# Shor's algorithm

This article needs additional citations for verification. (February 2018) (Learn how and when to remove this template message) |

**Shor's algorithm**, named after mathematician Peter Shor, is a quantum algorithm (an algorithm that runs on a quantum computer) for integer factorization, formulated in 1994^{[1]}. Informally, it solves the following problem: Given an integer , find its prime factors.

On a quantum computer, to factor an integer , Shor's algorithm runs in polynomial time (the time taken is polynomial in , the size of the integer given as input).^{[2]} Specifically, it takes quantum gates of order using fast multiplication,^{[3]} thus demonstrating that the integer-factorization problem can be efficiently solved on a quantum computer and is consequently in the complexity class **BQP**. This is almost exponentially faster than the most efficient known classical factoring algorithm, the general number field sieve, which works in sub-exponential time — .^{[4]} The efficiency of Shor's algorithm is due to the efficiency of the quantum Fourier transform, and modular exponentiation by repeated squarings.

If a quantum computer with a sufficient number of qubits could operate without succumbing to quantum noise and other quantum-decoherence phenomena, then Shor's algorithm could be used to break public-key cryptography schemes, such as the widely-used RSA scheme. RSA is based on the assumption that factoring large integers is computationally intractable; as far as is known, this assumption is valid for classical (non-quantum) computers; no classical algorithm is known that can factor integers in polynomial time. However, Shor's algorithm shows that factoring integers is efficient on an ideal quantum computer, so it may be feasible to defeat RSA by constructing a large quantum computer, it was also a powerful motivator for the design and construction of quantum computers, and for the study of new quantum-computer algorithms. It has also facilitated research on new cryptosystems that are secure from quantum computers, collectively called post-quantum cryptography.

In 2001, Shor's algorithm was demonstrated by a group at IBM, who factored into , using an NMR implementation of a quantum computer with qubits.^{[5]} After IBM's implementation, two independent groups implemented Shor's algorithm using photonic qubits, emphasizing that multi-qubit entanglement was observed when running the Shor's algorithm circuits.^{[6]}^{[7]} In 2012, the factorization of was performed with solid-state qubits.^{[8]} Also, in 2012, the factorization of was achieved, setting the record for the largest integer factored with Shor's algorithm.^{[9]} In April 2012, the factorization of was achieved, although this used adiabatic quantum computation rather than Shor's algorithm.^{[10]} In November 2014, it was discovered that this 2012 adiabatic quantum computation had also factored larger numbers, the largest being ,^{[11]}^{[12]} (this number is equal to ).

## Contents

## Procedure[edit]

The problem that we are trying to solve is, given an odd composite number , find an integer , strictly between and , that divides . We are interested in odd values of because any even value of trivially has as a prime factor. Also, any whose digits are a multiple of 3, is trivially divisible by 3. Any ending on 5 is also divisible by 5. Excluding those trivial cases, we can use a primality-testing algorithm to ensure that is indeed composite.

Moreover, for the algorithm to work, we need not to be any power of a prime. This can be tested by checking that is not an integer for any .

Since is not a power of a prime, it is the product of two coprime integers greater than . As a consequence of the Chinese remainder theorem, the number has at least four distinct square roots modulo , two of which are and . The aim of the algorithm is to find a square root that is different from and ; such a will lead to a factorization of , as in other factoring algorithms, like the quadratic sieve.

In turn, finding such a is reduced to finding an element of even period with a certain additional property (as explained below, it is required that the condition of Step 6 of the classical part does not hold). The quantum algorithm is used for finding the period of randomly chosen elements , as this is a hard problem on a classical computer.

Shor's algorithm consists of two parts:

- A reduction, which can be done on a classical computer, of the factoring problem to the problem of order-finding.
- A quantum algorithm to solve the order-finding problem.

