In [1]:
'''
5 prime factorization

it has been known since before euclid that every integer n is
uniquely decomposable into a product of primes. mathematicians
have been interested in the question of how to factor a number
into this product of primes for nearly as long. it was only in
the 1970's, however, that researchers applied the paradigms of
theoretical computer science to number theory, and looked at
the asymptotic running times of factoring algorithms [adleman
1994]. this has resulted in a great improvement in the
efficiency of factoring algorithms. the best factoring algorithm
asymptotically is currently the number field sieve [lenstra et
al. 1990, lenstra and lenstra 1993], which in order to factor an
integer n takes asymptotic running time exp(c (log n)^(1/3)
(log log n)^(2/3)) for some constant c. since the input, n, is
only log n bits in length, this algorithm is an exponential‑time
algorithm. our quantum factoring algorithm takes asymptotically
o((log n)² (log log n) (log log log n)) steps on a quantum
computer, along with a polynomial (in log n) amount of
post‑processing time on a classical computer that is used to
convert the output of the quantum computer to factors of n.
while this post‑processing could in principle be done on a
quantum computer, there is no reason not to use a classical
computer if they are more efficient in practice.

instead of giving a quantum computer algorithm for factoring
n directly, we give a quantum computer algorithm for finding
the order of an element x in the multiplicative group (mod n);
that is, the least integer r such that xʳ ≡ 1 (mod n). it is
known that using randomization, factorization can be reduced
to finding the order of an element [miller 1976]; we now
briefly give this reduction.

to find a factor of an odd number n, given a method for
computing the order r of x, choose a random x (mod n), find
its order r, and compute gcd(x^(r/2) − 1, n). here, gcd(a, b)
is the greatest common divisor of a and b, i.e. the largest
integer that divides both a and b. the euclidean algorithm
[knuth 1981] can be used to compute gcd(a, b) in polynomial time.
since (x^(r/2) − 1)(x^(r/2) + 1) = xʳ − 1 ≡ 0 (mod n), the
gcd(x^(r/2) − 1, n) fails to be a non‑trivial divisor of n only
if r is odd or if x^(r/2) ≡ −1 (mod n). using this criterion, it
can be shown that this procedure, when applied to a random x (mod n),
yields a factor of n with probability at least 1 − 1/2^(k−1), where
k is the number of distinct odd prime factors of n. a brief sketch
of the proof of this result follows. suppose that
n = ∏ over i=1..k of pᵢ^(aᵢ). let rᵢ be the order of x (mod pᵢ^(aᵢ)).
then r is the least common multiple of all the rᵢ. consider the
largest power of 2 dividing each rᵢ. the algorithm only fails if
all these powers of 2 agree: if they are all 1, then r is odd and
r/2 doesn't exist; if they are all equal and larger than 1, then
x^(r/2) ≡ −1 (mod n) since x^(r/2) ≡ −1 (mod pᵢ^(aᵢ)) for every i.
by the chinese remainder theorem [knuth 1981, hardy and wright 1979,
theorem 121], choosing an x (mod n) at random is the same as choosing
for each i a number xᵢ (mod pᵢ^(aᵢ)) at random, where pᵢ^(aᵢ) is the
i‑th prime power factor of n. the multiplicative group (mod p^α) for
any odd prime power p^α is cyclic [knuth 1981], so for any odd prime
power pᵢ^(aᵢ), the probability is at most 1/2 of choosing an xᵢ having
any particular power of two as the largest divisor of its order rᵢ.
thus each of these powers of 2 has at most a 50% probability of
agreeing with the previous ones, so all k of them agree with
probability at most 1/2^(k−1), and there is at least a 1 − 1/2^(k−1)
chance that the x we choose is good. this scheme will thus work as
long as n is odd and not a prime power; finding factors of prime
powers can be done efficiently with classical methods.

we now describe the algorithm for finding the order of x (mod n) on
a quantum computer. this algorithm will use two quantum registers
which hold integers represented in binary. there will also be some
amount of workspace. this workspace gets reset to 0 after each
subroutine of our algorithm, so we will not include it when we
write down the state of our machine.

given x and n, to find the order of x, i.e. the least r such
that xʳ ≡ 1 (mod n), we do the following. first, we find q,
the power of 2 with n² ≤ q < 2n². we will not include
n, x, or q when we write down the state of our machine, bc we
never change these values. in a quantum gate array we need not
even keep these values in memory, bc they can be built into
the structure of the gate array.
'''
import math

def find_q(n):
    u = n**2
    v = 2*n**2
    k1 = math.floor(math.log2(v))  # largest k so that 2^k <= v
    k2 = math.ceil(math.log2(u))   # smallest k so that 2^k >= u
    
    if k1 == k2:
        q = 2**k1
        if u <= q < v:
            return q
    return None

# demonstration
for n in [21, 22, 23, 10, 6]:
    q = find_q(n)
    print(f'n={n}, q={q}')

n=21, q=512
n=22, q=512
n=23, q=1024
n=10, q=128
n=6, q=64


In [None]:
'''
next, we put the first
register in the uniform superposition of states representing
numbers a (mod q). this leaves our machine in state

(1/√q) ∑ from a=0 to q−1 of |a⟩|0⟩.

This step is relatively easy, since all it entails is putting
each bit in the first register into the superposition
1/√2 (|0⟩ + |1⟩).
'''