Shor's factoring algorithm

'''Shor's algorithm''' is a [[quantum computer|quantum]] [[algorithm]] for [[Integer factorization|factoring]] a number ''N'' in [[Big O notation |O]]((log ''N'')3) time and O(log ''N'') space, named after [[Peter Shor]]. The algorithm is significant because it implies that [[public key cryptography]] might be easily broken, given a sufficiently large quantum computer. [[Wikipedia:RSA| RSA]], for example, uses a public key ''N'' which is the product of two large prime numbers. One way to crack RSA encryption is by factoring ''N'', but with classical algorithms, factoring becomes increasingly time-consuming as ''N'' grows large; more specifically, no classical algorithm is known that can factor in time O((log ''N'')''k'') for any ''k''. By contrast, Shor's algorithm can crack RSA in polynomial time. It has also been extended to attack many other public key cryptosystems. Like all quantum computer algorithms, Shor's algorithm is probabilistic: it gives the correct answer with high probability, and the probability of failure can be decreased by repeating the algorithm. Shor's algorithm was demonstrated in 2001 by a group at IBM, which factored 15 into 3 and 5, using a quantum computer with 7 [[qubit|qubits]]. === Procedure === The problem we are trying to solve is that, given an integer ''N'', we try to find another integer ''p'' between ''1'' and ''N'' that divides ''N''. Shor's algorithm consists of two parts: # A reduction of the factoring problem to the problem of [[Order (group theory)|order-finding]], which can be done on a classical computer. # A quantum algorithm to solve the order-finding problem. ==== Classical part ====

1. Pick a pseudo-random number ''a'' < ''N''
2. Compute [[greatest common divisor|gcd]](''a'', ''N''). This may be done using the [[Euclidean algorithm]].
3. If gcd(''a'', ''N'') ≠ 1, then there is a nontrivial factor of ''N'', so we are done.
4. Otherwise, use the period-finding subroutine (below) to find ''r'', the [[periodic function|period]] of the following function: :$f(x)\; =\; a^x\backslash \; \backslash mbox\{mod\}\backslash \; N$, i.e. the smallest integer ''r'' for which $f(x+r)\; =\; f(x)$.
5. If ''r'' is odd, go back to step 1.
6. If ''a'' ''r''/2 ≡ -1 (mod ''N''), go back to step 1.
7. The factors of ''N'' are gcd(a''r''/2 ± 1, ''N''). We are done.

==== Quantum part: Period-finding subroutine: ====

1. Start with a pair of input and output [[qubit]] registers with log2''N'' qubits each, and initialize them to :$N^\{-1/2\}\; \backslash sum\_x\; \backslash left|x\backslash right\backslash rangle\; \backslash left|0\backslash right\backslash rangle$ where ''x'' runs from 0 to ''N'' - 1.
2. Construct ''f''(''x'') as a quantum function and apply it to the above state, to obtain :$N^\{-1/2\}\; \backslash sum\_x\; \backslash left|x\backslash right\backslash rangle\; \backslash left|f(x)\backslash right\backslash rangle$
3. Apply the [[quantum Fourier transform]] on the input register. The quantum Fourier transform on ''N'' points is defined by: :$U\_\{QFT\}\; \backslash left|x\backslash right\backslash rangle\; =\; N^\{-1/2\}\; \backslash sum\_y\; e^\{2\backslash pi\; i\; x\; y/N\}\; \backslash left|y\backslash right\backslash rangle$ This leaves us in the following state: :$N^\{-1\}\; \backslash sum\_x\; \backslash sum\_y\; e^\{2\backslash pi\; i\; x\; y/N\}\; \backslash left|y\backslash right\backslash rangle\; \backslash left|f(x)\backslash right\backslash rangle$
4. Perform a measurement. We obtain some outcome ''y'' in the input register and $f(x\_0)$ in the output register. Since ''f'' is periodic, the probability to measure some ''y'' is given by :$N^\{-1\}\; \backslash left|\; \backslash sum\_\{x:\backslash ,\; f(x)=f(x\_0)\}\; e^\{2\backslash pi\; i\; x\; y/N\}\; \backslash right|^2\; =\; N^\{-1\}\; \backslash left|\; \backslash sum\_\{b\}\; e^\{2\backslash pi\; i\; (x\_0\; +\; r\; b)\; y/N\}\; \backslash right|^2$ Analysis now shows that this probability is higher, the closer ''yr/N'' is to an integer.
5. Turn ''y/N'' into an [[irreducible fraction]], and extract the denominator ''r''′, which is a candidate for ''r''.
6. Check if ''f''(''x'') = ''f''(''x'' + ''r''′). If so, we are done.
7. Otherwise, obtain more candidates for ''r'' by using values near ''y'', or multiples of ''r''′. If any candidate works, we are done.
8. Otherwise, go back to step 1 of the subroutine.

