Algorithms for Quantum Computation:
Discrete Logarithms and Factoring
Peter W.Shor
AT8zT Bell Labs
Room 2D- 149
600 Mountain Ave.
Murray Hill, NJ 07974, USA
Abstract
A computer is generally considered to be a universal
computational device; i.e., it is believed able to simulate
any physical computational device with a cost in com-
putation time of at most a polynomial factol: It is not
clear whether this is still true when quantum mechanics
is taken into consideration. Several researchers, starting
with David Deutsch, have developed models for quantum
mechanical computers and have investigated their compu-
tational properties. Thispaper gives Las Vegas algorithms
for finding discrete logarithms and factoring integers on
a quantum computer that take a number of steps which is
polynomial in the input size, e.g., the number of digits of the
integer to be factored. These two problems are generally
considered hard on a classical computer and have been
used as the basis of several proposed cryptosystems. (We
thus give the first examples of quantum cryptanulysis.)
1 Introduction
Since the discovery of quantum mechanics, people have
found the behavior of the laws of probability in quan-
tum mechanics counterintuitive. Because of this behavior,
quantum mechanical phenomena behave quite differently
than the phenomena of classical physics that we are used
to. Feynman seems to have been the first to ask what effect
this has on computation [13, 141. He gave arguments as
to why this behavior might make it intrinsically compu-
tationally expensive to simulate quantum mechanics on a
classical (or von Neumann) computer. He also suggested
the possibility of using a computer based on quantum me-
chanical principles to avoid this problem, thus implicitly
asking the converse question: by using quantum mechan-
ics in a computer can you compute more efficiently than
on a classical computer. Other early work in the field of
quantum mechanics and computing was done by Benioff
124
0272-5428/94 $04.00 0 1994 IEEE
[ 1,2]. Although he did not ask whether quantum mechan-
ics conferred extra power to computation, he did show that
a Thing machine could be simulated by the reversible uni-
tary evolution of a quantum process, which is a necessary
prerequisite for quantum computation. Deutsch [9,10]was
the first to give an explicit model of quantum computation.
He defined both quantum Turing machines and quantum
circuits and investigated some of their properties.
The next part of this paper discusses how quantum com-
putation relates to classical complexity classes. We will
thus first give a brief intuitive discussion of complexity
classes for those readers who do not have this background.
There are generally two resources which limit the ability
of computers to solve large problems: time and space (i.e.,
memory). The field of analysis of algorithms considers
the asymptotic demands that algorithms make for these
resources as a function of the problem size. Theoretical
computer scientists generally classify algorithms as effi-
cient when the number of steps of the algorithms grows as
a polynomial in the size of the input. The class of prob-
lems which can be solved by efficient algorithms is known
as P. This classification has several nice properties. For
one thing, it does a reasonable job of reflecting the per-
formance of algorithms in practice (although an algorithm
whose running time is the tenth power of the input size,
say, is not truly efficient). For another, this classification is
nice theoretically, as different reasonable machine models
produce the same class P. We will see this behavior reap-
pear in quantum computation, where different models for
quantum machines will vary in running times by no more
than polynomial factors.
There are also other computational complexity classes
discussed in this paper. One of these is PSPACE, which
are those problems which can be solved with an amount
of memory polynomial in the input size. Another impor-
tant complexity class is NP,which intuitively is the class
of exponential search problems. These are problems which
may require the search of an exponential size space to find
the solution, but for which the solution, once found, may
be verified in polynomial time (possibly with a polynomial
amount of additional supporting evidence). We will also
discuss two other traditional complexity classes. One is
BPP, which are problems which can be solved with high
probability in polynomial time, given access to a random
number generator. The other is P“, which are those prob-
lems which could be solved in polynomial time if sums
of exponentially many terms could be computed efficiently
(where these sums must satisfy the requirement that each
term is computable in polynomial time). These classes are
related as follows:
P c BPP, NP P#’ 5 PSPACE.
The relationship of BPP and NP is not known.
The question of whether using quantum mechanics in a
computer allows one to obtain more computational power
has not yet been satisfactorily answered. This question
was addressed in [ l l , 6, 71, but it was not shown how to
solve any problem in quantum polynomial time that was
not known to be solvable in BPP (the class of problems
which can be solved in polynomial time with a bounded
probability of error). Recent work on this problem was
stimulated by Bernstein and Vazirani’s paper [ 5 ] which
laid the foundations of the quantum computation theory of
computational complexity. One of the results contained in
this paper was an oracle problem (a problem involving a
“black box” subroutine) which can be done in polynomial
time on a quantum Turing machine and requires super-
polynomial time on a classical computer. This was the
first indication, other than the fact that nobody knew how
to simulate a quantum computer on a classical computer
without an exponential slowdown, that quantum computa-
tion might obtain a greater than polynomial speedup over
classical computation augmented with a random number
generator. This result was improved by Simon [28], who
gave a much simpler construction of an oracle problem
which takes polynomial time on a quantum computer and
requires exponential time on a classical computer. Indeed,
by viewing Simon’s oracle as a subroutine, this result be-
comes a promise problem which takes polynomial time on a
quantum computer and looks as if it would be very difficult
on a classical computer. The algorithm for the “easy case”
of discrete log given in this paper is directly analogous to
Simon’s algorithm with the group Z t replaced by the group
Z,- 1 ; I was only able to discover this algorithm after seeing
Simon’s paper.
