← Quantum Information & Computing
πŸ”
Topic 8 of 12

Shor's Factoring Algorithm

Shor's algorithm (1994) factors an integer N in O((log N)Β³) time β€” exponentially faster than the best classical algorithms, which run in sub-exponential but super-polynomial time. Since RSA encryption relies on the hardness of factoring large numbers, a large-scale quantum computer running Shor's algorithm would break RSA and most public-key cryptography currently protecting the internet.

Key Concepts

Period Finding
Shor's key insight: factoring N reduces to finding the period rr of the function f(x)=axβ€Šmodβ€ŠNf(x) = a^x \bmod N for a random aa coprime to NN. If we find rr, then ar≑1(modN)a^r \equiv 1 \pmod{N}, and with high probability gcd⁑(ar/2Β±1,N)\gcd(a^{r/2} \pm 1, N) gives non-trivial factors of NN.
Quantum Period Finding
The QFT detects the period rr exponentially efficiently. Prepare a uniform superposition of all xx values, apply the modular exponentiation ∣x⟩∣0βŸ©β†’βˆ£x⟩∣axβ€Šmodβ€ŠN⟩|x\rangle|0\rangle \to |x\rangle|a^x \bmod N\rangle, measure the second register (which collapses the first to a periodic superposition), then apply QFT and measure to extract N/rN/r.
Continued Fractions
After the QFT measurement yields a rational approximation s/qs/q to j/rj/r for some integer jj, the classical continued fractions algorithm recovers rr efficiently. This is the classical post-processing step that converts the quantum frequency measurement into the actual period.
RSA Cryptography
RSA encryption uses a public key (N,e)(N, e) where N=pqN = pq is a product of two large primes. Security relies on the assumption that factoring NN is computationally infeasible classically (sub-exponential time). Shor's algorithm breaks this assumption β€” a 4000-logical-qubit quantum computer could factor 2048-bit RSA keys.
Post-Quantum Cryptography
Cryptographic schemes resistant to quantum attacks, standardized by NIST in 2024. Leading approaches: lattice-based cryptography (Learning With Errors), hash-based signatures, and code-based cryptography. These problems are believed to resist both classical and quantum attacks.
Modular Exponentiation
Computing axβ€Šmodβ€ŠNa^x \bmod N for all xx simultaneously in quantum superposition requires O(n3)O(n^3) gates (where n=log⁑Nn = \log N) using repeated squaring and modular arithmetic circuits. This is the most resource-intensive part of Shor's algorithm on real hardware.

Key Equations

Reduction to Period Finding
N=pqβ€…β€ŠβŸΉβ€…β€ŠfindΒ periodΒ rΒ ofΒ axβ€Šmodβ€ŠNβ€…β€ŠβŸΉβ€…β€Šp,q=gcd⁑(ar/2Β±1,N)N = pq \implies \text{find period } r \text{ of } a^x \bmod N \implies p,q = \gcd(a^{r/2}\pm 1, N)
Factoring reduces to period finding via number theory.
Period Condition
ar≑1(modN),gcd⁑(a,N)=1a^r \equiv 1 \pmod{N}, \quad \gcd(a,N) = 1
r is the multiplicative order of a modulo N.
Factor Extraction
gcd⁑(ar/2βˆ’1, N)Β andΒ gcd⁑(ar/2+1, N)\gcd(a^{r/2}-1,\, N) \text{ and } \gcd(a^{r/2}+1,\, N)
These GCDs give non-trivial factors of N with probability β‰₯ 1/2.
Shor's Complexity
TShor(N)=O((log⁑N)3)β‰ͺTclassical=eO((log⁑N)1/3(log⁑log⁑N)2/3)T_{\text{Shor}}(N) = O((\log N)^3) \ll T_{\text{classical}} = e^{O((\log N)^{1/3}(\log\log N)^{2/3})}
Shor is polynomial; the best classical factoring (GNFS) is sub-exponential.
Worked Example

Factoring N=15 with a=7

Problem

Use period finding to factor N=15N=15 with base a=7a=7.

Solution

Compute powers of 7 mod 15 to find the period:

71β€Šmodβ€Š15=7,72β€Šmodβ€Š15=49β€Šmodβ€Š15=47^1 \bmod 15 = 7,\quad 7^2 \bmod 15 = 49 \bmod 15 = 4
73β€Šmodβ€Š15=7β‹…4β€Šmodβ€Š15=28β€Šmodβ€Š15=13,74β€Šmodβ€Š15=7β‹…13β€Šmodβ€Š15=91β€Šmodβ€Š15=17^3 \bmod 15 = 7\cdot4 \bmod 15 = 28 \bmod 15 = 13,\quad 7^4 \bmod 15 = 7\cdot13 \bmod 15 = 91 \bmod 15 = 1

Period r=4r=4. Now compute the factors:

gcd⁑(72βˆ’1, 15)=gcd⁑(48, 15)=gcd⁑(3, 15)=3\gcd(7^2 - 1,\, 15) = \gcd(48,\, 15) = \gcd(3,\, 15) = 3
gcd⁑(72+1, 15)=gcd⁑(50, 15)=gcd⁑(5, 15)=5\gcd(7^2 + 1,\, 15) = \gcd(50,\, 15) = \gcd(5,\, 15) = 5
Answer Factors of 15: 3 and 5. (15 = 3 Γ— 5)
Practice

Exercises

6 problems
1 of 6

72β€Šmodβ€Š15=?7^2 \bmod 15 = ?

2 of 6

gcd⁑(48,15)=?\gcd(48, 15) = ?

3 of 6

Find the period rr of 2xβ€Šmodβ€Š152^x \bmod 15: 21=2,22=4,23=8,24=16β€Šmodβ€Š15=12^1=2, 2^2=4, 2^3=8, 2^4=16\bmod15=1. What is rr?

Unlock Exercise 3

Subscribe to PhysWeb Pro to access all exercises and track your progress.

Upgrade to Pro β†’
4 of 6

210β€Šmodβ€Š15=?2^{10} \bmod 15 = ? (Use period r=4r=4: 10=2Γ—4+210 = 2\times4+2, so answer =22β€Šmodβ€Š15= 2^2 \bmod 15.)

Unlock Exercise 4

Subscribe to PhysWeb Pro to access all exercises and track your progress.

Upgrade to Pro β†’
5 of 6

gcd⁑(24/2βˆ’1,15)=gcd⁑(3,15)=?\gcd(2^{4/2}-1, 15) = \gcd(3, 15) = ?

Unlock Exercise 5

Subscribe to PhysWeb Pro to access all exercises and track your progress.

Upgrade to Pro β†’
6 of 6

Shor's algorithm time complexity is O((log⁑N)k)O((\log N)^k). What is kk?

Unlock Exercise 6

Subscribe to PhysWeb Pro to access all exercises and track your progress.

Upgrade to Pro β†’

Key Takeaways

  • Shor's algorithm factors NN in O((log⁑N)3)O((\log N)^3) time β€” exponentially faster than any known classical method.
  • The key step is period finding: find rr s.t. ar≑1(modN)a^r \equiv 1 \pmod N; then gcd⁑(ar/2Β±1,N)\gcd(a^{r/2}\pm1, N) gives factors.
  • The QFT efficiently extracts the period rr from the periodic amplitude pattern of ∣axβ€Šmodβ€ŠN⟩|a^x \bmod N\rangle.
  • RSA security relies on factoring being hard classically; Shor's algorithm breaks this assumption.
  • Post-quantum cryptography (lattice-based, hash-based) is being standardized to resist quantum attacks.
← Previous Grover's Search Algorithm