the presence of x0. If we were to repeat the entireprocedure then some other value of x0 would appear with equal probability,and we’d have gained nothing. If we were able to clone the state |Ψ1〉 thenwith two or a few measurements we could solve for the value of r. We havealready seen, however, that it is impossible to clone unknown quantum states.
Now comes the the trick with the Fourier transform: We have to “push” x0into a phase factor which then plays no role in the absolute square of theprobability amplitude, i.e., in the measurement probability!
6. Apply a Quantum Fast Fourier Transformation (QFFT) on register 1. Thenecessary computing time for n bits is proportional to 2n. In the classical case(the ordinary fast Fourier transform FFT) the time required is proportional ton2n. The difference is due to the fact that for the QFFT we are only interestedin the period r and not in all of the Fourier coefficients.
The definition of the QFFT, which we represent as the operator Uft, is asfollows:
Uft |x〉n =1√s
s−1∑
y=0
exp{i2πxy/s} |y〉 , s = 2n.
Now apply it to |Ψ1〉:
Uft1√m
m−1∑
k=0
|x0 + kr〉 =s−1∑
y=0
exp{i2πx0y/s}1√ms
m−1∑
k=0
exp{i2πkry/s} |y〉 .
34
If we now measure register 1, we get just one particular state |y〉. The proba-bility for that state is given by
P (y) =1
ms
∣
∣
∣
∣
∣
m−1∑
k=0
exp{i2πkry/s}∣
∣
∣
∣
∣
2
=1
m2n· sin
2(πrym/2n)
sin2(πry/2n)(2)
and the bothersome shift x0 has vanished.
The structure of the probability distribution is that of the Fourier transformof the multiple slit (Appendix F). The height and width of the maxima in thedistribution are:
Maximum Actually chosen 2n > N2 Had we chosen 2n > NHeight m/2n 1/2n
Width 2n/rm 2n/r = m
Figure 24: Flow chart for the quantum mechanical part of the Shor algorithm. Thefour measurement gates are indicated with a dial symbol.
By using twice as many Qbits as would have been required to represent N , thewidths of the principal maxima in the distribution have been greatly reduced: Themore periods a function includes, the narrower its Fourier transform. The positionsof the main maxima are given by the zeros of the denominator in Equation (2),
y = j2n/r or r = j2n/y, integer j,
It is improbable that the above expression for r will lead exactly to an integer valuefor the period. But because of the large number m of periods it will be very close toan integer. As explained in Appendix B, the period r can be easily determined asthe continued fraction approximation of the ratio of two large numbers as the ratioof smaller numbers.
35
Once we have the determined r then the factorization of N can be carried outwith the classical part of the Shor algorithm. The flow diagram for the quantummechanical part of the algorithm is summarized in Figure 24.
The essence of the Shor algorithm can be expressed in just a few simple words, andthese should be remembered apart from all of the technical detail involved:
In order to drastically reduce the number of required computations one must concen-trate on the essential information (the period of a function) and leave out all otheraspects which one could learn but doesn’t need. This is achieved in the problem offactorization of very large numbers with the aid of multiple interference (Fouriertransformation) and entanglement.
4.3 Perspectives
1. Encryption using quantum cryptography is within reach.
2. Quantum computers are in principle feasible. The main difficulty is in thedevelopment of applicable hardware. On the one hand the Qbits must be wellisolated in order to prevent decoherence for a sufficiently long time (powerfulalgorithms for error correction mitigate the problem to some extent). On theother hand the Qbits must be easily manipulated with quantum and measure-ment gates. The presently discussed candidates for Qbits are nuclear spins,electron spins, ion traps for Rydberg atoms, electrons in quantum dots, opticaland microwave cavities, and others.
Quantum algorithms for other problems must also be developed. Shor’s trickof drastically reducing the number of calculations by concentrating on theessentials would appear to be universal enough to be applied to many otheralgorithms.
3. David DiVincenzo listed a number of criteria for the construction of a quantumcomputer:
• a scalable physical system with well-defined Qbits.
