A Complexity Analysis of Shor's Quantum Factoring Algorithm
Wherry 1John Caleb WherryDr. Jim VandergriffCSCI 4800 - 04A5 May 2011 A Complexity Analysis of Shors Quantum Factoring Algorithm I. Abstract RSA has long been one of the most widely used public key encryption algorithms tosecure information. The privacy provided by this algorithm stems from the fact that no classicalalgorithm is known to factor large numbers in polynomial time. Even “fast” classical factoringalgorithms such as the General Number Field Sieve (GNFS) take exponential time when facedwith the factoring problem. In 1994, Peter Shor of Bell Labs (now at MIT) developed a quantum algorithm that canfactor large numbers exponentially faster than classical algorithms by using a quantum computer.This task is accomplished by reducing factoring to a period finding problem and making use ofthe quantum entanglement and quantum superposition properties of elementary particles to factorsuch numbers. The use of quantum logic gates and the quantum Fourier transform (QFT) yieldthe factorization of the said large numbers in polynomial time when the entanglement andsuperposition properties of quantum bits (qubits) are exploited. Although this algorithm residesin the BQP (“Bounded-error Quantum Polynomial Time”) complexity class, it poses a majorthreat to RSA encryption because it can factor large numbers exponentially faster than classicalalgorithms. We will briefly introduce the ideas of composite and prime numbers along with aclassical algorithm for factoring. The complexity of classically factoring will be examined and
Wherry 2we will cast it in the hierarchy of complexity classes. The main complexity classes we will focuson will be P, NP, BPP, and BQP. The physical process by which a classical computer carries outthese operations will be briefly explained in theoretical terms as a preface to a short introductionto quantum computation and the quantum properties of qubits. This will give us the foundation toexplore how Shor‟s algorithm collapses the classical problem of factoring in NP down to thecomplexity class BQP. II. Preliminaries We start by giving an overview of some basic concepts that the reader will need to knowin order to understand Shor‟s algorithm. Some of these concepts are defined for completenesssince the reader might have slightly different definitions from the author. One of the mostimportant concepts that we need to be comfortable with is that of computational complexitytheory and the complexity classes that spring forth from it. Each of these classes is composed offunctions which represent running times of computations based on either input or space required.We will take our functions as being classed based on their running time. Space requirements willnot be regarded in this formulation of complexity classes. The most archetypical class of thesefunctions is P, polynomial-time. Functions that are contained in this class have a running timethat is polynomial and denoted with Big-Oh notation consisting of only the highest ordered term: We also have need for 3 other important complexity classes: NP, BPP, and BQP. Theclass of NP (Non-Deterministic Polynomial Time) problems is those which have answers thatcan be checked in polynomial time (Arora 42). This class of problems is fundamental in manyfields of science. Many problems are thought to be contained in this class and research is beingdone on trying to decide if we can actually solve problems in this class in polynomial time,
Wherry 3making them P problems. This is the famous “P = NP?” question. The topic we are consideringin this paper is thought to be in NP if working on a classical computer. As a side note manypeople believe that this problem is in the complexity class NP-Complete. This class of problemsis such that if a problem resides in it, a polynomial-time solution to it works for any other NPproblem. The factoring problem is not known or thought to be in NP-Complete although it iscommonly thought to be. The class, in which the factoring problem does reside, BQP (Bounded-Error Quantum Polynomial Time) (Arora 209) is also somewhat ambiguous. We do not as of yetknow the actual bounds of this class which is why in Fig. 2, the bounds are dashed and gothrough both P, NP, and beyond classes. BQP is a very interesting class of problems. We will start off by defining the classicalanalog of this complexity class: BPP (Bounded-Error Probabilistic Polynomial Time). BPP is theclass of problems that can be solved in polynomial time but have a probability of correctness tothem. The usual criteria for this class is that if the problem has a probability greater than equal to of being correct, then it falls into this class. By recalculating the problem multiple times, youcan average the answers or take the majority answer to be the correct result with a certainprobability. This follows straight from the notion of probabilities (Arora 135). The quantumanalog, BQP, works exactly the same. The only difference is that we now allow quantumphenomenon like superposition and entanglement. These properties supposedly give quantumcomputers more power than classical computers. It is interesting to note that we do not yetunderstand exactly the bounds of BQP. We know it contains some problems in NP and P but weare not sure if there are problems that quantum computers can solve that are beyond even NP.The main focus of this paper is to explore how Shor‟s algorithm takes a classical problem like