### Classical part[edit]

- Pick a random number .
- Compute , the greatest common divisor of and . This may be done using the Euclidean algorithm.
- If , then this number is a nontrivial factor of , so we are done.
- Otherwise, use the quantum period-finding subroutine (below) to find , which denotes the period of the following function:
- If is odd, then go back to step 1.
- If , then go back to step 1.
- Otherwise, at least one of and is a nontrivial factor of , so we are done.

For example: Given , , and , we have , where and . For that is a product of two distinct primes, and , the value of is just , which for is . Note that divides .

### Quantum part: period-finding subroutine[edit]

This section may be too technical for most readers to understand. Please help improve it to make it understandable to non-experts, without removing the technical details. (February 2014) (Learn how and when to remove this template message) |

The quantum circuits used for this algorithm are custom designed for each choice of and each choice of the random used in . Given , find such that , which implies that . The input and output qubit registers need to hold superpositions of values from to , and so have qubits each. Using what might appear to be twice as many qubits as necessary guarantees that there are at least different values of that produce the same , even as the period approaches .

Proceed as follows:

- Initialize the registers to
- Construct as a quantum function and apply it to the above state, to obtain
- Apply the inverse quantum Fourier transform to the input register. This transform (operating on a superposition of states) uses a -th root of unity such as to distribute the amplitude of any given state equally among all of the states, and to do so in a different way for each different . We thus obtain
- be a -th root of unity,
- be the period of ,
- be the smallest of the for which (we actually have ), and
- indexes these , running from to , so that .

*different path to the same result*, and quantum interference occurs — constructive when the unit vectors point in nearly the same direction in the complex plane, which requires that point along the positive real axis. - Perform a measurement. We obtain some outcome in the input register and some outcome in the output register. As is periodic, the probability of measuring some state is given by
- Since is close to some integer , the known value is close to the unknown value . Performing [classical] continued fraction expansion on allows us to find approximations of it that satisfy two conditions:
Given these conditions (and assuming is irreducible), is very likely to be the appropriate period , or at least a factor of it.
- .
- .

- Check (classically) if . If so, then we are done.
- Otherwise, (classically) obtain more candidates for by using multiples of , or by using other with near . If any candidate works, then we are done.
- Otherwise, try again starting from step 1 of this subroutine.

## Explanation of the algorithm[edit]

The algorithm is composed of two parts; the first part of the algorithm turns the factoring problem into the problem of finding the period of a function, and may be implemented classically. The second part finds the period using the quantum Fourier transform, and is responsible for the quantum speedup.

### Obtaining factors from period[edit]

The integers less than and coprime with form the multiplicative group of integers modulo , which is a finite abelian group . The size of this group is given by . By the end of step 3, we have an integer in this group. As the group is finite, must have a finite order , which is the smallest positive integer such that

Therefore, divides (also written ). Suppose that we are able to obtain and that it is even. (If is odd, then see step 5.) Now is a square root of modulo that is different from . This is because is the order of modulo , so , or else the order of in this group would be . If , then by step 6, we have to restart the algorithm with a different random number .

Eventually, we must hit an of order in such that . This is because such a is a square root of modulo other than and , whose existence is guaranteed by the Chinese remainder theorem, as is not a prime power.

We claim that is a proper factor of , i.e., . In fact, if , then divides , so that , which goes against the construction of . If, on the other hand, , then by Bézout's identity, there are integers such that

Multiplying both sides by , we obtain

As divides , we find that divides , so that , again contradicting the construction of .

Therefore, is the required proper factor of .

### Finding the period[edit]

Shor's period-finding algorithm relies heavily on the ability of a quantum computer to be in many states simultaneously. Physicists call this behavior a "superposition" of states. To compute the period of a function , we evaluate the function at all points simultaneously.

Quantum physics does not allow us to access all this information directly, though. A measurement will yield only one of all possible values, destroying all others. If not for the no cloning theorem, we could first measure without measuring , and then make a few copies of the resulting state (which is a superposition of states all having the same ). Measuring on these states would provide different values which give the same , leading to the period. Because we cannot make exact copies of a quantum state, this method does not work. Therefore, we have to carefully transform the superposition to another state that will return the correct answer with high probability; this is achieved by the quantum Fourier transform.