In another result in Bernstein and Vazirani’s paper, a
particular class of quantum Turing machine was rigorously
defined and a universal quantum Turing machine was given
which could simulate any other quantum Turing machine
of this class. Unfortunately, it was not clear whether these
125
quantum Turing machines could simulate other classes of
quantum Turing machines, so this result was not entirely
satisfactory. Yao [32] has remedied the situation by show-
ing that quantum Turing machines can simulate, and be
simulated by, uniform families of polynomial size quantum
circuits, with at most polynomial slowdown. He has further
defined quantum Turing machines with k heads and showed
that these machines can be simulated with slowdown of a
factor of 2k. This seems to show that the class of problems
which can be solved in polynomial time on one of these
machines, possibly with a bounded probability E < 113
of error, is reasonably robust. This class is called BQP in
analogy to the classical complexity class BPP, which are
those problems which can be solved with a bounded prob-
ability of error on a probabilistic Turing machine. This
class BQP could be considered the class of problems that
are efficiently solvable on a quantum Turing machine.
c
Since BQP P#‘ C PSPACE [ 5 ] , any non-relativized
proof that BQP is strictly larger than BPP would imply the
structural complexity result BPP PSPACE which is not
yet proven. In view of this difficulty, several approaches
come to mind; one is showing that BQP C BPP would
lead to a collapse of classical complexity classes which are
believed to be different. A second approach is to prove
results relative to an oracle. In Bennett et al. [4] it is shown
that relative to a random oracle, it is not the case that NP
& BQP. This proof in fact suggests that a quantum com-
puter cannot invert one-way functions, but only proves this
for one-way oracles, i.e. “black box” functions given as a
subroutine which the quantum computer is not allowed to
look inside. Such oracle results have been misleading in
the past, most notably in the case of IP = PSPACE [ 15,271.
A third approach, which we take, is to solve in BQP some
well-studied problem for which no polynomial time algo-
rithm is known. This shows that the extra power conferred
by quantum interference is at least hard to achieve using
classical computation. Both Bernstein and Vazirani [5] and
Simon [28] also gave polynomial time algorithms for prob-
lems which were not known to be in BPP, but these problems
were invented especially for this purpose, although Simon’s
problem does not appear contrived and could conceivably
be useful.
Discrete logarithms and integer factoring are two
number-theory problems which have been studied exten-
sively but for which no polynomial-time algorithms are
known [16, 19, 20, 251. In fact, these problems are so
widely believed to be hard that cryptosystems based on
their hardness have been proposed, and the RSA public key
cryptosystem [26], based on the hardness of factoring, is in
use. We show that these problems can be solved in BQP.
Currently, nobody knows how to build a quantum com-
puter, although it seems as though it could be possible
within the laws of quantum mechanics. Some suggestions
have been made as to possible designs for such computers
[29, 21, 22, 121, but there will be substantial difficulty in
building any of these [18, 311. Even if it is possible to
build small quantum computers, scaling up to machines
large enough to do interesting computations could present
fundamental difficulties. It is hoped that this paper will
stimulate research on whether it is feasible to actually con-
struct a quantum computer.
Even if no quantum computer is ever built, this research
does illuminate the problem of simulating quantum me-
chanics on a classical computer. Any method of doing this
for an arbitrary Hamiltonian would necessarily be able to
simulate a quantum computer. Thus, any general method
for simulating quantum mechanics with at most a polyno-
mial slowdown would lead to a polynomial algorithm for
factoring.
2 Quantum computation
In this section we will give a brief introduction to quan-
tum computation, emphasizing the properties that we will
use. For a more complete overview I refer the reader to
Simon’s paper in this proceedings [28] or to earlier papers
on quantum computational complexity theory [5,32].
In quantum physics, an experiment behaves as if it pro-
ceeds down all possible paths simultaneously. Each of these
paths has a complex probability amplitude determined by
the physics of the experiment. The probability of any par-
ticular outcome of the experiment is proportional to the
square of the absolute value of the sum of the amplitudes
of all the paths leading to that outcome. In order to sum
over a set of paths, the outcomes have to be identical in
all respects, i.e., the universe must be in the same state. A
quantum computer behaves in much the same way. The
computation proceeds down all possible paths at once, and
each path has associated with it a complex amplitude. To
determine the probability of any final state of the machine,
we add the amplitudes of all the paths which reach that final
state, and then square the absolute value of this sum.
An equivalent way of looking at this process is to imag-
ine that the machine is in some superposition of states at
every step of the computation. We will represent this su-
perposition of states as
a algorithms for quantum machines.
where the amplitudes a, are complex numbers such that
xi lai = 1 and each IS*) is a basis state of the machine;
in a quantum Thing machine, a basis state is defined by
what is written on the tape and by the position and state of
the head. In a quantum circuit a basis state is defined by
126
the values of the signals on all the wires at some level of
the circuit. If the machine is examined at a particular step,
the probability of seeing basis state IS,) is la,[’; however,
by the Heisenberg uncertainty principle, looking at the ma-
chine during the computation will disturb the rest of the
computation.
The laws of quantum mechanics only permit unitary
transformations of the state. A unitary matrix is one whose
conjugate transpose is equal to its inverse, and requiring
state transformations to be represented by unitary matri-
ces ensures that the probabilities of obtaining all possible
outcomes will add up to one. Further, the definitions of
quantum Turing machine and quantum circuit only allow
local unitary transformations, that is, unitary transforma-
tions on a fixed number of bits.
Perhaps an example will be informative at this point.
Suppose our machine is in the superposition of states
and we apply the unitary transformation
00 01 10 11
11 I f --21
to the last two bits of our state. That is, we multiply the
last two bits of the components of the vector (2.2) by the
matrix (2.3). The machine will then go to the superposition
*
of states
+ 1001) + [OlO)+ 1011))+ f(101)+f 1 1 1 1 ) .
