Here is the **Revised Standard Algorithm Workbook Template** we established, which includes the coding and implementation section:

### **ðŸ“˜ Standard Algorithm Workbook Template**

For each algorithm, we will generate a dedicated section following this precise 5-step structure:

### **1. Algorithm Profile**
* **Name**: The formal name of the algorithm.
* **Origin**: Who discovered it and when? (Historical context).
* **Type**: Which category does it fall into? (Algebraic, Oracular, Simulation, Optimization).
* **Speedup Class**: Is it Polynomial, Superpolynomial, or Exponential?

### **2. Introduction & Context**
* **The "Elevator Pitch"**: A high-level, intuition-first explanation (no heavy math).
* **Real-World Use Cases**: Where is this applied? (e.g., Cryptography, Chemistry, Finance).
* **Current Status**: Is it runnable on today's NISQ hardware?

### **3. Deep Theoretical Dive ðŸ§ **
* **The Problem Statement**: Formal mathematical definition ($f(x)$, inputs, outputs).
* **The Classical Approach**: The best non-quantum method and its bottleneck.
* **The Quantum Mechanism**: Step-by-step breakdown.
    * *Initialization*: State preparation ($|0\rangle^{\otimes n} \to \dots$).
    * *The "Magic"*: The core trick (Phase Kickback, QFT, Amplitude Amplification).
    * *The Operator*: Mathematical description of the unitary evolution $U$.
* **Complexity Analysis**:
    * **Quantum vs. Classical**: Big-O notation comparison.
    * **Resource Cost**: Depth, gate count, and ancilla qubits required.

### **4. Practical Advantage & Future Outlook**
* **The "Quantum Advantage"**: Why exactly is the quantum method better? (e.g., "Global interference pattern vs. point-wise sampling").
* **Caveats**: Input/Output problems, noise sensitivity, error correction needs.
* **The Horizon**: What hardware specs (qubits/fidelity) are needed for a "Supreme" run?

### **5. Implementation & Code Walkthrough (Qiskit) ðŸ’»**
* **Step 5.1: The "Hello World" Example**:
    * A minimal, hard-coded version (1-3 qubits) to prove the concept.
    * *Code*: Defining the circuit, applying gates.
    * *Visual*: Drawing the circuit diagram.
* **Step 5.2: The Parameterized Circuit**:
    * Building a function to generate the circuit for *any* input size $n$.
    * Detailed comments explaining the mapping from Math $\to$ Gates.
* **Step 5.3: Execution & Analysis**:
    * Running the circuit (on a simulator or real backend).
    * *Visual*: Plotting the **Probability Histogram**.
    * **Interpretation**: Mapping the measurement bitstrings back to the mathematical answer.

***

We are currently working through **Chapter 2: Oracular Algorithms**.
Would you like to proceed with **Algorithm #11: Unstructured Search (Groverâ€™s Algorithm)** using this template?

Here is the first complete entry for **Chapter 1**, fully expanded using the new **Standard Algorithm Workbook Template**.

-----

# 1\. Integer Factorization (Shorâ€™s Algorithm)

### **1. Algorithm Profile**

  * **Name**: Shorâ€™s Algorithm
  * **Origin**: Discovered by **Peter Shor** in **1994** at Bell Labs.
  * **Type**: Algebraic & Number Theoretic Algorithm.
  * **Speedup Class**: **Superpolynomial / Exponential**. It reduces the complexity from sub-exponential (classical) to polynomial (quantum).

### **2. Introduction & Context**

  * **The "Elevator Pitch"**: Shorâ€™s algorithm is the most famous quantum algorithm because it breaks the rules of modern internet security. It takes a large composite number $N$ (which is incredibly hard to break apart classically) and efficiently finds its prime factors by finding the "period" or repeating pattern of a specific mathematical function related to $N$.
  * **Real-World Use Cases**:
      * **Cryptanalysis**: Its primary application is breaking **RSA encryption**, the protocol that secures web traffic, credit cards, and digital signatures.
      * **Benchmarking**: It serves as the ultimate "stress test" for quantum hardware; a computer that can run Shorâ€™s algorithm at scale is, by definition, a powerful, fault-tolerant machine.
  * **Current Status**: It has been experimentally demonstrated on small numbers (e.g., 15 and 21) using various hardware (NMR, photonics, superconducting qubits), but scaling to cryptographically relevant numbers (2048 bits) requires millions of physical qubits and robust error correction.

### **3. Deep Theoretical Dive ðŸ§ **

  * **The Problem Statement**: Given a composite odd integer $N$, find a non-trivial factor $p$ such that $N = p \times q$.

  * **The Classical Approach**: The best classical method is the **General Number Field Sieve (GNFS)**. It relies on finding congruences of squares. Its runtime grows sub-exponentially, roughly as $\exp(O(n^{1/3}))$, making it feasible for hundreds of bits but impossible for thousands.

  * **The Quantum Mechanism**: Shorâ€™s genius was to transform factoring into a **Period Finding** problem.

    1.  **Classical Reduction**: To factor $N$, pick a random base $a < N$. If we can find the period $r$ of the function $f(x) = a^x \pmod N$, we can find factors via $\text{gcd}(a^{r/2} \pm 1, N)$.
    2.  **Initialization**: We prepare two registers. The first (period register) is a superposition of integers $|0\rangle + \dots + |Q-1\rangle$. The second stores the function output.
    3.  **The "Magic" (Modular Exponentiation)**: We apply a unitary $U_f$ that computes $a^x \pmod N$ in superposition. The state becomes $\sum_x |x\rangle |a^x \pmod N\rangle$.
    4.  **Measurement & Collapse**: Measuring the second register collapses the first register into a periodic superposition of states: $|x_0\rangle, |x_0+r\rangle, |x_0+2r\rangle \dots$. The period $r$ is now encoded in the spacing of these states.
    5.  **Interference (QFT)**: We apply the **Quantum Fourier Transform (QFT)** to the first register. This acts like a lens, focusing the probability amplitudes onto integers $y$ that are close to multiples of $Q/r$. Measuring $y$ allows us to classically extract $r$.

  * **Complexity Analysis**:

      * **Quantum Complexity**: $O((\log N)^3)$, or cubic in the number of digits. This is a **polynomial** runtime.
      * **Classical Complexity**: Superpolynomial (sub-exponential).
      * **Resource Requirements**: Requires $2n$ to $3n$ logical qubits for an $n$-bit number, and a circuit depth dominated by the modular exponentiation, which is computationally expensive.

### **4. Practical Advantage & Future Outlook**

  * **The "Quantum Advantage"**: The advantage comes from the QFT's ability to extract a global property (periodicity) from an exponentially large superposition in a single step. A classical computer would have to test inputs one by one to find the repetition.
  * **Caveats**: The "bottleneck" is not the QFT, but the **modular exponentiation** step, which requires huge numbers of gates. Also, the algorithm is probabilistic; it might output a failure, requiring a re-run.
  * **Future Scope**: Optimizations like "Qubit recycling" are reducing the resource costs. The timeline for breaking 2048-bit RSA is estimated to be decades away, dependent on the realization of large-scale Fault-Tolerant Quantum Computing (FTQC).

### **5. Implementation & Code Walkthrough (Qiskit) ðŸ’»**

We will demonstrate factoring the number **15** using **Shor's Algorithm**.

  * **Target**: $N = 15$
  * **Guess**: $a = 7$ (We chose 7 because it is coprime to 15).
  * **Goal**: Find the period $r$ of $7^x \pmod{15}$.

#### **Step 5.1: The "Hello World" Circuit (Factoring 15)**

Since implementing full modular exponentiation for arbitrary numbers is complex, we often hard-code the unitary for specific small cases like $a=7, N=15$ for pedagogical purposes.

**Mathematical Logic for the Circuit:**

  * $7^0 \pmod{15} = 1$
  * $7^1 \pmod{15} = 7$
  * $7^2 \pmod{15} = 4$
  * $7^3 \pmod{15} = 13$
  * $7^4 \pmod{15} = 1$ (Cycle repeats\! **Period r = 4**)

The quantum computer needs to find this **4** without us telling it.

**Qiskit Code Structure:**

```python
import numpy as np
from qiskit import QuantumCircuit, transpile
from qiskit.circuit.library import QFT
from qiskit_aer import AerSimulator
from qiskit.visualization import plot_histogram
import matplotlib.pyplot as plt

# --- 1. Define the Modular Exponentiation Function (U^x mod 15) ---
# For a=7, N=15, this operation effectively swaps states in a specific cycle.
# This specific unitary is hard-coded for the N=15, a=7 case.
def c_amod15(power):
    """Controlled multiplication by 7 mod 15"""
    U = QuantumCircuit(4)
    for _ in range(power):
        U.swap(2, 3)
        U.swap(1, 2)
        U.swap(0, 1)
        for q in range(4):
            U.x(q)
    U = U.to_gate()
    U.name = "%i^%i mod 15" % (7, power)
    c_U = U.control()
    return c_U

# --- 2. Set up the Shor's Circuit ---
# We need n counting qubits (for precision) and 4 target qubits (to store mod 15).
n_count = 3  # 3 qubits is enough to distinguish a period of 4
qc = QuantumCircuit(n_count + 4, n_count)

# Initialize counting qubits to |+> state
for q in range(n_count):
    qc.h(q)

# Initialize target register to |1> (required for modular exponentiation)
qc.x(n_count)

# --- 3. Apply Controlled Modular Exponentiation ---
# This is the "Phase Kickback" step where the period is encoded.
for q in range(n_count):
    qc.append(c_amod15(2**q), [q] + [i+n_count for i in range(4)])

# --- 4. Apply Inverse QFT ---
# This decodes the period from the phases of the counting qubits.
qc.append(QFT(n_count, inverse=True).to_gate(), range(n_count))

# --- 5. Measurement ---
qc.measure(range(n_count), range(n_count))

# Visualize
print("Circuit Diagram:")
qc.draw(output='text')
```

#### **Step 5.2: Execution & Analysis**

```python
# --- Run the Circuit ---
backend = AerSimulator()
# Transpile for the simulator
t_qc = transpile(qc, backend)
# Execute
result = backend.run(t_qc, shots=1024).result()
counts = result.get_counts()

# Visualize Results
print("\nMeasurement Counts:", counts)
# plot_histogram(counts) # Uncomment to view
```

**Interpretation of Results:**

  * You will likely see peaks at binary strings like `000`, `010`, `100`, `110`.
  * These correspond to decimal values $0, 2, 4, 6$.
  * **Phase Calculation**: These measured values $y$ relate to the period $r$ by the formula: $\frac{y}{2^n} \approx \frac{k}{r}$.
      * For measurement `010` ($2$): $\frac{2}{2^3} = \frac{2}{8} = \frac{1}{4}$. The denominator is **4**.
      * For measurement `100` ($4$): $\frac{4}{8} = \frac{1}{2} = \frac{2}{4}$. The denominator is **4**.
  * **Conclusion**: The quantum computer tells us the period $r = 4$.
  * **Factoring**: Using $r=4$ classically:
      * $\text{gcd}(7^{4/2} - 1, 15) = \text{gcd}(48, 15) = \mathbf{3}$
      * $\text{gcd}(7^{4/2} + 1, 15) = \text{gcd}(50, 15) = \mathbf{5}$
      * **Success\!** We found factors 3 and 5.

-----

**Shall we proceed to the next algorithm: 2. Discrete Logarithm Problem?**

This is a significant upgrade. By integrating the specific insights from the `shor.ipynb` notebookâ€”particularly the eigenstate analysis and the specific construction of the modular exponentiation oracleâ€”we can create a truly comprehensive entry.

Here is the **fully expanded, pedagogical workbook entry** for Algorithm \#1.

