Quantum Computing (CST Part II)

Lecture 10: Application 1 of QFT / QPE: Factoring

The problem of distinguishing prime numbers from composites, and

of resolving composite numbers into their prime factors, is one of the
most important and useful in all of arithmetic.
Carl Friedrich Gauss

1 / 18
Resources for this lecture

Nielsen and Chuang p226–235 covers the material of this lecture.

2 / 18
Public-key cryptography

decrypt encrypt
private public

In public-key cryptography Alice publishes a public key, which Bob

uses to encode a message. Alice then uses her private key to decrypt
the message.
This relies on the asymmetry of the cryptography: it is easy to
encrypt the message using the public key, but hard to decrypt it
without knowledge of the private key.
This in turn relies on the existence of one-way functions.

3 / 18
One-way functions

One way function are functions that are easy to perform “forward”,
but hard to invert.
For example, the RSA public-key cryptosystem uses factoring as a
one-way function: multiplying two prime number p and q to give a
composite number N is easy, but the inverse, factoring a composite
number N into factors p and q is mathematically difficult.
In fact, the best known classical algorithm for factoring, the number
field sieve, requires exp(Θ(n1/3 log2/3 n)) operations, where
n = dlog2 N e, i.e., the number of bits required to express N .
For cryptographic applications it is crucial that the mathematical
definition of one-way functions is that they must be hard to invert
on average, not just in the worst case.

4 / 18
Factoring quantum mechanically

In 1994 Peter Shor invented a

quantum algorithm which can
factor numbers in polynomial time.
This remains one of the (or
probably the) most important and
impressive potential application of
quantum computing.

www.quora.com/profile/Peter-Shor

Peter Shor

5 / 18
Shor’s factoring algorithm

For factoring a n-bit composite integer N .

1. Is N even? If so, output 2 and stop.

2. There is an efficient classical algorithm to check whether N = cl for
some integers c, l ≥ 2 and compute c if so. Run this classical
algorithm and output c if obtained and stop.
3. If N is neither even nor a prime power, randomly choose
1 < x < N , and compute s = gcd(x; N ) (i.e., the greatest common
divisor) using Euclid’s division algorithm. If s 6= 1 output s, which is
a factor of N , and stop.
4. If s = 1 (i.e. x and N are co-prime), find the order r of the function
x mod N .
5. If r is odd, go back to step 3 and pick a different random number x.
If r is even then perform efficient classical post-processing to extract
a factor of N to output and stop.

6 / 18
Order finding

For co-prime positive integers x and N , such that x < N , the order of x
modulo N is defined to be the least positive integer r such that xr = 1
mod N .

Order finding is itself believed to be a hard problem classically.

We will now show how quantum phase estimation can be used to
find the order efficiently using a quantum computer.

7 / 18
Order finding using quantum phase estimation
To find the order of x modulo N quantumly, we simply apply QPE using
the unitary:
U |yi = |(xy) mod N i
where y is an integer such that 0 ≤ y < N .
U is unitary when x and N are co-prime because U is merely a
permutation matrix (i.e., it has exactly one 1 in each column and each
row). To see this, consider the following argument (in which y1 6= y2 ):

If U |y1 i = U |y2 i, then xy1 = xy2 + kN for some integer k 6= 0.

Therefore y1 − y2 = kN kN
x , i.e., x is an integer. However, as N and x are
co-prime, the least (positive) integer k which satisfies this is k = x, i.e.,
y1 − y2 = N (or y2 − y1 = N ). So it cannot be the case that
0 ≤ y1 , y2 < N .
So it follows, that for each integer y such that 0 ≤ y < N , U |yi
gives a different integer between 0 and N − 1 inclusive, so U is a
permutation matrix.
For completeness, for N ≤ y < 2n , we define U |yi → y.

8 / 18
Quantum phase estimation with U |yi = |(xy) mod N i
Recall that the QPE circuit is thus:

1 𝑡−1 𝜙)
0 H ( 0 +𝑒 2𝜋𝑖(2 1)
First 2
register 1 1 𝜙)
t qubits 0 H ( 0 +𝑒 2𝜋𝑖(2 1)
2
0 1 0 𝜙)
H ( 0 +𝑒 2𝜋𝑖(2 1)
2
Second 𝑢 0 1 𝑡−1
𝑈2 𝑈2 𝑈2 𝑢
register

j
To perform QPE we need to implement controlled-U 2 gates and prepare
the second register in an eigenstate of U . However, regarding the first of
these, if we were simply to take a naive approach, we would incur an
exponential amount of operations.

9 / 18
 j
Implementing the series of controlled-U 2 gates

There are a few variations on the method used to implement the series of
j
controlled-U 2 gates, so here we present one which can be (relatively)
easily understood. We begin by noting:
j j
U 2 |yi = |(x2 y) mod N i
2j
= |((x mod N )y) mod N i

Therefore:
j
1. We first pre-compute x2 mod N for all j, 0 ≤ j ≤ t − 1 (this is
known as modular exponentiation).
2. We then use these pre-computed values to implement the unitary
j
operation |yi → |((x2 mod N )y) mod N i (controlled as
appropriate) for all j, 0 ≤ j ≤ t − 1 in sequence as required.

