Order finding and factoring

The order-finding and subsequent factoring algorithm is a canonical (and rare) example of an application of quantum computers. Certain cryptography protocols (e.g., public key cryptography) leverage factoring, a com-putationally challenging problem, to generate a secure key. We will show below that quantum computers can be used to factor large numbers more efficiently than classical computers, and quantify the speedup. Order finding and factoring is also another application of the QFT. In this section, we will describe the order finding and factoring algorithms in detail.

Consider two positive integers a and N such that a < N , and which have no common factors. We call r an order of amodN if r is the smallest integer such that a^r= 1modN . This is equivalent to

a^r= bN + 1, (205)

for b ∈ Z. As a simple example, consider a = 5, N = 44. We can brute force check r = 2, 3, .. to check which r is the order. In this case, we find that r = 5 is the order, since 5⁵ = 3125, and we see that 3125 − (71 × 44) = 1, satisfying (205). For large numbers, this procedure is computationally challenging. We can get some intuition for why in our original approach for finding the order r, the simple example above, where we “brute-force” checked the values of r in ascending order.

Mathematical remarks

Order finding is very closely related to factoring. In the factoring problem, we are given the large number N , and we need to find its factors p, q where N = pq. Of course, if we know p or q, finding the other factor is easy.

However, if neither is known, this is believed to be hard classically. This problem serves as the basis for public key cryptography (such as RSA, which is widely used today). The basic idea of RSA is that Alice can choose two values p and q, send N to Bob, and to decrypt the message, one must know either p or q. A few statements are in order:

• The fastest known classical algorithm for factoring scales with O(N^1/3), where N is exponential in the number of digits, or number of bits required to encode the number.

• It is actually believed that faster classical algorithms exist, but they are not yet known.

• In fact, the problem itself is not computationally hard on a quantum computer, since we will see that Shor’s algorithm, reducing factoring to order finding, can solve the problem in a number of steps that scales with logN .

In fact, in the following we will describe an algorithm which shows that order finding is equivalent to factoring.

We consider a large number N to be factored. The steps are as follows:

1. Pick some a < N , and check if the greatest common denominator is 1. This can be done using the Euclid algorithm, where if we assume N = pq, and a = pz, and that an integer b₁ exists such that:

N = b₁a + r₁, (206)

then r1is also divisible by p.

2. We can continue the Euclidean algorithm another step:

a = b2r1+ r2, (207)

where we find that by the same logic r2 is also divisible by p if N and a are divisible by p. Recall that for factoring, we need to find these two numbers which have a common factor different than 1. Therefore, if after many steps we find p 6= 1, our problem is solved.

3. However, if p = 1, we must find r such that (an order-finding problem) a^ris

a^r= bN + 1. (208)

If r is odd, we have to repeat this procedure from the beginning (picking another a).

4. If r is even, we can write this expression as

(a^r/2+ 1)(a^r/2− 1)

= bN

= bpq.

(209)

At this point, one should check if (a^r/2±1) is divisible by N . If it is, then we must start from the beginning.

5. However, if not, (a^r/2 ± 1) shares a common divisor with N . At this point, one can use the efficient Euclidean algorithm to find the divisor.

In other words, if we can efficiently find r that satisfies (205), we can use the Euclidean algorithm to find the factors of N efficiently. So the problem of factoring indeed reduces to order finding.

Now, with this mathematical remark aside, let us consider the quantum algorithm for order finding. Our approach will be based on quantum phase estimation. We begin by constructing a unitary

Ua|yi = |aymodN i , 0 ≤ y ≤ N − 1. (210)

Consider the eigenstates of Ua, which can be formally written in the following form

|usi = 1

where r is the order as seen above. We can show formally that this is true by acting Ua|usi, which will simply lead to

where we can now rewrite the terms in the sum using the fact that r obeys a^r= 1 from (205), so that the last term |a^rmodN i can be rewritten as |1i. We can rewrite (212) as

Ua|usi = exp 2πis 2



|usi , (213)

so we see that |usi are all eigenstates of UAwith eigenvalue given by exp(^2πis₂ ). At this point, we can implement order finding using the following steps:

1. Prepare some eigenstate (or superposition of eigenstates)

2. Perform QPE to find s/r. With k auxiliary qubits, we can determine with high accuracy k digits of the fraction s/r.

3. Extract s and r, which are integers, from the ratio. This is a bit subtle, but suppose we know the fractional number s/r exactly (e.g. 0.153 in decimal). We can easily write this as ₁₀₀₀¹⁵³, and simplify to get s and r.

The subtlety arises from the fact that we have an approximation to s/r, but it turns out since we know this with exponential accuracy, we can use so-called continued fractions to obtain very good estimates of s and r.

4. Once we have a vaule of r, we can easily check that it is an order.

Remarks

1. How do we prepare |usi? Let us consider the superposition

If s 6= 0, each term will have a phase, these terms will interfere destructively and add to 0. So we can rewrite (214) as

r−1

X

m=0

δm,0|a^m, modN i = |1i . (215)

This means that we can actually produce the superposition in (214) by simply preparing the binary state

|1i, and run this phase estimation. Then, for different instances of phase estimation, we will sample different eigenstates for U_A.

To summarize this approach, we will start in |1i and run phase estimation several times. In the first instance, we will estimate ^s_r¹, then ^s_r², etc. Knowing a few si/r will help us determine the simplified expression ^s_r.

2. It remains to show that we can implement QPE efficiently. This is done using modular exponentiation.

Recall that we need to implement e.g.

U_a²|yi = |a²ymodN i U_a⁴|yi = |a⁴ymodN i

. . .

(216)

Consider the register |xi |yi, where |xi is the auxiliary register we use to implement QPE, and |yi stores the superposition of eigenvectors to Ua. We want to implement the transformation

|xi |yi → |xi U_a^xk2k−1...U_a^x020|yi

= |xi |a^{xk2k−1+x020}ymodN i

= |xi |a^xymodN i.

(217)

If we can implement |1i → |amodN i, then |1i → |a²modN i, etc, then the entire procedure will only require k steps to implement the unitary to the power 2^k. What remains is to show how to implement this modulo square. This is similar to conventional multiplication and requires only n² operations. This step is a bit cumbersome, but is related to finding a classical multiplication algorithm/circuit and making it reversible.

At this point, one can implement it using e.g. Toffoli gates. In total, this requires kn²∼ n³∼ (logN )³. 3. We can consider starting with

H^⊗k|0...0i |1i =X

|xi |1i , (218)

and after the modulo square and subsequent exponentials, we get

X|xi |a^xmodN i . (219)

Note that r is exactly the period of the function (a^x mod N ). At this point we can perform QFT. We can see the effect of this by writing the expression in (219)

X

Now we see that QFT will exactly reveal this period r. (More precisely, QFT will give us a very precise estimate of r.)