An Introduction to Quantum Computing, Without the Physics

Giacomo Nannicini
IBM T.J. Watson, Yorktown Heights, NY
[email protected]

Last updated: October 3, 2017.

Abstract
This paper is a gentle but rigorous introduction to quantum computing intended for
discrete mathematicians. Starting from a small set of assumptions on the behavior of quan-
tum computing devices, we analyze their main characteristics, stressing the differences with
arXiv:1708.03684v2 [cs.DM] 1 Oct 2017

classical computers, and finally describe two well-known algorithms (Simon’s algorithm and
Grover’s algorithm) using the formalism developed in previous sections. This paper does not
touch on the physics of the devices, and therefore does not require any notion of quantum
mechanics.

1 Introduction
Quantum computing is a relatively new area of computing that has the potential to greatly
speedup the solution of certain problems. However, quantum computers work in a fundamentally
different way than classical computers. This introduction aims to explain the basic principles
underpinning quantum computing. It assumes the reader is at ease with linear algebra, and
with basic concepts in classical computing such as Turing machines, and algorithm complexity.
The literature contains many textbooks on quantum computing: a comprehensive reference
is [Nielsen and Chuang, 2002], whereas more modern textbooks that are more accessible to
non-physicists are [Mermin, 2007, Rieffel and Polak, 2011]. However, those books are time-
consuming reads. There are not many short introductions that are truly accessible to non-
physicists: [Rieffel and Polak, 2000] is noteworthy, as it actually uses very little physics.
The approach used in this work is, as far as we are aware, different from the literature in
the sense that it abstracts entirely away from quantum physics: we study a quantum computing
device starting from a small set of assumptions, and rigorously derive the remaining properties.
The assumptions are verified in the real world because of the laws of quantum mechanics, but it
is not necessary to understand why they hold: as long as we are willing to take a small leap of
faith and believe that these assumptions are true, the rest will follow. The exposition in this work
is more formal than in other surveys in the literature, but in some sense more mathematically
precise: it defines the necessary concepts in a rigorous ways, rather than relying on examples
or intuition, and provides formal proofs.

1.1 Model of computation

The quantum computing device is, in abstract terms, similar to a classical computing device: it
has a state, and the state of the device evolves according to certain operations. More specifically,
the model of computation that we consider is inspired by the current generation of quantum
computing hardware, and it works as follows:

1. The state of the quantum computer is contained in a quantum register, which is initialized
in a predefined way.
 2. The state evolves according to operations specified in advance according to an algorithm.

3. At the end of the computation, some information on the state of the quantum register is
obtained by means of a special operation, called a measurement.

All terms in italics will be the subject of the assumptions mentioned earlier, upon which our
exposition will build. Note that this type of computing device is similar to a Turing machine,
except for the presence of a tape. It is possible to assume the presence of a tape and be
more formal in defining a device that is the quantum equivalent of a Turing machine, see
[Deutsch, 1985], but there is no need to do so for the purposes of this work.

1.2 Basic definitions and notation

A discussion on quantum computers requires notational devices to switch back and forth from
the decimal and the binary representation of integers, some bit operations, and familiarity with
the properties of the tensor product. We describe here the necessary concepts and the notation,
so that the reader can come back to this section at any time to clarify symbols.

Definition 1. Given two vector spaces V and W over a field K with bases e1 , . . . , em and
f1 , . . . , fn respectively, the tensor product V ⊗ W is another vector space over K of dimension
mn. The tensor product space is equipped with a bilinear operation ⊗ : V × W → V ⊗ W . The
vector space V ⊗ W has basis ei ⊗ fj ∀i = 1, . . . , m, j = 1, . . . , n.

If the origin vector spaces are complex Hilbert spaces H of the for Cn , and we choose the
standard basis (consisting of the orthonormal vectors that have a 1 in a single position and 0
elsewhere) in the origin vector spaces, then the tensor product is none other than the Kronecker
product, which is itself a generalization of the outer product. This is formalized next.

Definition 2. Given A ∈ Cm×n , B ∈ Cp×q , the Kronecker product A ⊗ B is the matrix D ∈

Cmp×nq defined as:  
a11 B . . . a1n B
 a21 B . . . a2n B 
D := A ⊗ B =  . ..  .
 
 . . . 
am1 B . . . amn B
If we choose the standard basis over the vector spaces Cm×n and Cp×q , then the bilinear operation
⊗ of the tensor product Cm×n ⊗ Cp×q is simply the Kronecker product.

In this paper we always work with complex Hilbert spaces H of the form Cn , using the
standard basis. With a slight but common abuse of notation, we will therefore use tensor product
to refer to the Kronecker and outer products. The next proposition states some properties of
the tensor product that will be useful in the rest of this paper.

Proposition 1. Let A, B : Cm×m , C, D ∈ Cn×n be linear transformations on V and W respec-

tively, u, v ∈ C m , w, x ∈ Cn , and a, b ∈ C. The tensor product satisfies the following properties:

(i) (A ⊗ C)(B ⊗ D) = AB ⊗ CD.

(ii) (A ⊗ C)(u ⊗ w) = Au ⊗ Cw.

(iii) (u + v) ⊗ w = u ⊗ w + v ⊗ w.

(iv) u ⊗ (w + x) = u ⊗ w + u ⊗ x.

2
 (v) au ⊗ bw = abu ⊗ w.

(vi) (A ⊗ C)∗ = A∗ ⊗ C ∗ .

Above and in the following, the notation A∗ denotes the conjugate transpose of A. Given a
matrix A, the notation A⊗n indicates the tensor product of A with itself n times, and the same
notation will be used for Hilbert spaces:

A⊗n := A ⊗ A · · · ⊗ A, H⊗n := H ⊗ H · · · ⊗ H .
| {z } | {z }
n times n times

To work with the binary representation of integer numbers, we use the following definitions.

Definition 3. For any integers q > 0 and 0 ≤ j ≤ 2q − 1, we denote by jBq ∈ {0, 1}q the vector
containing the binary representation of j on q digits.

Definition 4. For any integers q > 0 and 0 ≤ j ≤ 2q − 1, 0 ≤ k ≤ 2q − 1, we denote by j ⊕q k

the bitwise modulo 2 addition (bitwise XOR), defined as:
(
0 if (jBq )p = (kBq )p
j ⊕q k = h (hBq )p =
1 otherwise.

When the subscript is omitted, it is intended to be 1, i.e., ⊕ is the same as ⊕1 .

Definition 5. For any integers q > 0 and 0 ≤ j ≤ 2q − 1, 0 ≤ k ≤ 2q − 1, we denote by j •q k

the bitwise dot product, defined as:
q
X
j •q k = (jBq )h (kBq )h .
h=1

The last piece of notation that we need is the bra-ket notation, used in quantum mechanics.
As mentioned earlier, this paper will not touch on any quantum mechanical concepts, however
there is an undeniable advantage in the quantum notation in that it puts the most important
information in the center of the symbols, rather than relegate it to a marginal role in the
subscript or superscript. Furthermore, a goal of this work is to equip the reader with the
necessary tools to understand quantum computing papers, hence it is important to familiarize
with the bra-ket notation.

Definition 6. Given a Hilbert space H ≡ Cn , a quantity ψ ∈ H enclosed in a ket, denoted |ψi,

is a vector and can be thought of as a column vector. A quantity φ ∈ H∗ enclosed in a bra,
denoted hφ|, is a vector in the dual space, and can be thought of as a row vector that is the
conjugate transpose of φ ∈ H.

Thus, an expression such as hψ|φi is an inner product in the Hilbert space. The Hilbert
spaces used in this work will be of the form (C2 )⊗q , where q is a given integer. It is therefore
convenient to specify the basis elements of such spaces.
   
2 1 0
Definition 7. The standard basis for C is denoted by |0i1 = , |1i1 = . The standard
0 1
basis for (C2 )⊗q , which has 2q elements, is denoted by |0iq , |1iq , . . . , |2q − 1iq .

We now define more formally our ket notation for basis vectors.

3
 • For any q-digit binary string x ∈ {0, 1}q , |xi is the 2q -dimensional basis vector (C2 )⊗q
Pq−1 inq−j−1
corresponding to the binary string, i.e., the basis vector with a 1 in position j=0 2 xj ,
and 0 elsewhere. For example: |101i is the 8-dimensional basis vector (0 0 0 0 0 0 1 0) .>

• When x is any integer ≤ 2q − 1, |xiq is the 2q -dimensional basis vector |xBq i ∈ (C2 )⊗q , i.e.
the basis vector in which x is expressed as a binary string on q digits. We always use the
subscript |xiq whenever is a basis state. For example: |6i3 = |101i is the 8-dimensional
basis vector (0 0 0 0 0 0 1 0)> .
Notice that according to our notation, |0i = |0i1 and |1i = |1i1 , i.e., the subscript can be
omitted for the basis vectors in C2 . We provide an example of this notation below.
Example 1. Let us write the basis elements of (C2 )⊗2 = C2 ⊗ C2 :
   
1 0
0 1
|0i2 = |0i ⊗ |0i = |00i = 
0
 |1i2 = |0i ⊗ |1i = |01i = 
0


0 0
   
0 0
0 0
|2i2 = |1i ⊗ |0i = |10i = 
1
 |3i2 = |1i ⊗ |1i = |11i = 
0 .


