Benchmarks for quantum computers from Shor’s algorithm

E. D. Davis david.davis@spu.ac.za Department of Physical and Earth Sciences, Sol Plaatje University, Private Bag X5008, Kimberley 8300, South Africa

Abstract

Properties of Shor’s algorithm and the related period-finding algorithm could serve as benchmarks for the operation of a quantum computer. Distinctive universal behaviour is expected for the probability for success of the period-finding algorithm as the input quantum register is increased through its critical size of $\mathfrak{m}_{0}=\lceil 2\log_{2}r\rceil$ qubits (where $r$ is the period sought). Use of quadratic non-residues permits unequivocal predictions to be made about the outcome of the factoring algorithm.

1 Introduction

The rapid development of quantum technologies over the last decade has prompted much research on techniques for checking that the carefully engineered quantum devices are, in fact, functioning properly [1, 2, 3]. In the survey of the field presented in [2], a distinction is drawn between certification (or verification) and benchmarking. Certification is taken to be confined to the assessment the accuracy of the output, whereas benchmarking protocols are any more general measures of performance. Clearly, in this parlance, Shor’s factoring algorithm and the associated period-finding algorithm can be used for verification as the validity of their output is easily checked, but the ancillary properties mentioned in the abstract and discussed below could serve as the basis for benchmarks that test circuits as a whole.

In Shor’s version of his factoring algorithm [4], a square-free semiprime $N$ is factored by first using a quantum computer to determine the order $r$ of an arbitrary element $b\in(\mathbb{Z}/N\mathbb{Z})^{\times}$ , or, more colloquially, the period of $b^{x}\mathrm{mod}\,N$ , and then using a classical computer to calculate the candidate $f_{b}=\gcd(b^{r/2}-1,N)$ for a non-trivial factor of $N$ . (Unless specified otherwise, the notation of [5] is adopted.)

Refer to caption — Figure 1: A plot of the approximation $\mathsf{P}_{\infty}^{(\mathfrak{q})}$ in (2) to the probability of success of the period-finding algorithm versus the increment $\mathfrak{q}$ of the input register size from its critical size of $\mathfrak{m}_{0}=\lceil 2\log_{2}r\rceil$ qubits.

It is the dependence on the period $r$ of the probability for success of the period-finding algorithm which is relevant to benchmarking. The nature of this dependence can be established by considering the sequence of input register sizes $\{\mathfrak{m}_{\mathfrak{q}}\}$ , where $\mathfrak{m}_{\mathfrak{q}}$ is the smallest positive integer such that

2^{\mathfrak{m}_{\mathfrak{q}}}>2^{\mathfrak{q}}r^{2},

(1)

and $\mathfrak{q}$ is any integer consistent with the requirement that the input register is large enough for the quantum Fourier transform of its state to yield information on $r$ , i.e. $2^{\mathfrak{m}_{\mathfrak{q}}}\geq 2r$ from the $k=r-1$ version of the first inequality in (5), or $\mathfrak{q}\geq\mathfrak{q}_{\min}=\lceil\log_{2}r\rceil-\lfloor 2\log_{2}r\rfloor$ .

A systematic asymptotic analysis implies that, when $r\gg 1$ , a useful approximation to the probability of finding a divisor of $r$ (or $r$ itself) with an input register of $\mathfrak{m}_{\mathfrak{q}}$ qubits is

\mathsf{P}^{(\mathfrak{q})}_{\infty}=\frac{2}{\pi}\operatorname{Si}(2^{\mathfrak{q}}\pi)-\Bigl{(}\frac{\sin 2^{\mathfrak{q}-1}\pi}{2^{\mathfrak{q}/2-1}\pi}\Bigr{)}^{2}

(2)

( $\operatorname{Si}(x)$ is the sine integral of Eq. 6.2.9 in [6]). The monotonically increasing sequence $\{\mathsf{P}^{(\mathfrak{q})}_{\infty}\}$ is depicted in Fig. 1. The interpolating curve is obtained with the same function used to evaluate the $\mathsf{P}^{(\mathfrak{q})}_{\infty}$ ’s. As the derivation of section 2 and (28) make clear, the result in (2) pertains to the determination of the period of any function of the integers $\mathbb{Z}$ provided it is one-to-one within a period, and the period $r$ is not a divisor of $2^{\mathfrak{m}_{\mathfrak{q}}}$ . When $r$ is a power of two (and, hence, a divisor of $2^{\mathfrak{m}_{\mathfrak{q}}}$ ), the probability of success is independent of $\mathfrak{q}$ [see (28)].

The register of $\mathfrak{m}_{0}=\lceil 2\log_{2}r\rceil$ qubits is distinguished by the fact that it is, generically, the smallest for which $\mathsf{P}^{(\mathfrak{q})}_{\infty}$ exceeds 50%. Among the inferences that one can draw from Fig. 1 is that the magnitude of the probability of success for the period-finding algorithm amounts to a fingerprint of the critical input register. Statistics on the success or failure of runs for $\mathfrak{m}_{0}$ qubits would permit empirical determination of the corresponding probability of success of the period-finding algorithm; unambiguous comparison of the probability found with $\mathsf{P}^{(\mathfrak{q=0})}_{\infty}$ should be possible in view of its clear separation in value from the other $\mathsf{P}^{(\mathfrak{q})}_{\infty}$ ’s: this comparison constitutes the first benchmark, applicable whenever $r$ is not a divisor of $2^{\mathfrak{m}_{0}}$ (as is typically the case).

Corrections to $\mathsf{P}_{\infty}^{(\mathfrak{q})}$ , considered in section 3, do not invalidate any of the observations above. In fact, it is found that, for $\mathfrak{q}\geq 0$ , these corrections are negligible (see (30), (31) and Table 2). The clear difference between the success probability for the critical input register and input registers of other sizes also survives (see Fig. 3).

Another opportunity for benchmarking is provided by the choice of the element $b\in(\mathbb{Z}/N\mathbb{Z})^{\times}$ . Leander has pointed out [7] that if $b$ is selected so that the Jacobi symbol $(b/N)=-1$ (“Choice L”), then, not only is the order $r$ of $b$ guaranteed to be even, but also the probability that $f_{b}=\gcd(b^{r/2}-1,N)$ is a non-trivial factor of $N$ is enhanced; for $r$ even, $f_{b}$ is the desired factor provided $b^{r/2}\not\equiv-1(\mathrm{mod}\,N)$ : the conditional probability

	$\displaystyle\Pr$	$\displaystyle\left(b^{r/2}\not\equiv-1(\mathrm{mod}\,N)\;\middle\|\;(b/N)=-1\right)$
		$\displaystyle\hskip 50.0pt=1-\frac{1}{2^{1+c_{p}-c_{q}}}(1-\delta_{c_{p},c_{q}}),$		(3)

where the positive integer powers $c_{p}\geq c_{q}$ are related to the square-free semiprime $N$ by the parametrisation $N=(2^{c_{p}}d_{p}+1)(2^{c_{q}}d_{q}+1)$ , it being understood that $d_{p}$ and $d_{q}$ are, by definition, odd. The success rate of the prescription for $f_{b}$ is at least 75% as compared with 50% if $b$ is chosen at random from $(\mathbb{Z}/N\mathbb{Z})^{\times}$ , but this observation does not do justice to the full implications of (1).

The crux to building on Leander’s criterion for $b$ is to recognise that, in principle, it can only fail to generate a factor of $N$ if $c_{p}>c_{q}$ . When it is known that $c_{p}>c_{q}$ , then $b$ should be a quadratic non-residue modulo $N$ for which $(b/N)=+1$ (“Choice $\overline{\mathrm{L}}$ ”); the corresponding probability that $f_{b}$ is a prime factor of $N$ is $1-\delta_{c_{p},c_{q}}$ : if $c_{p}>c_{q}$ , $f_{b}$ must then be a non-trivial factor of $N$ . (As for choice L, the fact that $b$ is a quadratic non-residue ensures that its order is even.)

