CS 294-2 Shor’s Factoring Algorithm 10/5/04

Fall 2004 Lecture 9

1 Introduction
Now that we have talked about Quantum Fourier Transforms and discussed some of their properties, let us see an
application area for these ideas. We will talk about Shor’s algorithm for finding prime factors of large integers.

The statement of the problem of factoring integer is as follows: Given an integer N, find prime numbers pi and integers
ei such that
e
N = pe11 × pe22 × . . . × pkk

Let us make two simplifications of the problem without loosing generality: Firstly, given N, it is enough to split it into
integers N1 and N2 such that N = N1 × N2 . It is easy to see that after a linear number (in size of the input, i.e. log N) of
such steps, we are guaranteed to reach prime factors. Secondly, assume that N is a product of two primes, N = p × q,
where p, q ∈ P.
√
Classically, naive algorithm for the factoring problem works
√
in time O( N). The fastest known algorithm for this
3
problem is Field Sieve algorithm that works in time 2O( logN) .
In fact, Shor showed that we can do better with quantum computer.
Theorem 9.1: There exists quantum algorithm that solves the factoring problem with bounded error probability in
polynomial time.
The rest of the paper is a proof of this theorem. Specifically, the factoring problem turns out to be equivalent to the
order-finding problem (defined below), because from a fast algorithm for order-finding problem we can get a fast
algorithm for factoring problem. The section 2 shows the reduction of factoring to order-finding and the section 3
shows a fast quantum algorithm for order-finding.

2 The reduction of factoring to order-finding

Recall that the numbers {x mod N : gcd(x, N) = 1 } forms a group under multiplication modulo N. Given x and N such
that gcd(x, N) = 1 let ord(x) denote the minimum positive r such that xr ≡ 1(mod N). The order finding problem is
to find ord(x).
The reduction of factoring to order-finding follows from Lemma 9.1 and Lemma 9.3.
Lemma 9.1: Given a composite number N and x, s.t. x is a nontrivial square root of 1 over N (that is, x2 ≡ 1(mod N),
and neither x ≡ 1(mod N) nor x ≡ −1(mod N)), we can efficiently compute a nontrivial factor of N.
Proof:From x2 ≡ 1(mod N) follows that x2 − 1 ≡ (x − 1) × (x + 1) ≡ 0(mod N). Since neither x ≡ 1(mod N) nor
x ≡ −1(mod N) we know that 1 < x < N − 1, so one of gcd(x − 1, N) and gcd(x + 1, N) is a nontrivial factor of N.
Since there exist a fast algorithm for computing gcd (Euclid’s algorithm), the efficiency easy follows. 2
Example: Let N = 15. Then 42 ≡ 1(mod N) and 4 6= ±1(mod N). Both gcd(4 − 1, 15) = 3 and gcd(4 + 1, 15) = 5
are nontrivial factors of 15.
Lemma 9.2: Let p be an odd prime and let x be uniformly random element s.t. 0 ≤ x < p. Then ord(x) is even with
probability at least one-half.
Proof:By Fermat’s little theorem we know that for every x : x p−1 ≡ 1(mod p). It is well known that multiplicative
group modulo prime number is a cyclic group, that means, there is an element g which generates all elements of group

CS 294-2, Fall 2004, Lecture 9 1

in the sense that any element can be written x ≡ gk (mod p) for some k. Since x is chosen uniformly at random, k is
odd with probability one-half. Further assume that k is odd. Since x ≡ gk (mod p) it turns out that

xord(x) ≡ gk ord(x) ≡ 1(mod p).

Now we can deduce that p − 1|k ord(x). Since p is odd, p − 1 is even, and k is odd, ord(x) has to be even. 2
Lemma 9.3: Let N = p × q, p, q ∈ P is composite odd number and x is taken uniformly at random from 0..N − 1. If
r
gcd(x, N) = 1 then with probability at least 83 ord(x) = r is even and x 2 6= ±1(mod N).
Proof:
By the Chinese remainder theorem, choosing x uniformly at random from 0..N −1 is the same as choosing x1 uniformly
at random from 0..p − 1 and independently x2 uniformly at random from 0..q − 1. Order for those numbers also are
related. Let r1 = ord(x1 ) and r2 = ord(x2 ). It is easy to see that both r1 |r and r2 |r.
Firstly, let us prove that the probability that r is even is at least 3/4. Since N is odd, p and q are odd primes. Thus r1 is
even when x1 is odd and r2 is even when x2 is odd. Since r is even when either r1 is even or r2 is even, and x1 and x2
are chosen uniformly at random, the probability that r is even is at least 3/4 from Lemma 2.
r
Secondly, let us prove that the probability that x 2 ≡ ±1(mod N) is at most one-half when r is even. Note that xr ≡
1(mod p) and xr ≡ 1(mod p) and there are only two square roots of 1 modulo prime number, namely ±1. By Chinese
r
reminder theorem it follows that there are only four roots of 1 modulo N. Only two of them makes x 2 6= ±1(mod N).
2
It is easy to see from Lemma 9.1 and Lemma 9.3 that if someone computs ord() function for us, we can find prime
factors of N classicaly. By checking answer (easy can be done efficiently) and repeating several times we can increase
the probability of success.

