# Shor's Algorithm
## Abstract
Although all integers have a unique breakdown of prime factors, finding those prime factors is thought to be a hard problem in computer science; in fact, most modern cyber security and encryption measures depend on the assumption that solving this problem for integers of a thousand or more digits is not feasibly possible <cite data-cite="6038973/5MJ5Z6XZ"></cite>. However, in 1995, MIT professor Peter Shor presented a quantum algorithm (an algorithm that runs on a quantum computer) to solve the factoring problem in polynomial time. Shor's algorithm thus drastically changed the set of problems in computer science that can be considered feasible.

## Introduction
Shor's algorithm could potentially break nearly all modern cryptography. Most encryption schemes use a public & private key paradigm; each device has two keys (public and private key), and the public keys are exchanged between devices. The keys are generated such that data encrypted using the public key can only be decrypted using the private key. Since the keys must be mathematically related (often based on arithmetic involving prime factors), the private key can theoretically be calculated from the public key. However, finding the prime factors of an integer of a thousand digits or more becomes infeasible on a classical computer; thus, calculating the private key from the public key could take hundreds of years on a classical computer, depending on the encryption scheme used.

Shor's algorithm is a quantum algorithm for efficiently finding the prime factors of large integers, and thus calculating a private key from a public key could become a feasible problem in the near future. For this reason, it is important that software professionals prepare for the eventuality of accessible quantum computing. While theoretically effective post-quantum cryptography has been proposed, existing cyber security infrastructure (made up of classical computers) is not equipped to protect against attacks by a quantum computer.

## Implementation
### Period Finding
It has been widely known by mathematicians and computer scientists since the 1970's that the factorization problem becomes easy if given a "period finding machine"; that is, a machine which can efficiently find a period of the modular exponentiation function <cite data-cite="6038973/5MJ5Z6XZ"></cite>.

The period finding problem is defined as follows:
Given two integers $N$ and $a$, find the smallest possible integer $r$ such that $a^r-1$ is a multiple of $N$. The number $r$ is the period of $a\mod N$. Or, more simply, find the minimum possible value for $r$ such that:

$$a^{x+r} = a^x\pmod N$$

where $x$ is any integer. Consider the following example for $N=15$ and $a=7$:

$$7^2=4\pmod{15}=4$$
$$7^3=4\times 7=13\pmod{15}=13$$
$$7^4=13\times 7=91\pmod{15}=1$$

This sequence gives rise to the pattern $7^{x+4}=7^x\pmod{15}$, and thus $r=4$ is the period of the modular exponentiation function $7\pmod{15}$.

### Using Period Finding Machine to Find Prime Factors
Suppose a period finding machine is given that takes two co-prime integers $a$ and $N$ and outputs the period of $a\mod N$. Then, the prime factors $p_1, p_2$ of $N$ can be found by the following procedure:
1. Choose a random integer $a$ between $2..N-1$.
2. Compute the greatest common divisor (GCD) of $a$ and $N$ (can be calculated efficiently using [Euclid's algorithm](https://en.wikipedia.org/wiki/Euclidean_algorithm)); if this value is not equal to $1$, then it equals either $p_1$ or $p_2$, and the other can be computed from the found factor (e.g. $N/p_1$ or $N/p_2$). Otherwise, continue.
3. Let $r$ be the period of $a\mod N$; repeat steps 1-3 until $r$ is even. At this point, a value for $r$ has been found such that $a^r-1$ is a multiple of $N$.
4. Consider the following identity:
$$a^r-1=(a^{r/2}-1)(a^{r/2}+1)$$

Thus, $a^{r/2}-1$ is not a multiple of $N$ (or else $r$ would equal $r/2$). If $a^{r/2}+1$ is a multiple of $N$, return to step 1. Otherwise, this means that neither of the values $a^{r/2}\pm 1$ are multiples of $N$, but the product of these two values *is* a multiple of $N$. This is possible if and only if $p_1$ is a prime factor of $a^{r/2}-1$ and $p_2$ is a prime factor of $a^{r/2}+1$ or vice versa. Therefore, $p_1$ and $p_2$ can now be computed by $p_1=GCD(N, a^{r/2}-1)$ and $p_2=GCD(N, a^{r/2}+1)$. Consider the following table showing the calculated prime factors of $N=15$ given different $a$ values:

