Shor's algorithm

Shor's algorithm, named after mathematician Peter Shor, is a quantum algorithm (an algorithm which runs on a quantum computer) for integer factorization discovered in 1994. Informally it solves the following problem: Given an integer N, find its prime factors.

On a quantum computer, to factor an integer N, Shor's algorithm runs in polynomial time (the time taken is polynomial in log N, which is the size of the input^[1]). Specifically it takes time O((log N)³), demonstrating that the integer factorization problem can be efficiently solved on a quantum computer and is thus in the complexity class BQP. This is exponentially faster than the most efficient known classical factoring algorithm, the general number field sieve, which works in sub-exponential time -- about O(e^{(log N)^1/3 (log log N)^2/3}). The efficiency lies in the efficiency of the quantum Fourier transform, and modular exponentiation by squarings.

Shor's algorithm is important because it can, using a quantum computer, be used to break the widely used public-key cryptography scheme known as RSA. RSA is based on the assumption that factoring large numbers is computationally infeasible. So far as is known, this assumption is valid for classical (non-quantum) computers; no classical algorithm is known that can factor in polynomial time. However, Shor's algorithm shows that factoring is efficient on a quantum computer, so an appropriately large quantum computer can break RSA. It was also a powerful motivator for the design and construction of quantum computers and for the study of new quantum computer algorithms. It has also facilitated research on new cryptosystems that are secure from quantum computers, collectively called post-quantum cryptography.

In 2001, Shor's algorithm was demonstrated by a group at IBM, who factored 15 into 3 × 5, using an NMR implementation of a quantum computer with 7 qubits.^[2] However, some doubts have been raised as to whether IBM's experiment was a true demonstration of quantum computation, since no entanglement was observed.^[3] Since IBM's implementation, several other groups have implemented Shor's algorithm using photonic qubits, emphasizing that entanglement was observed.^[4]^[5]

1 Procedure
- 1.1 Classical part
- 1.2 Quantum part: Period-finding subroutine
2 Explanation of the algorithm
- 2.1 I. Obtaining factors from period
- 2.2 II. Finding the period
3 Discrete logarithms
4 References
5 Further reading

Procedure

The problem we are trying to solve is: given a (without loss of generality odd) composite number N, find an integer p, strictly between 1 and N, that divides N.

Shor's algorithm consists of two parts:

A reduction, which can be done on a classical computer, of the factoring problem to the problem of order-finding.
A quantum algorithm to solve the order-finding problem.

Classical part

Pick a random number a < N
Compute gcd(a, N). This may be done using the Euclidean algorithm.
If gcd(a, N) ≠ 1, then there is a non-trivial factor of N, so we are done.
Otherwise, use the period-finding subroutine (below) to find r, the period of the following function:

$f(x) = a^x\ \mbox{mod}\ N$ ,

i.e. the order $r$ of $a$ in $(\mathbb{Z}_N)^\times$ , or the smallest positive integer r for which $f(x+r) = f(x)$
If r is odd, go back to step 1.
If a ^{r /2} ≡ -1 (mod N), go back to step 1.
gcd(a^r/2 ± 1, N) is a nontrivial factor of N. We are done.

Quantum part: Period-finding subroutine

The quantum circuits used for this algorithm are custom designed for each choice of N and the random a used in f(x) = a^x mod N. Given N, find Q = 2^q such that $N^2 \le Q < 2N^2$ , which implies $Q/r > N$ . The input and output qubit registers need to hold superpositions of values from 0 to Q − 1, and so have q qubits each. Using what might appear to be twice as many qubits as necessary guarantees that there are at least N different x which produce the same f(x), even as the period r approaches N/2.

Proceed as follows:

Initialize the registers to

$Q^{-1/2} \sum_{x=0}^{Q-1} \left|x\right\rangle \left|0\right\rangle$

where x runs from 0 to Q − 1. This initial state is a superposition of Q states.
Construct f(x) as a quantum function and apply it to the above state, to obtain

$Q^{-1/2} \sum_x \left|x\right\rangle \left|f(x)\right\rangle$

This is still a superposition of Q states.
Apply the quantum Fourier transform to the input register. This transform (operating on a superposition of power-of-two Q = 2^q states) uses a Q^th root of unity such as $\omega = e^{2 \pi i /Q}$ to distribute the amplitude of any given $\left|x\right\rangle$ state equally among all Q of the $\left|y\right\rangle$ states, and to do so in a different way for each different x:

$U_{QFT} \left|x\right\rangle = Q^{-1/2} \sum_y \omega^{x y} \left|y\right\rangle$

This leads to the final state

$Q^{-1} \sum_x \sum_y \omega^{x y} \left|y\right\rangle \left|f(x)\right\rangle$

This is a superposition of many more than Q states, but many fewer than Q² states. Although there are Q² terms in the sum, the state $\left|y\right\rangle \left|f(x_0)\right\rangle$ can be factored out whenever x₀ and x produce the same value. Let

