Shor's Factorization Algorithm Keith Kelley, CS 6800

Why is Shor's interesting? ● Shor's produces the prime factors of an integer in polynomial time and space ● The RSA encryption algorithm is based on a large integer (hundreds or thousands of digits) that is the product of two large primes ● Since Shor's is exponentially faster than known classical algorithms, it breaks RSA, which counts on the difficulty of this task ● Basically all the encryption on the Internet is RSA based: SSL/https, SSH, etc.

Factoring with a Digital Computer ● General Number Field Sieve O(e (64b/9) 1/3 (log b) 2/3 ) where b is the number of bits ● RSA factoring challenge results: ~200 digits in several months ● Any number of different algorithms for special types of numbers ● No number of processors or computers makes the processing needs reasonable as digits increase

Structure of a Quantum Algorithm ● Qubits start in a classical state ● System put in a superposition of many states ● Superposition acted on with unitary operations ● Qubits are measured

Unitary Operations ● Classical operations convert one bit string to another ● QC operations are unitary operations ● Unitary operations are reversible ● Unitary operations can take a bit string into or out of a superposition

Deutsch's Algorithm (1985) ● Basically the inspiration for all QC algorithms ● Determines whether functions from {0,1} to {0,1} (of which there are only four) are constant (f(0)=f(1)) or balanced (1:1) ● Deutsch-Jozsa (the generalized version for f{0,1} n ->{0,1}) gives an answer that is always correct with one evaluation of f. A classical method would require 2 n-1 +1 evaluations ● Started probabilistic, improved to be deterministic

Simon's Algorithm (1994) ● Simon's algorithm was the main inspiration for Shor's algorithm ● Exponentially faster than any known classical algorithm ● A classical solution requires roughly 2 n/2 executions vs O(n) executions for Simon's ● Simon's finds the period of a function ● The period P of a function is given by: ● f(x+P) = f(x)

Problem Reduction ● Breaking RSA reduces to finding prime factors of a large integer ● The factoring problem reduces to finding the period of a certain function

Shor's Vital Statistics ● Input: a positive integer N ● Output: a factor p of N ● Time Complexity: O((log N) 3 ), specifically O(n 2 log n log log n) where n is bits needed to represent N ● Space Complexity: O(log N) ● Probabilistic like most QC algorithms, not deterministic - gets the answer with constant probability in a constant number of passes

Shor's algorithm – steps ● 5 steps according to Quantum Computing For Computer Scientists ● 2 parts – classical and quantum – quantiki – Classical: 7 parts – Quantum: period finding – 8 parts ● 8 steps according to “A precise estimation of the computational complexity in Shor's factoring algorithm”, Kuriyama, Sano, Furuichi ● 7 steps according to “A pseudo-simulation of Shor’s quantum factoring algorithm”, Schneiderman, Stanley and Aravind ● 6 steps according to Scott Aarsonson's “Shor I'll do it”

Shor's Steps 1) Use a classical Polynomial algorithm to determine if N is prime or a power of a prime (if so exit) 2) Randomly choose an int a between 1 and N. Determine GCD(a,N), return it and exit if <>1 3) Use a quantum circuit to find the period r 4) If r is odd or ar is the same as -1 Mod N go back to step 2 5) Calculate GCD(a r/2 +1,N) and GCD(a r/2 –1,N)

Step 1: test primality ● Now there is the AKS algorithm, published in 2002 ● At the time of Shor's paper there were a number of classical polynomial algorithms that do this in a way that are either – probabilistic – conditional (depends on unproven theorems like the Reimann hypothesis) – or not general

Step 2: Euclidian algorithm ● A random a and N are coprime if GCD(a,N)=1, if so continue ● Determined by Euclidian algorithm for GCD ● The GCD does not change if the smaller number is subtracted from the larger ● Repeat until one of the numbers is zero ● The nonzero number is the GCD ● Efficient for large numbers

Step 3: Quantum Part ● Create a superposition over x mod N, x 2 mod N, x 3 mod N... and figure out the period ● Start with log 2 N qubits and initialize them to a classical state ● Construct f(x) with quantum gates ● Apply QFT to the input register ● Perform the measurements, oddly enough on both the output register and the input register

Modular arithmetic ● 2 mod 15 = 2 ● 15 goes into 2 zero times, with a remainder of 2 ● 4 mod 15 = 2 ● 15 goes into 4 zero times, with a remainder of 4 ● 17 mod 15 = 2 ● 15 goes into 17 1 time, with a remainder of 2

