Quantum search algorithm
In quantum computing, Grover's algorithm, also known as the quantum search algorithm, refers to a quantum algorithm for unstructured search that finds with high probability the unique input to a black box function that produces a particular output value, using just O ( N ) {displaystyle O({sqrt {N}})} evaluations of the function, where N {displaystyle N} is the size of the function's domain. It was devised by Lov Grover in 1996.[1]
The analogous problem in classical computation cannot be solved in fewer than O ( N ) {displaystyle O(N)} evaluations (because, on average, one has to check half of the domain to get a 50% chance of finding the right input). At roughly the same time that Grover published his algorithm, Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani proved that any quantum solution to the problem needs to evaluate the function ( N ) {displaystyle Omega ({sqrt {N}})} times, so Grover's algorithm is asymptotically optimal.[2] Since researchers generally believe that NP-complete problems are difficult because their search spaces have essentially no structure, the optimality of Grover's algorithm for unstructured search suggests (but does not prove) that quantum computers cannot solve NP-complete problems in polynomial time.[3]
Unlike other quantum algorithms, which may provide exponential speedup over their classical counterparts, Grover's algorithm provides only a quadratic speedup. However, even quadratic speedup is considerable when N {displaystyle N} is large, and Grover's algorithm can be applied to speed up broad classes of algorithms.[3] Grover's algorithm could brute-force a 128-bit symmetric cryptographic key in roughly 264 iterations, or a 256-bit key in roughly 2128 iterations. As a result, it is sometimes suggested[4] that symmetric key lengths be doubled to protect against future quantum attacks.
Grover's algorithm, along with variants like amplitude amplification, can be used to speed up a broad range of algorithms.[5][6][7] In particular, algorithms for NP-complete problems generally contain exhaustive search as a subroutine, which can be sped up by Grover's algorithm.[6] The current best algorithm for 3SAT is one such example. Generic constraint satisfaction problems also see quadratic speedups with Grover.[8] These algorithms do not require that the input be given in the form of an oracle, since Grover's algorithm is being applied with an explicit function, e.g. the function checking that a set of bits satisfies a 3SAT instance.
Grover's algorithm can also give provable speedups for black-box problems in quantum query complexity, including element distinctness[9] and the collision problem[10] (solved with the BrassardHyerTapp algorithm). In these types of problems, one treats the oracle function f as a database, and the goal is to use the quantum query to this function as few times as possible.
Grover's algorithm essentially solves the task of function inversion. Roughly speaking, if we have a function y = f ( x ) {displaystyle y=f(x)} that can be evaluated on a quantum computer, Grover's algorithm allows us to calculate x {displaystyle x} when given y {displaystyle y} . Consequently, Grover's algorithm gives broad asymptotic speed-ups to many kinds of brute-force attacks on symmetric-key cryptography, including collision attacks and pre-image attacks.[11] However, this may not necessarily be the most efficient algorithm since, for example, the parallel rho algorithm is able to find a collision in SHA2 more efficiently than Grover's algorithm.[12]
Grover's original paper described the algorithm as a database search algorithm, and this description is still common. The database in this analogy is a table of all of the function's outputs, indexed by the corresponding input. However, this database is not represented explicitly. Instead, an oracle is invoked to evaluate an item by its index. Reading a full data-base item by item and converting it into such a representation may take a lot longer than Grover's search. To account for such effects, Grover's algorithm can be viewed as solving an equation or satisfying a constraint. In such applications, the oracle is a way to check the constraint and is not related to the search algorithm. This separation usually prevents algorithmic optimizations, whereas conventional search algorithms often rely on such optimizations and avoid exhaustive search.[13]
The major barrier to instantiating a speedup from Grover's algorithm is that the quadratic speedup achieved is too modest to overcome the large overhead of near-term quantum computers.[14] However, later generations of fault-tolerant quantum computers with better hardware performance may be able to realize these speedups for practical instances of data.
As input for Grover's algorithm, suppose we have a function f : { 0 , 1 , , N 1 } { 0 , 1 } {displaystyle f:{0,1,ldots ,N-1}to {0,1}} . In the "unstructured database" analogy, the domain represent indices to a database, and f(x) = 1 if and only if the data that x points to satisfies the search criterion. We additionally assume that only one index satisfies f(x) = 1, and we call this index . Our goal is to identify .
We can access f with a subroutine (sometimes called an oracle) in the form of a unitary operator U that acts as follows:
This uses the N {displaystyle N} -dimensional state space H {displaystyle {mathcal {H}}} , which is supplied by a register with n = log 2 N {displaystyle n=lceil log _{2}Nrceil } qubits.This is often written as
Grover's algorithm outputs with probability at least 1/2 using O ( N ) {displaystyle O({sqrt {N}})} applications of U. This probability can be made arbitrarily large by running Grover's algorithm multiple times. If one runs Grover's algorithm until is found, the expected number of applications is still O ( N ) {displaystyle O({sqrt {N}})} , since it will only be run twice on average.
