Quantum Algorithms

Quantum Factoring
Michele Mosca
The Fifth Canadian Summer School on Quantum Information
August 3, 2005
Quantum Algorithms

• Quantum algorithms should exploit quantum parallelism and quantum interference.
• We have already seen some elementary algorithms.

Quantum Algorithms

• These algorithms have been computing essentially classical functions on quantum superpositions.
• This encoded information in the phases of the basis states: measuring basis states would provide little useful information.
• But a simple quantum transformation translated the phase information into information that was measurable in the computational basis.

Extracting phase information with the Hadamard operation

$H^{\otimes n} |x\rangle = \frac{1}{\sqrt{2^n}} \sum_{y} (-1)^{x \cdot y} |y\rangle$

$H^{\otimes n} \frac{1}{\sqrt{2^n}} \sum_{y} (-1)^{x \cdot y} |y\rangle = |x\rangle$
Overview

Quantum Phase Estimation
• Eigenvalue kick-back
• Eigenvalue estimation and order-finding/factoring
• Shor's approach
• Discrete Logarithm and Hidden Subgroup Problem (if there's time)

Quantum Phase Estimation

Suppose we wish to estimate a number $\omega \in [0,1)$ given the quantum state
$\frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} e^{2\pi i \omega y} |y\rangle$

Note that in binary we can express
$\omega = 0.x_1 x_2 x_3 \ldots$
$2\omega = x_1 . x_2 x_3 \ldots$
$2^{n-1}\omega = x_1 x_2 x_3 \ldots x_{n-1} . x_n x_{n+1} \ldots$
Quantum Phase Estimation

Since $e^{2\pi i k} = 1$ for any integer $k$, we have
$e^{2\pi i (2\omega)} = e^{2\pi i (x_1 . x_2 x_3 \ldots)} = e^{2\pi i x_1} e^{2\pi i (0.x_2 x_3 \ldots)} = e^{2\pi i (0.x_2 x_3 \ldots)}$
and in general
$e^{2\pi i (2^k \omega)} = e^{2\pi i (0.x_{k+1} x_{k+2} \ldots)}$
Quantum Phase Estimation

If $\omega = 0.x_1$ then we can do the following:
$\frac{|0\rangle + e^{2\pi i (0.x_1)} |1\rangle}{\sqrt{2}} = \frac{|0\rangle + (-1)^{x_1} |1\rangle}{\sqrt{2}} \xrightarrow{H} |x_1\rangle$
Useful identity

We can show that
$\frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} e^{2\pi i \omega y} |y\rangle = \frac{|0\rangle + e^{2\pi i (2^{n-1}\omega)} |1\rangle}{\sqrt{2}} \otimes \frac{|0\rangle + e^{2\pi i (2^{n-2}\omega)} |1\rangle}{\sqrt{2}} \otimes \cdots \otimes \frac{|0\rangle + e^{2\pi i \omega} |1\rangle}{\sqrt{2}}$

$= \frac{|0\rangle + e^{2\pi i (0.x_n x_{n+1} \ldots)} |1\rangle}{\sqrt{2}} \otimes \frac{|0\rangle + e^{2\pi i (0.x_{n-1} x_n x_{n+1} \ldots)} |1\rangle}{\sqrt{2}} \otimes \cdots \otimes \frac{|0\rangle + e^{2\pi i (0.x_1 x_2 \ldots)} |1\rangle}{\sqrt{2}}$
Quantum Phase Estimation

So if $\omega = 0.x_1 x_2$ then we can do the following:
$\frac{|0\rangle + e^{2\pi i (0.x_2)} |1\rangle}{\sqrt{2}} \xrightarrow{H} |x_2\rangle$
$\frac{|0\rangle + e^{2\pi i (0.x_1 x_2)} |1\rangle}{\sqrt{2}} \xrightarrow{R_2^{-1} \text{ controlled by } x_2} \frac{|0\rangle + e^{2\pi i (0.x_1)} |1\rangle}{\sqrt{2}} \xrightarrow{H} |x_1\rangle$
where
$R_k = \begin{pmatrix} 1 & 0 \\ 0 & e^{2\pi i / 2^k} \end{pmatrix}$
Quantum Phase Estimation

So if $\omega = 0.x_1 x_2 x_3$ then we can do the following:
$\frac{|0\rangle + e^{2\pi i (0.x_3)} |1\rangle}{\sqrt{2}} \xrightarrow{H} |x_3\rangle$
$\frac{|0\rangle + e^{2\pi i (0.x_2 x_3)} |1\rangle}{\sqrt{2}} \xrightarrow{R_2^{-1} \text{ controlled by } x_3} \frac{|0\rangle + e^{2\pi i (0.x_2)} |1\rangle}{\sqrt{2}} \xrightarrow{H} |x_2\rangle$
$\frac{|0\rangle + e^{2\pi i (0.x_1 x_2 x_3)} |1\rangle}{\sqrt{2}} \xrightarrow{R_3^{-1} \text{ controlled by } x_3,\ R_2^{-1} \text{ controlled by } x_2} \frac{|0\rangle + e^{2\pi i (0.x_1)} |1\rangle}{\sqrt{2}} \xrightarrow{H} |x_1\rangle$
Quantum Phase Estimation

Generalizing this network (and reversing the order of the qubits at the end) gives us a network with $O(n^2)$ gates that implements
$\frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n-1} e^{2\pi i x y / 2^n} |y\rangle \mapsto |x\rangle$
Discrete Fourier Transform

The discrete Fourier transform maps vectors of dimension $N$ by transforming the $x$-th elementary vector according to
$(0,0,\ldots,0,1,0,\ldots,0) \mapsto \frac{1}{\sqrt{N}} \left( 1,\ e^{2\pi i x/N},\ e^{2\pi i 2x/N},\ \ldots,\ e^{2\pi i (N-1)x/N} \right)$

The quantum Fourier transform maps vectors in a Hilbert space of dimension $N$ according to
$|x\rangle \mapsto \frac{1}{\sqrt{N}} \sum_{y=0}^{N-1} e^{2\pi i x y / N} |y\rangle$
Discrete Fourier Transform

Thus we have illustrated how to implement (the inverse of) the quantum Fourier transform in a Hilbert space of dimension $2^n$.
Estimating arbitrary $\omega \in [0,1)$

What if $\omega$ is not necessarily of the form $x/2^n$ for some integer $x$?

The QFT will map the superposition $\frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} e^{2\pi i \omega x} |x\rangle$ to a superposition $\sum_y \alpha_y |y\rangle$ where, writing $N = 2^n$,
$\Pr\left[ \left| \omega - \frac{y}{N} \right| \le \frac{1}{N} \right] \ge \frac{8}{\pi^2}$
and
$|\alpha_y| \in O\left( \frac{1}{N \left| \omega - \frac{y}{N} \right|} \right)$
Quantum Phase Estimation

For any real $\omega \in [0,1)$, the same network (Hadamards and controlled $R_2^{-1}$, $R_3^{-1}$) applied to
$\frac{|0\rangle + e^{2\pi i (4\omega)} |1\rangle}{\sqrt{2}} \otimes \frac{|0\rangle + e^{2\pi i (2\omega)} |1\rangle}{\sqrt{2}} \otimes \frac{|0\rangle + e^{2\pi i \omega} |1\rangle}{\sqrt{2}}$
outputs $|x_3\rangle |x_2\rangle |x_1\rangle$ where, with high probability,
$\frac{4 x_1 + 2 x_2 + x_3}{8} \approx \omega$
Eigenvalue kick-back

Recall the "trick":
$|x\rangle (|0\rangle - |1\rangle) \xrightarrow{U_f} |x\rangle (|f(x)\rangle - |f(x) \oplus 1\rangle) = |x\rangle (-1)^{f(x)} (|0\rangle - |1\rangle) = (-1)^{f(x)} |x\rangle (|0\rangle - |1\rangle)$
Eigenvalue kick-back

Consider a unitary operation $U$ with eigenvalue $e^{2\pi i \omega}$ and eigenvector $|\psi\rangle$:
$U |\psi\rangle = e^{2\pi i \omega} |\psi\rangle$
Applying $U$ controlled on a first qubit in state $|1\rangle$:
$|1\rangle |\psi\rangle \xrightarrow{c\text{-}U} |1\rangle U |\psi\rangle = |1\rangle e^{2\pi i \omega} |\psi\rangle = e^{2\pi i \omega} |1\rangle |\psi\rangle$
Eigenvalue kick-back

$|0\rangle |\psi\rangle \xrightarrow{c\text{-}U} |0\rangle |\psi\rangle$
Eigenvalue kick-back

As a relative phase, $e^{2\pi i \omega}$ becomes measurable:
$(|0\rangle + |1\rangle) |\psi\rangle \xrightarrow{c\text{-}U} (|0\rangle + e^{2\pi i \omega} |1\rangle) |\psi\rangle$
Eigenvalue kick-back

If we exponentiate $U$, we get multiples of $\omega$:
$U^x |\psi\rangle = e^{2\pi i \omega x} |\psi\rangle$
Eigenvalue kick-back

$(|0\rangle + |1\rangle) |\psi\rangle \xrightarrow{c\text{-}U^x} (|0\rangle + e^{2\pi i \omega x} |1\rangle) |\psi\rangle$
Eigenvalue kick-back

Applying $c\text{-}U^{2^{n-1}}, c\text{-}U^{2^{n-2}}, \ldots, c\text{-}U^2, c\text{-}U$, each controlled by its own qubit:
$(|0\rangle + |1\rangle)(|0\rangle + |1\rangle) \cdots (|0\rangle + |1\rangle)(|0\rangle + |1\rangle) |\psi\rangle \mapsto (|0\rangle + e^{2\pi i (2^{n-1}\omega)} |1\rangle)(|0\rangle + e^{2\pi i (2^{n-2}\omega)} |1\rangle) \cdots (|0\rangle + e^{2\pi i (2\omega)} |1\rangle)(|0\rangle + e^{2\pi i \omega} |1\rangle) |\psi\rangle$
Phase estimation

The inverse QFT network (Hadamards and controlled $R_2^{-1}, R_3^{-1}, \ldots$) then maps
$(|0\rangle + e^{2\pi i (2^{n-1}\omega)} |1\rangle)(|0\rangle + e^{2\pi i (2^{n-2}\omega)} |1\rangle) \cdots (|0\rangle + e^{2\pi i (2\omega)} |1\rangle)(|0\rangle + e^{2\pi i \omega} |1\rangle)$
to $|x_n\rangle \cdots |x_2\rangle |x_1\rangle$ with
$\frac{2^{n-1} x_1 + 2^{n-2} x_2 + \cdots + x_n}{2^n} \approx \omega$
Eigenvalue estimation

[Circuit: three control qubits, each in $|0\rangle + |1\rangle$, and target $|\psi\rangle$; controlled $U^4$, $U^2$, $U$; then the inverse QFT network ($H$, $R_2^{-1}$, $R_3^{-1}$) giving $|x_3\rangle |x_2\rangle |x_1\rangle$]
Eigenvalue estimation

[Circuit: $|0\rangle |0\rangle |0\rangle |\psi\rangle \xrightarrow{QFT_8} \xrightarrow{c\text{-}U^x} \xrightarrow{QFT_8^{-1}} |x_3\rangle |x_2\rangle |x_1\rangle |\psi\rangle$, i.e. the Hadamards are written as $QFT_8$ and the controlled powers of $U$ as one $U^x$ controlled on the value $x$ of the first register]
Eigenvalue estimation

Given $U$ with eigenvector $|\psi\rangle$ and eigenvalue $e^{2\pi i \omega}$ we thus have an algorithm that maps
$|0\rangle |\psi\rangle \xrightarrow{(QFT^{-1} \otimes I)\,(c\text{-}U^x)\,(QFT \otimes I)} |\tilde{\omega}\rangle |\psi\rangle$
Eigenvalue kick-back

Given $U$ with eigenvectors $|\psi_k\rangle$ and respective eigenvalues $e^{2\pi i \omega_k}$ we thus have an algorithm that maps
$|0\rangle |\psi_k\rangle \mapsto |\tilde{\omega}_k\rangle |\psi_k\rangle$
and therefore, by linearity,
$|0\rangle \sum_k \alpha_k |\psi_k\rangle \mapsto \sum_k \alpha_k |\tilde{\omega}_k\rangle |\psi_k\rangle$
Eigenvalue kick-back

Measuring the first register of $\sum_k \alpha_k |\tilde{\omega}_k\rangle |\psi_k\rangle$ is equivalent to measuring $|\tilde{\omega}_k\rangle$ with probability $|\alpha_k|^2$, i.e.
$\mathrm{Tr}_2 \left[ \left( \sum_k \alpha_k |\tilde{\omega}_k\rangle |\psi_k\rangle \right) \left( \sum_k \alpha_k^* \langle \tilde{\omega}_k | \langle \psi_k | \right) \right] = \sum_k |\alpha_k|^2 |\tilde{\omega}_k\rangle \langle \tilde{\omega}_k |$
(the cross terms vanish because the $|\psi_k\rangle$ are orthonormal).
Example

Suppose we have a group $G$ and we wish to find the order of $a \in G$ (i.e. the smallest positive $r$ such that $a^r = 1$).
• If we can efficiently do arithmetic in the group, then we can realize a unitary operator $U_a$ that maps $|x\rangle \mapsto |ax\rangle$.
• Notice that $U_a^r = U_{a^r} = I$.
This means that the eigenvalues of $U_a$ are of the form $e^{2\pi i k/r}$ where $k$ is an integer.
(Aside: more on reversible computing)

If we know how to efficiently compute $f$ and $f^{-1}$ then we can efficiently and reversibly map
$|b\rangle |x\rangle \xrightarrow{U_f} |b \oplus f(x)\rangle |x\rangle$ and $|y\rangle |c\rangle \xrightarrow{U_{f^{-1}}} |y\rangle |c \oplus f^{-1}(y)\rangle$

(Aside: more on reversible computing)

And therefore we can efficiently map $|x\rangle \mapsto |f(x)\rangle$:
$|x\rangle |0\rangle \xrightarrow{U_f} |x\rangle |f(x)\rangle \xrightarrow{U_{f^{-1}}} |x \oplus f^{-1}(f(x))\rangle |f(x)\rangle = |0\rangle |f(x)\rangle$
Example

Let $G = \mathbb{Z}_5^* = \{1,2,3,4\}$ (multiplication mod 5).
• Then $1^1 = 1$, $2^4 = 1$, $3^4 = 1$, $4^2 = 1$.
• We can easily implement, for example, $U_2$ (the three-bit strings below are the binary encodings of 1, 2, 4, 3):
$U_2 |001\rangle = |010\rangle$, $U_2^2 |001\rangle = |100\rangle$, $U_2^3 |001\rangle = |011\rangle$, $U_2^4 |001\rangle = |001\rangle$
The eigenvectors of $U_2$ include
$|\psi_k\rangle = \frac{1}{2} \sum_{j=0}^{3} e^{-2\pi i jk/4} |2^j \bmod 5\rangle$
Example

$|\psi_3\rangle = \frac{1}{2} \left( |001\rangle + e^{-2\pi i \cdot 3/4} |010\rangle + e^{-2\pi i \cdot 6/4} |100\rangle + e^{-2\pi i \cdot 9/4} |011\rangle \right)$
$= \frac{1}{2} \left( |001\rangle + e^{-2\pi i \cdot 3/4} |010\rangle + e^{-2\pi i \cdot 2/4} |100\rangle + e^{-2\pi i \cdot 1/4} |011\rangle \right)$
Example

$U_2 |\psi_3\rangle = \frac{1}{2} \left( |010\rangle + e^{-2\pi i \cdot 3/4} |100\rangle + e^{-2\pi i \cdot 2/4} |011\rangle + e^{-2\pi i \cdot 1/4} |001\rangle \right)$
$= e^{2\pi i \cdot 3/4} \cdot \frac{1}{2} \left( e^{-2\pi i \cdot 3/4} |010\rangle + e^{-2\pi i \cdot 2/4} |100\rangle + e^{-2\pi i \cdot 1/4} |011\rangle + |001\rangle \right) = e^{2\pi i \cdot 3/4} |\psi_3\rangle$
Example

$U_2 |\psi_0\rangle = |\psi_0\rangle$
$U_2 |\psi_1\rangle = e^{2\pi i \cdot 1/4} |\psi_1\rangle$
$U_2 |\psi_2\rangle = e^{2\pi i \cdot 2/4} |\psi_2\rangle$
$U_2 |\psi_3\rangle = e^{2\pi i \cdot 3/4} |\psi_3\rangle$
and
$\frac{1}{2} \left( |\psi_0\rangle + |\psi_1\rangle + |\psi_2\rangle + |\psi_3\rangle \right) = |001\rangle$
Example

$c\text{-}U_2: (|0\rangle + |1\rangle) |\psi_0\rangle \mapsto (|0\rangle + |1\rangle) |\psi_0\rangle$
$c\text{-}U_2: (|0\rangle + |1\rangle) |\psi_1\rangle \mapsto (|0\rangle + e^{2\pi i \cdot 1/4} |1\rangle) |\psi_1\rangle$
$c\text{-}U_2: (|0\rangle + |1\rangle) |\psi_2\rangle \mapsto (|0\rangle + e^{2\pi i \cdot 2/4} |1\rangle) |\psi_2\rangle$
$c\text{-}U_2: (|0\rangle + |1\rangle) |\psi_3\rangle \mapsto (|0\rangle + e^{2\pi i \cdot 3/4} |1\rangle) |\psi_3\rangle$
Example

$c\text{-}U_2^2: (|0\rangle + |1\rangle) |\psi_0\rangle \mapsto (|0\rangle + |1\rangle) |\psi_0\rangle$
$c\text{-}U_2^2: (|0\rangle + |1\rangle) |\psi_1\rangle \mapsto (|0\rangle + e^{2\pi i \cdot 2/4} |1\rangle) |\psi_1\rangle$
$c\text{-}U_2^2: (|0\rangle + |1\rangle) |\psi_2\rangle \mapsto (|0\rangle + e^{2\pi i \cdot 4/4} |1\rangle) |\psi_2\rangle = (|0\rangle + |1\rangle) |\psi_2\rangle$
$c\text{-}U_2^2: (|0\rangle + |1\rangle) |\psi_3\rangle \mapsto (|0\rangle + e^{2\pi i \cdot 6/4} |1\rangle) |\psi_3\rangle = (|0\rangle + e^{2\pi i \cdot 2/4} |1\rangle) |\psi_3\rangle$
Eigenvalue Kickback

$(|0\rangle + |1\rangle)(|0\rangle + |1\rangle) |\psi_3\rangle \xrightarrow{c\text{-}U_2^2,\ c\text{-}U_2} (|0\rangle + e^{2\pi i (0.1)} |1\rangle)(|0\rangle + e^{2\pi i (0.11)} |1\rangle) |\psi_3\rangle$
(since $3/4 = 0.11$ in binary and $2 \cdot 3/4 = 1.1 \equiv 0.1$)
Eigenvalue Kickback

$3 = 2 \cdot 1 + 1$, so the inverse QFT network ($H$, controlled $R_2^{-1}$, $H$) completes the map
$(|0\rangle + |1\rangle)(|0\rangle + |1\rangle) |\psi_3\rangle \xrightarrow{c\text{-}U_2^2,\ c\text{-}U_2,\ QFT^{-1}} |1\rangle |1\rangle |\psi_3\rangle$
Eigenvalue Kickback

In general, for $k = 2 k_1 + k_2$:
$(|0\rangle + |1\rangle)(|0\rangle + |1\rangle) |\psi_k\rangle \xrightarrow{c\text{-}U_2^2,\ c\text{-}U_2,\ QFT^{-1}} |k_1\rangle |k_2\rangle |\psi_k\rangle = |k\rangle |\psi_k\rangle$
Eigenvalue Kickback

Since $|1\rangle = \frac{1}{2} \sum_{k=0}^{3} |\psi_k\rangle$, by linearity
$(|0\rangle + |1\rangle)(|0\rangle + |1\rangle) |1\rangle = (|0\rangle + |1\rangle)(|0\rangle + |1\rangle) \frac{1}{2} \sum_{k=0}^{3} |\psi_k\rangle \xrightarrow{c\text{-}U_2^2,\ c\text{-}U_2,\ QFT^{-1}} \frac{1}{2} \sum_{k=0}^{3} |k\rangle |\psi_k\rangle$
Quantum Factoring

The security of many public key cryptosystems used in industry today relies on the difficulty of factoring large numbers into smaller factors.
• Factoring the integer $N$ into smaller factors can be reduced to the following task:
Given integer $a$, find the smallest positive integer $r$ so that $a^r \equiv 1 \bmod N$
Example

Let $a \in G = \mathbb{Z}_N^*$ with $a^r = 1$.
• We can easily implement $U_a |x\rangle = |ax\rangle$, and $U_a^r = I$.
• Moreover $U_a^{2^n} |x\rangle = U_{a^{2^n}} |x\rangle = |a^{2^n} x\rangle$, so a large power of $U_a$ is itself a single multiplication operator $U_b$ with $b = a^{2^n} \bmod N$.
The eigenvectors of $U_a$ include
$|\psi_k\rangle = \frac{1}{\sqrt{r}} \sum_{j=0}^{r-1} e^{-2\pi i jk/r} |a^j\rangle$
Example

$U_a |\psi_k\rangle = U_a \frac{1}{\sqrt{r}} \left( |1\rangle + e^{-2\pi i k/r} |a\rangle + e^{-2\pi i 2k/r} |a^2\rangle + \cdots + e^{-2\pi i (r-1)k/r} |a^{r-1}\rangle \right)$
$= \frac{1}{\sqrt{r}} \left( |a\rangle + e^{-2\pi i k/r} |a^2\rangle + e^{-2\pi i 2k/r} |a^3\rangle + \cdots + e^{-2\pi i (r-1)k/r} |a^r\rangle \right)$
$= e^{2\pi i k/r} \frac{1}{\sqrt{r}} \left( e^{-2\pi i k/r} |a\rangle + e^{-2\pi i 2k/r} |a^2\rangle + \cdots + e^{-2\pi i (r-1)k/r} |a^{r-1}\rangle + e^{-2\pi i rk/r} |a^r\rangle \right)$
$= e^{2\pi i k/r} |\psi_k\rangle$, since $a^r = 1$ and $e^{-2\pi i rk/r} = 1$.
Example

$c\text{-}U_{a^{2^j}}: (|0\rangle + |1\rangle) |\psi_k\rangle \mapsto \left( |0\rangle + e^{2\pi i 2^j k/r} |1\rangle \right) |\psi_k\rangle$
and
$\frac{1}{\sqrt{r}} \left( |\psi_0\rangle + |\psi_1\rangle + |\psi_2\rangle + \cdots + |\psi_{r-1}\rangle \right) = |1\rangle$
Eigenvalue kick-back

Given $U$ with eigenvectors $|\psi_k\rangle$ and respective eigenvalues $e^{2\pi i k/r}$ we thus have an algorithm that maps
$|0\rangle |\psi_k\rangle \mapsto |\widetilde{k/r}\rangle |\psi_k\rangle$
and therefore
$|0\rangle |1\rangle = |0\rangle \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} |\psi_k\rangle \mapsto \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} |\widetilde{k/r}\rangle |\psi_k\rangle$
Eigenvalue Estimation

[Circuit: a control register of $2n$ qubits, each in $|0\rangle + |1\rangle$, and target $|1\rangle = \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} |\psi_k\rangle$; controlled $U_a^{2^{2n-1}}, \ldots, U_a^{2}, U_a$; then $QFT_{2^{2n}}^{-1}$ on the control register; output $\frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} |\widetilde{k/r}\rangle |\psi_k\rangle$]
Eigenvalue kick-back

Measuring the first register of $\frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} |\widetilde{k/r}\rangle |\psi_k\rangle$ is equivalent to measuring $|\widetilde{k/r}\rangle$ with probability $1/r$ for each $k$.
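An added example, not part of the lecture notes: a classical simulation of the eigenvalue-estimation circuit just described for $U_a |x\rangle = |ax \bmod N\rangle$, returning the distribution of the control-register measurement. It reproduces the lecture's $\mathbb{Z}_5^*$, $a = 2$ case and also runs cases where $r$ does not divide $2^n$ (function names, $N$, $a$ and $n$ are the example's own choices).

```python
import cmath
from math import gcd


def order_finding_distribution(N, a, n):
    """Simulate the eigenvalue-estimation circuit for U_a|x> = |a*x mod N>.

    n control qubits start in (|0>+|1>)/sqrt(2) each and the target in |1>.
    Controlled-U_a^x gives (1/sqrt(M)) sum_x |x>|a^x mod N> with M = 2^n; the
    inverse QFT is then applied to the control register. Returns the probability
    of each control outcome y in [0, M), which concentrates near multiples of M/r.
    """
    assert gcd(a, N) == 1, "U_a is a permutation (unitary) only when gcd(a, N) = 1"
    M = 2 ** n
    # Group control values x by the target value a^x mod N they end up paired with;
    # each target value collects an arithmetic progression of x with step r.
    by_target = {}
    for x in range(M):
        by_target.setdefault(pow(a, x, N), []).append(x)
    probs = [0.0] * M
    for xs in by_target.values():
        for y in range(M):
            # Amplitude of |y>|t>: (1/M) * sum over paired x of e^{-2 pi i x y / M}
            amp = sum(cmath.exp(-2j * cmath.pi * x * y / M) for x in xs) / M
            probs[y] += abs(amp) ** 2
    return probs


def peaks(probs, threshold=0.05):
    """Control-register outcomes carrying more than `threshold` probability."""
    return [y for y, p in enumerate(probs) if p > threshold]


if __name__ == "__main__":
    # Lecture example: G = Z_5^*, a = 2 (order 4), two control qubits:
    # uniform over y = 0..3, i.e. the four values k/4.
    print(order_finding_distribution(5, 2, 2))
    # N = 15, a = 7 (order 4), four control qubits: exact peaks at 0, 4, 8, 12.
    print(peaks(order_finding_distribution(15, 7, 4)))
    # N = 21, a = 2 (order 6): 6 does not divide 64, so the probability is spread
    # around the integers nearest to 64k/6.
    print(peaks(order_finding_distribution(21, 2, 6)))
```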
Finding r

For most integers $k$, a good estimate of $k/r$ (with error at most $\frac{1}{2r^2}$) allows us to determine $r$ (even if we don't know $k$), using continued fractions.
(aside: how does factoring reduce to order-finding?)

The most common approach for factoring integers is the difference of squares technique:
» "Randomly" find two integers $x$ and $y$ satisfying $x^2 \equiv y^2 \bmod N$
» So $N$ divides $x^2 - y^2 = (x - y)(x + y)$
» Hope that $\gcd(N, x - y)$ is non-trivial
• If $r$ is even, then let $x = a^{r/2} \bmod N$ so that $x^2 \equiv 1^2 \bmod N$
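An added example (not from the lecture) covering the two classical post-processing steps above: recovering $r$ from a measured estimate $y/2^n$ of $k/r$ via the convergents of its continued fraction, and then the difference-of-squares step $\gcd(a^{r/2} - 1, N)$. Function names and the sample values ($N = 21$, $a = 2$, $y = 11$ out of $64$; $N = 15$, $a = 7$) are the example's own.

```python
from fractions import Fraction
from math import gcd

def continued_fraction(num, den):
    """Partial quotients [a0; a1, a2, ...] of the rational num/den (num, den >= 0)."""
    quotients = []
    while den:
        q, rem = divmod(num, den)
        quotients.append(q)
        num, den = den, rem
    return quotients

def convergents(quotients):
    """Successive convergents p/q of a continued fraction, each in lowest terms."""
    p_prev, q_prev, p, q = 0, 1, 1, 0
    for a in quotients:
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
        yield Fraction(p, q)

def recover_order(y, M, a, N):
    """Finding r: y/M is the phase-estimation output, an estimate of k/r for an
    unknown k. Walk the convergents of y/M; the first denominator r < N with
    a^r = 1 mod N is the order. Returns None when no convergent works, e.g. when
    gcd(k, r) > 1 so that y/M approximates a fraction with a smaller denominator."""
    for c in convergents(continued_fraction(y, M)):
        r = c.denominator
        if r >= N:
            break
        if pow(a, r, N) == 1:
            return r
    return None

def factor_from_order(a, r, N):
    """Difference-of-squares step: with x = a^(r/2), x^2 = 1 mod N, so N divides
    (x - 1)(x + 1). Unless x = -1 mod N, gcd(x - 1, N) is a nontrivial factor.
    Returns (p, q) with p * q = N, or None for odd r or x = -1 mod N."""
    if r % 2:
        return None
    x = pow(a, r // 2, N)
    if x == N - 1:
        return None
    p = gcd(x - 1, N)
    return (p, N // p) if 1 < p < N else None
```

With six control qubits and $a = 2$, $N = 21$, the outcome $y = 11$ lies within $\frac{1}{2 \cdot 6^2}$ of $1/6$, so recover_order(11, 64, 2, 21) returns 6 and factor_from_order(2, 6, 21) returns (7, 3); the outcome $y = 8$ for $a = 7$, $N = 15$ estimates $2/4 = 1/2$ and recover_order(8, 16, 7, 15) returns None, the $\gcd(k, r) > 1$ failure case.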
Shor's approach

This eigenvalue estimation approach is not the original approach discovered by Shor.
• Kitaev developed an eigenvalue estimation approach (to the more general "Hidden Stabilizer Problem").
• We've presented the CEMM version here.
Discrete Fourier Transform

The discrete Fourier transform maps uniform periodic states, say with period $r$ dividing $N$ and offset $w$, to a periodic state with period $N/r$. For example (here $N = 12$, $r = 4$, $w = 2$):
$\sqrt{\frac{r}{N}}\,(0,0,1,0,0,0,1,0,0,0,1,0) \mapsto \frac{1}{\sqrt{r}} \left( 1,0,0,\ e^{2\pi i w/r},0,0,\ e^{2\pi i 2w/r},0,0,\ e^{2\pi i (r-1)w/r},0,0 \right)$
Discrete Fourier Transform

The quantum Fourier transform maps vectors in a Hilbert space of dimension $N$ according to
$\sqrt{\frac{r}{N}} \sum_{x=0}^{N/r - 1} |xr + w\rangle \mapsto \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} e^{2\pi i wk/r} \left| \frac{kN}{r} \right\rangle$
Shor's Factoring Algorithm

[Diagram: $|0\rangle |1\rangle \xrightarrow{F} \sum_x |x\rangle |1\rangle \xrightarrow{U_a^x} \sum_x |x\rangle |a^x\rangle$; fixing the value $a^{w_0}$ of the second register leaves $\sum_{y=0}^{N/r - 1} |w_0 + ry\rangle |a^{w_0}\rangle$, and $F^{-1}$ maps the first register to $\sum_{k=0}^{r-1} e^{2\pi i w_0 k / r} \left| \frac{kN}{r} \right\rangle$ (normalizations omitted)]
Network for Shor's Factoring Algorithm

[Circuit: first register $|0\rangle$, second register $|1\rangle$; $F$ on the first register, $U_a^x$ controlled by the value $x$ of the first register, then $F^{-1}$ on the first register]
Eigenvalue Estimation Factoring Algorithm

[Diagram: $|0\rangle |1\rangle \xrightarrow{F} \sum_x |x\rangle |1\rangle = \sum_x |x\rangle \sum_k |\psi_k\rangle \xrightarrow{U_a^x} \sum_x \sum_k e^{2\pi i xk/r} |x\rangle |\psi_k\rangle = \sum_k \left( \sum_x e^{2\pi i xk/r} |x\rangle \right) |\psi_k\rangle \xrightarrow{F^{-1}} \sum_k |\widetilde{k/r}\rangle |\psi_k\rangle$ (normalizations omitted)]
Network for Eigenvalue Estimation Factoring Algorithm

[Circuit: first register $|0\rangle$, second register $|1\rangle$; $F$ on the first register, $U_a^x$ controlled by the value $x$ of the first register, then $F^{-1}$ on the first register; the same network as for Shor's algorithm]
Equivalence of Shor & CEMM

Shor analysis:
$|0\rangle |1\rangle \xrightarrow{F} \sum_x |x\rangle |1\rangle \xrightarrow{U_a^x} \sum_x |x\rangle |a^x\rangle = \sum_{s=0}^{r-1} \left( \sum_{x \equiv s \bmod r} |x\rangle \right) |a^s\rangle$

CEMM analysis:
$|0\rangle |1\rangle = |0\rangle \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} |\psi_k\rangle \xrightarrow{F} \sum_x |x\rangle \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} |\psi_k\rangle \xrightarrow{U_a^x} \sum_x \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} e^{2\pi i xk/r} |x\rangle |\psi_k\rangle$

The two descriptions agree because
$|a^s\rangle = \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} e^{2\pi i sk/r} |\psi_k\rangle$
(the inverse of the definition of $|\psi_k\rangle$): the second register's basis $\{|a^s\rangle\}$ and eigenbasis $\{|\psi_k\rangle\}$ are related by a Fourier transform of dimension $r$ (normalizations of the first register omitted).
Discrete Logarithm Problem

Consider two elements $a, b \in G$ from a group $G$ satisfying $a^r = 1$ and $b = a^s$. Find $s$.
Let $U_a |x\rangle = |ax\rangle$.
Discrete Logarithm Problem

We know $U_a$ has eigenvectors
$|\psi_k\rangle = \frac{1}{\sqrt{r}} \sum_{j=0}^{r-1} e^{-2\pi i jk/r} |a^j\rangle$
with
$U_a |\psi_k\rangle = e^{2\pi i k/r} |\psi_k\rangle$
Discrete Logarithm Problem

Thus $U_b = U_a^s$ has the same eigenvectors but with eigenvalues exponentiated to the power of $s$:
$U_b |\psi_k\rangle = U_a^s |\psi_k\rangle = e^{2\pi i ks/r} |\psi_k\rangle$
Discrete Logarithm Problem

[Circuit: $|0\rangle |\psi_k\rangle \xrightarrow{F_r} \xrightarrow{U_a^x} \xrightarrow{F_r^{-1}} |k\rangle |\psi_k\rangle$]

Discrete Logarithm Problem

[Circuit: $|0\rangle |\psi_k\rangle \xrightarrow{F_r} \xrightarrow{U_b^x} \xrightarrow{F_r^{-1}} |ks\rangle |\psi_k\rangle$]

Given $k$ and $ks$, we can compute $s \bmod r$ (provided $k$ and $r$ are coprime).
Abelian Hidden Subgroup Problem

$G = \mathbb{Z}_{M_0} \times \mathbb{Z}_{M_1} \times \cdots \times \mathbb{Z}_{M_n}$, $f: G \to X$, $K \le G$, with
$f(x) = f(y)$ iff $x - y \in K$.
Find generators for $K$.
Network for AHS

[Circuit: $|0\rangle \xrightarrow{F} \xrightarrow{U_f} \xrightarrow{F^{-1}}$, with $F$ and $F^{-1}$ acting on the first register and $U_f$ writing $f$ into the second]
AHS Algorithm in standard basis

[Diagram: $\sum_x |x\rangle |f(x)\rangle$ regrouped over coset representatives $s_0, s_1, \ldots$ as $\sum_s \left( \sum_{w \in K} |s + w\rangle \right) |f(s)\rangle$; $F^{-1}$ is then applied to the first register (residue of the original figure)]
AHS for $\mathbb{Z}_2^n$ in eigenbasis (Simon's Problem)

[Diagram: states of the form $\sum_x (-1)^{x \cdot s} |x\rangle$ and $|f(x)\rangle$ with $f(x) = f(x \oplus y)$ for $y \in K$; $\sum_x (-1)^{x \cdot s} |f(x)\rangle$ is an eigenvector for $s \in K^{\perp}$; $F$ and $F^{-1}$ on the first register; output $|s\rangle$ (residue of the original figure)]
Other applications of Abelian HSP

Any finite Abelian group $G$ is the direct sum of finite cyclic groups $\langle g_1 \rangle \oplus \langle g_2 \rangle \oplus \cdots \oplus \langle g_n \rangle$.
• But finding generators $g_1, g_2, \ldots, g_n$ satisfying $G = \langle g_1 \rangle \oplus \langle g_2 \rangle \oplus \cdots \oplus \langle g_n \rangle$ is not always easy, e.g. for $G = \mathbb{Z}_N^*$ it's as hard as factoring $N$.
• Given any polynomial sized set of generators, we can use the Abelian HSP algorithm to find new generators that decompose $G$ into a direct sum of finite cyclic groups.
Examples:
Deutsch's Problem: $G = \{0,1\}$, $X = \{0,1\}$, $K = \{0\}$ or $\{0,1\}$
Order finding: $G = \mathbb{Z}$, $f(x) = a^x$, $X$ = any group, $K = r\mathbb{Z}$

Example:
Discrete log of $b = a^k$ to base $a$: $G = \mathbb{Z}_r \times \mathbb{Z}_r$, $f(x, y) = a^x b^y$, $X$ = any group, $K = \langle (k, -1) \rangle$
Examples:
Self-shift equivalences: $G = GF(q)^n$, $X = GF(q)[X_1, X_2, \ldots, X_n]$, $f(a_1, a_2, \ldots, a_n) = P(X_1 + a_1, \ldots, X_n + a_n)$,
$K = \{(a_1, \ldots, a_n) : P(X_1 + a_1, \ldots, X_n + a_n) = P(X_1, \ldots, X_n)\}$
What about non-Abelian HSP

Consider the symmetric group $G = S_n$
• $S_n$ is the set of permutations of $n$ elements
• Let $G$ be an $n$-vertex graph
• Let $X = \{\pi(G) \mid \pi \in S_n\}$
• Define $f_G : S_n \to X$, $f_G(\pi) = \pi(G)$
• Then $f_G(\pi_1) = f_G(\pi_2)$ iff $\pi_1 K = \pi_2 K$, where $K = \mathrm{AUT}(G) = \{\pi \mid \pi(G) = G\}$
Graph automorphism problem

So the hidden subgroup of $f_G$ is the automorphism group of $G$.
• This is a difficult problem in NP that is believed not to be in BPP and yet not NP-complete.
Other

Progress on the Hidden Subgroup Problem in non-Abelian groups (not an exhaustive list):
• Ettinger, Hoyer, arxiv.gov/abs/quant-ph/9807029
• Roetteler, Beth, quant-ph/9812070
• Ivanyos, Magniez, Santha, arxiv.org/abs/quant-ph/0102014
• Friedl, Ivanyos, Magniez, Santha, Sen, quant-ph/0211091 (Hidden Translation and Orbit Coset in Quantum Computing); they show e.g. that the HSP can be solved for solvable groups with bounded exponent and of bounded derived series
• Moore, Rockmore, Russell, Schulman, quant-ph/0211124