Mathematical aspects of Shor’s algorithm

Christophe Pittet

To cite this version:

Christophe Pittet. Mathematical aspects of Shor’s algorithm. 3rd cycle. Shillong - Inde, 2013, pp.15.
�cel-00963668�

HAL Id: cel-00963668

https://cel.hal.science/cel-00963668v1
Submitted on 21 Mar 2014

HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est

archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents
entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non,
lished or not. The documents may come from émanant des établissements d’enseignement et de
teaching and research institutions in France or recherche français ou étrangers, des laboratoires
abroad, or from public or private research centers. publics ou privés.
MATHEMATICAL ASPECTS OF SHOR’S ALGORITHM

CHRISTOPHE PITTET

Abstract. Given a large n-bits integer N < 2n , Shor’s algorithm

finds with positive probability a factor of N after
O(n2 log n log log n)
quantum steps. We describe some of the mathematical aspects of
Shor’s algorithm. We mainly follow a description due to M. Batty,
S.L. Braunstein, A. J. Duncan and S. Rees.

1. Introduction
There exist (determistic) algorithms, based on the Agrawal-Kayal-
Saxena primality test, which decide wether a large n-bits integer N is
prime or not in O(n6 ) classical steps (see [5] and [3]). But the best
known algorithms (including probabilistic ones) which deliver a factor
of N , all require a superpolynomial number of classical steps in n. For
example, the Schnorr-Seysen-Lenstra probabilistic algorithm factorizes
N < 2n in
1
exp(O((n log n) 2 ))
classical steps [4]. In constrast, Shor’s algorithm [7] delivers (with
positive probability) a factor of N < 2n in O(n2 log n log log n) quantum
steps.
Implementing efficiently a quantum algorithm on a quantum com-
puter is a major goal in today’s science and technology. It involves sta-
bility issues in quantum technology. But the mathematical aspects of
Shor’s algorithm are elementary: the algorithm relies on the structure
of cyclic groups, on Fourier transform on cyclic groups, on orthogonal
projections in finite dimensional Hilbert spaces, on continued fraction,
on properties of the Euler function, and on the Euclidean algorithm.

Date: February 26, 2014.

2010 Mathematics Subject Classification. Primary: 68Q12, 20K01; Secondary:
11A41,
Key words and phrases. Shor’s algorithm, quantum factorization prime numbers,
quantum algorithms, fast Fourier transform.
Ch. Pittet is partially supported by the CNRS.
1
2 CHRISTOPHE PITTET

The goal of this note is to explain how those tools beautifully com-
bine in Shor’s algorithm. We mainly follow [2] where the interested
reader will find more details. It is obvious from our exposition that
O(n4 ) bounds the complexity of the algorithm. Shor’s tight bound
O(n2 log n log log n)) is more technical and we do not attempt to ex-
plain it.

2. Reducing the factorization problem to a period

finding problem
2.1. The Euclidean algorithm is efficient. Let a, b ∈ N, b 6= 0,
a ≥ b. It is convenient to define r−1 = a and r0 = b. For i ≥ 0, the
Euclidian division
ri−1 = qi+1 ri + ri+1 ,
with qi+1 ∈ N and 0 ≤ ri+1 < ri , defines the Euclidean algorithm: the
smallest n ∈ N with rn = 0 is such that the greatest common divisor
of a and b is
GCD(a, b) = rn−1 .
It also defines the continuous fraction
a 1
= q1 + .
b q2 + ··· +1 1
qn

Any truncation of it is called a convergent of the continuous fraction.

It is easy to check that ri+2 < ri hence the algorithm finds GDC(a, b)
after O(log a) divisions.

2.2. The first steps in Shor’s algorithm are classical and they
involve the structure of the unit group (Z/N Z)∗ . We are given a
large integer N < 2n and the goal is to find a factor of N . We choose
an integer
1<y<N
at random. We compute GCD(y, N ) (on a classical computer) with
the Euclidean algorithm. As explained above it requires at most O(n)
divisions. If it turns out that GCD(y, N ) 6= 1 then we have found a
factor of N and the algorithm stops. In the case GCD(y, N ) = 1, that
is if y has an inverse modulo N , then we consider y as an element of
the multiplicative group of units (Z/N Z)∗ of the ring Z/N Z. Let r be
the order of y in (Z/N Z)∗ .
Assume we are lucky in the sense that r is even. We have:
(y r/2 − 1)(y r/2 + 1) = y r − 1 = 0[N ].
 MATHEMATICAL ASPECTS OF SHOR’S ALGORITHM 3

