The Story of Shor's Algorithm

The quantum factoring algorithm of Peter Shor (FOCS 1994, SIAM Review 1999) turns thirty this year. Before his algorithm, quantum computing lacked the killer app, something practical that quantum could do that seems hard for classical computers. Back in 1994, I said Shor's algorithm bought quantum computing another twenty years. How I misjudged the longevity of quantum hype. 

Peter got the idea for his algorithm from a paper by Daniel Simon solving a theoretical complexity problem. The quantum factoring algorithm is a great example of how a complexity result can open doors to new algorithmic ideas.

Simon came up with a beautifully simple example of a problem that required exponential-time on a probabilistic machine but polynomial-time on a quantum computer. Let's define addition over the \(n\)-bit strings, for \(x\) and \(y\) in \(\{0,1\}^n\), \(x+y\) is the bitwise parity of \(x\) and \(y\). For example if \(x\) is 0110 and \(y\) is 1100, \(x+y = 1010\).

Suppose we have a Boolean function \(f:\{0,1\}^n\rightarrow\{0,1\}^n\) (maps \(n\) bits to \(n\) bits) with the property that \(f(x)=f(y)\) iff \(x=y+z\) for some fixed \(z\). The problem is given \(f\) as an oracle or a circuit, find the \(z\). A classical machine would need exponential steps in to find \(z\) in the worst case.

Simon gave a simple quantum algorithm that would with a single query output a random w such that \(w\cdot z=0\). With \(n = \log N\) linearly independent \(w\), you can solve for \(z\).

Shor's asked what if we could do the same for regular integer addition instead of bitwise parity. Suppose you have a function \(f(x)=f(y)\) iff \(x-y\) is a multiple of \(z\) for a fixed \(z\). (In Simon's case over bits the only multiples are zero and one.) That means \(f\) is periodic and \(z\) is the period. Shor knew that by an algorithm by Miller, finding a period leads to factoring.

Let m be an odd number with multiple prime factors. Consider \(f(x)=a^x\bmod m\) for a randomly chosen \(a\) relatively prime to \(m\). If this function has a period \(z\), then \(a^z\bmod m=a\), \(a^{z-1}\bmod m=1\) and with probability at least one-half, the gcd of \(a^{\frac{z-1}{2}}\) and \(m\) will be a nontrivial factor of m. 

Getting all this to work on a quantum computer requires a number of addition tricks beyond what Simon did but once Shor had the inspiration the rest followed. 

Peter Shor really understood the landscape of theory from complexity to cryptography, a curiosity for quantum computing and the vision to see how it all connected together to get the quantum algorithm that almost single-handedly brought billions of dollars to the field. 

Peter just received the Shannon Award for his work on quantum error correction that would help enable quantum computers to run his algorithm. Still the largest number present day quantum computers can factor with the algorithm is 21. If (and its a big if) that number gets up past the RSA challenge numbers, Peter will have far larger prizes in his future.