# Shor's Algorithm

In 1994, mathematician Peter Shor developed a polynomial time quantum algorithm for the factoring problem. It is one of the most remarkable algorithms in quantum computing which combines *quantum Fourier transform*, *phase estimation* and *period finding* algorithms that we describe on notebooks *03,04,05* in detail.

The best-known algorithm for integer factorization is of exponential time. The factoring problem comes from the *Fundamental Theorem of Arithmetic*, which states that any integer $N>1$ can be uniquely expressed as a product of one or more *prime numbers*. This lies at the heart of widely used encryption algorithms, the most famous being *Rivest-Shamir-Adleman (RSA)* cryptosystem. Without much detail, RSA picks two prime numbers $p$ and $q$ to construct the number $N=p \cdot q$ as one of the public keys and utilizes number theory to encrypt some message. If someone can get those two prime numbers, the message can be easily decrypted. However, number $N$ consists of hundreds or thousand digits, so the two primes are large enough for a classical computer to process the information in a reasonable time.

<img src="./images/cryptography.jpg" width="40%" align="center">

It was already known that factorization can be reduced to order finding algorithm and at the background of Shor's work lies the exponential speed up that comes from the quantum Fourier transform.

## Setup

Shor's algorithm consists of the following steps: (with *gcd* we denote the *greatest common divisor*)

- Pick $x$ randomly in the range $1$ to $N-1$, such that $gcd(x,N)=1$ (*relatively prime*)
- Use *order finding algorithm* to find order of $x\pmod{N}$, which will be denoted by $r$.
- If $r$ is even and $x^{r/2} \neq -1 \pmod{N}$, then compute $gcd(x^{r/2} -1, N)$ and  $gcd(x^{r/2}+1, N)$.
- Test to see if one of these is a non-trivial factor. If so return, otherwise the algorithm fails. If that is the case, repeat.

Before setting up the algorithm, we give two optional theorems involved for further investigation:

<b>Theorem 1</b> Suppose $N$ is an $L$ bit composite number and $x$ is a non-trivial solution to the equation $x^2 \equiv 1 \pmod{N}$ in the range $1\leq x \leq N$, that is neither $x \equiv 1 \pmod{N}$ nor $x \equiv N-1=-1 \pmod{N}$. Then at least one of $gcd(x-1,N)$ and $gcd(x+1,N)$ is a non-trivial factor of $N$ that can be computed using $O(L^3)$ operations.

<b>Theorem 2</b> Suppose $N={p_1}^{l_1} \dots {p_m}^{l_m}$ is the prime factorization of an odd composite positive integer. Let $x$ be an integer uniformly chosen at random, such that $0 \leq x \leq N-1$ and $x$ is co-prime to $N$. Let $r$ be the order of $x \pmod{N}$. In such a case,
	\begin{align*}
	P(\text{r is even and } {x}^{r/2} \neq -1 \pmod{N}) > 1- \frac{1}{2^{m-1}}.
	\end{align*}

### Python Implementation (Cirq)

We are ready to use Shor's algorithm and try to factor the number 21.

#### Step 1

Pick a random $x$ which is relatively prime with 21, i.e $\gcd(x, 21)$. We will use *random* and *numpy* modules for this.

In [1]:
N = 21

In [2]:
import random as rand
import numpy as np

counter = 0

while(True):
    x = rand.randrange(1,N)
    counter = counter + 1
    if np.gcd(x,N) == 1:
        break
        
print(x, " is picked after ", counter, " trials")

11  is picked after  1  trials


#### Step 2

Now, we will use order finding algorithm to find the order of $x \pmod{N}$. We need to run the *operator.py* and *qpe.py* files as in the previous notebook.

In [3]:
run ./include/operator.py

In [4]:
run ./qpe.py

Then, we write the code to find the order of $x \pmod{N}$.

