In short

Shor's algorithm does not attack the factoring problem head-on. Instead, it attacks a related problem — given N and a random a coprime to N, find the smallest r > 0 with a^r \equiv 1 \pmod N. This integer r is the multiplicative order of a modulo N. Once you have it, a two-line classical trick — compute \gcd(a^{r/2} \pm 1, N) — extracts a non-trivial factor of N with probability at least 1/2. This reduction is purely classical; the quantum magic lives entirely in the order-finding subroutine (chapters 76–77). The reduction is due to Miller (1976) and Rabin (1980), long before Shor. What Shor contributed in 1994 was the observation that order-finding — classically as hard as factoring — becomes easy on a quantum computer.

Shor's algorithm has a clever shape. You might expect a quantum factoring algorithm to directly pull p and q out of N using quantum interference. It does not. Instead, it reaches for a completely different number-theoretic problem — one that, from the outside, has nothing to do with factoring — and uses a pre-existing classical result to connect the two.

The problem is order-finding. Given N and a random integer a between 2 and N-1 (with a coprime to N), the multiplicative order of a modulo N is the smallest positive integer r such that

a^r \equiv 1 \pmod N.

If you could find r, it turns out you can factor N. Not always, but with probability at least 1/2, and you only need the factoring to work once — any success tells you a factor and you're done.

This chapter explains the reduction. No quantum mechanics appears anywhere in these pages. The reduction is elementary number theory, stitched together from Fermat-style modular identities and the Euclidean algorithm. It is the kind of result a motivated undergraduate can prove in a lecture. What makes it interesting is that Shor's algorithm sits on top of it — the quantum computer does only the order-finding, and this classical wrapper does the rest.

The reduction, in one picture

The entire Shor algorithm is a sandwich.

The Shor algorithm sandwich: classical pre-processing, quantum order-finding, classical post-processingA three-layer vertical diagram. Top layer labelled classical pre-processing describes picking a random a mod N and checking gcd of a and N. Middle layer, coloured accent, labelled quantum order finding, gives r such that a to the r equals 1 mod N. Bottom layer, classical post-processing, describes computing x equals a to the r over 2 mod N and then gcd of x minus 1 and N and gcd of x plus 1 and N, producing the two factors.Step 1: Classical pre-processingPick random a ∈ {2, ..., N-1}. If gcd(a, N) ≠ 1, you already have a factor — done.Otherwise, a is coprime to N — move to step 2.Step 2: Quantum order-findingFind r = order of a mod N: smallest r > 0 with a^r ≡ 1 mod N.This is the only quantum step. Takes poly(log N) time on a fault-tolerant QC.Step 3: Classical post-processingIf r is odd, or a^(r/2) ≡ −1 mod N, retry from step 1 with new a.Otherwise compute gcd(a^(r/2) − 1, N) and gcd(a^(r/2) + 1, N).Each gcd is a non-trivial factor with probability ≥ 1/2 per random a.
The Shor algorithm in three layers. The top and bottom slices are classical and elementary — just gcd computations and modular arithmetic. The middle slice, the quantum order-finding, is the only step that needs a quantum computer. This chapter is entirely about the top and bottom; the middle is the subject of the next two chapters.

The top slice is trivial: pick a, run Euclidean gcd with N, branch. The bottom slice is the content of this chapter — given r, produce a factor. The middle slice, where the quantum magic happens, is covered in chapters 76–77.

Why the reduction works — the one key identity

The entire reduction hinges on a single observation. Suppose you have r such that a^r \equiv 1 \pmod N, and suppose further that r is even. Then

a^r - 1 \equiv 0 \pmod N.

Factor the left-hand side using the difference-of-squares identity, which is just the observation that X^2 - 1 = (X-1)(X+1):

a^r - 1 \;=\; (a^{r/2})^2 - 1 \;=\; (a^{r/2} - 1)(a^{r/2} + 1).

Why this factorisation: a^r = (a^{r/2})^2 by laws of exponents, so a^r - 1 is a perfect square minus one, which factors as a product of two consecutive integers either side of a^{r/2}. Elementary algebra, but it is the only load-bearing move.

Define x = a^{r/2} \bmod N. Then

(x - 1)(x + 1) \equiv 0 \pmod N.

This is the miracle. Two integers, x - 1 and x + 1, whose product is divisible by N. If neither of them is divisible by N individually — that is, if x \not\equiv \pm 1 \pmod N — then N must share some prime factor with x - 1 and some other prime factor with x + 1. In that case, the greatest common divisor \gcd(x - 1, N) is a proper, non-trivial divisor of N. A factor.

