# Shor's Algorithm

Prerequisites: Quantum Fourier Transformation, Quantum Phase Estimation  

Shor's algorithm is an algorithm used to factor integers in polynomial time. To do so, we first find a solution for the problem of period finding for $a^x\ mod\ N$. If we can do so, we can factor integers in polynomial time too, as it is possible to convert the factoring problem to the period finding problem in polyomial time.

# Period Finding.
### Problem 
Find the period of the function : $a^x\ mod\ N$  
Where $a,\ N \in \mathbb{N},\ a\ <\ N,\ gcd(a,\ N)\ =\ 1$  
The period of the function, $r$, is defined as the smallest non-zero integer such that  
$a^r\ mod\ N\ =\ 1$

  
For example, for a = 3, and N = 35, the period r = 12.  

### Solution
Shor's solution used quantum phase estimation on the unitary operator : $U|y\rangle \equiv |ay \bmod N \rangle$  
To see how this helps us, lets say we start in state |1⟩. Now suppose that each successive application of U will multiply the state of our register by a (mod N), then after r applications we will arrive at state |1⟩ again. Example with a = 3, and N = 35.  
$\begin{aligned}
U|1\rangle &= |3\rangle & \\
U^2|1\rangle &= |9\rangle \\
U^3|1\rangle &= |27\rangle \\
& \vdots \\
U^{(r-1)}|1\rangle &= |12\rangle \\
U^r|1\rangle &= |1\rangle 
\end{aligned}$  

So a superposition of the states in this cycle ( |u0⟩ ) would be an eigenstate of  U :

$|u_0\rangle = \tfrac{1}{\sqrt{r}}\sum_{k=0}^{r-1}{|a^k \bmod N\rangle}$

For a = 3, N = 35, it would be:  
$\begin{aligned}
|u_0\rangle &= \tfrac{1}{\sqrt{12}}(|1\rangle + |3\rangle + |9\rangle \dots + |4\rangle + |12\rangle) \\[10pt]
U|u_0\rangle &= \tfrac{1}{\sqrt{12}}(U|1\rangle + U|3\rangle + U|9\rangle \dots + U|4\rangle + U|12\rangle) \\[10pt]
 &= \tfrac{1}{\sqrt{12}}(|3\rangle + |9\rangle + |27\rangle \dots + |12\rangle + |1\rangle) \\[10pt]
 &= |u_0\rangle
\end{aligned}$

The eigenstate has an eigen value of 1, but this is not that useful. A more useful case is when the phase of the kth state is proportional to k:  
$\begin{aligned}
|u_1\rangle &= \tfrac{1}{\sqrt{r}}\sum_{k=0}^{r-1}{e^{-\tfrac{2\pi i k}{r}}|a^k \bmod N\rangle}\\[10pt]
U|u_1\rangle &= e^{\tfrac{2\pi i}{r}}|u_1\rangle 
\end{aligned}$

For a = 3, N = 35, it would be: 
$\begin{aligned}
|u_1\rangle &= \tfrac{1}{\sqrt{12}}(|1\rangle + e^{-\tfrac{2\pi i}{12}}|3\rangle + e^{-\tfrac{4\pi i}{12}}|9\rangle \dots + e^{-\tfrac{20\pi i}{12}}|4\rangle + e^{-\tfrac{22\pi i}{12}}|12\rangle) \\[10pt]
U|u_1\rangle &= \tfrac{1}{\sqrt{12}}(|3\rangle + e^{-\tfrac{2\pi i}{12}}|9\rangle + e^{-\tfrac{4\pi i}{12}}|27\rangle \dots + e^{-\tfrac{20\pi i}{12}}|12\rangle + e^{-\tfrac{22\pi i}{12}}|1\rangle) \\[10pt]
U|u_1\rangle &= e^{\tfrac{2\pi i}{12}}\cdot\tfrac{1}{\sqrt{12}}(e^{\tfrac{-2\pi i}{12}}|3\rangle + e^{-\tfrac{4\pi i}{12}}|9\rangle + e^{-\tfrac{6\pi i}{12}}|27\rangle \dots + e^{-\tfrac{22\pi i}{12}}|12\rangle + e^{-\tfrac{24\pi i}{12}}|1\rangle) \\[10pt]
U|u_1\rangle &= e^{\tfrac{2\pi i}{12}}|u_1\rangle
\end{aligned}$