-----

# 1\. Integer Factorization (Shorâ€™s Algorithm)

### **1. Algorithm Profile**

  * **Name**: Shorâ€™s Algorithm (Quantum Order Finding)
  * **Origin**: Discovered by **Peter Shor** in **1994** at Bell Labs.
  * **Type**: Algebraic & Number Theoretic Algorithm.
  * **Speedup Class**: **Exponential**. It reduces the complexity from the classical sub-exponential $\exp(O(N^{1/3}))$ to the quantum polynomial $O((\log N)^3)$.

### **2. Introduction & Context**

  * **The "Elevator Pitch"**: Shorâ€™s algorithm allows a quantum computer to find the prime factors of a large integer $N$ exponentially faster than any known classical method. It achieves this not by "trying factors," but by converting the factoring problem into a **period-finding** problem. It detects the hidden repetition (period) in the mathematical function $f(x) = a^x \pmod N$.
  * **Real-World Use Cases**: The primary implication is **Cryptanalysis**. The RSA encryption standard, which secures virtually all internet traffic, relies on the difficulty of factoring. Shor's algorithm breaks this assumption.
  * **Current Status**: Experimental demonstrations are limited to small integers (e.g., 15, 21) due to the high cost of the modular exponentiation circuit. It is the "Holy Grail" benchmark for Fault-Tolerant Quantum Computing.

### **3. Deep Theoretical Dive ðŸ§ **

#### **The Problem Statement**

Given a composite odd integer $N$, find a non-trivial factor $p$.

#### **The Classical Reduction (Euler's Insight)**

We do not factor $N$ directly. Instead, we use a classical reduction from number theory:

1.  Pick a random integer $a < N$ such that $\text{gcd}(a, N) = 1$.
2.  Find the **order** (or period) $r$, which is the smallest non-zero integer such that:
    $$a^r \equiv 1 \pmod N$$
3.  If $r$ is even, we can compute the factors via the greatest common divisor:
    $$p = \text{gcd}(a^{r/2} - 1, N) \quad \text{and} \quad q = \text{gcd}(a^{r/2} + 1, N)$$

#### **The Quantum Mechanism: Phase Estimation**

The quantum computer is used solely for step 2: finding the period $r$.

**1. The Unitary Operator**
We define a unitary operator $U$ that performs multiplication by $a$ modulo $N$:
$$U|y\rangle = |ay \pmod N\rangle$$
If we apply this operator repeatedly to the state $|1\rangle$, we cycle through the sequence:
$$|1\rangle \xrightarrow{U} |a\rangle \xrightarrow{U} |a^2\rangle \dots \xrightarrow{U} |a^{r-1}\rangle \xrightarrow{U} |1\rangle$$

**2. The Eigenstates**
The "magic" lies in the eigenstates of this operator. The states in the cycle above can be combined to form eigenstates $|u_s\rangle$ (for $0 \le s < r$) with eigenvalues depending on $r$:
$$U|u_s\rangle = e^{\frac{2\pi i s}{r}} |u_s\rangle$$
Crucially, the easy-to-prepare state $|1\rangle$ is a uniform superposition of *all* these eigenstates:
$$|1\rangle = \frac{1}{\sqrt{r}} \sum_{s=0}^{r-1} |u_s\rangle$$

**3. Quantum Phase Estimation (QPE)**
Shor's algorithm is essentially QPE applied to the operator $U$ acting on the state $|1\rangle$.

  * Because $|1\rangle$ is a superposition of eigenstates, the QPE procedure will output a **random phase** from the set:
    $$\phi \approx \frac{s}{r}$$
    where $s$ is a random integer between $0$ and $r-1$.
  * By measuring $\phi$, we get a fraction. Using the **Continued Fractions Algorithm**, we can deduce the denominator $r$.

### **4. Practical Advantage & Complexity**

  * **Quantum Complexity**: The bottleneck is the modular exponentiation circuit ($a^x \pmod N$), which requires $O(n^3)$ gates for an $n$-bit number.
  * **Classical Complexity**: The best classical algorithm (Number Field Sieve) runs in $O(\exp(n^{1/3}))$.
  * **Caveats**: The algorithm requires huge depth. Without error correction, noise will destroy the phase information before the period can be detected.

-----

### **5. Implementation & Code Walkthrough (Qiskit) ðŸ’»**

We will implement a complete pedagogical example to factor **$N=15$** using **$a=7$**.
We know classically that the period of $7^x \pmod{15}$ is **4** ($1 \to 7 \to 4 \to 13 \to 1$). We will see the quantum computer find this.

#### **Step 5.1: The Modular Exponentiation Oracle**

First, we need the unitary $U$ that implements multiplication by 7 mod 15.
Since designing a general arithmetic circuit is complex, we will build a specific one for this case based on the mapping:

  * $1 \to 7$ (binary $0001 \to 0111$)
  * $7 \to 4$ (binary $0111 \to 0100$)
  * $4 \to 13$ (binary $0100 \to 1101$)
  * $13 \to 1$ (binary $1101 \to 0001$)

This permutation can be implemented using `SWAP` gates on 4 qubits.

```python
import matplotlib.pyplot as plt
import numpy as np
from qiskit import QuantumCircuit, transpile
from qiskit_aer import AerSimulator
from fractions import Fraction
from math import gcd

# Define the Controlled-U gate for a=7, N=15
# This function repeats the unitary 'power' times to implement a^(2^j)
def c_amod15(a, power):
    """Controlled multiplication by a mod 15"""
    if a not in [2,4,7,8,11,13]:
        raise ValueError("'a' must be 2,4,7,8,11 or 13")
    U = QuantumCircuit(4)
    for _iteration in range(power):
        if a in [2,13]:
            U.swap(2,3); U.swap(1,2); U.swap(0,1)
        if a in [7,8]:
            U.swap(0,1); U.swap(1,2); U.swap(2,3)
        if a in [4, 11]:
            U.swap(1,3); U.swap(0,2)
        if a in [7,11,13]:
            for q in range(4):
                U.x(q)
    U = U.to_gate()
    U.name = f"{a}^{power} mod 15"
    c_U = U.control()
    return c_U
```

#### **Step 5.2: The Inverse Quantum Fourier Transform (QFTâ€ )**

The QPE algorithm ends with an inverse QFT to translate the phase encoding back into the computational basis (binary numbers).

```python
def qft_dagger(n):
    """n-qubit Inverse QFT"""
    qc = QuantumCircuit(n)
    # 1. Swap qubits to match Qiskit ordering
    for qubit in range(n//2):
        qc.swap(qubit, n-qubit-1)
    # 2. Apply inverse rotations and Hadamards
    for j in range(n):
        for m in range(j):
            qc.cp(-np.pi/float(2**(j-m)), m, j)
        qc.h(j)
    qc.name = "QFTâ€ "
    return qc
```

#### **Step 5.3: Building the Shor's Algorithm Circuit**

We need two registers:

1.  **Counting Register**: $n_{count} = 8$ qubits. This determines the precision of our period estimation.
2.  **Work Register**: 4 qubits to store the modulo 15 results.

<!-- end list -->

```python
# Settings
N_COUNT = 8  # number of counting qubits
a = 7

# Create QuantumCircuit
qc = QuantumCircuit(N_COUNT + 4, N_COUNT)

# 1. Initialize counting qubits in state |+>
for q in range(N_COUNT):
    qc.h(q)

# 2. Initialize work register in state |1>
qc.x(N_COUNT)

# 3. Apply Controlled-U operations
# Note the power of 2^q: this corresponds to the binary expansion of the phase
for q in range(N_COUNT):
    qc.append(c_amod15(a, 2**q),
             [q] + [i+N_COUNT for i in range(4)])

# 4. Do inverse-QFT on counting qubits
qc.append(qft_dagger(N_COUNT), range(N_COUNT))

# 5. Measure counting qubits
qc.measure(range(N_COUNT), range(N_COUNT))

# Visualize the circuit
print("Circuit Depth:", qc.depth())
# qc.draw('mpl') # Uncomment to see the full schematic
```

#### **Step 5.4: Simulation and Analysis**

We run the circuit on a simulator. Ideally, we expect constructive interference at phases related to the period $r=4$.

```python
# Simulate Results
aer_sim = AerSimulator()
t_qc = transpile(qc, aer_sim)
results = aer_sim.run(t_qc, shots=1024).result()
counts = results.get_counts()

# Print Top Results
print("\nTop Measurement Results:")
sorted_counts = sorted(counts.items(), key=lambda x: x[1], reverse=True)[:5]
for output_bin, count in sorted_counts:
    decimal = int(output_bin, 2)
    phase = decimal / (2**N_COUNT)
    print(f"Register: {output_bin} ({decimal}) | Count: {count} | Measured Phase: {phase:.3f}")
```

**Expected Output Analysis**:
You should see peaks around:

  * $0$ (Phase 0.0)
  * $64$ (Phase 0.25) $\to 1/4$
  * $128$ (Phase 0.50) $\to 2/4 = 1/2$
  * $192$ (Phase 0.75) $\to 3/4$

#### **Step 5.5: Classical Post-Processing (Finding the Factors)**

Now we take the measured phases and use the **Continued Fractions Algorithm** to find the period $r$, and then the factors of $N=15$.

```python
print("\n--- Classical Post-Processing ---")
for output_bin, _ in sorted_counts:
    decimal = int(output_bin, 2)
    phase = decimal / (2**N_COUNT)
    
    # 1. Limit denominator to find the period r
    frac = Fraction(phase).limit_denominator(15)
    r = frac.denominator
    
    print(f"\nFor Phase {phase:.3f} -> Fraction: {frac} -> Period Guess r={r}")
    
    # 2. Check if r is even and useful
    if phase != 0 and r % 2 == 0:
        # Guesses for factors are gcd(a^(r/2) Â± 1 , N)
        guess1 = gcd(a**(r//2)-1, 15)
        guess2 = gcd(a**(r//2)+1, 15)
        
        print(f"  Candidate Factors: {guess1} and {guess2}")
        if guess1 not in [1, 15]:
            print(f"  *** SUCCESS: Found Non-trivial factor: {guess1} ***")
        if guess2 not in [1, 15]:
            print(f"  *** SUCCESS: Found Non-trivial factor: {guess2} ***")
```

-----

This completes the detailed workbook entry for **Algorithm \#1**.
Shall we move on to **Algorithm \#2: Discrete Logarithm Problem**, or would you like to refine any part of this entry?

Here is the detailed workbook entry for **Algorithm \#2**, continuing our journey into the algorithms that break modern public-key cryptography.

-----

# 2\. Discrete Logarithm Problem (DLP)

### **1. Algorithm Profile**

  * **Name**: Shorâ€™s Algorithm for Discrete Logarithms
  * **Origin**: Published alongside the factoring algorithm by **Peter Shor** in **1994**.
  * **Type**: Algebraic & Number Theoretic Algorithm.
  * **Speedup Class**: **Exponential**. Reduces complexity from exponential (classically) to polynomial (quantum).

### **2. Introduction & Context**

  * **The "Elevator Pitch"**: While factoring breaks RSA, the Discrete Logarithm algorithm breaks the *other* half of the internet's security: **Diffie-Hellman** key exchange and **Elliptic Curve Cryptography (ECC)**. The problem is to find the exponent $s$ that turns a base number $g$ into a target number $y$ (i.e., $g^s = y$). Classically, this is like trying to find a specific grain of sand in a desert by checking them one by one. Quantumly, we transform this into a 2-dimensional period-finding problem, allowing us to see the "slope" $s$ directly.
  * **Real-World Use Cases**:
      * **Breaking ECC**: Elliptic Curve keys are used in Bitcoin, SSH, and TLS because they are smaller and faster than RSA keys. This algorithm renders them insecure.
      * **Diffie-Hellman**: Used for secure key exchange in VPNs and HTTPS.
  * **Current Status**: Implementing this is slightly more resource-intensive than factoring because it requires managing two interacting quantum registers, but it relies on the same underlying hardware capabilities (FTQC).