0 1
Thus, the index in the standard basis for (C2 )⊗q of the basis element corresponding to a
tensor product of basis elements of C2 is given simply by the decimal number corresponding to
the binary string obtained by concatenating the indices of the basis elements of C2 .

2 Qubits and quantum state

According to our computational model, a quantum computing device has a state that is stored
in the quantum register. Qubits are the quantum counterpart of the bits found in classical
computers: a classical computer has registers that are made up of bits, whereas a quantum
computer has a single quantum register that is made up of qubits. The state of the quantum
register, and therefore of the quantum computing device, is defined next.

⊗q
Assumption 1. The state of q qubits is a unitary vector in C2 = C2 ⊗ · · · ⊗ C2 .
Remark 1. If we pick
  the standard
  basis for C2 , then a single qubit (q = 1) can be represented
1 0
as α|0i + β|1i = α +β where α, β ∈ C and |α|2 + |β|2 = 1.
0 1

⊗q
Remark 2. Given the standard basis for each C2 , a basis for C2 is given by:
|0iq = |0i ⊗ · · · ⊗ |0i ⊗ |0i = |0Bq i
| {z }
q times

|1iq = |0i ⊗ · · · ⊗ |0i ⊗ |1i = |1Bq i

| {z }
q times
..
.
|2q − 1iq = |1i ⊗ · · · ⊗ |1i = |(2q − 1)Bq i.
| {z }
q times

4
 P q −1 P q −1
The state of q qubits can be represented as: |ψi = 2j=0 αj |jiq , with αj ∈ C and 2j=0 |αj |2 =
1.

⊗q
It is important to notice that C2 is a 2q -dimensional space. This is in sharp contrast
with the state of classical bits: given q classical bits, their state is a binary string in {0, 1}q ,
which is a q-dimensional space. In other words, the dimension of the state space of quantum
registers grows exponentially in the number of qubits, whereas the dimension of the state space
of classical registers grows linearly in the number of bits. Furthermore, to represent a quantum
state we need complex coefficients: a q-qubit quantum register “stores” 2q complex coefficients,
which is an enormous amount of information compared to what is stored in a q-bit classical
register. However, we will see in Section 3.2 that a quantum state cannot be accessed directly,
therefore even if the quantum state contains a lot of information, we cannot get access to it as
easily as with classical registers.

2.1 Basis states and superposition

P q −1
Definition 8. We say that q qubits are in a basis state if their state |ψi = 2j=0 αj |jiq is such
that ∃k : αk = 1, αj = 0 ∀j 6= k. Otherwise, we say that they are in a superposition.

Example 2. Consider two qubits:

|xi = α0 |0i + α1 |1i

|yi = β0 |0i + β1 |1i.

Then, the two qubits taken as a whole will be in state:

|xi ⊗ |yi = α0 β0 |0i ⊗ |0i + α0 β1 |0i ⊗ |1i + α1 β0 |1i ⊗ |0i + α1 β1 |1i ⊗ |1i.

If both |xi and |yi are in a basis state, we have that either α0 or α1 is zero, and similarly
either β0 or β1 is zero, while the nonzero coefficients have modulus one. Thus, only one of the
coefficients in the expression of the state of |xi ⊗ |yi is nonzero, and in fact its modulus is one:
all other coefficients are zero. This implies that if both |xi and |yi are in a basis state, |xi ⊗ |yi
is in a basis state as well. But now assume that α0 = β0 = α1 = β1 = √12 : the qubits |xi and
|yi are in a superposition. Then the state of |xi ⊗ |yi is 21 |00i + 12 |01i + 12 |10i + 12 |11i, which is
a superposition as well. Notice that the normalization of the coefficients works out, as one can
easily check with simple algebra: the tensor product of unitary vectors is unitary.

The example clearly generalizes to an arbitary number of qubits. In fact the following
proposition is trivially true:

Proposition 2. For any q, q qubits are in a basis state if and only if each of the individual
qubits is in a basis state.

Notice that superposition does not have a classical equivalent: q classical bits are always
in a basis state, i.e., the q bits will always correspond exactly to one of the 2q binary strings
representing the numbers 0, . . . , 2q − 1. Indeed, superposition is one of the main features of
quantum computers that differentiates them from classical computers. The second important
feature is entanglement, that will be discussed next.

5
2.2 Product states and entanglement

⊗q
We have seen that the state of q-qubits is a vector in C2 , which is a 2q dimensional space.
2
Since this is a tensor product of C , i.e., the space in which single qubits live, it is natural to
ask whether moving from single qubits to multiple qubits gained us anything at all. In other
words, we want to investigate whether the quantum states that are representable on q qubits
are simply the tensor product of q single qubits. We can answer this question
⊗q by using the
definitions given above. The state of q qubits is a unitary vector in C2 , and it can be
represented as:
q −1
2X q −1
2X
|ψi = αj |jiq , |αj |2 = 1.
j=0 j=0
Now let us consider the tensor product of q qubits, the j-th of which is in state βj,0 |0i + βj,1 |1i.
Taking the tensor product we obtain the vector:
1 1 1 q−1 q −1 q
2X
X X X Y Y
|φi = ··· βk,jk |jq jq−1 . . . j0 i = βk,(jBq )k |jBq i,
jq−1 =0 jq−2 =0 j0 =1 k=0 j=0 k=1

|βj,0 |2 + |βj,1 |2 = 1 ∀j = 1, . . . , q.
The normalization condition for |φi implies that 1jq−1 =0 1jq−2 =0 · · · 1j0 =1 q−1 2
P P P Q
k=0 |βk,jk | = 1,
q −1
but it is more restrictive than that of |ψi. That is, there are values for αj with 2j=0 |αj |2 = 1
P
that cannot be expressed as coefficients satisfying the conditions for |φi.
This is easily clarified with an example using two qubits:
|xi = α0 |0i + α1 |1i
|yi = β0 |0i + β1 |1i.
that taken as a whole will be in state:
|xi ⊗ |yi = α0 β0 |00i + α0 β1 |01i + α1 β0 |10i + α1 β1 |11i, (1)
with the normalization conditions |α0 |2 + |α1 |2 = 1 and |β0 |2 + |β1 |2 = 1. The general state of
a 2-qubit register |ψi is:
|ψi = γ00 |00i + γ01 |01i + γ10 |10i + γ11 |11i, (2)
with normalization condition |γ00 |2 + |γ01 |2 + |γ10 |2 + |γ11 |2 = 1. Comparing equations (1) and
(2), we determine that a |ψi is of the form |xi ⊗ |yi if and only if it satisfies the relationship:
γ00 γ11 = γ01 γ10 . (3)
Clearly |xi⊗|yi yields coefficients that satisfy this condition. To see the converse, let θ00 , θ01 , θ10 , θ11
be the phases of γ00 , γ01 , γ10 , γ11 . Notice that (3) implies:
|γ00 |2 |γ11 |2 = |γ01 |2 |γ10 |2
θ00 + θ11 = θ01 + θ10 .
Then we can write:
p 2 p
|γ00 | = |γ00 | = |γ00 |2 (|γ00 |2 + |γ01 |2 + |γ10 |2 + |γ11 |2 )
p
= |γ00 |4 + |γ00 |2 |γ01 |2 + |γ00 |2 |γ10 |2 + |γ01 |2 |γ10 |2
p p
= |γ00 |2 + |γ01 |2 |γ00 |2 + |γ10 |2 ,
| {z }| {z }
|α0 | |β0 |

6
and similarly for other coefficients:
p p
|γ01 | = |γ00 |2 + |γ01 |2 |γ01 |2 + |γ11 |2
| {z }| {z }
|α0 | |β1 |
p p
|γ10 | = |γ10 |2 + |γ11 |2 |γ00 |2 + |γ10 |2
| {z }| {z }
|α1 | |β0 |
p p
|γ11 | = |γ10 |2 + |γ11 |2 |γ01 |2 + |γ11 |2 .
| {z }| {z }
|α1 | |β1 |

To fully define the coefficients α0 , α1 , β0 , β1 we must determine their phases. We can assign:

α0 = eiθ00 |α0 |, α1 = eiθ10 |α1 |, β0 = |β0 |, β1 = ei(θ01 −θ00 ) |β1 |. (4)

It is now easy to verify that the state |ψi in (2) can be expressed as |xi ⊗ |yi in (1) with
coefficients α0 , α1 , β0 , β1 as given in (4). We formalize the concept of expressing a quantum
state as a tensor product of lower-dimensional quantum states as follows.

⊗q
Definition 9. A quantum state |ψi ∈ C2 is a decomposable if it can be expressed as a
tensor product |ψ1 i ⊗ · · · ⊗ |ψk i of k > 2 quantum states on q1 , . . . , qk qubits respectively, with
the property that q1 + · · · + qk = q.

⊗q
Definition 10. A quantum state |ψi ∈ C2 is a product state if it is decomposable into the
tensor product of q single-qubit quantum states. Otherwise, it is entangled.

Notice that a general quantum state |ψi could be the product of two or more lower-
dimensional quantum state, e.g., |ψi = |ψ1 i ⊗ |ψ2 i, with |ψ1 i and |ψ2 i being entangled states.
In such a situation, |ψi still exhibits some entanglement, but in some sense it can still be “sim-
plified”. Generally, according to the definition above, a quantum state is called entangled as
long as it cannot be fully decomposed.