=== Explanation of the algorithm === The algorithm is composed of two parts. The first part of the algorithm turns the factoring problem into the problem of finding the period of a function, and may be implemented classically. The second part finds the period using the quantum Fourier transform, and is responsible for the quantum speedup. ==== I. Obtaining factors from period ==== The integers less than ''N'' and [[coprime]] with ''N'' form a finite [[group (mathematics)|group]] under multiplication [[modular arithmetic|modulo]] ''N'', which is typically denoted ('''Z'''/''N'''''Z''')×. By the end of step 3, we have an integer ''a'' in this group. Since the group is finite, ''a'' must have a finite order ''r'', the smallest positive integer such that :$a^r\; \backslash equiv\; 1\backslash \; \backslash mbox\{mod\}\backslash \; N.\backslash ,$ Therefore, ''N'' | (''a'' ''r'' − 1). Suppose we are able to obtain ''r'', and it is even. Then :$a^r\; -\; 1\; =\; (a^\{r/2\}\; -\; 1)\; (a^\{r/2\}\; +\; 1)\; \backslash equiv\; 0\backslash \; \backslash mbox\{mod\}\backslash \; N$ :$\backslash Rightarrow\; N\backslash \; |\; (a^\{r/2\}\; -\; 1)\; (a^\{r/2\}\; +\; 1).\backslash ,$ ''r'' is the ''smallest'' positive integer such that ''a'' ''r'' ≡ 1, so ''N'' cannot divide (''a'' ''r'' / 2 − 1). If ''N'' also does not divide (''a'' ''r'' / 2 + 1), then ''N'' must have a nontrivial common factor with each of (''a'' ''r'' / 2 − 1) and (''a'' ''r'' / 2 + 1). '''Proof:''' For simplicity, denote (''a'' ''r'' / 2 − 1) and (''a'' ''r'' / 2 + 1) by ''u'' and ''v'' respectively. ''N'' | ''uv'', so ''kN'' = ''uv'' for some integer ''k''. Suppose gcd(''u'', ''N'') = 1; then ''mu'' + ''nN'' = 1 for some integers ''m'' and ''n'' (this is a property of the [[greatest common divisor]].) Multiplying both sides by ''v'', we find that ''mkN'' + ''nvN'' = ''v'', so ''N'' | ''v''. By contradiction, gcd(''u'', ''N'') ≠ 1. By a similar argument, gcd(''v'', ''N'') ≠ 1. This supplies us with a factorization of ''N''. If ''N'' is the product of two primes, this is the ''only'' possible factorization. ==== II. Finding the period ==== Shor's period-finding algorithm relies heavily on the ability of a [[quantum computer]] to be in many states simultaneously. Physicists call this behaviour a "[[Quantum superposition|superposition]]" of states. To compute the period of a function ''f'', we evaluate the function at all points simultaneously. Quantum physics does not allow us to access all this information directly, though. A [[measurement in quantum mechanics|measurement]] will yield only one of all possible values, destroying all others. Therefore we have to carefully transform the superposition to another state that will return the correct answer with high probability. This is achieved by the [[quantum Fourier transform]]. Shor thus had to solve three "implementation" problems. All of them had to be implemented "fast", which means that they can be implemented with a number of [[quantum gate]]s that is polynomial in $\backslash log\; N$.

1. Create a superposition of states. This can be done by applying [[Hadamard transform|Hadamard]] gates to all qubits in the input register. Another approach would be to use the quantum Fourier transform (see below).
2. Implement the function ''f'' as a quantum transform. To achieve this, Shor used [[Exponentiating by squaring|repeated squaring]] for his modular exponentiation transformation.
3. Perform a quantum Fourier transform. By using controlled NOT gates and single qubit rotation gates Shor designed a circuit for the quantum Fourier transform that uses just $O((\backslash log\; N)^2)$ gates.

After all these transformations a measurement will yield an approximation to the period ''r''. For simplicity assume that there is a ''y'' such that ''yr/N'' is an integer. Then the probability to measure ''y'' is 1. To see that we notice that then :$e^\{2\; \backslash pi\; i\; b\; yr/N\}\; =\; 1$ for all integers ''b''. Therefore the sum that gives us the probability to measure ''y'' will be ''N/r'' since ''b'' takes roughly ''N/r'' values and thus the probability is ''1/r''. There are ''r'' ''y'' such that ''yr/N'' is an integer, so the probabilities sum to 1. Note: another way to explain Shor's algorithm is by noting that it is just the [[quantum phase estimation algorithm]] in disguise. === Modifications to Shor's Algorithm === There have been many modifications to Shor's algorithm. For example, whereas, an order of twenty to thirty runs are required on a quantum computer in the case of Shor's original algorithm, and with some of the other modifications, in the case of the modification done by David McAnally at the University of Queensland an order of only four to eight runs on the quantum computer is required. === References === Preprint of the original paper by Peter Shor: * [http://www.arxiv.org/abs/quant-ph/9508027 ''Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer'', Peter W. Shor] A general textbook on quantum computing: * ''Quantum Computation and Quantum Information'', Michael A. Nielsen, Isaac L. Chuang, Cambridge University Press, 2000 {{Template:FromWikipedia}} [[Category:Quantum Algorithms]]