- The document discusses Shor's algorithm, which can be used to factor large numbers. - It introduces the quantum Fourier transform (QFT), which forms the core of Shor's algorithm. The QFT transforms the probability amplitudes of a quantum state. - RSA encryption relies on the difficulty of factoring large numbers for its security. However, Shor's algorithm, using a quantum computer, could factorize numbers efficiently and break RSA encryption.

1. AP3421 Fundamentals of Quantum Information
Week 5
Version: 2019/10/04
Shor’s algorithm
Photocredit:ErikLucero
1

2. 2
Class anouncements
● We will plan the optional evening lab tour for the week of Oct. 14-18. Please be
on the lookout for a Doodle signup. To be announced shortly on BrightSpace.
● Graded Quiz #2 back to you today. Please pick up during break or right after class.
We just decided in class that the tour will happen on Wednesday, October 16.

3. 3
Outline of today’s lecture
5
Quantum Fourier Transform
RSA encryption
Shor’s algorithm
H
H
H
H
2
π
4
π
2
π
π
π
π
QFTU
+ optional reading (Mermin’s slides) on BrightSpace3

4. 4
The quantum Fourier transform (QFT)
H
H
H
H
2
π
4
π
2
π
π
π
π
21 1
out in
0 0
1
i lkN N
N
l k
e l k
N
π− −
= =
 
Ψ= Ψ 
 
∑ ∑
21
0
1
i lkN
N
l k
k
e
N
π
α α
−
=
′ = ∑
inΨ outΨ
QFTU
QFT on n qubits:
2n
N =Recall:
Note: this transformation
performs a QFT on the
probability amplitudes
1
in
0
N
k
k
kα
−
=
Ψ =∑ 1
'
out
0
N
k
k
kα
−
=
Ψ =∑

5. 5
The quantum Fourier transform (QFT)
2
1
i lk
N
lkU e
N
π
=
QFT on n qubits:
2 4 6
4 8 12
6 12 18
1 1 1 1 1
1
1
1
1
i i i
N N N
i i i
N N N
i i i
N N NQFT
e e e
e e e
U e e eN
π π π
π π π
π π π
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



 
   
Question: What condition do you need to check to know that this transformation
can be realized by a circuit of gates on a qubit register?
Answer: Unitarity!

6. 6
The quantum Fourier transform
21 1
out in
0 0
1
i lkN N
N
l k
e l k
N
π− −
= =
 
Ψ= Ψ 
 
∑ ∑
21
0
1
i lkN
N
l k
k
e
N
π
α α
−
=
′ = ∑
QFT on n qubits:
2n
N =Recall:
H
H
H
H
4
π
8
π
4
π
2
π
2
π
2
π
inΨ outΨ

7. 7
The swap gate
As the name implies, the SWAP gate
swaps the state between two qubits:
SWAPU ψ ψ ψ ψ′ ′⊗ = ⊗
SWAP
1 0 0 0
0 0 1 0
0 1 0 0
0 0 0 1
U
 
 
 =
 
 
 
in the 2-qubit computational basis
= =
Question: Do you think the SWAP gate can generate entanglement from
a product state?
Answer: No!

8. 8
QFT simple examples
Case N=2:
1 11
1 12
QFTU
 
=  − 
1 1 1 1
1 11
?
1 1 1 14
1 1
QFT
i i
U
i i
 
 + − −
 = =
− − 
 − − + 
Case N=4:
H
H
2
π
H
H
2
π
HH=

9. 9
QFT simple examples
1 0 0 0 1 1 0 0 1 0 0 0 1 0 1 0
0 0 1 0 1 1 0 0 0 1 0 0 0 1 0 11
2 0 1 0 0 0 0 1 1 0 0 1 0 1 0 1 0
0 0 0 1 0 0 1 1 0 0 0 0 1 0 1i
    
    −
    
−    
    − −    

Case N=4:
H
H
2
π
QFTU
1 0 0 0 1 1 0 0 1 0 1 0
0 0 1 0 1 1 0 0 0 1 0 11
2 0 1 0 0 0 0 1 1 1 0 1 0
0 0 0 1 0 0 1 1 0 0i i
   