Example 3. Consider the following 2-qubit state:

1 1 1 1
|00i + |01i + |10i + |11i.
2 2 2 2
  
This is a product state because it is equal to √12 |0i + √12 |1i √12 |0i + √1 |1i
2
. On the other
hand, the following 2-qubit state:
1 1
√ |00i + √ |11i
2 2
is an entangled state, because it cannot be expressed as a product of two single-qubit states.

3 Operations on qubits
Operations on quantum states must satisfy certain conditions, to ensure that applying an op-
eration does not break the basic properties of the quantum state.

Assumption 2. An operation applied by a quantum computer with q qubits, also called a gate,
q q
is a unitary matrix in C2 ×2 .

Remark 3. A matrix U is unitary if U ∗ U = U U ∗ = I.

7
 A well-known property of unitary matrices is that they are norm-preserving; that is, given
a unitary matrix U and a vector x, kU xk = kxk. Thus, for a q-qubit system, the quantum state
q q q
is a unitary vector ψ ∈ C2 , a quantum operation is a matrix U ∈ C2 ×2 , and the application
q
of U onto the state ψ is the unitary vector U ψ ∈ C2 . This leads to the following remarks:
• Quantum operations are linear.

• Quantum operations are reversible.

While these properties may initially seem to be extremely restrictive, [Deutsch, 1985] shows that
a universal quantum computer is Turing-complete, implying that it can simulate any Turing-
computable function with an additional polynomial amount of space, given sufficient time. Out
of the two properties indicated above, the most counterintuitive is perhaps reversibility: the
classical notion of computation is typically not reversible, because memory can be erased and, in
the classical Turing machine model of computation, symbols are erased from the tape. However,
[Bennett, 1973] shows that computations can be made reversible by means of extra space. The
general idea to make a function invertible is to have separate input and output registers. This
is a standard trick in quantum computing that will be discussed in Section 4, but in order to
do that, we first need to introduce some notation for quantum circuits.

3.1 Notation for quantum circuits

A quantum circuit is represented by indicating which operations are performed on each qubit,
or group of qubits. For a quantum computer with q qubits, we represent q qubit lines, where
the bottom line indicates qubit 1 and the rest are given in ascending order from the bottom.
Operations are represented as gates; from now, the two terms are used interchangeably. Gates
take qubit lines as input, have the same number of qubit lines as output, and apply the unitary
matrix indicated on the gate to the quantum state of those qubits. Figure 1 is a simple example.

qubit 3
qubit 2 U
qubit 1
Figure 1: A simple quantum circuit.

Note that circuit diagrams are read from left to right, but because each gate corresponds to
applying a matrix to the quantum state, the matrices corresponding to the gates should be
written from right to left in the mathematical expression describing the circuit. For example,
in the circuit in Figure 2, the outcome of the circuit is the state BA|ψi, because we start with

|ψi A B BA|ψi

Figure 2: Order of the operations in a quantum circuit.

state |ψi, and we first apply the gate with unitary matrix A, and then B.
Gates can also be applied to individual qubits. Because a single qubit is a vector in C|2 , a
single-qubit gate is a unitary matrix in C2×2 . Consider the same 3-qubit device, and suppose
we want to apply the gate only to the first qubit. We would write it as in Figure 3

8
 qubit 3 U
qubit 2
qubit 1
Figure 3: A circuit with a single-qubit gate.

From an algebraic point of view, the action of our first example in Figure 1 on the quantum
state is clear: the state of the three qubits is mapped onto another 3-qubit state, as U acts on
all the qubits. To understand the example in Figure 3, where U is a single-qubit gate that acts
on qubit 3 only, we must imagine that an identity gate is applied to all the empty qubit lines.
Therefore, Figure 3 can be thought of as indicated in Figure 4.

qubit 3 U
qubit 2 I
qubit 1 I
Figure 4: Equivalent representation of a circuit with a single-qubit gate.

This circuit can be interpreted as applying the U ⊗ I ⊗ I to the 3-qubit state |ψi. Notice that by
convention U , applied to qubit 3, appears in the leftmost term of the tensor product, because
the basis for C2 ⊗ C2 ⊗ C2 has elements |000i, |001i, . . . , |111i where by convention we label
qubit 3 the leftmost qubit. In particular, if we have a product state |xi ⊗ |yi ⊗ |zi, we can write
labels as indicated in Figure 5.
|xi |xi
|yi |yi
|zi U U |zi

Figure 5: Effect of a single-qubit gate on a product state.

This is because (I ⊗ I ⊗ U )(|xi ⊗ |yi ⊗ |zi) = |xi ⊗ |yi ⊗ U |zi. If the system is in an entangled
state, however, the action of (I ⊗ I ⊗ U ) cannot be determined in such a simple way, because the
state cannot be factored as a product state. Thus, for a general entangled state, the effect of the
circuit is as indicated in Figure 6. Notice that this fact is essentially the reason why simulation



|ψi (I ⊗ I ⊗ U )|ψi


U
Figure 6: Effect of a single-qubit gate on an entangled state.

of quantum computations on classical computers takes exponential space: to simulate the effect
even of a single-qubit gate on the entangled state |ψi, we have to explicitly compute the 2q × 2q
matrix (I ⊗ I ⊗ U ), and then apply it to |ψi. As long as the quantum state is not entangled
computations can be carried out on each qubit independently, but entanglement requires us to
keep track of the full quantum state in 2q -dimensional complex space, leading to large amounts
of memory required.

9
3.2 Input-output, and measurement gates
We will first note that by convention, the initial quantum state of the quantum computing
device is |0iq . Any algorithm will have to start from this state. Of course, this does not prevent
the algorithm to modify the state and transform it into a more suitable one. Examples of how
this can be done will be seen in subsequent sections. The important part is that if there is any
data that has to be fed to the algorithm, this data will take the form of a circuit that performs
some operation on the quantum state. Therefore, the input to a quantum computing device
is a circuit, or a set of circuits, which are then combined in an algorithm: the algorithm may
be self-contained in the quantum computer, or it may involve an external, classical computing
device that uses quantum computations as a subroutine. But what is the output of the quantum
computer?
So far we characterized properties of quantum states and quantum gates. Remarkably, the
state of a q-qubit quantum device has dimension 2q , exponentially larger than the dimension
of q classical bits. However, there is a catch: in a classical computer we can simply read the
state of the bits, whereas in a quantum computer we do not have direct, unrestricted access to
the quantum state. Information on the quantum state is only gathered through a measurement
gate, indicated in the circuit diagram in Figure 7.

|ψi M

Figure 7: Single-qubit measurement.

We now formally define the effect of a single-bit measurement.

Assumption 3. Information on the state of a quantum computing P q −1 device can only be obtained
through a measurement. Given a q-qubit quantum state |ψi = 2j=0 αj |jiq , a measurement gate
on qubit k outputs 0 with probability j:(jBq )k =0 |αj | , and 1 with probability j:(jBq )k =1 |αj |2 .
2
P P

Let x ∈ {0, 1} be the measured value. After the measurement, the quantum state becomes:
X αj
qP |jiq .
2
j:(jBq )k =x j:(jBq )k =x |αj |

The original quantum state is no longer recoverable.

Remark 4. The state of the quantum system after a measurement collapses to a linear combi-
nation of only those basis states that are consistent with the outcome of the measurement.

The measurement rule for single-qubit implies a very simple and natural expression for the
probability of observing a given binary string when measuring all the qubits.
P q −1
Proposition 3. Given a q-qubit quantum state |ψi = 2j=0 αj |jiq , measuring the q qubits in
any order yields jBq with probability |αj |2 , for j = 0, . . . , 2q − 1.

Proof. We need to show that the probability of observing jBq after q single-qubit measurements
is equal to |αj |2 . We can do this by induction on q. The case q = 1 is trivial. We now show how
M
to go from q − 1 to q. In terms of notation, we will write Pr(i = x) to denote the probability
that the measurement of qubit i yields x ∈ {0, 1}. If it is important to indicate the quantum
M
state on which the measurement is performed, we denote it as Pr|ψi (i = x).