Write that out explicitly:

\boxed{\;\text{if }\; x \neq \pm 1 \pmod N,\; \text{ then } \gcd(x-1, N) \text{ and } \gcd(x+1, N) \text{ are non-trivial factors of } N.\;}

The \gcd is cheap — the Euclidean algorithm runs in O((\log N)^2) time — so if you have r, you have a factor in milliseconds.

What can go wrong. Two failure modes:

  1. r is odd. Then a^{r/2} is not an integer (it is an integer raised to a half-power), and the factorisation a^r - 1 = (a^{r/2} - 1)(a^{r/2} + 1) doesn't hold over the integers. You cannot use this r. Retry with a different random a.
  2. r is even but x = a^{r/2} \equiv -1 \pmod N. Then x + 1 \equiv 0 \pmod N, so \gcd(x+1, N) = N — trivial. And x - 1 \equiv -2 \pmod N, so \gcd(x-1, N) is usually just \gcd(-2, N) = \gcd(2, N) = 1 or 2 — also essentially trivial. Both gcds give no useful factor. Retry with a different a.

The case x \equiv +1 \pmod N cannot happen: if a^{r/2} \equiv 1 \pmod N, then by definition r/2 is an exponent at which a returns to 1, but r was supposed to be the smallest such positive exponent, so r/2 < r is a contradiction. You can safely rule this out.

Why r was chosen to be the smallest: the definition of "order" — the smallest positive r with a^r \equiv 1 \pmod N — is exactly what rules out the x \equiv 1 case. If you used any exponent r' with a^{r'} \equiv 1 (not necessarily the smallest), r'/2 could also give a^{r'/2} \equiv 1, and the reduction wouldn't work. The quantum order-finding algorithm does return the smallest r, which is why it matters that we define order this way.

Why it succeeds with probability at least 1/2

The failure modes — r odd, or x = -1 \pmod N — are not catastrophic. For any odd composite N with at least two distinct prime factors, a theorem of Ekert and Jozsa (tightening an earlier result by Miller and Rabin) says:

Fact. If N is odd, composite, and not a prime power, and a is chosen uniformly at random from the integers in \{1, \ldots, N-1\} coprime to N, then

\Pr\bigl[r \text{ is even and } a^{r/2} \not\equiv -1 \pmod N\bigr] \;\geq\; \frac{1}{2}.

So at least half the time, the reduction works and you get a factor. If it fails, you draw a new a and try again. After k attempts, the probability of never succeeding is at most (1/2)^k. Twenty attempts give you 2^{-20} \approx 10^{-6} failure probability — essentially guaranteed.

Why the bound is only \geq 1/2, not something larger: the proof goes through the Chinese Remainder Theorem. For N = p_1^{e_1} \cdots p_k^{e_k}, the multiplicative group mod N decomposes as a product of groups mod p_i^{e_i}, each cyclic of order \varphi(p_i^{e_i}). The condition "r even and a^{r/2} \not\equiv -1" translates into conditions on the 2-adic valuations of a's order in each factor — and when N has at least two distinct primes, those conditions agree with probability at most 1/2. The proof is a page of elementary group theory; the lower bound is tight for some N.

This is why the full Shor algorithm has a repeat loop built in: pick a, find order, try the reduction, if it fails pick a new a and go again. The expected number of attempts before success is at most 2.

Why N needs to be odd, composite, and not a prime power. Each exclusion is mild:

After these classical pre-checks, what's left is the case the reduction handles: odd, composite, not a prime power. Which is exactly the interesting case — RSA moduli N = pq with p and q distinct large primes.

Probability tree: why half the random a's give a factorA decision tree starting from pick random a coprime to N. The first branch splits on whether r is odd or even, roughly each fifty percent. If odd, retry. If even, second branch splits on whether a to the r over 2 is minus one mod N or not. If it is minus one, retry. If not, compute gcd and get a factor. The combined probability of success is at least one half.pick random acoprime to Nr oddr evenretrycomputex = a^(r/2) mod Nx ≡ −1x ≠ ±1retrygcd(x ± 1, N)= factor of Nprobability ≥ 1/2 per attempt
The decision tree for each random $a$. Two failure branches (odd $r$, or $a^{r/2} \equiv -1 \bmod N$) send you back to the start with a fresh $a$. The success branch produces a non-trivial factor via a $\gcd$. Combined success probability per attempt is $\geq 1/2$, so the expected number of attempts is $\leq 2$.