Wherry 4factoring, which is thought to be in NP, and collapse it to BQP. Below is a Venn-Diagram ofsome of the basic complexity classes and BQP: Figure 1 - http://en.wikipedia.org/wiki/File:BQP_complexity_class_diagram.svg The last topic we need to discuss before continuing to the quantum realm is that ofclassical factoring. Since this paper has to do with quantum factoring, we need to explain thevery basics of classical factoring and a general algorithm for doing so and its complexity. Wefirst define a number to be prime if it has as factors only itself and 1. We also define a number nto be composite if we can decompose it as such: The numbers p and q here are called the factors of N. This is the basis for manyencryption schemes that are on the market these days. Given N, it is exponentially hard to findthe factors of N because the search space of possible answers grows as . Thus adding one bit tothe number doubles the total possible amount of combinations that could compose N. We can beclever and realize that we only want numbers up to but this still does not reduce theexponential nature of the problem (Nielsen 233). The best known algorithm to factor numbersclassical is the General Number Field Sieve (GNFS). The complexity of this algorithm for an M-bit number is exponential. Many people call the complexity sub-exponential but in true
Wherry 5complexity terms, it is still in the class of problems that take exponential time. This is the reasonthat the RSA encryption scheme has at its heart factoring. We want an encryption standard to behard to crack and basing the protocol on factoring is a great way of doing this (Hayward 4). III. Quantum Computing We will briefly introduce the concept of quantum computers and how they are built andwhat they are built out of. The concept of a quantum computer is very simple: we usefundamental particles (electrons, photons, ions, etc) as our bits. The normal bit in a computer iscomposed of around (Hayward 6) electrons (heavily dependant on many parameters, ofcourse)! In a quantum computer, we only use 1 particle for our bit. This allows for an enormousscalability increase for the size of computers. But this is not the only added bonus of usingquantum computers. Fundamental particles have intrinsic properties that are very strange tonormal intuition. These properties are rightly named “quantum weirdness” (Shor 124). Theyinclude both quantum superposition and quantum entanglement. We will briefly describe theseproperties and how we use them to compute. In a classical computer, a bit can either take on a value of 0 or 1. If we have a string ofclassical bits (cbits) 01010101, then that is the only value that string has (neglecting differentparsing styles). However, in a quantum computer, we use quantum bits (qubits). A qubit has theproperty of not only being able to be in 0 or 1, but it can also be in 0 and 1 at the same time. Wecall this property quantum superposition. We present these qubits as vectors in a complex vectorspace called Hilbert Space normalized to 1. These qubits 0 and 1 are represented below in bothDirac-notation and column vector notation:
Wherry 6 These two vectors are our basis vectors. Below is a pictorial representation of the abovevectors in what we call the Bloch Sphere: Figure 2 - Bloch Sphere: http://en.wikipedia.org/wiki/Bloch_sphere We clearly see the two states |0> and |1>, which are orthonormal basis vectors. Just aswith any other orthonormal basis set, we can present linear combinations of these vectors. Thisis, as stated, the superposition principle (Nielson 13). We can represent any arbitrarycombination of these basis vectors in the below Dirac-notation and equally in column vectornotation: Such that . As stated, the Bloch Sphere is normalized which is why we restrain the values of to be normed to 1. This is why the qubits reside on the surface of the sphere of radius 1.Also, from the diagram, we notice the values for the arbitrary state. We can alternatelydefine the arbitrary state to be defined by these angles:
Wherry 7 The normalization can be checked for this state and the basis vectors to meet thenormalization criteria. If further reading is done in quantum computing, this normalizationcriterion is relaxed for mixed quantum states. We are only dealing with pure quantum states thatmeet this criterion so we need not bother with states that are not normalized. This superposition of states is extremely powerful. What this means is that if you have 1qubit, it can be in both 0 and 1 at the same time. So, we do not have just 1 qubit with 1 bit ofinformation, we have 1 qubit that has 2 bits of information! We can also “stitch” together multiple qubits to gain even more computing power. We dothis by entangling the qubits. Take for examples 5 cbits. With 5 cbits, at any one time we have astate that unique and are composed of a combination of 1‟s and 0‟s out of the possiblestates. However, if we turn to 5 qubits and entangle them, we now are in all 32 states at the sametime! This is the power behind quantum computer. We can entangle and superposition qubits tocompute at an exponential rate. However, there is a problem: the measurement problem (Nielsen84). If we measure a quantum state, their original entanglement and superposition are lost and wecollapse the state to the measured value. Thus, we have to be extremely clever in the way wemeasure and use experimental techniques. Once such method used in almost all quantumexperiments is that of interference. Incorrect answers can be made to interfere if we are smartenough to realize the space in which we are dealing. This is why there are very few quantumalgorithms currently because they are so hard to construct and are extremely counterintuitive. Just as with classical computing, quantum computing can be formulated in a circuitmodel. We will not delve into this in this paper but we will use some circuit model concepts inthe following algorithm so it is good to know that this model holds throughout quantumcomputing.