   −
   =
−   
   − −   
1 0 0 0 1 1 1 1
0 0 1 0 1 1 1 11
2 0 1 0 0 1 1
0 0 0 1 1 1
i i
i i
  
  − −
  =
− −  
  − −  
1 1 1 1
1 11
1 1 1 14
1 1
i i
i i
 
 + − −
 =
− − 
 − − + 

10. 10
The quantum Fourier transform
A quantum circuit is said to be efficient if the number of elementary operations taken to execute it
increases no faster than a polynomial function of the number of qubits n.
QFT requires 1+2+3+4+…+n=n(n+1)/2 gates, so it is O(n2).
Constructing the QFT from another universal set of gates only affects the circuit size by a multiplicative
constant which does not affect the quadratic scaling.
H
H
H
H
4
π
8
π
4
π
2
π
2
π
2
π
inΨ outΨ

11. 11
Context: Public key encryption (nothing to do with quantum)
Diffie & Hellman, late 1970s
( ) ( )e dE M P D P M=
● Xavi publicly announces the encryption method and the public key e.
Holds on super tightly to his private key d.
● Mohammad encrypts his message M, and publicly sends the result P.
● Xavi decrypts using his private key d.
The key point: Anyone can encrypt using the public key,
but only the holder of the private key (Xavi) can decrypt.
confidential message M
Mohammad Xavi
Goal:

12. 12
RSA encryption
Xavi takes 2 prime numbers and computes their product,p q
(Rivest, Shamir and Adleman, 1977)
N pq=
Xavi chooses coprime withe ( )( )1 1p q− −
Xavi announces public key: ,N e
Encryption: ( )( ) mod
e
i iP M N=
Decoding key:
( )( ) mod
d
i iM P N=
( ) ( )( )( )such that mod 1 1 1d de p q− − =
Checking if chosen e is coprime with (p-1)(q-1) is efficient using Euclid’s algorithm O(n3).
Finding the modular inverse of e modulo (p-1)(q-1) as well.
To crack RSA: factor N into its prime factors p and q
How it works:

13. 13
RSA encryption: trivial example
15N =
3, 5p q= =
( 1)( 1) 8p q− − =
Xavi choose e=3, which is indeed co-prime with 8.
M P M
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
0
1
8
12
4
5
6
13
2
9
10
11
3
7
14
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
( ) mode
M N ( ) modd
P N
Notice that this
is a one-to-one
map
Notice that this
is also a one-to-
one map
3e = 3d =
encryption decryption
For this choice of e, d=3 as (3e) mod 8=1.

14. 14
(check )
RSA encryption example (slightly less trivial as N=143)
_ A B C D E F G H I J K L M N O
00000 00001 00010 00011 00100 00101 00110 00111 01000 01001 01010 01011 01100 01101 01110 01111
P Q R S T U V W X Y Z ’ , ; . :
10000 10001 10010 10011 10100 10101 10110 10111 11000 11001 11010 11011 11100 11101 11110 11111
Mohammad uses a simple 5-bit digital alphabet:
M= 01001 01011 00000 01000 01111 10101 00100 00000 10110 00001 01110 00000 00100 00101 11010 00101 00000 00011 10101 10010 10011 10101 10011
Privately, Xavi chooses 11, 13, 17p q e= = =
143, 17N e= =
gcd[ ,( 1)( 1)] 1e p q− − =
2log ( ) 7N =   bits
Mi= 0100101 0110000 0010000 1111101 0100100 0000010 1100000 1011100 0000001 0000101 1101000 1010000 0000111 0101100 1010011 1010110 0110000
37 48 16 125 36 2 96 92 1 5 104 80 7 44 83 86 48
Pi= 137 16 113 60 108 84 57 27 1 135 91 97 50 44 96 125 16
( )
17
mod 143i iP M=
Mohammad wants to send a very private message to Xavi.
and publicly announces
Mohammad divides his message into packets of
and computes
Mohammad publicly sends the encrypted packets to Xavi.