That is N divides (y r/2 − 1)(y r/2 + 1). So at least one of the prime
factors of N must divide y r/2 + 1 (otherwise N would divide y r/2 − 1
and this would contradict the definition of r). This implies
1 < GCD(y r/2 + 1, N ).
Assume we are super lucky in the sense that r is even and
y r/2 + 1 6= 0[N ]
(see the proposition below for a lower bound on the probabiliy of being
super lucky in the above sense). In this case,
1 < GCD(y r/2 + 1, N ) < N
is a non trivial factor of N and we can efficiently compute it with the
Euclidian algorithm, provided we know r.
If E is a finite set, let |E| denotes its cardinal.
Proposition 2.1. (A lower bound on the probability of picking y with
good properties.) Assume N is odd. Let m be the number of distinct
prime factors of N . The set
{y ∈ (Z/N Z)∗ : the order r of y is even and y r/2 + 1 6= 0[N ]}
contains at least  
1
ϕ(N ) 1 −
2m−1
∗
elements, where ϕ(N ) = | (Z/N Z) | is the Euler function.
(The proof is based on the fact that if p is an odd prime and m ∈ N
then (Z/pm Z)∗ is cyclic.)
As it is obvious to find a factor in the case N is even and as it is
easy to find a factor if N is a power of a single prime (compute the
d-root of N for d ≤ log N/ log 3 and check if it is a factor of N ), we
may apply the above proposition, with m ≥ 2. In this case, we see that
we are super lucky in the above sense more than half of the time. So if
we have a device which efficiently compute the order r of y, then the
strategy is straightforward: first we efficiently compute a candidate for
a factor of N as explained above. Then we check if the candidate is
indeed a factor. If not, we pick another y and try again. The chance
we don’t get a factor after 10 tries for example, is less than 2110 = 1024
1
.

3. Mathematical concepts for classical/quantum

computations
3.1. Classical bits versus quantum bits. A (classical) bit is the
field Z/2Z with two elements. It has two states 0 and 1.
4 CHRISTOPHE PITTET

A quantum bit, (a q-bit), is the group algebra over the field of complex
numbers of the group with two elements:
C[Z/2Z] ∼ = C2 ∼ = {α0 + β1 : α, β ∈ C}.
It has two fundamental states 0 and 1. A state of a q-bit is a unit
vector in C2 for the standard hermitian product on C2 which makes 0
and 1 an orthonormal basis. Hence any state v of the q-bit C[Z/2Z] is
a complex superposition
v = α0 + β1
of the fundamental states with the condition
|α|2 + |β|2 = 1.
We will view C[Z/2Z] as a Hilbert space with two distinguished ele-
ments 0 and 1.
3.2. Classical memory versus quantum memory. An n-bit regis-
ter (or memory) is the Z/2Z-vector space (Z/2Z)n . It has dimension
n over Z/2Z. A state of it is any of its 2n elements.
An n-q-bit register (or memory) Vn is the Hilbert tensor product of
n copies of the q-bit C[Z/2Z]:
Vn = C[Z/2Z]⊗n ∼

⊗n
= C2 .
The Hilbert product of two pure tensors is
n
Y
(v1 ⊗ · · · ⊗ vn , w1 ⊗ · · · ⊗ wn ) = (vi , wi ).
i=1

Hence if we denote
e0 = 0, e1 = 1,
n
then the 2 fundamental states
{ei1 ⊗ · · · ⊗ ein }(i1 ,...,in )∈(Z/2Z)n ,
form an orthonormal basis of Vn . A state of Vn is any of its unit vector.
Hence any state v is a complex superposition
X
v= αI eI
I∈(Z/2Z)n

of the fundamental states with the condition

X
|αI |2 = 1.
I∈(Z/2Z)n

We may view a quantum n-register as an enhancement of a classi-

cal n-register: not only it contains the 2n fundamental states but it
 MATHEMATICAL ASPECTS OF SHOR’S ALGORITHM 5

contains also any of their complex superposition (of unit norm). This
makes possible to consider the homogeneous state
1 X
eI
2n n
I∈(Z/2Z)

of the quantum register Vn which entangles all fundamental states in a

single quantum state. This entanglement of information is a common
feature in quantum algorithms and as we will see, it is the first step in
the period finding part of Shor’s algorithm.
We will use the following identifications:

C[Z/2Z]⊗n → C[(Z/2Z)n ] → C[Z/2n Z],

n
X
ei1 ⊗ · · · ⊗ ein 7→ (i1 , . . . , in ) 7→ ik 2k−1 .
k=1

The two maps are isomorphisms of Hilbert spaces: each of the above
three families of elements, on which we have specified the maps, forms
an orthonormal basis with respect to the chosen Hermitian product on
the complex vector space it belongs to. In any of the three models of Vn ,
we will refer to the above orthonormal basis as the set of fundamental
states.