• the ability to initialize the Qbit registers in a simple state.
• the guarantee of a sufficiently long coherence period, much longer thanthe time required for gate operations.
• the availability of a universal set of quantum gates.
• the ability to measure the Qbits.
In addition the possibility to transfer information between working and inter-mediate storage and the further development of error correction algorithmsare needed.
36
References used in preparation of these lecture notes
N. D. Mermin (2007) Quantum Computer Science, Cambridge University Press
R. P. Feynmann, The Feynmann Lectures on Physics, Vol. 3
Simon Singh (2001), Geheime Botschaften, dtv Verlag
This lecture is an extended version of a talk given by the author in July, 2019 toemeriti colleagues of RWTH Aachen University. The author would like to thank Dr.Morton Canty for translating the text into English and re-formatting it in LaTeX.
37
A The Mathematics of the RSA Algorithm
LetN be an integer. The set of all integers in the interval [1, N−1] which do not havea common divisor with N (are coprime to N) constitute a group GN with respect tomultiplication modulo N . The number of elements in GN is denoted φ(N), referredto as the Euler phi-function or totient. If N = p is prime, then φ(p) = p − 1. Forexample
p = 5, G5 = {1, 2, 3, 4}, φ(5) = 4
closure 3× 4 = 2 mod 5, 2 ∈ G5
inverse 3× 2 = 1 mod 5
We have the following:
1. For every element g ofGN there exists an exponent k such that gk = 1 mod N .Moreover, according to Lagrange, φ(N) = mk for some integer m. For N = pprime, φ(p) = p−1 and therefore p−1 = mk and it follows that gmk = gp−1 = 1mod p. This holds not only for g ∈ G5 but also for any a coprime to p. Thisis stated in
Fermat’s little theorem: If gcd(a, p) = 1 then ap−1 = 1 mod p.
Again, for p = 5, we have 25−1 = 16 = 1 mod 5, 65−1 = 1296 = 1 mod 5,etc.
2. Fermat’s little theorem also holds for two different prime numbers p and q aslong as a is coprime to both:
a(p−1)(q−1) = 1 mod (pq), gcd(a, p) = 1, gcd(a, q) = 1,
from which follows for integer s,
as(p−1)(q−1)+1 = a mod (pq). (3)
3. If c is coprime to (p−1)(q−1) then it is an element of G(p−1)(q−1). It thereforemust have an inverse d:
cd = 1 mod [(p− 1)(q − 1)] or
cd = 1 + s(p− 1)(q − 1), for integer s.
Substituting this into Equation (3),
acd = a mod (pq).
With b = ac mod (pq) we get
a = bd mod (pq)
and Bob has received Alice’s message.
38
B Euclid’s Algorithm and Continued Fraction De-
composition
There is a very efficient algorithm for calculating the greatest common divisor oftwo numbers, which was already known in ancient Greece and which even todayis still in use, Euclid’s algorithm. The “old” Greeks thought geometrically: Howdoes one subdivide two lengths equally using the largest possible sublengths? Forexample take two lengths of 22 and 6 inches. Figure 25 shows the geometric andarithmetic versions of the subdivision. The arithmetic version is referred to ascontinued fraction decomposition.
Figure 25: Euclid’s algortihm.
On a conventional computer the algorithm can be implemented, e.g., in Python, ina very simple while loop:
def gcd(a,b):
while b:
a, b = b, a%b
return a
which terminates when b = 0. In the above example we start with
Initial values: a = 22, b = 6
After first loop: a = 6, b = 22 mod 6 = 4
After second loop: a = 4, b = 6 mod 4 = 2
After third loop: a = 2, b = 4 mod 2 = 0
Terminates and returns a = 2 as the gcd.
39
The continued fraction decomposition of rational numbers (ratios of integers) hasfinite length, whereas the decomposition of irrational numbers has infinite length.One can, however, approximate every irrational number with a finite continuedfraction just as one can approximate every irrational number with a finite decimalnumber, e.g., π ≈ 3.14159.
