A low cost quantum factoring algorithm
D. J. Bernstein, J.-F. Biasse and M. Mosca
University of Illinois
at Chicago
University of
South Florida
University of
Waterloo
Shor’s algorithm
[Shor 94]: There is a quantum factoring algorithm to factor 𝑁.
 Runs in polynomial time in log 𝑁.
 Requires O(log 𝑁) qubits (2log(𝑁) + 𝑂(1) with [Beauregard 03, Ekerå-Håstad 17])
Question: Is there an algorithm which uses a sublinear number of qubits and still
outperforms the best known classical factoring methods ?
In this work, we describe an algorithm for factoring 𝑁 that
2
3
• Requires Õ (log 𝑁) logical qubits.
• Has a complexity with a better exponent than the Number Field Sieve.
The Number Field Sieve (NFS) algorithm
The best known pre-quantum method to factor 𝑁 runs in heuristic asymptotic time
𝐿𝑝+𝑜(1) where:
p ≈ 1.902
𝐿 ≔ 𝑒
(log 𝑁)1/3 (log log 𝑁)2/3
This complexity is called “subexponential”. The NFS algorithm is practical for nontrivial key sizes:
 Factorization of a 768-bit RSA modulus [Kleinjung et al. 10].
 Factorization of 512-bit moduli for $75 with Amazon Cloud [VCLFBH16]
Starting idea: use a quantum NFS variant to achieve a heuristic run time of 𝐿
3
8/3 ≈ 1.387 < 𝑝 ≈ 1.902
3 8
+𝑜(1)
3
Relation collection in the Number Field Sieve (NFS)
𝑏∈ℤ
Search space 𝑈
Search for 𝑎, 𝑏 ∈ 𝑈 such that 𝑔(𝑎, 𝑏)
is a product of primes ≤ 𝑦 where:
• 𝑦 ∈ ℕ is a subexponential bound.
• 𝑔 ∈ ℤ[𝑋, 𝑌] depends on 𝑁.
When enough relations are found, they
are used to find 𝑋, 𝑌 ∈ ℤ such that:
𝑋 2 − 𝑌 2 ≡ 0 𝑚𝑜𝑑 𝑁
a∈ ℤ
With good probability, this yields a non
trivial divisor of 𝑁.
Testing the smoothness of an integer
Problem: How do we decide if 𝑔(𝑎, 𝑏) is a product of primes ≤ 𝑦 (i.e. 𝑦-smooth) ?
Classical method
• Elliptic Curve Method (ECM)
• Complexity in 𝑒 Õ( log 𝑦)
In the NFS, this
step is negligible
With a quantum computer, we can use Shor’s algorithm
• It runs in polynomial time.
• log(𝑔 𝑎, 𝑏 ) ∈ Õ
log 𝑁
2
3
so it requires Õ
log 𝑁
2
3
qubits
Grover’s search algorithm
Suppose there is a polynomial time algorithm represented by the unitary 𝑈 with
 𝑈|𝑎, 𝑏 = −|𝑎, 𝑏 if 𝑔(𝑎, 𝑏) is 𝑦-smooth.
 𝑈|𝑎, 𝑏 = |𝑎, 𝑏 otherwise.
Then Grover’s algorithm can find 𝑎, 𝑏 such that x = 𝑔(𝑎, 𝑏) is 𝑦-smooth in a range
of 𝑘 elements in time 𝑂( 𝑘)
Challenge: quantum algorithm for the smoothness test with Õ
log 𝑁
2
3
Solution: Use iterations on Shor’s algorithm running ``in superposition’’.
qubits.
Running Shor’s algorithm in superposition
Shor’s algorithm
Let 𝑎 ∈ ℤ of (unknown) order 𝑟 modulo 𝑥
Quantum part
𝑟
2
𝑗
𝑟
𝑀 𝑗
≈
𝑛
2
𝑟
𝑎, 𝑥
𝑟
2
Measurement
Classical part
Yields a non trivial factor of 𝑥 with probability
1/Ω(log log 𝑥)
This work: completely quantum algorithm that
• returns a state that encodes a pair of divisors of 𝑥
• Uses Õ log 𝑁 2/3 qubits when log 𝑥 ∈ Õ log 𝑁 2/3
We get 𝑥
𝑎 −1
𝑎 +1
Smoothness test by iterations of Shor’s algorithm
We have a quantum algorithm that performs |𝑥 → |𝑥1 , 𝑥2 where 𝑥 = 𝑥1 𝑥2
Runs 𝑡 = (log 𝑁)2/3+𝑜(1) iterations
|𝑥
1
(1)
2
|𝑥1 , 𝑥2
(1) (1)
(1)
𝑥1
𝑥 = 𝑥1 𝑥2
(𝑖)
Leaves 𝑥𝑗
Features
2
(2)
|𝑥1 , 𝑥2 , 𝑥3
=
(2) (2)
𝑥1 𝑥2
…
(𝑡)
𝑡
|𝑥1 , … , 𝑥𝑙
(𝑡)
(𝑡)
𝑥 = 𝑥1 … 𝑥𝑙
≤ 𝑦 untouched
Keeps them in the first indices
Detects prime powers
(𝑡)
Last test: is 𝑥𝑙
≤𝑦?
Open problem: challenges of fault-tolerant implementations
Standard version of the threshold theorem [Aharonov,Ben-Or 97]:
A logical circuit containing
• 𝑚 qubits,
• 𝑇 gates
can be replaced by a fault tolerant implementation using
𝑂 𝑚 Polylog 𝑚𝑇 qubits.
Problem: here 𝑇 is subexponential, therefore log 𝑇 ∈ Õ (log 𝑁)1/3 .
• [Gottesman 13]: We can achieve a constant ratio #Physical qubits/#Logical qubits
using quantum error correction with certain properties.
• Some LDPC codes meet these restrictions, but the (classical) decoding algorithms
are inefficient.
Conclusion: other aspects we considered
Smoothness test with quantum ECM
• Same run time.
• Qubit requirement in Õ
DLP in ℤ𝒑
• Useful for the precomputation phase
• Useless for individual logarithms
log 𝑁
5/6
Parallel variant of smoothness test
• Separates any two primes with good
probability.
• Unclear if it reduces the run time.
Thank you for your attention