Algorithm of Shor

In Arithmetic modular, the algorithm of Shor is a quantum algorithm for to factorize a number NR in time O ((log NR ) ³) and spaces some O (log NR ), named in the honor of Peter Shor.

Many cryptosystèmes to public key, such as RSA, would become breakable by a third if the algorithm of Shor were one day programmed in a quantum Calculateur practical. A coded message with RSA can be deciphered by factorization of its public key NR , which is the product of two prime numbers. It is known that the traditional algorithms cannot do that in time O ((log NR ) ^K) for any K , therefore, they quickly become impracticable when NR increases, unlike the algorithm of Shor which can break the RSA in polynomial time. It was also wide to attack many others cryptosystèmes with public key.

Like all the algorithms for quantum calculator, the algorithm of Shor is probabilist: it gives the correct answer with a high probability and the probability of failure can be decreased by repeating the algorithm.

The algorithm of Shor was used in 2001 by a group of IBM, which factorized 15 into 3 and 5, by using a quantum calculator of 7 Qubit S.

Procedure

The problem that we will try to solve is the following, that is to say a whole given NR , we try to find another entirety p ranging between 1 and NR which divides NR .

The algorithm of Shor consists of two parts:

a reduction of the problem of factorization in a problem of search for order, which can be carried out on a traditional computer.
a quantum algorithm to solve the problem of search for order.

Traditional part

Prendre a pseudo-random number has < NR
To calculate the pgcd ( has , NR ). This can be carried out by the use of the Algorithme of Euclide.
If pgcd ( has , NR ) ≠ 1, then it is a not-commonplace factor of NR , therefore carried out.
Differently, to use the sub-routine of search for period (below) to find R , the period of the following function:
$f (X) = a^x \ \ mbox {MOD} \ N$ ,
c.a.d. the smallest entirety R for which $f (x+r) = F (X)$ .
If R is odd, to turn over at stage 1.
If has ^{R /2} ≡ -1 (MOD NR ), to turn over at stage 1.
the factors of NR is pgcd (a^{R /2} ± 1, NR ). Carried out.

Quantum part: sub-routine of search for period

Commencer with exit and input registers of each one log₂ NR qubits, and to initialize them with:

$N^ {- 1/2} \ sum_x \ left|X \ right \ rangle \ left|0 \ right \ rangle$

where X goes from 0 to NR - 1.

Construire F ( X ) like a quantum function and to apply it at the preceding state, to obtain

$N^ {- 1/2} \ sum_x \ left|X \ right \ rangle \ left|F (X) \ right \ rangle$

Appliquer the transformed of quantum Fourier to the input register. The quantum transform of Fourier on NR points is defined by:

$U_ {QFT} \ left|X \ right \ rangle$

N^ {- 1/2} \ sum_y e^ {2 \ pi I X y/N} \ left|there \ right \ rangle

What gives the following state:

$N^ {- 1} \ sum_x \ sum_y e^ {2 \ pi I X y/N} \ left|there \ right \ rangle \ left|F (X) \ right \ rangle$

Effectuer a measurement. One obtains a certain value thus there in the input register and $f (x_0)$ in the register of exit. As F is periodic, the probability of measuring some is given there by

$N^ {- 1} \ sum_ {x:\, F (X) =f (x_0)} \ left| e^ {2 \ pi I X y/N} \ right|^2$

N^ {- 1} \ sum_ {B} \ left| e^ {2 \ pi I (x_0 + R b) y/N} \ right|^2

Calculation shows that this probability is higher when yr/N is close to a entier.

Mettre y/N in irreducible form, and to extract the denominator R ′, which is a candidate for R .

Vérifier if F ( X ) = F ( X + R ′). If it is the case, it is terminé.

Autrement, to obtain more candidates for R by using values close to there , or multiples of R ′. If another candidate walks, it is terminé.

Sinon, to turn over at stage 1 of the sous-routine.