The continued fraction decomposition of the ratio of two very large numbers can beapproximated by the ratio of much smaller numbers. This possibility is made use ofin the quantum mechanical part of the Shor algorithm. We will illustrate this againusing our toy example 493 = 17 · 29.
f(x) = ax mod N for N = 493(< 29) and a = 22 has period r = 112.
Figure 26: Continued fraction approximation of y/218.
As explained in the discussion of the quantum mechanical part of the Shor algorithm,we need twice as many Qbits as would be needed to represent N :
N2 = 243049 < 218 = 262144.
So we need 18 Qbits in register 1 and not 9 as in the simpler example. The QFFTfrom the Shor algorithm gives y = 222354 where y/218 = j/r for integer j. So werequire the ratio
y/218 = 222354/262144,
which can be approximated as 95/112 using the continued fraction approximationas shown in Figure 26. Since 95 is itself the only multiple of 95 which is less than112, it follows that the period is r = 112.
To test the result we compute (95/112) · 262144 = 222354.2857. This differs fromy = 222354 by less than 0.5. Since y, j and r must be whole numbers is was sufficientto break off the continued fraction approximation at 95/112 as we did.
40
C Propagation Amplitudes and Wave-Particle Du-
ality
We consider first of all a source of monochromatic photons of energy E = hω. Thereexists a probability amplitude for the emission process as well: The amplitude foremission of a photon at time t is exp{−iωt}, a basic law of quantum mechanics.The probability P for the emission process is therefore independent of the timeof emission and so one has no knowledge of emission times. In reality only quasi-monochromatic photons exist, so that we have to include an exponential attenuationfactor:
emission amplitude = exp{−iωt} · exp{−t/2τ},where ω is now the mean frequency of a narrow band with width 1/τ . If, for exampledue to a collision, an electron in an atom is excited to an empty energy level andthen a photon is emitted as the atom returns to its ground state, one doesn’t knowthe exact time of the emission. One only knows that after a time interval of say 5τthe emission has with 99% (= 1− exp{−5}) probability taken place.
Next we consider a photon that propagates over a distance s from source S todetector pixel D and which arrives at the detector at time t. Then the photon musthave been emitted at the earlier time t− s/c. The probability amplitude for this is
a = exp{iω(t− s/c)} = exp{i(ωt− ks)},
where c is the speed of light, ω = ck, k = 2π/λ and λ is the wavelength of thephoton. We have ignored the attenuation factor under the assumption that τ ismuch longer than the travel time of the photon. The propagation amplitude hasthus the form of a complex wave. This complex character is essential. We can’tchoose sine or cosine waves instead! Retardation is the essential property of anywave. Without it no wave could exist. If the speed of light were infinite, therewould be no electromagnetic waves.
Now let’s consider the quantum mechanical particle in the double slit experimentof Figure 20 (left), this time thinking of a single photon of energy E = hω. Thephoton strikes detector pixel D at time t and we can assume that D does not lieon the symmetry axis, true for all pixels but one. Then the paths 1 and 2 fromS to D are of different length. Consequently the photon would have had to beemitted at different times if it is to reach D at the same time t via path 1 and 2.This can’t be understood from a classical standpoint, but presents no problem interms of probability amplitudes, since the photon is emitted at every time pointwith a defined probability amplitude. Here we see how necessary the concept of theprobability amplitude really is. The amplitudes are
path 1 : a1 = exp{−iω(t− s1/c)} = exp{−i(ωt− ks1)}path 2 : a2 = exp{−iω(t− s2/c)} = exp{−i(ωt− ks2)}.
41
If it is not known which path the photon takes, both amplitudes must be added togive
a = exp{−iωt} · [exp{iks1}+ exp{iks2}].In forming the absolute square of the amplitude, only the retardation part remains,
P = |a|2 = 4 cos2[k(s2 − s1)/2].