10 / 18
 j
Complexity of implementing the controlled-U 2 gates
Noting that multiplication takes O(m2 ) operations, where m is the
number of bits needed to specify the numbers being multiplied, the
computational complexity of the two steps required to implement the
j
controlled-U 2 gates is therefore as follows:
j
1. Pre-computing x2 mod N for all j, 0 ≤ j ≤ t − 1 can be achieved
by repeated modular squaring of x – i.e., a total of t squaring
j
operations. Note that x2 mod N < N , so a maximum of n bits
are needed to specify the numbers being squared, so the total
number of operations required is O(n2 t).
j
2. With the pre-computed values of x2 mod N we need to implement
j
the multiplication ((x2 mod N )y) mod N for all j,
0 ≤ j ≤ t − 1, i.e., t times in total. y < N , so a total of n bits are
required to express each of the numbers being multiplied, therefore
the complexity of this step is also O(n2 t).

To extract the order from the phase it suffices that t ∈ O(n), so putting
these together we have that the number of operations required to
j
perform the series of controlled-U 2 gates is O(n3 ).
11 / 18
The eigenvalues of U
QPE also requires that we prepare the input to the series of
j
controlled-U 2 gates in an eigenstate of U . States defined by:
r−1
1 X −2πisk/r k
|us i = √ e |x mod N i
r
k=0
for 0 ≤ s ≤ r − 1 are eigenstates of U , because:
r−1
1 X −2πisk/r k+1
U |us i = √ e |x mod N i
r
k=0
r
1 X
=√ e−2πis(k−1)/r |xk mod N i
r
k=1
r
1 X −2πisk/r k
= e2πis/r √ e |x mod N i
r
k=1
r−1
1 X −2πisk/r k
= e2πis/r √ e |x mod N i
r
k=0

= e2πis/r |us i
12 / 18
A superposition of eigenstates of U
To prepare an eigenstate as defined on the previous slide requires
knowledge of r, which we clearly don’t have, so instead we prepare an
equal superposition of eigenstates for 0 ≤ s ≤ r − 1:
r−1 r−1 r−1
1 X 1 X 1 X −2πisk/r k
√ |us i = √ √ e |x mod N i
r s=0 r s=0 r k=0
 
!
r−1 r−1 X
r−1
1 X 0 0 X 
= e |x mod N i + e−2πisk/r |xk mod N i

r  s=0

k=1 s=0

| {z }
=0 when k>0
1
= r |1i
r
= |1i

Which is a state that can be prepared easily.

13 / 18
Order finding: quantum circuit
We previously saw that |us i has eigenvalue e2πis/r – i.e., its phase is s/r,
so we now run QPE, with the second register in the state |1i (note this is
|1i such that 1 is an n-bit binary number, rather than simply [0, 1]T ).

0 H⊗𝑡 QFT†
𝑗

1 𝑥 𝑗 mod 𝑁

The measurements will collapse the state into one of the eigenstate
components of |1i because each digital eigenvalue phase estimation in
the first register will be entangled with its corresponding eigenvector in
the second register:
r−1 r−1
1 X ⊗n 1 X g
√ |0i |us i → √ |s/ri |us i
r s=0 r s=0

Thus QPE returns an estimate of the phase s/r g for some (unknown)
integer s, however there is a classical algorithm (the continued fractions
algorithm) that can extract r from s/r
g with high probability.
14 / 18
Reduction of factoring to order-finding
From the order-finding subroutine we have found r such that xr
mod N = 1, i.e.,
(xr − 1) mod N = 0
If r is even this factorises:

(xr/2 − 1)(xr/2 + 1) mod N = 0

For which there are four possibilities:

1. xr/2 = 1 mod N : but we know this cannot actually occur, as r is
the least integer satisfying xr = 1 mod N .
2. xr/2 = −1 mod N : in which case the algorithm fails.
3. (xr/2 − 1)(xr/2 + 1) = N in which case (xr/2 − 1) and (xr/2 + 1)
are factors that we output.
4. (xr/2 − 1)(xr/2 + 1) = kN for some k ≥ 2, in which case there is a
result that guarantees that one of gcd((xr/2 + 1); N ) or
gcd((xr/2 − 1); N ) is a non-trivial factor of N , which we can run
Euclid’s algorithm to find and then output.

15 / 18
Shor’s algorithm: success probability

A single run of Shor’s algorithm only returns a factor with a certain

probability. In particular:
1. The order-finding subroutine could return even r.
2. The order-finding subroutine could return r such that xr/2 = −1
mod N .
3. It is possible that the classical post-processing required to extract
the order from the phase can fail.

The probability that r is such that neither of the first two occur is at
least one half. The probability that the order-finding subroutine is such
that the classical post-processing correctly returns the order is at least
1 −  for some constant .
Therefore a single run of Shor’s algorithm correctly returns a factor with
probability O(1), which is acceptable, as the expected number of
iterations needed to find a factor does not grow with n.

16 / 18
Shor’s algorithm: computational complexity
Recall that the best classical algorithm for factoring requires
exp(Θ(n1/3 log2/3 n)) operations.
Shor’s algorithm (as we have expressed it here) calls two classical
algorithms as subroutines – the prime power checker, and Euclid’s
algorithm – both of which require a number of operations that is
only polynomial in n.
The quantum circuit used in Shor’s algorithm requires O(n3 ) gates
to perform the modular exponentiation, and O(n2 ) gates to perform
the QFT.
As the success probability of a single run of Shor’s algorithm is
O(1), the number of iterations we expect does not grow with n.

Therefore Shor’s algorithm can factor in a number of operations that is

polynomial in the number of bits required to express the number being
factored. An exponential speed-up compared to the best classical
algorithm.

17 / 18
Summary

In this lecture we have studied Shor’s factoring algorithm:

Performing quantum phase estimation with U |yi = |(xy) mod N i
to achieve order finding:
j
Implementing controlled-U 2 using modular P exponentiation.
Preparing a superposition of eigenstates √1r r−1
s=0 |us i = |1i as the
input to the second register.
Reduction of factoring to order-finding.

18 / 18