Shor Factorization Algorithm


qitd52

Robert B. Griffiths

Version of 7 March 202

References:

Mermin = N. D. Mermin, Quantum Computer Science (Cambridge University Press, 2007), Ch. 3

QCQI = M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information (Cambridge University Press, 2000), Ch. 5

Pittenger = A. O. Pittenger, An Introduction to Quantum Computing Algorithms (Birkhäuser, 2000), Ch. 3

Contents

1 Introduction
2 Factorization by Order Finding
3 Modular Exponentiation
4 Quantum Fourier Transform and Measurement
4.1 Introduction
4.2 M a multiple of r
4.3 M not a multiple of r
4.4 Example
5 Post-Processing: Continued Fractions

1 Introduction

Shor's algorithm for factoring numbers remains one of the best-known quantum algorithms. It represents a substantial speedup over any classical competitor known at present, and addresses a problem of considerable significance, since the difficulty of factoring is the basis of the well-known RSA public-key cryptographic method. The purpose of these notes is to provide a "big picture," with numerous details left to the references. Mermin and Pittenger provide a somewhat gentler introduction to the subject than QCQI, which presents a detailed treatment.

2 Factorization by Order Finding

Suppose we want to factor a large composite number $N$, i.e., one which can be written in the form

$$N = pq, \tag{1}$$

where we assume that $p$ and $q$ are relatively prime, i.e., they have no common factors, their greatest common divisor (gcd) is 1.

Exercise. Show that any composite $N$, i.e., integer with some nontrivial factor, can be written in the form (1) (perhaps in more than one way) with $p > 1$ and $q > 1$ relatively prime.

Given any integer $N > 1$, the integers between 1 and $N$ which are relatively prime to $N$ form an abelian group $Z_N$ under multiplication mod $N$. The order (number of elements) in $Z_N$ is denoted by $\varphi(N)$.

In the case $N = 15$, $Z_{15}$ is the set $\{1, 2, 4, 7, 8, 11, 13, 14\}$, so $\varphi(15) = 8$ elements. Since $Z_N$ is a multiplicative group, if $a$ is in $Z_N$ all its powers $a, a^2, a^3, \ldots$ are also in $Z_N$. Together they constitute the subgroup $\langle a \rangle$ of $Z_N$ generated by $a$. The order of this subgroup, the number of elements it contains, is the smallest integer $r$ such that

$$a^r = 1 \bmod N. \tag{2}$$

Because the order of a subgroup always divides the order of a group (Lagrange), it will always be the case that $r$ divides $\varphi(N)$. The order of $a = 2$ in $Z_{15}$ is $r = 4$, because $2^4 = 1 \bmod 15$, whereas $a^x \bmod 15$ for $x = 1, 2, 3$ is just $a^x$. As expected, $r = 4$ divides $\varphi(15) = 8$.

Exercise. What are the orders of the other elements of $Z_{15}$?

The strategy employed by Shor to factor $N$ begins with the observation that if one can find the order $r$ of some element $a$ in $Z_N$, and if one is not unlucky (more on that below), then by relatively efficient methods (polynomial in the number of bits) it is possible to factor $N$.

The first bit of luck: $r$ is an even number, which means that $r/2$ is an integer, and in view of (2) we can write $(a^{r/2} - 1)(a^{r/2} + 1) = a^r - 1 = 0 \bmod N$, so

$$(a^{r/2} - 1)(a^{r/2} + 1) = LN = Lpq, \tag{3}$$

where $L$ is some integer, and in the last equality ordinary (not modular) multiplication is employed. From (3) we see that both $p$ and $q$ must divide the product $(a^{r/2} - 1)(a^{r/2} + 1)$. One possibility is that $p$ divides $(a^{r/2} - 1)$, but $q$ does not divide $(a^{r/2} - 1)$. Good luck! Because then $s = \gcd(N, (a^{r/2} - 1))$ must be $p$ or a multiple of $p$, since it divides both arguments, but it cannot be $N$, because $N = pq$ and by hypothesis $q$ does not divide the second argument. Consequently $s > 1$ is a nontrivial factor of $N$, and at least we have made a first step in finding the factors. It is of course equally good if $p$ divides, but $q$ does not divide, $(a^{r/2} + 1)$, or if $q$ but not $p$ divides $(a^{r/2} - 1)$. If $N$ is the product of two primes, the problem of finding its factors is solved.
If $N$ is the product of three or more primes, we have only made a beginning, but if we have an algorithm that works well for $N$, we ought to be able to apply it successfully to the smaller number(s) obtained by finding at least one factor.

At this stage it won't hurt to work through a simple example. For $N = 15$ and $a = 2$ we know that $r = 4$, which is an even number. That looks encouraging. The product of interest to us is then

$$(a^{r/2} - 1)(a^{r/2} + 1) = (a^2 - 1)(a^2 + 1) = 3 \cdot 5 = 15. \tag{4}$$

We have successfully factored 15.

Exercise. Try factoring 2.

Alas, it could also be the case that we are unlucky and $(a^{r/2} + 1)$ is itself a multiple of $N$, divisible by both $p$ and $q$, in which case the $\gcd(N, (a^{r/2} - 1))$ might be 1, and we will learn nothing useful. Also if $(a^{r/2} - 1)$ turns out to be a multiple of $N$ this would be equally bad luck. But such cannot be the case, for if it were then we would have $a^{r/2} = 1 \bmod N$, but $r$ is the order of $a$, so it is the smallest positive integer such that $a^r = 1 \bmod N$.

If at first you don't succeed, try again with a different $a$. After all, it is relatively easy to choose an $a$ and check that $\gcd(a, N) = 1$. But there might be a second failure... Hence the number-theoretic arguments which ensure a reasonably high probability of success are not without interest, though they lie outside the scope of these notes.

What makes this attack on factoring difficult for a classical computer is that there is no known efficient way of finding the order of some $a$ which is relatively prime to $N$. The problem with the straightforward attack of computing $a, a^2, a^3, \ldots$, all mod $N$, is that even though each individual term can be computed efficiently, $r$ can itself be a very large number, so one has to work through a vast forest of possibilities before reaching the goal. Which, of course, is why the quantum algorithm is so interesting.
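The reduction from order finding to factoring described in Section 2, as an added Python example that is not part of the original notes. The function names are assumptions made here; `order` is the straightforward classical scan through $a, a^2, a^3, \ldots$ that the notes describe as infeasible for large $N$, and $N = 21$ is a constructed second input alongside the notes' $N = 15$.

```python
from math import gcd

def order(a, N):
    """Smallest positive r with a^r = 1 mod N, found by scanning a, a^2, a^3, ...
    This is the step that is classically expensive when r is large."""
    if gcd(a, N) != 1:
        raise ValueError("a must be relatively prime to N")
    r, x = 1, a % N
    while x != 1:
        x = (x * a) % N
        r += 1
    return r

def factor_from_order(a, N, r):
    """Apply eq. (3): given the order r of a, try to split N.
    Returns (status, factor); factor is None in the unlucky cases."""
    if r % 2:
        return ("r odd", None)                 # r/2 is not an integer
    h = pow(a, r // 2, N)                      # a^(r/2) reduced mod N
    if h == N - 1:
        return ("a^(r/2) = -1 mod N", None)    # a^(r/2) + 1 is a multiple of N
    # h != 1 because r is the smallest exponent with a^r = 1, so N divides
    # (h - 1)(h + 1) but neither factor alone: the gcd is a nontrivial factor.
    return ("ok", gcd(N, h - 1))

def survey(N):
    """Outcome of the procedure for every a relatively prime to N."""
    results = {}
    for a in range(1, N):
        if gcd(a, N) == 1:
            r = order(a, N)
            results[a] = (r,) + factor_from_order(a, N, r)
    return results

if __name__ == "__main__":
    for N in (15, 21):                         # 21 is a constructed extra input
        print(f"N = {N}")
        for a, (r, status, s) in survey(N).items():
            print(f"  a = {a:2d}  r = {r}  {status}"
                  + (f"  factor {s} x {N // s}" if s else ""))
```
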

3 Modular Exponentiation

Let $x$ be any integer, and define the integer-valued function

$$f(x) = a^x \bmod N, \tag{5}$$

where $a$ is a positive integer relatively prime to $N$ lying somewhere between 2 and $N$. The function $f(x)$ is periodic with period $r$, where $r$ is the order of $a$, in the sense that

$$f(x) = f(y) \bmod N \text{ if and only if } y = x \bmod r, \text{ or } y = x + kr, \tag{6}$$

where $k$ is some integer.

Exercise. Prove it.

The ordinary definition of the period $p$ of a periodic real-valued function $g(z)$, where $z$ is a real number, is the smallest positive number such that $g(z + p) = g(z)$ for all $z$. Smallest, since of course it is then the case that $g(z + kp) = g(z)$ where $k$ is any integer. However, a function which is periodic in this sense can have $g(z) = g(z')$ without $z - z'$ being an integer multiple of $p$. The "only if" part of (6) excludes such a possibility, and this exclusion is important for what follows.

Exercise. Find an example of a real valued periodic function $g(z)$, $z$ real, with the property that $g(z) = g(z')$ for some $z$ and $z'$ whose difference is not an integer multiple of the period.

The quantum factoring scheme is shown schematically as a circuit in Fig. 1. The two Hilbert spaces $\mathcal{H}_A$ and $\mathcal{H}_B$ have dimensions $d_A = M$ and $d_B = N'$, where we assume that systems $A$ and $B$ consist of $m$ and $n$ qubits, respectively, so

$$M = 2^m, \quad N' = 2^n > N, \tag{7}$$

with $n$ the smallest integer satisfying this inequality.

[Figure 1: Schematic representation of the Shor circuit for factoring. Note that the horizontal lines represent several qubits (or bits).]

Each of the solid horizontal lines in the figure represents a collection of $m$ or $n$ qubits. The standard basis of $\mathcal{H}_A$ consists of kets $|x\rangle$, where $x$ is an integer in the range $0 \le x \le 2^m - 1$. Let the representation of $x$ in bits be $x_1 x_2 x_3 \ldots x_m$, with $x_1$ the most significant bit. (This convention agrees with QCQI, but disagrees with Mermin, who numbers the bits in the opposite order.) Then write

$$|x\rangle = |x_1 x_2 \cdots x_m\rangle, \tag{8}$$

where each $x_j$ is 0 or 1.
The analogous convention is used for the standard basis of $\mathcal{H}_B$, consisting of kets of the form $|y\rangle$. The initial kets of $\mathcal{H}_A$ and $\mathcal{H}_B$ in Fig. 1, $|x = 0\rangle$ and $|y = 0\rangle$, are then tensor product states in which each individual qubit is in the state $|0\rangle$.

In Fig. 1 the very first gate, denoted by H, is really a collection of gates: a single Hadamard acts on each of the $m$ qubits. A little thought will show that after these have acted, the state of $\mathcal{H}_A$ is

$$|\Phi\rangle = \frac{1}{\sqrt{M}} \sum_{x=0}^{M-1} |x\rangle. \tag{9}$$

Next comes the unitary transformation $F$, the "F-gate" or "F-box", which maps $\mathcal{H}_A \otimes \mathcal{H}_B$ onto itself in such a way that

$$F\big(|x\rangle \otimes |0\rangle\big) = |x\rangle \otimes |f(x)\rangle \tag{10}$$

for the $f(x)$ defined in (5). In fact (10) is not a complete definition of the unitary $F$, since it only tells us what $F$ does to states of the form $|x\rangle \otimes |0\rangle$ and not what $F$ does to the $|x\rangle \otimes |y\rangle$ states with $y > 0$. Since $F$ in (10) maps the normalized and mutually orthogonal states on the left side onto normalized and mutually orthogonal states on the right side, it can be extended (in more than one way) to act as a unitary on the entire space $\mathcal{H}_A \otimes \mathcal{H}_B$.

After the $F$ gate has acted the state of $\mathcal{H}_A \otimes \mathcal{H}_B$ is given by

$$\sqrt{M}\, |\Psi_2\rangle = \sum_x |x\rangle \otimes |f(x)\rangle = \sum_y |\Phi(y)\rangle \otimes |y\rangle, \tag{11}$$

where the item on the right side is the expansion of $\sqrt{M}\, |\Psi_2\rangle$ in the standard basis of $\mathcal{H}_B$, with the $|\Phi(y)\rangle$ as expansion coefficients. Note that some of the $|\Phi(y)\rangle$ will necessarily be zero, because $f$ can only take values in the subgroup $\langle a \rangle$ of $Z_N$ consisting of powers of $a$ mod $N$.

4 Quantum Fourier Transform and Measurement

4.1 Introduction

Following the $F$ box in Fig. 1 a quantum Fourier transform (QFT) is applied to the $\mathcal{H}_A$ system alone. This is a unitary gate $Q$ mapping $\mathcal{H}_A$ to itself and defined by

$$Q = \frac{1}{\sqrt{M}} \sum_{v=0}^{M-1} \sum_{x=0}^{M-1} e^{2\pi i x v/M}\, |v\rangle\langle x|. \tag{12}$$

For clarity the states of $\mathcal{H}_A$ after $Q$ has acted are labeled by an integer $v$ rather than $x$, but of course $v$ takes values in the range from 0 to $M - 1$, just like $x$.

To understand the effects of the Fourier transform $Q$, it is helpful to think about it in the following way. Imagine measuring system $B$ in the standard basis when it emerges from the $F$ gate, instead of simply throwing it away, as in Fig. 1. If the outcome of this measurement is $\bar{y} = f(\bar{x})$, then the corresponding $|\Phi(\bar{y})\rangle$ defined in (11) will, since $f(x)$ is periodic, be of the form

$$|\Phi(\bar{y})\rangle = |\bar{x}\rangle + |\bar{x} + r\rangle + |\bar{x} + 2r\rangle + \cdots + |\bar{x} + (\mu - 1)r\rangle, \tag{13}$$

where we have assumed that $\bar{x}$ is the smallest one of the $\mu$ distinct values of $x$ between 0 and $M - 1$ for which $f(x) = \bar{y}$. If $M$ is a multiple of $r$, then $\mu = M/r$. Otherwise $\mu$ will either be $\lfloor M/r \rfloor$ or this quantity plus 1, depending on $\bar{x}$.
The QFT of $|\Phi(\bar{y})\rangle$ is

$$\sqrt{M}\, Q\, |\Phi(\bar{y})\rangle = \sum_v e^{2\pi i v \bar{x}/M} \big(1 + \lambda(v) + \lambda(v)^2 + \cdots + \lambda(v)^{\mu - 1}\big) |v\rangle = \sum_v e^{2\pi i v \bar{x}/M}\, c(v)\, |v\rangle; \quad \lambda(v) = e^{2\pi i v r/M}; \quad c(v) = \frac{\lambda(v)^\mu - 1}{\lambda(v) - 1}. \tag{14}$$

Following the application of $Q$ comes a measurement of $\mathcal{H}_A$ in the standard basis, indicated by the symbol D in Fig. 1. That is, each of the $m$ qubits is measured in the basis $|0\rangle$, $|1\rangle$. The outcome of the measurement, 0 or 1, on the $j$'th qubit is then $v_j$, the $j$'th bit in the binary representation of $v$. The probability that this measurement yields a particular integer $v$ is proportional to $|c(v)|^2$, where $c(v)$ is the coefficient of $|v\rangle$ in (14).

4.2 M a multiple of r

To see most easily what is going on, make the assumption that $M$ is a multiple of $r$, i.e., $M = \mu r$, and hence

$$\lambda(v) = e^{2\pi i v/\mu}, \quad \lambda(v)^\mu = 1. \tag{15}$$

Consequently, $c(v) = 0$ unless $v$ is a multiple of $\mu$, and if it is, then $\lambda(v) = 1$ and $c(v) = \mu$. Consequently, the only measurement outcomes that occur with nonzero probability are those for which $v = k\mu$ for some integer $k$ in the range between 0 and $r - 1$, and the probability of this outcome is independent of $k$. Note that this conclusion is independent of the value of $\bar{x}$, as this only enters the coefficient of $|v\rangle$ in (14) as a phase factor that does not influence the probability of a measurement outcome. Consequently, the outcome $\bar{y}$ of the measurement on $\mathcal{H}_B$, which determines $\bar{x}$, is irrelevant. (We have simply used the measurement on $B$ as an aid to understanding; it is not actually part of the Shor algorithm.)

The measurement outcome $v$ does not tell us the value of $r$, but only that there is some integer $k$ such that

$$v = Mk/r, \text{ or } v/M = k/r. \tag{16}$$

It is often, but not always, possible to extract the value of $r$ from $k/r$ using some post-processing on a classical computer. If this fails, the quantum computer can be run a second or third time, or perhaps more often, to yield additional values for $v$.

4.3 M not a multiple of r

In general $M$ is not a multiple of $r$ and $Mk/r$ is not an integer, so the measurement outcome $v$ will not satisfy (16). However, if $M$ is sufficiently large one can argue that with reasonably high probability the measurement outcome $v$ will be close to $k(M/r)$ for some integer $k$, close enough that $v/M$ provides a good estimate of $k/r$.

In more detail. From (14), with $\lambda = \lambda(v)$,

$$|c(v)|^2 = \left|\frac{\lambda^\mu - 1}{\lambda - 1}\right|^2 = \left|\frac{\lambda^{\mu/2} - \lambda^{-\mu/2}}{\lambda^{1/2} - \lambda^{-1/2}}\right|^2 = \frac{\sin^2[\pi \mu r v/M]}{\sin^2[\pi r v/M]}. \tag{17}$$

We are interested in a situation in which $M$ is substantially larger than $r$.
It then turns out, though it is not immediately obvious from looking at (17), that $|c(v)|^2$ is very small except when $v/M$ is in the vicinity of $k/r$ for some integer $k$, close enough that one has a reasonable chance of using the measured $v$ to determine $k/r$. One way to get an idea of what is going on is to insert

$$v = kM/r + \delta v \tag{18}$$

in (17), and, noting that $\mu$ and $k$ are integers, write the right side as

$$\frac{\sin^2[\pi(\mu r/M)\,\delta v]}{\sin^2[\pi r\, \delta v/M]} \approx \left(\frac{\mu}{\pi}\right)^2 \frac{\sin^2(\pi\, \delta v)}{(\delta v)^2}. \tag{19}$$

Here we are assuming that $M/r$ is very large and therefore $(\mu r/M) \approx 1$. The function $\sin^2(\pi\, \delta v)/(\delta v)^2$ has its maximum value ($\pi^2$) at $\delta v = 0$, and then decreases reasonably rapidly in an oscillatory manner as $\delta v$ increases.

This sort of crude analysis of course needs to be bolstered by more careful calculations and inequalities, for which we refer the reader to the references. It is very helpful to make plots of (17) for small values of $r$ and $M$ to see how the right side behaves as a function of $v$. An example is given below.

4.4 Example

To understand the behavior of the measurement outcome probabilities (17) it is helpful to look at examples. Figure 2 shows plots of these probabilities for $r = 14$ and various values of $M = 2^m$. One expects that the probability will peak for values of $v$ near $kM/r$, where $k$ is some integer.

[Figure 2: Plots of probability (height of bar) as a function of measurement outcome $v$, for $r = 14$ and $M = 32$ and 64 on the top row; $M = 128$ and 256 on the bottom row, where not all $v$ values are shown. Each panel is titled "Quantum Fourier Transform for M=..., r=14".]

For $M = 32$ there is a jumble of 14 peaks, but the probability is rather spread out, and it would be difficult to draw a conclusion from a single measurement of $v$, or even several measurements. However, the 14 peaks are better separated for $M = 64$, and one sees that there is a reasonable chance that a measurement will yield $v$ within a distance of 2 or less from the nearest integer to $kM/r = (64/14)k$ for $k = 1, 2, \ldots$.

Exercise. Calculate the nearest integer to $(64/14)k$ for several choices of $k$, and locate it on the horizontal axis of the $M = 64$ plot.

As $M$ increases to 128 and then to 256, the peaks become better separated and their widths, measured in terms of $v$, remain roughly the same, as do their heights. The fractional width measured in terms of $v/M$ is decreasing.

5 Post-Processing: Continued Fractions

The preceding analysis at least makes it plausible that the value $v$ obtained from the measurement of system $A$ after the QFT is likely to be such that $v/M$ is close to $k/r$, where $k$ is an unknown integer and $r$ is the unknown order of $a$ that we are looking for. But how can we extract $r$, given that we do not know $k$ in advance, and we only know $k/r$ approximately?

The basic idea is to use a value of $M = 2^m$ which is very much larger than $r$. Let us assume that the number of bits in the argument register is twice that in the function register, which is to say

$$m = 2n, \quad M = (N')^2 > N^2, \text{ so } M > Nr > r^2, \tag{20}$$

since $r$ cannot exceed $\varphi(N)$, which cannot be bigger than $N$. The values of $v/M$ for successive values of $v$ are thus separated by an interval of $1/M$, which is very much smaller than the interval $1/r$ between successive values of $k/r$ with $k$ an integer. This means that even if $v$ differs by a small integer from the value closest to the relevant $k(M/r)$, the value of $k$ will be unambiguous. It may help to visualize this by thinking of points $v/M$ laid out along the real axis for successive $v$, together with points $k/r$ for successive $k$:

[Diagram: points $v/M$ along the real axis, spaced $1/M$ apart, together with points $k/r$, spaced $1/r$ apart.]

But since we don't yet know $r$, how are we to find the correct $k/r$ lying near $v/M$, and not some other $k'/r'$?

Important observation. Suppose $k/r \ne k'/r'$. What can we say about the difference? Assume without loss of generality that $k/r < k'/r'$; then

$$\frac{k'}{r'} - \frac{k}{r} = \frac{rk' - r'k}{rr'} \ge \frac{1}{rr'} > \frac{1}{M}, \tag{21}$$

as $rk' - r'k$ cannot be less than 1. The final inequality applies to the case where both $r$ and $r'$ are smaller than $N$, see (20), which is of course the case of interest to us.

So if we can find a fraction $k/r$ with a small denominator that is near to $v/M$, we can be reasonably sure that $r$ is the order of $a$ that we are looking for. But $r$ is not a prime number, so it might be the case that the $k$ for which $k/r$ is closest to our $v/M$ has some factor in common with $r$. Then the denominator of this fraction will not be $r$ itself but only some number that divides $r$. This is a worry. Let us put it aside for the moment and return to it later.

So how do we find fractions $k/r$ which are near to $v/M$ and have small denominators? The trick is to expand $v/M$ as a continued fraction and look at the convergents.

Quick introduction to continued fractions.
The kind we are interested in are of the form

$$w_0 = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cdots}}} \tag{22}$$

where $w_0$ is any real number, $a_0 = \lfloor w_0 \rfloor$ is the integer part of $w_0$, the largest integer that is not greater than $w_0$, and $a_1$, $a_2$, and so forth are positive integers. Calculating $a_0$, $a_1$, etc., is fairly easy. Subtract $a_0$ from $w_0$ and take the reciprocal:

$$w_1 := \frac{1}{w_0 - a_0} = a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cdots}}. \tag{23}$$

Thus $a_1 = \lfloor w_1 \rfloor$ is the integer part of $w_1$. The integer part of $w_2 = 1/(w_1 - a_1)$ is $a_2$, and so forth. If at some stage we stop and throw away the following $a_j$ (set them equal to zero) the result is the $j$'th convergent of the continued fraction expansion of $w_0$, written as $[a_0, a_1, \ldots a_j]$. E.g., the second convergent of $w_0$ is

$$[a_0, a_1, a_2] = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2}} = a_0 + \frac{a_2}{1 + a_1 a_2}. \tag{24}$$

Exercise. Find the first, second, and third convergents of $\pi$, writing them as fractions $k/l$. In each case is the convergent greater than or less than $\pi$? (Do you see something systematic here?) How close to $\pi$ is the third convergent?

Thus the procedure to find $r$ from $v/M$ is to expand the latter as a continued fraction and look at the convergents. If one finds a fraction $i/j$ which is close to $v/M$ and for which the denominator $j$ is not too large, there is a fair chance that $j = r$ is the order of $a$ that we are looking for. Note that while the order $r$ of $a$ is very hard to find using only a classical computer (at least by algorithms known at present), it is relatively simple to check whether some specific $\hat{r}$ is a period of $f(x) = a^x \bmod N$ by calculating $a^{\hat{r}} \bmod N$ and seeing if this is 1. If it is, that does not guarantee that $\hat{r}$ is the order $r$ of $a$, as it might be some integer multiple of $r$. But since the quantum algorithm yields significant probabilities for $v/M$ only in the vicinity of $k/r$ and not near fractions whose denominators are multiples of $r$, it seems reasonable that some $\hat{r}$ that emerges from the process described above and is a period of $f(x)$ will be $r$.

But how do we know that a nearby $k/r$ will actually show up as one of the convergents to $v/M$? There is a useful number-theoretic result in Appendix A4 of QCQI which tells us that if $w$ is any real number and $k/r$ a rational number which is close to it in the sense that

$$\left| w - \frac{k}{r} \right| \le \frac{1}{2r^2}, \tag{25}$$

then $k/r$ is one of the convergents of the continued fraction expansion of $w$. So provided $M$ is large enough, as in (20), we can be confident that the continued fraction expansion will yield the $r$ we are looking for, unless $k$ and $r$ have some factor in common, in which case the continued fraction expansion will yield $\bar{k}/\bar{r}$ instead of $k/r$, where $\bar{k}$ and $\bar{r}$ are relatively prime, and $k = l\bar{k}$, $r = l\bar{r}$ for some integer $l$. This $\bar{r}$ will not, of course, be the desired order of $a$. What to do?
The most straightforward remedy is to run the quantum computation once again to get a different measurement outcome $v'$, and carry out the continued fraction expansion on $v'/M$ in the hopes that $k'/r$ with $k'$ relatively prime to $r$ will be one of the convergents. And if this does not succeed, try again... In QCQI, p. 23, there is an argument, based on the probability that a random integer $k$ in the expected range will be relatively prime to $r$, that if the quantum algorithm is repeated the order of $2\log(N)$ times there is a high probability of successfully finding the denominator $r$ in one of the convergents. Note that while $\log(N)$ may be large (say 1000), it is not impossibly large, so it is easy to imagine that if a quantum computer can actually be built it will be possible to run it a thousand times. For a method that makes more efficient use of the results of repeating the quantum computation, see QCQI p
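The measurement statistics of (17) and the continued-fraction post-processing of Section 5, as an added Python example that is not part of the original notes. The function names and the inputs $N = 21$, $a = 2$, $r = 6$, $M = 2^{10}$ are constructed for illustration; the quantum step is replaced by evaluating the outcome probabilities directly, which requires knowing $r$ and is only possible for small cases.

```python
from math import pi, sin

def outcome_probabilities(M, r, xbar=0):
    """Pr(v) = |c(v)|^2 / (M * mu), with |c(v)|^2 from eq. (17) and
    mu = number of x = xbar + j*r lying in 0..M-1, as in eq. (13)."""
    mu = (M - 1 - xbar) // r + 1
    probs = []
    for v in range(M):
        if (r * v) % M == 0:                   # lambda(v) = 1, so c(v) = mu
            c2 = float(mu * mu)
        else:
            c2 = sin(pi * mu * r * v / M) ** 2 / sin(pi * r * v / M) ** 2
        probs.append(c2 / (M * mu))
    return probs

def convergents(v, M):
    """Yield the convergents (k, j) of v/M, using the integer parts
    a_0, a_1, ... of eqs. (22)-(23) and the standard recurrence."""
    num, den = v, M
    p_prev, p = 0, 1
    q_prev, q = 1, 0
    while den:
        a_j = num // den                       # integer part of current w_j
        num, den = den, num - a_j * den        # reciprocal of the remainder
        p_prev, p = p, a_j * p + p_prev
        q_prev, q = q, a_j * q + q_prev
        yield p, q

def candidate_period(v, M, a, N):
    """First convergent denominator j < N with a^j = 1 mod N, else None.
    None means k and r shared a factor (or v was far from every k/r),
    and the quantum computation has to be run again."""
    for _, j in convergents(v, M):
        if j >= N:
            break
        if pow(a, j, N) == 1:
            return j
    return None

def success_probability(a, N, r, M):
    """Probability that a single measurement leads to the order r."""
    probs = outcome_probabilities(M, r)
    return sum(p for v, p in enumerate(probs)
               if candidate_period(v, M, a, N) == r)

if __name__ == "__main__":
    N, a, r = 21, 2, 6                         # constructed inputs; 2^6 = 64 = 1 mod 21
    M = 2 ** 10                                # m = 2n with n = 5, since 2^5 = 32 > 21
    probs = outcome_probabilities(M, r)
    likely = sorted(range(M), key=lambda v: -probs[v])[:8]
    for v in sorted(likely):
        print(f"v = {v:4d}  Pr = {probs[v]:.4f}  v/M = {v / M:.4f}  "
              f"candidate r = {candidate_period(v, M, a, N)}")
    print(f"single-run success probability: {success_probability(a, N, r, M):.3f}")
```

Only outcomes near $kM/r$ with $k$ relatively prime to $r$ (here $k = 1$ and $k = 5$) return the order; the recovered $r$ then feeds the gcd step of Section 2.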


More information

Number Systems III MA1S1. Tristan McLoughlin. December 4, 2013

Number Systems III MA1S1. Tristan McLoughlin. December 4, 2013 Number Systems III MA1S1 Tristan McLoughlin December 4, 2013 http://en.wikipedia.org/wiki/binary numeral system http://accu.org/index.php/articles/1558 http://www.binaryconvert.com http://en.wikipedia.org/wiki/ascii

More information

Introduction to Group Theory

Introduction to Group Theory Chapter 10 Introduction to Group Theory Since symmetries described by groups play such an important role in modern physics, we will take a little time to introduce the basic structure (as seen by a physicist)

More information

Quantum Computers. Peter Shor MIT

Quantum Computers. Peter Shor MIT Quantum Computers Peter Shor MIT 1 What is the difference between a computer and a physics experiment? 2 One answer: A computer answers mathematical questions. A physics experiment answers physical questions.

More information

1 Measurement Uncertainties

1 Measurement Uncertainties 1 Measurement Uncertainties (Adapted stolen, really from work by Amin Jaziri) 1.1 Introduction No measurement can be perfectly certain. No measuring device is infinitely sensitive or infinitely precise.

More information

Hardy s Paradox. Chapter Introduction

Hardy s Paradox. Chapter Introduction Chapter 25 Hardy s Paradox 25.1 Introduction Hardy s paradox resembles the Bohm version of the Einstein-Podolsky-Rosen paradox, discussed in Chs. 23 and 24, in that it involves two correlated particles,

More information

Introduction to Quantum Computing

Introduction to Quantum Computing Introduction to Quantum Computing Part I Emma Strubell http://cs.umaine.edu/~ema/quantum_tutorial.pdf April 12, 2011 Overview Outline What is quantum computing? Background Caveats Fundamental differences

More information

Compute the Fourier transform on the first register to get x {0,1} n x 0.

Compute the Fourier transform on the first register to get x {0,1} n x 0. CS 94 Recursive Fourier Sampling, Simon s Algorithm /5/009 Spring 009 Lecture 3 1 Review Recall that we can write any classical circuit x f(x) as a reversible circuit R f. We can view R f as a unitary

More information

LECTURE NOTES ON QUANTUM COMPUTATION. Cornell University, Physics , CS 483; Spring, 2005 c 2006, N. David Mermin

LECTURE NOTES ON QUANTUM COMPUTATION. Cornell University, Physics , CS 483; Spring, 2005 c 2006, N. David Mermin LECTURE NOTES ON QUANTUM COMPUTATION Cornell University, Physics 481-681, CS 483; Spring, 2005 c 2006, N. David Mermin IV. Searching with a Quantum Computer Last revised 3/30/06 Suppose you know that eactly

More information

A Gentle Introduction to Quantum Computing

A Gentle Introduction to Quantum Computing A Gentle Introduction to Quantum Computing Abdullah Khalid 01-10-0168 School of Science and Engineering Lahore University of Management Sciences Friday 3 rd June, 011 Contents 1 Introduction to Quantum

More information

Lecture 7: More Arithmetic and Fun With Primes

Lecture 7: More Arithmetic and Fun With Primes IAS/PCMI Summer Session 2000 Clay Mathematics Undergraduate Program Advanced Course on Computational Complexity Lecture 7: More Arithmetic and Fun With Primes David Mix Barrington and Alexis Maciel July

More information

Rings If R is a commutative ring, a zero divisor is a nonzero element x such that xy = 0 for some nonzero element y R.

Rings If R is a commutative ring, a zero divisor is a nonzero element x such that xy = 0 for some nonzero element y R. Rings 10-26-2008 A ring is an abelian group R with binary operation + ( addition ), together with a second binary operation ( multiplication ). Multiplication must be associative, and must distribute over

More information

Lecture 10: A (Brief) Introduction to Group Theory (See Chapter 3.13 in Boas, 3rd Edition)

Lecture 10: A (Brief) Introduction to Group Theory (See Chapter 3.13 in Boas, 3rd Edition) Lecture 0: A (Brief) Introduction to Group heory (See Chapter 3.3 in Boas, 3rd Edition) Having gained some new experience with matrices, which provide us with representations of groups, and because symmetries

More information

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation Quantum logic gates Logic gates Classical NOT gate Quantum NOT gate (X gate) A NOT A α 0 + β 1 X α 1 + β 0 A N O T A 0 1 1 0 Matrix form representation 0 1 X = 1 0 The only non-trivial single bit gate

More information

Integer factorization, part 1: the Q sieve. D. J. Bernstein

Integer factorization, part 1: the Q sieve. D. J. Bernstein Integer factorization, part 1: the Q sieve D. J. Bernstein Sieving small integers 0 using primes 3 5 7: 1 3 3 4 5 5 6 3 7 7 8 9 3 3 10 5 11 1 3 13 14 7 15 3 5 16 17 18 3 3 19 0 5 etc. Sieving and 611 +

More information

Finite Mathematics : A Business Approach

Finite Mathematics : A Business Approach Finite Mathematics : A Business Approach Dr. Brian Travers and Prof. James Lampes Second Edition Cover Art by Stephanie Oxenford Additional Editing by John Gambino Contents What You Should Already Know

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of

More information

Qubit Recycling. Ran Chu. May 4, 2016

Qubit Recycling. Ran Chu. May 4, 2016 Qubit Recycling Ran Chu May 4, 06 Abstract Shor s quantum algorithm for fast number factoring is a key example of quantum computational algorithm and the prime motivator in the international effort to

More information

2. FUNCTIONS AND ALGEBRA

2. FUNCTIONS AND ALGEBRA 2. FUNCTIONS AND ALGEBRA You might think of this chapter as an icebreaker. Functions are the primary participants in the game of calculus, so before we play the game we ought to get to know a few functions.

More information

Stochastic Histories. Chapter Introduction

Stochastic Histories. Chapter Introduction Chapter 8 Stochastic Histories 8.1 Introduction Despite the fact that classical mechanics employs deterministic dynamical laws, random dynamical processes often arise in classical physics, as well as in

More information

22. The Quadratic Sieve and Elliptic Curves. 22.a The Quadratic Sieve

22. The Quadratic Sieve and Elliptic Curves. 22.a The Quadratic Sieve 22. The Quadratic Sieve and Elliptic Curves 22.a The Quadratic Sieve Sieve methods for finding primes or for finding factors of numbers are methods by which you take a set P of prime numbers one by one,

More information

Addition & Subtraction of Polynomials

Addition & Subtraction of Polynomials Chapter 12 Addition & Subtraction of Polynomials Monomials and Addition, 1 Laurent Polynomials, 3 Plain Polynomials, 6 Addition, 8 Subtraction, 10. While, as we saw in the preceding chapter, monomials

More information

GRE Quantitative Reasoning Practice Questions

GRE Quantitative Reasoning Practice Questions GRE Quantitative Reasoning Practice Questions y O x 7. The figure above shows the graph of the function f in the xy-plane. What is the value of f (f( ))? A B C 0 D E Explanation Note that to find f (f(

More information

2 = = 0 Thus, the number which is largest in magnitude is equal to the number which is smallest in magnitude.

2 = = 0 Thus, the number which is largest in magnitude is equal to the number which is smallest in magnitude. Limits at Infinity Two additional topics of interest with its are its as x ± and its where f(x) ±. Before we can properly discuss the notion of infinite its, we will need to begin with a discussion on

More information

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today? 2 Mod math Modular arithmetic is the math you do when you talk about time on a clock. For example, if it s 9 o clock right now, then it ll be 1 o clock in 4 hours. Clearly, 9 + 4 1 in general. But on a

More information

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem. CS 70 Discrete Mathematics for CS Fall 2003 Wagner Lecture 10 The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 8 February 1, 2012 CPSC 467b, Lecture 8 1/42 Number Theory Needed for RSA Z n : The integers mod n Modular arithmetic GCD Relatively

More information

Lecture 22: Quantum computational complexity

Lecture 22: Quantum computational complexity CPSC 519/619: Quantum Computation John Watrous, University of Calgary Lecture 22: Quantum computational complexity April 11, 2006 This will be the last lecture of the course I hope you have enjoyed the

More information

arxiv: v2 [quant-ph] 1 Aug 2017

arxiv: v2 [quant-ph] 1 Aug 2017 A quantum algorithm for greatest common divisor problem arxiv:1707.06430v2 [quant-ph] 1 Aug 2017 Wen Wang, 1 Xu Jiang, 1 Liang-Zhu Mu, 1, 2, 3, 4, and Heng Fan 1 School of Physics, Peking University, Beijing

More information

Incompatibility Paradoxes

Incompatibility Paradoxes Chapter 22 Incompatibility Paradoxes 22.1 Simultaneous Values There is never any difficulty in supposing that a classical mechanical system possesses, at a particular instant of time, precise values of

More information

Consistent Histories. Chapter Chain Operators and Weights

Consistent Histories. Chapter Chain Operators and Weights Chapter 10 Consistent Histories 10.1 Chain Operators and Weights The previous chapter showed how the Born rule can be used to assign probabilities to a sample space of histories based upon an initial state

More information

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers ALGEBRA CHRISTIAN REMLING 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers by Z = {..., 2, 1, 0, 1,...}. Given a, b Z, we write a b if b = ac for some

More information

Ph 219b/CS 219b. Exercises Due: Wednesday 22 February 2006

Ph 219b/CS 219b. Exercises Due: Wednesday 22 February 2006 1 Ph 219b/CS 219b Exercises Due: Wednesday 22 February 2006 6.1 Estimating the trace of a unitary matrix Recall that using an oracle that applies the conditional unitary Λ(U), Λ(U): 0 ψ 0 ψ, 1 ψ 1 U ψ

More information

Singlet State Correlations

Singlet State Correlations Chapter 23 Singlet State Correlations 23.1 Introduction This and the following chapter can be thought of as a single unit devoted to discussing various issues raised by a famous paper published by Einstein,

More information

Chapter 5. Number Theory. 5.1 Base b representations

Chapter 5. Number Theory. 5.1 Base b representations Chapter 5 Number Theory The material in this chapter offers a small glimpse of why a lot of facts that you ve probably nown and used for a long time are true. It also offers some exposure to generalization,

More information

Lecture note 8: Quantum Algorithms

Lecture note 8: Quantum Algorithms Lecture note 8: Quantum Algorithms Jian-Wei Pan Physikalisches Institut der Universität Heidelberg Philosophenweg 12, 69120 Heidelberg, Germany Outline Quantum Parallelism Shor s quantum factoring algorithm

More information

SUBGROUPS OF CYCLIC GROUPS. 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by

SUBGROUPS OF CYCLIC GROUPS. 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by SUBGROUPS OF CYCLIC GROUPS KEITH CONRAD 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by g = {g k : k Z}. If G = g, then G itself is cyclic, with g as a generator. Examples

More information

Lecture 8: Finite fields

Lecture 8: Finite fields Lecture 8: Finite fields Rajat Mittal IIT Kanpur We have learnt about groups, rings, integral domains and fields till now. Fields have the maximum required properties and hence many nice theorems can be

More information

First, let's review classical factoring algorithm (again, we will factor N=15 but pick different number)

First, let's review classical factoring algorithm (again, we will factor N=15 but pick different number) Lecture 8 Shor's algorithm (quantum factoring algorithm) First, let's review classical factoring algorithm (again, we will factor N=15 but pick different number) (1) Pick any number y less than 15: y=13.

More information

Basic Algebra. Final Version, August, 2006 For Publication by Birkhäuser Boston Along with a Companion Volume Advanced Algebra In the Series

Basic Algebra. Final Version, August, 2006 For Publication by Birkhäuser Boston Along with a Companion Volume Advanced Algebra In the Series Basic Algebra Final Version, August, 2006 For Publication by Birkhäuser Boston Along with a Companion Volume Advanced Algebra In the Series Cornerstones Selected Pages from Chapter I: pp. 1 15 Anthony

More information

1 Review of the dot product

1 Review of the dot product Any typographical or other corrections about these notes are welcome. Review of the dot product The dot product on R n is an operation that takes two vectors and returns a number. It is defined by n u

More information

ECEN 5022 Cryptography

ECEN 5022 Cryptography Elementary Algebra and Number Theory University of Colorado Spring 2008 Divisibility, Primes Definition. N denotes the set {1, 2, 3,...} of natural numbers and Z denotes the set of integers {..., 2, 1,

More information

Partial Fractions. June 27, In this section, we will learn to integrate another class of functions: the rational functions.

Partial Fractions. June 27, In this section, we will learn to integrate another class of functions: the rational functions. Partial Fractions June 7, 04 In this section, we will learn to integrate another class of functions: the rational functions. Definition. A rational function is a fraction of two polynomials. For example,

More information

Math101, Sections 2 and 3, Spring 2008 Review Sheet for Exam #2:

Math101, Sections 2 and 3, Spring 2008 Review Sheet for Exam #2: Math101, Sections 2 and 3, Spring 2008 Review Sheet for Exam #2: 03 17 08 3 All about lines 3.1 The Rectangular Coordinate System Know how to plot points in the rectangular coordinate system. Know the

More information

AN ALGEBRA PRIMER WITH A VIEW TOWARD CURVES OVER FINITE FIELDS

AN ALGEBRA PRIMER WITH A VIEW TOWARD CURVES OVER FINITE FIELDS AN ALGEBRA PRIMER WITH A VIEW TOWARD CURVES OVER FINITE FIELDS The integers are the set 1. Groups, Rings, and Fields: Basic Examples Z := {..., 3, 2, 1, 0, 1, 2, 3,...}, and we can add, subtract, and multiply

More information

PRACTICE PROBLEMS: SET 1

PRACTICE PROBLEMS: SET 1 PRACTICE PROBLEMS: SET MATH 437/537: PROF. DRAGOS GHIOCA. Problems Problem. Let a, b N. Show that if gcd(a, b) = lcm[a, b], then a = b. Problem. Let n, k N with n. Prove that (n ) (n k ) if and only if

More information

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time. 8 Modular Arithmetic We introduce an operator mod. Let d be a positive integer. For c a nonnegative integer, the value c mod d is the remainder when c is divided by d. For example, c mod d = 0 if and only

More information

Shor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017

Shor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017 Shor s Algorithm Polynomial-time Prime Factorization with Quantum Computing Sourabh Kulkarni October 13th, 2017 Content Church Thesis Prime Numbers and Cryptography Overview of Shor s Algorithm Implementation

More information

Standard forms for writing numbers

Standard forms for writing numbers Standard forms for writing numbers In order to relate the abstract mathematical descriptions of familiar number systems to the everyday descriptions of numbers by decimal expansions and similar means,

More information

Quantum Mechanics- I Prof. Dr. S. Lakshmi Bala Department of Physics Indian Institute of Technology, Madras

Quantum Mechanics- I Prof. Dr. S. Lakshmi Bala Department of Physics Indian Institute of Technology, Madras Quantum Mechanics- I Prof. Dr. S. Lakshmi Bala Department of Physics Indian Institute of Technology, Madras Lecture - 4 Postulates of Quantum Mechanics I In today s lecture I will essentially be talking

More information

Fourier Sampling & Simon s Algorithm

Fourier Sampling & Simon s Algorithm Chapter 4 Fourier Sampling & Simon s Algorithm 4.1 Reversible Computation A quantum circuit acting on n qubits is described by an n n unitary operator U. Since U is unitary, UU = U U = I. This implies

More information

FINITE ABELIAN GROUPS Amin Witno

FINITE ABELIAN GROUPS Amin Witno WON Series in Discrete Mathematics and Modern Algebra Volume 7 FINITE ABELIAN GROUPS Amin Witno Abstract We detail the proof of the fundamental theorem of finite abelian groups, which states that every

More information

1 Continued Fractions

1 Continued Fractions Continued Fractions To start off the course, we consider a generalization of the Euclidean Algorithm which has ancient historical roots and yet still has relevance and applications today.. Continued Fraction

More information

Practical Algebra. A Step-by-step Approach. Brought to you by Softmath, producers of Algebrator Software

Practical Algebra. A Step-by-step Approach. Brought to you by Softmath, producers of Algebrator Software Practical Algebra A Step-by-step Approach Brought to you by Softmath, producers of Algebrator Software 2 Algebra e-book Table of Contents Chapter 1 Algebraic expressions 5 1 Collecting... like terms 5

More information

Mathematics for Cryptography

Mathematics for Cryptography Mathematics for Cryptography Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G1, Canada March 15, 2016 1 Groups and Modular Arithmetic 1.1

More information

Slope Fields: Graphing Solutions Without the Solutions

Slope Fields: Graphing Solutions Without the Solutions 8 Slope Fields: Graphing Solutions Without the Solutions Up to now, our efforts have been directed mainly towards finding formulas or equations describing solutions to given differential equations. Then,

More information

Projective space. There are some situations when this approach seems to break down; for example with an equation like f(x; y) =y 2 (x 3 5x +3) the lin

Projective space. There are some situations when this approach seems to break down; for example with an equation like f(x; y) =y 2 (x 3 5x +3) the lin Math 445 Handy facts since the second exam Don't forget the handy facts from the first two exams! Rational points on curves For more general curves, defined by polynomials f(x; y) = 0 of higher degree,

More information

Number Theory. Introduction

Number Theory. Introduction Number Theory Introduction Number theory is the branch of algebra which studies the properties of the integers. While we may from time to time use real or even complex numbers as tools to help us study

More information

THE DIVISION THEOREM IN Z AND R[T ]

THE DIVISION THEOREM IN Z AND R[T ] THE DIVISION THEOREM IN Z AND R[T ] KEITH CONRAD 1. Introduction In both Z and R[T ], we can carry out a process of division with remainder. Theorem 1.1. For any integers a and b, with b nonzero, there

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 9 September 30, 2015 CPSC 467, Lecture 9 1/47 Fast Exponentiation Algorithms Number Theory Needed for RSA Elementary Number Theory

More information

Lecture 11 - Basic Number Theory.

Lecture 11 - Basic Number Theory. Lecture 11 - Basic Number Theory. Boaz Barak October 20, 2005 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that a divides b,

More information