$\omega = e^{2 \pi i /Q}$ be a Q^th root of unity,

r be the period of f,

x₀ be the smallest of a set of x which yield the same given f(x) (we have x₀ < r), and

b run from 0 to $\lfloor(Q-x_0-1)/r\rfloor$ so that $x_0 + rb < Q$

Then $\omega^{ry}$ is a unit vector in the complex plane ( $\omega$ is a root of unity and r and y are integers), and the coefficient of $Q^{-1}\left|y\right\rangle \left|f(x_0)\right\rangle$ in the final state is

$\sum_{x:\, f(x)=f(x_0)} \omega^{x y} = \sum_{b} \omega^{(x_0 + r b) y} = \omega^{x_0y} \sum_{b} \omega^{r b y}$

Each term in this sum represents a different path to the same result, and quantum interference occurs—constructive when the unit vectors $\omega^{ryb}$ point in nearly the same direction in the complex plane, which requires that $\omega^{ry}$ point along the positive real axis.
Perform a measurement. We obtain some outcome y in the input register and $f(x_0)$ in the output register. Since f is periodic, the probability of measuring some pair y and $f(x_0)$ is given by

$\left| Q^{-1} \sum_{x:\, f(x)=f(x_0)} \omega^{x y} \right|^2 = Q^{-2} \left| \sum_{b} \omega^{(x_0 + r b) y} \right|^2 = Q^{-2} \left| \sum_{b} \omega^{ b r y} \right|^2$

Analysis now shows that this probability is higher, the closer unit vector $\omega^{ry}$ is to the positive real axis, or the closer yr/Q is to an integer.Unless r is a power of 2, it won't be a factor of Q.
Perform Continued Fraction Expansion on y/Q to make a an approximation of it, and produce some c/r′ by it that satisfies two conditions:

A: r′<N

B: |y/Q - c/r′| < 1/2Q

By satisfaction of these conditions, r′ would be the appropriate period r with high probability.
Check if f(x) = f(x + r′) $\Leftrightarrow$ $a^r \equiv 1 \pmod{N}$ If so, we are done.
Otherwise, obtain more candidates for r by using values near y, or multiples of r′. If any candidate works, we are done.
Otherwise, go back to step 1 of the subroutine.

Explanation of the algorithm

The algorithm is composed of two parts. The first part of the algorithm turns the factoring problem into the problem of finding the period of a function, and may be implemented classically. The second part finds the period using the quantum Fourier transform, and is responsible for the quantum speedup.

I. Obtaining factors from period

The integers less than N and coprime with N form a finite Abelian group under multiplication modulo N. The size is given by the totient (p-1)(q-1). By the end of step 3, we have an integer a in this group. Since the group is finite, a must have a finite order r, the smallest positive integer such that

$a^r \equiv 1\ \mbox{mod}\ N.\,$

Therefore, N divides a ^r − 1 . Suppose we are able to obtain r, and it is even. Then

$a^r - 1 = (a^{r/2} - 1) (a^{r/2} + 1) \equiv 0\ \mbox{mod}\ N$

$\Rightarrow N\ | (a^{r/2} - 1) (a^{r/2} + 1).\,$

r is the smallest positive integer such that a ^r ≡ 1, so N cannot divide (a ^{r / 2} − 1). If N also does not divide (a ^{r / 2} + 1), then N must have a nontrivial common factor with each of (a ^{r / 2} − 1) and (a ^{r / 2} + 1).

Proof: For simplicity, denote (a ^{r / 2} − 1) and (a ^{r / 2} + 1) by u and v respectively. N | uv, so kN = uv for some integer k. Suppose gcd(v, N) = 1; then mv + nN = 1 for some integers m and n (this is a property of the greatest common divisor.) Multiplying both sides by u, we find that mkN + nuN = u, so N | u. By contradiction, gcd(v, N) ≠ 1. By a similar argument, if N does not divide (a ^{r / 2} + 1) , gcd(u, N) ≠ 1.

This supplies us with a factorization of N. If N is the product of two primes, this is the only possible factorization.

To show the algorithm works, we have to prove for random choices of a, the probability that we can find a factor is high.

II. Finding the period

Shor's period-finding algorithm relies heavily on the ability of a quantum computer to be in many states simultaneously. Physicists call this behavior a "superposition" of states. To compute the period of a function f, we evaluate the function at all points simultaneously.

Quantum physics does not allow us to access all this information directly, though. A measurement will yield only one of all possible values, destroying all others. But for the no cloning theorem, we could first measure f(x) without measuring x, and then make a few copies of the resulting state (which is a superposition of states all having the same f(x)). Measuring x on these states would provide different x values which give the same f(x), leading to the period. Because we cannot make exact copies of a quantum state, this method does not work. Therefore we have to carefully transform the superposition to another state that will return the correct answer with high probability. This is achieved by the quantum Fourier transform.

