Order Finding

The Classical Problem

First, let's briefly state the classical order finding problem. We are given two positive integers, $x$ and $N$, which are coprime (meaning $\gcd(x, N) = 1$). We want to find the order of $x$ modulo $N$. The order is defined as the smallest positive integer $r$ such that:

$$x^r \equiv 1 \pmod{N}$$

Pause and think
Why is there reason to expect that the quantum phase estimation algorithm could be useful here?
Think about what phase estimation actually does before reading further.
Constructing the Unitary

Remember, the quantum phase estimation algorithm takes as input a unitary operator $U$ and an eigenvector $|u\rangle$, and outputs an estimate for the phase of the corresponding eigenvalue $\theta$, where the eigenvalue $\lambda = e^{2\pi i\theta}$ with $0 \leq \theta \leq 1$.
Hence, if we are going to use the quantum phase estimation algorithm to find $r$, we need to invent a unitary operator $U$ that encodes this modular arithmetic, and we need to figure out its eigenvalues and eigenvectors.

To kick things off, let's figure out how this operator should behave.

Pause and think
How would you define the action of a unitary operator $U$ on a general computational basis state $|y\rangle$ (where $0 \leq y < N$) such that applying it repeatedly captures the cyclic nature of multiplying by $x$? In particular, what should $U^r|y\rangle$ be?
Pause and think
If the entire purpose of this operator is to directly encode the classical arithmetic of "multiplying by $x$ modulo $N$", what should the output state be when you apply $U$ to an arbitrary input state $|y\rangle$? How would you complete this equation?

$$U|y\rangle = |\text{?}\rangle$$

We define our unitary operator such that:

$$U|y\rangle = |xy \pmod{N}\rangle$$

(Note: to keep it strictly unitary, we usually say it does this for $0 \leq y < N$, and acts as the identity for $y \ge N$, but we only really care about the $0$ to $N-1$ subspace).

Now, let's connect this back to what we already know. The quantum phase estimation algorithm is a machine that takes a unitary operator $U$ and one of its eigenvectors $|u\rangle$, and spits out the phase $\theta$ of its corresponding eigenvalue $e^{2\pi i \theta}$.

If we want to use QPE to find the order $r$, our next mission is to figure out the eigenvalues and eigenvectors of this specific $U$.

Let's start with the eigenvalues. We established earlier that applying $U$ exactly $r$ times brings a state back to itself. In other words, on this relevant subspace:

$$U^r = I$$

Pause and think
Suppose $|u_s\rangle$ is an eigenvector of $U$ with eigenvalue $\lambda$, meaning $U|u_s\rangle = \lambda|u_s\rangle$. Using the fact that $U^r = I$, what are the possible values for the eigenvalue $\lambda$?
(Hint: Since there are $r$ distinct roots of unity, try using an index, let's call it $s$ (where $0 \leq s < r$), to label the different possible eigenvalues $\lambda_s$.)

$\lambda^r = e^{2\pi i \theta r} = 1$ is exactly the equation we need to solve.

Pause and think
If we set $2\pi \theta r$ equal to the general expression for any full rotation (let's use an integer $s$ to count the rotations, where $s \in \{0, 1, \dots, r-1\}$), what does that make our phase $\theta$? Once we have $\theta$, what is the general form for our $r$ distinct eigenvalues $\lambda_s$?

Make sure you see why $\theta=\frac{s}{r}$ and $\lambda_s = e^{2\pi i \frac{s}{r}}$.

Now we have our eigenvalues. If we can feed an eigenvector corresponding to one of these eigenvalues into the quantum phase estimation algorithm, it will spit out $\frac{s}{r}$. (And once we have the fraction $\frac{s}{r}$, we can use some classical number theory to extract $r$, which is our ultimate goal).

But to do that, we need to know what these eigenvectors $|u_s\rangle$ actually look like.

We know the operator $U$ just steps us through the cycle: $U|1\rangle = |x\rangle$, $U|x\rangle = |x^2\rangle$, ..., $U|x^{r-1}\rangle = |1\rangle$ (all modulo $N$).

We want to construct an eigenvector $|u_s\rangle$ such that applying $U$ just pulls out a global phase of $e^{2\pi i \frac{s}{r}}$, meaning $U|u_s\rangle = e^{2\pi i \frac{s}{r}} |u_s\rangle$.

Pause and think
If you were to build $|u_s\rangle$ as a superposition of the basis states in our cycle ($|1\rangle, |x\rangle, |x^2\rangle, \dots, |x^{r-1}\rangle$), what coefficients (or weights) would you put in front of each state so that shifting them all forward by one step is mathematically identical to multiplying the whole state by that specific phase $e^{2\pi i \frac{s}{r}}$? Try writing $|u_s\rangle=\alpha_0 |x^0\rangle+\alpha_1|x^1\rangle+\dots+\alpha_{r-1}|x^{r-1}\rangle$ and investigate the desired conditions to figure out what the coefficients $\alpha_{i}$ should be.
(Hint: Don't worry about normalization constants just yet, just focus on the relative phases of the terms in the superposition!)

Make sure you see why $U|u_s\rangle=\alpha_0 U|x^0\rangle+\alpha_1 U|x^1\rangle+\dots+\alpha_{r-1} U|x^{r-1}\rangle = \alpha_{r-1} |x^0\rangle+\alpha_0|x^1\rangle+\dots+\alpha_{r-2}|x^{r-1}\rangle$ and note that we also want $U|u_s\rangle=e^{2\pi is/r}|u_s\rangle$.

Hence, we choose coefficients such that $\alpha_{r-1}=e^{2\pi is/r} \alpha_0$, $\alpha_0=e^{2\pi is/r} \alpha_1$, $\alpha_1=e^{2\pi is/r} \alpha_2$ etc.

Pause and think
If we arbitrarily set $\alpha_0 = 1$ (we can worry about the overall normalization constant later), you can use those equations to find a pattern for every other coefficient. What is the explicit formula for the general coefficient $\alpha_k$ in terms of $s$, $r$, and $k$? Once you have that, write down the full, normalized expression for the eigenvector $|u_s\rangle$. (Keep in mind there are $r$ mutually orthogonal terms in this superposition, so what should the normalization factor be?)

Make sure you see why the general term is $\alpha_k=e^{-2\pi i s k / r}$.

So, we can write the eigenvector beautifully as:

$$|u_s\rangle = \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} e^{-2\pi i s k / r} |x^k \pmod{N}\rangle$$

The Catch-22

We now have our unitary $U$ and its eigenvectors $|u_s\rangle$. If we could feed just one of these $|u_s\rangle$ states into the second register of a quantum phase estimation circuit, the top register would measure the phase $\frac{s}{r}$. From there, we could easily classical-post-process our way to finding $r$.

But we have hit a massive roadblock: To construct the state $|u_s\rangle$ to plug into the circuit, we need to know $r$ in advance. But finding $r$ is the entire reason we are running the algorithm in the first place!

We cannot prepare $|u_s\rangle$. We need a workaround.

Pause and think
What happens if you take your formula for $|u_s\rangle$ and sum it up over all possible values of $s$? In other words, mathematically evaluate this sum:

$$\sum_{s=0}^{r-1} |u_s\rangle$$

(Hint: Substitute your expression for $|u_s\rangle$ into the sum, swap the order of the summations so you are summing over $s$ first, and see what happens to the coefficients. What is the sum of a full set of roots of unity for $k > 0$, and what happens when $k = 0$?) What state does this sum collapse into?
← Phase Estimation Factoring →