This section compares the above oracle U {displaystyle U_{omega }} with an oracle U f {displaystyle U_{f}} .
U is different from the standard quantum oracle for a function f. This standard oracle, denoted here as Uf, uses an ancillary qubit system. The operation then represents an inversion (NOT gate) conditioned by the value of f(x) on the main system:
or briefly,
These oracles are typically realized using uncomputation.
If we are given Uf as our oracle, then we can also implement U, since U is Uf when the ancillary qubit is in the state | = 1 2 ( | 0 | 1 ) = H | 1 {displaystyle |-rangle ={frac {1}{sqrt {2}}}{big (}|0rangle -|1rangle {big )}=H|1rangle } :
So, Grover's algorithm can be run regardless of which oracle is given.[3] If Uf is given, then we must maintain an additional qubit in the state | {displaystyle |-rangle } and apply Uf in place of U.
The steps of Grover's algorithm are given as follows:
For the correctly chosen value of r {displaystyle r} , the output will be | {displaystyle |omega rangle } with probability approaching 1 for N 1. Analysis shows that this eventual value for r ( N ) {displaystyle r(N)} satisfies r ( N ) 4 N {displaystyle r(N)leq {Big lceil }{frac {pi }{4}}{sqrt {N}}{Big rceil }} .
Implementing the steps for this algorithm can be done using a number of gates linear in the number of qubits.[3] Thus, the gate complexity of this algorithm is O ( log ( N ) r ( N ) ) {displaystyle O(log(N)r(N))} , or O ( log ( N ) ) {displaystyle O(log(N))} per iteration.
There is a geometric interpretation of Grover's algorithm, following from the observation that the quantum state of Grover's algorithm stays in a two-dimensional subspace after each step. Consider the plane spanned by | s {displaystyle |srangle } and | {displaystyle |omega rangle } ; equivalently, the plane spanned by | {displaystyle |omega rangle } and the perpendicular ket | s = 1 N 1 x | x {displaystyle textstyle |s'rangle ={frac {1}{sqrt {N-1}}}sum _{xneq omega }|xrangle } .
Grover's algorithm begins with the initial ket | s {displaystyle |srangle } , which lies in the subspace. The operator U {displaystyle U_{omega }} is a reflection at the hyperplane orthogonal to | {displaystyle |omega rangle } for vectors in the plane spanned by | s {displaystyle |s'rangle } and | {displaystyle |omega rangle } , i.e. it acts as a reflection across | s {displaystyle |s'rangle } . This can be seen by writing U {displaystyle U_{omega }} in the form of a Householder reflection:
The operator U s = 2 | s s | I {displaystyle U_{s}=2|srangle langle s|-I} is a reflection through | s {displaystyle |srangle } . Both operators U s {displaystyle U_{s}} and U {displaystyle U_{omega }} take states in the plane spanned by | s {displaystyle |s'rangle } and | {displaystyle |omega rangle } to states in the plane. Therefore, Grover's algorithm stays in this plane for the entire algorithm.
It is straightforward to check that the operator U s U {displaystyle U_{s}U_{omega }} of each Grover iteration step rotates the state vector by an angle of = 2 arcsin 1 N {displaystyle theta =2arcsin {tfrac {1}{sqrt {N}}}} .So, with enough iterations, one can rotate from the initial state | s {displaystyle |srangle } to the desired output state | {displaystyle |omega rangle } . The initial ket is close to the state orthogonal to | {displaystyle |omega rangle } :
In geometric terms, the angle / 2 {displaystyle theta /2} between | s {displaystyle |srangle } and | s {displaystyle |s'rangle } is given by
We need to stop when the state vector passes close to | {displaystyle |omega rangle } ; after this, subsequent iterations rotate the state vector away from | {displaystyle |omega rangle } , reducing the probability of obtaining the correct answer. The exact probability of measuring the correct answer is
where r is the (integer) number of Grover iterations. The earliest time that we get a near-optimal measurement is therefore r N / 4 {displaystyle rapprox pi {sqrt {N}}/4} .
