Shor’s Algorithm

Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini

May 15, 2015
 Integer factorization

. n = p · q (where p, q are prime numbers) is a cryptographic one-way

function
. Classical algorithm with best asymptotic behavior:
 h General Numberi Field
1 2
Sieve with superpolynomial scaling: O exp c (ln n) 3 (ln ln n) 3
. Basis for commercially important cryptography
 Shor’s algorithm

. Factorization algorithm with polynomial complexity

. Runs only partially on quantum computer
with complexity
O (log n)2(log log n)(log log log n)
. Pre- and post-processing on a classical computer
. Makes use of reduction of factorization problem to order-finding problem
. Achieves polynomial time with efficiency of Quantum Fourier Transform
Talk outline

1. Classical computer part

Sketch of various subroutines
Reduction to period-finding problem
Full classical algorithm
2. Period-finding on quantum computer
Quantum Fourier Transform
Period-finding algorithm
3. Example: Factoring 21
4. Summary
 Sketch of various subroutines

. greatest common
( divisor: e.g. Euclidean algorithm
b if a mod b = 0
gcd(a, b) =
gcd(b, a mod b) else
with a > b, quadratic in number of digits of a, b.
reminder: gcd(a, b) = 1 → a, b coprime
. Test of primality: e.g. Agrawal-Kayal-Saxena 2002, polynomial
. Prime power test: determine if n = pα , e.g. Bernstein 1997 in O(log n)
. continued fraction expansion: required to approximate a rational number
by an integer fraction, e.g. Hardy and Wright 1979, polynomial
 Reduction to period-finding problem, Miller 1976

. Find factor of odd n provided some method to calculate the order r of xa mod n,
a ∈ N:

1. Choose a random x < n.

2. Find order r (somehow) in xr ≡ 1 mod n.
r
3. Compute p, q = gcd(x 2 ± 1, n) if r even.
r r
. Since (x 2 − 1)(x 2 + 1) = xr − 1 ≡ 0 mod n.
r
. Fails if r odd or x 2 ≡ −1 mod n.
. Yields a factor with p = 1 − 2−k+1 where k is the number of distinct odd prime
factors of n.
Shor’s algorithm

1. Determine if n is even, prime or a prime power. If so, exit.

2. Pick a random integer x < n and calculate gcd(x, n). If this is not 1, then we
have obtained a factor of n.
3. Quantum algorithm
Pick q as the smallest power of 2 with n2 ≤ q < 2n2 .
Find period r of xa mod n.
c d
Measurement gives us a variable c which has the property q ≈ r where d ∈ N.
4. Determine d, r via continued fraction expansion algorithm.
d, r only determined if gcd(d, r) = 1 (reduced fraction).
r
5. If r is odd, go back to 2. If x 2 ≡ −1 mod n go back to 2.
r
Otherwise the factors p, q = gcd(x 2 ± 1, n).
 Quantum Fourier Transform (QFT)

. Define the QFT with respect to an ONB {|xi} = {|0i , ..., |q − 1i}
q−1   q−1
1 X 2πi 1 X x·y
QF T : |xi 7→ √ exp x · y |yi = √ ω |yi
q y=0 q q y=0
P
. Apply QFT to a general state |ψi = x αx |xi:
q−1
1 X
QF T (|ψi) = √ βy |yi ,
q y=0
where the βy ’s are the discrete Fourier transform of the amplitudes αx .
. The QFT is unitary, i.e.
QF T † QF T |xi = |xi
 Quantum Fourier Transform (QFT)

. Implement QFT on n qubits

. With the matrix  

1 0 0 0
 0 1 0 0 
R=
 0

0 1 0 
0 0 0 e2πi/N
 Period Finding Algorithm

. Given a periodic function f : {0, ..., q − 1} → {0, ..., q − 1}, where q = 2l , the periodicity conditions
are
f (a) = f (a + r) r 6= 0
f (a) 6= f (a + s) ∀s < r.

. Initialize the q.c. with the state |ΦI i = |0i⊗2l

. Then apply Hadamard gates on the first l qubits and the identity to the others:
 ⊗l q−1
⊗2l 1 ⊗l 1 X
⊗l ⊗l
|Φ0 i = H ⊗ 1 |0i = √ (|0i + |1i) ⊗ |0i = √ |ai |0i⊗l
2 q a=0

. Apply the unitary that implements the function f (here it is f = xa mod n)

q−1
1 X
|Φ1 i = Uf |Φ0 i = √ |ai |f (a)i
q a=0
 Period Finding Algorithm

. Imagine one performs a measurement on f (a), then the post measurement state of
the first l qubits is
r X
r
|Φ1 iz = |ai .
q
a:f (a)=z

. Remember that f is periodic and choose a0 = min {a|f (a) = z}. Now one can
rewrite
r q/r−1
r X
|Φ1 iz = |a0 + t · ri
q t=0

when assuming that r|q (i.e. r divides q).

