Training Quantum Physics Quantum Algorithms I: Quantum Fourier Transform and Shor's Algorithm
11 / 15

Quantum Algorithms I: Quantum Fourier Transform and Shor's Algorithm

40 min Quantum Physics

Quantum Algorithms I: Quantum Fourier Transform and Shor's Algorithm

The quantum Fourier transform (QFT) stands as the cornerstone of quantum speedup in number-theoretic problems, enabling algorithms that are exponentially faster than any known classical counterpart. At its core, the QFT maps a quantum state $|x\rangle$ in the computational basis to its quantum analog of the discrete Fourier transform, but does so in a way that exploits quantum superposition and entanglement to achieve a gate complexity of $O(n^2)$ on $n$ qubits — in contrast to the classical fast Fourier transform (FFT) which requires $O(n \cdot 2^n)$ operations to transform a vector of $2^n$ components. This exponential compression of circuit depth is not magic; it arises from the fact that the quantum computer manipulates all $2^n$ amplitudes simultaneously through interference, whereas the classical computer must access and process each component sequentially.

The discrete Fourier transform (DFT) of a complex vector $(x_0, x_1, \ldots, x_{N-1})$ of length $N = 2^n$ produces the vector $(y_0, y_1, \ldots, y_{N-1})$ where $y_k = \frac{1}{\sqrt{N}} \sum_{j=0}^{N-1} x_j \omega_N^{jk}$ and $\omega_N = e^{2\pi i / N}$ is the primitive $N$-th root of unity. The QFT performs this transformation on the amplitudes of a quantum state: if the input is $|\psi\rangle = \sum_{j=0}^{N-1} x_j |j\rangle$, the output is $\sum_{k=0}^{N-1} y_k |k\rangle$ where the $y_k$ are exactly the DFT coefficients. The QFT circuit achieves this using only $n(n+1)/2$ Hadamard and controlled-phase gates — polynomial in $n$, versus the exponential number of arithmetic operations required classically.

Phase estimation is the algorithmic primitive that transforms the QFT from a mathematical curiosity into a computational weapon. Given a unitary operator $U$ and one of its eigenstates $|u\rangle$ with eigenvalue $e^{2\pi i \varphi}$, phase estimation determines $\varphi$ to $t$ bits of precision using $t$ ancilla qubits and $O(t^2)$ gates. This is the subroutine at the heart of Shor's algorithm, the HHL algorithm for linear systems, and quantum simulation of molecular Hamiltonians. The elegance of phase estimation is that it converts a continuous eigenvalue — the phase $\varphi$ — into a discretely readable integer via the QFT, allowing quantum measurement to extract classical information about a continuous quantum property.

Shor's algorithm, published by Peter Shor in 1994, was the watershed moment that convinced the scientific community that quantum computers could solve problems intractable for classical computers. The algorithm factors an integer $N$ in $O((\log N)^3)$ quantum gate operations — polynomial in the number of digits — versus the best known classical algorithm (the general number field sieve) which runs in $\exp(O((\log N)^{1/3} (\log \log N)^{2/3}))$, a sub-exponential but still superpolynomial time. For a 2048-bit RSA modulus, a classical computer would need longer than the age of the universe, while a fault-tolerant quantum computer would require hours to days.

The key insight of Shor's algorithm is that factoring reduces to period-finding. If we define $f(x) = a^x mod N$ for a randomly chosen integer $a$ coprime to $N$, this function is periodic with some period $r$ (called the order of $a$ modulo $N$). If $r$ is even and $a^{r/2} \not\equiv -1 \pmod{N}$, then $\gcd(a^{r/2} \pm 1, N)$ yields a nontrivial factor of $N$ with high probability. The quantum period-finding step, which uses the QFT to extract $r$ from a superposition of function evaluations, is where the exponential speedup occurs. The classical post-processing using continued fractions is efficient and runs in $O((\log N)^2)$ time.

