Quantum factorization algorithm by NMR ensemble computers

Applied Mathematics and Computation 174 (2006) 1363–1369

www.elsevier.com/locate/amc

Quantum factorization algorithm by NMR ensemble computers Chien-Yuan Chen, Chih-Cheng Hsueh

*

Department of Information Engineering, I-Shou University, Kaohsiung Country, 840, Taiwan, ROC

Abstract In this paper, we design our quantum factorization algorithm by using NMR ensemble computers. Our algorithm can find the prime factor pffiffiffiffi p of the RSA-modulus N = pq by using NMR ensemble search scheme, where p < N , p and q are primes. We prepare massive molecules with the same states and use an auxiliary spin to record the result of computing. In each computation, we input states with one fixed spin and determine one bit value of the prime factor p. After dlnpecomputations, we can discover the factor p. pffiffiffiffi Thus, our algorithm requires at most ln N oracle queries for factoring the RSAmodulus N.
2005 Elsevier Inc. All rights reserved. Keywords: Quantum factorization; NMR ensemble computer

*

Corresponding author. E-mail addresses: [email protected] (C.-Y. Chen), [email protected] (C.-C. Hsueh). 0096-3003/$ - see front matter
2005 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2005.05.051

1364

C.-Y. Chen, C.-C. Hsueh / Appl. Math. Comput. 174 (2006) 1363–1369

1. Introduction In 1994, Shor presented the quantum factorization algorithm [11] such that the RSA-modulus N = pq, where p and q are primes, can be factored. Shor utilizes the concept of periodic function in his algorithm to compute the order of g, where g is an element in the multiplicative group (mod N). Let the order of g be r. We have gr = 1 mod N. Shor
s algorithm will output a random rational number cr, where c is an unknown integer. Normally, a projective measurement is used to obtain cr. We then use the continued fractions algorithm in classical computer to get c and r with high probability. When the order r is found, we obtain a factor of N by computing gcd (gr=2
1; N ). Shor then showed that his algorithm can perform in polynomial time O(n3), where n ¼ dlogðN Þe [3,11,12]. However, Shor
s algorithm requires an assumption that the size of the input state is the multiple of the order r. This assumption was discussed by Ekert and Jozsa [3]. Ekert and Jozsa proved that the probability of factoring the RSA-modulus by Shor
s algorithm is still high even if the size of the input state is not the multiple of the order r. Recently, nuclear magnetic resonance (NMR) ensemble computing has been presented [2,6,13–15]. In NMR, there are many identical molecules. Each molecule, as a quantum computer, contains massive different spins. NMR differs from a quantum computer in that the result of a measurement is the expectation value of the observable, rather than a random eigenvalue thereof. According to the property of NMR, we can solve the SAT problem [2] and the ensemble search problem [1,4,8–10]. If we want to solve the factoring problem by implementing Shor
s algorithm in NMR ensemble computers, we encounter that the average value j cri gives no meaningful information because c is nearly uniformly distributed. Fortunately, a resolution is mentioned in [6]. We let each molecule, a quantum computer, perform a continued fraction algorithm and output a candidate r. Thus, the final ensemble average measurement will be the order r. In this paper, we present a novel quantum factorization algorithm by using Bru¨schweiler
s ensemble search scheme. Bru¨schweiler
s ensemble search scheme [1] aims at searching a single object among N = 2n unsorted elements. Let f: {0, 1}n ! {0, 1} be a binary function such that f(x) = 0 for all input x, except for one, say x = z, where f(z) = 1. Given an input with states, an NMR ensemble computer will output f, the sum of function values of input states. If f = 1, it means that the object z is included; otherwise, z is excluded. Therefore, in each computation, we prepare the states with one fixed spin which corresponds to one bit of z. For example, we assume that the ith bit spins up. If the output f = 1, it denotes that the ith bit of z is zero; otherwise, the ith bit of z is one. After n = log N computations, we can determine every bit value of z. We modify Bru¨schweiler
s scheme by constructing a new oracle function pffiffiffiffi gN: {0, 1}n ! {0, 1}, where N = pq is the RSA-modulus and p < N . If