Shor thus had to solve three "implementation" problems. All of them had to be implemented "fast", which means that they can be implemented with a number of quantum gates that is polynomial in .

- Create a superposition of states. This can be done by applying Hadamard gates to all qubits in the input register. Another approach would be to use the quantum Fourier transform (see below).
- Implement the function as a quantum transform. To achieve this, Shor used repeated squaring for his modular exponentiation transformation, it is important to note that this step is more difficult to implement than the quantum Fourier transform, in that it requires ancillary qubits and substantially more gates to accomplish.
- Perform a quantum Fourier transform. By using controlled rotation gates and Hadamard gates, Shor designed a circuit for the quantum Fourier transform (with ) that uses just gates.
^{[13]}

After all these transformations a measurement will yield an approximation to the period . For simplicity assume that there is a such that is an integer. Then the probability to measure is . To see this, we notice that then

for all integers . Therefore, the sum whose square gives us the probability to measure will be , as takes roughly values and thus the probability is . There are possible values of such that is an integer, and also possibilities for , so the probabilities sum to .

Note: Another way to explain Shor's algorithm is by noting that it is just the quantum phase estimation algorithm in disguise.

### The bottleneck[edit]

The runtime bottleneck of Shor's algorithm is quantum modular exponentiation, which is by far slower than the quantum Fourier transform and classical pre-/post-processing. There are several approaches to constructing and optimizing circuits for modular exponentiation; the simplest and (currently) most practical approach is to mimic conventional arithmetic circuits with reversible gates, starting with ripple-carry adders. Knowing the base and the modulus of exponentiation facilitates further optimizations.^{[14]}^{[15]} Reversible circuits typically use on the order of gates for qubits. Alternative techniques asymptotically improve gate counts by using quantum Fourier transforms, but are not competitive with fewer than 600 qubits due to high constants.

## Discrete logarithms[edit]

Given prime with generator where , suppose we know that , for some , and we wish to compute , which is the discrete logarithm: . Consider the abelian group , where each factor corresponds to modular multiplication of nonzero values, assuming is prime. Now, consider the function

This gives us an abelian hidden subgroup problem, as corresponds to a group homomorphism. The kernel corresponds to modular multiples of . So, if we can find the kernel, we can find .

## In popular culture[edit]

On the television show *Stargate Universe*, the lead scientist, Dr. Nicholas Rush, hoped to use Shor's algorithm to crack *Destiny'*s master code, he taught a quantum cryptography class at the University of California, Berkeley, in which Shor's algorithm was studied.

In the animated film *Summer Wars*, the character Kenji Koiso reads an article titled "Shor's Factorization Algorithm" while riding on a train, foreshadowing his ability to understand and calculate complex equations.

In the TV series *The Big Bang Theory* it was mentioned in a Physics bowl competition in season 1 episode 13.

## See also[edit]

- In 2017, Daniel J. Bernstein et al. proposed a factorization algorithm known as GEECM said to be "often much faster than Shor's".
^{[16]}

