Order-Finding and Shor's Algorithm
Multiplying two large primes together is easy; pulling the product apart again is the problem that
a huge slice of modern cryptography is built on. RSA and
Diffie–Hellman are secure precisely because nobody knows how to factor a several-hundred-digit number
in any reasonable time on a classical machine — the best classical method, the number field sieve,
still takes sub-exponential time. In 1994 Peter Shor found a quantum algorithm that factors
in polynomial time. It was the moment quantum computing stopped being a curiosity and
became a threat model.
The surprise is that the quantum part of Shor's algorithm has nothing directly to do with factoring.
The quantum computer solves a completely different-looking problem — finding the
order
of a number modulo N — and a short chain of classical number
theory turns that into a factor. This page follows the whole pipeline: the classical reduction that
makes factoring a question about periods, the quantum core that reads a period off using
phase
estimation, and the continued-fraction step that decodes the answer.
Step 1 — the classical reduction: factoring becomes order-finding
Here is the trick that lets a quantum computer factor without ever "trying" a divisor. To factor
N (odd, composite, not a prime power), pick a random
a in the range 1 < a < N. Compute
\gcd(a, N) with the
Euclidean
algorithm; on the wild chance it isn't 1 you have already
stumbled onto a factor and are done. Otherwise a is coprime to
N, so it has an order — the smallest
r > 0 with
a^{r} \equiv 1 \pmod{N}.
Suppose we can find that r. Rewrite the defining equation as
a^{r} - 1 \equiv 0 \pmod N. If r is
even, we can factor the left side as a difference of two squares:
a^{r} - 1 = \left(a^{r/2} - 1\right)\left(a^{r/2} + 1\right) \equiv 0 \pmod{N}.
So N divides the product
\left(a^{r/2} - 1\right)\left(a^{r/2} + 1\right). Now the key observation:
a^{r/2} \not\equiv 1 \pmod N automatically (else the order would be
r/2, not r), so the first factor isn't a
multiple of N. As long as the second also avoids being a multiple
— that is, as long as a^{r/2} \not\equiv -1 \pmod N — then
N's prime factors must be split between the two brackets. Compute
\gcd\!\left(a^{r/2} - 1,\; N\right) \qquad\text{and}\qquad \gcd\!\left(a^{r/2} + 1,\; N\right),
and each is a nontrivial factor of N. Two GCDs — cheap,
classical, exact — turn a period into a factorisation.
The conditions, and when to retry
Two things had to go right: the order r must be even, and
a^{r/2} must not be \equiv -1 \pmod N. Either can
fail for an unlucky a — if r is odd there is no
a^{r/2} to speak of, and if a^{r/2} \equiv -1
then \gcd(a^{r/2}+1, N) = N, a trivial factor that tells you nothing. In
both cases you simply throw a away and draw a fresh random one.
This is not a fatal flaw, because the good a's are common. A theorem
guarantees that for an odd N with at least two distinct prime factors, a
randomly chosen coprime a gives a usable (even order, non--1)
result with probability at least \tfrac12. So a handful of
attempts almost certainly succeeds — Shor's algorithm is a randomised algorithm that may need
a retry, not a machine that fails outright.
Worked example: factoring N = 15 with a = 7
Let's run the whole classical wrapper by hand on the textbook case
N = 15. Draw a = 7; since
\gcd(7, 15) = 1, it has an order. List the powers modulo
15 until we return to 1:
7^1 \equiv 7, \qquad 7^2 = 49 \equiv 4, \qquad 7^3 \equiv 28 \equiv 13, \qquad 7^4 \equiv 91 \equiv 1 \pmod{15}.
We first hit 1 at the fourth power, so the order is
r = 4. Check the conditions: r = 4 is
even (good), and a^{r/2} = 7^{2} \equiv 4, which is
neither 1 nor -1 \equiv 14 \pmod{15} (good). Both
conditions hold, so we're clear to extract factors from a^{r/2} \equiv 4:
\gcd(4 - 1,\; 15) = \gcd(3, 15) = 3, \qquad \gcd(4 + 1,\; 15) = \gcd(5, 15) = 5.