 Period Finding Algorithm

. Perform the QFT

r q/r−1 q−1  
 E
−1 r X 1 X −2πi
Φ̃ = QF T (|Φ1 iz ) = √ exp (a0 + rt)c |ci

z q t=0 q c=0 q
r X q−1   q/r−1  
r 2πi X 2πi
= exp − a0 c exp − trc |ci .
q 2 c=0 q t=0
q
| {z }
αc

. Remark: if rc = kq for some k ∈ N then

q
αc = .
r
. The probability for measuring a specific c0 = kq/r:
D  E2 r r q2 1
P [c0 ] =  c0 Φ̃  = 2 |αc0 |2 = 2 2 =
  
q q r r
 Period Finding Algorithm

. Overall probability to measure a c of the form kqr is then

 c0 Φ̃  = r 1 = 1
X 
  2
r
c=kq/r

kq
. The algorithm output is a natural number that is of the form r, with
k ∈ N.
 Example: Factoring n=21

1. Choose x
2. Determine q
3. Initialize first register (r1 )
4. Initialize second register (r2 )
5. QFT on first register
6. Measurement
7. Continued Fraction Expansion → determine r
8. Check r → determine factors
 1. Choose a random integer x, 1 < x < n

. if it is not coprime with n, e.g. x = 6:

→ gcd(x, n) = gcd(6, 21) = 3 → 21/3 = 7 → done!
. if it is coprime with n, e.g. x = 11:
→ gcd(11, 21) = 1 → continue!
 2. Determine q

!
. n = 244 ≤ q = 2l < 2n2 = 882
2

→ q = 512 = 29
. Initial state consisting of two registers of length l:
l
|Φii = |0ir1 |0ir2 = |0i⊗2
 3. Initialize r1

. initialize first register with superposition of all states a( mod q):

511
1 X
|Φ0i = √ |ai |0i
512 a=0

. this corresponds to √1 (|0i + |1i) on all bits

2
 4. Initialize r2

. initialize second register with superposition of all states xa( mod n):
511
1 X
|Φ1i = √ |ai |11a( mod 21)i
512 a=0
1
= √ (|0i |1i + |1i |11i + |2i |16i + |3i |8i + ...)
512
a 0 1 2 3 4 5 6 7 8 9 10 ...
11a(mod21) 1 11 16 8 4 2 1 11 16 8 4 ...
. r = 6, but not yet observable
 5. Quantum Fourier Transform

. apply the QFT on the first register:

511 511
1 X X 2πiac/512
|Φ̃i = e |ci |11a(mod21)i
512 a=0 c=0
 6. Measurement!

. probability for state |c, xk ( mod n)i, e.g. k = 2 → |c, 16i to occur:
 511 2  2
 1 X
2πiac/512 
  1 X
2πi(6b+2)c/512 

p(c) =   e  =  512
 e
512 a 
a:11 mod 21=16 b

512
. peaks for c = 6 · d, d ∈ Z:
 7. Determine the period r

   427 d  !
. Assume we get 427:  qc − dr  =  512 − r ≤ 1
1024

. Continued fraction expansion:

c 1
= a0 + 1 , d 0 = a0 , d 1 = 1 + a0 a1 , dn = andn−1 + dn−2
q a1 + 1
a2 + ...
r0 = 1, r 1 = a1 , rn = anrn−1 + rn−2
427 1
=0+ 1 , d0 = 0, d1 = 1, d2 = 5, d3 = 427
512 1+ 5+ 1 1
42+ 2
r0 = 1, r1 = 1, r2 = 6, r3 = 512
 d0
. as r0= 0 and dr11 = 1 obviously don’t work, try d2
r2 = 5
6 →r=6
→ it works! =)
. for qc = 171 d 1
512 we would get r = 3 , so using r = 3 this would not work.
→ it only works if d and r are coprime!
→ if it doesn’t work, try again!
 8. Check r

. check if r is even X
. check if xr/2 mod n 6= −1 X
. as both holds, we can determine the factors:
xr/2 mod n − 1 = 113 mod 21 − 1 = 7
xr/2 mod n + 1 = 113 mod 21 + 1 = 9

→ the two factors are gcd(7, 21) = 7 and gcd(9, 21) = 3

 Conclusion

. Shor’s algorithm is very important for cryptography, as it can factor large

numbers much faster than classical algorithms (polynomial instead of
exponential)
. powerful motivator for quantum computers
. no practical use yet, as it is not possible yet to design quantum computers
that are large enough to factor big numbers
 References

. Shor, Peter W. ”Polynomial-time algorithms for prime factorization and discrete

logarithms on a quantum computer.” SIAM journal on computing 26.5 (1997):
1484-1509.
. Agrawal, Manindra, Neeraj Kayal, and Nitin Saxena. ”PRIMES is in P.” Annals of
mathematics (2004): 781-793.
. Bernstein, Daniel. ”Detecting perfect powers in essentially linear time.” Mathe-
matics of Computation of the American Mathematical Society 67.223 (1998):
1253-1283.
. Hardy, Godfrey Harold, et al. An introduction to the theory of numbers. Vol. 4.
Oxford: Clarendon press, 1979.
. Miller, Gary L. ”Riemann’s hypothesis and tests for primality.” Journal of computer
and system sciences 13.3 (1976): 300-317.