Shor’s Factoring Algorithm

1.6 Shor’s Factoring Algorithm

Probably the most important quantum algorithm so far is Shor’s factoring algo-rithm [151]. It can find a factor of a composite number N in roughly (log N )² steps, which is polynomial in the length log N of the input. On the other hand, there is no known classical (deterministic or randomized) algorithm that can fac-tor N in polynomial time. The best known classical randomized algorithms run in time roughly

2^{(log N )α},

where α = 1/3 for a heuristic upper bound [110] and α = 1/2 for a rigorous upper bound [111]. In fact, much of modern cryptography is based on the conjecture that no fast classical factoring algorithm exists [142]. All this cryptography (for example RSA) would be broken if Shor’s algorithm could be physically realized.

In terms of complexity classes: factoring (rather, the decision problem equivalent to it) is provably in BQP but is not known to be in BPP. If indeed factoring is not in BPP, then the quantum computer would be the first counterexample to the “strong” Church-Turing thesis, which states that all “reasonable” models of computation are polynomially equivalent (see [68] and [135, p.31,36]).

Shor also gave a similar algorithm for solving the discrete logarithm problem.

His algorithm was subsequently generalized to solve the so-called Abelian hidden subgroup problem and phase-estimation problem [99, 55, 124]. We will not go into those issues here, and restrict to an explanation of the quantum factoring algorithm.

1.6.1 Reduction from factoring to period-finding

The crucial observation of Shor was that there is an efficient quantum algorithm for the problem of period-finding and that factoring can be reduced to this. We first explain the reduction. Suppose we want to find factors of the composite number N > 1. Randomly choose some integer x ∈ {2, . . . , N − 1} which is coprime to N (if x is not coprime to N , then the greatest common divisor of x and N is a factor of N , so then we are already done). Now consider the sequence

1 = x⁰ mod N, x¹ mod N, x² mod N, . . .

This sequence will cycle after a while: there is a least 0 < r ≤ N such that x^r = 1 mod N . This r is called the period of the sequence. It can be shown that with probability ≥ 1/4, r is even and x^r/2+ 1 and x^r/2− 1 are not multiples of N . In that case we have:

x^r ≡ 1 mod N ⇐⇒

(x^r/2)² ≡ 1 mod N ⇐⇒

(x^r/2+ 1)(x^r/2− 1) ≡ 0 mod N ⇐⇒

(x^r/2+ 1)(x^r/2− 1) = kN for some k.

Note that k > 0 because both x^r/2+ 1 > 0 and x^r/2 − 1 > 0 (x > 1). Hence x^r/2+ 1 or x^r/2− 1 will share a factor with N. Because x^r/2+ 1 and x^r/2− 1 are not multiples of N this factor will be < N , and in fact both these numbers will share a non-trivial factor with N . Accordingly, if we have r then we can efficiently (in roughly log N steps) compute the greatest common divisors gcd(x^r/2+ 1, N ) and gcd(x^r/2− 1, N), and both of these two numbers will be non-trivial factors of N . If we are unlucky we might have chosen an x that does not give a factor (which we can detect efficiently), but trying a few different random x gives a high probability of finding a factor.

Thus the problem of factoring reduces to finding the period r of the function given by modular exponentiation f (a) = x^a mod N . In general, the period-finding problem can be stated as follows:

The period-finding problem:

We are given some function f : N → [N] with the property that there is some unknown r∈ [N] such that f(a) = f(b) iff a = b mod r. The goal is to find r.

We will show below how we can solve this problem efficiently, using O(log log N ) evaluations of f and O(log log N ) quantum Fourier transforms. An evaluation of f can be viewed as analogous to the application of a query in the previous algorithms. Even a somewhat more general kind of period-finding can be solved by Shor’s algorithm with very few f -evaluations, whereas any classical bounded-error algorithm would need to evaluate the function Ω(N^1/3/√

log N ) times in order to find the period [52].

How many steps (elementary gates) will the algorithm take? For a = N^O(1), we can compute f (a) = x^a mod N in O((log N )²log log N log log log N ) steps:

compute x² mod N, x⁴ mod N, x⁸ mod N, . . . by repeated squaring (using the Sch¨onhage-Strassen algorithm for fast multiplication [106]) and take an appro-priate product of these to get x^a mod N . Moreover, as explained below, the quantum Fourier transform can be implemented using O((log N )²) steps. Ac-cordingly, Shor’s algorithm finds a factor of N using an expected number of roughly (log N )²(log log N )²log log log N steps, which is only slightly worse than quadratic in the length of the input.