(~ooo)
(2.4)
Notice that the result would have been different had we
started with the superposition of states
which has the same probabilities of being in any particular
configuration if it is observed.
We now give certain properties of quantum computation
that will be useful. These facts are not immediately ap-
parent from the definition of quantum Thing machine or
quantum circuit, and they are very useful for constructing
Fact 1: A deterministic computation is performable on a
quantum computer if and only if it is reversible.
From results on reversible computation [3,30], we
can compute any polynomial time function f(a)
as long as we keep the input, a, on the machine. To
 erase a and replace it with f ( a )we need in addition
that f is one-to-one and that a is computable in
polynomial time from f ( a ) ;i.e., that both f and
f - I are polynomial-time computable.
Fact 2: Any polynomial size unitary matrix can be approx-
imated using a polynomial number of elementary
unitary transformations [ 10,5,32] and thus can be
approximated in polynomial time on a quantum
computer. Further, this approximation is good
enough so as to introduce at most a bounded prob-
ability of error into the results of the computation.
3 Building unitary transformations
Since quantum computation deals with unitary transfor-
mations, it is helpful to be able to build certain useful unitary
transformations. In this section we give some techniques
for constructing unitary transformations on quantum ma-
chines, which will result in our showing how to construct
one particular unitary transformation in polynomial time.
These transformations will generally be given as matrices,
with both rows and columns indexed by states. These states
will correspond to representations of integers on the com-
puter; in particular, the rows and columns will be indexed
beginning with 0 unless otherwise specified.
A tool we will use repeatedly in this paper is the follow-
ing unitary transformation, the summation of which gives
a Fourier transform. Consider a number a with 0 5 a < q
for some q where the number of bits of q is polynomial.
We will perform the transformation that takes the state la)
to the state
a- 1
( b )exp(27riab/q) (3.1)
q’I2
b=O
That is, we apply the unitary matrix whose ( a ,b)’th entry
is & exp(2mab/q). This transformation is at the heart
of our algorithms, and we will call this matrix A,. Since
we will use A , for q of exponential size, we must show
how this transformation can be done in polynomial time.
In fact, we will only be able to do this for smooth numbers
q, that is, ones with small prime factors. In this paper, we
will deal with smooth numbers q which contain no prime
power factor that is larger than (logq)“ for some fixed c.
It is also possible to do this transformation in polynomial
time for all smooth numbers q; Coppersmith shows how to
do this for q = 2k using what is essentially the fast Fourier
transform, and that this substantially reduces the number of
operations required to factor [ 81.
If we know a factorization q = qlq2q3 . . . qk where
gcd(ql, q3) = 1 and where IC and all of the qz are of poly-
nomial size we will show how to build the transformation
127
A , in polynomial time by composing the A,, . For this, we
first need a lemma on quantum computation.
Lemma3.1 Suppose the matrix B is a block-diagonal
mn x mn unitary matrix composed of n identical unitary
m x m matrices B’ along the diagonal and 0’s everywhere
else. Suppose further that the state transformation B’ can
be done in time T ( B ‘ )on a quantum Turing machine. Then
the matrix B can be done in T (B’) + (log mn)“time on a
quantum Turing machine, where c is a constant.
We will call this matrix B the direct sum of n copies of B’
and use the notation B = $, B’. This matrix B is the
tensor product of B’ and I,,, where I,, is the n x n identity
matrix.
Proof Suppose that we have a number a on our tape.
We can reversibly compute a1 and a 2 from a where a =
+
mal a2. This computation erases a from our tape and
replaces it with crl and 1x2. Now a1 tells in which block the
row a is contained, and a 2 tells which row of the matrix
within that block is the row a. We can then apply B’ to a 2
to obtain p2 (erasing a 2 in the process). Now, combining
+
a1 and p2 to obtain b = mal p2 gives the result of B
applied to a (with the right amplitude). The computation
of B’ takes T(B’)time, and the rest of the computation is
+
polynomial in log m log n. I
We now show how to obtain A , for smooth q. We
will decompose A , into a product of a polynomial number
of unitary transformations, all of which are performable
in polynomial time; this enables us to construct A , in
polynomial time. Suppose that we have q = q1q2 with
gcd(ql, q2) = 1. What we will do is represent A , = C D ,
where by rearranging the rows and columns of D we obtain
e,, A,, and rearranging the rows and columns of C we
obtain $,, A,, . As long as these rearrangements of the
rows and columns of C and D are performable in polyno-
mial time (i.e., given row r , we can find in polynomial time
the row r’ to which it is taken) and the inverse operations
are also performable in polynomial time, then by using the
lemma above and recursion we can obtain a polynomial-
time way to perform A , on a quantum computer.
We now need to define C and D and check that
A, = C D . To define C and D we need some preliminary
definitions. Recall that q = qlq2 with q1 and q2 relatively
prime. Let w = exp(27ri/q). Let U be the number (mod q )
such that U E 0 (mod 41) and U = - 1 (mod 42). Such a
number exists by the Chinese remainder theorem, and can
be computed in polynomial time. We will decompose row
+
and column indices a, b and c as follows: a = a1q2 a 2 ,
+
b = plql p2, and c = 7141 + 72. Note the asymmetry in
the definitions of a, b and c.