There are two clear-cut complementary benchmarking schemes $\mathcal{A}$ and $\mathcal{B}$ : scheme $\mathcal{A}$ ( $\mathcal{B}$ ) entails determination of the probability that $\overline{\mathrm{L}}$ -choices (L-choices) for $b$ do actually yield a prime factor of $N$ given that $c_{p}>c_{q}$ ( $c_{p}=c_{q}$ ). Identification of whether $c_{p}>c_{q}$ or $c_{p}=c_{q}$ requires successful factorization of $N$ , which can be achieved with a suitable sequence of initial runs, beginning with a few L-choices, and converting to $\overline{\mathrm{L}}$ -choices if these runs fail. For both $\mathcal{A}$ and $\mathcal{B}$ , the empirical probability is to be compared with a predicted value of unity. The overhead placed on classical computer resources by the selection of appropriate values of $b$ is acceptable: calculation of the Jacobi symbols is efficient, as is checking that a given $b\in(\mathbb{Z}/N\mathbb{Z})^{\times}$ is a quadratic non-residue.

Application of the benchmarking procedures $\mathcal{A}$ and $\mathcal{B}$ should be preceded by determination of $(-1/N)$ and $(2/N)$ . Provided $-1$ and 2 are quadratic non-residues modulo $N$ , the values of these two Jacobi symbols permit one to infer whether $c_{p}=c_{q}$ or $c_{p}>c_{q}$ for all semiprimes such that $c_{q}\leq 2$ — see Table 1. The import of Table 1 is that, for these semiprimes, the choice between $\mathcal{A}$ and $\mathcal{B}$ can be made before the order-finding algorithm is run. Blum integers are among the semiprimes to which the results of Table 1 apply.

	Interpretation	Scheme
$(-1/N)=-1$	$c_{p}>c_{q}=1$	$\mathcal{A}$
$(-1/N)=+1$	$c_{p}=1=c_{q}$	$\mathcal{B}$
$(2/N)=-1$	$c_{p}>c_{q}=2$	$\mathcal{A}$
$(2/N)=+1$	$c_{p}=2=c_{q}$	$\mathcal{B}$

Table 1: Choice of benchmarking scheme indicated by the Jacobi symbols

(-1/N)

and

(2/N)

. The interpretation of

(-1/N)=+1

and

(2/N)=+1

assumes that

-1

and 2, respectively, are quadratic non-residues modulo

N

. If

-1\;(2)

is a quadratic residue, then

c_{q}\geq 2\;(3)

It remains to justify the assertions made in this introduction. The exact reduction of the success probability associated with the period-finding algorithm to a form in (2.3) suitable for controlled approximation is presented in section 2, followed by its asymptotic analysis for large $r$ using the Euler-Maclaurin summation formula in section 3. Properties of choices L and $\overline{\mathrm{L}}$ are proven in section 4, and some closing comments are made in section 5. Appendices A, B and C contain technical results required in sections 2 and 3.

2 Period-finding: success probability

After the usual preparatory steps (outlined, for example, in Algorithm 5 of Ref. [5]), an $m$ -qubit input register is left in the superposition of computational basis states

\tfrac{1}{\sqrt{m_{k}}}\sum\limits_{l=0}^{m_{l}-1}|k+l\cdot r\rangle\hskip 10.83784pt\left(m_{k}=1+\left\lfloor\tfrac{2^{m}-1-k}{r}\right\rfloor\right),

(4)

where $k\in\mathbb{Z}/r\mathbb{Z}$ is unknown (and unknowable), and the constraint on $m$ that

2^{m}\geq r+1+k>r

(5)

guarantees that the superposition contains more than one term and, hence, that $S_{k}(x)$ in (7) can manifest dependence on $r$ . Since

r=r_{\mathrm{o}}2^{n_{r}}\hskip 10.83784pt\left(r_{\mathrm{o}}\ \mbox{odd}\right),

(6)

where $n_{r}$ is a non-negative integer, an implication of (5) found useful below is that $m>n_{r}$ .

Interpretation of the quantum Fourier transform of the one-dimensional “array” of uniformly spaced “atoms” in (4) is possible via its “structure factor”

S_{k}(x)=\frac{1}{m_{k}}\left|\sum\limits_{l=0}^{m_{k}-1}\left(e^{i2\pi l}\right)^{rx/2^{m}}\right|^{2},

(7)

which is related to the conditional probability $P(x|k)$ that the transform is detected in the state $|x\rangle$ by $P(x|k)=S_{k}(x)/2^{m}$ . Central to the standard analysis of $P(x|k)$ is the observation that, for non-zero integers $x$ , $S_{k}(x)$ is large ( $\sim m_{k}$ ) when the rational number $rx/2^{m}$ , which must lie in the closed interval $[r/2^{m},r(1-1/2^{m})]$ , is close to one of the $r-1$ integers $j$ in this interval, i.e.

j\in\mathbb{N}_{r}^{+}=\{1,2,\ldots,r-1\}.

(8)

Thus, the “frequencies” $x$ most likely to be returned by measurement are drawn from the set of integers $\{x_{j}\}$ closest to the first $r-1$ members of the harmonic series with fundamental “frequency” $2^{m}/r$ :

\left|x_{j}-j\frac{2^{m}}{r}\right|<\tfrac{1}{2}\hskip 10.83784pt\left(j\in\mathbb{N}^{+}_{r}\right),

(9)

where the inequality is strict because $2^{m}\,j/r=2^{m-n_{r}}\,j/r_{\mathrm{o}}$ can never be a half-integer. The solution of (9) is

x_{j}=\left\lfloor 2^{m}\tfrac{j}{r}+\tfrac{1}{2}\right\rfloor

(10)

as inspection of Fig. 2 confirms.

Equation (9) acquires additional significance if viewed from the perspective of rational approximation with continued fractions. Provided the input register size is such that $2^{m/2}>r$ , then one of the finite number of convergents to $x_{j}/2^{m}$ coincides with the ratio $j/r$ reduced to lowest terms; if $m=\mathfrak{m}_{0}$ , then the only observed values of $x$ from which information of this nature can be inferred are precisely those belonging to the set $\{x_{j}\}$ : the total probability for success of the period-finding algorithm is

P_{\mathrm{tot}}=\sum\limits_{j\in\mathbb{N}^{+}_{r}}P(x_{j}|k)=\frac{1}{2^{m}}\sum\limits_{j\in\mathbb{N}^{+}_{r}}S_{k}(x_{j}).

(11)

More generally, when $m=\mathfrak{m}_{\mathfrak{q}}$ , the restriction on useful values of $x$ reads

\left|x-j\frac{2^{\mathfrak{m}_{\mathfrak{q}}}}{r}\right|<2^{\mathfrak{q}-1}.

(12)

When $\mathfrak{q}\geq 1$ , there are $2^{\mathfrak{q}}-1$ or $2^{\mathfrak{q}}$ solutions of (12) dependent on whether $r_{\mathrm{o}}$ divides $j$ or not ( $j\in\mathbb{N}_{r}^{+}$ ); if $\mathfrak{q}<0$ , then the solutions are a subset of the $x_{j}$ ’s.