Explanation of the algorithm

The algorithm is composed of two parts. The first part transforms the problem of factorization into a problem of search for period of a function and can be implemented in a traditional way. The second part finds the period by using the quantum transform of Fourier and is responsible for quantum acceleration.

I. To obtain factors as from the period

The entireties lower than NR and first with NR form a group finished provided with the multiplication modulo NR , which is typically noted ( Z / NR Z ) ^×. By the end of stage 3, we have an entirety has in this group. As the group is finished, has must have an order finished R , the smallest positive entirety such as

$a^r \ equiv 1 \ \ mbox {MOD} \ N$

Consequently, NR | ( has ^R - 1). Let us suppose that we summons able to obtain R and that it is even. Then

$a^r - 1 = (a^ {r/2} - 1) (a^ {r/2} + 1) \ equiv 0 \ \ mbox {MOD} \ N$

\ Rightarrow NR \ | (a^ {r/2} - 1) (a^ {r/2} + 1)

R is the smaller whole positive such as has ^R ≡ 1, therefore NR cannot divide ( has ^{R /2} - 1). If NR does not divide either ( has ^{R /2} + 1), then NR must have a not-commonplace common factor with each one of ( has ^{R /2} - 1) and ( has ^{R /2} + 1).

Proof: to simplify, let us note ( has ^{R /2} - 1) and ( has ^{R /2} + 1) by U and v respectively. NR | UV , therefore kN = UV for certain entirety K . Let us suppose that pgcd ( U , NR ) = 1; then driven + nN = 1 for certain entireties m and N (this is a property of the pgcd.) By multiplying both dimensioned by v , we find that mkN + nvN = v , therefore NR | v . By contradiction, pgcd ( U , NR ) ≠ 1. By a similar argument, pgcd ( v , NR ) ≠ 1.

This provides us a factorization of NR . If NR is the product of two prime numbers, this is the alone possible factorization.

II. To find the period

The algorithm of search for period of Shor is strongly connected to the capacity of a quantum Calculateur to be in many states simultaneously. The physicists call this behavior a “superposition” of states. To calculate the period of a function F , we simultaneously evaluate the function in all its points.

However, the quantum physics do not enable us to reach all information directly. A measurement will provide only one among all the possible values by destroying all the others. Consequently we have to transform with precaution the superposition into another state which will turn over the correct answer with a high probability. This is completed by the transformed of quantum Fourier.

Shor had thus to solve three problems of “implementation”. All were implemented “quickly”, which wants to say that they can be implemented with a number of quantum doors which is polynomial in $\ log N$ .

To create a superposition of states.
This can be made by applying doors of Hadamard to all the qubits in the input register. Another approach would be to use the quantum transform of Fourier (see below).
To implement the function F like a quantum transformation.
To complete that, Shor used the rise with the square for its transformation in modular exponentiation.
To carry out a quantum transformation of Fourier.
By using the NOT controlled doors and them doors rotating qubit single Shor designed a circuit for the quantum transform of Fourier who uses just $O ((\ log NR) ^2)$ doors.

After all these transformations, a measurement will provide an approximation of the period R . To simplify, we ensure that there exists a such as yr/N is an entirety there. Then the probability of measuring is 1 there. To see that, let us note that then

e^ {2 \ pi I B yr/N} = 1

For all the entireties B . Consequently, the sum which gives us the probability of measuring there will be of N/r as B takes N/r values overall and thus, the probability is 1/r . There exists R such as yr/N is an entirety there thus the probabilities add up 1.

Note: another manner of explaining the algorithm of Shor is to note that it is right the disguised Algorithme of quantum estimate of phase.

References

Préimpression of the original article of Peter Shor:

'' Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms one has Quantum Computer '', Peter W. Shor

A book general practitioner on quantum calculation:

Quantum Computation and Quantum Information , Michael A. Nielsen, Isaac L. Chuang, Cambridge University Near, 2000

Random links: