Grover's algorithm
In quantum computing, Grover's algorithm, also known as the quantum search algorithm, is a quantum algorithm for unstructured search that finds with high probability the unique input to a black box function that produces a particular output value, using just evaluations of the function, where is the size of the function's domain. It was devised by Lov Grover in 1996.
The analogous problem in classical computation would have a query complexity .
Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani proved that any quantum solution to the problem needs to evaluate the function times, so Grover's algorithm is asymptotically optimal. Since classical algorithms for NP-complete problems require exponentially many steps, and Grover's algorithm provides at most a quadratic speedup over the classical solution for unstructured search, this suggests that Grover's algorithm by itself will not provide polynomial-time solutions for NP-complete problems.
Unlike other quantum algorithms, which may provide exponential speedup over their classical counterparts, Grover's algorithm provides only a quadratic speedup. However, even quadratic speedup is considerable when is large, and Grover's algorithm can be applied to speed up broad classes of algorithms. Grover's algorithm could brute-force a 128-bit symmetric cryptographic key in roughly 264 iterations, or a 256-bit key in roughly 2128 iterations. It may not be the case that Grover's algorithm poses a significantly increased risk to encryption over existing classical algorithms, however.
Applications and limitations
Grover's algorithm, along with variants like amplitude amplification, can be used to speed up a broad range of algorithms. In particular, algorithms for NP-complete problems which contain exhaustive search as a subroutine can be sped up by Grover's algorithm. The current theoretical best algorithm, in terms of worst-case complexity, for 3SAT is one such example. Generic constraint satisfaction problems also see quadratic speedups with Grover. These algorithms do not require that the input be given in the form of an oracle, since Grover's algorithm is being applied with an explicit function, e.g. the function checking that a set of bits satisfies a 3SAT instance. However, it is unclear whether Grover's algorithm could speed up best practical algorithms for these problems.Grover's algorithm can also give provable speedups for black-box problems in quantum query complexity, including element distinctness and the collision problem. In these types of problems, one treats the oracle function f as a database, and the goal is to use the quantum query to this function as few times as possible.
Cryptography
Grover's algorithm essentially solves the task of function inversion. Roughly speaking, if we have a function that can be evaluated on a quantum computer, Grover's algorithm allows us to calculate when given. Consequently, Grover's algorithm gives broad asymptotic speed-ups to many kinds of brute-force attacks on symmetric-key cryptography, including collision attacks and pre-image attacks. However, this may not necessarily be the most efficient algorithm since, for example, the Pollard's rho algorithm is able to find a collision in SHA-2 more efficiently than Grover's algorithm.Limitations
Grover's original paper described the algorithm as a database search algorithm, and this description is still common. The database in this analogy is a table of all of the function's outputs, indexed by the corresponding input. However, this database is not represented explicitly. Instead, an oracle is invoked to evaluate an item by its index. Reading a full database item by item and converting it into such a representation may take a lot longer than Grover's search. To account for such effects, Grover's algorithm can be viewed as solving an equation or satisfying a constraint. In such applications, the oracle is a way to check the constraint and is not related to the search algorithm. This separation usually prevents algorithmic optimizations, whereas conventional search algorithms often rely on such optimizations and avoid exhaustive search. Fortunately, fast Grover's oracle implementation is possible for many constraint satisfaction and optimization problems.The major barrier to instantiating a speedup from Grover's algorithm is that the quadratic speedup achieved is too modest to overcome the large overhead of near-term quantum computers. However, later generations of fault-tolerant quantum computers with better hardware performance may be able to realize these speedups for practical instances of data.
Problem description
As input for Grover's algorithm, suppose we have a function. In the "unstructured database" analogy, the domain represent indices to a database, and if the data that points to satisfies the search criterion. We additionally assume that only one index satisfies, and we call this index. Our goal is to identify.We can access with a subroutine in the form of a unitary operator that acts as follows:
This uses the -dimensional state space, which is supplied by a register with qubits.