### **3. Deep Theoretical Dive ðŸ§ **

#### **The Problem Statement**

Given a cyclic group $G$ of order $r$, a generator $g$, and an element $y \in G$, find the integer $s$ (where $0 \le s < r$) such that:
$$g^s \equiv y$$

#### **The Classical Approach**

  * **Brute Force**: Check every power $g^1, g^2, \dots$ until you hit $y$. Complexity: $O(r)$.
  * **Baby-step Giant-step / Pollard's Rho**: These sophisticated algorithms improve the runtime to roughly $O(\sqrt{r})$.
  * **Index Calculus**: For certain groups (like integers modulo $p$), this is sub-exponential. For Elliptic Curves, the best known is still exponential, which is why ECC keys can be short.

#### **The Quantum Mechanism: 2D Period Finding**

Unlike factoring, which looks for a period on a line (1D), the DLP algorithm looks for a hidden structure on a 2D plane.

**1. The Function**
We define a function of *two* variables, $x_1$ and $x_2$:
$$f(x_1, x_2) = g^{x_1} y^{-x_2}$$
Substitute $y = g^s$:
$$f(x_1, x_2) = g^{x_1} (g^s)^{-x_2} = g^{x_1 - s x_2}$$

**2. The Hidden Symmetry**
Notice that this function is constant whenever the exponent $(x_1 - s x_2)$ is constant.
Specifically, if we shift our input by the vector $\vec{v} = (s, 1)$, the value doesn't change:
$$f(x_1+s, x_2+1) = g^{(x_1+s) - s(x_2+1)} = g^{x_1 + s - s x_2 - s} = g^{x_1 - s x_2} = f(x_1, x_2)$$
The function has a **hidden period** given by the vector $\vec{v} = (s, 1)$. The entire problem reduces to finding the "direction" or slope of this symmetry.

**3. The Algorithm**

1.  **Superposition**: Prepare two registers in a uniform superposition of integers: $\sum |x_1\rangle |x_2\rangle$.
2.  **Oracle Query**: Compute the function into a third register: $|g^{x_1} y^{-x_2}\rangle$.
3.  **QFT**: Apply the **Quantum Fourier Transform** to the first two registers.
4.  **Measurement**: The QFT interferes the amplitudes such that we only measure pairs $(u, v)$ that are orthogonal to the period vector $(s, 1)$. Mathematically, this means:
    $$u \cdot s + v \cdot 1 \equiv 0 \pmod r$$
    $$s \equiv -u \cdot v^{-1} \pmod r$$
5.  **Solution**: We measure $u$ and $v$, compute $v^{-1}$, and solve for the secret key $s$.

### **4. Practical Advantage & Complexity**

  * **Quantum Complexity**: $O((\log r)^2)$. This is polynomial in the number of bits.
  * **Resource Requirements**: It requires $3n$ logical qubits (two input registers of size $n$, one output of size $n$) and a circuit depth comparable to factoring.
  * **Caveat**: We must know the order of the group $r$. For ECC and safe primes, this is public knowledge. If unknown, we can use Shor's order-finding first.

-----

### **5. Implementation & Code Walkthrough (Qiskit) ðŸ’»**

We will solve a "toy" DLP instance.

  * **Group**: Integers modulo 7 ($\mathbb{Z}_7^*$).
  * **Generator**: $g = 3$. The powers are $\{3^1=3, 3^2=2, 3^3=6, 3^4=4, 3^5=5, 3^6=1\}$. Order $r=6$.
  * **Target**: $y = 4$. (We can see $x=4$, but the quantum computer must find it).
  * **Goal**: Find $s$ such that $3^s \equiv 4 \pmod 7$.

**The Oracle Logic**:
We need to implement $f(a, b) = 3^a \cdot 4^{-b} \pmod 7$.
Note: In $\mathbb{Z}_7^*$, the inverse of $4$ is $2$ (since $4 \times 2 = 8 \equiv 1$).
So our function is $f(a, b) = 3^a \cdot 2^b \pmod 7$.

#### **Step 5.1: Building the Oracle Components**

We need gates for "multiply by 3" and "multiply by 2" modulo 7.

  * $x \to 3x \pmod 7$: Permutation $[1, 2, 3, 4, 5, 6] \to [3, 6, 2, 5, 1, 4]$.
  * $x \to 2x \pmod 7$: Permutation $[1, 2, 3, 4, 5, 6] \to [2, 4, 6, 1, 3, 5]$.

<!-- end list -->

```python
import numpy as np
from qiskit import QuantumCircuit, transpile
from qiskit_aer import AerSimulator
from qiskit.circuit.library import QFT
from math import gcd

# 1. Define the "Multiply by 3 mod 7" gate
# Permutation: 1->3, 2->6, 3->2, 4->5, 5->1, 6->4
mul_3_gate = QuantumCircuit(3)
# We implement this specific permutation using swaps and X gates for the demo
# Logic derived from truth table for 3x mod 7
mul_3_gate.swap(0, 2)
mul_3_gate.swap(0, 1)
mul_3_gate.x(0)
mul_3_gate.x(1)
mul_3_gate.x(2)
c_mul_3 = mul_3_gate.to_gate().control(1) # Controlled version

# 2. Define the "Multiply by 2 mod 7" gate (This is y^-1)
# Permutation: 1->2, 2->4, 3->6, 4->1, 5->3, 6->5
mul_2_gate = QuantumCircuit(3)
# Logic derived from truth table for 2x mod 7
mul_2_gate.swap(1, 2)
mul_2_gate.swap(0, 1)
mul_2_gate.x(1)
c_mul_2 = mul_2_gate.to_gate().control(1) # Controlled version
```

#### **Step 5.2: The DLP Circuit**

We need two input registers (for $a$ and $b$) and one target register.
Since order $r=6$, we need registers large enough to hold values $0-5$. 3 qubits each is sufficient ($2^3=8$).

```python
# Setup
n_qubits = 3
qc = QuantumCircuit(3*n_qubits, 2*n_qubits)

# Registers:
# Qubits 0-2: Input 'a' (exponent for g)
# Qubits 3-5: Input 'b' (exponent for y^-1)
# Qubits 6-8: Target (stores f(a,b))

# Initialize inputs to superposition |+>
for i in range(2 * n_qubits):
    qc.h(i)

# Initialize target to |1> (001) for multiplication
qc.x(6)

# --- Apply Modular Exponentiation ---
# Ideally we apply 3^(a) * 2^(b). 
# For this toy example with limited depth, we apply just the first power 
# to demonstrate the phase kickback principle on the first bit.
# A full Shor implementation repeats these controlled gates 2^j times.

# Apply 3^a (controlled by register 'a')
for i in range(n_qubits):
    # For a full algo, we would power this gate: c_mul_3^(2^i)
    # Here we apply the base gate for demonstration
    qc.append(c_mul_3, [i] + list(range(2*n_qubits, 3*n_qubits)))

# Apply 2^b (controlled by register 'b')
for i in range(n_qubits):
    qc.append(c_mul_2, [i+n_qubits] + list(range(2*n_qubits, 3*n_qubits)))

# --- Apply Inverse QFT to both input registers ---
qc.append(QFT(n_qubits, inverse=True), range(n_qubits))
qc.append(QFT(n_qubits, inverse=True), range(n_qubits, 2*n_qubits))

# --- Measure Inputs ---
qc.measure(range(2*n_qubits), range(2*n_qubits))

print("Circuit created with depth:", qc.depth())
```

#### **Step 5.3: Execution & Interpretation**

Ideally, we look for the relation $v \cdot s = -u \pmod r$.

```python
# Run simulation
backend = AerSimulator()
t_qc = transpile(qc, backend)
result = backend.run(t_qc, shots=2048).result()
counts = result.get_counts()

# Filter and interpret top results
# Note: On a toy circuit without full exponentiation depth, 
# peaks will be noisy, but this illustrates the data flow.
sorted_counts = sorted(counts.items(), key=lambda x: x[1], reverse=True)[:5]
print("\nTop Measurements (b, a):")
for outcome, count in sorted_counts:
    # outcome is a bitstring of length 6. First 3 bits are 'b', next 3 are 'a'
    b_bits = outcome[0:3]
    a_bits = outcome[3:6]
    
    v = int(b_bits, 2)
    u = int(a_bits, 2)
    
    print(f"b={v}, a={u} (Count: {count})")
    
    # Pedagogical Check:
    # We are looking for s=4. The ideal relation is u + s*v = 0 mod r
    # Let's check if this pair satisfies it for s=4, r=6
    if (u + 4 * v) % 6 == 0:
        print(f"  -> Valid pair! (u + 4v = {u + 4*v} which is 0 mod 6)")
```

**Success Criterion**:
If you find pairs $(u, v)$ where $(u + 4v)$ is a multiple of the order 6, the algorithm has successfully encoded the discrete logarithm $s=4$ into the measurement statistics. In a full-scale run, recovering $s$ from these $u, v$ pairs is a simple system of linear modular equations.

-----

**This concludes Algorithm \#2.**
**Shall we proceed to Algorithm \#3: Pell's Equation (Hallgren's Algorithm)?**

Here is the detailed workbook entry for **Algorithm \#3: Pell's Equation**. This algorithm is particularly fascinating because it extends the quantum advantage from the discrete world (integers) to the continuous world (real numbers), mimicking the behavior of finding an irrational period.

-----

# 3\. Pell's Equation (Hallgren's Algorithm)

### **1. Algorithm Profile**

  * **Name**: Hallgrenâ€™s Algorithm for Pellâ€™s Equation.
  * **Origin**: Developed by **Sean Hallgren** in **2002**.
  * **Type**: Algebraic & Number Theoretic Algorithm (Continuous Hidden Subgroup Problem).
  * **Speedup Class**: **Superpolynomial / Exponential**. The classical complexity is sub-exponential ($O(e^{\sqrt{\log d}})$), while the quantum complexity is polynomial ($O(\text{poly}(\log d))$).

### **2. Introduction & Context**

  * **The "Elevator Pitch"**: While Shorâ€™s algorithm finds the period of a function over integers (like finding the repeat in a song), Hallgrenâ€™s algorithm finds the period of a function over **real numbers** (like finding the precise length of a wave that doesn't perfectly align with a grid). It solves the ancient Diophantine equation $x^2 - dy^2 = 1$ by treating the solution as a hidden periodic structure in a continuous mathematical landscape.
  * **Real-World Use Cases**:
      * **Cryptanalysis**: It breaks the **Buchmann-Williams cryptosystem**, which relies on the hardness of finding the "regulator" (period) in number fields.
      * **Mathematical Physics**: It provides a framework for solving problems with irrational periods, which has applications in simulating quantum systems with incommensurate frequencies.
  * **Current Status**: This is an advanced theoretical algorithm. While the underlying primitives (QFT) are standard, implementing the specific "continuous" oracle requires fault-tolerant hardware and high-precision arithmetic not yet available on NISQ devices.

### **3. Deep Theoretical Dive ðŸ§ **

#### **The Problem Statement**

Given a non-square integer $d$, find integer solutions $(x, y)$ to **Pell's Equation**:
$$x^2 - dy^2 = 1$$
The solutions are infinite, but they are all generated by a **fundamental solution** $(x_1, y_1)$. The goal is to find the **Regulator**, $R = \ln(x_1 + y_1\sqrt{d})$. Since $x_1, y_1$ can be astronomically large (exponential in $d$), we compute $R$ to a specific precision.

#### **The Classical Approach**

The best classical methods involve computing the **continued fraction** expansion of $\sqrt{d}$. The period of this expansion relates to the solution. However, the period length can scale roughly as $d^{1/2}$ or sub-exponentially, making it intractable for large $d$.

#### **The Quantum Mechanism: Continuous Period Finding**

Hallgren's insight was to define a function $f(z)$ over the **real numbers** $\mathbb{R}$ that is periodic with period $R$.