2.1 The case $\mathfrak{q}=0$

Simplification of $P_{\mathrm{tot}}$ in (11) for arbitrary $m\geq\mathfrak{m}_{0}$ prepares the ground for analysis of the general case when (12) applies. The $j$ -fold invocation of the periodicity property $S_{k}(x)=S_{k}(x+2^{m}/r)$ permits substitution of $S_{k}(x_{j})$ by $S_{k}(\Delta_{j})$ , where

	$\displaystyle\Delta_{j}$	$\displaystyle=x_{j}-2^{m}\frac{j}{r}$		(13)
		$\displaystyle=\left\lfloor 2^{m-n_{r}}\tfrac{j}{r_{\mathrm{o}}}+\tfrac{1}{2}\right\rfloor-2^{m-n_{r}}\tfrac{j}{r_{\mathrm{o}}},$

which, significantly, is periodic in $j$ with period $r_{\mathrm{o}}$ . As a result, the partition of $\mathbb{N}^{+}_{r}$ into congruence classes modulo $r_{\mathrm{o}}$ serves to identify the summands $S(\Delta_{j})$ for different $j$ in (11) which are identical. For $r_{\mathrm{o}}>1$ , the congruence classes $\overline{1}_{r_{\mathrm{o}}},\overline{2}_{r_{\mathrm{o}}},\ldots,\overline{r_{\mathrm{o}}-1}_{r_{\mathrm{o}}}$ in $\mathbb{N}^{+}_{r}$ all contain $r/r_{\mathrm{o}}(=2^{n_{r}})$ elements, but the congruence class $\overline{0}_{r_{\mathrm{o}}}$ has only $r/r_{\mathrm{o}}-1$ elements (because $0\not\in\mathbb{N}^{+}_{r}$ ); for $r_{\mathrm{o}}=1$ , all $r-1\ (=r/r_{\mathrm{o}}-1)$ elements of $\mathbb{N}^{+}_{r}$ trivially belong to the single congruence class $\overline{0}_{1}$ : thus,

P_{\mathrm{tot}}=\frac{r}{r_{\mathrm{o}}}\sum\limits_{j\in\mathbb{Z}/r_{\mathrm{o}}\mathbb{Z}}P(\Delta_{j}|k)-P(\Delta_{0}|k),

(14)

where the sum over $j$ now includes $j=0$ .

As shown in appendix A, the properties of least non-negative residues modulo $r_{\mathrm{o}}$ imply that the $r_{\mathrm{o}}$ distinct values of $\Delta_{j}$ are equal to $\mathfrak{j}/r_{\mathrm{o}}$ , where the $\mathfrak{j}$ ’s are the absolute least residues modulo $r_{\mathrm{o}}$ :

\mathfrak{j}\in\mathfrak{B}[r_{\mathrm{o}}]=\bigl{\{}0,\pm 1,\pm 2,\ldots,\pm\lfloor\tfrac{1}{2}r_{\mathrm{o}}\rfloor\bigr{\}}.

(15)

The change of summation variable in (14) from $j$ to $\mathfrak{j}=\mathfrak{j}(j)$ is indicated. The argument $\Delta_{j}$ is replaced by $\Delta_{\mathfrak{j}}=\mathfrak{j}/r_{\mathrm{o}}$ and

P_{\mathrm{tot}}=\frac{r}{2^{m}}\left[\frac{1}{r_{\mathrm{o}}}\sum\limits_{\mathfrak{j}\in\mathfrak{B}[r_{\mathrm{o}}]}S_{k}(\mathfrak{j}/r_{\mathrm{o}})-\frac{1}{r}S_{k}(0)\right],

(16)

which suffices to analyse the case $m=\mathfrak{m}_{0}$ .

2.2 Generalization to $\mathfrak{q}<0$

The result in (16) is easily adapted to accommodate all cases in which $\mathfrak{q}<0$ . Solutions of (12) are those members of $\{x_{j}\}$ for which $|\Delta_{j}|<1/2^{1-\mathfrak{q}}$ . In terms of the index $\mathfrak{j}$ introduced in connection with (15), this inequality specifies that $|\mathfrak{j}|<r_{\mathrm{o}}/2^{1-\mathfrak{q}}$ or, as $r_{\mathrm{o}}$ is odd,

|\mathfrak{j}|\leq\lfloor 2^{\mathfrak{q}-1}r_{\mathrm{o}}\rfloor.

(17)

It follows that (16) is replaced by

P_{\mathrm{tot}}\!=\!\frac{r}{2^{m}}\!\left[\frac{1}{r_{\mathrm{o}}}\sum\limits_{\mathfrak{j}\in\mathfrak{B}[2^{\mathfrak{q}}r_{\mathrm{o}}]}S_{k}(\mathfrak{j}/r_{\mathrm{o}})-\frac{1}{r}S_{k}(0)\right]\!.

(18)

Unfortunately, the generalization to $\mathfrak{q}>0$ is not so immediate.

2.3 Generalization to $\mathfrak{q}>0$

If $j\in\overline{0}_{r_{\mathrm{o}}}$ , then (12) amounts to the inequality $\left|x-x_{j}\right|<2^{\mathfrak{q}-1},$ which has the integer solutions $x_{j}+\kappa$ with

\kappa\in\mathfrak{S}_{0}=\{0,\pm 1,\pm 2,\ldots,\pm(2^{\mathfrak{q}-1}-1)\}.

(19)

For members of the remaining congruence classes summed over in (16), (12) can be recast in terms of the congruence class label $\mathfrak{j}$ of (15) as $\left|x-x_{j}+\mathfrak{j}(j)/r_{\mathrm{o}}\right|<2^{\mathfrak{q}-1}.$ Now, the set of integer solutions $\{x_{j}+\kappa\}$ depends on $\mathfrak{j}=\mathfrak{j}(j)$ via its sign: $\kappa$ takes on all values in the set

\mathfrak{S}_{\mathfrak{j}}=\mathfrak{S}_{0}\cup\{-(\mathrm{sgn}\,\mathfrak{j})2^{\mathfrak{q}-1}\},

(20)

where $\mathrm{sgn}\,\mathfrak{j}$ denotes the sign of the non-zero $\mathfrak{j}$ in (20).

Ostensibly, the summation in Eq, (16) is replaced by the double summation

\sum\limits_{\mathfrak{j}\in\mathfrak{B}[r_{\mathrm{o}}]}\,\sum\limits_{\kappa\in\mathfrak{S}_{\mathrm{j}}}S_{k}(\kappa+\mathfrak{j}/r_{\mathrm{o}}),

(21)

but it can be more usefully rewritten in terms of a single summation formally like that in (18) as

\sum\limits_{\mathfrak{j}\in\mathfrak{B}[2^{\mathfrak{q}}r_{\mathrm{o}}]}\!\!S_{k}(\mathfrak{j}/r_{\mathrm{o}})\,-\epsilon_{k}(\mathfrak{q}),

(22)

provided the endpoint “correction”

\epsilon_{k}(\mathfrak{q})=S_{k}(2^{\mathfrak{q}-1})+S_{k}(-2^{\mathfrak{q}-1})

(23)

is included. A simpler substitution is that of the coefficient $S_{k}(0)$ of $1/r$ in (16) by

\sum\limits_{\kappa\in\mathfrak{S}_{0}}S_{k}(\kappa)=\sum\limits_{\kappa\in\mathfrak{B}[2^{\mathfrak{q}}]}\!\!S_{k}(\kappa)\,-\epsilon_{k}(\mathfrak{q}).

(24)

Together, (22) and (24) imply that the generalisation to positive $\mathfrak{q}$ of (16) is

	$\displaystyle P_{\mathrm{tot}}^{(\mathfrak{q})}=\frac{r}{2^{\mathfrak{m}_{\mathfrak{q}}}}$	$\displaystyle\Biggl{[}\frac{1}{r_{\mathrm{o}}}\sum\limits_{\mathfrak{j}\in\mathfrak{B}[2^{\mathfrak{q}}r_{\mathrm{o}}]}\!\!S_{k}(\mathfrak{j}/r_{\mathrm{o}})-\frac{1}{r}\sum\limits_{\mathfrak{j}\in\mathfrak{B}[2^{\mathfrak{q}}]}S_{k}(\mathfrak{j})$
		$\displaystyle\hskip 43.36464pt-\left(\frac{1}{r_{\mathrm{o}}}-\frac{1}{r}\right)\epsilon_{k}(\mathfrak{q})\Biggr{]}.$		(25)

The choice of $2^{m}$ appropriate to (2.3) (namely, $2^{\mathfrak{m}_{\mathfrak{q}}}$ ) has been made for the overall multiplicative factor; it has also to be adopted in the expression for $S_{k}(x)$ in (7). With the extended definition of $\epsilon_{k}(\mathfrak{q})$ in terms of the Heaviside function $H(x)$ ([6], Eq. 1.16.13) as

\epsilon_{k}(\mathfrak{q})=H(\mathfrak{q})\left[S_{k}(2^{\mathfrak{q}-1})+S_{k}(-2^{\mathfrak{q}-1})\right],

(26)

(2.3) continues to hold when $\mathfrak{q}\leq 0$ .