10
 Suppose the qubits are measured in an abitrary order π(1), . . . , π(q). After measuring the
first qubit, the quantum state becomes:
X αk X
|φi = qP |kiq := βk |kiq ,
2
k:(kBq )π(1) =(jBq )π(1) k:(kBq )π(1) =(jBq )π(1) |αk | k:(kBq )π(1) =(jBq )π(1)

where the coefficients βk , as given above, are only defined for k : (kBq )π(1) = (jBq )π(1) . Re-
garding the probability of measuring the outcomes, we can write:
 
M M
Pr π(1) = (jBq )π(1) , . . . , π(q) = (jBq )π(q) =
|ψi
   
M M M M
Pr π(2) = (jBq )π(2) , . . . , π(q) = (jBq )π(q) |π(1) = (jBq )π(1) Pr π(1) = (jBq )π(1) =
|ψi |ψi
   
M M M
Pr π(2) = (jBq )π(2) , . . . , π(q) = (jBq )π(q) Pr π(1) = (jBq )π(1) .
|φi |ψi

By the definition of single-qubit measurement, we have:

  X
M
Pr π(1) = (jBq )π(1) = |αk |2 .
|ψi
k:(kBq )π(1) =(jBq )π(1)

By the induction hypothesis:

 
M M
Pr π(2) = (jBq )π(2) , . . . , π(q) = (jBq )π(q) =
|φi
X X |αk |2
|βk |2 = X ,
k:(kBq )π(h) =(jBq )π(h) ∀h=1,...,q k:(kBq )π(h) =(jBq )π(h) ∀h=1,...,q |αk |2
k:(kBq )π(1) =(jBq )π(1)

where the summation is only over indices for which (kBq )π(1) = (jBq )1 by definition of |φi.
Carrying out the multiplication, we obtain:
 
M M
Pr π(1) = (jBq )π(1) , . . . , π(q) = (jBq )π(q) =
|ψi
X |αk |2 X
X |αk |2 =
2
k:(kBq )π(h) =(jBq )π(h) ∀h=1,...,q |αk | k:(kBq )π(1) =(jBq )π(1)
k:(kBq )π(1) =(jBq )π(1)
X
|αk |2 = |αj |2 .
k:(kBq )h =(jBq )h ∀h=1,...,q

Proposition 3 above shows that the two circuits in Figure 8 are equivalent.

M
|ψi M |ψi M
M
Figure 8: Multiple-qubit measurement.

11
In other words, the single-qubit measurement gate is sufficient to measure any number of qubits
in the most natural way, i.e., the measurement outcomes on the q qubits occur with probability
that is exactly equal to the square of the state coefficients αj . Notice that with this simple rule,
it is easy to compute the probability of measuring a given string on a given subset of the qubits:
we just need to add up the modulus squared of the coefficients for all those basis states that
contain the desired string in the desired position.

Example 4. Consider again the following 2-qubit state:

1 1 1 1
α00 |00i + α01 |01i + α10 |10i + α11 |11i = |00i + |01i + |10i + |11i.
2 2 2 2
We remarked that this is a product state. Let qubit QR be the qubit on the right (i.e., the second
digit in the two-digit binary strings), and qubit QL the qubit on the left (i.e., the first digit in
the two-digit binary strings). Then:
 2  2
M 2 2 1 1 1
Pr(QL = 0) = |α00 | + |α01 | = + =
2 2 2
 2  2
M 1 1 1
Pr(QL = 1) = |α10 |2 + |α11 |2 = + =
2 2 2
 2  2
M 1 1 1
Pr(QR = 0) = |α00 |2 + |α10 |2 = + =
2 2 2
 2  2
M 1 1 1
Pr(QR = 1) = |α01 |2 + |α11 |2 = + = .
2 2 2

Suppose we measure QR and we obtain 1 as the outcome of the measurement. Then the state
of the 2-qubit systems collapses to:
1 1
√ |01i + √ |11i.
2 2
If we measure QL from this modified state, we obtain:

M 1 M 1
Pr(QL = 0) = Pr(QL = 1) = .
2 2
Hence, the probability of measuring 0 or 1 from qubit QL did not change after the measurement.
Consider now the followin entangled 2-qubit state:
1 1
β00 |00i + β11 |11i = √ |00i + √ |11i.
2 2
Doing the calculations, we still have:

M 1 M 1
Pr(QL = 0) = |β00 |2 = Pr(QL = 1) = |β11 |2 =
2 2
M 2 1 M 2 1
Pr(QR = 0) = |β00 | = Pr(QR = 1) = |β11 | = .
2 2
Suppose we measure qubit QR and we obtain 1 as the outcome of the measurement. Then the
state of the 2-qubit system collapses to:
|11i.

12
If we measure QL from this state, we obtain:
M M
Pr(QL = 0) = 0 Pr(QL = 1) = 1.

The situation is now very different: the probability of the outcomes from a measurement on QL
have changed after measuring QR. This is exactly the concept of entanglement: when two or
more qubits are entangled, they affect each other, and measuring one qubit changes the probability
distribution for the other qubits. This can be seen in terms of conditional probabilities: if, for
M M M
all x, y ∈ {0, 1}, we have Pr(QL = x) = Pr(QL = x|QR = y), then the two qubits are not
M M M
entangled (product state), whereas if Pr(QL = x) 6= Pr(QL = x|QR = y) for some x, y, there is
entanglement.

3.3 The no-cloning principle

Because measurement destroys the quantum state, it is natural to look for a way to create a copy
of a quantum state. If a clone could be created, it would be possible to perform measurements
on the clone, so that the original state would not be destroyed. Furthermore, cloning would
allow us to take several measurements of the same set of qubits without having to repeat the
circuit that creates the quantum state. However, it turns out that cloning is impossible: this is
a direct consequence of the properties of quantum gates.

Proposition 4. Let |ψi be an arbitrary quantum state on n qubits. There does not exist a
unitary matrix that maps |ψi ⊗ |0in to |ψi ⊗ |ψi.

Proof. Suppose there exists such a unitary U . Then for any two quantum states |ψi, |φi on n
qubits, we have:

U (|ψi ⊗ |0in ) = |ψi ⊗ |ψi

U (|φi ⊗ |0in ) = |φi ⊗ |φi.

Using these equalities, we can write:

hφ|ψi = hφ|ψih0|0in == hφ|ψi ⊗ h0|0in = (hφ| ⊗ h0|n )(|ψi ⊗ |0in ) = (hφ| ⊗ h0|n )U ∗ U (|ψi ⊗ |0in )
= (hφ| ⊗ hφ|)(|ψi ⊗ |ψi) = hφ|ψi2 .

But hφ|ψi = hφ|ψi2 is only true if hφ|ψi is equal to 0 or to 1, contradicting the fact that |φi, |ψi
are arbitrary quantum states.

The above proposition shows that we cannot copy a quantum state. This establishes that
we cannot “cheat” the destructive effect of a measurement by simply cloning the state before
the measurement. Hence, whenever we run a circuit that produces an output quantum state,
in general we can only reproduce the output quantum state only by repeating all the steps of
the algorithm.

3.4 Basic operations and universality

Existing quantum computing hardware does not allow the user to specify just any unitary
matrix in the code. Quantum gates have to be constructed out of a set of basic gates. We will
now discuss what these basic gates are, and how they can be combined to form other operations.
The first operations that we discuss are the Pauli gates.

13
Definition 11. The four Pauli gates are the following single-qubit gates:
   
1 0 0 1
I= X=
0 1 1 0
   
0 −i 1 0
Y = Z= .
i 0 0 −1

Proposition 5. The Pauli gates form a basis for C2×2 , they are Hermitian, and they satisfy
the relationship XY Z = iI.
The X, Y, Z gates all correspond to 90◦ rotations, around different axes. The X gate flips a
qubit:
X|0i = |1i X|1i = |0i.
This is the equivalent of a NOT gate in classical computers. At the same time, the Z gate is
also called a phase-flip gate: it leaves |0i unchanged, and maps |1i to −|1i.
Z|0i = |0i Z|1i = −|1i.
A single-qubit gate that is used in many quantum algorithms is the Hadamard gate:
 
1 1 1
H=√ .
2 1 −1
The action of H is as follows:
1 1
H|0i = √ (|0i + |1i) H|1i = √ (|0i − |1i)
2 2
In subsequent sections we will need an algebraic expression for the action of Hadamard gates
on basis states. The effect of H on a single-qubit basis state |xi1 (where x = 0 or 1) can be
summarized as follows:
1
1 1 X
H|xi1 = √ (|0i + (−1)x |1i) = √ (−1)k·x |ki1 .
2 2 k=0

This is consistent with our previous definition. If we apply H ⊗n on an n-qubit basis state |xin ,
we obtain:
1 1
1 Pn−1
(−1) j=0 kj ·(xBn )j+1 |kn−1 i1 ⊗ · · · ⊗ |k0 i1
X X
H ⊗n |xin = √ ···
2n k =0 k =0
n−1 0
n −1
(5)
2X
1
=√ (−1)k•n x |kin ,
2n k=0

where •n is the bitwise dot product, as defined in Section 1.2. When considering multiple
Hadamard gates in parallel, we will also make use of the following relationship, that can be
easily verified using the definition:
1 H ⊗n−1 H ⊗n−1
 
H ⊗n = √ ⊗n−1 −H ⊗n−1 . (6)
2 H
The next proposition shows one of the reasons why the Hadamard gate is frequently employed
in many quantum algorithms.

14
Proposition 6. Given a q-qubit quantum device initially in the state |0iq , applying the Hadamard
to all qubits, equivalent to the matrix H ⊗q , yields the uniform superposition of basis states
gate P
√1 2q −1
2q j=0 |jiq .

Proof. The state |0iq can also be written as |0i⊗q . Therefore we have:
 ⊗q 2q −1
⊗q ⊗q ⊗q 1 1 1 X
H |0i = (H|0i) = √ |0i + √ |1i =√ |jiq .
2 2 2q j=0

Remark 5. The uniform superposition of the 2q basis states on q qubits can be obtained from
the initial state |0iq applying q gates only.

