Seyoon Ragavan,Vinod Vaikuntanathan

2024-06-26

Abstract:We provide two improvements to Regev's recent quantum factoring algorithm (<a class="link-https" data-arxiv-id="2308.06572" href="https://arxiv.org/abs/2308.06572">arXiv:2308.06572</a>), addressing its space efficiency and its noise-tolerance. Our first contribution is to improve the quantum space efficiency of Regev's algorithm while keeping the circuit size the same. Our main result constructs a quantum factoring circuit using $O(n \log n)$ qubits and $O(n^{3/2} \log n)$ gates. We achieve the best of Shor and Regev (upto a logarithmic factor in the space complexity): on the one hand, Regev's circuit requires $O(n^{3/2})$ qubits and $O(n^{3/2} \log n)$ gates, while Shor's circuit requires $O(n^2 \log n)$ gates but only $O(n)$ qubits. As with Regev, to factor an $n$-bit integer $N$, we run our circuit independently $\approx \sqrt{n}$ times and applies Regev's classical postprocessing procedure. Our optimization is achieved by implementing efficient and reversible exponentiation with Fibonacci numbers in the exponent, rather than the usual powers of 2, adapting work by Kaliski (<a class="link-https" data-arxiv-id="1711.02491" href="https://arxiv.org/abs/1711.02491">arXiv:1711.02491</a>) from the classical reversible setting to the quantum setting. This technique also allows us to perform quantum modular exponentiation that is efficient in both space and size without requiring significant precomputation, a result that may be useful for other quantum algorithms. A key ingredient of our exponentiation implementation is an efficient circuit for a function resembling in-place quantum-quantum modular multiplication. Our second contribution is to show that Regev's classical postprocessing procedure can be modified to tolerate a constant fraction of the quantum circuit runs being corrupted by errors. In contrast, Regev's analysis of his classical postprocessing procedure requires all $\approx \sqrt{n}$ runs to be successful. In a nutshell, we achieve this using lattice reduction techniques to detect and filter out corrupt samples.

Quantum Physics

Richard Jozsa

DOI: https://doi.org/10.1109/5992.909000

2000-12-17

Abstract:Amongst the most remarkable successes of quantum computation are Shor's efficient quantum algorithms for the computational tasks of integer factorisation and the evaluation of discrete logarithms. In this article we review the essential ingredients of these algorithms and draw out the unifying generalization of the so-called abelian hidden subgroup problem. This involves an unexpectedly harmonious alignment of the formalism of quantum physics with the elegant mathematical theory of group representations and fourier transforms on finite groups. Finally we consider the non-abelian hidden subgroup problem mentioning some open questions where future quantum algorithms may be expected to have a substantial impact.

Quantum Physics

Martin Ekerå,Joel Gärtner

DOI: https://doi.org/10.1007/978-3-031-62746-0_10

2024-01-30

Abstract:Regev recently introduced a quantum factoring algorithm that may be perceived as a $d$-dimensional variation of Shor's factoring algorithm. In this work, we extend Regev's factoring algorithm to an algorithm for computing discrete logarithms in a natural way. Furthermore, we discuss natural extensions of Regev's factoring algorithm to order finding, and to factoring completely via order finding. For all of these algorithms, we discuss various practical implementation considerations, including in particular the robustness of the post-processing.

Cryptography and Security,Quantum Physics

Jin-Yi Cai,Ben Young

2024-12-23

Abstract:Recently, Cai showed that Shor's quantum factoring algorithm fails to factor large integers when the algorithm's quantum Fourier transform (QFT) is corrupted by a vanishing level of random noise on the QFT's precise controlled rotation gates. We show that under the same error model, Shor's quantum discrete log algorithm, and its various modifications, fail to compute discrete logs modulo P for a positive density of primes P and a similarly vanishing level of noise. We also show that the same noise level causes Shor's algorithm to fail with probability 1-o(1) to compute discrete logs modulo P for randomly selected primes P.