Up to a normalization factor this is the expression given in the Section 4.2.1 oninterference. The mixed terms in the formation of the absolute square give riseto interference. Interference occurs only when there exist more than one undistin-guished alternatives for an event. Now the wave-particle duality is clear; the particlepropagates from source to detector as a complex wave but is detected as a discreteparticle. There are no diffuse particles.
D Rules for Manipulation of Probability Ampli-
tudes
• Every physical event is defined by a uniquely determined initial and final state(for pure states).
• Most events can be realized through different alternatives.
• For every alternative, there is a probability amplitude. Its determination is dif-ferent for different events, as for example, propagation through space, tramsmis-sion and reflection from a beam splitter, emission and absorption of photons,scattering of a particle by a potential. The amplitudes for the residence of aparticle in a point in space at a particular time deserve special mention. Theseamplitudes are called wave functions and are determined for non-relativisticelectrons by the Schrodinger equation.
• Most often an alternative is built up of partial steps or pieces. The amplitudeshave to be determined for each step and then multiplied together to determinethe amplitude for the alternative.
• If two particles are involved in an event which behave independently of oneanother, then their amplitudes must be multiplied.
• The amplitudes of all undistinguished alternatives of the same event must beadded together. This is referred to as coherent superposition and forms thebasis of the quantum mechanical principle of superposition. It is importantto emphasize that all alternatives must be taken into account and only theamplitudes of undistinguished alternatives may be added.
42
Undistinguished means that without additional measurement, one can’t de-termine which alternative the particle chose. One can always find out whichalternative was chosen by observing the particle, but then the interferencevanishes (the uncertainty principle). It follows that the amplitudes for alter-natives with different final states can never be added. This is because one canalways determine the end state (e.g. which detector pixel responded) if onewishes to do so. It is irrelevant whether someone is looking or not. It sufficeswhen one can in principle know which alternative was realized. In the case ofdifferent end states the alternatives in fact belong to different events.
• According to Max Born, the probability for an event is the absolute valueof the square of the sum of the probability amplitudes for the alternatives.Mixed terms in the absolute square give rise to interference. One cannot de-termine the distribution of probabilities on the basis of a single measurement.The measurement must be repeated many times under identical conditions.Only then do the probability distribution and the particle distribution mergetogether.
• Probability amplitudes for distinguished alternatives must be added incoher-ently. That is, their absolute squares are calculated separately and contributedirectly the the probability. They do not cause interference.
Many misunderstandings and false statements can be traced to the disregard for thedifference between probability amplitudes and probabilities.
It is false to say that:
• the photon goes half through slit 1 and half through slit 2.
• the photon goes through slit 1 with probability 1/2 and through slit 2 withprobability 1/2.
• a light wave has many photons and one photon goes through slit 1 and onethrough slit 2.
• only waves can interfere.
The only thing that interferes in quantum mechanics, optics, X-ray and neutronscattering, etc. are the probability amplitudes of all undistinguished alternatives tothe same event. Sometimes these amplitudes have the character of complex waves,but not always.
These rules for the manipulation of probability amplitudes were found empirically.So far no one has devised an experiment to disprove them. And no one has founda deeper principle or theory out of which they could be derived. In this sense onecan say (with Richard Feynman) that no one understands quantum mechanics. Butwe know very well how to apply the rules. To quote N. David Mermin, “That’s theway it is. So shut up and calculate!”
43
E Decoherence Example: An Atom in a Cavity
Figure 27 shows a pinned atom in the center on a spherical cavity. The atom hastwo electronic levels: the grond state |g〉 with energy E0 and an excited state |e〉with energy E1.
Figure 27: An atom with energy levels E0 and E1 in a cavity.
Let the cavity be a perfect mirror for the mode of emission of the atom. The stateof the complete system atom plus cavity is then:
ai |e〉 |no photon〉+ a2 |g〉 |one photon〉 = a1 |0, 1〉+ a2 |1, 0〉 .