Equation (2.3) is the goal of this section. It is a generalization and refinement of results in [8], which, in addition to the features mentioned in the introduction, includes a more careful treatment of endpoint corrections. The derivation has invoked only the periodicity of $S_{k}(x)$ and is independent of its precise form, which, in (2.3), happens to be

S_{k}(x)=S_{k}(0)\left[\frac{\operatorname{sinc}(m^{(\mathfrak{q})}_{k}rx/2^{\mathfrak{m}_{\mathfrak{q}}})}{\operatorname{sinc}(rx/2^{\mathfrak{m}_{\mathfrak{q}}})}\right]^{2},

(27)

where $S_{k}(0)=m_{k}^{(\mathfrak{q})}=1+\left\lfloor(2^{\mathfrak{m}_{\mathfrak{q}}}-1-k)/r\right\rfloor$ and $\operatorname{sinc}(x)$ is the normalized sinc function [for $x\not=0$ , $\operatorname{sinc}(x)=\sin(\pi x)/(\pi x)$ ].

The endpoint correction term in (2.3) does not influence the approximate estimates of $P_{\mathrm{tot}}^{(\mathfrak{q})}$ considered next. Terms involving non-zero $\epsilon_{k}(\mathfrak{q})$ are suppressed by at least three powers of $r$ relative to the dominate large $r$ contribution.

3 Asymptotic analysis of $P_{\mathrm{tot}}^{(\mathfrak{q})}$

If $r$ is a power of two (i.e. $r_{\mathrm{o}}=1$ ), then $m_{k}^{(\mathfrak{q})}=2^{\mathfrak{m}_{\mathfrak{q}}}/r$ , $S_{k}(x)=\delta_{x,0}\,m_{k}^{(\mathfrak{q})}$ (for integer $x$ ), and (2.3) reduces without approximation to

P_{\mathrm{tot}}^{(\mathfrak{q})}=1-\frac{1}{r}.

(28)

The first summation in (2.3) is dominant, and the remaining terms are suppressed by one power of $r$ or more. The same pattern is also evident in an expansion of (2.3) for large $r$ which embraces the cases in which $r$ is not a power of two. If the negligible terms of order $1/r$ and higher are discarded, then the following approximation to $P_{\mathrm{tot}}^{(\mathfrak{q})}$ emerges:

\mathsf{P}^{(\mathfrak{q})}=\frac{1}{r_{\mathrm{o}}}\sum\limits_{\mathfrak{j}\in\mathfrak{B}[2^{\mathfrak{q}}r_{\mathrm{o}}]}\!\!\operatorname{sinc}^{2}(\mathfrak{j}/r_{\mathrm{o}}).

(29)

The expansions in support of (29) are given in appendix B. Like (28), (29) is independent of $k$ , but, when specialized to $r_{\mathrm{o}}=1$ , yields $\mathsf{P}^{(\mathfrak{q})}=1$ .

Table 2: Sample of dependence of

\mathsf{P}^{(\mathfrak{q})}

r_{\mathrm{o}}

for

\mathfrak{q}\geq 0

. The last row contains the values of

\mathsf{P}^{(\mathfrak{q})}_{\infty}

from (2).

$r_{\mathrm{o}}\backslash\mathfrak{q}$	0	1	2
3	0.7893	0.90326	0.949999
5	0.7792	0.90288	0.949946
7	0.7765	0.902837	0.9499411
9	0.7754	0.902828	0.9499400
11	0.7748	0.902826	0.9499396
13	0.7745	0.9028245	0.94993949
15	0.7743	0.9028240	0.94993942
$\infty$	0.7737	0.9028233	0.94993934

Simple as the expression for $\mathsf{P}^{(\mathfrak{q})}$ is, it would seem of little utility because of its reliance on the factor $r_{\mathrm{o}}$ of the unknown (but large) period $r$ . However, the numerical data in Table 2 suggests that $\mathsf{P}^{(\mathfrak{q})}$ is a monotonically decreasing function of $r_{\mathrm{o}}$ when $\mathfrak{q}\geq 0$ . This trend can be confirmed for large $r_{\mathrm{o}}$ with the aid of the Euler-Maclaurin summation formula, which, for $\mathfrak{q}\geq 1$ , implies straightforwardly that

\mathsf{P}^{(\mathfrak{q})}=\frac{2}{\pi}\mathrm{Si}(2^{\mathfrak{q}}\pi)+\frac{4}{15\cdot 8^{\mathfrak{q}}}\frac{1}{r_{\mathrm{o}}^{4}}+\ldots\,.

(30)

The calculation is trickier for $\mathfrak{q}=0$ ; application of the Euler-Maclaurin summation formula has to be followed by an expansion in inverse powers of $r_{\mathrm{o}}$ (details are given in appendix C): the outcome of these manipulations is

\mathsf{P}^{(\mathfrak{q}=0)}=\frac{2}{\pi}\left(\mathrm{Si}(\pi)-\frac{2}{\pi}\right)+\frac{4}{3\pi^{2}}\frac{1}{r_{\mathrm{o}}^{2}}+\ldots\,.

(31)

The results in (30), (31) and Table 2 justify the claim that, provided $1/r$ is negligible, $\mathsf{P}^{(\mathfrak{q})}_{\infty}$ in (2) is always an excellent approximation to $P_{\mathrm{tot}}^{(\mathfrak{q})}$ in (2.3) when $\mathfrak{q}$ is non-negative.

Table 3: Sample of deviation of

\mathsf{P}^{(\mathfrak{q})}

from

\mathsf{P}^{(\mathfrak{q})}_{\infty}

for

\mathfrak{q}<0

. The scaled deviation

\mathsf{D}^{(\mathfrak{q})}=r_{\mathrm{o}}\bigl{(}\mathsf{P}^{(\mathfrak{q})}-\mathsf{P}^{(\mathfrak{q})}_{\infty}\bigr{)}

. The last row contains the values of

\mathsf{D}^{(-2)}

in the limit

r_{\mathrm{o}}\rightarrow\infty

$r_{\mathrm{o}}$	$\mathsf{D}^{(-2)}$	$r_{\mathrm{o}}$	$\mathsf{D}^{(-2)}$	$r_{\mathrm{o}}$	$\mathsf{D}^{(-2)}$	$r_{\mathrm{o}}$	$\mathsf{D}^{(-2)}$
		3	0.263	5	$-$ 0.229	7	$-$ 0.720
9	0.708	11	0.243	13	$-$ 0.234	15	$-$ 0.716
17	0.7098	19	0.240	21	$-$ 0.235	23	$-$ 0.7144
25	0.7105	27	0.239	29	$-$ 0.236	31	$-$ 0.7138
	0.7122		0.237		$-$ 0.237		$-$ 0.7122

The behaviour of $\mathsf{P}^{(\mathfrak{q})}$ for $\mathfrak{q}<0$ is quite different. Now, the expansion in inverse powers of $r_{\mathrm{o}}$ , which is obtained along the same lines as (31), reads

	$\displaystyle\frac{2}{\pi}\mathrm{Si}(2^{\mathfrak{q}}\pi)$	$\displaystyle-2^{\mathfrak{q}}\operatorname{sinc}^{2}(2^{\mathfrak{q}-1})$		(32)
		$\displaystyle+\operatorname{sinc}^{2}(2^{\mathfrak{q}-1})\left(1-\frac{\nu}{2^{\|\mathfrak{q}\|}}\right)\frac{1}{r_{\mathrm{o}}}+\ldots,$

where $\nu$ is the least non-negative residue of $r_{\mathrm{o}}$ modulo $2^{|\mathfrak{q}|+1}$ . The correction to the leading term $\mathsf{P}^{(\mathfrak{q})}_{\infty}$ is of either sign and, being of order $1/r_{\mathrm{o}}$ (see Table 3), can be substantial for small $r_{\mathrm{o}}$ – see Fig. 3. Despite the scatter about $\mathsf{P}^{(\mathfrak{q})}_{\infty}$ in the values of $\mathsf{P}^{(\mathfrak{q})}$ for $\mathfrak{q}<0$ , none are close to $\mathsf{P}^{(0)}$ .