## References[edit]

**^**Shor, P.W. "Algorithms for quantum computation: discrete logarithms and factoring".*Proceedings 35th Annual Symposium on Foundations of Computer Science*. IEEE Comput. Soc. Press. doi:10.1109/sfcs.1994.365700. ISBN 0818665807.**^**See also pseudo-polynomial time.**^**Beckman, David; Chari, Amalavoyal N.; Devabhaktuni, Srikrishna; Preskill, John (1996). "Efficient Networks for Quantum Factoring" (PDF).*Physical Review A*.**54**(2): 1034–1063. arXiv:quant-ph/9602016. Bibcode:1996PhRvA..54.1034B. doi:10.1103/PhysRevA.54.1034.**^**"Number Field Sieve".*wolfram.com*. Retrieved 23 October 2015.**^**Vandersypen, Lieven M. K.; Steffen, Matthias; Breyta, Gregory; Yannoni, Costantino S.; Sherwood, Mark H. & Chuang, Isaac L. (2001), "Experimental realization of Shor's quantum factoring algorithm using nuclear magnetic resonance" (PDF),*Nature*,**414**(6866): 883–887, arXiv:quant-ph/0112176, Bibcode:2001Natur.414..883V, CiteSeerX 10.1.1.251.8799, doi:10.1038/414883a, PMID 11780055**^**Lu, Chao-Yang; Browne, Daniel E.; Yang, Tao & Pan, Jian-Wei (2007), "Demonstration of a Compiled Version of Shor's Quantum Factoring Algorithm Using Photonic Qubits" (PDF),*Physical Review Letters*,**99**(25): 250504, arXiv:0705.1684, Bibcode:2007PhRvL..99y0504L, doi:10.1103/PhysRevLett.99.250504, PMID 18233508**^**Lanyon, B. P.; Weinhold, T. J.; Langford, N. K.; Barbieri, M.; James, D. F. V.; Gilchrist, A. & White, A. G. (2007), "Experimental Demonstration of a Compiled Version of Shor's Algorithm with Quantum Entanglement" (PDF),*Physical Review Letters*,**99**(25): 250505, arXiv:0705.1398, Bibcode:2007PhRvL..99y0505L, doi:10.1103/PhysRevLett.99.250505, PMID 18233509**^**Lucero, Erik; Barends, Rami; Chen, Yu; Kelly, Julian; Mariantoni, Matteo; Megrant, Anthony; O'Malley, Peter; Sank, Daniel; Vainsencher, Amit; Wenner, James; White, Ted; Yin, Yi; Cleland, Andrew N.; Martinis, John M. (2012). "Computing prime factors with a Josephson phase qubit quantum processor".*Nature Physics*.**8**(10): 719. arXiv:1202.5707. Bibcode:2012NatPh...8..719L. doi:10.1038/nphys2385.**^**Martín-López, Enrique; Martín-López, Enrique; Laing, Anthony; Lawson, Thomas; Alvarez, Roberto; Zhou, Xiao-Qi; O'Brien, Jeremy L. (12 October 2012). "Experimental realization of Shor's quantum factoring algorithm using qubit recycling".*Nature Photonics*.**6**(11): 773–776. arXiv:1111.4147. Bibcode:2012NaPho...6..773M. doi:10.1038/nphoton.2012.259. Retrieved October 23, 2012.**^**Nanyang Xu; Jing Zhu; Dawei Lu; Xianyi Zhou; Xinhua Peng; Jiangfeng Du (30 March 2012). "Quantum Factorization of on a Dipolar-Coupling Nuclear Magnetic Resonance System".*Physical Review Letters*.**108**(13): 130501. Bibcode:2012PhRvL.108m0501X. doi:10.1103/PhysRevLett.108.130501. PMID 22540684.CS1 maint: Uses authors parameter (link)**^**Zyga, Lisa (28 November 2014). "New largest number factored on a quantum device is ".*Phys.org*. Science X Network. Retrieved 4 August 2015.**^**Nikesh S. Dattani; Nathaniel Bryans (November 2014). "Quantum factorization of with only qubits". arXiv:1411.6758 [quant-ph].**^**Shor 1999, p. 14**^**Markov, Igor L.; Saeedi, Mehdi (2012). "Constant-Optimized Quantum Circuits for Modular Multiplication and Exponentiation".*Quantum Information and Computation*.**12**(5–6): 361–394. arXiv:1202.6614. Bibcode:2012arXiv1202.6614M.**^**Markov, Igor L.; Saeedi, Mehdi (2013). "Faster Quantum Number Factoring via Circuit Synthesis".*Phys. Rev. A*.**87**(1): 012310. arXiv:1301.3210. Bibcode:2013PhRvA..87a2310M. doi:10.1103/PhysRevA.87.012310.**^**Bernstein, Daniel J.; Heninger, Nadia; Lou, Paul; Valenta, Luke (2017). "Post-quantum RSA" (PDF).*International Workshop on Post-Quantum Cryptography*: 311–329. Archived (PDF) from the original on 2017-04-20.

