The application pertains to quantum circuit synthesis.
Disclosed herein are example embodiments of methods, apparatus, and systems for performing quantum circuit synthesis and/or for implementing the synthesis results in a quantum computer system. For instance, the disclosure presents innovations in quantum computing design and synthesis tools for generating circuit descriptions operable on such designs. The innovations can be implemented as part of a method, as part of a computing device, compilation system, or synthesis system configured or programmed to perform any embodiment of the disclosed techniques, or as part of a tangible computer-readable media storing computer-executable instructions for causing a computing device to perform any embodiment of the disclosed synthesis techniques. The innovations can also be performed as part of a method or system for implementing and performing quantum operations in a physical implementation of a quantum computer. The various innovations can be used in combination or separately.
Embodiments of the disclosed technology can be used as part of an overall synthesis process for generating gate sets for a quantum computer having a target architecture from higher-level descriptions. In particular embodiments, the techniques disclosed herein can be used to generate a quaternion approximation for a synthesis process that uses quaternion algebra. Example embodiments of suitable quaternion-based synthesis procedures with which the disclosed technology can be used are described in U.S. Provisional Patent Application No. 62/146,182 filed on Apr. 10, 2015, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”; PCT International Application No. PCT/US2016/025958 filed on Apr. 5, 2016, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”; Vadym Kliuchnikov and Jon Yard, “A Framework for Exact Synthesis,” arXiv:1504.04350 (2015); and in Simon Forest, David Gosset, Vadym Kliuchnikov, David McKinnon, “Exact synthesis of single-qubit unitaries over Clifford-cyclotomic gate sets,” Journal of Mathematical Physics 56, 082201, (2015) (also available at arXiv:1501.04944v2). For instance, any of the embodiments disclosed in these references (or aspect or feature (including combinations thereof) disclosed therein) can be used together with any aspect or feature (including combinations thereof) of the innovations presented in this disclosure.
In certain example embodiments, methods for efficiently approximating qubit unitaries over gate sets derived from totally definite quaternion algebras are presented.
Example implementations of the technology can achieve ε-approximations using circuits of length O(log(1/ε)), which is asymptotically optimal. Example implementations also achieve the same quality of approximation as previously-known algorithms for Clifford+T, V-basis, and Clifford+π/12, running on average in time polynomial in O(log(1/ε)) (conditional on a number-theoretic conjecture).
In certain example embodiments of the quantum circuit synthesis procedure disclosed herein, a universal gate set, a target unitary described by a target angle, and target precision are received (input); a corresponding quaternion approximation of the target unitary is determined; and a quantum circuit corresponding to the quaternion approximation is synthesized, the quantum circuit being over a single qubit gate set, the single qubit gate set being realizable by the given universal gate set for the target quantum computer architecture. The single qubit gate set can be a Clifford+T basis gate set, a Clifford+e^{iπZ/12} basis gate set, a Clifford+e^{iπZ/16} basis gate set, a V-basis gate set, or any other single qubit base set expressible in terms of totally definite quaternion algebra. The corresponding quaternion approximation can describe the target unitary in quaternion algebra. In some implementations, the system further comprises a quantum circuit controller coupled to the target quantum circuit architecture and configured to implement the quantum circuit in the target quantum circuit architecture. In particular implementations, the synthesis procedure further comprises determining a cost vector for the target unitary, and the act of determining the corresponding quaternion approximation comprises finding one or more corresponding quaternion approximations that satisfy the cost vector. The cost vector can, for example, describe a limit on a size of the single qubit gate set resulting from the synthesis procedure. In some implementations, the act of determining the corresponding quaternion approximation of the target unitary comprises selecting a first algebraic integer for use as a first quaternion element in the quaternion approximation, the first algebraic integer being selected so that a distance threshold to an Rx, Ry, or Rz rotation is satisfied.
The act of determining the corresponding quaternion approximation of the target unitary can further comprise selecting a second algebraic integer for use as a second quaternion element in the quaternion approximation, the second algebraic integer being selected so that, in combination with the first integer, the quaternion approximation produces a quaternion that satisfies a cost limit and the corresponding unitary satisfies the distance threshold. The first algebraic integer and the second algebraic integer can be selected from a ring of integers of the CM-field K. In particular implementations, the determining a corresponding quaternion approximation of the target unitary comprises finding a quaternion from an order of a totally definite quaternion algebra defined over totally real number field F (e.g., the generalized Lipschitz order) that has the following two properties: (1) (Uq,Rz(φ)≤ε; and (2) nrd(q)F=1L
In some example embodiments of a quantum circuit synthesis procedure disclosed herein, a program describing a desired computation to be performed in a target quantum computer architecture is input; and a gate set adapted for implementation on the target quantum computer architecture is generated based on the program, the gate set including a single qubit circuit for one or more respective unitaries used to perform the desired computation. In certain implementations, the single qubit circuit is generated by identifying a target unitary, and determining a corresponding quaternion approximation of the target unitary using a process in which one or more of the elements in the corresponding quaternion approximation are randomly selected. For example, in some implementations, the act of determining the corresponding quaternion approximation of the target unitary can comprise randomly selecting one or more values for use in the corresponding quaternion approximation from a constrained body of values that guarantees that a norm equation is solvable; and solving the norm equation to determine at least another one of the elements in the corresponding quaternion approximation. For instance, the at least another one of the elements in the corresponding quaternion approximation can be z, where z is an algebraic integer from K, and wherein the norm equation for z is z(z*)=e, where e is an element of the totally real subfield F. In some implementations, the act of determining the corresponding quaternion approximation of the target unitary comprises: randomly sampling points from subsets of a ring of integers; and using the randomly selected sampling points as quaternion elements in the quaternion approximation. The ring of integers can be, for instance, a ring of integers of the CM-field K. 
In certain implementations, the act of determining the corresponding quaternion approximation of the target comprises: partitioning a convex body of complex numbers into convex subsets, the partitioning being performed such that each subset has a lattice point corresponding to K; randomly selecting one of the subsets; selecting a lattice point corresponding to K from the randomly selected subset; and using the selected lattice point as an element in the quaternion approximation. In some implementations, the circuit is implemented in the target quantum computer architecture.
In certain example embodiments of a quantum circuit synthesis procedure disclosed herein, a target unitary described by a target angle and target precision is received (input); a corresponding quaternion approximation of the target unitary is determined; and the corresponding quaternion approximation is synthesized using a Closest Vector Problem (CVP) technique to select values for the corresponding quaternion approximation and to produce a single qubit circuit for the target unitary, the single qubit circuit being realizable by a quantum computer architecture. In certain implementations, the determining the corresponding quaternion approximation of the target unitary comprises selecting values from a Hermite-Korkine-Zolotarev, Block-Korkine-Zolotarev, Lenstra-Lenstra-Lovasz, or other size-reduced basis as an element in the corresponding quaternion approximation. Further, in some implementations, the determining the corresponding quaternion approximation of the target unitary comprises using a Lenstra-Lenstra-Lovasz reduction technique or other lattice basis reduction technique.
Any of these example synthesis procedures can be performed by a quantum circuit synthesizer system comprising a processor and memory and/or by a quantum computer synthesis tool adapted for use in a quantum computer design and implementation process and implemented by one or more computing devices. Further, any of these example synthesis procedures can be implemented as computer-executable instructions stored on a computer-readable media, which when executed by a computer cause the computer to perform the synthesis procedure.
As used in this application, the singular forms “a,” “an,” and “the” include the plural forms unless the context clearly dictates otherwise. Additionally, the term “includes” means “comprises.” Further, the term “coupled” does not exclude the presence of intermediate elements between the coupled items. Further, as used herein, the term “and/or” means any one item or combination of any items in the phrase. Still further, as used herein, the term “optimiz*” (including variations such as optimization and optimizing) refers to a choice among options under a given scope of decision, and does not imply that an optimized choice is the “best” or “optimum” choice for an expanded scope of decisions.
The systems, apparatus, and methods described herein should not be construed as limiting in any way. Instead, the present disclosure is directed toward all novel and nonobvious features and aspects of the various disclosed embodiments, alone and in various combinations and sub-combinations with one another. The disclosed systems, methods, and apparatus are not limited to any specific aspect or feature or combinations thereof, nor do the disclosed systems, methods, and apparatus require that any one or more specific advantages be present or problems be solved. Any theories of operation are to facilitate explanation, but the disclosed systems, methods, and apparatus are not limited to such theories of operation.
Although the operations of some of the disclosed methods are described in a particular, sequential order for convenient presentation, it should be understood that this manner of description encompasses rearrangement, unless a particular ordering is required by specific language set forth below. For example, operations described sequentially may in some cases be rearranged or performed concurrently. Moreover, for the sake of simplicity, the attached figures may not show the various ways in which the disclosed systems, methods, and apparatus can be used in conjunction with other systems, methods, and apparatus. Additionally, the description sometimes uses terms like “produce” and “provide” to describe the disclosed methods. These terms are high-level abstractions of the actual operations that are performed. The actual operations that correspond to these terms will vary depending on the particular implementation and are readily discernible by one of ordinary skill in the art.
Each time a new computing device is built, one typically asks the question: what problems can it solve? The same question applies to the quantum computers that are now being developed. When addressing such questions, one usually starts with a crude analysis, asking how resources like time, memory, cost, and the size of the computer scale with the problem size. In particular, how do these resources depend on the particular gate set supported by a quantum computer? The algorithm of Solovay and Kitaev shows that any two universal gate sets are equally good from the perspective of polynomially-scaling resources. See, e.g., Alexei Kitaev, Alexander Shen, and Mikhail Vyalyi, “Classical and quantum computation,” volume 47 of Graduate studies in mathematics, American Mathematical Society (2002); Christopher M. Dawson and Michael A. Nielsen, “The Solovay-Kitaev algorithm,” Quantum Information and Computation, 6(1):81-95 (2005). However, once a small quantum computer is built, more refined questions are asked: How large of a problem can one solve on it? How can one compile our algorithms in the most resource-efficient way possible?
Typically, a circuit implementing a quantum algorithm uses a large number of gates, or local unitaries. Each local unitary must be compiled into the gate set supported by a target fault-tolerant quantum computer. Whereas the unitary groups are uncountable, most promising quantum computer architectures known today (topological or based on error correcting codes) natively support only a finite set of unitary gates. The problem of optimal compilation into circuits over such a gate set can be naturally formulated as that of approximation in such groups.
This disclosure concerns the problem of compiling circuits for single-qubit unitaries, and, more specifically, of approximation by finitely-generated subgroups of SU(2). A systematic description of the problem can be given as follows. Let ⊂SU(2) be a finite set of 2×2 unitary matrices, or gates. Given an arbitrary unitary U∈SU(2), one wants to express it in terms of unitaries from . In most cases U cannot be expressed exactly using elements of and must therefore be approximated. For a selected absolute precision ε, the task is to find a sequence of gates g1, . . . , gN∈ (usually called a circuit over ) such that ∥U−gN . . . g1∥≤ε. If one can approximate any unitary over the gate set (or in other words, if generates a dense subgroup of SU(2)), one calls universal.
Given that each unitary can be so approximated, one can then ask for the shortest, or least costly, such circuit. A volume argument shows that there exist unitaries U requiring circuits of length at least C log(1/ε), where C is a constant that depends on the gate set . A natural question to ask is whether there is a matching upper bound (e.g., whether one can approximate any unitary using a circuit of length O(log(1/ε))). To answer this question, one can employ non-trivial mathematical ideas. For example, it was recently shown that such approximations exist if the unitaries in have entries that are algebraic numbers. See, e.g., Jean Bourgain and Alexander Gamburd, “On the spectral gap for finitely-generated subgroups of SU(2),” Inventiones mathematicae, 171(1):83-121 (2008) (hereinafter “Bourgain and Gamburd 2008”). Known gate sets associated with fault-tolerant quantum computing architectures have this property.
Unfortunately, the result is non-constructive. Furthermore, there is no obvious way to make it constructive that would realistically work for even a moderately small precision target ε. The result of Bourgain and Gamburd 2008 implies that a brute-force search can yield approximations saturating the lower bound. In practice, however, the precision of approximation achievable with brute-force search is limited to 10^−4 or 10^−5. Ideally, one would like to have an algorithm that finds an ε-approximation of a given unitary with a circuit of length O(log(1/ε)) and, furthermore, one would like the algorithm to run in O(poly(log(1/ε))) time.
Recently such algorithms were found for several gate sets such as Clifford+T, the V-basis, Clifford+Rz(π/6) and the braiding of Fibonacci anyons. See, e.g., Neil J. Ross and Peter Selinger, “Optimal ancilla-free Clifford+T approximation of z-rotations,” arXiv:1409.4355 (2014); Peter Selinger, “Efficient Clifford+T approximation of single-qubit operators,” arXiv:1212.6253 (December 2012); Alex Bocharov, Yuri Gurevich, and Krysta M. Svore, “Efficient decomposition of single-qubit gates into V basis circuits,” Physical Review A, 88(1):1-13 (July 2013); Alex Bocharov, Martin Roetteler, and Krysta M. Svore, “Efficient synthesis of probabilistic quantum circuits with fallback,” Physical Review A, 91:052317 (2015) (see also arXiv preprint arXiv:1409.3552); Vadym Kliuchnikov, Alex Bocharov, and Krysta M. Svore, “Asymptotically optimal topological quantum compiling,” Physical Review Letters, 112(14) (April 2014). The question of why it is possible to construct such an algorithm for these gate sets and what general properties such gate sets should have has been an outstanding challenge in the field.
In this disclosure, and in certain example embodiments, a general framework is presented that enables efficient approximation algorithms for entire families of gate sets, instead of for specific examples. Example algorithms are developed in the general setting of gate sets derived from totally definite quaternion algebras. Results of applying an example implementation of the algorithm are also presented for a wide range of gate sets, including Clifford+√T.
The proof that example implementations of the disclosed techniques terminate and run on average in polynomial time relies on a number-theoretic conjecture that generalizes and refines similar conjectures. The mathematics behind conjectures of this type were recently studied for Clifford+T, V-basis and some other gate sets. See, e.g., Peter Sarnak, “Letter to Aaronson and Pollington on the Solvay-Kitaev Theorem and Golden Gates,” available at http://publications.ias.edu/sarnak/paper/2637 (February 2015) (hereinafter “Sarnak 2015”). Results of experiments with example implementations of the disclosed technology provide indirect evidence that some of the results in Sarnak 2015 can be true for a wider range of gate sets. This is related to the “Golden Gates” introduced in Sarnak 2015. This is discussed in more detail in the “Conjecture” Section below. Next, the problem of unitary approximation is presented more formally and a high level overview of example embodiments of the approximation framework is presented.
In summary, disclosed herein are embodiments of a framework for approximate synthesis of single qubit unitary transformations over a universal gate set. The example framework is applicable whenever the gate set is related to totally definite quaternion algebras. Embodiments of the disclosed synthesis procedure run in time that is polynomial in log(1/ε), where ε is the approximation parameter and the output factorizations produced have length O(log(1/ε)). An example implementation of the algorithm was implemented in the computer algebra system Magma and was applied to a wide range of gate sets.
Formally, the problem of ancillae free approximation for single qubit gate sets can be stated as follows:
(unitary approximation problem in two dimensions, UAP). Given
(1) finite universal unitary gate set ⊂SU(2)
(2) cost function c: →+ (c:→{1} corresponds to circuit length)
(3) distance function ρ on the set of unitaries
(4) cost bound function costmax: +→+
(5) target unitary U from Utarg⊂SU(2)
(6) target precision ε
Find g1, . . . , gN from G such that ρ(g1· . . . ·gN, U) ≤ ε and Σ_{k=1}^{N} c(gk) ≤ costmax(ε).
It can be said that an algorithm solves UAP in polynomial time if it solves Problem 2.1 for arbitrary unitaries U from Utarg and its runtime is polynomial in log(1/ε). Here, one is also allowed to spend arbitrary time on precomputation based on (1)-(4) and to store an arbitrary amount of results of the precomputation. The set Utarg can be equal to SU(2) or some subset of it. For example, it can be the set of all unitaries e^{iφZ}, where Z is the Pauli Z matrix and φ is an arbitrary real number.
The hardness of solving UAP and the existence of a solution to it depend on the choice of cost bound function costmax. A summary of known algorithms for solving UAP is presented in the table shown in
In practice, for target precisions 10^−10 to 10^−30, the overhead from using the Solovay-Kitaev algorithm can be between one and three orders of magnitude. On the other hand, the methods based on brute force search find the best possible solution, but are frequently limited to precisions 10^−5 or even less because their runtime and required memory scale exponentially with log(1/ε). The methods described in Alex Bocharov, Yuri Gurevich, and Krysta M. Svore, “Efficient decomposition of single-qubit gates into V basis circuits,” Physical Review A, 88(1):1-13 (July 2013); Neil J. Ross and Peter Selinger, “Optimal ancilla-free Clifford+T approximation of z-rotations,” arXiv:1409.4355 (2014); and Peter Selinger, “Efficient Clifford+T approximation of single-qubit operators,” arXiv:1212.6253 (December 2012), together with the methods that are described herein (see the Table of
One of the focuses of this disclosure is to present example algorithms that work for gate sets described by an arbitrary totally definite quaternion algebra. In this subsection, a discussion is provided regarding what it means for the gate set to be described by totally definite quaternion algebra. The flow diagram 1300 of
The “Basic results and definitions” Section (Section 3) below provides definitions and a more detailed discussion of the mathematical objects discussed herein. The aim of this part is to explain connections between them and to the algorithm presented in this disclosure at a high level. It can be said that the gate set is described by quaternion algebra if the following list of objects can be specified and related to the gate set.
A quaternion gate set specification is a tuple F, σ, a, b, , S where:
Using the embedding σ any quaternion q from the quaternion algebra can be mapped to a special unitary Uq∈SU(2). The precise construction of this map is discussed in the “Using quaternions to represent unitaries” subsection (Subsection 3.1) below. This map has the following relevant properties:
U_{q1 q2} = U_{q1} U_{q2},  U_{q}^† = U_{q*}
where q* is the conjugate of q. Also defined is the following closed under multiplication set
S
={q∈
:nrd(q)F=1L
and call (L1, . . . , LM) the cost vector of q. The meaning of a cost vector is discussed in more detail further in this section and also in the “Exact synthesis results for totally definite quaternion algebras” subsection below. Above nrd(q) is the reduced norm of quaternion and F is a ring of integers of number field F. The set S is closed under multiplication because is closed under multiplication and nrd(q1q2)=nrd(q1)·nrd(q2).
A simplified set of conditions that desirably holds for the gate set to be described by the quaternion gate set specification is:
(1) There must exist subset Q of S such that ={Uq:q∈Q}.
(2) The group generated by must be equal to group {Uq:q∈S}.
Condition (1) implies that the group generated by elements from G is a subgroup of {Uq:q∈S}. Condition (2) can be checked for a given set Q using the framework described in Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015); U.S. Provisional Patent Application No. 62/146,182 filed on Apr. 10, 2015, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”; and PCT International Application No. PCT/US2016/025958 filed on Apr. 5, 2016, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”. A brief overview of results from those works is in the “Exact synthesis results for totally definite quaternion algebras” subsection (Subsection 3.3) below.
One way of checking the condition (2) is to first compute a finite set of quaternions ,S such that every element of S can be written as a product of elements of ,S and a scalar (using, for example, algorithms from Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015); U.S. Provisional Patent Application No. 62/146,182 filed on Apr. 10, 2015, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”; and PCT International Application No. PCT/US2016/025958 filed on Apr. 5, 2016, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”). Here, ,S is a set of canonical generators of S. Second, for each q from Q*, find a representation of Uq as a product of elements of . For all q from ,S one then can define:
Circuit(q)=(U1, . . . ,Un), where Uq=U1 . . . Un,Uk∈. (1)
One natural way of defining the cost of elements of ,S is
For the other cost function definitions related to the cost vector of the quaternion, see the “Exact synthesis results for totally definite quaternion algebras” subsection below.
To summarize, the following definition is given:
a gate set is described by quaternion algebra if the following data is defined:
(1) A quaternion gate set specification F, σ, a, b, , S,
(2) A set of canonical generators ,S of S,
(3) A map Circuit as described by equation (1).
In the “End to end examples of using the framework” Section (Section 6) below, examples of the gate sets described by quaternion algebras (including Clifford+T and V basis) are given and items (1)-(3) are explicitly specified for each example. With this background, an example flow of an embodiment of the disclosed technology can be given in more detail.
Consider items 1302 and 1303 in
The following paragraphs discuss item 1301 in more detail. To give some intuition, one can start with the Clifford+T gate set example (analyzed in more detail in the “End to end examples of using the framework” Section (Section 6) below). In this case, set S contains precisely one prime ideal 1 and L1 is greater than or equal to the T-count of the resulting circuit. To ensure that the approximation step succeeds, the input to the algorithm desirably satisfies the inequality:
L1 log(N(1)) ≥ 4 log(1/ε)+Cmin, where N(1) is the norm of 1.
This reproduces the result from Peter Selinger, “Efficient Clifford+T approximation of single-qubit operators,” arXiv:1212.6253 (December 2012) that the T-count scales as 4 log_2(1/ε)+Cmin because N(1)=2 holds for the Clifford+T case. The bound also saturates the lower bound proved in that paper up to an additive constant. In this simple case, at item 1301 of
More generally, the cost vector (L1, . . . , LM) that is input to item 1302 desirably satisfies the following inequality:
L1 log(N(1))+ . . . +LM log(N(M)) ≥ 4 log(1/ε)+Cmin.
The length of the circuit output by the example embodiment is proportional to L1+ . . . +LM and therefore proportional to log(1/ε), which is, up to a multiplicative factor, the best possible. Cost optimality up to an additive constant is more subtle and is dependent on the choice of cost function and the gate set.
In some cases, one might not have very fine control of the cost of the output circuit using cost vector. In the worst case, the cost vector will allow one to control the cost of the output circuit up to multiplicative factor. In this situation, one can use the following strategy to improve the cost of output
More formally, the problem being solved in item 1302 of
(Quaternion approximation problem, QAP). Given
(1) A quaternion gate set specification F, σ, a, b, , S={1, . . . , M},
(2) target angle φ
(3) target precision ε
(4) target cost vector (L1, . . . , LM) satisfying
L1 log N(1)+ . . . +LM log N(M)−4 log(1/ε) ∈ [Cmin,Cmax],
where constants Cmin,Cmax depend only on the quaternion gate set specification.
Find q from the generalized Lipschitz order (see the “generalized Lipschitz order” section) in quaternion algebra
such that nrd(q)F=1L
The polynomial time algorithm (in log(1/ε)) for QAP provides a polynomial time algorithm for solving the unitary approximation problem for gate sets that can be described by a totally definite quaternion algebra. The circuit for Uq can be found in time polynomial in L1, . . . , LM using an embodiment of the exact synthesis algorithm from Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015); U.S. Provisional Patent Application No. 62/146,182 filed on Apr. 10, 2015, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”; or PCT International Application No. PCT/US2016/025958 filed on Apr. 5, 2016, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”. The cost of the resulting circuit is a linear function in L1, . . . , LM and therefore one can solve UAP with a cost bound function that is in Θ(log(1/ε)). Next, the basic definitions used to describe the details of the example embodiments are provided.
Let F be a totally real number field of degree d. Let σ1, . . . , σd be embeddings of F into . Let F be a ring of integers of F. Let a, b be two totally negative elements of F. In other words for all k=1, . . . , d one has σk(a)<0, σk(b)<0. Now consider a quaternion algebra
given by
Q={a0+a1i+a2j+a3k : a0,a1,a2,a3∈F},
where i^2=a, j^2=b and k=ij=−ji. The fact that a, b are totally negative implies that Q is a totally definite quaternion algebra. The conjugate of a quaternion q=a0+a1i+a2j+a3k is defined as q*=a0−a1i−a2j−a3k. The reduced norm nrd and reduced trace trd are defined as
nrd(q)=qq*, trd(q)=q+q*
Let σ=σ1 be a fixed embedding that one can use to construct unitaries out of quaternions. A homomorphism from quaternion algebra into the algebra of complex 2×2 matrices can be defined as follows:
Here I, X, Y, Z are the four Pauli matrices. Note that h has additional nice properties:
det(h(q))=σ(nrd(q)), Tr(h(q))=σ(trd(q)).
To construct special unitaries out of quaternions, one can use the following mapping:
Note that for any non-zero a from F one has the following
Now consider the structure of the image of U(q) in more detail. This structure can be expressed using a number field that can be embedded into Q. Let K=F(√a) be a totally imaginary extension of F of degree 2. Such number fields K are called CM fields. See, e.g., Lawrence C. Washington, “Introduction to Cyclotomic Fields,” (Springer, 1982). This is ensured by the condition that σk(a)<0, k=1, . . . , d. Let β be an element of K such that β^2−a=0. The degree of the field K is 2d and there are 2d embeddings of K into . Each element of K can be represented as a0+a1β where a0 and a1 are from F. One can define 2d embeddings of K into as follows:
σk,+(a0+a1β)=σk(a0)+iσk(a1)√(|σk(a)|)
σk,−(a0+a1β)=σk(a0)−iσk(a1)√(|σk(a)|)
Further, the notation σ for σ1,+ is used, which is in agreement with σ=σ1 for elements of F because for a0 from F one has σk,±(a0)=σk(a0).
Each element of the quaternion algebra
q=a0+a1i+a2j+a3k=(a0+a1i)+(a2+a3i)j
can be mapped to two elements of K in the following way:
e1(q)=a0+βa1, e2(q)=a2+βa3. (4)
Conversely, the map e1^{−1} describes an embedding of K into quaternion algebra Q. Note that now homomorphism h(q) can be written as:
Using this notation one also has:
σ(nrd(q))=|σ(e1(q))|^2+|σ(b)|·|σ(e2(q))|^2.
Or in other words, in terms of relative norm NK/F one has:
nrd(q)=N_{K/F}(e1(q))−b·N_{K/F}(e2(q)).
For any CM field, one can define an automorphism *:K→K which is called complex conjugation and which has the following properties:
σk,±((a0+a1β)*)=σk,±(a0+a1β)*,
(a0+a1β)*=a0−a1β.
Using it one can express the relative norm N_{K/F}(x)=xx* and see that σk(N_{K/F}(x))=|σk,±(a0+a1β)|^2. In addition one has that
$$e_1(q)^* = e_1(q^*), \qquad e_1^{-1}(q)^* = e_1^{-1}(q^*).$$
Example distance functions that are used for unitaries in example embodiments include
The notation for Rz is the following:
Now consider the distance between Rz(φ) and unitary Uq for a given quaternion q:
where R=√(σ(nrd(q))) and h(q) is defined by Equation 2. One can further rewrite this as:
where z=σ(e1(q)), w=−σ(e1(q))*√(|σ(b)|) and |x|²+|y|²=R². Now, one can solve the inequalities:
The inequalities above do not constrain w. Introducing z0=R(1−ε²)e^{−iφ/2}, inequality (8) simplifies to the following two inequalities:
$$\mathrm{Re}((z - z_0)e^{i\varphi/2}) \ge 0 \quad\text{or}\quad \mathrm{Re}((z + z_0)e^{i\varphi/2}) \le 0,$$
and inequality (9) simplifies to
$$\mathrm{Re}((z - z_0)e^{i\varphi/2}) \ge 0.$$
In addition, the fact that Uq is a unitary matrix implies that |z|≤R.
Let q=e1−1 (z1)+e2−1(z2) and let σ1,+(z1) belong to the following set
{z∈:Re((z−z0)eiφ/2)≥0,|z|≤R}
(region 1412 on
More specifically, in
Recall several definitions about rings, ideals, orders, and quaternions that are useful in studying a special case presented in Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015), U.S. Provisional Patent Application No. 62/146,182 filed on Apr. 10, 2015, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”; or PCT International Application No. PCT/US2016/025958 filed on Apr. 5, 2016, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”, namely the case of totally definite quaternion algebras. Here, Section 2 of Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015) is followed. For further references to the literature and other facts used in the following, refer to the reference section of Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015).
Let Q be a quaternion algebra over number field F (defined in Section 3.1). A F-lattice I is a finitely generated F-submodule of Q such that F I=Q. In other words, I has full rank in Q. An order O is a F-lattice that is a subring of Q. An order is a maximal order if it is not properly contained in any other order. There are a right and a left order associated with any F lattice I, defined as
R(I)={q∈Q:Iq⊂I},L(I)={q∈Q:qI⊂I}.
When one wants to emphasize that I has particular right and left order, one can call I right-R(I) fractional ideal or left-L(I) fractional ideal. A fractional right- ideal is a normal ideal if the order is a maximal order. Note that, order R(I) is maximal if and only if L(I) is maximal. All normal ideals are invertible. A normal ideal I is principal if I=qRI for some q from Q.
A normal ideal I is a two sided -ideal if R(I)=L(I)=. The principal two sided -ideals form a subgroup of the group of all two sided -ideals (under multiplication). The quotient of the group of all two sided ideals modulo principal two sided O-ideals is the two-sided ideal class group of . It is known that the two sided ideal class group of is always finite. The two sided class number of Q is the size of the two-sided ideal class group of any maximal order of Q. It is known that the size of the two-sided ideal class group is independent of the choice of maximal order . Here, the special case of results from Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015) is considered for totally definite quaternion algebras with two sided class number 1. The examples considered in this disclosure have this property.
Let disc(q1, . . . , q4)=det(trd(qiqj)i,j=1, . . . , 4). The discriminant of an order is F ideal generated by the set
{disc(q1, . . . ,q4):q1, . . . ,q4∈}.
It turns out that the discriminant is always a square. Its square root is the reduced discriminant, denoted by disc(). All maximal orders in the quaternion algebra Q have the same discriminant. The reduced norm of F lattice I is the ZF ideal nrd(I) generated by {nrd(q):q∈I}.
The unit group x of is {q∈:nrd q∈Fx} where Fx is a unit group of F. For orders in totally definite quaternion algebras, the quotient group x/Fx is always finite. The normalizer of order is the set
Normalizer()={q∈:qq−1=}.
which is a monoid under multiplication. For totally definite quaternion algebras, the quotient Normalizer()/F (considered as a quotient of two monoids) is finite similarly to x/F.
One can say that nrd(q) is supported on the set S of prime ideals of F if:
Also recall that map T2: F→+ is defined as:
Now all definitions are in place to state the special case of one of the main results of Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015) (Theorem 3.18) for totally definite quaternion algebras with two sided class number 1.
Let Q be a totally definite quaternion algebra over totally real number field F with two sided class number one, let be a maximal order in Q, let S=(1, . . . , M) be a finite set of prime ideals of F. There exists set genS() such that every quaternion q from the set
S={q∈:nrd(q) is supported on S}
can be written as the product q1 . . . qnqrem where q1, . . . , qn are from genS() and qrem is from Normalizer(). If all ideals from S do not divide disc() then qrem is from x.
There exist algorithms for deciding if the set genS() is finite and computing it if this is the case. There is also an algorithm for finding factorization q1 . . . qnqr in time polynomial in log T2(nrd(q)).
To find the factorization, one can do trial division of q by elements of genS() and greedily reduce values v(,q) in equation (10) on each step. A trial-division step can be performed until one is left with an element of Normalizer(). The map Uq discussed in the “Using quaternions to represent unitaries” Section (Section 3.1) depends only on qr/Fx up to a sign, therefore there are only finitely many possible unitaries Uq
,S*=genS()∪Normalizer()/F∪{−1}.
The main difficulty of the exact synthesis of quaternions and unitaries is computing genS() such that the simple trial division algorithm described above works. Specific examples illustrating the above definitions are presented in the “End to end examples of using the framework” Section below.
The canonical cost function for Uq can be defined using v(q,) (see Equation 10) as:
As will be discussed in more detail in the “End to end examples of using the framework” Section (Section 6), the canonical cost function corresponds to the T-count for Clifford+T case and to the V-count for V-basis case. The cost vector (L1, . . . , LM) of quaternion q is equal to (v(q,), . . . , v(q,M)). Given the cost vector it is always possible to upper bound Ccanonical(Uq) as:
For the decomposition q=q1 . . . qnqr described in Theorem 3.2 one has cost(q)=Σ_{k=1}^{n} cost(qk). This also implies that the length of the circuit corresponding to Uq can be upper bounded by a function linear in the cost vector (L1, . . . , LM).
The Lipschitz order L in the quaternion algebra
can be expressed in the following way:
L=e1^{−1}([i])+e2^{−1}([i])=+i+j+k,
where [i] is a maximal order of (√−1). For the definition of e1,e2 see eq. (4) in the “Using quaternions to represent unitaries” Section (Section 3.1). This construction can be generalized to an arbitrary totally definite quaternion algebra. Let K be the ring of integers of K. It is a two dimensional F module, therefore it has a F pseudo basis and can be written (in modified Hermite Normal Form), see Corollary 2.2.9 in Henri Cohen, “Advanced Topics in Computational Number Theory,” Graduate Texts in Mathematics (Springer New York, 2000) as:
K=F+γI
where I is integral F ideal and γ an element of K such that 1, γ is a F-basis of K.
The generalized Lipschitz order can be defined as:
L=e1^{−1}(K)+e2^{−1}(K)
L=F+e1^{−1}(γ)I+Fj+e1^{−1}(γ)jI (12)
In the disclosure, lattices are used that are related a) to the ring of integers K of CM field K, b) to ideals in K, and c) to the unit group of the totally real subfield F of K. Definitions related to integer lattices are briefly reviewed here. More detailed discussion of the definitions and related results can be found in Daniele Micciancio and Shafi Goldwasser, “Complexity of lattice problems: a cryptographic perspective,” volume 671 of Springer International Series in Engineering and Computer Science (Springer, 2002).
Let B={b1, . . . , bn} be a set of linearly-independent vectors in m, where m≥n. The discrete group (B)=B(n)=b1+ . . . +bn is called the integer lattice of rank n with basis B. Let span ()= be the real span of an n-dimensional lattice and write span((B))=span(B). A subset ∈span() is called a fundamental domain of the lattice if for every vector t∈span() there exists a unique lattice vector v(t)∈ such that t−v(t)∈ There are at least two different centrally-symmetric fundamental domains associated with each lattice basis. The centered fundamental parallelepiped C(B) associated to a lattice basis B is given by the inequalities
$$C(B) = B[-\tfrac12,\tfrac12)^n = \{Bx : -\tfrac12 \le x_k < \tfrac12,\ k=1,\dots,n\}.$$
The second fundamental domain is defined in terms of Gram-Schmidt orthogonalization (GSO) B*=[b1*, . . . , bn*] of a lattice basis B:
where the orthogonalization coefficients μi,j are defined as
$$\mu_{i,j} = \langle b_i, b_j^* \rangle / \langle b_j^*, b_j^* \rangle.$$
Note that the GSO of a lattice basis is not necessarily a basis of (B). It is related to the original basis via
The centered orthogonalized fundamental parallelepiped C(B*) associated to a lattice basis B is given by the inequalities
$$C(B^*) = B^*[-\tfrac12,\tfrac12)^n = \{B^*x : -\tfrac12 \le x_k < \tfrac12,\ k=1,\dots,n\}$$
where B* is the Gram-Schmidt orthogonalization of B.
For every integer lattice of rank n>1, there are infinitely many choices of bases. Indeed, for any transformation G∈GLn(), the basis BG spans the same set of vectors over as the basis B. Here, ⟨x,y⟩ is used for the standard Euclidean inner product of vectors x,y∈m, and ∥x∥ for the corresponding norm. Reduced lattice bases obtained using the Lenstra-Lenstra-Lovasz (LLL) or Hermite-Korkine-Zolotarev (HKZ) reduction algorithms allow one to ensure that the sizes of the above fundamental domains are essentially independent of an initial choice of basis, depending only on the lattice determinant. See, e.g., Arjen K. Lenstra, Hendrik W. Lenstra, and Laszlo Lovasz, “Factoring polynomials with rational coefficients,” Math. Ann., 261:515-534 (1982); Phong Q. Nguyen and Damien Stehle, “Floating-point LLL revisited,” in 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'05), pages 215-233 (2005).
Elements of K correspond to 2d dimensional real vectors via map
σ:K→2d
z↦(Re(σ1,+(z)),Im(σ1,+(z)), . . . ,Re(σd,+(z)),Im(σd,+(z))).
The image of K under σ is a 2d dimensional integer lattice with associated bilinear form given by TrK/(xy*). Each integral basis of K corresponds to the basis of . Similarly, each K ideal has a basis. The images of K ideals under map σ correspond to sublattices of . The determinant of is equal to the discriminant of F.
4.1. High Level Description of the Algorithm.
In this section, a formal description of an exemplary embodiment for solving Problem 2.4 is given and for implementing item 1302 in
There exist constants Cmin,Cmax and an algorithm (the online part of the procedure APPROXIMATE,
Before looking at details of the algorithm on
The online part of all procedures is executed for each instance of the approximation problem being solved. The instance of the problem is defined by angle φ, target precision ε and target cost vector (L1, . . . , LM). These are the inputs for the online part of procedure APPROXIMATE. The input to the online part of each procedure is denoted by the word Input. The online part of each procedure uses results of computations done in the offline part. Naturally, an offline part cannot depend on the results of online computation. The output of the online part of each procedure is denoted by the word Output. In the complexity analysis discussed here, the primary concern is the online part and it will be shown that the online part of procedure APPROXIMATE has a polynomial runtime on average under a certain number theoretic conjecture. In the “End to end examples of using the framework” Section, the runtime of both online and offline parts is provided for some examples, demonstrating that the offline part is not prohibitively expensive for instances of the problem interesting for applications. Next, the online part of procedure APPROXIMATE is described in more detail.
The method (algorithm) shown on
$$q = e_1^{-1}(z_1) + e_2^{-1}(z_2).$$
As discussed in the “Distance to Rz rotations” Section, the distance d2(Uq,Rz(φ)) depends only on z1. For this reason, in the algorithm, z1 (procedure RANDOM-INTEGER-POINT, line 9 in
Procedure FAST-SOLVE-NORM-EQ solves the relative norm equation NK/F(z2)=z2z2*=e in the relative extension K/F for a special class of right hand sides e. There are two challenges related to this procedure. First, a solution does not always exist for an arbitrary right hand side e. Second, solving an arbitrary instance of the norm equation (for fixed extension K/F) can be as hard as factoring. Both these challenges can be addressed. First, the necessary conditions on the right hand side e of the equation to be solvable are identified. Second, the set of right hand sides e for which the equation can be solved in probabilistic polynomial time (using procedure IS-EASILY-SOLVABLE, line 11, in
The necessary condition for the norm equation to be solvable is that for all embeddings σk of F into it must be the case that σk(e)>0 (for k=1, . . . , d). Procedure RANDOM-INTEGER-POINT (line 9 in
S_{r,φ,ε}={x∈2d: Re((x1+ix2−z0^{r,φ,ε})e^{−iφ/2})≥0, |x2k+ix2k+1|²≤σk(r)} (14)
where z0^{r,φ,ε}=√(σ1(r))(1−ε²)e^{−iφ/2}. See
Before proceeding to the proof of Theorem 4.1, results that are proven later and used in the proof are presented.
There exist real numbers p0, M and vectors Rmin,Rmax from (0, ∞)d (computed in the offline part of RANDOM-INTEGER-POINT procedure,
$$\sqrt{\sigma_1(r)}\,\varepsilon^2/4 \in [R_1^{\min}, R_1^{\max}], \qquad \sqrt{\sigma_k(r)} \in [R_k^{\min}, R_k^{\max}] \ \text{ for } k=2,\dots,d$$
there is an element z from F such that σ(z) is in Sr,φ,ε (see Equation (14)). Procedure RANDOM-INTEGER-POINT runs in time polynomial in log(1/ε) and returns each element of the set
$$\mathrm{Cand}_{r,\varphi,\varepsilon} = \{ z \in K : \sigma(z) \in S_{r,\varphi,\varepsilon} \} \qquad (15)$$
with probability at least p0/|Candr,φ,ε|. The size of the set Candr,φ,ε belongs to the interval
$$\left[\, 2\sqrt{4-\varepsilon^2}/\varepsilon,\ \left(4\sqrt{4-4\varepsilon^2}/\varepsilon + 2\right) M \,\right]$$
The proof of Theorem 4.2 can be found in the “Solution region sampling” Section (Section 4.3).
Given vector Rmin from (0, ∞)d, there exists constants Cmin,Cmax and vector Rmax (computed by the offline part of SUITABLE-Q-NORM procedure,
L1 log N(1)+ . . . +LM log N(M)−4 log(1/ε)∈[Cmin,Cmax]
there is an algorithm that decides if narrow class number of ideal 1L
$$\sqrt{\sigma_1(r)}\,\varepsilon^2/4 \in [R_1^{\min}, R_1^{\max}], \qquad \sqrt{\sigma_k(r)} \in [R_k^{\min}, R_k^{\max}] \ \text{ for } k=2,\dots,d$$
The algorithm runs in polynomial time in log(1/ε) (see online part of SUITABLE-Q-NORM procedure in
The informal discussion and the proof of the Theorem 4.3 can be found in the “Picking a suitable quaternion norm” Section (Section 4.2).
Given totally positive element e of F, there exists an algorithm for testing if the instance of integral relative norm equation in K/F
zz*=e, z∈K
can be solved in polynomial time in log T2(e) (procedure IS-EASILY-SOLVABLE, where T2(e)=Σ_{k=1}^{d} σk²(e)). If the test is passed, there exists another algorithm for deciding if a solution exists and finding it, which runs in time polynomial in log T2(e) (procedure FAST-SOLVE-NORM-EQ). Procedure IS-EASILY-SOLVABLE returns true for at least those cases when the ideal eF is prime.
First, a proof is given that the output is correct. The norm of the quaternion q computed on line 15 (
$$\mathrm{Re}((\sigma_{1,+}(z) - z_0)e^{-i\varphi/2}) \ge 0, \qquad |\sigma_{1,+}(z)| \le \sqrt{\sigma_1(r)}$$
where z0=√(σ1(r))(1−ε²)e^{−iφ/2}. According to Proposition 3.1 this implies that d2(Rz(φ),Uq)≤ε. Numbers z1,z2 are in F which immediately implies that q is in the generalized Lipschitz order.
Next, it is shown that the restrictions on inputs of all the procedures called within online part of procedure APPROXIMATE are satisfied. Procedure SUITABLE-Q-NORM (line 6,
L1 log N(1)+ . . . +LM log N(M)−4 log(1/ε)∈[Cmin,Cmax],
which is required in the statement of the theorem. From Theorem 4.3 it is known that procedure SUITABLE-Q-NORM (line 6,
$$\sqrt{\sigma_1(r)}\,\varepsilon^2/4 \in [R_1^{\min}, R_1^{\max}], \qquad \sqrt{\sigma_k(r)} \in [R_k^{\min}, R_k^{\max}] \ \text{ for } k=2,\dots,d$$
therefore procedure RANDOM-INTEGER-POINT always succeeds. Now it is shown that e=(r−z1z1*)/(−b) is totally positive, where b is the parameter from the definition of the quaternion algebra Q. Note that e being totally positive is required by procedures IS-EASILY-SOLVABLE (line 11,
$$\sigma_k(e) = \frac{\sigma_k(r) - |\sigma_{k,+}(z_1)|^2}{-\sigma_k(b)}.$$
By definition, b is totally negative and σk(e)>0 if and only if σk(r)−|σk,+(z1)|2>0. By Theorem 4.2, the output of procedure RANDOM-INTEGER-POINT (line 9,
It remains to show that the example algorithm terminates and runs on average in time polynomial in log(1/ε). Procedure SUITABLE-Q-NORM (line 6,
Next, it is shown that the logarithm of
is bounded by a polynomial in log(1/ε). This implies that procedures IS-EASILY-SOLVABLE and FAST-SOLVE-NORM-EQ run on average in polynomial time according to Theorem 4.4. Indeed, one has σk(e)≤σk(r)/σk(−b), √(σ1(r)) is bounded by 4R1max/ε² and √(σk(r)) are bounded by Rkmax for k=2, . . . , d. Finally, arithmetic in the number field (line 10,
It can be concluded that procedure APPROXIMATE runs on average in time polynomial in log(1/ε) under the conjecture that the fraction of points in set {z∈K:σ(z)∈Sr,φ,ε} for which one can reach line 12 (
In this subsection, the following theorem is proven:
Given vector Rmin from (0, ∞)d, there exists constants Cmin,Cmax and vector Rmax (computed by the offline part of SUITABLE-Q-NORM procedure,
L1 log N(1)+ . . . +LM log N(M)−4 log(1/ε)∈[Cmin,Cmax]
there is an algorithm that decides if narrow class number of ideal 1L
$$\sqrt{\sigma_1(r)}\,\varepsilon^2/4 \in [R_1^{\min}, R_1^{\max}], \qquad \sqrt{\sigma_k(r)} \in [R_k^{\min}, R_k^{\max}] \ \text{ for } k=2,\dots,d$$
The algorithm runs in polynomial time in log(1/ε) (see online part of SUITABLE-Q-NORM procedure in
The proof relies on the following proposition proven in this and the next sections.
Given non-negative integers L1, . . . , LM there is an algorithm (procedure TOTALLY-POS-GEN,
There exists real numbers δ0 and δ1, . . . , δd (computed by the offline part of the procedure UNIT-ADJUST,
|log|σk(u)|−tk|≤log δk for k=1, . . . ,d,
under the assumption that |t1+ . . . +td|<log δ0. The runtime of the algorithm is bounded by a polynomial in ∥t∥.
Given real numbers δ0, . . . , δd>1, vector Rmin from (0, ∞)d, and prime ideals 1, . . . , M there exist real numbers Cmin,Cmax and vector Rmax from (0, ∞)d (computed by the offline part of the procedure TARGET-SIZE,
$$t_1 + \log\left(\sqrt{\sigma_1(r)}\,\varepsilon^2/4\right) \in [\log R_1^{\min} + \log\delta_1,\ \log R_1^{\max} - \log\delta_1]$$
$$t_k + \log\sqrt{\sigma_k(r)} \in [\log R_k^{\min} + \log\delta_k,\ \log R_k^{\max} - \log\delta_k], \quad k=2,\dots,d$$
and |t1+ . . . +td|<log δ0. The algorithm succeeds under the assumption that L1 log N(1)+ . . . +LM log N(M)−4 log(1/ε)∈[Cmin,Cmax].
The runtime of the algorithm is bounded by a polynomial in log(1/ε) and log T2(r). The norm ∥t∥ is bounded by the function that is linear in the same variables.
First, it is proven that the procedure terminates in polynomial time in L1, . . . , LM when it returns FALSE. Indeed, when ideal 1L
Next, the case when the output of SUITABLE-Q-NORM procedure is TRUE is considered. First, it is proven that the output of SUITABLE-Q-NORM procedure (
It remains to show that σk(ru2) satisfy required inequalities. By Proposition 4.6 unit u (line 11,
|log|σk(u)|−tk|≤log δk, k=1, . . . ,d,
because by Proposition 4.7 procedure TARGET-SIZE ensures that |t1+ . . . +td|<log δ0. Now, it can be seen that
$$\log\sqrt{\sigma_k(ru^2)} - \log\sqrt{\sigma_k(r)} = \log|\sigma_k(u)| \in [t_k - \log\delta_k,\ t_k + \log\delta_k]$$
$$\log\left(\sqrt{\sigma_1(ru^2)}\,\varepsilon^2/4\right) - \log\left(\sqrt{\sigma_1(r)}\,\varepsilon^2/4\right) = \log|\sigma_1(u)| \in [t_1 - \log\delta_1,\ t_1 + \log\delta_1]$$
This immediately implies that
$$\log\sqrt{\sigma_k(ru^2)} \in [\log R_k^{\min},\ \log R_k^{\max}], \quad \text{for } k=2,\dots,d$$
$$\log\left(\sqrt{\sigma_1(ru^2)}\,\varepsilon^2/4\right) \in [\log R_1^{\min},\ \log R_1^{\max}]$$
It is now shown that the runtime of the algorithm is bounded by a polynomial in log(1/ε). All Lk are bounded by function linear in log(1/ε). Procedure TOTALLY-POS-GENERATOR runs in polynomial time and produces r such that log T2 (r) is bounded by a function linear in L1, . . . , LM. This ensures that procedure TARGET-SIZE outputs t1, . . . , td such that their bit size is bounded by polynomial in log(1/ε). It also ensures that ∥t∥ is bounded by a function linear in log(1/ε). This ensures that procedure UNIT-ADJUST runs in polynomial time. Note that for unit u (computed in line 11,
Therefore log T2(u) is bounded by a function linear in log(1/ε). Hence, the time spent on computing ru2 is bounded by polynomial in log(1/ε). It has therefore been shown that procedure SUITABLE-Q-NORM runs in polynomial time.
Now, the procedure TOTALLY-POS-GENERATOR (
Given non-negative integers L1, . . . , LM there is an algorithm (procedure TOTALLY-POS-GEN,
First, the correctness of the online part of the algorithm is proven. It is not difficult to see that
1
L
· . . . ·ML
One knows what each of ideals kN
1
L
· . . . ·ML
It can be seen that r1s
Now, it is shown that the algorithm runs in polynomial time. The number of multiplications to perform is bounded by L1+ . . . +LM. Note that
Therefore, each time a multiplication is performed, the value log T2 of the arguments is bounded by a function linear in L1, . . . , LM. It can be concluded that r1s
It remains to show the correctness of the offline part of procedure. First, note that Nk always exist. The fact that the class group of the number field is always finite implies that for each ideal k there exists a number Nk′ (dividing the order of class group) such that ideal kN′
Note, that in case of Clifford+T and Clifford+Rz(π/16) gate set the narrow class group of F is trivial and therefore any ideal has a totally positive generator. This significantly simplifies procedure TOTALLY-POS-GENERATOR.
On a high level, procedure TARGET-SIZE (
Given real numbers δ0, . . . , δd>1, vector Rmin from (0, ∞)d, and prime ideals 1, . . . , M there exist real numbers Cmin,Cmax and vector Rmax from (0, ∞)d (computed by the offline part of the procedure TARGET-SIZE,
$$t_1 + \log\left(\sqrt{\sigma_1(r)}\,\varepsilon^2/4\right) \in [\log R_1^{\min} + \log\delta_1,\ \log R_1^{\max} - \log\delta_1]$$
$$t_k + \log\sqrt{\sigma_k(r)} \in [\log R_k^{\min} + \log\delta_k,\ \log R_k^{\max} - \log\delta_k], \quad k=2,\dots,d$$
and |t1+ . . . +td|<log δ0. The algorithm succeeds under the assumption that L1 log N(1)+ . . . +LM log N(M)−4 log(1/ε)∈[Cmin,Cmax].
The runtime of the algorithm is bounded by a polynomial in log(1/ε) and log T2(r). The norm ∥t∥ is bounded by the function that is linear in the same variables.
First, the correctness of the procedure TARGET-SIZE (
Therefore value t1+ . . . +td belongs to the interval [(Cmin−Cmax)/2, 0]. The definition of Cmax precisely implies that [(Cmin−Cmax)/2, 0]=[−log δ0, 0] which gives required bound on the sum of tk. Note that the analysis above performed for tk will hold for any tk′ in the interval [tk,tk+log δ0/d].
Parameter log δ0 is needed to account for the finite precision arithmetic used. It is not difficult to see that as soon as the precision of the arithmetic used is smaller than log δ0/C1d for a sufficiently big fixed constant C1, numbers tk computed within the mentioned precision will satisfy all required constraints. It is sufficient to perform the calculation up to a fixed precision independent of the online part of the algorithm input. This implies that all calculations in the online part can be performed in polynomial time. Also note that tk are bounded by functions linear in log T2(r) and log(1/ε) and therefore the same is true for ∥t∥. As it has been established that tk can be computed up to fixed precision, the bound on ∥t∥ implies a bound on the number of bits needed to specify each tk. This concludes the proof.
In this subsection, Theorem 4.2, used in the proof of Theorem 4.1 in Section 4.1, is proven:
There exist real numbers p0, M and vectors Rmin,Rmax from (0, ∞)d (computed in the offline part of RANDOM-INTEGER-POINT procedure,
$$\sqrt{\sigma_1(r)}\,\varepsilon^2/4 \in [R_1^{\min}, R_1^{\max}], \qquad \sqrt{\sigma_k(r)} \in [R_k^{\min}, R_k^{\max}] \ \text{ for } k=2,\dots,d$$
there is an element z from F such that σ(z) is in Sr,φ,ε (see Equation (14)). Procedure RANDOM-INTEGER-POINT runs in time polynomial in log (1/ε) and returns each element of the set
$$\mathrm{Cand}_{r,\varphi,\varepsilon} = \{ z \in K : \sigma(z) \in S_{r,\varphi,\varepsilon} \} \qquad (15)$$
with probability at least p0/|Candr,φ,ε|. The size of the set Candr,φ,ε belongs to the interval
$$\left[\, 2\sqrt{4-\varepsilon^2}/\varepsilon,\ \left(4\sqrt{4-4\varepsilon^2}/\varepsilon + 2\right) M \,\right]$$
The procedure returns points from the set Candr,φ,ε because on line 21 in
It is noted that H′/H=√(4−ε²)/(2√(4−4ε²))∈(½, 1/√3) and (ε²R/2H′)=/(4√(4−4ε²)) (0, 1/(8√3)). The constraint ε∈(0, ½) implies that PCand is lower bounded by a constant independent of the input to the online part of the RANDOM-INTEGER-POINT procedure.
It has been shown that the online part of the example procedure comprises a fixed number of arithmetic operations on average. To show that the procedure runs in polynomial time, it is sufficient to show that the absolute value of the logarithm of absolute precision required for the computation is bounded by a polynomial in log(1/ε). Consider line 18 in
$$\|P_k(Bm' - t)\| \le \|t - t'\| + \|P_k B(\lceil (B^{-1})' t' \rfloor - (B^{-1})' t')\| + \|t'\|\,\|B(B^{-1})' - I\|$$
Now it can be seen that ∥t−t′∥ is bounded by δc, the second term in the sum above is bounded by Rkmin and the third term is bounded by some fixed constant times δc∥t′∥. This implies that one can find m′ such that ∥Pk(Bm′−t)∥≤Rkmin+δc′. The absolute value of the logarithm of absolute precision required for the computation is bounded by polynomial in log(1/ε) and log(1/δc′) because log∥t′∥ is bounded by polynomial in log(1/ε). This is sufficient for purposes of this discussion because it is sufficient to choose log(1/δc′) to be of order log∥t′∥.
It remains to show that the procedure can get every point from Candr,φ,ε with probability at least p0/|Candr,φ,ε|. First, some notation is introduced for the proof. Let ξN be a random variable corresponding to N (line 16 in
Sr,φ,ε∩{x∈2d: ⟨x−t0,ΔZ⟩∈(−½,½]}.
The equality
implies that it is sufficient to lower bound P(ξz=z0/ξN=N0) and relate 2Nmax+1 to the size of Candr,φ,ε. Note that P(ξz=z0/ξN=N0)=P(z0=ξz′+Σk mk0zk). This implies that P(ξz=z0/ξN=N0) is 1/|SHIFTS| if z0−Σk mk0zk belongs to the set SHIFTS. It is now shown that z0−Σk mk0zk is always in SHIFTS. It is sufficient to show that
It is useful to note that
∥Pk(σ(z0)−Bm0)∥≤∥Pk(σ(z0)−t0)∥+∥Pk(t0−Bm0)∥≤∥Pk(σ(z0)−t0)∥+Rkmin
The fact that σ(z0) is in Sr,φ,ε∩{x∈2d:ΔZ∈(−½,½]} implies that
∥Pk(σ(z0)−t0)∥≤√(σk(r))≤Rkmax for k=2, . . . ,d.
To establish the bound on ∥P1(σ(z0)−Bm0)∥, observe that P1σ(z0) and P1Bm0 both belong to a set with the diameter √5·ε²R/2. It has also been shown that:
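$$\mathrm{Cand}_{r,\varphi,\varepsilon} \subset \mathrm{SHIFTS} + \{ \sigma^{-1}(B\lceil B^{-1}(Z_c + N\Delta Z) \rfloor) : N \in [-N_{\max}, N_{\max}] \}$$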
Finally, note that:
{z∈ZK:σ(z)∈Zc+NΔZ+C(B),|N|≤┌H′/(ε2R)┘−1,N∈}⊂Candr,φ,ε.
This implies that if Candr,φ,ε is non-empty, one has:
It can be concluded that
where P0 is
The above derivation also gives the required bounds on the size of Candr,φ,ε.
In practice, example implementations of the disclosed technology look for the best possible value (or other favorable values) of the additive constants Cmin,Cmax in Theorem 4.1 while maintaining the polynomial runtime of the online part of the algorithm. Section 8 explains in detail the version of the procedure used in the example implementations used herein to obtain the numerical results reported below (Section 6). In practice, the Nearest Plane Algorithm can be used. See Laszlo Babai, “On Lovasz lattice reduction and the nearest lattice point problem,” Combinatorica, 6(1):1-13 (1986). It is also possible to show that Rkmin can be chosen to be based on C(B*), not based on C(B). One can ensure that the basis used is Hermite-Korkine-Zolotarev reduced, which makes it possible to guarantee that Rkmin are bounded by some functions of the discriminant of K and these bounds are independent of the choice of the basis of K. See Guillaume Hanrot and Damien Stehle, “Improved analysis of Kannan's shortest lattice vector algorithm” in Alfred Menezes, editor, Advances in Cryptology—CRYPTO 2007, volume 4622 of Lecture Notes in Computer Science, pages 170-186 (Springer Berlin Heidelberg, 2007); Ravi Kannan, “Improved algorithms for integer programming and related lattice problems”, In Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing, STOC '83, pages 193-206 (New York, N.Y., USA, 1983, ACM); and Phong Q Nguyen and Damien Stehle, “Low-dimensional lattice basis reduction revisited,” 3076:338-357 (2004). A simpler version of the sampling procedure is also used in particular example implementations. The simpler version does not ensure that the distribution of procedure outcomes is close to uniform, but works well in practice.
In this section, the following proposition is proven:
There exists real numbers δ0 and δ1, . . . , δd (computed by the offline part of the procedure UNIT-ADJUST,
|log|σk(u)|−tk|≤log δk for k=1, . . . ,d,
under the assumption that |t1+ . . . +td|<log δ0. The runtime of the algorithm is bounded by a polynomial in ∥t∥.
The offline part of procedure UNIT-ADJUST computes a system of fundamental units u1, . . . , ud−1∈Fx and outputs
for k=1, . . . , d, where δ0>1 is some fixed constant.
When called with a target vector t∈d satisfying |⟨t, 1d⟩|<log δ0, the online part of UNIT-ADJUST simply rounds off t in the basis
to the lattice vector Bm, where m=┌B−1t┘∈d. Then it returns the unit u=u1m
Proof that UNIT-ADJUST is Correct.
Because Bm is the unique lattice vector contained in the shifted parallelepiped t+C(B), the following inequalities hold for k=1, . . . , d:
It is also worth noting the above shows that
C(B)⊂[−log δ1,log δ1]× . . . ×[−log δd,log δd]
and ∥Bm−t∥B≤1, where ∥x∥B:=inf{y>0:x∈C(B)y}.
Now it is shown that the running time is a polynomial in ∥t∥ and in the number of bits used to specify tk.
Proof that UNIT-ADJUST Runs in Polynomial Time.
Suppose that the tk are given with n bits of precision. Then they can be specified using O(n+log|tk|) bits as tk=±2^{l−n}s, where l=⌈log2|tk|⌉ and s∈{0, . . . , 2^n−1} is an n-bit integer. First, observe that because the number field is fixed and δ0>1 is an arbitrary fixed constant, the inverse B−1 can be precomputed to sufficiently high precision and stored during the offline part. The vector m can therefore be computed in polynomial time. Also note that its norm is bounded by a polynomial in ∥t∥. Indeed,
This further implies that each |mi|≤O(∥t∥), so that the output unit u=u1m
log∥u∥=O(|m1|log∥u1∥+ . . . +|md|log∥ud∥)=O(poly(∥t∥,∥u1∥, . . . ,∥ud∥)),
implying that the output unit can indeed be computed in polynomial time.
For proving that the algorithm runs in polynomial time, it is sufficient to show that δk are fixed numbers for a given quaternionic gate set specification. It does not in principle matter how big they are. However, one can see that the additive constant Cmin in Theorem 4.1 depends on the values of δk. When implementing examples of the algorithm in practice, the aim can be to achieve the smallest possible (or favorably small) constant Cmin while maintaining good performance. For this reason, the Nearest Plane Algorithm is used instead of the simple round off procedure shown in
The results of applying the Nearest Plane Algorithm depend on the quality of the basis used with it. In practice, and in accordance with certain example implementations, a Hermite-Korkine-Zolotarev or LLL reduction is applied to the unit lattice basis during the offline step of the algorithm. See Guillaume Hanrot and Damien Stehle, “Improved analysis of Kannan's shortest lattice vector algorithm” in Alfred Menezes, editor, Advances in Cryptology—CRYPTO 2007, volume 4622 of Lecture Notes in Computer Science, pages 170-186 (Springer Berlin Heidelberg, 2007); Ravi Kannan, “Improved algorithms for integer programming and related lattice problems”, In Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing, STOC '83, pages 193-206 (New York, N.Y., USA, 1983, ACM); and Phong Q Nguyen and Damien Stehle, “Low-dimensional lattice basis reduction revisited,” 3076:338-357 (2004); Phong Q. Nguyen and Damien Stehle, “An LLL algorithm with quadratic complexity,” SIAM Journal on Computing, 39(3):874-903 (2009). This allows the procedure to further lower the contribution from log δ1, . . . , log δk to the additive constant Cmin. The value of log δ0 can be chosen to be very small, and its contribution to Cmin can be made negligible without high computational overhead. Values of δk computed based on a reduced basis can also be related to the value of the regulator of number field F and known techniques for bounding the regulator can be applied to bound them.
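The contrast between the simple round-off m=⌈B−1t⌋, whose error t−Bm lies in C(B), and the Nearest Plane Algorithm, whose error lies in C(B*), can be checked directly. The following Python sketch is an added illustration, not code from the disclosure; the basis B, the target T and all function names are constructed for the example, and exact rational arithmetic is assumed in place of the finite-precision arithmetic analyzed above.

```python
from fractions import Fraction
from math import floor

HALF = Fraction(1, 2)

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(basis):
    """Return B* = [b_1*, ..., b_n*], b_i* = b_i - sum_{j<i} mu_ij b_j*."""
    ortho = []
    for b in basis:
        v = [Fraction(x) for x in b]
        for o in ortho:
            mu = dot(b, o) / dot(o, o)   # mu_ij = <b_i, b_j*> / <b_j*, b_j*>
            v = [x - mu * y for x, y in zip(v, o)]
        ortho.append(v)
    return ortho

def round_centered(x):
    """Integer m with x - m in [-1/2, 1/2), the half-open convention of C(B)."""
    return floor(x + HALF)

def sweep(basis, t, round_each_step):
    """Peel off the coefficients of b_n, ..., b_1 via projections onto b_i*."""
    ortho = gram_schmidt(basis)
    r = [Fraction(x) for x in t]
    coeffs = [0] * len(basis)
    for i in reversed(range(len(basis))):
        c = dot(r, ortho[i]) / dot(ortho[i], ortho[i])
        coeffs[i] = round_centered(c) if round_each_step else c
        r = [a - coeffs[i] * b for a, b in zip(r, basis[i])]
    return coeffs

def round_off(basis, t):
    """m = round(B^-1 t): exact coordinates of t first, then round them all."""
    return [round_centered(c) for c in sweep(basis, t, False)]

def nearest_plane(basis, t):
    """Nearest Plane: round one coordinate, subtract, then continue."""
    return sweep(basis, t, True)

def residual(basis, m, t):
    """The error vector t - Bm."""
    return [Fraction(x) - sum(mi * b[k] for mi, b in zip(m, basis))
            for k, x in enumerate(t)]

def in_C_B(basis, e):
    """True if e lies in the centered fundamental parallelepiped C(B)."""
    return all(-HALF <= c < HALF for c in sweep(basis, e, False))

def in_C_Bstar(basis, e):
    """True if e lies in the orthogonalized parallelepiped C(B*)."""
    return all(-HALF <= dot(e, o) / dot(o, o) < HALF
               for o in gram_schmidt(basis))

def box_half_widths(vectors):
    """Half-width of V[-1/2,1/2)^n along each axis: (1/2) * sum_j |v_j[k]|."""
    return [sum(abs(Fraction(v[k])) for v in vectors) / 2
            for k in range(len(vectors[0]))]

# Constructed sample data: a deliberately skewed basis of Z^2 and a target.
B = [[1, 0], [3, 1]]
T = [Fraction(0), Fraction(2, 5)]

if __name__ == "__main__":
    for name, solver, member in (("round-off", round_off, in_C_B),
                                 ("nearest plane", nearest_plane, in_C_Bstar)):
        m = solver(B, T)
        e = residual(B, m, T)
        print(name, "m =", m, "t - Bm =", e, "|e|^2 =", dot(e, e),
              "in domain:", member(B, e))
    print("box of C(B): ", box_half_widths(B))
    print("box of C(B*):", box_half_widths(gram_schmidt(B)))
```

On this basis the bounding box of C(B) is four times wider along the first axis than that of C(B*), which is the kind of slack that the constants log δk have to absorb when round-off is used on an unreduced basis.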
Computing the system of fundamental units of the number field is known to be a hard problem and can be too costly even for the offline part of the algorithm. In practice, this issue can be circumvented to some extent. For example, it is sufficient to know the generators of the finite index subgroup of the unit group, but not the unit group itself. Frequently generators of such a subgroup can be computed much faster than the system of fundamental units (see, e.g., Michael E. Pohst and Hans Zassenhaus, “Algorithmic Algebraic Number Theory,” volume 30 of Encyclopedia of Mathematics and its Applications (Cambridge University Press, 1989)) or are even known in analytic form (see, e.g., Lawrence C. Washington, Introduction to Cyclotomic Fields (Springer, 1982)).
On a high level, the performance of the example approximation algorithm depends on the properties of the set of all possible solutions to QAP (Problem 2.4). Recall the statement of QAP:
(Quaternion approximation problem, QAP). Given
(1) A quaternion gate set specification F, σ, a, b, , S={1, . . . , M}),
(2) target angle φ
(3) target precision ε
(4) target cost vector (L1, . . . , LM) satisfying
L1 log N(1)+ . . . +LM log N(M)−4 log(1/ε)∈[Cmin,Cmax],
where constants Cmin,Cmax depend only on the quaternion gate set specification.
Find q from the generalized Lipschitz order (see the “generalized Lipschitz order” section) in quaternion algebra
such that nrd(q)F=1L
Recall also, that map Uq is constructed in the “Using quaternions to represent unitaries” Section (Section 3.1) using the embedding σ:F→ that is a part of quaternion gate set specification.
Next, a formal description of the set of all solutions to QAP is constructed. Let L be a generalized Lipschitz order in
(see Section 3.4). Here, the following set is used as a part of the description of all possible solutions to QAP:
Slnr,φ,ε={q∈L:∥Uq−Rz(φ)∥≤ε, nrd(q)=r}
The set of all possible norms of quaternions with given cost vector L1, . . . , LM is given by
nrdL, . . . ,L={r∈F:rF=1L
Using the notation above, the set of all solutions to given instance of QAP is given by:
Note that for any unit u for Fx it is the case that Uq=Uqu. For this reason, the set of all solutions can be obtained as:
where the set nrdL
{u∈Fx):u is totally positive}/(Fx)2.
Next, a discussion of the structure of the set Slnr,φ,ε is provided. Consider q from Slnr,φ,ε. Quaternion q can be described by two elements z1,z2 of K as
q=e1−1(z1)+e2−1(z2)
Note that equality r=z1z1*−bz2z2* and condition ∥Uq−Rz(φ)∥≤ε imply that
Re((σ1,+(z1)−z0)eiφ/2)≥0, σk,+(z1)≤σk(r)
where z0=√(σ1(r))(1−ε2)e−iφ/2. In other words z1 belongs to the set Candr,φ,ε defined as:
Candr,φ,ε={z∈K:Re((σ1,+(z1)−z0)eiφ/2)≥0, σk,+(z1)≤σk(r)}={z:σ(z)∈Sr,φ,ε}
The observations above allow one to rewrite the set Slnr,φ,ε as follows:
Note that some sets in the above union can be empty, because the relative norm equation |z2|2=(r−|z1|2)/(−b) does not always have a solution. Motivated by this fact, one can define the set
Termr,φ,ε={z1∈Candr,φ,ε:there exists z2∈K such that |z2|2=(r−|z1|2)/(−b)}
Now assume the existence of an oracle for solving the relative norm equations and drawing points from Termr,φ,ε. Under these assumptions, one could have the following algorithm for solving QAP:
(1) Pick random r from nrdL
(2) Pick z1 from Termr,φ,ε
(3) Find z2 by solving relative norm equation |z2|2=(r−|z1|2)/(−b)
(4) Return q=e1−1(z1)+e2−1(z2)
Suppose now, that such an oracle does not exist for drawing points from Termr,φ,ε. The algorithm can then be modified as follows:
(1) Pick random r from nrdL
(2) Pick random element z1 from Candr,φ,ε
(3) Check if z1 is in Termr,φ,ε. If this is not the case return to Step 2.
(4) Find z2 by solving relative norm equation |z2|2=(r−|z1|2)/(−b)
(5) Return q=e1−1(z1)+e2−1(z2)
Note that if the ratio |Termr,φ,ε|/|Candr,φ,ε| were in Ω(1/log(1/ε)), then the algorithm would still run in polynomial time. In practice, there is no oracle that solves all relative norm equations in polynomial time (or even checks if there is a solution to given relative norm equation). However, if one restricts the possible right hand sides of the relative norm equation, one can check the existence of the solution and find one in polynomial time. This motivates the following definition:
PolyTermr,φ,ε={z1∈Termr,φ,ε:((r−|z1|2)/(−b)) is a rational prime}
This gives the following example algorithm, which is very close to the procedure APPROXIMATE in
(1) Pick random r from nrdL
(2) Pick random element z1 from Candr,φ,ε
(3) Check if z1 is in PolyTermr,φ,ε. If this is not the case return to Step 2.
(4) Find z2 by solving relative norm equation |z2|2=(r−|z1|2)/(−b)
(5) Return q=e1−1(z1)+e2−1(z2)
If the ratio |PolyTermr,φ,ε|/|Candr,φ,ε| were in Ω(1/log(1/ε)) and one were drawing samples from Candr,φ,ε sufficiently uniformly, the algorithm above would still run in polynomial time, in this case in the absence of an oracle for solving arbitrary norm equations. Note that the above discussion implies that
For this reason, the ratio above is well defined for r/(Fx)2. The conjecture that implies that the algorithm runs in polynomial time is the following:
Keeping the notation introduced before in this section, for any r from
nrdL, . . . ,L/(Fx)2={r∈F:rF=1L
the ratio |PolyTermr,φ,ε|/|Candr,φ,ε| is in Ω(1/log(1/ε)).
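The five-step sampling procedure above (pick r, draw z1 from Cand, test PolyTerm membership, solve the norm equation, assemble q), written out as an added example that is not code from this disclosure or its MAGMA implementation. It assumes the simplest CM field K = Q(i) over F = Q with b = −1, norm r = 5^L, and q = z1 + z2·j; the function names are hypothetical, and a Euclid-based two-squares solver stands in for the general norm-equation procedure.

```python
import cmath
import math
import random

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def solve_two_squares(p):
    """Step 4 for K = Q(i): (c, d) with c^2 + d^2 = p, for p = 2 or a prime p = 1 mod 4."""
    if p == 2:
        return (1, 1)
    n = 2
    while pow(n, (p - 1) // 2, p) != p - 1:   # smallest quadratic non-residue
        n += 1
    a, b = p, pow(n, (p - 1) // 4, p)         # b^2 = -1 (mod p)
    while b * b > p:                          # Euclid until the remainder drops below sqrt(p)
        a, b = b, a % b
    d = math.isqrt(p - b * b)
    if b * b + d * d != p:
        raise ArithmeticError("two-squares solver failed")
    return (b, d)

def in_cand(a, b, r, phi, eps):
    """Cand for z1 = a + bi: Re((z1 - z0) e^{i phi/2}) >= 0 and |z1|^2 <= r."""
    if a * a + b * b > r:
        return False
    z0 = math.sqrt(r) * (1 - eps ** 2) * cmath.exp(-1j * phi / 2)
    return ((complex(a, b) - z0) * cmath.exp(1j * phi / 2)).real >= 0

def in_polyterm(a, b, r):
    """PolyTerm: (r - |z1|^2)/(-b) with b = -1 is a rational prime that is a norm from Z[i]."""
    m = r - a * a - b * b
    return m == 2 or (m % 4 == 1 and is_prime(m))

def approximate(phi, eps, L, seed=0, max_tries=100_000):
    """Return ((a, b, c, d), tries) with a^2+b^2+c^2+d^2 = 5^L, or (None, max_tries)."""
    rng = random.Random(seed)
    r = 5 ** L                                   # Step 1: F = Q, so r is fixed by L
    R = math.sqrt(r)
    half_chord = R * math.sqrt(1 - (1 - eps ** 2) ** 2)
    rot = cmath.exp(-1j * phi / 2)
    for tries in range(1, max_tries + 1):
        # Step 2: draw a point from the box around the circular segment, round to Z[i]
        w = complex(rng.uniform(R * (1 - eps ** 2), R),
                    rng.uniform(-half_chord, half_chord)) * rot
        a, b = round(w.real), round(w.imag)
        if not in_cand(a, b, r, phi, eps):
            continue
        if not in_polyterm(a, b, r):             # Step 3: reject and resample
            continue
        c, d = solve_two_squares(r - a * a - b * b)   # Step 4
        return (a, b, c, d), tries               # Step 5: q = a + b i + c j + d k
    return None, max_tries

if __name__ == "__main__":
    q, tries = approximate(phi=1.0, eps=0.1, L=10)
    print("q =", q, "found after", tries, "samples")
```

The `tries` count returned alongside q gives an empirical handle on the ratio |PolyTerm|/|Cand| that the conjecture below bounds.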
In this section, it is shown how a solution z∈K to a relative norm equation of the form NK/F(z)=e between a CM field K and its totally real subfield F=K∩ can be efficiently computed, provided such solutions exist at all for the given right hand side e∈F. The totally positive element e arises from the RANDOM-INTEGER-POINT step in lines 9 and 10 in the main algorithm (see
(CM Relative Norm Equation). Let K/F be a CM field of constant degree over and let e be a totally positive element of F. The task is to find an element z of K such that NK/F(z)=zz*=e in time polynomial in the bit-size of e, provided such an element z exists.
In the following paragraph, an example approach to solving a relative norm equation as in Problem 5.1 is described and pseudo-code implementations of IS-EASILY-SOLVABLE step in line 11 and FAST-SOLVE-NORM-EQ in line 12 of the main algorithm in
Relative norm equations of the form NK/F(z)=e have been studied in the literature before. Early approaches include various methods that proceed by establishing a bounding box that will contain a solution provided it exists and then checking the candidates in the bounding box. See, e.g., Zenon I. Borevich and Igor R. Shafarevich, “Number theory,” volume 20 of Pure and Applied Mathematics. Academic Press (1967); Claus Fieker, Andreas Jurk, and Michael E. Pohst, “On solving relative norm equations in algebraic number fields,” Math. Comput., 66(217):399-410 (1997); and Dennis A. Garbanati, “An algorithm for finding an algebraic number whose norm is a given rational number,” J. Reine Angew. Math., 316:1-13, 1980; Michael E. Pohst and Hans Zassenhaus, Algorithmic Algebraic Number Theory, volume 30 of Encyclopedia of Mathematics and its Applications (Cambridge University Press, 1989). Unfortunately, these methods are exponential in the bit-size of the right hand side. Next, there is a method based on S-units. See, e.g., Henri Cohen, “Advanced Topics in Computational Number Theory,” Graduate Texts in Mathematics (Springer, New York, 2000); and Denis Simon, “Norm equations in relative number fields using S-units,” Mathematics of Computation, 71(239):1287-1305 (2002). This requires the factorization of the right hand side of the equation, along with precomputation of the relative class group of the extension K/F, and some additional data that is dependent on the right hand side. Therefore, it is not clear that the resulting algorithm runs in polynomial time. Relative norm equations have also been studied in the context of cryptanalysis of lattice based cryptography, e.g., of the NTRU system.
Further, in Craig Gentry and Michael Szydlo, “Cryptanalysis of the Revised NTRU Signature Scheme,” in International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'02), pages 299-320 (2002), an algorithm is described to solve relative norm equations for cyclotomic fields over their totally real subfield. This algorithm uses Fermat's little theorem for ideals in K in conjunction with LLL reduction to find a solution, which is known to exist in the context in which the algorithm is applied. See also Sanjam Garg, Craig Gentry, and Shai Halevi, “Candidate multilinear maps from ideal lattices,” in International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'13), pages 1-17 (2013). However, like Simon's S-unit based algorithm, the algorithm relies on some properties of the right hand side, and therefore does not seem to run in time that is a polynomial in the bit-size of the right hand side.
In embodiments of the disclosed technology, a different route is taken in which a finite set of attributes of K/F that does not depend on the right hand side e is precomputed. The example method reduces the problem for general right hand side to a bounded size instance. Furthermore, the approach leverages the fact that K is a CM field and that the right hand side is of a particular form, namely that of the so-called benign integers. These are characterized in terms of a finite set ={1, . . . , k}⊂F:
(-Benign Integers). Let be a set of prime ideals of F. An integer e∈F is called benign if it is totally positive and the prime factorization of the ideal generated by e satisfies
where q is prime and e()≥0 for all ∈.
The primes in are defined by the user parameter P in algorithm APPROXIMATE (
There are several natural ways to measure the bit-size of the algebraic numbers that are involved as the input and the output of a relative norm equation. These definitions are briefly discussed and it is shown that in the example approach they are all within a constant factor of each other.
Let K/ be a Galois extension and let B={b1, . . . , bn} be a basis for K over , where n=[K:], i.e., K=⊕i=1nbi. Any x∈K can then be represented as x=Σi=1nbixi where xi∈, e.g., one can define the bit-size with respect to B as ∥x∥B:=Σi=1n|xi|. Alternatively, for CM fields, one has n=2d where [F:]=d and one can use the quadratic form T2(x)=Σi=1d|σi(x)|2 as a measure for the bit-size of x. Also, one can use a notion of bit-size that is valid for general ideals I∈K and not just for the principal ideals eF: following Jean-Francois Biasse and Claus Fieker, “A polynomial time algorithm for computing the HNF of a module over the integers of a number field,” in International Symposium on Symbolic and Algebraic Computation (ISSAC'12), pages 75-82 (2012), a matrix M∈n×n is chosen for a basis of I expressed over an integral basis of K. If M is in Hermite Normal Form, then each entry can be bounded by |det(M)|=(I), e.g., one can define S(I):=n2 log2((I)) as the bit-size of I. For principal ideals, the following definition is applied S(x):=n log2(maxi|xi|).
It turns out that T2(x) and S(x) are related. More precisely, the following result can be found (see, e.g., Jean-Francois Biasse and Claus Fieker, “A polynomial time algorithm for computing the HNF of a module over the integers of a number field,” In International Symposium on Symbolic and Algebraic Computation (ISSAC'12), pages 75-82 (2012)):
Let K/ be a CM field, let x∈K, and let ΔK=det(T2(bi,bj))2 denote the discriminant of K. Then the bound ½ log2(T2(x))≤Õ(S(x)/n+n2+log2(ΔK)) holds. Furthermore, one has that S(x)≤Õ(d(d+½ log2(T2(x)))).
Next, a bound is established that allows one to relate T2(x) to the bit-size of the expansion of x with respect to any given basis B.
Let K/ be a CM field and let B={b1, . . . , bn} be an integral basis for K over , where n=[K:]. For x=Σi=1nxibi∈K define the bit-size of x with respect to the basis B as ∥x∥B:=Σi=1n|xi|2. Let M=[Tr(bibj*)]i,j=1, . . . , n be the Gram matrix of B and let λmax and λmin be the largest, respectively smallest eigenvalue of M. Then
λmin∥x∥B/2≤T2(x)≤λmax∥x∥B/2.
Let x∈K and let x=Σi=1nxibi be its expansion over the chosen basis. Recalling that T2(x)=(xx*)=(xx*)/2 one can obtain that T2(x)=Σi,j=1nxixj*Tr(bibj*)/2. One can rewrite this as T2(x)=(x1, . . . , xn)M(x1, . . . , xn)t/2 where M is the integer valued, symmetric, and positive-definite matrix with entries Mi,j=Tr(bibj*). By diagonalizing M in an eigenbasis, one sees that λmin∥x∥B/2≤T2(x)≤λmax∥x∥B/2 as claimed.
In an example approach taken in this disclosure, the field K is considered to be a constant. This implies that quantities such as the degree [K:] or the discriminant ΔF of the totally real subfield F=K+ are constants. By choosing B to be an LLL-reduced basis, one can obtain from Lemma 5.4 that T2(x) and ∥x∥B are related by a constant factor. See also Karim Belabas, “Topics in computational algebraic number theory,” Journal de Theorie des Nombres, 16:19-63 (2004). To summarize, Lemmas 5.3 and 5.4 imply that all measures of bit-size considered in the following are within constant factors of each other.
In order to represent ideals in rings of integers, Hermite normal forms are a useful tool. For example, see the result from Arne Storjohann and George Labahn, “Asymptotically fast computation of Hermite normal forms of integer matrices,” in Proceedings of the 1996 International Symposium on Symbolic and Algebraic Computation, ISSAC '96, pages 259-266 (1996) that allows one to give a polynomial bound on both the complexity of computing a Hermite Normal Form (HNF) of an integer matrix and the bit-size of the output. See also Arne Storjohann, “Algorithms for matrix canonical forms,” PhD thesis, ETH Zurich (2000) for a discussion and comparison with other efficient algorithms to compute HNFs.
Let A∈n×m be a rank r integer matrix and let ∥A∥:=maxi,j|Ai,j|. There exists a deterministic algorithm that computes the HNF of A in time Õ(mθn log∥A∥), where the Õ notation ignores log-factors and 2≤θ≤2.373 is the exponent for matrix multiplication.
Next, a discussion will be presented of how to lift prime ideals in F to prime ideals in K. Write K=F(θ), where θ is a primitive element. Recall that the conductor of K/F is defined as ={x∈K:xK⊆F[θ]}. It is well known that at least the prime ideals that are coprime with can be easily lifted via a reduction to factoring the minimal polynomial of θ over a suitable finite field as described below. See, e.g., Jurgen Neukirch, “Algebraic Number Theory”, Ch. I, Prop. 8.3 (Springer, 1999); Daniel A. Marcus, “Number Theory,” Ch. 3, Thm. 27 (Springer 1977); or Henri Cohen, “Advanced Topics in Computational Number Theory,” Graduate Texts in Mathematics, Prop. 2.3.9 (Springer New York, 2000).
Being coprime with the conductor is equivalent to being coprime with K/F[θ]| which leaves only a finite set of primes for which it does not hold, e.g., these primes will be added to the exceptional set .
Let K/F be a Galois extension where K=F(θ). Denote by g(X)∈F[X] the minimal polynomial of θ and by the conductor of K/F. Let be a prime ideal in F that is coprime with . Let =F/ be the finite field corresponding to the residues mod and let
(X)=
be the factorization of
i:=K+gi(θ)K (17)
are precisely the prime ideals of K that are lying over and all these ideals are pairwise different.
Next, the time-complexity of computing the list of ideals i lying over is analyzed. Factoring of a polynomial f(X) of degree n over a finite field q of size q is known to run in time polynomial in n and log(q). See, e.g., Joachim von zur Gathen and Jurgen Gerhard, “Modern Computer Algebra,” Theorem 14.14 (Cambridge University Press, 2nd edition, 2003).
Let q be a finite field and let f(X)∈q[X] be a polynomial of degree n. Then there exists a probabilistic polynomial time algorithm that computes the factorization of f(X)=Πi=1kfi(X) into irreducible polynomials over q. The probability of success of the algorithm is at least ½ and the expected running time can be bounded by Õ(n2 log q).
The algorithm in Theorem 5.7 proceeds in 3 stages, namely (i) squarefree factorization, (ii) equal degree factorization, and (iii) distinct degree factorization. As in the present case [K:F]=2, there are only two possibilities of possible splitting behavior of
Using Theorem 5.7, one can obtain a refined version of Theorem 5.6 that bounds the running-time of finding the ideals lying over a given prime ideal in terms of the bit complexity of .
Let K/F be a CM field where K=F(θ). Let ⊆F be a prime ideal and let n=S() be the bit-size of . Then there exists a polynomial time algorithm to compute all ideals lying over . Furthermore, the bit-size of the is polynomial in n.
Let g(X)∈F[X] be the minimal polynomial of θ and let F:=OF/ be the finite field that arises as the residue field of . Using Theorem 5.7, one sees that the factorization
where n=2d, A is an HNF for , and the matrix
is the expansion over of the linear map that describes the multiplication by gi(θ) with respect to B. Note that all coefficients of H are bounded in bit-size by a polynomial in n. Theorem 5.5 can be used to compute an HNF H′ for H, and hence the ideal , in time polynomial in n. Theorem 5.5 also implies that the output size, e.g., all coefficients of H′, are polynomial in n.
Let K be a CM field over its totally real subfield F:=K+ and denote by {σ1, . . . , σd} the real embeddings of F into , e.g., [K:F]=2 and [F:]=d. The extension K/F is Galois and its Galois group is generated by complex conjugation, e.g., Gal(K/F)=τ, where τ(x):=x*. Furthermore, denote by F and K the rings of integers in K and F, respectively. Recall that for an ideal I⊆K the norm is defined as NK/F(I):=|K/I| which for principal ideals I=(x) coincides with the usual definition as the product of all Galois conjugates, i.e., NK/F((x))=x·x*.
For a given element e ∈F, one example approach to solving the relative norm equation NK/F(z)=e where z∈K relies on the observation that if I·I*=eF is a factorization of ideals in F and η is an arbitrary non-zero element in the lattice generated by I, then NK/F(I)|NK/F(η). This alone would not be a very useful property as potentially the quantity on the right might be unbounded. Using the fact that [K:F]=2 is constant and that K is a CM field, however, one will be able to show that for suitable η the quotient NK/F(η)/NK/F(I) will be a constant that just depends on the CM field K and not on the right hand side e of the norm equation (5.1). Furthermore, it will be shown that one can find such z in polynomial time, provided that e is benign.
In the next two sections, it is shown that there exists a probabilistic algorithm that runs in polynomial time (with respect to the bit-size of the right hand side e) and finds an element z such that NK/F(z)=e or else reports that no such element exists. This is first shown for the case where e generates a prime ideal and then in a subsequent section for the case of general benign e. The example algorithm proceeds in several stages:
Provided below is a proof that all steps can be performed by a classical algorithm whose runtime is polynomial in the bit-size of e. In the “Constructing the solution: prime case” Section (Section 5.5), this is shown for the somewhat simpler, however in practice frequently occurring, case where the right hand side eF generates a prime ideal. Further, in the “Constructing the solution: general case” Section (Section 5.6), a discussion is provided of how the case of any benign e can be handled. Before proceeding with the proof, however, it is helpful to show another technical result, namely that it is indeed possible to find an element r as needed for Steps 6 and 7 such that the co-factor γ:=NK/F(η)/NK/F(I) is bounded.
Assuming that the norm equation I·I*=eK is solvable implies that I=ξK for some element ξ∈K. It is now shown that one can find an element η∈eK such that the quotient of the norms of I and ηK is a constant. Here, I is considered to be a 2d-dimensional lattice, where d=[F:]. This means that there exists a basis {a1, . . . , a2d}⊂K such that I=a1+ . . . +a2d. Recall further that there is a quadratic form on I defined by (x,y):=(xy*) and that the Gram matrix Gi,j:=(ai,aj) is integer valued, i.e., G∈2d×2d. Furthermore, for the volume of the fundamental parallelepiped of I, the identity vol(I)=√(det(G)) holds. See, e.g., Daniele Micciancio and Shafi Goldwasser, “Complexity of lattice problems: a cryptographic perspective,” volume 671 of Springer International Series in Engineering and Computer Science (Springer, 2002).
The fact that I=ξK is principal is used in the following lemma to compute vol(I) in terms of the absolute norm of ξ:
For each I=ξK, vol(I)=vol(K)·(ξ).
First, a basis {b1, . . . , b2d} of k over , i.e., K=b1+ . . . +b2d is chosen. With respect to this basis, multiplication with the fixed element ξ is a linear transformation Mξ defined via Mξ(x1, . . . , x2d)=ξ(b1x1+ . . . +b2dx2d), and the determinant of Mξ is equal to the norm (ξ). Note also, as K is a CM field, all Galois automorphisms σ∈Gal(K/) come in complex conjugate pairs, i.e., (ξ)≥0, i.e., (ξ)=|det(Mξ)|.
By applying a base change to the Gram matrix G in which one goes from pairs of conjugates σi,
For general xi∈K one can denote by V(x1, . . . , x2d) the matrix
Using this matrix, one can then express the volume of I as vol(I)=√(det(G))=|det(V(a1, . . . , a2d))|, where the set {ai:i=1, . . . , 2d} forms a basis for I over .
Next, one can observe that the matrices VI:=V(a1, . . . , a2d) and V
vol(I)=√(det(G))=|det(VI)|=|det(Mξ)|·|det(V
as claimed.
It is now shown how to find an element η∈ξK such that the quotient of the norms of I and ηK is a constant as mentioned in the beginning of this section.
Let I=ξK be an ideal in K such that I·I*=eK. Then there exists η∈K such that (ξ/η) is upper bounded by a constant CK that depends just on the extension K/.
As above, consider I as a lattice I=a1+ . . . +a2d. Now use the LLL algorithm on the basis {a1, . . . , a2d}⊂2d. Using the LLL algorithm described in Phong Q. Nguyen and Damien Stehle, “Floating-point LLL revisited,” in 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'05), pages 215-233 (2005) it is known that the first vector v=b1 in the LLL reduced basis {b1, . . . , b2d} for I satisfies the following bound:
$\|v\| \le (4/3)^{(2d-1)/4}\,\mathrm{vol}(I)^{1/(2d)}.$
As I=ξK is by assumption principal and v∈I, there exists an element η∈K such that v=ηξ. In order to finish the proof of the lemma, it remains to show that the norm of η is upper bounded by a constant that just depends on K alone and is in particular independent of the right hand side e of the norm equation:
where the first inequality is the arithmetic-geometric-mean inequality (AGM) and v is the first basis vector obtained via LLL reduction for δLLL≡1 and ηLLL≡½ as in Phong Q. Nguyen and Damien Stehle, “Floating-point LLL revisited,” in 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'05), pages 215-233 (2005).
Using Lemma 5.10 will finally put one into a position to solve norm equations as in Problem 5.1 efficiently, in case e is a benign number as defined in Definition 5.2. In the “Constructing the solution: prime case” Section (Section 5.5) this result is established first for the case where eF is a prime ideal itself as this case is relatively straightforward. Then, the more general case of benign e will be discussed in the “Constructing the solution: general case” Section (Section 5.6).
A proof of the following theorem is now provided, which is restated from the “High level description of the algorithm” Section (Section 4.1).
Given totally positive element e of F, there exists an algorithm for testing if the instance of integral relative norm equation in K/F
zz*=e, z∈K
can be solved in polynomial time in log T2(e) (procedure IS-EASILY-SOLVABLE, where T2(e)=Σi=1dσk2(e)). If the test is passed, there exists another algorithm for deciding if the solution exists and finding it that runs in time polynomial in log T2(e) (procedure FAST-SOLVE-NORM-EQ). Procedure IS-EASILY-SOLVABLE returns true for at least those cases when the ideal eF is prime.
Now, with all of these pieces in place, it is possible to prove that the norm equations arising in the context of the example approximation method can be solved in time that is polynomial in the input size. First, proof is provided for the case where the right hand side e generates a prime ideal =eF; then, proof is provided for the more general case of a benign integer e in the next section.
Let n=S(e) be the bit-size of the ideal generated by e. Next, a discussion will be provided for all Steps 1-7 described in Section 5.3 and it will be shown that all operations can be performed in time that is upper bounded by a polynomial in n.
In Step 1, one can run a test which is described in subroutine IS-EASILY-SOLVABLE shown in
Step 2 can be done by computing quotients of the form (e)(i)−1 which can be done in polynomial time in the input bit-size and at an increase per division that is also at most polynomial. See, e.g., Jean-Francois Biasse and Claus Fieker, “A polynomial time algorithm for computing the HNF of a module over the integers of a number field” in International Symposium on Symbolic and Algebraic Computation (ISSAC'12), pages 75-82 (2012). Eventually this yields the prime ideal .
This step is also done in subroutine IS-EASILY-SOLVABLE. All subsequent steps and line numbers refer to subroutine FAST-SOLVE-NORM-EQ shown in
For Step 3, in line 12 of subroutine FAST-SOLVE-NORM-EQ, Theorem 5.6 can be used and the complexity analysis given in Corollary 5.8 can be used in order to compute an HNF for the ideal lying over in polynomial time and almost polynomial increase of the bit-size.
Step 4 in line 3 is an offline computation which does not count toward the cost of the online solution of the norm equation.
Step 5 does not have to be carried out, as by assumption in this subsection it is assumed that is prime (e.g., there is only one prime ideal to consider). This step and the consequences for the subsequent steps in case e is benign but not prime are discussed in the next subsection.
Step 6 in line 13 involves the computation of a reduced lattice basis for the ideal corresponding to from the HNF that was computed in Step 3. Using bounds on the complexity of the LLL algorithm one can see that the running time of this step is polynomial in the input size n and so is the bit-size of the short vector η that is produced by this computation. See, e.g., Phong Q. Nguyen and Damien Stehle, “An LLL algorithm with quadratic complexity,” SIAM Journal on Computing, 39(3):874-903 (2009).
For Step 7 in line 15, a method for solving norm equations can be used, such as Simon's S-unit based algorithm for which an implementation is available. See, e.g., Henri Cohen, “A Course in Computational Algebraic Number Theory,” Graduate Texts in Mathematics (Springer, 1993). As the element γ is constant and does not depend on the input size n one can assume that this computation can be done in constant time that does not affect the overall running time.
Finally, in Step 8, the case where there is no solution for γ is considered, which then implies that there is no solution for e; otherwise, η and w are combined using an ideal multiplication into the final solution z to the norm equation NK/F(z)=e. This again can be done in polynomial time.
A pseudocode description of the Steps 3-8 is given in subroutine FAST-SOLVE-NORM-EQ shown in
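The prime case of Steps 3 to 8 above, carried through for the small CM field K = Q(√−5) over F = Q, where the class group is non-trivial and the solver must sometimes report that no solution exists. This is an added example, not the disclosure's FAST-SOLVE-NORM-EQ; the choice of field, the function names, Tonelli-Shanks root finding in place of general polynomial factoring, and Lagrange-Gauss reduction in place of LLL (it returns a shortest vector in dimension 2) are assumptions made here.

```python
import math

def sqrt_mod(n, p):
    """Tonelli-Shanks: x with x*x = n (mod p) for prime p, or None if n is a non-residue."""
    n %= p
    if p == 2 or n == 0:
        return n
    if pow(n, (p - 1) // 2, p) != 1:
        return None
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

# Elements a + b*theta of Z[theta], theta^2 = -5, are stored as pairs (a, b).
def norm(v):
    """Relative norm N(a + b*theta) = a^2 + 5 b^2."""
    return v[0] * v[0] + 5 * v[1] * v[1]

def inner(u, v):
    """Bilinear form whose diagonal is the norm form."""
    return u[0] * v[0] + 5 * u[1] * v[1]

def gauss_reduce(u, v):
    """Lagrange-Gauss reduction of a rank-2 lattice basis; the first output is a shortest vector."""
    if norm(u) > norm(v):
        u, v = v, u
    while True:
        nu = norm(u)
        mu = (2 * inner(u, v) + nu) // (2 * nu)   # nearest integer to <u,v>/<u,u>
        v = (v[0] - mu * u[0], v[1] - mu * u[1])
        if norm(v) >= nu:
            return u, v
        u, v = v, u

def fast_solve_norm_eq_prime(p):
    """Return z = (a, b) with a^2 + 5 b^2 = p for a rational prime p, or None."""
    # Step 3: lift p by finding a root x of the minimal polynomial X^2 + 5 mod p.
    x = sqrt_mod(-5, p)
    if x is None:
        return None                      # p is inert, so p is not a relative norm
    # The prime ideal (p, theta - x) has Z-basis {p, theta - x} (its HNF basis).
    # Step 6: a short vector eta of the ideal lattice.
    eta, _ = gauss_reduce((p, 0), (-x, 1))
    # Bounded co-factor gamma = N(eta) / N(I); here N(I) = p.
    gamma, rem = divmod(norm(eta), p)
    assert rem == 0
    # Step 7: solve N(w) = gamma by exhaustive search; gamma is bounded by a field constant.
    bound = math.isqrt(gamma)
    for c in range(-bound, bound + 1):
        for d in range(-bound, bound + 1):
            if c * c + 5 * d * d != gamma:
                continue
            # Step 8: z = eta / w = eta * conj(w) / gamma, kept only if integral.
            za = eta[0] * c + 5 * eta[1] * d
            zb = eta[1] * c - eta[0] * d
            if za % gamma == 0 and zb % gamma == 0:
                return (za // gamma, zb // gamma)
    return None                          # no w exists, hence no solution for p

if __name__ == "__main__":
    for p in (2, 3, 5, 7, 11, 29, 41, 89):
        print(p, fast_solve_norm_eq_prime(p))
```

For p = 7 the reduced vector has norm 14, so γ = 2, which is not a norm from Z[√−5]; this is the "no solution for γ implies no solution for e" branch of Step 8.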
Here, a brief discussion is provided of the implications of e being benign but not prime. In certain example implementations, this will involve a change in Step 5; for example, instead of only considering the prime ideals lying over , the procedure considers all ideals I that can be formed by multiplying with the ideals lying over the various prime factors i∈. All ideals lying over can be precomputed without any additional cost to the online part. Also, it is noted that even though the number of ideals to be considered grows significantly, this increase is still just a constant as for any given input parameter P of FAST-SOLVE-NORM-EQ in
It is possible to perform tests as to whether a solution to NK/F(z)=e over the rational elements of K (not necessarily elements in K) exists. A known test in this regard is the Hasse Norm Theorem that asserts that a global solution, e.g., a solution over K, exists if and only if a solution exists with respect to all local fields associated with K/F. See, e.g., Jurgen Neukirch, “Algebraic Number Theory,” (Springer, 1999). More precisely:
(Hasse Norm Theorem). Let K/F be a cyclic extension. An element e∈Fx is a norm of an element in Kx if and only if it is a norm at every prime of F, including the infinite primes.
In practice, it is not necessary to check all primes of F, a finite set of primes is sufficient: as described in Vincenzo Acciaro and Jurgen Kluners, “Computing local Artin maps, and solvability of norm equations,” J. Symb. Comput., 30(3):239-252 (2000), the only primes that need to be checked are a) the divisors of the conductor of K/F and b) all finite primes dividing the ideal eF. If e is benign, one can therefore efficiently compute the prime factorization and hence can perform this sufficient test for solvability of the norm equation. Note that this test can only be used in this one-sided sense as there are examples of degree 2 extensions K/F known where for e∈F the equation NK/F(z)=e is solvable over K but not over K. In practice, the test is reasonably fast in order to eliminate some candidates e. Example pseudo-code for this test PASS-HASSE-SOLVABILITY-TEST is summarized in
In this section, examples of using an exemplary implementation of the disclosed technology are provided. In two examples, an example implementation of the disclosed framework is applied to reproduce results on Clifford+T and V-basis gate sets. The exact synthesis framework disclosed in Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015); U.S. Provisional Patent Application No. 62/146,182 filed on Apr. 10, 2015, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”; and PCT International Application No. PCT/US2016/025958 filed on Apr. 5, 2016, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA” is used for the end to end compilation. For this reason, this discussion describes how to use this framework to reproduce previously known results on exact synthesis from Alex Bocharov, Yuri Gurevich, and Krysta M. Svore, “Efficient decomposition of single-qubit gates into V basis circuits,” Physical Review A, 88(1):1-13 (July 2013); Vadym Kliuchnikov, Dmitri Maslov, and Michele Mosca, “Fast and efficient exact synthesis of single qubit unitaries generated by Clifford and T gates,” Quantum Information and Computation, 13(7-8):0607-0630 (June 2013); and Vadym Kliuchnikov, Dmitri Maslov, and Michele Mosca, “Asymptotically optimal approximation of single qubit unitaries by Clifford and T circuits using a constant number of ancillary qubits,” Physical Review Letters, 110(19):1-5 (December 2012), and also results on exact synthesis over Clifford+Rz(π/16) (see Simon Forest, David Gosset, Vadym Kliuchnikov, and David McKinnon, “Exact synthesis of single-qubit unitaries over clifford-cyclotomic gate sets,” Journal of Mathematical Physics, 56(8):082201 (2015)).
Two other examples correspond to approximating using gate sets Clifford+Rz(π/16) and Clifford+T+V. No number-theoretic style approximation algorithms for these gate sets were known before. A brief summary of the examples is given in Table 1. Amongst other data, the table contains the time needed for the precomputation stage for all of the disclosed examples and the value of the additive constant appearing in Theorem 4.1. All the data about the example algorithm performance is based on an example implementation of exact synthesis (see, e.g., Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015); U.S. Provisional Patent Application No. 62/146,182 filed on Apr. 10, 2015, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”; and PCT International Application No. PCT/US2016/025958 filed on Apr. 5, 2016, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”.) and approximation frameworks using the computer algebra system MAGMA. The total number of lines of code needed for its implementation is about 2500. More examples of running the approximation stage of the algorithm are provided in Section 7.
In this section, it is described how to obtain results from Peter Selinger, “Efficient Clifford+T approximation of single-qubit operators,” (December 2012) within the example disclosed framework. Also discussed is the exact synthesis part using the framework introduced in Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015); U.S. Provisional Patent Application No. 62/146,182 filed on Apr. 10, 2015, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”; and PCT International Application No. PCT/US2016/025958 filed on Apr. 5, 2016, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”. This section follows the “Approximation methods based on exact synthesis” Section above (Section 2.2) and shows that Clifford+T can be described by totally definite quaternion algebra. Recall the following definition:
a gate set is described by quaternion algebra if the following data is defined:
(1) A quaternion gate set specification F, σ, a, b, , S,
(2) A set of canonical generators ,S of S,
(3) A map Circuit as described by equation (1).
For Clifford+T gate set, one can choose:
={Rα(π/4),Rα(π/2):α=x,y,z}
The rotations Rα(π/2) are listed separately because they generate the Clifford group. Clifford gates are much cheaper in practice, and a typical cost function used in practice for the Clifford+T gate set is:
cost(Rα(π/4))=1, cost(Rα(π/2))=0, α=x,y,z.
Now consider the following quaternion gate set specification for Clifford+T:
Using notation qz=i, qy=j, qx=k, one can obtain set Q based on the following correspondence
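$$q_{t,\alpha} = 1 + \theta(1 - q_\alpha)/2, \qquad U_q(q_{t,\alpha}) = R_\alpha(\pi/4)$$
$$q_{c,\alpha} = \theta(1 - q_\alpha)/2, \qquad U_q(q_{c,\alpha}) = R_\alpha(\pi/2)$$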
where α=x,y,z.
The next step is to compute ,S using the algorithm from Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015). One can find that quaternion algebra Q has a trivial two sided ideal class group and that the number of conjugacy classes of maximal orders of Q is one. In this case, the situation is relatively straightforward. The set ,S is equal to genS()∪genu(). The set genS() comprises N()+1=3 elements with reduced norm a0+a1θ. The set genu() comprises three generators of the finite group of units of maximal order modulo units of F. The results of exemplary computations are the following:
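$$q_1 = \tfrac{1}{2} + i/2 + (\theta - 1)j/2 + (\theta - 1)k/2, \quad q_2 = (-\theta + 2)/2 - \theta j/2, \quad q_3 = (-\theta + 2)j/2 + \theta k/2.$$
$$u_1 = \tfrac{1}{2} - i/2 - j/2 - k/2, \quad u_2 = -j, \quad u_3 = \theta/2 - \theta j/2.$$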
Algorithmically, one can find that $u_1 = q_{c,z}q_{c,x}$, $u_2 = q_{c,y}^2$, and $u_3 = q_{c,y}$. One sees that the unit group of modulo units of F corresponds to Clifford group. Next, one finds that $q_1 = q_{t,x}q_{c,z}^2q_{c,x}q_{c,z}$, $q_2 = -q_{t,z}q_{c,z}^2q_{c,x}q_{c,z}$ and $q_3 = q_{t,y}q_{c,y}^3$ up to a unit of F. In general, the elements of set genS() are defined up to right-hand side multiplication by a unit of . For this reason, one can choose genS()={qt,α:α=x,y,z}. The map Circuit becomes almost trivial in this case. In the next examples, this detail is omitted and genS() is written using generators convenient for the example application.
Note that nrd qt,αF= therefore the cost vector corresponding to each qt,α is (1). For all elements of the unit group the cost vector is (0). In this example, the original cost definition completely matches the cost obtained from cost vectors. Tables 2 and 5 show the results of running the example circuit synthesis algorithm for the Clifford+T gate set.
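The correspondences and unit identities stated above can be checked with exact arithmetic; the following is an added example, not code from the disclosure or its MAGMA implementation. It assumes θ² = 2 with σ(θ) = √2, the Hamilton relations i² = j² = −1 and k = ij, the convention Rα(φ) = exp(−iφPα/2), and the map Uq(q) = (w + x·iZ + y·iY + z·iX)/√nrd(q) suggested by the V-basis correspondence Uq(qP) = iP; all class and function names are hypothetical.

```python
from fractions import Fraction as Fr
import math

class F:
    """Exact element a + b*theta of Q(theta), assuming theta^2 = 2."""
    def __init__(self, a=0, b=0):
        self.a, self.b = Fr(a), Fr(b)
    def __add__(self, o): return F(self.a + o.a, self.b + o.b)
    def __neg__(self): return F(-self.a, -self.b)
    def __sub__(self, o): return self + (-o)
    def __mul__(self, o):
        return F(self.a * o.a + 2 * self.b * o.b, self.a * o.b + self.b * o.a)
    def __eq__(self, o): return (self.a, self.b) == (o.a, o.b)
    def __float__(self): return float(self.a) + float(self.b) * math.sqrt(2)
    def norm(self): return self.a ** 2 - 2 * self.b ** 2      # N_{F/Q}
    def inv(self):
        n = self.norm()
        return F(self.a / n, -self.b / n)

class Quat:
    """w + x*i + y*j + z*k with i^2 = j^2 = -1, k = ij (assumed relations)."""
    def __init__(self, w, x, y, z): self.c = (w, x, y, z)
    def __mul__(p, q):
        a1, b1, c1, d1 = p.c
        a2, b2, c2, d2 = q.c
        return Quat(a1 * a2 - b1 * b2 - c1 * c2 - d1 * d2,
                    a1 * b2 + b1 * a2 + c1 * d2 - d1 * c2,
                    a1 * c2 - b1 * d2 + c1 * a2 + d1 * b2,
                    a1 * d2 + b1 * c2 - c1 * b2 + d1 * a2)
    def __eq__(p, q): return all(u == v for u, v in zip(p.c, q.c))
    def conj(self):
        w, x, y, z = self.c
        return Quat(w, -x, -y, -z)
    def nrd(self): return sum((u * u for u in self.c), F())   # reduced norm

AXIS = {"z": 1, "y": 2, "x": 3}     # page notation: q_z = i, q_y = j, q_x = k
HALF_THETA = F(0, Fr(1, 2))
H = Fr(1, 2)

def _on_axis(w, coeff, alpha):
    c = [w, F(), F(), F()]
    c[AXIS[alpha]] = coeff
    return Quat(*c)

def q_t(alpha):                      # q_{t,alpha} = 1 + theta(1 - q_alpha)/2
    return _on_axis(F(1) + HALF_THETA, -HALF_THETA, alpha)

def q_c(alpha):                      # q_{c,alpha} = theta(1 - q_alpha)/2
    return _on_axis(HALF_THETA, -HALF_THETA, alpha)

# Values quoted in the text above.
U1 = Quat(F(H), F(-H), F(-H), F(-H))
U2 = Quat(F(), F(), F(-1), F())
U3 = Quat(HALF_THETA, F(), -HALF_THETA, F())
Q1 = Quat(F(H), F(H), F(-H, H), F(-H, H))

def unit_of_F_ratio(p, q):
    """Return the unit u of Z[theta] with p == u*q, or None if there is none."""
    r = p * q.conj()                 # equals u * nrd(q) when p == u*q
    if any(c != F() for c in r.c[1:]):
        return None
    u = r.c[0] * q.nrd().inv()
    integral = u.a.denominator == 1 and u.b.denominator == 1
    return u if integral and abs(u.norm()) == 1 else None

def U_q(q):
    """2x2 unitary (w + x*iZ + y*iY + z*iX)/sqrt(nrd q) under sigma."""
    w, x, y, z = (float(c) for c in q.c)
    n = math.sqrt(float(q.nrd()))
    return [[complex(w, x) / n, complex(y, z) / n],
            [complex(-y, z) / n, complex(w, -x) / n]]

PAULI = {"x": [[0, 1], [1, 0]], "y": [[0, -1j], [1j, 0]], "z": [[1, 0], [0, -1]]}

def rotation(alpha, phi):
    """R_alpha(phi) = exp(-i*phi*P_alpha/2) (assumed convention)."""
    c, s = math.cos(phi / 2), math.sin(phi / 2)
    P = PAULI[alpha]
    return [[c * (r == k) - 1j * s * P[r][k] for k in range(2)] for r in range(2)]

def max_diff(A, B):
    return max(abs(A[r][k] - B[r][k]) for r in range(2) for k in range(2))
```

Calling `unit_of_F_ratio(q_t("x") * q_c("z") * q_c("z") * q_c("x") * q_c("z"), Q1)` returns the element −1 − θ, which is the "unit of F" by which that product differs from q1.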
In this section, a description of how to obtain results from Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015) within the example framework is provided.
V-basis is defined using the following set
A typical cost function is:
The quaternion gate set specification is:
Using notation qZ=i, qY=j, qX=k, one can obtain set Q based on the following correspondence:
$$q_{V,\pm P} = 1 \pm 2q_P, \qquad U_q(q_{V,\pm P}) = (1 \pm 2iP)/\sqrt{5}$$
$$U_q(q_P) = iP$$
where P∈{X,Y,Z}.
Similarly to the previous section, one can compute ,S using the algorithm from Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015). One can again find that quaternion algebra Q has a trivial two sided ideal class group and that the number of conjugacy classes of maximal orders of Q is one. The set ,S is equal to genS()∪genu(). The set genS() consists of N()+1=6 elements with reduced norm 5. The set genu() consists of two generators of the finite group of units of maximal order modulo units of . The results of the computations are the following:
One of the generators of the unit group cannot be expressed as a product of elements of Q. Indeed, all elements of Q belong to the Lipschitz order
$$L = \mathbb{Z} + \mathbb{Z}i + \mathbb{Z}j + \mathbb{Z}k$$
and (i+j+k+1)/2 does not. However, the example approximation algorithm finds q from L. It is possible to show that (in this particular example) the unit of obtained in the end of exact synthesis of q must belong to L and therefore belongs to the subgroup of the unit group of that contained in L. After a simple computation, one finds that this subgroup is generated by i,j,k.
Note that nrd qV,±P= and the cost vector corresponding to each qV,±P is (1). For all elements of the unit group the cost vector is (0). Similarly to the Clifford+T case, the original cost definition completely matches the cost obtained from cost vectors. Tables 3 and 5 show the results of running the example circuit synthesis algorithm for V-basis.
The approximation part of the result for this gate set is new. An exact synthesis algorithm for this gate set was first described in Simon Forest, David Gosset, Vadym Kliuchnikov, and David McKinnon, “Exact synthesis of single-qubit unitaries over clifford-cyclotomic gate sets,” Journal of Mathematical Physics, 56(8):082201 (2015) in the language of SO(3) representation of unitary matrices over the ring [ζ16, ½]. It can be shown that the output of the approximation stage of the example algorithm can be converted to a unitary matrix over [ζ16, ½]. Therefore the algorithm developed in Simon Forest, David Gosset, Vadym Kliuchnikov, and David McKinnon, “Exact synthesis of single-qubit unitaries over clifford-cyclotomic gate sets,” Journal of Mathematical Physics, 56(8):082201 (2015) can be applied instead of the exact synthesis algorithm for quaternions used here.
For Clifford+
gate set, one can choose:
={Rα(±π/8),Rα(±3π/8),Rα(π/4),Rα(π/2):α=x,y,z}
For this example, the quaternion gate set specification is:
The discriminant of is equal to F, therefore is coprime to it. This implies that the set S is infinite.
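Using notation qz=i, qy=j, qx=k, $\eta = \theta^3 - 3\theta$ (note $\sigma(\eta) = 2\sin(\pi/8)$), one can obtain set Q based on the following correspondence:
$$q_{t,\alpha} = 1 + \xi(1 - q_\alpha)/2, \qquad U_q(q_{t,\alpha}) = R_\alpha(\pi/4)$$
$$q_{c,\alpha} = (1 - q_\alpha)/2, \qquad U_q(q_{c,\alpha}) = R_\alpha(\pi/2)$$
$$q_{1/8,\alpha} = \theta(1 + (\theta - \eta q_\alpha)/2), \qquad U_q(q_{1/8,\alpha}) = R_\alpha(\pi/8)$$
$$q_{3/8,\alpha} = \theta(1 + (\eta - \theta q_\alpha)/2), \qquad U_q(q_{3/8,\alpha}) = R_\alpha(3\pi/8)$$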
where α∈{x,y,z}.
The next step is to compute ,S using the algorithm from Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015). One finds that quaternion algebra Q has a trivial two sided ideal class group and two different conjugacy classes of maximal orders of Q. The set ,S is equal to genS()∪genu(). The set genu() consists of three generators of the finite group of units of maximal order modulo units of . As one has two conjugacy classes of maximal orders, it is desirable to build an ideal principality graph (which is a tree in this case, see
In particular,
This computation reproduces the result from Simon Forest, David Gosset, Vadym Kliuchnikov, and David McKinnon, “Exact synthesis of single-qubit unitaries over clifford-cyclotomic gate sets.” Journal of Mathematical Physics, 56(8):082201 (2015) showing that all matrices over the ring [ζ16, ½] can be exactly represented using gate set . Because there are two conjugacy classes of maximal orders, the situation with the cost of generators becomes more interesting. For quaternions qt,α, nrd(qt,α)=2 and their cost vector is (2). For other elements of genS(), nrd(q1/8,α)=3 and nrd(q3/8,α)=3 and their cost vector is (3). In the case when S contains only one prime ideal, the cost of each generator from genu() is precisely equal to the distance from the root to corresponding node. Above cost values also reproduce results from Simon Forest, David Gosset, Vadym Kliuchnikov, and David McKinnon, “Exact synthesis of single-qubit unitaries over clifford-cyclotomic gate sets,” Journal of Mathematical Physics, 56(8):082201 (2015).
Note that while approximating, one only has control over the overall value of the cost vector. If one requested cost L, then the result can have any number $L_t$ of the T gates and any number $L_{1/8,3/8}$ of Rz(π/8) and Rz(3π/8) rotations as long as $L = 2L_t + 3L_{1/8,3/8}$. As usual, the cost of Clifford gates is assumed to be zero.
Another interesting aspect of this example is that the generalized Lipschitz order is not contained in maximal order M above. Orders in a totally definite quaternion algebra can be given a structure of the lattice using bilinear form (q1q2*). One can find that the index of sub-lattice L∩M in L is two. This means that half of the points from L belong to L∩M. In the example approximation algorithm, the result is tested at the end to determine if it is in M. If this is not the case, the procedure tries again. Experiments show that the procedure produces a quaternion in L∩M in half of the experiments. Tables 4 and 5 show the results of running the example circuit synthesis algorithm for Clifford+Rz(π/8) gate set.
For Clifford+T+V gate set, one can choose set G to be:
$$G = \{R_\alpha(\pi/4),\ R_\alpha(\pm 2\,\mathrm{atan}(2)),\ R_\alpha(\pi/2) : \alpha = x, y, z\}$$
It is not difficult to check that $R_\alpha(\pm 2\,\mathrm{atan}(2))$ correspond to 6 V gates.
The gate set specification is similar to Clifford+T case except for the set S.
Using notation qz=i, qy=j, qx=k, one can obtain set Q based on the following correspondence
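$$q_{t,\alpha} = 1 + \theta(1 - q_\alpha)/2, \qquad U_q(q_{t,\alpha}) = R_\alpha(\pi/4)$$
$$q_{v,\pm\alpha} = 1 \mp 2q_\alpha, \qquad U_q(q_{v,\pm\alpha}) = R_\alpha(\pm 2\,\mathrm{atan}(2))$$
$$q_{c,\alpha} = \theta(1 - q_\alpha)/2, \qquad U_q(q_{c,\alpha}) = R_\alpha(\pi/2)$$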
where α=x,y,z.
The next step is to compute ,S using the algorithm from Vadym Kliuchnikov and Jon Yard, “A framework for exact synthesis,” arXiv:1504.04350 (2015). One can find that quaternion algebra Q has a trivial two sided ideal class group and that the number of conjugacy classes of maximal orders of Q is one. The set ,S is equal to genS()∪genu(). The set genS() consists of N(1)+1=3 elements with reduced norm 2−θ and N(2)+1=26 elements with reduced norm 5. The set genu() consists of three generators of the finite group of units of maximal order modulo units of F and is the same as in Clifford+T case because maximal order is the same.
Here, the set genS() is discussed in more detail. One can find that it contains quaternions corresponding to Rα(π/4) gates and all 6 V gates. One is then left with 20 quaternions with reduced norm 5 that were not in the set . These can be expressed in terms of elements of . The following equivalence relation on quaternions can then be introduced:
$$q_1 \sim q_2 \ \text{if and only if}\ q_1 = u_1 q_2 u_2 \ \text{for}\ u_1, u_2 \ \text{units of}\ M$$
In this case, it means that corresponding unitaries are equivalent up to a Clifford and therefore will have the same cost of implementation. There are four equivalence classes in genS() corresponding to the relation ˜. Two of them are {qt,α:α∈{x,y,z}} and {qv,±α:α∈{x,y,z}}. The remaining twenty quaternions with reduced norm 5 split into two classes c1 and c2 of size 8 and 12. Next, one can find that all quaternions from c2 are equal to
$$u_1\, q_{t,\alpha(1)}\, q_{v,\pm\alpha(2)}\, u_2\, q_{t,\alpha(3)}^{-1}$$
where u1,u2 are units of ,α(k)∈{x,y,z}, k=1, 2, 3.
The quaternions from the set c1 can be expressed as
$$u_1\, q_{t,\alpha(1)}\, q_{t,\alpha(2)}\, q_{v,\pm\alpha(3)}\, u_2\, q_{t,\alpha(4)}^{-1}\, q_{t,\alpha(5)}^{-1}$$
where u1,u2 are units of ,α(k)∈{x,y,z}, k=1, . . . ,5.
In practice it can be more beneficial to design circuits for all 26 gates corresponding to quaternions with norm 5 directly, because T gates are usually expensive to implement. Table 6 shows the results of running the example circuit synthesis algorithm for Clifford+T+V gate set.
In this section, results of running an example implementation of the disclosed approximation algorithm for a series of quaternion gate sets specification are provided. Recall that the quaternion gate set specification is:
A quaternion gate set specification is a tuple F, σ, a, b, , S where:
The family of examples is parametrized by even integer n. Number field F corresponds to the real subfield of cyclotomic field (ζn+ζn−1) with primitive element θ. Element a of F is chosen such that relative extension F(a) is a cyclotomic field, b=−1. The approximation part of the example algorithm is independent on maximal order , so there was no restriction to any specific choice of . Set S contains one prime ideal above 2. If there is more than one such ideal, it was chosen at random. The tables below summarize the series of examples using an implementation of the disclosed algorithm.
This table (and the tables below) summarize the results of running offline part of the example algorithm: n is the number of example in the family described above; tapprox is the time in seconds spent on the offline stage required for the approximation part; Cmin is the additive constant appearing in Theorem 4.1; C/log N(1) is the ratio between Cmin and the log of the norm of the ideal in S. Next, tables are shown with the averages over 100 runs of the example algorithm with different target precisions ε and target cost vector (L1) and target angle φ=0.1 for each example for n=8, 10, . . . , 44. All columns of the tables except Ntr,min and Ntr,max are averages over 100 runs of the algorithm; ρ(Uq,Rz(φ)) is the obtained quality of approximation; Ntr,min,Ntr,max,Ntr,avg are minimum, maximum and average of the number of the main loop iterations in the procedure APPROXIMATE over all samples; tapprox is time in seconds spent on online part of the approximation stage of the algorithm.
In
At 1810, a target unitary described by a target angle and target precision is received (e.g., input, buffered into memory, or otherwise prepared for further processing).
At 1812, a corresponding quaternion approximation of the target unitary is determined. In particular embodiments, the corresponding quaternion approximation describes the target unitary in quaternion algebra. In some embodiments, and as discussed in detail above, the synthesis procedure can further comprise determining a cost vector for the target unitary (e.g., a cost vector describing a limit on a size of the single qubit gate set resulting from the synthesis procedure). In such embodiments, the act of determining the corresponding quaternion approximation can comprise finding one or more corresponding quaternion approximations that satisfy the cost vector. In some embodiments, the determining the corresponding quaternion approximation of the target unitary comprises selecting a first integer for use as a first quaternion element in the quaternion approximation, the first integer being selected so that a distance threshold to a Rx, Ry, or Rz rotation is satisfied. In such embodiments, a second integer for use as a second quaternion element in the quaternion approximation can also be selected, the second integer being selected so that, in combination with the first integer, the quaternion approximation produces a single qubit gate set that satisfies a cost threshold or gate set size limit. In particular implementations, the first integer and the second integer are selected from a ring of integers of the CM-field K. In particular implementations, the determining a corresponding quaternion approximation of the target unitary comprises finding a quaternion from the generalized Lipschitz order that has the following two properties: (1) d(Uq,Rz(φ))≤ε; and (2) nrd(q)F=1L
At 1814, the corresponding quaternion approximation is synthesized to produce a quantum circuit, the quantum circuit being over a single qubit gate set, get unitary, the single qubit gate set being realizable by a target quantum computer architecture. The single qubit gate set can be a Clifford+T basis gate set, a Clifford+$e^{i\pi Z/12}$ basis gate set, a Clifford+$e^{i\pi Z/16}$ basis gate set, a V-basis gate set, or any other single qubit base set expressible in terms of totally definite quaternion algebra.
At 1816, the quantum circuit is implemented in a target quantum circuit architecture. For instance, such implementation can be performed by a quantum circuit controller coupled to the target quantum circuit architecture and configured to implement the single qubit gate set for the target unitary in the target quantum circuit architecture. For example, embodiments as described in
At 1910, a program describing a desired computation to be performed in a target quantum computer architecture is input (e.g., buffered into memory or otherwise prepared for further processing).
At 1912, a gate set adapted for implementation on the target quantum computer architecture is generated based on the program. In the illustrated embodiment, the generating of the gate set includes generating a single qubit circuit for one or more respective unitaries used to perform the desired computation. Further, and as discussed in detail above, the generating the single qubit circuit comprises identifying a target unitary, and determining a corresponding quaternion approximation of the target unitary using a process in which one or more of the elements in the corresponding quaternion approximation are randomly selected.
At 1914, the gate set is implemented in a target quantum circuit architecture. For instance, such implementation can be performed by a quantum circuit controller coupled to the target quantum circuit architecture and configured to implement the gate set in the target quantum circuit architecture. For example, embodiments as described in
In particular implementations, the determining the corresponding quaternion approximation of the target unitary comprises randomly selecting one or more values for use in the corresponding quaternion approximation from a constrained body of values that guarantees that a norm equation is solvable, and solving the norm equation to determine at least another one of the elements in the corresponding quaternion approximation. Further, in some implementations, the at least another one of the elements in the corresponding quaternion approximation is z, where z∈K, and wherein the norm equation for z is z(z*)=e, where e is an element of the totally real subfield F.
In some implementations, the determining the corresponding quaternion approximation of the target unitary comprises randomly sampling points from subsets of a ring of integers, and using the randomly selected sampling points as quaternion elements in the quaternion approximation. For example, the ring of integers can be a ring of integers of the CM-field K.
In certain implementations, the determining the corresponding quaternion approximation of the target comprises: partitioning a convex body of complex numbers into convex subsets, the partitioning being performed such that each subset has a lattice point corresponding to K; randomly selecting one of the subsets; selecting a lattice point corresponding to K from the randomly selected subset; and using the selected lattice point as an element in the quaternion approximation.
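The two-step selection described above can be seen in its simplest instance, the V-basis over the Lipschitz order with K = ℚ(i): the first element a + ib is chosen so that the distance bound holds, then the norm equation c² + d² = 5^L − a² − b² is solved for the second. This is an added illustration, not the disclosed implementation; it replaces random sampling and lattice reduction with exhaustive enumeration, and the metric d = sqrt(1 − |tr(Uq·Rz(φ)†)|/2), the convention Rz(φ) = exp(−iφZ/2) and all function names are assumptions.

```python
import math

def two_squares(r):
    """Solve the norm equation c^2 + d^2 = r over the integers.

    Returns (c, d) with c <= d, or None when r is not a sum of two squares.
    """
    c = 0
    while 2 * c * c <= r:
        d = math.isqrt(r - c * c)
        if d * d == r - c * c:
            return c, d
        c += 1
    return None

def distance(q, phi):
    """Assumed metric d(U_q, R_z(phi)) = sqrt(1 - |tr(U_q R_z(phi)^dagger)|/2).

    For q = a + b*i + c*j + d*k the upper-left entry of U_q is
    (a + ib)/sqrt(nrd q), so tr/2 = (a*cos(phi/2) - b*sin(phi/2))/sqrt(nrd q).
    """
    a, b, c, d = q
    n = a * a + b * b + c * c + d * d
    half_tr = (a * math.cos(phi / 2) - b * math.sin(phi / 2)) / math.sqrt(n)
    return math.sqrt(max(0.0, 1.0 - abs(half_tr)))

def approximate_rz(phi, eps, max_cost=14):
    """Find an integer quaternion q with nrd(q) = 5^L and d(U_q, R_z(phi)) <= eps.

    Costs L = 0, 1, 2, ... are tried in order, so the first hit has the
    smallest cost. Returns (L, (a, b, c, d)) or None if max_cost is exceeded.
    """
    cphi, sphi = math.cos(phi / 2), math.sin(phi / 2)
    for L in range(max_cost + 1):
        n = 5 ** L
        root = math.isqrt(n)
        # a*cphi - b*sphi >= t is the distance condition (property 1).
        t = math.sqrt(n) * (1.0 - eps * eps)
        for a in range(-root, root + 1):
            bmax = math.isqrt(n - a * a)
            # Prune: no b with a^2 + b^2 <= n can reach the threshold.
            if a * cphi + bmax * abs(sphi) < t:
                continue
            for b in range(-bmax, bmax + 1):
                if a * cphi - b * sphi < t:
                    continue
                # Property 2: the rest of the norm must be c^2 + d^2.
                rest = two_squares(n - a * a - b * b)
                if rest is not None:
                    return L, (a, b, rest[0], rest[1])
    return None

if __name__ == "__main__":
    # Constructed target: the angle 0.1 used in the tables, precision 0.01.
    cost, q = approximate_rz(0.1, 0.01)
    print("cost L =", cost, "q =", q, "distance =", distance(q, 0.1))
```

Candidates whose remainder is not a sum of two squares are skipped, which is the enumeration analogue of restricting the sampled values so that the norm equation is solvable.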
At 2010, a target unitary described by a target angle and target precision is received (e.g., input, buffered into memory, or otherwise prepared for further processing).
At 2012, a corresponding quaternion approximation of the target unitary is determined.
At 2014, the corresponding quaternion approximation is synthesized to produce a single qubit circuit for the target unitary, the single qubit circuit being realizable by a quantum computer architecture.
Further, in the illustrated embodiment and as discussed in detail above, the act of determining the corresponding quaternion approximation of the target unitary uses a Closest Vector Problem (CVP) technique to select values for the corresponding quaternion approximation. In some embodiments, the determining the corresponding quaternion approximation of the target unitary comprises selecting values from a Hermite-Korkine-Zolotarev, Block-Korkine-Zolotarev, Lenstra-Lenstra-Lovasz, or other size-reduced basis as an element in the corresponding quaternion approximation. In certain embodiments, the determining the corresponding quaternion approximation of the target unitary comprises using a Lenstra-Lenstra-Lovasz or other lattice basis reduction technique.
At 2016, the single qubit circuit for the target unitary is implemented in a target quantum circuit architecture. For instance, such implementation can be performed by a quantum circuit controller coupled to the target quantum circuit architecture and configured to implement the single qubit gate set for the target unitary in the target quantum circuit architecture. For example, embodiments as described in
With reference to
The exemplary PC 2100 further includes one or more storage devices 2130, such as a hard disk drive for reading from and writing to a hard disk, a magnetic disk drive for reading from or writing to a removable magnetic disk, and/or an optical disk drive for reading from or writing to a removable optical disk (such as a CD-ROM or other optical media). Such storage devices can be connected to the system bus 2106 by a hard disk drive interface, a magnetic disk drive interface, and/or an optical drive interface, respectively. The drives and their associated computer readable media provide nonvolatile storage of computer-readable instructions, data structures, program modules, and other data for the PC 2100. Other types of computer-readable media which can store data that is accessible by a PC, such as magnetic cassettes, flash memory, digital video disks, CDs, DVDs, RAMs, NVRAMs, ROMs, and the like, may also be used in the exemplary operating environment. As used herein, the terms storage, memory, and computer-readable media do not include or encompass propagating carrier waves or signals per se.
A number of program modules may be stored in the storage devices 2130, including an operating system, one or more application programs, other program modules, and program data. Storage of results of quantum syntheses and instructions for obtaining such syntheses (e.g., instructions for performing any embodiment of the disclosed technology) can be stored in the storage devices 2130. A user may enter commands and information into the PC 2100 through one or more input devices 2140 such as a keyboard and a pointing device such as a mouse. Other input devices may include a digital camera, microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the one or more processing units 2102 through a serial port interface that is coupled to the system bus 2106, but may be connected by other interfaces such as a parallel port, game port, or universal serial bus (USB). A monitor 2146 or other type of display device is also connected to the system bus 2106 via an interface, such as a video adapter. Other peripheral output devices, such as speakers and printers (not shown), may be included. In some cases, a user interface is displayed so that a user can input a circuit for synthesis, and verify successful synthesis.
The PC 2100 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 2160. In some examples, one or more network or communication connections 2150 are included. The remote computer 2160 may be another PC, a server, a router, a network PC, or a peer device or other common network node, and typically includes many or all of the elements described above relative to the PC 2100, although only a memory storage device 2162 has been illustrated in
When used in a LAN networking environment, the PC 2100 is connected to the LAN through a network interface. When used in a WAN networking environment, the PC 2100 typically includes a modem or other means for establishing communications over the WAN, such as the Internet. In a networked environment, program modules depicted relative to the personal computer 2100, or portions thereof, may be stored in the remote memory storage device or other locations on the LAN or WAN. The network connections shown are exemplary, and other means of establishing a communications link between the computers may be used.
With reference to
With reference to
The quantum processing unit(s) can be one or more of, but are not limited to: (a) a superconducting quantum computer; (b) an ion trap quantum computer; or (c) a fault-tolerant architecture for quantum computing (e.g., a topological quantum computer using Majorana zero modes). The synthesized gate sets (e.g., using any of the disclosed embodiments) can be sent into (or otherwise applied to) the quantum processing unit(s) via control lines 2206 at the control of the classical processor 2210 and/or synthesis unit 2220. In the illustrated example, the desired quantum computing process is implemented with the aid of one or more QP subcontrollers 2205 that are specially adapted to control a corresponding one of the quantum processor(s) 2202. For instance, in one example, the classical processor 2210 and/or synthesis unit 2220 facilitates implementation of the compiled quantum circuit by sending instructions to one or more memories (e.g., lower-temperature memories), which then pass the instructions to low-temperature control unit(s) (e.g., QP subcontroller(s) 2205) that transmit, for instance, pulse sequences representing the gates to the quantum processing unit(s) 2202 for implementation. In other examples, the QP subcontroller(s) 2205 operate to provide appropriate magnetic fields, encoded operations, or other such control signals to the quantum processing unit(s) 2202 to implement the operations of the compiled quantum computer circuit description. The classical processor 2210 can further interact with measuring/monitoring devices (e.g., readout devices) 2246 to help control and implement the desired quantum computing process (e.g., by reading or measuring out data results from the quantum processing units once available, etc.)
Having described and illustrated the principles of the disclosed technology with reference to the illustrated embodiments, it will be recognized that the illustrated embodiments can be modified in arrangement and detail without departing from such principles. For instance, elements of the illustrated embodiments shown in software may be implemented in hardware and vice-versa. Also, the technologies from any example can be combined with the technologies described in any one or more of the other examples. It will be appreciated that procedures and functions such as those described with reference to the illustrated examples can be implemented in a single hardware or software module, or separate modules can be provided. The particular arrangements above are provided for convenient illustration, and other arrangements can be used.
This application claims the benefit of U.S. Provisional Application No. 62/233,293 entitled “METHOD AND SYSTEM FOR APPROXIMATE QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA” filed on Sep. 25, 2015, which is hereby incorporated herein by reference in its entirety. This application is also a continuation-in-part of PCT International Application No. PCT/US2016/025958 filed on Apr. 5, 2016, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”, which claims the benefit of U.S. Provisional Patent Application No. 62/146,182 filed on Apr. 10, 2015, and entitled “METHOD AND SYSTEM FOR QUANTUM CIRCUIT SYNTHESIS USING QUATERNION ALGEBRA”, both of which are hereby incorporated herein by reference in their entirety.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/US2016/053808 | 9/26/2016 | WO | 00 |
Number | Date | Country | |
---|---|---|---|
62233293 | Sep 2015 | US |
Number | Date | Country | |
---|---|---|---|
Parent | PCT/US2016/025958 | Apr 2016 | US |
Child | 15761836 | US |