Wherry 8 IV. Shor‟s Quantum Factoring Algorithm Shor‟s quantum factoring algorithm is an extremely interesting and difficult algorithm tograsp. We have to know and understand Number Theory and Quantum Theory extremely well toget a complete view of its power. Here we will step through the process of the algorithm andexamine the complexity of each of its parts. The most difficult step in this process is to explainand understand the quantum Fourier transform (QFT). It is at the heart of the algorithm and iswhy this it is so powerful. The most basic idea behind Shor‟s algorithm is reducing the commonly known factoringproblem to an order-finding problem. We can exploit the structure of the integers we use ascomposite numbers and gain knowledge about their factors through manipulation and analysis ofa number‟s order and period. Most of this process can be done classically. Only a very few partshave to be done on a quantum computer. These few parts, however, are what makes Shor‟salgorithm so strong. We start off with an integer N that we want to factor (which is M bits long). What wewant to do is create a function with certain properties to exploit the structure of this number sowe can factor it. We do this by finding out what the period of this function is. We define anotherinteger x where x < N. x is said to be coprime to N meaning their Greatest Common Divisor(GCD) is 1 with N being the number we are factoring. We also have an integer „a‟ that will be allthe possible integers in a certain range (this will be described in more detail when we introducethe quantum formation of this function). This function is stated below: To factor N, we want to find the period of this function, as stated above. We say afunction is periodic if for some r:
Wherry 9 Finding the period of such a function is exponentially hard because, for each „a‟ we have,the search space increases exponentially for potential values of r. Another way of expressing thisis to say that, since r is the period of the function, it reverts back to the same value after everycycle of the period (Hayward 7). So: , , etc. We can manipulate the above expression using simple algebra into a form that will besuitable to us: If and only if r is even will we continue onto the next step and continue the algorithm(Hayward 10). If the r we have is even we can rewrite this as: From this equation we can directly see that if is not 1, then is aninteger multiple of N. That means that one of the elements of the product must have a nontrivialfactor in common with N (Nielsen 236). From here we can again use the classical EuclideanAlgorithm for GCD and calculate both of the below values: GCD( ,N) GCD( ,N)
Wherry 10 Evaluating these will yield a factor of N, which is exactly what we are looking for!Unfortunately, as stated above, finding r is exponentially hard since we have to guess and checkall of the „a‟ we have above. So, we need a way to find r in polynomial time. The first step in the process of finding this r is to find out if our number N is an actualcomposite, odd number. (These are the types of numbers that are used in RSA and that are ofinterest. All other forms of numbers such as prime, even, or integer power of a prime are of noconcern because they can classical be deconstructed into their factors in an efficient manner.)Once we have found that our number is in the form we need, we have to construct some otherterms that will help when performing this algorithm. We first need to pick an integer q that is apower of two such that: This q will serve as the limits of the quantum register we will construct and be the basisfor when we apply the QFT (Hayward 12). It is of great importance in the overall success of thealgorithm. We shall recall that this algorithm is seeded in BQP, which means there is some errorassociated with each outcome. Since we can efficiently check to see if two numbers multipliedtogether produce N, it is easy and efficient to check any answer Shor‟s algorithm gives us. If theoutcome is wrong, most of the time it is because the q we chose above does not yield the correctanswer. So, we would go back pick another and continue on to the next steps. Our next step is to randomly pick another integer x, which is shown in the above functionf(a). We note from earlier that it has to be coprime to N and less than N. We now have all the classical parts we need. What we want to do now is create aquantum register on our quantum computer. A quantum register is simple a state vector ofentangled qubits. We will want to have two registers for this algorithm and they will both we
Wherry 11represented as |R1> and |R2> (more briefly: |R1,R2>), in Dirac-Notation (Shor 126). R1 willneed to have enough qubits to represent the integer q above. So, we will need q-1 qubits in R1.R2 will need enough qubits to represent the integer N, the number to be factored. So, we willneed N-1 qubits in R2. We now want to initialize these two registers. R1 will be loaded with asuperposition of every integer from 0 to q-1 which we will call the state |a>. Based on N, this isan exponential number of numbers. We will load R2 with all zeroes. All of these operations canbe done by the quantum computer and at most take a linear amount of time to complete. Thestate of out quantum computer at this point in time is: The factor of out front is a normalization constant because quantum states inherentlylive in a 2 dimensional Hilbert space where all state amplitudes (the from the definitionof a qubit) are normed to equal 1 (Nielsen 238-40). Now that we have our initial state register, we need to do some operations! Classically, ifwe wanted to compute the transformation on the first register, it would takeexponential time based on the input a, for every a. With a quantum computer, we only have toapply this transformation once because of the quantum properties of entanglement. What we arein essence doing is applying for the entire state of the register. Once we apply thetransformation to the register, it applies to all the others (Shor 127). So, after we apply thistransformation to R1, we save the result in R2. Our quantum state is now:
