
Quantum Computing From A Mathematical Perspective: A Description of The Quantum Circuit Model

This paper provides a rigorous mathematical description of quantum computing, focusing on the quantum circuit model and its foundational principles. It aims to bridge the gap between mathematics and the fields of computer science and quantum physics, detailing historical developments and key concepts such as quantum Turing machines, qubits, and quantum entanglement. The authors also discuss the probabilistic nature of quantum computation and the significance of the complexity class BQP.

Uploaded by

Ali Mahmoud

Quantum computing from a mathematical perspective: a description of the quantum circuit model


J. Ossorio-Castillo∗ 1,2 and José M. Tornero† 2

1 Instituto Tecnolóxico de Matemática Industrial (ITMATI), 15782 Santiago de Compostela, Spain
2 IMUS & Departamento de Álgebra, Universidad de Sevilla, 41012 Sevilla, Spain
arXiv:1810.08277v1 [quant-ph] 16 Oct 2018

Abstract
This paper is an essentially self-contained and rigorous description of the fundamental principles of quantum computing from a mathematical perspective. It is intended to help mathematicians who want to get a grasp of this quickly growing discipline and find themselves taken aback by the language gap between mathematics and the pioneering fields on the matter: computer science and quantum physics.

1 Historical precedents of Quantum Computation


The origins of quantum computation date back to 1980, when American physicist Paul Benioff
(b. 1930) described a computing model defined by quantum mechanical Hamiltonians [5]. Later that
year, Russian mathematician Yuri Manin gave a first idea on how to simulate a quantum system
with a computer governed by quantum mechanics [37]. Both of them laid the groundwork for two of
the basic components of quantum computing: quantum Turing machines and quantum computers [39].

Two years later, American theoretical physicist Richard Feynman (1918 – 1988) discussed, in one of his most seminal papers, the problems of simulating physics with a classical computer [22], and independently introduced a quantum model of computation. He stated that, the world being quantum mechanical, the inherent difficulty of exactly replicating the behavior of nature is related to the problem of simulating quantum physics. Thus, the most important rule defined by Feynman deals with the computational complexity of efficiently simulating a quantum system. If one doubles the dimensions of the system, it would be ideal that the size of the computational resources needed for this task also double in the worst case, instead of experiencing exponential growth.

Feynman also stated the underlying limitations that appear when it comes to simulating the probabilities of a physical system. Instead of calculating the probabilities of such a system, which he proved to be impossible, he proposed that the computer itself should have a probabilistic nature. To this new kind of machine he gave the name of quantum computer, and stated that its essence was distinct from that of the well-known Turing machines. He also noted that with one of them it should be possible to simulate correctly any quantum system, and the physical world itself. Feynman asked himself whether it would be possible to define a universal quantum computer, capable of modeling all possible quantum systems and detached from the possible problems that originate from its physical implementation, in the same way that a classical one is.

2 Quantum Turing Machines


Although the credit for introducing the concept of a universal quantum computer goes to Richard Feynman, it was British physicist David Deutsch (b. 1953) who first properly described, generalized and formalized it [13]. Building on the works of Feynman, Manin and Benioff, he also introduced the concept of the quantum Turing machine (QTM), which we now present.

∗ Email: joaquin.ossorio@usc.es. Supported by MTM2016-75027-P (MEyC).
† Email: tornero@us.es. Supported by MTM2016-75027-P (MEyC) and P12-FQM-2696 (JdA).

Figure 1: Diagram of complexity classes (incl. BQP)

A quantum Turing machine M, or QTM, is defined (as are classical Turing machines) by a triple M = (S, Σ, δ), but the usual set of states S of a Turing machine is replaced by (some) vectors of a Hilbert space, the alphabet Σ is finite, and the transition function δ is replaced by a set of unitary transformations which are automorphisms of the Hilbert space.
This definition is rather informal and leaves out many important details. In fact, the study of
quantum Turing machines is quite intricate. Fortunately, an equivalent and much more friendly model
of computation called the quantum circuit model exists, and will be explained later on in this paper
along with many of its details. Nevertheless, the reader interested in the complete and original definition
of quantum Turing machines and all of its characteristics, can refer to the seminal papers where it
was first outlined and formalized: [13], [14] and [8]. A quantum Turing machine can also be seen
as a probabilistic Turing machine that obeys the rules of quantum probability instead of classical
probability [46].
The counterpart of the P class is given in the QTM context by the complexity class BQP, which
stands for Bounded-error Quantum Polynomial-time. It contains all decision problems that can be
solved in polynomial time by a quantum Turing machine with error probability bounded by 1/3 for all
inputs.
The latter class is usually taken as a reference for representing the power of quantum computers.
Thanks to [8] and [13], we already know that BQP ⊆ PSPACE and it is trivial to see that P ⊆ BQP.
However, at the present time there is no known relationship between NP and BQP, except that P is inside their intersection. There is a strong belief that NP ⊈ BQP; consequently, a polynomial-time quantum algorithm for an NP-complete problem would be surprising, as it would violate this conjecture.
A problem that is not known to be in P is the factoring problem, but we already know thanks to Peter
W. Shor a polynomial-time algorithm for this problem that runs on a quantum computer [45]. This
algorithm, among many others, will be thoroughly explained in the next chapter.

It can be deduced from the definition of the complexity class BQP that the inner nature of quantum computation is probabilistic. In order to measure the performance of a quantum algorithm that solves a certain problem, we do not usually take into account the time needed for obtaining the solution to that problem. What we do is study the relationship between the probability of obtaining a correct solution and the computation time. In order for a quantum algorithm to be considered efficient, it must return a correct solution in polynomial time with a probability of at least 2/3. For a groundbreaking study on the algorithmic limitations of quantum computing, we refer to [6].

We must mention here that the quantum circuit model is not the only quantum computation paradigm that is currently being developed. There exists a completely different approach to exploiting the possibilities of quantum physics in computation, called the adiabatic model, which is also equivalent to a QTM [2]. We will not treat this matter here, as it needs a substantially different approach (and this paper is already long enough as it is).

3 Quantum Bits and Quantum Entanglement


In classical computation, the basic unit of information is the bit (a portmanteau of binary digit).
A bit can only be in one of its two possible states, and may therefore be physically implemented with
a two-state device. This pair of values is commonly represented with 0 and 1. On the other hand,
we have an analogous concept in quantum computation: the qubit (short for quantum bit) which is a
mathematical representation of a two-state quantum-mechanical system.
We will work in the Hilbert space $\mathbb{C}^2$, with the usual scalar product. In the quantum parlance, vectors are, however, written in a different way.
Definition 3.1. The vectors
$$|0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix} \quad\text{and}\quad |1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix}$$
are called the basis states of a quantum bit.
So far we have only two states and it does not seem too far apart from the bit situation (funny notations aside). However, there is a difference between bits and qubits: a qubit can also be in a state other than $|0\rangle$ and $|1\rangle$. Its generic state is, in fact, a linear combination over the complex numbers of both basis states.
Definition 3.2. A pure qubit state $|\psi\rangle$ is a unit vector which is a linear combination of the basis states,
$$|\psi\rangle = \alpha|0\rangle + \beta|1\rangle = \begin{pmatrix} \alpha \\ \beta \end{pmatrix}$$
where the coefficients $\alpha, \beta \in \mathbb{C}$ are called the amplitudes of the state.
The fact that $|\psi\rangle$ is a unit vector means of course that the constraint $|\alpha|^2 + |\beta|^2 = 1$ holds.

Remark: The notation we have just introduced, $|\psi\rangle$, is termed ket and is used for describing a quantum state. This notation is part of the bra-ket notation, also named Dirac notation in honor of English theoretical physicist Paul Dirac (1902 – 1984), who first introduced it in 1939 [17]. Alternatively, we will also use $\langle\psi|$, called bra, to describe the Hermitian conjugate of $|\psi\rangle$.

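Thus, $|0\rangle$ and $|1\rangle$ form an orthonormal $\mathbb{C}$-basis of $\mathbb{C}^2$. From now on, the basis formed by $|0\rangle$ and $|1\rangle$ will be called the computational basis of a qubit. Nevertheless, there are other commonly used bases for the states of a quantum bit. An example that will come in handy later, known as the Hadamard basis in honor of French mathematician Jacques Hadamard (1865 – 1963), is defined by
$$|+\rangle := \frac{1}{\sqrt{2}}\left(|0\rangle + |1\rangle\right) = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 \\ 1 \end{pmatrix}$$
and
$$|-\rangle := \frac{1}{\sqrt{2}}\left(|0\rangle - |1\rangle\right) = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 \\ -1 \end{pmatrix}.$$
It is easy to see that $|+\rangle$ and $|-\rangle$ also form an orthonormal $\mathbb{C}$-basis of $\mathbb{C}^2$, and that our generic qubit $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$ can be seen as
$$|\psi\rangle = \frac{\alpha+\beta}{\sqrt{2}}\,|+\rangle + \frac{\alpha-\beta}{\sqrt{2}}\,|-\rangle.$$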
We know that qubits exist in nature thanks to the Stern–Gerlach experiment, first conducted by German physicists Otto Stern (1888 – 1969) and Walther Gerlach (1889 – 1979) in 1922 [23].

Figure 2: Bloch sphere (footnote 1)

Remark: One of the key features that makes a quantum computer differ dramatically from its classical counterpart is the process of measuring the state of a quantum bit. A measurement, also called observation, of a generic single-qubit state $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$ is a physical procedure that yields a result from the orthonormal basis, depending on the values of $\alpha$ and $\beta$. This dependence is modelled as a Bernoulli distribution: the probability that the measurement gives $|0\rangle$ as a result is $|\alpha|^2$ and, obviously, the probability that the measurement yields $|1\rangle$ is $|\beta|^2$.
However, unlike the classical case, the measurement process inevitably disturbs the qubit $|\psi\rangle$, forcing it to collapse to either $|0\rangle$ or $|1\rangle$ and thus generally making it impossible to find out the actual values of $\alpha$ and $\beta$. This collapse to either $|0\rangle$ or $|1\rangle$ is non-deterministic and non-reversible, and this is a fundamental feature of quantum computation. It will be shown in Section 4 how to change these probabilities without violating the unitary constraint.
Therefore, in short, one might think of a qubit as a non-deterministic bit. It can take two possible values, just like a bit, but which of them one actually gets depends on a probability distribution. And, most importantly, the data given by these probabilities vanish once the qubit is observed.

Remark: A possible geometrical representation of the states of a single-qubit system, known as the Bloch sphere [9, 39] (see Figure 2), relies on the following interpretation. The amplitudes $\alpha$ and $\beta$ are not interesting by themselves: it is their moduli that characterize the probability distribution that actually matters. Therefore, two qubits which feature the same distribution are, in fact, computationally indistinguishable.
Therefore we may choose a representative for all such qubits: for instance we may force $\alpha$ to be a real number, and it is straightforward that, given a qubit $|\psi\rangle$, there is only one qubit
$$|\psi_0\rangle = \cos\frac{\theta}{2}\,|0\rangle + e^{i\varphi}\sin\frac{\theta}{2}\,|1\rangle$$
with $\theta \in [0, \pi]$ and $\varphi \in [0, 2\pi)$.
Choosing such a representation, we have that a generic qubit can be represented uniquely as a point $(\theta, \varphi)$ of the unit 2-sphere, with the north and south poles typically chosen to correspond to the standard basis vectors $|0\rangle$ and $|1\rangle$ as indicated in the figure.
The Bloch sphere is useful as a way of depicting transformations of a single qubit. As we will see later on, the most important transformations can be broken down to (essentially) rotations in the Bloch sphere. We will look at this matter in the next section. But first, let us explain some concepts needed to understand how multiple-qubit systems behave.

1 Credit: Glosser.ca (CC BY-SA 3.0)

Going from a single qubit to a multiple-qubit system should obviously involve considering a Hilbert vector space which stems from combining multiple copies of $\mathbb{C}^2$. The chosen way of doing that is using the tensor product.
Definition 3.3. Let $V$ and $W$ be vector spaces of dimensions $n$ and $m$ respectively. The tensor product of $V$ and $W$, denoted by $V \otimes W$, is an $nm$-dimensional vector space whose elements are linear combinations of the symbols $v \otimes w$ satisfying the subsequent properties:
• $\alpha(v \otimes w) = (\alpha v) \otimes w = v \otimes (\alpha w)$
• $(v_1 + v_2) \otimes w = (v_1 \otimes w) + (v_2 \otimes w)$
• $v \otimes (w_1 + w_2) = (v \otimes w_1) + (v \otimes w_2)$
where $\alpha \in \mathbb{C}$, $v, v_1, v_2 \in V$ and $w, w_1, w_2 \in W$.
A related definition that will come to use in Section 4 is the concept of tensor product between
linear operators.
Definition 3.4. Let A and B be linear operators defined on V and W respectively, then the linear
operator A ⊗ B operating on V ⊗ W is defined as

(A ⊗ B)(v ⊗ w) = Av ⊗ Bw

with v ∈ V and w ∈ W .
If $A$ and $B$ are $n \times n$ and $m \times m$ matrices respectively that correspond to the matrix representations of the linear operators $A$ and $B$ with respect to the canonical basis, the linear operator $A \otimes B$ (called the tensor product, or the Kronecker product of $A$ and $B$) has the following matrix representation with respect to the canonical basis:
$$A \otimes B = \begin{pmatrix} a_{11}B & a_{12}B & \cdots & a_{1n}B \\ a_{21}B & a_{22}B & \cdots & a_{2n}B \\ \vdots & \vdots & \ddots & \vdots \\ a_{n1}B & a_{n2}B & \cdots & a_{nn}B \end{pmatrix}.$$

As expected, the matrix representation of $A \otimes B$ has dimension $nm \times nm$. As happens with the usual product, this operation is not commutative. A common notation for the Kronecker product of $l$ copies of a matrix $A$ is $A^{\otimes l}$.

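Example: To show how the matrix representations of the Kronecker products of linear operators are calculated, let
$$A = \begin{pmatrix} 1 & -1 \\ -2 & 0 \end{pmatrix} \quad\text{and}\quad B = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 2 & 0 \\ 0 & 0 & 3 \end{pmatrix}$$
be two linear operators defined on $\mathbb{R}^2$ and $\mathbb{R}^3$ respectively. Then, their tensor product is calculated as follows:
$$A \otimes B = \begin{pmatrix} 1 & -1 \\ -2 & 0 \end{pmatrix} \otimes \begin{pmatrix} 1 & 0 & 0 \\ 0 & 2 & 0 \\ 0 & 0 & 3 \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 & -1 & 0 & 0 \\ 0 & 2 & 0 & 0 & -2 & 0 \\ 0 & 0 & 3 & 0 & 0 & -3 \\ -2 & 0 & 0 & 0 & 0 & 0 \\ 0 & -4 & 0 & 0 & 0 & 0 \\ 0 & 0 & -6 & 0 & 0 & 0 \end{pmatrix}$$
where $A \otimes B$ is a linear operator defined on $\mathbb{R}^6$.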

Of course, the previous definitions are extended in the direct way to finite tensor products of spaces and operators. In particular, note that the tensor product of unit vectors is again a unit vector.
Also, the tensor product we have thus defined can also be extended to vectors and non-square matrices, and will be useful at the time of calculating the basis states of a quantum system with more than one qubit and representing it as a vector in $\mathbb{C}^l$, for some $l \in \mathbb{N}$.

Example: For instance, if $|0\rangle$ and $|1\rangle$ are the basis states of a quantum bit, the tensor product $|1\rangle \otimes |0\rangle$ will be given by:
$$|1\rangle \otimes |0\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \end{pmatrix}$$
Before continuing with the possible states of a multiple qubit system, let us introduce some notation.

Remark: As is well known, given two bases for $V$ and $W$, say
$$B_V = \{v_1, \dots, v_n\}, \qquad B_W = \{w_1, \dots, w_m\},$$
the set
$$B_{V \otimes W} = \{v_i \otimes w_j \mid 1 \le i \le n,\ 1 \le j \le m\}$$
is a basis of $V \otimes W$.
In our set-up, the corresponding bases will be of use for representing integers. In a classical computer, we represent an integer $a \in \mathbb{Z}_{\ge 0}$ such that $a < 2^n$ (i.e., such that it can be described with $n$ bits) with the base-2 numeral system:
$$a = \sum_{l=0}^{n-1} a_l 2^l$$
where $a_l \in \{0, 1\}$ are the binary digits of $a$. In a quantum computer, we can also represent an integer $a < 2^n$ with $n$ qubits as follows:
$$|a\rangle_n = |a_{n-1} \cdots a_1 a_0\rangle = \bigotimes_{l=0}^{n-1} |a_l\rangle$$

Thus, for example, the number 29 can be represented with 5 qubits (as $29 < 2^5$) like this:
$$|29\rangle_5 = |11101\rangle = |1\rangle \otimes |1\rangle \otimes |1\rangle \otimes |0\rangle \otimes |1\rangle.$$
In this way, integers are always represented by elements of the basis which is obtained from tensor products of the single-qubit computational bases. This basis will be subsequently called the computational basis itself.

Notation: From now on, the notation $|\psi\rangle_n$ will imply that we are describing an $n$-qubit system (with $n \ge 2$) instead of a single-qubit one, which will continue to be indicated by the absence of a subindex. We will also sometimes use the notation $|uv\rangle$ to describe the tensor product $|u\rangle \otimes |v\rangle$ of two basis states. Now that we know what $|\psi\rangle_n$ and $|a\rangle_n$ really mean, we are finally in a position to begin studying the possible states of a multiple-qubit system, which is, once again, essentially a unit vector in the corresponding Hilbert space.
Definition 3.5. The state $|\psi\rangle_n$ of a generic $n$-qubit system is a superposition (that is, a linear combination) of the $2^n$ states of the computational basis $|0\rangle_n, |1\rangle_n, \dots, |2^n - 1\rangle_n$ with modulus 1. In particular,
$$|\psi\rangle_n = \sum_{j=0}^{2^n-1} \alpha_j |j\rangle_n,$$
with amplitudes $\alpha_j \in \mathbb{C}$ constrained to
$$\sum_{j=0}^{2^n-1} |\alpha_j|^2 = 1.$$

This can be seen as an obvious advantage with respect to classical computation. In a conventional computer we can store one and only one integer between 0 and $2^n - 1$ inside an $n$-bit register, which can be seen as a discrete probability distribution between all possible integers where the integer we have stored has probability 1 and the rest have 0. In a quantum register, the probability can be distributed between all integers from 0 to $2^n - 1$, instead of having just one possibility when it comes to reading the register. Moreover, if we are to simulate this quantum behavior with a classical computer, we would need $2^n$ registers of $n$ bits, instead of a single $n$-qubit register as in the quantum case. This is precisely one of the benefits of quantum computing that Richard Feynman foretold in his paper [22].

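Example: Let us have a look at the simplest case. The basis states of a two-qubit system are the tensor products of the basis states of a single-qubit system:
$$|0\rangle_2 = |00\rangle = |0\rangle \otimes |0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 1 \\ 0 \\ 0 \\ 0 \end{pmatrix}, \qquad |1\rangle_2 = |01\rangle = |0\rangle \otimes |1\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} 0 \\ 1 \\ 0 \\ 0 \end{pmatrix},$$
$$|2\rangle_2 = |10\rangle = |1\rangle \otimes |0\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \end{pmatrix}, \qquad |3\rangle_2 = |11\rangle = |1\rangle \otimes |1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 1 \end{pmatrix}.$$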
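And the generic state of two different single-qubit systems, described independently, can be represented as
$$|\psi_0\rangle = \alpha|0\rangle + \beta|1\rangle = \alpha\begin{pmatrix} 1 \\ 0 \end{pmatrix} + \beta\begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} \alpha \\ \beta \end{pmatrix}$$
and
$$|\psi_1\rangle = \gamma|0\rangle + \delta|1\rangle = \gamma\begin{pmatrix} 1 \\ 0 \end{pmatrix} + \delta\begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} \gamma \\ \delta \end{pmatrix},$$
where $|\alpha|^2 + |\beta|^2 = 1$ and $|\gamma|^2 + |\delta|^2 = 1$. This means that the state of the 2-qubit system which arises from them should be described as the tensor product of both:
$$|\psi_0\rangle \otimes |\psi_1\rangle = \begin{pmatrix} \alpha \\ \beta \end{pmatrix} \otimes \begin{pmatrix} \gamma \\ \delta \end{pmatrix} = \begin{pmatrix} \alpha\gamma \\ \alpha\delta \\ \beta\gamma \\ \beta\delta \end{pmatrix}.$$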

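On the other hand, if we want to describe a generic 2-qubit system $|\psi\rangle_2$ with the basis states defined above, we would have
$$|\psi\rangle_2 = \alpha_0\begin{pmatrix} 1 \\ 0 \\ 0 \\ 0 \end{pmatrix} + \alpha_1\begin{pmatrix} 0 \\ 1 \\ 0 \\ 0 \end{pmatrix} + \alpha_2\begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \end{pmatrix} + \alpha_3\begin{pmatrix} 0 \\ 0 \\ 0 \\ 1 \end{pmatrix} = \begin{pmatrix} \alpha_0 \\ \alpha_1 \\ \alpha_2 \\ \alpha_3 \end{pmatrix},$$
where
$$|\alpha_0|^2 + |\alpha_1|^2 + |\alpha_2|^2 + |\alpha_3|^2 = 1$$
must hold (remember that any quantum system must be described as a unit vector).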

Note that if our generic two-qubit system described by $|\psi\rangle_2$ is to be decomposed into two single-qubit states (i.e., $|\psi\rangle_2 = |\psi_0\rangle \otimes |\psi_1\rangle$), then
$$\alpha_0 = \alpha\gamma, \quad \alpha_1 = \alpha\delta, \quad \alpha_2 = \beta\gamma \quad\text{and}\quad \alpha_3 = \beta\delta.$$

It is easy to see that the equality $\alpha_0\alpha_3 = \alpha_1\alpha_2$ is imposed; however, it is clear that this condition does not necessarily hold in a generic two-qubit state.
This is the mathematical counterpart of a well-known physical phenomenon called quantum entanglement, which implies that the quantum state of each one of the particles of a two-qubit system may not be described independently. This leads us to the subsequent definition:
Definition 3.6. An $n$-qubit general state $|\psi\rangle_n$ is called mixed or entangled if there does not exist $n$ one-qubit states $|\psi_0\rangle, \dots, |\psi_n\rangle$ such that
$$|\psi\rangle_n = |\psi_0\rangle \otimes \dots \otimes |\psi_n\rangle.$$

Remark: Quantum entanglement was first observed in nature in 1935, and in early days it was known
as the Einstein–Podolsky–Rosen paradox. It was first studied by German-born theoretical physicist
Albert Einstein (1879 – 1955) and his colleagues Boris Podolsky (1896 – 1966) and Nathan Rosen
(1909 – 1995) [19], and later by Austrian physicist Erwin Schrödinger (1887 – 1961) [44]. The role and
importance of quantum entanglement in quantum algorithms operating on pure states and in quantum
computational speed-up was extensively discussed by Richard Jozsa and Noah Linden in [28].
In particular, it is shown in the above reference that a quantum computer which does not take
advantage of the quantum entanglement is not too far apart from a classical computer. In fact, the
most interesting result that links quantum entanglement and quantum computing performance over
classical computation is the following:
Theorem 3.7. (Gottesman–Knill) A quantum algorithm that starts in a computational basis state
and does not feature quantum entanglement can be simulated in polynomial time by a probabilistic
classical computer [1].

Therefore, it is precisely quantum entanglement that might give quantum computing a head start, compared to classical computing. One of the many challenges on the hardware side is precisely to create a stable enough environment for entanglement, which is a very delicate and fragile phenomenon.

Remark: Analogously to the single-qubit case, observing an $n$-qubit system unavoidably interferes with $|\psi\rangle_n$ and impels it to collapse to one of the vectors of the computational basis (i.e., to $|j\rangle_n$ with $0 \le j < 2^n$). This collapse is again non-deterministic and is governed by the discrete probability distribution given by $|\alpha_j|^2$. Thus, all the information that may have been stored in the amplitudes $\alpha_j$ is inevitably lost after the measurement process.

Example: By way of illustration, let us suppose that we have the following 3-qubit quantum system:
$$|\psi\rangle_3 = \frac{1}{2}|1\rangle_3 + \frac{1}{2}|3\rangle_3 + \frac{1}{2}|5\rangle_3 + \frac{1}{2}|7\rangle_3.$$
Then, if we measure this system, we will obtain with identical probability one of these possible outcomes: 1, 3, 5 or 7. Additionally, it is interesting to see the behavior of a quantum system if, rather than measuring all qubits at once, we measure them one by one. Our previous quantum system can be seen as
$$|\psi\rangle_3 = \frac{1}{2}|001\rangle + \frac{1}{2}|011\rangle + \frac{1}{2}|101\rangle + \frac{1}{2}|111\rangle.$$
But also as
$$|\psi\rangle_3 = \frac{1}{\sqrt{2}}|0\rangle \otimes \left(\frac{1}{\sqrt{2}}|01\rangle + \frac{1}{\sqrt{2}}|11\rangle\right) + \frac{1}{\sqrt{2}}|1\rangle \otimes \left(\frac{1}{\sqrt{2}}|01\rangle + \frac{1}{\sqrt{2}}|11\rangle\right)$$
or as
$$|\psi\rangle_3 = \left(\frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle\right) \otimes \left(\frac{1}{\sqrt{2}}|01\rangle + \frac{1}{\sqrt{2}}|11\rangle\right).$$
If we measure the first qubit, we have the same probability of obtaining 0 or 1. However, as the measurement collapses the state of the qubit, the two remaining qubits will be forced to be in a state that is somewhat linked to the one we have obtained for the first qubit (i.e., the part that is tensored with the result we obtain for the first qubit). Let us suppose that by measuring the first qubit, we have obtained a 1. Then, our 3-qubit system has collapsed to
$$|\psi\rangle_3 = |1\rangle \otimes \left(\frac{1}{\sqrt{2}}|01\rangle + \frac{1}{\sqrt{2}}|11\rangle\right),$$
which can also be seen as
$$|\psi\rangle_3 = |1\rangle \otimes \left(\frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle\right) \otimes |1\rangle.$$
Note that the third qubit is already in one of the states of the computational basis, which means that, if we measure it right now, we will certainly obtain the value 1. The only remaining qubit that is not in the computational basis is the second one. Looking at the current state of our system, it is easy to see that we have the same probability of obtaining 0 or 1 by measuring it, which means that we will obtain 5 or 7.

Remark: It is of interest to see whether the result we obtain from one of the qubits conditions the possible values of the remaining qubits. Let
$$|\psi\rangle_2 = \frac{1}{\sqrt{2}}\left(|0\rangle \otimes |0\rangle\right) + \frac{1}{\sqrt{2}}\left(|1\rangle \otimes |1\rangle\right)$$
be one of the four possible so-called Bell states [4, 39], named after Northern Irish physicist John Stewart Bell (1928 – 1990). This state is composed of two entangled qubits (they cannot be described as two single-qubit states). If we measure the second qubit, we have the same probability of obtaining 0 or 1. However, if we first measure the first qubit, and obtain 1, then the state of the second qubit will collapse (without having observed it) to 1, as the value 1 for the second qubit is only tensored with the value 1 of the first qubit. Thus, the result we obtain from a qubit or a set of qubits can be conditioned by the order in which we proceed to measure the rest of the qubits. As will be seen later, the order in which we choose to read the members of a quantum register is one of the most important aspects of a quantum algorithm.
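
The one-by-one measurements of the 3-qubit example and of the Bell state above can be checked numerically. The following Python sketch is an added example, not code from the paper; the function names, and the convention that qubit 0 is the leftmost qubit of $|a_{n-1} \cdots a_0\rangle$, are assumptions made here.

```python
import math
import random


def qubit_value(j, n, k):
    """Value (0 or 1) of qubit k in the basis state |j>_n.

    Assumption of this example: qubit 0 is the leftmost qubit,
    matching |a_{n-1} ... a_1 a_0> in the text.
    """
    return (j >> (n - 1 - k)) & 1


def outcome_probability(state, n, k, value):
    """Probability that measuring qubit k of an n-qubit state yields `value`."""
    return sum(abs(a) ** 2 for j, a in enumerate(state)
               if qubit_value(j, n, k) == value)


def collapse(state, n, k, value):
    """State after qubit k was measured and `value` was observed.

    Amplitudes inconsistent with the outcome become zero and the
    remaining ones are rescaled so the result is again a unit vector.
    """
    p = outcome_probability(state, n, k, value)
    if p == 0:
        raise ValueError("outcome has probability zero")
    scale = 1 / math.sqrt(p)
    return [a * scale if qubit_value(j, n, k) == value else 0.0
            for j, a in enumerate(state)]


def measure_qubit(state, n, k, rng):
    """Simulate one measurement of qubit k: (outcome, collapsed state)."""
    p1 = outcome_probability(state, n, k, 1)
    if p1 > 1 - 1e-12:        # outcome certain up to rounding error
        value = 1
    elif p1 < 1e-12:
        value = 0
    else:
        value = 1 if rng.random() < p1 else 0
    return value, collapse(state, n, k, value)


def measure_all_one_by_one(state, n, rng):
    """Measure the qubits from left to right; returns the integer read."""
    result = 0
    for k in range(n):
        bit, state = measure_qubit(state, n, k, rng)
        result = (result << 1) | bit
    return result


def support(state, tol=1e-12):
    """Indices j whose basis state |j>_n still has a non-zero amplitude."""
    return [j for j, a in enumerate(state) if abs(a) > tol]


def uniform_over(n, indices):
    """Unit vector with equal amplitudes on the listed basis states."""
    amp = 1 / math.sqrt(len(indices))
    return [amp if j in indices else 0.0 for j in range(2 ** n)]


# The 3-qubit example from the text: (|1> + |3> + |5> + |7>) / 2.
PSI3 = uniform_over(3, {1, 3, 5, 7})
# The Bell state from the text: (|00> + |11>) / sqrt(2).
BELL = uniform_over(2, {0, 3})

if __name__ == "__main__":
    after = collapse(PSI3, 3, 0, 1)            # first qubit read as 1
    print("P(first qubit = 1):", outcome_probability(PSI3, 3, 0, 1))
    print("outcomes still possible:", support(after))
    print("P(third qubit = 1):", outcome_probability(after, 3, 2, 1))
    bell_after = collapse(BELL, 2, 0, 1)       # first qubit read as 1
    print("Bell, P(second = 1) before:", outcome_probability(BELL, 2, 1, 1))
    print("Bell, P(second = 1) after:", outcome_probability(bell_after, 2, 1, 1))
    print("sampled register:", measure_all_one_by_one(PSI3, 3, random.Random(0)))
```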

Another set of operations between qubits that are of great value are the inner and outer products,
which we proceed to define.

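Definition 3.8. Let $|\psi_0\rangle_n$ and $|\psi_1\rangle_n$ be two $n$-qubit systems. The inner product of $|\psi_0\rangle_n$ and $|\psi_1\rangle_n$ is the usual scalar product, defined by
$$\langle\psi_0|\psi_1\rangle_n = |\psi_0\rangle_n^{*}\,|\psi_1\rangle_n.$$

The inner product has the following well-known properties:

• $\langle\psi_0|\psi_1\rangle_n = \langle\psi_1|\psi_0\rangle_n^{*}$
• $\langle\psi_0|\left(a|\psi_1\rangle + b|\psi_2\rangle\right)_n = a\langle\psi_0|\psi_1\rangle_n + b\langle\psi_0|\psi_2\rangle_n$
• $\langle\psi|\psi\rangle_n = \left\|\,|\psi\rangle_n\right\|^2$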

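Definition 3.9. Let $|\psi_0\rangle_n$ and $|\psi_1\rangle_n$ be two $n$-qubit systems. The outer product of $|\psi_0\rangle_n$ and $|\psi_1\rangle_n$ is defined by
$$|\psi_0\rangle\langle\psi_1|_n = |\psi_0\rangle_n\,|\psi_1\rangle_n^{*}.$$
For example, let
$$|\psi_0\rangle = \alpha|0\rangle + \beta|1\rangle = \begin{pmatrix} \alpha \\ \beta \end{pmatrix} \quad\text{and}\quad |\psi_1\rangle = \gamma|0\rangle + \delta|1\rangle = \begin{pmatrix} \gamma \\ \delta \end{pmatrix}$$
be two generic single-qubit systems, then the matrix representations of the inner and outer product between $|\psi_0\rangle$ and $|\psi_1\rangle$ are calculated as follows:
$$\langle\psi_0|\psi_1\rangle = \begin{pmatrix} \alpha^* & \beta^* \end{pmatrix}\begin{pmatrix} \gamma \\ \delta \end{pmatrix} = \alpha^*\gamma + \beta^*\delta, \qquad |\psi_0\rangle\langle\psi_1| = \begin{pmatrix} \alpha \\ \beta \end{pmatrix}\begin{pmatrix} \gamma^* & \delta^* \end{pmatrix} = \begin{pmatrix} \alpha\gamma^* & \alpha\delta^* \\ \beta\gamma^* & \beta\delta^* \end{pmatrix}.$$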

Remark: As we are only considering unit vectors, $\langle\psi|\psi\rangle = 1$ for any quantum state $|\psi\rangle$.

4 Quantum Circuits
The language of quantum circuits is a model of computation which is equivalent to quantum Turing machines or to universal quantum computers [49]. Currently, it is the most extensively used model when it comes to describing an algorithm that runs on a quantum machine, and it draws upon a sequence of register measurements (as described in Section 3) and discrete transformations (which will be explained in this section, as promised). This is mainly because all its elements can be treated as classical, with the sole exception of the information that is going through the wires.

First, we shall see what kind of transformations can be applied to the state of an $n$-qubit system. As a quantum state is always represented by a unit vector, we need the most general operator that preserves this property and the dimension of the vector.

Definition 4.1. A matrix $A \in M_{\mathbb{C}}(n)$ is unitary if
$$A^* A = A A^* = I$$
where $I$ is the identity matrix and $A^*$ is the Hermitian adjoint of $A$.


Definition 4.2. The unitary group of degree $n$, denoted by $U_{\mathbb{C}}(n)$, is the group of $n \times n$ unitary matrices, with matrix multiplication as the group operation.
Proposition 4.3. Let $A \in U_{\mathbb{C}}(n)$ be a unitary matrix and let $x \in \mathbb{C}^n$ be a unit vector, then $Ax \in \mathbb{C}^n$ is also a unit vector.
In this context, a unitary transformation acting on n-qubits is called an n-qubit quantum gate,
and can be represented by a unitary matrix. Let us expand this concept and its physical implications
(beyond the fact that quantum gate is probably cooler as a name than unitary matrix).
Definition 4.4. A quantum gate that operates on a space of one qubit is represented by a unitary matrix $A \in U_{\mathbb{C}}(2)$. More generally, a quantum gate acting on an $n$-qubit system is represented by a unitary matrix $A \in U_{\mathbb{C}}(2^n)$.
Please note that quantum gates necessarily have the same number of inputs and outputs, as opposed
to classical logic gates. From now on, all quantum gates will be represented with a bold symbol, in
order to distinguish them from mere matrices. We will show the most frequently used quantum gates as
examples, and various results that simplify in a dramatic way the difficulty of implementing physically
any quantum gate.
Definition 4.5. The Hadamard gate is a single-qubit gate with the following matrix representation:
$$\mathbf{H} = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$$
which is unitary.

Remark: The Hadamard gate, applied to each of the basis states, has the following effect:
$$\mathbf{H} : |j\rangle \longmapsto \frac{1}{\sqrt{2}}\left(|0\rangle + (-1)^j |1\rangle\right).$$

Remark: The classical flowchart for algorithms is replaced in quantum computing by the circuit representation, which allows one to get a glimpse of the procedure rather quickly. For instance, the circuit representation of the Hadamard gate is

$|\psi_0\rangle$ ──[ H ]── $|\psi_1\rangle$

which is shorthand for $|\psi_1\rangle \leftarrow \mathbf{H}|\psi_0\rangle$. The measurement step is written as

$|\eta_0\rangle$ ──[ measurement ]── $|\eta_1\rangle$

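Remark: As will be seen when describing the most relevant quantum algorithms, the Hadamard transformation is one of the most important quantum gates. Its importance lies in the role it plays in generating all possible basis states, all of them with the same amplitude, inside a quantum register.
Let us suppose that we have a qubit whose quantum state is $|\psi_0\rangle = \alpha|0\rangle + \beta|1\rangle$, where $|\alpha|^2 + |\beta|^2 = 1$. Then, the state of this single-qubit system after applying the Hadamard gate to it is:
$$\mathbf{H}|\psi_0\rangle = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}\begin{pmatrix} \alpha \\ \beta \end{pmatrix} = \frac{1}{\sqrt{2}}\begin{pmatrix} \alpha+\beta \\ \alpha-\beta \end{pmatrix} = \frac{\alpha+\beta}{\sqrt{2}}|0\rangle + \frac{\alpha-\beta}{\sqrt{2}}|1\rangle$$
Let us suppose now that, rather than having a generic state, we have the basis state $|\psi_0\rangle = |0\rangle$ in our one-qubit system. In that case, the result of applying the Hadamard gate will be as follows:
$$\mathbf{H}|\psi_0\rangle = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}\begin{pmatrix} 1 \\ 0 \end{pmatrix} = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 \\ 1 \end{pmatrix} = \frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle$$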

As can be appreciated, we have transformed a basis state, $|0\rangle$, into a linear combination of the two basis states, $|0\rangle$ and $|1\rangle$, with identical amplitudes. If we measure the qubit at this moment, we will obtain with equal probability one of the two possible basis states. That said, what will happen if, rather than having a single quantum state, we have an $n$-qubit quantum system, all of them also in their basis state $|0\rangle$?
$$\mathbf{H}^{\otimes n}|\psi_0\rangle_n = \mathbf{H}^{\otimes n}|0\rangle_n = \frac{1}{\sqrt{2^n}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}^{\otimes n}\begin{pmatrix} 1 \\ 0 \end{pmatrix}^{\otimes n} = \frac{1}{\sqrt{2^n}}\begin{pmatrix} 1 \\ 1 \end{pmatrix}^{\otimes n} = \frac{1}{\sqrt{2^n}}\sum_{j=0}^{2^n-1}|j\rangle_n$$

What we have obtained is, thanks to quantum entanglement, a superposition of all basis states of the system with identical probability. In other words, if we measure our $n$-qubit register right now, we will obtain a certain integer $j \in \{0, \dots, 2^n - 1\}$ with probability $1/2^n$.

Definition 4.6. The Pauli gates are single-qubit gates with the following matrices:
$$\mathbf{X} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad \mathbf{Y} = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad \mathbf{Z} = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$$
which are unitary, but also Hermitian.
The Pauli matrices have the following effect on the basis states:
$$\mathbf{X} : |j\rangle \longmapsto |1 \oplus j\rangle$$
$$\mathbf{Y} : |j\rangle \longmapsto (-i)^j\,|1 \oplus j\rangle$$
$$\mathbf{Z} : |j\rangle \longmapsto (-1)^j\,|j\rangle$$
The three previous quantum gates are named after Austrian-born Swiss and American theoretical physicist Wolfgang Pauli (1900 – 1958). The three of them, along with the identity matrix $I$, form a basis for the vector space of $2 \times 2$ Hermitian matrices (multiplied by real coefficients).

Single-qubit gates (that is, unitary 2 × 2 matrices) can, in fact, be fully described by means of the
following result, which is essentially straightforward:
Proposition 4.7. Let $A \in U_{\mathbb{C}}(2)$. Then, there exist real numbers α, β, γ and δ such that

$$A = e^{i\alpha} \begin{pmatrix} e^{-i\beta/2} & 0 \\ 0 & e^{i\beta/2} \end{pmatrix} \begin{pmatrix} \cos(\gamma/2) & -\sin(\gamma/2) \\ \sin(\gamma/2) & \cos(\gamma/2) \end{pmatrix} \begin{pmatrix} e^{-i\delta/2} & 0 \\ 0 & e^{i\delta/2} \end{pmatrix}$$

Remark: Matrices of the type

$$\begin{pmatrix} e^{-i\beta/2} & 0 \\ 0 & e^{i\beta/2} \end{pmatrix}$$

are usually called z–rotations, as their effect on a qubit, seen in the Bloch sphere, corresponds precisely
to a rotation of angle β about the z axis. For analogous reasons, matrices of the type

$$\begin{pmatrix} \cos(\gamma/2) & -\sin(\gamma/2) \\ \sin(\gamma/2) & \cos(\gamma/2) \end{pmatrix}$$

are called y–rotations.

However, all previously defined quantum gates have their limitations. In fact, quantum gates that
are the direct product of single-qubit gates cannot produce entanglement, which is reasonable, as
entanglement needs at the very least two qubits in order to happen.
Definition 4.8. The CNOT gate, which stands for controlled-not, is a two-qubit quantum gate with
the following matrix representation:

$$\mathrm{CNOT} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix}$$

Applied to a two-qubit basis state, the CNOT gate has the following effect:

$$\mathrm{CNOT} : |i\rangle \otimes |j\rangle \longmapsto |i\rangle \otimes |i \oplus j\rangle .$$

The CNOT gate is another one of the key quantum gates, as it can be used to entangle and
disentangle Bell states. In fact, it is the simplest gate that produces quantum entanglement. For
example, let

$$|\psi\rangle_2 = \frac{1}{\sqrt{2}} \left( |0\rangle_2 + |2\rangle_2 \right)$$

be an unmixed quantum state (as it can be written $|\psi\rangle_2 = |+\rangle \otimes |0\rangle$). If we apply the CNOT gate to
it, we obtain

$$|\psi'\rangle_2 = \mathrm{CNOT}(|\psi\rangle_2) = \frac{1}{\sqrt{2}} \Big[ \mathrm{CNOT}(|0\rangle \otimes |0\rangle) + \mathrm{CNOT}(|1\rangle \otimes |0\rangle) \Big] = \frac{1}{\sqrt{2}} \left( |0\rangle \otimes |0\rangle + |1\rangle \otimes |1\rangle \right),$$

which is one of the entangled Bell states.

Theorem 4.9. [18, 3] Let $A \in M_{\mathbb{C}}(2^n)$ be an n-qubit gate. Then it can be expressed as a finite number
of tensor products of single-qubit gates $M_i \in M_{\mathbb{C}}(2)$ and the two-qubit CNOT gate.

The previous result implies that every unitary transformation on an n-qubit system can be implemented
physically using only single-qubit gates and the CNOT gate. In other words, single-qubit gates
and the CNOT gate form a set of universal gates.

Thus, we have explained the main notions needed for the correct comprehension of the rest of this
paper: a quantum circuit algorithm will consist of a set of transformations of two different types,
observations and unitary transformations, applied to an n-qubit register. It is time to describe some of the
milestones of quantum computing.

5 Introduction to Quantum Algorithms


We present a chronological summary of the first quantum algorithms that were shown to be more
efficient than their best known classical counterparts. Our objective is to define them in the context of
the previous sections, while showcasing their main properties and proving their correctness. We also
give worked-out examples for some of them.

But first, let us explain two concepts that will be common to many of the algorithms here presented.
The first one is the hidden subgroup problem, which we proceed to define:
Definition 5.1. Let G be a group, let K ⊆ G be a subgroup of G and let g ∈ G. The cosets of K in
G with respect to g are the orbits gK and Kg, called respectively the left coset and the right coset.
Let G be a finitely generated group, let X be a finite set, and let f : G → X be a function that is
constant on the (say) left cosets of a certain subgroup K ⊆ G and distinct for each one of the cosets.
The hidden subgroup problem, or HSP, is the problem of determining a generating set for K, using f
as a black box.
Obviously, nothing changes if the map f is constant on the right cosets instead; the problem is likewise an HSP.

As will be shown, the superior performance of those algorithms relies on the ability of quantum
computers to solve the hidden subgroup problem for finite Abelian groups. All those HSP-related
algorithms were developed independently by different people, but the first to notice a common factor
between them and to find a generalization was Richard Jozsa [27].

The other common factor, closely related to the HSP, is the possibility of building a quantum gate
that can code a certain function f that is given as a black box (i.e., as a digital circuit). A proof of
this fact that uses the properties of reversible computation can be found in [39], and gives us another
important quantum gate.

Definition 5.2. Let $f : \{0,1\}^n \to \{0,1\}^m$ be a function. The oracle gate $O_f$ is the unitary
transformation that has the following effect on the basis states of a quantum system:

$$O_f : |j\rangle_n \otimes |k\rangle_m \longmapsto |j\rangle_n \otimes |k \oplus f(j)\rangle_m ,$$

where ⊕ is the bitwise exclusive disjunction operation.


The first algorithms that shared those elements eventually evolved into Shor’s factoring algorithm,
probably the most celebrated of all quantum algorithms and the one that gave birth to another of the
greatest achievements in quantum computation: the quantum Fourier transform. All those algorithms
are capable of solving their respective problems in polynomial time. However, for some of them the
non-existence of polynomial-time classical algorithms for those same problems has yet to be proven.

Another class of algorithms, which will be shown at the end of the chapter and which also uses the
oracle gate, is based on Grover’s quantum search, whose objective is to speed up the finding of a
solution for a problem whose candidate solutions can be verified in polynomial time (i.e., all problems
in NP).

Finally, we explain the algorithm of quantum counting, which makes use of both worlds.

6 Deutsch’s Algorithm
Let $f : \{0,1\} \to \{0,1\}$ be a function. It is clear that either $f(0) = f(1)$ or $f(0) \neq f(1)$. Let
us suppose that we are given f as a black box, and that we want to know if f is constant. From a
classical perspective, it is completely necessary to evaluate the function at both 0 and 1 if we
are to know this property with certainty. Deutsch’s algorithm [13] shows us that, with the help of a
quantum computer, it is possible to achieve this with only a single evaluation of f.

We can see the previous question as an instance of the hidden subgroup problem, where G =
({0, 1}, ⊕), X = {0, 1}, and K is either {0} or {0, 1} depending on the nature of f . Note that in this
case the cosets of {0} are {0} and {1} and that the only coset of {0, 1} is precisely {0, 1}.

SETUP

$|\psi_0\rangle_{1,1} \leftarrow |0\rangle \otimes |1\rangle$

Deutsch’s algorithm needs only two one-qubit registers. The first one is initialized at $|0\rangle$, and the
second one at $|1\rangle$. As will be seen, this is due to the properties of the Hadamard gate when applied to
the canonical basis states, and it is a frequent way of initializing a quantum algorithm.

STEP 1

 
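$|\psi_1\rangle_{1,1} \leftarrow H^{\otimes 2}\left(|\psi_0\rangle_{1,1}\right)$

On the first step of Deutsch’s algorithm we apply the Hadamard gate to both quantum registers,
thus transforming the values of the canonical basis into the respective ones of the Hadamard basis.

$$|\psi_1\rangle_{1,1} = H^{\otimes 2}(|0\rangle \otimes |1\rangle) = (H|0\rangle) \otimes (H|1\rangle) = \left( \frac{|0\rangle + |1\rangle}{\sqrt{2}} \right) \otimes \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right) = |+\rangle \otimes |-\rangle$$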

STEP 2

 
$|\psi_2\rangle_{1,1} \leftarrow O_f\left(|\psi_1\rangle_{1,1}\right)$

The second step needs the oracle gate, defined at the beginning of this chapter for a generic function
and for n and m qubits. Note that, in this case, the function f associated to the oracle gate as a black
box is the one given for this instance of the hidden subgroup problem: $f : \{0,1\} \to \{0,1\}$. In fact,
the oracle gate is not a constant transformation as are the Hadamard or the Pauli gates, but it rather
depends on the problem. It is thus constructed ad hoc subject to the question we want to answer,
provided that we have a logic circuit that implements f. The effect the oracle gate has on our quantum
register can be seen as follows:

$$\begin{aligned}
|\psi_2\rangle_{1,1} &= O_f\left(|\psi_1\rangle_{1,1}\right) = O_f(|+\rangle \otimes |-\rangle) = O_f\left[ \left( \frac{|0\rangle + |1\rangle}{\sqrt{2}} \right) \otimes |-\rangle \right] \\
&= \frac{O_f(|0\rangle \otimes |-\rangle) + O_f(|1\rangle \otimes |-\rangle)}{\sqrt{2}} = \frac{(-1)^{f(0)} |0\rangle \otimes |-\rangle + (-1)^{f(1)} |1\rangle \otimes |-\rangle}{\sqrt{2}} \\
&= \left( \frac{(-1)^{f(0)} |0\rangle + (-1)^{f(1)} |1\rangle}{\sqrt{2}} \right) \otimes |-\rangle
\end{aligned}$$

Please notice that all operations are just algebraic manipulations which allow us to see more clearly
the information we have inside our quantum computer. We are not modifying anything, we are just
reshaping the equation in order to have a better picture of what is happening.

STEP 3

 
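$|\psi_3\rangle_{1,1} \leftarrow (H \otimes I)\left(|\psi_2\rangle_{1,1}\right)$

The third and final step before measuring our quantum register involves again the Hadamard gate
H, but this time it is only applied to the first register. The second register is left alone, which is
represented with an identity gate I. In fact, the information inside the second register is no longer
relevant, as it was only used as the auxiliary register needed for the oracle gate.

$$\begin{aligned}
|\psi_3\rangle_{1,1} &= (H \otimes I)\left(|\psi_2\rangle_{1,1}\right) = (H \otimes I)\left[ \left( \frac{(-1)^{f(0)} |0\rangle + (-1)^{f(1)} |1\rangle}{\sqrt{2}} \right) \otimes |-\rangle \right] \\
&= \left( \frac{(-1)^{f(0)} H|0\rangle + (-1)^{f(1)} H|1\rangle}{\sqrt{2}} \right) \otimes |-\rangle = \left( \frac{(-1)^{f(0)} |+\rangle + (-1)^{f(1)} |-\rangle}{\sqrt{2}} \right) \otimes |-\rangle \\
&= \left( \frac{(-1)^{f(0)} |0\rangle + (-1)^{f(0)} |1\rangle + (-1)^{f(1)} |0\rangle - (-1)^{f(1)} |1\rangle}{2} \right) \otimes |-\rangle \\
&= \left( \frac{\left[(-1)^{f(0)} + (-1)^{f(1)}\right] |0\rangle + \left[(-1)^{f(0)} - (-1)^{f(1)}\right] |1\rangle}{2} \right) \otimes |-\rangle \\
&= (-1)^{f(0)} |f(0) \oplus f(1)\rangle \otimes |-\rangle
\end{aligned}$$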

In order to understand the last part of the equation, one must take into account that, if $f(0) = f(1)$,
then $(-1)^{f(0)} - (-1)^{f(1)} = 0$ and $f(0) \oplus f(1) = 0$. A similar reasoning goes for $f(0) \neq f(1)$, which
leads us to the last expression for $|\psi_3\rangle_{1,1}$. Note also that $f(0) \oplus f(1) = 0$ if and only if $f(0) = f(1)$,
and that $f(0) \oplus f(1) = 1$ if and only if $f(0) \neq f(1)$.

STEP 4

$\tilde{\delta} \leftarrow$ measure the first register of $|\psi_3\rangle_{1,1}$

As the reader has surely noted, the information we wanted to obtain from the function f is already
in the first register. We measure it now, thus destroying all the information related to the amplitudes
of the basis states, and obtain a certain $\tilde{\delta} \in \{0,1\}$. If $\tilde{\delta} = 0$, then $K = \{0,1\}$ and $f(0) = f(1)$. If $\tilde{\delta} = 1$,
then $K = \{0\}$ and $f(0) \neq f(1)$. A circuit representation of Deutsch’s algorithm can be found below.

Figure 3: Circuit representation of Deutsch’s algorithm

At this moment, the inherent capabilities of quantum computing begin to surface. A problem which
needs two evaluations of a function f in its classical version can be reduced to just one evaluation of
the same function in its quantum counterpart thanks to quantum parallelism. One may wonder if this
property could be scaled to a function acting on $\{0,1\}^n$ rather than just $\{0,1\}$. That is the objective
of the next algorithm.

7 Deutsch–Jozsa Algorithm
The following algorithm is a generalization of the previous one. Its original version appeared in
[15], and is due again to David Deutsch and also to Australian mathematician Richard Jozsa (b. 1953).
Let $f : \{0,1\}^n \to \{0,1\}$ be a function that is either constant for all values in $\{0,1\}^n$, or else balanced
(i.e., equal to 0 for exactly half of all possible values in $\{0,1\}^n$, and to 1 for the other half). The
problem of determining if the function f is constant or balanced, using it as a black box, is called
Deutsch’s problem. In the classical version, a solution for this problem requires $2^{n-1} + 1$ evaluations
of f in the worst case. Let us see if we can improve that bound with the help of a quantum computer.

SETUP

$|\psi_0\rangle_{n,1} \leftarrow |0\rangle_n \otimes |1\rangle$

We need a quantum computer with n + 1 qubits, where the first n qubits will be initialized at
$|0\rangle$ and the remaining one at $|1\rangle$. Again, the single-qubit register is only used as the auxiliary qubit
required for the oracle gate.

STEP 1

 
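$|\psi_1\rangle_{n,1} \leftarrow H^{\otimes (n+1)}\left(|\psi_0\rangle_{n,1}\right)$

The first transformation we apply to our system is again the Hadamard gate. As explained in Section 4,
when applied to the basis state $|0\rangle_n$ the Hadamard transformation gives us a superposition of all basis
states with identical probability, thus obtaining the following quantum state:

$$|\psi_1\rangle_{n,1} = \left( H^{\otimes n} |0\rangle_n \right) \otimes (H|1\rangle) = \left( \frac{1}{\sqrt{2^n}} \sum_{i=0}^{2^n-1} |i\rangle_n \right) \otimes |-\rangle$$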

STEP 2

 
$|\psi_2\rangle_{n,1} \leftarrow O_f\left(|\psi_1\rangle_{n,1}\right)$

Now, we apply the oracle gate, which in this case is constructed for n + 1 qubits and for the specific
function f that we want to classify as constant or balanced.

$$|\psi_2\rangle_{n,1} = O_f\left[ \left( \frac{1}{\sqrt{2^n}} \sum_{i=0}^{2^n-1} |i\rangle_n \right) \otimes |-\rangle \right] = \frac{1}{\sqrt{2^n}} \sum_{j=0}^{2^n-1} O_f\left(|j\rangle_n \otimes |-\rangle\right) = \frac{1}{\sqrt{2^n}} \sum_{j=0}^{2^n-1} (-1)^{f(j)} |j\rangle_n \otimes |-\rangle$$

The last step is better understood if we apply it separately to a generic basis state $|j\rangle_n$ with
$j \in \{0, \dots, 2^n - 1\}$, tensored with the Hadamard basis state $|-\rangle$.

$$\begin{aligned}
O_f\left(|j\rangle_n \otimes |-\rangle\right) &= O_f\left( |j\rangle_n \otimes \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right) = \frac{O_f(|j\rangle_n \otimes |0\rangle) - O_f(|j\rangle_n \otimes |1\rangle)}{\sqrt{2}} \\
&= \frac{|j\rangle_n \otimes |f(j)\rangle - |j\rangle_n \otimes |1 \oplus f(j)\rangle}{\sqrt{2}} = (-1)^{f(j)} |j\rangle_n \otimes \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right) \\
&= (-1)^{f(j)} |j\rangle_n \otimes |-\rangle
\end{aligned}$$

Thus, we end up again with a superposition of all basis states in the first register, all of them with
identical probability. The only difference with the previous state is that the amplitude of the states
$|j\rangle_n$ remains identical if $f(j) = 0$, and is negated when $f(j) = 1$. Taking into account that either f
is constant or balanced (i.e., all amplitudes are the same now, or half the amplitudes are positive and
the other ones negative), is there any way to obtain this information from our quantum register? Note
that, until now, although we have applied f to every possible $j \in \{0, \dots, 2^n - 1\}$, we have used the
gate that implements it only once.

STEP 3

 
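$|\psi_3\rangle_{n,1} \leftarrow (H^{\otimes n} \otimes I)\left(|\psi_2\rangle_{n,1}\right)$

The last step involves again the Hadamard transform. We apply it to the first n qubits of our
quantum system, and obtain the following:

$$\begin{aligned}
|\psi_3\rangle_{n,1} &= (H^{\otimes n} \otimes I)\left[ \frac{1}{\sqrt{2^n}} \sum_{j=0}^{2^n-1} (-1)^{f(j)} |j\rangle_n \otimes |-\rangle \right] = \left[ \frac{1}{\sqrt{2^n}} \sum_{j=0}^{2^n-1} (-1)^{f(j)} H^{\otimes n} |j\rangle_n \right] \otimes |-\rangle \\
&= \left[ \frac{1}{2^n} \sum_{k=0}^{2^n-1} \left( \sum_{j=0}^{2^n-1} (-1)^{f(j) + j \cdot k} \right) |k\rangle_n \right] \otimes |-\rangle
\end{aligned}$$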

In order to understand the last equation, we must first understand the effect of the Hadamard gate on
an n-qubit basis state. Let $j \in \{0, \dots, 2^n - 1\}$; a closer inspection leads us to the following identity:

$$H^{\otimes n}(|j\rangle_n) = \frac{1}{\sqrt{2^n}} \sum_{k=0}^{2^n-1} (-1)^{j \cdot k} |k\rangle_n ,$$

where $j \cdot k$ is the bitwise inner product of j and k, modulo 2, i.e.,

$$j \cdot k = \sum_{l=1}^{n} j_l k_l \bmod 2,$$

with $j_l$ and $k_l$ being the binary digits of j and k respectively. Likewise, the last identity is a
generalization of the effect of the one-qubit Hadamard gate, which can be seen as:

$$H(|j\rangle) = \frac{1}{\sqrt{2}} \left( |0\rangle + (-1)^j |1\rangle \right) = \frac{1}{\sqrt{2}} \sum_{k=0}^{1} (-1)^{jk} |k\rangle$$

Figure 4: Circuit representation of Deutsch-Jozsa algorithm

STEP 4

$\tilde{k} \leftarrow$ measure the first register of $|\psi_3\rangle_{n,1}$

Finally, we are able to measure the qubits, thus destroying the information inside the register
and obtaining a number $\tilde{k} \in \{0, \dots, 2^n - 1\}$ according to the probability distribution given by the
amplitudes

$$\alpha_k = \sum_{j=0}^{2^n-1} (-1)^{f(j) + j \cdot k} .$$

Let us have a closer look at the probability of obtaining $\tilde{k} = 0$. It is given by:

$$|\alpha_0|^2 = \left| \frac{1}{\sqrt{2^n}} \sum_{j=0}^{2^n-1} (-1)^{f(j)} \right|^2 .$$

It is easy to see that $|\alpha_0|^2 = 1$ if and only if the function f is constant for all $j \in \{0, \dots, 2^n - 1\}$,
and that $|\alpha_0|^2 = 0$ if and only if the function f is balanced (recall that we are promised that f is
of one of those two natures). Having said that, if we now measure the first register and obtain some
$\tilde{k}$, we can conclude that f is constant if $\tilde{k} = 0$, and that f is balanced otherwise. With just a single
evaluation of f we have answered the question, as opposed to the $2^{n-1} + 1$ evaluations needed in the
classical version. A circuit representation of Deutsch-Jozsa algorithm is displayed in Figure 4.

The previous algorithm has much more profound implications than the possibility of solving
Deutsch’s problem exponentially faster with the help of a quantum computer. It also tells us that,
relative to an oracle (i.e., a black box that solves a certain problem or function, namely f ) we can
establish a difference between the classes P and EQP (Exact Quantum Polynomial, that is, quantum
algorithms that run in polynomial time and give the solution with probability 1). Note that this does
not imply that P ≠ EQP; it just tells us that there exists an oracle separation between P and EQP.
We shall come back to these concepts later on.
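
The steps of Sections 6 and 7 can be checked with a small state-vector simulation. The following is an added example, not code from the paper: it tracks all $2^{n+1}$ amplitudes, applies $H$ and $O_f$ exactly as in SETUP and STEPS 1 to 3, and returns the distribution of the measurement in STEP 4 (Deutsch’s algorithm is the case n = 1). The function names and the index layout (auxiliary qubit in the lowest bit) are assumptions of this sketch.

```python
import math


def apply_hadamard(state, qubit):
    """Apply H to the qubit stored in bit position `qubit` of the basis index."""
    out = list(state)
    bit = 1 << qubit
    r = 1 / math.sqrt(2)
    for idx in range(len(state)):
        if not idx & bit:
            a, b = state[idx], state[idx | bit]
            out[idx] = r * (a + b)        # new amplitude of the |0> branch
            out[idx | bit] = r * (a - b)  # new amplitude of the |1> branch
    return out


def apply_oracle(state, f):
    """O_f : |j>|k> -> |j>|k xor f(j)>, i.e. a permutation of the basis states."""
    out = [0.0] * len(state)
    for idx, amp in enumerate(state):
        j, k = idx >> 1, idx & 1          # index = 2*j + k (assumed layout)
        out[(j << 1) | (k ^ f(j))] = amp
    return out


def first_register_distribution(f, n):
    """Run SETUP and STEPS 1-3; return P(k) for every outcome k of STEP 4."""
    state = [0.0] * (2 ** (n + 1))
    state[1] = 1.0                        # SETUP: |0>_n (x) |1>
    for q in range(n + 1):                # STEP 1: H on all n + 1 qubits
        state = apply_hadamard(state, q)
    state = apply_oracle(state, f)        # STEP 2: O_f is used exactly once
    for q in range(1, n + 1):             # STEP 3: H on the first register only
        state = apply_hadamard(state, q)
    # STEP 4: marginal distribution of the first register
    return [state[2 * k] ** 2 + state[2 * k + 1] ** 2 for k in range(2 ** n)]


def classify(f, n):
    """'constant' if outcome 0 is certain, 'balanced' if it is impossible."""
    p0 = first_register_distribution(f, n)[0]
    if abs(p0 - 1) < 1e-9:
        return "constant"
    if abs(p0) < 1e-9:
        return "balanced"
    raise ValueError("f breaks the promise: neither constant nor balanced")


if __name__ == "__main__":
    # Constructed sample functions on n = 3 bits.
    print(classify(lambda j: 1, 3))                           # constant
    print(classify(lambda j: 1 if j in (0, 1, 2, 4) else 0, 3))  # balanced
    print(first_register_distribution(lambda j: j, 1))        # Deutsch, f(0) != f(1)
```

A function that violates the promise gives an outcome-0 probability strictly between 0 and 1, which is why `classify` raises instead of guessing.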

8 Simon’s Algorithm
Let $f : \{0,1\}^n \to \{0,1\}^n$ be a function such that, for some $s \in \{0,1\}^n$ with $s \neq 0$, $f(j) = f(k)$
if and only if either $j = k$ or $j \oplus k = s$ for all $j, k \in \{0,1\}^n$ (where ⊕ is again the bitwise exclusive
disjunction operation, also called bitwise xor). Simon’s problem is defined as: given such an f as a
black box, figure out the value of s, which is usually called the xor-mask of f. The problem and
the quantum algorithm we proceed to explain were both first presented in [46] by Daniel R. Simon,
hence their names.

Simon’s problem can also be seen as an instance of the hidden subgroup problem, where $G =
(\{0,1\}^n, \oplus)$, $X \subseteq \{0,1\}^n$ is any finite set, and $K = \{0, s\}$ for some $s \in \{0,1\}^n$. In the classical version,
a solution for this problem requires that we find a pair of values $x, y \in \{0,1\}^n$ such that $f(x) = f(y)$,
and then compute $x \oplus y$. This solution requires $O(2^{n/2})$ evaluations of f in the worst case whereas, as
will be proved later, Simon’s algorithm only needs $O(n)$ evaluations of f.

SETUP

$|\psi_0\rangle_{n,n} \leftarrow |0\rangle_n \otimes |0\rangle_n$

In this algorithm, we need 2n qubits, all of them initialized at $|0\rangle$.

STEP 1

 
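$|\psi_1\rangle_{n,n} \leftarrow (H^{\otimes n} \otimes I^{\otimes n})\left(|\psi_0\rangle_{n,n}\right)$

We first apply the Hadamard transformation to the first half of our qubit set, thus obtaining the
following quantum state.

$$|\psi_1\rangle_{n,n} = (H^{\otimes n} \otimes I^{\otimes n})(|0\rangle_n \otimes |0\rangle_n) = (H^{\otimes n} |0\rangle_n) \otimes (|0\rangle_n) = \frac{1}{\sqrt{2^n}} \sum_{j=0}^{2^n-1} |j\rangle_n \otimes |0\rangle_n$$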

STEP 2

 
$|\psi_2\rangle_{n,n} \leftarrow O_f\left(|\psi_1\rangle_{n,n}\right)$

Next, we use the oracle gate, built particularly for the function f. Note that, thanks to quantum
parallelism, we apply here the function f to all possible values in $\{0,1\}^n$ with just a single iteration of
$O_f$. Thus, all possible values of f are now present in the second register.

$$|\psi_2\rangle_{n,n} = O_f\left( \frac{1}{\sqrt{2^n}} \sum_{j=0}^{2^n-1} |j\rangle_n \otimes |0\rangle_n \right) = \frac{1}{\sqrt{2^n}} \sum_{j=0}^{2^n-1} O_f\left(|j\rangle_n \otimes |0\rangle_n\right) = \frac{1}{\sqrt{2^n}} \sum_{j=0}^{2^n-1} |j\rangle_n \otimes |f(j)\rangle_n$$

STEP 3

$\tilde{\delta} \leftarrow$ measure the second register of $|\psi_2\rangle_{n,n}$

$|\psi_3\rangle_n \leftarrow |\psi_2\rangle_{n,n}$ after measuring the second register

In this step we see for the first time the true effects of measuring part of our quantum system
before completing the execution of an algorithm. If we measure now the second register, we shall
end up with a value $\tilde{\delta} = f(\tilde{j})$ for a certain $\tilde{j} \in \{0,1\}^n$. Thus, only the values in $f^{-1}(\tilde{\delta})$ will remain
in the first register (before measuring, they were the only ones tensored with $|\tilde{\delta}\rangle$). In any case, as
$f^{-1}(\tilde{\delta}) = \{\tilde{j}, \tilde{j} \oplus s\}$ (we remark that $j \oplus k = s$ if and only if $j \oplus s = k$), we end up with the following
quantum state:

$$|\psi_3\rangle_n = \frac{1}{\sqrt{2}} \left( |\tilde{j}\rangle_n + |\tilde{j} \oplus s\rangle_n \right)$$

STEP 4

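$|\psi_4\rangle_n \leftarrow H^{\otimes n}(|\psi_3\rangle_n)$

The last transformation we apply to our quantum system is, again, the Hadamard gate. Before
that, we could have measured the first register and obtained a certain value in $f^{-1}(\tilde{\delta}) = \{\tilde{j}, \tilde{j} \oplus s\}$.
However, in that case we would have ended with the same information as if we had just made
a single classical evaluation of f. The Hadamard gate, on the other hand, will let us obtain much
more information than from a single evaluation of f: it will give us some precious information about
s. Following a similar reasoning as with Deutsch-Jozsa algorithm, we end up with:

$$\begin{aligned}
|\psi_4\rangle_n &= H^{\otimes n}\left[ \frac{1}{\sqrt{2}} \left( |\tilde{j}\rangle_n + |\tilde{j} \oplus s\rangle_n \right) \right] = \frac{1}{\sqrt{2}} \left( H^{\otimes n} |\tilde{j}\rangle_n + H^{\otimes n} |\tilde{j} \oplus s\rangle_n \right) \\
&= \frac{1}{\sqrt{2}} \left[ \frac{1}{\sqrt{2^n}} \sum_{k=0}^{2^n-1} (-1)^{\tilde{j} \cdot k} |k\rangle_n + \frac{1}{\sqrt{2^n}} \sum_{k=0}^{2^n-1} (-1)^{(\tilde{j} \oplus s) \cdot k} |k\rangle_n \right] \\
&= \frac{1}{\sqrt{2^{n+1}}} \sum_{k=0}^{2^n-1} \left[ (-1)^{\tilde{j} \cdot k} + (-1)^{(\tilde{j} \oplus s) \cdot k} \right] |k\rangle_n = \frac{1}{\sqrt{2^{n+1}}} \sum_{k=0}^{2^n-1} (-1)^{\tilde{j} \cdot k} \left[ 1 + (-1)^{s \cdot k} \right] |k\rangle_n
\end{aligned}$$

Figure 5: Circuit representation of Simon’s algorithm (one iteration)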

STEP 5

$\tilde{\omega} \leftarrow$ measure $|\psi_4\rangle_n$

Let us suppose that we measure our quantum system right now. It is clear that the current
amplitudes of the basis states are

$$\alpha_k = \left[ \frac{1}{\sqrt{2^{n+1}}} \left( 1 + (-1)^{s \cdot k} \right) \right]^2$$

for $k \in \{0,1\}^n$.

However, it can be noted that $\alpha_k \neq 0$ if and only if $s \cdot k \equiv 0 \bmod 2$, which happens for half the
values of k necessarily. Moreover, in those cases the amplitude is equal to $1/2^{n-1}$. Analyzing the
outcome, we have ended up with some $\tilde{\omega}$ such that $\tilde{\omega} \cdot s \equiv 0 \bmod 2$. If we are able to find n − 1
linearly independent values of $\tilde{\omega}$, namely $\tilde{\omega}_1, \dots, \tilde{\omega}_{n-1}$, we will arrive at a system of equations whose
solutions are 0 and s. Before proving this, let us illustrate how Simon’s algorithm works with a
worked-out example.

Example with n = 4
Let us suppose that we are given as a black box a function that fulfills the requirements of Simon’s
problem. This function, namely $f : \{0,1\}^4 \to \{0,1\}^4$, has the following outcome:

f(0) = f(5) = 0        f(1) = f(4) = 1
f(2) = f(7) = 2        f(3) = f(6) = 3
f(8) = f(13) = 4       f(9) = f(12) = 5
f(10) = f(15) = 6      f(11) = f(14) = 7

Of course, as the function is given as a black box, this information is only available to us if we
evaluate f(j) for all $j \in \{0, \dots, 15\}$. A closer inspection of these values tells us that this function has
in fact a xor-mask and that its value is s = 5. Our objective is to arrive at this knowledge without
evaluating f classically for all values in $\{0,1\}^4$.

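Now, let us suppose that we do not know this information yet. As a start, Simon’s algorithm would
need the quantum state

$$|\psi_0\rangle_{4,4} = |0\rangle_4 \otimes |0\rangle_4 .$$

After applying the Hadamard gate, we would obtain

$$|\psi_1\rangle_{4,4} = \frac{1}{16} \sum_{j=0}^{15} |j\rangle_4 \otimes |0\rangle_4$$

and, after the oracle gate, our system is in the state

$$|\psi_2\rangle_{4,4} = \frac{1}{16} \sum_{j=0}^{15} |j\rangle_4 \otimes |f(j)\rangle_4 .$$

If we make use of the information we know (but we should not!) about f, we could see the previous
equation as:

$$\begin{aligned}
|\psi_2\rangle_{4,4} = \frac{1}{8} \Big[ &\left( |0\rangle_4 + |5\rangle_4 \right) \otimes |0\rangle_4 + \left( |1\rangle_4 + |4\rangle_4 \right) \otimes |1\rangle_4 + \left( |2\rangle_4 + |7\rangle_4 \right) \otimes |2\rangle_4 + \\
&\left( |3\rangle_4 + |6\rangle_4 \right) \otimes |3\rangle_4 + \left( |8\rangle_4 + |13\rangle_4 \right) \otimes |4\rangle_4 + \left( |9\rangle_4 + |12\rangle_4 \right) \otimes |5\rangle_4 + \\
&\left( |10\rangle_4 + |15\rangle_4 \right) \otimes |6\rangle_4 + \left( |11\rangle_4 + |14\rangle_4 \right) \otimes |7\rangle_4 \Big]
\end{aligned}$$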

Please note again that the previous state is actually happening inside our quantum computer
whether or not we know the values for f (j). As we have constructed our oracle gate using f as a black
box, it necessarily has the previous effect on the Hadamard state.

Up until now all steps were deterministic. However, the next step, the measurement of the second
register, will have a non-deterministic outcome. Let us suppose that we measure it and obtain, for
example, the value $\tilde{\delta} = 6$. Necessarily, our quantum system is now in the state

$$|\psi_3\rangle_4 = \frac{1}{\sqrt{2}} \left( |10\rangle_4 + |15\rangle_4 \right)$$

and, if we apply now the Hadamard transform, we end up with

$$|\psi_4\rangle_4 = \frac{1}{\sqrt{2^5}} \sum_{k=0}^{15} (-1)^{\tilde{j} \cdot k} \left[ 1 + (-1)^{s \cdot k} \right] |k\rangle_n ,$$

where $\tilde{j} \in f^{-1}(6) = \{10, 15\}$ and s is the (yet unknown!) xor-mask of f.

As can be seen, the values we get of $\tilde{j}$ and $\tilde{\delta}$ are unimportant. What we need is the outcome of
the measurement of our quantum system at this moment. As previously said, we will end up with a
number $\tilde{\omega}$ such that $s \cdot \tilde{\omega} = 0 \bmod 2$. In this case, $\tilde{\omega} \in \{0, 2, 5, 7, 8, 10, 13\}$ for s = 5, where all of them
have the same probability of coming up.

Let us suppose that we have run three complete iterations of Simon’s algorithm, and obtain $\tilde{\omega}_1 = 2$,
$\tilde{\omega}_2 = 7$ and $\tilde{\omega}_3 = 10$. Thus, drawing on the fact that $\tilde{\omega}_i \cdot s = 0 \bmod 2$ for all of them, if we define
$s = s_3 s_2 s_1 s_0$ as the bitwise representation of s (with $s_i \in \{0,1\}$), we can consider the system of
equations

$$\begin{aligned}
s_1 &= 0 \bmod 2 \\
s_2 + s_1 + s_0 &= 0 \bmod 2 \\
s_3 + s_2 + s_0 &= 0 \bmod 2,
\end{aligned}$$

with each one of the equations giving us respectively the following set of solutions:

$$\begin{aligned}
\Omega_1 &= \{0, 1, 4, 5, 8, 9, 12, 13\}, \\
\Omega_2 &= \{0, 3, 5, 6, 8, 11, 13, 14\}, \\
\Omega_3 &= \{0, 1, 4, 5, 10, 11, 14, 15\}.
\end{aligned}$$

Clearly, as our xor-mask s must satisfy all previous equations, we can deduce that

$$s \in \Omega_1 \cap \Omega_2 \cap \Omega_3 = \{0, 5\}$$

and, as $s \neq 0$ by definition, we can conclude that our xor-mask is, in fact, s = 5. Note that as the
process of obtaining the different values for $\tilde{\omega}$ is non-deterministic, the remaining question is this: how
many times do I have to execute Simon’s algorithm in order to obtain such a system with enough
probability?

Theorem 8.1. Simon’s algorithm finds the correct solution for Simon’s problem in O(n) steps with
probability greater than 1/3.
Proof. Let us suppose that we have obtained m linearly independent equations, namely with $\tilde{\omega}_1, \dots, \tilde{\omega}_m$.
Then, the probability of obtaining another linearly independent equation in the next iteration of
Simon’s algorithm is

$$\frac{2^n - 2^m}{2^n} .$$

Thus, assuming n ≥ 3, the probability of obtaining n − 1 linearly independent equations after n − 1
iterations of Simon’s algorithm is

$$P = \left( 1 - \frac{1}{2^n} \right) \left( 1 - \frac{2}{2^n} \right) \cdots \left( 1 - \frac{2^{n-2}}{2^n} \right) \geq \left( 1 - \sum_{k=2}^{n} \frac{1}{2^k} \right) \geq \frac{2^{n-1} - 1}{2^n} > \frac{1}{3} .$$

Even though Simon’s algorithm is of little practical use in precisely the same way as Deutsch’s and
Deutsch-Jozsa’s are, it shows once more that there exist problems such that a quantum computer is
capable of solving them efficiently while a classical one is not. In fact, Simon’s algorithm shows that
there exist problems such that a quantum Turing machine is exponentially faster than a probabilistic
Turing machine (PTM) [39]. The difference between Simon’s and Deutsch-Jozsa is that the latter can
be solved by a PTM with an arbitrarily small error, while the former would take an exponential time
to solve with such a machine.

Finally, although Simon’s algorithm establishes an oracle separation between BPP (Bounded-Error
Probabilistic Polynomial time classical algorithms) and BQP, we still do not know if BPP ≠ BQP, as
Simon’s problem depends on a black box.
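
The n = 4 example of this section, including the classical post-processing that turns the measured values $\tilde{\omega}$ into s, can be reproduced as follows. This is an added example, not code from the paper: the quantum iteration is simulated classically from the lookup table of f given in the example, and the linear system is solved by Gaussian elimination over GF(2) rather than by intersecting solution sets. All function names are assumptions of this sketch.

```python
import random

# f from the worked example with n = 4, as a lookup table: PAGE_F[j] = f(j).
PAGE_F = [0, 1, 2, 3, 1, 0, 3, 2, 4, 5, 6, 7, 5, 4, 7, 6]


def dot2(a, b):
    """Bitwise inner product of a and b, modulo 2."""
    return bin(a & b).count("1") % 2


def simon_iteration(f, n, rng):
    """Simulate STEPS 1-5 once and return the measured omega."""
    # STEP 3: measuring the second register yields f(j) for a uniformly random j
    # and leaves the first register on the fibre f^{-1}(delta) = {j, j xor s}.
    j = rng.randrange(2 ** n)
    fibre = [x for x in range(2 ** n) if f[x] == f[j]]
    # STEP 4: after H^{(x)n} the amplitude of |k> is proportional to sum_x (-1)^(x.k).
    weights = [sum((-1) ** dot2(x, k) for x in fibre) ** 2 for k in range(2 ** n)]
    # STEP 5: measurement samples k with probability proportional to amplitude^2.
    return rng.choices(range(2 ** n), weights=weights)[0]


def add_equation(basis, w):
    """Insert w into a fully reduced GF(2) basis {pivot_bit: row}.

    Returns True if w was linearly independent of the rows already stored.
    """
    for pivot, row in basis.items():
        if (w >> pivot) & 1:
            w ^= row                      # clear every existing pivot bit of w
    if w == 0:
        return False                      # dependent (or omega = 0): no new information
    pivot = w.bit_length() - 1
    for p in basis:
        if (basis[p] >> pivot) & 1:
            basis[p] ^= w                 # keep the basis fully reduced
    basis[pivot] = w
    return True


def null_vector(basis, n):
    """Given n - 1 independent equations w.s = 0, return the non-zero solution s."""
    (free,) = [c for c in range(n) if c not in basis]
    s = 1 << free                         # set the free variable to 1
    for pivot, row in basis.items():
        if (row >> free) & 1:
            s |= 1 << pivot               # each pivot variable is then forced
    return s


def solve_from_samples(samples, n):
    """Return s if the samples have rank n - 1, otherwise None."""
    basis = {}
    for w in samples:
        add_equation(basis, w)
    return null_vector(basis, n) if len(basis) == n - 1 else None


def recover_xor_mask(f, n, seed=0):
    """Repeat the simulated iteration until n - 1 independent equations exist."""
    rng = random.Random(seed)
    basis, samples = {}, []
    while len(basis) < n - 1:
        samples.append(simon_iteration(f, n, rng))
        add_equation(basis, samples[-1])
    return null_vector(basis, n), samples


if __name__ == "__main__":
    print(solve_from_samples([2, 7, 10], 4))   # the three outcomes used in the text
    print(recover_xor_mask(PAGE_F, 4))
```

The length of the returned sample list is the number of oracle calls that run needed, which is the quantity Theorem 8.1 bounds.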

9 Shor’s Factoring Algorithm


Let us begin with a problem in number theory that depends on one of the most well known theorems
of all time:

Definition 9.1. Let $N \in \mathbb{Z}_{\geq 0}$. The fundamental theorem of arithmetic tells us that there exists a unique
factorization of N as a product of prime powers:

$$N = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_k^{\alpha_k} = \prod_{i=1}^{k} p_i^{\alpha_i} .$$

The prime factorization problem, or PFP, is the problem of finding such a factorization for a given
number $N \in \mathbb{Z}_{\geq 0}$.

Many mathematicians have worked on algorithms that calculate the prime factorization of an integer.
To understand the ideas behind the most recent solutions to this problem, we must go back to the
17th century, when a French lawyer called Pierre de Fermat (1607–1665) invented an elegant factorization
method that today bears his name. Fermat’s method consists in representing an odd number
N as a difference of squares, which is easily proven to exist. Then, as $N = n^2 - m^2 = (n + m)(n - m)$,
we have that $\gcd(n + m, N)$ and $\gcd(n - m, N)$ are non-trivial factors of N.

But it was not until the beginning of the 20th century that some improvements were made, as
mathematicians like Maurice Kraitchik in 1922 [30], Derrick Henry Lehmer and Ralph Ernest Powers
in 1931 [33], Michael A. Morrison and John Brillhart in 1975 [38] and Richard Schroeppel at the end
of the 1970s (unpublished, but described in [40]) developed factorization methods built
around Fermat’s original method. These improvements eventually culminated
in the Quadratic Sieve developed by Carl Pomerance in 1984 [41] and the General Number Field
Sieve due to John Pollard in 1989 [34, 7]. For more information about the story behind the evolution
of Fermat’s idea, see [42].

The two previous methods are currently the most efficient classical algorithms for factoring an
integer. However, they still have a problem: their computational complexity is super-polynomial in
the number log N of digits in N. In fact, the GNFS, which has proven to be the most efficient known
classical algorithm for factoring integers larger than $10^{100}$, has the following computational order:

$$O\left( e^{(\log N)^{\frac{1}{3}} (\log \log N)^{\frac{2}{3}}} \right)$$

Unfortunately, Pollard’s method has the constraints of any super-polynomial algorithm and, at the
present time, no known polynomial-time classical algorithm exists for the factoring problem (i.e., PFP
is not known to be in P). Nevertheless, verifying that a candidate solution for this problem is in fact
the actual solution is computationally easy; thus, PFP is in NP.

There is a very well known result in computational complexity theory, due to American computer
scientist Richard E. Ladner (b. 1943) [31], that tells us the following: if P ≠ NP, then there exists a
non-empty class, called NP-intermediate, that contains all problems in NP which are neither in the
class P nor in NP-complete. It is widely believed that PFP is inside this class.

What we surely know, thanks to American mathematician Peter W. Shor (b. 1959) and his acclaimed
polynomial-time quantum algorithm for prime factorization [45], is that the PFP is in BQP.
The objective of this subsection is to describe such result. For that, we shall first define Shor’s algorithm
as a classical one that relies on a black box that finds the multiplicative order of a modulo n.
Next, we will provide a quantum algorithm that substitutes that black box. Finally, we will describe
its performance via a worked-out example.

The classical part


Let $N \in \mathbb{Z}_{\geq 0}$. We proceed to define Shor’s algorithm for factoring N.

STEP 1

$x \leftarrow$ random integer such that $1 < x < N$

$d \leftarrow \gcd(x, N)$

It is clear that, if d > 1, we have already found a factor of N. However, such an event is
unlikely, and when d = 1 we proceed to the next step. Note that the computational
complexity of this step (i.e., of calculating the greatest common divisor of x and N) has order $O(\log^2 N)$
[29].

STEP 2

$r \leftarrow O_N(x)$

This is the step that we shall resolve with the aid of a quantum computer, as will be explained
later. For now, let us recall that the multiplicative order of x modulo N, provided that $\gcd(x, N) = 1$,
is defined as

$$O_N(x) = \min\{ r \in \mathbb{Z}_{>0} : x^r \equiv 1 \bmod N \} .$$

Calculating the multiplicative order is a hard problem in the general case, and the best known classical
algorithm that solves it has a super-polynomial computational complexity [12].

Right now, we have obtained a certain r such that $r = O_N(x)$. However, not every value of r serves
our purposes. At the end of this step, we shall check if r is an even number and, if that holds, we
also have to check if $x^{r/2} + 1 \not\equiv 0 \bmod N$. If either of those two conditions fails, we shall go back to the
beginning of the algorithm, and repeat it with a different random value for x. The unavoidable
question is: what is the probability of not making it?

Theorem 9.2. Let $N \in \mathbb{Z}_{\geq 0}$ such that $2 \nmid N$ and whose prime factorization is

$$N = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_k^{\alpha_k} .$$

Suppose x is chosen at random, with $1 < x < N$ and $\gcd(x, N) = 1$, and let $r = O_N(x)$. Then:

$$\mathrm{Prob}\left[ (2 \mid r) \wedge (x^{r/2} + 1 \not\equiv 0 \bmod N) \right] \geq 1 - \frac{1}{2^{k-1}}$$

Proof. See [20], Appendix B.

In other words, the probability of obtaining a number x that fulfills all the conditions of the
algorithm is greater than 1/2 in the worst case (i.e., when N has only two different prime factors).

STEP 5

$d_1 \leftarrow \gcd(x^{r/2} + 1, N)$
$d_2 \leftarrow \gcd(x^{r/2} - 1, N)$

As $2 \mid r$ and $x^{r/2} + 1 \not\equiv 0 \bmod N$, it is easy to see that

$$x^r - 1 \equiv (x^{r/2} - 1)(x^{r/2} + 1) \equiv 0 \bmod N.$$

We can conclude that $d_1$ and $d_2$ are non-trivial factors of N, thus accomplishing the main purpose of
the algorithm. As promised, what remains to be seen is the computation of the multiplicative order of x
modulo N with the help of a quantum computer. We proceed to describe this process.
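
The classical part just described can be run end to end for small N. The following is an added example, not code from the paper: the order-finding black box $O_N(x)$ of STEP 2 is replaced by a brute-force classical search, an assumption that only makes sense for small N, and the function names are hypothetical. Besides the factors, it reports why an attempt fails, and it counts for how many x the two conditions of Theorem 9.2 hold.

```python
import math
import random


def multiplicative_order(x, N):
    """Brute-force stand-in for the black box O_N(x) = min{r > 0 : x^r = 1 mod N}."""
    if math.gcd(x, N) != 1:
        raise ValueError("x and N must be coprime")
    r, y = 1, x % N
    while y != 1:
        y = (y * x) % N
        r += 1
    return r


def attempt(x, N, order=multiplicative_order):
    """One pass of STEPS 1, 2 and 5 for a fixed x. Returns (outcome, factors)."""
    d = math.gcd(x, N)                       # STEP 1
    if d > 1:
        return "lucky gcd", (d, N // d)
    r = order(x, N)                          # STEP 2 (quantum in the real algorithm)
    if r % 2:
        return "odd order", None             # first condition fails: retry
    h = pow(x, r // 2, N)
    if (h + 1) % N == 0:
        return "x^(r/2) = -1 mod N", None    # second condition fails: retry
    # STEP 5: both gcds are non-trivial because N divides (h - 1)(h + 1)
    # but divides neither factor on its own.
    return "factored", (math.gcd(h + 1, N), math.gcd(h - 1, N))


def factor(N, seed=0, max_tries=64):
    """Repeat attempts with random x until two non-trivial factors are found."""
    if N < 3 or N % 2 == 0:
        raise ValueError("Theorem 9.2 assumes an odd N")
    rng = random.Random(seed)
    log = []
    for _ in range(max_tries):
        x = rng.randrange(2, N)              # 1 < x < N
        outcome, factors = attempt(x, N)
        log.append((x, outcome))
        if factors:
            return factors, log
    raise RuntimeError("no factor found; N is probably a prime power")


def success_count(N):
    """(good, total): x coprime to N, 1 < x < N, meeting both conditions of Theorem 9.2."""
    coprime = [x for x in range(2, N) if math.gcd(x, N) == 1]
    good = [x for x in coprime if attempt(x, N)[0] == "factored"]
    return len(good), len(coprime)


if __name__ == "__main__":
    print(attempt(7, 15))        # ('factored', (5, 3))
    print(attempt(14, 15))       # fails: 14 = -1 mod 15
    print(success_count(21))     # compare with the bound 1 - 1/2^(k-1) = 1/2
    print(factor(1155))
```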

The quantum part


We are given two non-negative integers N and x, with $1 < x < N$. Our aim is to find the order of
x in the congruence ring $\mathbb{Z}/n\mathbb{Z}$.

SETUP

$|\psi_0\rangle_{t,n} \leftarrow |0\rangle_t \otimes |0\rangle_n$

First, we need a quantum computer with two registers of sizes t and n respectively, where $n =
\lceil \log_2 N \rceil$ and $t = 2n$ (the reason behind this will be clear later). All qubits are initialized at 0.

STEP 2.1

 
$|\psi_1\rangle_{t,n} \leftarrow (H^{\otimes t} \otimes I^{\otimes n})\left(|\psi_0\rangle_{t,n}\right)$

This transformation is by now a common element of our quantum algorithms and there is no need
to explain it further. The crucial point is that after its application the first register is in a
superposition of all states of the computational basis with equal amplitudes given by $1/\sqrt{2^t}$. More
precisely:

$$|\psi_1\rangle_{t,n} = \frac{1}{\sqrt{2^t}} \sum_{j=0}^{2^t-1} |j\rangle_t \otimes |0\rangle_n$$

STEP 2.2

 
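$|\psi_2\rangle_{t,n} \leftarrow M_{x,N}\left(|\psi_1\rangle_{t,n}\right)$

Let n, t, x and N be defined as in the context of this algorithm. The modular exponentiation gate is
the unitary operator that has the following effect on the basis states of a quantum system:

$$M_{x,N} : |j\rangle_t \otimes |k\rangle_n \to |j\rangle \otimes |k + x^j \bmod N\rangle .$$

This transformation is unitary, and its construction takes $O(\log^3 N)$ steps [45]. Thus, as will be clear
at the end of this subsection, it represents the bottleneck of Shor’s algorithm.

$$\begin{aligned}
|\psi_2\rangle_{t,n} &= M_{x,N}\left(|\psi_1\rangle_{t,n}\right) \\
&= \frac{1}{\sqrt{2^t}} \sum_{j=0}^{2^t-1} M_{x,N}\left(|j\rangle_t \otimes |0\rangle_n\right) \\
&= \frac{1}{\sqrt{2^t}} \sum_{j=0}^{2^t-1} |j\rangle_t \otimes |x^j \bmod N\rangle_n
\end{aligned}$$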

Thanks again to quantum parallelism, we have now generated all powers of $x$ modulo $N$ simultaneously.
From now on, in order to make the tracking of the algorithm cleaner, we shall suppose that
$r$ is a power of 2. In this case, our current quantum state can be expressed as follows:
$$|\psi_2\rangle_{t,n} = \frac{1}{\sqrt{2^t}} \sum_{b=0}^{r-1} \left[ \left( \sum_{a=0}^{\frac{2^t}{r}-1} |ar + b\rangle_t \right) \otimes |x^b \bmod N\rangle_n \right]$$

The general case where $r$ may not be a power of 2 is more difficult to express, and is better
explained in the part devoted to the example.

STEP 2.3

δ̃ ← measure the second register

$|\psi_3\rangle_t \leftarrow |\psi_2\rangle_{t,n}$ after measuring the second register

Let us suppose that, for a certain $b_0 \in \{0, \dots, r-1\}$, we obtain the value $\tilde{\delta} = x^{b_0} \bmod N$. Thus,
the computer is now in the following quantum state:
$$|\psi_3\rangle_t = \sqrt{\frac{r}{2^t}} \sum_{a=0}^{\frac{2^t}{r}-1} |ar + b_0\rangle_t .$$

Note that now we only have $2^t/r$ terms in the sum, instead of the previous $2^t$ ones, and that the value
we are looking for (i.e., $r$) is beginning to surface inside our quantum system in the form of a period.
The next step will provide us with a tool capable of extracting this period from a quantum state.

STEP 2.4

$$|\psi_4\rangle_t \leftarrow F_t(|\psi_3\rangle_t)$$

This step requires that we define a new quantum gate: the quantum discrete Fourier transform, or
QFT, whose effect on the quantum basis states is:
$$F_n : |j\rangle_n \longmapsto \frac{1}{\sqrt{2^n}} \sum_{k=0}^{2^n-1} e^{-2\pi i jk/2^n}\, |k\rangle_n$$

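After applying the QFT to the first register, we can express the obtained state as follows:
$$\begin{aligned}
|\psi_4\rangle_t &= \sqrt{\frac{r}{2^t}} \sum_{a=0}^{\frac{2^t}{r}-1} F_t\left(|ar + b_0\rangle_t\right) = \sqrt{\frac{r}{2^t}} \sum_{a=0}^{\frac{2^t}{r}-1} \left[ \frac{1}{\sqrt{2^t}} \sum_{j=0}^{2^t-1} e^{-2\pi i j(ar+b_0)/2^t}\, |j\rangle_t \right] \\
&= \frac{1}{\sqrt{r}} \sum_{j=0}^{2^t-1} \left[ \left( \frac{r}{2^t} \sum_{a=0}^{\frac{2^t}{r}-1} e^{-2\pi i \frac{ja}{2^t/r}} \right) e^{-2\pi i j b_0/2^t}\, |j\rangle_t \right] = \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} e^{-2\pi i \frac{k}{r} b_0} \left| \frac{k 2^t}{r} \right\rangle_t
\end{aligned}$$

Please note that, in order to arrive at the last version of the state, we have just rearranged the
summation order while also using the following property of the exponential sums:
$$\frac{1}{N} \sum_{j=0}^{N-1} e^{2\pi i jk/N} = \begin{cases} 1 & \text{if } N \mid k \\ 0 & \text{otherwise,} \end{cases}$$

then we can rewrite the state as:

$$|\psi_4\rangle = \left( \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} e^{-2\pi i \frac{k}{r} b_0} \left| \frac{k 2^t}{r} \right\rangle_t \right) |x^{b_0}\rangle_n$$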

Now, at last, it is time to measure the first register.

STEP 2.5

$\tilde{\omega} \leftarrow$ measure $|\psi_4\rangle_t$

We obtain, for some unknown $k_0 \in \{0, \dots, r-1\}$ (the probability of obtaining each of them is the
same, but this changes in the general case where $r$ may not be a power of 2):

$$\tilde{\omega} = \frac{k_0 2^t}{r}$$
If $\tilde{\omega} = 0$, we obtain no information and we must come back to the beginning. If, otherwise, $\tilde{\omega} \neq 0$,
we can obtain some information about $r$ (or the actual value of $r$ indeed), just by putting $\tilde{\omega}/2^t$ as
a fraction in lowest terms and taking the denominator. If we call $c$ that denominator and $x^c \not\equiv 1 \bmod N$,
then $c$ is a factor of $r$. If, on the other hand, $x^c \equiv 1 \bmod N$, then $r = c$ and we have obtained
the multiplicative order of $x$ modulo $N$. In the former case, we should rerun the quantum part of
Shor’s algorithm with $x^c$ instead of with $x$, and by repeating this process a finite number of times we
shall end up with the correct value of $r$. Now let us show with an example how Shor’s algorithm works
for a particular input.

Example: Factoring 217


We want to find the prime factors of 217 using Shor’s Factoring Algorithm. First, the algorithm
chooses a random integer $x$ such that $1 < x < 217$. Let us suppose that we obtain $x = 5$, which fulfills
the first condition: $\gcd(5, 217) = 1$. Now it is time to find the multiplicative order of 5 modulo
217, which is achieved with the help of a quantum computer.

We calculate $t$ and $n$ and initialize the quantum system. In this case, $n = \lceil \log_2 217 \rceil = 8$ and
consequently $t = 2n = 16$. Thus, our quantum registers have the following initial states:

$$|\psi_0\rangle_{16,8} \leftarrow |0\rangle_{16} \otimes |0\rangle_8$$

Next, we apply the Hadamard transformation, hence obtaining a superposition of all basis states
in the first register, all with identical amplitudes. This way, all integers between 0 and $2^{16} - 1$ are now
somewhere in the first register.

$$|\psi_1\rangle_{16,8} \leftarrow (H^{\otimes 16} \otimes I^{\otimes 8})\, |\psi_0\rangle_{16,8}$$

$$|\psi_1\rangle_{16,8} = \frac{1}{\sqrt{2^{16}}} \sum_{j=0}^{2^{16}-1} |j\rangle_{16} \otimes |0\rangle_8$$

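Afterwards, we apply the quantum gate that calculates the powers of 5 modulo 217, which has the
following effect.

$$|\psi_2\rangle_{16,8} \leftarrow M_{5,217}\, |\psi_1\rangle_{16,8}$$

$$|\psi_2\rangle_{16,8} = \frac{1}{\sqrt{2^{16}}} \sum_{j=0}^{2^{16}-1} M_{5,217}\left(|j\rangle_{16} \otimes |0\rangle_8\right) = \frac{1}{\sqrt{2^{16}}} \sum_{j=0}^{2^{16}-1} |j\rangle_{16} \otimes |5^j \bmod 217\rangle_8$$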

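If we expand the sum, we can alternatively express the result as follows (please note that, for the
sake of simplicity, we have omitted the subindices and the tensor product operators):

$$\begin{aligned}
|\psi_2\rangle = \frac{1}{\sqrt{2^{16}}} \big( & |0\rangle|1\rangle + |1\rangle|5\rangle + |2\rangle|25\rangle + |3\rangle|125\rangle + |4\rangle|191\rangle + |5\rangle|87\rangle \; + \\
& |6\rangle|1\rangle + |7\rangle|5\rangle + |8\rangle|25\rangle + |9\rangle|125\rangle + |10\rangle|191\rangle + |11\rangle|87\rangle \; + \\
& |12\rangle|1\rangle + |13\rangle|5\rangle + |14\rangle|25\rangle + |15\rangle|125\rangle + |16\rangle|191\rangle + |17\rangle|87\rangle \; + \\
& |18\rangle|1\rangle + |19\rangle|5\rangle + |20\rangle|25\rangle + |21\rangle|125\rangle + |22\rangle|191\rangle + |23\rangle|87\rangle \; + \\
& |24\rangle|1\rangle + |25\rangle|5\rangle + |26\rangle|25\rangle + |27\rangle|125\rangle + |28\rangle|191\rangle + |29\rangle|87\rangle \; + \\
& |30\rangle|1\rangle + \dots \big)
\end{aligned}$$

After a close inspection, we can observe that the values on the second register are periodic. If we
factor out the common second-register values, we end up with the state:

$$\begin{aligned}
|\psi_2\rangle = \frac{1}{\sqrt{2^{16}}} \big[ & \left(|0\rangle + |6\rangle + |12\rangle + |18\rangle + \dots + |65526\rangle + |65532\rangle\right) |1\rangle \; + \\
& \left(|1\rangle + |7\rangle + |13\rangle + |19\rangle + \dots + |65527\rangle + |65533\rangle\right) |5\rangle \; + \\
& \left(|2\rangle + |8\rangle + |14\rangle + |20\rangle + \dots + |65528\rangle + |65534\rangle\right) |25\rangle \; + \\
& \left(|3\rangle + |9\rangle + |15\rangle + |21\rangle + \dots + |65529\rangle + |65535\rangle\right) |125\rangle \; + \\
& \left(|4\rangle + |10\rangle + |16\rangle + |22\rangle + \dots + |65530\rangle\right) |191\rangle \; + \\
& \left(|5\rangle + |11\rangle + |17\rangle + |23\rangle + \dots + |65531\rangle\right) |87\rangle \big]
\end{aligned}$$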

Thanks to this representation, it is easier to understand what will happen if we measure the second
register.

δ̃ ← measure the second register

$|\psi_3\rangle_{16} \leftarrow |\psi_2\rangle_{16,8}$ after measuring the second register

It is clear that we shall obtain a value $\tilde{\delta}$ such that $\tilde{\delta} = 5^{\tilde{j}} \bmod 217$ for a certain $\tilde{j} \in \{0, \dots, 2^{16} - 1\}$.
Thus, $\tilde{\delta} \in \{1, 5, 25, 125, 191, 87\}$ (which are the powers of 5 modulo 217). Let us suppose that we get
$\tilde{\delta} = 25$. The register will collapse into $|25\rangle$ and all other possible values will be destroyed and gone
forever, the information about the rest of possible powers of 5 modulo 217 lost. However, the first
register will also collapse into the values that were tensored with $|25\rangle$, thus discarding the remaining
ones. What interests us is that all the basis states tensored with $|25\rangle$ correspond with the exponents
$\tilde{j}$ such that $\tilde{\delta} = 5^{\tilde{j}} \bmod 217$. More specifically:
$$|\psi_3\rangle_{16} = \frac{1}{\sqrt{10923}} \left( |2\rangle_{16} + |8\rangle_{16} + |14\rangle_{16} + \dots + |65528\rangle_{16} + |65534\rangle_{16} \right) = \frac{1}{\sqrt{10923}} \left( \sum_{a=0}^{10922} |6a + 2\rangle_{16} \right)$$

A pattern has arisen, as the basis states on the first register display some periodic behavior. This
period naturally corresponds with the multiplicative order of 5 modulo 217, which happens to be equal
to 6. Of course, this information is yet hidden to us, we are just using some knowledge of the problem
for providing a mathematical explanation of the performance of the algorithm in this particular case.
On the other hand, the constant 10923 is just a normalization of the amplitudes after the collapse of
the register, corresponding to the total number of exponents that return 25 modulo 217 between 0 and
$2^{16} - 1$.

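As explained previously, if we want to obtain the period from within the bowels of our quantum
system, we should use the quantum Fourier transform:

$$|\psi_4\rangle_{16} \leftarrow F_{16}(|\psi_3\rangle_{16})$$

$$\begin{aligned}
|\psi_4\rangle_{16} &= F_{16}\left( \frac{1}{\sqrt{10923}} \sum_{a=0}^{10922} |6a + 2\rangle_{16} \right) = \frac{1}{\sqrt{10923}} \sum_{a=0}^{10922} F_{16}\left( |6a + 2\rangle_{16} \right) \\
&= \frac{1}{\sqrt{10923}} \sum_{a=0}^{10922} \left( \frac{1}{\sqrt{2^{16}}} \sum_{k=0}^{2^{16}-1} e^{-2\pi i \frac{(6a+2)k}{2^{16}}}\, |k\rangle_{16} \right) \\
&= \frac{1}{\sqrt{2^{16}}} \sum_{k=0}^{2^{16}-1} \left( \left[ \frac{1}{\sqrt{10923}} \sum_{a=0}^{10922} e^{-2\pi i \frac{6ak}{2^{16}}} \right] e^{-2\pi i \frac{2k}{2^{16}}}\, |k\rangle_{16} \right)
\end{aligned}$$

Thus, we end up again with a distribution of the amplitudes defined by

$$\alpha_k = \frac{1}{\sqrt{2^{16} \cdot 10923}} \left( \sum_{a=0}^{10922} e^{-2\pi i \frac{6ak}{2^{16}}} \right) e^{-2\pi i \frac{2k}{2^{16}}},$$

which gives us the following probability distribution:

$$|\alpha_k|^2 = \frac{1}{2^{16} \cdot 10923} \left| \sum_{a=0}^{10922} e^{-2\pi i \frac{6ka}{2^{16}}} \right|^2$$

with $k = 0, \dots, 2^{16} - 1$. If we represent this distribution in a graph, it is easier to understand the final
steps of the algorithm (please note that each of the peaks is composed of many numbers with probability
greater than 0, not just of a single integer).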

[Figure: plot of the probability distribution $|\alpha_k|^2$ against $k$, for $k$ from 0 to $2^{16} - 1$.]

$\tilde{\omega} \leftarrow$ measure $|\psi_4\rangle_{16}$

We then measure the first register, and obtain non-deterministically a value from one of the seven
peaks. The first peak yields a 0, thus forcing us to start again the quantum part of the algorithm. If,
otherwise, we obtain a value from the other six peaks, we can retrieve (using continued fractions) the
order r from it.

Let us explain this last step more formally (we took details for this from [35]). We recall that a
continued fraction is represented as

$$[a_0; a_1, \dots, a_K] = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cfrac{1}{\cdots + \cfrac{1}{a_K}}}}}$$

where $a_0 \in \mathbb{Z}_{\geq 0}$ and $a_1, \dots, a_K \in \mathbb{Z}_{> 0}$. Given $[a_0; a_1, \dots, a_K]$, there exists a unique $q \in \mathbb{Q}_{> 0}$ such
that $q = [a_0; a_1, \dots, a_K]$. We define the $k$-th convergent of $[a_0; a_1, \dots, a_K]$, where $0 \leq k < K$, as

$$q_k = [a_0; a_1, \dots, a_k].$$

Provided a certain $q \in \mathbb{Q}_{> 0}$, we can compute the members of its corresponding continued fraction as
follows:

$a_0 \leftarrow \lfloor q \rfloor$
$q_0 \leftarrow q - a_0$
$a_{k+1} \leftarrow \lfloor 1/q_k \rfloor$
$q_{k+1} \leftarrow 1/q_k - a_{k+1}$

Even more, each of the convergents $q_k$ can be expressed as $q_k = b_k/c_k$, where $\gcd(b_k, c_k) = 1$ and

$b_0 \leftarrow a_0$
$c_0 \leftarrow 1$
$b_1 \leftarrow a_0 a_1 + 1$
$c_1 \leftarrow a_1$
$b_{k+2} \leftarrow a_{k+2} b_{k+1} + b_k$
$c_{k+2} \leftarrow a_{k+2} c_{k+1} + c_k$

It can be proven [35] that we can obtain the period $r$ from $\tilde{\omega}$ with the following algorithm: starting
at $k = 1$, we compute $b_k$ and $c_k$ as previously explained from the continued fraction of $q = \tilde{\omega}/2^t$.
Then, we check if
$$x^{c_k} \equiv 1 \bmod N.$$
If the answer is affirmative, we have obtained the order $r$; if not, we do it again for $k + 1$.

For example, a possible value from the second peak is 10915, and if we divide it by $2^{16}$ we obtain
the continued fraction
$$\frac{10915}{65536} = [0; 6, 237, 3, 1, 1, 6],$$
whose first convergent is $\frac{1}{6}$. Thus, as $5^6 \equiv 1 \bmod 217$ we have that the order is 6. There is a
probability of not obtaining $r$ in this step (not all peaks will lead to a successful result), thus having
to restart the algorithm again to obtain the correct order. As shown in [35], the probability of success
has a lower bound of
$$\frac{0.232}{\log \log N} \left( 1 - \frac{1}{N} \right)^2 .$$

It remains to be seen whether $x = 5$ and $r = 6$ fulfill the final conditions of the algorithm. As 6 is an even
number, and $5^{6/2} + 1 = 126 \not\equiv 0 \bmod 217$, we can finally proceed to the last step. As explained, we
can calculate now two non-trivial factors of 217:
$$d_1 = \gcd(126, 217) = 7$$
and
$$d_2 = \gcd(124, 217) = 31,$$
which in fact are the only prime factors of 217. Thus ends Shor’s algorithm for this particular case.

$$217 = 7 \times 31$$
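The classical post-processing of this example, written out as an added Python sketch (it is not code from the paper; all function names are chosen here). It runs the continued-fraction search on a measured value, applies STEP 5, and uses the closed form of the geometric sum in $|\alpha_k|^2$ to compute how often a single measurement returns the order 6 exactly. The constants 217, 5, 16, 10915, 6 and 10923 are the ones used in the example above.

```python
from math import gcd, pi, sin


def continued_fraction(num, den):
    """Partial quotients [a0; a1, ..., aK] of num/den (Euclid's algorithm)."""
    quotients = []
    while den:
        a, rem = divmod(num, den)
        quotients.append(a)
        num, den = den, rem
    return quotients


def convergents(quotients):
    """Yield (b_k, c_k), the k-th convergent b_k/c_k in lowest terms."""
    b_prev, c_prev = 1, 0            # seeds giving b_1 = a0*a1 + 1 and c_1 = a1
    b, c = quotients[0], 1           # b_0 = a0, c_0 = 1
    yield b, c
    for a in quotients[1:]:
        b, b_prev = a * b + b_prev, b
        c, c_prev = a * c + c_prev, c
        yield b, c


def order_from_measurement(omega, t, x, N):
    """First convergent denominator c < N of omega/2^t with x^c = 1 (mod N).

    Returns None when no convergent works (the quantum part must be rerun).
    Any value returned is a multiple of the true order of x modulo N.
    """
    for _, c in convergents(continued_fraction(omega, 2 ** t)):
        if c >= N:
            break
        if pow(x, c, N) == 1:
            return c
    return None


def factors_from_order(x, r, N):
    """STEP 5: (d1, d2) when r is even and x^(r/2) != -1 (mod N), else None."""
    if r % 2:
        return None
    half = pow(x, r // 2, N)
    if half == N - 1:
        return None
    return gcd(half + 1, N), gcd(half - 1, N)


def measurement_probability(k, t, r, terms):
    """|alpha_k|^2 after the QFT of `terms` equally weighted states |a*r + b0>.

    Closed form: |sum_a e^{-2 pi i r a k / 2^t}| = |sin(terms*phi) / sin(phi)|
    with phi = pi*r*k/2^t. The offset b0 only contributes a phase.
    """
    Q = 2 ** t
    if (r * k) % Q == 0:
        magnitude = terms                      # every term of the sum equals 1
    else:
        # Reduce the integer angle modulo 2Q first to keep float precision.
        magnitude = abs(sin(pi * ((r * k * terms) % (2 * Q)) / Q)
                        / sin(pi * ((r * k) % (2 * Q)) / Q))
    return magnitude ** 2 / (Q * terms)


def success_probability(x, N, t, r, terms):
    """Probability that one measurement yields exactly r via continued fractions.

    r is known here only because this is a classical analysis of the example.
    """
    return sum(measurement_probability(k, t, r, terms)
               for k in range(2 ** t)
               if order_from_measurement(k, t, x, N) == r)


if __name__ == "__main__":
    r = order_from_measurement(10915, 16, 5, 217)
    print(r, factors_from_order(5, r, 217))
    print(round(success_probability(5, 217, 16, 6, 10923), 4))
```

Only the peaks near $2^{16}/6$ and $5 \cdot 2^{16}/6$ give a convergent with denominator 6; the peaks near $1/3$, $1/2$ and $2/3$ reduce to smaller denominators, which is why not every peak leads to a successful result.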

The first experimental demonstration of Shor’s factoring algorithm came in 2001 [47], when a
group at IBM factored 15 into 3 and 5 using a nuclear magnetic resonance (NMR) quantum computer
with seven spin-1/2 nuclei in a molecule as qubits. In 2007, Shor’s algorithm was implemented with
photonic qubits by two different groups [32, 36], with both of them observing quantum entanglement
in the process. In 2012, the number 143 was factored with the help of an adiabatic quantum computer
[48].

10 Grover’s Search Algorithm


Grover’s search algorithm was first described by Indian-American computer scientist Lov K. Grover
(b. 1961) in [24, 25, 26], hence its name. The original aim of Grover’s algorithm is the following: we
have an unstructured and disorganized database with $2^n$ elements, identified from now on with the
indices $0, \dots, 2^n - 1$, and we want to find one that satisfies a certain property. The algorithm leans on
two hypotheses: first, that such an element exists inside the database; and second, that this element
is unique.

If we are to search for this mentioned element with a classical computer, in the worst case we will
have to check all members of the database, which tells us that this problem has a classical computational
complexity of $O(2^n)$. As will be shown, Grover’s quantum search algorithm will make only $O(\sqrt{2^n})$
queries to the database, thus strictly improving the performance of its classical counterpart.

SETUP

$$|\psi_0\rangle_{n,1} \leftarrow |0\rangle_n \otimes |1\rangle$$

We need a quantum computer with $n + 1$ qubits, where the first $n$ qubits will be initialized at $|0\rangle$
and the remaining one at $|1\rangle$.

STEP 1

 
$$|\psi_1\rangle_{n,1} \leftarrow H^{\otimes (n+1)}\, |\psi_0\rangle_{n,1}$$

In the first proper step of the algorithm, we apply the Hadamard quantum gate to all the qubits in
our system. This way, the obtained result is a combination of all basis states inside our first $n$ qubits,
and the $|-\rangle$ state in the remaining one.
$$|\psi_1\rangle_{n,1} = \left( H^{\otimes n} |0\rangle_n \right) \otimes \left( H |1\rangle \right) = \left( H |0\rangle \right)^{\otimes n} \otimes \left( H |1\rangle \right) = \left( \frac{1}{\sqrt{2^n}} \sum_{j=0}^{2^n-1} |j\rangle_n \right) \otimes |-\rangle$$

For the sake of simplicity, we reintroduce a useful quantum state that will appear many times
throughout the rest of the algorithm. It will also be needed in order to define one of the key quantum
gates of Grover’s Search method, as will be shown in the next step.
$$|\gamma\rangle_n = \frac{1}{\sqrt{2^n}} \sum_{j=0}^{2^n-1} |j\rangle_n$$

This definition helps us to express our quantum state as $|\psi_1\rangle_{n,1} = |\gamma\rangle_n \otimes |-\rangle$.

STEP 2.1

 
$$|\psi_2\rangle_{n,1} \leftarrow O_f\, |\psi_1\rangle_{n,1}$$

The next step of the algorithm leans on the following assumption: we can build a quantum gate,
called $O_f$, that makes use of a function capable of recognizing the element of the database we are
searching for. This function $f$ can be defined as follows (note that the desired element is identified by
the unknown index $j_0 \in \{0, \dots, 2^n - 1\}$).
$$f(j) = \begin{cases} 1 & \text{if } j = j_0 \\ 0 & \text{otherwise} \end{cases}$$

The $O_f$ quantum gate is in fact the oracle gate described in previous algorithms, which has the
following effect on the basis states of an $(n + 1)$-qubit system

$$O_f : |j\rangle_n \otimes |k\rangle \longmapsto |j\rangle_n \otimes |k \oplus f(j)\rangle .$$

We recall from the Deutsch-Jozsa algorithm that the oracle gate has the following effect on the state
$|j\rangle_n \otimes |-\rangle$:

$$O_f \left( |j\rangle_n \otimes |-\rangle \right) = (-1)^{f(j)}\, |j\rangle_n \otimes |-\rangle$$

It can be seen that, in those cases, $O_f$ inverts the sign of the amplitude corresponding to the
basis state that codifies the searched element in the first $n$ qubits, while keeping intact the rest of the
amplitudes.

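In order to make the explanation and understanding of the algorithm easier and simpler, we introduce
another $n$-qubit quantum state,
$$|\rho\rangle_n = \frac{1}{\sqrt{2^n - 1}} \sum_{\substack{j=0 \\ j \neq j_0}}^{2^n-1} |j\rangle_n ,$$

whose relationship with the aforedescribed state $|\gamma\rangle_n$ is

$$|\gamma\rangle_n = \frac{\sqrt{2^n - 1}}{\sqrt{2^n}}\, |\rho\rangle_n + \frac{1}{\sqrt{2^n}}\, |j_0\rangle_n .$$
Please note that $|\rho\rangle$ depends on the value of $j_0$, but we shall write $|\rho\rangle$ instead of $|\rho(j_0)\rangle$ for the sake
of simplicity. The introduction of the notation $|\rho\rangle_n$ helps in noticing the separation of the searched
element $|j_0\rangle$ from the rest of the quantum basis states.

Thus, after applying $O_f$ to our quantum system it will look like this:
$$\begin{aligned}
|\psi_2\rangle_{n,1} &= O_f \left( |\gamma\rangle_n \otimes |-\rangle \right) = O_f \left[ \left( \frac{\sqrt{2^n - 1}}{\sqrt{2^n}}\, |\rho\rangle_n + \frac{1}{\sqrt{2^n}}\, |j_0\rangle_n \right) \otimes |-\rangle \right] \\
&= \left( \frac{\sqrt{2^n - 1}}{\sqrt{2^n}}\, |\rho\rangle_n - \frac{1}{\sqrt{2^n}}\, |j_0\rangle_n \right) \otimes |-\rangle = \left( |\gamma\rangle_n - \frac{2}{\sqrt{2^n}}\, |j_0\rangle_n \right) \otimes |-\rangle
\end{aligned}$$

The motivation behind the last interpretation of $|\psi_2\rangle_{n,1}$ will become clear in the next step.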

STEP 2.2

 
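$$|\psi_3\rangle_{n,1} \leftarrow (\Gamma_n \otimes I)\, |\psi_2\rangle_{n,1}$$

For this step, we must construct a new quantum gate, denoted by $\Gamma_n$, that will affect only the first
$n$ qubits. The remaining qubit will remain intact (this is represented with the single-qubit identity
gate $I$). The definition of $\Gamma_n$ is:

$$\Gamma_n = 2\, |\gamma\rangle_n \langle\gamma|_n - I^{\otimes n}$$
Let us see what happens when we apply this new quantum gate to the first $n$ qubits of our quantum
state $|\psi_2\rangle_{n,1}$ defined in the previous step.
$$\begin{aligned}
\Gamma_n (|\psi_2\rangle_n) &= \left( 2\, |\gamma\rangle_n \langle\gamma|_n - I^{\otimes n} \right) \left( |\gamma\rangle_n - \frac{2}{\sqrt{2^n}}\, |j_0\rangle_n \right) \\
&= 2\, |\gamma\rangle_n \langle\gamma|\gamma\rangle_n - \frac{4}{\sqrt{2^n}}\, |\gamma\rangle_n \langle\gamma|j_0\rangle_n - |\gamma\rangle_n + \frac{2}{\sqrt{2^n}}\, |j_0\rangle_n \\
&= 2\, |\gamma\rangle_n - \frac{4}{2^n}\, |\gamma\rangle_n - |\gamma\rangle_n + \frac{2}{\sqrt{2^n}}\, |j_0\rangle_n = \frac{2^{n-2} - 1}{2^{n-2}}\, |\gamma\rangle_n + \frac{2}{\sqrt{2^n}}\, |j_0\rangle_n
\end{aligned}$$

Mind that, from the properties of the inner product, $\langle\gamma|\gamma\rangle_n = 1$ and $\langle\gamma|j_0\rangle_n = 1/\sqrt{2^n}$.

The $\Gamma_n$ gate is also called the Grover diffusion operator, and can also be seen as
$$\Gamma_n = (H^{\otimes n}) \left( 2\, |0\rangle_n \langle 0|_n - I^{\otimes n} \right) (H^{\otimes n}),$$
which is a much more painless way of implementing it in practice. Steps 2.1 and 2.2 are usually treated
as a single step, represented by the Grover gate
$$G = (\Gamma_n \otimes I)(O_f).$$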

[Figure 6: Circuit representation of Grover’s Search Algorithm. The registers $|0\rangle_n$ and $|1\rangle$ pass through Hadamard gates, then through $O_f$ and $\Gamma_n$, a block repeated $O(\sqrt{2^n})$ times.]

STEP 3

In order to achieve the objective of Grover’s algorithm, one must apply the $G$ gate repeatedly until
the probability of obtaining the index $j_0$ is maximal (a general overview of the algorithm can be seen
in Figure 6). After the desired probability has been reached, we measure the first $n$-qubit register,
and obtain the index $j_0$. The optimal number of times $G$ is applied has order $O(\sqrt{2^n})$, which will be
proved later. But first, let us explain the behavior of the algorithm with an example.

An example with n = 4 qubits


Let us illustrate how Grover’s Search works with this exemplifying case: suppose we have an
unstructured database with its elements listed as 0, 1, . . . , 15 indexed via 4 qubits, and that we want
to find a certain item that is indexed with the number 7 (note that we do not know this yet, but it
can be supposed in order to explain the algorithm straightforwardly).

As previously explained, we need a quantum computer with $n + 1$ qubits, where $n$ is the number
of bits needed for codifying the indices of the members of the database (in this case, $n = 4$). In order
to correctly set up our quantum system, the first 4 qubits must be in the state $|0\rangle$ and the remaining
one must be in the state $|1\rangle$. Thus, our quantum system begins as follows:
$$|\psi_0\rangle_{4,1} = |0\rangle_4 \otimes |1\rangle$$
The first transformation we apply to the quantum system is the Hadamard gate, or $H$, which
converts it to the following state:
$$|\psi_1\rangle_{4,1} = (H^{\otimes 4} |0\rangle_4) \otimes (H |1\rangle) = \left( \frac{1}{4} \sum_{j=0}^{15} |j\rangle_4 \right) \otimes |-\rangle$$

We remind the reader that from now on we will make use of the states $|\gamma\rangle_4$ and $|\rho\rangle_4$ in the interest
of simplifying the writing of the whole process:
$$|\gamma\rangle_4 = \frac{1}{4} \sum_{j=0}^{15} |j\rangle_4 , \qquad |\rho\rangle_4 = \frac{1}{\sqrt{15}} \sum_{\substack{j=0 \\ j \neq 7}}^{15} |j\rangle_4 , \qquad |\gamma\rangle_4 = \frac{\sqrt{15}}{4}\, |\rho\rangle_4 + \frac{1}{4}\, |7\rangle_4$$

The introduction of these states allows us to write $|\psi_1\rangle_{4,1}$ as:

$$|\psi_1\rangle_{4,1} = \left( \frac{\sqrt{15}}{4}\, |\rho\rangle_4 + \frac{1}{4}\, |7\rangle_4 \right) \otimes |-\rangle$$

On STEP 2.1 we make use of the transformation $O_f$, which applies to all possible states inside the
first 4 qubits an oracle $f$ that identifies 7 as the correct index for the element we are looking for.
$$|\psi_2\rangle_{4,1} = O_f \left[ \left( \frac{\sqrt{15}}{4}\, |\rho\rangle_4 + \frac{1}{4}\, |7\rangle_4 \right) \otimes |-\rangle \right] = \left( \frac{\sqrt{15}}{4}\, |\rho\rangle_4 - \frac{1}{4}\, |7\rangle_4 \right) \otimes |-\rangle = \left( |\gamma\rangle_4 - \frac{1}{2}\, |7\rangle_4 \right) \otimes |-\rangle$$

On STEP 2.2, we apply the quantum gate $\Gamma_4$ to the first 4 qubits of the computer. We use $|\rho\rangle_4$ to
make clearer which part of the state has the index 7 in it and which one does not have it.
$$\Gamma_4 \left( |\gamma\rangle_4 - \frac{1}{2}\, |7\rangle_4 \right) = \left( 2\, |\gamma\rangle_4 \langle\gamma|_4 - I \right) \left( |\gamma\rangle_4 - \frac{1}{2}\, |7\rangle_4 \right) = \frac{3}{4}\, |\gamma\rangle_4 + \frac{1}{2}\, |7\rangle_4 = \frac{3\sqrt{15}}{16}\, |\rho\rangle_4 + \frac{11}{16}\, |7\rangle_4$$
$$|\psi_3\rangle_{4,1} = \left( \frac{3\sqrt{15}}{16}\, |\rho\rangle_4 + \frac{11}{16}\, |7\rangle_4 \right) \otimes |-\rangle$$

Thus, we have completed the first iteration of $G$, and if we are to measure our quantum state now,
we have a probability
$$p = \left( \frac{11}{16} \right)^2 = \frac{121}{256} \approx 0.4726$$
of obtaining the index 7, and a probability
$$\bar{p} = \left( \frac{3\sqrt{15}}{16} \right)^2 = \frac{135}{256} \approx 0.5274$$
of obtaining any other index. As can be seen, the probability of finding the searched element is greater
than that of finding any other element, but is still not big enough, which tells us that at least another round
of the algorithm is needed.

We repeat again the application of $G$. First, we apply $O_f$ and end up with the following quantum
state, defined again as a combination of $|\gamma\rangle_4$ and $|7\rangle_4$.
$$|\psi_4\rangle_{4,1} = O_{f,4} (|\psi_3\rangle_{4,1}) = \left( \frac{3\sqrt{15}}{16}\, |\rho\rangle_4 - \frac{11}{16}\, |7\rangle_4 \right) \otimes |-\rangle = \left( \frac{3}{4}\, |\gamma\rangle_4 - \frac{14}{16}\, |7\rangle_4 \right) \otimes |-\rangle$$

And then we apply $\Gamma_4$:

$$|\psi_5\rangle_4 = \left( 2\, |\gamma\rangle_4 \langle\gamma|_4 - I \right) \left( \frac{3}{4}\, |\gamma\rangle_4 - \frac{14}{16}\, |7\rangle_4 \right) = \frac{5}{16}\, |\gamma\rangle_4 + \frac{7}{8}\, |7\rangle_4 = \frac{5\sqrt{15}}{64}\, |\rho\rangle_4 + \frac{61}{64}\, |7\rangle_4$$

Thus, after two iterations of $G$ we end up with a state whose probability of returning the index $j_0$
is
$$p = \left( \frac{61}{64} \right)^2 = \frac{3721}{4096} \approx 0.9084,$$
which gives us a fairly good chance of completing the execution of Grover’s Search algorithm successfully.
However, how can we be sure that we have obtained the maximum probability of retrieving
the desired element from the database if we cannot measure the amplitudes inside our quantum register?
Even more, whence comes the required order of $O(\sqrt{2^n})$ needed in the number of iterations of $G$?

Both questions are pivotal in the correct performance of the algorithm. Let us show their significance
with a simple example: what happens if we continue applying the $G$ gate to our quantum system?

If we apply $G$ once more, we will have the following two states, the first after $O_f$ and the second
after $\Gamma_4$.
$$|\psi_6\rangle = \frac{5}{16}\, |\gamma\rangle_4 - \frac{33}{32}\, |7\rangle_4 , \qquad |\psi_7\rangle = -\frac{13\sqrt{15}}{256}\, |\rho\rangle_4 + \frac{251}{256}\, |7\rangle_4$$
As can be seen, the probability of obtaining index 7 now is
$$p = \left( \frac{251}{256} \right)^2 \approx 0.9613.$$
Yet, if we are still not satisfied with a 96% chance of success, we can run over $G$ once again, and
obtain
$$|\psi_8\rangle = -\frac{13}{64}\, |\gamma\rangle_4 - \frac{238}{256}\, |7\rangle_4 , \qquad |\psi_9\rangle = -\frac{342\sqrt{15}}{2048}\, |\rho\rangle_4 + \frac{1562}{2048}\, |7\rangle_4 ,$$
which gives us a probability
$$p = \left( \frac{1562}{2048} \right)^2 \approx 0.5817$$
of obtaining $|7\rangle_4$. Yes, it seems that to unabatedly perform numberless iterations of $G$ does not
guarantee a continuous increment in the probability of success.² Even more, it can waste all previously
done work. We shall see next why this has happened.
² “There is thy gold, worse poison to men’s souls.” (Romeo and Juliet, Act 5, Scene 1)

Proof of correctness
In this section we sketch a proof of the correctness of Grover’s algorithm. The main ideas behind
this proof are taken from [10], and will come in handy in the next subsection, where different and more
general versions of the database search algorithm are discussed.

Theorem 10.1. Grover’s Search algorithm for a unique solution needs $m \sim O(\sqrt{2^n})$ iterations of $G$ for
maximizing the probability of obtaining the desired element with unknown index $j_0$.
Proof. First, we are interested in redefining all the possible states that occur during the execution of the
algorithm as a function of the different amplitudes involved. As was shown earlier, the only amplitude
that will differ from the rest after every Grover’s iteration is the one associated with the basis state
that identifies the searched element. Thus, it suffices to define the generic state in the following way:
$$|\psi(\alpha, \beta)\rangle_n = \alpha\, |j_0\rangle_n + \beta \sum_{\substack{j=0 \\ j \neq j_0}}^{2^n-1} |j\rangle_n ,$$

with $\alpha$ and $\beta$ constrained to $\alpha^2 + (2^n - 1)\beta^2 = 1$.

Note that we are only taking into account the first register, the one with $n$ qubits. The remaining
qubit will behave as explained before, starting at $|1\rangle$ and remaining as $|-\rangle$ throughout the rest of the
algorithm, but for the sake of simplicity will be omitted during the proof.

Let us see what happens when we apply all quantum gates that make up the Grover transform $G_n$
to a generic state $|\psi(\alpha, \beta)\rangle_n$. First, we employ $O_f$, which recognizes the searched element and flips its
amplitude. Thus, after $O_f$ we obtain
$$|\psi'(\alpha, \beta)\rangle_n = -\alpha\, |j_0\rangle_n + \beta \sum_{\substack{j=0 \\ j \neq j_0}}^{2^n-1} |j\rangle_n$$

In order to apply the $\Gamma_n$ quantum gate, it is interesting to previously see our current state as a
function of $|\gamma\rangle_n$, as was done before:

$$|\psi'(\alpha, \beta)\rangle_n = -(\alpha + \beta)\, |j_0\rangle_n + \sqrt{2^n}\, \beta\, |\gamma\rangle_n .$$

We are finally in condition of applying $\Gamma_n$:

$$\begin{aligned}
|\psi''(\alpha, \beta)\rangle_n &= \Gamma_n \left( |\psi'(\alpha, \beta)\rangle_n \right) = \Gamma_n \left( -(\alpha + \beta)\, |j_0\rangle_n + \sqrt{2^n}\, \beta\, |\gamma\rangle_n \right) \\
&= \left( 2\, |\gamma\rangle_n \langle\gamma|_n - I^{\otimes n} \right) \left( -(\alpha + \beta)\, |j_0\rangle_n + \sqrt{2^n}\, \beta\, |\gamma\rangle_n \right) \\
&= (\alpha + \beta)\, |j_0\rangle_n + \left( 2\sqrt{2^n}\, \beta - \frac{2}{\sqrt{2^n}} (\alpha + \beta) - \sqrt{2^n}\, \beta \right) |\gamma\rangle_n \\
&= \left( \frac{2^{n-1} - 1}{2^{n-1}}\, \alpha + \frac{2^n - 1}{2^{n-1}}\, \beta \right) |j_0\rangle_n + \left( -\frac{1}{2^{n-1}}\, \alpha + \frac{2^{n-1} - 1}{2^{n-1}}\, \beta \right) \sum_{\substack{j=0 \\ j \neq j_0}}^{2^n-1} |j\rangle_n
\end{aligned}$$
Now that we know the effect $G_n$ has on a generic state, we are in condition of predicting in
which iteration of the algorithm we have the highest probability of obtaining the desired element $j_0$. If we
define
$$|\psi_{k+1}(\alpha_{k+1}, \beta_{k+1})\rangle_n = G_n \left( |\psi_k(\alpha_k, \beta_k)\rangle_n \right)$$

where $\alpha_1 = \beta_1 = 1/\sqrt{2^n}$, and

$$\alpha_{k+1} = \frac{2^{n-1} - 1}{2^{n-1}}\, \alpha_k + \frac{2^n - 1}{2^{n-1}}\, \beta_k , \qquad \beta_{k+1} = -\frac{1}{2^{n-1}}\, \alpha_k + \frac{2^{n-1} - 1}{2^{n-1}}\, \beta_k$$
for $k \geq 1$, then we can try to find a more tractable closed-form formula for the amplitude of $j_0$. Note
that, for $k = 0$, it is not possible to define $|\psi_0\rangle$ as a function of $\alpha_0$ and $\beta_0$, thus only the cases where
$k \geq 1$ will be defined as such.

If we designate $\theta$ such that $\sin^2 \theta = 1/2^n$, we can easily prove by mathematical induction that
$\alpha_j = \sin((2j - 1)\theta)$ and that
$$\beta_j = \frac{1}{\sqrt{2^n - 1}} \cos((2j - 1)\theta).$$
Let us suppose now that, for an unknown step $j = m + 1$ (note that $m$ is equivalent to the number
of times we have applied $G$), we want to assure that $\alpha_{m+1} = 1$. This occurs when $(2m + 1)\theta = \pi/2$, and
expressly, when $m = (\pi - 2\theta)/(4\theta)$.
Obviously, we can not perform a non-integer number of iterations of $G$. If we take $m = \lfloor \pi/(4\theta) \rfloor$,
we can conclude that the number of iterations of $G$ needed for achieving the maximum probability
of success is close to $(\pi/4)\sqrt{2^n}$ (note that $\theta \approx \sin \theta = 1/\sqrt{2^n}$ when $2^n$ is large enough). Thus, we can
conclude that the number $m$ of iterations of $G$ has order $m \sim O(\sqrt{2^n})$.

Multiple solutions
The main limitation of Grover’s Search algorithm deals with the number of solutions: it assumes
that there is one and only one element in the database that matches our search. There are many
cases in which Grover’s Search may prove useful, but in which the number of solutions is unknown, or
maybe we do not even know if there is indeed a solution. In this subsection we proceed to explain an
alternate version of Grover’s algorithm that originally appeared in [10] which takes care of this drawback.

Let us suppose that we have an unstructured database, indexed by $0, 1, \dots, 2^n - 1$. We are
interested in finding an element inside the database that fulfills a certain property, but we do not know
if such an element exists, or if there are more than one. We name $A \subseteq \{0, 1, \dots, 2^n - 1\}$ the set of
possible solutions, with $|A| = t$ and $t \in \{0, 1, \dots, 2^n - 1\}$. At first sight, one can only hope to just
obtain the same performance results as in the original Grover’s algorithm just by applying $G$ the same
number of steps. However, it is easy to find a counterexample showing that the probability of success
after $(\pi/4)\sqrt{2^n}$ iterations changes dramatically when $t \neq 1$.

In order to show how this variation of the algorithm works, we define $B = \bar{A}$, with $|B| = 2^n - t$.
Following a similar approach, we can assume that every quantum state of our system after first applying
globally the Hadamard transform can be expressed as
$$|\psi(\alpha, \beta)\rangle_n = \alpha \sum_{i \in A} |i\rangle_n + \beta \sum_{i \in B} |i\rangle_n ,$$

where $t\alpha^2 + (2^n - t)\beta^2 = 1$.

We only take into account the first $n$ qubits, as previously done. We would like to clarify that
the algorithm is essentially the same, so there is no need for explaining it again. The only substantial
change is the expected number of iterations of $G$ needed for maximizing the probability of success.
Thus, if we apply $U_f$ to a certain state, we end up with the following configuration:
$$|\psi'(\alpha, \beta)\rangle_n = -\alpha \sum_{i \in A} |i\rangle_n + \beta \sum_{i \in B} |i\rangle_n$$

Just like before, after a complete iteration of $G$ the quantum system is in the state:
$$\Gamma_n \left( |\psi'(\alpha, \beta)\rangle_n \right) = \left( \frac{2^{n-1} - t}{2^{n-1}}\, \alpha + \frac{2^n - t}{2^{n-1}}\, \beta \right) \sum_{i \in A} |i\rangle_n + \left( -\frac{t}{2^{n-1}}\, \alpha + \frac{2^{n-1} - t}{2^{n-1}}\, \beta \right) \sum_{i \in B} |i\rangle_n$$

As done previously, if we define

$$G_n \left( |\psi_j(\alpha_j, \beta_j)\rangle_n \right) = |\psi_{j+1}(\alpha_{j+1}, \beta_{j+1})\rangle_n ,$$

we can induce a recursive formula for the general state of the system, where $\alpha_1 = \beta_1 = 1/\sqrt{2^n}$ and
$$\alpha_{j+1} = \frac{2^{n-1} - t}{2^{n-1}}\, \alpha_j + \frac{2^n - t}{2^{n-1}}\, \beta_j , \qquad \beta_{j+1} = -\frac{t}{2^{n-1}}\, \alpha_j + \frac{2^{n-1} - t}{2^{n-1}}\, \beta_j$$
If we define $\theta$ such that $\sin^2 \theta = t/2^n$, then we can arrive at the following closed-form formula, just
by using induction and some trigonometric identities:
$$\alpha_j = \frac{1}{\sqrt{t}} \sin((2j - 1)\theta), \qquad \beta_j = \frac{1}{\sqrt{2^n - t}} \cos((2j - 1)\theta).$$

Theorem 10.2. Let $t$ be the unknown number of solutions, and $\theta$ be as previously defined. Let $m$
be an arbitrary positive integer and $j$ be an integer chosen at random following the discrete uniform
distribution $U\{1, m\}$. Then, if $j - 1$ corresponds to the number of times we have applied $G$ to the state
$|\gamma\rangle_n$ and we observe the state, the probability of obtaining one of the $t$ solutions in $A$ is

$$P_m = \frac{1}{2} - \frac{\sin(4m\theta)}{4m \sin(2\theta)} .$$
Proof. After $j - 1$ iterations of $G$, the probability of obtaining one of the possible solutions is

$$t\alpha_j^2 = \sin^2((2j - 1)\theta).$$

If $1 \leq j \leq m$ is chosen randomly, then the average probability of success is given by

$$P_m = \sum_{j=1}^{m} \frac{1}{m} \sin^2((2j - 1)\theta) = \frac{1}{2m} \sum_{j=1}^{m} \left( 1 - \cos((2j - 1)2\theta) \right) = \frac{1}{2} - \frac{\sin(4m\theta)}{4m \sin(2\theta)} .$$

In the last step, we have used the following trigonometric identity:

$$\sum_{j=1}^{m} \cos((2j - 1)\alpha) = \frac{\sin(2m\alpha)}{2 \sin \alpha} .$$
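The amplitude recurrence can be iterated exactly to check both the $n = 4$ example and the closed forms of Theorems 10.1 and 10.2. The following Python sketch is an added example, not code from the paper; the function names are chosen here, and applying $\lfloor \pi/(4\theta) \rfloor$ with the $\theta$ of the multiple-solutions case is an assumption of the sketch.

```python
from fractions import Fraction
from math import asin, floor, pi, sin, sqrt


def grover_step(alpha, beta, n, t=1):
    """One application of G to the per-state amplitudes: alpha on each of the
    t solutions, beta on each of the 2^n - t other basis states."""
    half = 2 ** (n - 1)
    return (Fraction(half - t, half) * alpha + Fraction(2 ** n - t, half) * beta,
            Fraction(-t, half) * alpha + Fraction(half - t, half) * beta)


def amplitudes(n, iterations, t=1):
    """Exact (alpha, beta) after `iterations` applications of G to |gamma>_n."""
    if n % 2:
        raise ValueError("exact arithmetic needs even n, so 1/sqrt(2^n) is rational")
    alpha = beta = Fraction(1, 2 ** (n // 2))      # alpha_1 = beta_1
    for _ in range(iterations):
        alpha, beta = grover_step(alpha, beta, n, t)
    return alpha, beta


def success_exact(n, iterations, t=1):
    """t * alpha^2: probability of measuring one of the t solutions."""
    alpha, _ = amplitudes(n, iterations, t)
    return t * alpha * alpha


def success_closed_form(n, iterations, t=1):
    """sin^2((2j - 1) theta) with j - 1 = iterations and sin^2(theta) = t/2^n."""
    theta = asin(sqrt(t / 2 ** n))
    return sin((2 * iterations + 1) * theta) ** 2


def optimal_iterations(n, t=1):
    """floor(pi / (4 theta)); for t > 1 this reuses the page's formula with the
    theta of the multiple-solutions case (an assumption of this sketch)."""
    theta = asin(sqrt(t / 2 ** n))
    return floor(pi / (4 * theta))


def averaged_success(n, m, t=1):
    """P_m of Theorem 10.2."""
    theta = asin(sqrt(t / 2 ** n))
    return 0.5 - sin(4 * m * theta) / (4 * m * sin(2 * theta))


def averaged_success_direct(n, m, t=1):
    """Average of the exact success probability over j = 1, ..., m."""
    return sum(success_exact(n, j - 1, t) for j in range(1, m + 1)) / m


if __name__ == "__main__":
    for k in range(5):
        print(k, amplitudes(4, k), float(success_exact(4, k)))
    # With t = 4 solutions among 16, three iterations over-rotate the state.
    print(optimal_iterations(4), float(success_exact(4, 3, t=4)))
    print(averaged_success(4, 5, t=4), float(averaged_success_direct(4, 5, t=4)))
```

With $t = 4$ and $n = 4$, the three iterations that are optimal for a unique solution leave a success probability of $1/4$, the same as a random guess, while a single iteration already gives probability 1.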

Thus, Grover’s Search algorithm for multiple solutions follows the next scheme:

m ← 1
λ ← λ ∈ (1, 4/3)
j ← U{1, m}
|ψ⟩ ← G^(j−1)(|γ⟩_n)   (apply the G quantum gate j − 1 times to |γ⟩_n)
i ← value of the first register
if i ∈ A then
    return i
else
    m ← min(λm, √(2^n))
    go to 3   (the line j ← U{1, m})
end if

The average number of iterations of Grover’s algorithm is given via the following result:
Theorem 10.3. Let $t \leq \frac{3}{4} 2^n$. The expected time for finding a solution with the previous algorithm has
order $O(\sqrt{2^n/t})$.
Proof. [10] Let
$$m_0 = \frac{1}{\sin(2\theta)} = \frac{2^{n-1}}{\sqrt{(2^n - t)t}} < \sqrt{\frac{2^n}{t}} ,$$
then the expected total number of Grover iterations that we need to reach the critical point is at most
$$\frac{1}{2} \sum_{s=1}^{\lceil \log_\lambda m_0 \rceil} \lambda^{s-1} < \frac{1}{2} \frac{\lambda}{\lambda - 1}\, m_0 = 3 m_0$$

and the expected number of Grover iterations needed to succeed once the critical point has been
reached is

$$\frac{1}{2} \sum_{u=0}^{\infty} \frac{3^u}{4^{u+1}}\, \lambda^{u + \lceil \log_\lambda m_0 \rceil} < \frac{\lambda}{8 - 6\lambda}\, m_0 = \frac{3}{2}\, m_0 .$$
Thus, the expected number of Grover iterations is upper bounded by $9m_0/2 \sim O(\sqrt{2^n/t})$.

Grover’s algorithm, which is also known as quantum amplitude amplification, is especially useful
in problems where the best known classical solution is to iterate over all possible candidates in the
worst case. Although the acceleration is not exponential, but quadratic, we do know that it is a strict
improvement with respect to the classical approach, provided that we are able to identify a solution
in polynomial time. The superiority of Shor’s algorithm, on the other hand, relies on the unproven
conjecture that factoring is not in P. An adiabatic version of Grover’s algorithm can be found in [21]
and [43].

11 Quantum Counting
A product of the work of Gilles Brassard, Peter Høyer and Alain Tapp, the Quantum Counting
algorithm is a variation of Grover’s search in which we use the quantum Fourier transform for
counting the solutions to the database search problem, in case that this number is unknown to us. It
was first sketched in [10] and thoroughly described in [11]. Additionally, some details of the proof of
its correctness that we present here are taken from [16].

The counting problem can be seen as the following: let us suppose that we have an unstructured
database, whose elements are indexed by $\{0, 1, \dots, 2^n - 1\}$, and that we want to know how many
elements fulfill a certain property. Note that we are interested in the number of solutions, not in
returning any of them. If $A \subseteq \{0, \dots, 2^n - 1\}$ is the set of indices that fulfill our query, the quantum
counting problem can be seen as the problem of calculating $t = |A|$. We shall also define $B =
\{0, \dots, 2^n - 1\} \setminus A$ as the set of indices that do not fulfill the property. Therefore, $|B| = 2^n - t$.

SETUP

$$|\psi_0\rangle_{p,n} \leftarrow |0\rangle_p \otimes |0\rangle_n$$

The quantum counting algorithm starts with $p + n$ qubits initialized at 0, where $p$ depends on $n$ as
will be shown later.

STEP 1

 
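$$|\psi_1\rangle_{p,n} \leftarrow H^{\otimes (p+n)}\, |\psi_0\rangle_{p,n}$$

As usual, the first step of the algorithm involves the Hadamard gate, which gives us the state
$$|\psi_1\rangle_{p,n} = H^{\otimes (p+n)}\, |\psi_0\rangle_{p,n} = |\gamma\rangle_p \otimes |\gamma\rangle_n ,$$

where we recall that
$$|\gamma\rangle_n = \frac{1}{\sqrt{2^n}} \sum_{k=0}^{2^n-1} |k\rangle_n .$$
If we use the notations
$$|a\rangle_n = \frac{1}{\sqrt{t}} \sum_{k \in A} |k\rangle_n , \qquad |b\rangle_n = \frac{1}{\sqrt{2^n - t}} \sum_{k \in B} |k\rangle_n ,$$
$$|\mu^+\rangle_n = \frac{1}{\sqrt{2}} \left( |b\rangle_n - i\, |a\rangle_n \right) , \qquad |\mu^-\rangle_n = \frac{1}{\sqrt{2}} \left( |b\rangle_n + i\, |a\rangle_n \right)$$

and define $\omega$ such that $\sin^2(\pi\omega) = t/2^n$, we can express $|\gamma\rangle_n$ as:
$$\begin{aligned}
|\gamma\rangle_n &= \frac{1}{\sqrt{2^n}} \sum_{k=0}^{2^n-1} |k\rangle_n = \frac{1}{\sqrt{2^n}} \left( \sum_{k \in A} |k\rangle_n + \sum_{k \in B} |k\rangle_n \right) \\
&= \sin(\pi\omega) \left( \frac{1}{\sqrt{t}} \sum_{k \in A} |k\rangle_n \right) + \cos(\pi\omega) \left( \frac{1}{\sqrt{2^n - t}} \sum_{k \in B} |k\rangle_n \right) = \sin(\pi\omega)\, |a\rangle_n + \cos(\pi\omega)\, |b\rangle_n \\
&= \frac{i \sin(\pi\omega)}{\sqrt{2}} \left( |\mu^+\rangle_n - |\mu^-\rangle_n \right) + \frac{\cos(\pi\omega)}{\sqrt{2}} \left( |\mu^+\rangle_n + |\mu^-\rangle_n \right) = \frac{e^{i\pi\omega}}{\sqrt{2}}\, |\mu^+\rangle_n + \frac{e^{-i\pi\omega}}{\sqrt{2}}\, |\mu^-\rangle_n
\end{aligned}$$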

STEP 2

$$|\psi_2\rangle_{p,n} \leftarrow C_{p,n} (|\psi_1\rangle_{p,n})$$

For the next step, we need a new unitary transformation called the counting gate, which is represented
by $C_{p,n}$. This quantum gate has the following effect on a quantum state of the form $|m\rangle_p \otimes |\psi\rangle_n$,
where $|m\rangle_p$ is a basis state on $p$ qubits, $|\psi\rangle_n$ is any quantum state on $n$ qubits and $G_n$ is the Grover
gate described in the previous algorithm:

$$C_{p,n} : |m\rangle_p \otimes |\psi\rangle_n \longmapsto |m\rangle_p \otimes (G_n)^m\, |\psi\rangle_n$$

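Let us see what happens when we apply this new quantum gate to our previous quantum system.

$$\begin{aligned}
|\psi_2\rangle_{p,n} &= C^{p,n}\left(|\gamma\rangle_p \otimes |\gamma\rangle_n\right) = \frac{1}{\sqrt{2^p}} \sum_{j=0}^{2^p-1} \left[ |j\rangle_p \otimes G_n^j\left(|\gamma\rangle_n\right) \right] \\
&= \frac{1}{\sqrt{2^p}} \sum_{j=0}^{2^p-1} |j\rangle_p \otimes G_n^j \left( \frac{e^{i\pi\omega}}{\sqrt{2}}\,|\mu^+\rangle_n + \frac{e^{-i\pi\omega}}{\sqrt{2}}\,|\mu^-\rangle_n \right) \\
&= \frac{1}{\sqrt{2^{p+1}}} \sum_{j=0}^{2^p-1} |j\rangle_p \otimes \left( e^{i\pi\omega}\,G_n^j\,|\mu^+\rangle_n + e^{-i\pi\omega}\,G_n^j\,|\mu^-\rangle_n \right) \\
&= \frac{1}{\sqrt{2^{p+1}}} \sum_{j=0}^{2^p-1} |j\rangle_p \otimes \left( e^{i\pi\omega(2j+1)}\,|\mu^+\rangle_n + e^{-i\pi\omega(2j+1)}\,|\mu^-\rangle_n \right) \\
&= \frac{e^{i\pi\omega}}{\sqrt{2^{p+1}}} \sum_{j=0}^{2^p-1} e^{2\pi i\omega j}\,|j\rangle_p \otimes |\mu^+\rangle_n + \frac{e^{-i\pi\omega}}{\sqrt{2^{p+1}}} \sum_{j=0}^{2^p-1} e^{2\pi i(1-\omega)j}\,|j\rangle_p \otimes |\mu^-\rangle_n
\end{aligned}$$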

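In order to understand what happened in the last identities of the equation, we should see the effect
that $G_n^j$ has on the states $|\mu^+\rangle_n$ and $|\mu^-\rangle_n$. First:

$$\begin{aligned}
G_n\left(|a\rangle_n\right) &= \left(2\,|\gamma\rangle\langle\gamma|_n - I\right)\left(-|a\rangle_n\right) = -2\,|\gamma\rangle\langle\gamma|a\rangle_n + |a\rangle_n = -2\sin(\pi\omega)\,|\gamma\rangle_n + |a\rangle_n \\
&= -2\sin(\pi\omega)\left(\cos(\pi\omega)\,|b\rangle_n + \sin(\pi\omega)\,|a\rangle_n\right) + |a\rangle_n \\
&= -2\sin(\pi\omega)\cos(\pi\omega)\,|b\rangle_n + \left(1 - 2\sin^2(\pi\omega)\right)|a\rangle_n = -\sin(2\pi\omega)\,|b\rangle_n + \cos(2\pi\omega)\,|a\rangle_n
\end{aligned}$$

$$\begin{aligned}
G_n\left(|b\rangle_n\right) &= \left(2\,|\gamma\rangle\langle\gamma|_n - I\right)|b\rangle_n = 2\,|\gamma\rangle\langle\gamma|b\rangle_n - |b\rangle_n = 2\cos(\pi\omega)\,|\gamma\rangle_n - |b\rangle_n \\
&= 2\cos(\pi\omega)\left(\cos(\pi\omega)\,|b\rangle_n + \sin(\pi\omega)\,|a\rangle_n\right) - |b\rangle_n \\
&= \left(2\cos^2(\pi\omega) - 1\right)|b\rangle_n + 2\sin(\pi\omega)\cos(\pi\omega)\,|a\rangle_n = \cos(2\pi\omega)\,|b\rangle_n + \sin(2\pi\omega)\,|a\rangle_n
\end{aligned}$$

which leads us to

$$\begin{aligned}
G_n\,|\mu^+\rangle_n &= \frac{1}{\sqrt{2}} \left( \cos(2\pi\omega)\,|b\rangle_n + \sin(2\pi\omega)\,|a\rangle_n + i\sin(2\pi\omega)\,|b\rangle_n - i\cos(2\pi\omega)\,|a\rangle_n \right) \\
&= \frac{e^{2i\pi\omega}}{\sqrt{2}} \left( |b\rangle_n - i\,|a\rangle_n \right) = e^{2i\pi\omega}\,|\mu^+\rangle_n
\end{aligned}$$

$$\begin{aligned}
G_n\,|\mu^-\rangle_n &= \frac{1}{\sqrt{2}} \left( \cos(2\pi\omega)\,|b\rangle_n + \sin(2\pi\omega)\,|a\rangle_n - i\sin(2\pi\omega)\,|b\rangle_n + i\cos(2\pi\omega)\,|a\rangle_n \right) \\
&= \frac{e^{-2i\pi\omega}}{\sqrt{2}} \left( |b\rangle_n + i\,|a\rangle_n \right) = e^{-2i\pi\omega}\,|\mu^-\rangle_n
\end{aligned}$$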

STEP 3

$$|\psi_3\rangle_{p,n} \leftarrow \left(F_p^{-1} \otimes I^{\otimes n}\right)\left(|\psi_2\rangle_{p,n}\right)$$

The next step involves $F_n^{-1}$, the inverse of the quantum Fourier transform, already explained in
Section 9, which has the following effect on an $n$-qubit basis state.

$$F_n^{-1} : |j\rangle_n \longmapsto \frac{1}{\sqrt{2^n}} \sum_{k=0}^{2^n-1} e^{-2\pi i \frac{jk}{2^n}}\,|k\rangle_n$$

We recall that, applied to a certain type of quantum state, the inverse quantum Fourier transform
can give us certain information about the distribution of its amplitudes.

$$F_n^{-1} \left( \frac{1}{\sqrt{2^n}} \sum_{j=0}^{2^n-1} e^{2\pi i \frac{k}{2^n} j}\,|j\rangle_n \right) = F_n^{-1}\left(F_n\,|k\rangle_n\right) = |k\rangle_n$$

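Let us see what happens when we apply it to our current quantum state:

$$\begin{aligned}
|\psi_3\rangle_{p,n} &= \left(F_p^{-1} \otimes I^{\otimes n}\right)\left(|\psi_2\rangle_{p,n}\right) \\
&= \frac{e^{i\pi\omega}}{\sqrt{2^{p+1}}} \sum_{j=0}^{2^p-1} e^{2\pi i\omega j}\,F_p^{-1}\,|j\rangle_p \otimes |\mu^+\rangle_n + \frac{e^{-i\pi\omega}}{\sqrt{2^{p+1}}} \sum_{j=0}^{2^p-1} e^{2\pi i(1-\omega)j}\,F_p^{-1}\,|j\rangle_p \otimes |\mu^-\rangle_n \\
&= \frac{e^{i\pi\omega}}{2^p\sqrt{2}} \sum_{l=0}^{2^p-1} \sum_{j=0}^{2^p-1} e^{2\pi i\left(\omega - \frac{l}{2^p}\right)j}\,|l\rangle_p \otimes |\mu^+\rangle_n + \frac{e^{-i\pi\omega}}{2^p\sqrt{2}} \sum_{l=0}^{2^p-1} \sum_{j=0}^{2^p-1} e^{2\pi i\left((1-\omega) - \frac{l}{2^p}\right)j}\,|l\rangle_p \otimes |\mu^-\rangle_n
\end{aligned}$$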

STEP 4

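$\tilde{l} \leftarrow$ measure the first register of $|\psi_3\rangle_{p,n}$
if $\tilde{l} > 2^{p-1}$ then
    $\tilde{l} \leftarrow 2^p - \tilde{l}$
end if
$\tilde{t} \leftarrow 2^n \sin^2\left(\dfrac{\pi\tilde{l}}{2^p}\right)$
return $\tilde{t}$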

As can be concluded from the previous step, we could have obtained the value $2^p\omega$ or $2^p(1 - \omega)$ if
$\omega$ were an integer. However, as that is not the case, we end up with $\tilde{l} = 2^p\tilde{\omega}$ or $\tilde{l} = 2^p(1 - \tilde{\omega})$, where $\tilde{\omega}$
is an estimator of $\omega$, and from which we can get an estimator $\tilde{t}$ for $t$. Thus ends the quantum counting
algorithm; it remains to be proven how good that estimator is, and the probability of obtaining it.

Proof of correctness
Theorem 11.1. Let $f : \{0, 1, \ldots, 2^n - 1\} \to \{0, 1\}$ be the indicator function of a certain set
$A \subseteq \{0, 1, \ldots, 2^n - 1\}$ with $t = |A| = |f^{-1}(1)|$, let $p \geq 2$ and let $\tilde{t}$ be the return value of the previously
described algorithm. Then, with probability of at least $8/\pi^2$, it follows that

$$|t - \tilde{t}| \leq \frac{2\pi}{2^p} \sqrt{t(2^n - t)} + \frac{\pi^2}{2^{2p}}\,|2^n - 2t|.$$

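Proof. [10, 11] Let us suppose that we have a quantum state of the form

$$\frac{1}{2^p} \sum_{l=0}^{2^p-1} \sum_{k=0}^{2^p-1} e^{2\pi i\left(\omega - \frac{l}{2^p}\right)k}\,|l\rangle_p.$$

As the amplitudes of such a state can be expressed as

$$\alpha_l = \frac{1}{2^p} \sum_{k=0}^{2^p-1} e^{2\pi i\left(\omega - \frac{l}{2^p}\right)k} = \frac{1 - e^{2\pi i\,2^p\left(\omega - \frac{l}{2^p}\right)}}{2^p \left(1 - e^{2\pi i\left(\omega - \frac{l}{2^p}\right)}\right)},$$

its probability distribution can be seen as

$$|\alpha_l|^2 = \frac{\sin^2\left(2^p\pi\left(\omega - \frac{l}{2^p}\right)\right)}{2^{2p} \sin^2\left(\pi\left(\omega - \frac{l}{2^p}\right)\right)}.$$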

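As $l_1 = \lfloor 2^p\omega \rfloor$ and $l_2 = \lceil 2^p\omega \rceil$ are the closest values of $l$ to $2^p\omega$, we can deduce that

$$\begin{aligned}
P\left( \left| \frac{\tilde{l}}{2^p} - \omega \right| \leq \frac{1}{2^p} \right) &= P\left( |\tilde{l} - 2^p\omega| \leq 1 \right) = P(\tilde{l} = l_1) + P(\tilde{l} = l_2) = |\alpha_{l_1}|^2 + |\alpha_{l_2}|^2 \\
&= \frac{\sin^2\left(2^p\pi\left(\omega - \frac{l_1}{2^p}\right)\right)}{2^{2p} \sin^2\left(\pi\left(\omega - \frac{l_1}{2^p}\right)\right)} + \frac{\sin^2\left(2^p\pi\left(\omega - \frac{l_2}{2^p}\right)\right)}{2^{2p} \sin^2\left(\pi\left(\omega - \frac{l_2}{2^p}\right)\right)} \\
&= \frac{\sin^2(2^p\pi\Delta)}{2^{2p} \sin^2(\pi\Delta)} + \frac{\sin^2\left(2^p\pi\left(\frac{1}{2^p} - \Delta\right)\right)}{2^{2p} \sin^2\left(\pi\left(\frac{1}{2^p} - \Delta\right)\right)} \\
&\geq \frac{1}{2^{2p}} \left( \frac{1}{\sin^2\left(\frac{\pi}{2^{p+1}}\right)} + \frac{1}{\sin^2\left(\frac{\pi}{2^{p+1}}\right)} \right) = \frac{2}{2^{2p} \sin^2\left(\frac{\pi}{2^{p+1}}\right)} > \frac{2}{2^{2p} \left(\frac{\pi}{2^{p+1}}\right)^2} = \frac{8}{\pi^2},
\end{aligned}$$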

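where $\Delta = (2^p\omega - l_1)/2^p$, and the minimum of the sum is attained at $\Delta = 1/2^{p+1}$. Thus, we have at least a
probability of $8/\pi^2$ of obtaining $l_1$ or $l_2$ with an error less than $1/2^p$. It follows that, if we write
$\Lambda = |(\tilde{l}/2^p) - \omega| \leq 1/2^p$ and with probability of at least $8/\pi^2$,

$$\begin{aligned}
|t - \tilde{t}| &= 2^n \left| \sin^2(\pi\omega) - \sin^2\left(\pi\frac{\tilde{l}}{2^p}\right) \right| = 2^n \left| \sin^2(\pi\omega) - \sin^2(\pi\omega \pm \pi\Lambda) \right| \\
&= 2^n \left| \sin^2(\pi\omega) - \left( \sin(\pi\omega)\cos(\pi\Lambda) \pm \sin(\pi\Lambda)\cos(\pi\omega) \right)^2 \right| \\
&\leq 2^n \left| \sin(2\pi\Lambda)\sin(\pi\omega)\cos(\pi\omega) \right| + 2^n \sin^2(\pi\Lambda) \left| 1 - 2\sin^2(\pi\omega) \right| \\
&\leq 2^{n+1}\pi\Lambda \sqrt{\frac{t}{2^n}\left(1 - \frac{t}{2^n}\right)} + 2^n(\pi\Lambda)^2 \left| 1 - \frac{t}{2^{n-1}} \right| \leq \frac{\pi}{2^{p-1}} \sqrt{t(2^n - t)} + \frac{\pi^2}{2^{2p-1}}\,|2^{n-1} - t|
\end{aligned}$$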
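
The following Python sketch is an added example, not part of the original paper: it classically evaluates the measurement statistics of Step 4 from the $|\alpha_l|^2$ formula of the proof (once for the phase $\omega$ and once for $1 - \omega$) and checks Theorem 11.1 numerically. The function names and the sample database size $n = 5$ are assumptions chosen for this illustration.

```python
import math

def outcome_distribution(n, p, t):
    """Probability of each outcome l = 0..2^p - 1 when the first register of
    |psi_3> is measured, for t marked items among 2^n."""
    P = 2 ** p
    omega = math.asin(math.sqrt(t / 2 ** n)) / math.pi  # sin^2(pi*omega) = t/2^n

    def weight(phase, l):
        # |alpha_l|^2 for a first register holding sum_j e^{2 pi i phase j}|j>
        d = phase - l / P
        s = math.sin(math.pi * d)
        if abs(s) < 1e-12:  # 2^p * phase is the integer l (mod 2^p): exact peak
            return 1.0
        return (math.sin(P * math.pi * d) / (P * s)) ** 2

    # The |mu+> (phase omega) and |mu-> (phase 1 - omega) branches are
    # orthogonal, and each carries half of the total probability.
    return [0.5 * weight(omega, l) + 0.5 * weight(1 - omega, l) for l in range(P)]

def estimate(n, p, l):
    """Step 4 post-processing: fold l into [0, 2^(p-1)] and return the estimate."""
    P = 2 ** p
    if l > P // 2:
        l = P - l
    return 2 ** n * math.sin(math.pi * l / P) ** 2

def error_bound(n, p, t):
    """Right-hand side of Theorem 11.1."""
    N = 2 ** n
    return (2 * math.pi / 2 ** p) * math.sqrt(t * (N - t)) \
        + (math.pi ** 2 / 2 ** (2 * p)) * abs(N - 2 * t)

def success_probability(n, p, t):
    """Total probability of the outcomes whose estimate meets the bound."""
    bound = error_bound(n, p, t) + 1e-9  # small slack for rounding
    dist = outcome_distribution(n, p, t)
    return sum(pr for l, pr in enumerate(dist)
               if abs(t - estimate(n, p, l)) <= bound)

if __name__ == "__main__":
    n = 5  # constructed sample: a database of 2^5 = 32 entries
    for p in (2, 4, 6):
        worst = min(success_probability(n, p, t) for t in range(2 ** n + 1))
        print(f"p={p}: worst-case success probability {worst:.4f} "
              f"(theorem guarantees {8 / math.pi ** 2:.4f})")
```

The simulation needs $2^p$ terms per distribution, so it is a check of the analysis for small registers rather than a substitute for the quantum circuit.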

References
[1] The Heisenberg representation of quantum computers.
[2] D. Aharonov, W. Van Dam, J. Kempe, Z. Landau, S. Lloyd, and O. Regev, Adiabatic
quantum computation is equivalent to standard quantum computation, SIAM Review, 50 (2008),
pp. 755–787.
[3] A. Barenco, C. H. Bennett, R. Cleve, D. P. DiVincenzo, N. Margolus, P. Shor,
T. Sleator, J. A. Smolin, and H. Weinfurter, Elementary gates for quantum computation,
Physical Review A, 52 (1995), p. 3457.
[4] J. S. Bell, On the Einstein Podolsky Rosen paradox, Physics, 1 (1964), pp. 195–200.
[5] P. Benioff, The computer as a physical system: A microscopic quantum mechanical Hamiltonian
model of computers as represented by Turing machines, Journal of Statistical Physics, 22 (1980),
pp. 563–591.

[6] C. H. Bennett, E. Bernstein, G. Brassard, and U. Vazirani, Strengths and weaknesses
of quantum computing, SIAM Journal on Computing, 26 (1997), pp. 1510–1523.

[7] D. J. Bernstein and A. K. Lenstra, A general number field sieve implementation, in The
development of the number field sieve, Springer, 1993, pp. 103–126.
[8] E. Bernstein and U. Vazirani, Quantum complexity theory, SIAM Journal on Computing, 26
(1997), pp. 1411–1473.

[9] F. Bloch, Nuclear induction, Physical Review, 70 (1946), p. 460.


[10] M. Boyer, G. Brassard, P. Høyer, and A. Tapp, Tight bounds on quantum searching, arXiv
preprint quant-ph/9605034, (1996).
[11] G. Brassard, P. Høyer, and A. Tapp, Quantum counting, Automata, Languages and
Programming, (1998), pp. 820–831.
[12] H. Cohen, A course in computational algebraic number theory, vol. 138, Springer Science &
Business Media, 2013.
[13] D. Deutsch, Quantum theory, the Church-Turing principle and the universal quantum
computer, in Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering
Sciences, vol. 400, The Royal Society, 1985, pp. 97–117.
[14] D. Deutsch, Quantum computational networks, vol. 425, The Royal Society, 1989, pp. 73–90.
[15] D. Deutsch and R. Jozsa, Rapid solution of problems by quantum computation, Proceedings
of the Royal Society of London A: Mathematical, Physical and Engineering Sciences, 439 (1992),
pp. 553–558.

[16] Z. Diao, C. Huang, and K. Wang, Quantum counting: algorithm and error distribution, Acta
Applicandae Mathematicae, 118 (2012), pp. 147–159.
[17] P. A. M. Dirac, A new notation for quantum mechanics, in Mathematical Proceedings of the
Cambridge Philosophical Society, vol. 35, Cambridge University Press, 1939, pp. 416–418.

[18] D. P. DiVincenzo, Two-bit gates are universal for quantum computation, Physical Review A,
51 (1995), p. 1015.
[19] A. Einstein, B. Podolsky, and N. Rosen, Can quantum-mechanical description of physical
reality be considered complete?, Physical Review, 47 (1935), p. 777.

[20] A. Ekert and R. Jozsa, Quantum computation and Shor’s factoring algorithm, Reviews of
Modern Physics, 68 (1996), p. 733.
[21] E. Farhi, J. Goldstone, S. Gutmann, and M. Sipser, Quantum computation by adiabatic
evolution, arXiv preprint quant-ph/0001106, (2000).
[22] R. P. Feynman, Simulating physics with computers, International Journal of Theoretical Physics,
21 (1982), pp. 467–488.
[23] W. Gerlach and O. Stern, Der experimentelle Nachweis der Richtungsquantelung im
Magnetfeld, Zeitschrift für Physik, 9 (1922), pp. 349–352.
[24] L. K. Grover, A fast quantum mechanical algorithm for database search, in Proceedings of the
28th Annual ACM Symposium on Theory of Computing, ACM, 1996, pp. 212–219.
[25] L. K. Grover, Quantum mechanics helps in searching for a needle in a haystack, Physical Review Letters,
79 (1997), p. 325.
[26] L. K. Grover, From Schrödinger’s equation to the quantum search algorithm, American Journal of Physics,
69 (2001), pp. 769–777.

[27] R. Jozsa, Quantum factoring, discrete logarithms, and the hidden subgroup problem, Computing
in Science & Engineering, 3 (2001), pp. 34–43.

[28] R. Jozsa and N. Linden, On the role of entanglement in quantum-computational speed-up, in
Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences,
vol. 459, The Royal Society, 2003, pp. 2011–2032.
[29] D. E. Knuth, The Art of Computer Programming, Volume 1: Fundamental Algorithms,
Addison-Wesley, 1968.
[30] M. Kraitchik, Recherches sur la théorie des nombres, vol. 1, Gauthier-Villars, 1924.

[31] R. E. Ladner, On the structure of polynomial time reducibility, Journal of the ACM, 22 (1975),
pp. 155–171.
[32] B. Lanyon, T. Weinhold, N. K. Langford, M. Barbieri, D. James, A. Gilchrist, and
A. White, Experimental demonstration of a compiled version of Shor’s algorithm with quantum
entanglement, Physical Review Letters, 99 (2007), p. 250505.

[33] D. H. Lehmer and R. E. Powers, On factoring large numbers, Bulletin of the American
Mathematical Society, 37 (1931), pp. 770–776.
[34] A. K. Lenstra, H. W. Lenstra, M. S. Manasse, and J. M. Pollard, The number field
sieve, in The development of the number field sieve, Springer, 1993, pp. 11–42.

[35] S. Lomonaco, Shor’s quantum factoring algorithm, in Proceedings of Symposia in Applied
Mathematics, vol. 58, 2002, pp. 161–180.
[36] C.-Y. Lu, D. E. Browne, T. Yang, and J.-W. Pan, Demonstration of a compiled version
of Shor’s quantum factoring algorithm using photonic qubits, Physical Review Letters, 99 (2007),
p. 250504.

[37] Y. Manin, The computable and not computable (in Russian), 1980.
[38] M. A. Morrison and J. Brillhart, A method of factoring and the factorization of F7,
Mathematics of Computation, 29 (1975), pp. 183–205.
[39] M. A. Nielsen and I. Chuang, Quantum computation and quantum information, AAPT, 2002.

[40] C. Pomerance, Analysis and comparison of some integer factoring algorithms, Mathematisch
Centrum Computational Methods in Number Theory, Pt. 1, (1982), pp. 89–139.
[41] C. Pomerance, The quadratic sieve factoring algorithm, in Workshop on the Theory and Application of
Cryptographic Techniques, Springer, 1984, pp. 169–182.

[42] C. Pomerance, A tale of two sieves, Notices of the American Mathematical Society, 43 (1996),
pp. 1473–1485.
[43] J. Roland and N. J. Cerf, Quantum search by local adiabatic evolution, Physical Review A,
65 (2002), p. 042308.

[44] E. Schrödinger, Discussion of probability relations between separated systems, in Mathematical
Proceedings of the Cambridge Philosophical Society, vol. 31, Cambridge University Press, 1935,
pp. 555–563.
[45] P. W. Shor, Algorithms for quantum computation: Discrete logarithms and factoring, in
Foundations of Computer Science, 1994 Proceedings., 35th Annual Symposium on, IEEE, 1994,
pp. 124–134.
[46] D. R. Simon, On the power of quantum computation, SIAM Journal on Computing, 26 (1997),
pp. 1474–1483.
[47] L. M. Vandersypen, M. Steffen, G. Breyta, C. S. Yannoni, M. H. Sherwood, and I. L.
Chuang, Experimental realization of Shor’s quantum factoring algorithm using nuclear magnetic
resonance, Nature, 414 (2001), p. 883.

[48] N. Xu, J. Zhu, D. Lu, X. Zhou, X. Peng, and J. Du, Quantum factorization of 143
on a dipolar-coupling nuclear magnetic resonance system, Physical Review Letters, 108 (2012),
p. 130501.
[49] A. C.-C. Yao, Quantum circuit complexity, in Foundations of Computer Science, 1993.
Proceedings., 34th Annual Symposium on, IEEE, 1993, pp. 352–361.