This is a coherent superposition of two product states for atom and cavity. Thestate is entangled, in other words not representable as the product of one state forthe atom and one for the cavity. The entanglement is caused by the conservationof energy in the system, which swings back and forth between the two states. Itremains as a superposition, that is, the amplitudes a1 and a2 are time dependent.If the atom was initially in its excited state then it can’t permanently return to itsground state.
Now consider the same situation but with a few more degrees of freedom added toit. The atom can experience a recoil, it cause vibrations in its support, the cavity isnot a perfect reflector and can allow radiation to pass through both from inside andfrom outside. In total the original system atom plus cavity can couple with theseexternal and uncontrollable variables in such a way that information can diffuse outof the system and be lost. Ultimately the energy which was originally in the excitedatom simply vanishes in the bath of the many external degrees of freedom and thesystem ends in the unentangled state
|g, no photon〉 = |0, 0〉 .
This is decoherence. Typical times for decoherence are, depending on the system,in the region of seconds to femtoseconds (10−15 sec). The difficulty increase withthe number of Qbits. Decoherence is the main reason why no effective quantumcomputers exist.
44
F Fourier Transformation of the Multiple Slit
We look again at the multiple slit, ignoring the width of the individual slits incomparison with the slit separation d and assuming the number of slits N is large.The we can describe the slits together as a sum of Dirac delta functions:
f(x) =N−1∑
n=0
δ(x− nd− x0).
Figure 28: Absolute square of the Fourier transform of the mutiple slit.
Its Fourier transform is
g(p) =
∫
f(x) exp{ipx}dx = exp{ipx0}N−1∑
n=0
exp{ipdn}.
Evaluating the sum,
g(p) = exp{ipx0} exp{ipd(N − 1)/2}sin(pdN/2)sin(pd/2)
45
and taking the absolute square,
sin2(pdN/2)
sin2(pd/2).
This expression is identical with the probability distribution for the multiple slitexperiment. f(x) and |g(p)|2 are shown in Figure 28.
In the Fraunhofer approximation the coherent superposition of the propagation am-plitudes is identical with the Fourier transform of the multiple slit. This is becausethe propagation amplitudes are also the basis functions of the Fourier transform.The physical requirement to take into account all alternatives corresponds to themathematical requirement to take into account all of the basis functions of theFourier transform. We deliberately introduced a shift x0 into the function f(x) todemonstrate that it enters as phase factor and, when forming the absolute squareof the transform, vanishes. This plays a very big role in the Shor algorithm. Elimi-nating the effect of the shift x0 makes the period r in the Shor algorithm visible.
G Creation of an Entangled 2-Qbit State from 1-
Qbit States with Hadamard and cNOT Gates.
Partial Measurement of a Register
We begin with two state registers A (Alice) and B (Bob) which, in this case, eachhave only one Qbit, namely |0〉A and |0〉B. We apply the Hadamard gate to thestate in register A, obtaining the state
|X〉A =1√2(|0〉+ |1〉)
with equal contributions from states |1〉 and |0〉. Now construct from both registersa 2-Qbit state by forming the tensor product
|Φ〉AB =1√2(|0〉+ |1〉)A ⊗ |0〉B =
1√2(|0〉 ⊗ |0〉+ |1〉 ⊗ |0〉)
=1√2(|00〉+ |10〉) = 1√
2
1000
+1√2
0010
=1√2
1010
.
Since it can be factored, this is an unentangled 2-Qbit state. If we were now tomeasure register B, then we would obtain a nonzero probability amplitude only for
B 〈0|, while register A remains unchanged in state |X〉A and we learn nothing aboutthat state. Now let us apply the cNOT quantum gate Cct to the state |Φ〉AB. This
46
gives
|Ψ〉AB =1√2
1 0 0 00 1 0 00 0 0 10 0 1 0
1010
=1√2
1001
=1√2(|00〉+ |11〉).
