Download presentation
Presentation is loading. Please wait.
Published byMerryl Joseph Modified over 8 years ago
1
Shor's Factorization Algorithm Keith Kelley, CS 6800
2
Why is Shor's interesting? ● Shor's produces the prime factors of an integer in polynomial time and space ● The RSA encryption algorithm is based on a large integer (hundreds or thousands of digits) that is the product of two large primes ● Since Shor's is exponentially faster than known classical algorithms, it breaks RSA, which counts on the difficulty of this task ● Basically all the encryption on the Internet is RSA based: SSL/https, SSH, etc.
3
Factoring with a Digital Computer ● General Number Field Sieve O(e (64b/9) 1/3 (log b) 2/3 ) where b is the number of bits ● RSA factoring challenge results: ~200 digits in several months ● Any number of different algorithms for special types of numbers ● No number of processors or computers makes the processing needs reasonable as digits increase
4
Structure of a Quantum Algorithm ● Qubits start in a classical state ● System put in a superposition of many states ● Superposition acted on with unitary operations ● Qubits are measured
5
Unitary Operations ● Classical operations convert one bit string to another ● QC operations are unitary operations ● Unitary operations are reversible ● Unitary operations can take a bit string into or out of a superposition
6
Deutsch's Algorithm (1985) ● Basically the inspiration for all QC algorithms ● Determines whether functions from {0,1} to {0,1} (of which there are only four) are constant (f(0)=f(1)) or balanced (1:1) ● Deutsch-Jozsa (the generalized version for f{0,1} n ->{0,1}) gives an answer that is always correct with one evaluation of f. A classical method would require 2 n-1 +1 evaluations ● Started probabilistic, improved to be deterministic
7
Simon's Algorithm (1994) ● Simon's algorithm was the main inspiration for Shor's algorithm ● Exponentially faster than any known classical algorithm ● A classical solution requires roughly 2 n/2 executions vs O(n) executions for Simon's ● Simon's finds the period of a function ● The period P of a function is given by: ● f(x+P) = f(x)
8
Problem Reduction ● Breaking RSA reduces to finding prime factors of a large integer ● The factoring problem reduces to finding the period of a certain function
9
Shor's Vital Statistics ● Input: a positive integer N ● Output: a factor p of N ● Time Complexity: O((log N) 3 ), specifically O(n 2 log n log log n) where n is bits needed to represent N ● Space Complexity: O(log N) ● Probabilistic like most QC algorithms, not deterministic - gets the answer with constant probability in a constant number of passes
10
Shor's algorithm – steps ● 5 steps according to Quantum Computing For Computer Scientists ● 2 parts – classical and quantum – quantiki – Classical: 7 parts – Quantum: period finding – 8 parts ● 8 steps according to “A precise estimation of the computational complexity in Shor's factoring algorithm”, 2004. Kuriyama, Sano, Furuichi ● 7 steps according to “A pseudo-simulation of Shor’s quantum factoring algorithm”, Schneiderman, Stanley and Aravind ● 6 steps according to Scott Aarsonson's “Shor I'll do it”
11
Shor's Steps 1) Use a classical Polynomial algorithm to determine if N is prime or a power of a prime (if so exit) 2) Randomly choose an int a between 1 and N. Determine GCD(a,N), return it and exit if <>1 3) Use a quantum circuit to find the period r 4) If r is odd or ar is the same as -1 Mod N go back to step 2 5) Calculate GCD(a r/2 +1,N) and GCD(a r/2 –1,N)
12
Step 1: test primality ● Now there is the AKS algorithm, published in 2002 ● At the time of Shor's paper there were a number of classical polynomial algorithms that do this in a way that are either – probabilistic – conditional (depends on unproven theorems like the Reimann hypothesis) – or not general
13
Step 2: Euclidian algorithm ● A random a and N are coprime if GCD(a,N)=1, if so continue ● Determined by Euclidian algorithm for GCD ● The GCD does not change if the smaller number is subtracted from the larger ● Repeat until one of the numbers is zero ● The nonzero number is the GCD ● Efficient for large numbers
14
Step 3: Quantum Part ● Create a superposition over x mod N, x 2 mod N, x 3 mod N... and figure out the period ● Start with log 2 N qubits and initialize them to a classical state ● Construct f(x) with quantum gates ● Apply QFT to the input register ● Perform the measurements, oddly enough on both the output register and the input register
15
Modular arithmetic ● 2 mod 15 = 2 ● 15 goes into 2 zero times, with a remainder of 2 ● 4 mod 15 = 2 ● 15 goes into 4 zero times, with a remainder of 4 ● 17 mod 15 = 2 ● 15 goes into 17 1 time, with a remainder of 2
16
