Shor’s Factoring Algorithm

Shor’s Factoring Algorithm David Poulin Institute for Quantum Computing & Perimeter Institute for Theoretical Physics Guelph, September 2003

Summary • Some number theory • Shor’s entire algorithm • Quantum circuits • Phase estimation • Quantum Fourier transform • Final circuit David Poulin, IQC & PI

A bit of number theory • Theorem • If a  ±b (mod N) but a2  b2 (mod N) • Then gcd(a+b,N) is a factor of N. • Proof • a2 - b2 0 (mod N) •  (a - b)(a+b) 0 (mod N) • (t) [ (a - b) (a+b) = tN ]  gcd(a+b, N) is a non trivial factor of N. uN vN David Poulin, IQC & PI

Shor’s entire algorithm Easy Easy Easy Easy Easy • N is to be factored: • Choose random x: 2  x  N-1. • If gcd(x,N)  1, Bingo! • Find smallest integer r : xr 1 (mod N) • If r is odd, GOTO 1 • If r is even, a = xr/2 (mod N) • If a = N-1 GOTO 1 • ELSE gcd(a+1,N) is a non trivial factor of N. Hard Easy David Poulin, IQC & PI

Success probability Add this step to Shor’s algorithm: 0. -Test if N=N’2l and apply Shor to N’ -Compute for 2  j  ln2N. If one of these root is integer, apply Shor to this root.  Probability of success  ½. Theorem If N has k different prime factors, probability of success for random x is  1- 1/2k-1. Easy David Poulin, IQC & PI

Classical computing Basic logical unit: the bit 0 or 1 Universal set: (Not-and, Swap, Copy) A Not-and(A B) B A B A Swap Copy A B A A David Poulin, IQC & PI

Bits and Qubits 1 qubit  | +  |1||2 + ||2=1 n qubits (|4- |7) = (|0100- |0111) = |01(|00- |11) Measure  i with probability |ci|2 Classical Quantum 1 bit 0 or 1 n bits 000...0 (0) 000...1 (1) … 111...1 (2n-1) Measure b1b2b3...bn  b1b2b3...bn David Poulin, IQC & PI

Quantum gates |a |a Controlled not: |b if a=0 |b |b if a=1 Universal set: (C-not, U(2) on single qubit) |0  (|0+|1) Ex. One qubit gate: H |1  (|0-|1) David Poulin, IQC & PI

Composing Quantum gates Use linearity of quantum mechanics. |0 H (|0|0 +|1|1) |0 (|0+ |1)  |0 = (|0|0+ |1|0) Any classical computation can be made reversibly (one to one) with poly overhead. Any reversible classical computation can be performed on a quantum computer with poly overhead. David Poulin, IQC & PI

Phase kick back |0 |x s.t. eig. = eix H H |± |± = |0+ eix |1 (|0| ±+ |1| ±) (|0| ±±|1| ±) = (|0±|1)  | ± What are the eigenstates of NOT? (|1+ |0) = |+ |+ = (|0+ |1) ±|± (|1- |0) = - |- |- = (|0- |1) David Poulin, IQC & PI

Phase estimation 4 |0+ei2  |1 … Hn | |0 |0+ei |1 2 3 4 U2 |u |u U2 U2 U2 U In the previous slide, we were able to determine whether  was 0 or . Q: Can me determine any  ? A: We can get the best n bit estimation of /2. David Poulin, IQC & PI

Quantum Fourier Transform So applying F-1 to | will yield |x that is the best n bit estimation of /2. F (binary extension of x/2n mod1) David Poulin, IQC & PI

QFT circuit H R1 R2 H R1 H We define the gate Rk as a -/2k phase gate. |x3 R1 R2 R3 H |x2 |x1 |x0 Note: H = R0 David Poulin, IQC & PI

Multiplication UN,a Consider UN,a : |x  |ax mod N. Then, for k = 1,...,r are eigenstates of UN,a with eigenvalues If we could prepare such a state, we could obtain an estimation of k/r hence of r. It requires the knowledge of r. David Poulin, IQC & PI

Multiplication Consider the sum Since The state |1 is easy to prepare. In what follows, we show that it can be used to get an estimation of k/r for random k. David Poulin, IQC & PI

Phase estimation m F-1 m m Make measurement here to collapse the state to a random |k : get an estimation of k/r for random k. This measurement commutes with the Us so we can perform it after. This measurement is useless! No knowledge of r is needed! Hn |0 2 3 4 U2 |1 U2 U2 U2 U N,a N,a N,a N,a N,a David Poulin, IQC & PI

Shor’s Factoring Algorithm