Shor thus had to solve three "implementation" problems. All of them had to be implemented "fast", which means that they can be implemented with a number of quantum gates that is polynomial in $\log N$ .

Create a superposition of states. This can be done by applying Hadamard gates to all qubits in the input register. Another approach would be to use the quantum Fourier transform (see below).
Implement the function f as a quantum transform. To achieve this, Shor used repeated squaring for his modular exponentiation transformation. It is important to note that this step is more difficult to implement than the quantum Fourier transform, in that it requires ancillary qubits and substantially more gates to accomplish.
Perform a quantum Fourier transform. By using controlled rotation gates and Hadamard gates Shor designed a circuit for the quantum Fourier transform (with Q = 2^q) that uses just $q(q-1)/2 = O((\log Q)^2)$ gates.^[6]

After all these transformations a measurement will yield an approximation to the period r. For simplicity assume that there is a y such that yr/Q is an integer. Then the probability to measure y is 1. To see that we notice that then

$e^{-2 \pi i b yr/Q} = 1\,$

for all integers b. Therefore the sum whose square gives us the probability to measure y will be Q/r since b takes roughly Q/r values and thus the probability is $1/r^2$ . There are r y such that yr/Q is an integer and also r possibilities for $f(x_0)$ , so the probabilities sum to 1.

Note: another way to explain Shor's algorithm is by noting that it is just the quantum phase estimation algorithm in disguise.

Discrete logarithms

Suppose we know $g^r = x (mod\, p)$ , and we wish to compute the discrete logarithm $r = log_g x (mod \, p)$ . Consider the Abelian group $\left( \mathbb{Z}_{p} \right)^\times \times \left(\mathbb{Z}_{p}\right)^\times$ where each factor corresponds to modular multiplication of nonzero values, assuming p is prime. Now, consider the function

$f(a,b) = g^a x^{-b} (mod \, p)$

This gives us an Abelian hidden subgroup problem, as f corresponds to a group homomorphism. The kernel corresponds to modular multiples of (r,1). So, if we can find the kernel, we can find r.

References

↑ See also Pseudo-polynomial time.
↑ Vandersypen, Lieven M. K.; Steffen, Matthias; Breyta, Gregory; Yannoni, Costantino S.; Sherwood, Mark H. & Chuang, Isaac L. (2001), "Experimental realization of Shor's quantum factoring algorithm using nuclear magnetic resonance", Nature 414 (6866): 883–887, doi:10.1038/414883a, PMID 11780055 .
↑ Braunstein, S. L.; Caves, C. M.; Jozsa, R.; Linden, N.; Popescu, S.; Schack, R. (1999), "Separability of Very Noisy Mixed States and Implications for NMR Quantum Computing", Phys. Rev. Lett 83 (5): 1054–1057, doi:10.1103/PhysRevLett.83.1054
↑ Lu, Chao-Yang; Browne, Daniel E.; Yang, Tao & Pan, Jian-Wei (2007), "Demonstration of a Compiled Version of Shor's Quantum Factoring Algorithm Using Photonic Qubits", Physical Review Letters 99 (25): 250504, doi:10.1103/PhysRevLett.99.250504
↑ Lanyon, B. P.; Weinhold, T. J.; Langford, N. K.; Barbieri, M.; James, D. F. V.; Gilchrist, A. & White, A. G. (2007), "Experimental Demonstration of a Compiled Version of Shor's Algorithm with Quantum Entanglement", Physical Review Letters 99 (25): 250505, doi:10.1103/PhysRevLett.99.250505
↑ Shor 1999, p. 14.