 We can now define C and D: product is larger than 2n, divide it by the largest prime
that keeps the number larger than n. This produces the
desired q. There is always a prime between m and 2m [ 17,
Theorem 4 181, so n 5 q < 2n. The prime number theorem
[ 17, Theorem 61 and some calculation show that the largest
and prime dividing q is of size O(1og n). I
Note that if we are using Coppersmith’s transformation
A2k using the 2% roots of unity, we set q = 2k where
IC = [logznJ + 1.
It is easy to see that C D ( a ,c ) = C(a,b)D(b,c) where
+
6 = a2ql 7 2 since we need a2 = P1 and PZ = 72 to 4 Discrete log: the easy case
ensure non-zero entries in C(a,b) and D(b,c). Now,
The discrete log problem is: given a prime p, a generator
g of the multiplicative group (mod p) and an x (mod p ) ,
- 1 Wai~z~+a2~~q1+a2~2
- p find an T such that g’ = x (mod p). We will start by
giving a polynomial-time algorithm for discrete log on a
- $ W(alqz+a2)(Yl~l+-fz)
quantum computer in the case that p - 1 is smooth. This
algorithm is analogous to the algorithm in Simon’s paper
= $Wac (3.4)
e
[28], with the group replaced by &-I. The smooth case
is not in itself an interesting accomplishment,since there are
SO CD(a,C) = A,(a, c).
We will now sketch how to rearrange the rows and already polynomial time algorithms for classical computers
columns of C to get the matrix eq2 A q l . The matrix C in this case [24]; however, explaining this case is easier
can be put in block-diagonal form where the blocks are than explaining either the general case of discrete log or the
indexed by cy2 = 01 (since all entries with az # /31 are 0). factoring algorithm, and as the three algorithms are similar,
+ =
Let U 1 tqz (mod q). Within a given block a2 = PI, this example will illuminate how the more complicated
the entries look like algorithms work.
We will start our algorithm with x,g and p on the tape
f i qa,
b) = w~1P29z+PIP2(u+~)
(i.e., in the quantum memory of our machine). We are
= exp(274a1P2 + PlPZt)QZ/Q) trying to compute T such that g‘ E x (mod p). Since we
+
= exp(27ri(a1 azt)PZ/ql). (3.5) will never delete them, x, g , and p are constants, and we
will specify a state of our machine by the other contents of
Thus, if we rearrange the rows within this block so that they the tape.
are indexed by a’ cy1 +a2t (mod q l ) , we obtain the trans- The algorithm starts out by “choosing” numbers a and
formation a’ -+ & with amplitude +
‘I1
exp(2nia’h/ql); b (mod p - 1) uniformly, so the state of the machine after
this step is
that is, the transformation given by the unitary matrix with
the (a‘,Pz) entry equal to % exp(2?ricrf&/ql), which is p-Zp-2

A,, . The matrix D

‘I1
can similarly be rearranged to obtain
-yY)oJ)*
- a=O b=O
(4.1)
the matrix eq, Aq2.
We also need to show how to find a smooth q that lies The algorithm next computes gax-b (mod p) reversibly, so
between n and 2n in polynomial time. There are actually we must keep the values a and b on the tape. The state of
smooth q much closer to n than this, but this is all we need. the machine is now
It is not known how to find smooth numbers very close to
n in polynomial time.

Lemma 3.2 Given n, there is a polynomial-time algorithm

to find a number q with n 5 q < 2n such that no prime
power larger than clogq divides q, for some constant c
independent of n.
Proof To find such a q, multiply the primes 2 ~3 ~5 a7 .
11 . . .pk until the product is larger than n. Now, if this
What we do now is use the transformation Ap-l to map
a -+ c with amplitude (p-‘)L/Iexp(2~iac/(p - 1)) and
b + d with amplitude (p--l)l/l.exp(2?ribd/(p- 1)). As was
discussed in the previous sechon, this is a unitary transfor-
mation, and since p - 1 is smooth it can be accomplished

128
in polynomial time on a quantum machine. This leaves the
machine in state
P--2
02 (
exp s ( a c + b d ) ) IC, d, g a x P b(mod p ) ) .
a,b,c,d=O
(4.3)
We now compute the probability that the computation ends
IC,
with the machine in state d , y) with y g k (mod p ) .
This probability is the absolute value of the square of the
sum over all ways the machine could produce this state, or
l2
I a-rbik I We thus need to show that the computations in the pre-
where the sum is over all a, b satisfying a - rb IC (mod =
p - 1). This condition arises from the fact that compu-
tational paths can only interfere when they give the same
y ga-rb f g k (mod p ) . We now substitute the equation
a +
k rb (mod p - 1) in the above exponential. The
above sum then reduces to
However, if d + rc $ 0 (mod p - 1) the above sum is
over a set of (p - l)stroots of unity evenly spaced around
the unit circle, and thus the probability is 0. If d -rc
the above sum is over the same root of unity p - 1 times,
giving (p - l)e2nzkc/(p--1), so the probability is l/(p- 1)2.
We can check that these probabilities add up to one by
counting that there are (p - 1)2 states IC, -rc, y) since
there are p - 1 choices of c (mod p - 1) and p - 1 choices
of y $ 0 (mod p ) .
Our computation thus produces a random c (mod p - 1)
and the corresponding d = --TC (mod p - 1). If c and p - 1
are relatively prime, we can find T by division. Because
we are choosing among all possible c's with equal proba-
bility, the chance that c and p - 1 are relatively prime is
$ ( p - l ) / ( p - l), where 4 is the Euler $-function. It is
easy to check that 4 ( p - l ) / ( p - 1) > 1/ log@). (Actu-
ally, from [ 17, Theorem 3281, liminf 4 ( p - I)/(p - 1) M
e-7 / log log p . ) Thus we only need a number of exper-
iments that is polynomial in logp to obtain T with high
probability. In fact, we can find a set of c's such that at least
one is relatively prime to every prime divisor of p - 1 by
repeating the experiment only an expected constant number
of times. This would also give us enough information to
obtain T .
