Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
quantum-kittens
GitHub Repository: quantum-kittens/platypus
 Path: blob/main/notebooks/ch-algorithms/shor.ipynb
3855 views
Kernel: Python 3

Shor's Algorithm

Shor’s algorithm is famous for factoring integers in polynomial time. Since the best-known classical algorithm requires superpolynomial time to factor the product of two primes, the widely used cryptosystem, RSA, relies on factoring being impossible for large enough integers.

In this chapter we will focus on the quantum part of Shor’s algorithm, which actually solves the problem of period finding. Since a factoring problem can be turned into a period finding problem in polynomial time, an efficient period finding algorithm can be used to factor integers efficiently too. For now its enough to show that if we can compute the period of axmodNa^x\bmod N efficiently, then we can also efficiently factor. Since period finding is a worthy problem in its own right, we will first solve this, then discuss how this can be used to factor in section 5.

import matplotlib.pyplot as plt
import numpy as np
from qiskit import QuantumCircuit, Aer, transpile, assemble
from qiskit.visualization import plot_histogram
from math import gcd
from numpy.random import randint
import pandas as pd
from fractions import Fraction

1. The Problem: Period Finding

Let’s look at the periodic function:

f(x)=axmodNf(x) = a^x \bmod{N}
Reminder: Modulo & Modular Arithmetic (Click here to expand)

The modulo operation (abbreviated to 'mod') simply means to find the remainder when dividing one number by another. For example:

17mod5=217 \bmod 5 = 2

Since 17÷5=317 \div 5 = 3 with remainder 22. (i.e. 17=(3×5)+217 = (3\times 5) + 2). In Python, the modulo operation is denoted through the % symbol.

This behaviour is used in modular arithmetic, where numbers 'wrap round' after reaching a certain value (the modulus). Using modular arithmetic, we could write:

17=2(mod5)17 = 2 \pmod 5

Note that here the (mod5)\pmod 5 applies to the entire equation (since it is in parenthesis), unlike the equation above where it only applied to the left-hand side of the equation.

where aa and NN are positive integers, aa is less than NN, and they have no common factors. The period, or order (rr), is the smallest (non-zero) integer such that:

armodN=1a^r \bmod N = 1

We can see an example of this function plotted on the graph below. Note that the lines between points are to help see the periodicity and do not represent the intermediate values between the x-markers.

N = 35
a = 3

# Calculate the plotting data
xvals = np.arange(35)
yvals = [np.mod(a**x, N) for x in xvals]

# Use matplotlib to display it nicely
fig, ax = plt.subplots()
ax.plot(xvals, yvals, linewidth=1, linestyle='dotted', marker='x')
ax.set(xlabel='$x$', ylabel='$%i^x$ mod $%i$' % (a, N),
       title="Example of Periodic Function in Shor's Algorithm")
try: # plot r on the graph
    r = yvals[1:].index(1) +1 
    plt.annotate('', xy=(0,1), xytext=(r,1), arrowprops=dict(arrowstyle='<->'))
    plt.annotate('$r=%i$' % r, xy=(r/3,1.5))
except ValueError:
    print('Could not find period, check a < N and have no common factors.')
Image in a Jupyter notebook

2. The Solution

Shor’s solution was to use quantum phase estimation on the unitary operator:

UyaymodNU|y\rangle \equiv |ay \bmod N \rangle

To see how this is helpful, let’s work out what an eigenstate of U might look like. If we started in the state 1|1\rangle, we can see that each successive application of U will multiply the state of our register by a(modN)a \pmod N, and after rr applications we will arrive at the state 1|1\rangle again. For example with a=3a = 3 and N=35N = 35:

U1=3U21=9U31=27U(r1)1=12Ur1=1\begin{aligned} U|1\rangle &= |3\rangle & \\ U^2|1\rangle &= |9\rangle \\ U^3|1\rangle &= |27\rangle \\ & \vdots \\ U^{(r-1)}|1\rangle &= |12\rangle \\ U^r|1\rangle &= |1\rangle \end{aligned}
ax.set(xlabel='Number of applications of U', ylabel='End state of register',
       title="Effect of Successive Applications of U")
fig
Image in a Jupyter notebook

