On completely factoring any integer efficiently in a single run of an order-finding algorithm

We show that given the order of a single element selected uniformly at random from Z*_N, we can with very high probability, and for any integer N, efficiently find the complete factorization of N in polynomial time. This implies that a single run of the quantum part of Shor's factoring algorithm is usually sufficient. All prime factors of N can then be recovered with negligible computational cost in a classical post-processing step. The classical algorithm required for this step is essentially due to Miller.


Introduction
In what follows, let N = p_1^{e_1} · ... · p_n^{e_n} be an m bit integer, with n ≥ 2 distinct prime factors p_i, for e_i some positive exponents.
Let an algorithm be said to factor N if it computes a non-trivial factor of N, and to completely factor N if it computes the set {p_1, ..., p_n}. Let φ be Euler's totient function, λ be the Carmichael function, and λ'(N) = lcm(p_1 − 1, ..., p_n − 1). Furthermore, let Z*_N denote the multiplicative group of Z_N, the ring of integers modulo N, and let ln and log be the natural and base two logarithms, respectively. Denote by [a, b] the integers from a up to and including b.
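As a concrete illustration of these definitions, the following brute-force sketch (ours, for a small example N; the function names are not from the literature) computes φ(N), λ(N) and λ'(N) for N = 3² · 5 = 45:

```python
from math import gcd, lcm

def phi(n):
    # Euler's totient φ(n), by brute force (fine for a small illustrative n).
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)

def multiplicative_order(a, n):
    # Smallest r > 0 with a^r ≡ 1 (mod n); requires gcd(a, n) = 1.
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def carmichael(n):
    # λ(n), the lcm of the orders of all elements of Z_n^* (brute force).
    return lcm(*[multiplicative_order(a, n) for a in range(1, n) if gcd(a, n) == 1])

# N = 3^2 * 5 = 45, with distinct prime factors p_1 = 3 and p_2 = 5:
N, distinct_primes = 45, [3, 5]
lam_prime = lcm(*[p - 1 for p in distinct_primes])  # λ'(N) = lcm(p_1 - 1, p_2 - 1)
print(phi(N), carmichael(N), lam_prime)  # → 24 12 4
```

Here λ'(45) = 4 divides λ(45) = 12: the extra factor of λ(45) stems from the repeated prime in 3², which λ'(N) disregards.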
Throughout this paper, we shall assume N to be odd for proof-technical reasons. This does not imply a loss of generality: it is easy to fulfill this requirement by using trial division. Indeed, one would in general always remove small prime factors before calling upon more elaborate factoring algorithms. Note furthermore that order finding may be performed prior to trial division being applied to N if desired; see section 3.2.2 for further details.
There exist efficient probabilistic primality tests, such as Miller–Rabin [14, 17], and efficient algorithms for reducing perfect powers z = q^e to q: a simple option is to test if z^{1/d} is an integer for some d ∈ [2, log z]. For more advanced options, see e.g. Bernstein et al. [1].
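The simple perfect-power test mentioned above can be sketched as follows (a hypothetical helper of ours; exact integer d-th roots are computed by binary search, rather than via floating-point z^{1/d}, to avoid rounding errors for large z):

```python
def reduce_perfect_power(z):
    """Return (q, e) with z = q^e and e maximal, testing each d in [2, log2(z)]."""
    def iroot(z, d):
        # Exact integer d-th root of z by binary search.
        lo, hi = 1, z
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if mid ** d <= z:
                lo = mid
            else:
                hi = mid - 1
        return lo

    for d in range(z.bit_length(), 1, -1):  # try the largest exponent first
        q = iroot(z, d)
        if q ** d == z:
            return q, d
    return z, 1  # z is not a perfect power

print(reduce_perfect_power(3 ** 10))  # → (3, 10)
```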

Earlier works
Shor [20, 21] proposed to factor N by repeatedly selecting a random g ∈ Z*_N, computing its order r via quantum order finding, and executing a classical procedure inspired by Miller [14]. Specifically, Shor proposed to use that if r is even and g^{r/2} ≢ −1 (mod N), it must be that (g^{r/2} − 1)(g^{r/2} + 1) = g^r − 1 ≡ 0 (mod N), so gcd((g^{r/2} ± 1) mod N, N) yields non-trivial factors of N. Note that g^{r/2} ≢ 1 (mod N) by definition, as r would otherwise not be the order of g. Shor proved that the probability of the above two requirements being met is at least 1/2. If the requirements are not both met, the algorithm may be re-run for a new g, in which case the probability of succeeding is again at least 1/2.
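Shor's classical procedure can be sketched in a few lines; the toy values below are chosen by hand rather than produced by quantum order finding:

```python
from math import gcd

def shor_split(g, r, N):
    """Shor's classical step: given the order r of g modulo N, attempt to
    split N.  Returns None if r is odd or if g^(r/2) ≡ -1 (mod N)."""
    if r % 2 != 0:
        return None
    y = pow(g, r // 2, N)  # y^2 = g^r ≡ 1 (mod N), so N divides (y - 1)(y + 1)
    if y == N - 1:
        return None
    return gcd(y - 1, N), gcd(y + 1, N)

# Toy example: modulo N = 15, the element g = 7 has order r = 4, and
# 7^2 ≡ 4 (mod 15) yields the factors gcd(3, 15) = 3 and gcd(5, 15) = 5.
print(shor_split(7, 4, 15))  # → (3, 5)
```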
This implies that Shor's algorithm will eventually succeed in finding two non-trivial factors of N. However, as re-running the quantum order-finding part of the algorithm is expensive, it is natural to consider improved strategies. To completely factor N, recursive calls to Shor's factoring algorithm, and hence to the quantum order-finding part, would naïvely be required, albeit with consecutively smaller factors, until the factors are prime, perfect powers, or sufficiently small to factor using classical algorithms. Again, it is natural to consider improved strategies to avoid re-runs in this setting.

On the success probability of quantum order finding
Shor's factoring algorithm as originally described can fail either because the order r of g is not amenable to factoring N, in the sense that r is odd or g^{r/2} ≡ −1 (mod N), or because the order-finding part of the algorithm fails to return r given g.
The probability of the algorithm failing for the latter reason is negligible, however, if the quantum part is correctly parameterized and post-processed, and if it is executed as per its mathematical description by the quantum computer; see e.g. Appendix A to [4] or [2].
In what follows, we therefore primarily focus our attention on classically recovering non-trivial factors of N given r. When referring to factoring in a single run of an order-finding algorithm, we assume the order-finding algorithm to yield r given g.

Tradeoffs in quantum order finding
Seifert [19] has proposed to modify the order-finding part of Shor's algorithm to enable tradeoffs between the number of runs that need be performed on the quantum computer and the complexity of each run. In essence, Seifert's idea is to compute only partial information on the order in each run, thereby reducing the number of operations that the computer must perform in each run without loss of coherence. Given the outputs from a sufficiently large number of such partial runs, the order may then be reconstructed efficiently classically, yielding a complete order-finding algorithm that returns r with high probability given g.
Making tradeoffs may prove advantageous in the early days of quantum computing, when the capabilities of the computers available are limited. On a side note, Knill [9] has proposed a different kind of tradeoff, where the goal is not to perform fewer operations in each run, but rather to obtain improved lower bounds on the success probability of the order being returned.

Improvements for odd orders
Several improvements to Shor's original classical post-processing have been proposed, including in particular ways of recovering factors of N from odd orders [6, 8, 10, 13]. Grosshans et al. [6] point out that if a small prime q divides r, then gcd((g^{r/q} − 1) mod N, N) is likely to yield non-trivial factors of N. Johnston [8] later made similar observations.
In the context of Shor's algorithm, the observation that odd r may yield non-trivial factors of N appears to have first been made by Martín-López et al. [13] in an actual experimental implementation. This is reported in a work by Lawson [10] and later by Grosshans et al. [6].
We may efficiently find all small and moderate prime factors of r. This often gives us several attempts at recovering non-trivial factors of N, increasing the probability of factoring N. Furthermore, we can try all combinations of these prime factors, with multiplicity when applicable, to increase the number of non-trivial divisors tested.
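The simplest case of this idea, trying each small prime q dividing r on its own, can be sketched as follows (the function name and the trial-division bound are our own choices):

```python
from math import gcd

def factors_from_order_divisors(g, r, N, prime_bound=1000):
    """For every small prime q dividing r, try gcd(g^(r/q) - 1 mod N, N).

    This can recover factors of N even when r is odd.  The small primes
    dividing r are found by trial division, which is fine for the moderate
    bound used here.
    """
    found = set()
    remaining = r
    for q in range(2, prime_bound + 1):
        if remaining % q == 0:  # q must be prime: smaller factors are already gone
            d = gcd(pow(g, r // q, N) - 1, N)
            if 1 < d < N:
                found.add(d)
            while remaining % q == 0:
                remaining //= q
    return found

# Toy example: modulo N = 91 = 7 * 13, the element g = 79 has odd order r = 3,
# yet g^(r/3) = 79 gives gcd(78, 91) = 13, a non-trivial factor.
print(factors_from_order_divisors(79, 3, 91))  # → {13}
```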

Improvements for special form integers
Ekerå and Håstad [3, 5] have introduced a specialized quantum algorithm for factoring RSA integers that is more efficient than Shor's general factoring algorithm. The problem of factoring RSA integers merits special consideration because it underpins the security of the widely deployed RSA cryptosystem [18].
The algorithm of Ekerå and Håstad classically reduces the RSA integer factoring problem to a short discrete logarithm problem in a cyclic group of unknown order, using ideas from [7], and solves this problem quantumly. It is more efficient primarily because the quantum step is less costly than traditional quantum order finding, both when not making tradeoffs, comparing to Shor, and when making tradeoffs, comparing to Seifert. It furthermore allows the two factors of the RSA integer to be recovered deterministically once the short discrete logarithm has been computed. This implies that there is little point in optimizing the post-processing in Shor's original algorithm if the goal is to factor RSA integers.
On the topic of factoring special-form integers, Grosshans et al. [6] have shown how so-called safe semi-primes may be factored deterministically after a single run of Shor's original order-finding algorithm. Xu et al. [22] have presented similar ideas. Leander [11] has shown how the lower bound of 1/2 in Shor's original analysis may be improved to 3/4 for semi-primes.

Other related works on factoring via order finding
There is a considerable body of literature on factoring. The specific problem of factoring via number-theoretical oracles has been widely explored in various contexts. Many of the results have a lineage that can be traced back to the seminal work of Miller [14].
More recently, Morain et al. [15] have investigated deterministic algorithms for factoring via oracles that yield φ(N), λ(N) or the order r of an element g ∈ Z*_N. They find that given φ(N), it is possible to factor N unconditionally and deterministically in polynomial time, provided that certain conditions on the prime factors of N are met: it is required that N be square-free and that N has a prime factor p > √N. Their approach leverages the Lenstra–Lenstra–Lovász (LLL) [12] lattice basis reduction algorithm.
Morain et al. furthermore explicitly note that their work is connected to Shor's factoring algorithm, and that efficient randomized factoring algorithms are produced by all three oracles (see sections 2.3 and 2.5 in [15]). They recall the method of Miller [14] for factoring via an oracle that yields the order r of g ∈ Z*_N, and its use in Shor's algorithm, and the fact that it may be necessary to consider multiple g to find one with an even order suitable for factoring N. This implies that multiple oracle calls may be required to find non-trivial factors.
The authors furthermore state that if one has access to an oracle that yields e.g. φ(N) or λ(N), it is possible to do better: it is then possible to find a g ≢ ±1 (mod N) such that g² ≡ 1 (mod N). In particular, one may use that the order of g must divide φ(N) = 2^t · o, for some t > 0 and odd o, to efficiently find such a g. This is closely related to the observations made in this paper. The original algorithm is from Miller [14].

On the relation to our contribution
Given the abundance of literature on the topic of factoring, it is admittedly hard to make new original contributions, or even to survey the existing literature in its entirety.
We are however not aware of anyone previously demonstrating, within the context of Shor's algorithm, that a single call to the order finding algorithm is in general sufficient to completely factor any composite integer with high probability.On the contrary, it is sometimes said that Shor's original post-processing algorithm should be used, potentially requiring several runs to find even a non-trivial factor, let alone the complete factorization.

Our contribution
We give an efficient classical probabilistic polynomial time algorithm, essentially due to Miller [14], for completely factoring N given the order r of a single element g selected uniformly at random from Z*_N. We furthermore analyze the runtime and success probability of the algorithm: in particular, we give a lower bound on its success probability.

Notes on our original intuition for this work
Given the order r of g, we can in general correctly guess the orders of a large fraction of the other elements of Z*_N with high probability. To see why this is, note that g is likely to have an order r such that λ(N)/r is a moderate-size product of small prime factors. Hence, by multiplying small prime factors onto r, or dividing them off, we can guess λ(N), and by extension the orders of other elements in the group.
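This intuition is easy to check empirically for a small N whose factorization, and hence λ(N), is known (the experiment below is ours; for N = 101 · 103, which is square-free, λ(N) = lcm(100, 102) = 5100):

```python
import random
from math import gcd, lcm

def multiplicative_order(a, n):
    # Smallest r > 0 with a^r ≡ 1 (mod n); requires gcd(a, n) = 1.
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

random.seed(1)
N = 101 * 103                # two known primes, so that λ(N) is known
lam = lcm(101 - 1, 103 - 1)  # λ(N) = 5100 for this square-free N
ratios = set()
for _ in range(20):
    g = random.randrange(2, N)
    if gcd(g, N) == 1:
        ratios.add(lam // multiplicative_order(g, N))
# The ratios λ(N)/r observed are small divisors of λ(N), as suggested above.
print(sorted(ratios))
```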
The above observation served as our original intuition for pursuing this line of work. In this paper, we do however take matters a few steps further: in particular, instead of guessing the orders of individual elements in Z*_N, we guess some positive multiple of λ'(N). Furthermore, we show that even if we only manage to guess some positive multiple of a divisor of λ'(N), we are still often successful in recovering the complete factorization of N.

The algorithm
In what follows, we describe a classical algorithm, essentially due to Miller [14] (see the algorithm in the proof of Lemma 5 ERH), for completely factoring N given a positive multiple of λ'(N).
We have slightly modified it, however, by adding a step in which we attempt to guess such a multiple, denoted r' below, given the order r of g. Furthermore, we select k group elements x_j uniformly at random from Z*_N, for k ≥ 1 some small parameter that may be freely selected, whereas Miller iterates over all elements up to some bound.
With these modifications, we shall prove that the resulting probabilistic algorithm runs in polynomial time, with the possible exception of the call to an order-finding algorithm in the first step, and analyze its success probability. To be specific, the resulting algorithm first executes the below procedure once to find non-trivial factors of N:

1 Select g uniformly at random from Z*_N. Compute the order r of g via an order-finding algorithm.
2 Let r' = r · ∏_{q ∈ P(m')} q^{η(q, m')}, where P(B) is the set of primes ≤ B, η(q, B) is the largest integer such that q^{η(q, B)} ≤ B, and m' = cm for some constant c ≥ 1 that may be freely selected.

3 Write r' = 2^t · o, where o is odd.
4 For j = 1, 2, ..., k, for some k ≥ 1 that may be freely selected, do:

4.1 Select x_j uniformly at random from Z*_N.

4.2 For i = 0, 1, ..., t do:

4.2.1 Compute d_{i,j} = gcd(x_j^{2^i · o} − 1, N). If 1 < d_{i,j} < N, report d_{i,j} as a non-trivial factor of N.

We then obtain the complete factorization from the d_{i,j} reported as follows: A set is initialized, and N added to it, before executing the above algorithm. For each non-trivial factor reported, the factor is added to the set. The set is kept reduced, so that it contains only non-trivial pairwise coprime factors. It is furthermore checked, for each factor in the set, if it is a perfect power q^e, in which case q is reported as a non-trivial factor. The algorithm succeeds if the set contains all distinct prime factors of N when the algorithm stops.
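The procedure and the post-processing of the reported factors can be sketched as follows (a simplified rendering of ours: the final primality tests and perfect-power reductions are omitted, and parameter choices such as the default k are arbitrary):

```python
import random
from math import gcd

def coprime_refine(divisors):
    """Reduce a set of divisors of N to a set of pairwise coprime factors."""
    factors = set(divisors)
    changed = True
    while changed:
        changed = False
        for a in list(factors):
            for b in list(factors):
                if a in factors and b in factors and a != b:
                    g = gcd(a, b)
                    if g > 1:
                        # Split a and b along their common part.
                        factors -= {a, b}
                        factors |= {x for x in (g, a // g, b // g) if x > 1}
                        changed = True
    return factors

def complete_factorization(N, r, c=1, k=20):
    """Sketch of the post-processing described above (essentially due to
    Miller): given the order r of a random g in Z_N^*, attempt to recover
    all distinct prime factors of odd N."""
    m = N.bit_length()
    mp = c * m  # m' = cm

    # Step 2: grow r to r' by multiplying on q^η(q, m') for each prime q ≤ m'.
    rp = r
    sieve = [True] * (mp + 1)
    for q in range(2, mp + 1):
        if sieve[q]:
            for multiple in range(q * q, mp + 1, q):
                sieve[multiple] = False
            qe = q
            while qe * q <= mp:  # η(q, m') is the largest integer with q^η ≤ m'
                qe *= q
            rp *= qe

    # Step 3: write r' = 2^t * o with o odd.
    t = (rp & -rp).bit_length() - 1
    o = rp >> t

    # Step 4: collect non-trivial divisors d_{i,j} = gcd(x_j^(2^i * o) - 1, N).
    divisors = {N}
    for _ in range(k):
        x = random.randrange(2, N)
        if gcd(x, N) != 1:
            continue  # a non-trivial gcd here would itself be a factor of N
        for i in range(t + 1):
            d = gcd(pow(x, (1 << i) * o, N) - 1, N)
            if 1 < d < N:
                divisors.add(d)
    return coprime_refine(divisors)

random.seed(1)
print(complete_factorization(105, 12))  # the order of g = 2 modulo 105 is r = 12;
                                        # with high probability this prints {3, 5, 7}
```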
Recall from the introduction that there are efficient methods for reducing q^e to q, and methods for testing primality in probabilistic polynomial time.

Notes on efficient implementation
Note that the algorithm as described in section 3.2 is not optimized: rather, it is presented for ease of comprehension and analysis. In an actual implementation, it would for example be beneficial to perform arithmetic modulo N' throughout step 4 of the algorithm, for N' a composite divisor of N that is void of prime factors that have already been found.
The algorithm would of course also stop incrementing j as soon as the factorization is complete, rather than after k iterations, and stop incrementing i as soon as x_j^{2^i · o} ≡ 1 (mod N), rather than continue up to t. It would select x_j and g from Z*_N \ {1} in steps 1 and 4.1, rather than from Z*_N. In step 4.2.1, it would compute d_{i,j} = gcd(u_{i,j} − 1, N), where u_{0,j} = x_j^o mod N and u_{i,j} = u_{i−1,j}² mod N for i ∈ [1, t], to avoid raising x_j to o repeatedly.

Ideas for potential optimizations: To further speed up the exponentiations, instead of raising each x_j to a pre-computed guess r' for a multiple of λ'(N), a smaller exponent that is a multiple of the order of x_j mod N may conceivably be speculatively computed and used in place of r'. To obtain more non-trivial factors from each x_j, combinations of small divisors of the exponent may conceivably be exhausted; not only the powers of two that divide the exponent.
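The recurrence for u_{i,j} described above can be sketched as follows (helper name ours), including the early stop once u_{i,j} = 1:

```python
from math import gcd

def divisors_from_element(x, t, o, N):
    """Compute d_i = gcd(x^(2^i * o) - 1, N) for i = 0, ..., t via the
    recurrence u_0 = x^o mod N, u_i = u_{i-1}^2 mod N, stopping early once
    u_i = 1, as in the implementation notes above."""
    ds = []
    u = pow(x, o, N)
    for _ in range(t + 1):
        ds.append(gcd(u - 1, N))
        if u == 1:
            break  # every later u_i also equals 1 and yields only gcd(0, N) = N
        u = (u * u) % N
    return ds

# Example with N = 105 and r' = 5040 = 2^4 * 315, i.e. t = 4 and o = 315:
print(divisors_from_element(2, 4, 315, 105))  # → [7, 21, 105]
```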
Missing factors: If an x_j is such that w_j = x_j^{r'} mod N ≢ 1, a factor q equal to the order of w_j mod N is missing in the guess r' for a multiple of λ'(N). Should this lead the algorithm to fail to completely factor N, it may be worthwhile to attempt to compute the missing factor: the options available include searching for q by exponentiating to all primes up to some bound, which is essentially analogous to increasing c, or using some form of cycle-finding algorithm that does not require a multiple of q to be known in advance.
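Searching for the missing factor by exponentiating to all primes up to a bound can be sketched as follows (function name and bound are ours; the example values are constructed by hand so that the order of w modulo N is the "missing" prime):

```python
def find_missing_prime(w, N, bound=10 ** 4):
    """Search for a prime q ≤ bound with w^q ≡ 1 (mod N), i.e. for the prime
    missing from the guessed exponent, by exponentiating w to each prime."""
    for q in range(2, bound + 1):
        if all(q % p != 0 for p in range(2, int(q ** 0.5) + 1)):  # q is prime
            if pow(w, q, N) == 1:
                return q
    return None

# Hand-constructed example: N = 69 = 3 * 23, so λ'(N) = lcm(2, 22) = 22.  With
# the (deliberately bad) guess r' = 2, the element x = 5 gives
# w = 5^2 mod 69 = 25 ≢ 1, and the order of 25 modulo 69 is the missing prime 11.
print(find_missing_prime(25, 69))  # → 11
```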
In short, there are a number of optimizations that may be applied, but doing so above would obscure the workings of the algorithm and the analysis that we are about to present. It is furthermore not necessary, since the algorithm as described is already very efficient.

Notes on performing order finding for a multiple of N
Note that the order finding in step 1 may be performed for a multiple of N if desired. This can only cause r to grow by some multiple, which in turn can only serve to increase the success probability, in the same way that growing r to r' in step 2 serves to increase the success probability; see section 3.3. In turn, this explains why we can replace N with a multiple of N as described in the previous section, and why a restriction to odd N does not imply a loss of generality.

Notes on analogies with Miller's and Rabin's works
Miller's original version of the algorithm in section 3.2 is deterministic, and proven to work only assuming the validity of the extended Riemann hypothesis (ERH), as is Miller's primality test in the same thesis [14]. This may be because the notion of probabilistic polynomial time algorithms was not universally recognized when Miller did his thesis work.
Rabin [17] later converted Miller's primality test algorithm into a probabilistic polynomial time algorithm that is highly efficient in practice.
It is perhaps interesting to note that we perform essentially the same conversion in section 3.2 with respect to Miller's factoring algorithm: we convert it into an efficient probabilistic polynomial time factoring algorithm that recovers the complete factorization of N given the order r of an element g selected uniformly at random from Z*_N.

Notes on analogies with Pollard's works
Miller's algorithm may be regarded as a generalization of Pollard's p − 1 algorithm [16]: Miller essentially runs Pollard's algorithm for all prime factors p_i in parallel, by using that a multiple of λ'(N) = lcm(p_1 − 1, ..., p_n − 1) is known. Pollard, assuming no prior knowledge, uses a product of small prime powers up to some smoothness bound B in place of λ'(N). This factors out p_i from N if p_i − 1 is B-smooth, giving Pollard's algorithm its name. Since we only know r, a multiple of some divisor of λ'(N), we grow r to r' by multiplying on a product of small prime powers. This is in analogy with Pollard's approach.
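For comparison, Pollard's p − 1 method can be sketched as follows (a minimal version of ours, with fixed base 2 and a one-stage smoothness bound B):

```python
from math import gcd

def pollard_p_minus_1(N, B=100):
    """A minimal sketch of Pollard's p - 1 method with base 2: in place of a
    multiple of λ'(N), it uses the product M of all prime powers q^e ≤ B, and
    splits off a prime p from N whenever p - 1 is B-smooth."""
    M = 1
    for q in range(2, B + 1):
        if all(q % p != 0 for p in range(2, int(q ** 0.5) + 1)):  # q is prime
            qe = q
            while qe * q <= B:
                qe *= q
            M *= qe
    d = gcd(pow(2, M, N) - 1, N)
    return d if 1 < d < N else None

# N = 13 * 107: here 13 - 1 = 12 is 10-smooth while 107 - 1 = 2 * 53 is not,
# so with B = 10 only the factor 13 is split off.
print(pollard_p_minus_1(13 * 107, B=10))  # → 13
```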

Analysis of the algorithm
A key difference between our modified algorithm in section 3.2 and the original algorithm in Miller's thesis [14] is that we compute the order of a random g and then add a guessing step: we guess an r' in step 2 that we hope will be a multiple of p_i − 1 for all i ∈ [1, n], and if not for all, then at least for all but one index on this interval, in which case the algorithm will still be successful in completely factoring N. This is shown in the below analysis. Specifically, we lower-bound the success probability and demonstrate the polynomial runtime of the algorithm.

Definition 1. The prime p_i is unlucky if r' is not a multiple of p_i − 1.
Lemma 1. The probability that p_i is unlucky is at most log p_i / (m' log m').
Proof. For p_i to be unlucky, there has to exist a prime power q^e such that i) q^e > m', as q^e otherwise divides r', ii) q^e divides p_i − 1, and iii) g is a q^e-power modulo p_i, to reduce the order of g by a factor q^e. The number of such prime powers q^e that divide p_i − 1 is at most log p_i / log m', as q^e > m' and the product of the prime powers in question cannot exceed p_i − 1. For each such prime power, the probability that g is a q^e-power is at most 1/q^e ≤ 1/m'. The lemma follows by taking the product of these two expressions.

Lemma 2. If at most one p_i is unlucky, then except with probability at most n(n − 1)/2 · 2^{−k}, all n prime factors of N will be recovered by the algorithm after k iterations.
Proof. For us not to find all prime factors, there must exist two distinct prime factors q_1 and q_2 that both divide N, such that for all combinations of i ∈ [0, t] and j ∈ [1, k], either both factors divide x_j^{2^i · o} − 1, or neither of them does. To see why this is, note that the two factors will otherwise be split apart for some combination of i and j in step 4.2.1 of the algorithm in section 3.2, and if this occurs pairwise for all factors, the algorithm will recover all factors.
There are n(n − 1)/2 ways to select two distinct primes from the n distinct primes that divide N. For each such pair, at most one of q_1 and q_2 is unlucky, by the formulation of the lemma.

i) If either q_1 or q_2 is unlucky: Without loss of generality, say that q_1 is lucky and q_2 is unlucky.
– The lucky prime q_1 then divides x_j^{2^t · o} − 1. To see why this is, recall that x_j ∈ Z*_N and that q_1 − 1 divides r' since q_1 is lucky, so x_j^{2^t · o} = x_j^{r'} ≡ 1 (mod q_1).
– The unlucky prime q_2 divides x_j^{2^t · o} − 1 iff x_j^{2^t · o} ≡ 1 (mod q_2). For x_j selected uniformly at random from Z*_N, and odd q_2, where we recall that we assumed N, and hence q_2, to be odd in the introduction, this event occurs with probability at most 1/2. To see why this is, note that since q_2 is unlucky, only an element x_j with an order modulo q_2 that is reduced from the maximum order q_2 − 1 by some factor dividing q_2 − 1 can fulfill the condition. The reduction factor must be at least two. It follows that at most 1/2 of the elements in Z*_N can fulfill the condition. For each iteration j ∈ [1, k], the failure probability is hence at most 1/2. Since there are k iterations, the total failure probability is at most 2^{−k}.
ii) If both q_1 and q_2 are lucky: In this case, both q_1 and q_2 divide x_j^{2^t · o} − 1, since x_j ∈ Z*_N, and since r' = 2^t · o where q_1 − 1 and q_2 − 1 both divide r', so x_j^{2^t · o} = x_j^{r'} ≡ 1 (mod q) for q ∈ {q_1, q_2}. The algorithm fails iff x_j^o has the same order modulo both q_1 and q_2. To see why this is, note that d_{i,j} = gcd(x_j^{2^i · o} − 1, N) is computed in step 4.2.1 of the algorithm, for i ∈ [0, t], and that the prime q ∈ {q_1, q_2} divides d_{i,j} iff x_j^{2^i · o} ≡ 1 (mod q). It is only if this occurs for the same i for both q_1 and q_2 that q_1 and q_2 will not be split apart, i.e. if x_j^o has the same order modulo both q_1 and q_2.

To analyze the probability of x_j^o having the same order modulo q_1 and q_2, we let 2^{t_1} and 2^{t_2} be the greatest powers of two to divide q_1 − 1 and q_2 − 1, respectively. Recall furthermore that we assumed N, and hence q_1 and q_2, to be odd in the introduction. This implies that we may assume t ≥ t_1 ≥ t_2 ≥ 1 without loss of generality. Furthermore, we shall use that x_j is selected uniformly at random from Z*_N ≅ Z*_{p_1^{e_1}} × ... × Z*_{p_n^{e_n}}, where q_1, q_2 ∈ {p_1, ..., p_n}, which implies that x_j mod q_1 and x_j mod q_2 are selected independently and uniformly at random from Z*_{q_1} and Z*_{q_2}. Consider x_j^{2^{t_1 − 1} · o}:

– If t_1 = t_2, the probability that x_j^{2^{t_1 − 1} · o} − 1 is divisible by q_1 but not by q_2 is 1/4, and vice versa for q_2 and q_1. Hence, the probability is at most 1/2 that x_j^o has the same order modulo both q_1 and q_2.

– If t_1 > t_2, the probability that x_j^{2^{t_1 − 1} · o} − 1 is divisible by q_1 is 1/2, whereas the same always holds for q_2. Hence, the probability is again at most 1/2 that x_j^o has the same order modulo q_1 and q_2.

For each iteration j ∈ [1, k], the probability is hence again at most 1/2. Since there are k iterations, the total failure probability is at most 2^{−k}.

The lemma follows from the above argument, as there are n(n − 1)/2 combinations with probability at most 2^{−k} each.
By definition, q is said to divide u iff u ≡ 0 (mod q). Note that this implies that all q ≠ 0 divide u = 0. This situation arises in the above proof of Lemma 2.

Lemma 3. At least two primes are unlucky with probability at most 1 / (2c² log²(cm)).
Proof. The events of the various primes being unlucky are independent. Hence, by Lemma 1, we have that the probability of at least two primes being unlucky is upper-bounded by

∑_{(i_1, i_2) ∈ S} (log p_{i_1} / (m' log m')) · (log p_{i_2} / (m' log m')) ≤ (1/2) (∑_{i=1}^{n} log p_i / (m' log m'))² ≤ m² / (2 (cm log cm)²) = 1 / (2c² log²(cm)),

where we used that ∑_{i=1}^{n} log p_i ≤ log N ≤ m and m' = cm, and where S is the set of all pairs (i_1, i_2) ∈ [1, n]², with i_1 ≠ i_2, such that each product p_{i_1} · p_{i_2} is distinct, and so the lemma follows.

Claim 1. The bit length of r' is O(m).

Proof. By the prime number theorem, there are O(m' / ln m') primes less than m'. As r < N, we have log r < m. Furthermore, as each prime power q^{η(q, m')} in r'/r is at most m', we have

log r' ≤ log r + O(m' / ln m') · log m' = m + O(m') = O(m),

as m' = cm for some constant c ≥ 1, and so the claim follows.

Main theorem
Theorem 1. The factoring algorithm, with the possible exception of the single order-finding call, completely factors N in polynomial time, except with probability at most

n(n − 1)/2 · 2^{−k} + 1 / (2c² log²(cm)),

where n is the number of distinct prime factors of N, m is the bit length of N, c ≥ 1 is a constant that may be freely selected, and k is the number of iterations performed in the classical post-processing.
Proof. It is easy to see that the non-order-finding part of the algorithm runs in polynomial time in m, as all integers are of length O(m), including in particular r' by Claim 1. The theorem then follows from the analysis in section 3.3, by summing the upper bound on the probability of a failure occurring when at most one prime is unlucky in Lemma 2, and on the probability of at least two primes being unlucky in Lemma 3.
By the above main theorem, the algorithm will be successful in completely factoring N if the constant c is selected so that 1/(2c² log²(cm)) is sufficiently small, and if 2^{−k}, for k the number of iterations, is sufficiently small in relation to n², for n the number of distinct prime factors of N. Note that the latter requirement is easy to meet: pick k = (2 + τ) log n for some τ ≥ 1. Then 2^{−k} · n² ≤ n^{−τ}, where n ≥ 2 for composite N.

The time complexity of the algorithm is dominated by k exponentiations of an integer modulo N to an exponent of length O(m) bits. This is indeed very efficient. Note furthermore that our analysis of the success probability of the algorithm is a worst-case analysis. In practice, the actual success probability of the algorithm is higher. Also, nothing in our arguments strictly requires c to be a constant: we can make c a function of m to further increase the success probability, at the expense of working with O(cm)-bit exponents.
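To illustrate how c and k may be selected, the small helper below (ours) evaluates the sum of the two failure terms discussed above, n(n − 1)/2 · 2^{−k} and 1/(2c² log²(cm)), for given parameters:

```python
import math

def failure_bound(n, m, c, k):
    """Evaluate n(n - 1)/2 * 2^(-k) + 1/(2 c^2 log2^2(c m)), the sum of the
    two failure terms discussed above."""
    return (n * (n - 1) / 2) * 2.0 ** (-k) + 1 / (2 * c ** 2 * math.log2(c * m) ** 2)

# Example: for a 2048-bit N with at most n = 10 distinct prime factors,
# selecting c = 10 and k = 50 already pushes the bound below 0.01 percent.
print(failure_bound(10, 2048, 10, 50))
```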

Summary and conclusion
When factoring an integer N via order finding, as in Shor's factoring algorithm, computing the order of a single element selected uniformly at random from Z*_N suffices to completely factor any integer N with very high probability, where the exact probability depends on how c and k are selected in relation to the number of distinct prime factors n and the bit length m of N.