129
5 A note on precision
The number of bits of precision needed in the ampli-
tude of quantum mechanical computers could be a barrier
to practicality. The generally accepted theoretical divid-
ing line between feasible and infeasible is that polynomial
precision (i.e., a number of bits logarithmic in the problem
size) is feasible and that more is infeasible. This is because
on a quantum computer the phase angle would need to be
obtained through some physical device, and constructing
such devices with better than polynomial precision seems
unquestionably impractical. In fact, even polynomial pre-
cision may prove to be impractical; however, using this
as the theoretical dividing line results in nice theoretical
properties.
vious section need to use only polynomial precision in the
amplitudes. The very act of writing down the expression
exp(27riac/(p - 1)) seems to imply that we need exponen-
tial precision, as this phase angle is exponentially precise.
Fortunately, this is not the case. Consider the same ma-
trix A,-, with every term exp(27riac/(p - l ) ) replaced by
exp(27rzac/(p - 1) f 7rz/20). Each positive case, i.e., one
resulting in d = -rc, will still occur with nearly as large
probability as before; instead of adding p - 1 amplitudes
which have exactly the same phase angle, we add p - 1
amplitudes which have nearly the same phase angle, and
thus the size of the sum will only be reduced by a constant
factor. The algorithm will thus give a (c, d ) with d -rc
with constant probability (instead of probability 1).
Recall that we obtain the matrix Ap-l by multiplying at
most logp matrices Aq,. Further, each entry in A,-, is the
product of at most logp terms. Suppose that each phase
angle were off by at most E / logp in the Aq,' s . Then in
the product, each phase angle would be off by at most 6 ,
which is enough to perform the computation with constant
probability of success. A similar argument shows that the
magnitude of the amplitudes in the Aq, can be off by a
polynomial fraction. Similar arguments hold for the general
case of discrete log and for factoring to show that we need
only polynomial precision for the amplitudes in these cases
as well.
We still need to show how to construct Aq, from con-
stant size unitary matrices having limited precision. The
arguments are much the same as above, but we will not give
them in this paper because, in fact, Bennett et al. 141 have
shown that it is sufficient to use polynomial precision for
any computation on a quantum Turing machine to obtain
the answer with high probability.
Since precision could easily be the limiting factor for
practicality of quantum computation, it might be advisable
to investigate how much precision is actually needed for
quantum algorithms. Although Bemstein and Vazirani [4] with amplitude -&exp(2?riac/q). This leaves our ma-
show that the number of bits of precision needed is never chine in state
more than the logarithm of the number of computational
- 0-1
steps a quantum computer takes, in some algorithms it
could conceivably require less. Interesting open questions
1 exp(2?riac/q) IC, za (mod n ) ) . (6.3)
Q a=O
are whether it is possible to do discrete logarithms or factor-
ing with less than polynomial precision and whether some Finally, we observe the machine. It would be sufficient
tradeoff between precision and time is possible. to observe solely the value of c, but for clarity we will
assume that we observe both c and za (mod n). We now
6 Factoring compute the probability that our machine ends in a particu-
larstatelc,~' (modn)),wherewemayassumeO5 IC < T .
The algorithm for factoring is similar to the one for the Summing over all possible ways to reach this state, we find
general case of discrete log, only somewhat simpler. I that this probability is
present this algorithm before the general case of discrete
log so as to give the three algorithms in this paper in order
of increasing complexity. Readers interested in discrete log
may skip to the next section.
Instead of giving a quantum computer algorithm to
where the sum is over all a, 0 5 a < q, such that
factor n, we will give a quantum computer algorithm za = x k (mod n). Because the order of 2 is T , this sum is
for finding the order of an element z in the multiplica- equivalently over all a satisfying a = IC (mod T ) . Writing
tive group (mod n); that is, the least integer T such that
zr 1 (mod n). There is a randomized reduction from
+
a = br IC, we find that the above probability is
factoring to the order of an element [23].

12
l(g-k-l)/rJ
To factor an odd number n, given a method for comput-
ing the order of an element, we choose a random z,find
- exp(2ni(b + k)c/q) . (6.5)
b=O
the order T, of z,and compute gcd(zr=/2- 1,n). This
fails to give a non-trivial divisor of n only if T , is odd or if We can ignore the term of exp(2niICc/q), as it can be
z r z I 2 E - 1 (mod n). Using this criterion, it can be shown
factored out of the sum and has magnitude 1. We can
that the algorithm finds a factor of n with probability at also replace TC with { T C } ~ ,where { T C } ~ is the residue
least 1 - 1/2k, where IC is the number of distinct prime which is congruent to TC (mod q ) and is in the range
factors of n. This scheme will thus work as long as n is -q/2 < { T C } , 5 q/2. This leaves us with the expres-
not a prime power; however, factoring prime powers can sion
be done efficiently with classical methods.
=
Given z and n,to find T such that zr 1 (mod n), we - exp(2?rib{~c),/q)
do the following. First, we find a smooth q with 2n2 5 q <
b=O
4n2. Next, we put our machine in the uniform superposition
of states representing numbers a (mod q). This leaves our We will now show that if { T C } ~ is small enough, all the
machine in state amplitudes in this sum will be in nearly the same direction,
I 9-1
giving a large probability. If { T C } , is small with respect
-
q'/2
.)1. (6.1) to q, we can use the change of variables t = b/q and
a=O
approximate this sum with the integral
As in the algorithm for discrete log, we will not write n, 5,
or q in the state of our machine, because we never change
these values.