The hidden subgroup problem (HSP) provides the unifying algebraic framework for understanding when quantum algorithms beat classical ones. The QFT-based algorithms — Shor's, Deutsch-Jozsa, Simon's — all solve instances of the HSP over abelian groups. The problem asks: given a function $f: G \to S$ that is constant on cosets of a hidden subgroup $H \leq G$ and distinct on different cosets, find $H$. For $G = \mathbb{Z}_N$, this is exactly period-finding. Quantum computers solve the abelian HSP exponentially faster than any classical algorithm; the non-abelian case (which would crack graph isomorphism) remains open and is one of the great open problems in quantum complexity theory.

The threat to cryptography is concrete and quantified. RSA-2048 encryption, used to secure the majority of internet traffic, relies on the difficulty of factoring a 2048-bit semiprime. Running Shor's algorithm on RSA-2048 would require approximately 4,000 logical qubits and $O(10^{10})$ fault-tolerant gate operations. Given realistic error rates of physical qubits (around $10^{-3}$ per gate), achieving 4,000 logical qubits requires roughly 4 million physical qubits with surface code error correction. Current state-of-the-art machines have thousands of physical qubits with insufficient fidelity. The timeline to cryptographically relevant quantum computers is estimated at 10–20 years, but the "harvest now, decrypt later" threat — where adversaries collect encrypted data today to decrypt once quantum computers arrive — makes post-quantum cryptography (lattice-based, hash-based, code-based) an urgent priority.

Beyond cryptography, quantum simulation is the application where quantum advantage is clearest and most near-term. Simulating the quantum mechanics of a molecule with $n$ electrons requires a Hilbert space of dimension $2^n$ — classically intractable for $n \gtrsim 50$. The Jordan-Wigner mapping transforms fermionic creation and annihilation operators $\hat{a}_j^\dagger, \hat{a}_j$ into Pauli strings of length $O(n)$, allowing the molecular Hamiltonian to be represented as a sum of $O(n^4)$ Pauli terms acting on $n$ qubits. This allows quantum computers to simulate chemical reactions, find ground-state energies of catalysts, and design new materials with applications from drug discovery to battery technology — all in polynomial quantum resources versus exponential classical resources.

Quantum Fourier Transform

The QFT on $n$ qubits (dimension $N = 2^n$) is the unitary operator:

$$\text{QFT}_N |j\rangle = \frac{1}{\sqrt{N}} \sum_{k=0}^{N-1} e^{2\pi i jk/N} |k\rangle$$

In binary representation $j = j_1 j_2 \cdots j_n$ (i.e., $j = j_1 2^{n-1} + \cdots + j_n 2^0$), the output has the product form:

$$\text{QFT}_N |j\rangle = \frac{1}{2^{n/2}} \bigotimes_{l=1}^{n} \left(|0\rangle + e^{2\pi i j / 2^l} |1\rangle\right)$$

This product structure is what makes efficient circuit implementation possible.

QFT Circuit Complexity

The QFT on $n$ qubits is implemented with exactly $\frac{n(n+1)}{2}$ gates: one Hadamard gate per qubit and $\binom{n}{2}$ controlled-$R_k$ phase gates, where $R_k = \begin{pmatrix} 1 & 0 \\ 0 & e^{2\pi i/2^k} \end{pmatrix}$. This gives gate complexity $O(n^2)$. The classical FFT requires $O(n \cdot 2^n)$ operations on $2^n$ amplitudes, giving an exponential separation. However, reading out all $2^n$ amplitudes from a quantum computer requires exponential measurements — the QFT speedup is only useful as a subroutine.

Quantum Phase Estimation

Given unitary $U$ with eigenstate $|u\rangle$ and eigenvalue $e^{2\pi i \varphi}$ (unknown $\varphi \in [0,1)$), phase estimation uses $t$ ancilla qubits to output $|\tilde{\varphi}\rangle$ — the best $t$-bit approximation to $\varphi$ — with probability at least $1 - \epsilon$ using $t = n + \lceil \log(2 + 1/(2\epsilon)) \rceil$ qubits. Circuit: prepare $|0\rangle^{\otimes t} |u\rangle$, apply Hadamards to ancillas, apply controlled-$U^{2^j}$ operations, then apply QFT$^{-1}$ to ancillas, measure. Gate depth: $O(t^2)$ from the inverse QFT plus $O(t)$ controlled-$U$ applications.

