Shor's algorithm
== Algorithm ==
The problem that we are trying to solve is: ''given an odd [[composite number]] <math> N </math>, find its [[Integer factorization|integer factors]]''.

To achieve this, Shor's algorithm consists of two parts:
# A classical reduction of the factoring problem to the problem of [[Order (group theory)|order]]-finding. This reduction is similar to that used for other [[integer factorization|factoring algorithms]], such as the [[quadratic sieve]].
# A quantum algorithm to solve the order-finding problem.

=== Classical reduction ===
A complete factoring algorithm is possible if we're able to efficiently factor arbitrary <math> N </math> into just two integers <math> p </math> and <math> q </math> greater than 1, since if either <math> p </math> or <math> q </math> is not prime, then the factoring algorithm can in turn be run on those until only primes remain.

A basic observation is that, using [[Euclidean algorithm|Euclid's algorithm]], we can always compute the [[Greatest common divisor|GCD]] between two integers efficiently. In particular, this means we can check efficiently whether <math> N </math> is even, in which case 2 is trivially a factor. Let us thus assume that <math> N </math> is odd for the remainder of this discussion.
Afterwards, we can use efficient classical algorithms to check whether <math> N </math> is a [[prime power]].<ref>{{cite journal |last1=Bernstein |first1=Daniel |title=Detecting perfect powers in essentially linear time |journal=Mathematics of Computation |date=1998 |volume=67 |issue=223 |pages=1253–1283 |doi=10.1090/S0025-5718-98-00952-1 }}</ref> For prime powers, efficient classical factorization algorithms exist,<ref>For example, computing the first <math>\log_2(N)</math> roots of <math>N</math>, e.g., with the [[Nth_root#Computing_principal_roots|Newton method]] and checking each integer result for primality ([[AKS primality test]]).</ref> hence the rest of the quantum algorithm may assume that <math> N </math> is not a prime power.

If those easy cases do not produce a nontrivial factor of <math> N </math>, the algorithm proceeds to handle the remaining case. We pick a random integer <math> 2 \leq a < N </math>. A possible nontrivial divisor of <math> N </math> can be found by computing <math> \gcd(a, N) </math>, which can be done classically and efficiently using the [[Euclidean algorithm]]. If this produces a nontrivial factor (meaning <math> \gcd(a, N) \ne 1 </math>), the algorithm is finished, and the other nontrivial factor is <math> N/\gcd(a, N) </math>. If a nontrivial factor was not identified, then this means that <math> N </math> and the choice of <math> a </math> are [[coprime]], so <math>a</math> is contained in the [[multiplicative group of integers modulo n|multiplicative group of integers modulo <math>N</math>]], having a [[multiplicative inverse]] modulo <math>N</math>. Thus, <math>a</math> has a [[multiplicative order]] <math> r </math> modulo <math>N</math>, meaning
: <math>a^r \equiv 1 \bmod N,</math>
and <math>r</math> is the smallest positive integer satisfying this congruence. The quantum subroutine finds <math>r</math>.
It can be seen from the congruence that <math> N </math> [[divides]] <math> a^r - 1 </math>, written <math> N \mid a^r - 1 </math>. This can be factored using [[difference of squares]]:
<math display="block"> N \mid (a^{r/2} - 1)(a^{r/2} + 1). </math>
Since we have factored the expression in this way, the algorithm doesn't work for odd <math> r </math> (because <math> a^{r/2} </math> must be an integer), meaning that the algorithm would have to restart with a new <math> a </math>. Hereafter we can therefore assume that <math> r </math> is even. It cannot be the case that <math> N \mid a^{r/2} - 1 </math>, since this would imply <math>a^{r/2} \equiv 1 \bmod N</math>, which would mean that <math> r/2 </math>, rather than <math> r </math>, is the order of <math> a </math>, a contradiction. At this point, it may or may not be the case that <math> N \mid a^{r/2} + 1 </math>. If <math>N</math> does not divide <math> a^{r/2} + 1 </math>, then this means that we are able to find a nontrivial factor of <math> N </math>. We compute
<math display="block"> d = \gcd(N, a^{r/2} - 1). </math>
If <math> d = 1 </math>, then <math> N \mid a^{r/2} + 1 </math> was true, a nontrivial factor of <math> N </math> cannot be obtained from <math> a </math>, and the algorithm must restart with a new <math> a </math>. Otherwise, we have found a nontrivial factor of <math> N </math>, with the other being <math> N/d </math>, and the algorithm is finished. For this step, it is also equivalent to compute <math> \gcd(N, a^{r/2} + 1) </math>; it will produce a nontrivial factor if <math> \gcd(N, a^{r/2} - 1) </math> is nontrivial, and will not if it's trivial (where <math> N \mid a^{r/2} + 1 </math>).

The algorithm, restated briefly, is as follows: let <math> N </math> be odd, and not a prime power. We want to output two nontrivial factors of <math> N </math>.
# Pick a random number <math> 1 < a < N </math>.
# Compute <math> K = \gcd(a, N) </math>, the [[greatest common divisor]] of <math> a </math> and <math> N </math>.
# If <math> K \neq 1 </math>, then <math>K</math> is a [[nontrivial]] factor of <math> N </math>, with the other factor being <math>N/K</math>, and we are done.
# Otherwise, use the quantum subroutine to find the order <math> r </math> of <math>a</math>.
# If <math> r </math> is odd, then go back to step 1.
# Compute <math>g = \gcd(N, a^{r/2} + 1)</math>. If <math>g </math> is nontrivial, the other factor is <math>N/g</math>, and we're done. Otherwise, go back to step 1.

It has been shown that this will be likely to succeed after a few runs.<ref name="siam"/> In practice, a single call to the quantum order-finding subroutine is enough to completely factor <math>N</math> with very high probability of success if one uses a more advanced reduction.<ref name="Ekerå21">{{cite journal |last1=Ekerå |first1=Martin |title=On completely factoring any integer efficiently in a single run of an order-finding algorithm |journal=Quantum Information Processing |date=June 2021 |volume=20 |issue=6 |page=205 |doi=10.1007/s11128-021-03069-1 |arxiv=2007.10044 |bibcode=2021QuIP...20..205E |doi-access=free }}</ref>

=== Quantum order-finding subroutine ===
The goal of the quantum subroutine of Shor's algorithm is, given [[coprime integers]] <math> N </math> and <math> 1< a<N </math>, to find the [[Multiplicative order|order <math> r </math> of <math>a</math> modulo <math>N</math>]], which is the smallest positive integer such that <math>a^r \equiv 1 \pmod N</math>. To achieve this, Shor's algorithm uses a quantum circuit involving two registers. The second register uses <math> n </math> qubits, where <math> n </math> is the smallest integer such that <math> N\le 2^n </math>, i.e., <math> n = \left \lceil {\log_2N} \right \rceil </math>. The size of the first register determines how accurate an approximation the circuit produces.
It can be shown that using <math> 2n </math> qubits gives sufficient accuracy to find <math> r </math>. The exact quantum circuit depends on the parameters <math>a</math> and <math>N</math>, which define the problem. The following description of the algorithm uses [[bra–ket notation]] to denote quantum states, and <math>\otimes</math> to denote the [[tensor product]], rather than [[logical AND]].

The algorithm consists of two main steps:
# Use [[Quantum phase estimation algorithm|quantum phase estimation]] with unitary <math>U</math> representing the operation of multiplying by <math>a</math> (modulo <math>N</math>), and input state <math>|0\rangle^{\otimes 2 n}\otimes|1\rangle</math> (where the second register is <math>|1\rangle</math> made from <math>n</math> qubits). The eigenvalues of this <math>U</math> encode information about the period, and <math>|1\rangle</math> can be seen to be writable as a sum of its eigenvectors. Thanks to these properties, the quantum phase estimation stage gives as output a random integer of the form <math>\frac{j}{r} 2^{2n}</math> for random <math>j=0,1,...,r-1</math>.
# Use the [[simple continued fraction|continued fractions algorithm]] to extract the period <math>r</math> from the measurement outcomes obtained in the previous stage. This is a procedure to post-process (with a classical computer) the measurement data obtained from measuring the output quantum states, and retrieve the period.

The connection with quantum phase estimation was not discussed in the original formulation of Shor's algorithm,<ref name="siam" /> but was later proposed by Kitaev.<ref>{{cite arXiv |eprint=quant-ph/9511026 |last1=Kitaev |first1=A. Yu |date=1995 |title=Quantum measurements and the Abelian Stabilizer Problem }}</ref>

==== Quantum phase estimation ====
[[File:Shor's algorithm.svg|frame|Quantum subroutine in Shor's algorithm]]
In general, the [[quantum phase estimation algorithm]], for any unitary <math>U</math> and eigenstate <math>|\psi\rangle</math> such that <math>U|\psi\rangle=e^{2\pi i\theta} |\psi\rangle</math>, sends input states <math>|0\rangle|\psi\rangle</math> to output states close to <math>|\phi\rangle|\psi\rangle</math>, where <math>\phi</math> is a superposition of integers close to <math>2^{2n} \theta</math>. In other words, it sends each eigenstate <math>|\psi_j\rangle</math> of <math>U</math> to a state containing information close to the associated eigenvalue. For the purposes of quantum order-finding, we employ this strategy using the unitary defined by the action
<math display="block"> U|k\rangle = \begin{cases} |ak \pmod N\rangle & 0 \le k < N, \\ |k\rangle & N \le k < 2^n. \end{cases}</math>
The action of <math>U</math> on states <math>|k\rangle</math> with <math> N \leq k < 2^n </math> is not crucial to the functioning of the algorithm, but needs to be included to ensure that the overall transformation is a well-defined quantum gate. Implementing the circuit for quantum phase estimation with <math>U</math> requires being able to efficiently implement the gates <math> U^{2^j} </math>. This can be accomplished via [[modular exponentiation]], which is the slowest part of the algorithm. The gate thus defined satisfies <math>U^r = I</math>, which immediately implies that its eigenvalues are the <math>r</math>-th [[Root of unity|roots of unity]] <math>\omega_r^k = e^{2\pi ik/r}</math>.
Furthermore, each eigenvalue <math>\omega_r^j</math> has an eigenvector of the form <math display="inline">|\psi_j\rangle=r^{-1/2}\sum_{k=0}^{r-1}\omega_r^{-kj}|a^k\rangle </math>, and these eigenvectors are such that
<math display="block">\begin{align} \frac{1}{\sqrt{r}} \sum_{j = 0}^{r - 1} |\psi_j\rangle &= \frac{1}{r} \sum_{j = 0}^{r - 1} \sum_{k = 0}^{r - 1} \omega_r^{jk}|a^k\rangle \\ &= |1\rangle + \frac{1}{r} \sum_{k = 1}^{r - 1} \left(\sum_{j = 0}^{r - 1} \omega_r^{jk} \right) |a^k\rangle =|1\rangle, \end{align}</math>
where the last identity follows from the [[geometric series]] formula, which implies <math display="inline">\sum_{j = 0}^{r - 1} \omega_r^{jk} = 0</math>.

Using [[Quantum phase estimation algorithm|quantum phase estimation]] on an input state <math>|0\rangle^{\otimes 2 n}|\psi_j\rangle</math> would then return the integer <math>2^{2n} j/r</math> with high probability. More precisely, the quantum phase estimation circuit sends <math>|0\rangle^{\otimes 2 n}|\psi_j\rangle</math> to <math>|\phi_j\rangle|\psi_j\rangle</math> such that the resulting probability distribution <math>p_k \equiv|\langle k|\phi_j\rangle|^2</math> is peaked around <math>k=2^{2n} j/r</math>, with <math>p_{2^{2n}j/r} \ge 4/\pi^2 \approx 0.4053</math>. This probability can be made arbitrarily close to 1 using extra qubits.

Applying the above reasoning to the input <math>|0\rangle^{\otimes 2 n}|1\rangle</math>, quantum phase estimation thus results in the evolution
<math display="block"> |0\rangle^{\otimes 2 n}|1\rangle = \frac{1}{\sqrt{r}} \sum_{j = 0}^{r - 1} |0\rangle^{\otimes 2 n} |\psi_j\rangle \to \frac{1}{\sqrt{r}} \sum_{j = 0}^{r - 1} |\phi_j\rangle|\psi_j\rangle. </math>
Measuring the first register, we now have a balanced probability <math>1/r</math> to find each <math>|\phi_j\rangle</math>, each one giving an integer approximation to <math>2^{2 n} j/r</math>, which can be divided by <math>2^{2n}</math> to get a decimal approximation for <math>j/r</math>.
==== Continued-fraction algorithm to retrieve the period ====
Then, we apply the [[continued fraction|continued-fraction]] algorithm to find integers <math>b</math> and <math>c</math>, where <math>b/c</math> is the best fractional approximation to the value measured from the circuit, for <math>b, c < N</math> and [[Coprime integers|coprime]] <math>b</math> and <math>c</math>. The number of qubits in the first register, <math>2n</math>, which determines the accuracy of the approximation, guarantees that
<math display="block"> \frac{b}{c} = \frac{j}{r}, </math>
given that the best approximation from the superposition of <math>|\phi_j\rangle</math> was measured<ref name="siam"/> (which can be made arbitrarily likely by using extra bits and truncating the output). However, while <math>b</math> and <math>c</math> are coprime, it may be the case that <math>j</math> and <math>r</math> are not coprime. Because of that, <math>b</math> and <math>c</math> may have lost some factors that were in <math>j</math> and <math>r</math>. This can be remedied by rerunning the quantum order-finding subroutine an arbitrary number of times, to produce a list of fraction approximations
<math display="block"> \frac{b_1}{c_1}, \frac{b_2}{c_2}, \ldots, \frac{b_s}{c_s}, </math>
where <math>s</math> is the number of times the subroutine was run. Each <math>c_k</math> will have different factors taken out of it because the circuit will (likely) have measured multiple different possible values of <math>j</math>. To recover the actual <math>r</math> value, we can take the [[least common multiple]] of each <math>c_k</math>:
<math display="block"> \operatorname{lcm}(c_1, c_2, \ldots, c_s). </math>
The least common multiple will be the order <math>r</math> of the original integer <math>a</math> with high probability.
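An end-to-end classical simulation of the reduction (steps 1 to 6 above) together with the post-processing just described, added here as an example and not part of the article: the quantum subroutine is replaced by a stand-in that finds <math>r</math> by brute force and returns a rounded <math>2^{2n} j/r</math> as the "measured" integer, the convergents of <math>k/2^{2n}</math> give <math>b/c</math>, the lcm of several runs restores <math>r</math>, and the gcd step finishes the factorization. Function names are my own, the stand-in is exponential and only meant for toy <math>N</math>, and <code>math.lcm</code> assumes Python 3.9 or later.

```python
import math
import random

def simulated_order_finding_measurement(a, N, rng):
    """Stand-in for the quantum subroutine (not a quantum simulation): the order r is
    found by classical brute force, then k = round(2^{2n} j/r) for a uniformly random
    j is returned, imitating the phase-estimation measurement outcome in the article."""
    n = math.ceil(math.log2(N))          # second register size
    r, x = 1, a % N
    while x != 1:                        # exponential in general; fine for toy N
        x, r = (x * a) % N, r + 1
    j = rng.randrange(r)
    return round(j * 2 ** (2 * n) / r), 2 * n

def convergents(num, den):
    """All convergents h/k of the continued fraction of num/den."""
    hm2, hm1, km2, km1, out = 0, 1, 1, 0, []
    while den:
        q, rem = divmod(num, den)
        h, k = q * hm1 + hm2, q * km1 + km2
        out.append((h, k))
        hm2, hm1, km2, km1, num, den = hm1, h, km1, k, den, rem
    return out

def fraction_from_measurement(k, bits, N):
    """Last convergent b/c of k/2^bits with c < N: this is j/r in lowest terms."""
    best = (0, 1)                        # k = 0 (j = 0) gives c = 1: no information
    for b, c in convergents(k, 2 ** bits):
        if c >= N:
            break
        best = (b, c)
    return best

def recover_order(a, N, runs, rng):
    """lcm of the denominators from several runs, restoring factors lost to gcd(j, r)."""
    r = 1
    for _ in range(runs):
        k, bits = simulated_order_finding_measurement(a, N, rng)
        r = math.lcm(r, fraction_from_measurement(k, bits, N)[1])
    return r

def shor_classical_reduction(N, seed=0, runs=4):
    """Steps 1-6 of the classical reduction for odd N that is not a prime power."""
    rng = random.Random(seed)            # seeded so the example is reproducible
    while True:
        a = rng.randrange(2, N)
        K = math.gcd(a, N)
        if K != 1:
            return K, N // K             # a already shares a factor with N
        r = recover_order(a, N, runs, rng)
        if r % 2 == 1 or pow(a, r, N) != 1:
            continue                     # odd order, or lcm fell short of r: new a
        g = math.gcd(N, pow(a, r // 2, N) + 1)
        if 1 < g < N:
            return g, N // g             # else N | a^{r/2} + 1: new a
```

For <math>N = 21</math>, <math>a = 2</math> (order 6) and <math>j = 1</math>, the stand-in returns <math>k = 171</math> with <math>2n = 10</math> bits, and the convergents of <math>171/1024</math> are <math>0/1, 1/5, 1/6, 85/509, 171/1024</math>, of which <math>1/6</math> is the last with denominator below <math>N</math>.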
In practice, a single run of the quantum order-finding subroutine is in general enough if more advanced post-processing is used.<ref name="Ekerå24">{{cite journal |last1=Ekerå |first1=Martin |title=On the Success Probability of Quantum Order Finding |journal=ACM Transactions on Quantum Computing |date=May 2024 |volume=5 |issue=2 |pages=1–40 |doi=10.1145/3655026 |doi-access=free |arxiv=2201.07791 }}</ref>

==== Choosing the size of the first register ====
Phase estimation requires choosing the size of the first register to determine the accuracy of the algorithm, and for the quantum subroutine of Shor's algorithm, <math>2n</math> qubits is sufficient to guarantee that the optimal bitstring measured from phase estimation (meaning the <math>|k\rangle</math> where <math display="inline">k / 2^{2n}</math> is the most accurate approximation of the phase from phase estimation) will allow the actual value of <math>r</math> to be recovered. Each <math>|\phi_j\rangle</math> before measurement in Shor's algorithm represents a superposition of integers approximating <math>2^{2 n} j/r</math>. Let <math>|k\rangle</math> represent the optimal integer in <math>|\phi_j\rangle</math>. The following theorem guarantees that the continued fractions algorithm will recover <math>j/r</math> from <math>k/2^{2 {n}}</math>:
{{Math theorem | math_statement = If <math>j</math> and <math>r</math> are <math>n</math> bit integers, and <math display="block">\left\vert \frac{j}{r} - \phi\right\vert \leq \frac{1}{2 r^2}</math> then the continued fractions algorithm run on <math>\phi</math> will recover both <math display="inline">\frac{j}{\gcd(j,\; r)}</math> and <math display="inline">\frac{r}{\gcd(j,\; r)}</math>. }}<ref name=":0" />
As <math>k</math> is the optimal bitstring from phase estimation, <math>k/2^{2 {n}}</math> agrees with <math>j/r</math> to <math>2n</math> bits.
Thus,
<math display="block">\left\vert\frac{j}{r} - \frac{k}{2^{2n}}\right\vert \leq \frac{1}{2^{2 {n} + 1}} \leq \frac{1}{2N^2} \leq \frac{1}{2r^2}</math>
which implies that the continued fractions algorithm will recover <math>j</math> and <math>r</math> (or <math>j</math> and <math>r</math> with their greatest common divisor taken out).

=== The bottleneck ===
The runtime bottleneck of Shor's algorithm is quantum [[modular exponentiation]], which is far slower than the [[quantum Fourier transform]] and classical pre-/post-processing. There are several approaches to constructing and optimizing circuits for modular exponentiation. The simplest and (currently) most practical approach is to mimic conventional arithmetic circuits with [[reversible computing|reversible gates]], starting with [[Adder (electronics)#Ripple-carry adder|ripple-carry adders]]. Knowing the base and the modulus of exponentiation facilitates further optimizations.<ref>{{cite journal |first1=Igor L. |last1=Markov |first2=Mehdi |last2=Saeedi |title=Constant-Optimized Quantum Circuits for Modular Multiplication and Exponentiation |journal=Quantum Information and Computation |volume=12 |issue=5–6 |pages=361–394 |year=2012 |doi=10.26421/QIC12.5-6-1 |arxiv=1202.6614 |bibcode = 2012arXiv1202.6614M |s2cid=16595181 }}</ref><ref>{{cite journal |first1=Igor L. |last1=Markov |first2=Mehdi |last2=Saeedi |title=Faster Quantum Number Factoring via Circuit Synthesis |journal=Phys. Rev. A |volume=87 |issue= 1|pages=012310 |year=2013 |arxiv=1301.3210 |bibcode = 2013PhRvA..87a2310M |doi = 10.1103/PhysRevA.87.012310 |s2cid=2246117 }}</ref> Reversible circuits typically use on the order of <math>n^3</math> gates for <math>n</math> qubits. Alternative techniques asymptotically improve gate counts by using [[quantum Fourier transform]]s, but are not competitive with fewer than 600 qubits owing to high constants.