<table style="width: 60%; font-size: 110%;">
<thead>
<tr>
    <th style="text-align: center;">$a$</th>
    <th style="text-align: center;">$r$</th>
    <th style="text-align: center;">$GCD(N, a^{r/2}-1)$</th>
    <th style="text-align: center;">$GCD(N, a^{r/2}+1)$</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center;">1</td>
<td style="text-align: center;">1</td>
<td style="text-align: center;"></td>
<td style="text-align: center;"></td>
</tr>
<tr>
<td style="text-align: center;">2</td>
<td style="text-align: center;">4</td>
<td style="text-align: center;">3</td>
<td style="text-align: center;">5</td>
</tr>
<tr>
<td style="text-align: center;">4</td>
<td style="text-align: center;">2</td>
<td style="text-align: center;">3</td>
<td style="text-align: center;">5</td>
</tr>
<tr>
<td style="text-align: center;">7</td>
<td style="text-align: center;">4</td>
<td style="text-align: center;">3</td>
<td style="text-align: center;">5</td>
</tr>
<tr>
<td style="text-align: center;">8</td>
<td style="text-align: center;">4</td>
<td style="text-align: center;">3</td>
<td style="text-align: center;">5</td>
</tr>
<tr>
<td style="text-align: center;">11</td>
<td style="text-align: center;">2</td>
<td style="text-align: center;">5</td>
<td style="text-align: center;">3</td>
</tr>
<tr>
<td style="text-align: center;">13</td>
<td style="text-align: center;">4</td>
<td style="text-align: center;">3</td>
<td style="text-align: center;">5</td>
</tr>
<tr>
<td style="text-align: center;">14</td>
<td style="text-align: center;">2</td>
<td style="text-align: center;">1</td>
<td style="text-align: center;">15</td>
</tr>
</tbody>
</table>

Notice that $a=14$ is the only "unlucky" integer chosen (i.e. it results in $GCD(N, a^{r/2}+1)$ being a multiple of $N$); in general, it can be shown that selection of "unlucky" integers are rather infrequent <cite data-cite="6038973/5MJ5Z6XZ"></cite>.

### Using a Quantum Computer to Simulate Period Finding Machine 
The true power of Shor's algorithm lies in the ability of a quantum computer to simulate such a "period finding machine" required to efficiently solve the factoring problem. By exploiting quantum parallelism and constructive interference, certain "global properties" can be derived from a complex function. The Deutsch-Jozsa algorithm uses this technique to determine if a function has the global property of being a balanced function <cite data-cite="6038973/JGE9DZ5X"></cite>. In Shor's algorithm, it can be used to determine the periodicity of the modular exponentiation function.

Suppose two co-prime integers $a$ and $N$ are given; the goal is to find the smallest possible integer $r$ such that $a^r=1\pmod N$. A unitary operator $U_a$ can be constructed which implements the modular multiplication function such that $U_a: x\rightarrow ax\pmod N$. With this definition of $U_a$, it can be shown that the each Eigenvalue of $U_a$ is of the form $e^{i\phi}$ where $\phi=2\pi k/r$ for some integer $k$ <cite data-cite="6038973/5MJ5Z6XZ"></cite>.

Eigenvalues of a unitary operator can be efficiently measured using the quantum phase estimation algorithm <cite data-cite="6038973/MQPZCEWP"></cite>. However, the value of $r$ can only be derived from a given Eigenvalue if the Eigenvalue is measured *exactly* or with exponentially small precision; for example, a factorization of a $1000$ digit integer would require an Eigenvalue measured with a precision of $10^{-2000}$ <cite data-cite="6038973/5MJ5Z6XZ"></cite>. Such a level of precision cannot be achieved using the phase estimation algorithm because it would require too large a pointer system. 

Instead, define a family of unitary operators $U_b$ with $b=a, a^2, a^4, a^8,\dots a^{2^P}$ where $P\approx N^2$. Notice that all $U_b$ are integer powers of $U_a$; thus, if $b=a^t$ for some integer $t$, then $U_b=(U_a)^t$, which implies that all $U_b$ have the same Eigenvectors as $U_a$. Further, this means that the Eigenvalues of all $U_b$ can be derived simultaneously. Additionally, the implementation of $U_b$ is as easy as implementing $U_a$; simply pre-compute the powers of $U_a$ by repeated squaring method. Conveniently, each squaring of $a$ reduces the margin of error in the estimation of $U_a$ by a factor of $1/_2$; this mitigates the requirement for exact or exponentially small precision in the phase estimation algorithm. For example, a precision of $10^{-2000}$ can be achieved by a series of $10^6$ less precise measurements (up to 10% error) of $U_b$, and selecting a few Eigenvalues $\phi=2\pi k/r$ at random to estimate with a precision of $1/N^2$ is enough to derive an exact value of $r$ using rational approximation to estimate $k/r$ <cite data-cite="6038973/5MJ5Z6XZ"></cite>.