So a superposition of the states in this cycle (u0|u_0\rangle) would be an eigenstate of UU:

u0=1rk=0r1akmodN|u_0\rangle = \tfrac{1}{\sqrt{r}}\sum_{k=0}^{r-1}{|a^k \bmod N\rangle}
Click to Expand: Example with $a = 3$ and $N=35$u0=112(1+3+9+4+12)$10pt]Uu0=112(U1+U3+U9+U4+U12)$10pt]=112(3+9+27+12+1)$10pt]=u0\begin{aligned} |u_0\rangle &= \tfrac{1}{\sqrt{12}}(|1\rangle + |3\rangle + |9\rangle \dots + |4\rangle + |12\rangle) $10pt] U|u_0\rangle &= \tfrac{1}{\sqrt{12}}(U|1\rangle + U|3\rangle + U|9\rangle \dots + U|4\rangle + U|12\rangle) $10pt] &= \tfrac{1}{\sqrt{12}}(|3\rangle + |9\rangle + |27\rangle \dots + |12\rangle + |1\rangle) $10pt] &= |u_0\rangle \end{aligned}

This eigenstate has an eigenvalue of 1, which isn’t very interesting. A more interesting eigenstate could be one in which the phase is different for each of these computational basis states. Specifically, let’s look at the case in which the phase of the kkth state is proportional to kk:

u1=1rk=0r1e2πikrakmodN$10pt]Uu1=e2πiru1\begin{aligned} |u_1\rangle &= \tfrac{1}{\sqrt{r}}\sum_{k=0}^{r-1}{e^{-\tfrac{2\pi i k}{r}}|a^k \bmod N\rangle}$10pt] U|u_1\rangle &= e^{\tfrac{2\pi i}{r}}|u_1\rangle \end{aligned}
Click to Expand: Example with $a = 3$ and $N=35$u1=112(1+e2πi123+e4πi129+e20πi124+e22πi1212)$10pt]Uu1=112(3+e2πi129+e4πi1227+e20πi1212+e22πi121)$10pt]Uu1=e2πi12112(e2πi123+e4πi129+e6πi1227+e22πi1212+e24πi121)$10pt]Uu1=e2πi12u1\begin{aligned} |u_1\rangle &= \tfrac{1}{\sqrt{12}}(|1\rangle + e^{-\tfrac{2\pi i}{12}}|3\rangle + e^{-\tfrac{4\pi i}{12}}|9\rangle \dots + e^{-\tfrac{20\pi i}{12}}|4\rangle + e^{-\tfrac{22\pi i}{12}}|12\rangle) $10pt] U|u_1\rangle &= \tfrac{1}{\sqrt{12}}(|3\rangle + e^{-\tfrac{2\pi i}{12}}|9\rangle + e^{-\tfrac{4\pi i}{12}}|27\rangle \dots + e^{-\tfrac{20\pi i}{12}}|12\rangle + e^{-\tfrac{22\pi i}{12}}|1\rangle) $10pt] U|u_1\rangle &= e^{\tfrac{2\pi i}{12}}\cdot\tfrac{1}{\sqrt{12}}(e^{\tfrac{-2\pi i}{12}}|3\rangle + e^{-\tfrac{4\pi i}{12}}|9\rangle + e^{-\tfrac{6\pi i}{12}}|27\rangle \dots + e^{-\tfrac{22\pi i}{12}}|12\rangle + e^{-\tfrac{24\pi i}{12}}|1\rangle) $10pt] U|u_1\rangle &= e^{\tfrac{2\pi i}{12}}|u_1\rangle \end{aligned}

(We can see r=12r = 12 appears in the denominator of the phase.)