Many quantum algorithms (for example, the algorithms discussed in Sections 4 and 5) start
by setting the state of the quantum device to a uniform superposition, and then apply further
operations which, by linearity, are simultaneously applied to all the possible binary strings.
This is remarkable advantage of quantum computing over classical computing. The multiple
Hadamard can be represented by one of the equivalent circuits given in Figure 9

|0i H √1 (|0i + |1i) |0i √1 (|0i + |1i)

2 2
√1 (|0i + |1i)
|0i H √1 (|0i + |1i) |0i H ⊗3 2
2
|0i √1 (|0i + |1i)
|0i H √1 (|0i + |1i) 2
2

Figure 9: Two representations for multiple Hadamard gates.

In general, since single-qubit gates are unitary matrices, they can be represented by the
following parameterized matrix:
 −i(φ+λ)/2
cos(θ/2) −e−i(φ−λ)/2 sin(θ/2)

e
U (θ, φ, λ) =
ei(φ−λ)/2 sin(θ/2) ei(φ+λ)/2 cos(θ/2)

All single-qubit gates can be obtained by an appropriate choice of parameters θ, φ, λ.

Another fundamental gate is the CNOT gate, also called “controlled NOT”. The CNOT
gate is a two-qubit gate that has a control bit and a target bit, and acts as follows: if the
control bit is |0i, nothing happens, whereas if the control bit is |1i, the target bit is flipped.
The corresponding circuit is given in Figure 10
•

Figure 10: The CNOT, or controlled-NOT, gate.

The matrix description of the gate with control qubit 2 and target qubit 1 is as follows:
 
1 0 0 0
0 1 0 0
CNOT21 =  0 0 0
.
1
0 0 1 0

15
We can easily see that the effect of CNOT is as follows:

CNOT21 |00i = |00i CNOT21 |01i = |01i

CNOT21 |10i = |11i CNOT21 |11i = |10i.

An interesting feature of the CNOT gate is that it can be used to swap two qubits. Considering
that CNOT, as all quantum gates, is a linear map, this may sound surprising. The SWAP can
be constructed as depicted in Figure 11.
• •
•
Figure 11: A circuit that swaps two qubits.

Proposition 7. The circuit above, constructed with three CNOTs, swaps qubits 1 and 2.
Proof. By linearity, it suffices to show that the circuit above maps |00i → |00i, |01i → |10i, |10i →
|01i, and |11i → |11i. We have:

CNOT21 CNOT12 CNOT21 |00i = CNOT21 CNOT12 |00i = CNOT21 |00i = |00i.
CNOT21 CNOT12 CNOT21 |01i = CNOT21 CNOT12 |01i = CNOT21 |11i = |10i.
CNOT21 CNOT12 CNOT21 |10i = CNOT21 CNOT12 |11i = CNOT21 |01i = |01i.
CNOT21 CNOT12 CNOT21 |11i = CNOT21 CNOT12 |10i = CNOT21 |10i = |11i.

Therefore, the SWAP circuit maps:

α00 |00i + α01 |01i + α10 |10i + α11 |11i → α00 |00i + α01 |10i + α10 |01i + α11 |11i.

The SWAP circuit is particularly important for practical reasons: in the current generation
of quantum computing hardware, qubits can typically only interact with a small set of the other
qubits (e.g., their neighbors on a chip). By “interaction” between a pair of qubits we mean that
we can apply a two-qubit gate on the pair. Thanks to the SWAP, as long as the connectivity
graph of the qubits on the device is a connected graph, any two qubits can interact with each
other: if the qubits are not directly connected (e.g., physically located next to each other on the
chip), we just need to SWAP one of them as many times as is necessary to bring it to a location
that is directly connected to the other. This way, we can assume that each qubit can interact
with all other qubits from a theoretical point of view, even if from a practical perspective this
may require extra SWAP gates.
The types of gates that we presented here can be shown to be sufficient to construct any
unitary matrix with arbitrary precision.
Definition 12. An ordered set of gates S that yields the unitary matrix A is an -approximation
of a unitary matrix U if supψ:kψk=1 k(U −A)ψk < . A set of gates that yields an -approximation
of any unitary matrix on any given number of qubits is called a universal set of gates.
Theorem 1. (Solovay-Kitaev [Kitaev, 1997, Nielsen and Chuang, 2002]) Let U ∈ C2×2 be an
arbitrary unitary matrix. Then there exists a constant c such that there exists a sequence S
of gates of length O(logc 1 ) that is an -approximation of U and consists only of H, Rπ/4 =
 
1 0
π and CNOT gates.
0 ei 4

16
 The theorem implies that just two single-qubit gates together with CNOT allow us to build
any single-qubit gate with arbitrary precision. [Dawson and Nielsen, 2005] gives a proof with
c ≈ 3.98. More recent work gives improved algorithm with smaller c, in fact even c = 1 (but
different constants), see [Selinger, 2012, Kliuchnikov et al., 2016]. To go from single-qubit gates
to general q-qubit gates, one needs at most O(4q ) gates (since each gate on q qubits has 2q × 2q
elements), and the decomposition can be done in terms of single-qubit gates and CNOTs. In
other words, the set of gates consisting of single-qubit gates and CNOT is universal, and in fact
even a restricted set of single-qubit gates (the two gates indicated in Theorem 1) is universal.
This shows that with a very small set of basic gates, we can construct any unitary matrix in
any dimension, although this may require many operations. Once again, this is important for
practical reasons: the current generation of quantum hardware only allows (natively) single-
qubit gates and CNOT gates, but all other gates can be constructed from these.
We conclude our discussion on basic operations with a quantum circuit for the logic AND
gate. We already know that the X gate performs the logical NOT: having access to the AND
guarantees that we can construct any Boolean circuit (since we stated already in Section 3 that
quantum computers are Turing-complete, being able to perform Boolean logic is of course a
requirement). The quantum version of the AND gate is the CCNOT (doubly-controlled NOT)
gate, that acts on three qubits: it has two control qubits, and swaps the third qubit if and only
if both control qubits are |1i. The gate is depicted in Figure 12. The action of CCNOT can be
•
•

Figure 12: The CCNOT, or doubly-controlled-NOT, gate.

described as: |xi1 ⊗ |yi1 ⊗ |zi1 → |xi1 ⊗ |yi1 ⊗ |z ⊕ (x · y)i1 , where x, y, z ∈ {0, 1}. Notice that
if z = 0, CCNOT computes the logical AND between x and y. Of course, following our earlier
discussion, CCNOT can be constructed from single-qubit and CNOT gates. This is shown in
1+i 1−i

Figure 13, where V = 2
1−i
2
1+i has the property that V 2 = X. It is a simple exercise to
2 2
verify, using linearity, that the circuit in Figure 13 is equivalent to CCNOT.
• • •

• •

V V∗ V

Figure 13: Decomposition of CCNOT in terms of single-qubit and CNOT gates.

3.5 Can we solve NP-hard problems?

It is important to remark that even if we can easily create a uniform superposition of all basis
states, the rules of measurement imply that using just this easily-obtained superposition does not
allow us satisfactorily solve NP-complete problems such as, for example, SAT (the satisfiability
problem). Indeed, suppose we have a quantum circuit Uf that encodes a SAT formula on n
boolean variables; in other words, a unitary Uf : |jin ⊗ |0i1 → |jin ⊗ |f (j)i1 , where f (j) is 1 if
the binary string jBn satisfies the formula, and 0 if not. We might P2be tempted to apply H ⊗n
q −1
1
to the initial state |0in to create the uniform superposition √2q j=0 |jiq , apply Uf to this

17
superposition (which evaluates the truth assignment of all possible binary strings), and then
perform a measurement on all qubits. But measuring the state:
 
q −1
2X 2q −1
1 1 X
Uf √
 |jiq ⊗ |0i1 = √
 |jiq ⊗ |f (j)i1
2q j=0 2q j=0

will return a binary string that satisfies the formula if and only if the last qubit has value 1 after
the measurement, and this happens with a probability that depends on the number of binary
assignments that satisfy the formula. If, for example, the SAT problem at hand is solved by
exactly ρ assignment out of 2n possible assignment, then the probability of finding the solution
after one measurement is 2ρn , and we have done nothing better than randomly sampling a
binary string. Clearly, this is not a good algorithm for SAT. In fact, in general solving NP-hard
problems in polynomial time with quantum computers is not believed to be possible: nobody
has shown P = NP yet. However, we will see in the next sections two examples of quantum
algorithms that are faster than any known classical algorithm. The basic principle employed by
these algorithms is to start with a uniform superposition of basis states, then apply operations
that make the basis states interact with each other so that the modulus of the coefficients for
some (desirable) basis states increase, which implies that the other coefficients decrease. Of
course, how to do that in order to solve a specific problem is exactly where the crux of the
matter lies.