3.3. Classical computation versus quantum computation. A com-

putation is a map
f : (Z/2Z)m → (Z/2Z)n
from the m-register to the n-register. A quantum computation is a
unitary transformation
U : Vn → Vn
from the quantum n-register Vn to itself.
Notice that a classical computation may not be reversible (for exam-
ple if m > n), whereas a quantum computation always is, by definition
of a unitary transformation. Nevertheless any (classical) computation
can be handled with a quantum computation. Indeed, if f is as above,
we define
Uf : Vm ⊗ Vn → Vm ⊗ Vn ,
x ⊗ y 7→ x ⊗ (f (x) + y).
Some caution about notation is in order here. The element x varies
among the 2m fundamental states of Vm and y varies among the 2n
6 CHRISTOPHE PITTET

fundamental states of Vn . Hence x ⊗ y varies among the 2n+m funda-

mental states of Vm+n = Vm ⊗ Vn which form an orthonormal basis.
The right hand side of the tensor
x ⊗ (f (x) + y) ∈ Vm ⊗ Vn
is best described in the model
Vn = C[(Z/2Z)n ]
where the sum f (x) + y makes sense (because f (x) ∈ (Z/2Z)n and we
may see y ∈ C[(Z/2Z)n ]) and is by definition a fundamental state.
Obviously f (x) + f (x) = 0 in (Z/2Z)n . Hence Uf is a well defined
unitary involution. We can recover f from Uf by choosing y = 0⊗· · ·⊗0
and projecting
Uf (x ⊗ 0 ⊗ · · · ⊗ 0) = x ⊗ f (x),
to the second register.
The Walsh-Hadamard transform
W1 : V 1 → V 1
is defined as the unitary transformation of the q-bit V1 = C[Z/2Z] into
itself whose matrix in the basis of the fundamental states 0, 1 is
 
1 1 1
√ .
2 1 −1
(It is the complexification of the orthogonal reflexion in the real plane
generated by 0 and 1 whose axis forms an angle with R0 of measure
π/8.) The Walsh-Hadamard transform
Wn : V n → V n
is defined as
Wn = W1 ⊗ · · · W1 .
It is obviously a unitary transformation because W1 is a unitary trans-
formation. For example, if we allow ourself to denote also by W1 the
matrix of the unitary transformation W1 in the orthonormal basis of
the fundamental states, then the matrix of W2 in the orthonormal basis
of the fundamental states is
 
  1 1 1 1
1 W1 W1 1  1 −1 1 −1 
√ =  .
2 W1 −W1 2  1 1 −1 −1 
1 −1 −1 1
 MATHEMATICAL ASPECTS OF SHOR’S ALGORITHM 7

It is easy to check that

1 X
Wn (0 ⊗ · · · ⊗ 0) = eI
2n/2 n
I∈(Z/2Z)

is the homogeneous state.

3.4. Measurements on a quantum register. Let V be a finite di-
mensional Hilbert space over C. A measurement on V is a finite col-
lection of orthogonal projections
P1 , . . . , Pk : V → V,
(hence Pi2 = Pi and Pi∗
= Pi ) such that
(1) Pi Pj = 0 if i 6= j,
(2) idV = ki=1 Pi .
P

If V is a quantum register in a state v ∈ V , kvk = 1, and if the

measurement
(P1 , · · · , Pk )
is applied, the result of the measurement is the integer
1≤i≤k
with probability
P(i) = kPi (v)k2 .
Notice that according to Pythagoras
k
X k
X k
X
2
P(i) = kPi (v)k = k Pi (v)k2 = kvk2 = 1.
i=1 i=1 i=1

If the measurement (P1 , · · · , Pk ) is applied to a register V in the state

v ∈ V and if the integer i is observed, then the register after measure-
ment is in the state
Pi (v)
.
kPi (v)k
(Notice that if i is observed then Pi (v) 6= 0 because obviously P(i) 6= 0.)

