The security of messages encoded via the widely used RSA public key encryption system rests on the enormous computational effort required to find the prime factors of a large number N using classical (conventional) computers. In 1994 Peter Shor showed that for sufficiently large N, a quantum computer could perform the factoring with much less computational effort. This paper endeavors to explain, in a fashion comprehensible to the nonexpert, the RSA encryption protocol; the various quantum computer manipulations constituting the Shor algorithm; how the Shor algorithm performs the factoring; and the precise sense in which a quantum computer employing Shor’s algorithm can be said to accomplish the factoring of very large numbers with less computational effort than a classical computer. It is made apparent that factoring N generally requires many successive runs of the algorithm. Our analysis reveals that the probability of achieving a successful factorization on a single run is about twice as large as commonly quoted in the literature.

1.
N. D. Mermin, “From cbits to qbits: Teaching computer scientists quantum mechanics,” Am. J. Phys. 71, 23–30 (2003).
2.
L. K. Grover, “From Schrödinger’s equation to the quantum search algorithm,” Am. J. Phys. 69, 769–777 (2001).
3.
P. W. Shor, “Algorithms for quantum computation: Discrete logarithms and factoring,” in Proceedings of the 35th Annual Symposium on the Foundations of Computer Science, edited by S. Goldwasser (IEEE Computer Society, Los Alamitos, CA, 1994), pp. 124–134.
P. W. Shor, SIAM J. Comput. 26, 1484–1509 (1997) provides an expanded version of Shor’s original paper.
4.
I. V. Volovich, “Quantum computing and Shor’s factoring algorithm,” quant-ph/0109004.
5.
A. Ekert and R. Jozsa, “Quantum computation and Shor’s factoring algorithm,” Rev. Mod. Phys. 68, 733–753 (1996).
6.
M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information (Cambridge U.P., Cambridge, 2000), pp. 232–247.
7.
C. P. Williams and S. H. Clearwater, Explorations in Quantum Computing (Springer, New York, 1998), pp. 130–145.
8.
G. Johnson, A Shortcut Through Time (Knopf, New York, 2003), pp. 66–82.
9.
J. Brown, The Quest for the Quantum Computer (Simon and Schuster, New York, 2000), pp. 170–188.
10.
See, for example, 〈arXiv.org/archive/quant-ph〉. See also 〈www.eg.bucknell.edu/~dcollins/research/qcliterature.html〉.
11.
An exposition (suitable for the nonspecialist readers of this journal) of what is now termed the RSA public key system can be found in Ref. 7, pp. 122–127.
12.
An important reference, probably useful to cryptography specialists only, is A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography (CRC, Boca Raton, FL, 1996), Chap. 8.
13.
The RSA system was first proposed by R. Rivest, A. Shamir, and L. Adleman, “On digital signatures and public-key cryptosystems,” MIT Laboratory for Computer Science Technical Report MIT/LCS/TR-212 (January 1979).
14.
A. Ekert, “From quantum code-making to quantum code-breaking,” quant-ph/9703035.
15.
D. Kahn, The Codebreakers: The Story of Secret Writing (Scribner, New York, 1996). For the definitions adopted here, see pp. xv–xviii and 989.
16.
S. Singh, The Code Book (Doubleday, New York, 1999), especially Chaps. 6 and 7.
17.
N. Gisin, Grégoire Ribordy, Wolfgang Tittel, and Hugo Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74, 145–195 (2002), pp. 147–148, and Ref. 16, pp. 268–273.
18.
Reference 15, pp. 71–88.
19.
Reference 15, pp. 93–105.
20.
“The Gold-Bug,” published in 1843. See, for example, Complete Stories and Poems of Edgar Allan Poe (Doubleday, New York, 1966), pp. 70 and 819.
21.
“The Adventure of the Dancing Men.” See, for example, The Complete Sherlock Holmes (Doubleday, New York, 1966), p. 593.
22.
Reference 16, pp. 20–25, and Ref. 15, pp. 99–105, provide detailed illustrative cryptanalyses of such cryptograms.
23.
Reference 16, Chap. 4, describes the Enigma machine and recounts the remarkable story of how its cryptograms were cryptanalyzed. See also A. Hodges, Alan Turing: The Enigma (Simon and Schuster, New York, 1983), Chap. 4.
24.
Actually it is possible, though intrinsically inconvenient, for Alice and Bob to establish a secure key via conventional communication channels without meeting, as was discovered in 1976; see Ref. 16, pp. 253–267. Secure key distribution also is possible (in theory at least) via “quantum channels,” for example, channels that carry pairs of spin-1/2 particles whose spin orientations can be measured by Alice and Bob; see Ref. 14. These secure key distribution schemes are beyond the scope of this paper.
25.
I do not pretend that this analogy between cryptographic keys and safes is original. See, for example, Ref. 17.
26.
Reference 16, pp. 245–249 and 379.
27.
ASCII is the acronym for the American Standard Code for Information Interchange. For more information on ASCII, see 〈www.jimprice.com/jim-asc.htm〉, especially the link to a decimal-to-ASCII chart.
28.
See any textbook on elementary number theory, for example, K. H. Rosen, Elementary Number Theory and its Applications (Addison-Wesley, Reading, MA, 1993), pp. 119–125.