The leading term $\mathsf{P}^{(\mathfrak{q})}_{\infty}$ in all of the above expansions in (30), (31) and (32) is found by evaluation of

\int\limits_{-2^{\mathfrak{q}-1}}^{2^{\mathfrak{q}-1}}\operatorname{sinc}^{2}(x)dx

(33)

for integer $\mathfrak{q}$ . The integral in (33) defines an entire function of $z=2^{\mathfrak{q}}$ . In the limit $r_{\mathrm{o}}\rightarrow\infty$ , when $\mathsf{P}^{(\mathfrak{q})}\rightarrow\mathsf{P}^{(\mathfrak{q})}_{\infty}$ , the lower limit on the integers $\mathfrak{q}$ of $\mathfrak{q}_{\min}\rightarrow-\infty$ ; the values of $2^{\mathfrak{q}}$ then belong to a set with an accumulation point, and the identity theorem for holomorphic functions can be invoked to assert that the integral representation in (33) is the unique analytic continuation of $\mathsf{P}^{(\mathfrak{q})}_{\infty}$ to all values of $\mathfrak{q}$ , real and complex: thus, the right-hand side of (2), which is obtained from (33) for arbitrary $\mathfrak{q}$ by integration by parts, is a natural choice of interpolation function in Fig. 1.

4 Foundations for choices L and $\overline{\mathrm{L}}$

Insight into good choices of $b$ for the factorization of square-free odd semiprimes $N=pq$ is gained through the isomorphism between $(\mathbb{Z}/N\mathbb{Z})^{\times}$ and the direct product $(\mathbb{Z}/p\mathbb{Z})^{\times}\times(\mathbb{Z}/q\mathbb{Z})^{\times}$ of the cyclic groups $(\mathbb{Z}/p\mathbb{Z})^{\times}$ and $(\mathbb{Z}/q\mathbb{Z})^{\times}$ . The Jacobi symbol permits some consequences of this isomorphism to be recast in a manner which does not require any knowledge of the odd primes $p$ and $q$ .

4.1 Use of $(\mathbb{Z}/N\mathbb{Z})^{\times}\cong(\mathbb{Z}/p\mathbb{Z})^{\times}\times(\mathbb{Z}/q\mathbb{Z})^{\times}$

The two simultaneous congruence relations

b\equiv b_{p}(\mathrm{mod}\,p),\quad b\equiv b_{q}(\mathrm{mod}\,q)

(34)

establish (via the Chinese Remainder theorem) a bijection between elements $b\in(\mathbb{Z}/N\mathbb{Z})^{\times}$ and ordered pairs $(b_{p},b_{q})\in(\mathbb{Z}/p\mathbb{Z})^{\times}\times(\mathbb{Z}/q\mathbb{Z})^{\times}$ , and there is a one-to-one correspondence between $b^{k}\,(\mathrm{mod}\,N)$ and $\bigl{(}b_{p}^{k}(\mathrm{mod}\,p),b_{q}^{k}(\mathrm{mod}\,q)\bigr{)}$ for any positive integer power $k$ . Hence, the order $r$ of $b$ to be used in $f_{b}=\gcd(b^{r/2}-1,N)$ is determined by the orders $r_{p}$ and $r_{q}$ of $b_{p}$ and $b_{q}$ , respectively, via

r=\operatorname{lcm}(r_{p},r_{q}),

(35)

and the conditions for the failure of $f_{b}$ as a factor of $N$ find neat expression as a property of $r_{p}$ and $r_{q}$ : the powers of two in the prime factorizations of $r_{p}$ and $r_{q}$ are equal ([5], Lemma 2).

The appeal of this characterisation is that the distribution of the powers of two associated with either of the orders $r_{p}$ or $r_{q}$ is easily constructed. For odd primes $h=2^{c}d+1$ ( $c\geq 1$ , $d$ odd), the group $(\mathbb{Z}/h\mathbb{Z})^{\times}$ comprises elements which are powers (modulo $h$ ) of a generator $\mathfrak{g}_{h}$ of order $h-1=2^{c}d$ . As a result, the element $\mathfrak{g}_{h}^{k}(\mathrm{mod}\,h)$ (where $k=1,2,\ldots,2^{c}d$ ) has order

r_{h}^{(k)}=\frac{2^{c}d}{\gcd(k,2^{c}d)}.

(36)

For the $2^{c-1}d$ odd values of $k$ , (36) simplifies to $r_{h}^{(k)}=2^{c}d_{k}$ , where the odd number $d_{k}=d/\gcd(k,d)$ ; the corresponding result for the equal number of even values of $k=2j$ ( $j=1,2,\ldots,2^{c-1}d$ ) is

r_{h}^{(k=2j)}=\frac{2^{c-1}d}{\gcd(j,2^{c-1}d)},

(37)

which resembles (36) with the factor of $2^{c}$ replaced by $2^{c-1}$ : on the basis of the recursive pattern implied by the similarity of (37) to (36), there are $2^{l-1}d$ elements of $(\mathbb{Z}/h\mathbb{Z})^{\times}$ with the even orders $2^{l}d_{j}$ ( $j=1,3,5,\ldots,2^{l}d-1$ ) for each $l\in\{1,2,3,\ldots,c\}$ , and only $d$ elements with the odd orders $d_{j}$ ( $j=1,2,\ldots,d$ ). Altogether, there are $c+1$ different powers of two: $\{0,1,\dots,c-1\}$ for the even choices of $k$ in (36), and exclusively $c$ for the odd choices.

An element $(b_{p},b_{q})\in(\mathbb{Z}/p\mathbb{Z})^{\times}\times(\mathbb{Z}/q\mathbb{Z})^{\times}$ has the representation $\bigl{(}\mathfrak{g}_{p}^{k_{p}}(\mathrm{mod}\,p),\mathfrak{g}_{q}^{k_{q}}(\mathrm{mod}\,q)\bigr{)}$ in terms of generators $\mathfrak{g}_{p}$ and $\mathfrak{g}_{q}$ of $(\mathbb{Z}/p\mathbb{Z})^{\times}$ and $(\mathbb{Z}/q\mathbb{Z})^{\times}$ , respectively. Consistent with the earlier parametrization of $N$ in connection with (1), the primes $p$ and $q$ are taken to be $p=2^{c_{p}}d_{p}+1$ and $q=2^{c_{q}}d_{q}+1$ , where $d_{p},d_{q}$ are odd and $c_{p}\geq c_{q}$ . The results of the previous paragraph can be used to determine the number of pairs $(b_{p},b_{q})$ for which the powers of two in the prime factorizations of the corresponding orders $r_{p}$ and $r_{q}$ are identical. By way of example, whenever both indices $k_{p}$ and $k_{q}$ are odd, the respective powers of two are $c_{p}$ and $c_{q}$ ; as there are $\tfrac{1}{2}(p-1)$ odd values of $k_{p}$ and $\tfrac{1}{2}(q-1)$ odd values of $k_{q}$ , the corresponding number of pairs $(b_{p},b_{q})$ with orders sharing the same power of two is

\tfrac{1}{2}(p-1){\times}\tfrac{1}{2}(q-1)\hskip 0.5pt\delta_{c_{p},c_{q}}=4^{c_{q}-1}d_{p}d_{q}\hskip 0.5pt\delta_{c_{p},c_{q}}.