A full worked factoring — N = 15 via order-finding

The canonical warm-up example is N = 15 = 3 \times 5. Small enough to do by hand, structured enough to show every step of the reduction. The quantum order-finding can be simulated on paper, so this is a complete factoring — reduction wrapper and all — with nothing hidden.

Example 1: factor N = 15 using a = 7

Setup. N = 15. Pick a = 7. First check \gcd(7, 15): Euclidean algorithm gives 15 = 2 \times 7 + 1, then 7 = 7 \times 1 + 0, so \gcd(7, 15) = 1. Coprime. Good.

Step 1. Find the order r of 7 \pmod{15}. Compute successive powers of 7:

\begin{aligned} 7^1 &\bmod 15 \;=\; 7 \\ 7^2 &\bmod 15 \;=\; 49 \bmod 15 \;=\; 49 - 3 \cdot 15 \;=\; 4 \\ 7^3 &\bmod 15 \;=\; 7 \cdot 4 \bmod 15 \;=\; 28 \bmod 15 \;=\; 13 \\ 7^4 &\bmod 15 \;=\; 7 \cdot 13 \bmod 15 \;=\; 91 \bmod 15 \;=\; 91 - 6 \cdot 15 \;=\; 1 \end{aligned}

So 7^4 \equiv 1 \pmod{15}, and no smaller power of 7 hits 1. Therefore r = 4. Why compute step by step rather than jumping ahead: to check "is this the smallest r", you must verify 7^1, 7^2, 7^3 are all \neq 1. They are: 7, 4, 13. The smallest r for which the sequence returns to 1 is r = 4.

Step 2. Check r is even. r = 4 is even. Continue.

Step 3. Compute x = a^{r/2} \bmod N = 7^2 \bmod 15 = 4. Check x \neq \pm 1 \pmod{15}. Here x = 4, which is neither 1 nor 14 \equiv -1. Continue.

Step 4. Compute the gcds.

\gcd(x - 1, N) \;=\; \gcd(3, 15) \;=\; 3
\gcd(x + 1, N) \;=\; \gcd(5, 15) \;=\; 5

Why both gcds give a factor here: x = 4, so x - 1 = 3 shares the factor 3 with 15, and x + 1 = 5 shares the factor 5 with 15. Both primes of 15 are recovered in a single attempt — a clean case.

Result. N = 15 = 3 \times 5. Factored in five lines of arithmetic.

Factoring N=15 via the order of 7: power sequence and gcdsA tree diagram. At the top, a row of boxes shows the power sequence 7, 4, 13, 1 labelled 7 to the 1, 2, 3, 4 mod 15, with the fourth box highlighted in accent. An arrow down labelled r equals 4 leads to a box computing x equals 7 squared mod 15 equals 4. Two arrows from there branch to gcd 3 comma 15 equals 3 and gcd 5 comma 15 equals 5, each labelled as a factor.Powers of 7 mod 157^1 mod 1577^2 mod 1547^3 mod 15137^4 mod 151 ✓so r = 4x = 7^(r/2) mod 15= 7^2 mod 15 = 4gcd(x − 1, 15) = gcd(3, 15)= 3 (factor)gcd(x + 1, 15) = gcd(5, 15)= 5 (factor)
Order-finding for $N = 15$ with base $a = 7$. The power sequence $7^k \bmod 15$ returns to $1$ at $k = 4$, giving $r = 4$. Then $x = 7^2 = 4$, and the two gcds $\gcd(3, 15) = 3$ and $\gcd(5, 15) = 5$ peel off the two prime factors of $15$ in one shot.

What this shows. Every step after the order-finding is elementary. Euclidean gcd and modular arithmetic, nothing quantum. The entire point of Shor's algorithm is to compute step 1 — the order r — quickly, because classically computing r is as hard as factoring N in the first place. The quantum computer does exactly that one line; everything else a laptop can finish in microseconds.

A second worked example — N = 21 showing the retry

A slightly larger example shows the retry mechanism in action: the first a you pick might fail, and you have to pick another.

Example 2: factor N = 21, first attempt fails, second succeeds

Setup. N = 21 = 3 \times 7. The game: pick random a, find order, apply reduction, retry on failure.

Attempt 1: Pick a = 8. Check \gcd(8, 21) = 1. Compute powers of 8 mod 21:

8^1 = 8, \quad 8^2 = 64 \bmod 21 = 1.

Why 8^2 is already 1: 64 = 3 \cdot 21 + 1, so 8^2 \equiv 1. This gives r = 2, which is small.

So r = 2. It is even. Compute x = 8^{r/2} = 8^1 = 8 \bmod 21. Check x = \pm 1 \pmod{21}? 8 \neq 1 and 8 \neq 20 \equiv -1. Good.