This is a particularly interesting eigenvalue as it contains rr. In fact, rr has to be included to make sure the phase differences between the rr computational basis states are equal. This is not the only eigenstate with this behaviour; to generalise this further, we can multiply an integer, ss, to this phase difference, which will show up in our eigenvalue:

us=1rk=0r1e2πiskrakmodN$10pt]Uus=e2πisrus\begin{aligned} |u_s\rangle &= \tfrac{1}{\sqrt{r}}\sum_{k=0}^{r-1}{e^{-\tfrac{2\pi i s k}{r}}|a^k \bmod N\rangle}$10pt] U|u_s\rangle &= e^{\tfrac{2\pi i s}{r}}|u_s\rangle \end{aligned}
Click to Expand: Example with $a = 3$ and $N=35$us=112(1+e2πis123+e4πis129+e20πis124+e22πis1212)$10pt]Uus=112(3+e2πis129+e4πis1227+e20πis1212+e22πis121)$10pt]Uus=e2πis12112(e2πis123+e4πis129+e6πis1227+e22πis1212+e24πis121)$10pt]Uus=e2πis12us\begin{aligned} |u_s\rangle &= \tfrac{1}{\sqrt{12}}(|1\rangle + e^{-\tfrac{2\pi i s}{12}}|3\rangle + e^{-\tfrac{4\pi i s}{12}}|9\rangle \dots + e^{-\tfrac{20\pi i s}{12}}|4\rangle + e^{-\tfrac{22\pi i s}{12}}|12\rangle) $10pt] U|u_s\rangle &= \tfrac{1}{\sqrt{12}}(|3\rangle + e^{-\tfrac{2\pi i s}{12}}|9\rangle + e^{-\tfrac{4\pi i s}{12}}|27\rangle \dots + e^{-\tfrac{20\pi i s}{12}}|12\rangle + e^{-\tfrac{22\pi i s}{12}}|1\rangle) $10pt] U|u_s\rangle &= e^{\tfrac{2\pi i s}{12}}\cdot\tfrac{1}{\sqrt{12}}(e^{-\tfrac{2\pi i s}{12}}|3\rangle + e^{-\tfrac{4\pi i s}{12}}|9\rangle + e^{-\tfrac{6\pi i s}{12}}|27\rangle \dots + e^{-\tfrac{22\pi i s}{12}}|12\rangle + e^{-\tfrac{24\pi i s}{12}}|1\rangle) $10pt] U|u_s\rangle &= e^{\tfrac{2\pi i s}{12}}|u_s\rangle \end{aligned}

We now have a unique eigenstate for each integer value of ss where 0sr1.0 \leq s \leq r-1. Very conveniently, if we sum up all these eigenstates, the different phases cancel out all computational basis states except 1|1\rangle:

1rs=0r1us=1\tfrac{1}{\sqrt{r}}\sum_{s=0}^{r-1} |u_s\rangle = |1\rangle
Click to Expand: Example with $a = 7$ and $N=15$

For this, we will look at a smaller example where a=7a = 7 and N=15N=15. In this case r=4r=4:

12(u0=12(1e2πi12+7e12πi12+4e12πi12+13)$10pt]+u1=12(1+e2πi47+e14πi44+e16πi413)$10pt]+u2=12(1+e4πi47+e18πi44+e12πi413)$10pt]+u3=12(1+e6πi47+e12πi44+e18πi413))=1$10pt]\begin{aligned} \tfrac{1}{2}(\quad|u_0\rangle &= \tfrac{1}{2}(|1\rangle \hphantom{e^{-\tfrac{2\pi i}{12}}}+ |7\rangle \hphantom{e^{-\tfrac{12\pi i}{12}}} + |4\rangle \hphantom{e^{-\tfrac{12\pi i}{12}}} + |13\rangle)\dots $10pt] + |u_1\rangle &= \tfrac{1}{2}(|1\rangle + e^{-\tfrac{2\pi i}{4}}|7\rangle + e^{-\tfrac{\hphantom{1}4\pi i}{4}}|4\rangle + e^{-\tfrac{\hphantom{1}6\pi i}{4}}|13\rangle)\dots $10pt] + |u_2\rangle &= \tfrac{1}{2}(|1\rangle + e^{-\tfrac{4\pi i}{4}}|7\rangle + e^{-\tfrac{\hphantom{1}8\pi i}{4}}|4\rangle + e^{-\tfrac{12\pi i}{4}}|13\rangle)\dots $10pt] + |u_3\rangle &= \tfrac{1}{2}(|1\rangle + e^{-\tfrac{6\pi i}{4}}|7\rangle + e^{-\tfrac{12\pi i}{4}}|4\rangle + e^{-\tfrac{18\pi i}{4}}|13\rangle)\quad) = |1\rangle $10pt] \end{aligned}