To complete the algebraic analysis, we need to find out what happens when we repeatedly apply U s U {displaystyle U_{s}U_{omega }} . A natural way to do this is by eigenvalue analysis of a matrix. Notice that during the entire computation, the state of the algorithm is a linear combination of s {displaystyle s} and {displaystyle omega } . We can write the action of U s {displaystyle U_{s}} and U {displaystyle U_{omega }} in the space spanned by { | s , | } {displaystyle {|srangle ,|omega rangle }} as:
So in the basis { | , | s } {displaystyle {|omega rangle ,|srangle }} (which is neither orthogonal nor a basis of the whole space) the action U s U {displaystyle U_{s}U_{omega }} of applying U {displaystyle U_{omega }} followed by U s {displaystyle U_{s}} is given by the matrix
This matrix happens to have a very convenient Jordan form. If we define t = arcsin ( 1 / N ) {displaystyle t=arcsin(1/{sqrt {N}})} , it is
It follows that r-th power of the matrix (corresponding to r iterations) is
Using this form, we can use trigonometric identities to compute the probability of observing after r iterations mentioned in the previous section,
Alternatively, one might reasonably imagine that a near-optimal time to distinguish would be when the angles 2rt and 2rt are as far apart as possible, which corresponds to 2 r t / 2 {displaystyle 2rtapprox pi /2} , or r = / 4 t = / 4 arcsin ( 1 / N ) N / 4 {displaystyle r=pi /4t=pi /4arcsin(1/{sqrt {N}})approx pi {sqrt {N}}/4} . Then the system is in state
A short calculation now shows that the observation yields the correct answer with error O ( 1 N ) {displaystyle Oleft({frac {1}{N}}right)} .
If, instead of 1 matching entry, there are k matching entries, the same algorithm works, but the number of iterations must be 4 ( N k ) 1 / 2 {textstyle {frac {pi }{4}}{left({frac {N}{k}}right)^{1/2}}} instead of 4 N 1 / 2 {textstyle {frac {pi }{4}}{N^{1/2}}} .
There are several ways to handle the case if k is unknown.[15] A simple solution performs optimally up to a constant factor: run Grover's algorithm repeatedly for increasingly small values of k, e.g. taking k = N, N/2, N/4, ..., and so on, taking k = N / 2 t {displaystyle k=N/2^{t}} for iteration t until a matching entry is found.
With sufficiently high probability, a marked entry will be found by iteration t = log 2 ( N / k ) + c {displaystyle t=log _{2}(N/k)+c} for some constant c. Thus, the total number of iterations taken is at most
A version of this algorithm is used in order to solve the collision problem.[16][17]
A modification of Grover's algorithm called quantum partial search was described by Grover and Radhakrishnan in 2004.[18] In partial search, one is not interested in finding the exact address of the target item, only the first few digits of the address. Equivalently, we can think of "chunking" the search space into blocks, and then asking "in which block is the target item?". In many applications, such a search yields enough information if the target address contains the information wanted. For instance, to use the example given by L. K. Grover, if one has a list of students organized by class rank, we may only be interested in whether a student is in the lower 25%, 2550%, 5075% or 75100% percentile.
To describe partial search, we consider a database separated into K {displaystyle K} blocks, each of size b = N / K {displaystyle b=N/K} . The partial search problem is easier. Consider the approach we would take classically we pick one block at random, and then perform a normal search through the rest of the blocks (in set theory language, the complement). If we don't find the target, then we know it's in the block we didn't search. The average number of iterations drops from N / 2 {displaystyle N/2} to ( N b ) / 2 {displaystyle (N-b)/2} .
Grover's algorithm requires 4 N {textstyle {frac {pi }{4}}{sqrt {N}}} iterations. Partial search will be faster by a numerical factor that depends on the number of blocks K {displaystyle K} . Partial search uses n 1 {displaystyle n_{1}} global iterations and n 2 {displaystyle n_{2}} local iterations. The global Grover operator is designated G 1 {displaystyle G_{1}} and the local Grover operator is designated G 2 {displaystyle G_{2}} .
The global Grover operator acts on the blocks. Essentially, it is given as follows:
The optimal values of j 1 {displaystyle j_{1}} and j 2 {displaystyle j_{2}} are discussed in the paper by Grover and Radhakrishnan. One might also wonder what happens if one applies successive partial searches at different levels of "resolution". This idea was studied in detail by Vladimir Korepin and Xu, who called it binary quantum search. They proved that it is not in fact any faster than performing a single partial search.
Grover's algorithm is optimal up to sub-constant factors. That is, any algorithm that accesses the database only by using the operator U must apply U at least a 1 o ( 1 ) {displaystyle 1-o(1)} fraction as many times as Grover's algorithm.[19] The extension of Grover's algorithm to k matching entries, (N/k)1/2/4, is also optimal.[16] This result is important in understanding the limits of quantum computation.
If the Grover's search problem was solvable with logc N applications of U, that would imply that NP is contained in BQP, by transforming problems in NP into Grover-type search problems. The optimality of Grover's algorithm suggests that quantum computers cannot solve NP-Complete problems in polynomial time, and thus NP is not contained in BQP.
It has been shown that a class of non-local hidden variable quantum computers could implement a search of an N {displaystyle N} -item database in at most O ( N 3 ) {displaystyle O({sqrt[{3}]{N}})} steps. This is faster than the O ( N ) {displaystyle O({sqrt {N}})} steps taken by Grover's algorithm.[20]
See the rest here:
Grover's algorithm - Wikipedia