Wherry 12 We have now seen our first reduction in computing cost (Shor 129). Classically, wewould have had to use an exponential amount of time to calculate the above transformation butwith out quantum register, we can do it in polynomial time. We will not describe the process forbrevity sake but it takes at most , m being the number of bits N is, operations to do thisprocess based on the way our quantum circuit is setup (Shor 130). The next step is of great importance for Shor‟s algorithm. It has to do with measurementof quantum systems. What we want to do is measure the state if R2. Measurements of a quantumsystem collapse a system to the observed value. So, when we measure R2, we get some value kthat is saved in that register. Also, since R1 and R2 are correlated (entangled), we collapse R1into an equal superposition of states of a denoted a‟. Thus, our system is left in the state: We note that X is now the new vector that the original a values have been collapsed to.So, the above norm is the new normalization factor of the components of this new vector and thevalues denoted a‟. We are no longer dealing with the original a‟s because we collapsed them toa‟ (Hayward 13). We now are going to apply the QFT to the above quantum state. It takes the newlyformed a‟, which are constructed such that a‟ are all the numbers which satisfy ,and “peaks” the values in a‟ which are, with high probability, multiples of (Shor 132). Thisfollows from the normal definition of FT in that it takes a function with an undefined position(i.e. oscillating function) and peaks it around one value that is definite in Fourier space. In ourcase, the QFT peaks around the multiples in Fourier space. So, we apply the QFT to R1 which isrepresented by:
Wherry 13 Which yields a final state: This final state is what is most important to us. As said, what the above QFT does is peakthe values around multiples of (Nielsen 240-45). Classically, computing this transform is not anefficient task. But because of the entanglement properties, we can construct our quantum circuitsuch that we only need , M being the number of bits N is, quantum gates to carry out thecomputation. Thus, so far this is the highest order we have for the algorithm so we are still inpolynomial time (Shor 132-34). Our last step is a one step process. We have to measure R1 and obtain a value we will callM. As before, all of the a‟ are now collapsed to and peaked at multiples of so our measurementwill be one of these values with a very high probability (greater than or equal to ). With thisvalue M, we can estimate r classically with continued fractions. This process is both lengthy anddoes not contribute valuable information in this context to we leave it out for brevity. After wehave calculated the continued fraction, we will have an estimate of r with a very high probabilityof being correct. We can then go back and calculate the GCD‟s mentioned above to findnontrivial factors of N and the given equations (Hayward 17). With a high probability, we will have obtained a nontrivial factor of N. If we did not, wecan rerun the algorithm again with a new q or x. Running the process multiple times in apolynomial setting is still much faster than the classical exponential setting. From the above
Wherry 14analysis, we see that Shor‟s algorithm has a complexity of roughly (Shor 134) with mbeing the number of bits that N is defined on. As opposed to the GNFS, this is quite animprovement. Sometimes the above algorithm will give you the trivial factors of 1 or N so youwill have to rerun the process. But, as we stated, this is of little importance since the algorithm ispolynomial in running time. V. Conclusion We have seen the basics of Shor‟s factoring algorithm and explored its complexity.Shor‟s algorithm takes the factoring problem that is classically thought to be exponentially hardand provides a polynomial-time solution using a quantum computer. Unfortunately, quantumcomputers are extremely expensive to build and can only compute with roughly 5-10 qubits atthe present time. This hinders the amount of work that we can perform on them. One of the maindifficulties currently is we do not have the technology to accurately and precisely controlquantum systems. These systems decohere (lose their entanglement and/or superposition) if theyare allowed to interact with external systems very quickly. Being able to completely control suchclosed quantum systems is both theoretically and experimentally hard so a workable quantumcomputer is a few (maybe more?) years off. Thus, encryption schemes such as RSA have a littlewhile longer before they will be susceptible to quantum attacks based on Shor‟s quantumfactoring algorithm.
Wherry 15 Works CitedArora, Sanjeev; Barak, Boaz. “Computational Complexity: A Modern Approach.” New York: Cambridge University Press. 2009. Print.Hayward, Matthew. “Quantum Computing and Shor‟s Algorithm.” Sydney: Macquarie University Mathematics Department. 2008. Print.Nielsen, Michael A.; Chuang, Isaac L. “Quantum Computation and Quantum Information.” New York: Cambridge University Press. 2000. Print.Shor, Peter W. “Algorithms for Quantum Computation: Discrete Logarithms and Factoring.” Proc. 35th Annual Symposium on Foundations of Computer Science. Ed. Shafi Goldwasser. IEEE Computer Society Press, 1994. 124-136. Print.