This is an entangled 2-Qbit state (Bell state). If we perform a partial measurementin register B, only one state in register A remains. That is, with x = 0 and 1,
|Ψ〉A =1√2
B 〈x|(
|00〉AB + |11〉AB
)
=1√2
(
〈x|0〉B |0〉A + 〈x|1〉B |1〉A)
,
so that
x = 0, or B 〈0| => |Ψ〉A =1√2|0〉A
and
x = 1, or B 〈1| => |Ψ〉A =1√2|1〉A .
Thus if the state |0〉 is measured in register B, the state |0〉 will also be measuredin register A. The state |1〉 is suppressed. If the state |1〉 is measured in registerB, the state |1〉 will also me measured in register A. The state |0〉 is suppressed.Combinations |01〉 and |10〉 do not occur. By performing a measurement in registerB we get, because of entanglement, information about register A that we wouldotherwise not have. The suppression of states in one register due to measurementin another plays an essential role in the Shor algorithm.
H Basic Concept for Error Correction of Qbits
Physical systems that realize classical bits (Cbits) are large on the atomic scale(switches, transistors, ...). The states |0〉 and |1〉 are so far apart energetically thatthe probability of transitions between the two is very small. Nevertheless errorcorrection must still be performed in the classical computing environment becausesignals are weakened due to transmission over large distances. Since it is possible tocopy classical states without changing them, single Cbits can be replaced by triples:
|0〉 => |0〉 |0〉 |0〉 = |000〉|1〉 => |1〉 |1〉 |1〉 = |111〉 .
If, for whatever reason, a measurement reveals that a bit has flipped then the errorcan be corrected by majority decision. The error checks must be sufficiently frequentfor the possibility of double flips to be considered negligible.
Quantum bits (Qbits) on the other hand are realized by atomic scale physical sys-tems (atoms, photons, nuclear spins, ions in traps, ...). They are extremely sensitive
47
to external disturbance due to interaction with external degrees of freedom and thisleads to uncontrolled changes of state (bit flips, phase changes, ...). In order toexamine the state of a Qbit for possible error one must measure it. But measure-ments change the state and destroy entanglement. This is why it is not possibleto copy unknown states (impossibility of cloning). Subtler methods than those forCbit error correction are required.
Suppose Alice wants to send Bob the Qbit
|Φ〉 = a |0〉+ b |1〉 ,
with arbitrary probability amplitudes a and b, over a noisy communication channel.As in the Cbit case, she first creates a triple of Qbits
|Ψ〉 = a |000〉+ b |111〉 .
This is a 3-Qbit code word state. It can be obtained with the help of two cNOTgates and two additional Qbits, both of which are in the initial state |0〉, as is shownin Figure 29.
Figure 29: Creation of a 3-Qbit code word state |Ψ〉.
In terms of cNOT operations Cxy, where x is the control bit and y the target bit,and numbering the states 2,1,0 as shown in the Figure,
|Ψ〉 = C20C21(a |0〉+ b |1〉) |0〉 |0〉 = C20C21(a |000〉+ b |100〉)= C20(a |000〉+ b |110〉) = a |000〉+ b |111〉 .
There are various reasons why errors can creep in. Quantum gates may be unreliable.For instance a Hadamard gate might cause a rotation of 46 deg instead of 45 degrelative to the calculation basis (0,1). Errors in phase can occur that change |Ψ〉 toa |000〉 − b |111〉. Single and double flips can occur in transmission.
48
We will consider here the simplest error model with which the basic idea of errorcorrection in quantum computing can be demonstrated. We’ll only look at singlebit flips. There are then four possibilities for the 3-Qbit code word states:
subspace|Ψ〉 = a |000〉+ b |111〉 no flip |0〉3 |7〉3|Ψ0〉 = a |001〉+ b |110〉 Qbit 0 flipped |1〉3 |6〉3|Ψ1〉 = a |010〉+ b |101〉 Qbit 1 flipped |2〉3 |5〉3|Ψ2〉 = a |100〉+ b |011〉 Qbit 2 flipped |3〉3 |4〉3
The first state is error free, the others have single bit errors. Bob’s task is todetect the error, if present, and to correct it. He can’t measure the states withoutdestroying them. The four code word states are entangled, implying that theycontain more information (in the form of correlations) than is contained in theindividual contributing states (recall the discussion of parapositronium). It is thisadditional information which allows Bob to discover which state is erroneous withoutactually having to measure it.