Quantum Physics

Oded Regev

2024-01-07

Abstract:We show that $n$-bit integers can be factorized by independently running a quantum circuit with $\tilde{O}(n^{3/2})$ gates for $\sqrt{n}+4$ times, and then using polynomial-time classical post-processing. The correctness of the algorithm relies on a number-theoretic heuristic assumption reminiscent of those used in subexponential classical factorization algorithms. It is currently not clear if the algorithm can lead to improved physical implementations in practice.

Quantum Physics,Computational Complexity

Martin Ekerå

2024-09-14

Abstract:We heuristically show that Shor's algorithm for computing general discrete logarithms achieves an expected success probability of approximately 60% to 82% in a single run when modified to enable efficient implementation with the semi-classical Fourier transform. By slightly increasing the number of group operations that are evaluated quantumly and performing a single limited search in the classical post-processing, or by performing two limited searches in the post-processing, we show how the algorithm can be further modified to achieve a success probability that heuristically exceeds 99% in a single run. We provide concrete heuristic estimates of the success probability of the modified algorithm, as a function of the group order $r$, the size of the search space in the classical post-processing, and the additional number of group operations evaluated quantumly. In the limit as $r \rightarrow \infty$, we heuristically show that the success probability tends to one. In analogy with our earlier works, we show how the modified quantum algorithm may be heuristically simulated classically when the logarithm $d$ and $r$ are both known. Furthermore, we heuristically show how slightly better tradeoffs may be achieved, compared to our earlier works, if $r$ is known when computing $d$. We generalize our heuristic to cover some of our earlier works, and compare it to the non-heuristic analyses in those works.

Cryptography and Security,Quantum Physics

Martin Ekerå,Johan Håstad

DOI: https://doi.org/10.1007/978-3-319-59879-6_20

2017-02-01

Abstract:In this paper we generalize the quantum algorithm for computing short discrete logarithms previously introduced by Ekerå so as to allow for various tradeoffs between the number of times that the algorithm need be executed on the one hand, and the complexity of the algorithm and the requirements it imposes on the quantum computer on the other hand. Furthermore, we describe applications of algorithms for computing short discrete logarithms. In particular, we show how other important problems such as those of factoring RSA integers and of finding the order of groups under side information may be recast as short discrete logarithm problems. This immediately gives rise to an algorithm for factoring RSA integers that is less complex than Shor's general factoring algorithm in the sense that it imposes smaller requirements on the quantum computer. In both our algorithm and Shor's algorithm, the main hurdle is to compute a modular exponentiation in superposition. When factoring an n bit integer, the exponent is of length 2n bits in Shor's algorithm, compared to slightly more than n/2 bits in our algorithm.

Cryptography and Security,Quantum Physics

Dennis Willsch,Philipp Hanussek,Georg Hoever,Madita Willsch,Fengping Jin,Hans De Raedt,Kristel Michielsen

2024-10-18

Abstract:We report on the current state of factoring integers on both digital and analog quantum computers. For digital quantum computers, we study the effect of errors for which one can formally prove that Shor's factoring algorithm fails. For analog quantum computers, we experimentally test three factorisation methods and provide evidence for a scaling performance that is absolutely and asymptotically better than random guessing but still exponential. We conclude with an overview of future perspectives on factoring large integers on quantum computers.

