### UC Berkeley, MICS, W202-Cryptography
### Week 11 Breakout 1
### QC - Quantum Computing
### Shor's Algorithm to Break Factoring

Shor's Algorithm is a QC (Quantum Computing) algorithm for integer factorization.

Regarding cryptography, we are most interested in factoring the product of two large prime numbers, customarily written as n = pq, where p and q are the primes and n is the product.

Shor's Algorithm has 3 parts:
* Initial classical part
* Quantum part - period finding algorithm
* Final classical part



#### Simulate the quantum part - period finding algorithm - using classical

We will simulate the quantum part.  Given a from the initial classical part, the modulus n, we want to find the period of a in mod n

In [1]:
from sage.all import *

In [2]:
def my_simulate_quantum_period_finding_algorithm(a, n):
    "simulate the quantum period finding algorithm for a in mod n"
    
    # find the period r of the function f(x) = a^x (mod n)
    # equivalent to finding smallest positive integer r for which:
    #       f(x) = f(x + r)
    #   or  a^(x + r) is congruent to a^x (mod n)
    
    # start with f(0) == a^0 == 1 (mod n)
    # find the next r such that f(0+r) == f(r) == a^(x + r) == a^r == 1 (mod n)
    
    r_found = False
    r = 1
    
    while (not r_found):
        if power_mod(a, r, n) == 1:
            r_found = True
        else:
            r += 1
    return r

#### Shor's algorithm

This function will perform the initial classical part, call the function above to simulate the quantum part to find the period of a in mod n, and perform the final classical part.

If you have access to a quantum computer (or another quantum computer simulator), you may want to replace the call to the function above with a call to a quantum algorithm.

In [3]:
def my_shors_algorithm(n):
    "given n = pq, factor n into p and q using Shor's Algorithm"
    
   
    print ("Factoring n:", n)
    
    r_found = False
    
    while (not r_found):
        
        # pick a random number a < n
        
        upper_limit = (n - 1)
        lower_limit = 3
        
        a = Integer(randint(lower_limit, upper_limit))
        
        print ("\nRandom integer a:", a)
    
        # using the Euclidean Algorithm, find gcd(a,n)
        
        g = gcd(a,n)
        
        print ("gcd(a,n) = ", g)
    
        # if gcd(a,n) <> 1 then a is a factor of n, n/a is the other factor, we are done!
        
        if g != 1:
            print ("gcd(a,n) is not equal to 1, therefore", g, "is a factor and ", n//g, " is also a factor!")
            print ("quantum simulation was not needed")
            p = g
            q = n//g
            if q > p:
                temp = p
                p = q
                q = temp
        
            return(p, q)
                
        # call the quantum period finding subroutine to find r, 
        # which is the period of f(x) = a^x (mod n)
        # (we will simulate this using classic computing)
        
        r = my_simulate_quantum_period_finding_algorithm(a, n)
        
        print ("quantum simulation finds the period r:", r)
        
        # if r is odd, it's no good, continue loop
        if (r % 2 != 0):
            print ("r is odd, it's no good, we have to try another a")
            continue
    
        # if a^(r/2) is congruent to -1 (mod n), it's no good, continue loop
        if ( power_mod(a, r//2, n) == (n - 1) ):
            print ("r is congruent to -1 (mod n), it's no good, we have to try another a")
            continue
        
        # r is good !
        print ("r is good, we can factor!")
        r_found = True
        
    
    # having found r, at least one of these is a factor
    # gcd((a^(r/2) + 1), n)
    # gcd((a^(r/2) - 1), n)
    
    possible_factor_1 = gcd(power_mod(a, r//2, n) + 1, n)
    
    possible_factor_2 = gcd(power_mod(a, r//2, n) - 1, n)
    
    
    # if either one of the possible factors divides n, it's a factor 
    # we can recover the other factor by diving into n
    
    print ("\nChecking possible factor gcd(a^(r/2) + 1, n):")
    
    if (n % possible_factor_1) == 0:
        print (possible_factor_1, "is a factor, and so is", n // possible_factor_1)
        p = possible_factor_1
        q = n // possible_factor_1
            
    print ("\nChecking possible factor gcd(a^(r/2) - 1, n):")
    
    if (n % possible_factor_2) == 0:
        print (possible_factor_2, "is a factor, and so is", n // possible_factor_2)
        p = possible_factor_2
        q = n // possible_factor_2
        
        
    # traditionally, q < p
    if q > p:
        temp = p
        p = q
        q = temp
        
    return(p, q)

#### Since Shor's Algorithm relies on a random integer a, you may get different results every time you run these, so run each one several times

In [4]:
my_shors_algorithm(15)

Factoring n: 15

Random integer a: 11
gcd(a,n) =  1
quantum simulation finds the period r: 2
r is good, we can factor!

Checking possible factor gcd(a^(r/2) + 1, n):
3 is a factor, and so is 5

Checking possible factor gcd(a^(r/2) - 1, n):
5 is a factor, and so is 3


(5, 3)

In [5]:
my_shors_algorithm(21)

Factoring n: 21

Random integer a: 19
gcd(a,n) =  1
quantum simulation finds the period r: 6
r is good, we can factor!