(38)

Table 4 contains a summary of all the findings on the numbers of pairs with such matching powers of two. No match is possible when $k_{p}$ is odd and $k_{q}$ is even because $c_{q}-1<c_{p}$ . The entry for even $k_{p}$ and $k_{q}$ excludes the pair $(1,1)$ since it corresponds to a choice of $b$ ( $b=1$ ) that cannot yield non-trivial factors of $N$ ( $f_{b=1}=N$ ).

Table 4: The numbers of pairs

(b_{p},b_{q})\in(\mathbb{Z}/p\mathbb{Z})^{\times}\times(\mathbb{Z}/q\mathbb{Z})^{\times}

for which the powers of two in the prime factorizations of the two related orders

r_{p}

and

r_{q}

coincide. The sum

S=4^{c_{q}-1}d_{p}d_{q}

	$k_{q}$ even	$k_{q}$ odd
$k_{p}$ even	$\tfrac{1}{3}S+\tfrac{2}{3}d_{p}d_{q}-1$	$S(1-\delta_{c_{p},c_{q}})$
$k_{p}$ odd	0	$S\hskip 0.5pt\delta_{c_{p},c_{q}}$

4.2 Role of the Jacobi symbol

Quadratic residues modulo $N$ are those elements of $(\mathbb{Z}/N\mathbb{Z})^{\times}$ for which both of the indices $k_{p}$ and $k_{q}$ are even. Table 4 exhibits a partition of $(\mathbb{Z}/N\mathbb{Z})^{\times}$ into the subgroup comprising its quadratic residues and the three cosets of this subgroup, all elements of which are quadratic non-residues modulo $N$ . The Jacobi symbol distinguishes two of these cosets from the subgroup of quadratic residues.

For odd primes $h$ , it is the Legendre symbol $(a/h)$ which differentiates between quadratic residues and non-residues modulo $h$ : $(a/h)$ is $+1$ ( $-1$ ) if $a$ is a quadratic residue (non-residue), and 0 if $h$ is a divisor of $a$ . A consequence of Fermat’s little theorem is that $a^{(h-1)/2}\,(\mathrm{mod}\,h)$ must have one of $+1$ , $-1$ or 0 as its least absolute residue. As a result ([9], Theorem 83), it is possible to express $(a/h)$ in terms of least absolute residues as

\left(\frac{a}{h}\right)\equiv a^{(h-1)/2}\,(\mathrm{mod}\,h).

(39)

Furthermore, as the values $+1$ and 0 are inadmissible for any generator $\mathfrak{g}_{h}$ of $(\mathbb{Z}/h\mathbb{Z})^{\times}$ because they are incompatible with the requirement that it be of even order $h-1$ , it is necessarily the case that $\mathfrak{g}_{h}^{(h-1)/2}\equiv-1(\mathrm{mod}\,h)$ , and

	$\displaystyle\left(\frac{\mathfrak{g}_{h}^{k}}{h}\right)$	$\displaystyle\equiv\bigl{(}\mathfrak{g}_{h}^{(h-1)/2}\bigr{)}^{k}\,(\mathrm{mod}\,h)$		(40)
		$\displaystyle\equiv(-1)^{k}\,(\mathrm{mod}\,h)=(-1)^{k},$

in accord with the expectation that even (odd) powers of a generator are quadratic residues (non-residues).

For an integer $b$ relatively prime to the square-free semiprime $N=pq$ , the Jacobi symbol

\left(\frac{b}{N}\right)=\left(\frac{b}{p}\right)\left(\frac{b}{q}\right),

(41)

where the right-hand side is the product of the two Legendre symbols $(b/p)$ and $(b/q)$ , which, in view of the congruences in (34), can be substituted by $(b_{p}/p)$ and $(b_{q}/q)$ , respectively. Use of the further congruences $b_{p}\equiv(\mathfrak{g}_{p})^{k_{p}}\,(\mathrm{mod}\,p)$ and $b_{q}\equiv(\mathfrak{g}_{q})^{k_{q}}\,(\mathrm{mod}\,q)$ as well as (40) imply finally that

\left(\frac{b}{N}\right)=(-1)^{k_{p}+k_{q}},

(42)

which is the basis for the observation exploited in [7] that, when $(b/N)=-1$ , $b$ belongs to the union of the ( $k_{p}$ odd, $k_{q}$ even) and ( $k_{p}$ even, $k_{q}$ odd) cosets in $(\mathbb{Z}/h\mathbb{Z})^{\times}$ .

According to Table 4, $S(1-\delta_{c_{p},c_{q}})$ of the $\tfrac{1}{2}(p-1){\times}(q-1)=2^{c_{p}-c_{q}+1}S$ members in this union are unsuitable for the purposes of factoring the semiprime $N$ . The result for the conditional probability in (1) follows immediately. Another inference from Table 4, which forms the basis for choice $\overline{\mathrm{L}}$ , is that, when it is known $c_{p}\not=c_{q}$ , then all quadratic non-residues $b$ for which $(b/N)=+1$ [i.e. the whole of the ( $k_{p}$ odd, $k_{q}$ odd) coset] are good candidates for factoring $N$ .

4.3 Value of $c_{q}$ : special cases

Specialization to the square-free semiprime $N=(2^{c_{p}}d_{p}+1)(2^{c_{q}}d_{q}+1)$ of the standard formulae for the Jacobi symbols $(-1/N)$ and $(2/N)$ ([6], §27.9) proves serendipitously fruitful. To begin with, on the basis of

	$\displaystyle\left(\frac{-1}{N}\right)$	$\displaystyle=(-1)^{(N-1)/2}$		(43)
		$\displaystyle=(-1)^{2^{c_{p}-1}}(-1)^{2^{c_{q}-1}},$

it is possible to interpret the value of $(-1/N)$ as follows: if $(-1/N)=-1$ , then, without further ado, $c_{p}>c_{q}=1$ ; if, instead, $(-1/N)=+1$ , then $c_{p}=1=c_{q}$ when $-1$ is a quadratic non-residue modulo $N$ , and otherwise it can be deduced that $c_{p}\geq c_{q}\geq 2$ . In the latter case, it is appropriate to move onto $(2/N)$ . Under the assumption that $c_{p}\geq c_{q}\geq 2$ ,

	$\displaystyle\left(\frac{2}{N}\right)$	$\displaystyle=(-1)^{(N^{2}-1)/8}$		(44)
		$\displaystyle=(-1)^{2^{c_{p}-2}}(-1)^{2^{c_{q}-2}},$

the implications of which parallel those of (43): if $(2/N)=-1$ , then $c_{p}>c_{q}=2$ ; if $(2/N)=+1$ , then $c_{p}=2=c_{q}$ when $+2$ is a quadratic non-residue modulo $N$ , and, by the exclusion above of other options, $c_{p}\geq c_{q}\geq 3$ when $+2$ is a quadratic residue. All of these findings are summarized in Table 1.

Larger values of $c_{q}$ can be identified if it is known that $c_{p}>c_{q}$ (because choice L has failed) by the elementary expedient of evaluating

s_{k}=(-1)^{(N-1)/2^{k}}

(45)

for $k=3,4,\ldots$ . As $s_{k}=(-1)^{2^{c_{q}-k}}$ for $k\leq c_{q}<c_{p}$ , the sequence of evaluations is to be terminated when the value $s_{k}=-1$ is encountered; $c_{q}$ is the corresponding value of $k$ .

4.4 Properties of orders

With the substitutions $r_{p}=2^{l_{p}}r_{p\mathrm{o}}$ and $r_{q}=2^{l_{q}}r_{q\mathrm{o}}$ ( $r_{p\mathrm{o}},r_{q\mathrm{o}}$ odd), (35) becomes

r=2^{{\max}(l_{p},l_{q})}\operatorname{lcm}(r_{p\mathrm{o}},r_{q\mathrm{o}}).

