Quantum Fourier Transform and Its Application in Shor’s Algorithm

Quantum Fourier transform (QFT) plays an eminent role in quantum computation. It creates a superposition of different quantum states, allowing simultaneous calculation that would take many steps were the same program implemented on a classical computer. The computational speed of a quantum computer is thus boosted dramatically. In this article, we explain the application of QFT in Shor’s algorithm, which was proposed by Peter Shor to factor large integers on quantum computers. Specifically, the principle and design of quantum Fourier transform are explained. We stress the subtle distinction between QFT and its inverse; since earlier articles did not emphasize it, we hope this discussion supplements them. Our next step is to verify the existing articles on executing Shor’s algorithm by conducting two experiments on IBMQ that factor N = 15 in two ways (a = 7 and a = 11). We find that the effect of quantum entanglement might be crucial to the speed boost of factoring large integers in Shor’s algorithm.


Introduction
Fourier transform is one of the most powerful tools in math and physics, touching almost all theoretical work, from the theory of deferent and epicycles proposed in the 3rd century BCE to the latest theory of solid state physics, signal processing, and optical imaging. Based on the simplest but also most profound belief that everything can be decomposed into a superposition of waves of certain pure frequencies, Fourier transform enables us to perceive a space that is imperceptible to our naked eyes, the reciprocal space, which is also characterized by a four-vector (ω, , , ), as opposed to the four-vector (t, x, y, z) which characterizes real space. Owing to the power of Fourier transform shown in myriad fields of math and physics, it is no surprise that its quantum version, or rather the discrete version, could also play an eminent role in quantum computation, such as in the quantum phase estimation algorithm [1] for estimating the eigenvalues of a unitary operator, and in algorithms for the hidden subgroup problem [2].
One of the most prominent roles quantum Fourier transform has played in quantum computation is that in Shor's algorithm, proposed in 1994. Running on a quantum circuit, Shor's algorithm can factor large numbers into the product of two integers in polynomial time O((log ) ) [3], much faster than the classical algorithm, which takes sub-exponential time, O( 1.9(log ) 2/3 (log log ) 1/3 ), at best to factor the same number [4]. The contrast between the two algorithms becomes strikingly stark as N goes up. For example, to factor a 200-digit number N, it will take a common PC 10 3 years. However, it would be nearly instantly broken down by Shor's algorithm were there an available quantum computer. The reason why factoring large numbers is crucial is that modern public key cryptography used in internet communication, such as the RSA scheme [5], is based on the assumption that large integer factorization is computationally intractable. This assumption holds for non-quantum computers, but not for quantum computers. Consequently, anyone with a quantum computer can pose an immediate threat to the privacy and security of the Internet nowadays. The efficiency of Shor's algorithm is attributed to two key elements: quantum Fourier transform and modular exponentiation. The former takes advantage of quantum superposition to do multiple calculations simultaneously. The latter creates a quantum entanglement between register A and register B in Figure so that the measuring of register B will affect that of register A. The explanation will become clear later. However, the distinction between quantum Fourier transform and the inverse quantum Fourier transform is not sufficiently illustrated in previous research, and most research on Shor's algorithm focuses mainly on the theoretical basis, not on the specific construction of the circuit. Thus, we illustrate the distinction between QFT and IQFT both in the formula and in the circuit design.
Furthermore, this article is dedicated to the specific construction of Shor's algorithm with the experiments of factoring N = 15 with a = 7 and a = 11 separately conducted on IBMQ. We also made a flow chart (See Figure) of Shor's algorithm, hoping it could make the procedure easier to understand.

QFT and IQFT
Mathematically speaking, quantum Fourier transform is a special case of discrete Fourier transform in Hilbert space. It projects a vector in Hilbert space to another vector in the same space.

Figure 2 Circuit of QFT [7]
The circuit of QFT is shown in Figure 2. The quantum gates used in this circuit are the Hadamard gate, which is designed for creating superposition states and is defined as follows.
And the controlled-Rz gate, which is defined as follows.
Assume the input is $|x_1 x_2 \ldots x_n\rangle$. The first operation of this circuit is to apply the Hadamard gate to the first qubit, which produces the quantum state.
Note that $[x_1 x_2 \ldots x_n]$ is the expression for the binary number $x_1 2^{n-1} + x_2 2^{n-2} + \cdots + x_n 2^0$, and ⊗ denotes the state product. Then apply the controlled-$R_2$, $R_3$ through $R_n$ gates successively to the first qubit, producing the state.
By the same token, apply the Hadamard gate and the controlled-$R_3$, $R_4$ through $R_n$ gates to the second qubit, outputting the state.
Operate on the rest of the qubits in the same manner. That is, generally, apply the Hadamard gate and the controlled-$R_{m+1}$, $R_{m+2}$ through $R_n$ gates to the m-th qubit. After applying all quantum gates, it can thus be concluded that the final state that the circuit above produces is as follows.
On the other hand, from the definition of QFT: Note that It seems that the order in (14) is reversed with respect to (7). However, the output should be read from bottom to top, just It shows that the circuit in Figure 2 is indeed the circuit for QFT. Obviously, QFT is a unitary transform because each gate in the circuit is unitary.

Implementation of QFT and IQFT [8]
The structure of IQFT is similar to QFT. One only needs to reverse the gate sequence of QFT and replace each gate with its conjugate. This is because if IQFT for n = 3 is the right half part of Figure Different colors stand for different phase from 0 to 2 . As shown in Figure 5, when the input is x=1, the output is a superposition of all 8 possible states which have the same amplitude and differ from adjacent states only in phase, by 4 ⁄ .
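The relationship described above, as an added example that is not from the original article: a pure-Python state-vector simulation of the QFT circuit (Hadamard plus controlled-R_k gates, with the output read bottom to top) and of the IQFT obtained by reversing the gate order and conjugating each phase. The function names are assumptions made for this illustration, and qubit 1 is taken as the most significant bit, matching the input |x_1 x_2 … x_n⟩.

```python
import cmath
from math import pi, sqrt

def hadamard(state, n, m):
    """Hadamard on qubit m; qubit 1 is the most significant bit of the index."""
    bit = 1 << (n - m)
    out = state[:]
    for i in range(len(state)):
        if not i & bit:
            lo, hi = state[i], state[i | bit]
            out[i], out[i | bit] = (lo + hi) / sqrt(2), (lo - hi) / sqrt(2)
    return out

def controlled_r(state, n, control, target, k, sign):
    """Controlled-R_k: phase exp(sign*2*pi*i/2^k) when both qubits are 1."""
    mask = (1 << (n - control)) | (1 << (n - target))
    phase = cmath.exp(sign * 2j * pi / 2 ** k)
    return [amp * phase if (i & mask) == mask else amp
            for i, amp in enumerate(state)]

def reverse_bits(state, n):
    """Read the register bottom to top (reverse the qubit order)."""
    return [state[int(format(i, f"0{n}b")[::-1], 2)] for i in range(len(state))]

def qft_circuit(state, n, inverse=False):
    """QFT as H + controlled-R_k gates; IQFT = reversed order, conjugate phases."""
    gates = []
    for m in range(1, n + 1):
        gates.append(("H", m))
        gates += [("R", m + k - 1, m, k) for k in range(2, n - m + 2)]
    sign = 1
    if inverse:
        gates, sign = gates[::-1], -1
        state = reverse_bits(state, n)   # undo the read-out reordering first
    for gate in gates:
        if gate[0] == "H":
            state = hadamard(state, n, gate[1])
        else:
            state = controlled_r(state, n, gate[1], gate[2], gate[3], sign)
    return state if inverse else reverse_bits(state, n)

def qft_definition(x, n, sign=1):
    """Column x of the transform: exp(sign*2*pi*i*x*y/Q)/sqrt(Q), y = 0..Q-1."""
    Q = 2 ** n
    return [cmath.exp(sign * 2j * pi * x * y / Q) / sqrt(Q) for y in range(Q)]
```

For n = 3 and input x = 1, both transforms give eight equal-magnitude amplitudes; the only difference is the sign of the constant phase step between adjacent states.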

Shor's Algorithm [9]
Shor's algorithm consists of two subroutines: the classical one and the quantum one. The classical subroutine is operated on a traditional circuit while the quantum part works on a quantum circuit, using the property of quantum superposition to drastically boost the computational speed.

Classical Subroutine
Suppose a large integer N is given to be factored. The classical circuit generates a random integer < and calculates the greatest common divisor between a and N by the Euclidean algorithm.
• If gcd(a, N) ≠ 1, then gcd(a, N) is a non-trivial factor of N. The factorization is thus completed.
However, the following two cases are exceptions. If the period p is odd, /2 is not an integer. Or if N|( /2 + 1) or N|( /2 − 1) , then gcd( /2 + 1, N) = N or gcd( /2 − 1, N) = N , which tells us nothing about the factors of N. In these two cases, another random number a will be generated and the process above will iterate. Nevertheless, the probability of finding the number which satisfies the previous two conditions is about 25%, not bad [6].
Figure 6 Circuit for Shor's Algorithm [12]
Figure 6 is composed of two registers: A and B. Suppose A contains q qubits, and B contains n qubits. Denote $2^q = Q$. There are some conditions for q and n to meet. q should at least make Q − 1 > 2p. The reasons will become clear later (See Figure ). 2 should at least be greater than N because register B is used to store $a^x \bmod N$, which has the magnitude of N. Conveniently, as is shown in Figure , q is chosen to be 2n to guarantee Q − 1 > 2p since the period p is always less than N.

Quantum Subroutine (Period-Finding)
First, implement n Hadamard gates on register A. To see the results, recall the Hadamard gate on a single qubit: It converts |0⟩ to a superposition of all possible states with the same amplitude. Hadamard gates on q qubits are similar, transforming the initial state into all possible states with the same amplitude. So, at position 1, the $U_f$ gate is built as follows.
where f(x) = $a^x \bmod N$. We can see that $U_f$ depends on the specific a and N. Implement $U_f$ to register B. So at position 2.
Where f(x) = . Unfortunately, the specific design of $U_f$ is contingent on the specific a and N, which means we have to redesign or adjust the whole structure on register B every time a new set of (a, N) is given. This unsatisfactory fact is the bottleneck of Shor's algorithm. Rather than getting bogged down in the specific structure of $U_f$ or the method to adjust the circuit, let's just assume $U_f$ has been constructed a priori.
Apply an IQFT to |ψ2⟩. So at position 3, P(|y, z〉) is the conditional probability of measuring state |y⟩ in register A, given that |z⟩ in register B was observed. It implies that |z⟩ must be measured before |y⟩. Then the wavefunction in register B collapses from a superposition of all possible |z⟩ states into a certain |z⟩. Due to the entanglement established by between register A and register B, the probability of measuring register A is consequently changed [10]. In reality, the circuit in Figure is connected to a classical circuit at both ends, so we do not have to measure which state |z⟩ will turn out to be in register B. Recall that p is the period of f(x), so x = x0 + np, where x0 is the first integer that makes f(x) = z, and n = 0, 1, 2, ..., m − 1, where m is the upper bound for n. Since Q is usually much larger than p, m is roughly estimated as Q/p for every possible z falling into the set S. As is shown in Figure 7, it's better to make q sufficiently large. That's because as m ∼ Q/p approaches infinity, P(s) approaches In summary, the $U_f$ gate selects the x that make f(x) equal a certain z. They are the very x that are put into the IQFT. Note that the x's are separated by a constant value p, and the IQFT detects the periods of the input states. Accordingly, the measurement of the output will reflect the periodicity of the input by showing yet another periodicity. We can use the period of the measurement in the output to deduce the period of the input.

The procedure of Shor's Algorithm
To wrap up, Shor's algorithm is composed of two parts: the classical subroutine and the quantum subroutine. The flowchart is summarized in Figure 8. The circuit for Shor's algorithm is designed as in Figure 9. Qubits 0-2 form register A; qubits 3-6 form register B. There is no general $U_f$ gate that can be applied universally, which means that the circuits above are limited to the case a = 7 and N = 15.
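An added example (not code from the original article or its IBMQ experiments) that simulates the whole procedure classically for the article's cases N = 15 with a = 7 and a = 11 and a 3-qubit register A: it keeps only the x with a^x mod N = z, applies the IQFT sum, and turns each measurable y into a period candidate and then into factors. The function names and the choice z = 1 are assumptions made for this illustration.

```python
import cmath
from fractions import Fraction
from math import gcd, pi

def register_a_distribution(a, N, q, z=1):
    """P(y) on register A after the IQFT, given register B collapsed to z."""
    Q = 2 ** q
    # U_f entangles |x> with |a^x mod N>; observing z keeps only x = x0 + n*p.
    xs = [x for x in range(Q) if pow(a, x, N) == z]
    probs = []
    for y in range(Q):
        # The IQFT carries the negative exponent exp(-2*pi*i*x*y/Q).
        amp = sum(cmath.exp(-2j * pi * x * y / Q) for x in xs)
        probs.append(abs(amp) ** 2 / (Q * len(xs)))
    return probs

def period_candidate(y, Q, a, N):
    """Read y/Q as s/p in lowest terms (p < N); keep p only if a^p = 1 mod N."""
    p = Fraction(y, Q).limit_denominator(N - 1).denominator
    return p if pow(a, p, N) == 1 else None

def factors_from_period(a, N, p):
    """Classical subroutine: reject odd p and the trivial cases, else take gcds."""
    if p is None or p % 2:
        return None
    half = pow(a, p // 2, N)
    if half in (1, N - 1):     # N divides a^(p/2) - 1 or a^(p/2) + 1
        return None
    return tuple(sorted((gcd(half - 1, N), gcd(half + 1, N))))

def shor_demo(a, N, q):
    """Return the measurable outcomes y and the factors each one yields."""
    Q = 2 ** q
    probs = register_a_distribution(a, N, q)
    peaks = [y for y, pr in enumerate(probs) if pr > 1e-9]
    return peaks, {y: factors_from_period(a, N, period_candidate(y, Q, a, N))
                   for y in peaks}

if __name__ == "__main__":
    for a in (7, 11):  # the two cases run on IBMQ in the article
        print(a, shor_demo(a, 15, 3))
```

Outcomes whose fraction y/Q reduces to a proper divisor of the period (y = 0, or y = 4 for a = 7) yield no factors, which corresponds to the retry branch of the procedure.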

Conclusion
Based on quantum Fourier transform and modular exponentiation, Shor's algorithm operated on a quantum computer is far more efficient at factoring large integers than the classical algorithm. Despite the intricacy and annoyance of adjusting the modular exponentiation gate ( ) whenever a new set of (a, N) is fed in, Shor's algorithm is feasible on quantum computers, at least for the case (a, N) = (7, 15) and the case (a, N) = (11, 15), which are verified on IBM Q. It is promising that a general method of designing the modular exponentiation could be invented so that the circuit can be modified according to any given set of (a, N). If so, the classical method of encryption will be in jeopardy.