Shor's Algorithm — Structure

Input: Composite integer $N$, $\gcd(a, N) = 1$.
Quantum subroutine: Find period $r$ of $f(x) = a^x \bmod N$.

Procedure:
1. Prepare $\frac{1}{\sqrt{Q}} \sum_{x=0}^{Q-1} |x\rangle |0\rangle$ where $Q = 2^m \geq N^2$.
2. Compute $f$: $\frac{1}{\sqrt{Q}} \sum_x |x\rangle |a^x \bmod N\rangle$.
3. Measure second register; first collapses to $\frac{1}{\sqrt{Q/r}} \sum_{k} |x_0 + kr\rangle$.
4. Apply QFT: peaks at multiples of $Q/r$.
5. Measure; use continued fractions to extract $r$.
Classical post-processing: Compute $\gcd(a^{r/2} \pm 1, N)$.
Total complexity: $O((\log N)^3)$ quantum gates.

Continued Fractions for Period Extraction

After measuring $m/Q$ from the QFT (where $m \approx jQ/r$ for integer $j$), compute the continued fraction expansion of $m/Q$. The convergents $p_k/q_k$ of this expansion satisfy $|m/Q - p_k/q_k| < 1/(2q_k^2)$ when $r \leq N$. The denominator $q_k = r$ with probability $\Omega(1/\log \log N)$, and repeating $O(\log \log N)$ times gives $r$ with high probability.

Example 1

Compute the QFT of $|2\rangle$ in a 3-qubit system ($N = 8$). Express the output as a superposition.

With $j = 2$ and $N = 8$, $\omega_8 = e^{2\pi i/8} = e^{i\pi/4}$:

$$\text{QFT}_8 |2\rangle = \frac{1}{\sqrt{8}} \sum_{k=0}^{7} e^{2\pi i \cdot 2k/8} |k\rangle = \frac{1}{\sqrt{8}} \sum_{k=0}^{7} e^{i\pi k/2} |k\rangle$$

The phases are: $k=0$: $1$; $k=1$: $i$; $k=2$: $-1$; $k=3$: $-i$; $k=4$: $1$; $k=5$: $i$; $k=6$: $-1$; $k=7$: $-i$.

$$\text{QFT}_8|2\rangle = \frac{1}{\sqrt{8}}\bigl(|0\rangle + i|1\rangle - |2\rangle - i|3\rangle + |4\rangle + i|5\rangle - |6\rangle - i|7\rangle\bigr)$$

All 8 states have equal amplitude $1/\sqrt{8}$, so measurement gives each basis state with probability $1/8$. The information is entirely in the phases, accessible only via interference.

Example 2

Trace through Shor's algorithm to factor $N = 15$ using $a = 7$. Find the period of $f(x) = 7^x \bmod 15$.

Compute $f(x) = 7^x \bmod 15$:
$f(0)=1,\ f(1)=7,\ f(2)=49 \bmod 15=4,\ f(3)=28 \bmod 15=13,\ f(4)=91 \bmod 15=1$.

The sequence $1,7,4,13,1,7,4,13,\ldots$ has period $r = 4$.

Post-processing: $a^{r/2} = 7^2 = 49 \equiv 4 \pmod{15}$.

Check: $4 \not\equiv -1 \pmod{15}$ (since $-1 \equiv 14$). ✓

$\gcd(4-1, 15) = \gcd(3, 15) = 3$ — a factor! $\gcd(4+1, 15) = \gcd(5, 15) = 5$ — another factor!

$$15 = 3 \times 5 \checkmark$$

On a quantum computer, the QFT of the state $\frac{1}{2}(|0\rangle + |4\rangle + |8\rangle + |12\rangle)$ would produce sharp peaks at $k = 0, Q/4, Q/2, 3Q/4$, from which $r = 4$ is read via continued fractions.

Example 3

The QFT circuit for $n=3$ uses Hadamard gates $H$ and controlled phase gates $R_k$. Write the explicit circuit and count the gates.