Computing x r mod N on a QC ● We have the capability of creating a superposition over all integers r from 1 to N ● Given r how do we quickly compute x r mod N for a large N ● Multiplying x by itself trillions of times is a bad idea ● Use repeated squaring: N=17,x=3,r=14 ● r=2 3 + 2 2 + 2 1 ● X r =3 14 =3 (2 3 + 2 2 +2 1 ) =((3 2 ) 2 ) 2 *(3 2 ) 2 *3 2 ● Do all multiplications mod N: 3 14 mod 17=2 ● Create a superposition over all pairs of ints of the form (r, x r mod N)
17
Shor's Order-finding ● Miller, 1975, showed splitting integers reduces to order finding (probabilistically) ● Order is the least r such that x r is the same as 1 (mod n) ● Or: x r -1 is divisible by n ● Order means the same as period in this case. ● Shor and others refer to this problem as order finding, but it boils down to period finding
18
Period of a function ● Period of a function is how often the results repeat ● y q mod N is periodic ● Take powers of 2 mod 15 ● 2 1 mod 15, 2 2 mod 15,2 3 mod 15,2 4 mod 15... ● 2,4,8,1,2,4,8,1... ● So the period of this function is 4 ● Could be nearly as large as N ● In this case N could be hundreds or thousands of digits long
19
More on periods ● We pick a random a < N that does not have a nontrivial factor in common with N (test for such a factor by performing Euclid's algorithm ● N = 15 a=2 f a,N (x)=a x mod N ● x 0 1 2 3 4 a 0 mod 15=1 mod 15= 1/15 0rem1 ● f 1 2 4 8 1 2 1 mod 15=1 mod 15= 2/15 0rem2 ● Periods: f 2,15 =4 f 4,15 =2 f 3,15 =4
20
Periods example: 371 ● N=371 a=24 Find: ● the smallest r such that f a,N (r)=a r mod N=1 ● There's a number theory theorem that says once you find a 1, the series repeats ● If f a,N (r)=1 then f a,N (r+1)=f a,N (1) ● Periods f 2,371 =156 f 6,371 =26 f 24,371 =78
21
Step 4 & 5: From period to factor ● we found the period of x y mod N ● 4) If period r is odd or a r is the same as -1 Mod N, pick new a ● p and q are 2 prime factors of N ● x is a number not divisible by p or q ● sequence repeats with some period that divides (p-1)(q-1) ● Take N=15, p=3 and q=5. (p-1)(q-1)=2*4=8 ● So we know a divisor of (p-1)(q-1), which is a clue to the prime factors of N ● We use several random values of x and put them together to learn a highly probable (p-1)(q-1) ● We use that to find p and q, the numbers we want
22
Implementing U f a,N with Quantum Gates ● Split U that evaluates f a,N (x) into many smaller operations ● Done by splitting up x
23
Amplitudes ● Mathematically like probabilities ● Can cancel each other out ● Superposition of states at various amplitudes until read, at which point the probability waves “collapse”
24
Quantum Fourier Transform (QFT) ● A special kind of Discrete Fourier Transform (DFT) ● A special kind of Fourier Transform ● QFT used in many Quantum Algorithms to read the probability amplitudes ● QFT will show you the highest amplitude
25
Complexity ● O(n 2 log n log log n) worst case where n is the number of bits ● The bottleneck is evaluating the modular exponent
26
Catches ● Period finding algorithms don't always work well, particularly where values of periodic function are mostly the same. Maybe not a problem in this case. ● Sometimes returns N and 1 as factors (not useful). ● Answers a random p, probability is proportional to f(p)
27
So far.. ● 15 factored into 3 and 5 with Shor's algorithm on a 7 qubit NMR machine ● NMR is said to not really allow entanglement ● NMR is supposedly limited to around 10 qubits so that architecture will never be practical ● However, the largest QC so far is a 12-bit NMR ● 300 qubits have 2^300 values, more than the number of atoms in the universe
28
Different Implementations ● NMR ● Trapped Ion QC ● Linear Optics ● Cavity QED ● Optical Lattice ● Superconducting ● Nitrogen-Vacancy Center ● Quantum Wire ● Quantum Dot (Loss-DiVincenzo)
29
Improvements ● A Refinement of Shor's Algorithm, David McAnally - “almost absolute certainty” in one run as opposed to 20-30 originally ● Using fewer Qubits in Shor's Factorization Algorithm via Simultaneous Diophantine Approximation, Jean-Pierre Seifert ● Architecture of a Quantum Multicomputer Optimized for Shor's Factoring Algorithm, 2006, Van Meter ● Many others
30
References ● “Quantum Computing for Computer Scientists,” Yanofsky, Mannuci, 2008 ● “An introduction to quantum computing,” Kay, LaFlamme, Mosca, 2007 ● quantiki.org ● “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” Shor, 1995
31
Better Topics ● Deutsch's Algorithm (most instructive) ● Simon's Algorithm (basis for Shor's) ● Quantum Fourier Transform (used often) ● Quantum Gates (to implement algorithms) ● Quantum Algorithms (a brief view of all)
32
Exam Question ● Q. What portion of Shor's algorithm is the quantum part? ● A. period finding or order finding
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.