A Note On Shor's Quantum Algorithm For Prime Factorization: Zhengjun Cao

This document proposes a quantum algorithm for factoring RSA moduli (products of two primes) that only requires finding the order of 2 relative to the modulus, whether it is even or odd. It shows that the order divides the Euler totient function and uses the relation between computing the totient and factoring to iteratively search for the totient value and factors. The algorithm runs in time bounded by the difference between the sum of the prime factors and the order of 2.


A Note on Shor's Quantum Algorithm for Prime Factorization

Zhengjun Cao
Institute of System Science, Chinese Academy of Sciences, Beijing, P.R. China. [email protected]

Abstract. It is well known that Shor [1] proposed a polynomial-time algorithm for prime factorization using quantum computers. For a given number n, he gave an algorithm for finding the order r of an element x (mod n) instead of an algorithm for factoring n directly. The indirect algorithm is feasible because factorization can be reduced to finding the order of an element by using randomization [2]. One point should be stressed, however: the order of the chosen element must be even. Actually, this restriction can be removed in a particular case. In this paper, we show that factoring an RSA modulus (a product of two primes) only needs the order of 2, whether it is even or not.
Keywords: Shor's quantum algorithm, RSA modulus.

1 Introduction

Factoring integers is generally thought to be hard on a classical computer, but it is now held that prime factorization can be accomplished in polynomial time on a quantum computer. This remarkable result is due to Peter W. Shor [1]. For a given number n, he gave a quantum algorithm for finding the order r of an element x (mod n) instead of a quantum algorithm for factoring n directly. The indirect algorithm is feasible because factorization can be reduced to finding the order of an element by using randomization [2]. We now briefly describe this reduction.
To find a factor of an odd number n, given a method for computing the order r of x, choose a random x (mod n), find its order r, and compute gcd(x^{r/2} − 1, n). The Euclidean algorithm [3] can be used to compute gcd(x^{r/2} − 1, n) in polynomial time. Since (x^{r/2} − 1)(x^{r/2} + 1) = x^r − 1 ≡ 0 (mod n), the numbers gcd(x^{r/2} − 1, n) and gcd(x^{r/2} + 1, n) will be two factors of n. This procedure fails only if r is odd, in which case r/2 is not an integer, or if x^{r/2} ≡ −1 (mod n), in which case the procedure yields the trivial factors 1 and n. Using this criterion, it can be shown that this procedure, when applied to a random x (mod n), yields a nontrivial factor of n with probability at least 1 − 1/2^{k−1}, where k is the number of distinct odd prime factors of n. Refer to [1] for a brief sketch of the proof of this result.
One phenomenon might be observed: existing prime factorization algorithms [4, 5, 6, 7, 8, 9] as well as Shor's quantum algorithm all aim to factor arbitrary numbers. No algorithm pays special attention to numbers of particular structure, for instance a product of two primes. But such numbers are of great importance in public key cryptography; they are usually called RSA moduli. In this paper, we give a new algorithm for factoring a product of two primes based on Shor's quantum algorithm, which takes advantage of this special structure. We show that factoring an RSA modulus only needs the order of 2, whether it is even or not.

2 Preliminary

Let N = pq be a product of two odd primes and Φ(N) be Euler's totient function. We know

Φ(N) = (p − 1)(q − 1) = pq − p − q + 1

and

N − Φ(N) + 1 = p + q.

Consider the following equation

x^2 − Mx + N = 0   (∗)

where M is undetermined. Hence, we obtain two roots

x_1 = \frac{M + \sqrt{M^2 - 4N}}{2}, \qquad x_2 = \frac{M - \sqrt{M^2 - 4N}}{2}.

If

M = N − Φ(N) + 1

then equation (∗) can be rewritten as

x^2 − (p + q)x + pq = 0.

Therefore,

x_1 | N,  x_2 | N.

If

M ≠ N − Φ(N) + 1

then neither x_1 nor x_2 is an integer (since x_1 x_2 = pq).

The above discussion leads to the following theorem:

Theorem 1. If N = pq is a product of two distinct odd primes, then

\frac{M + \sqrt{M^2 - 4N}}{2} \;\Big|\; N \iff M = N - Φ(N) + 1.

Proof. (⇐) It is trivial.
(⇒) Since N = pq is a product of two distinct odd primes and (M + \sqrt{M^2 - 4N})/2 | N, without loss of generality we assume that (M + \sqrt{M^2 - 4N})/2 = p. Hence M + \sqrt{M^2 - 4N} = 2p, so M^2 − 4N = 4p^2 − 4pM + M^2, i.e. pM = p^2 + N = p^2 + pq. Therefore M = p + q = N − Φ(N) + 1. □

3 A quantum computer algorithm for factoring RSA modulus

Denote by ord_N(2) the order of 2 modulo N, where N is a product of two distinct odd primes. Obviously,

ord_N(2) | Φ(N).

Set s := [N / ord_N(2)], where [x] denotes the integer part of x. Clearly,

Φ(N) ≤ s × ord_N(2).

Therefore,

Φ(N) ∈ {ord_N(2), 2 × ord_N(2), ..., (s − 1) × ord_N(2), s × ord_N(2)}.

It is well known that Φ(N) must be kept secret. How can Φ(N) be found in the set

{ord_N(2), 2 × ord_N(2), ..., (s − 1) × ord_N(2), s × ord_N(2)}?

In the following, we design a quantum computer algorithm based on Theorem 1, which takes advantage of the relation between computing Φ(N) and factoring N. The algorithm computes Φ(N) and factors N simultaneously.
A Quantum Algorithm for Factoring RSA Modulus:

(1) input N, compute ord_N(2) by using Shor's quantum algorithm
(2) s ← [N / ord_N(2)]
(3) M ← N − s × ord_N(2) + 1
(4) if M^2 − 4N is not a square, then s ← s − 1, goto step (3)
(5) t ← (M + \sqrt{M^2 - 4N})/2; if t is not an integer, then s ← s − 1, goto step (3)
(6) output t, N/t.

How much time does this algorithm take? Apart from the time of computing ord_N(2) in step (1), it seems that the running time of the algorithm mainly depends on the number of loops, i.e., the value of s. In fact, it only depends on the upper bound for (p + q − 1)/ord_{pq}(2). If (p + q − 1)/ord_{pq}(2) ≤ k, where k is an integer, then the above algorithm will halt in k loops.
Verifying whether M^2 − 4N is a perfect square is easy.
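As an added worked example (not code from the paper), the following runs the classical steps (2)-(6) of the algorithm above, together with the root formula from the Preliminary section. The quantum order-finding of step (1) is replaced by an assumed brute-force order computation that is only usable for toy moduli; the moduli 15, 161 and 10403 are constructed for the walkthrough, and 161 = 7 × 23 exercises the odd-order case the paper highlights (ord_161(2) = 33), where the classical gcd(x^{r/2} − 1, n) reduction would not apply.

```python
from math import gcd, isqrt


def multiplicative_order(a, n):
    """Order of a modulo n by classical brute force. This stands in for the quantum
    order-finding of step (1) (assumed replacement, not the paper's method); it is
    exponential in log n and only workable for small constructed N."""
    if gcd(a, n) != 1:
        raise ValueError("a and n must be coprime")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def is_square(v):
    """Step (4): exact perfect-square test on a non-negative integer."""
    return v >= 0 and isqrt(v) * isqrt(v) == v


def factor_rsa_modulus(N, r=None):
    """Steps (2)-(6). r is ord_N(2); if None it is computed classically above.
    Returns (t, N // t, loops) where loops counts executions of step (3)."""
    if r is None:
        r = multiplicative_order(2, N)
    s = N // r                      # step (2): s = [N / ord_N(2)]
    loops = 0
    while s >= 1:
        loops += 1
        M = N - s * r + 1           # step (3): candidate for p + q
        d = M * M - 4 * N           # discriminant of x^2 - Mx + N = 0
        if not is_square(d):        # step (4)
            s -= 1
            continue
        top = M + isqrt(d)          # step (5): t = (M + sqrt(M^2 - 4N)) / 2
        if top % 2:
            s -= 1
            continue
        t = top // 2
        return t, N // t, loops     # step (6)
    raise ValueError("no factor found (N is not a product of two distinct odd primes?)")


if __name__ == "__main__":
    for N in (15, 161, 10403):      # constructed toy moduli
        print(N, "ord_N(2) =", multiplicative_order(2, N), "->", factor_rsa_modulus(N))
```

For N = 161 the first candidate M = 161 − 4 × 33 + 1 = 30 already equals p + q, so a single loop recovers 23 and 7 even though the order 33 is odd.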

4 Conclusion

In this paper, we take advantage of the particular structure of a product of two primes to design a quantum computer algorithm for factoring an RSA modulus. We show that factoring an RSA modulus does not require randomly choosing a number x such that the order of x modulo N is even. It only needs the order of 2 modulo N, whether it is even or not.

References
[1] Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, Vol. 26, No. 5, pp. 1484-1509, 1997.
[2] G.L. Miller. Riemann's hypothesis and tests for primality. J. Comput. System Sci., 13, pp. 300-317, 1976.
[3] D.E. Knuth. The Art of Computer Programming, Vol. 2: Seminumerical Algorithms, 2nd ed., Addison-Wesley, 1981.
[4] L.M. Adleman. Algorithmic number theory: the complexity contribution. In Proc. 35th Annual Symposium on Foundations of Computer Science, IEEE Computer Society Press, pp. 88-113, 1994.
[5] A.K. Lenstra and H.W. Lenstra, Jr. (eds.). The Development of the Number Field Sieve. Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin, 1993.
[6] A.K. Lenstra, H.W. Lenstra, Jr., M.S. Manasse, and J.M. Pollard. The number field sieve. In Proc. 22nd Annual ACM Symposium on Theory of Computing, Association for Computing Machinery, New York, pp. 564-572, 1990.
[7] J.M. Pollard. A Monte Carlo method for factorization. BIT 15, pp. 331-334, 1975.
[8] Carl Pomerance and S.S. Wagstaff. Implementation of the continued fraction integer factoring algorithm. Congressus Numerantium 37, pp. 99-118, 1983.
[9] Carl Pomerance. The quadratic sieve factoring algorithm. In Advances in Cryptology: Proceedings of Euro'1984, LNCS 209, pp. 169-182, Springer-Verlag, Berlin.