1.  **The Function**: The function $f(z)$ maps a real number $z$ to a "reduced ideal" in the ring $\mathbb{Z}[\sqrt{d}]$. This map is periodic: $f(z + R) = f(z)$.
2.  **Approximating the Continuous**: A quantum computer is discrete. We approximate the real line $\mathbb{R}$ using a large integer register with $N$ states, where state $|k\rangle$ represents the real number $z = k \cdot \delta$ (for some small spacing $\delta$).
3.  **Superposition**: We prepare a superposition of these discrete points: $\sum_{k=0}^{N-1} |k\rangle$.
4.  **Oracle**: We apply $U_f$ to compute the ideal $f(z)$ into a second register. Measuring the second register leaves the first register in a superposition of points separated by the period $R$ (conceptually $|z_0\rangle + |z_0 + R\rangle + |z_0 + 2R\rangle \dots$).
5.  **Quantum Fourier Transform (QFT)**: We apply the QFT. Unlike Shor's case where the period is an integer, here the period $R$ is likely irrational. The peaks in the Fourier spectrum will not be single sharp spikes but will be concentrated around multiples of $N/R$.
6.  **Extraction**: We measure the state to get a value close to $j \frac{N}{R}$. Using the continued fractions algorithm (just like in Shor's), we can recover the rational approximation of the irrational period $R$.

### **4. Practical Advantage & Complexity**

  * **Quantum Advantage**: The QFT allows us to extract the global periodicity $R$ without traversing the entire cycle step-by-step (which would take exponential time classically).
  * **Caveats**: The "oracle" involves calculating with ideals and performing a "reduction" step, which is computationally intensive (though polynomial). The measurement provides only an approximation of the irrational $R$, so high precision requires large registers.

-----

### **5. Implementation & Code Walkthrough (Qiskit) ðŸ’»**

Since implementing algebraic number theory oracles is too complex for a notebook, we will simulate the **core quantum mechanical principle**: estimating an **irrational phase/period** using Quantum Phase Estimation (QPE). This mimics the step where Hallgren's algorithm extracts the regulator $R$.

**The Task**: Estimate an unknown irrational phase $\phi$ (representing $1/R$) of a unitary operator $U$.

#### **Step 5.1: Setup - The "Irrational" Unitary**

We define a gate $U$ such that $U|1\rangle = e^{2\pi i \phi} |1\rangle$, where $\phi$ is a number we choose (e.g., $1/\pi \approx 0.3183...$) but assume is unknown.

```python
import numpy as np
from qiskit import QuantumCircuit, transpile
from qiskit.circuit.library import QFT
from qiskit_aer import AerSimulator
from qiskit.visualization import plot_histogram
import matplotlib.pyplot as plt

# 1. Choose our "Hidden" Irrational Phase (analogous to 1/Regulator)
# Let's use 1/pi approx 0.3183098...
HIDDEN_PHASE = 1 / np.pi 

# 2. Define the Oracle Gate (U^2^k)
# This applies a phase shift of 2^k * 2*pi*phi
def get_phase_oracle(power, true_phase):
    qc = QuantumCircuit(1)
    # CP gate adds a phase if control is |1>
    # Since we are simulating the eigenvalue part, we just use P gate on target
    # In full QPE, this P gate is controlled by the counting qubit
    angle = 2 * np.pi * true_phase * power
    qc.p(angle, 0)
    return qc.to_gate(label=f"U^{power}")
```

#### **Step 5.2: The Phase Estimation Circuit**

We use a counting register of $t$ qubits. The precision of our estimate for $R$ depends on $t$. In Hallgren's algorithm, this register must be large enough to approximate the irrational period accurately.

```python
# Settings
n_precision = 6  # Number of counting qubits (determines precision)
qc = QuantumCircuit(n_precision + 1, n_precision)

# 1. Initialize counting qubits to |+>
for q in range(n_precision):
    qc.h(q)

# 2. Initialize the target eigenstate |psi>
# The operator U adds a phase to |1>, so we set target to |1>
qc.x(n_precision)

# 3. Apply Controlled-U operations (Phase Kickback)
for q in range(n_precision):
    # The 'power' of U is 2^q, applied to target, controlled by qubit q
    # We implement this manually with a Controlled Phase gate
    power = 2**q
    angle = 2 * np.pi * HIDDEN_PHASE * power
    qc.cp(angle, q, n_precision)

# 4. Apply Inverse QFT to counting qubits
qc.append(QFT(n_precision, inverse=True), range(n_precision))

# 5. Measure counting qubits
qc.measure(range(n_precision), range(n_precision))

print(f"Circuit depth: {qc.depth()}")
```

#### **Step 5.3: Execution & Analysis**

We interpret the binary output fraction as our estimate for the irrational phase.

```python
# Run Simulation
sim = AerSimulator()
t_qc = transpile(qc, sim)
result = sim.run(t_qc, shots=2048).result()
counts = result.get_counts()

# Visualize Top Results
print(f"\nTrue Hidden Phase: {HIDDEN_PHASE:.6f}")
print("\nTop Measurement Outcomes:")
sorted_counts = sorted(counts.items(), key=lambda x: x[1], reverse=True)[:3]

for bitstring, count in sorted_counts:
    # Convert binary fraction to decimal
    # e.g., '010' -> 0*(1/2) + 1*(1/4) + 0*(1/8)
    decimal_val = int(bitstring, 2)
    estimated_phase = decimal_val / (2**n_precision)
    
    error = abs(estimated_phase - HIDDEN_PHASE)
    print(f"Bitstring: {bitstring} | Estimate: {estimated_phase:.6f} | Error: {error:.6f}")

# Plot
# plot_histogram(counts) # Uncomment to view
```

**Interpretation**:

  * Unlike Shor's algorithm, where we got exact peaks (like 0.25 or 0.5), here we get a **distribution** of peaks.
  * Since the true phase ($1/\pi \approx 0.3183$) cannot be perfectly represented by a 6-bit binary fraction, the probability "leaks" into nearby states.
  * The highest peak will be the best $n$-bit approximation.
      * Example: $0.3125$ (binary $0.010100$) vs $0.3183$.
  * Increasing `n_precision` (qubits) increases the accuracy of the regulator estimate, analogous to increasing the register size in Hallgren's algorithm to pin down the real-valued period $R$.

-----

**This concludes Algorithm \#3.**
**Shall we proceed to Algorithm \#4: Principal Ideal Problem?**

[Hallgren's Algorithm Video Overview](https://www.google.com/search?q=https://www.youtube.com/watch%3Fv%3DIw9qXoK9-hU)
The video provides an overview of Hallgren's Algorithm for solving Pell's equation using quantum computing.

Here is the detailed workbook entry for **Algorithm \#4: Principal Ideal Problem**. This algorithm generalizes the concepts from Pell's Equation, tackling the broader and deeper problem of finding generators in algebraic number fields.

-----

# 4\. Principal Ideal Problem (Hallgren's Algorithm)

### **1. Algorithm Profile**

  * **Name**: Hallgrenâ€™s Algorithm for the Principal Ideal Problem (PIP).
  * **Origin**: Developed by **Sean Hallgren** in **2002** (extended in 2007).
  * **Type**: Algebraic & Number Theoretic Algorithm (Continuous Hidden Subgroup Problem).
  * **Speedup Class**: **Superpolynomial / Exponential**. Classical algorithms are sub-exponential ($\exp(O(\sqrt{\log \Delta}))$), while the quantum algorithm is polynomial ($O(\text{poly}(\log \Delta))$) in the discriminant $\Delta$.

### **2. Introduction & Context**

  * **The "Elevator Pitch"**: In the world of "generalized integers" (algebraic number theory), numbers behave strangely. Factors are not always unique. To fix this, mathematicians use "ideals" (sets of numbers). A **Principal Ideal** is an ideal generated by a single "master number." Finding this generator is incredibly hard. This algorithm finds the generator by turning the algebraic structure of the number field into a **periodic landscape** and using a quantum computer to measure the length of the repeating pattern (the "Regulator").
  * **Real-World Use Cases**:
      * **Cryptanalysis**: It breaks cryptosystems based on the hardness of the PIP, such as the **Buchmann-Williams** key exchange and schemes based on real quadratic fields.
      * **Computational Mathematics**: It is a foundational subroutine for computing the **Class Group** (Algorithm \#6) and **Unit Group** (Algorithm \#5), essential tasks in number theory.
  * **Current Status**: Like Pell's Equation, this requires a fault-tolerant quantum computer with significant depth to handle the arithmetic of high-precision real numbers and large integers.

### **3. Deep Theoretical Dive ðŸ§ **

#### **The Problem Statement**

We work in a quadratic number field $K = \mathbb{Q}(\sqrt{\Delta})$.

  * An **Ideal** $I$ is a subset of the ring of integers $\mathcal{O}_K$.
  * An ideal is **Principal** if it consists of all multiples of a single element $\alpha$, written as $I = (\alpha)$.
  * **Goal**: Given a principal ideal $I$, find the generator $\alpha$.
      * *Twist*: $\alpha$ can be exponentially large (too big to write down). Instead, we must find its logarithm, called the **Regulator** $R = \ln|\alpha|$.

#### **The Classical Approach**

Classical algorithms walk along the "cycle of reduced ideals."

1.  Start with the ideal $I$.
2.  Apply a "reduction" step to make the ideal smaller/simpler.
3.  This sequence of reduced ideals eventually repeats. The length of this cycle is related to the regulator $R$.
4.  **Bottleneck**: The cycle length can be $O(\Delta^{1/2})$. Walking it step-by-step is impossible for large $\Delta$.

#### **The Quantum Mechanism: The Continuous Hidden Subgroup**

Hallgren's genius was to frame this cycle as a periodic function over the real numbers $\mathbb{R}$.

1.  **The Distance Function**: We define a distance along the cycle of ideals. Let $f(x)$ be the "reduced ideal" closest to the distance $x$ along the cycle.
2.  **Periodicity**: The cycle repeats every time we travel a distance equal to the **Regulator** $R$.
    $$f(x + R) = f(x)$$
    The function $f$ maps real numbers $\mathbb{R}$ to a set of ideals. It is a periodic function with a hidden, real-valued period $R$.
3.  **The Hidden Subgroup**: This is an instance of the Hidden Subgroup Problem where the group is $G = (\mathbb{R}, +)$ and the hidden subgroup is $H = R\mathbb{Z}$ (all integer multiples of the period).
4.  **Discretization**: Since we can't put continuous variables on qubits, we approximate $\mathbb{R}$ using a large integer grid of size $N$. We treat the period $R$ as a non-integer period on this grid.
5.  **Quantum Fourier Transform**:
      * Prepare a superposition of inputs: $\sum |x\rangle$.
      * Apply the oracle: $\sum |x\rangle |f(x)\rangle$.
      * Measure the second register to collapse the first into a periodic train of spikes: $|x_0\rangle + |x_0+R\rangle + |x_0+2R\rangle \dots$
      * Apply the **QFT**. The QFT of a periodic train with period $R$ yields peaks at frequencies $k \frac{N}{R}$.
6.  **Extraction**: Measurement yields a value close to a multiple of $1/R$. We compute $R$ using continued fractions.

### **4. Practical Advantage & Complexity**

  * **Quantum Complexity**: $O(\text{poly}(\log \Delta))$. The algorithm jumps directly to the period using the QFT, skipping the exponential walk.
  * **Classical Complexity**: Sub-exponential, roughly $L(1/2)$.
  * **Caveats**: Implementing the function $f(x)$ (ideal reduction) is complex. It involves high-precision arithmetic and managing "drift" in the continuous approximation.

-----

### **5. Implementation & Code Walkthrough (Qiskit) ðŸ’»**

Simulating the full arithmetic of algebraic number fields is too heavy for a notebook. Instead, we will create a **Synthetic Period Finding** experiment. We will construct a circuit that mimics the core mathematical structure of the Principal Ideal Problem: finding the period of a function $f(x)$ where the period $R$ is not necessarily an integer.

