The Factoring Problem


Given some positive integer \(N\) consider the problem of determining  its factors. Factors of \(N\) are just the integers that evenly divide \(N\). For a number that is not too large this calculation seems reasonable. The factoring problem can naturally be phrased as a decision problem, in which case the question is: `Does \(N\) have any nontrivial factors  less than some other integer \(p\)?'. As a decision problem, this problem can always be decided in the sense that there always exists a way in principle to answer this question with a `yes' or `no' answer. For instance, some algorithm can simply perform an exhaustive test to check whether or not each integer less than \(N\) divides \(N\) evenly. Suppose now that the number N is some large 500 digit number, or even larger still! Unless this algorithm was able to make some lucky guesses at what the factors may be, this task would take an algorithm like this an impractical amount of time to accomplish. Without prior knowledge to any properties the number N may have, factoring a large N using a computer takes a long time since the computer has to test many potential factors to actually find them.

  On the other hand, the task of simply multiplying two numbers together is a task that computers can efficiently solve. The difference in these two computational tasks, which is the ease in multiplying and the difficulty in factoring, forms the basis of a widely used cryptographic scheme known as  the RSA protocol.\cite{rivest} The RSA protocol is used mainly for purposes of digital security such as banking and other internet transactions. However, for this security, the implementors of RSA are relying on the assumption that no one has an algorithm or  computer fast enough to successfully factor N. For all practical purposes this assumption is reasonable since no classical algorithm is known which enables  efficient factoring. The current best being the number field sieve.\cite{lenstra}

In 1994, Peter Shor \cite{shor} constructed an algorithm to be implemented on a quantum computer that can factor a large integer exponentially faster than the best classical algorithms. This is interesting because Shor's algorithm provides evidence that quantum computers may have greater capabilities than traditional classical computers. One of these being the ability for quantum computers to render the RSA protocol obsolete. The running time of the algorithm is bounded by a polynomial in \(n\), where \(n\approx log(N)\) is the number of qubits used, thus placing the problem of factoring in the complexity class \(\mathbf{BQP}\). Although this problem is in \(\mathbf{NP}\) since its easy to verify that a factor is indeed a factor, it is not known if it is also in \(\mathbf{BPP}\) or even \(\mathbf{P}\). In other words, Shor's quantum algorithm is exponentially faster than any classical algorithm that is known at present.

 The essence of Shor's algorithm lies in the fact that the problem of factoring an integer can be reduced to the problem of finding the period of a certain function, which is a problem that can be  efficiently solved on a quantum computer by making use of the eigenvalue estimation algorithm as it will be shown. This reduction can be done classically, meaning that there already exists known efficient and classical algorithmic means for factoring an integer provided with the period of a certain function. To understand why these reductions work requires some number theoretic results. The rest of this section will be invested on explaining the details of this reduction and how a quantum algorithm enables an efficient solution.