Computing x r mod N on a QC ● We have the capability of creating a superposition over all integers r from 1 to N ● Given r how do we quickly compute x r mod N for a large N ● Multiplying x by itself trillions of times is a bad idea ● Use repeated squaring: N=17,x=3,r=14 ● r= ● X r =3 14 =3 ( ) =((3 2 ) 2 ) 2 *(3 2 ) 2 *3 2 ● Do all multiplications mod N: 3 14 mod 17=2 ● Create a superposition over all pairs of ints of the form (r, x r mod N)

Shor's Order-finding ● Miller, 1975, showed splitting integers reduces to order finding (probabilistically) ● Order is the least r such that x r is the same as 1 (mod n) ● Or: x r -1 is divisible by n ● Order means the same as period in this case. ● Shor and others refer to this problem as order finding, but it boils down to period finding

Period of a function ● Period of a function is how often the results repeat ● y q mod N is periodic ● Take powers of 2 mod 15 ● 2 1 mod 15, 2 2 mod 15,2 3 mod 15,2 4 mod ● 2,4,8,1,2,4,8,1... ● So the period of this function is 4 ● Could be nearly as large as N ● In this case N could be hundreds or thousands of digits long

More on periods ● We pick a random a < N that does not have a nontrivial factor in common with N (test for such a factor by performing Euclid's algorithm ● N = 15 a=2 f a,N (x)=a x mod N ● x a 0 mod 15=1 mod 15= 1/15 0rem1 ● f mod 15=1 mod 15= 2/15 0rem2 ● Periods: f 2,15 =4 f 4,15 =2 f 3,15 =4

Periods example: 371 ● N=371 a=24 Find: ● the smallest r such that f a,N (r)=a r mod N=1 ● There's a number theory theorem that says once you find a 1, the series repeats ● If f a,N (r)=1 then f a,N (r+1)=f a,N (1) ● Periods f 2,371 =156 f 6,371 =26 f 24,371 =78

Step 4 & 5: From period to factor ● we found the period of x y mod N ● 4) If period r is odd or a r is the same as -1 Mod N, pick new a ● p and q are 2 prime factors of N ● x is a number not divisible by p or q ● sequence repeats with some period that divides (p-1)(q-1) ● Take N=15, p=3 and q=5. (p-1)(q-1)=2*4=8 ● So we know a divisor of (p-1)(q-1), which is a clue to the prime factors of N ● We use several random values of x and put them together to learn a highly probable (p-1)(q-1) ● We use that to find p and q, the numbers we want

Implementing U f a,N with Quantum Gates ● Split U that evaluates f a,N (x) into many smaller operations ● Done by splitting up x

Amplitudes ● Mathematically like probabilities ● Can cancel each other out ● Superposition of states at various amplitudes until read, at which point the probability waves “collapse”

Quantum Fourier Transform (QFT) ● A special kind of Discrete Fourier Transform (DFT) ● A special kind of Fourier Transform ● QFT used in many Quantum Algorithms to read the probability amplitudes ● QFT will show you the highest amplitude

Complexity ● O(n 2 log n log log n) worst case where n is the number of bits ● The bottleneck is evaluating the modular exponent

Catches ● Period finding algorithms don't always work well, particularly where values of periodic function are mostly the same. Maybe not a problem in this case. ● Sometimes returns N and 1 as factors (not useful). ● Answers a random p, probability is proportional to f(p)

So far.. ● 15 factored into 3 and 5 with Shor's algorithm on a 7 qubit NMR machine ● NMR is said to not really allow entanglement ● NMR is supposedly limited to around 10 qubits so that architecture will never be practical ● However, the largest QC so far is a 12-bit NMR ● 300 qubits have 2^300 values, more than the number of atoms in the universe

Different Implementations ● NMR ● Trapped Ion QC ● Linear Optics ● Cavity QED ● Optical Lattice ● Superconducting ● Nitrogen-Vacancy Center ● Quantum Wire ● Quantum Dot (Loss-DiVincenzo)

Improvements ● A Refinement of Shor's Algorithm, David McAnally - “almost absolute certainty” in one run as opposed to originally ● Using fewer Qubits in Shor's Factorization Algorithm via Simultaneous Diophantine Approximation, Jean-Pierre Seifert ● Architecture of a Quantum Multicomputer Optimized for Shor's Factoring Algorithm, 2006, Van Meter ● Many others

References ● “Quantum Computing for Computer Scientists,” Yanofsky, Mannuci, 2008 ● “An introduction to quantum computing,” Kay, LaFlamme, Mosca, 2007 ● quantiki.org ● “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” Shor, 1995

Better Topics ● Deutsch's Algorithm (most instructive) ● Simon's Algorithm (basis for Shor's) ● Quantum Fourier Transform (used often) ● Quantum Gates (to implement algorithms) ● Quantum Algorithms (a brief view of all)

Exam Question ● Q. What portion of Shor's algorithm is the quantum part? ● A. period finding or order finding