\gcd(x - 1, N) = \gcd(7, 21) = 7, \qquad \gcd(x + 1, N) = \gcd(9, 21) = 3.

Factors: 3 and 7. Done in one attempt.

Wait — that worked. Let me show a genuine failure instead.

Attempt 1 (real): Pick a = 20. \gcd(20, 21) = 1. Compute powers:

20^1 = 20, \quad 20^2 = 400 \bmod 21.

Compute 400 \bmod 21: 19 \cdot 21 = 399, so 400 \bmod 21 = 1. r = 2.

But now x = 20^1 = 20 \equiv -1 \pmod{21}. The reduction fails! Retry.

Attempt 2: Pick a = 2. \gcd(2, 21) = 1. Compute powers:

\begin{aligned} 2^1 &= 2 \\ 2^2 &= 4 \\ 2^3 &= 8 \\ 2^4 &= 16 \\ 2^5 &= 32 \bmod 21 = 11 \\ 2^6 &= 22 \bmod 21 = 1. \end{aligned}

So r = 6, even. Compute x = 2^3 = 8 \bmod 21. Check x \neq \pm 1: 8 \neq 1, 8 \neq 20. Good.

\gcd(x - 1, N) = \gcd(7, 21) = 7, \qquad \gcd(x + 1, N) = \gcd(9, 21) = 3.

Factors: 3 and 7. N = 21 = 3 \times 7.

Factoring N=21: attempt 1 fails, attempt 2 succeedsTwo rows. Top row shows attempt one with a equals 20, r equals 2, x equals 20 which is minus one mod 21, retry indicated with a red x. Bottom row shows attempt two with a equals 2, r equals 6, x equals 8, gcd 7 comma 21 equals 7 and gcd 9 comma 21 equals 3, factors three and seven.Two attempts at factoring N = 21Attempt 1:a = 20r = 2x = 20 ≡ −1 ✗retryAttempt 2:a = 2r = 6x = 8, ≠ ±1 ✓factors 3, 7gcd(8−1, 21) = gcd(7, 21) = 7gcd(8+1, 21) = gcd(9, 21) = 3N = 21 = 3 × 7 ✓
Two attempts at factoring $N = 21$. Attempt 1 with $a = 20$ hits the failure mode $x \equiv -1$. Attempt 2 with $a = 2$ finds $r = 6$, computes $x = 2^3 = 8$, and both gcds produce the prime factors $3$ and $7$. The retry cost is minimal — each attempt is one quantum run plus a handful of classical arithmetic.

What this shows. Failures happen, but they are cheap. When a = 20 leads to x = -1 \pmod{21}, the classical post-processing simply returns "retry" and you re-run order-finding on a fresh a. The expected number of attempts is \leq 2, so Shor's algorithm spends at most a few runs of the quantum circuit per factoring job. For an RSA modulus, that is a few hours of quantum computation total.

What this means for the quantum part

Zoom out for a moment. The reduction above shows that factoring is no harder than order-finding — if you can solve order-finding, you can factor. The converse is also true: order-finding is no harder than factoring (see "Going deeper" below). So the two problems are computationally equivalent: an efficient algorithm for either gives an efficient algorithm for the other.

Why, then, is Shor's algorithm phrased as order-finding rather than as direct factoring? Because order-finding has a quantum-native structure that factoring does not. The function f(k) = a^k \bmod N is periodic with period r, and the quantum Fourier transform excels at extracting periods from periodic functions. Direct factoring — pull p and q out of N — has no such periodic structure. The reduction lets Shor's algorithm attack the easy-looking quantum version of the problem and then translate the answer back to factoring through pure classical number theory.

This is a pattern you will see throughout quantum algorithms. The reduction is classical. The core subroutine exploits some mathematical structure — periodicity, symmetry, an interference pattern — that quantum mechanics is natively good at. Shor's algorithm, the HHL linear-systems algorithm, and quantum chemistry all share this shape: classical wrapper, quantum core.

Common confusions

Going deeper

If you understand the reduction — find the order, check it's even, compute \gcd(a^{r/2} \pm 1, N), retry on failure — you have chapter 75. The quantum part follows in the next chapters. Below are the proof of the 1/2 probability bound, the reverse reduction from order-finding to factoring, the parallel reduction for discrete logarithm, and why prime-power moduli need special treatment.

Proof that the success probability is at least 1/2

Let N = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k} be an odd composite with at least two distinct prime factors. For each i, let r_i be the order of a modulo p_i^{e_i}. By the Chinese Remainder Theorem, the order r of a modulo N is the least common multiple of the r_i.

