Shor’s Algorithm Does Not Factor Large Integers in the Presence of Noise

We consider Shor's quantum factoring algorithm in the setting of noisy quantum gates. Under a generic model of random noise for (controlled) rotation gates, we prove that the algorithm does not factor integers of the form $pq$ when the noise exceeds a vanishingly small level in terms of $n$, the number of bits of the integer to be factored, where $p$ and $q$ are from a well-defined set of primes of positive density. We further prove that with probability $1 - o(1)$ over random prime pairs $(p, q)$, Shor's factoring algorithm does not factor numbers of the form $pq$, with the same level of random noise present.


Introduction
One of the most stunning achievements of computer science in the last several decades is Shor's quantum algorithm to factor large integers [36,37]. The algorithm provably can factor an $n$-bit integer in polynomial time with high probability, assuming certain quantum operations can be performed. These are called quantum logic gates. In particular, they include the familiar Hadamard gate $H = \frac{1}{\sqrt{2}}\begin{pmatrix}1 & 1\\ 1 & -1\end{pmatrix}$, the rotation gates (Phase) $S = \begin{pmatrix}1 & 0\\ 0 & i\end{pmatrix}$, ($\pi/8$ gate) $T = \begin{pmatrix}1 & 0\\ 0 & e^{2\pi i/8}\end{pmatrix}$, and more generally $R_k = \begin{pmatrix}1 & 0\\ 0 & e^{2\pi i/2^k}\end{pmatrix}$, and their controlled versions. Note that $S = R_2$ and $T = R_3$. It has often been pointed out that the availability of these quantum gates at high precision (with arbitrarily small angles in $R_k$ as $k \to \infty$) is a challenge, both intellectually and practically on engineering grounds [16,23,24,1]. To a large extent, such concerns motivated another great intellectual achievement, the development of quantum error correcting codes [38,40,8,19,32]. There is a substantial body of work on fault tolerant quantum computing, starting with Shor's work [39]. Strong threshold theorems have been proved which show that in certain error models, if the error rate is below a certain threshold, quantum computation can achieve arbitrarily high accuracy [3,17,6,19,41,18,5]. These are beautiful mathematical theorems. But they fundamentally assume that the group SU(2) exactly corresponds to operations on a qubit in reality, especially in its composition: that group composition (in its infinite precision defined over $\mathbb{C}$) exactly corresponds to sequential application of realizable quantum operations. Opinions differ as to whether such arbitrary precision is ever achievable. It is certainly a possibility. However, this author is skeptical about this, based on the belief that quantum mechanics itself (just as any other physical theory) is not, and is not meant to be, infinitely accurate when comparing reality with what the mathematical statements in the theory say (some speculations are in Section 4). Meanwhile, enormous efforts have been underway in the past few decades, and with much renewed momentum and enthusiasm more recently, to achieve ever more accurate hardware implementations of quantum circuitry.
In this paper, we consider Shor's quantum factoring algorithm in the setting where each quantum controlled rotation gate is subject to a small random noise in the angle. We assume each application of the controlled-$R_k$ gate is given an independent random error of angle $e^{2\pi i\epsilon r/2^k}$. Thus, when the control bit is 1, the operator $R_k$ is substituted by $\tilde R_k = \begin{pmatrix}1 & 0\\ 0 & e^{2\pi i(1+\epsilon r)/2^k}\end{pmatrix}$, where $r$ is an independent noise random variable distributed $r \sim N(0,1)$, and $\epsilon$ is a global magnitude parameter. So the controlled-$\tilde R_k$ gate is the diagonal matrix $\mathrm{diag}(1, 1, 1, \xi_k\rho_k)$, where $\rho_k = \rho_{k,\epsilon} = e^{2\pi i\epsilon r/2^k}$ and $\xi_k = e^{2\pi i/2^k}$. We show that there exist positive constants $c, c' > 0$ such that if $\epsilon > c\,n^{-1/3}$, then Shor's algorithm does not factor $n$-bit integers of the form $pq$, where $p$ and $q$ are from a well-defined set of primes of density $> c'$. To the best knowledge of this author, this is the first provable statement of such a failure of Shor's algorithm under any error model.
The noise model is similar to that of [30] (see also [14,29,31]). The specific random noise model, including the independent normal distribution picked in this paper, is not essential, as the proof will clearly show, but it is chosen to present the essential idea of the proof most transparently. For example, the noise r.v. $r$ being distributed $\sim N(0,1)$ can be replaced by any reasonable alternative distribution such as uniform $U[-1, 1]$ or uniform bits from $\{-1, 0, 1\}$. While each individual controlled-$R_k$ gate is assumed to be accompanied by an independent r.v. $r$ for noise, when an individual controlled-$R_k$ gate is applied, the same randomly perturbed controlled-$R_k$ gate is applied to each term in a sum of superpositions of quantum states. Regarding the random noise model, we do not make any claim that this model accurately reflects "reality"; our purpose is only to show that some vanishing amount of noise can already provably destroy the algorithm.
An important modification of Shor's algorithm by Coppersmith [10] shows that if we simply ignore (do not perform) all (controlled-) $R_k$-gates for sufficiently large $k \ge b$, where $b$ is a global parameter, then Shor's algorithm still retains its effectiveness (and uses a reduced number of quantum gates). The specific change suggested in [10] for 500 qubits, which would require rotations of magnitude $2\pi/2^{500}$ in Shor's original algorithm, is to ignore all rotations of angle smaller than $2\pi/2^{20}$. It is estimated that this would incur an error on the order of 1% in the probability of each desirable final state. Asymptotically, Coppersmith improves the precision requirement from exponentially small angles to just slightly less than $\pi/n$. This has enormous practical implications. This version of Shor's algorithm is called the "banded" version with parameter $b$, which is set to be slightly greater than $\log n$, rather than $n$ as in the original version. Nonetheless, rotation gates (as primitive steps of the algorithm) of asymptotically infinitely small angles would still be required as $n$, the number of bits to be factored, tends to infinity.
Our result is consistent with Coppersmith's improvement. Indeed we will present our proof in the "banded" version, with perfect controlled-$R_k$-gates for all $k < b$, but with every controlled-$R_k$-gate replaced by a controlled-$\tilde R_k$-gate for all $k \ge b$, i.e., it is independently perturbed by a random noise. Our negative result will be stated in terms of $b + \log_2(1/\epsilon)$. When $b + \log_2(1/\epsilon) < \frac{1}{3}\log_2 n - c$ for some constant $c > 0$, the noise takes hold so as to destroy the desired peak in the probability of observing a useful state that leads to factorization. This condition is essentially equivalent to having both $b$ less than a small constant multiple of $\log n$ and $\epsilon$ greater than the reciprocal of a small positive power of $n$. We prove that, under this condition in this noise model, Shor's algorithm does not factor $n$-bit integers of the form $pq$, where $p$ and $q$ are from a well-defined set of primes of positive density $c' > 0$. The proof will in fact show that the same result holds under the same condition $b + \log_2(1/\epsilon) < \frac{1}{3}\log_2 n - c$, even if the noisy gates are applied only at the single level $R_b$, with all other controlled-$R_k$-gates applied perfectly for $k \ne b$ (or alternatively, no controlled-$R_k$-gates applied at all for $k > b$, as in the banded version by Coppersmith).
Theorem 1. There exist constants $c, c' > 0$, such that if each controlled-$R_k$-gate in the quantum Fourier transform circuit is replaced by a controlled-$\tilde R_k$-gate for all $k \ge b$, where $b + \log_2(1/\epsilon) < \frac{1}{3}\log_2 n - c$, then with exponentially small exceptional probability, Shor's algorithm does not factor $n$-bit integers of the form $pq$, where $p$ and $q$ are from a well-defined set of primes of density $> c'$.
Here "exceptional probability" is over the random choices of Shor's algorithm as well as probabilistic outcomes of quantum measurements.More precisely, the expectation over random noise r's, of the success probability (over the random choices of the algorithm and quantum measurements) of the algorithm is exponentially small in n.This will be the meaning of "does not factor" below.
Theorem 2. Under the same condition $b + \log_2(1/\epsilon) < \frac{1}{3}\log_2 n - c$ as in Theorem 1, the statement in Theorem 1 still holds if only each controlled-$R_b$-gate is replaced by a controlled-$\tilde R_b$-gate while all other controlled-$R_k$-gates remain unchanged. Alternatively, the same statement holds if each controlled-$R_k$-gate is: (1) applied perfectly for $k < b$, (2) replaced by a controlled-$\tilde R_b$-gate for $k = b$, and (3) deleted for $k > b$.
Our proof focuses on the essential "period-finding" part of Shor's algorithm, which uses the quantum Fourier transform (QFT). In our proof, we use a theorem of Fouvry [13]. This theorem states that the set of all primes $p$ such that the largest prime factor of $p - 1$ is greater than $p^{2/3}$ has positive density among all primes. We use this theorem to produce candidate inputs of the form $N = pq$ to Shor's algorithm where $p$ and $q$ are of this type, and argue that a random element $x \in \mathbb{Z}_N^*$ has (exponentially) large order $\omega = \omega_N(x)$ as an element of the multiplicative group $\mathbb{Z}_N^*$. This large order $\omega$ allows us to give a lower bound in a lattice counting argument, which leads to a sufficiently large number of independent perturbations in the complex arguments (in the exponent) of a crucial sum of exponentials (which would be a perfect geometric sum without noise) in the analysis of Shor's algorithm. This perturbation, at the appropriate setting of parameters, destroys this geometric sum, degrades the probability of observing any useful quantum state to negligible, and thus fails to gain any useful information on the period $\omega$.
but ultimately heuristic, assumptions for the behavior of various sums, augmented by numerical simulations, they suggest that if $b$ is not too large compared to $n$, Shor's algorithm can tolerate imprecisions of rotation angles. Some small concrete values of $n$ are on the order of 10 qubits ($n = 10, 14$). These values are quite outside the range where our proof applies. Their numerical simulation does seem to suggest a logarithmic threshold of $b$. Thus, these positive results are not logically inconsistent with, and in fact complement, our proof. N.B. the notation $b$ in [29] is our $b - 2$.
Our proof is actually more generally applicable. In an appendix we prove the following theorem:
Theorem 3. There exists a constant $c > 0$, such that for random primes $p$ and $q$ chosen uniformly from all primes of binary length $m$, if $b + \log_2(1/\epsilon) < \frac{1}{3}\log_2 m - c$, then as $m \to \infty$, with probability $1 - o(1)$, Shor's algorithm with noisy rotation gates does not factor $N = pq$.
A version analogous to Theorem 2 also holds for random primes. We make a few brief remarks. Arguably, factoring integers $N = pq$ for random primes $p$ and $q$ is more important in cryptography than for primes that satisfy the property in Fouvry's theorem, and a failure probability of $1 - o(1)$ is a stronger statement than the positive density guaranteed by Fouvry's theorem. We present the proof in the main text for the latter, and relegate the proof of Theorem 3 to the appendix, in order to concentrate on the main idea of how random noise degrades the performance of Shor's algorithm. The additional work needed for Theorem 3 is mainly of a number theoretic nature, and for the purpose of this paper, of secondary importance. Also, one can prove other versions of Theorem 3. E.g., we can restrict the random primes $p$ and $q$ to be of length $m$ and both $\equiv 3 \bmod 4$, so that the numbers $N = pq$ are the so-called Blum integers, which are favored in cryptography [28]. Despite the strong failure demonstrated by the proof, our theorems do not rule out the possibility that at some future time, a quantum algorithm is superior in practice to the best "classical" factoring algorithms for integers of a certain size. But our proof indicates that there is a limit to this possible superiority when $n$ is large, if arbitrarily small random noise cannot be eliminated.
Many people have made strong arguments [32] supporting the viewpoint that Shor's algorithm presents convincing evidence that the so-called Strong Church-Turing thesis needs a necessary modification. This Strong thesis identifies efficient computation with P or BPP. The argued-for modification states that this should be replaced by BQP. This author is personally not convinced of this. I will make some comments at the end of this paper.²

Preliminaries
Fouvry's theorem. Let $N = pq$, where $p$ and $q$ are distinct odd primes. By the Chinese remainder theorem, the multiplicative group $\mathbb{Z}_N^* \cong \mathbb{Z}_p^* \times \mathbb{Z}_q^*$. Moreover, $\mathbb{Z}_p^*$ is a cyclic group of order $p - 1$, and is isomorphic to a direct product of factors according to the prime factorization of $p - 1$; and similarly for $\mathbb{Z}_q^*$. Let $P^+(m)$ denote the largest prime in the prime factorization of $m$.

Theorem 4 (Fouvry).
There exist constants $c > 0$ and $n_0 > 0$, such that for all $x > n_0$, $|\{p \mid p \text{ is a prime},\ p < x,\ \text{and } P^+(p-1) > p^{2/3}\}| \ge c\,\pi(x)$, where $\pi(x)$ is the number of primes below $x$. We say a prime $p$ satisfies the Fouvry property if $P^+(p-1) > p^{2/3}$. If $N = pq$, where $p$ and $q$ are distinct odd primes satisfying the Fouvry property, then clearly $p' = P^+(p-1)$ appears with exponent 1 in the factorization of $p - 1$ (since $p'^2 > p^{4/3} > p - 1$), and so does $P^+(q-1)$ in the factorization of $q - 1$. If $p' = P^+(p-1) > P^+(q-1)$, then $\mathbb{Z}_{p'}$ appears as an isolated factor in the direct product form of $\mathbb{Z}_N^*$. Thus, with probability $1 - 1/p'$, a random element $x \in \mathbb{Z}_N^*$ has order at least $p' > \max\{p^{2/3}, q^{2/3}\} \ge N^{1/3}$. If it so happens that $p' = P^+(p-1) = P^+(q-1)$, then $\mathbb{Z}_{p'} \times \mathbb{Z}_{p'}$ appears as a factor in the direct product form of $\mathbb{Z}_N^*$. In this case, a random element $x$ in $\mathbb{Z}_N^*$ also has order at least $p'$, except with probability $1/p'^2$. Thus, in either case, in terms of the number of bits, such products $N = pq$ have the property that a random element $x$ in $\mathbb{Z}_N^*$ has an exponentially large period, $\omega = \omega_N(x) \ge \max\{P^+(p-1), P^+(q-1)\} > N^{1/3}$, with exponentially small exceptional probability. Below we assume $\omega$ has this property.
² These comments are speculative, and should not be conflated with the theorems proved in the paper.
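The order bound above can be checked exhaustively on a toy instance. The following is an added example, not code from the paper: it tests the Fouvry property $P^+(p-1) > p^{2/3}$ exactly (by comparing cubes), computes the order of every unit of $\mathbb{Z}_N^*$, and counts how many have order at least $\max\{P^+(p-1), P^+(q-1)\}$. The primes $p = 23$ and $q = 47$ are constructed for illustration (both satisfy the property; $22 = 2\cdot 11$, $46 = 2\cdot 23$), and the expected exceptional fraction, $1/23$ here, is the $1/p'$ of the text; $\mathrm{ord}_2$ is included because the proof also needs it to be small.

```python
"""Added example (not from the paper): the Fouvry property and the order of
random units in Z_N^* for a small constructed N = pq."""
from math import gcd


def prime_factors(m):
    """Sorted list of the distinct prime factors of m, by trial division."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out


def largest_prime_factor(m):
    """P^+(m): the largest prime in the factorization of m."""
    return prime_factors(m)[-1]


def has_fouvry_property(p):
    """P^+(p - 1) > p^(2/3), compared exactly via integer cubes."""
    return largest_prime_factor(p - 1) ** 3 > p ** 2


def multiplicative_order(x, N, primes_of_phi, phi):
    """Order of x in Z_N^*, given phi = |Z_N^*| and its distinct prime divisors.
    Start from phi (a multiple of the order) and strip every prime that can be
    removed while x^(m/ell) stays 1; what remains is the exact order."""
    if gcd(x, N) != 1:
        raise ValueError("x is not a unit mod N")
    m = phi
    for ell in primes_of_phi:
        while m % ell == 0 and pow(x, m // ell, N) == 1:
            m //= ell
    return m


def order_profile(p, q):
    """For N = pq (both primes), return (N, bound, units, units_with_order_ge_bound)
    with bound = max(P^+(p-1), P^+(q-1)); the text claims bound > N^(1/3) and that
    almost every unit has order at least bound."""
    N = p * q
    phi = (p - 1) * (q - 1)
    primes_of_phi = prime_factors(phi)
    bound = max(largest_prime_factor(p - 1), largest_prime_factor(q - 1))
    units = good = 0
    for x in range(1, N):
        if gcd(x, N) != 1:
            continue
        units += 1
        if multiplicative_order(x, N, primes_of_phi, phi) >= bound:
            good += 1
    return N, bound, units, good


def two_adic_valuation(m):
    """ord_2(m): the exponent of 2 in m."""
    v = 0
    while m % 2 == 0:
        m //= 2
        v += 1
    return v


if __name__ == "__main__":
    p, q = 23, 47  # constructed toy primes with the Fouvry property
    print("Fouvry property:", has_fouvry_property(p), has_fouvry_property(q))
    N, bound, units, good = order_profile(p, q)
    print(f"N={N} bound={bound} bound^3>N: {bound**3 > N}")
    print(f"{good}/{units} units have order >= {bound} (expect ~1-1/{bound})")
    w = multiplicative_order(2, N, prime_factors((p-1)*(q-1)), (p-1)*(q-1))
    print("ord_N(2) =", w, "ord_2 of it =", two_adic_valuation(w))
```

The exceptional units are exactly those whose $\mathbb{Z}_{47}^*$ component has order dividing 2, i.e. $2 \cdot 22 = 44$ of the $1012$ units, matching the $1/p'$ argument; the isolated-factor reasoning is what makes this count independent of the $\mathbb{Z}_{23}^*$ component.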

Sum of random unit vectors
Let $\xi_m = e^{2\pi i/m}$ be a primitive root of unity of order $m$. Let We will give a simple estimate for the expectation of Expanding the square norm expression we get Moments of even orders of a normal random variable $Y \sim N(0, \sigma^2)$ are known as follows [33] from which we get (by the dominated convergence theorem, the exchange of the orders of summation and integration is justified) Hence, the expectation of (1) is at most $K + 2K^2 e^{-2\pi^2 t}$. We will need a slight generalization of this. Let $\sigma > 0$, and let $\varphi_k \in [0, 2\pi)$ be any angle, $1 \le k \le K$. We replace each $\Sigma_k$ by $\varphi_k + \sigma\sum_{i \in S_k} X_i$. Then,
Lemma 6. Let $\sigma > 0$ and $\xi_m = e^{2\pi i/m}$. Let $X_i \sim N(0,1)$, i.i.d. for $i = 1, 2, \dots, n$, and let $\{S_k \subseteq [n] \mid 1 \le k \le K\}$ be a finite collection of sets. Assume all except at most a $\delta$ fraction of the pairwise symmetric differences We only need to note, in addition to the above, that $\cos(\varphi + T_{jk}) = \cos\varphi\cos T_{jk} - \sin\varphi\sin T_{jk}$, that $\cos\varphi \le 1$ for any $\varphi$, and that $E[\sin T_{jk}] = 0$ since $\sin$ is an odd function and $T_{jk}$ is symmetrically distributed. The lemma follows.

Corrupted geometric sums
Suppose $N$ is an integer we wish to factor, and $2^n \approx N^2$ as in [37]. For definiteness assume $2^{n-1} < N^2 \le 2^n$. Assume $\omega$ is the period of the function $f(k) = x^k \bmod N$ for a randomly chosen $x \in \mathbb{Z}_N^*$, and by Lemma 5 we assume $\omega > N^{1/3}$ and $\mathrm{ord}_2(\omega) < \frac{\log_2\omega}{2}$. Also $\omega < N$ clearly. Let us write out a few terms as the controlled-$R_k$ gates are applied successively in the QFT circuit (e.g., see [32] p. 219), but now with random noise added whenever the controlled rotation gate is an $R_k$-gate with $k \ge b$, i.e., we apply controlled-$R_k$-gates when $k < b$ but controlled-$\tilde R_k$-gates for all $k \ge b$. (As the first controlled-$R_k$-gate has $k = 2$, we have $b > 1$.) Suppose we start with the state $|u\rangle = |u_{n-1}\dots u_1 u_0\rangle$. After the first gate $H$ on the qubit $|u_{n-1}\rangle$, we have the state The next is the controlled-$R_2$-gate on the target qubit $|u_{n-2}\rangle$ controlled by the leftmost qubit (which was initially $|u_{n-1}\rangle$), after which we have (assuming $b > 2$) The random noise starts at the controlled-$R_b$-gate, after which we get where $r$ After all the rotation gates controlled by the leftmost qubit (initially $|u_{n-1}\rangle$) we have where the $r$'s are i.i.d. $\sim N(0,1)$. Then, similarly, after all the rotation gates controlled by the two leftmost qubits (initially where $r$ The crucial step in Shor's algorithm, after the quantum Fourier transform, is to take a quantum measurement, with the property that the probability of observing a state that is close to an integral multiple of $2^n/\omega$ is high. Such a state has an $n$-bit integer expression $v \in \{0,1\}^n$ whose value is close to the rational number $2^n j/\omega$, for some $0 \le j \le \omega$. States $|v\rangle$ such that the number $v$ is not close to an integral multiple of $2^n/\omega$ have negligible probability of being observed, while states in a small vicinity of each integral multiple of $2^n/\omega$ get observed with probability on the order of $1/\omega$ (per multiple), and these add up to give a good probability that some such state is observed, whereby the period is deduced with good probability. (I am omitting the steps of the continued fraction algorithm in the post-quantum processing.) For each $v$, the probability of $|v\rangle$ being observed has an expression as the square norm of a sum over a set of the form $\{u = u^* + k\omega : k \ge 0 \text{ and } u^* + k\omega < 2^n\}$ (for some initial $0 \le u^* < \omega$), with cardinality $K$, which is approximately $2^n/\omega$. For $u^{(k)} = u^* + k\omega$, we write the $n$-bit integers When there is no noise in the controlled-$R_k$-gates used in the QFT, this probability expression for observing $|v\rangle = |v_{n-1}\dots v_1 v_0\rangle$ can be written as With independent random noise present starting with the controlled-$R_b$-gates, this becomes where the $r$'s are random variables i.i.d. $\sim N(0,1)$. Our first goal is to show that among states $|v\rangle$ such that the binary number $v$ is close to an integral multiple $2^n j/\omega$ (for some $0 \le j \le \omega$), it is the case that for most $j$, a linear number of bits in the binary expansion of $v$ are one: $v_s = 1$. This will leave us with a linear number of terms of the form in the exponent Eventually we will show that, fixing any such $v$, among those $s$ where $v_s = 1$, for most $k$, there are a linear number of terms with $u$ $\lfloor 2^n j/\omega\rfloor$, for $0 \le j < \omega$; it will be clear from the proof below that what is proved is also true for any $v$ in the vicinity of a polynomial range of such a number.
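The circuit just described, and the noise model of the introduction (one independent $r \sim N(0,1)$ per gate application, applied to every term of the superposition), can be run on a state vector for a register far too small for the theorems to bite but large enough to see the peaks erode. The following is an added simulation, not code from the paper: it builds the textbook QFT from Hadamards and controlled-$R_k$ gates (with the final bit-reversal), replaces the angle of every controlled-$R_k$ with $k \ge b$ by $2\pi(1+\epsilon r)/2^k$, applies it to the uniform superposition over $u = u^* + k\omega < 2^n$, and reports the total probability of outcomes within distance 1 of the multiples $j\,2^n/\omega$. The register size $n = 8$, period $\omega = 5$, and the $(b, \epsilon)$ pairs in the driver are illustrative choices of mine, and the exact DFT is recomputed directly only as a cross-check of the circuit.

```python
"""Added example (not from the paper): state-vector simulation of the
period-finding QFT with noisy controlled-R_k gates (the paper's model)."""
import cmath
import math
import random


def hadamard(state, q):
    """Apply H to qubit q (bit q of the basis index) in place."""
    bit, s = 1 << q, 1 / math.sqrt(2)
    for i in range(len(state)):
        if not i & bit:
            a, b = state[i], state[i | bit]
            state[i], state[i | bit] = (a + b) * s, (a - b) * s


def controlled_phase(state, control, target, angle):
    """Multiply by e^{i*angle} every basis state with control = target = 1."""
    mask, ph = (1 << control) | (1 << target), cmath.exp(1j * angle)
    for i in range(len(state)):
        if i & mask == mask:
            state[i] *= ph


def qft(state, n, b=None, eps=0.0, rng=None):
    """Textbook QFT circuit: for each target (most significant qubit first) a
    Hadamard, then controlled-R_k from the k-1 less significant qubits, then a
    bit reversal. With b set, every controlled-R_k with k >= b uses the angle
    2*pi*(1 + eps*r)/2^k with a fresh r ~ N(0,1) drawn once per gate and applied
    to the whole superposition (the paper's controlled-R~_k). b=None: exact QFT."""
    st = list(state)
    for j in range(n - 1, -1, -1):
        hadamard(st, j)
        for k in range(2, j + 2):            # control qubit j-k+1 holds bit u_{j-k+1}
            angle = 2 * math.pi / 2 ** k
            if b is not None and k >= b:
                angle *= 1 + eps * rng.gauss(0.0, 1.0)
            controlled_phase(st, j - k + 1, j, angle)
    out = [0j] * len(st)                     # swap network: reverse bit order
    for w, amp in enumerate(st):
        out[int(format(w, f"0{n}b")[::-1], 2)] = amp
    return out


def periodic_state(n, omega, u_star):
    """Uniform superposition over u = u* + k*omega < 2^n (K terms)."""
    support = range(u_star, 1 << n, omega)
    amp = 1 / math.sqrt(len(support))
    st = [0j] * (1 << n)
    for u in support:
        st[u] = amp
    return st


def exact_dft(state):
    """Direct DFT with the same sign convention, used only as a cross-check."""
    M = len(state)
    return [sum(a * cmath.exp(2j * math.pi * u * v / M) for u, a in enumerate(state))
            / math.sqrt(M) for v in range(M)]


def peak_mass(probs, omega, radius=1):
    """Total probability on outcomes within `radius` (mod 2^n) of some j*2^n/omega."""
    M = len(probs)
    peaks = set()
    for j in range(omega):
        centre = round(j * M / omega)
        for d in range(-radius, radius + 1):
            peaks.add((centre + d) % M)
    return sum(probs[v] for v in peaks)


def expected_peak_mass(n, omega, u_star, b, eps, trials, seed=0):
    """Average of the peak mass over `trials` fresh noise draws (b=None: noiseless)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        out = qft(periodic_state(n, omega, u_star), n, b, eps, rng)
        total += peak_mass([abs(a) ** 2 for a in out], omega)
    return total / trials


if __name__ == "__main__":
    n, omega = 8, 5                          # illustrative toy sizes
    print("noiseless peak mass:", round(expected_peak_mass(n, omega, 0, None, 0.0, 1), 4))
    for b, eps in [(4, 0.25), (3, 0.5), (2, 1.0), (2, 4.0)]:
        m = expected_peak_mass(n, omega, 0, b, eps, 20)
        print(f"b={b} eps={eps}: peak mass {m:.4f}")
```

Two things the run makes visible that the text states abstractly: the outcome $v = 0$ (and any $v$ whose set bits touch only noiseless gates) keeps its full probability no matter how large $\epsilon$ is, which is why the proof has to show that most $v = \lfloor 2^n j/\omega\rfloor$ have many set bits; and the noise only matters through the bits of $u = u^* + k\omega$ that vary with $k$, which is why an even $\omega$ with large $\mathrm{ord}_2(\omega)$ is excluded.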
For $0 \le j < \omega$, the integer $v = \lfloor 2^n j/\omega\rfloor$ has the $i$-th leading bit $v_{n-i} = 1$ iff the $i$-th most significant bit, among the first $n$ bits, in the binary expansion of $j/\omega$ is 1. This is true iff for some integer $t \ge 0$, $(2t+1)\,\omega/2^i \le j < (2t+2)\,\omega/2^i$ (5). So $j$ needs to be placed in the alternate ("odd" indexed) segments of length $\omega/2^i$. This is a lattice counting problem.
Recall that $\omega > N^{1/3} \approx 2^{n/6}$. We take $i_0 = \lfloor\frac{3}{4}\log_2\omega\rfloor \ge \lfloor\frac{1}{4}\log_2 N\rfloor = \Omega(n)$. Then $\omega/2^{i_0} \ge \omega^{1/4} > N^{1/12} = 2^{\Omega(n)}$. We will only count those $i$-th (significant) bits $v_{n-i}$ that are one, within $1 \le i \le i_0$, and first show that for most $j$, even just among the first $i_0$ bits $v_{n-1}, \dots, v_{n-i_0}$, there are a linear number of ones. (Any additional bits that are 1 can only add more noise to the perturbation.) Now we divide the range $[0, \omega)$ of real numbers into $2^{i_0}$ segments of equal length $\omega/2^{i_0}$, $I_\alpha = [(\alpha)_2\,\omega/2^{i_0},\ ((\alpha)_2 + 1)\,\omega/2^{i_0})$, where $\alpha \in \{0,1\}^{i_0}$ is a binary string, and $(\alpha)_2$ is the binary number it represents.⁴ Note that any real interval of the form $[A, A+B)$ contains either $\lfloor B\rfloor$ or $\lfloor B\rfloor + 1$ integers. Thus, each $I_\alpha$ contains either $\lfloor\omega/2^{i_0}\rfloor$ or $\lfloor\omega/2^{i_0}\rfloor + 1$ integers, which is $\omega/2^{i_0} + \eta$ for some $-1 \le \eta \le 1$. We consider two distributions on the integers $0 \le j < \omega$. Let $\Pr$ denote the uniform distribution and let $\Pr_\alpha$ denote the distribution induced by first picking $\alpha \in \{0,1\}^{i_0}$ uniformly, and then picking $j \in I_\alpha$ uniformly. They are exponentially close: for any $0 \le j < \omega$, $\Pr(j) = 1/\omega$, and $\Pr_\alpha(j) = \frac{1}{2^{i_0}}\cdot\frac{1}{\omega/2^{i_0} + \eta} = \frac{1}{\omega + \eta\,2^{i_0}}$ (6), where $\eta$ is the correction for the segment containing $j$; since $2^{i_0} \le \omega^{3/4}$, the two differ by a factor $1 \pm 2^{-\Omega(n)}$.
⁴ The reason we cut off at $i_0$ is to avoid having to deal with intervals that are too small, where such odd-indexed segments may just miss most integers. We can afford to cut off at $i_0$ and still get a linear number $\Omega(n)$ of 1's in the first $i_0$ bits of the $n$-bit binary expansion. This is where we use the fact that $\omega$ is large.
Similarly, we can see that every $j \in I_\alpha$ satisfies equation (5) for every $i \in \{1, \dots, i_0\}$ such that the corresponding bit in $\alpha$ is 1. For any constant $0 < \delta < 1/2$, the proportion of 0-1 sequences of length $i_0$ that have at most $\delta i_0$ ones is at most $2^{-(1-H(\delta))i_0}$, where $H(\cdot)$ is the binary entropy function. For any fixed constant $c > 0$, consider any Then, for a random $\alpha \in \{0,1\}^{i_0}$, with exponentially small exceptional probability $2^{-\Omega(n)}$, there are $\Omega(n)$ bits $\alpha_i = 1$ in those bit positions $i \in J$. Then any $j \in I_\alpha$ gives the corresponding bit $v_{n-i} = 1$. By (6) this is true under the uniform distribution $\Pr$ for $j$ as well. It follows that with exponentially small exceptional probability $2^{-\Omega(n)}$, a uniformly chosen $j$ defines a number $v = \lfloor 2^n j/\omega\rfloor$ with a linear number of bits $v_{n-i} = 1$, for $i \in J$.
Lemma 7.For any fixed constant c > 0 and any
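The equivalence "$v_{n-i} = 1$ iff $j$ lies in an odd-indexed segment of length $\omega/2^i$" and the resulting count of ones in the first $i_0$ leading bits can be verified exhaustively for a small period. The following is an added example, not code from the paper: it computes both sides of the equivalence for every $j$ and every $i \le i_0$, tabulates how many of the first $i_0$ leading bits of $v = \lfloor 2^n j/\omega\rfloor$ are one as $j$ ranges over $[0, \omega)$, and uses the paper's cut-off $i_0 = \lfloor\frac{3}{4}\log_2\omega\rfloor$. The parameters $n = 20$, $\omega = 1001$ are constructed for illustration; nothing here depends on $\omega$ being the order of an element.

```python
"""Added example (not from the paper): the bit/segment equivalence behind the
lattice counting argument, checked exhaustively for a small period omega."""
import math


def leading_bits(n, omega, j, i0):
    """Bits v_{n-1}, ..., v_{n-i0} of v = floor(2^n j / omega), most significant first."""
    v = (j << n) // omega
    return [(v >> (n - i)) & 1 for i in range(1, i0 + 1)]


def in_odd_segment(omega, j, i):
    """True iff j lies in an odd-indexed segment of length omega/2^i of [0, omega),
    i.e. iff floor(2^i j / omega) is odd (the condition (5) in the text)."""
    return ((j << i) // omega) % 2 == 1


def check_equivalence(n, omega, i0):
    """v_{n-i} = 1 iff j is in an odd segment, for all 0 <= j < omega, 1 <= i <= i0."""
    return all(
        leading_bits(n, omega, j, i0)[i - 1] == in_odd_segment(omega, j, i)
        for j in range(omega)
        for i in range(1, i0 + 1)
    )


def ones_histogram(n, omega, i0):
    """hist[t] = number of j in [0, omega) with exactly t ones among the first
    i0 leading bits of floor(2^n j / omega)."""
    hist = [0] * (i0 + 1)
    for j in range(omega):
        hist[sum(leading_bits(n, omega, j, i0))] += 1
    return hist


def fraction_with_at_least(n, omega, i0, t):
    """Fraction of j whose first i0 leading bits contain at least t ones."""
    return sum(ones_histogram(n, omega, i0)[t:]) / omega


def paper_i0(omega):
    """The cut-off i0 = floor(3/4 * log2 omega) used in the text."""
    return math.floor(0.75 * math.log2(omega))


if __name__ == "__main__":
    n, omega = 20, 1001                      # constructed toy parameters
    i0 = paper_i0(omega)
    print("i0 =", i0, "equivalence holds:", check_equivalence(n, omega, i0))
    hist = ones_histogram(n, omega, i0)
    for t, count in enumerate(hist):
        print(f"{t} ones: {count} values of j")
    print("fraction with >= 2 ones:", round(fraction_with_at_least(n, omega, i0, 2), 4))
```

The histogram is close to binomial because $j/\omega$ is nearly uniform on $[0, 1)$ at this resolution; the only $j$ with no ones at all are the $\lceil\omega/2^{i_0}\rceil$ values in the first segment (including $j = 0$), which is the exponentially small exception the text allows for.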

Now back to the expression (4) for the probability of observing $|v\rangle$ when noise is present. Regardless of what values the noise variables $r_1, \dots, r_{n-b}, \dots$ take, let us consider only those terms We will further throw away some noise terms in (7).
In general, 0 and for any $u^*$, the most significant $\omega\rfloor\}$. Then using the same argument with the entropy function $H(\cdot)$, for all except a fraction $2^{-\Omega(n)}$ of the pairs $(k, k')$, we have $u$
Lemma 8. Assume $|T_j| = \Omega(n)$. There exists $c_0 > 0$, such that for random pairs $(k, k')$, $\Pr[\,|\{i \in T_j : u$
It follows that, except for a $2^{-\Omega(n)}$ fraction of pairs $(k, k')$, the sum To summarize the error estimates: (I) except with probability $2^{-\Omega(n)}$, we have $\omega > N^{1/3}$ and $\mathrm{ord}_2(\omega) < \frac{\log_2\omega}{2}$, by Lemma 5; (II) except for a fraction $2^{-\Omega(n)}$ of all $j$, the number $v = \lfloor 2^n j/\omega\rfloor$ has $\Omega(n)$ bits $v_{n-i} = 1$ with $i \in J$, by Lemma 7; (III) except for a fraction $2^{-\Omega(n)}$ of all pairs $(k, k')$, the sums (8) defined by $k$ and $k'$ all have a symmetric difference with cardinality $\ge (2^b/\epsilon)^3$, by Lemma 8.
Finally we estimate the sum of the expectations of the square norm sum (4) indexed by all $v = \lfloor 2^n j/\omega\rfloor$. Note that the sum $\sum_{k=0}^{K-1}$ is over $K$ complex numbers of unit norm, and thus has norm at most $K$. With probability $\le 2^{-\Omega(n)}$, (I) may be violated, and then the sum over all $v = \lfloor 2^n j/\omega\rfloor$ of (4) can be at most $\omega\cdot\frac{K^2}{2^n K} = O(1)$. Assume (I) holds; then the sum of the terms (4) indexed by the $\le 2^{-\Omega(n)}$ fraction of exceptional $v$'s regarding (II) has value at most $(2^{-\Omega(n)}\omega)\cdot\frac{K^2}{2^n K} = 2^{-\Omega(n)}$. Assume (I) and (II) are both not violated; we apply Lemma 6. By (III), we get the estimate over all $v$ of the expectation of (4). We conclude that the expectation (over the random noise bits $r$'s) of the probability of observing a member of $\{|v\rangle : v = \lfloor 2^n j/\omega\rfloor,\ 0 \le j < \omega\}$ is exponentially small. The proof carries over easily to those $|v\rangle$ that are in the vicinity of a polynomial range of $\lfloor 2^n j/\omega\rfloor$. And since the estimate is exponentially small, the proof shows that the probability of observing any member of the set of those $|v\rangle$ that are polynomially close to an integral multiple $\lfloor 2^n j/\omega\rfloor$ is still exponentially small in expectation.

Some comments
This section contains some comments and personal opinions. They are speculative, and are not to be conflated with the provable part.
Quantum mechanics is unquestionably an accurate model of microscopic physical reality. However, I believe every physical theory is an approximate description of the real world, and quantum mechanics is no exception. In particular, I believe the SU(2) description of possible operations on a qubit to be only approximately true. Specifically, I don't believe arbitrarily small angles have physical meaning.
The real numbers $\mathbb{R}$, the continuum, are a human logical construct in terms of Dedekind cuts or Cauchy sequences in the language of $\epsilon$-$\delta$ definitions. SU(2) (or equivalently SO(3)) as a group is built on top of the continuum. That these mathematical objects provide a remarkable fit in some mathematical theory for physical reality is an extraordinary fact. But this extraordinary fit is always within a certain range; its unlimited extrapolation is mathematical idealization. The Schrödinger equation $i\,\frac{d}{dt}|\Psi(t)\rangle = \hat H|\Psi(t)\rangle$ suggests that small angles are related to small time periods. But physicists have suggested that time ultimately also comes in discrete and indivisible "units". The concept of a "chronon" has been proposed as a quantum of time [25]. It has even been proposed that one chronon corresponds to about $6.27 \times 10^{-24}$ seconds for an electron, much longer than the Planck time, which is only about $5.39 \times 10^{-44}$ seconds [9] (see also [12,4]). (Of course the literal mathematical meaning of the Schrödinger equation, as a differential equation, suggests time is infinitely divisible. But my personal view is that this is just mathematical abstraction.) Thus, I view arbitrarily small angles permitted under SU(2) as mere mathematical abstraction. It is true that a fixed finite set of rotations of reasonable angles such as $\pi/8$ along various axes can compose to rotations of arbitrarily small angles. But my view is that these compositional rules as specified by the group SU(2) need not be exact for physical reality. And thus, it seems to me, permitting some noise in the model is reasonable. The random noise model in this paper is just a model, and is not meant as reality.
Of course, in addition to its intrinsic interest, factoring integers of the form $pq$ is at the heart of the RSA public-key cryptosystem [34]. But several results and conjectures in number theory suggest that the failure of Shor's factoring algorithm in the presence of noise reported in this paper can be more severe in the asymptotic sense. We used a theorem of Fouvry [13] to produce a set of primes of positive density that have the desired properties of the period of a random element.
The most important property is that this period is sufficiently large. In Theorem 3 we prove a version of the theorem for primes of density one. There are deep results and many conjectures about the distribution of prime factorizations of $p - 1$. In the extreme there are the so-called Sophie Germain primes $p'$ such that $p = 2p' + 1$ is also a prime. It is conjectured that there are $2C\,x/(\log_e x)^2$ Sophie Germain primes up to $x$, where $C = \prod_{p > 2}\frac{p(p-2)}{(p-1)^2} \approx 0.660161$ is the Hardy-Littlewood twin prime constant. This is just slightly less than positive density. (However, it has not been proved that there are infinitely many Sophie Germain primes.) Sophie Germain primes were studied in (the first case of) Fermat's Last Theorem. Indeed, Adleman and Heath-Brown [2], and Fouvry [13], proved that the first case of Fermat's Last Theorem holds for infinitely many primes $p$. (See also [22].) In [20], Håstad, Schrift and Shamir (acknowledging Noga Alon) proved that, for any fixed constant $k$, for randomly chosen primes $p$ and $q$ of equal size, and $N = pq$ of size $n$, a random element in $\mathbb{Z}_N^*$ has order $\ge \varphi(pq)/n^k$ except with probability $O(n^{-(k-5)/5})$. We improve this slightly in Theorem 13 in the process of proving Theorem 3.
Another property we use of primes with the property of Theorem 4 is that the period of a random element in $\mathbb{Z}_N^*$ does not have high $\mathrm{ord}_2$. Erdős and Odlyzko [11] proved that the set of odd divisors of $p - 1$ has a positive density.
Finally, a few comments on the Strong Church-Turing thesis. It is conceivable that some other quantum algorithm in the BQP model can factor integers (or solve some other seemingly difficult problem) in polynomial time, and withstand the random noise discussed in this paper. Separately, it is definitely conceivable that at some future time, a quantum algorithm is superior to the best "classical" factoring algorithms for integers of a certain range. But I am not convinced that BQP requires that we revise the Strong Church-Turing thesis, even if factoring is eventually known to be outside P or BPP. In Turing's careful definition of computability, he made a deliberate choice that the "primitive" steps of such a computing device must be discrete. Thus, the set of states of a TM is finite; the symbols are placed in discrete cells; the alphabet is finite. At its most fundamental level, it is not permitted to ask the computing machine to scan a continuously deformed symbol from $\xi$ to $\zeta$, while a mathematical homotopy can easily be envisioned. I believe the model BQP, in its use of the full SU(2) as primitive steps (or, what amounts to the same thing, the assumption that the exact rule of composition of SU(2) corresponds exactly to realizable computational steps), is a departure from the Turing model.

Appendix

equivalent to $b + \log(1/\epsilon) < \frac{1}{3}\log(4m) - c'$ for some $c' > 0$. We note that to carry through the same proof of the Main theorem in the paper, we only need the property that 1. $\omega_N(x)$ is large, say $\omega_N(x) = 2^{\Omega(m)}$, and 2. $\mathrm{ord}_2(\omega_N(x))$ is not too large, say $\mathrm{ord}_2(\omega_N(x)) = o(m)$.
Håstad, Schrift and Shamir proved a version of the following theorem (Theorem 9) (acknowledging Noga Alon) [20] [Proposition 1, p. 378]. Their theorem is sufficient to address item (1) for our purpose. But we will give a minor improvement using the Brun-Titchmarsh theorem, which will also be used to derive a bound for item (2). The proof will be essentially the same as in [20]; the minor improvement comes from using the Brun-Titchmarsh theorem and an estimate due to Rosser and Schoenfeld [35] [Theorem 15]: $\frac{d}{\varphi(d)} < e^{\gamma}\log\log d + \frac{2.5}{\log\log d}$, where $\varphi(\cdot)$ is the Euler totient function, $\gamma = 0.577\ldots$ is Euler's constant, and $\log$ denotes the natural logarithm (as it will for the rest of this section). The estimate is valid for every $d \ge 3$, except the one case $d = 2\cdot 3\cdot\ldots\cdot 23$, when the constant 2.5 should be replaced by 2.50637. We will just use $\frac{d}{\varphi(d)} \le C\log\log d$ for some universal constant $C$ and all $d \ge 3$. Denote by $X = 2^m$ and $Y = 2^{m-1}$, so that the primes of binary length $m$ are those in $[Y, X)$.
Theorem 9. There exists a constant $C$, such that for any $m$ and randomly chosen distinct primes $p$ and $q$ of binary length $m$, with $N = p\cdot q$ and $g$ a randomly chosen element in $\mathbb{Z}_N^*$, for all $m^2 \le A < X$, where the probability is over all random $Y \le p \ne q \le X$ and $g \in \mathbb{Z}_N^*$. Note that $\varphi(N) = (p-1)(q-1) \approx 2^{2m}$. If we take $A = 2^{2\epsilon m}$ then a random $\omega_N(g) \ge 2^{2(1-\epsilon)m}$ with probability $1 - O(m\,2^{-\epsilon m/5})$. This is more than sufficient for our required item (1) above.
The Brun-Titchmarsh theorem is a reasonably sharp estimate for the number of primes up to any bound $x$ in an arithmetic progression. The bound is applicable even when the modulus of the arithmetic progression is large. The following version is an improvement of the original Brun-Titchmarsh theorem proved by Montgomery and Vaughan [26,21]. Suppose $a$ and $d$ are relatively prime. Let $\pi(x; d, a)$ denote the number of primes $p \equiv a \bmod d$ with $p \le x$. Then $\pi(x; d, a) \le \frac{2x}{\varphi(d)\log(x/d)}$ for all $x > d$.
Lemma 11. There exists a constant $C_1 > 0$, such that for randomly chosen distinct primes $p$ and $q$ of binary length $m$, $N = p\cdot q$, and for any $1$
Proof. It is trivial if $m \le 2$. We will assume $m > 2$. Clearly $O_N = \varphi(N)/\gcd(p-1, q-1)$ (this is $\mathrm{lcm}(p-1, q-1)$, the exponent of $\mathbb{Z}_N^*$). So, By the Prime Number Theorem, the number of primes of length $m$ is $\pi(X) - \pi(Y) \approx \frac{X}{2\log X}$. And so the number of ordered pairs of distinct primes of length $m$ is approximately $\left(\frac{X}{2\log X}\right)^2$. Now we bound the cardinality of $S = \{(p, q) : Y \le p \ne q \le X,\ p, q \text{ primes, and } \gcd(p-1, q-1) > A_1\}$.
It follows that And The lemma is proved.
where the first expression is over primes $Y \le p \ne q \le X$ and the second expression is over $p, q$ and $g \in \mathbb{Z}_N^*$. This is seen by the contrapositive: if $\varphi(N) \le A_1 O_N$ and $O_N \le A_2\,\omega_N(g)$ then $\varphi(N) \le A\,\omega_N(g)$.
It follows that, after taking Since both required items (1) and (2) are separately true with probability approaching 1, they are jointly true with probability approaching 1.
$r_{n-b-1}$ are i.i.d. $\sim N(0,1)$. The circuit continues to apply controlled rotation gates with random noise starting at the controlled-$R_b$-gate, producing a final expression with $n$ tensor factors. When the tensor product is written out, this is a sum indexed by $|v_{n-1}\dots v_0\rangle$, such that $v_0 = 0$ or 1 corresponds to selecting respectively the term $|0\rangle$ or $e^{2\pi i[\cdots]}|1\rangle$ in (2) (or equivalently, to selecting one of the two terms in the first tensor factor in (3)), and $v_1 = 0$ or 1 corresponds to selecting respectively the term $|0\rangle$ or $e^{2\pi i[\cdots]}|1\rangle$ in the second tensor factor in (3), and similarly for $v_s = 0$ or 1, for all $0 \le s \le n-1$.
$_{-s} = 1$, which will give us the perturbation as a sum of $\frac{2\pi i\epsilon}{2^b}\cdot r^{(s)}_0$. Let us consider integers $v = \lfloor 2^n$

$\frac{\log_2\omega}{2}$ by Lemma 5; (II) except for a fraction of $2$
$\frac{d}{\varphi(d)} \le C\log\log d$ for some universal constant $C$, and all $d \ge 3$.

subject to $1 \le A_1 \le X^{1/4}$, $A_1 B^2 = A$, $B > 1$, where $A$ is given as $m^2 \le A < X$. We can set $B = (A^2 m)^{1/5}\log A$ to achieve the bound in Theorem 9. We remark that, for polynomially bounded $A = m^k$, we can choose $B$ slightly better, $B =$
Theorem 13. With the same setting as in Theorem 9, for any $k \ge 2$, $\Pr\left[\omega_N(g) < \frac{1}{m^k}\varphi(N)\right] \le O\!\left(\frac{1}{m^{(k-2)/5}(\log m)^{2/5}}\right)$, where the probability is over all random $Y \le p \ne q \le X$ and $g \in \mathbb{Z}_N^*$. (The constant in $O$ depends on $k$.)
Finally, to finish the proof of Theorem 3, we address the required item (2), again using the Brun-Titchmarsh theorem. For any prime $p$, we have the prime factorization $p - 1 = 2^{e_0}p_1^{e_1}\cdots p_k^{e_k}$. We have $\Pr[\exists g \in \mathbb{Z}_p^* : \mathrm{ord}_2(\omega_p(g)) \ge e] \le \frac{1}{\pi(X) - \pi(Y)}\cdot\frac{2X}{\varphi(2^e)\log(X/2^e)}$, where the probability is over a random $Y \le p \le X$ (the event says exactly that $2^e \mid p - 1$, i.e. $p \equiv 1 \bmod 2^e$). We have $\varphi(2^e) = 2^{e-1}$ for $e \ge 1$, and $\pi(X) - \pi(Y) = \Theta(X/\log X)$. Using the Rosser-Schoenfeld estimate again, we have $\Pr[\exists g \in \mathbb{Z}_p^* : \mathrm{ord}_2(\omega_p(g)) \ge e] \le O\!\left(\frac{\log X}{\log(X/2^e)}\cdot\frac{\log\log 2^e}{2^e}\right)$. If we set $m^c = 2^e$, then we get an upper bound of $O\!\left(\frac{\log\log m}{m^c}\right)$, where the constant in $O$ depends on $c$. Thus, for any $c > 0$, $\Pr[\exists g \in \mathbb{Z}_p^* : \mathrm{ord}_2(\omega_p(g)) \ge c\log_2 m] \le O\!\left(\frac{\log\log m}{m^c}\right)$. As $\omega_N(g) = \mathrm{lcm}(\omega_p(g), \omega_q(g))$, it follows that $\Pr[\exists g \in \mathbb{Z}_N^* : \mathrm{ord}_2(\omega_N(g)) \ge c\log_2 m] \le O\!\left(\frac{\log\log m}{m^c}\right)$.