29.
Reference 12, especially p. 292.
30.
“How large a key should be used in the RSA cryptosystem?” 〈www.rsasecurity.com/rsalabs/node.asp?id=2218〉. See also “TWIRL and RSA key size,” 〈www.rsasecurity.com/rsalabs/node.asp?id=2004〉.
31.
A. Ekert, “Quantum cryptoanalysis—Introduction” (as updated by Wim van Dam, June 1999), 〈www.qubit.org/library/intros/cryptana.html〉.
32.
R. Roskies, Scientific Director Pittsburgh Supercomputing Center, private communication.
33.
“How Old is the Universe?” (NASA 4/30/04) at 〈map.gsfc.nasa.gov/m_uni/uni_101age.html〉.
34.
Reference 9, pp. 164–166.
35.
R. Crandall and C. Pomerance, Prime Numbers. A Computational Perspective (Springer, New York, 2001), pp. 225–232.
36.
“What is the RSA Factoring Challenge?” 〈www.rsasecurity.com/rsalabs/node.asp?id=2192〉.
37.
Reference 35, pp. 242–258.
38.
“What are the best factoring methods in use today?” 〈www.rsasecurity.com/rsalabs/node.asp?id=2190〉.
39.
“RSA-160 is factored!” 〈www.rsasecurity.com/rsalabs/node.asp?id=2097〉.
40.
“The RSA challenge numbers,” 〈www.rsasecurity.com/rsalabs/node.asp?id=2093〉.
41.
Reference 35, p. 265.
42.
N. Koblitz, A Course in Number Theory and Cryptography (Springer, New York, 1987), pp. 3–4.
43.
Reference 7, p. 35.
44.
P. Ribenboim, The New Book of Prime Number Records (Springer, New York, 1995), p. 156, writes: “It is fairly easy, in practice, to produce large primes. It is, however, very difficult to produce a theoretical justification for the success of the method.”
See also P. Ribenboim, “Selling Primes,” Math. Mag. 68, 175–182 (1995). The essential point is that finding the primes p and q which will be multiplied to construct N can be accomplished in computing times at most polynomial in L = log₂ N, whereas factoring N to find its prime factors p and q requires computing times subexponential in L (as we have discussed, assuming only classical computers are available).
45.
A recent test run demonstrated that even with an RSA key number of 2048 binary bits (that is, an RSA-617) a message consisting of approximately 32 000 ASCII characters could be routinely enciphered and deciphered in times of the order of seconds and at most minutes, respectively, employing merely a 700 MHz desktop computer (hardly a supercomputer). For example, using block sizes of 52 ASCII characters (recall Sec. II C), the encryption and decryption times were 1.46 and 30.3 s, respectively. Sam Scheinman, software engineer consultant, private communication.
46.
Reference 28, pp. 278–279.
47.
Reference 35, p. 386.
48.
Reference 42, p. 94.
49.
A. Odlyzko, “Discrete logarithms: The past and the future,” Designs, Codes, Cryptogr. 19, 129–145 (2000).
50.
J. Eisen and M. Wolf, “Quantum computing,” quant-ph/0401019, cf, especially, p. 16.
51.
See, for example, Ref. 6, Chap. 7.
52.
D. J. Griffiths, Introduction to Quantum Mechanics (Prentice Hall, Englewood Cliffs, NJ, 1994), pp. 154–159.
53.
V. Scarani, “Quantum computing,” Am. J. Phys. 66, 956–960 (1998).
54.
Reference 52, p. 12.
55.
Reference 1, especially Eq. (35).
56.
See, for example, Ref. 6, Chap. 4.
57.
Reference 35, p. 7.
58.
Reference 7, especially pp. 136–137.
59.
See, for example, Ref. 6, pp. 18–19.
60.
Reference 6, pp. 194–198.
61.
Reference 6, pp. 217–220.
62.
Reference 28, pp. 394–403.
63.
See, for example, Ref. 5. These authors refer to G. H. Hardy and E. M. Wright, An Introduction to the Theory of Numbers (Clarendon, Oxford, 1965), Sec. 10.15, for a proof of the theorem.
64.
Reference 35, p. 11.
65.
Reference 44, pp. 319–320.
66.
D. E. Knuth, The Art of Computer Programming (Addison-Wesley, Reading, MA, 1981), 3rd ed., Vol. 2, pp. 290 and 300 (see Problem 8).
67.
L. Vandersypen, Matthias Steffen, Gregory Breyta, Costantino S. Yannoni, Mark H. Sherwood, and Isaac L. Chuang, “Experimental realization of Shor’s quantum factoring algorithm using nuclear magnetic resonance,” Nature (London) 414, 883–887 (2001).
68.
Reference 28, pp. 201–204.
69.
Reference 28, p. 187; L. E. Dickson, Modern Elementary Theory of Numbers (University of Chicago, Chicago, 1939), p. 12, quotes the date of Fermat’s Little Theorem.
70.
Reference 28, pp. 80–84.
71.
Reference 42, pp. 6–7.
72.
Reference 28, p. 61; Ref. 66, p. 295.
73.
Reference 28, p. 210.
74.
Reference 28, pp. 132–133.