Checking possible factor gcd(a^(r/2) + 1, n):
7 is a factor, and so is 3

Checking possible factor gcd(a^(r/2) - 1, n):
3 is a factor, and so is 7


(7, 3)

In [6]:
my_shors_algorithm(33)

Factoring n: 33

Random integer a: 9
gcd(a,n) =  3
gcd(a,n) is not equal to 1, therefore 3 is a factor and  11  is also a factor!
quantum simulation was not needed


(11, 3)

In [7]:
my_shors_algorithm(35)

Factoring n: 35

Random integer a: 20
gcd(a,n) =  5
gcd(a,n) is not equal to 1, therefore 5 is a factor and  7  is also a factor!
quantum simulation was not needed


(7, 5)

In [8]:
my_shors_algorithm(55)

Factoring n:

 55

Random integer a: 51
gcd(a,n) =  1
quantum simulation finds the period r: 10
r is good, we can factor!

Checking possible factor gcd(a^(r/2) + 1, n):
11 is a factor, and so is 5

Checking possible factor gcd(a^(r/2) - 1, n):
5 is a factor, and so is 11


(11, 5)

In [9]:
my_shors_algorithm(65)

Factoring n: 65

Random integer a: 34
gcd(a,n) =  1
quantum simulation finds the period r: 4
r is good, we can factor!

Checking possible factor gcd(a^(r/2) + 1, n):
13 is a factor, and so is 5

Checking possible factor gcd(a^(r/2) - 1, n):
5 is a factor, and so is 13


(13, 5)

In [10]:
my_shors_algorithm(77)

Factoring n: 77

Random integer a: 59
gcd(a,n) =  1
quantum simulation finds the period r: 30
r is good, we can factor!

Checking possible factor gcd(a^(r/2) + 1, n):
7 is a factor, and so is 11

Checking possible factor gcd(a^(r/2) - 1, n):
11 is a factor, and so is 7


(11, 7)

In [11]:
my_shors_algorithm(143)

Factoring n: 143

Random integer a: 91
gcd(a,n) =  13
gcd(a,n) is not equal to 1, therefore 13 is a factor and  11  is also a factor!
quantum simulation was not needed


(13, 11)

In [12]:
my_shors_algorithm(391)

Factoring n: 391

Random integer a: 90
gcd(a,n) =  1
quantum simulation finds the period r: 176
r is good, we can factor!

Checking possible factor gcd(a^(r/2) + 1, n):
17 is a factor, and so is 23

Checking possible factor gcd(a^(r/2) - 1, n):
23 is a factor, and so is 17


(23, 17)

#### Run Shor's Algorithm on random values for the primes p and q of given bits

We will run this on 8 bits and 10 bits, as these are the most reasonable values.  Above 10 bits will take a really long time to run.

In [13]:
def my_find_p_q(b):
    "file random primes p and q of the given number of bits"
    
    upper_limit = (2^b) - 1
    lower_limit = (2^(b-1))
    
    p = random_prime(upper_limit, false, lower_limit)
    q = random_prime(upper_limit, false, lower_limit)
    
    if q > p:
        temp = p
        p = q
        q = temp
        
    return(p, q)


#### Random primes p and q of 8 bits - try running it multiple times

In [14]:
# 8 bit n
# get a different random n each time

b = 8

(p, q) = my_find_p_q(b)
n = p * q

print ("p:", "{:,}".format(p), "\n")
print ("q:", "{:,}".format(q), "\n")
print ("n:", "{:,}".format(n), "\n")

my_shors_algorithm(n)

p: 251 

q: 229 

n: 57,479 

Factoring n: 57479

Random integer a: 37733
gcd(a,n) =  1


quantum simulation finds the period r: 9500
r is good, we can factor!

Checking possible factor gcd(a^(r/2) + 1, n):
229 is a factor, and so is 251

Checking possible factor gcd(a^(r/2) - 1, n):
251 is a factor, and so is 229


(251, 229)

#### Random primes p and q of 10 bits - try running it multiple times

In [15]:
# 10 bit n
# get a different random n each time

b = 10

(p, q) = my_find_p_q(b)
n = p * q

print ("p:", "{:,}".format(p), "\n")
print ("q:", "{:,}".format(q), "\n")
print ("n:", "{:,}".format(n), "\n")

my_shors_algorithm(n)

p: 1,019 

q: 619 

n: 630,761 

Factoring n: 630761

Random integer a: 236318
gcd(a,n) =  1


quantum simulation finds the period r: 314562
r is good, we can factor!

Checking possible factor gcd(a^(r/2) + 1, n):
619 is a factor, and so is 1019

Checking possible factor gcd(a^(r/2) - 1, n):
1019 is a factor, and so is 619


(1019, 619)

#### Above 10 bits will take a really long time to run - Shor's Algorithm is very efficient for QC but not very efficient for classical computers!