Write each r_i = 2^{v_i} \cdot m_i with m_i odd, where v_i \geq 0 is the 2-adic valuation. Then r = \text{lcm}(r_i) has v(r) = \max_i v_i. The reduction fails in two cases:

Miller (1976) showed that for random a coprime to N, the probability of the combined failure event — "odd order modulo every factor, or a^{r/2} \equiv -1 in every factor" — is at most 2^{1-k} where k is the number of distinct prime factors. For k = 2 (the RSA case), this is 1/2. For k \geq 3, the success probability is even higher.

The proof uses the structure of the multiplicative group modulo p^e, which is cyclic of order \varphi(p^e) = p^{e-1}(p-1). In a cyclic group, the fraction of elements with any specific 2-adic valuation pattern is exactly 1/2 per factor — which combines multiplicatively via CRT. The full argument is a few pages in Nielsen and Chuang §5.3.2.

The reverse reduction — order-finding from factoring

Suppose you could factor any N. Can you find orders?

Given N and a coprime to N, factor N = p_1^{e_1} \cdots p_k^{e_k}. Then \varphi(N) = \prod p_i^{e_i - 1}(p_i - 1) is an exact multiple of every element's order. Factor \varphi(N) itself, and the order of a is the smallest divisor of \varphi(N) for which a^d \equiv 1. You can check divisors of \varphi(N) in polynomial time (there are at most O(\log \varphi(N)) prime factors, so only O(2^{\log \varphi(N)}) divisors — but the greedy approach of removing one prime factor at a time works in polynomial time).

This shows factoring implies order-finding. Combined with the forward reduction, the two problems are polynomial-time equivalent.

The same trick for discrete logarithm — ch. 82 preview

Shor's algorithm also breaks the discrete logarithm problem: given g, h, p, find x such that g^x \equiv h \pmod p. The reduction is analogous: express the DLP as a period-finding problem over a two-dimensional function f(k, \ell) = g^k h^{-\ell} \bmod p, which is periodic along the diagonal (k, \ell) = (x m, m) where m is a parameter. Quantum Fourier transform on the two-dimensional lattice extracts this diagonal, from which x falls out.

Since elliptic-curve cryptography (ECC) is built on discrete logarithm in elliptic-curve groups, Shor's algorithm also breaks ECC. This doubles the cryptographic stakes: RSA, finite-field Diffie-Hellman, and ECC all fall to variants of the same quantum circuit.

Why prime powers need separate handling

The reduction as stated requires N to have at least two distinct prime factors. For N = p^e (a prime power), two things break down:

Classical root-extraction handles prime powers separately: for each candidate k from 2 to \log_2 N, compute \lfloor N^{1/k} \rfloor using Newton's method, test whether its k-th power equals N, and check if that base is prime. Total cost O((\log N)^3). So in the Shor pipeline, you check for prime-power structure classically before invoking the quantum order-finder.

Indian context — where this matters

Every RSA-2048 modulus used in Aadhaar signatures, UPI transactions, and banking TLS is specifically the "interesting case" for this reduction: odd, composite, the product of exactly two large primes, not a prime power. The classical pre-checks (test for 2, test for primality, test for prime-power) all pass through quickly, and the reduction-success probability is the full 1/2.

When India's National Quantum Mission researchers build early demonstrations of Shor's algorithm on Indian-built hardware — the NQM's Thematic Hub on quantum computing, headquartered at IIT Madras, has exactly this on its 2028 roadmap — the first milestones will be factoring small primes-products (15, 21, 35, 91) exactly as shown in this chapter. The target for 2030s is factoring semiprimes of up to 8 bits using fully fault-tolerant circuits, after which scaling to cryptographically relevant sizes becomes an engineering problem of error-correction overhead rather than an algorithmic one.

Where this leads next

References

  1. Peter Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer (1994) — arXiv:quant-ph/9508027. The original paper; the reduction in this chapter is in §4.
  2. Gary Miller, Riemann's Hypothesis and Tests for Primality (1976) — DOI:10.1016/S0022-0000(76)80043-8. The original probabilistic-factoring argument.
  3. Nielsen and Chuang, Quantum Computation and Quantum Information (2010), §5.3.2 — the cleanest textbook presentation of the reduction and its probability analysis — Cambridge University Press.
  4. John Preskill, Lecture Notes on Quantum Computation, Chapter 6 — theory.caltech.edu/~preskill/ph229.
  5. Wikipedia, Shor's algorithm — the reduction and classical post-processing section.
  6. Wikipedia, Multiplicative order — definitions and basic properties.