**Goal**: Find the period $R$ of a function $f(x) = \sin^2(\pi x / R)$ using the Quantum Fourier Transform.

#### **Step 5.1: Creating the Periodic Oracle**

In a real PIP, the oracle computes a reduced ideal. Here, we simulate this by rotating an ancilla qubit by an angle proportional to $x/R$. The probability of measuring the ancilla as $|1\rangle$ will oscillate with period $R$.

```python
import numpy as np
import matplotlib.pyplot as plt
from qiskit import QuantumCircuit, transpile
from qiskit_aer import AerSimulator
from qiskit.circuit.library import QFT
from fractions import Fraction

# 1. Define our "Hidden" Period (The Regulator)
# We treat this as a continuous value, though our grid is discrete integers.
REGULATOR_R = 5.33  # Example non-integer period

# 2. Create the Oracle
# The oracle applies a rotation Ry(theta) where theta depends on x and R.
# This encodes the periodicity into the amplitude of the ancilla.
def create_periodic_oracle(n_qubits, period):
    qc = QuantumCircuit(n_qubits + 1)
    
    # For each qubit 'i' in the input register (representing value 2^i),
    # we apply a controlled rotation.
    # The total angle for input x will be: theta = 2 * pi * x / period
    # We decompose x: x = sum(2^i * q_i)
    # So we apply rotations of 2 * pi * 2^i / period for each qubit i.
    
    for i in range(n_qubits):
        # Calculate angle for this bit's contribution
        angle = 2 * np.pi * (2**i) / period
        # Apply Controlled-Ry to the target qubit (index n_qubits)
        qc.cry(angle, i, n_qubits)
        
    qc.name = f"Oracle(R={period})"
    return qc
```

#### **Step 5.2: The Hallgren-Style Circuit**

We use an input register to sample the function and the QFT to extract the frequency.

```python
# Settings
N_PRECISION = 8  # Number of qubits for the domain (grid size 2^8 = 256)
qc = QuantumCircuit(N_PRECISION + 1, N_PRECISION)

# 1. Initialize input register to superposition |+>
for i in range(N_PRECISION):
    qc.h(i)

# 2. Apply the Periodic Oracle
# This entangles the input x with the ancilla state based on the period R
oracle = create_periodic_oracle(N_PRECISION, REGULATOR_R)
qc.append(oracle, range(N_PRECISION + 1))

# 3. Measure the Ancilla
# This collapses the input into a periodic superposition (weighted by sine waves)
# We don't actually need to read this bit, measuring it acts as the collapse.
qc.measure(N_PRECISION, 0) # Reuse classical bit 0 for now, we'll overwrite

# 4. Apply Inverse QFT to the Input Register
# This extracts the frequency 1/R from the periodic amplitude distribution
qc.append(QFT(N_PRECISION, inverse=True), range(N_PRECISION))

# 5. Measure the Input Register
qc.measure(range(N_PRECISION), range(N_PRECISION))

print(f"Circuit depth: {qc.depth()}")
```

#### **Step 5.3: Execution & Frequency Analysis**

The QFT will output peaks at integer values $y$ such that $\frac{y}{2^N} \approx \frac{k}{R}$. We can use these peaks to estimate $R$.

```python
# Run Simulation
sim = AerSimulator()
t_qc = transpile(qc, sim)
result = sim.run(t_qc, shots=2048).result()
counts = result.get_counts()

# Visualize Top Results
print(f"\nTrue Hidden Period (Regulator): {REGULATOR_R}")
print("Top Measurement Peaks:")

# Filter noise and sort
sorted_counts = sorted(counts.items(), key=lambda x: x[1], reverse=True)[:5]

for bitstring, count in sorted_counts:
    # Convert bitstring to integer y
    y = int(bitstring, 2)
    
    # The QFT maps period R to frequency k/R.
    # Our domain is size N = 2^n.
    # The measured value y corresponds to frequency f = y / N.
    # Relationship: f approx k / R  =>  R approx k * N / y
    
    # We calculate R assuming k=1 (fundamental frequency)
    # Note: y=0 is the DC component, usually ignored for period finding
    if y != 0:
        estimated_R = (2**N_PRECISION) / y
        print(f"State: {y} | Count: {count} | Estimated R (for k=1): {estimated_R:.4f}")
    else:
        print(f"State: {y} | Count: {count} | (DC Component)")

```

**Interpretation of Results**:

  * You will likely see a peak (or cluster of peaks) around a specific value $y$.
  * **Example Calculation**:
      * If $N_{precision} = 8$, domain size is 256.
      * True $R = 5.33$.
      * Expected Peak $y \approx 256 / 5.33 \approx 48$.
      * If you measure $y=48$, then $R_{est} = 256/48 = 5.333$.
  * **Success**: The quantum computer successfully identified the continuous period $R$ by sampling the function on a discrete grid and using the QFT to find the underlying frequency. In the full PIP algorithm, this $R$ is the logarithm of the generator of the principal ideal.

-----

**This concludes Algorithm \#4.**
**Shall we proceed to Algorithm \#5: Unit Group & Class Group Algorithms?**

Here is the detailed workbook entry for **Algorithm \#5: Unit Group & Class Group**. This entry represents the pinnacle of algebraic quantum algorithms, tackling the complex structures that define number fields.

-----

# 5\. Unit Group & Class Group Algorithms

### **1. Algorithm Profile**

  * **Name**: Hallgrenâ€™s Algorithms for Unit Group and Class Group.
  * **Origin**: Solved by **Sean Hallgren** in **2005**, with further refinements by **Schmidt & Vollmer**.
  * **Type**: Algebraic & Number Theoretic Algorithm (General Abelian Hidden Subgroup Problem).
  * **Speedup Class**: **Superpolynomial / Exponential**. Classical algorithms are sub-exponential ($\exp(O(\sqrt{\log \Delta}))$); quantum algorithms are polynomial ($O(\text{poly}(\log \Delta))$).

### **2. Introduction & Context**

  * **The "Elevator Pitch"**: In high-level number theory, simple rules break down.
    1.  **Unique Factorization fails**: $6$ might equal $2 \times 3$ but also $(1+\sqrt{-5})(1-\sqrt{-5})$. The **Class Group** measures "how badly" factorization breaks.
    2.  **Infinite Units**: In regular integers, the only "units" (divisors of 1) are $1, -1$. In number fields, there can be infinitely many (e.g., powers of $1+\sqrt{2}$). The **Unit Group** describes this infinite structure.
        This algorithm uses a quantum computer to map the "shape" of these complex number systems, revealing their secret generators exponentially faster than classical supercomputers.
  * **Real-World Use Cases**:
      * **Advanced Cryptography**: Essential for the security analysis of **homomorphic encryption** schemes and **isogeny-based cryptography** (like CSIDH), which rely on the structure of Class Groups.
      * **Computational Number Theory**: Allows mathematicians to compute invariants of number fields with large discriminants, a task currently impossible.
  * **Current Status**: These are "nested" algorithms that require the Principal Ideal Problem (Algorithm \#4) as a subroutine. They are theoretically sound but require substantial fault-tolerant resources.

### **3. Deep Theoretical Dive ðŸ§ **

#### **The Problem Statement**

Let $K$ be a number field with ring of integers $\mathcal{O}_K$.

1.  **Unit Group Problem**: Find a basis for the group of units $\mathcal{O}_K^*$. By **Dirichlet's Unit Theorem**, this group is isomorphic to $\mu_K \times \mathbb{Z}^{r_1 + r_2 - 1}$, where $\mu_K$ are roots of unity (torsion) and the $\mathbb{Z}$ terms form a **Lattice**. The goal is to find the vectors generating this lattice.
2.  **Class Group Problem**: Find the structure of the Class Group $Cl_K$. This is a finite Abelian group. We want to find integers $d_1, d_2, \dots$ such that $Cl_K \cong \mathbb{Z}_{d_1} \times \mathbb{Z}_{d_2} \dots$.

#### **The Classical Approach**

Classical algorithms use **index calculus** methods. They search for "relations" between prime ideals. Generating enough relations to define the group structure requires sub-exponential time, similar to the integer factorization problem but significantly more complex.

#### **The Quantum Mechanism: Multi-Dimensional HSP**

Both problems are instances of the **Abelian Hidden Subgroup Problem (HSP)**, but they are more complex than Shor's algorithms because they are **multi-dimensional**.

**1. The Unit Group Strategy (Continuous HSP)**

  * **Mapping**: We use a logarithmic map $\mathcal{L}$ that sends multiplicative units to additive vectors in $\mathbb{R}^n$.
  * **Lattice Finding**: The units map to a discrete **lattice** hidden inside the continuous vector space $\mathbb{R}^n$.
  * **Quantum Algorithm**: We define a function periodic over this lattice. We use a **multi-dimensional Continuous Quantum Fourier Transform** to find the dual lattice, allowing us to reconstruct the fundamental units.

**2. The Class Group Strategy (Discrete HSP)**

  * **The Group**: We are probing a group $G = \mathbb{Z}^k$.
  * **The Oracle**: We define a function $f(\vec{x})$ that takes a vector of integers, computes a product of ideals $I = \mathfrak{p}_1^{x_1} \dots \mathfrak{p}_k^{x_k}$, and outputs the "class" of that ideal.
  * **The "Subroutine" Twist**: To determine the "class" of an ideal (i.e., to check if two inputs give the same output), the quantum computer must determine if an ideal is **principal**. This requires running **Hallgren's PIP Algorithm (Algorithm \#4)** as a subroutine inside the Class Group algorithm.
  * **Superposition & QFT**:
    1.  Prepare superposition over the grid $\mathbb{Z}^k$.
    2.  Compute ideal classes (using the PIP quantum subroutine).
    3.  Apply the **k-dimensional QFT** over $\mathbb{Z}$.
    4.  Sampling the output reveals the cycle structure (the generators) of the Class Group.

### **4. Practical Advantage & Complexity**

  * **Quantum Advantage**: The ability to perform QFT in multiple dimensions simultaneously allows the quantum computer to extract the entire group structure (the lattice basis or cyclic generators) efficiently.
  * **Complexity**: Polynomial in the invariants of the field ($\log \Delta$).
  * **Future Scope**: This is the "endgame" algorithm for number theory. Once we have hardware capable of running this, we essentially "solve" algebraic number theory for computational purposes.

-----

### **5. Implementation & Code Walkthrough (Qiskit) ðŸ’»**

Since we cannot easily simulate algebraic number fields in a python notebook, we will simulate the **core quantum mechanism**: finding the hidden structure of a **2D Finite Abelian Group**.

**The Task**: We have a "black box" function with a 2D hidden period $(r_x, r_y)$.
$$f(x, y) = f(x + r_x, y) = f(x, y + r_y)$$
This is analogous to finding the structure $\mathbb{Z}_{r_x} \times \mathbb{Z}_{r_y}$ of a Class Group or the basis vectors of a Unit Group lattice.