#### Reversible Classical Circuits
A quantum circuit which implements the modular multiplication operator is required in order to use the phase estimation gate. Quantum algorithms can call classical subroutines if the classical subroutine is first transformed into a *reversible form*, i.e. represented by a sequence of reversible logic gates (CNOT gate, Toffoli gate, etc). That is, the number of input wires must equal the number of output wires for each gate. Further, the classical subroutine can use scratch memory for local variables, but the scratch memory must be wiped clean upon termination of the subroutine; leaving residual values in the scratch memory could potentially destroy quantum coherence, preventing the quantum routine from being able to detect interference between quantum states <cite data-cite="6038973/5MJ5Z6XZ"></cite>.

Consider a standard AND gate; it can be transformed into a reversible equivalent (R-AND) by adding an extra input wire $d$ (so, inputs $a, b, d$), which is a dummy wire expecting a value of $d=0$, and adding two extra output wires (so, outputs $a, b, c$) where $c$ is the result of $d\oplus (a\wedge b)$ (see figure 1). Thus, all inputs of the R-AND can be derived from its outputs since $c=d\oplus (a\wedge b)$ <cite data-cite="6038973/5MJ5Z6XZ"></cite>.

![Reversible AND Gate](./r-and-gate.png)
<div style="text-align: right;">*Figure 1: Reversible AND (R-AND) gate. (Source: "Shor's Algorithm"*)</div>
<br /><br />
Similar logic can be applied to any gate with two inputs and one output; if gate F computes a boolean function $c=F(a,b)$, then a reversible transformation (R-F gate) would map inputs $a, b, d$ to outputs $a, b, c$ where $c=d\oplus F(a, b)$ <cite data-cite="6038973/5MJ5Z6XZ"></cite>. See figure 2.

![Reversible F Gate](./r-f-gate.png)
<div style="text-align: right;">*Figure 2: Reversible F (R-F) gate. (Source: "Shor's Algorithm"*)</div>

### Quantum Circuit for Modular Multiplication
The modular exponentiation function can be derived from a series of modular multiplication functions. Let the modular multiplication function be defined as $f(x)=ax\pmod N$. If the integer results of $f(x)$ are stored as $n$-bit strings, then $f(x)$ can be implemented as a classical circuit $U_a$ (unitary operator described above) using 3-bit reversible classical gates with $n$ inputs and $n$ outputs via the reversible gate transformation technique described above <cite data-cite="6038973/5MJ5Z6XZ"></cite>. Since $U_a$ is now composed completely of reversible classical circuits, it can be called as a classical subroutine from a quantum routine.

### IBM Quantum Experience
IBM has a platform called the IBM Quantum Experience which allows curious computer scientists to experiment with quantum computing concepts. IBM quantum hardware runs [OpenQASM](https://github.com/QISKit/openqasm) quantum assembly code, but the web interface also features called "Composer" which allows quantum and classical gates to be click-and-dragged onto a virtual circuit diagram. IBM also has a Python SDK which allows developers to implement and run quantum subroutines from within Python code, either on a local quantum simulator, an IBM Quantum Experience simulator, or on real IBM quantum hardware.

A basic, crude implementation of Shor's algorithm can be run below as an interactive Python program. The full Python script can be found in the appendix.

In [1]:
# %load QuantumProgramRunner.py
#!/usr/bin/env python3
from Runner import run

if __name__ == "__main__":
    while run(None):
        pass

[1A[1A[1A[2K
[2K
[2K
[1A[1A[1A[94mFactorizing N=7389...[0m
[93mChose unlucky 'a' value, trying again with new 'a' value (2nd try so far)...[0m
[94mSelected random value a=5241 to find period.[0m
[94mFound common period between N=7389 and a=5241[0m
[92mTook 2 guesses for 'a' value.             [0m
[92mFound factors: 3 X 2463 = 7389[0m

[1m[4m[92mAvailable programs:[0m
[94m  1. find_period: Takes two integers, a and N, and finds the period of the modular exponentiation function.[0m
[94m  2. factorize_N: Takes an integer N and finds factors of N using Shor's algorithm.[0m
Select a program to run, or type 'exit' to quit.
> exit


## Results


## Conclusion
Shor's algorithm is perhaps the most radical example of how quantum computing has changed (and can continue to change) the set of problems considered feasible. In the past, prime factorization was a problem considered so infeasible that a significant portion of existing cryptography infrastructure is based on this assumption; this means that quantum computing technology, along with Shor's algorithm, could be used to crack nearly any common encryption used today. Shor's algorithm is on the bleeding edge of quantum computing; as quantum computing technology has gained traction in recent years, it has been used as a sort of litmus test for quantum computer viability. IBM first demonstrated a simple implementation of Shor's algorithm on one of their early quantum computers in 2001, factorizing the number 15 into its factors 3 and 5 <cite data-cite="6038973/JAVDPU78"></cite>. Significant progress has been made since 2001 in the realm of quantum computing technology, and for this reason, its important to begin considering it as an inevitability which will come to fruition sooner rather than later.

## Works Cited
<div class="cite2c-biblio"></div>