For $n = 3$ qubits (labeled $q_1, q_2, q_3$ from most to least significant):

Step 1 ($q_1$): $H$ on $q_1$; then $CR_2(q_2 \to q_1)$; then $CR_3(q_3 \to q_1)$.

Step 2 ($q_2$): $H$ on $q_2$; then $CR_2(q_3 \to q_2)$.

Step 3 ($q_3$): $H$ on $q_3$.

Step 4: SWAP $q_1 \leftrightarrow q_3$ (bit-reversal, implemented as 3 CNOTs).

Gate count (ignoring SWAPs): $3H + 3$ controlled-phase gates $= 6$ gates. Formula: $n(n+1)/2 = 3 \times 4/2 = 6$. ✓

The controlled-$R_k$ gate applies $e^{2\pi i/2^k}$ phase to $|1\rangle$ of the target qubit when the control is $|1\rangle$.

Example 4

Explain the Jordan-Wigner transformation for quantum chemistry simulation. Map the two-site Hubbard model to qubits.

The Jordan-Wigner (JW) transformation maps fermionic operators obeying $\{\hat{a}_i, \hat{a}_j^\dagger\} = \delta_{ij}$ to Pauli operators:

$$\hat{a}_j = \left(\bigotimes_{k=1}^{j-1} Z_k\right) \otimes \frac{X_j + iY_j}{2}, \quad \hat{a}_j^\dagger = \left(\bigotimes_{k=1}^{j-1} Z_k\right) \otimes \frac{X_j - iY_j}{2}$$

The string of $Z$ operators enforces fermionic anticommutation. For the two-site Hubbard model with sites $\uparrow,\downarrow$ spins on each site (4 modes total, 4 qubits):

$$H = -t\sum_{\sigma}(\hat{a}_{1\sigma}^\dagger \hat{a}_{2\sigma} + \text{h.c.}) + U\sum_i \hat{n}_{i\uparrow}\hat{n}_{i\downarrow}$$

After JW: hopping terms become $(XX + YY)/2$ acting on pairs of qubits; the interaction term $U\hat{n}_{i\uparrow}\hat{n}_{i\downarrow} = U(I-Z_1)(I-Z_3)/4$ becomes a 2-qubit $ZZ$ interaction. The full Hamiltonian is a sum of $O(n^4)$ Pauli strings, each efficiently simulable on a quantum processor.

Interactive Explorer: QFT Amplitude Visualizer & Period Finder
Register size $N = 2^n$: 8
QFT output: all amplitudes $= 1/\sqrt{N}$, phases $e^{2\pi i xk/N}$
Period $r$ of $f(k)=2^k \bmod N$:
QFT peak spacing $= N/r$:

Practice Problems

1. Compute $\text{QFT}_4 |1\rangle$. Write all four output amplitudes including phases.
2. How many gates does the QFT circuit require for $n = 10$ qubits?
3. The classical FFT on $N = 2^{20}$ requires approximately $N \log_2 N$ operations. Compare to the QFT gate count on 20 qubits.
4. In Shor's algorithm for $N = 21$, try $a = 2$. Compute $f(x) = 2^x \bmod 21$ for $x = 0, \ldots, 5$ and identify the period $r$.
5. Using the period found in Problem 4, compute $\gcd(a^{r/2} \pm 1, N)$ and verify you get a factor of 21.
6. Why must we require $r$ to be even and $a^{r/2} \not\equiv -1 \pmod{N}$ in Shor's post-processing?
7. State the hidden subgroup problem. How does Simon's algorithm solve the HSP over $\mathbb{Z}_2^n$ in $O(n)$ quantum queries versus $\Omega(2^{n/2})$ classical queries?
8. Phase estimation: if $U|u\rangle = e^{2\pi i \times 0.375}|u\rangle$, how many ancilla qubits are needed to determine $\varphi = 0.375 = 3/8$ exactly?
9. Explain why measuring the QFT output in Shor's algorithm gives $k \approx jQ/r$ (an integer multiple of $Q/r$) and how continued fractions extract $r$.
10. The Jordan-Wigner mapping of a molecule with $n$ spin-orbitals requires $n$ qubits and $O(n^4)$ Pauli terms. For the nitrogen molecule ($n = 20$ spin-orbitals), how many Pauli terms are there?
11. RSA-2048 requires $\approx 4000$ logical qubits. If each logical qubit needs 1000 physical qubits, how many total physical qubits are needed? Compare to the best current quantum computers.
12. Prove that $\text{QFT}_{N}^\dagger \cdot \text{QFT}_{N} = I$ (the QFT is unitary) by showing the output states form an orthonormal basis.
Show Answer Key