15. 15
RSA decryption example
( )
113
mod 143i iM P=
17 mod 120 1d × = 113d⇒ =( 1)( 1) 120p q− − =
M= Ik houd van deze cursus
Xavi, who knows privately that p=11, q=13 and e=17, calculates d
Xavi receives the packets.
To decrypt the packets, Xavi calculates
M= 01001 01011 00000 01000 01111 10101 00100 00000 10110 00001 01110 00000 00100 00101 11010 00101 00000 00011 10101 10010 10011 10101 10011
Mi= 0100101 0110000 0010000 1111101 0100100 0000010 1100000 1011100 0000001 0000101 1101000 1010000 0000111 0101100 1010011 1010110 0110000
Mi= 37 48 16 125 36 2 96 92 1 5 104 80 7 44 83 86 48
Pi= 137 16 113 60 108 84 57 27 1 135 91 97 50 44 96 125 16
So, what was Mohammad’s message?

16. 16
Some serious stuff.
The very great computational effort required by all known classical factorization
techniques underlies the security of the widely used RSA method. Any computer
that can efficiently find periods would be an enormous threat to the security of
both military and commercial communications. This is why research into the
feasibililty of quantum computers is a matter of considerable interest in the
worlds of war and business.
-N.D. Mermin
RSA is practically safe only because factoring is hard to do.

17. 17
The challenge of factoring large numbers
RSA-704
Van Meter (2006)
RSA-768
From Wikipedia:

18. 18
Some big bucks stood to be made!
•
•
•

19. 19
The period, r, called the order of a modulo N, satisfies
Preliminaries to Shor: Some number theory.
( ) ( )modx
f x a N=
( ) mod 1r
a N =
is a periodic function of integer x, provided a and N are coprime.
r N≤
( )1 mod 0r
a N− =
Note: the following also has nothing to do with quantum mechanics.
(a and N coprime iff gcd(a,N)=1)
Either or is a trivial multiple of N,
Or and are non-trivial factors
( )( )/2 /2
1 1 mod 0r r
a a N + − = 
( )/2
1r
a + ( )/2
1r
a −
( )/2
gcd 1,r
a N+ ( )/2
gcd 1,r
a N−
If r is even:

20. 20
r ar/2-1 ar/2+1 gcd(ar/2-1,N) gcd(ar/2+1,N)
4 3 5 3 5
2 3 5 3 5
4 48 50 3 5
4 63 65 3 5
2 10 12 5 3
4 168 170 3 5
2 13 15 1 15
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 1 2 4 8 1 2 4 8 1 2 4 8 1 2 4
4 1 4 1 4 1 4 1 4 1 4 1 4 1 4 1
7 1 7 4 13 1 7 4 13 1 7 4 13 1 7 4
8 1 8 4 2 1 8 4 2 1 8 4 2 1 8 4
11 1 11 1 11 1 11 1 11 1 11 1 11 1 11 1
13 1 13 4 7 1 13 4 7 1 13 4 7 1 13 4
14 1 14 1 14 1 14 1 14 1 14 1 14 1 14 1
Possible choices of
Breaking RSA encryption: back to trivial example
{ }: 2,4,7,8,11,13,14a
( ) ( ) mod15x
f x a=
a x
15N =
3, 5p q= =
Success!

21. 21
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 1 2 4 8 1 2 4 8 1 2 4 8 1 2 4
4 1 4 1 4 1 4 1 4 1 4 1 4 1 4 1
7 1 7 4 13 1 7 4 13 1 7 4 13 1 7 4
8 1 8 4 2 1 8 4 2 1 8 4 2 1 8 4
11 1 11 1 11 1 11 1 11 1 11 1 11 1 11 1
13 1 13 4 7 1 13 4 7 1 13 4 7 1 13 4
14 1 14 1 14 1 14 1 14 1 14 1 14 1 14 1
Possible choices of
Breaking RSA encryption: back to trivial example
{ }: 2,4,7,8,11,13,14a
( ) ( ) mod15x
f x a=
a x r ar/2-1 ar/2+1 gcd(ar/2-1,N) gcd(ar/2+1,N)
4 3 5 3 5
2 3 5 3 5
4 48 50 3 5
4 63 65 3 5
2 10 12 5 3
4 168 170 3 5
2 13 15 1 15
15N =