Figure 30: Error correction for single bit flips.
To this end Bob uses two ancillary Qbits, numbered 3 and 4, and applies fouradditional cNOT gates, whereby the ancillary Qbits are the target bits and the codeword bits are the control bits. The operation is represented graphically in Figure 30.
Using the same notation as before for the cNOT gate operations, numbering the 5
49
Qbits in the order 2,1,0,4,3, and considering the code word state |ψ0〉,
C23C03C24C14(a |001〉+ b |110〉) |0〉 |0〉 = C23C03C24C14(a |001〉 |00〉+ b |110〉 |00〉)= C23C03C24(a |001〉 |00〉+ b |110〉 |10〉)= C23C03(a |001〉 |00〉+ b |110〉 |00〉)= C23(a |001〉 |01〉+ b |110〉 |00〉)= a |001〉 |01〉+ b |110〉 |01〉 = (a |001〉+ b |110〉) |01〉 .
The transformation of the other three code word states is analogous and we get, inall:
|Ψ〉 = a |000〉+ b |111〉 => |Ψ〉 |A〉 = (a |000〉+ b |111〉) |00〉|Ψ0〉 = a |001〉+ b |110〉 => |Ψ0〉 |A0〉 = (a |001〉+ b |110〉) |01〉|Ψ1〉 = a |010〉+ b |101〉 => |Ψ1〉 |A1〉 = (a |010〉+ b |101〉) |10〉|Ψ2〉 = a |100〉+ b |011〉 => |Ψ2〉 |A2〉 = (a |100〉+ b |001〉) |11〉 .
The code word bits and the ancillary bits are not entangled. Therefore the mea-surement of the ancillary bits does not influence the state of the code words. Soif Bob measures the ancillary bit states |A〉 , |A0〉 , |A1〉 , |A2〉 in the the basis (0,1),then he can unambiguously determine if a bit was flipped and, if so, which one. Hecan correct it with a NOT gate. He then knows that Alice has sent him the Qbita |0〉+ b |1〉.To summarize the error correction procedure:
1. The states |Ψ〉 , |Ψ0〉 , |Ψ1〉 , |Ψ2〉 span two-dimensional subspaces of the 8-dimen-sional 3-Qbit space, see the table on the previous page. These subspaces arepairwise orthogonal, that is, decoupled. This fact is responsible for the unam-biguous association of the ancillary bits to the code word states.
2. In measuring the ancillary Qbits, only the information contained within thecorrelations of the 3-Qbit code word states is used to determine, unambigu-ously, which code word |ψj〉 , j = nil, 0, 1, 2, is received. Nowhere in the pro-cedure are the precise values of the probability amplitudes a and b needed.The individual Qbits are not measured. With the aid of entanglement, themeasurement process is shifted from the three code word Qbits to the two an-cillary bits, thereby avoiding destruction of the information contained in thecode Qbits. Not all of the information contained within the code word Qbitsis obtained, but sufficient information is extracted to be able to carry out theerror correction.
In reality the errors that occur are more varied than described here in this simplemodel and the correction procedures are correspondingly more elaborate. Howeverthe basic principle of avoiding the destructive consequences of the necessary mea-surements by transferring them onto ancillary Qbits with the help of entanglement
50
applies to all error correction algorithms in quantum computing. It is a fantastic ac-complishment of Peter Shor to have first pointed out this possibility, without whichthe chances of ever constructing a workable quantum computer would have beenvanishingly small.
Nevertheless there are still plenty of technical hurdles to overcome in order to realizehardware not only with sufficiently many Qbits, but with Qbits that live long enoughbefore decoherence causes computations to crash.
51