The algorithm that put quantum computing on the map — and on the radar of every cryptographer. Its secret is a swerve: don’t factor the number, find a hidden rhythm instead, and let the factors fall out.
Pick a number you want to factor, say 15, and any companion a. Look at the sequence a¹, a², a³, … all taken mod 15. It always repeats — it has a period r. Finding that period is the hard part, and it’s the only part a quantum computer does. Once you know r, ordinary grade-school arithmetic turns it into the factors.
Tuning a radio. You don't know the station's frequency, but you sweep the dial and the signal snaps into focus at one spot — the frequency reveals itself. Shor turns factoring into exactly this: the number hides a repeating rhythm, and the quantum Fourier transform is the dial that locks onto it in one sweep. Find the rhythm, and the factors fall out by plain arithmetic.
Choose a base a. The strip shows ax mod 15 repeating; the spectrum below is what the quantum Fourier transform sees — evenly spaced spikes whose spacing hands you the period r. Then watch the two factors of 15 drop out of a single gcd.
If r is even and ar/2 ≠ −1 (mod N), then ar/2 is a non-trivial square root of 1, and the factors come straight from Euclid’s gcd:
Only one step needs a quantum computer: finding r. The quantum Fourier transform takes the periodic superposition and concentrates it into sharp peaks spaced by M/r — so one measurement reveals the rhythm that a classical machine would need exponentially long to detect.
“Shor tries all possible factors in parallel.” It never divides by trial factors at all. It reframes factoring as period-finding, and only the period hunt is quantum — the rest is multiplication and gcd you could do by hand. The QFT isn’t checking answers; it’s detecting a frequency.
This is the exponential one — the reason RSA encryption is built on the difficulty of factoring, and the reason a large enough quantum computer would undo it. Note the honest caveat the lab shows: sometimes a base gives a useless result and you simply pick another and retry. A handful of tries is still astronomically faster than classical factoring.