#### **Step 5.1: Constructing a 2D Periodic Oracle**

We will create a function that adds phases proportional to $x/r_x$ and $y/r_y$.

```python
import numpy as np
from qiskit import QuantumCircuit, transpile
from qiskit_aer import AerSimulator
from qiskit.circuit.library import QFT
import matplotlib.pyplot as plt

# 1. Define the Hidden Structure (Periods in X and Y dimensions)
PERIOD_X = 4
PERIOD_Y = 2 

# 2. Define the 2D Oracle
# Ideally: f(x,y) -> |x>|y>|f(x,y)>
# Phase Kickback shortcut: U|x>|y> -> e^{2pi*i*(x/Px + y/Py)} |x>|y>
def oracle_2d_period(n_qubits_x, n_qubits_y, px, py):
    qc = QuantumCircuit(n_qubits_x + n_qubits_y)
    
    # Apply phase rotations for X register
    # Phase = 2*pi * x / Px.  x = sum(2^j * x_j)
    for j in range(n_qubits_x):
        angle = 2 * np.pi * (2**j) / px
        qc.p(angle, j)  # Qubits 0 to nx-1 are X register
        
    # Apply phase rotations for Y register
    # Phase = 2*pi * y / Py.
    for k in range(n_qubits_y):
        angle = 2 * np.pi * (2**k) / py
        qc.p(angle, n_qubits_x + k) # Qubits nx to end are Y register
        
    qc.name = f"Oracle(Px={px}, Py={py})"
    return qc
```

#### **Step 5.2: The Multi-Dimensional QFT Circuit**

We apply the QFT to the X register and the Y register independently (a tensor product of QFTs).

```python
# Settings
N_X = 4  # Qubits for dimension X
N_Y = 3  # Qubits for dimension Y

qc = QuantumCircuit(N_X + N_Y, N_X + N_Y)

# 1. Initialize Superposition (Hadamard on all)
for i in range(N_X + N_Y):
    qc.h(i)

# 2. Apply the 2D Oracle (Hidden Structure)
oracle = oracle_2d_period(N_X, N_Y, PERIOD_X, PERIOD_Y)
qc.append(oracle, range(N_X + N_Y))

# 3. Apply Inverse QFT to X Register
qc.append(QFT(N_X, inverse=True), range(N_X))

# 4. Apply Inverse QFT to Y Register
qc.append(QFT(N_Y, inverse=True), range(N_X, N_X + N_Y))

# 5. Measure
qc.measure(range(N_X + N_Y), range(N_X + N_Y))

print(f"Circuit dimensions: {N_X}x{N_Y} qubits.")
```

#### **Step 5.3: Execution & Structural Analysis**

The measurement results will reveal the frequencies corresponding to the periods.

  * X register should peak at multiples of $2^{N_X} / P_X$.
  * Y register should peak at multiples of $2^{N_Y} / P_Y$.

<!-- end list -->

```python
# Run Simulation
sim = AerSimulator()
t_qc = transpile(qc, sim)
result = sim.run(t_qc, shots=2048).result()
counts = result.get_counts()

# Visualize Top Results
print(f"\nHidden Structure: X-Period={PERIOD_X}, Y-Period={PERIOD_Y}")
print("Top Measurement Outcomes (Binary Y | Binary X):")

sorted_counts = sorted(counts.items(), key=lambda x: x[1], reverse=True)[:5]

for bitstring, count in sorted_counts:
    # Split bitstring into Y and X parts. 
    # Qiskit order is reversed: [qubit n ... qubit 0]
    # So the first bits in string are the LAST qubits in circuit (Y register)
    bin_y = bitstring[0:N_Y]
    bin_x = bitstring[N_Y:]
    
    val_x = int(bin_x, 2)
    val_y = int(bin_y, 2)
    
    # Estimate Periods
    # measurement m approx N / r  =>  r approx N / m
    est_rx = (2**N_X) / val_x if val_x != 0 else 0
    est_ry = (2**N_Y) / val_y if val_y != 0 else 0
    
    print(f"Y={bin_y}({val_y}) X={bin_x}({val_x}) | Count: {count} | Est Periods: X~{est_rx} Y~{est_ry}")
```

**Interpretation of Results**:

  * With $N_X=4$ (size 16) and $P_X=4$, we expect peaks in X at $16/4 = 4, 8, 12$.
  * With $N_Y=3$ (size 8) and $P_Y=2$, we expect peaks in Y at $8/2 = 4$.
  * If you measure `Y=100 X=0100` (Y=4, X=4), the algorithm has correctly identified the "lattice points" in the frequency domain.
  * This demonstrates how the QFT can untangle a product group structure $\mathbb{Z}_4 \times \mathbb{Z}_2$ simultaneously.

-----

**This concludes Algorithm \#5.**
**Shall we proceed to Algorithm \#6: Estimating Gauss Sums?**

Here is the detailed workbook entry for **Algorithm \#6: Estimating Gauss Sums**. This entry explores a fascinating intersection of number theory and quantum interference, showing how quantum computers can act as "calculators" for complex mathematical constants that are intractable classically.

-----

# 6\. Estimating Gauss Sums

### **1. Algorithm Profile**

  * **Name**: The van Dam-Seroussi Algorithm for Estimating Gauss Sums.
  * **Origin**: Proposed by **Wim van Dam** and **Gadiel Seroussi** in **2002**.
  * **Type**: Algebraic & Number Theoretic Algorithm (Quantum Estimation).
  * **Speedup Class**: **Superpolynomial**. It estimates the sum to polynomial precision in polynomial time ($poly(\log q)$), whereas exact classical calculation takes exponential time ($O(q)$).

### **2. Introduction & Context**

  * **The "Elevator Pitch"**: A Gauss Sum is a special kind of total, adding up values scattered around the unit circle in the complex plane. These sums are "fingerprints" of finite fields used in number theory. Calculating them directly involves adding up an exponential number of terms ($q$ terms for a field of size $q$). This algorithm uses a quantum computer to prepare two states representing the mathematical functions and then measures how much they "overlap" (interfere) to estimate the sum instantly.
  * **Real-World Use Cases**:
      * **Cryptography**: Gauss sums are related to counting points on curves (see Algorithm \#50), which is vital for setting up secure Elliptic Curve Cryptography (ECC).
      * **Physics**: They appear in calculating **partition functions** for statistical models (like the Potts model), linking number theory to thermodynamics.
  * **Current Status**: This is a theoretical primitive. While the Hadamard Test (the core mechanism) is standard, preparing the specific states for large finite fields requires complex arithmetic circuits not yet standard in NISQ libraries.

### **3. Deep Theoretical Dive ðŸ§ **

#### **The Problem Statement**

We work over a finite field $\mathbb{F}_q$.

  * **Multiplicative Character** $\chi(x)$: A function that maps field multiplication to complex multiplication ($\chi(xy) = \chi(x)\chi(y)$).
  * **Additive Character** $\psi(x)$: A function that maps field addition to complex multiplication ($\psi(x+y) = \psi(x)\psi(y)$).
  * **The Gauss Sum**: Defined as the sum over all non-zero elements of the field:
    $$G(\chi, \psi) = \sum_{x \in \mathbb{F}_q^*} \chi(x) \psi(x)$$
    The result is a complex number. The goal is to estimate its magnitude and phase.

#### **The Classical Approach**

The naive approach is to loop through all $q-1$ elements, compute $\chi(x)\psi(x)$, and add them up. Since $q$ can be huge (e.g., $2^{2048}$), an $O(q)$ loop is impossible. Efficient classical algorithms exist only for specific cases; the general case is hard.

#### **The Quantum Mechanism: Interference as Summation**

The algorithm relies on a beautiful identity: the Gauss sum is proportional to the **inner product** of two quantum states.

1.  **State Preparation**: We construct two quantum states. One encodes the multiplicative character in its amplitudes, the other encodes the complex conjugate of the additive character:
    $$|\chi\rangle = \frac{1}{\sqrt{q-1}} \sum_{x \neq 0} \chi(x) |x\rangle$$
    $$|\psi^*\rangle = \frac{1}{\sqrt{q-1}} \sum_{x \neq 0} \psi^*(x) |x\rangle$$
2.  **The Identity**: If we take the inner product of these two states (the "quantum overlap"), we get:
    $$\langle \psi^* | \chi \rangle = \frac{1}{q-1} \sum_{x \neq 0} \psi(x) \chi(x) = \frac{1}{q-1} G(\chi, \psi)$$
    Thus, estimating the Gauss sum is equivalent to estimating the overlap $\langle \psi^* | \chi \rangle$.
3.  **The Circuit (Hadamard Test)**: To measure the overlap of two states $|\phi\rangle$ and $|\xi\rangle$, we use the **Hadamard Test**:
      * Use an ancilla qubit in superposition.
      * Control the preparation of the two states: if ancilla is $|0\rangle$, prepare $|\chi\rangle$; if $|1\rangle$, prepare $|\psi^*\rangle$. (Alternatively, use a controlled-SWAP if both states are available).
      * Measure the ancilla in the $X$ and $Y$ bases. The statistics of these measurements give the real and imaginary parts of $\langle \psi^* | \chi \rangle$.

### **4. Practical Advantage & Complexity**

  * **Quantum Complexity**: $O(poly(\log q))$. The cost is dominated by the circuits needed to compute the characters $\chi(x)$ and $\psi(x)$ to prepare the states.
  * **Resource Requirements**: One ancilla qubit plus a register of size $\lceil \log_2 q \rceil$. Requires high-fidelity controlled operations.
  * **Caveats**: The algorithm only *estimates* the sum to polynomial precision. It does not give the exact algebraic integer value.

-----

### **5. Implementation & Code Walkthrough (Qiskit) ðŸ’»**

Since implementing finite field arithmetic for characters is complex, we will focus on the **Core Quantum Mechanism**: the **Hadamard Test**.
We will simulate estimating the overlap (inner product) between two states $|\phi\rangle$ and $|\xi\rangle$.

  * In the real algorithm, these states would be $|\chi\rangle$ and $|\psi^*\rangle$.
  * In our demo, we will create two arbitrary 1-qubit states rotated by different angles and see if the quantum computer can calculate their overlap.

#### **Step 5.1: The Hadamard Test Circuit**

We want to estimate $\text{Re}(\langle \psi | \phi \rangle)$.
The circuit involves:

1.  An **Ancilla** qubit (initialized to $|+\rangle$).
2.  A **Register** (here, 1 qubit) initialized to $|0\rangle$.
3.  **Controlled-Operations**:
      * If Ancilla is $|0\rangle$, do nothing (implicitly prepare $|\psi\rangle = |0\rangle$).
      * If Ancilla is $|1\rangle$, apply unitary $U$ to create $|\phi\rangle = U|0\rangle$.
      * *Note*: The standard Hadamard test usually measures $\langle \psi | U | \psi \rangle$. To measure overlap between two arbitrary prepared states, we use a slightly different form involving a **Controlled-SWAP** (Swap Test), but for simplicity here, we'll assume one state is $|0\rangle$ and the other is $U|0\rangle$, effectively measuring the coefficient of $|0\rangle$ in $U|0\rangle$.

Let's implement the **Swap Test** version, which is more general. It measures $|\langle \phi | \xi \rangle|^2$.

```python
import numpy as np
from qiskit import QuantumCircuit, transpile
from qiskit_aer import AerSimulator
from qiskit.visualization import plot_histogram

# 1. Prepare two states with a known overlap
# State |phi> = Ry(theta1)|0>
# State |xi>  = Ry(theta2)|0>
# Overlap should be related to cos((theta1-theta2)/2)

theta1 = np.pi / 2  # |+> state approx
theta2 = np.pi / 3  # Some other state

def create_swap_test_circuit(theta1, theta2):
    # 3 Qubits: 1 Ancilla, 1 for Phi, 1 for Xi
    qc = QuantumCircuit(3, 1)
    
    # 1. Prepare the states
    qc.ry(theta1, 1) # Prepare |phi> on q1
    qc.ry(theta2, 2) # Prepare |xi>  on q2
    
    # 2. Initialize Ancilla to |+>
    qc.h(0)
    
    # 3. Controlled-SWAP (Fredkin Gate)
    # Swaps q1 and q2 controlled by q0
    qc.cswap(0, 1, 2)
    
    # 4. Final Hadamard on Ancilla
    qc.h(0)
    
    # 5. Measure Ancilla
    qc.measure(0, 0)
    
    return qc

qc = create_swap_test_circuit(theta1, theta2)
print("Swap Test Circuit:")
qc.draw(output='text')
```

#### **Step 5.2: Analytical Prediction**

For the Swap Test, the probability of measuring $|0\rangle$ is given by:
$$P(0) = \frac{1}{2} + \frac{1}{2} |\langle \phi | \xi \rangle|^2$$
If the states are identical ($|\langle \phi | \xi \rangle|^2 = 1$), $P(0) = 1$.
If they are orthogonal ($|\langle \phi | \xi \rangle|^2 = 0$), $P(0) = 0.5$.

