
Quantum Information and Computing

Topic 13 : Shor’s Factorization Algorithm


Dipan Kumar Ghosh
Physics Department,
Indian Institute of Technology Powai, Mumbai 400076
April 14, 2017

1 Introduction
In the last lecture we discussed the implementation of QFT for the case of one, two
and three qubits and provided a way to generalize to the case of n qubits. This was
an essential component in understanding Shor’s algorithm for integer factorization of a
large composite number. However, before we discuss the factorization algorithm, it will
be appropriate to make a few comments about the problem of factorization in classical
computation.
Consider a number $N = pq$ where $p$ and $q$ are large prime numbers, though for the
purpose of illustration in this lecture, we will take these numbers to be small so that
a back-of-the-envelope calculation can be done. There are several classical algorithms
to do this job, though they are not fast enough. The most elementary algorithm is the
one due to Euclid, which requires of the order of $\sqrt{N}$ operations because, if there
exists a factor, one of them has to be less than or equal to $\sqrt{N}$. Euclid's algorithm
is inefficient for handling large numbers. There are faster classical algorithms, the best
among them requiring $\exp\left((\log N)^{1/3} (\log \log N)^{2/3}\right)$ steps, which is
still slow. A point which needs to be appreciated is that multiplication of two numbers can
be done in polynomial time though the factorization cannot. To get an idea of the difficulty
involved, consider factorization of a reasonably sized number such as 29803. To factorize
this we may use, for instance, Euclid's algorithm. If you are doing this factorization
manually, you may take a couple of hours. However, if we are told that this number is
229 × 127, we can check it by doing a multiplication in under a minute. Thus multiplication
is easy but factorization is hard. It is good to recollect Euclid's algorithm, as it is
taught to us in schools.
Suppose we take two numbers $a$ and $b$ whose greatest common divisor is $c$. By definition,
$c$ divides both $a$ and $b$, where $a > b$. Let $a = mc$ and $b = nc$, where $m$ and $n$ are
integers. When we divide $a$ by $b$, unless $b$ is a factor of $a$, a long division of $a$ by
$b$ will leave a remainder. Let $r = a - bq$ be the remainder of such a division. Clearly,
since $c$ divides both $a$ and $b$, it also divides $r$. Euclid's algorithm works like this.
We do a long division of $a$ by $b$. Let $q_1 = \left[\frac{a}{b}\right]$ be the quotient,
where $[\ ]$ is the greatest integer function, and let $r_1 = a - bq_1$ be the remainder. We
now divide $b$ by this remainder $r_1$, getting a quotient $q_2$ and a remainder $r_2$. We
carry on like this till we find a zero remainder at the $n$-th stage of the algorithm. The
last divisor $r_n$ then is the greatest common divisor that we are trying to find. The
problem in this method is that, while this is a reasonably good algorithm to find the gcd of
two numbers, it is not particularly useful in finding factors of a single number, as there
is no suitable starting point and we must check numbers from 2 upward up to $\sqrt{N}$.
In this lecture we discuss an algorithm due to Peter Shor, which could be implemented
using a quantum computer to provide a fast factorization. This is done by solving an
equivalent problem of finding a period of a function.

© D. K. Ghosh, IIT Bombay

2 Shor’s Algorithm
Shor’s algorithm for factorizing N has the following steps:

1. Take a random number $m < N$. Calculate the G.C.D. of $m$ and $N$ by some standard
algorithm, such as Euclid's algorithm. If $\mathrm{GCD}(m, N) \neq 1$, we have found a factor!
This is a very unlikely scenario. The number $m$ that we choose is obviously co-prime with
$N$, i.e. $m$ and $N$ have no common factor. We will illustrate by choosing $N = 799$
whose factors are 17 and 47. Choose $m = 7$ whose GCD with 799 is 1.

2. Define a function $f_N : \mathbb{N} \to \mathbb{N}$ such that $f_N(a) = m^a \bmod N$. We
need to find the smallest $P \in \mathbb{N}$ such that $m^P = 1 \bmod N$. This is called the
period of $f_N$. This step (period finding) requires a quantum computer. It turns out that
$7^{368} = 1 \bmod 799$, i.e. $P = 368$.

3. If $P$ is odd, the method fails and we must return to step 1 to choose a different $m$
and start all over. (In the lecture a small number $N = 21$ is used to illustrate, which
can be worked out easily. We can choose $m$ to be any number which is co-prime
with 21. Thus $m \in \{2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20\}$. Choosing $m = 2$, various
powers of 2 are $2^2 = 4$, $2^3 = 8$, $2^4 = 16$, $2^5 = 32$, $2^6 = 64$, of which the last
number 64 is $1 \bmod 21$. Thus in this case $P = 6$.)
Let us consider some results from linear algebra which we will only illustrate here
but not prove (these can be found in any text book on discrete mathematics
at college level). Consider a quadratic equation, e.g. $x^2 = 1 \bmod N$. Now if $N$
is an odd prime, one can show that this equation only has the trivial solutions,
viz., $x = \pm 1$. On the other hand, if $N$ is a composite number, there are non-trivial
solutions of the type $x = \pm a$. (Remember we are doing modular arithmetic
here, which implies that to $a$ we could add $kN$.) To illustrate, consider an example.
Consider the equation $x^2 = 1 \bmod 41$. This equation only has trivial solutions $\pm 1$.
However, consider $N = 55$. In this case $x^2 = 1 \bmod 55$, in addition to having the
trivial pair, has non-trivial solutions $x = \pm 21$, as $x^2 = 441 = 1 \bmod 55$ because
$441 = 55 \times 8 + 1$. Since we have, by definition of a period, $m^P = 1 \bmod N$, if we
choose $x = m^{P/2}$, this equation would become equivalent to the quadratic equation
$x^2 = 1$. In order that we may do it, $P$ should be even; if it is not, we should choose a
different $m$ and repeat the algorithm.

4. If $P$ is even, then we can factorize $m^P - 1$:

$$m^P - 1 = (m^{P/2} + 1)(m^{P/2} - 1)$$

Since by definition $m^P = 1 \bmod N$, $m^P - 1 = 0 \bmod N$. Now, $(m^{P/2} - 1) \neq 0 \bmod N$
because $P$ is the smallest integer which satisfies $m^P - 1 = 0$. If $m^{P/2} + 1 = kN$
for some integer $k$, then again the problem is not solved and we need to go back to
step 1 and select a different $m$. If, however, $m^{P/2} + 1$ is not a multiple of $N$ then
$m^{P/2} \pm 1$ must contain factors of $N$. One can find the factors by finding the GCD of
each of these two numbers with $N$. For the example given, $P = 368$ so that $P/2 = 184$.
We then have

$$(7^{184} + 1)(7^{184} - 1) = 799k$$

One can check that the factors are 17 and 47.
As an example which you can work out, let $N = 21$. Choose $m = 2$, for which we
have seen that $P = 6$. Check that

$$(2^3 + 1)(2^3 - 1) = 21k$$

Thus factors of 21 are contained in 9 and 7 (the factors are 3 and 7).
As yet another example consider $N = 35$. Choose $m = 13$, for which various even
powers (mod 35) are 13, $13^2 = 169 \equiv 29$, $13^4 = 28561 = 13 \times 816 + 1$, so that in
this case $P = 4$. So we get $(13^2 + 1)(13^2 - 1) = 170 \times 168$; the former contains the
factor 5 and the latter the factor 7.
We assume that $N$ is not a power of some prime, for Shor's algorithm fails in this case. (It
has been shown that the probability of these two things happening is greater than 1/2.)
It is this order-finding part which needs to be done by a quantum computer because such
a computer can calculate various powers of $m$ simultaneously.
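Steps 1 to 4 can be traced classically for the small numbers used above. The Python below is an added example, not part of the original lecture notes; the function names `period` and `split` are assumptions, and the brute-force loop in `period` stands in for the quantum period-finding step.

```python
from math import gcd

def period(m, N):
    """Smallest P >= 1 with m**P = 1 (mod N), found by brute force.
    Classical stand-in for step 2; needs up to N multiplications."""
    if gcd(m, N) != 1:
        raise ValueError("m must be co-prime with N")
    value, P = m % N, 1
    while value != 1:
        value = (value * m) % N
        P += 1
    return P

def split(N, m):
    """Steps 1-4 for one choice of m with 1 < m < N.
    Returns (p, q) with p * q == N and p <= q, or None when this m
    fails and a different m has to be chosen."""
    g = gcd(m, N)
    if g != 1:                      # step 1: m already shares a factor with N
        return tuple(sorted((g, N // g)))
    P = period(m, N)                # step 2
    if P % 2:                       # step 3: odd period, method fails
        return None
    x = pow(m, P // 2, N)           # x*x = 1 (mod N); x != 1 because P is minimal
    if x == N - 1:                  # step 4: m^(P/2) + 1 is a multiple of N
        return None
    p = gcd(x + 1, N)               # non-trivial because x is not +1 or -1 mod N
    return tuple(sorted((p, N // p)))

if __name__ == "__main__":
    # (N, m) pairs taken from the text, plus two failing choices for N = 21.
    for N, m in [(799, 7), (21, 2), (35, 13), (55, 13), (21, 4), (21, 5)]:
        print(N, m, "P =", period(m, N), "->", split(N, m))
```

For N = 21 the choice m = 4 fails at step 3 (P = 3 is odd) and m = 5 fails at step 4 (5^3 + 1 = 126 is a multiple of 21).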

2.1 Implementation of Quantum computation part of the algorithm
Assume $N = pq$ with $p$ and $q$ primes. We first find $l \in \mathbb{N}$ such that
$2N^2 \le 2^l \le 3N^2$. We will also denote $Q = 2^l$. We define a quantum computer with
$Q^2 = 2^{2l}$ qubits, plus extra qubits for work space. The two registers contain vectors
of length $l$

$$|\mathrm{Reg1}\rangle\,|\mathrm{Reg2}\rangle = |a_{n-1} \ldots a_0\rangle\,|b_{n-1} \ldots b_0\rangle \equiv |a\rangle\,|b\rangle$$

where $a = \sum_j 2^j a_j$ and $b = \sum_j 2^j b_j$. At any time the state of the computer
is given by

$$|\psi\rangle = \sum_{a=0}^{Q-1} \sum_{b=0}^{Q-1} C_{ab}\,|a, b\rangle$$

where $C_{ab} \in \mathbb{C}$.
We now follow the following steps.

1. Set both the registers to n qubit null states: $|\psi_0\rangle = |0\rangle^{\otimes l}\,|0\rangle^{\otimes l}$.

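2. Apply QFT on the first register to get

$$|\psi_1\rangle = \frac{1}{\sqrt{Q}} \sum_{x=0}^{Q-1} |x\rangle\,|0\rangle$$

For instance, if $Q = 2^2 = 4$, we have

$$|\psi_1\rangle = \frac{1}{2}\left[\,|00, 00\rangle + |01, 00\rangle + |00, 10\rangle + |11, 00\rangle\,\right]$$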

3. For a randomly chosen $m$, apply an oracle which calculates $f = m^x \bmod N$. Suppose
$U_f$ realizes the action of $f$ on $x$ such that (oracle)

$$U_f\,|x\rangle\,|0\rangle = |x\rangle\,|f(x)\rangle$$

This makes the states entangled

$$U_f\,|\psi_1\rangle = |\psi_2\rangle = \frac{1}{\sqrt{Q}} \sum_{x=0}^{Q-1} |x\rangle\,|f(x) = m^x \bmod N\rangle$$

4. Measure the second register only. The second register, before measurement, was
in a linear combination of various possible base states which are obtained by the
modular exponentiation. As a result of measurement, it will be found to be in one
of the base states $|k\rangle$ where $k$ is some power of $m$ mod $N$. We write

$$|\psi_2\rangle = \frac{1}{\sqrt{M}} \sum_{x \in A} |x, k\rangle$$

where $A$ is the set of all $x < Q$ such that $m^x \bmod N$ is $k$

$$A = \{x_0,\ x_0 + r,\ x_0 + 2r,\ \ldots,\ x_0 + (M - 1)r\}$$

and $M \approx \frac{Q}{r} \gg 1$.
The following numerical example with small numbers will illustrate the steps (1) to
(4) above. Let $N = 55$. We have $N^2 = 55^2 = 3025$, $2N^2 = 6050$ and $3N^2 = 9075$.
We choose $Q = 2^l$ such that $6050 < Q < 9075$, which gives $l = 13$, yielding
$Q = 8192$. Let us choose $m = 13$ (an arbitrary choice, nothing to do with the $l$ value
which coincidentally was 13). Various powers of 13 mod 55 are listed below:

$13^{1} = 13$    $13^{2} = 4$     $13^{3} = 52$    $13^{4} = 16$    $13^{5} = 43$
$13^{6} = 9$     $13^{7} = 7$     $13^{8} = 36$    $13^{9} = 28$    $13^{10} = 34$
$13^{11} = 2$    $13^{12} = 26$   $13^{13} = 8$    $13^{14} = 49$   $13^{15} = 32$
$13^{16} = 31$   $13^{17} = 18$   $13^{18} = 14$   $13^{19} = 17$   $13^{20} = 1$

Our initial state, $|000 \ldots 0, 000 \ldots 0\rangle \equiv |00\rangle$, after passing the
first register through Hadamard gate becomes

$$|\psi_1\rangle = \frac{1}{\sqrt{8192}} \left(|0, 0\rangle + |1, 0\rangle + \ldots + |8191, 0\rangle\right)$$

This is now subjected to the oracle which computes the modular exponentiation of
13, as shown in the table above. Note that since $13^{20} = 1$, the second register will
repeat with a periodicity of 20. The last state, for instance, can be calculated as
follows:

$$13^{8191} = 13^{409 \times 20 + 11} \equiv 13^{11} = 2 \bmod 55$$

The oracle gives

$$|\psi_2\rangle = \frac{1}{\sqrt{8192}} \left(|0, 1\rangle + |1, 13\rangle + |1, 13^2 \bmod 55\rangle + \ldots + |20, 13^{20} \equiv 1\rangle + |21, 13\rangle + \ldots + |8191, 2\rangle\right)$$

We now measure the second register. Suppose this gives the state of the second
register to be $|9\rangle$. Looking at the table above, the state of the system is then

$$|\psi_3\rangle = \frac{1}{\sqrt{410}} \left[\,|6, 9\rangle + |26, 9\rangle + \ldots + |8186, 9\rangle\,\right]$$

(Since the periodicity is 20, there are 410 states with the second register being $|9\rangle$.)
Quite generally, the state at this stage is

$$|\psi_3\rangle = \frac{1}{\sqrt{M}} \sum_{d=0}^{M-1} |x_0 + dr, k\rangle$$

where $m^{x+dr} = m^x = k \bmod N$. Clearly $r$ is the period and $d$ is the number of
terms within a period.

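5. If we now apply QFT on the first register once more on $\mathbb{Z}_Q$, we would get

$$
\begin{aligned}
|\psi_4\rangle &= (U_{QFT} \otimes I)\,|\psi_2\rangle \\
&= \frac{1}{\sqrt{QM}} \sum_{y=0}^{Q-1} \sum_{d=0}^{M-1} \exp\left(2\pi i y (x_0 + dr)/Q\right) |y, k\rangle \\
&= \frac{1}{\sqrt{QM}} \sum_{y=0}^{Q-1} e^{2\pi i y x_0/Q} \times \sum_{d=0}^{M-1} e^{2\pi i y d r/Q}\, |y, k\rangle \\
&= \frac{1}{\sqrt{QM}} \sum_{y=0}^{Q-1} e^{2\pi i y x_0/Q} \times \left[\sum_{d=0}^{M-1} z^d\right] |y, k\rangle
\end{aligned}
$$

where $z = e^{2\pi i y r/Q}$.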

6. We now measure the first register. It will be in a state $|y\rangle$ with a probability
$\frac{1}{QM} \left|\sum_{d=0}^{M-1} z^d\right|^2$. The sum over $d$ is done by observing the
series to be a geometric one, which gives the sum to be

$$\left|\frac{1 - z^M}{1 - z}\right|^2 = \frac{|z^{-M/2} - z^{M/2}|^2}{|z^{-1/2} - z^{1/2}|^2} = \frac{\sin^2(\pi y r M/Q)}{\sin^2(\pi y r/Q)}$$

If $yr/Q$ is not close to an integer, the powers of $z$ will nearly cancel out, i.e., the
probability is small except where $z \approx 1$. If $yr/Q$ is an integer, say $n$,
$\Pr(y) = M/QM = 1/Q$. Thus the observed probability distribution of $y$ is concentrated
around values such that $\frac{y}{Q} \approx \frac{n}{r}$, where $n$ is an integer.
Let us return to our example to illustrate this last step. We had, after measurement
of the second register,

$$|\psi_3\rangle = \frac{1}{\sqrt{410}} \left[\,|6, 9\rangle + |26, 9\rangle + \ldots + |8186, 9\rangle\,\right]$$

On applying Fourier transform to the first register, this becomes

$$|\psi_4\rangle = \frac{1}{\sqrt{3358720}} \sum_{y=0}^{8191} e^{2\pi i \times 6y/8192} \left(\sum_{d=0}^{409} z^d\right) |y, 9\rangle$$

The denominator arose because $3358720 = 8192 \times 410$. Recalling that $r = 20$, we
have

$$z = e^{2\pi i \times 20y/8192}$$

The probability of the first register to be in a particular state $|y\rangle$ is

$$\frac{1}{3358720} \times \left|\sum_{d=0}^{409} z^d\right|^2$$

Suppose our measurement gave the state to be $y = 4096$. We have
$z = e^{2\pi i \times 20 \times 4096/8192} = e^{20\pi i} = 1$, so that the probability becomes
$(410)^2/3358720 \approx 0.05$, i.e. about 5%. There are 20 states in the second register.
The coefficient of each vector becomes sizable when $y$ becomes a multiple of 410. Thus we
may infer the period $r$ by repeated measurement. As $N$ becomes large, the number of
measurements required becomes large and the method becomes inefficient. In the following
we discuss the method of continued fraction, which is more efficient.
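The distribution of the measured y in step 6 can be evaluated directly from the sine-ratio formula. The Python below is an added example, not part of the original lecture notes; the names `distribution` and `peaks` are assumptions, and the inputs Q = 8192, r = 20, x0 = 6 are the values of the worked example.

```python
import math

def distribution(Q, r, x0):
    """Pr(y) for y = 0..Q-1 when the first register holds
    (1/sqrt(M)) * sum_d |x0 + d*r> and the QFT over Z_Q is applied.
    Uses |sum_d z^d|^2 = sin^2(pi*y*r*M/Q) / sin^2(pi*y*r/Q)."""
    M = len(range(x0, Q, r))            # number of terms x0 + d*r below Q
    probs = []
    for y in range(Q):
        k = (y * r) % Q                 # y*r/Q modulo 1, kept as an exact integer
        if k == 0:                      # z = 1: the geometric sum equals M
            s2 = M * M
        else:
            # sin^2 has period pi, so both arguments are reduced mod Q first
            num = math.sin(math.pi * ((k * M) % Q) / Q)
            den = math.sin(math.pi * k / Q)
            s2 = (num / den) ** 2
        probs.append(s2 / (Q * M))
    return probs

def peaks(probs, count):
    """The `count` most probable outcomes y, in increasing order."""
    ranked = sorted(range(len(probs)), key=probs.__getitem__, reverse=True)
    return sorted(ranked[:count])

if __name__ == "__main__":
    Q, r = 8192, 20
    probs = distribution(Q, r, 6)
    top = peaks(probs, r)
    print("Pr(y = 4096) =", round(probs[4096], 4))
    print("most probable y:", top)
    print("weight carried by these peaks:", round(sum(probs[y] for y in top), 3))
```

The r most probable outcomes are the integers nearest to nQ/r for n = 0, ..., r - 1, which is the relation y/Q ≈ n/r that the continued-fraction method of the next section exploits.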

3 Method of Continued Fraction


Let us define ceiling and floor functions as

$$\lceil x \rceil = \inf\{n \in \mathbb{Z} \mid x \le n\}$$
$$\lfloor x \rfloor = \sup\{n \in \mathbb{Z} \mid x \ge n\}$$

For example,

$$\lceil 2 \rceil = 2, \quad \lceil 2.6 \rceil = 3, \quad \lceil -4.5 \rceil = -4, \quad \lceil -5 \rceil = 5$$

Thus the ceiling function evaluates to the nearest integer greater than or equal to the
argument of the function. Similarly,

$$\lfloor 4.5 \rfloor = 4, \quad \lfloor 2.6 \rfloor = 2, \quad \lfloor -4.5 \rfloor = -5, \quad \lfloor -5 \rfloor = -5$$

Thus the floor function is the nearest integer less than or equal to the argument of the
function. If the argument is positive, the floor function is just the integer part of the
argument. Continued fraction expansion of a rational number is obtained as follows:
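Example:

$$
\begin{aligned}
\frac{17}{47} &= 0 + \frac{1}{47/17} = 0 + \cfrac{1}{2 + \cfrac{13}{17}} \\
&= 0 + \cfrac{1}{2 + \cfrac{1}{17/13}} = 0 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{13/4}}} \\
&= 0 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{3 + \cfrac{1}{4}}}} \\
&\equiv [0, 2, 1, 3, 4]
\end{aligned}
$$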

The steps to find the continued fraction are as follows:

1. First find the integral part $a_0$ of the argument $x$. In our case the integral part is
zero.
2. Find the fractional part by $x - a_0 = r_0$.
3. Find the integral part of $r_0^{-1}$: $\left\lfloor \frac{1}{r_0} \right\rfloor = a_1$.
4. $r_1 = \frac{1}{r_0} - a_1$ and $a_2 = \left\lfloor \frac{1}{r_1} \right\rfloor$.
5. In general, starting with $m = 1$, we have $a_m = \left\lfloor \frac{1}{r_{m-1}} \right\rfloor$
and $r_m = \frac{1}{r_{m-1}} - a_m$. The process is continued till
$r_M = 0$. $M$ always turns out to be finite and we get

$$x = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cdots}}}$$
Given $x = [a_0, a_1, \ldots, a_M]$, the expansion in continued fraction $[a_0, a_1, \ldots, a_j]$
with $j \le M$ is the $j$-th convergent of $x$; the $M$-th convergent is $x$ itself. Suppose we
got as a result of measurement of the first register $y/Q = 409/8192$. We can write this as a
continued fraction as

$$
\begin{aligned}
\frac{y}{Q} &= \frac{409}{8192} \\
&= 0 + \cfrac{1}{20 + \cfrac{12}{409}} \\
&= 0 + \cfrac{1}{20 + \cfrac{1}{34 + \cfrac{1}{12}}}
\end{aligned}
$$

The various convergents are as follows:

$$\frac{1}{20}$$

$$\cfrac{1}{20 + \cfrac{1}{34}} = \frac{34}{681}$$

$$\cfrac{1}{20 + \cfrac{1}{34 + \cfrac{1}{12}}} = \frac{409}{8192}$$
We stop when the denominator of the approximated fraction exceeds the number $N$; in
this case at the first convergent itself, i.e. $r = 20$.
Suppose our result of measurement was $\frac{y}{Q} = \frac{4095}{8192}$. The number is
represented as $[1, 1, 2, 1638]$. The first convergent is 1, the second is 1/2, the third is
3/5 but the fourth is 409/8192. Thus the approximation that we use is 3/5, which gives
$r_1 = 5$. Possible values of the period $r$ are multiples of 5. We have

    a     13^a mod 55
    5     43
    10    34
    15    32
    20    1

which gives the period correctly as 20. The factors are in
$(13^{10} + 1)(13^{10} - 1) = 35 \times 33$. The factors are

$$p = \gcd(33, 55) = 11$$

and

$$q = \gcd(35, 55) = 5$$
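The continued-fraction procedure and the stopping rule above, as an added Python example that is not part of the original lecture notes. The names `continued_fraction`, `convergents` and `recover_period` are assumptions, and the measurement y = 4915 is a constructed sample whose expansion is [0, 1, 1, 2, 1638].

```python
from fractions import Fraction

def continued_fraction(num, den):
    """Partial quotients [a0, a1, ..., aM] of num/den. Each step is one
    long division, exactly as in Euclid's algorithm."""
    terms = []
    while den:
        a, rem = divmod(num, den)
        terms.append(a)
        num, den = den, rem
    return terms

def convergents(terms):
    """All convergents of [a0, a1, ...], built with the recurrence
    h_j = a_j*h_(j-1) + h_(j-2), k_j = a_j*k_(j-1) + k_(j-2)."""
    h_prev, h = 1, terms[0]
    k_prev, k = 0, 1
    out = [Fraction(h, k)]
    for a in terms[1:]:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        out.append(Fraction(h, k))
    return out

def recover_period(y, Q, m, N):
    """Take the last convergent of y/Q whose denominator is below N; its
    denominator r1 divides the period, so try the multiples of r1.
    Returns None when no multiple below N works (measure again)."""
    r1 = max(c.denominator for c in convergents(continued_fraction(y, Q))
             if c.denominator < N)
    for r in range(r1, N, r1):
        if pow(m, r, N) == 1:
            return r
    return None

if __name__ == "__main__":
    print(continued_fraction(17, 47))             # expansion of the first example
    for y in (409, 4915):                         # 4915 is a constructed sample
        cf = continued_fraction(y, 8192)
        print(y, cf, [str(c) for c in convergents(cf)],
              "r =", recover_period(y, 8192, 13, 55))
```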