3 Shor’s order-finding algorithm

How do we efficiently find ord(x) = r? Here is how Shor’s quantum algorithm does it. The next subsection will
describe algorithm and will analyze it in a simplified case.

3.1 The simplified case

Let Q be sufficiently large, s.t. Q  N 2 . Let us assume now that r|Q. Case where r - Q algorithm is similar, just
analysis is somewhat more complicate.
The algorithm uses two registers:

• register 1 stores a number mod Q = 2q ,

• register 2 stores a number mod N,

and has several steps.

1. The registers are initially in the state |0i ⊗ |0i.

2. On applying the Fourier Transform modulo Q to register 1 we get the state

1 Q−1
√ ∑ |ai ⊗ |0i
Q a=0

3. Consider f (a) = xa mod N, a function that is easy to compute classically (can be computed in log a multiplica-
tions using repeated squaring, x2 = x × x, x4 = x2 × x2 , x8 = x4 × x4 , ...), and has r as its smallest period. Figure 1

CS 294-2, Fall 2004, Lecture 9 2

 shows such a function graphically. Note that f is distinct on [0, r − 1] since otherwise it would have a smaller
period. Applying function f to the contents of register 1 and storing the result in register 2, we get

1 Q−1
√ ∑ |ai| f (a)i
Q a=0

4. Now we measure the second register. When we measure, we must get some value; let it be f (l), where l is
uniformly random over 0..r −1. Then all superposed states inconsistent with the measured value must disappear.
So, the state of the two registers must be given by
Q
r −1
1
q ∑ | jr + li| f (l)i
Q j=0
r

5. Thus we have set up a periodic superposition of period r in register 1. Now we can drop the second register.
The first register has a periodic superposition whose period is the value we wanted to compute in the first place.
How do we get that period ?
Can we get anywhere by measuring the first register ? It’s no good, because all we will get is a random point,
with no correlation across independent trials (because l is random). Here’s what Shor’s algorithm does next.

0 r 2r

Figure 1: Function with smallest period r

Fourier sample modulo Q:

Since the next step is Fourier sampling, we can drop the shift value l by the properties of Fourier Transforms
discussed in the previous lecture. This allows move l to phase. Applying the Fourier sample to state
Q
r −1
1
q
Q j=0
∑ | jr + li
r

gives us

1 r−1 Q
√ ∑ ω kl |k i
r k=0 r

where ω is a primitive qth root of unity,

2π i
ω =e Q .

6. Let us measure register 1. The measurement gives us k Qr , where k is random variable uniformly from 0..r-1. It
is easy to see that with big probability gcd(k, Qr ) = 1. If so, then by computing gcd(k Qr , Q) we get Qr . Since we
know Q, from Qr it is straightforward to compute r.

CS 294-2, Fall 2004, Lecture 9 3

 3.2 The general case
In the previous lecture we made assumption that r|Q. It is very strong assumption because we do not know any
algorithm for computing such Q given x. Now we will show that the algorithm works correctly with constant
probability even if r - Q.
Now, in the 4th step, after applying the first measurement, we get state

b Qr c−1
1
q ∑ | jr + li
b Qr c j=0

This is no longer a coset of a subgroup, so earlier reasoning does not apply. Nevertheless, we will take a
Fourier transform anyway, and we will show that we get constructive interference primarily at the points close
to multiples of Qr . In fact, we will be close enough to essentially ”round” to the nearest multiple, and this will
allow us to calculate r with some reasonable probability.
Applying a Fourier transform to the expression above, we get

Q−1
∑ αl |li,
l=0

where
b Qr c−1
1 1
αl = √ × q
Q
∑ (ω rl ) j .
bQc r
j=0

Notice that if rl mod Q is small, then terms in the sum cover only a small angle in the complex plane, and hence,
the magnitude of the sum is almost the sum of the magnitudes. Next lemmas makes it precise.
Lemma 9.4: If − 2r ≤ lr mod Q ≤ r
2 for some lr then |αl | ≥ 1
22/3
× √1r .
Proof:
Let
2π irl
β = e Q j
= ω rl .

This stands for a vector on the complex plane. The sum

b Qr c−1
∑ βj
j=0

is a geometric series with common ratio β .