## Further reading[edit]

This article includes a list of references, but its sources remain unclear because it has insufficient inline citations. (September 2010) (Learn how and when to remove this template message) |

- Nielsen, Michael A. & Chuang, Isaac L. (2010),
*Quantum Computation and Quantum Information, 10th Anniversary Edition*, Cambridge University Press, ISBN 9781107002173. - Phillip Kaye, Raymond Laflamme, Michele Mosca,
*An introduction to quantum computing*, Oxford University Press, 2007, ISBN 0-19-857049-X - "Explanation for the man in the street" by Scott Aaronson, "approved" by Peter Shor. (Shor wrote "Great article, Scott! That’s the best job of explaining quantum computing to the man on the street that I’ve seen."). An alternate metaphor for the QFT was presented in one of the comments. Scott Aaronson suggests the following 12 references as further reading (out of "the 10
^{105000}quantum algorithm tutorials that are already on the web."): - Shor, Peter W. (1997), "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer",
*SIAM J. Comput.*,**26**(5): 1484–1509, arXiv:quant-ph/9508027v2, Bibcode:1999SIAMR..41..303S, doi:10.1137/S0036144598347011. Revised version of the original paper by Peter Shor ("28 pages, LaTeX; this is an expanded version of a paper that appeared in the Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, Nov. 20--22, 1994. Minor revisions made January, 1996"). - Quantum Computing and Shor's Algorithm, Matthew Hayward's Quantum Algorithms Page, 2005-02-17, imsa.edu, LaTeX2HTML version of the original LaTeX document, also available as PDF or postscript document.
- Quantum Computation and Shor's Factoring Algorithm, Ronald de Wolf, CWI and University of Amsterdam, January 12, 1999, 9 page postscript document.
- Shor's Factoring Algorithm, Notes from Lecture 9 of Berkeley CS 294-2, dated 4 Oct 2004, 7 page postscript document.
- Chapter 6 Quantum Computation, 91 page postscript document, Caltech, Preskill, PH229.
- Quantum computation: a tutorial by Samuel L. Braunstein.
- The Quantum States of Shor's Algorithm, by Neal Young, Last modified: Tue May 21 11:47:38 1996.
- III. Breaking RSA Encryption with a Quantum Computer: Shor's Factoring Algorithm, Lecture notes on Quantum computation, Cornell University, Physics 481-681, CS 483; Spring, 2006 by N. David Mermin. Last revised 2006-03-28, 30 page PDF document.
- Lavor, C.; Manssur, L. R. U.; Portugal, R. (2003). "Shor's Algorithm for Factoring Large Integers". arXiv:quant-ph/0303175.
- Lomonaco, Jr (2000). "Shor's Quantum Factoring Algorithm". arXiv:quant-ph/0010034. This paper is a written version of a one-hour lecture given on Peter Shor's quantum factoring algorithm. 22 pages.
- Chapter 20 Quantum Computation, from
*Computational Complexity: A Modern Approach*, Draft of a book: Dated January 2007, Comments welcome!, Sanjeev Arora and Boaz Barak, Princeton University. - A Step Toward Quantum Computing: Entangling 10 Billion Particles, from "Discover Magazine", Dated January 19, 2011.
- Josef Gruska -
*Quantum Computing Challenges*also in Mathematics unlimited: 2001 and beyond, Editors Björn Engquist, Wilfried Schmid, Springer, 2001, ISBN 978-3-540-66913-5

## External links[edit]

- Version 1.0.0 of libquantum: contains a C language implementation of Shor's algorithm with their simulated quantum computer library, but the width variable in shor.c should be set to 1 to improve the runtime complexity.
- PBS Infinite Series created two videos explaining the math behind Shor's algorithm, "How to Break Cryptography" and "Hacking at Quantum Speed with Shor's Algorithm".