9

I know that Shor's algorithm can factor semi-primes ($N = p \times q \space, \{p, \space q \in \Bbb{P} \space \vert \space p, \space q \gt 0 \} $).

Assuming that all prime numbers are so large that it's infeasible to compute with any known classical algorithm, can Shor's algorithm also factor multi-primes, meaning where $N$ has more than two prime-factors?

Patriot
AleksanderCH

3 Answers

6

Shor's algorithm finds the prime factors of any integer, regardless of the number of primes. This is explained in this Wikipedia article which describes how the algorithm takes an odd integer and finds another integer which divides it. If the composite number is not a semiprime, then you just run Shor's algorithm on the result again to get another integer which divides it. Repeat until only primes remain.

forest
6

Yes, it can. Quoting the document of DJB: "Post-quantum RSA" by Daniel J. Bernstein, Nadia Heninger, Paul Lou and Luke Valenta, which forest has linked to:

If $n$ is a product of more primes, say $k \ge 3$ primes, then the same speedup becomes even more effective, using $k$ exponentiations with ($1/k$)-size exponents and ($1/k$)-size moduli. Prime generation also becomes much easier since the primes are smaller. Of course, if primes are too small then the attacker can find them using the ring algorithms discussed in the previous section, specifically EECM before quantum computers, and GEECM after quantum computers.

As we don't know how to factor multi-prime RSA, with e.g. 3 exponents of 1024 bits using classical computing, we can surmise that Shor can factor multi-primes that would be out of reach otherwise.

The article then goes on to explore how many primes and how large a modulus size would be sufficient to ward off attacks by a full quantum computer, and comes out at a 1-terabyte key, 4096-bit primes and $2^{31}$ multiplications to create the modulus.

Probably we should look at other alternatives before turning to RSA for Post Quantum Cryptography, another one of the conclusions of the paper.

Maarten Bodewes
6
  • Shor's algorithm works by using quantum magic to compute a period of $f\colon x \mapsto a^x \bmod n$ for random $a$; if it gives $2t$ so that $a^{2t} \equiv 1 \pmod n$, and if $a^t \not\equiv -1 \pmod n$, then $\gcd(a^t \pm 1, n)$ is a nontrivial factor of $n$. (Otherwise, repeat with another $a$.) If $n = p q r$ and $\gcd(a^t \pm 1, n) = p$, then you can lather, rinse, and repeat for $n' = n/p = q r$.

    The cost is dominated by $(\lg n)^{2 + o(1)}$ qubit operations to compute $f$—that is, it is quadratic in the size of the modulus $n$.

Post-quantum RSA chooses $n$ so large that this quadratic gap is infeasible for an attacker (of course, merely using pqRSA is also only barely feasible as a joke for well-funded users), but that's not the only avenue for attack:

  • If a prime factor is bounded by $y$, then $\gcd(f(n, u), n)$ may be a nontrivial factor of $n$, where $f(n, u)$ is a product of many distinct primes below $y$ modulo $n$, randomized by $u$, e.g., trial division, Pollard's $\rho$, ECM, etc. If $n = p q r$ and you find $u$ so that $\gcd(f(n, u), n) = p$, then you can lather, rinse, and repeat for $n' = n/p = q r$.

    Grover's algorithm finds a preimage of 0 under $u \mapsto [\gcd(n, f(n, u)) = 1]$ in the time for about $\sqrt{y}$ quantum evaluations of $f$. For the best $f$, ECM, where $u$ is a random curve choice, the combined cost of Grover-ECM is $L^{1 + o(1)}$ where $L = e^{\sqrt{\log y \log \log y}}$—that is, it is superpolynomial but subexponential in the size of the factors $p$, $q$, and $r$.

Consequently, post-quantum RSA chooses $p$, $q$, $r$, and millions of other factors, to be 4096 bits apiece so that this superpolynomial/subexponential gap is infeasible for an attacker while the user can still compute arithmetic modulo $p$, $q$, $r$, and the other factors individually at reasonable cost.

Squeamish Ossifrage
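The "lather, rinse, and repeat" reduction described in the answers above, as an added Python example that is not part of any answer on this page: the quantum period-finding step is replaced by a brute-force multiplicative-order computation (feasible only for the tiny constructed moduli used here), and the classical gcd post-processing is then applied recursively so that a product of three or more distinct odd primes is split all the way down to its prime factors. The function names are this example's own.

```python
import math
import random


def order(a, n):
    """Multiplicative order of a modulo n by brute force.

    Stands in for the quantum period-finding step of Shor's algorithm;
    only feasible because the constructed moduli below are tiny."""
    t, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        t += 1
    return t


def shor_split(n, rng=random.Random(1)):
    """Classical post-processing of Shor: return a nontrivial divisor of composite n."""
    if n % 2 == 0:
        return 2  # Shor assumes an odd modulus; even n is split trivially
    # Prime powers p^k have a cyclic unit group, so the +-1 trick never splits
    # them; real implementations check for perfect powers classically first.
    for k in range(2, n.bit_length() + 1):
        root = round(n ** (1 / k))
        if root > 1 and root ** k == n:
            return root
    while True:
        a = rng.randrange(2, n)
        g = math.gcd(a, n)
        if g != 1:
            return g  # lucky draw: a already shares a factor with n
        r = order(a, n)  # the "quantum" period 2t of x -> a^x mod n
        if r % 2:
            continue  # odd period: try another a
        half = pow(a, r // 2, n)
        if half == n - 1:
            continue  # a^t = -1 mod n yields only trivial gcds
        for cand in (math.gcd(half - 1, n), math.gcd(half + 1, n)):
            if 1 < cand < n:
                return cand


def is_prime(m):
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))


def factor_multiprime(n):
    """Split n, then recurse on both parts until only primes remain."""
    if is_prime(n):
        return [n]
    p = shor_split(n)
    return sorted(factor_multiprime(p) + factor_multiprime(n // p))
```

Each recursive call works on the smaller cofactor $n' = n/p$, which is the point made above: once one factor falls out, the remaining product is just another (smaller) instance of the same problem.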