RSA Manuscript

This paper presents a polynomial time algorithm to compute φ(N) for an RSA modulus N using the order modulo N of a randomly chosen integer, requiring only a greatest common divisor computation, two multiplications, and a division. The algorithm operates with a high probability of success and is simpler and faster than previous methods, which also factor integers based on the order of a random integer. The authors also discuss the relationship between computing φ(N) and factoring N, highlighting improvements over existing algorithms and extending applicability beyond safe semiprimes.


COMPUTING φ(N) FOR AN RSA MODULE WITH A SINGLE QUANTUM QUERY

LUIS VÍCTOR DIEULEFAIT AND JORGE URRÓZ

Abstract. In this paper we give a polynomial time algorithm to compute φ(N) for an RSA module N using as input the order modulo N of a randomly chosen integer. The algorithm consists only of a computation of a greatest common divisor, two multiplications and a division. The algorithm works with a probability of at least $1 - \frac{C}{N^{1/2}}$.
Keywords: factorization of integers, Shor's algorithm.

1. Introduction
In this paper we give a polynomial time algorithm to compute φ(N) for an RSA module N using as input the order modulo N of a randomly chosen integer. The algorithm consists only of a computation of a greatest common divisor, two multiplications and a division (see Theorems 3.9 and 2.1). As is well known, from this value it is easy to factor N by just solving a quadratic equation. The algorithm works with a probability greater than $1 - \frac{C}{N^{1/2}}$, where C is a constant (in practice it could be C = 16, for example), and the input can be obtained from a quantum computer by a single application of Shor's algorithm (cf. [7] and [8]), assuming that the output of that algorithm is exactly the order modulo N of a randomly chosen integer. This assumption is reasonable since, as explained in [3], the probability that Shor's algorithm fails to give the right order is negligible, under suitable conditions on the parametrization and post-processing of the quantum algorithm (cf. [3], section 2.1).

In the paper [3], another polynomial time algorithm is given that factors an integer taking as input the order of a random integer, which is based on a variation of a method of V. Miller (the same method used by Shor to end his factorization algorithm, but this time with the extra clever idea of moving the base in a post-processing process in a classical computer). The algorithm in [3] can be used to factor arbitrary integers, not only RSA modules, but even for the case of RSA modules the probability of success is smaller than $1 - \frac{1}{C \log^2 N}$ (see [3], Theorem 1)¹, thus the probability of failure is exponentially larger than the one we obtain. Also, our algorithm is simpler and faster: it consists of giving a formula for φ(N) in terms of the order of a random integer modulo N (involving just one application of Euclid's algorithm, two multiplications and a division) which is correct with very high probability.

Affiliations are included at the end of the paper. The second named author is supported by the grant PID2022-136944NB-I00 of the Ministerio de Ciencia, Innovación y Universidades (Spain).

The possibility of computing φ(N) for an RSA module given the order of a random integer was also observed in [4], but only for the case of safe semiprimes (i.e., modules of the form p · q where both p and q are safe primes, which are by definition primes of the form 2 · t + 1 for another prime t), whereas our algorithm works without this restriction.

To finish this introduction we would like to mention an additional result that comes from our method. Concretely, in 1978, Rivest, Shamir and Adleman in [6] gave a probabilistic algorithm proving that factoring N is equivalent to knowing the secret key of the RSA cryptosystem. Namely, knowing the public information N and the public exponent e, if one can compute d, the inverse of e modulo φ(N), then one can factor N in polynomial time with high probability. Then May and Coron in [2] improved the result, showing a deterministic algorithm for the reduction from the knowledge of d to factoring N. For that, they use an improvement of Coppersmith's algorithm (cf. [1]) valid not only for the integer of unknown factorization, but for any divisor of it. Here we show a straightforward proof of this equivalence, in the case that the exponent e is not too large. Recall that, in practice, the most common exponent is the constant 3 or 65537.

To simplify the presentation, instead of working with an arbitrary RSA module, we will restrict to the case of a module N such that the two prime factors p and q have the same number of bits. This is the case for RSA modules in practice, in agreement with the Digital Signature Standards fixed by the National Institute of Standards and Technology (see [5], Appendix A.1.1).

¹ We omit here the term $-1/2^k$, where k denotes the number of iterations, since this term is dominated by the other for k sufficiently large.

We remark that our results can be easily adapted to cover also the case of arbitrary RSA modules. In fact, if we assume that both prime factors of N are larger than $N^{1/4}$ then a result similar to Theorem 3.9 can be proved, just changing $1 - \frac{C}{N^{1/2}}$ by $1 - \frac{C}{N^{1/4}}$ in the probability of success. On the other hand, there is no need to consider the case where one of the prime factors of N is smaller than $N^{1/4}$, since, as is well known, in that case the method of Coppersmith (see [1]) gives a polynomial time deterministic algorithm to factor N (with a classical computer).

The following notation will be used through the whole paper. Given two integers a, b, (a, b) will be their greatest common divisor, while [a, b] will be their least common multiple. It will be useful to recall that
$$ab = [a, b](a, b). \qquad (1.1)$$
Also, N = pq will be the product of the two prime numbers p and q such that
$$p - 1 = \prod_{i=1}^{r} p_i^{a_i} P, \qquad q - 1 = \prod_{i=1}^{r} p_i^{b_i} Q, \qquad (1.2)$$
where a prime $l \mid (p-1, q-1)$ if and only if $l = p_i$ for some $1 \le i \le r$. We will denote $m_i = \min\{a_i, b_i\}$ and $M_i = \max\{a_i, b_i\}$ for $i = 1, \dots, r$.

2. Explicit formulas for φ(N) and factoring

It is well known that an RSA modulus N = pq can be factored knowing φ(N), simply by solving a system of two equations in the unknowns p, q. We now prove that, in fact, it is enough to know either a big enough factor of φ(N), or a small enough multiple of φ(N).
Theorem 2.1. Let N = pq be the product of two unknown prime numbers p, q of at most L bits, say $p < q \le 2^L$. Suppose we know D such that $DX = (p-1)(q-1)$ and $D \ge 2^{L+1}$. Then, we can find p, q in polynomial time.
Proof. We have
$$DX = (p-1)(q-1) = N - (p+q) + 1,$$
so
$$\frac{N+1}{D} = X + \frac{p+q}{D},$$
where
$$0 < \frac{p+q}{D} < 1,$$
so
$$\left\lfloor \frac{N+1}{D} \right\rfloor = X,$$
and once we know X, then we know (p − 1)(q − 1) and we solve the system
$$N = pq, \qquad N + 1 - DX = p + q.$$
Corollary 2.2. Let N = pq be the product of two unknown prime numbers p, q of at most L bits, say $p < q \le 2^L$. Suppose we know D such that $DX = (p-1)(q-1)$ and $D \ge 2^{L+1}$. Then,
$$\varphi(N) = \left\lfloor \frac{N+1}{D} \right\rfloor D.$$
Theorem 2.3. Let N = pq be the product of two unknown prime numbers p, q of at most L bits, and suppose $(p-1, q-1) = D > 2^{L/2+1}$ is known. Then we can factor N in polynomial time.
Proof. We know that
$$p = 1 + R_p D, \qquad q = 1 + R_q D,$$
where $R_q + R_p < D$ by our conditions. Then since
$$N = 1 + (R_q + R_p) D + R_q R_p D^2$$
we get
$$R_p + R_q \equiv \frac{N-1}{D} \pmod{D},$$
in particular reducing $(N-1)/D$ modulo D we get $R_p + R_q$ and, from there, $p + q = 2 + R_p D + R_q D$ and we factor N by solving the system in p + q and pq as before.

Our next result is about the mentioned relation between factoring and finding the secret key on an RSA cryptosystem.
Theorem 2.4. Let N = pq be the product of two prime numbers of L bits, $2^{L-1} < p < q < 2^L$, with $(e, \varphi(N)) = 1$, $e < \sqrt{2N}$, and suppose we know its inverse d modulo φ(N), namely $1 \le d \le \varphi(N)$ such that $ed \equiv 1 \pmod{\varphi(N)}$. Then, we can factor N performing just one multiplication and two divisions.

In fact, we prove a bit more. If we let $M = ed - 1 = k\varphi(N)$ we have the following explicit formula of independent interest.
Corollary 2.5. Let N = pq be the product of two prime numbers of L bits, $2^{L-1} < p < q < 2^L$, $(e, \varphi(N)) = 1$, $e < \sqrt{2N}$, and suppose we know its inverse d modulo φ(N), namely $1 \le d \le \varphi(N)$. Then, denoting $M = ed - 1$, we have
$$\varphi(N) = \frac{M}{\left\lfloor \frac{M}{N} \right\rfloor + 1}.$$
Proof. (Of the theorem and the corollary) We know that
$$M = ed - 1 = k\varphi(N) = k(N - (p+q) + 1),$$
and dividing by N we get
$$\frac{M}{N} = k - \frac{k(p+q-1)}{N},$$
but since $M < ed < \sqrt{2N}\,\varphi(N)$, we have $k < \sqrt{2N}$ and hence we get $k(p+q-1) < k(p+q) < N$. The last inequality comes from maximizing p + q restricted to pq = N and $2^{L-1} < p < q < 2^L$. Hence,
$$0 < \frac{k(p+q-1)}{N} < 1,$$
which gives $k = \left\lfloor \frac{M}{N} \right\rfloor + 1$, and hence the result in the corollary. Once we know φ(N) we can factor N as usual by solving the system in p + q and pq. □

3. Factoring and the order of elements modulo N

The results in the previous section are directly related to the problem of factoring N knowing the order of an element in $(\mathbb{Z}/N\mathbb{Z})^*$, information that can be obtained from Shor's algorithm. Concerning this problem, in [3] it is proved that knowing the order of a randomly chosen element modulo N one can factor N with probability smaller than $1 - \frac{1}{C \log^2 N}$ by applying a procedure that is a variation of the method of Miller proposed by Shor himself in this context, but with the novel feature that the base is allowed to vary while a smooth factor is added to the order. On the other hand, in [4] the authors show that φ(N) can be computed for an RSA module from the order of an element modulo N, with high probability, but only for the case of safe semiprimes. In the remainder of this section we improve dramatically on the previous results and prove that the knowledge of the order of an element in $(\mathbb{Z}/N\mathbb{Z})^*$ gives the factorization of N with probability $1 - \frac{C}{N^{1/2}}$, assuming that the prime factors of the RSA modulus N have the same length (also, as remarked in the introduction, a variant of this algorithm works for arbitrary RSA modules). We shall do this by giving a short procedure to obtain the value of φ(N) given the order of a random element.

We start by proving the following lemmata:

Lemma 3.1. Let N be an integer, and consider the function defined as $\mathcal{N}(x) = \#\{a \in (\mathbb{Z}/N\mathbb{Z})^* : \mathrm{ord}_N(a) = x\}$. Then $\mathcal{N}(x)$ is a multiplicative function.
Proof. Suppose $(x_1, x_2) = 1$ are two coprime integers so that $\mathcal{N}(x_1) = n_1$ and $\mathcal{N}(x_2) = n_2$. We will prove that if $C_{x_1} = \{a_1, \dots, a_{n_1}\}$ are the elements with order $x_1$ and $C_{x_2} = \{b_1, \dots, b_{n_2}\}$ are the elements with order $x_2$, then $C_{x_1, x_2} = \{a_i b_j : 1 \le i \le n_1,\ 1 \le j \le n_2\}$ contains the elements with order $x_1 x_2$.

Suppose $\mathrm{ord}_N(a) = x$ and let $(x, y) = 1$. Then $\mathrm{ord}_N(a^y) = x$. Indeed, suppose $\mathrm{ord}_N(a^y) = z$. Since $(a^y)^x = (a^x)^y \equiv 1 \pmod N$, $z \mid x$. But we know that for some integers u, v we have $a^z = (a^z)^{uy + vx} = (a^y)^{zu}(a^x)^{zv} = 1$, so $x \mid z$ and they are the same.

Now, we see that every element in $C_{x_1, x_2}$ has order $x_1 x_2$. First note that $(a_i b_j)^{x_1 x_2} \equiv 1 \pmod N$, so $\mathrm{ord}_N(a_i b_j) \mid x_1 x_2$. Suppose $\mathrm{ord}_N(a_i b_j) = z$; then $z = z_1 z_2$ where $z_1 = (z, x_1)$ and $z_2 = (z, x_2)$, but then $(a_i b_j)^{z_1 z_2} \equiv 1 \pmod N$, so $(a_i^{z_2})^{z_1} = ((b_j^{-1})^{z_1})^{z_2}$, but $\mathrm{ord}_N(a_i^{z_2}) = x_1$ and $\mathrm{ord}_N((b_j^{-1})^{z_1}) = x_2$, so they cannot be equal unless $z_1 = x_1$ and $z_2 = x_2$. On the other hand $a_i b_j \ne a_I b_J$ for any $(i, j) \ne (I, J)$, again for the same reason, since otherwise $\frac{a_i}{a_I} = \frac{b_J}{b_j}$, which is impossible since $\mathrm{ord}_N\!\left(\frac{a_i}{a_I}\right) \mid x_1$ and $\mathrm{ord}_N\!\left(\frac{b_J}{b_j}\right) \mid x_2$.

So we have proved that the $n_1 n_2$ elements in $C_{x_1, x_2}$ are indeed distinct and have order $x_1 x_2$. Now we need to prove that there are no more. Suppose $w \in (\mathbb{Z}/N\mathbb{Z})^*$ has $\mathrm{ord}_N(w) = x_1 x_2$. We will prove that w is the product of two elements $w = a_i b_j$ for $a_i \in C_{x_1}$ and $b_j \in C_{x_2}$. But for some integers u, v such that $(u x_1, v x_2) = 1$ we have
$$w = w^{u x_1 + v x_2} = w^{u x_1} w^{v x_2}.$$
But if $\mathrm{ord}_N(w^{u x_1}) = z$ then $z \mid x_2$ and $(u, z) = 1$, so $\mathrm{ord}_N(w^{x_1}) = z$ and hence $z = x_2$; in the same way we prove that $\mathrm{ord}_N(w^{v x_2}) = x_1$, finishing the proof of the lemma.

Lemma 3.2. Let N = pq be the product of two primes, $x \mid [p-1, q-1]$ and let $\mathcal{N}(x) = \#\{a \in (\mathbb{Z}/N\mathbb{Z})^* : \mathrm{ord}_N(a) = x\}$. Then
$$\mathcal{N}(x) = \varphi(x)(x, N-1) \sum_{\substack{d \mid (x, N-1) \\ (d,\, x/(x, N-1)) = 1}} \frac{\mu^2(d)}{d}. \qquad (3.1)$$
Proof. We will write x as $x = \prod_{1 \le i \le r} p_i^{\alpha_i} P_x Q_x$ where $P_x \mid P$ and $Q_x \mid Q$, with the notation in (1.2). Since $\mathcal{N}(x)$ is multiplicative, we just need to compute $\mathcal{N}(l^a)$ for l a prime number. Now if $l \nmid (p-1, q-1)$ and $l \mid p-1$, then if $e_p \mid (p-1)$ and $e_q \mid (q-1)$ are such that $[e_p, e_q] = l^a$, then $e_p = l^a$, $e_q = 1$ and we have $\mathcal{N}(l^a) = \varphi(l^a)$. If $l = p_i$ for some $1 \le i \le r$, then we have to distinguish two cases.
Case 1. Suppose $\alpha_i \le m_i$. Then, if $e_p \mid (p-1)$ and $e_q \mid (q-1)$ are such that $[e_p, e_q] = p_i^{\alpha_i}$, then either $e_p = p_i^{\alpha_i}$ and $e_q = p_i^{c_i}$ for some $0 \le c_i \le \alpha_i$, or $e_q = p_i^{\alpha_i}$ and $e_p = p_i^{c_i}$ for some $0 \le c_i \le \alpha_i$. And, since we are counting $p_i^{\alpha_i}$ twice, we get in this case
$$2 \sum_{0 \le c_i \le \alpha_i} \varphi(p_i^{\alpha_i})\varphi(p_i^{c_i}) - \varphi(p_i^{\alpha_i})^2 = 2 p_i^{\alpha_i}\varphi(p_i^{\alpha_i}) - \varphi(p_i^{\alpha_i})^2 = \varphi(p_i^{\alpha_i})\left(2 p_i^{\alpha_i} - p_i^{\alpha_i} + p_i^{\alpha_i - 1}\right) = \varphi(p_i^{\alpha_i})\, p_i^{\alpha_i}\left(1 + \frac{1}{p_i}\right).$$
Case 2. Suppose $m_i < \alpha_i$ and let $a_i = M_i$. Then, if $e_p \mid (p-1)$ and $e_q \mid (q-1)$ are such that $[e_p, e_q] = p_i^{\alpha_i}$, then $e_p = p_i^{\alpha_i}$ while $e_q = p_i^{c_i}$ for some $0 \le c_i \le m_i$, so in this case
$$\mathcal{N}(p_i^{\alpha_i}) = \varphi(p_i^{\alpha_i}) \sum_{0 \le c_i \le m_i} \varphi(p_i^{c_i}) = \varphi(p_i^{\alpha_i})\, p_i^{m_i}.$$
Putting all together we get
$$\mathcal{N}(x) = \varphi(P_x Q_x) \prod_{\alpha_i \le m_i} \varphi(p_i^{\alpha_i})\, p_i^{\alpha_i}\left(1 + \frac{1}{p_i}\right) \prod_{\alpha_i > m_i} \varphi(p_i^{\alpha_i})\, p_i^{m_i} = \varphi(P_x Q_x)(x, N-1)\, \varphi\!\left(\frac{x}{P_x Q_x}\right) \prod_{\alpha_i \le m_i}\left(1 + \frac{1}{p_i}\right) = \varphi(x)(x, N-1) \sum_{\substack{d \mid (x, N-1) \\ (d,\, x/(x, N-1)) = 1}} \frac{\mu^2(d)}{d}.$$
Lemma 3.3. Let N = pq be the product of two prime numbers p and q and let $D \mid [p-1, q-1]$. Then, $(D, p-1, q-1) = (D, N-1)$.
Proof. First we note that for any prime l such that $l^a \mid [p-1, q-1]$, either $l^a \mid p-1$ or $l^a \mid q-1$ and hence, noting that $N - 1 = (p-1)q + (q-1)$, if $l^a \mid ([p-1, q-1], N-1)$, then $l^a \mid (p-1, q-1)$ and hence we deduce $(D, N-1) \mid (D, p-1, q-1)$. On the other hand $(D, p-1, q-1) \mid (D, N-1)$, so they must be equal.
Corollary 3.4. If $D \mid [p-1, q-1]$ then $D(D, N-1) \mid \varphi(N)$.
Proof. Using the previous Lemma we see that
$$D(D, N-1) = D(D, (p-1, q-1)) = [D, (D, (p-1, q-1))]\,(D, (D, (p-1, q-1))) = D(D, (p-1, q-1))$$
and since $D \mid [p-1, q-1]$ and $(D, (p-1, q-1)) \mid (p-1, q-1)$ we get
$$D(D, N-1) \mid [p-1, q-1](p-1, q-1) = (p-1)(q-1) = \varphi(N).$$
Corollary 3.5. Let $p - 1 = \prod_{i=1}^{r} p_i^{a_i} P$, $q - 1 = \prod_{i=1}^{r} p_i^{b_i} Q$ where a prime $l \mid (p-1, q-1)$ if and only if $l = p_i$ for some $1 \le i \le r$. Suppose $D \mid [p-1, q-1]$ and consider the sequence $D_1 = D$, $D_{j+1} = \frac{D_j}{(D_j, N-1)}$. Then for some $j_0$ we have $D_j = D_{j_0}$ for all $j \ge j_0$ and $D_{j_0} \mid PQ$.
Proof. Let $m_i = \min\{a_i, b_i\}$ and suppose $p_i^{\alpha_i} \,\|\, D_j$ for $1 \le i \le r$. Then if $\alpha_i \le m_i$ then $p_i^{\alpha_i} \,\|\, (D_j, N-1)$ and $p_i \nmid D_{j+1}$. If $\alpha_i > m_i$ then $p_i^{m_i} \,\|\, (D_j, N-1)$ and $p_i^{\alpha_i - m_i} \,\|\, D_{j+1}$, and iterating we get the result.
Remark 3.6. Observe that if $D = \prod_{i=1}^{r} p_i^{\alpha_i} P_D Q_D = C_D P_D Q_D$, where $P_D \mid P$ and $Q_D \mid Q$, then $D_{j_0} = P_D Q_D$ and $D / D_{j_0} = \prod_{i=1}^{r} p_i^{\alpha_i}$.

One can use the previous remark to give a result that allows factorization directly in terms of (p − 1, q − 1), improving Theorem 2.3 in some cases.
Theorem 3.7. Let N = pq where p and q and $D = C_D P_D Q_D = C_D D_{j_0}$ are as in Corollary 3.5 and denote $F = (C_D, N-1)$. Then, if
$$D_{j_0} > \frac{(p-1+q-1)}{F^2},$$
we can factor N in polynomial time.
Proof. The proof is the same as in Theorem 2.1. Note that
$$N - 1 - (p-1+q-1) = \varphi(N) = [p-1, q-1](p-1, q-1)$$
and since $D \mid [p-1, q-1]$ and $F \mid (p-1, q-1)$, we have
$$N - 1 - (p-1+q-1) = DFX,$$
for some integer X. Dividing by DF we get
$$\frac{N-1}{DF} = X + \frac{p-1+q-1}{DF},$$
but, by hypothesis,
$$DF = D_{j_0} C_D F \ge D_{j_0} F^2 > (p-1+q-1)$$
and, in particular, $X = \left\lfloor \frac{N-1}{DF} \right\rfloor$. Once we have X, we have φ(N) and we can factor N.
We are now ready to prove the main theorem. We need the following:
Definition 3.8. Let O be the random oracle defined in the following way: each time we call O, it selects uniformly at random a pair from the set $\mathcal{C} = \{(a, d) : a \in (\mathbb{Z}/N\mathbb{Z})^*,\ d \mid [p-1, q-1],\ \mathrm{ord}_N(a) = d\}$, and returns d.
Theorem 3.9. Let N = pq be the product of two unknown primes of L bits, $2^{L-1} < p < q < 2^L$. We can factor N in polynomial time with probability bigger than $1 - \frac{C}{N^{1/2}}$ with just one call to O.
Proof. Let x be the integer returned by O. Note that if we denote by P(x) the probability that the oracle returns x, then since the oracle selects the pair (a, d) uniformly at random, we have $P(x) = \frac{\mathcal{N}(x)}{\varphi(N)}$.
If $x \ge 4N^{1/2}$, recalling that $x \mid [p-1, q-1] \mid \varphi(N)$, we just apply Theorem 2.1 to get the factorization. So we suppose $x < 4N^{1/2}$. If, moreover, $\mathcal{N}(x) < 4N^{1/2}$, O will select x with probability smaller than $\frac{16}{N^{1/2}}$, by noticing that
$$\varphi(N) = N - (p+q) + 1 \ge N - 4\sqrt{N} > \frac{N}{C}.$$
For example, if N > 30 we could take C = 16, since then we have $N - 4\sqrt{N} > N/4$.

Otherwise we may assume $\mathcal{N}(x) \ge 4\sqrt{N}$. In this case we consider the integer $x(x, N-1)$, which is a divisor of φ(N) by Corollary 3.4, and by Lemma 3.2,
$$4\sqrt{N} \le \mathcal{N}(x) = \varphi(x)(x, N-1) \sum_{\substack{d \mid (x, N-1) \\ (d,\, x/(x, N-1)) = 1}} \frac{\mu^2(d)}{d} \le x(x, N-1) \prod_{p \mid (x, N-1)} \left(1 - \frac{1}{p^2}\right) < x(x, N-1),$$
where we have used
$$\varphi(x) = x \prod_{p \mid x}\left(1 - \frac{1}{p}\right) \le x \prod_{p \mid (x, N-1)}\left(1 - \frac{1}{p}\right),$$
and
$$\sum_{\substack{d \mid (x, N-1) \\ (d,\, x/(x, N-1)) = 1}} \frac{\mu^2(d)}{d} \le \sum_{d \mid (x, N-1)} \frac{\mu^2(d)}{d} = \prod_{p \mid (x, N-1)}\left(1 + \frac{1}{p}\right).$$
So, we can apply Theorem 2.1 with $D = x(x, N-1)$ to get the factorization.
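The formulas of Corollaries 2.2 and 2.5 and the single-query procedure of Theorem 3.9, worked through in Python as an added example that is not part of the paper. It assumes a constructed toy modulus N = 786433 · 1000003 (two 20-bit primes, so 2^19 < p < q < 2^20) and replaces the oracle O by a classical order computation that is only possible because the factorization is known; the function names are the example's own.

```python
# Added example, not the paper's code: Corollaries 2.2 and 2.5 and the procedure
# of Theorem 3.9 on a constructed toy modulus; the oracle O is simulated classically.
from math import gcd, isqrt

def factor_from_phi(N, phi):
    # Theorem 2.1, last step: p + q = N + 1 - phi(N), so p and q are the roots
    # of t^2 - (p + q) t + N = 0. Returns None if phi is not really phi(N).
    s = N + 1 - phi
    disc = s * s - 4 * N
    r = isqrt(disc) if disc >= 0 else -1
    if r * r != disc or (s - r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p * q == N else None

def phi_from_divisor(N, D):
    # Corollary 2.2: D | phi(N) and D > p + q give phi(N) = floor((N+1)/D) * D
    return ((N + 1) // D) * D

def phi_from_private_exponent(N, e, d):
    # Corollary 2.5: M = ed - 1 = k phi(N) and, for e < sqrt(2N), k = floor(M/N) + 1
    M = e * d - 1
    k = M // N + 1
    return M // k if M % k == 0 else None

def phi_from_order(N, x):
    # Theorem 3.9: x = ord_N(a) divides [p-1, q-1], so D = x (x, N-1) divides
    # phi(N) by Corollary 3.4; when D > p + q, Corollary 2.2 gives phi(N) exactly.
    return phi_from_divisor(N, x * gcd(x, N - 1))

def prime_factors(n):
    # Trial division; enough for the toy primes used below
    fs, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            fs.add(f)
            n //= f
        f += 1
    return fs | ({n} if n > 1 else set())

def order_mod_prime(a, m):
    # Multiplicative order of a modulo the prime m (a not divisible by m)
    n = m - 1
    for f in prime_factors(n):
        while n % f == 0 and pow(a, n // f, m) == 1:
            n //= f
    return n

def order_mod_N(a, N, p, q):
    # Stand-in for the oracle O of Definition 3.8: ord_N(a) = [ord_p(a), ord_q(a)],
    # computable here only because the toy factorization is known
    op, oq = order_mod_prime(a % p, p), order_mod_prime(a % q, q)
    return op * oq // gcd(op, oq)

if __name__ == "__main__":
    p, q = 786433, 1000003   # constructed 20-bit primes, 2^19 < p < q < 2^20
    N = p * q
    x = order_mod_N(2, N, p, q)   # one simulated oracle answer, base a = 2
    print("ord_N(2) =", x, "->", factor_from_phi(N, phi_from_order(N, x)))
```

With e = 65537 and d = pow(e, -1, (p-1)*(q-1)), phi_from_private_exponent(N, e, d) returns the same φ(N), illustrating Corollary 2.5 on the same modulus.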
References
[1] D. Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology, 10:233–266, 1997.
[2] J.-S. Coron and A. May. Deterministic polynomial time equivalence of computing the RSA secret key and factoring. Journal of Cryptology, (2004/208), 2004.
[3] M. Ekerå. On completely factoring any integer efficiently in a single run of an order finding algorithm. Quantum Inf. Process., 20(205), 2021.
[4] F. Grosshans, T. Lawson, F. Morain, and B. Smith. Factoring safe semiprimes with a single quantum query. Preprint at https://arxiv.org/pdf/1511.04385.
[5] National Institute of Standards and Technology. Digital signature standards. FIPS 186-5, 2023.
[6] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
[7] P. W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science (SFCS), pages 124–134, 1994.
[8] P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26(5):1484–1509, 1997.

Departament de Matemàtiques i Informàtica, Universitat de Barcelona, Barcelona, Spain. email: [email protected]

Departamento de Matemáticas e Informática aplicadas a la Ingeniería Civil y Naval, Universidad Politécnica de Madrid, Madrid, Spain.