4. The Fourier transform on finite cyclic groups

Let n be an integer. Let C[Z/nZ] be the complex group algebra of the
cyclic group Z/nZ and let L2 (Z/nZ) be the Hilbert space of complex
valued functions on Z/nZ. We perform the natural identification
C[Z/nZ] → L2 (Z/nZ),
X X
ax x 7→ ax δ x ,
x∈Z/nZ x∈Z/nZ
8 CHRISTOPHE PITTET

where ax ∈ C and δx (y) = 0 if x 6= y and δx (x) = 1. The basis

{δx }x∈Z/nZ is an orthonormal basis of L2 (Z/nZ) for the scalar product
X
(φ, ψ) = φ(x)ψ(x).
x∈Z/nZ

It is easy to check that the characters

χc : Z/nZ → C∗
x 7→ exp(2iπcx/n),
when normalized as
χc
 
√
n c∈Z/nZ
2
also form an orthonormal basis of L (Z/nZ). We define the Fourier
transform F as the unique unitary transformation which extends
L2 (Z/nZ) → L2 (Z/nZ)
χc
√ 7→ δc .
n
That is  

fˆ(c)δc ,
X X
F f (x)δx  =
x∈Z/nZ c∈Z/nZ

where
χc
fˆ(c) = (f, √ ).
n
Although the following proposition is not needed in building Shor’s
algorithm (a more elaborated version of it is needed; see Proposition
8.1 below), it is helpful to have it in mind.
Proposition 4.1. Assume r is a factor of n. Let
f : Z/nZ → C
be a function of period r. Then
fˆ(c) = 0
excepted if
n n
c ∈ {0; ; · · · ; (r − 1) }
r r
Proof. The subspace of periodic functions of period r has dimension r.
It is generated by
χn/r , . . . , χ(r−1)n/r , χn = 1Z/nZ .

 MATHEMATICAL ASPECTS OF SHOR’S ALGORITHM 9

5. Construction of the double quantum register in

Shor’s algorithm
As explained in the first section, the factorization problem is reduced
to a finding period problem. We explain how a double quantum register
encodes the relevant periodic function. Let N be the large integer we
want a factor of. Let n be the unique integer such that
2n−1 < N 2 ≤ 2n .
Let
L = ⌈log2 N ⌉.
Let 1 < y < N such that GCD(y, N ) = 1. Let
f : Z/2n Z → Z/2L Z
x 7→ y x mod[N ].
In the definition of f it is understood that
y x ∈ {0; 1; . . . ; N − 1} ⊂ Z/2L Z.
(Notice that there is no reason for the order r of y in (Z/N Z)∗
to divide 2n , hence strictly speaking, the function f is not necessary
periodic. But as we will see, f captures enough of the periodicity of
Z → (Z/N Z)∗
x 7→ y x
so that the order r of y can be extracted from it.)
Let Vn ⊗ VL be a double quantum register. Let it be in the state
(0 ⊗ · · · ⊗ 0) ⊗ (0 ⊗ · · · ⊗ 0) ∈ Vn ⊗ VL .
We have:
Uf (Wn ⊗ idVL )(0 ⊗ · · · ⊗ 0) ⊗ (0 ⊗ · · · ⊗ 0)
 
1 X
= Uf  n/2 x ⊗ (0 ⊗ · · · ⊗ 0)
2 n
x∈Z/2 Z

1 X
= Uf (x ⊗ (0 ⊗ · · · ⊗ 0))
2n/2
x∈Z/2n Z
1 X
= x ⊗ f (x).
2n/2
x∈Z/2n Z

The unitary operator Uf can be theoretically implemented on a quan-

tum computer as the composition of O(n3 log n log log n) elementary
quantum gates because the classical modular exponentiation y x mod[N ],
10 CHRISTOPHE PITTET

with N ≤ 2n , needs less than O(n3 log n log log n) classical gates: ex-
ponentiation by squaring needs O(n2 ) multiplications between n-bits
numbers, and multiplication of two n-bits number needs less than
O(n log n log log n) classical gates. On the other hand Wn needs O(n)
elementary quantum gates.
At this point, it may seem that the goal is reached: it is possible to
entangle all the values of the function f (x) = y x mod[N ] in a single state
of a quantum register which is the tensor product of O(log N ) quantum
bits, using O(n2 log n log log n) elementary quantum gates, where N <
N 2 ≤ 2n . In fact there are two obstacles left. First, as mentioned above,
the function f is not really periodic. A well-known rigidity feature from
number theory handles this issue (see Proposition 9.1 below). The
second obstacle is the measurement problem: extracting information
from a quantum register perturbs its state. So it is not obvious to
extract a period from it. This problem is solved by first measuring the
second register VL , then applying a Fourier transform, then measuring
the first register Vn . We explain these points in what follows.

