Closed-form formula on quantum factorization effectiveness

The quantum factorization effectiveness is limited both by inherent randomness of the quantum measurement and requirement of special selection of parameters controlling behavior of classic algorithms supporting quantum device operation. However, only coarse bounds on probability of successful parameters selection have been published so far. The proof of an exact expression on factorization efficiency constitutes the main contribution of the paper. The proved expression simply relates Shor’s algorithm efficiency to properties of the factors forming the composite number.


Introduction
Theoretical study of quantum systems used in computational devices has achieved tremendous progress in the last few years. It is shown that quantum computers are capable of efficiently performing some tasks, which are intractable for presently used computers. The quantum order finding [8] is one of the most preeminent applications in quantum information processing. It stimulates research in the field as it provides time complexity reduction of factoring problem from sub-exponential to polynomial one. The interest in efficient solution of that problem is especially great for composite integers being a product of two large prime numbers: the ability to factor such integers is equivalent to breaking the Rivest, Shamir and Adleman (RSA) cryptographic system [3]. The random behavior of Shor's algorithm is related to both inherent features of the quantum measurement and the selection of parameters that control the operation of classic algorithms that assist in quantum computations. It was shown that the uncertainty introduced by quantum measurements could be minimized to an arbitrarily small value by enlarging the size of the registers used by the quantum device [6]. The classic part of the algorithm leads to successful factorization only if some random number x fed as input meets some specific requirements and the result of post processing of the quantum measurement by continued fraction expansion is relatively prime to the order of x. The lower bound on probability of finding parameter x is derived in [2] as where M is the number of prime factors of N . That expression has a maximum value when the composite number is a product of only two prime numbers, which in fact represents the most interesting situation. Some proposals [1,4,5] related to the improvement of the algorithm efficiency have been put forth. However, those modifications have focused on probability of order recovery from quantum measurement.
The aim of this paper is to provide a closed formula on factorization success probability expressed in terms of properties of the factors forming the composite number. The derived analytical expression provides additional insight into the algorithm properties and permits a statistical analysis of its behavior. Factorization of the composite number N is equivalent to order finding of some number 1 < x < N when the following conditions are simultaneously satisfied [8]: where r N (x) denotes the order of x. Classical order finding gives no advantage over other factorization algorithms as its complexity is also exponential. However, it is possible to determine the order of x in polynomial time by the quantum algorithm [8].
The quantum method for finding order is not a reliable procedure because of the inherent uncertainty of quantum measurement. The probability distribution of the possible quantum measurement outcomes has sharp peaks in the vicinity of values that may lead to the successful order recovery. However, there exists a nonzero probability of measurement failure. This probability may be arbitrarily minimized because of its direct relation to the size of the quantum registers [6]. The following steps summarize quantum factorization:
1. Select random number x coprime to N (otherwise $\gcd(x, N)$ is a factor of N). Only some x are good candidates for further processing as the order $r_N(x)$ determined in the next step must satisfy conditions (2).
2. Find the order of x with the quantum computer. The correct order value is successfully recovered only for some subset of valid quantum measurements.
3. Calculate divisor $\gcd(x^{r_N(x)/2} - 1, N)$ and return to point 1.
It is clear that the nature of the quantum factorization algorithm is probabilistic even if perfect fidelity of the quantum measurement is assumed. The success ratio of the algorithm depends on the following random factors:
- the selection of the "lucky" x that fulfills condition (2),
- the order recovery from the quantum measurement result.
The success of the order recovery depends on the order value itself. Assuming the infinite accuracy of the quantum measurement and the single use of the quantum device, the continued fraction expansion algorithm, which is applied to post process the measurement result, provides the correct order recovery when the result of its operation is formed by relatively prime numbers. The count of numbers relatively prime to $r_N(x)$ is given by Euler's totient function $\varphi(r_N(x))$. As a consequence, the order of x may be recovered with probability $\varphi(r_N(x))/r_N(x)$. In a case of failure, the post processing procedure returns a value that is underestimated by some factor. However, if it is possible to use the quantum device over many repetitions, consecutive measurements lead to different factors of $r_N(x)$. The least common multiple of those factors gives the correct value of the order with probability quickly approaching certainty as the number of measurements grows [1]. It follows from the above discussion that the order recovery procedure may be regarded as reliable provided that multiple use of the quantum device is allowed.
Two scenarios of Shor's algorithm operation were considered in the analysis of its effectiveness provided herein. In the first one it was assumed that the quantum device can be used only once. Such a scenario will be used in the initial phase of quantum information processing deployment, when repetitive runs of a quantum computer will undoubtedly be costly in terms of money and effort. The second scenario assumed that multiple usage of the quantum device does not pose a technological challenge, so it is applicable when quantum computation technology becomes a mature solution.

Mathematical preliminaries
The aim of this work is to provide closed form formulas on the effectiveness of the classic part of Shor's algorithm. However, the concise presentation of the proof requires an introduction of additional definitions and lemmas.

Definition 1 Let n be a positive integer. The factor level of b relative to n is the greatest integer α such that $b^{\alpha}$ divides n ($n = b^{\alpha}\mu$ and b does not divide μ).

Lemma 1 Let $x \in \mathbb{Z}_p^*$ for prime p. The order of x relative to p is given by where s is a positive integer such that $x = g^s \bmod p$ and g is the generator of $\mathbb{Z}_p^*$. Proof It follows from Euler's theorem and the order definition that Thus, $s r_p$ must be a multiple of the totient function $\varphi(p) = p - 1$. The order $r_p$ is by definition the smallest positive integer satisfying $s r_p = k(p - 1)$. Thus, $s r_p = \operatorname{lcm}(s, p - 1) = s(p - 1)/\gcd(s, p - 1)$.
α is a positive integer, and μ is not divisible by b. Then b m (m > 0) is a factor of the order r p (x) of some x ∈ Z * p with probability Proof All elements x ∈ Z * p may be expressed as x = g s mod p, where g is the group generator. The generator exponents may be formally expressed as s = b β ν, where β ≥ 0 and ν is not divisible by b. Then, for β ≥ α, the number b is not a factor of the order of x because r p ( Thus, the number of orders divisible by b m can be found as The first part of the thesis results after division by p − 1 = b α μ and generalization for any m > 0. The number of orders not divisible by b is equal to μ directly leads to the second part of the thesis.

Remark 1
The factor level of b relative to r p (x) is equal to m with probability Lemma 3 Let p > 2 be a prime number. If prime number b is not a divisor of ( p − 1), then it is also not a divisor of r p (x).
It follows from the definition of order and Euler's theorem that Thus, for some integer k, kr p (x) = ( p) = p−1. But because of r p (x)'s divisibility by b m , the ( p − 1) must also contain b m as a factor which leads to a contradiction.
Remark 2 Let p − 1 have the following factorization It follows from Lemmas 2 and 3 that the order of any x ∈ Z * p can be represented as follows where 0 ≤ m l ≤ α l . The probability of occurrence of the set of specified divisors results from Remark 1 and is given by the following expression The special case m 1 = m 2 = · · · = m K = 0 corresponds to selection of the element with order r p (x) = 1. If p is prime, there exists only one such element x = 1. The probability of such an event is equal to is also prime relatively prime to N , β k ≥ 0 and μ k are not divisible by b. The probability that b m for m > 0 divides the order relative to N of some randomly selected x ∈ Z * N that is relatively prime to N is equal to The probability that b does not divide r N (x) is equal to Proof Let r p k (x) and r N (x) denote orders of x relative to p k and N , respectively. It follows from r p k (x)'s definition that It also immediately follows that b is not a factor of r N with probability One can define function Q N (b, m) that returns the probability that m is a factor level of b relative to r N (x) (i.e. r N (x) = b m μ and b does not divide μ) as follows If the following factorization is assumed then for each x < N and coprime to N , there exists a set of exponents 0 ≤ m l ≤ γ l such that The probability of the given set occurring is given by which contradicts the initial assumption. Due to symmetry the above reasoning holds for any p k , which leads to the conclusion that the factor level of 2 is the same relative to all r p k and in consequence to r N (x) = lcm ( p 1 , p 2 , . . . , p M ). This proves the if clause. Let us assume that 2 has the same positive factor level relative to any r p k , thus each r p k may be represented as r p k = 2 α μ k , where α > 0 and μ k is odd. If the factor level of 2 relative to r p k is nonzero, then (x r p k /2 − 1)(x r p k /2 + 1) mod p k = 0.
There are only trivial solutions to this equation, namely x r p k /2 mod p k = 1 and x r p k /2 mod p k = −1 for the prime modulus, and the first solution must be excluded because it contradicts the definition of r p k as the order. This leads to the set of M equations of the form This is equivalent to x r N /2 mod N = −1.

Effectiveness of Shor's algorithm
Let X * N and F * N be the sets of all x entering order finding algorithm and the values of parameters suitable for successful factorization, respectively The probability of the algorithm success in the single run is the quotient The calculation of the denominator is straightforward where r k are distinct values of the possible orders of x and l k (x) is the number of x with the specified value of the order. But the value of r k is unambiguously defined by its factorization, thus the number of elements with the given r k value is equal to where X * N = M k=1 ( p k − 1) denotes the number of x relatively prime to N and K l=1 Q N (c l , m l ) describes the probability of occurrence of the given factorization of r N (x). In consequence the summation may be carried out over all distinct factorizations of r N (x) where identity r N (x) = K l=1 c m l l was used. Similarly, the numerator of (6) can be found. Additional complications come from the constraints specified in F * N definition. First of all, the order r N (x) of parameters suitable for factorization has to be even. But because of p k 's primality, the numbers ( p k − 1) are even and the factor 2 is always present in lcm ( p 1 − 1, p 2 − 1, . . . , p M − 1). This is equivalent to setting c 1 = 2, γ 1 ≥ 1 and summation should be carried out for m 1 ≥ 1. The condition x r N (x)/2 mod N = −1 may be expressed in terms of the order factors with the help of Lemma 5. It follows that number of orders r N (x) with factor level of 2 equal to m that are taken into account in the numerator calculation should be diminished by the number of parameters x with orders r p k (x) that have concurrently factor level of 2 also equal to m. The probability of finding x conforming with that constraint is equal to for m > 0. Thus, the second condition resulted in special handling of the first term of (5). 
The probability that the given set of exponents m l corresponds to the number suitable for factorization is given by the product of the following terms The last modification is related to the summed term. The value of totient function can be calculated as when n = K l=1 c α l l . Unfortunately, the above schema cannot be directly applied as not all factors of lcm ( p 1 − 1, p 2 − 1, . . . , p M − 1) are always present in r N (x) factorization. One can easily overcome that difficulty by substitution of 1 when the given factor is absent and where 0 ≤ m l ≤ γ l and γ l are taken from factorization lcm( The value of the numerator may be then calculated as where special handling of m 1 is taken into account. The probability of the successful quantum factorization of the composite number in the single execution of Shor's algorithm is given by The above probability solely depends on the properties of factors p k . In the second scenario, when repetitive runs of quantum device are permitted, the probability of successful factorization is just given by the quotient of number of elements in the sets F * N and X * N , respectively Observations used in calculation of the numerator of (6) still may be used. The only difference lies in the summed term. Thus, the number of elements in the set F * N is equal to and the sought probability is given by Further simplification results from calculation of the failure probability Let the factors of N be represented as p k = 2 α k μ k where μ k is odd. The value of the first term directly follows from Remark 3 and Lemma 4 In the second term the upper summation limit is equal to γ 1 = max (α 1 , α 2 , . . . , α M ).
On the basis of Lemma 2 and Remark 1: Q p k (2, m 1 ) = 0 for m 1 > α k because in this case P p k (2, m 1 ) = 0. Therefore the summed term does not vanish only if m 1 ≤ min (α 1 , α 2 , . . . , α M ) = α min . In the calculation of Q p k (2, m 1 ) two separate cases 0 < m 1 < α k and m 1 = α k must be considered. In the first case In the second case Q p k (2, α k ) = P p k (2, α k ) − P p k (2, α k + 1) = P p k (2, α k ) = 1 2 Thus, independently of the case (i.e., for 0 < m 1 ≤ α k ), Q p k (2, m 1 ) = 2 m 1 −1 /2 α k . Finally, the probability that x is not suitable for factorization is equal to The lower bound (1) is reached when all prime factors of N may be represented as p k = 2μ k for odd μ k . In this case α min = 1 and M k=1 α k = M. The expression (21) may be also easily adapted to the case of quantum cracking of Rivest, Shamir and Adleman (RSA) cryptographic system [7], which is one of the most widely used methods for key agreement and document signing. Its security is based on the assumed computational inability to perform factoring of a modulus comprised of the product of two large prime numbers. Let modulus N = pq, p = 2 α μ + 1, q = 2 β ν + 1. The RSA resistance to quantum attack is then described by the expression Equation (22) predicts minimal value of P R = 1/2 for α = β = 1, which is consistent with the lower bound presented in [2]. It is also in agreement with numerical Monte-Carlo estimation of probability P R for small composite numbers of the form N = pq obtained in [9] and presented in Fig. 1. The numbers α and β are positive integers, thus based on (22), the probability P R can take values only in a discrete set. Those values are plotted by solid lines and the respective combination of α and β is marked on the right axis. The points in Fig. 1 which are not associated with solid lines can be assigned to other levels resulting from (22) which are not marked on the figure for clarity reasons.
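The second-scenario result can be checked exhaustively for small moduli. The following is an added example, not code from the paper: it counts the x coprime to N whose order is even with x^(r/2) ≠ −1 mod N, and compares that fraction with a failure probability assembled from the quantities stated above (Q = 2^(m−1)/2^α for 0 < m ≤ α, the summation limit α_min, and the equal-factor-level condition). Equations (21) and (22) do not survive in this copy, so the assembled form and all function names are assumptions of the example.

```python
from fractions import Fraction
from math import gcd, prod

# Added illustration; helper names are hypothetical, not taken from the paper.
def order(x, n):
    """Multiplicative order of x modulo n (requires gcd(x, n) == 1)."""
    r, y = 1, x % n
    while y != 1:
        y = y * x % n
        r += 1
    return r

def two_level(n):
    """Factor level of 2 relative to n (Definition 1 with b = 2)."""
    level = 0
    while n % 2 == 0:
        n //= 2
        level += 1
    return level

def brute_force_success(primes):
    """Fraction of x coprime to N with even order r and x^(r/2) != -1 mod N."""
    N = prod(primes)
    good = total = 0
    for x in range(1, N):
        if gcd(x, N) != 1:
            continue
        total += 1
        r = order(x, N)
        if r % 2 == 0 and pow(x, r // 2, N) != N - 1:
            good += 1
    return Fraction(good, total)

def closed_form_success(primes):
    """1 - P(2 has the same factor level in every r_{p_k}(x))."""
    alphas = [two_level(p - 1) for p in primes]   # p_k - 1 = 2^alpha_k * mu_k
    fail = Fraction(1, 2 ** sum(alphas))          # every r_{p_k} odd (level 0)
    for m in range(1, min(alphas) + 1):           # common level m, up to alpha_min
        term = Fraction(1)
        for a in alphas:
            term *= Fraction(2 ** (m - 1), 2 ** a)  # Q_{p_k}(2, m)
        fail += term
    return 1 - fail

if __name__ == "__main__":
    for primes in [(7, 11), (3, 5), (5, 13), (3, 7, 11)]:
        print(primes, brute_force_success(primes), closed_form_success(primes))
```

For N = 7 · 11 (α = β = 1) both functions return 1/2, the minimum the text attributes to (22); N = 5 · 13 (α = β = 2) gives 5/8.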

Conclusion
Prior work has been focused on the analysis of the quantum portion of Shor's algorithm [1,5]. However, little attention has been paid to the properties of the classic algorithms that support its operation, and only crude estimations of their efficiency have been proposed [2]. In this study, the probabilistic behavior of classic algorithms that assist in quantum factorization was analyzed also in the context of code-breaking RSA cryptographic systems. An expression that relates factorization effectiveness with the properties of the factors forming the composite number was introduced. The derived analytical expression provides additional insight into the algorithm's properties and permits an in-depth analysis of its efficiency.
Open Access This article is distributed under the terms of the Creative Commons Attribution License which permits any use, distribution, and reproduction in any medium, provided the original author(s) and the source are credited.