C.-Y. Chen, C.-C. Hsueh / Appl. Math. Comput. 174 (2006) 1363–1369

1365

gcd (x, N) = 1, we give gN(x) = 0; otherwise, we give gN(x) = 1. Then, we compute the sum of the values of oracle function g. If the sum is one, we obtain that the ith bit of the prime factor p is zero; otherwise it is one. After dlog pe computations, we can discover all bit value of the factor p. Using Bru¨schweiler
s ensemble search scheme in NMR ensemble computers [2], we have five phases in each computation: input, frequency labeling, computation, read out, and processing, to design our algorithm. In input phase, we prepare the same states in each molecule. The frequency labeling phase utilizes radio-frequency (rf) pulse to perform unitary transformation. But, in our algorithm, the frequency labeling phase is not needed. In computation phase, we perform the needful computation. Note that we perform the spin ensemble quantum computation in spin Liouville space, not Hilbert space. We detect the free induction decay (FID) signal in read-out phase. Finally, we process and transform the FID signal to the frequency domain by a classical computer in processing phase. The remainder of this paper is organized as follows. In Section 2, we prepare that input states and computation. We describe a novel quantum factorization algorithm by NMR ensemble computers in Section 3 and discuss our algorithm in Section 4. Section 5 draws the conclusions.

2. Preparation In this section, we describe the state in spin Liouville space and the computation in our algorithm. First, the pure state jwi = j0100  010i = jabaa  abai in Hilbert space is mapped on the state r ¼ jwihwj ¼ I a1 I b2 I a3    I bn1 I an in spin Liouville space [5], where a denotes spin ‘‘up’’, b denotes spin ‘‘down’’ and Ii denotes the ith spin or qubit. Note that I a1 I b2 I a3    I bn1 I an is the direct product of ! 1 0 1 I ak ¼ jak ihak j ¼ ð1k þ 2I kz Þ ¼ and 2 0 0 I bk

1 ¼ jbk ihbk j ¼ ð1k  2I kz Þ ¼ 2

0 0

! ;

0 1

where k 2 {1  n}, 2Ikz is the Pauli matrix rz and 1k is the unity operator of the subspace of spin Ik. According to [1], we define a binary function f: {0, 1}n ! {0, 1}. The function f computes the sum of the input states. In order to perform function f reversibly [7], an extra bit is required, represented by spin I0. The initial state of I0 is always in the a state, i.e. I a0 . The sign of I a0 is 1. Thus, the input of f has the general form I a0 rin in spin Liouville space. According to [1], f ¼ F ðI a0 rin Þ ¼ 12  TrfUI a0 rin U þ I 0z g, where U is a unitary transform. Further,

1366

C.-Y. Chen, C.-C. Hsueh / Appl. Math. Comput. 174 (2006) 1363–1369

P a F can be evaluated from a sum of M density operators, i.e. M j¼1 I 0 rj . Then, the function f computes the sum of M density operator which is ! M M X X ðM  1Þ a a . ð1Þ F ðI 0 rj Þ ¼ F I 0 rj þ f ¼ 2 j¼1 j¼1 The above equation shows that f can be evaluated simultaneously when f is applied to a linear combination of states in spin Liouville space. We can refer in detail to [1]. 3. Quantum factorization algorithm by NMR ensemble computers In our algorithm, we define an operation U gN corresponding to gN(Æ). The operation U gN aims at computing the value gN(Æ) of state ri and stores it in spin I0. If gcd (ri, N) = 1, then I 0 ¼ I a0 , otherwise I 0 ¼ I b0 . The sign of I a0 and I b0 is 1 and 1, respectively. In NMR ensemble computer, we assume that the operation of computing the greatest common denominator is practicable because the implementation of basic logic gate operations was presented [5]. Assume that we want to factor the RSA-modulus N = pq. We prepare input pffiffiffiffi pffiffiffiffi states from 1 to N . Without loss of generality, we assume that N ¼ 2h for some h. These states are r0 ¼ I a1 I a2    I ah1 I ah ; r1 ¼ I b1 I a2    I ah1 I ah ; r2 ¼ I a1 I b2    I ah1 I ah ; r3 ¼ I b I b    I a I a ; . . . ; rpffiffiffiffiffiffiffi ¼ I b I b    I b I b . 1 2

h1 h

N 1

1 2

h1 h

P2h1 1 ¼ ¼ j¼0 I a0 rij , where ij represents Besides, we let the sequence of numbers whose ith bit is zero. In our algorithm, each compuP 2h1 1 a tation contains four phases to discover g ¼ U gN I 0 rij þ b, where j¼0 I 0 I ai

a=b a=b I a0 I 1 I 2

   I ai

a=b    Ih

b = 2h  1  1, and determines one bit value of the prime factor p. In the following, we list the ith computation. Input phase: We prepare the input state r ¼ I a0 I ai in spin Liouville space. Computation phase: P2h1 1 We perform U gN which applies gN to I 0 I ai ¼ j¼0 I a0 rij and store the result in spin I0. That is, if gcd ðrij ; N Þ ¼ 1, then I 0 ¼ I a0 . Otherwise, we have I 0 ¼ I b0 . Read-out phase: In this phase, we detect a time domain free induction decay (FID) signal to get the read out of spin I0 which is the sum of g for the input states rij . Processing phase: According to Eq. (1), the final result can be calculated by adding a signal of relative magnitude b = 2h  1  1. If the result is one, we learn that the ith bit