4 A simple period finding problem: Simon’s algorithm

In this section we describe a quantum algorithm that gives an expected exponential speedup
with respect to classical algorithms. Admittedly, the problem that this algorithm solves is
not very useful, but the ideas shown here give us a flavor of what quantum computation can
do. In fact, this algorithm was an inspiration for the well-known and groundbreaking work
of Shor on integer factorization [Shor, 1997]: a large part of Shor’s algorithm relies on the
solution of a period finding problem, and Simon’s algorithm solves a simplified problem of the
same flavor. Shor’s algorithm is, however, much more involved than Simon’s algorithm, and
a full treatment requires several number-theoretical results that are beyond the scope of this
introductory material. Thus, we will focus on Simon’s algorithm, but at the end of this paper
the reader should be capable of undertaking the study of Shor’s algorithm by himself or herself.
For Simon’s algorithm, we are told that there exists a function f : {0, . . . , 2n − 1} →
{0, . . . , 2n − 1} with the property that f (x) = f (z) if and only if x = z ⊕n a, for some unknown
a ∈ {0, . . . , 2n − 1}. We do not know anything else about the function, and the goal is to find
a only by querying the function.
Remark 6. For both Simon’s algorithm and Grover’s algorithm, the complexity of an algorithm
is determined only in terms of the number of calls to the function f . Considerations on what
the function f actually implements, and how many operations are performed inside of f , are
not part of our analysis. Our goal is to find a in the smallest possible number of calls to f .
Notice that if a = 0 then the function is one-to-one, whereas if a 6= 0 the function is two-to-
one, because for every x, there is exactly another number in domain for which the function has
the same value. The function f is assumed to be given as a quantum circuit on q = 2n qubits,
depicted in Figure 14
This particular form of the function, that maps |xin ⊗|yin to |xin ⊗|y ⊕n f (x)in , is typical of the
quantum world. Notice that if y = 0, then |y ⊕n f (x)in = |f (x)in so the circuit computes the

18
 |xin /n /n |xin
Uf
|yin /n /n |y ⊕n f (x)in
Figure 14: The circuit implementing Uf for Simon’s problem.

desired function. Furthermore, this is a reversible function, because applying the same circuit
Uf goes back to the initial state:

Uf Uf (|xin ⊗ |yin ) = Uf (|xin ⊗ |y ⊕n f (x)in ) = |xin ⊗ |y ⊕n f (x) ⊕n f (x)in = |xin ⊗ |yin .

4.1 Classical algorithm

Because we do not know anything about the number a, the best we can do is to feed inputs to
the function, and try to extract information from the output. The number a is determined once
we find two distinct inputs x, z such that f (x) = f (z), because then x = z ⊕n a which implies
x ⊕n z = a.
Suppose we have evaluated m distinct input values and we did not find a match. Then
a 6= x ⊕n z for all x, z previously evaluated, therefore we have eliminated at most m(m − 1)/2
values of a. (Fewer values may have been eliminated if we test inputs for which x ⊕n y ⊕ z for
any three input values x, y, z already tested. In fact, if we test w such that w = x ⊕n y ⊕ z,
we have that w ⊕n z = x ⊕n y, therefore the value w ⊕n z had already been eliminated from
the list of possible valus of a.) Since m(m − 1)/2 is small compared to 2n , the probability of
success m(m−1)
2n+1
is very small until we have evaluated a number of inputs that is in the order of
2n . In particular, to guarantee a probability of success of at least ρ, we need m(m−1) ≥ ρ2n ,
√ n 2n+1
which implies that m ∈ O( ρ2 ). Hence, √ for any positive constant ρ, the number of required
iterations is exponential. After evaluating 2n+1 + 1 ∈ O(2n/2 ) distinct input values satisfying
the condition outlined above for non-matching triplets, we are guaranteed that a matching pair
has been found, or we can safely determine that a = 0.

4.2 Simon’s algorithm: quantum computation

Using a quantum computer, we can determine a much faster. The idea, first described in
[Simon, 1997], is to apply the circuit in Figure 15.

|0in /n H ⊗n /n /n H ⊗n /n M
Uf
|0in /n /n
Figure 15: Quantum circuit used in Simon’s algorithm.

From an algebraic point of view, this corresponds to the following operation:

(H ⊗n ⊗ I ⊗n )Uf (H ⊗n ⊗ I ⊗n )(|0in ⊗ |0in ).

We now analyze the output of the quantum circuit, by looking at the quantum states at inter-
mediate steps of the circuit. Let |ψi be the state just before the Uf gate, |φi the state just after
Uf , and |χi the final state. In other words:

|ψi = (H ⊗n ⊗ I ⊗n )(|0in ⊗ |0in )

|φi = Uf (H ⊗n ⊗ I ⊗n )(|0in ⊗ |0in )
|χi = (H ⊗n ⊗ I ⊗n )Uf (H ⊗n ⊗ I ⊗n )(|0in ⊗ |0in ).

19
For |ψi, we know that H ⊗n creates a uniform superposition of |jin , j = 0, . . . , 2n − 1 over the
first n quantum bits. Therefore we can write:
n
2 −1
⊗n ⊗n 1 X
|ψi = (H ⊗I )(|0in ⊗ |0in ) = √ |jin ⊗ |0in .
2n j=0
By linearity, applying Uf to this state yields:
2 −1n 2 −1 n
1 X 1 X
|φi = Uf |ψi = √ |jin ⊗ |0 ⊕ f (j)in = √ |jin ⊗ |f (j)in .
2n j=0 2n j=0
We now need to analyze the effect of applying further Hadamard gates on the top lines of the
circuit. Using (5), the next step in the circuit is given by:
n
2 −1
⊗n ⊗n 1 X
|χi = (H ⊗I )√ |jin ⊗ |f (j)in =
2n j=0
n
2 −1 2 −1 n
1 X X
= n (−1)k•n j |kin ⊗ |f (j)in . (7)
2
j=0 k=0

When we make a measurement on the top n qubit lines of |χi, we obtain one of the states |kin
with probability equal to the the sum of the square of the coefficient of the states |kin ⊗|f (j)i, for
all j. It is easier to analyze the case a 6= 0 first: we will deal with the case a = 0 laterin Section
4.3. Assuming a 6= 0, |kin ⊗ |f (j)in = |kin ⊗ |f (j ⊕n a)in . Define the equivalence relationship
∼ as x ∼ y if and only if x = y ⊕n a, and let R be the quotient set {0, . . . , 2n − 1}/ ∼. In
other words, R contains exactly half of the integers from 0 to 2n − 1, and in particular for each
j ∈ {0, . . . , 2n − 1} it contains exactly one among j and j ⊕n a (it does not matter which one
it contains). Then, for each k, the basis state |kin appears in the top qubit lines exactly in the
2n−1 states |kin ⊗ |jin for j ∈ R. For each j ∈ R, the coefficient of the basis state |kin ⊗ |jin is
exactly the sum of the coefficients in (7) for |kin ⊗ |jin and |kin ⊗ |j ⊕n ain , that is:
(−1)k•n j + (−1)k•n (j⊕a) (−1)k•n j + (−1)k•n j (−1)k•n a
=
2n 2n
k• j 1 + (−1)k•n a


(−1) n
= .
2n
Therefore the probability of obtaining the binary string kBn after measuring the top qubit lines
is:

!2
!2 ( 1
X (−1)k•n j 1 + (−1)k•n a 1 (−1)k•n j 1 + (−1)k•n a n−1 if k •n a ≡ 0 mod 2
n
= n−1 n
= 2
2 2 2 0 if k •n a ≡ 1 mod 2,
j∈R
n
where the multiplication factor 2n−1 comes from the fact that |R| = 22 . Thus, the only binary
strings that have positive probability to be measured are those strings kBn for which k •n a ≡ 0
mod 2. Notice that unless k = 0, then there is a nonempty set of bits for which the modulo
2 sum of a must vanish. In this case, unless we are unlucky and we obtain the vector k = 0
or some other unlucky cases that will be specified later, we can express one of such bits as a
modulo 2 sum of the others, and we eliminate half of the possible values for a.
Our discussion shows that with a single quantum computation, in the case a 6= 0 with high
probability we learn very valuable information about a, and we can approximately halve the
search space for a. It now remains to fully specify in a more precise manner how this information
can be used, and how to deal with the case a = 0.

20
4.3 Simon’s algorithm: description and analysis
The quantum algorithm described in the previous section yields information on a, but it does
not output a directly. To recover a, further calculations have to be performed. This is a typical
situation in quantum algorithms: a quantum computation measures some properties of the
desired answer; then, classical computations are used to analyze these properties and obtain
the desired answer. Thus, even if the quantum algorithm does not explicitly output the desired
answer, it allows us to get closer to our goal.
In the specific case of the problem discussed here, the quantum computation allows us to
learn k such that k •n a ≡ 0 mod 2. We embed this equation into an algorithm as follows: we
initialize E ← ∅; then, while the system of equations E does not have a unique solution, we
apply the circuit described in the previous section to obtain k, and add the equation k •n a ≡ 0
mod 2 to E. We can have two possible situations: either the system has a unique solution
a 6= 0, or the only possible solution is a = 0. The former case requires n linearly independent
vectors kBn , where independence is intended modulo 2, whereas the latter may occur with even
less than n linear equations.
Because at every iteration we obtain a random k for which k •n a ≡ 0 mod 2, our discussion
above indicates that we have to obtain (at most) n linearly independent vectors kBn to ensure
that the system has a unique solution. In continuous space, uniform random sampling of vectors
yields linearly independent vectors with probability 1. In this case we are considering linear
independence among vectors that have coefficients 0 or 1, and independence is in terms of the
modulo 2 sum, so the argument is less clear; however, it is possible to show that the probability
of obtaining n such linearly independent vectors after sampling n + t times is bounded below
by 1 − 21t [Mermin, 2007, Apx. G]. This lower bound does not depend on n. Hence, with
overwhelming probability after slightly more than n executions of the quantum circuit, and
therefore O(n) queries to the function f , we determine the solution to the problem with a
classical computation that can be performed in polynomial time (i.e., O(n2 ) to determine a
solution to the system of linear equations modulo 2). We remark that once the unique a is
determined, we can easily verify that it is the solution by querying the function, and this
approach works in a finite number of steps for any value of a including a = 0 (if at any iteration
we determine that the only possible solution for the system of equations is a = 0, we can
terminate and return that solution). Compare the O(n) queries of this approach with the
O(2n/2 ) queries that are required by a classical algorithm, and we have shown an exponential
speedup.
This algorithm shows a typical feature of quantum algorithms: there is a classical compu-
tation to verify that the correct solution to the problem has been found – in this case, the
verification is carried out by checking whether the system of equations has a unique solution.
Indeed, quantum algorithms are probabilistic algorithm, and we can only try to increase the
probability that the correct answer is returned. For this reason, we need a way to determinis-
tically (i.e., classically) verify correctness. In other words, the quantum algorithm is applied to
a problem for which it is difficult to compute the solution, but once the solution is obtained, it
is easy to verify that it is correct.