Quantum Physics,Computational Physics

Xia Liu,Huan Yang,Li Yang

DOI: https://doi.org/10.1186/s42400-023-00181-w

2023-01-01

Abstract:The elliptic curve discrete logarithm problem (ECDLP) is a popular choice for cryptosystems due to its high level of security. However, with the advent of the extended Shor's algorithm, there is concern that ECDLP may soon be vulnerable. While the algorithm does offer hope in solving ECDLP, it is still uncertain whether it can pose a real threat in practice. From the perspective of the quantum circuits of the algorithm, this paper analyzes the feasibility of cracking ECDLP using an ion trap quantum computer with improved quantum circuits for the extended Shor's algorithm. We give precise quantum circuits for extended Shor's algorithm to calculate discrete logarithms on elliptic curves over prime fields, including modular subtraction, three different modular multiplication, and modular inverse. Additionally, we incorporate and improve upon windowed arithmetic in the circuits to reduce the CNOT-counts. Whereas previous studies mostly focused on minimizing the number of qubits or the depth of the circuit, we focus on minimizing the number of CNOT gates in the circuit, which greatly affects the running time of the algorithm on an ion trap quantum computer. Specifically, we begin by presenting implementations of basic arithmetic operations with the lowest known CNOT-counts, along with improved constructions for modular inverse, point addition, and windowed arithmetic. Next, we precisely estimate that, to execute the extended Shor's algorithm with the improved circuits to factor an n-bit integer, the CNOT-count required is 1237n(3)/ log n + 2n(2) + n. Finally, we analyze the running time and feasibility of the extended Shor's algorithm on an ion trap quantum computer.

John A. Smolin,Graeme Smith,Alex Vargo

DOI: https://doi.org/10.1038/nature12290

2013-01-30

Abstract:Shor's algorithm for factoring in polynomial time on a quantum computer\cite{Shor} gives an enormous advantage over all known classical factoring algorithm. We demonstrate how to factor products of large prime numbers using a compiled version of Shor's quantum factoring algorithm. Our technique can factor all products of $p,q$ such that $p,q$ are unequal primes greater than two, runs in constant time, and requires only two coherent qubits. This illustrates that the correct measure of difficulty when implementing Shor's algorithm is not the size of number factored, but the length of the period found.

Quantum Physics

John Proos,Christof Zalka

DOI: https://doi.org/10.48550/arXiv.quant-ph/0301141

2004-01-23

Abstract:We show in some detail how to implement Shor's efficient quantum algorithm for discrete logarithms for the particular case of elliptic curve groups. It turns out that for this problem a smaller quantum computer can solve problems further beyond current computing than for integer factorisation. A 160 bit elliptic curve cryptographic key could be broken on a quantum computer using around 1000 qubits while factoring the security-wise equivalent 1024 bit RSA modulus would require about 2000 qubits. In this paper we only consider elliptic curves over GF($p$) and not yet the equally important ones over GF($2^n$) or other finite fields. The main technical difficulty is to implement Euclid's gcd algorithm to compute multiplicative inverses modulo $p$. As the runtime of Euclid's algorithm depends on the input, one difficulty encountered is the ``quantum halting problem''.

Quantum Physics

Zhengjun Cao,Zhenfu Cao,Lihua Liu

DOI: https://doi.org/10.48550/arXiv.1408.6252

2014-10-08

Abstract:An efficient quantum modular exponentiation method is indispensible for Shor's factoring algorithm. But we find that all descriptions presented by Shor, Nielsen and Chuang, Markov and Saeedi, et al., are flawed. We also remark that some experimental demonstrations of Shor's algorithm are misleading, because they violate the necessary condition that the selected number $q=2^s$, where $s$ is the number of qubits used in the first register, must satisfy $n^2 \leq q < 2n^2$, where $n$ is the large number to be factored.

Data Structures and Algorithms

Martina Rossi,Luca Asproni,Davide Caputo,Stefano Rossi,Alice Cusinato,Remo Marini,Andrea Agosti,Marco Magagnini

DOI: https://doi.org/10.1007/s42484-022-00072-2

2022-07-02

Quantum Machine Intelligence

Abstract:Considering its relevance in the field of cryptography, integer factorization is a prominent application where Quantum computers are expected to have a substantial impact. Thanks to Shor’s algorithm, this peculiar problem can be solved in polynomial time. However, both the number of qubits and applied gates detrimentally affect the ability to run a particular quantum circuit on the near term Quantum hardware. In this work, we help addressing both these problems by introducing a reduced version of Shor’s algorithm that proposes a step forward in increasing the range of numbers that can be factorized on noisy Quantum devices. More specifically, the structure of the Shor’s circuit has been modified to reduce the number of gates in the modular arithmetic and the Quantum Fourier Transform. The implementation presented in this work is general and does not use any assumptions on the number to factor. In particular, we have found noteworthy results in most cases, often being able to factor the given number with only one iteration of the proposed algorithm. Finally, comparing the original quantum algorithm with our version on simulator, the outcomes are identical for some of the numbers considered.

