C/CS/Phys C9 Shor's order (period) finding algorithm and factoring /2/4 Fall 204 Lecture 22

With a fast algorithm for the Quantum Fourier Transform in hand, it is clear that many useful applications should be possible. Fourier transforms are typically used to extract the periodic components in functions, so this is an immediate one. One very important example is finding the period of a modular exponential function, which is also known as order-finding. This is a key element of Shor's algorithm to factor large integers N. In Shor's algorithm, the quantum algorithm for order-finding is combined with a series of efficient classical computational steps to make an algorithm that is overall polynomial in the input size $n = \log_2 N$, scaling as $O(n^2 \log n \log\log n)$. This is better than the best known classical algorithm, the number field sieve, which scales superpolynomially in n, i.e., as exp(o(n /3 (logn) 2/3 )). In this lecture we shall first present the quantum algorithm for order-finding and then summarize how this is used together with tools from number theory to efficiently factor large numbers.

Modular exponentiation

Recall the exponential function $y(x) = a^x$. The modular exponential function is obtained by taking this function and calculating the remainder on division by N, i.e., $f(x) = a^x \bmod N$. The order of the modular exponential, referred to as the order of a mod N or ord(a), is the smallest positive integer such that a mod N = Equivalently, we can say that is the period of this function, since from the above equation we have a = k N + a + = k N a + a a + mod N = a mod N a +x mod N = a x mod N where k is some integer. So f (x + ) = f (x), i.e., is the period of f (x). Note that N. Three cases arise:

1. is odd
2. is even and a /2 mod N =
3. is even and a /2 mod N.

Cases 1) and 2) are not relevant to factorization of N, but in case 3) at least one of the two numbers gcd(n,a /2 ± ) is a non-trivial factor of N, where gcd(x,y) is the greatest common divisor of x and y (see below).

How do we find ord(a) =?
The strategy is to calculate the modular exponential function f(x) for many values of x in parallel and to use Fourier techniques to detect the period in the sequence of function values. In the next section we show that Shor's quantum algorithm does this efficiently using the quantum Fourier transform.

Period finding

The algorithm uses two registers:

register 1 (source) has K qubits and stores a number = 2 K, with N 2 2N 2, or equivalently a number mod
register 2 (target) has at least $n = \log_2 N$ qubits, so can store N or more basis states, or equivalently, a number mod N.

The algorithm can be decomposed into 6 steps.

1. Both registers are initialized in the state 0 0.

2. The source register is transformed to an equal superposition over all basis states. This can be done either by applying the K qubit Hadamard transform H K x = H K 0 = 2 K ( ) xy y y 2 K y y or by applying the Fourier Transform q q =0 exp 0 q. q =0 ) (2πi qq q In both cases (what does this tell you about the relation of Hadamard to Fourier transform?) we get the full quantum state (of source and register) q 0 q=0

3. Now we apply a quantum gate $U_a$ that implements the modular exponentiation q f (q) = a q mod N, where a is chosen randomly. This is a function that is easy to compute classically (see Nielsen and Chuang, p. 228 for a detailed analysis). As described above, f(q) has as its smallest period. Note that f is distinct on [0, ] (i.e., all values are different) since otherwise it would have a smaller period. Applying the function f to the contents of source register 1 and storing the result in target register 2 gives q a q mod N. q=0 Here > N 2 values of the function f(q) are computed in parallel. Since < N, the period must manifest itself in the resulting sequence of function values now stored in the second register. So there can only be different function values.

4. Now we measure the second register. When we measure, we must get some value which has to be one of the distinct values of f(q). Suppose it is $f(q_0)$. Then all superposed states of the first register inconsistent with this measured value must disappear. For simplicity, we shall restrict our detailed exposition to the case where = m, i.e., there are m different values of q which have the same value of f(q). Then exactly m = / states of register 1 will contribute to the measured state of register 2, and after this measurement the combined state of the two registers must be given by / j + q 0 f (q 0 ) /

5. We now have a periodic superposition of states in register 1, with period. From now on the second register is irrelevant and we can drop it from discussion. The first register has a periodic superposition whose period is the value that we wanted to compute in the first place. How do we get that period? Can we get anything simply by measuring the first register? No, since all we will get is a random point, with no correlation across independent trials (because $q_0$ is random). Instead, we first make a quantum Fourier transform on register 1. To apply the Fourier transform modulo to state φq0 = j + q 0 we first rewrite φq0 as a sum over all states: φ q0 = g(a) a a=0 by defining g(a) = / if a q 0 is a multiple of and g(a) = 0 otherwise. Then Fourier transforming this modulo (this just means the Fourier transform base K or with = 2 K basis states), gives c = c ( ) 2πi( j + q0 )c g( j + q 0 )exp c [ ( ) ] ( ) 2πi( j)c 2πiq0 c g( j + q 0 )exp exp c. Now looking at the right hand side, you can see that when c/ is an integer, i.e., c is a multiple of /, the phase factor of each term in the sum inside the square brackets will be equal to +. Now this sum only contains / non-zero terms, because of the way in which g(a) was defined. So the square bracket term is then equal to (/) / = /. Taking the overall normalization factor into account, this yields the value exp(2πiq 0 c/)/ for the coefficient of basis state c in the sum over c.
On the other hand, when c/ is not an integer, the sum in the square brackets cancels to zero (see Benenti p. 63 for an example). So the only states in the sum over c that survive are those for which c is a multiple of /. Thus the Fourier transformed state has period /, and furthermore it has non-zero values only at values of c that are multiples of this period. Writing c = k/, we get then the FT state FT φ q0 = exp k=0 ( 2πiq0 k ) k which is what was given above. Note that the Fourier transform has moved the shift value $q_0$ in the index of the original state to a phase factor in the Fourier transformed state.

6. Now we measure register 1. The measurement gives us a value C = k, where k is a random number between 0 and -. Now we have, C, and hence also the ratio C/ = k/. Now if gcd(k,) =, i.e., if k and have no common divisors, we have the ratio C/ as an irreducible fraction and can read off the values k and from numerator and denominator, respectively. See Benenti p. 63 for an example. Now k is chosen at random by the measurement: for large, the probability that gcd(k,) = is greater than /log (see Appendix A.3 in Ekert and Jozsa, RMP 68, 733 (996)). So we assume that this is the case and extract. Then by repeating the calculation O(log) < O(logN) times, one can amplify the success probability (of finding ) to get as close to one as desired. So we have an efficient determination of the order. In the general case, when m, one has a slightly modified analysis that results in the order being determined to a high probability.

Using order-finding to factor large numbers N efficiently

Once we have the order of $a^x \bmod N$, we first check if is even and a /2 mod N (case 3) above). If so, then let's proceed with y = a /2. Since y 2 mod N =, then y 2 = (y+)(y ) is divisible by N. So N has a common factor with either y + or y. The common factor must be one of the greatest common divisors gcd(n,y ± ). These can be efficiently computed with Euclid's algorithm (classical).

Euclid's algorithm for gcd(x,y)

Let x,y be 2 integers, x > y and z = gcd(x,y). Then both x and y and the numbers x y, x 2y,... are multiples of z. Therefore the remainder = x ky < y in the division of x by y is also a multiple of z. Now if = 0, then z = y and the problem is solved. So we only have to figure out how to get to zero remainder from the starting integers x and y.
This is easy. We simply repeatedly take the remainder: z = gcd(x,y) = gcd(y, ) = gcd(, 2 ) = gcd( 2, 3 ) =... = gcd( n, n ), where, 2,... are the successive remainders, i = i k i y. The last non-zero remainder n is z.

Shor's factoring algorithm

The overall quantum factoring algorithm is as follows:

1. If N is even, return the factor 2 (you could extend this to check for other small prime factors, e.g., 5)
2. Determine whether $N = a^b$ for integers a and b 2: if yes, return the factor a
3. Randomly choose y between and N. If z = gcd(y,N) >, return the factor z.
4. Use the order-finding algorithm to find the order of a mod N, i.e., such that a mod N =.
5. If is even and a /2 mod N, then evaluate gcd(a /2 ±,N). If one of these is a non-trivial factor (i.e., other than ), return that value as a factor. If not, go back to step 3 and repeat.
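
Added example (not part of the original lecture notes): a small classical simulation of the factoring procedure above together with the read-out step 6 of period finding. The quantum register is replaced by a brute-force order computation, the measured value is simulated as the integer nearest to a random multiple of size/order, and the fraction is reduced with a continued-fraction search (`limit_denominator`), which goes beyond the exact-multiple case treated in the notes. All function and variable names are this example's own, and N is assumed to be a small composite.

```python
import random
from fractions import Fraction

def euclid_gcd(x, y):
    """Euclid's algorithm as in the notes: keep taking the remainder."""
    while y:
        x, y = y, x % y
    return x

def classical_order(a, N):
    """Brute-force stand-in for quantum order finding (exponential time)."""
    order, value = 1, a % N
    while value != 1:
        order, value = order + 1, (value * a) % N
    return order

def order_from_measurement(a, N, rng):
    """Simulate the final measurement and recover the order from C/size."""
    size = 1 << (N * N - 1).bit_length()    # smallest power of two >= N^2
    true_order = classical_order(a, N)      # what the quantum register encodes
    while True:
        k = rng.randrange(true_order)       # random peak index, 0 .. order-1
        C = (2 * k * size + true_order) // (2 * true_order)  # nearest integer
        guess = Fraction(C, size).limit_denominator(N - 1).denominator
        if pow(a, guess, N) == 1:           # fails if gcd(k, order) > 1: repeat
            return guess

def shor_factor(N, rng=None):
    """Steps 1-5 of the factoring procedure for a small composite N."""
    rng = rng or random.Random()
    if N % 2 == 0:                          # step 1
        return 2
    for b in range(2, N.bit_length() + 1):  # step 2: is N a perfect power?
        root = round(N ** (1 / b))
        for cand in (root - 1, root, root + 1):
            if cand > 1 and cand ** b == N:
                return cand
    while True:                             # loops forever if N is prime
        a = rng.randrange(2, N)             # step 3
        z = euclid_gcd(a, N)
        if z > 1:
            return z
        order = order_from_measurement(a, N, rng)   # step 4
        if order % 2:
            continue                        # odd order: pick another a
        y = pow(a, order // 2, N)           # step 5
        if y != N - 1:                      # skip a^(order/2) = -1 mod N
            return euclid_gcd(y - 1, N)     # y^2 = 1, y != +-1: proper factor
```

Calling `shor_factor(15, random.Random(1))` returns 3 or 5 depending on which base is drawn; only the order computation would be replaced by the quantum circuit in a real run.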

The success rate of the last three steps must be reasonably high since this is a probabilistic algorithm. See discussions in the texts and in the paper of Ekert and Jozsa.

Readings

Benenti et al., Ch. 3.4
Kaye et al., Ch. 7.3
Nielsen and Chuang, Quantum Computation and Quantum Information, Ch. 5.3
literature: Shor, quant-ph/9508027; Ekert and Jozsa, Rev. Mod. Phys. 68, 733 (996)