# Shor's algorithm


Shor's algorithm is a quantum computer algorithm for finding the prime factors of an integer. It was developed in 1994 by the American mathematician Peter Shor.

On a quantum computer, to factor an integer $\displaystyle{ N }$, Shor's algorithm runs in polylogarithmic time, meaning the time taken is polynomial in $\displaystyle{ \log N }$, the size of the integer given as input. Specifically, it takes quantum gates of order $\displaystyle{ O \! \left((\log N)^{2} (\log \log N) (\log \log \log N) \right) }$ using fast multiplication, or even $\displaystyle{ O \! \left((\log N)^{2} (\log \log N) \right) }$ utilizing the asymptotically fastest multiplication algorithm currently known due to Harvey and van der Hoeven, thus demonstrating that the integer factorization problem can be efficiently solved on a quantum computer and is consequently in the complexity class BQP. This is almost exponentially faster than the most efficient known classical factoring algorithm, the general number field sieve, which works in sub-exponential time: $\displaystyle{ O \! \left(e^{1.9 (\log N)^{1/3} (\log \log N)^{2/3}} \right) }$. The efficiency of Shor's algorithm is due to the efficiency of the quantum Fourier transform, and modular exponentiation by repeated squarings.

If a quantum computer with a sufficient number of qubits could operate without succumbing to quantum noise and other quantum-decoherence phenomena, then Shor's algorithm could be used to break public-key cryptography schemes, such as

• The RSA scheme
• The Finite Field Diffie-Hellman key exchange
• The Elliptic Curve Diffie-Hellman key exchange

RSA is based on the assumption that factoring large integers is computationally intractable. As far as is known, this assumption is valid for classical (non-quantum) computers; no classical algorithm is known that can factor integers in polynomial time. However, Shor's algorithm shows that factoring integers is efficient on an ideal quantum computer, so it may be feasible to defeat RSA by constructing a large quantum computer. It was also a powerful motivator for the design and construction of quantum computers, and for the study of new quantum-computer algorithms. It has also facilitated research on new cryptosystems that are secure from quantum computers, collectively called post-quantum cryptography.

In 2001, Shor's algorithm was demonstrated by a group at IBM, who factored $\displaystyle{ 15 }$ into $\displaystyle{ 3 \times 5 }$, using an NMR implementation of a quantum computer with $\displaystyle{ 7 }$ qubits. After IBM's implementation, two independent groups implemented Shor's algorithm using photonic qubits, emphasizing that multi-qubit entanglement was observed when running the Shor's algorithm circuits. In 2012, the factorization of $\displaystyle{ 15 }$ was performed with solid-state qubits. Later, in 2012, the factorization of $\displaystyle{ 21 }$ was achieved. In 2019 an attempt was made to factor the number $\displaystyle{ 35 }$ using Shor's algorithm on an IBM Q System One, but the algorithm failed because of accumulating errors. Though larger numbers have been factored by quantum computers using other algorithms, these algorithms are similar to classical brute-force checking of factors, so unlike Shor's algorithm, they are not expected to ever perform better than classical factoring algorithms.

## Procedure

The problem that we are trying to solve is, given a composite number $\displaystyle{ N }$, to find a non-trivial divisor of $\displaystyle{ N }$ (a divisor strictly between $\displaystyle{ 1 }$ and $\displaystyle{ N }$). Before attempting to find such a divisor, if there's any doubt whether $\displaystyle{ N }$ is composite or prime, one can use relatively quick primality-testing algorithms to verify that $\displaystyle{ N }$ is indeed composite, although this is not a part of Shor's algorithm.

Shor's algorithm consists of two parts:

1. A reduction, which can be done on a classical computer, of the factoring problem to the problem of order-finding.
2. A quantum algorithm to solve the order-finding problem.

The aim of the algorithm is to find a non-trivial square root $\displaystyle{ b }$ of $\displaystyle{ 1 }$ modulo $\displaystyle{ N }$ that is different from $\displaystyle{ 1 }$ and $\displaystyle{ - 1 }$, because then

$\displaystyle{ b^2 - 1 = (b+1)(b-1) = mN }$

for a non-zero integer $\displaystyle{ m }$ that gives us two distinct non-trivial divisors $\displaystyle{ \gcd(N, b+1) }$ and $\displaystyle{ \gcd(N, b-1) }$ of $\displaystyle{ N }$. This idea is similar to other factoring algorithms, such as the quadratic sieve, and a more detailed explanation can be found in the Explanation section below. Before starting the algorithm, it is imperative to check that $\displaystyle{ N }$ is odd (otherwise $\displaystyle{ 2 }$ is a divisor) and is not a power of an integer (otherwise that integer is a divisor), so as to guarantee the existence of a non-trivial square root $\displaystyle{ b }$ of $\displaystyle{ 1 }$ modulo $\displaystyle{ N }$.

In turn, finding such a $\displaystyle{ b }$ is reduced to finding an element $\displaystyle{ a }$ as a parameter in an integer function, such that the function has an even period with a certain additional property (as explained below, it is required that the condition of Step 6 of the classical part does not hold). The quantum algorithm is used for finding the period of randomly chosen elements $\displaystyle{ a }$, as this is a difficult problem on a classical computer.

### Classical part

1. Pick a random number $\displaystyle{ 1 \lt a \lt N }$.
2. Compute $\displaystyle{ K=\gcd(a,N) }$, the greatest common divisor of $\displaystyle{ a }$ and $\displaystyle{ N }$. This may be done using the Euclidean algorithm.
3. If $\displaystyle{ K \neq 1 }$, then $\displaystyle{ K }$ is a nontrivial factor of $\displaystyle{ N }$, so we are done.
4. Otherwise, use the quantum period-finding subroutine (below) to find $\displaystyle{ r }$, which denotes the period of the following function:
$\displaystyle{ f(x) = a^{x} (\bmod N). }$
Equivalently, $\displaystyle{ r }$ is the smallest positive integer that satisfies $\displaystyle{ a^{r} \equiv 1 \pmod N }$.
5. If $\displaystyle{ r }$ is odd, then go back to step 1.
6. If $\displaystyle{ a^{r / 2} = - 1 \bmod N }$, then go back to step 1.
7. Otherwise, both $\displaystyle{ \gcd(a^{r / 2} + 1,N) }$ and $\displaystyle{ \gcd(a^{r / 2} - 1,N) }$ are nontrivial factors of $\displaystyle{ N }$, so we are done.

For example: Given $\displaystyle{ N = 15 }$, $\displaystyle{ a = 7 }$, and $\displaystyle{ r = 4 }$, i.e., $\displaystyle{ 1 \equiv 7^{4} \equiv 7^{8} \pmod{15} }$, we have $\displaystyle{ \gcd(7^{2} \pm 1,15) = \gcd(49 \pm 1,15) }$, where $\displaystyle{ \gcd(48,15) = 3 }$ and $\displaystyle{ \gcd(50, 15) = 5 }$. For $\displaystyle{ N }$ that is a product of two distinct primes, $\displaystyle{ p }$ and $\displaystyle{ q }$, $\displaystyle{ \varphi(N)=(p-1)(q-1) }$, which for $\displaystyle{ N = 15 }$ is $\displaystyle{ 8 }$, and $\displaystyle{ r }$ divides $\displaystyle{ 8 }$.
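The classical part above, steps 1 to 7 together with the two pre-checks (even $N$, perfect power), as an added worked example in Python; this is not code from the article. Because no quantum hardware is involved, the quantum period-finding subroutine is replaced by a constructed classical stand-in, `find_order`, which finds the order of $a$ modulo $N$ by brute force: it is exponential in $\log N$, but it returns exactly the $r$ the quantum part would, which is all the reduction needs. The function names and the optional `a` argument (used to reproduce the $N = 15$, $a = 7$ run) are this example's own choices.

```python
from math import gcd
from random import randrange


def find_order(a, N):
    """Multiplicative order of a modulo N, assuming gcd(a, N) == 1.

    Constructed classical stand-in for the quantum period-finding subroutine:
    it walks a, a^2, a^3, ... until the value 1 reappears, so it costs O(r)
    multiplications instead of a polynomial number of quantum gates.
    """
    r, power = 1, a % N
    while power != 1:
        power = (power * a) % N
        r += 1
    return r


def perfect_power_base(N):
    """Return m if N == m**k for some integers m >= 2, k >= 2, else None.

    Integer-exact binary search per exponent k, so it is safe for big N.
    """
    for k in range(2, N.bit_length() + 1):
        lo, hi = 2, 1 << (N.bit_length() // k + 1)   # hi**k > N by construction
        while lo <= hi:
            mid = (lo + hi) // 2
            p = mid ** k
            if p == N:
                return mid
            if p < N:
                lo = mid + 1
            else:
                hi = mid - 1
    return None


def shor_classical(N, a=None, order_oracle=find_order, rng=randrange):
    """Classical reduction (steps 1-7) for a composite N > 3.

    Returns a factor pair (d, N // d) with 1 < d < N. `a` fixes the first
    choice in step 1 for reproducibility; any retry draws a fresh random a.
    """
    if N % 2 == 0:                          # pre-check: even N
        return (2, N // 2)
    m = perfect_power_base(N)
    if m is not None:                       # pre-check: N is a power of an integer
        return (m, N // m)
    while True:
        a_try = a if a is not None else rng(2, N)   # step 1: 1 < a < N
        a = None                                    # later attempts are random
        K = gcd(a_try, N)                           # step 2
        if K != 1:                                  # step 3: a shares a factor with N
            return (K, N // K)
        r = order_oracle(a_try, N)                  # step 4: period of a^x mod N
        if r % 2 == 1:                              # step 5: odd period, try again
            continue
        half = pow(a_try, r // 2, N)
        if half == N - 1:                           # step 6: a^{r/2} = -1 mod N, try again
            continue
        d = gcd(half - 1, N)                        # step 7: both gcd(half -+ 1, N) are nontrivial
        return (d, N // d)


if __name__ == "__main__":
    print(shor_classical(15, a=7))   # the article's example: r = 4, gives (3, 5)
    print(shor_classical(21, a=2))   # r = 6, a^{r/2} = 8, gives (7, 3)
```

Passing `a=14` for $N = 15$ exercises the step 6 retry: $14 \equiv -1$, so $r = 2$ and $a^{r/2} \equiv -1$, and the loop draws a new $a$.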

### Quantum part: period-finding subroutine

The quantum circuits used for this algorithm are custom designed for each choice of $\displaystyle{ N }$ and each choice of the random $\displaystyle{ a }$ which have the relationship $\displaystyle{ f(x) = a^{x} \bmod N }$. Given value $\displaystyle{ N }$, a value $\displaystyle{ Q = 2^{q} }$ is chosen such that $\displaystyle{ N^{2} \leq Q \lt 2 N^{2} }$. Such a value of $\displaystyle{ Q }$ implies that $\displaystyle{ \dfrac{Q}{r} \gt N }$. The input and output qubit registers will store superpositions of values from $\displaystyle{ 0 }$ to $\displaystyle{ Q - 1 }$. Therefore, these registers have $\displaystyle{ q }$ qubits each. Using what might appear to be twice as many qubits as necessary guarantees that there are at least $\displaystyle{ N }$ different values of $\displaystyle{ x }$ that produce the same $\displaystyle{ f(x) }$, even as the period $\displaystyle{ r }$ approaches $\displaystyle{ \dfrac{N}{2} }$. The following uses bra-ket notation to denote quantum states.

Proceed as follows:

1. Initialize the registers to
$\displaystyle{ \frac{1}{\sqrt{Q}} \sum_{x = 0}^{Q - 1} | x \rangle = \left(\frac{1}{\sqrt{2}} \sum_{x_{1} = 0}^{1} | x_{1} \rangle \right) \otimes \cdots \otimes \left(\frac{1}{\sqrt{2}} \sum_{x_{q} = 0}^{1} | x_{q} \rangle \right). }$

where $\displaystyle{ \otimes }$ denotes the tensor product.

This initial state is a superposition of $\displaystyle{ Q }$ states, and is obtained by generating $\displaystyle{ q }$ independent qubits, each an equal superposition of $\displaystyle{ 0 }$ and $\displaystyle{ 1 }$ states. We can accomplish this by initializing the qubits to the zero-position, and then applying a Hadamard gate to each of the $\displaystyle{ q }$ qubits, where $\displaystyle{ 2^{q} = Q }$. This process is called the Hadamard transform.
2. Construct $\displaystyle{ f(x) }$ as a quantum function and apply it to the above state, to obtain
$\displaystyle{ U_f | x, 0^n \rangle = | x,f(x) \rangle }$
$\displaystyle{ U_f \frac{1}{\sqrt{Q}} \sum_{x = 0}^{Q - 1} | x, 0^n \rangle = \frac{1}{\sqrt{Q}} \sum_{x = 0}^{Q - 1} | x,f(x) \rangle }$
Note: $\displaystyle{ f(x) = a^{x} \bmod N }$. This is still a superposition of $\displaystyle{ Q }$ states. However, the $\displaystyle{ q + n }$ qubits, i.e., the $\displaystyle{ q }$ input qubits and $\displaystyle{ n }$ ($\displaystyle{ \gt {\log_{2}}(N) }$) output qubits, are now entangled or not separable, as the state cannot be written as a tensor product of states of individual qubits. Importantly, the value containing the $\displaystyle{ r }$ we are looking for is now stored in the phase of the input qubits $\displaystyle{ x }$ as a result of "phase kickback", where using qubits as control inputs to unitary gates alters the relative phase of the control qubits.
3. Apply the inverse quantum Fourier transform to the input register. This transform (operating on a superposition of $\displaystyle{ Q = 2^{q} }$ states) uses a $\displaystyle{ Q }$-th root of unity such as $\displaystyle{ \omega = e^{\frac{2 \pi i}{Q}} }$ to distribute the amplitude of any given $\displaystyle{ | x \rangle }$ state equally among all $\displaystyle{ Q }$ of the $\displaystyle{ | y \rangle }$ states, and to do so in a different way for each different $\displaystyle{ x }$. We thus obtain
$\displaystyle{ {U_{\operatorname{QFT}}}(| x \rangle) = \frac{1}{\sqrt{Q}} \sum_{y = 0}^{Q - 1} \omega^{x y} | y \rangle. }$
This leads to the final state
$\displaystyle{ \frac{1}{Q} \sum_{x = 0}^{Q - 1} \sum_{y = 0}^{Q - 1} \omega^{x y} | y,f(x) \rangle. }$
Now, we reorder this sum as
$\displaystyle{ \frac{1}{Q} \sum_{z = 0}^{N - 1} \sum_{y = 0}^{Q - 1} \left[ \sum_{x \in \{ 0,\ldots,Q - 1 \}; ~ f(x) = z} \omega^{x y} \right] | y,z \rangle. }$
This is a superposition of many more than $\displaystyle{ Q }$ states, but many fewer than $\displaystyle{ Q^{2} }$ states, as there are fewer than $\displaystyle{ Q }$ distinct values of $\displaystyle{ z = f(x) }$. Let
• $\displaystyle{ \omega = e^{\frac{2 \pi i}{Q}} }$ be a $\displaystyle{ Q }$-th root of unity,
• $\displaystyle{ r }$ be the period of $\displaystyle{ f }$,
• $\displaystyle{ x_{0} }$ be the smallest of the $\displaystyle{ x \in \{ 0,\ldots,Q - 1 \} }$ for which $\displaystyle{ f(x) = z }$ (we have $\displaystyle{ x_{0} \lt r }$), and
• write $\displaystyle{ m - 1 = \left\lfloor \frac{Q - x_{0} - 1}{r} \right\rfloor }$
• $\displaystyle{ b }$ indexes these $\displaystyle{ x }$, running from $\displaystyle{ 0 }$ to $\displaystyle{ m - 1 }$, so that $\displaystyle{ x_{0} + r b \lt Q }$.
Then $\displaystyle{ \omega^{r y} }$ is a unit vector in the complex plane ($\displaystyle{ \omega }$ is a root of unity, and $\displaystyle{ r }$ and $\displaystyle{ y }$ are integers), and the coefficient of $\displaystyle{ \dfrac{1}{Q} \left| y,z \right\rangle }$ in the final state is
$\displaystyle{ \sum_{x \in \{ 0,\ldots,Q - 1 \}; ~ f(x) = z} \omega^{x y} = \sum_{b = 0}^{m - 1} \omega^{(x_{0} + r b) y} = \omega^{x_{0} y} \sum_{b = 0}^{m - 1} \omega^{r b y}. }$
Each term in this sum represents a different path to the same result, and quantum interference occurs — constructive when the unit vectors $\displaystyle{ \omega^{r y b} }$ point in nearly the same direction in the complex plane, which requires that $\displaystyle{ \omega^{r y} }$ point along the positive real axis.
4. Perform a measurement. We obtain some outcome $\displaystyle{ y }$ in the input register and some outcome $\displaystyle{ z }$ in the output register. As $\displaystyle{ f }$ is periodic, the probability of measuring some state $\displaystyle{ | y,z \rangle }$ is given by
$\displaystyle{ \mathrm{Pr}(| y, z \rangle)= \left| \frac{1}{Q} \sum_{x \in \{ 0,\ldots,Q - 1 \}; ~ f(x) = z} \omega^{x y} \right|^{2} = \frac{1}{Q^{2}} \left| \sum_{b = 0}^{m - 1} \omega^{(x_{0} + r b) y} \right|^{2} = \frac{1}{Q^{2}} |\omega^{x_{0} y}|^{2}\left| \sum_{b = 0}^{m - 1} \omega^{b r y} \right|^{2} }$
$\displaystyle{ = \frac{1}{Q^{2}} \left| \sum_{b = 0}^{m - 1} \omega^{b r y} \right|^{2} = \frac{1}{Q^{2}} \left|\frac{\omega^{m r y} - 1}{\omega^{r y} - 1} \right|^{2} = \frac{1}{Q^{2}} \frac{\sin^2(\frac{\pi m r y}{Q})}{\sin^2(\frac{\pi r y}{Q})} }$
Analysis now shows that this probability is higher the closer the unit vector $\displaystyle{ \omega^{r y} }$ is to the positive real axis, or the closer $\displaystyle{ \dfrac{y r}{Q} }$ is to an integer. Unless $\displaystyle{ r }$ is a power of $\displaystyle{ 2 }$, it will not be a factor of $\displaystyle{ Q }$.
5. Since $\displaystyle{ \frac{y r}{Q} }$ is close to some integer $\displaystyle{ c }$, the known value $\displaystyle{ \dfrac{y}{Q} }$ is close to the unknown value $\displaystyle{ \dfrac{c}{r} }$. Performing [classical] continued fraction expansion on $\displaystyle{ \dfrac{y}{Q} }$ allows us to find approximations $\displaystyle{ \dfrac{d}{s} }$ of it that satisfy two conditions:
1. $\displaystyle{ s \lt N }$.
2. $\displaystyle{ \left| \dfrac{y}{Q} - \dfrac{d}{s} \right| \lt \dfrac{1}{2 Q} }$.
Given these multiple conditions (and assuming $\displaystyle{ \dfrac{d}{s} }$ is irreducible), $\displaystyle{ s }$ is very likely to be the appropriate period $\displaystyle{ r }$, or at least a factor of it.
6. Check (classically) if $\displaystyle{ f(x) = f(x + s) \Leftrightarrow a^{s} \equiv 1 \bmod N }$. If so, then we are done.
7. Otherwise, (classically) obtain more candidates for $\displaystyle{ r }$ by using multiples of $\displaystyle{ s }$, or by using other $\displaystyle{ s }$ with $\displaystyle{ \dfrac{d}{s} }$ near $\displaystyle{ \dfrac{y}{Q} }$. If any candidate works, then we are done.
8. Otherwise, try again starting from step 1 of this subroutine.
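The classical post-processing of steps 5 to 8, as an added Python example (not code from the article): given a measured $y$, expand $y/Q$ as a continued fraction, keep the convergents $d/s$ that satisfy both conditions of step 5, test $s$ in step 6, and fall back to multiples of $s$ in step 7. The function names are this example's own; the measured values fed in (for $N = 15$, $a = 7$, $Q = 256$) are constructed to show a good outcome ($y = 64$), an outcome where only a factor of $r$ is recovered ($y = 128$), and an uninformative outcome ($y = 63$, which satisfies neither condition and sends the caller back to step 1 of the subroutine).

```python
from fractions import Fraction


def convergents(num, den):
    """Yield the continued-fraction convergents of num/den in order, as Fractions.

    Uses the standard recurrence h_k = a_k*h_{k-1} + h_{k-2}, k_k = a_k*k_{k-1} + k_{k-2}
    with h_{-1} = 1, h_{-2} = 0, k_{-1} = 0, k_{-2} = 1.
    """
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    while den:
        a_k, rem = divmod(num, den)       # next partial quotient
        h_prev, h = h, a_k * h + h_prev
        k_prev, k = k, a_k * k + k_prev
        yield Fraction(h, k)              # already in lowest terms
        num, den = den, rem


def recover_period(y, Q, a, N):
    """Steps 5-7: turn a measured y into the period r, or None if y is uninformative.

    A convergent d/s is a candidate when s < N and |y/Q - d/s| < 1/(2Q) (step 5).
    s itself is tested (step 6); if that fails, multiples of s below N are tried,
    because d/s may be c/r with a common factor cancelled (step 7).
    """
    target = Fraction(y, Q)
    bound = Fraction(1, 2 * Q)
    for conv in convergents(y, Q):
        s = conv.denominator
        if s >= N or abs(target - conv) >= bound:
            continue
        cand = s
        while cand < N:                   # r < N always, so stop there
            if pow(a, cand, N) == 1:      # a^cand = 1 mod N <=> f(x) = f(x + cand)
                return cand
            cand += s
    return None                           # step 8: measure again


if __name__ == "__main__":
    for y in (64, 128, 63):
        print(y, recover_period(y, 256, 7, 15))
```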

## Explanation of the algorithm

The algorithm is composed of two parts. The first part of the algorithm turns the factoring problem into the problem of finding the period of a function and may be implemented classically. The second part finds the period using the quantum Fourier transform and is responsible for the quantum speedup.

### Non-trivial square root of [1 modulo N]

Shor's algorithm hinges on finding a non-trivial square root of $\displaystyle{ 1 }$ modulo $\displaystyle{ N }$; that is, a solution to

$\displaystyle{ b^2\equiv 1\bmod N }$

where $\displaystyle{ b\not\equiv \pm 1\bmod N }$.

If such $\displaystyle{ b }$ exists, we claim that $\displaystyle{ d = \gcd(b - 1,N) }$ is a proper factor of $\displaystyle{ N }$, i.e., $\displaystyle{ d \neq 1,N }$. In fact, if $\displaystyle{ d = N }$, then $\displaystyle{ N }$ divides $\displaystyle{ b - 1 }$, so that $\displaystyle{ b \equiv 1 \bmod N }$, which goes against the construction of $\displaystyle{ b }$. If, on the other hand, $\displaystyle{ d = \gcd(b - 1,N) = 1 }$, then by Bézout's identity, there are integers $\displaystyle{ u,v }$ such that

$\displaystyle{ (b - 1) u + N v = 1. }$

Multiplying both sides by $\displaystyle{ b + 1 }$, we obtain

$\displaystyle{ (b^{2} - 1) u + N (b + 1) v = b + 1. }$

As $\displaystyle{ N }$ divides $\displaystyle{ b^{2} - 1 }$, we find that $\displaystyle{ N }$ divides $\displaystyle{ b + 1 }$, so that $\displaystyle{ b \equiv - 1 \bmod N }$, again contradicting the construction of $\displaystyle{ b }$.

Therefore, $\displaystyle{ d }$ is the required proper factor of $\displaystyle{ N }$. Similarly, it can be proven that $\displaystyle{ \gcd(b + 1,N) }$ is also a proper factor of $\displaystyle{ N }$.

For such a non-trivial square root of $\displaystyle{ 1 }$ modulo $\displaystyle{ N }$ to exist, notice that $\displaystyle{ -1\equiv 1\bmod 2 }$, and for any power of an odd prime $\displaystyle{ N=p^{n} }$, there is no non-trivial square root of $\displaystyle{ 1 }$ modulo $\displaystyle{ N }$: For any $\displaystyle{ (b+1)(b-1)=m p^{n}, }$ either $\displaystyle{ b-1 }$ or $\displaystyle{ b+1 }$ has to be a multiple of $\displaystyle{ N=p^{n} }$.

Therefore, for Shor's algorithm to work, we need $\displaystyle{ N }$ to be odd (otherwise $\displaystyle{ 2 }$ is a divisor) and not to be any power of an odd prime (otherwise that prime is a divisor). We can check that there are no integer roots $\displaystyle{ \sqrt[k]{N} }$ for $\displaystyle{ 2 \leq k \leq {\log_{3}}(N) }$, and if $\displaystyle{ N }$ is not a power of any integer, it is not a power of any odd prime. Here, the upper bound for the integer $\displaystyle{ k }$ that we need to check is determined by $\displaystyle{ \sqrt[k]{N}\geq3 }$, since for $\displaystyle{ N }$ to be odd, $\displaystyle{ \sqrt[k]{N} }$ cannot be $\displaystyle{ 2 }$. This check, however, cannot rule out that $\displaystyle{ N }$ may be an odd prime itself, which can only be ruled out by primality-testing algorithms.

Given that $\displaystyle{ N }$ is odd and not any power of an odd prime, based on the fundamental theorem of arithmetic, we may assume that $\displaystyle{ N }$ is the product of two coprime integers greater than $\displaystyle{ 2 }$ ($\displaystyle{ N=n_1n_2 }$ and $\displaystyle{ n_1,n_2\gt 2,\, \gcd(n_1,n_2)=1 }$). From the four combinations of choosing plus sign and minus sign in the integer equations $\displaystyle{ x=m_1n_1\pm 1=m_2n_2\pm 1 }$, based on the Chinese remainder theorem and $\displaystyle{ n_1,n_2\gt 2 }$, there are at least four distinct square roots of $\displaystyle{ 1 }$ modulo $\displaystyle{ N }$, and therefore at least two distinct non-trivial square roots exist. In fact, they are the solutions to $\displaystyle{ b'=m_1n_1+1=m_2n_2-1 }$ and $\displaystyle{ b''=m_1n_1-1=m_2n_2+1 }$.
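The Chinese-remainder construction of the four square roots of $1$ modulo $N = n_1 n_2$, as an added Python example (not code from the article). For each sign choice $(\pm 1 \bmod n_1, \pm 1 \bmod n_2)$ it combines the two residues with the CRT idempotents, checks that the result squares to $1$, and shows that the two non-trivial roots $b'$ and $b''$ hand back $n_1$ and $n_2$ through $\gcd(b \pm 1, N)$. Function names are this example's own; `pow(x, -1, m)` for the modular inverse needs Python 3.8 or later.

```python
from math import gcd


def crt_square_roots_of_one(n1, n2):
    """All four square roots of 1 modulo N = n1*n2 (n1, n2 coprime and > 2), keyed by
    the sign pattern (s1, s2) meaning b = s1 mod n1 and b = s2 mod n2."""
    assert gcd(n1, n2) == 1 and n1 > 2 and n2 > 2
    N = n1 * n2
    # CRT idempotents: e1 = 1 mod n1 and 0 mod n2; e2 = 0 mod n1 and 1 mod n2.
    e1 = n2 * pow(n2, -1, n1) % N
    e2 = n1 * pow(n1, -1, n2) % N
    roots = {}
    for s1 in (1, -1):
        for s2 in (1, -1):
            b = (s1 * e1 + s2 * e2) % N
            assert b * b % N == 1            # it really is a square root of 1
            roots[(s1, s2)] = b
    return roots


def nontrivial_roots(n1, n2):
    """The two roots other than +1 and -1: b' (1 mod n1, -1 mod n2) and b'' (-1 mod n1, 1 mod n2)."""
    roots = crt_square_roots_of_one(n1, n2)
    return roots[(1, -1)], roots[(-1, 1)]


def factors_from_root(b, N):
    """Step 7 of the classical part applied to a non-trivial root: (gcd(b-1, N), gcd(b+1, N))."""
    return gcd(b - 1, N), gcd(b + 1, N)


if __name__ == "__main__":
    b1, b2 = nontrivial_roots(3, 5)          # N = 15: b' = 4, b'' = 11
    print(b1, b2, factors_from_root(b1, 15), factors_from_root(b2, 15))
```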

### Obtaining factors from period

The integers less than $\displaystyle{ N }$ and coprime with $\displaystyle{ N }$ form the multiplicative group of integers modulo $\displaystyle{ N }$, which is a finite abelian group $\displaystyle{ G }$. The size of this group is given by $\displaystyle{ \varphi(N) }$. By the end of step 3, we have an integer $\displaystyle{ a }$ in this group. As the group is finite, $\displaystyle{ a }$ must have a finite order $\displaystyle{ r }$, which is the smallest positive integer such that

$\displaystyle{ a^{r} \equiv 1 \bmod N. }$

This is the order $\displaystyle{ r }$ of the finite cyclic subgroup $\displaystyle{ \langle a \rangle }$ of the group $\displaystyle{ (\mathbb{Z}_{N})^{\times} }$, which is the smallest positive integer $\displaystyle{ r }$ for which $\displaystyle{ a^{x + r} \bmod N \equiv a^{x} \bmod N }$. Since $\displaystyle{ a }$ and $\displaystyle{ N }$ are coprime, by Euler's totient theorem, $\displaystyle{ r }$ must exist, and divides $\displaystyle{ \varphi(N) }$, where $\displaystyle{ \varphi }$ denotes Euler's totient function.

Therefore, $\displaystyle{ N }$ divides $\displaystyle{ a^{r} - 1 }$ (also written $\displaystyle{ N \mid a^{r} - 1 }$). Suppose that we are able to obtain $\displaystyle{ r }$ and that it is even. (If $\displaystyle{ r }$ is odd, then by step 5, we have to restart the algorithm with a different random number $\displaystyle{ a }$.) Now $\displaystyle{ b \equiv a^{r / 2} \bmod N }$ is a square root of $\displaystyle{ 1 }$ modulo $\displaystyle{ N }$ that is different from $\displaystyle{ 1 }$. This is because $\displaystyle{ r }$ is the order of $\displaystyle{ a }$ modulo $\displaystyle{ N }$, so $\displaystyle{ a^{r / 2} \not\equiv 1 \bmod N }$, or else the order of $\displaystyle{ a }$ in this group would be $\displaystyle{ \dfrac{r}{2} }$. If $\displaystyle{ a^{r / 2} \equiv - 1 \bmod N }$, then by step 6, we have to restart the algorithm with a different random number $\displaystyle{ a }$.

Eventually, we must hit an $\displaystyle{ a }$ of order $\displaystyle{ r }$ in $\displaystyle{ G }$ such that $\displaystyle{ b \equiv a^{r / 2} \not\equiv \pm 1 \bmod N }$. This is because such a $\displaystyle{ b }$ is a square root of $\displaystyle{ 1 }$ modulo $\displaystyle{ N }$ other than $\displaystyle{ 1 }$ and $\displaystyle{ - 1 }$, whose existence is guaranteed by the Chinese remainder theorem, as the odd number $\displaystyle{ N }$ is not a prime power.

### Finding the period

Shor's period-finding algorithm relies heavily on the ability of a quantum computer to be in many states simultaneously.

Physicists call this behavior a "superposition" of states. To compute the period of a function $\displaystyle{ f }$, we evaluate the function at all points simultaneously.

Quantum physics does not allow us to access all this information directly, however. A measurement will yield only one of all possible values, destroying all others. If not for the no-cloning theorem, we could first measure $\displaystyle{ f(x) }$ without measuring $\displaystyle{ x }$, and then make a few copies of the resulting state (which is a superposition of states all having the same $\displaystyle{ f(x) }$). Measuring $\displaystyle{ x }$ on these states would provide different $\displaystyle{ x }$ values which give the same $\displaystyle{ f(x) }$, leading to the period. Because we cannot make exact copies of a quantum state, this method does not work. Therefore, we have to carefully transform the superposition to another state that will return the correct answer with high probability. This is achieved by the quantum Fourier transform.

Shor thus had to solve three "implementation" problems. All of them had to be implemented "fast", which means that they can be implemented with a number of quantum gates that is polynomial in $\displaystyle{ \log N }$.

1. Create a superposition of states. This can be done by applying Hadamard gates to all qubits in the input register. Another approach would be to use the quantum Fourier transform (see below).
2. Implement the function $\displaystyle{ f }$ as a quantum transform. To achieve this, Shor used repeated squaring for his modular exponentiation transformation. It is important to note that this step is more difficult to implement than the quantum Fourier transform, in that it requires ancillary qubits and substantially more gates to accomplish.
3. Perform a quantum Fourier transform. By using controlled rotation gates and Hadamard gates, Shor designed a circuit for the quantum Fourier transform (with $\displaystyle{ Q = 2^{q} }$) that uses just $\displaystyle{ \dfrac{q (q - 1)}{2} = O \! \left((\log Q)^{2} \right) }$ gates.

After all these transformations, a measurement will yield an approximation to the period $\displaystyle{ r }$. For simplicity assume that there is a $\displaystyle{ y }$ such that $\displaystyle{ \dfrac{y r}{Q} }$ is an integer. Then the probability to measure $\displaystyle{ y }$ is $\displaystyle{ 1 }$. To see this, we notice that then

$\displaystyle{ e^{- \frac{2 \pi i b y r}{Q}} = 1 }$

for all integers $\displaystyle{ b }$. Therefore, the sum whose square gives us the probability to measure $\displaystyle{ y }$ will be $\displaystyle{ \dfrac{Q}{r} }$, as $\displaystyle{ b }$ takes roughly $\displaystyle{ \dfrac{Q}{r} }$ values and thus the probability is $\displaystyle{ \dfrac{1}{r^{2}} }$. There are $\displaystyle{ r }$ possible values of $\displaystyle{ y }$ such that $\displaystyle{ \dfrac{y r}{Q} }$ is an integer, and also $\displaystyle{ r }$ possibilities for $\displaystyle{ f(x_{0}) }$, so the probabilities sum to $\displaystyle{ 1 }$.
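The measurement statistics of the period-finding subroutine (step 3's reordered state and the closed form of step 4), and the $1/r^{2}$ claim of the paragraph above, as an added classical Python simulation; this is not code from the article and it simulates nothing quantum, it just evaluates the amplitude $\frac{1}{Q}\sum_{x : f(x)=z}\omega^{xy}$ for every pair $(y, z)$ and compares $|\cdot|^{2}$ with $\frac{1}{Q^{2}}\,\sin^{2}(\pi m r y/Q)/\sin^{2}(\pi r y/Q)$. For $N = 15$, $a = 7$, $Q = 2^{8}$ the period $r = 4$ divides $Q$, so exactly the $r$ values $y \in \{0, 64, 128, 192\}$ are measured, each pair $(y, z)$ with probability $1/r^{2} = 1/16$ and each $y$ with probability $1/r$. The second case, $N = 21$, $a = 2$, $Q = 2^{9}$, has $r = 6 \nmid Q$, and the closed form still matches the direct sum for every pair. Function names are this example's own.

```python
import cmath
from math import pi, sin


def period_finding_distribution(a, N, q):
    """Evaluate the state after step 3 classically.

    Returns (joint, info): joint[(y, z)] = Pr(|y, z>) for every y in 0..Q-1 and every
    value z = f(x); info[z] = (x0, m), the smallest x with f(x) = z and the number of
    such x, as used in the closed form.
    """
    Q = 1 << q
    roots = [cmath.exp(2j * pi * k / Q) for k in range(Q)]     # omega^k for k = 0..Q-1
    by_z = {}
    for x in range(Q):
        by_z.setdefault(pow(a, x, N), []).append(x)             # group x by z = f(x)
    joint = {}
    for y in range(Q):
        for z, xs in by_z.items():
            amp = sum(roots[(x * y) % Q] for x in xs) / Q       # omega^{xy} depends only on xy mod Q
            joint[(y, z)] = abs(amp) ** 2
    info = {z: (xs[0], len(xs)) for z, xs in by_z.items()}
    return joint, info


def closed_form(y, m, r, Q):
    """Pr(|y, z>) = (1/Q^2) sin^2(pi m r y / Q) / sin^2(pi r y / Q).

    When r y / Q is an integer all m unit vectors omega^{b r y} coincide, so the
    sum is m and the probability is (m/Q)^2; that is the limit of the ratio.
    """
    if (r * y) % Q == 0:
        return (m / Q) ** 2
    return (sin(pi * m * r * y / Q) / sin(pi * r * y / Q) / Q) ** 2


def marginal_y(joint, Q):
    """Pr(y) summed over the output register value z."""
    pr = [0.0] * Q
    for (y, _z), p in joint.items():
        pr[y] += p
    return pr


def max_closed_form_error(a, N, q, r):
    """Largest |direct sum - closed form| over all (y, z); r is the known period of a mod N."""
    joint, info = period_finding_distribution(a, N, q)
    Q = 1 << q
    return max(abs(p - closed_form(y, info[z][1], r, Q)) for (y, z), p in joint.items())


if __name__ == "__main__":
    joint, info = period_finding_distribution(7, 15, 8)
    pr = marginal_y(joint, 256)
    print([y for y in range(256) if pr[y] > 1e-9])         # [0, 64, 128, 192]
    print(joint[(64, 1)], info)                            # 0.0625 = 1/r^2
    print(max_closed_form_error(2, 21, 9, 6))
```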

The period-finding routine can be considered a variation of the more general quantum phase estimation algorithm to determine the eigenvalue of a unitary corresponding to an eigenvector. In the case of the period-finding routine used in Shor's algorithm, the unitary in question is modular multiplication by the chosen base mod $\displaystyle{ N }$. While the computational basis $\displaystyle{ |1\rangle }$ is not an eigenvector of this unitary, it is a uniform superposition of its $\displaystyle{ r }$ eigenvectors and thus the measurement will give the eigenvalue's phase for one of the eigenvectors. Since not all such phases can be used to extract the period, retries of the subroutine may be necessary.

### The bottleneck

The runtime bottleneck of Shor's algorithm is quantum modular exponentiation, which is much slower than the quantum Fourier transform and the classical pre- and post-processing. There are several approaches to constructing and optimizing circuits for modular exponentiation. The simplest and (currently) most practical approach is to mimic conventional arithmetic circuits with reversible gates, starting with ripple-carry adders. Knowing the base and the modulus of the exponentiation facilitates further optimizations. Reversible circuits typically use on the order of $\displaystyle{ n^3 }$ gates for $\displaystyle{ n }$ qubits. Alternative techniques asymptotically improve gate counts by using quantum Fourier transforms, but are not competitive with fewer than 600 qubits owing to high constants.

## Discrete logarithms

Given a group $\displaystyle{ G }$ with order $\displaystyle{ p }$ and generator $\displaystyle{ g \in G }$, suppose we know that $\displaystyle{ x = g^{r} \in G }$, for some $\displaystyle{ r \in \mathbb{Z}_p }$, and we wish to compute $\displaystyle{ r }$, which is the discrete logarithm: $\displaystyle{ r = {\log_{g}}(x) }$. Consider the abelian group $\displaystyle{ \mathbb{Z}_{p} \times \mathbb{Z}_{p} }$, where each factor corresponds to modular addition of values. Now, consider the function

$\displaystyle{ f \colon \mathbb{Z}_{p} \times \mathbb{Z}_{p} \to G \;;\; f(a,b) = g^{a} x^{- b} . }$

This gives us an abelian hidden subgroup problem, as $\displaystyle{ f }$ corresponds to a group homomorphism. The kernel corresponds to the multiples of $\displaystyle{ (r,1) }$. So, if we can find the kernel, we can find $\displaystyle{ r }$. A quantum algorithm for solving this problem exists. This algorithm is, like the factor-finding algorithm, due to Peter Shor and both are implemented by creating a superposition through using Hadamard gates, followed by implementing $\displaystyle{ f }$ as a quantum transform, followed finally by a quantum Fourier transform. Due to this, the quantum algorithm for computing the discrete logarithm is also occasionally referred to as "Shor's Algorithm."

The order-finding problem can also be viewed as a hidden subgroup problem. To see this, consider the group of integers under addition, and for a given $\displaystyle{ a\in\mathbb{Z} }$ such that: $\displaystyle{ a^{r}=1 }$, the function

$\displaystyle{ f \colon \mathbb{Z}\to \mathbb{Z} \;;\; f(x) = a^{x},\; f(x+r) = f(x) . }$

For any finite abelian group G, a quantum algorithm exists for solving the hidden subgroup for G in polynomial time.
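The hidden-subgroup structure behind the discrete-logarithm variant, as an added Python example (not code from the article). It takes a concrete group, the order-11 subgroup of $(\mathbb{Z}/23\mathbb{Z})^{\times}$ generated by $g = 2$, with $x = g^{7} = 13$, evaluates $f(a, b) = g^{a} x^{-b}$ on all of $\mathbb{Z}_{11} \times \mathbb{Z}_{11}$, and recovers the kernel by exhaustive enumeration, which is the classical stand-in for the quantum step: the kernel turns out to be exactly the multiples of $(r, 1)$, and any kernel element with $b \neq 0$ gives $r = a b^{-1} \bmod p$. The group, the generator and the exponent $7$ are constructed for the example; the function names are this example's own.

```python
def f_dlog(a, b, g, x, modulus):
    """f(a, b) = g^a * x^(-b) in the multiplicative group modulo `modulus`."""
    x_pow_b_inv = pow(pow(x, b, modulus), -1, modulus)
    return pow(g, a, modulus) * x_pow_b_inv % modulus


def hidden_subgroup(g, x, p, modulus):
    """Kernel of f on Z_p x Z_p, i.e. all (a, b) with f(a, b) = identity.

    Found by trying all p^2 pairs: a classical stand-in for what the quantum
    algorithm extracts with Hadamards, U_f and a quantum Fourier transform.
    """
    return {(a, b) for a in range(p) for b in range(p)
            if f_dlog(a, b, g, x, modulus) == 1}


def generated_by(r, p):
    """The cyclic subgroup of Z_p x Z_p generated by (r, 1)."""
    return {(k * r % p, k) for k in range(p)}


def dlog_from_kernel(kernel, p):
    """Any kernel element (a, b) with b != 0 satisfies a = r*b (mod p), so r = a * b^(-1).
    p must be prime for the modular inverse to exist."""
    a, b = next((a, b) for (a, b) in kernel if b != 0)
    return a * pow(b, -1, p) % p


def recover_dlog(g, x, p, modulus):
    """Full classical pipeline: kernel of f, then read r off a kernel element."""
    return dlog_from_kernel(hidden_subgroup(g, x, p, modulus), p)


if __name__ == "__main__":
    # Constructed instance: g = 2 has order p = 11 modulo 23, and x = 2^7 mod 23 = 13.
    print(recover_dlog(2, 13, 11, 23))                       # 7
    print(hidden_subgroup(2, 13, 11, 23) == generated_by(7, 11))   # True
```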