5 Black-box search: Grover’s algorithm

Simon’s algorithm gives an exponential speedup with respect to a classical algorithm, but it
solves a very narrow problem that does not have practical applications. We now describe an
algorithm that gives only a polynomial – more specifically, quadratic – speedup with respect to

21
classical, but it applies to a very large class of problems. The algorithm is known as Grover’s
search [Grover, 1996].
The problem solved by the algorithm can be described as black-box search: we are given
a circuit that computes an unknown function on binary variables, and we want to determine
for which value(s) of the input the function gives output 1. In other words, we are trying to
determine the unique binary string that satisfies a property encoded by a circuit. The original
paper [Grover, 1996] describes this as looking for a certain element in a database. Such an
algorithm can be applied whenever we are searching for a specific element in a set, and we do
not have enough information to do anything smarter than a brute force search, i.e., testing all
elements in the set.
As mentioned earlier, the basic idea of the algorithm is to start with the uniform superpo-
sition of all basis states, and iteratively increase the coefficients of basis states that correspond
to binary strings for which the unknown function gives output 1.
We need some definitions. Let f : {0, . . . , 2n − 1} → {0, 1}, and assume that there exists
a unique ` ∈ {0, . . . , 2n − 1} : f (`) = 1, i.e., there is a unique element in the domain of the
function that yields output 1. We want to determine `.
Remark 7. Grover’s search can also be applied to the case in which there are multiple input
values that yield output 1, and we want to retrieve any of them; however, the analysis in that
case is slightly more convoluted, and is not pursued here in detail. By the end of our analysis,
the reader will have all the necessary tools to study this extension.

5.1 Classical algorithm

Given the problem definition, classical search cannot do better than O(2n ) operations. Indeed,
any deterministic classical algorithm may need to explore all 2n possible input values before
finding `: given any deterministic classical algorithm, there exists a permutation π of {0, . . . , 2n −
1} that represents the longest execution path (i.e., sequence of values at which f is queried) of
such algorithm. Then, if ` = π(2n − 1) the algorithm will require O(2n ) queries to determine
the answer, which is clearly the worst case.
At the same time, a randomized algorithm requires O(2n ) function calls to have at least
a constant positive probability to determine `, and the expected number of function calls to
determine the answer is 2n−1 , i.e., the expected number of flips of a biased coin with probability
of heads equal to 2−n until we obtain the first heads.

5.2 Grover’s search: algorithm description

The quantum search algorithm proposed in [Grover, 1996] requires q = n + 1 qubits. The
function f is encoded by a unitary Uf : |jin ⊗ |yi1 → |jin ⊗ |y ⊕ f (j)i1 .
The outline of the algorithm is as follows. The algorithm starts with the uniform superpo-
sition of all basis states on n qubits. The last qubit (n + 1) is used as an auxiliary qubit, and
it is initialized to H|1i. We obtain the quantum state |ψi. Then, these operations are repeated
several times:
(i) Flip the sign of the vectors for which Uf gives output 1.
(ii) Invert all the coefficients of the quantum state around the average coefficient.
A full cycle of the two operations above increases the coefficients of |`in ⊗ (|0i − |1i), and after
a certain number of cycles (to be specified later), the coefficient of the state |`in ⊗ (|0i − |1i) is
large enough that it can be obtained from a measurement with probability close to 1.

22
 (a) Initialization. (b) Sign flip.

2A 2A

A A

(c) Computation of the average. (d) Inversion about the average.

Figure 16: Sketch of Grover’s algorithm. The bars represent the coefficients of the basis states.

A sketch of the ideas for the algorithm is depicted in Figure 16: we have eight basis states,
and suppose the fourth basis state is the target basis state |`i. The representation is purely
meant to convey intuition, and does not geometrically represent the vectors encoding the quan-
tum state, but solely the amplitude of the coefficients. In Figure 16a, all basis states have the
same coefficient. In Figure 16b, the coefficient of the target basis state has its sign flipped. In
Figure 16c, we can see that the average value of the coefficients is slightly below the coefficient
for the undesired states. Taking twice the average and subtracting each coefficient now yields
the red bars in Figure 16d, where the target basis state |`i has a coefficient with much larger
value than the rest, and will therefore be measured with higher probability.
We now describe the steps above more in detail.

5.2.1 Initialization
The algorithm is initialized applying H ⊗(n+1) (I ⊗n ⊗ X)|0in+1 . We have:

(I ⊗n ⊗ X)|0in+1 = |0in ⊗ |1i

n −1
2X 2X n
−1
⊗(n+1) ⊗n 1
H (I ⊗ X)|0in+1 = √ |jin ⊗ (|0i − |1i) = αj |jin ⊗ (|0i − |1i) = |ψi.
j=0
2n j=0

23
Note that the initial coefficients are real numbers. Since the steps below will map real numbers
to real numbers, we only need to consider real numbers through the course of the algorithm.

5.2.2 Sign flip: step (i)

To flip the sign of the target state |`in ⊗ (|0i − |1i), we apply Uf to |ψi. We now show why this
flips the sign of |`in ⊗ |0i.
 
n −1
2X
Uf |ψi = Uf  αj |jin ⊗ (|0i − |1i)
j=0
n −1
2X
= α` |`in ⊗ (|1i − |0i) + αj |jin ⊗ (|0i − |1i)
j=1
j6=`
 
n −1
2X
 
−α` |`in +
= αj |jin 
 ⊗ (|0i − |1i).
j=1
j6=`

As the expression above suggests, we can always think of the last qubit as being in the unen-
tangled state (|0i − |1i), with the sign flip affecting only the first n qubits. Therefore, the state
that we obtain by applying Uf to |ψi is the same as |ψi except that the sign of the basis states
|`in ⊗ |0i and |`in ⊗ |1i has been flipped.

5.2.3 Inversion about the average: step (ii)

To perform the inversion about the average, we want to perform the following operation:
n −1
2X n −1
2X n −1
2X
! !
αk
αj |jin → 2 − αj |jin ,
2n
j=0 j=0 k=0

P n −1 αk
where 2k=0 2n is the average, and therefore we are taking twice the average and subtracting
each coefficient from it. This is realized by the following matrix:
2 2 2
 2 2 2

2n − 1 2n ... 2n 2n 2n . . . 2n
 2n 2 2   2n 2n . . . 2n 
 2 2n − 1 . . . 2n  2 2 2  ⊗n
T = . .. ..  =  .. .. ..  − I ,
 .. . .   . . . 
2 2 2 2 2 2
2n 2n ... 2n −1 2n 2n ... 2n

where the equal elements 21n over each row compute the average coefficient, the numerator 2
of the fraction takes twice the average, and finally we subtract the identity to subtract each
individual coefficient from twice the average. From the definition of the Hadamard in (5), we
can see that (H ⊗n )jk = √12n (−1)j•n k . But now if we let:
 
2 0 ... 0
0 0 . . . 0 n n
R = . ∈ R2 ×2 ,
 
. .
 .. . . .. 


0 0 ... 0

24
then we can write (H ⊗n RH ⊗n )jk = (H ⊗n )j0 R00 (H ⊗n )0k = 2
2n , because Rjk = 0 for j 6= 0, k 6=
0. Therefore, using the fact that H ⊗n H ⊗n = I ⊗n , we have:
T = H ⊗n RH ⊗n − I ⊗n = H ⊗n (R − I ⊗n )H ⊗n = −H ⊗n (I ⊗n − R)H ⊗n
= −H ⊗n diag(−1, 1, . . . , 1)H ⊗n := −H ⊗n DH ⊗n . (8)
| {z }
2n

The expression (8) also shows that T is a unitary, because H ⊗n is unitary (tensor product
of unitary matrices) and D is diagonal with ones on the diagonal. We must find a way to
construct the matrix D := diag(−1, 1, . . . , 1). This will be discussed in the next section. For
now, we summarize our analysis of the inversion about the average by concluding that it can
be performed applying T = −H ⊗n DH ⊗n to the n qubits of interest (i.e., all qubits except the
auxiliary qubit that we used for the sign flip of step (i)).