Next, we compute xa (mod n). Since we keep z and a
on the tape, this can be done reversibly. This leaves our
machine in the state
If I{ T C } I~5 r/2, this quantity can be shown to be asymptot-
ically bounded below by 4/(7r2r2),and thus at least 1/3rZ.
.
1
9-1 IC,
The probability of seeing a given state x k (mod n ) ) will
q'I2
la, za (mod n)) . thus be at least 1/3r2if
a=O
-7-
We then perform our Fourier transform A, mapping a + c - < { T C } < E, (6.8)
2 - g-2

130
i.e., if there is a d such that As before, we use the Fourier transform A, to send a -+ c
andb -t d (mod q ) , withamplitude exp(27ri(ac+bd)/q),
giving us the state
p-2 ,-I
Dividing by rq and rearranging the terms gives
(p--1)9
exp ( y ( u c + b d ) ) IC, d, g a x P b(mod p ) ) .
a,b=O c,d=O
(6.10) (7.2)
Note that we now have two moduli to deal with, p - 1 and q .
While this makes keeping track of things more confusing,
We know c and q . Because q 2 2n2, there is at most one
we will still be able to obtain r using a algorithm similar to
fraction d / r with T < n that satisfies the above inequality.
the easy case. The probability of observing a state IC, d, y)
Thus, we can obtain the fraction d / r in lowest terms by
with y gk (mod p ) is, almost as before,
rounding c / q to the nearest fraction having a denominator
smaller than n. This fraction can be found in polynomial I 12
time by using a continued fraction expansion of c/q, which
finds all the best approximations of c/q by fractions [17, exp (?(ac + bd)) (7.3)
Chapter XI. a--rb=k

If we have the fraction d / r in lowest terms, and if d where the sum is over all ( a , b) such that a - r b z
happens to be relatively prime to r , this will give us r. Ic (mod p - 1). We now use the relation
We will now count the number of states IC, x k (mod n))
which enable us to compute r in this way. There are 4 ( r )
possible values ford relatively prime to r , where 4 is Euler’s
a = br + - ( p - 1) 1-1 (7.4)

4 function. Each of these fractions d / r is close to one and substitute in the above expression to obtain the ampli-
fraction c / q with Ic/q - d/rI 5 1/2q. There are also r tude
possible values for x k , since r is the order of x. Thus, there
( y(brc + Icc + bd - c(p - 1) 1-1
P--2
IC,
are r 4 ( r ) states x k (mod n)) which would enable us to
& exp )).
obtain r. Since each of these states occurs with probability b=O
at least 1/3r2,we obtain r with probability at least 4(r)/3r. (7.5)
Using the theorem that # ( r ) / r > Ic/loglogr for some The absolute value of the square of this amplitude is
fixed Ic [17, Theorem 3281, this shows that we find T at the probability of observing the state d, g k (mod p ) ) . IC,
least a k/ log log r fraction of the time, so by repeating this We will now analyze this expression. First, a factor of
experiment only O(1og log r ) times, we are assured of a exp(27riIcc/q) can be taken out of all the terms and ig-
high probability of success. nored, because it does not change the probability. Next, we
Note that in the algorithm for order, we did not use many split the exponent into two parts and factor out b to obtain
of the properties of multiplication (mod n ) . In fact, if we
have a permutation f mapping the set {0,1,2,. . . ,n - 1)
into itself such that its Icth iterate, f ( ‘ ) ( a ) , is computable
in time polynomial in log n and log Ic, the same algorithm
will be able to find the order of an element a under f, i.e., where
the minimum r such that f(‘)(a) = a. U = bT,

7 Discrete log: the general case

T = rc + d - *{c(p - l)},, (7.7)
and
For the general case, we first find a smooth number q
such that q is close to p , i.e., with p 5 q 5 2p (see Lemma
v = (5- (7.8)
3.2). Here by { z } , we mean the residue of z (mod q ) with
Next, we do the same thing as in the easy case, that is, we -q/2 < { z } , 5 q/2. We will show that if we get enough
choose a and b uniformly (mod p - l ) , and then compute “good” outputs, then we still can deduce r , and that fur-
gaxPb(mod p ) . This leaves our machine in the state thermore, the chance of getting a “good” output is constant.
p-2 p-2 The idea is that if
1
P-1 a=O b=O

13 1
where j is the closest integer to T / q ,then as b varies be-
tween 0 and p - 2, the phase of the first exponential term
in Eq. (7.6) only varies over at most half of the unit circle.
Further, if
I{C(P - 1)}l71 Iq/20, (7.10)
then [VI is always at most q/20, so the phase of the sec-
ond exponential term in Eq. (7.6) never is farther than
exp(nill0) from 1. By combining these two observa-
tions, we will show that if both conditions hold, then the
contribution to the probability from the corresponding term
is significant. Furthermore, both conditions will hold with
constant probability, and a reasonable sample of c’s for
which Condition (7.9) holds will allow us to deduce T .