Nielsen, Michael A. & Chuang, Isaac L. (2000), Quantum Computation and Quantum Information, Cambridge University Press .
Phillip Kaye, Raymond Laflamme, Michele Mosca, An introduction to quantum computing, Oxford University Press, 2007, ISBN 019857049X
"Explanation for the man in the street" by Scott Aaronson, "approved" by Peter Shor. (Shor wrote "Great article, Scott! That’s the best job of explaining quantum computing to the man on the street that I’ve seen."). Scott Aaronson suggests the following 12 references as further reading (out of "the 10^{10⁵⁰⁰⁰} quantum algorithm tutorials that are already on the web."):
Shor, Peter W. (1997), "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer", SIAM J. Comput. 26 (5): 1484–1509, doi:10.1137/S0036144598347011, arXiv:quant-ph/9508027v2 . Revised version of the original paper by Peter Shor ("28 pages, LaTeX. This is an expanded version of a paper that appeared in the Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, Nov. 20--22, 1994. Minor revisions made January, 1996").
Quantum Computing and Shor's Algorithm, Matthew Hayward, 2005-02-17, imsa.edu, LaTeX2HTML version of the original 2750 line LaTeX document, also available as a 61 page PDF or postscript document.
Quantum Computation and Shor's Factoring Algorithm, Ronald de Wolf, CWI and University of Amsterdam, January 12, 1999, 9 page postscript document.
Shor's Factoring Algorithm, Notes from Lecture 9 of Berkeley CS 294-2, dated 4 Oct 2004, 7 page postscript document.
Chapter 6 Quantum Computation, 91 page postscript document, Caltech, Preskill, PH229.
Quantum computation: a tutorial by Samuel L. Braunstein.
The Quantum States of Shor's Algorithm, by Neal Young, Last modified: Tue May 21 11:47:38 1996.
A now-circular reference via the Wikipedia copy of this article; clearly Aaronson's link originally reached the February 20, 2007 version.
III. Breaking RSA Encryption with a Quantum Computer: Shor's Factoring Algorithm, Lecture notes on Quantum computation, Cornell University, Physics 481-681, CS 483; Spring, 2006 by N. David Mermin. Last revised 2006-03-28, 30 page PDF document.
arXiv quant-ph/0303175 Shor's Algorithm for Factoring Large Integers. C. Lavor, L.R.U. Manssur, R. Portugal. Submitted on 29 Mar 2003. This work is a tutorial on Shor's factoring algorithm by means of a worked out example. Some basic concepts of Quantum Mechanics and quantum circuits are reviewed. It is intended for non-specialists which have basic knowledge on undergraduate Linear Algebra. 25 pages, 14 figures, introductory review.
arXiv quant-ph/0010034 Shor's Quantum Factoring Algorithm, Samuel J. Lomonaco, Jr, Submitted October 9, 2000, This paper is a written version of a one hour lecture given on Peter Shor's quantum factoring algorithm. 22 pages.
Chapter 20 Quantum Computation, from Computational Complexity: A Modern Approach, Draft of a book: Dated January 2007, Comments welcome!, Sanjeev Arora and Boaz Barak, Princeton University.

Quantum Information Science

General	Quantum computer • Qubit • Quantum information • Quantum programming • Timeline of quantum computing

Quantum communication	Quantum channel • Quantum cryptography (Quantum key distribution) • Quantum teleportation • Superdense coding • LOCC • Entanglement distillation

Quantum algorithms	Universal quantum simulator • Deutsch–Jozsa algorithm • Grover's search • quantum Fourier transform • Shor's factorization • Simon's Algorithm • quantum phase estimation algorithm

Quantum complexity theory	Quantum Turing machine • BQP • QMA • PostBQP

Quantum computing models	Quantum circuit (quantum gate) • One-way quantum computer (cluster state) • Adiabatic quantum computation • Topological quantum computer

Decoherence prevention	Quantum error correction • Stabilizer codes • Entanglement-Assisted Quantum Error Correction • Quantum convolutional codes

Physical implementations

Quantum optics	Cavity QED

Ultracold atoms	Trapped ion quantum computer • Optical lattice

Spin-based	Nuclear magnetic resonance QC • Kane QC • Loss–DiVincenzo QC

Superconducting quantum computing	Charge qubit • Flux qubit • Phase qubit

Other	Nitrogen-vacancy center

Number-theoretic algorithms

Primality tests	AKS · APR · Ballie–PSW · ECPP · Elliptic curve · Pocklington · Fermat · Lucas · Lucas–Lehmer · Lucas–Lehmer–Riesel · Proth's theorem · Pépin's · Solovay–Strassen · Miller–Rabin · Trial division

Sieving algorithms	Sieve of Atkin · Sieve of Eratosthenes · Sieve of Sundaram · Wheel factorization

Integer factorization algorithms	CFRAC · Dixon's · ECM · Euler's · Pollard's rho · p − 1 · p + 1 · QS · GNFS · SNFS · rational sieve · Fermat's · Shanks' square forms · Trial division · Shor's

Multiplication algorithms	Ancient Egyptian multiplication · Karatsuba algorithm · Toom–Cook multiplication · Schönhage–Strassen algorithm · Fürer's algorithm

Discrete logarithm algorithms	Baby-step giant-step · Pollard rho · Pollard kangaroo · Pohlig–Hellman · Index calculus · Function field sieve

GCD algorithms	Binary GCD · Euclidean · Extended Euclidean

Modular square root algorithms	Cipolla · Pocklington · Tonelli–Shanks

Other algorithms	Chakravala · Cornacchia · integer relation algorithm · integer square root · Modular exponentiation · Schoof's

Italics indicate that algorithm is for numbers of special forms; bold indicates deterministic algorithm for primality tests (current article is always in bold).