(46)

The properties of the indices $l_{p}$ and $l_{q}$ established in subsection 4.1 imply that, for choice L,

c_{q}\leq\max(l_{p},l_{q})\leq c_{p},

(47)

whereas, for choice $\overline{\mathrm{L}}$ ,

\max(l_{p},l_{q})=c_{p}.

(48)

For both choices, the order $r$ is even as asserted in the introduction.

Lagrange’s theorem for finite groups and the isomorphism $(\mathbb{Z}/N\mathbb{Z})^{\times}\cong(\mathbb{Z}/p\mathbb{Z})^{\times}\times(\mathbb{Z}/q\mathbb{Z})^{\times}$ imply that an order $r$ modulo the square-free semiprime $N$ is a divisor of the value

\lambda(N)=\operatorname{lcm}(p-1,q-1)

(49)

of the Carmichael $\lambda$ -function. Thus, substituting for $\operatorname{lcm}(p-1,q-1)$ in terms of $\gcd(p-1,q-1)$ ,

r\leq\frac{(p-1)(q-1)}{\gcd(p-1,q-1)}\leq\frac{1}{2^{c_{q}}}(p-1)(q-1)

(50)

since $\gcd(p-1,q-1)\geq 2^{c_{q}}$ . In all cases of practical interest, $p+q>2$ and the right-hand side of (50) can be replaced by

r_{\max}=\tfrac{1}{2^{c_{q}}}(pq-1)=\tfrac{1}{2^{c_{q}}}(N-1).

(51)

Information gleaned from the analysis of the Jacobi symbols $(-1/N)$ and $(2/N)$ or the ad hoc construct $s_{k}$ can be used to fix a suitable lower limit to $c_{q}$ . The upper bound $r_{\max}$ can be used to improve on Shor’s recommendation that the input quantum register contain at least $m_{\mbox{\tiny Sh}}=\lceil 2\log_{2}N\rceil$ qubits. In terms of $\mathfrak{m}_{\mathfrak{q}}$ ,

m_{\mbox{\tiny Sh}}=\mathfrak{m}_{\mathfrak{q}=2c_{q}+\Delta},

(52)

where $\Delta=\lceil 2\log_{2}(N/2^{c_{q}})\rceil-\lceil 2\log_{2}r\rceil$ is a non-negative integer.

5 Discussion

As a tool for factoring RSA integers $N$ , Shor’s algorithm has been displaced by an approach which computes discrete logarithms [10, 11]. Nevertheless, the present paper suggests that there may remain an alternative use for Shor’s algorithm as a context for testing the operation of quantum computers. The benchmarks involving quadratic non-residues (schemes $\mathcal{A}$ and $\mathcal{B}$ above) derive from structural properties of $(\mathbb{Z}/N\mathbb{Z})^{\times}$ , and group-theoretical considerations pertinent to other algorithms may also imply similar benchmarks. The benchmark arising from the period-finding algorithm is fortuitous.

Further studies may yet show that the benchmarks identified in this paper are toothless. However, the findings on the period-finding algorithm should still be of interest in view of their generality. According to the results in section 3, the approximation $\mathsf{P}^{(\mathfrak{q})}_{\infty}$ has the merit of being a lower bound to the probability of success when $\mathfrak{q}\geq 0$ and $1/r$ is negligible.

References

[1] A. Gheorghiu, T. Kapourniotis and E. Kashefi, “Verification of quantum computation: an overview of existing approaches,” Theory Comput. Syst. 63, 715–808 (2019).
[2] J. Eisert, D. Hangleiter, N. Walk, I. Roth, D. Markham, R. Parekh, U. Chabaud and E. Kashefi, “Quantum certification and benchmarking,” Nat. Rev. Phys. 2, 382–90 (2020).
[3] M. Kliesch and I. Roth, “Theory of quantum system verification,” PRX Quantum 2, 010201 (2021).
[4] P. W. Shor, “Polynomial time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM J. Comput. 26(5), 1484–509 (1997).
[5] A. M. Childs and W. van Dam, “Quantum algorithms for algebraic problems,” Rev. Mod. Phys. 82(1), 1–52 (2010).
[6] NIST Digital Library of Mathematical Functions (Release 1.1.3 of 2021-09-15), F. W. J. Olver, A. B. Olde Daalhuis, D. W. Lozier, B. I. Schneider, R. F. Boisvert, C. W. Clark, B. R. Miller, B. V. Saunders, H. S. Cohl, and M. A. McClain (eds.).
[7] G. Leander, “Improving the success probability of Shor’s factoring algorithm,” arXiv: quant-ph/0208183.
[8] P. S. Bourdon and H. T. Williams, “Sharp probability estimates for Shor’s order-finding algorithm,” Quantum Information & Computation 7(5&6), 522–50 (2007).
[9] G. H. Hardy and E. M. Wright, “An introduction to the theory of numbers,” Oxford University Press, Oxford, UK, 6th ed., 2008.
[10] C. Gidney and M. Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Quantum 5, 433 (2021).
[11] É Gouzien and N. Sangouard, “Factoring 2048-bit RSA integers in 177 days with 13436 qubits and a multimode memory,” Phys. Rev. Lett. 127, 140503 (2021).

Appendix A Reduction $\Delta_{j}$ in (13)

With the substitution of $2^{m-n_{r}}j$ in (13) by

\left\lfloor\frac{2^{m-n_{r}}j}{r_{\mathrm{o}}}\right\rfloor r_{\mathrm{o}}+2^{m-n_{r}}j(\mathrm{mod}\,r_{\mathrm{o}}),

(53)

where it is understood that $2^{m-n_{r}}j(\mathrm{mod}\,r_{\mathrm{o}})$ is the least non-negative residue of $2^{m-n_{r}}j$ modulo $r_{\mathrm{o}}$ (and, hence, an element of $\mathbb{Z}/r_{\mathrm{o}}\mathbb{Z}$ ), $\Delta_{j}$ can be rewritten as

	$\displaystyle\Delta_{j}$	$\displaystyle=\left\lfloor\frac{2^{m-n_{r}}j(\mathrm{mod}\,r_{\mathrm{o}})}{r_{\mathrm{o}}}+\frac{1}{2}\right\rfloor$		(54)
		$\displaystyle\hskip 65.04034pt-\frac{2^{m-n_{r}}j(\mathrm{mod}\,r_{\mathrm{o}})}{r_{\mathrm{o}}}.$

Since $r_{\mathrm{o}}$ is odd, it is coprime to $2^{m-n_{r}}$ , and, just as the integers $j\in\mathbb{Z}/r_{\mathrm{o}}\mathbb{Z}$ form a complete set of residues modulo $r_{\mathrm{o}}$ , so do the $r_{\mathrm{o}}$ integers $2^{m-n_{r}}j$ (see, for example, Theorem 56 in [9]). The corresponding least non-negative residues $2^{m-n_{r}}j(\mathrm{mod}\,r_{\mathrm{o}})$ must then be identical to $\mathbb{Z}/r_{\mathrm{o}}\mathbb{Z}$ . By an appropriate change of the dummy variable of summation in (14), it can be arranged that

\Delta_{j}=\left\lfloor\frac{j}{r_{\mathrm{o}}}+\frac{1}{2}\right\rfloor-\frac{j}{r_{\mathrm{o}}}\hskip 21.68231pt(j\in\mathbb{Z}/r_{\mathrm{o}}\mathbb{Z}).