Since the computational basis state 1|1\rangle is a superposition of these eigenstates, which means if we do QPE on UU using the state 1|1\rangle, we will measure a phase:

ϕ=sr\phi = \frac{s}{r}

Where ss is a random integer between 00 and r1r-1. We finally use the continued fractions algorithm on ϕ\phi to find rr. The circuit diagram looks like this (note that this diagram uses Qiskit's qubit ordering convention):

We will next demonstrate Shor’s algorithm using Qiskit’s simulators. For this demonstration we will provide the circuits for UU without explanation, but in section 4 we will discuss how circuits for U2jU^{2^j} can be constructed efficiently.

3. Qiskit Implementation

In this example we will solve the period finding problem for a=7a=7 and N=15N=15. We provide the circuits for UU where:

Uy=aymod15U|y\rangle = |ay\bmod 15\rangle

without explanation. To create UxU^x, we will simply repeat the circuit xx times. In the next section we will discuss a general method for creating these circuits efficiently. The function c_amod15 returns the controlled-U gate for a, repeated power times.

def c_amod15(a, power):
    """Controlled multiplication by a mod 15"""
    if a not in [2,4,7,8,11,13]:
        raise ValueError("'a' must be 2,4,7,8,11 or 13")
    U = QuantumCircuit(4)        
    for iteration in range(power):
        if a in [2,13]:
            U.swap(0,1)
            U.swap(1,2)
            U.swap(2,3)
        if a in [7,8]:
            U.swap(2,3)
            U.swap(1,2)
            U.swap(0,1)
        if a in [4, 11]:
            U.swap(1,3)
            U.swap(0,2)
        if a in [7,11,13]:
            for q in range(4):
                U.x(q)
    U = U.to_gate()
    U.name = "%i^%i mod 15" % (a, power)
    c_U = U.control()
    return c_U

We will use 8 counting qubits:

# Specify variables
n_count = 8  # number of counting qubits
a = 7

We also import the circuit for the QFT (you can read more about the QFT in the quantum Fourier transform chapter):

def qft_dagger(n):
    """n-qubit QFTdagger the first n qubits in circ"""
    qc = QuantumCircuit(n)
    # Don't forget the Swaps!
    for qubit in range(n//2):
        qc.swap(qubit, n-qubit-1)
    for j in range(n):
        for m in range(j):
            qc.cp(-np.pi/float(2**(j-m)), m, j)
        qc.h(j)
    qc.name = "QFT†"
    return qc

With these building blocks we can easily construct the circuit for Shor's algorithm:

# Create QuantumCircuit with n_count counting qubits
# plus 4 qubits for U to act on
qc = QuantumCircuit(n_count + 4, n_count)

# Initialize counting qubits
# in state |+>
for q in range(n_count):
    qc.h(q)
    
# And auxiliary register in state |1>
qc.x(3+n_count)

# Do controlled-U operations
for q in range(n_count):
    qc.append(c_amod15(a, 2**q), 
             [q] + [i+n_count for i in range(4)])

# Do inverse-QFT
qc.append(qft_dagger(n_count), range(n_count))

# Measure circuit
qc.measure(range(n_count), range(n_count))
qc.draw(fold=-1)  # -1 means 'do not fold'
Image in a Jupyter notebook

Let's see what results we measure:

aer_sim = Aer.get_backend('aer_simulator')
t_qc = transpile(qc, aer_sim)
results = aer_sim.run(t_qc).result()
counts = results.get_counts()
plot_histogram(counts)
Image in a Jupyter notebook

Since we have 8 qubits, these results correspond to measured phases of:

rows, measured_phases = [], []
for output in counts:
    decimal = int(output, 2)  # Convert (base 2) string to decimal
    phase = decimal/(2**n_count)  # Find corresponding eigenvalue
    measured_phases.append(phase)
    # Add these values to the rows in our table:
    rows.append([f"{output}(bin) = {decimal:>3}(dec)", 
                 f"{decimal}/{2**n_count} = {phase:.2f}"])
# Print the rows in a table
headers=["Register Output", "Phase"]
df = pd.DataFrame(rows, columns=headers)
print(df)
Register Output Phase 0 00000000(bin) = 0(dec) 0/256 = 0.00 1 11000000(bin) = 192(dec) 192/256 = 0.75 2 01000000(bin) = 64(dec) 64/256 = 0.25 3 10000000(bin) = 128(dec) 128/256 = 0.50