Edward Gerjuoy

DOI: https://doi.org/10.1119/1.1891170

IF: 0.835

2005-06-01

American Journal of Physics

Abstract:The security of messages encoded via the widely used RSA public key encryption system rests on the enormous computational effort required to find the prime factors of a large number N using classical (conventional) computers. In 1994 Peter Shor showed that for sufficiently large N, a quantum computer could perform the factoring with much less computational effort. This paper endeavors to explain, in a fashion comprehensible to the nonexpert, the RSA encryption protocol; the various quantum computer manipulations constituting the Shor algorithm; how the Shor algorithm performs the factoring; and the precise sense in which a quantum computer employing Shor’s algorithm can be said to accomplish the factoring of very large numbers with less computational effort than a classical computer. It is made apparent that factoring N generally requires many successive runs of the algorithm. Our analysis reveals that the probability of achieving a successful factorization on a single run is about twice as large as commonly quoted in the literature.

physics, multidisciplinary,education, scientific disciplines

Zhengjun Cao,Zhenfu Cao

DOI: https://doi.org/10.48550/arxiv.1409.7352

2014-01-01

Abstract:Shor's factoring algorithm uses two quantum registers. By introducing more registers we show that the measured numbers in these registers which are of the same pre-measurement state, should be equal if the original Shor's complexity argument is sound. This contradicts the argument that the second register has r possible measured values. There is an anonymous comment which argues that the states in these registers are entangled. If so, the entanglement involving many quantum registers can not be interpreted by the mechanism of EPR pairs and the like. In view of this peculiar entanglement has not yet been mentioned and investigated, we think the claim that the Shor's algorithm runs in polynomial time needs more physical verifications. We also discuss the problem to certify quantum computers.

Gregory D. Kahanamoku-Meyer,Seyoon Ragavan,Vinod Vaikuntanathan,Katherine Van Kirk

2024-12-17

Abstract:We present a compact quantum circuit for factoring a large class of integers, including some whose classical hardness is expected to be equivalent to RSA (but not including RSA integers themselves). To our knowledge, it is the first polynomial-time circuit to achieve sublinear qubit count for a classically-hard factoring problem; the circuit also achieves sublinear depth and nearly linear gate count. We build on the quantum algorithm for squarefree decomposition discovered by Li, Peng, Du and Suter (Nature Scientific Reports 2012), which relies on computing the Jacobi symbol in quantum superposition. Our circuit completely factors any number $N$, whose prime decomposition has distinct exponents, and finds at least one non-trivial factor if not all exponents are the same. In particular, to factor an $n$-bit integer $N=P^2 Q$ (with $P$ and $Q$ prime, and $Q<2^m$ for some $m$), our circuit uses $\tilde{O}(m)$ qubits and has depth at most $\tilde{O}(m + n/m)$, with $\tilde{O}(n)$ quantum gates. When $m=\Theta(n^a)$ with $2/3 < a < 1$, the space and depth are sublinear in $n$, yet no known classical algorithms exploit the relatively small size of $Q$ to run faster than general-purpose factoring algorithms. We thus believe that factoring such numbers has potential to be the most concretely efficient classically-verifiable proof of quantumness currently known. The technical core of our contribution is a new space-efficient and parallelizable quantum algorithm to compute the Jacobi symbol of $A$ mod $B$, in the regime where $B$ is classical and much larger than $A$. In the context of the larger Jacobi algorithm for factoring $N = P^2Q$, this reduces the overall qubit count to be roughly proportional to the length of $Q$, rather than the length of $N$. Finally, we note that our circuit for computing the Jacobi symbol generalizes to related problems, such as computing the GCD.