C.-Y. Chen, C.-C. Hsueh / Appl. Math. Comput. 174 (2006) 1363–1369

1367

of p is zero; otherwise, the ith bit of p is one. Then, we go to input phase to start next computation. After dln pe computations, we can discover the factor p. In the following, we give an example to understand our algorithm. Example We assume that N = 3 · 5 = 15. Thus, we prepare r0 ¼ I a1 I a2 , r1 ¼ I b1 I a2 , r2 ¼ a b I 1 I 2 and r3 ¼ I b1 I b2 . First computation Input phase: We prepare input state r ¼ I a0 I a1 ¼ I a0 I a1 I a2 þ I a0 I a1 I b2 . Computation phase: We perform U gN to r. That is, U gN ðrÞ ¼ I a0 r0 þ I a0 r2 ¼ I a0 I a1 I a2 þ I a0 I a1 I b2 . Read-out phase: We perform NMR measurement on the ancillary qubits I0. We obtain the total intensity 1 and 1 after measuring, respectively. Thus, the sum is g = 2. Processing phase: According to Eq. (1), the result is g = (2) + b = (2) + 221  1 = 1. Thus, we learn that the first bit of the factor p is 1, i.e. I b1 . Second computation: Input phase: We prepare input state r ¼ I a0 I a2 ¼ I a0 I a1 I a2 þ I a0 I b1 I a2 . Computation phase: We perform U gN to r. That is, U gN ðrÞ ¼ I a0 r0 þ I a0 r1 ¼ I a0 I a1 I a2 þ I a0 I b1 I a2 . Read-out phase: We perform NMR measurement on the ancillary qubits I0. We obtain the total intensity 1 and 1 after measuring, respectively. Thus, the sum is g = 2. Processing phase: According to Eq. (1), the result is g = (2) + 1 = 1. Thus, we learn that the second bit of the factor p is 1, i.e. I b2 . Finally, the state of the factor p is I b1 I b2 ¼ ð11Þ2 ¼ 3. Thus the factor of N is 3 and the other is N3 ¼ 5. 4. Discussion So far, Bru¨schweiler
s quantum search scheme [1] has been implemented experimentally by three-qubit NMR ensemble computers [9,10]. In [9], they improve the Bru¨schweiler
s scheme by using measured spectra to read out

1368

C.-Y. Chen, C.-C. Hsueh / Appl. Math. Comput. 174 (2006) 1363–1369

the ensemble average of the output register. In [10], they completely remove the output register and use a modified oracle transformation, so that the scheme becomes irreversible. Other savants have also been proposed and implemented [4,8] in NMR ensemble computing. In bulk quantum Turing machine [16], the accurate problem occurs when measurement accuracy e < n. It causes the inaccuracy in each measurement. According to [1,17], however, the accuracy can be enhanced by repeating our algorithm a number of times. The accuracy level scales with the square-root of the number of experimental trials [1]. Assume that Nd is the number of experimental trials. If we want to obtain accurate measurement, Nd must satisfy 21e  p1ffiffiffiffi < 21n , where e is the number of correct qubits. Thus, we have Nd pffiffiffiffi Nd > 22(n  e). We require Oð22ðneÞ ln N Þ oracle pffiffiffiffi queries to obtain the correct element. When e  n, we only require Oðln N Þ oracle queries. However, when pffiffiffiffi e  n, we require OðN 2 ln N Þ oracle queries. Furthermore, we give the theoretical and practical considerations that the limit size of RSA-modulus can be solved in NMR ensemble quantum computers. In [2], Cory et al. pointed out the limit of size in NMR ensemble quantum computers. Assume that the number of spins in a molecule is h, the number of molecules present in the sample is H, and the total number of spins is R = hH. Let r ¼ 2Hh > 1 be the average number of molecules per state. Cory et al. typically have R  1023  276 in an NMR sample. So, if we wish to solve a problem 76 276 of size h, we would have H  2h or r  h2 h . Thus, we can derive the approximate bound h < 70 qubits from h2h < 276. Thus, our algorithm can theoretically factor the RSA-modulus with at most 70 bits. However, in practice, the NMR implementation is limited to 10 qubits [18–22]. Thus, our algorithm can factor RSA-modulus with at most 10 bits. In Shor
s quantum factorization algorithm, it needs O((ln N)3) to complete the factorization algorithm in a single quantum computer. In NMR ensemble computers, we use an ensemble of independent quantum computers in our algorithm. Then, we use the NMR pffiffiffiffiensemble search algorithm to find the factor of N = pq. Thus, we need Oðln N Þ oracle queries to factor N. 5. Conclusion In this paper, we design our quantum factorization algorithm with NMR ensemble computers. In the NMR ensemble computers, each molecule can perform computation in parallelism. Thus, we prepare the same states in each molecule and use an auxiliary spin I0 to record the result of computing. After dln pecomputations, we can discover all bit values of p. However, according to modern physical limitation, our algorithm only factors the RSA-modulus with less than 10 bits.