We now give a lower bound on the probability of each
good output, i.e., an output that satisfies Conditions (7.9)
and (7.10). We know that as b ranges from 0 to p - 2, the
phase of exp(2aiU/q) ranges from 0 to 27riW where
W = P-
-2
(TC
9
+d - *{c(p - l)}q- j q ) (7.11)
and j is as in Eq.(7.9). Thus, the component of the ampli-
tude of the first exponential in Eq. (7.6) in the direction
exp (niW) (7.12)
is at least cos(27r IW/2 - W b / ( p- 2)l). Now, by Condi-
tion (7.10). the phase can vary by at most 7ri/lO due to the
second exponential exp(27riVlq). Applying this variation
in the manner that minimizes the component in the direc-
tion (7.12), we get that the component in this direction is at
least cos(27r IW/2 - W b / ( p- 2)1+ n/lO). Since p < q,
and from Condition (7.9), IWI I1/2, putting everything
together, the probability of arriving at a state IC,d, y) that
satisfies both Condition (7.9) and (7.10) is at least
(-!: c I m c o s t dt)
2
, (7.13)
or at least .137/q2.
We will now count the number of pairs (c, d) satisfying
Conditions (7.9) and (7.10). The number of pairs ( c , d )
such that (7.9) holds is exactly the number of possible c’s,
since for every c there is exactly one d such that (7.9) holds
(round off the fraction to the nearest integer to obtain this d).
The number of c’s for which (7.10) holds is approximately
q/lO. Thus, there are q/10 pairs ( c , d ) satisfying both
conditions. Multiplying by p - 1, which is the number
of possible y’s, gives approximately w / 1 0 states IC,d, y).
Combining this calculation with the lower bound on the
probability of each good state gives us that the probability
of obtaining any good state is at least p/8Oq, or at least
1/160 (since q < 2p).
132
We now want to recover T from a pair c , d such that
where this equation was obtained from Condition (7.9) by
dividing by q. The first thing to notice is that the multiplier
on T is a fraction with denominator p - 1, since q evenly
divides c ( p - 1) - { c ( p - l)}q. Thus, we need only round
d / q off to the nearest multiple of l / ( p - 1) and divide
( m d p - 1) by
to find a candidate T . To show that this experiment need
only be repeated a polynomial number of times to find the
correct T requires only a few more details. The problem
is again that we cannot divide by a number which is not
relatively prime to p - 1.
For the general case of the discrete log algorithm, we
do not know that all possible values of c’ are generated
with reasonable likelihood; we only know this about one-
tenth of them. This additional difficulty makes the next
step harder than the corresponding step in the two previous
algorithms. If we knew the remainder of T modulo all prime
powers dividing p - 1, we could use the Chinese remainder
theorem to recover T in polynomial time. We will only be
able to find this remainder for primes larger than 20, but
with a little extra work we will still be able to recover T .
What we have is that each good ( c , d) pair is generated
with probability at least .137p/q > 1/ 16q, and that at least
a tenth of the possible c’s are in a good (c,d) pair. From
Eq.(7.15), it follows that these c’s are mapped from c / q to
c ‘ / ( p - 1) by rounding to the nearest integer multiple of
l/(p - 1). Further, the good c’s are exactly those in which
c / q is close to c ’ / ( p - 1). Thus, each good c corresponds
with exactly one c‘. We would like to show that for any
prime power p,”’ dividing p - 1. a random good c‘ is unlikely
to contain p,. If we are willing to accept a large constant for
the algorithm, we can just ignore the prime powers under
20; if we know T modulo all prime powers over 20, we can
try all possible residues for primes under 20 with only a
(large) constant factor increase in running time. Because at
least one tenth of the c’s were in a good ( c ,d) pair, at least
one tenth of the c”s are good. Thus, for a prime power
p;‘, a random good c’ is divisible by pga with probability
at most lO/p;’. If we have t good c”s, the probability of
having a prime power over 20 that divides all of them is
therefore at most
(7.16)
a.
’
P, IP-I
where the sum is over all prime powers greater than 20 that
divide p - 1. This sum (over all integers > 20) converges
for t = 2, and goes down by at least a factor of 2 for each
further increase o f t by 1; thus for some large constant t it
is less than 1/2.
Recall that each good c’ is obtained with probability at
least 1/16q from any experiment. Since there are q/10
good c”s, after 160t experiments, we are likely to obtain a
sample of t good C”S chosen equally likely from all good
c”s. Thus, we will be able to find a set of d ’ s such that all
prime powers pp’ > 20 dividing p - 1 are relatively prime
to at least one of these d ’ s . For each prime p , less than
20, we thus have at most 20 possibilities for the residue
modulo p p ’ , where Q, is the exponent on prime p , in the
prime factorization of p - 1. We can thus try all possibilites
for residues modulo powers of primes less than 20: for each
possibility we can calculate the corresponding r using the
Chinese remainder theorem, and then check to see whether
it is the desired discrete logarithm.
This algorithm does not use very many properties of Z,,
so we can use the same algorithm to find discrete logarithms
over other fields such as Z,-. What we need is that we know
the order of the generator, and that we can multiply and take
inverses of elements in polynomial time.
If one were to actually program this algorithm (which
must wait until a quantum computer is built) there are many
ways in which the efficiency could be increased over the
efficiency shown in this paper.
Acknowledgements
I would like to thank Jeff Lagarias for finding and fix-
ing a critical bug in the first version of the discrete log
algorithm. I would also like to thank him, Charles Ben-
nett, Gilles Brassard, Andrew Odlyzko, Dan Simon, Umesh
Vazirani, as well as other correspondents too numerous to
list, for productive discussions, for corrections to and im-
provements of early drafts of this paper, and for pointers to
the literature.
References
1. P. Benioff, “Quantum mechanical Hamiltonian models
of Turing machines,” J. Stat. Phys. Vol. 29, pp. 515-
546 (1982).