6. Measurement on the second register

Let L = ⌈log2 N ⌉, as in the previous section. Let

VL = C[Z/2L Z].

Let b ∈ Z/2L Z ⊂ C[Z/2L Z] be a fundamental state. Let

Pb : V L → V L

be the orthogonal projection onto the complex line Cb. The family of
projectors

{idVn ⊗ Pb }b∈Z/2L Z

obviously forms a measurement on Vn ⊗ VL . If this measurement is

applied to the state

1 X
x ⊗ f (x),
2n/2
x∈Z/2n Z
 MATHEMATICAL ASPECTS OF SHOR’S ALGORITHM 11

then b ∈ Z/2L Z is observed with probability

 
1 X
k(idVn ⊗ Pb )  n/2 x ⊗ f (x) k2
2 n x∈Z/2 Z

1 X
=k x ⊗ bk2
2n/2
x∈f −1 (b)

|f −1 (b)|
= .
2n
Notice that if b is observed, then after measurement the double register
is in the state  
p 1
X
x ⊗ b.
|f −1 (b)| x∈f −1 (b)
Notice also that if b is observed then the above formula for the proba-
bility of observing b implies that f −1 (b) is nonempty. Let us denote
ψb : Z/2n Z → C,
the normalized characteristic function of the set f −1 (b):
1f −1 (b)
ψb = p .
|f −1 (b)|
With this notation, the state of the double register can be written as
 
X
 ψb (x)x ⊗ b.
x∈Z/2n Z

7. Applying the Fourier transform

As explained above the Fourier transform F on the group Z/2n Z is
a unitary transformation of Vn = C[Z/2n Z]. We have
 
X
(F ⊗ idV )  ψb (x)x ⊗ b
x∈Z/2n Z
 
X
= ψ̂b (c)c ⊗ b.
c∈Z/2n Z

It can be performed by running O(n2 ) elementary quantum gates.

12 CHRISTOPHE PITTET

8. Measurement on the first register

Let c ∈ Z/2n Z. Let
Pc : V n → V n
be the orthogonal projection onto the complex line Cc. The family of
projectors
{Pc ⊗ idVL }c∈Z/2n Z
obviously forms a measurement on Vn ⊗ VL . If this measurement is
applied to the state  
X
 ψ̂b (c)c ⊗ b,
c∈Z/2n Z

then c ∈ Z/2n Z is observed with probability

kψ̂b (c)c ⊗ bk2 = |ψ̂b (c)|2 .
Recall that the order r of y ∈ (Z/N Z)∗ satisfies r2 < N 2 ≤ 2n .
Proposition 8.1. The probability of observing 0 ≤ c < 2n with the
property that there exists an integer s such that 0 ≤ s < r with
GCD(s, r) = 1 and
c s 1
n
− < 2,
2 r 2r
is greater or equal to  
4 ϕ(r) 1
1− ,
π2 r N
where ϕ denotes the Euler function.
Notice that the inequality in the above proposition can be rewritten
as
2n 1 2n
c−s < .
r 2 r2
As r2 < 2n , the above inequality imposes a weaker constrain on c than
the inequality
2n 1
c−s ≤ .
r 2
But in the special case of periodic functions we have seen that there
exists an integer s such that the left hand side of the above inequality
vanishes. Hence, it is expected that the almost periodic distribution
of the set f −1 (b) implies the existence of an s satisfying the above
inequality. Technically, notice that there exists 0 ≤ a < r, where r is
the order of y in (Z/N Z))∗ , such that
f −1 (b) = {a + kr : k = 0, . . . , Ka − 1}
 MATHEMATICAL ASPECTS OF SHOR’S ALGORITHM 13

where Ka is the largest integer such that a + (Ka − 1)r < 2n . Hence
by definition |f −1 (b)| = Ka and the probability of observing c is
χc
|ψ̂b (c)|2 = |(ψb , n/2 )|2
2
K a −1  2
1 X 2iπc(a + kr)
= exp − .
Ka 2n k=0 2n
The above formula enables one to prove the proposition.