This is often written as
Grover's algorithm outputs with probability at least using applications of. This probability can be made arbitrarily large by running Grover's algorithm multiple times. If one runs Grover's algorithm until is found, the expected number of applications is still, since it will only be run twice on average.
Alternative oracle definition
This section compares the above oracle with an oracle.is different from the standard quantum oracle for a function. This standard oracle, denoted here as, uses an ancillary qubit system. The operation then represents an inversion on the main system conditioned by the value of f from the ancillary system:
or briefly,
These oracles are typically realized using uncomputation.
If we are given as our oracle, then we can also implement, since is when the ancillary qubit is in the state :
So, Grover's algorithm can be run regardless of which oracle is given. If is given, then we must maintain an additional qubit in the state and apply in place of.
Algorithm
The steps of Grover's algorithm are given as follows:- Initialize the system to the uniform superposition over all states
- Perform the following "Grover iteration" times:
- # Apply the operator
- # Apply the Grover diffusion operator
- Measure the resulting quantum state in the computational basis.
Implementing the steps for this algorithm can be done using a number of gates linear in the number of qubits. Thus, the gate complexity of this algorithm is, or per iteration.
Geometric proof
There is a geometric interpretation of Grover's algorithm, following from the observation that the quantum state of Grover's algorithm stays in a two-dimensional subspace after each step. Consider the plane spanned by and ; equivalently, the plane spanned by and the perpendicular ket.Grover's algorithm begins with the initial ket, which lies in the subspace. The operator is a reflection at the hyperplane orthogonal to for vectors in the plane spanned by and, i.e. it acts as a reflection across. This can be seen by writing in the form of a Householder reflection:
The operator is a reflection through. Both operators and take states in the plane spanned by and to states in the plane. Therefore, Grover's algorithm stays in this plane for the entire algorithm.
It is straightforward to check that the operator of each Grover iteration step rotates the state vector by an angle of. So, with enough iterations, one can rotate from the initial state to the desired output state. The initial ket is close to the state orthogonal to :
In geometric terms, the angle between and is given by
We need to stop when the state vector passes close to ; after this, subsequent iterations rotate the state vector away from, reducing the probability of obtaining the correct answer. The exact probability of measuring the correct answer is
where r is the number of Grover iterations. The earliest time that we get a near-optimal measurement is therefore.
Algebraic proof
To complete the algebraic analysis, we need to find out what happens when we repeatedly apply. A natural way to do this is by eigenvalue analysis of a matrix. Notice that during the entire computation, the state of the algorithm is a linear combination of and. We can write the action of and in the space spanned by as:So in the basis the action of applying followed by is given by the matrix
This matrix happens to have a very convenient Jordan form. If we define, it is
where
It follows that r-th power of the matrix is
Using this form, we can use trigonometric identities to compute the probability of observing ω after r iterations mentioned in the previous section,
Alternatively, one might reasonably imagine that a near-optimal time to distinguish would be when the angles 2rt and −2rt are as far apart as possible, which corresponds to, or. Then the system is in state
A short calculation now shows that the observation yields the correct answer ω with error.
Extensions and variants
Multiple matching entries
If, instead of 1 matching entry, there are k matching entries, the same algorithm works, but the number of iterations must be instead ofThere are several ways to handle the case if k is unknown. A simple solution performs optimally up to a constant factor: run Grover's algorithm repeatedly for increasingly small values of k, e.g., taking k = N, N/2, N/4,..., and so on, taking for iteration t until a matching entry is found.
With sufficiently high probability, a marked entry will be found by iteration for some constant c. Thus, the total number of iterations taken is at most
Another approach if k is unknown is to derive it via the quantum counting algorithm prior.
If , the algorithm will provide no amplification. If, increasing k will begin to increase the number of iterations necessary to obtain a solution. On the other hand, if, a classical running of the checking oracle on a single random choice of input will more likely than not give a correct solution.
A version of this algorithm is used in order to solve the collision problem.