(55)

Evaluation of (55) yields the following $r_{\mathrm{o}}-1$ non-zero values for $\Delta_{j}$ :

\Delta_{j}=-\frac{j}{r_{\mathrm{o}}}

(56)

and

\Delta_{r_{\mathrm{o}}-j}=+\frac{j}{r_{\mathrm{o}}}

(57)

for $j\in\{1,2,\ldots,\tfrac{1}{2}(r_{\mathrm{o}}-1)\}$ . As (55) also trivially implies that $\Delta_{0}=0$ , the values of $\Delta_{j}$ in (55) clearly coincide with those given in connection with (15).

Appendix B Large $r$ expansion of $P_{\mathrm{tot}}^{(\mathfrak{q})}$

For large $r$ , the obvious expansion parameter is $1/r$ , but there are others which are more convenient for the treatment of $P_{\mathrm{tot}}^{(\mathfrak{q})}$ . Paralleling the derivation of (54) for $\Delta_{j}$ in appendix A, the difference

m_{k}^{(\mathfrak{q})}-\frac{2^{\mathfrak{m}_{\mathfrak{q}}}}{r}=\left\lfloor\frac{1}{r}(r-1-k+\mathfrak{r})\right\rfloor-\frac{\mathfrak{r}}{r},

(58)

where $\mathfrak{r}$ is the least non-negative residue of $2^{\mathfrak{m}_{\mathfrak{q}}}$ modulo $r$ . Inspection of the values that can be attained by the right-hand side of (58) leads to the conclusion that $-(1-1/r)\leq m_{k}^{(\mathfrak{q})}-2^{\mathfrak{m}_{\mathfrak{q}}}/r\leq 1-1/r$ . (The upper bound is attained when $k=0$ , $\mathfrak{r}=1$ and the lower bound when $k=r-1=\mathfrak{r}$ .) If $m_{k}^{(\mathfrak{q})}$ is parametrised as

m_{k}^{(\mathfrak{q})}=\frac{2^{\mathfrak{m}_{\mathfrak{q}}}}{r}(1+\mu),

(59)

then the small parameter $\mu$ is such that

|\mu|<r/2^{\mathfrak{m}_{\mathfrak{q}}}<1/(2^{\mathfrak{q}}r),

(60)

where the last inequality relies on relation (1) defining $2^{\mathfrak{m}_{\mathfrak{q}}}$ . In turn,

1/m_{k}^{(\mathfrak{q})}<(2^{\mathfrak{q}}r)^{-1}(1+\mu)^{-1}<1/(2^{\mathfrak{q}}r-1)

(61)

from the reciprocal of (59) and the inequalities $r/2^{\mathfrak{m}_{\mathfrak{q}}}<1/(2^{\mathfrak{q}}r)$ and $\mu>-(2^{\mathfrak{q}}r)^{-1}$ which can be read off from (60).

On the basis of the expansions

$\displaystyle\operatorname{sinc}^{2}$	$\displaystyle\!\left(\frac{rx}{2^{\mathfrak{m}_{\mathfrak{q}}}}\right)$	(62)
	$\displaystyle=1-\frac{\pi^{2}}{3}(1+\mu)^{2}\frac{x^{2}}{(m_{k}^{(\mathfrak{q})})^{2}}+\ldots,$
$\displaystyle\operatorname{sinc}^{2}$	$\displaystyle\!\left(\frac{m^{(\mathfrak{q})}_{k}r}{2^{\mathfrak{m}_{\mathfrak{q}}}}x\right)$	(63)
	$\displaystyle=\operatorname{sinc}^{2}(x)+2\left[\operatorname{sinc}(2x)-\operatorname{sinc}^{2}(x)\right]\mu+\ldots$

in $1/m_{k}^{(\mathfrak{q})}$ and $\mu$ , respectively, and the identity $rS_{k}(0)/2^{\mathfrak{m}_{\mathfrak{q}}}=1+\mu$ , the leading-order contribution to $P_{\mathrm{tot}}^{(\mathfrak{q})}$ is given by (29), corrections being of order $1/r$ .

Appendix C Expansion of $\mathcal{P}^{(\mathfrak{q})}$ for $\mathfrak{q}=0$

The Euler-Maclaurin summation formula ([6], Eq. 2.10.1) implies that

	$\displaystyle\mathcal{P}^{(\mathfrak{q})}$	$\displaystyle=2\int\limits_{0}^{a_{\mathfrak{q}}}f(x)\,dx+f(a_{\mathfrak{q}})\frac{1}{r_{\mathrm{o}}}+\tfrac{1}{6}f^{\prime}(a_{\mathfrak{q}})\frac{1}{r_{\mathrm{o}}^{2}}$
		$\displaystyle\hskip 21.68231pt-\tfrac{1}{360}f^{\prime\prime\prime}(a_{\mathfrak{q}})\frac{1}{r_{\mathrm{o}}^{4}}+\ldots,$		(64)

where $a_{\mathfrak{q}}=\lfloor 2^{\mathfrak{q}}r_{\mathrm{o}}\rfloor/r_{\mathrm{o}}$ , $f(x)=\operatorname{sinc}^{2}(x)$ , and use has been of its evenness and the oddness of its odd derivatives. For $\mathfrak{q}\geq 1$ , (C) is an expansion in inverse powers of $r_{\mathrm{o}}$ as it stands because $a_{\mathfrak{q}}\,(=2^{\mathfrak{q}-1})$ is independent of $r_{\mathrm{o}}$ . However,

a_{0}=\tfrac{1}{2}(1-1/r_{\mathrm{o}}),

(65)

and

$\displaystyle 2\int\limits_{0}^{a_{0}}$	$\displaystyle f(x)\,dx$	(66)
	$\displaystyle=\frac{2}{\pi}\mathrm{Si}(\pi-\pi/r_{\mathrm{o}})-(1-1/r_{\mathrm{o}})f(a_{0}),$
$\displaystyle f(a_{0})$	$\displaystyle=\left(\frac{2}{\pi}\right)^{2}\left(\frac{\cos\pi/2r_{\mathrm{o}}}{1-1/r_{\mathrm{o}}}\right)^{2},$	(67)
$\displaystyle f^{\prime}(a_{0})$	$\displaystyle=\frac{4}{1-1/r_{\mathrm{o}}}\left[\frac{\sin\pi/r_{\mathrm{o}}}{\pi(1-1/r_{\mathrm{o}})}-f(a_{0})\right].$	(68)

After substitution of (66) into (C), $f(a_{\mathrm{o}})$ appears in the combination $-(1-2/r_{\mathrm{o}})f(a_{\mathrm{o}})$ that has the expansion

-\left(\frac{2}{\pi}\right)^{2}+\left[1+\left(\frac{2}{\pi}\right)^{2}\right]\frac{1}{r^{2}_{\mathrm{o}}}+\ldots

(69)

in which terms linear in $1/r_{\mathrm{o}}$ are absent. Equation (31) is obtained when (69) is coupled with use of the expansion

\frac{2}{\pi}\mathrm{Si}(\pi-\pi/r_{\mathrm{o}})=\frac{2}{\pi}\mathrm{Si}(\pi)-\frac{1}{r_{\mathrm{o}}^{2}}+\ldots

(70)

and replacement of $f^{\prime}(a_{0})$ by $-4(2/\pi)^{2}$ in (C).

Benchmarks for quantum computers from Shor’s algorithm

Abstract

1 Introduction

2 Period-finding: success probability

2.1 The case 𝔮=0\mathfrak{q}=0

2.2 Generalization to 𝔮<0\mathfrak{q}<0

2.3 Generalization to 𝔮>0\mathfrak{q}>0

3 Asymptotic analysis of Ptot(𝔮)P_{\mathrm{tot}}^{(\mathfrak{q})}

4 Foundations for choices L and L¯\overline{\mathrm{L}}

4.1 Use of (ℤ/N​ℤ)×≅(ℤ/p​ℤ)××(ℤ/q​ℤ)×(\mathbb{Z}/N\mathbb{Z})^{\times}\cong(\mathbb{Z}/p\mathbb{Z})^{\times}\times(\mathbb{Z}/q\mathbb{Z})^{\times}