9. End of the algorithm: recovering the period through

the convergents of a continuous fraction
The final step of Shor’s algorithm is based on the following well-
known number theoretical property of continued fractions.
Proposition 9.1. Let x ∈ Q. Let s, r 6= 0 be two integers. Assume
s 1
x− < 2.
r 2r
Then s/r is a convergent of x.
The quantum computer provides us with the integer c. According to
Proposition 8.1, with positive probability, the integer c satisfies
c s 1
n
− < 2,
2 r 2r
for some integer s such that 0 ≤ s < r and GCD(s, r) = 1. So with
positive probability, Proposition 9.1 applies with x = 2cn , r = order(y)
in (Z/N Z)∗ , and some s such that 0 ≤ s < r and GCD(s, r) = 1.
Therefore with positive probability, the order r is a denominator of the
reduced form of one of the convergents of 2cn . The Euclidean algorithm
computes efficiently the convergents in reduced form of 2cn . So it is
possible to efficiently list their denominators.

10. A lower bound on the Euler function

The efficiency of the algorithm depends on the lower bound
 
4 ϕ(r) 1
1−
π2 r N
from Proposition 8.1. When N goes to infinity the period r, which is
by definition the order of a random element in (Z/N Z)∗ , may also go
to infinity. The bad new is that for infinitely many integers m,
ϕ(m) 1
< ,
m exp(γ) log log m
14 CHRISTOPHE PITTET

where γ = 0, 57 . . . denotes Euler’s constant (see for example [1, The-

orem 13.14 (b)]). The good new is that the quotient admits a lower
bound which goes to zero extremely slowly: for m > 2,
ϕ(m) 1
> 2.50637 ,
m exp(γ) log log m + log log m

(see [6]).

11. Acknowledgments
We are indebted to Andrew Duncan for giving us a preprint version
of [2] when quantum algorithms were still considered as science fiction.
Most of the note is based on it and most of the proofs can be found in
it. We have been supported by the CNRS and the Poncelet Laboratory
in Moscow when giving a course on Shor’s algorithm at the Indepen-
dent University of Moscow. We are very grateful to Tatiana Smirnova
Nagnibeda and Stanislav Smirnov who invited us to give a talk at the
Chebyshev Laboratory in St-Petersburg (May 18, 2011). The video
of the talk is available on the net under the name: Shor’s algorithm.
A link is: http://www.lektorium.tv/lecture/?id=13296. The present
note is an isomorphic written version of the video and of talks we gave
at the CIMPA-UNESCO School on Fourier Analysis on groups and
combinatorics, November 18-30, 2013, Shillong (India). We are very
grateful to the organizers Gautami Bhowmik and Himadri Mukherjee
for inviting us to their School.

References
[1] Tom M. Apostol, Introduction to analytic number theory, Springer-Verlag, New
York, 1976. Undergraduate Texts in Mathematics. MR0434929 (55 #7892)
[2] Michael Batty, Samuel L. Braunstein, Andrew J. Duncan, and Sarah Rees,
Quantum algorithms in group theory, Computational and experimental group
theory, Contemp. Math., vol. 349, Amer. Math. Soc., Providence, RI, 2004,
pp. 1–62, DOI 10.1090/conm/349/06356.
[3] H. W. Lenstra Jr. and Carl Pomerance, Primality Testing with Gaussian Pe-
riods, In proceeding of: FST TCS 2002: Foundations of Software Technology
and Theoretical Computer Science, 22nd Conference Kanpur, India, December
12-14, posted on 2002, DOI 10.1007/3-540-36206-1-1.
[4] , A rigorous time bound for factoring integers, J. Amer. Math. Soc. 5
(1992), no. 3, 483–516, DOI 10.2307/2152702. MR1137100 (92m:11145)
[5] Carl Pomerance, Primality testing: variations on a theme of Lucas, Congr. Nu-
mer. 201 (2010), 301–312. MR2598366 (2010k:11191)
[6] J. Barkley Rosser and Lowell Schoenfeld, Approximate formulas for some func-
tions of prime numbers, Illinois J. Math. 6 (1962), 64–94. MR0137689 (25
#1139)
 MATHEMATICAL ASPECTS OF SHOR’S ALGORITHM 15

[7] Peter Shor, Polynomial-Time Algorithms for Prime Factorization and Discrete
Logarithms on a Quantum Computer, SIAM J.Sci.Statist.Comput. 26 (1997).

I2M, Aix-Marseille Université

E-mail address: [email protected]