We can now use the continued fractions algorithm to attempt to find ss and rr. Python has this functionality built in: We can use the fractions module to turn a float into a Fraction object, for example:

Fraction(0.666)
Fraction(5998794703657501, 9007199254740992)

Because this gives fractions that return the result exactly (in this case, 0.6660000...), this can give gnarly results like the one above. We can use the .limit_denominator() method to get the fraction that most closely resembles our float, with denominator below a certain value:

# Get fraction that most closely resembles 0.666
# with denominator < 15
Fraction(0.666).limit_denominator(15)
Fraction(2, 3)

Much nicer! The order (r) must be less than N, so we will set the maximum denominator to be 15:

rows = []
for phase in measured_phases:
    frac = Fraction(phase).limit_denominator(15)
    rows.append([phase, f"{frac.numerator}/{frac.denominator}", frac.denominator])
# Print as a table
headers=["Phase", "Fraction", "Guess for r"]
df = pd.DataFrame(rows, columns=headers)
print(df)
Phase Fraction Guess for r 0 0.00 0/1 1 1 0.75 3/4 4 2 0.25 1/4 4 3 0.50 1/2 2

We can see that two of the measured eigenvalues provided us with the correct result: r=4r=4, and we can see that Shor’s algorithm has a chance of failing. These bad results are because s=0s = 0, or because ss and rr are not coprime and instead of rr we are given a factor of rr. The easiest solution to this is to simply repeat the experiment until we get a satisfying result for rr.

Quick Exercise

  • Modify the circuit above for values of a=2,8,11a = 2, 8, 11 and 1313. What results do you get and why?

4. Modular Exponentiation

You may have noticed that the method of creating the U2jU^{2^j} gates by repeating UU grows exponentially with jj and will not result in a polynomial time algorithm. We want a way to create the operator:

U2jy=a2jymodNU^{2^j}|y\rangle = |a^{2^j}y \bmod N \rangle

that grows polynomially with jj. Fortunately, calculating:

a2jmodNa^{2^j} \bmod N

efficiently is possible. Classical computers can use an algorithm known as repeated squaring to calculate an exponential. In our case, since we are only dealing with exponentials of the form 2j2^j, the repeated squaring algorithm becomes very simple:

def a2jmodN(a, j, N):
    """Compute a^{2^j} (mod N) by repeated squaring"""
    for i in range(j):
        a = np.mod(a**2, N)
    return a

a2jmodN(7, 2049, 53)
47

If an efficient algorithm is possible in Python, then we can use the same algorithm on a quantum computer. Unfortunately, despite scaling polynomially with jj, modular exponentiation circuits are not straightforward and are the bottleneck in Shor’s algorithm. A beginner-friendly implementation can be found in reference [1].

5. Factoring from Period Finding

Not all factoring problems are difficult; we can spot an even number instantly and know that one of its factors is 2. In fact, there are specific criteria for choosing numbers that are difficult to factor, but the basic idea is to choose the product of two large prime numbers.

A general factoring algorithm will first check to see if there is a shortcut to factoring the integer (is the number even? Is the number of the form N=abN = a^b?), before using Shor’s period finding for the worst-case scenario. Since we aim to focus on the quantum part of the algorithm, we will jump straight to the case in which N is the product of two primes.

Example: Factoring 15

To see an example of factoring on a small number of qubits, we will factor 15, which we all know is the product of the not-so-large prime numbers 3 and 5.