And indeed 15 = 3 \times 5. The random choice
a = 7, its order 4, and two GCDs handed us the
full factorisation — no trial division ever tested "is 3 a factor?" The
entire difficulty was compressed into finding the order r = 4, and
that is the one step we now hand to the quantum computer.
Step 2 — the quantum core: order-finding is period-finding
Why is the order hard classically? Because r is the period
of the function
f(x) = a^{x} \bmod N,
which satisfies f(x + r) = f(x) — the sequence
a^0, a^1, a^2, \dots marches through residues and then repeats with period
exactly r. For a several-hundred-digit N that
period can be astronomically large, and classically there's no shortcut to it. Finding the hidden
period of a function is precisely the sort of global question a quantum computer is good at —
this is Simon's periodicity idea, lifted from bit-strings to the integers.
The quantum handle is a unitary operator. Define U by how it acts on a
residue |y\rangle:
U\,|y\rangle = |\,a\,y \bmod N\,\rangle.
Multiplying by a just permutes the residues coprime to
N (it's invertible, since a has an inverse mod
N), so U is a genuine unitary. And because
applying it r times returns every residue to itself
(a^{r} \equiv 1), the number r is baked into
U's eigenvalues.
The eigenphases spell out s/r
The eigenvectors of U are the "period waves"
|u_s\rangle = \frac{1}{\sqrt{r}} \sum_{k=0}^{r-1} e^{-2\pi i \, s k / r}\, \bigl|\,a^{k} \bmod N\,\bigr\rangle, \qquad U\,|u_s\rangle = e^{2\pi i \, s / r}\, |u_s\rangle,
one for each s = 0, 1, \dots, r-1. The eigenvalue is
e^{2\pi i \, s/r} — an eigenphase of exactly
s/r. So the period r we're hunting for is sitting
in the denominator of every eigenphase of U. And reading the phase
of a unitary's eigenvalue is exactly what
quantum phase
estimation (QPE) does.
Two conveniences make this practical. First, we never have to prepare a specific
|u_s\rangle (which would require knowing r
already): the simple state |1\rangle is an equal superposition of
all of them, |1\rangle = \tfrac{1}{\sqrt r}\sum_{s} |u_s\rangle, so feeding
|1\rangle into QPE returns an estimate of s/r for
a uniformly random s. Second, the controlled powers QPE
needs, U^{2^{j}}, are just "multiply by a^{2^{j}} \bmod N"
— modular exponentiation by repeated squaring, which is efficient. QPE hands back an
estimate of the fraction s/r, accurate to enough bits to pin it down.
Step 3 — continued fractions recover r
QPE doesn't give us s/r as a clean fraction — it gives a binary estimate,
some number very close to s/r but cluttered with trailing bits. We need to
recognise which simple fraction it is approximating, and read off the denominator. That is exactly
what continued
fractions are for: the convergents of a real number are the best rational approximations
with small denominators, so expanding the QPE estimate and taking the convergent whose denominator is
below N recovers s/r in lowest terms.
Take a tiny example with r = 4 (as in the
N = 15 case). Suppose s = 3, so the true phase is
s/r = \tfrac34 = 0.75, and QPE with a few bits returns the estimate
0.7500\ldots. Expand it as a continued fraction:
0.75 = \cfrac{1}{1 + \cfrac{1}{3}} = [0; 1, 3], \qquad\text{convergents}\quad 0, \; 1, \; \tfrac{3}{4}.
The last convergent is \tfrac34: in lowest terms its denominator is
4, so we read off r = 4. (When
\gcd(s, r) \neq 1 the denominator we recover is only a
divisor of r — another reason the algorithm sometimes repeats: a
quick check a^{r} \stackrel{?}{\equiv} 1 confirms the candidate, and a
couple of runs, or taking the least common multiple of two candidate denominators, nails the true
order.) With r in hand we fall straight back into the classical
GCD step from before.
The whole pipeline at a glance
Step through the diagram to see how little of Shor's algorithm is actually quantum. Four of the five
boxes are ordinary classical number theory; the quantum computer is called exactly once,
for the order-finding step in the middle. Everything else — the random choice, the continued-fraction
decoding, the GCDs — runs on your laptop.
