# Shor's algorithm

Shor's algorithm uses the phase estimation algorithm to find the *order*.


The order is defined as follows:

Given two positive integers $N$ and $a$, which are *coprimes*, i.e. gcd(N,a)=1, the order of $a$ is the integer $r$ which:

$$a^r \equiv 1 ( \mathrm{mod N})$$

Let us do some insights here. a mod N = 1 means the division of a/N has rest = 1. For example, 8 mod 7 = 1.

$$M_a|x\rangle = |ax\rangle$$

which is $$M_a|x \mathrm{ mod N}\rangle = |ax \mathrm{ mod N}\rangle$$


---

For example, if gcd (a,N) = a $\neq$ 1, i.e. the a is a factor of N. Let us say N = a$\cdot$b

$M_a |i\rangle = |a\cdot i\rangle$

for each i below b

Now, when i = b the result is just zero. Above b, we have basically N + a mod N, N + 2a mod N,.... which is just the same results as before. This will imply the operator M to be non-unitary.

![image.png](attachment:image.png)


this never happens when gcd(a,N)=1, since a is not a factor of N, there is not any number at which a $\cdot$ b = N, so it does not repeat (at numbers below N, that is what we are considering).

---

Let us define the next state:
$$
\left|\psi_0\right\rangle=\frac{|1\rangle+|a\rangle+\cdots+\left|a^{r-1}\right\rangle}{\sqrt{r}}
$$
This state is an eigenvalue of the unitary operator $M_a$:
$$
M_a\left|\psi_0\right\rangle=\frac{|a\rangle+\cdots+\left|a^{r-1}\right\rangle+\left|a^r\right\rangle}{\sqrt{r}}=\frac{|a\rangle+\cdots+\left|a^{r-1}\right\rangle+|1\rangle}{\sqrt{r}}=\left|\psi_0\right\rangle
$$
Thus, the state $|\psi_0\rangle$ is an eigenstate with eigenvalue a phase with $\theta$ = 0.

The same state, but with a term $\omega^{-i}\rangle$ in each $|a^i\rangle$.

$$
\left|\psi_1\right\rangle=\frac{|1\rangle+\omega_r^{-1}|a\rangle+\cdots+\omega_r^{-(r-1)}\left|a^{r-1}\right\rangle}{\sqrt{r}}
$$

Alternatively, we can write this vector using a summation as follows.

$$
\left|\psi_1\right\rangle=\frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} \omega_r^{-k}\left|a^k\right\rangle
$$

Here we see the complex number $\omega_r=e^{2 \pi i / r}$ showing up naturally, due to the underlying structure of multiplication by $a$ modulo $N$. This time the corresponding eigenvalue is $\omega_r$. To see this, we can first compute like this:

$$
M_a\left|\psi_1\right\rangle=\sum_{k=0}^{r-1} \omega_r^{-k} M_a\left|a^k\right\rangle=\sum_{k=0}^{r-1} \omega_r^{-k}\left|a^{k+1}\right\rangle=\sum_{k=1}^r \omega_r^{-(k-1)}\left|a^k\right\rangle=\omega_r \sum_{k=1}^r \omega_r^{-k}\left|a^k\right\rangle
$$

Using the same reasoning, we can identify additional eigenvector/eigenvalue pairs for $M_a$. Indeed, for any choice of $j \in\{0, \ldots, r-1\}$ we have that

$$
\left|\psi_j\right\rangle=\frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} \omega_r^{-j k}\left|a^k\right\rangle
$$

is an eigenvector of $M_a$ whose corresponding eigenvalue is $\omega_r^j$.

$$
M_a\left|\psi_j\right\rangle=\omega_r^j\left|\psi_j\right\rangle=e^{2\pi i \cdot j/r}\left|\psi_j\right\rangle
$$


There are other eigenvectors, such as $|0\rangle$, which has eigenvalue 1 , but we'll only be concerned with the eigenvectors $\left|\psi_0\right\rangle, \ldots,\left|\psi_{r-1}\right\rangle$ that we've just identified.

![image.png](attachment:image.png)

**THE KEY IN THE M_a AND PSI EIGENVECTOR REASONING ABOUT WHY IS E^{1/r} AND NOT OTHER THING, IS THAT IT IS USED THAT $\omega_r^{r}=1, and they are only an eigenvector if they are like this.**

![image.png](attachment:image.png)