N = 15

The first step is to choose a random number, aa, between 11 and N1N-1:

np.random.seed(1) # This is to make sure we get reproduceable results
a = randint(2, 15)
print(a)
7

Next we quickly check it isn't already a non-trivial factor of NN:

from math import gcd # greatest common divisor
gcd(a, N)
1

Great. Next, we do Shor's order finding algorithm for a = 7 and N = 15. Remember that the phase we measure will be s/rs/r where:

armodN=1a^r \bmod N = 1

and ss is a random integer between 0 and r1r-1.

def qpe_amod15(a):
    n_count = 8
    qc = QuantumCircuit(4+n_count, n_count)
    for q in range(n_count):
        qc.h(q)     # Initialize counting qubits in state |+>
    qc.x(3+n_count) # And auxiliary register in state |1>
    for q in range(n_count): # Do controlled-U operations
        qc.append(c_amod15(a, 2**q), 
                 [q] + [i+n_count for i in range(4)])
    qc.append(qft_dagger(n_count), range(n_count)) # Do inverse-QFT
    qc.measure(range(n_count), range(n_count))
    # Simulate Results
    aer_sim = Aer.get_backend('aer_simulator')
    # Setting memory=True below allows us to see a list of each sequential reading
    t_qc = transpile(qc, aer_sim)
    result = aer_sim.run(t_qc, shots=1, memory=True).result()
    readings = result.get_memory()
    print("Register Reading: " + readings[0])
    phase = int(readings[0],2)/(2**n_count)
    print("Corresponding Phase: %f" % phase)
    return phase

From this phase, we can easily find a guess for rr:

phase = qpe_amod15(a) # Phase = s/r
Fraction(phase).limit_denominator(15) # Denominator should (hopefully!) tell us r
Register Reading: 00000000 Corresponding Phase: 0.000000
Fraction(0, 1)
frac = Fraction(phase).limit_denominator(15)
s, r = frac.numerator, frac.denominator
print(r)
1

Now we have rr, we might be able to use this to find a factor of NN. Since:

armodN=1a^r \bmod N = 1

then:

(ar1)modN=0(a^r - 1) \bmod N = 0

which means NN must divide ar1a^r-1. And if rr is also even, then we can write:

ar1=(ar/21)(ar/2+1)a^r -1 = (a^{r/2}-1)(a^{r/2}+1)

(if rr is not even, we cannot go further and must try again with a different value for aa). There is then a high probability that the greatest common divisor of NN and either ar/21a^{r/2}-1, or ar/2+1a^{r/2}+1 is a proper factor of NN [2]:

guesses = [gcd(a**(r//2)-1, N), gcd(a**(r//2)+1, N)]
print(guesses)
[15, 1]

The cell below repeats the algorithm until at least one factor of 15 is found. You should try re-running the cell a few times to see how it behaves.

a = 7
factor_found = False
attempt = 0
while not factor_found:
    attempt += 1
    print("\nAttempt %i:" % attempt)
    phase = qpe_amod15(a) # Phase = s/r
    frac = Fraction(phase).limit_denominator(N) # Denominator should (hopefully!) tell us r
    r = frac.denominator
    print("Result: r = %i" % r)
    if phase != 0:
        # Guesses for factors are gcd(x^{r/2} ±1 , 15)
        guesses = [gcd(a**(r//2)-1, N), gcd(a**(r//2)+1, N)]
        print("Guessed Factors: %i and %i" % (guesses[0], guesses[1]))
        for guess in guesses:
            if guess not in [1,N] and (N % guess) == 0: # Check to see if guess is a factor
                print("*** Non-trivial factor found: %i ***" % guess)
                factor_found = True
Attempt 1: Register Reading: 01000000 Corresponding Phase: 0.250000 Result: r = 4 Guessed Factors: 3 and 5 *** Non-trivial factor found: 3 *** *** Non-trivial factor found: 5 ***

6. References

  1. Stephane Beauregard, Circuit for Shor's algorithm using 2n+3 qubits, arXiv:quant-ph/0205095

  2. M. Nielsen and I. Chuang, Quantum Computation and Quantum Information, Cambridge Series on Information and the Natural Sciences (Cambridge University Press, Cambridge, 2000). (Page 633)

import qiskit.tools.jupyter
%qiskit_version_table
/usr/local/anaconda3/envs/terra-unstable/lib/python3.9/site-packages/qiskit/aqua/__init__.py:86: DeprecationWarning: The package qiskit.aqua is deprecated. It was moved/refactored to qiskit-terra For more information see <https://github.com/Qiskit/qiskit-aqua/blob/main/README.md#migration-guide> warn_package('aqua', 'qiskit-terra')