1.6.2 The quantum Fourier transform

For some number q, let Zq = {0, . . . , q − 1}. For each a ∈ Zq define a function χ_a: Z_q → C by

χ_a(b) = e^2πiabq .

The set of basis states {|ai | a ∈ Zq} is called the standard basis. An alternative orthonormal basis, called the Fourier basis, is the set {|χ^ai | a ∈ Z^q} defined by

|χai = 1

√q X

b∈Zq

χa(b)|bi.

1.6. Shor’s Factoring Algorithm 17 The quantum Fourier transform (QFT) is the unitary transformation that maps the standard basis to the Fourier basis:

QFT: |ai → |χai.

It is known that if q = 2^m for some m, then the QFT can be implemented on a quantum computer using O((log q)²) elementary gates. We will here present the construction from [55]; somewhat more efficient constructions can be found in [57, 85, 56]. It may be verified (with some effort) that applying QFT to an m-bit basis state|ai = |a1. . . a_mi gives an unentangled state:

|χ^ai = 1

√2^m

¡|0i + e^2πi(0.am)|1i)(|0i + e^{2πi(0.am−1am)}|1i) · · · (|0i + e^{2πi(0.a1...am)}|1i¢ , with 0.aj. . . am interpreted as a fraction in binary digits. This means that we can just restrict attention to single-qubit operations controlled by the values of the a_i-bits, as follows. To the rightmost qubit of the initial state, which is initially

|a^mi, we apply a Hadamard gate, obtaining ^√1₂(|0i + e^2πi(0.am)|1i). This is the leftmost qubit of |χ^ai. To the second qubit from the right in the initial state, which is initially |am−1i, we apply a Hadamard, and if am = 1 we also apply the phase gate R2πi(1/4), obtaining ^√1₂(|0i + e^{2πi(0.am−1am)}|1i). This is the second qubit from the left of |χai. We also do this for |am−2i, |am−3i, “rotating in” smaller and smaller angles etc., and eventually generating all qubits of|χ^ai in the wrong order. Applying some swap gates to change the order, we have constructed |χai using O(m²) operations. But if we have a circuit that works for basis states |ai, then by linearity it also works on all superpositions of basis states, so we have constructed the full quantum Fourier transform. Graphical representations of this circuit may be found in [55, 130].

1.6.3 Period-finding, easy case: r divides q

Now we will show how we can find the period of the function f , given a “black-box” that maps |ai|0i → |ai|f(a)i. We can always efficiently pick some q = 2^m such that N² < q ≤ 2N² and we can implement the Fourier transform over Z_q using O((log N )²) gates.

For didactical reasons, we will first assume that the unknown r divides q, in which case everything works out smoothly. We now find r as follows. Start with

|0i|0i, two registers of ⌈log q⌉ and ⌈log N⌉ zeroes, respectively. Apply the QFT to the first register to build the uniform superposition

√1q Xq−1 a=0

|ai|~0i.

(Actually the m-qubit Hadamard transform would have the same effect here.) The second register still consists of zeroes. Now use the “black-box” to compute

f (a) in quantum parallel:

√1q Xq−1

a=0

|ai|f(a)i.

Observing the second register gives some value f (s), with s < r. Because f (a) = f (s) iff a = s mod r, and r divides q, the a of the form a = jr + s (0≤ j < q/r) are exactly the a for which f (a) = f (s). Thus the first register collapses to a superposition of|si, |r+si, |2r+si, . . . , |q−r+si and the second register collapses to the classical state |f(s)i. We can now ignore the second register, and have in the first: Note that e^2πirb/q = 1 iff rb/q is an integer iff b is a multiple of q/r. Accordingly, we are left with a superposition where only the multiples of q/r have non-zero amplitude. Observing this final superposition gives some random multiple b = cq/r, with c a random number 0≤ c < r. Thus we get a b such that

b q = c

r,

where b and q are known and c and r are not. There are φ(r) ∈ Ω(r/ log log r) numbers smaller than r that are coprime to r [86, Theorem 328], so c will be coprime to r with probability Ω(1/ log log r). Accordingly, an expected number of O(log log N ) repetitions of the procedure of this section suffices to obtain a b = cq/r with c coprime to r. Once we have such a b, we can obtain r as the denominator by writing b/q in lowest terms.

Before continuing with the harder case, notice the resemblance of the basic subroutine of Shor’s algorithm (Fourier, f -evaluation, Fourier) with the basic sub-routine of Simon’s algorithm (Hadamard, query, Hadamard). The number of re-quired f -evaluations for period-finding can actually be reduced from O(log log N ) to O(1), see Shor’s paper [151] for details.