5.2.4 Constructing the matrix D

We give a sketch of the idea of how to construct D = diag(−1, 1, . . . , 1). Notice that the effect
of this quantum operation is to flip the sign of the coefficient of the basis state |0in , and leave
each other coefficient untouched.
Instead of flipping the sign of |0in , let us start by seeing how to flip the sign of |1in while
leaving all other coefficients untouched. Let Cn−1 Z be the gate that applies Z to qubit 1 if
qubits 2, . . . , n are 1, and does nothing otherwise. This is a generalization of the CNOT gate,
and it is called “controlled Z”. Cn−1 Z in the case of two qubits (n = 2) is given by the following
matrix:  
1 0 0 0
0 1 0 0 
CZ =  0 0 1 0  .


0 0 0 −1
Notice that in the 2-qubit case, the two circuits depicted in Figure 17 are equivalent.
• •
Z H H
Figure 17: Controlled-Z gate on two qubits: two possible representations.

Carrying out the matrix multiplications will confirm that the circuit on the right in Figure 17
implements exactly the CZ matrix as defined above. Thus, the controlled Z gate can be easily
realized with available gates.
If we have access to the Cn−1 Z gate, we can write:
D = X ⊗n (Cn−1 Z)X ⊗n ,
because this operations flips the sign of the coefficient of a basis state if and only if if all qubits
have value 0 in the basis state. In circuit form, it can be written as depicted in Figure 18.
Of course, one has to construct the operation Cn−1 Z. There are several ways to do so. One
way, suggested by [Barenco et al., 1995], is a recursive scheme that we show in Figure 19 for
n = 5 qubits, but that clearly can be generalized to arbitary qubits. √
The
√ √idea here is to exploit the fact that Z has a n−1 square root, i.e., a matrix Z such that
Z Z = Z. Notice how the scheme decomposes C Z into two copies of Cn−2 Z plus a con-
stant number of gates. This yields a decomposition with O(n2 ) gates, see [Barenco et al., 1995]
for details. To conclude, the construction of D, and therefore of the whole circuit implementing
step (ii) of Grover’s search, can be performed in O(n2 ) gates.

25
 X • X
X • X
X • X
.. ..
. .
X Z X
Figure 18: Quantum circuit implementing the S operation described for Grover’s algorithm.
• • •
• • •
• • •
• •
√ √ ∗ √
Z Z Z

Figure 19: Decomposition of Cn−1 Z.

5.3 Determining the number of iterations

Let Q be the matrix that applies a single iteration of Grover’s search, consisting of steps (i) and
(ii) above. It is paramount to determine how many iterations should be performed, so that the
coefficient of the desired basis state |`i ⊗ (|0i − |1i) is as large as possible, and the state can be
measured. This is what we attempt to do in this section.
Since the last, auxiliary qubit is always in state |0i − |1i and is unentangled, we can ignore
it. Let  
n
−1
2X 1 
|ψD i = |`in , |ψU i = 
 √ n |jin 
j=1
2 −1 
j6=`

be the desirable and undesirable quantum states, respectively. At iteration k of the algorithm
q let
n
us denote the quantum state by |ψk i = dk |ψD i + uk |ψU i. Initially, d0 = √12n and u0 = 2 2−1 n ,

√ to obtain u0 from the value of an individual coefficient in |ψU i we have

where notice that
multiplied by 2n − 1 for normalization.
At step (i), the algorithm flips dk |ψD i+uk |ψU i → −dk |ψD i+uk |ψU i. There is only one state
with coefficient dk , and there are 2n − 1 states with coefficient uk , so the value of the coefficient
for these states is, respectively, dk and √2unk−1 . Their average at iteration k is therefore:

(2n − 1) √2n1 −1 uk − dk √
2n − 1uk − dk
Ak = = .
2n 2n
At step (ii), the algorithm maps αh → 2Ak − αh for each coefficient αh . Therefore:
−α` → 2Ak + α`
αh → 2Ak − αh ∀h 6= `,
√
and to obtain uk from αh we need to multiply by 2n − 1, so the mapping of step (ii) can be
written, overall, as:
√
−dk |ψD i + uk |ψU i → (2Ak + dk )|ψD i + (2Ak 2n − 1 − uk )|ψU i = dk+1 |ψD i + uk+1 |ψU i,

26
where we defined:
dk+1 = 2Ak + dk
√
uk+1 = 2Ak 2n − 1 − uk .
Performing the substitution of Ak , we obtain:
√ n √
2 2n − 1
 
2 − 1uk − dk 1
dk+1 = 2 + dk = 1 − n−1 dk + uk
2n 2 2n
√ n √
2 − 1uk − dk √ n 2 2n − 1
 
1
uk+1 = 2 2 − 1 − uk = − dk + 1 − n−1 uk .
2n 2n 2
 
dk
This transformation is exactly a clockwise rotation of the vector by a certain angle θ,
uk
because it has the form   
cos θ sin θ uk
− sin θ cos θ dk
and it satisfies the relationship sin2 θ + cos2 θ = 1. and in our case we have:
√
2 2n − 1
sin θ = . (9)
2n
Notice that because this value of the sine is very small (for large n), then we can use the
approximation sin x ≈ x (when x is close to 0) to write:
√
2 2n − 1
θ= . (10)
2n
Overall, the above analysis shows that each iteration performs a rotation by an angle θ of
the vectors |ψD i and |ψU i. So after k iterations we obtain the following coefficients:
dk = cos kθd0 + sin kθu0
uk = − sin kθd0 + cos kθu0 .
In order to maximize the probability of obtaining |ψD i after a measurement, remember that
|u0 |  |d0 |, so the best choice is to pick kθ = π2 which yields the largest value of |dk |. Using
(10), the optimal number of iterations of Grover’s search algorithm is:
2n π π√ n
k≈ √ n ≈ 2 .
4 2 −1 4
After these many iterations, we have a probability close to 1 of measuring |ψD i and obtaining
the sought state |`i. Comparing this with a classical algorithm, that requires O(2n ) iterations,
we obtained a quadratic speedup.
Remark 8. If we perform more iterations of Grover’s algorithm than the optimal number, the
probability of measuring the desired state actually goes down, and reduces our chances of success.
Therefore, it is important to choose the right number of iterations.
Of course, the approximation for θ given in (10) is only valid for large n: for smaller n, it
is better to compute the optimal number of iterations deriving θ from (9). We conclude this
section by noticing that in case there are multiple input values on which f has value 1, we
should amend the above analysis adjusting the values for d0 and u0 , but the main steps remain
the same.

27
References
[Barenco et al., 1995] Barenco, A., Bennett, C. H., Cleve, R., DiVincenzo, D. P., Margolus, N.,
Shor, P., Sleator, T., Smolin, J. A., and Weinfurter, H. (1995). Elementary gates for quantum
computation. Physical review A, 52(5):3457.

[Bennett, 1973] Bennett, C. H. (1973). Logical reversibility of computation. IBM journal of

Research and Development, 17(6):525–532.

[Dawson and Nielsen, 2005] Dawson, C. M. and Nielsen, M. A. (2005). The Solovay-Kitaev
algorithm. Technical Report quant-ph/0505030, arXiv.

[Deutsch, 1985] Deutsch, D. (1985). Quantum theory, the Church-Turing principle and the
universal quantum computer. In Proceedings of the Royal Society of London A: Mathematical,
Physical and Engineering Sciences, volume 400, pages 97–117. The Royal Society.

[Grover, 1996] Grover, L. K. (1996). A fast quantum mechanical algorithm for database search.
In Proceedings of the twenty-eighth annual ACM Symposium on Theory of Computing, pages
212–219. ACM.

[Kitaev, 1997] Kitaev, A. Y. (1997). Quantum computations: algorithms and error correction.
Russian Mathematical Surveys, 52(6):1191–1249.

[Kliuchnikov et al., 2016] Kliuchnikov, V., Maslov, D., and Mosca, M. (2016). Practical ap-
proximation of single-qubit unitaries by single-qubit quantum clifford and t circuits. IEEE
Transactions on Computers, 65(1):161–172.

[Mermin, 2007] Mermin, N. D. (2007). Quantum computer science: an introduction. Cambridge

University Press.

[Nielsen and Chuang, 2002] Nielsen, M. A. and Chuang, I. (2002). Quantum computation and
quantum information. Cambridge University Press, Cambridge.

[Rieffel and Polak, 2000] Rieffel, E. and Polak, W. (2000). An introduction to quantum com-
puting for non-physicists. ACM Computing surveys, 32(3):300–335.

[Rieffel and Polak, 2011] Rieffel, E. G. and Polak, W. H. (2011). Quantum computing: A gentle
introduction. MIT Press.

[Selinger, 2012] Selinger, P. (2012). Efficient Clifford+T approximation of single-qubit opera-

tors. arXiv preprint arXiv:1212.6253.

[Shor, 1997] Shor, P. W. (1997). Polynomial-time algorithms for prime factorization and dis-
crete logarithms on a quantum computer. SIAM J. Comput., 26(5):1484–1509.

[Simon, 1997] Simon, D. R. (1997). On the power of quantum computation. SIAM journal on
computing, 26(5):1474–1483.

28