Quantum Physics,Computational Complexity

Manisha J. Nene,Gaurav Upadhyay

DOI: https://doi.org/10.1007/978-981-10-1023-1_33

2016-01-01

Abstract:The strength of the famous RSA algorithm depends on the difficulty of factoring large integers in polynomial time. Shor’s quantum algorithm has the potential to break RSA in reasonable time. Although, development and commercial availability of high power (16-qubit and more) quantum computers is still some years away, efforts in the direction of simulating quantum algorithms on a classical system are welcome. This paper presents a systematic approach in the direction of factoring integers using the Shor’s quantum algorithm on a classical system, where the results of simulation are corroborated with theoretical results.

Don Monroe

DOI: https://doi.org/10.1145/3644101

IF: 22.7

2024-05-23

Communications of the ACM

Abstract:In the mid-1990s, Peter Shor, at AT&T Bell Labs and then one of its heirs, AT&T Labs, devised the first algorithms that one day could exploit the intrinsic parallelism of quantum computing. In particular, Shor, now at the Massachusetts Institute of Technology (MIT), showed that quantum techniques could be exponentially faster than any classical computer at finding the factors of a very large number, a task whose difficulty is key to the security of widely used public-key cryptography techniques.

computer science, theory & methods, software engineering, hardware & architecture

Willie Aboumrad,Dominic Widdows,Ananth Kaushik

2023-08-15

Abstract:The availability of working quantum computers has led to several proposals and claims of quantum advantage. In 2023, this has included claims that quantum computers can successfully factor large integers, by optimizing the search for nearby integers whose prime factors are all small. This paper demonstrates that the hope of factoring numbers of commercial significance using these methods is unfounded. Mathematically, this is because the density of smooth numbers (numbers all of whose prime factors are small) decays exponentially as n grows. Our experimental reproductions and analysis show that lattice-based factoring does not scale successfully to larger numbers, that the proposed quantum enhancements do not alter this conclusion, and that other simpler classical optimization heuristics perform much better for lattice-based factoring. However, many topics in this area have interesting applications and mathematical challenges, independently of factoring itself. We consider particular cases of the CVP, and opportunities for applying quantum techniques to other parts of the factorization pipeline, including the solution of linear equations modulo 2. Though the goal of factoring 1000-bit numbers is still out-of-reach, the combinatoric landscape is promising, and warrants further research with more circumspect objectives.

Quantum Physics,Cryptography and Security

Martin Roetteler,Michael Naehrig,Krysta M. Svore,Kristin Lauter

DOI: https://doi.org/10.48550/arXiv.1706.06752

2017-10-31

Abstract:We give precise quantum resource estimates for Shor's algorithm to compute discrete logarithms on elliptic curves over prime fields. The estimates are derived from a simulation of a Toffoli gate network for controlled elliptic curve point addition, implemented within the framework of the quantum computing software tool suite LIQ$Ui|\rangle$. We determine circuit implementations for reversible modular arithmetic, including modular addition, multiplication and inversion, as well as reversible elliptic curve point addition. We conclude that elliptic curve discrete logarithms on an elliptic curve defined over an $n$-bit prime field can be computed on a quantum computer with at most $9n + 2\lceil\log_2(n)\rceil+10$ qubits using a quantum circuit of at most $448 n^3 \log_2(n) + 4090 n^3$ Toffoli gates. We are able to classically simulate the Toffoli networks corresponding to the controlled elliptic curve point addition as the core piece of Shor's algorithm for the NIST standard curves P-192, P-224, P-256, P-384 and P-521. Our approach allows gate-level comparisons to recent resource estimates for Shor's factoring algorithm. The results also support estimates given earlier by Proos and Zalka and indicate that, for current parameters at comparable classical security levels, the number of qubits required to tackle elliptic curves is less than for attacking RSA, suggesting that indeed ECC is an easier target than RSA.

Quantum Physics,Emerging Technologies