This is the shape of almost every known quantum speed-up: a thin quantum kernel that exploits some
hidden algebraic structure (here, periodicity), wrapped in classical pre- and post-processing. The
quantum computer isn't "trying all divisors at once" — it is extracting one number, a period, that
classical machines can't get at efficiently.
Why it matters: polynomial time, and the clock on RSA
Counting the cost: the modular exponentiations dominate, and with fast arithmetic the whole algorithm
runs in roughly
O\!\left((\log N)^{2}\,(\log\log N)(\log\log\log N)\right) \;\approx\; \tilde{O}\!\left((\log N)^{2}\right)\ \text{to}\ O\!\left((\log N)^{3}\right)
quantum operations — polynomial in the number of digits of
N. Compare the best classical factoriser, the general number field sieve,
whose running time
\exp\!\big(c\,(\log N)^{1/3}(\log\log N)^{2/3}\big) is
sub-exponential but super-polynomial. That gap is the difference between "secure for the age
of the universe" and "broken over a long weekend."
The consequence is stark. RSA's security rests on factoring being hard; Diffie–Hellman's rests on the
closely related discrete logarithm, which Shor's technique also solves. A large enough,
error-corrected quantum computer would therefore break the public-key cryptography that
secures essentially all internet traffic. No such machine exists yet — today's devices are
nowhere near the millions of clean qubits required — but the mere existence of the algorithm is why
the world is already migrating to
post-quantum
cryptography: schemes based on problems (like lattices) that Shor's method does
not crack.
Summary
-
Reduction. To factor N, pick a random
a coprime to N and find its
order r (least r with
a^{r} \equiv 1 \pmod N). If r is even and
a^{r/2} \not\equiv -1 \pmod N, then
\gcd(a^{r/2} \pm 1, N) are nontrivial factors.
-
Quantum core. The order r is the period of
x \mapsto a^{x} \bmod N. Apply phase estimation to the
unitary U|y\rangle = |ay \bmod N\rangle, whose eigenphases are
s/r, to estimate s/r.
-
Decoding. A continued-fraction expansion of the estimate recovers
r (as the denominator in lowest terms).
-
Cost. Polynomial in \log N — versus sub-exponential for
the classical number field sieve — so a scalable quantum computer breaks RSA and Diffie–Hellman.
-
Retries. A bad a (odd r, or
a^{r/2} \equiv -1) just means draw again; success has probability
\ge \tfrac12 per attempt.
Before 1994, quantum computing was a beautiful idea in search of a reason to exist — Feynman and
Deutsch had argued it should be more powerful, but nobody had a problem where the power was
undeniable and the payoff enormous. Peter Shor's factoring algorithm supplied exactly that. Overnight
it connected an abstract model of computation to the single most consequential hard problem in applied
mathematics: the one guarding bank transfers, state secrets, and every "https" in the world.
The effect was electric. Funding, talent, and a whole field of experimental physics reoriented around
building a machine that could one day run it. And it started a slow-motion race that is still on: the
entire push toward post-quantum cryptography — new standards, migrations, "harvest now, decrypt later"
worries about encrypted traffic being stored today to crack tomorrow — traces back to this one
algorithm. It didn't just prove quantum computers could do something useful; it told the security
world that a clock had started ticking.
The headline "quantum computers try every possibility at once, so they'll crush every hard problem" is
wrong, and Shor's algorithm is where the misunderstanding usually starts. Keep three things straight:
-
Factoring is not NP-complete. It lives in the mild corner NP∩co-NP, not among
the hardest NP problems like SAT. So a fast quantum factoriser says nothing about whether
quantum computers can solve NP-complete problems — the expert consensus is that they cannot. Shor is
a scalpel for one structured problem, not a sledgehammer for NP.
-
The quantum part is only order-finding. The quantum computer never "factors." It
finds a period via phase estimation; the classical reduction and continued fractions do the
rest. Strip those away and there is no factoring algorithm — the magic is the periodicity, not brute
parallelism.
-
It can fail and need a retry. An unlucky a can give an
odd order, or a^{r/2} \equiv -1, yielding only the trivial factor
N. That's expected: you draw a fresh a and try
again, succeeding with probability at least \tfrac12 each time. Shor's
algorithm is a randomised algorithm, not a deterministic oracle.