Wherry 1
John Caleb Wherry
Dr. Jim Vandergriff
CSCI 4800 - 04A
5 May 2011
A Complexity Analysis of Shor's Quantum Factoring Algorithm
I. Abstract
RSA has long been one of the most widely used public key encryption algorithms to
secure information. The privacy provided by this algorithm stems from the fact that no classical
algorithm is known to factor large numbers in polynomial time. Even the fastest
known classical factoring algorithms, such as the General Number Field Sieve
(GNFS), take super-polynomial time when faced with the factoring problem.
In 1994, Peter Shor of Bell Labs (now at MIT) developed a quantum algorithm that can
factor large numbers exponentially faster than classical algorithms by using a quantum computer.
This task is accomplished by reducing factoring to a period-finding problem and
exploiting the quantum entanglement and quantum superposition properties of quantum
bits (qubits). Quantum logic gates and the quantum Fourier transform (QFT) then
yield the factorization of such large numbers in polynomial time. Although this algorithm resides
in the BQP (“Bounded-error Quantum Polynomial Time”) complexity class, it poses a major
threat to RSA encryption because it can factor large numbers exponentially faster than classical
algorithms.
We will briefly introduce the ideas of composite and prime numbers along with a
classical algorithm for factoring. The complexity of classical factoring will be examined and
we will cast it in the hierarchy of complexity classes. The main complexity classes we will focus
on will be P, NP, BPP, and BQP. The physical process by which a classical computer carries out
these operations will be briefly explained in theoretical terms as a preface to a short introduction
to quantum computation and the quantum properties of qubits. This will give us the foundation to
explore how Shor's algorithm collapses the classical problem of factoring in NP down to the
complexity class BQP.
II. Preliminaries
We start by giving an overview of some basic concepts that the reader will need to know
in order to understand Shor's algorithm. Some of these concepts are defined for completeness
since the reader might have slightly different definitions from the author. One of the most
important concepts that we need to be comfortable with is that of computational complexity
theory and the complexity classes that spring forth from it. Each of these classes is composed of
functions which represent running times of computations based on either input or space required.
We will take our functions as being classed based on their running time. Space requirements will
not be regarded in this formulation of complexity classes. The archetype of these
classes is P, polynomial time. Functions contained in this class have a running
time that is polynomial in the input size n, denoted in Big-Oh notation by only the
highest-order term: O(n^k) for some constant k.
We also have need for 3 other important complexity classes: NP, BPP, and BQP. The
class of NP (Nondeterministic Polynomial Time) problems consists of those whose
answers can be verified in polynomial time (Arora 42). This class of problems is
fundamental in many
fields of science. Many problems are thought to be contained in this class and research is being
done on trying to decide if we can actually solve problems in this class in polynomial time,
making them P problems. This is the famous “P = NP?” question. The topic we are considering
in this paper is thought to be in NP if working on a classical computer. As a side
note, many people believe that this problem is NP-Complete. That class of problems
is such that a polynomial-time solution to any one of its members yields a
polynomial-time solution to every other NP problem. Factoring, however, is neither
known nor seriously conjectured to be NP-Complete, despite this common belief. The
class in which the factoring problem does reside, BQP (Bounded-Error Quantum
Polynomial Time) (Arora 209), is also somewhat ambiguous. We do not yet know the
actual bounds of this class, which is why in Fig. 1 its boundary is dashed and cuts
through P, NP, and beyond.
BQP is a very interesting class of problems. We will start off by defining the classical
analog of this complexity class: BPP (Bounded-Error Probabilistic Polynomial Time). BPP is the
class of problems that can be solved in polynomial time but have a probability of correctness to
them. The usual criterion for this class is that if the algorithm's answer is
correct with probability at least 2/3, then the problem falls into this class. By
rerunning the computation multiple times and taking the majority answer, the
probability of correctness can be amplified arbitrarily close to 1. This follows
directly from basic probability (Arora 135). The quantum
analog, BQP, works in exactly the same way; the only difference is that we now
allow quantum phenomena like superposition and entanglement. These properties are believed to give quantum
computers more power than classical computers. It is interesting to note that we do not yet
understand exactly the bounds of BQP. We know it contains P and some problems in
NP, but we are not sure whether there are problems that quantum computers can solve
that lie beyond even NP.
The main focus of this paper is to explore how Shor's algorithm takes a classical problem like
factoring, which is thought to be in NP, and collapses it down to BQP. Below is a Venn diagram of
some of the basic complexity classes and BQP:
Figure 1 - http://en.wikipedia.org/wiki/File:BQP_complexity_class_diagram.svg
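The majority-vote amplification described above can be checked with a short calculation. Below is a minimal sketch in Python; the function name and trial counts are illustrative, not taken from the sources.

```python
from math import comb

def majority_correct_prob(p: float, k: int) -> float:
    """Probability that a majority of k independent trials,
    each correct with probability p, gives the right answer."""
    # Sum the binomial tail: we need more than k/2 correct trials.
    return sum(comb(k, i) * p**i * (1 - p)**(k - i)
               for i in range(k // 2 + 1, k + 1))

# A single BPP run is right with probability 2/3; repetition
# drives the error down rapidly.
for k in (1, 11, 51):
    print(k, round(majority_correct_prob(2/3, k), 6))
```

With 51 repetitions the success probability already exceeds 0.99, which is why the exact constant 2/3 in the definition of BPP (and BQP) is unimportant: any probability strictly above 1/2 can be amplified this way.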
The last topic we need to discuss before continuing to the quantum realm is that of
classical factoring. Since this paper has to do with quantum factoring, we need to
explain the very basics of classical factoring, a general algorithm for it, and
that algorithm's complexity. We
first define a number to be prime if its only factors are itself and 1. We define a
number N to be composite if it can be decomposed as

N = p * q.

The numbers p and q here are called the factors of N. This is the basis for many
encryption schemes on the market these days. Given N, it is exponentially hard to
find the factors of N because the search space of possible answers grows as 2^M for
an M-bit number. Thus adding one bit to the number doubles the total number of
combinations that could compose N. We can be clever and realize that we only need
to test candidates up to sqrt(N), but this still does not reduce the
exponential nature of the problem (Nielsen 233). The best known classical factoring
algorithm is the General Number Field Sieve (GNFS); its running time for an M-bit
number is roughly exp(O(M^(1/3) (log M)^(2/3))). Many people call this complexity
sub-exponential, but in true
complexity terms it is still super-polynomial: far too slow for the large numbers
used in practice. This is the reason that the RSA encryption scheme has factoring
at its heart. We want an encryption standard to be hard to crack, and basing the
protocol on the factoring problem is a great way of doing this (Hayward 4).
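The brute-force approach described above, testing candidate divisors up to sqrt(N), can be sketched in a few lines of Python. This is an illustration of the exponential scaling, not any algorithm from the cited sources.

```python
def trial_division(N: int) -> int:
    """Return the smallest nontrivial factor of N, testing
    candidates up to sqrt(N); returns N itself if N is prime."""
    d = 2
    while d * d <= N:
        if N % d == 0:
            return d
        d += 1
    return N

# 15 = 3 * 5. Even with the sqrt(N) cutoff, the loop length
# still doubles with every two extra bits added to N.
print(trial_division(15))   # -> 3
```

For a 2048-bit RSA modulus, sqrt(N) is about 2^1024 candidates, which makes the exponential nature of this search concrete.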
III. Quantum Computing
We will briefly introduce quantum computers, how they are built, and what they are
built from. The underlying concept is very simple: we use fundamental particles
(electrons, photons, ions, etc.) as our bits. A single bit in a conventional
computer is realized by an enormous number of electrons (Hayward 6), heavily
dependent on many parameters, of course! In a quantum computer, we use only one
particle for our bit. This allows for an enormous
scalability increase for the size of computers. But this is not the only added bonus of using
quantum computers. Fundamental particles have intrinsic properties that are very strange to
normal intuition. These properties are rightly named “quantum weirdness” (Shor 124). They
include both quantum superposition and quantum entanglement. We will briefly describe these
properties and how we use them to compute.
In a classical computer, a bit can either take on a value of 0 or 1. If we have a string of
classical bits (cbits) 01010101, then that is the only value that string has (neglecting different
parsing styles). However, in a quantum computer, we use quantum bits (qubits). A qubit has the
property of not only being able to be in 0 or 1, but it can also be in 0 and 1 at the same time. We
call this property quantum superposition. We represent qubits as vectors,
normalized to 1, in a complex vector space called Hilbert space. The qubit states 0
and 1 are written below in both Dirac notation and column vector notation:

|0> = (1, 0)^T,    |1> = (0, 1)^T.
These two vectors are our basis vectors. Below is a pictorial representation of the above
vectors in what we call the Bloch Sphere:
Figure 2 - Bloch Sphere: http://en.wikipedia.org/wiki/Bloch_sphere
We clearly see the two states |0> and |1>, which are orthonormal basis vectors. Just as
with any other orthonormal basis set, we can form linear combinations of these
vectors. This is, as stated, the superposition principle (Nielsen 13). An arbitrary
combination of the basis vectors can be written in Dirac notation, and equally in
column vector notation, as

|psi> = alpha|0> + beta|1> = (alpha, beta)^T,

such that |alpha|^2 + |beta|^2 = 1.
As stated, the Bloch sphere is normalized, which is why we constrain the amplitudes
alpha and beta so that the state has norm 1; the qubits therefore reside on the
surface of a sphere of radius 1. From the diagram we also see the angles theta and
phi for an arbitrary state, which let us define that state equivalently as

|psi> = cos(theta/2)|0> + e^(i*phi) sin(theta/2)|1>.
One can check that this state and the basis vectors both meet the normalization
criterion. In further reading on quantum computing, this criterion is relaxed for
mixed quantum states; we deal only with pure quantum states that satisfy it, so we
need not bother with states that are not normalized.
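The normalization check just described is easy to verify numerically. The sketch below represents the basis kets as NumPy vectors and uses the standard Bloch-angle parameterization cos(theta/2)|0> + e^(i*phi) sin(theta/2)|1>; the function name is ours, not from the sources.

```python
import numpy as np

ket0 = np.array([1, 0], dtype=complex)  # |0>
ket1 = np.array([0, 1], dtype=complex)  # |1>

def bloch_state(theta: float, phi: float) -> np.ndarray:
    """Pure qubit state cos(theta/2)|0> + e^(i*phi) sin(theta/2)|1>."""
    return (np.cos(theta / 2) * ket0
            + np.exp(1j * phi) * np.sin(theta / 2) * ket1)

psi = bloch_state(np.pi / 3, np.pi / 4)
# |alpha|^2 + |beta|^2 = 1 for any choice of theta and phi.
print(np.isclose(np.linalg.norm(psi), 1.0))  # -> True
```

Because cos^2 + sin^2 = 1 identically, every point (theta, phi) on the sphere gives a properly normalized pure state.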
This superposition of states is extremely powerful. It means that a single qubit
can be in 0 and 1 at the same time: instead of 1 bit holding 1 value, we have 1
qubit carrying amplitude information about 2 values simultaneously!
We can also “stitch” together multiple qubits to gain even more computing power. We do
this by entangling the qubits. Take, for example, 5 cbits. With 5 cbits, at any one
time we are in exactly one state, some particular combination of 1's and 0's out of
the 2^5 = 32 possible states. However, if we take 5 qubits and entangle them, we
can be in all 32 states at the same time! This is the power behind quantum
computing. We can entangle and superpose qubits to
compute at an exponential rate. However, there is a problem: the measurement problem (Nielsen
84). If we measure a quantum state, its entanglement and superposition are lost and
the state collapses to the measured value. Thus, we have to be extremely clever in
how we measure, and in the experimental techniques we use. One such method, used in
almost all quantum algorithms, is interference: incorrect answers can be made to
interfere destructively if we understand the space in which we are working. This is
why very few quantum algorithms exist at present; they are hard to construct and
extremely counterintuitive.
Just as with classical computing, quantum computing can be formulated in a circuit
model. We will not delve into this in this paper but we will use some circuit model concepts in
the following algorithm so it is good to know that this model holds throughout quantum
computing.
IV. Shor's Quantum Factoring Algorithm
Shor's quantum factoring algorithm is an extremely interesting and difficult
algorithm to grasp. We have to know and understand number theory and quantum theory
extremely well to get a complete view of its power. Here we will step through the
algorithm and examine the complexity of each of its parts. The most difficult step
is to explain and understand the quantum Fourier transform (QFT). It is at the
heart of the algorithm and is why it is so powerful.
The most basic idea behind Shor's algorithm is reducing the commonly known factoring
problem to an order-finding problem. We can exploit the structure of the integers we use as
composite numbers and gain knowledge about their factors through manipulation and analysis of
a number's order and period. Most of this process can be done classically; only a
few parts have to be done on a quantum computer. These few parts, however, are what
make Shor's algorithm so strong.
We start off with an integer N that we want to factor (which is M bits long). What we
want to do is create a function with certain properties to exploit the structure of this number so
we can factor it. We do this by finding the period of that function. We define
another integer x with x < N that is coprime to N, meaning the Greatest Common
Divisor (GCD) of x and N is 1. We also have an integer a that will range over all
possible integers in a certain interval (described in more detail when we introduce
the quantum formulation). The function is:

f(a) = x^a mod N.

To factor N, we want to find the period of this function. We say a function is
periodic with period r if, for all a,

f(a) = f(a + r).
Finding the period of such a function is exponentially hard classically because,
for each a we try, the search space of potential values of r grows exponentially.
Another way of expressing this is to say that, since r is the period of the
function, f reverts to the same value after every cycle of the period (Hayward 7).
So:

f(a) = f(a + r) = f(a + 2r), etc.

We can manipulate this expression with simple algebra into a form that will be
useful to us. From x^a = x^(a+r) (mod N) it follows that

x^r = 1 (mod N).

If and only if r is even will we continue on to the next step of the algorithm
(Hayward 10). If the r we have is even, we can rewrite this as

(x^(r/2) - 1)(x^(r/2) + 1) = 0 (mod N).

From this equation we see directly that (x^(r/2) - 1)(x^(r/2) + 1) is an integer
multiple of N, so as long as x^(r/2) mod N is not 1 or N - 1, one of the elements
of the product must have a nontrivial factor in common with N (Nielsen 236). From
here we can use the classical Euclidean Algorithm for the GCD and calculate both of
the values below:

GCD(x^(r/2) - 1, N)
GCD(x^(r/2) + 1, N)
Evaluating these will yield a factor of N, which is exactly what we are looking for!
Unfortunately, as stated above, finding r is exponentially hard, since we would
have to guess and check all of the values of a above. So, we need a way to find r
in polynomial time.
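The classical reduction just described can be checked end to end on a toy number. The sketch below finds r by brute force, the very step whose cost the quantum part of Shor's algorithm removes; the function names are ours, chosen for illustration.

```python
from math import gcd

def order(x: int, N: int) -> int:
    """Smallest r > 0 with x^r = 1 (mod N). Brute force:
    exponential in the bit length of N."""
    r, y = 1, x % N
    while y != 1:
        y = (y * x) % N
        r += 1
    return r

def factor_from_order(x: int, N: int):
    """Apply the reduction: if r is even and x^(r/2) != -1 (mod N),
    the two GCDs yield nontrivial factors of N."""
    r = order(x, N)
    if r % 2 != 0:
        return None          # odd period: pick another x
    y = pow(x, r // 2, N)
    if y == N - 1:
        return None          # trivial case x^(r/2) = -1 (mod N)
    return gcd(y - 1, N), gcd(y + 1, N)

# N = 15, x = 7: the order of 7 mod 15 is 4, and the GCDs
# recover the factors 3 and 5.
print(factor_from_order(7, 15))  # -> (3, 5)
```

Everything here except the call to order() runs in polynomial time; order() is exactly the subroutine the quantum computer will replace.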
The first step in the process of finding this r is to find out if our number N is an actual
composite, odd number. (These are the types of numbers used in RSA and that are of
interest; all other forms of numbers, such as primes, even numbers, or integer
powers of a prime, are of no concern because they can be classically deconstructed
into their factors in an efficient manner.) Once we have found that our number is
in the form we need, we construct some other terms that will help when performing
the algorithm. We first need to pick an integer q that is a power of two such that

N^2 <= q < 2N^2.
This q will serve as the size of the quantum register we construct and as the basis
for the QFT we apply later (Hayward 12). It is of great importance to the overall
success of the algorithm. Recall that this algorithm resides in BQP, which means
there is some error associated with each outcome. Since we can efficiently check
whether two numbers multiplied together produce N, it is easy and efficient to
check any answer Shor's algorithm gives us. If the outcome is wrong, most of the
time it is because the q we chose does not yield the correct answer; so we go back,
pick another q, and continue on to the next steps.
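Choosing q is itself a trivial classical computation: we take the smallest power of two satisfying the bound N^2 <= q < 2N^2. A minimal sketch, with an illustrative function name:

```python
def choose_q(N: int) -> int:
    """Smallest power of two q with N^2 <= q < 2*N^2.
    Such a q always exists: doubling from below N^2 lands
    in the half-open interval [N^2, 2*N^2)."""
    q = 1
    while q < N * N:
        q *= 2
    return q

# For N = 15: N^2 = 225, so q = 256 (and 256 < 450).
print(choose_q(15))  # -> 256
```

The loop runs about 2*log2(N) times, so this step is comfortably polynomial.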
Our next step is to randomly pick another integer x, which is shown in the above function
f(a). We note from earlier that it has to be coprime to N and less than N.
We now have all the classical parts we need. What we want to do next is create a
quantum register on our quantum computer. A quantum register is simply a state
vector of entangled qubits. We will want two registers for this algorithm, which
will both be
represented as |R1> and |R2> (more briefly, |R1, R2>) in Dirac notation (Shor 126).
R1 needs enough qubits to represent every integer from 0 to q - 1, so R1 requires
log2(q) qubits. R2 needs enough qubits to represent integers up to N, the number to
be factored, so R2 requires log2(N) qubits (rounded up). We now initialize these
two registers: R1 is loaded with a superposition of every integer a from 0 to
q - 1, which we will call the state |a> (based on N, this is an exponential number
of values), and R2 is loaded with all zeroes. All of these operations can be done
by the quantum computer in at most a linear amount of time. The state of our
quantum computer at this point is:

|psi> = (1/sqrt(q)) * sum over a = 0 to q-1 of |a, 0>.

The factor of 1/sqrt(q) out front is a normalization constant, because the
amplitudes of a quantum state (the alpha and beta from the definition of a qubit)
must have squared magnitudes summing to 1 (Nielsen 238-40).
Now that we have our initial state register, we need to do some operations!
Classically, if we wanted to compute the transformation x^a mod N on the first
register, it would take exponential time, for every a. With a quantum computer, we
only have to apply this transformation once, because of the quantum property of
entanglement: what we are in essence doing is applying f(a) = x^a mod N to the
entire superposition in the register at once (Shor 127). So, after we apply this
transformation to R1, we save the result in R2. Our quantum state is now:

|psi> = (1/sqrt(q)) * sum over a = 0 to q-1 of |a, x^a mod N>.
We have now seen our first reduction in computing cost (Shor 129). Classically, we
would have had to use an exponential amount of time to calculate the above
transformation, but with our quantum register we can do it in polynomial time. We
will not describe the process, for brevity's sake, but it takes at most O(m^3)
operations, m being the number of bits in N, based on the way our quantum circuit
is set up (Shor 130).
The next step is of great importance for Shor's algorithm. It has to do with
measurement of quantum systems. We now measure the state of R2. Measurements of a
quantum system collapse it to the observed value, so when we measure R2 we get some
value k saved in that register. Also, since R1 and R2 are correlated (entangled),
R1 collapses into an equal superposition of those values of a, denoted a', that are
consistent with k. Thus, our system is left in the state:

|psi> = (1/sqrt(|X|)) * sum over a' in X of |a', k>,

where X is the set of values a' to which the original values a have collapsed, that
is, X = {a' : x^a' mod N = k}. The factor 1/sqrt(|X|) is the new normalization
constant for the components of this collapsed state. We are no longer dealing with
the original values a because we collapsed them to a' (Hayward 13).
We are now going to apply the QFT to the above quantum state. It takes the newly
formed values a', which satisfy x^a' mod N = k, and "peaks" the amplitude at values
which are, with high probability, multiples of q/r (Shor 132). This follows from
the usual behavior of the Fourier transform: it takes a function spread over many
positions (i.e., an oscillating function) and peaks it around definite values in
Fourier space. In our case, the QFT peaks around the multiples of q/r. So, we apply
to R1 the QFT, which acts on each basis state as:

QFT|a'> = (1/sqrt(q)) * sum over c = 0 to q-1 of e^(2*pi*i*a'*c/q) |c>.
Applying it yields the final state:

|psi> = (1/sqrt(|X| * q)) * sum over a' in X and c = 0 to q-1 of
        e^(2*pi*i*a'*c/q) |c, k>.

This final state is what is most important to us. As said, what the QFT does is
peak the amplitude at values around multiples of q/r (Nielsen 240-45). Classically,
computing this transform is not an efficient task, but because of the entanglement
properties we can construct our quantum circuit so that only O(M^2) quantum gates
are needed, M being the number of bits in N. Thus every step so far is polynomial,
and we remain in polynomial time (Shor 132-34).
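The peaking behavior can be simulated classically on a toy instance, at exponential cost, which is exactly why the quantum circuit is needed for large N. The sketch below builds the collapsed R1 amplitudes for N = 15, x = 7 (order r = 4), applies the QFT as a dense DFT matrix, and checks where the probability concentrates; the variable names and the choice k = 7 are illustrative.

```python
import numpy as np

N, x, q, r = 15, 7, 256, 4     # toy case: the order of 7 mod 15 is 4
k = 7                          # suppose measuring R2 gave k = 7

# R1 collapses to the a' with x^a' mod N == k (here a' = 1, 5, 9, ...).
amps = np.array([1.0 if pow(x, a, N) == k else 0.0 for a in range(q)])
amps /= np.linalg.norm(amps)

# Apply the QFT -- here just a dense q x q DFT matrix, which is
# exponentially large in the bit length of N.
c = np.arange(q)
qft = np.exp(2j * np.pi * np.outer(c, c) / q) / np.sqrt(q)
probs = np.abs(qft @ amps) ** 2

# Probability concentrates on multiples of q/r = 64.
peaks = sorted(int(i) for i in np.argsort(probs)[-4:])
print(peaks)  # -> [0, 64, 128, 192]
```

Because r divides q exactly in this toy case, the interference is perfect and all other outcomes have essentially zero probability; for general r the peaks are merely sharp rather than exact.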
Our last step is a one-step process: we measure R1 and obtain a value we will call
M. As before, the amplitudes are now peaked at multiples of q/r, so with very high
probability our measurement will be close to one of these multiples. With this
value M, we can estimate r classically with continued fractions. That process is
lengthy and does not contribute valuable information in this context, so we leave
it out for brevity. After we have calculated the continued fraction expansion, we
will have an estimate of r with a very high probability of being correct. We can
then go back and calculate the GCDs mentioned above, via the given equations, to
find nontrivial factors of N (Hayward 17).
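The continued-fraction step can be sketched with Python's standard library: since M/q is close to d/r for some integer d with r < N, the best rational approximation with a small denominator recovers a candidate for r. Using Fraction.limit_denominator here is our stand-in for the full continued-fraction procedure in the sources.

```python
from fractions import Fraction

def estimate_r(M: int, q: int, N: int) -> int:
    """Estimate the period r from a measurement M of R1:
    M/q is close to d/r for some d, with r < N, so the best
    rational approximation's denominator is a candidate for r."""
    return Fraction(M, q).limit_denominator(N - 1).denominator

# Toy case N = 15, q = 256: a measurement of M = 192 (= 3 * q/4)
# gives M/q = 3/4, whose denominator is the period r = 4.
print(estimate_r(192, 256, 15))  # -> 4
```

Note that if M and q share a factor (e.g., M = 128 gives 1/2), the recovered denominator is only a divisor of r; in that case, as with an odd r, the algorithm is simply rerun.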
With high probability, we will have obtained a nontrivial factor of N. If we did
not, we can rerun the algorithm with a new q or x. Running a polynomial-time
process a few extra times is still much faster than the classical exponential
approach. From the above
analysis, we see that Shor's algorithm has a complexity of roughly O(m^3) (Shor
134), with m being the number of bits needed to represent N. Compared with the
GNFS, this is quite an improvement. Sometimes the above algorithm will give the
trivial factors 1 or N, in which case we rerun the process; but, as we stated, this
is of little consequence since the algorithm runs in polynomial time.
V. Conclusion
We have seen the basics of Shor's factoring algorithm and explored its complexity.
Shor's algorithm takes the factoring problem, classically thought to be
exponentially hard, and provides a polynomial-time solution using a quantum
computer. Unfortunately, quantum computers are extremely expensive to build and can
only compute with roughly 5-10 qubits at the present time, which limits the amount
of work we can perform on them. One of the main difficulties currently is that we
do not have the technology to accurately and precisely control quantum systems:
they decohere (lose their entanglement and/or superposition) very quickly if they
are allowed to interact with external systems. Completely controlling such closed
quantum systems is both theoretically and experimentally hard, so a workable
quantum computer is a few (maybe more?) years off. Thus, encryption schemes such as
RSA have a little while longer before they will be susceptible to quantum attacks
based on Shor's quantum factoring algorithm.
Works Cited
Arora, Sanjeev; Barak, Boaz. “Computational Complexity: A Modern Approach.” New York:
Cambridge University Press. 2009. Print.
Hayward, Matthew. "Quantum Computing and Shor's Algorithm." Sydney: Macquarie
University Mathematics Department. 2008. Print.
Nielsen, Michael A.; Chuang, Isaac L. “Quantum Computation and Quantum Information.” New
York: Cambridge University Press. 2000. Print.
Shor, Peter W. "Algorithms for Quantum Computation: Discrete Logarithms and
Factoring." Proc. 35th Annual Symposium on Foundations of Computer Science. Ed.
Shafi Goldwasser. IEEE Computer Society Press, 1994. 124-136. Print.