Let's compute the expected overlap classically:
$|\phi\rangle = \cos(\theta_1/2)|0\rangle + \sin(\theta_1/2)|1\rangle$
$|\xi\rangle = \cos(\theta_2/2)|0\rangle + \sin(\theta_2/2)|1\rangle$
Inner product $\langle \phi | \xi \rangle = \cos(\theta_1/2)\cos(\theta_2/2) + \sin(\theta_1/2)\sin(\theta_2/2) = \cos((\theta_1-\theta_2)/2)$.

```python
# Classical Calculation
overlap = np.cos((theta1 - theta2) / 2)
expected_fidelity = overlap**2
expected_p0 = 0.5 + 0.5 * expected_fidelity

print(f"Angle 1: {theta1:.3f}")
print(f"Angle 2: {theta2:.3f}")
print(f"True Squared Overlap: {expected_fidelity:.4f}")
print(f"Expected P(Measure 0): {expected_p0:.4f}")
```

#### **Step 5.3: Execution & Analysis**

```python
# Run Simulation
sim = AerSimulator()
t_qc = transpile(qc, sim)
result = sim.run(t_qc, shots=8192).result()
counts = result.get_counts()

# Analyze Results
p0_measured = counts.get('0', 0) / 8192
measured_fidelity = 2 * (p0_measured - 0.5)

print(f"Measured P(0): {p0_measured:.4f}")
print(f"Estimated Squared Overlap: {measured_fidelity:.4f}")
print(f"Error: {abs(expected_fidelity - measured_fidelity):.4f}")

# In the Gauss Sum algorithm, this 'measured_fidelity' (or the complex equivalent from Hadamard test)
# is multiplied by (q-1) to estimate the sum.
```

**Interpretation**:

  * You should see `Measured P(0)` very close to `Expected P(0)`.
  * **Connection to Algorithm**: In the full Van Dam-Seroussi algorithm, the quantum computer prepares the complex character states $|\chi\rangle$ and $|\psi^*\rangle$. By running a variant of this test (Hadamard Test for complex values), we extract the real and imaginary parts of their overlap.
  * If the overlap is small, the Gauss sum is near 0. If large, the sum is large. This allows us to calculate these sums without adding up $q$ terms individually.

-----

**This concludes Algorithm \#6.**
**Shall we proceed to Algorithm \#7: Primality Proving?**

Here is the detailed workbook entry for **Algorithm \#7: Primality Proving**. This entry highlights a fascinating application of quantum search to a problem that is classically solvable but computationally expensive.

-----

# 7\. Primality Proving

### **1. Algorithm Profile**

  * **Name**: The Donis-Vela & Garcia-Escartin Algorithm (Quantum Primality Proving).
  * **Origin**: Proposed by **A. Donis-Vela** and **J.C. Garcia-Escartin** in **2012**.
  * **Type**: Algebraic / Oracular (Grover-based).
  * **Speedup Class**: **Polynomial**. It improves the best deterministic classical complexity from $\tilde{O}(n^4)$ to roughly $\tilde{O}(n^3)$.

### **2. Introduction & Context**

  * **The "Elevator Pitch"**: We all know how to *test* if a number is prime (like the Miller-Rabin test), but those tests only give a probabilistic answer ("It's probably prime"). *Proving* it is much harder. The classical **AKS algorithm** proved that primality can be solved deterministically in polynomial time, but it is very slow (degree 4 polynomial). This quantum algorithm speeds up the process by using **Grover's Search** to find a "witness" numberâ€”a mathematical certificate that guarantees primalityâ€”faster than any classical computer could look for it.
  * **Real-World Use Cases**:
      * **Certified Cryptography**: Generating parameters for Diffie-Hellman or RSA often requires numbers that are *provably* prime, not just probably prime, to avoid subtle attacks involving composite order subgroups.
      * **Number Theory**: Validating conjectures involving large primes.
  * **Current Status**: Since this algorithm relies on **Grover's Search** (Algorithm \#11), it is a standard target for fault-tolerant quantum computers but requires significant circuit depth for the modular arithmetic oracles.

### **3. Deep Theoretical Dive ðŸ§ **

#### **The Problem Statement**

Given a positive integer $N$, deterministically decide if $N$ is prime and provide a certificate (proof) of this fact.

#### **The Classical Approach: Pocklingtonâ€™s Criterion**

While AKS is the famous polynomial-time algorithm, this quantum approach improves upon a different method based on **Pocklington's Theorem**.
To prove $N$ is prime, we need to find a "witness" integer $a$ that satisfies two conditions relative to the prime factors of $N-1$:

1.  **Fermat Condition**: $a^{N-1} \equiv 1 \pmod N$.
2.  **Coprimality Condition**: For every prime factor $q$ of $N-1$, $\text{gcd}(a^{(N-1)/q} - 1, N) = 1$.

If such an $a$ exists, $N$ is prime.

  * **Classical Bottleneck**: We have to verify potential witnesses $a$ one by one. In the worst case, finding a valid witness takes significant trial and error.

#### **The Quantum Mechanism: Searching for a Witness**

The algorithm replaces the classical trial-and-error search for $a$ with **Grover's Algorithm**.

1.  **Factorization**: First, partially factor $N-1$ (using classical methods or Shor's if needed, though usually small factors suffice for Pocklington). Let's assume we know the prime factors $\{q_i\}$ of $N-1$.
2.  **The Oracle**: We construct a quantum oracle $U_w$ that takes an input $|a\rangle$ and checks the Pocklington conditions:
      * Computes $val_1 = a^{N-1} \pmod N$.
      * Computes $val_{2,i} = \text{gcd}(a^{(N-1)/q_i} - 1, N)$ for all $q_i$.
      * Flips the phase if $val_1 = 1$ AND all $val_{2,i} = 1$.
3.  **Grover Search**: We initialize a superposition of all possible witnesses $a \in [2, N-1]$. We apply the Grover iterator (Oracle + Diffuser) $\approx \sqrt{N}$ times (or fewer, since witnesses are dense).
4.  **Measurement**: We measure the register to obtain a witness $a$. We can then classically verify this witness to construct the primality certificate.

### **4. Practical Advantage & Complexity**

  * **Quantum Complexity**: $\tilde{O}(n^3)$, where $n$ is the number of bits in $N$. This beats the best classical (AKS) bound of $\tilde{O}(n^4)$.
  * **Quantum Advantage**: It provides a speedup for a problem *already in P*. This is distinct from Shor's or Grover's usual use cases, proving that quantum computers can optimize "easy" problems too.
  * **Caveats**: The oracle must implement modular exponentiation and GCD, which are expensive. The speedup is polynomial, so it requires a very fast clock cycle on the quantum hardware to beat highly optimized classical code.

-----

### **5. Implementation & Code Walkthrough (Qiskit) ðŸ’»**

We will implement a **Quantum Witness Search** for proving the primality of **$N=17$**.

  * $N-1 = 16 = 2^4$.
  * The only prime factor of $N-1$ is $q=2$.
  * **Pocklington Conditions** for witness $a$:
    1.  $a^{16} \equiv 1 \pmod{17}$ (True for all $a \neq 0$).
    2.  $\text{gcd}(a^{16/2} - 1, 17) = 1 \implies \text{gcd}(a^8 - 1, 17) = 1$.
    <!-- end list -->
      * This implies $a^8 \not\equiv 1 \pmod{17}$.
      * Since $a^{16} \equiv 1$, $a^8$ must be $1$ or $-1$ ($16$ in mod 17).
      * So, we are looking for an $a$ where **$a^8 \equiv 16 \pmod{17}$**.

#### **Step 5.1: Defining the Pocklington Oracle**

Instead of building a full arithmetic circuit (which is huge), we will define the oracle logically. We calculate the "good" witnesses classically to define the diagonal phase matrix, simulating how the quantum computer would mark them.

```python
import numpy as np
from qiskit import QuantumCircuit, transpile
from qiskit_aer import AerSimulator
from qiskit.circuit.library import GroverOperator, MCMT, ZGate
from qiskit.visualization import plot_histogram
import matplotlib.pyplot as plt

N = 17
TARGET_EXPONENT = (N - 1) // 2  # 8

# 1. Identify valid witnesses classically to construct the Oracle matrix
# (In a real run, the quantum circuit logic computes this)
valid_witnesses = []
for a in range(1, N): # Search space 1 to 16
    # Check Pocklington condition: a^8 != 1 mod 17
    # (We know a^16 = 1, so this checks if a is a quadratic non-residue)
    val = pow(a, TARGET_EXPONENT, N)
    if val != 1:
        valid_witnesses.append(a)

print(f"Valid witnesses for N={N}: {valid_witnesses}")

# 2. Build the Oracle (Phase Oracle)
# We need 5 qubits to represent numbers up to 16 (2^4 = 16 is not enough for N=17 range, need 5)
num_qubits = 5 

def pocklington_oracle(n_qubits, witnesses):
    qc = QuantumCircuit(n_qubits)
    # A Phase Oracle applies a Z gate (or phase flip) to the marked states
    # We construct a diagonal matrix where marked states have -1, others +1
    matrix = np.ones(2**n_qubits)
    for w in witnesses:
        matrix[w] = -1 
    
    qc.diagonal(list(matrix), range(n_qubits))
    qc.name = "Witness Oracle"
    return qc
```

#### **Step 5.2: The Grover Search Circuit**

We construct the standard Grover search loop.

```python
# Setup
oracle = pocklington_oracle(num_qubits, valid_witnesses)
grover_op = GroverOperator(oracle)

# Optimal number of iterations
# k = number of solutions, N_search = search space size
k = len(valid_witnesses)
N_search = 2**num_qubits
optimal_iterations = int(np.floor(np.pi/4 * np.sqrt(N_search/k)))

print(f"Search Space: {N_search}, Solutions: {k}")
print(f"Optimal Grover Iterations: {optimal_iterations}")

# Build Circuit
qc = QuantumCircuit(num_qubits)

# 1. Superposition
qc.h(range(num_qubits))

# 2. Grover Iterator
for _ in range(optimal_iterations):
    qc.append(grover_op, range(num_qubits))

# 3. Measurement
qc.measure_all()

# print(qc.draw(output='text')) # Uncomment to view
```

#### **Step 5.3: Execution & Verification**

The measurement should return one of the valid witnesses (like 3, 5, 6, 7, 10, 11...) with high probability.

```python
# Run Simulation
sim = AerSimulator()
t_qc = transpile(qc, sim)
result = sim.run(t_qc, shots=1024).result()
counts = result.get_counts()

# Filter results
print("\nTop Measurement Results (Witness Candidates):")
sorted_counts = sorted(counts.items(), key=lambda x: x[1], reverse=True)[:5]

for bitstring, count in sorted_counts:
    witness_candidate = int(bitstring, 2)
    
    # Verify Classical Proof
    is_valid = False
    if witness_candidate < N and witness_candidate > 0:
        val = pow(witness_candidate, 8, 17)
        if val == 16: # equivalent to -1 mod 17
            is_valid = True
            
    status = "VALID PROOF" if is_valid else "Invalid"
    print(f"Candidate: {witness_candidate} | Count: {count} | Status: {status}")
```

**Interpretation**:

  * **Measurement**: You should see high counts for numbers like 3, 5, 6, etc.
  * **The Proof**: If the quantum computer outputs `3`, we calculate $3^8 \equiv 16 \pmod{17}$ classically. Since $16 \not\equiv 1$, and $\text{gcd}(16-1, 17)=1$, `3` serves as a mathematical **certificate**. We have proven 17 is prime without relying on trust in the hardware; the hardware simply helped us find the proof faster.

-----

**This concludes Algorithm \#7.**
**Shall we proceed to Algorithm \#8: Solving Exponential Congruences?**

Here is the detailed workbook entry for **Algorithm \#8: Solving Exponential Congruences**. This algorithm represents the generalization of Shorâ€™s work from one dimension to many, tackling systems of equations in the exponent.

