Improving the Success Probability for Shor’s Factorization Algorithm

In Shor’s factorization algorithm (SFA), the task is to find a non-trivial factor of a given composite integer N. Briefly said, SFA works as follows. It chooses randomly an integer \(y<N\) and checks whether y and N are co-primes. If y is co-prime with N, then SFA runs a special quantum subroutine to obtain the order 2r of N with a certain probability (2r is here an integer). In the original SFA and all previous SFAs, if 2r was an even integer and \(y^{r}\not \equiv -1(\text {mod}~N)\), then SFA used y and 2r to get a non-trivial factor of N. However, if the result \(r'\) obtained by the quantum order finding subroutine was not 2r, or 2r was not an even integer, or \(y^{r}\equiv -1(\text {mod}~N)\), then the quantum subroutine had to be run again (and perhaps again and again). In this paper, we show that the three constraints are strong and the success probability for the quantum subroutine can be improved. In general, if a non-trivial factor of N can be got, we can call the result \(r'\) an available result. Naturally, two issues arise: (1) If one of these constraints does not hold, whether these results \(r'\) can also be used to make SFA succeed sometimes? (2) If there exist some other available results, then what is the success probability when these results are considered? This paper proves that some factorization results are still available or possible even if not all of the above constraints are met, and, in addition, that a new success probability can be bigger than those of the previous SFAs. Finally, in order to demonstrate a potential of our approach, we consider factorization of those integers N that are used as moduli for RSA, that is those N that are products of two safe primes, and we show that in this case the fault probability can be reduced to O(1 / N) with our method.