1. $\text{QFT}_4|1\rangle = \frac{1}{2}\sum_{k=0}^{3} e^{2\pi i k/4}|k\rangle = \frac{1}{2}(|0\rangle + i|1\rangle - |2\rangle - i|3\rangle)$. Phases: $\omega_4^0=1$, $\omega_4^1=i$, $\omega_4^2=-1$, $\omega_4^3=-i$.

2. $n(n+1)/2 = 10 \times 11/2 = 55$ gates.

3. Classical FFT: $2^{20} \times 20 \approx 20{,}971{,}520$ operations. QFT circuit: $20 \times 21/2 = 210$ gates. Exponential compression: $\sim 10^5$ fewer gates (though measuring all amplitudes requires $2^{20}$ shots).

4. $2^0=1, 2^1=2, 2^2=4, 2^3=8, 2^4=16, 2^5=32\bmod 21=11, 2^6=22\bmod 21=1$. Period $r=6$.

5. $a^{r/2}=2^3=8$. $\gcd(8-1,21)=\gcd(7,21)=7$. $\gcd(8+1,21)=\gcd(9,21)=3$. So $21=3\times 7$. ✓

6. If $r$ is odd, $a^{r/2}$ is not an integer power. If $a^{r/2}\equiv -1\pmod{N}$, then $a^{r/2}+1\equiv 0\pmod{N}$ and $\gcd(a^{r/2}+1,N)=N$ (trivial factor).

7. HSP: find hidden subgroup $H\leq G$ given $f$ constant on $H$-cosets. Simon's algorithm: prepare $\frac{1}{\sqrt{2^n}}\sum_x |x\rangle|0\rangle$, evaluate $f$, measure second register to get $|x_0+h_1\rangle+|x_0+h_2\rangle$ (superposition over coset), apply Hadamard, measure to get string $y$ with $y\cdot s=0\pmod{2}$ where $s$ generates $H$. After $O(n)$ queries, solve the linear system for $s$. Classical requires $\Omega(2^{n/2})$ by birthday paradox.

8. $\varphi=3/8=0.011_2$ requires 3 bits. So $t=3$ ancilla qubits suffice for exact representation.

9. After measuring the second register at value $f(x_0)$, the first register collapses to $\frac{1}{\sqrt{M}}\sum_{k=0}^{M-1}|x_0+kr\rangle$. QFT of this uniform-spacing superposition produces peaks at $|jQ/r\rangle$ for $j=0,1,\ldots,r-1$. Measuring gives $m\approx jQ/r$; computing continued-fraction convergents of $m/Q$ yields $j/r$ in lowest terms, giving $r$ as denominator.

10. $O(n^4)=20^4=160{,}000$ Pauli terms.

11. $4000 \times 1000 = 4{,}000{,}000$ physical qubits. Current best (Google Willow, 2024): 105 qubits. Gap factor: $\sim 38{,}000\times$.

12. The QFT maps $|j\rangle \mapsto \frac{1}{\sqrt{N}}\sum_k \omega^{jk}|k\rangle$. Inner product: $\langle \text{QFT}(j')|\text{QFT}(j)\rangle = \frac{1}{N}\sum_k \omega^{(j-j')k} = \delta_{jj'}$ (geometric series sums to $N$ if $j=j'$, else 0). Hence rows are orthonormal, so QFT is unitary. ✓

Introduction to Quantum Computing: Qubits, Quantum Gates, and Quantum Circuits Quantum Algorithms II: Grover's Search, QAOA, and Variational Quantum Algorithms