Since − 2r ≤ lr mod Q ≤ 2r , the terms of the series fan out less than or equal to an angle π on the complex plane.
This happens when β makes a small angle with the real line. Then as shown in Figure 2 half of the terms in the
above series make an angle less than or equal to π4 with the resultant of the vector addition of the terms in the
series. Then each such term contributes a fraction at least
π 1
cos = √
4 2
of its length to the resultant vector. So the magnitude of the resultant is at least
1 1 Q 1 1 1 1
×√ × ×√ ×q = 3/2 × √
2 2 r Q bQc 2 r
r

CS 294-2, Fall 2004, Lecture 9 4

 resultant vector

Figure 2: β makes small angle with real line

2
Lemma 9.5: − 2r ≤ lr mod Q ≤ r
2 with probability Θ(1).
Proof:
If gcd(r, Q) = 1 then r−1 mod Q exists. Thus as l varies in the range [0, Q − 1], lr must take values forming
a permutation of {0, 1, 2, . . . Q − 1}. Thus, as Figure 3 shows, at least r values of lr lie in the range [Q − r/2, r/2].

r/2

0
Q−1 r

Q−r/2

Figure 3: At least r values of lr satisfy the constraint

If gcd(r, Q) 6= 1, then lr mod Q is distributed as shown in Figure 4. In this case, at least r/2 values of lr lie in a
range [Q − r/2, r/2] of size r.
2gcd(r,Q) gcd(r,Q)
r/2
3gcd(r,Q)
... 0 r

Q−r/2

Figure 4: At least r/2 values of lr satisfy the constraint in the worst case

Thus, in any case, at least r/2 values of l satisfy the condition

r r
− ≤ lr mod Q ≤
2 2
From Lemma 9.4 each of them has amplitude at least
1 1
×
23/2 r1/2

CS 294-2, Fall 2004, Lecture 9 5

 Thus the probability of sampling such an l is at least
r 1 1 1
× ( 3/2 × 1/2 )2 ≥
2 2 r 16

1
So with probability more than 16 we will sample an l such that
r r
− ≤ lr mod Q ≤ .
2 2
2
1
So with probability more than 16 we will sample an l such that
r r
− ≤ lr mod Q ≤
2 2
i.e.
r
|lr − kQ| ≤
2
for some integer k; equivalently,

l k 1
| − | ≤
Q r 2Q

Thus, Ql is an 2Q
1
-approximation of the rational kr . We can measure l, and we know Q. The ratio l
Q, when
reduced to lowest terms, leads to a rational ab , say, which is a 2Q
1
-good approximation to kr .
1
Since k is randomly chosen from the range [0, r − 1], with probability at least log k , k and r are co-prime. Thus
k
by computing r we can compute r as well.
This suggests a way to make a good approximation, by simply choosing Q to be much larger than N. How much
larger than N does Q need to be, for us to evaluate r accurately?
The answer is given by Lemma 9.7 using continued fractions in the next subsection. We just compute continued
0
1
fractions until precision is at least 2Q . Assume, that the approximation is some rational number kr0 . If r = r0 then
we succeed otherwise

k k0 1 1
− ≥ 0 ≥ 2.
r r0 rr N

k0
It is contradiction because both k
r and r0 is 1
2Q ≤ 1
2N 2
close to ba . Therefore r = r0 .

3.3 Continued Fractions

The idea of continued fractions is to approximate real numbers using finite number of integers.
Definition 9.1 (Continued Fractions): A real number α can be approximated by a set of positive integers a0 ,
a1 , . . . , an as CFn (α ) = a0 + 1
1 = QPnn , where Pn and Qn are integers.
a1 + 1
a2 +
···+ a1n

CS 294-2, Fall 2004, Lecture 9 6

 Example: Let us try to approximate π to the first two decimal places with a rational number. We know that

π = 3.14 . . .
14
= 3+
100
1
= 3 + 100
14
1
= 3+ 2
7 + 14
1
≈ 3+
7
22
=
7
If we decided to approximate π to four decimal places, we would have

π = 3.1415 . . .
1415
= 3+
10000
1
= 3 + 10000
1415
1
= 3+ 95
7 + 1415
1
= 3+ 1
7 + 1415
95
1
= 3+ 1
7+ 85
14+ 95
1
≈ 3+ 1
7 + 14
311
=
99

The following two lemmas are well known facts about continued fractions that we will leave without a proof.
Lemma 9.6: CFn (α ) is the best rational approximation of α with denominator ≤ Qn .
Lemma 9.7: If α is rational then it occurs as one of the approximations CFn (α ).
Moreover, it is easy to see that continued fractions are easy to compute for any rational number.

CS 294-2, Fall 2004, Lecture 9 7