2. P. Benioff, “Quantum mechanical Hamiltonian models
of Turing machines that dissipate no energy,” Phys.
Rev. Lett. Vol. 48, pp. 1581-1585 (1982).
3. C. H. Bennett, “Logical reversibility of computation,”
IBM J. Res. Develop. Vol. 17, pp. 525-532 (1973).
133
4. C. H. Bennett, E. Bernstein, G. Brassard and U. Vazi-
rani, “What is feasible on a quantum computer,”
manuscript (1994).
5. E. Bernstein and U. Vazirani, “Quantum complexity
theory,” in Proc. 25th ACM Symp. on Theory of Com-
putation, pp. 11-20 (1993).
6. A. Berthiaume and G. Brassard, “The quantum
challenge to structural complexity theory,” in Proc.
7th IEEE Con$ on Structure in Complexity Theory,
pp. 132-137 (1992).
7. A. Berthiaume and G. Brassard, “Oracle quantum com-
puting,” in Proc. Workshopon Physics of Computation,
pp. 195-199, IEEE Press (1992).
8. D. Coppersmith, “An approximate Fourier transform
useful in quantum factoring,” IBM Research Report
RC 19642 (1994).
9. D. Deutsch, “Quantum theory, the Church-Turing
principle and the universal quantum computer,” Proc.
Roy. Soc. Lond. Vol. A400, pp. 96-1 17 (1985).
10. D. Deutsch, “Quantum computational networks,” Proc.
Roy. Soc. Lond. Vol. A425, pp. 73-90 (1989).
11. D. Deutsch and R. Jozsa, “Rapid solution of prob-
lems by quantum computation,” Proc. Roy. Soc. Lond.
Vol. A439, pp. 553-558 (1992).
12. D. P. DiVincenzo, “Two-bit gates are universal for
quantum computation,” manuscript ( 1994).
13. R. Feynman, “Simulating physics with computers,” In-
ternational Joumal of Theoretical Physics, Vol. 21,
No. 6/7, pp. 467-488 (1982).
14. R. Feynman, “Quantum mechanical computers,” Foun-
dationsofPhysics, Vol. 16, pp. 507-531 (1986). (Orig-
inally appeared in Optics News, February 1985.)
15 L. Fortnow and M. Sipser, “Are there interactive proto-
cols for CO-NPlanguages?’ Inform. Proc. Lett. Vol. 28,
pp. 249-25 1 (1988).
16. D. M. Gordon, “Discrete logarithms in GF(p) using
the number field sieve,” SIAM J. Discrete Math. Vol. 6,
pp. 124-139 (1993).
17. G. H. Hardy and E. M. Wright, An Introduction to the
Theory of Numbers, Fifth Edition, Oxford University
Press, New York (1979).
18. R. Landauer, “Is quantum mechanics useful?’ Proc.
Roy. Soc. Lond., to appear (1994).
19. A. K. Lenstra and H. W. Lenstra, Jr., eds., The Devel-
opment of the Number Field Sieve, Lecture Notes in
Mathematics No. 1554, Springer-Verlag (1993).
20. H. W. Lenstra, Jr. and C. Pomerance, “A rigorous time
bound for factoring integers, J. Amer: Math. Soc. Vol. 5,
pp. 483-516 (1992).
21. S. Lloyd, “A potentially realizable quantum computer,”
Science, Vol. 261, pp. 1569-1571 (1993).
22. S. Lloyd, “Envisioning a quantum supercomputer,”
Science, Vol. 263, p. 695 (1994).
23. G. L. Miller, “Riemann’s hypothesis and tests for pri-
mality,” J. Comp. Sys. Sci. Vol. 13, pp. 300-317 (1976).
24. S. Pohlig and M. Hellman, “An improved algorithm
for computing discrete logarithms over GF(p) and its
cryptographic significance,” IEEE Trans. Information
Theory, Vol. 24, pp. 106-1 10 (1978).
25. C. Pomerance, “Fast, rigorous factorization and dis-
crete logarithm algorithms,” in Discrete Algorithms
and Complexity (Proc. Japan-US Joint Seminar),
pp. 119-143, Academic Press (1986).
26. R. L. Rivest, A. Shamir, and L. Adleman “A method of
obtaining digital signatures and public-key cryptosys-
tems,” CommunicationsACM, Vol. 21, No. 2, pp. 120-
126 (1978).
27. A. Shamir, “IP = PSPACE,” in Proc. 31th Ann. Symp.
Foundations of Computer Science, pp. 11-15, IEEE
Press (1990).
134
28. D.Simon, “On the power of quantum computation,”
in Proc. 35th Ann. Symp. Foundations of Computer
Science, IEEE Press (1994).
29. W. G. Teich, K. Obermayer, and G. Mahler, “Struc-
tural basis of multistationary quantum systems 11: Ef-
fective few-particle dynamics,” Phys. Rev. B, Vol. 37,
pp. 8111-8121 (1988).
30. T. Toffoli, “Reversible computing,” in Automat4 Lan-
guages and Programming, Seventh Colloq., Lecture
Notes in Computer Science No. 84 (J. W. De Bakker
and J. van Leeuwen, 4 s . ) pp. 632-644, Springer-
Verlag (1980).
31. W. G. U m h , “Maintaining coherence in quantum
computers,” manuscript (1994).
32. A. Yao, “Quantum circuit complexity,” in Proc. 34th
Ann. Symp. Foundations of Computer Science, pp. 352-
361, IEEE Press (1993).