In [5]:
import matplotlib
import cirq
import math
from cirq.circuits import InsertStrategy

L = math.ceil(math.log2(N))
e = 0.1
num_t = 2*L+1+math.ceil(math.log2(2+1/(2*e)))

# create a circuit
circuit = cirq.Circuit()

# assign the size of the registers
t = num_t
n = L

# create control and target qubits
control = [cirq.LineQubit(i) for i in range(1,t+1) ]
target = [cirq.LineQubit(i) for i in range(t+1,t+1+n) ]
circuit.append(cirq.X(target[n-1]))

# create operator CU
CU = Ux(x,N)

# call phase estimation circuit
qpe(t,control, target, circuit, CU)

# measure the control register
circuit.append(cirq.measure(*control, key='result'))

# sample the circuit
s = cirq.Simulator()
print('Sample the circuit:')
samples = s.run(circuit, repetitions=1000)

# call the simulator and print the result
s = cirq.Simulator()
results = s.simulate(circuit)
print(results)

Sample the circuit:
measurements: result=11010101010101

qubits: (cirq.LineQubit(1),)
output vector: (0.5+0.866j)|1⟩

qubits: (cirq.LineQubit(2),)
output vector: (0.5+0.866j)|1⟩

qubits: (cirq.LineQubit(3),)
output vector: (0.5+0.866j)|0⟩

qubits: (cirq.LineQubit(4),)
output vector: (0.5+0.866j)|1⟩

qubits: (cirq.LineQubit(5),)
output vector: (0.5+0.866j)|0⟩

qubits: (cirq.LineQubit(6),)
output vector: (0.5+0.866j)|1⟩

qubits: (cirq.LineQubit(7),)
output vector: (0.5+0.866j)|0⟩

qubits: (cirq.LineQubit(8),)
output vector: (0.5+0.866j)|1⟩

qubits: (cirq.LineQubit(9),)
output vector: (0.5+0.866j)|0⟩

qubits: (cirq.LineQubit(10),)
output vector: (0.5+0.866j)|1⟩

qubits: (cirq.LineQubit(11),)
output vector: (0.5+0.866j)|0⟩

qubits: (cirq.LineQubit(12),)
output vector: (0.5+0.866j)|1⟩

qubits: (cirq.LineQubit(13),)
output vector: (0.5+0.866j)|0⟩

qubits: (cirq.LineQubit(14),)
output vector: (0.5+0.866j)|1⟩

qubits: (cirq.LineQubit(15), cirq.LineQubit(16), cirq.LineQubit(17), cirq.LineQubit(

Let us convert the binary result given by the simulator to its decimal form:

In [6]:
bitstring = results.measurements['result']
dec = int("".join(str(i) for i in bitstring), 2)
print(dec)

13653


Next, we need to use the continued fractions algorithm to find out the order $r$.

In [7]:
run ./include/helpers.py

In [8]:
coefficients = contFrac(dec/(2**t))
print(coefficients)
cv = convergents(coefficients)
print(cv)

[0, 1, 4, 1, 1364, 2]
[Fraction(0, 1), Fraction(1, 1), Fraction(4, 5), Fraction(5, 6), Fraction(6824, 8189), Fraction(6829, 8195)]


#### Step 3

At this point, we check whether $r$ is even and $x^{\frac{r}{2}} \neq -1 \pmod{N}$. We pick only the even numbers from the possible orders given by the convergents above. If those conditions are valid, then we proceed to compute $gcd(x^{r/2} -1, N)$ and  $gcd(x^{r/2}+1, N)$, else we should repeat the algorithm from step 1 by picking some other $x$.

In [11]:
r = 6

if (r%2 == 0 and (x**(r/2))%N != -1) :
    print("Proceed")
else:
    print("Repeat the algorithm")

Proceed


Notice here that we may have to edit variable $r$ on the above cell based on the convergents found previously.

#### Step 4

Compute $\gcd$: (if Step 3 let us proceed)

In [12]:
print("Factors of",N,":",np.gcd((x**int(r/2)-1),N), "and",np.gcd((x**int(r/2)+1),N))

Factors of 21 : 7 and 3


## Summary & Remarks

- After of the aforementioned, we can see that we may not obtain the same results when we run the notebook cells again. This is due to the fact that $x$ is picked randomly in range $[1,N-1]$ such that $\gcd(x,N)=1$.

- One drawback of Shor's algorithm is the runtime for quantum modular exponeniation, which is by far slower than the quantum Fourier transform.

- Shor's algorithm can break *assymetric encryption* with twice as many qubits as the key size.

- Even with an efficient implementation, Shor's algorithm may not break some of the cryptography standards used in *blockchain* technology, such as *SHA-256* used in *Bitcoin*. The latter standard is theorized to be quantum-resistant up to this time.