C.-Y. Chen, C.-C. Hsueh / Appl. Math. Comput. 174 (2006) 1363–1369

1369

Acknowledgement This work was supported in part by the National Science Council of the Republic of China under contract NSC93-2213-E-214-011. References [1] R. Bru¨schweiler, Novel strategy for database searching in spin Liouville space by NMR ensemble computing, Phys. Rev. Lett. 85 (22) (2000) 4815. [2] D.G. Cory, A.F. Fahmy, T.F. Havel, Ensemble quantum computing by NMR spectroscopy, Proc. Natl. Acad. Sci. 94 (1997) 1634–1639. [3] A. Ekert, R. Jozsa, Quantum computation and Shor
s factoring algorithm, Rev. Mod. Phys. 68 (3) (1996) 733–753. [4] A.K. Khitrin, V.L. Ermakov, B.M. Fung, NMR implementation of a parallel search algorithm, Phys. Rev. Lett. 89 (2002) 277902. [5] Z.L. Ma´di, R. Bru¨schweiler, R.R. Ernst, One- and two-dimensional ensemble quantum computing in spin Liouville space, J. Chem. Phys. 109 (1998) 10603. [6] M.A. Nielsen, I.L. Chuang, Quantum Computation and Quantum Information, Cambridge University Press, 2001, pp. 335–336. [7] T. Toffoil, in: J.W. de Bakker, J. van Leeuwen, (Eds.), Automata, Languages and Programming, 1980, pp. 632–644. [8] L. Xiao, G.L. Long, Fetching marked items from an unsorted database in NMR ensemble computing, Phys. Rev. A 66 (2002) 052320. [9] L. Xiao, G.L. Long, H.Y. Yan, Y. Sun, Experimental realization of the Bru¨schweiler
s algorithm in a homonuclear system, J. Chem. Phys. 117 (2002) 3310. [10] X. Yang, D. Wei, X. Miao, Modification and realization of Bru¨schweiler
s search, Phys. Rev. A 66 (2002) 042305. [11] P. Shor, Algorithms for quantum computation: discrete logarithms and factoring, in: Proceedings of the 35th Annual Symposium on Foundations of Computer Science, 1994, pp. 124–134. [12] P. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIMA J. Comput. 26 (5) (1997) 1484–1509. [13] N. Gershenfeld, I.L. Chuang, Bulk spin-resonance quantum computation, Science 275 (1997) 350. [14] J.A. Jones, NMR quantum computation, Prog. NMR Spectrosc. 38 (2001) 325. [15] L.M.K. Vandersypen, M. Steffen, G. Breyta, C.S. Yannoni, M.H. Sherwood, I.L. Chuang, Experimental realization of Shor
s quantum factoring algorithm using nuclear magnetic resonance, Nature (London) 414 (2001) 883. [16] T. Nishino, H. Shibata, K. Atsumi, T. Shima, Solving function problems and NP-complete problems by NMR quantum computation, Technical Report of IEICE, COMP 98-71, 1998. [17] V. Protopopescu, C. D
Helon, J. Barhen, Constant-time solution to the global optimization problem using Bru¨schweiler
s ensemble search algorithm, J. Phys. A: Math. Gen. 36 (2003) L399–L407. [18] N.A. Gershenfeld, I.L. Chuang, Bulk spin resonance quantum computation, Science 275 (1997) 350–356. [19] I.L. Chuang, L.M.K. Vandersypen, X. Zhou, D.W. Leung, S. Lloyd, Experimental realization of a quantum algorithm, Nature (May 14) (1998). [20] http://www.media.mit.edu/physics/projects/spins/home.html. [21] http://www.ee.pdx.edu/~mperkows/temp/June16/0033.NMR.pdf. [22] http://feynman.media.mit.edu/quanta/nmrqc-darpa/qc/local.html.