This is extremely useful as the eigenvalue contains r. The r has to be included to make sure the phase differences between the r computational basis states are equal. To generalise it further, we can multiply an integer s to this phase difference, and it will still show up in our eigenvalue:  
$\begin{aligned}
|u_s\rangle &= \tfrac{1}{\sqrt{r}}\sum_{k=0}^{r-1}{e^{-\tfrac{2\pi i s k}{r}}|a^k \bmod N\rangle}\\[10pt]
U|u_s\rangle &= e^{\tfrac{2\pi i s}{r}}|u_s\rangle 
\end{aligned}$

Example for a = 3, N = 35:  
$\begin{aligned}
|u_s\rangle &= \tfrac{1}{\sqrt{12}}(|1\rangle + e^{-\tfrac{2\pi i s}{12}}|3\rangle + e^{-\tfrac{4\pi i s}{12}}|9\rangle \dots + e^{-\tfrac{20\pi i s}{12}}|4\rangle + e^{-\tfrac{22\pi i s}{12}}|12\rangle) \\[10pt]
U|u_s\rangle &= \tfrac{1}{\sqrt{12}}(|3\rangle + e^{-\tfrac{2\pi i s}{12}}|9\rangle + e^{-\tfrac{4\pi i s}{12}}|27\rangle \dots + e^{-\tfrac{20\pi i s}{12}}|12\rangle + e^{-\tfrac{22\pi i s}{12}}|1\rangle) \\[10pt]
U|u_s\rangle &= e^{\tfrac{2\pi i s}{12}}\cdot\tfrac{1}{\sqrt{12}}(e^{-\tfrac{2\pi i s}{12}}|3\rangle + e^{-\tfrac{4\pi i s}{12}}|9\rangle + e^{-\tfrac{6\pi i s}{12}}|27\rangle \dots + e^{-\tfrac{22\pi i s}{12}}|12\rangle + e^{-\tfrac{24\pi i s}{12}}|1\rangle) \\[10pt]
U|u_s\rangle &= e^{\tfrac{2\pi i s}{12}}|u_s\rangle
\end{aligned}$

We now have a unique eigenstate for each integer value of s where $0 \leq s \leq r-1$. If we sum up all these eigenstates, the different phases cancel out all computational bias states except $|1\rangle$:  
$\tfrac{1}{\sqrt{r}}\sum_{s=0}^{r-1} |u_s\rangle = |1\rangle$

Example with a = 7 and N = 15 (smaller r, r = 4):  
$\begin{aligned}
\tfrac{1}{2}(\quad|u_0\rangle &= \tfrac{1}{2}(|1\rangle \hphantom{e^{-\tfrac{2\pi i}{12}}}+ |7\rangle \hphantom{e^{-\tfrac{12\pi i}{12}}} + |4\rangle \hphantom{e^{-\tfrac{12\pi i}{12}}} + |13\rangle)\dots \\[10pt]
+ |u_1\rangle &= \tfrac{1}{2}(|1\rangle + e^{-\tfrac{2\pi i}{4}}|7\rangle + e^{-\tfrac{\hphantom{1}4\pi i}{4}}|4\rangle + e^{-\tfrac{\hphantom{1}6\pi i}{4}}|13\rangle)\dots \\[10pt]
+ |u_2\rangle &= \tfrac{1}{2}(|1\rangle + e^{-\tfrac{4\pi i}{4}}|7\rangle + e^{-\tfrac{\hphantom{1}8\pi i}{4}}|4\rangle + e^{-\tfrac{12\pi i}{4}}|13\rangle)\dots \\[10pt]
+ |u_3\rangle &= \tfrac{1}{2}(|1\rangle + e^{-\tfrac{6\pi i}{4}}|7\rangle + e^{-\tfrac{12\pi i}{4}}|4\rangle + e^{-\tfrac{18\pi i}{4}}|13\rangle)\quad) = |1\rangle \\[10pt]
\end{aligned}$  

Since the computational basis state  |1⟩  is a superposition of these eigenstates, which means if we do QPE on  U  using the state  |1⟩ , we will measure a phase $\phi = \frac{s}{r}$, where  s  is a random integer between  0  and  r−1 . We finally use the continued fractions algorithm on  ϕ  to find  r .

# Factoring:

Now we have  r , we might be able to use this to find a factor of  N . Since:  

$a^r \bmod N = 1$  
 
then:  

$(a^r - 1) \bmod N = 0$
 
which mean  N  must divide  $a^r−1$ . And if  r  is also even, then we can write:

$a^r -1 = (a^{r/2}-1)(a^{r/2}+1)$
 
(if  r  is not even, we cannot go further and must try again with a different value for  a ). There is then a high probability that the greatest common divisor of either  $a^{r/2}−1$ , or  $a^{r/2}+1$  is a factor of  N