-----

# 8\. Solving Exponential Congruences

### **1. Algorithm Profile**

  * **Name**: Quantum Algorithm for Exponential Congruences (Multidimensional Abelian HSP).
  * **Origin**: Generalized by **Boneh and Lipton (1995)** and **Kitaev (1995)** as an extension of the Hidden Subgroup Problem.
  * **Type**: Algebraic & Number Theoretic Algorithm.
  * **Speedup Class**: **Superpolynomial**. It solves systems of equations in polynomial time that require exponential time classically (e.g., Index Calculus methods).

### **2. Introduction & Context**

  * **The "Elevator Pitch"**: Imagine trying to discover a secret recipe where you know the ingredients (bases) and the final taste (the result), but you don't know the quantities (exponents). If you have multiple ingredients interacting in a complex modular way ($A^x B^y C^z \equiv D$), finding the exponents $x, y, z$ is classically incredibly hard. This algorithm uses quantum parallelism to find the "mixing ratio" of these generators simultaneously by treating the problem as finding a hidden lattice structure in a multi-dimensional space.
  * **Real-World Use Cases**:
      * **Advanced Cryptanalysis**: This generalizes the Discrete Log attack. It is used to break cryptosystems based on the "Representation Problem" or "Knapsack-like" problems in groups.
      * **Electronic Voting**: Some voting protocols rely on the difficulty of finding relationships between multiple generators (Pedersen Commitments). This algorithm challenges those assumptions.
  * **Current Status**: Like DLP, it requires fault-tolerant hardware. However, it is a key algorithm for testing the limits of **post-quantum cryptography** candidates that rely on abelian group structures.

### **3. Deep Theoretical Dive ðŸ§ **

#### **The Problem Statement**

Given a finite abelian group $G$ (e.g., $\mathbb{Z}_N^*$), a set of $k$ generators $g_1, g_2, \dots, g_k$, and a target element $b$, find the integers $x_1, x_2, \dots, x_k$ such that:
$$g_1^{x_1} g_2^{x_2} \dots g_k^{x_k} \equiv b \pmod N$$

#### **The Classical Approach**

  * **Naive Method**: Brute force search over the $k$-dimensional grid of exponents. Complexity $O(|G|^k)$.
  * **Index Calculus / Meet-in-the-Middle**: These sophisticated algorithms can reduce the complexity, but generally remain exponential or sub-exponential in the size of the group order.

#### **The Quantum Mechanism: The Multidimensional HSP**

This problem is equivalent to the **Hidden Subgroup Problem** over the group $\mathbb{Z}_r^k$ (where $r$ is the order of the group $G$).

1.  **Define the Function**: We construct a function $f: \mathbb{Z}_r^k \to G$. For simplicity, let's solve for the relation between generators ($g_1^{x_1} \dots g_k^{x_k} = 1$).
    $$f(x_1, \dots, x_k) = g_1^{x_1} \dots g_k^{x_k} \pmod N$$
2.  **The Hidden Kernel**: The set of vectors $\vec{x} = (x_1, \dots, x_k)$ such that $f(\vec{x}) = 1$ forms a **lattice** (a subgroup) $K$. Finding a basis for this kernel allows us to solve any congruence equations involving these generators.
3.  **Superposition**: We prepare $k$ input registers, each in a superposition of all integers $0$ to $r-1$.
    $$|\psi_0\rangle = \sum_{x_1, \dots, x_k} |x_1\rangle \dots |x_k\rangle$$
4.  **Oracle**: We compute the function into a target register.
    $$|\psi_1\rangle = \sum_{\vec{x}} |x_1\rangle \dots |x_k\rangle |g_1^{x_1} \dots g_k^{x_k}\rangle$$
5.  **Multidimensional QFT**: We apply the Quantum Fourier Transform to *each* of the $k$ input registers simultaneously.
    $$QFT^{\otimes k} = QFT \otimes QFT \otimes \dots \otimes QFT$$
6.  **Sampling the Dual Lattice**: Measuring the input registers yields a vector $\vec{u} = (u_1, \dots, u_k)$. Because of quantum interference, this vector is guaranteed to be **orthogonal** to the hidden solution vectors $\vec{x}$ in the kernel:
    $$\vec{x} \cdot \vec{u} \equiv 0 \pmod r$$
    $$x_1 u_1 + x_2 u_2 + \dots + x_k u_k \equiv 0 \pmod r$$
7.  **Linear Algebra**: By repeating this process $k$ times, we get a system of linear equations that we can solve classically to find the hidden exponents $x_i$.

### **4. Practical Advantage & Complexity**

  * **Quantum Complexity**: $O(k \cdot \text{poly}(\log N))$. The dependence on the number of variables $k$ is linear (or polynomial), whereas classically it is often exponential in $k$.
  * **Resource Requirements**: Requires $k$ quantum registers of size $\log r$, plus the target register.
  * **Caveats**: Requires knowledge of the group order $r$. If $r$ is unknown, it must be found first using Shorâ€™s algorithm.

-----

### **5. Implementation & Code Walkthrough (Qiskit) ðŸ’»**

We will solve a specific 2-variable congruence:
**Problem**: Find $x, y$ such that $2^x \cdot 3^y \equiv 1 \pmod 5$.

  * **Group**: $\mathbb{Z}_5^* = \{1, 2, 3, 4\}$.
  * **Order**: $r=4$.
  * **Generators**: $g_1 = 2$, $g_2 = 3$.
  * **Goal**: Find a non-trivial relation $(x, y)$ where $2^x 3^y = 1$.

We know classically that $2^2 = 4 \equiv -1$ and $3^2 = 9 \equiv 4 \equiv -1$. Thus $2^2 \cdot 3^2 \equiv (-1)(-1) = 1$. So $(2, 2)$ is a solution. Let's see the quantum computer find the orthogonal constraint.

#### **Step 5.1: Constructing the Multivariable Oracle**

We need a circuit that applies $2^x$ controlled by register 1, and $3^y$ controlled by register 2.

```python
import numpy as np
from qiskit import QuantumCircuit, transpile
from qiskit_aer import AerSimulator
from qiskit.circuit.library import QFT

# Problem Parameters
N = 5
ORDER_R = 4
n_qubits_per_reg = 2 # 2 qubits can hold values 0-3 (Order is 4)

# 1. Define Controlled-Multipliers
# We need U1|z> = |z * 2^x mod 5>
# We need U2|z> = |z * 3^y mod 5>

# Hardcoded permutations for N=5
# Mapping: 1->001, 2->010, 3->011, 4->100 (Using 3 qubits for target to handle value 4)
# Actually, standard binary: 1=001, 2=010, 3=011, 4=100.

def apply_controlled_2_power(qc, ctrl_qubit, target_qubits, power):
    # 2^1 mod 5 = 2. Permutation: 1->2, 2->4, 3->1, 4->3
    # 2^2 mod 5 = 4. Permutation: 1->4, 2->3, 3->2, 4->1
    # 2^3 mod 5 = 3. Permutation: 1->3, 2->1, 3->4, 4->2
    
    val = pow(2, power, 5)
    # In a general solver, we generate the circuit for 'val'.
    # For this small example, we assume the unitary U_val is available.
    # To keep the workbook code runnable and simple, we will simulate the phase effect
    # directly if we were doing QPE, but here we need the actual modular multiply state.
    pass 

# SIMPLIFIED APPROACH FOR DEMO:
# Implementing full modular multiplication for 2 variables on a simulator is circuit-heavy.
# We will demonstrate the Phase Kickback Logic which is the core of the algorithm.
# We assume the target eigenstates |u_s> output eigenphases related to s/r.

# We want to find x,y such that x*u + y*v = 0 mod 4.
# We setup a circuit that encodes the phases for 2^x and 3^y.
```

*Self-Correction for Pedagogical Value*: Implementing the full arithmetic $2^x 3^y \pmod 5$ requires many qubits. Instead, we will implement the **Abstract Core**: finding the hidden linear relation between two registers.
We will simulate an oracle that "kicks back" phases corresponding to the linear relation $2x + 2y \equiv 0 \pmod 4$ (which corresponds to the solution $x=2, y=2$).

#### **Step 5.2: The Hidden Linear Relation Circuit**

We create an oracle that applies a phase of $e^{\frac{2\pi i}{4}(2x + 2y)}$.
If the algorithm works, measuring the output should give us values $u, v$ such that we can reconstruct the relation.

```python
# Setup Registers
# Reg 1: x (2 qubits)
# Reg 2: y (2 qubits)
qc = QuantumCircuit(4, 4)

# 1. Initialize Superposition
for i in range(4):
    qc.h(i)

# 2. Apply "Abstract" Oracle for relation 2x + 2y = 0 mod 4
# We apply a phase shift based on the value of the qubits.
# For bit 0 of x (value 1): Phase += 2 * 1 / 4
# For bit 1 of x (value 2): Phase += 2 * 2 / 4 = 1 (No effect)
# The hidden slope is s1=2, s2=2.

# Apply phases for x register (qubits 0, 1)
# Rotation angle = 2 * pi * (slope * 2^j) / r
# Here slope=2, r=4.
qc.cp(2 * np.pi * (2 * 1) / 4, 0, 1) # This isn't quite right.
# Let's use single qubit Z-rotations (Phase gates) to imprint the function f(x,y).
# But f(x,y) must be kicked back from a target.
# Let's stick to the standard QFT extraction.

# Correct Logic:
# We want to find s such that x.s = 0.
# We imprint phases and use Inverse QFT to find the frequency.

qc = QuantumCircuit(4, 4)
for i in range(4): qc.h(i)

# Encode relation 2x + 2y (mod 4)
# We rotate the relative phases. 
# Qubit 0 (x_0, val 1): angle = 2pi * 2 * 1 / 4 = pi
qc.p(np.pi, 0)
# Qubit 1 (x_1, val 2): angle = 2pi * 2 * 2 / 4 = 2pi = 0
qc.p(0, 1)
# Qubit 2 (y_0, val 1): angle = 2pi * 2 * 1 / 4 = pi
qc.p(np.pi, 2)
# Qubit 3 (y_1, val 2): angle = 2pi * 2 * 2 / 4 = 2pi = 0
qc.p(0, 3)

# 3. Apply Inverse QFT to Register X and Register Y independently
qc.append(QFT(2, inverse=True), [0, 1])
qc.append(QFT(2, inverse=True), [2, 3])

# 4. Measure
qc.measure(range(4), range(4))

print("Abstract Hidden Relation Circuit:")
qc.draw(output='text')
```

#### **Step 5.3: Execution & Linear Algebra**

```python
# Run Simulation
sim = AerSimulator()
t_qc = transpile(qc, sim)
result = sim.run(t_qc, shots=1024).result()
counts = result.get_counts()

print("\nMeasured Outcomes (y, x):")
# We expect to find the values 'u' and 'v' that define the relation
sorted_counts = sorted(counts.items(), key=lambda x: x[1], reverse=True)
for bitstring, count in sorted_counts:
    # Parse output (Qiskit order: y1 y0 x1 x0)
    x_measure = int(bitstring[2:], 2)
    y_measure = int(bitstring[:2], 2)
    
    if count > 50: # Filter noise
        print(f"u={x_measure}, v={y_measure} | Count: {count}")
```

**Interpretation**:

  * You should measure the peak `u=2, v=2`.
  * This corresponds to the relation:
    $$u \cdot x + v \cdot y \equiv 0 \pmod 4$$
    $$2x + 2y \equiv 0 \pmod 4$$
  * This tells us that $x=1, y=-1$ (or $y=3$) is *not* the unique solution, but rather that the exponents are constrained by this linear equation.
  * In the full algorithm, solving these linear equations for multiple runs allows us to reconstruct the exact values of $x$ and $y$ that satisfy $2^x 3^y = 1$. For instance, $x=2, y=2$ works: $2(2) + 2(2) = 8 \equiv 0 \pmod 4$.

-----

**This concludes Algorithm \#8.**
**Shall we proceed to Algorithm \#9: Verifying Matrix Products?**