22. 22
A slightly less trivial example
5a =143;N =
( ) ( ) modx
f x a N=

23. Coffee break

24. Shor’s quantum algorithm
From Mermin’s paper

25. 25
Shor’s period finding algorithm.
Measure
all t qubits
Measure
all l qubits
( )2
O t
22 log +1 bitst N=   
2log bitsl N=   
( )3
O l
Modular
exponentiation
( )O t
0...0
0...0
ˆZ
ˆZ
t
H ⊗
fU
( )( ) modx
f x a N=
QFT
tm′
1m′
lm
1m
1. initialize 2. superpose 3. evaluate 4. process 5. measure

26. 26
Shor’s period finding algorithm.
0...0
0...0
1
0
1
0
T
x
x
T
−
=
∑
1
0
1
( )mod
T
x
x
x a N
T
−
=
∑
1s.t. ( )mod ....x
lx a N m m
x
=
∑
finalx s
T r
≈
for some integer s
ˆZ
ˆZ
fU
( )( ) modx
f x a N=
QFT
tm′
1m′
lm
1m
finalxt
H ⊗

27. 27
Factoring N=143 with Shor’s
5a =
( ) 53f x =
For bottom-register
measurement result
xα

28. 28
Factoring N=143 with Shor’s
( ) 125f x =
For bottom-register
measurement result
xα
5a =

29. 29
Factoring N=143 with Shor’s
5a =
( ) 86f x =
For bottom-register
measurement result
xα

30. 30
Fourier transform of pulse trains
or mr+
( )
2
'
0
ox r mr
i
T
x
m
e
π
α
+
=
= ∑
2 2
0
oxr xrm
i i
T T
m
e e
π π
=
= ∑
2
22'
0
xrm
i
T
x
m
e
π
α
=
= ∑
Large probability
(constructive interference)
for x such that
is close to an integer.
QFT
xr
T
5a =
xα

31. 31
Simple examples
32, 2T r= =
0fx
T r
=
1fx
T r
=

32. 32
Simple examples
32, 4T r= =
0fx
T r
=
1fx
T r
=
2fx
T r
=
1fx r
T r
−
=

33. 33
Simple examples
32, 6T r= =
0fx
T r
=
2fx
T r
≈
3fx
T r
=
1fx r
T r
−
≈
1fx
T r
≈
4fx
T r
≈

34. 34
Simple examples
64, 6T r= =

35. 35
Simple examples
128, 6T r= =

36. 36
Back to factoring N=143 with Shor’s
( )gcd 9765626, 143 13=
( )gcd 9765624, 143 11=
Online continued fraction calculator:
http://www.maths.surrey.ac.uk/hosted-sites/R.Knott/Fibonacci/cfCALC.html
Discard as
denominator is odd
For top-register
measurement result
xfinal=101
101
estimate of :
2048
finalx
T
Continued fractions: 1/20, 3/61, 4/81, 7/142 …
/2
1 9765626r
a + =Try r=20.
/2
1 9765624r
a − =
SUCCESS!
5a =

37. 37
Back to factoring N=143 with Shor’s
1331
estimate of :
2048
finalx
T
Continued fractions: 1/2, 2/3, 11/17, 13/20…
Try r=2.
Try r=20.
( )/2
gcd 1, {1,1}r
a N± =
( )/2
gcd 1, {13,11}r
a N± =
Discard as
denominator is odd
SUCCESS!
FAIL.
For top-register
measurement result
xfinal=1331
5a =
Online continued fraction calculator:
http://www.maths.surrey.ac.uk/hosted-sites/R.Knott/Fibonacci/cfCALC.html

38. 38
Classical versus quantum factoring
NFS=Number Field Sieve

39. 39
Some wrong statements in the popular literature
From Mermin’s paper

40. 40
Summary points
● Shor’s quantum algorithm finds periods. Period!
● Period finding is non-trivial for functions that look like random
noise within a period.
● The problem of factoring can be reduced to the problem of
finding the period of a function that looks random.
● The QFT for n qubits is built from O(n2) gates, each of which acts
on either one qubit or a pair of qubits. The QFT is efficient but the
classical FFT is not.
● The bottleneck in Shor’s algorithm is the modular exponentiation,
requiring O(n3) gates. Shor’s algorithm is efficient.

41. End of Friday’s lecture