A low cost quantum factoring algorithm D. J. Bernstein, J.-F. Biasse and M. Mosca University of Illinois at Chicago University of South Florida University of Waterloo

Shor’s algorithm [Shor 94]: There is a quantum factoring algorithm to factor 𝑁. Runs in polynomial time in log 𝑁 . Requires O( log 𝑁) qubits ( 2log (𝑁) +𝑂(1) with [Beauregard 03, Ekerå-Håstad 17]) Question: Is there an algorithm which uses a sublinear number of qubits and still outperforms the best known classical factoring methods ? In this work, we describe an algorithm for factoring 𝑁 that Requires Õ (log 𝑁 ) 2 3 logical qubits. Has a complexity with a better exponent than the Number Field Sieve.

The Number Field Sieve (NFS) algorithm The best known pre-quantum method to factor 𝑁 runs in heuristic asymptotic time 𝐿 𝑝+𝑜(1) where: p ≈1.902 𝐿 ≔ 𝑒 (log 𝑁) 1/3 ( log log 𝑁) 2/3 This complexity is called “subexponential”. The NFS algorithm is practical for non- trivial key sizes: Factorization of a 768-bit RSA modulus [Kleinjung et al. 10]. Factorization of 512-bit moduli for $75 with Amazon Cloud [VCLFBH16] Starting idea: use a quantum NFS variant to achieve a heuristic run time of 𝐿 3 8 3 +𝑜(1) 3 8/3 ≈1.387<𝑝≈1.902

Relation collection in the Number Field Sieve (NFS) Search space 𝑈 𝑏∈ℤ Search for 𝑎,𝑏 ∈𝑈 such that 𝑔(𝑎,𝑏) is a product of primes ≤𝑦 where: 𝑦∈ℕ is a subexponential bound. 𝑔∈ℤ[𝑋,𝑌] depends on 𝑁. When enough relations are found, they are used to find 𝑋,𝑌∈ℤ such that: 𝑋 2 − 𝑌 2 ≡0 𝑚𝑜𝑑 𝑁 a ∈ℤ With good probability, this yields a non trivial divisor of 𝑁.

Testing the smoothness of an integer Problem: How do we decide if 𝑔(𝑎,𝑏) is a product of primes ≤𝑦 (i.e. 𝑦-smooth) ? Classical method Elliptic Curve Method (ECM) Complexity in 𝑒 Õ( log 𝑦 ) In the NFS, this step is negligible With a quantum computer, we can use Shor’s algorithm It runs in polynomial time. log (𝑔 𝑎,𝑏 ) ∈Õ log 𝑁 2 3 so it requires Õ log 𝑁 2 3 qubits

Grover’s search algorithm Suppose there is a polynomial time algorithm represented by the unitary 𝑈 with 𝑈 |𝑎,𝑏 = −|𝑎,𝑏 if 𝑔(𝑎,𝑏) is 𝑦-smooth. 𝑈 |𝑎,𝑏 = |𝑎,𝑏 otherwise. Then Grover’s algorithm can find 𝑎,𝑏 such that x=𝑔(𝑎,𝑏) is 𝑦-smooth in a range of 𝑘 elements in time 𝑂( 𝑘 ) Challenge: quantum algorithm for the smoothness test with Õ log 𝑁 2 3 qubits. Solution: Use iterations on Shor’s algorithm running ``in superposition’’.

Running Shor’s algorithm in superposition Let 𝑎∈ℤ of (unknown) order 𝑟 modulo 𝑥 𝑀 2 𝑛 ≈ 𝑗 𝑟 𝑗 𝑟 𝑎,𝑥 Quantum part Measurement Classical part We get 𝑥 𝑎 𝑟 2 −1 𝑎 𝑟 2 +1 Yields a non trivial factor of 𝑥 with probability 1/Ω( log log 𝑥 ) This work: completely quantum algorithm that returns a state that encodes a pair of divisors of 𝑥 Uses Õ log 𝑁 2/3 qubits when log 𝑥 ∈Õ log 𝑁 2/3

Smoothness test by iterations of Shor’s algorithm We have a quantum algorithm that performs |𝑥 → |𝑥 1 , 𝑥 2 where 𝑥= 𝑥 1 𝑥 2 Runs 𝑡= (log 𝑁) 2/3+𝑜(1) iterations | 𝑥 1 1 , 𝑥 2 (1) | 𝑥 1 2 , 𝑥 2 2 , 𝑥 3 (2) | 𝑥 1 𝑡 ,…, 𝑥 𝑙 (𝑡) |𝑥 … 𝑥= 𝑥 1 (1) 𝑥 2 (1) 𝑥 1 (1) =𝑥 1 (2) 𝑥 2 (2) 𝑥= 𝑥 1 (𝑡) … 𝑥 𝑙 (𝑡) Leaves 𝑥 𝑗 (𝑖) ≤𝑦 untouched Features Keeps them in the first indices Last test: is 𝑥 𝑙 (𝑡) ≤ 𝑦 ? Detects prime powers

Open problem: challenges of fault-tolerant implementations Standard version of the threshold theorem [Aharonov,Ben-Or 97]: 𝑚 qubits, 𝑇 gates A logical circuit containing can be replaced by a fault tolerant implementation using 𝑂 𝑚 Polylog 𝑚𝑇 qubits. Problem: here 𝑇 is subexponential, therefore log 𝑇 ∈Õ (log 𝑁) 1/3 . [Gottesman 13]: We can achieve a constant ratio #Physical qubits/#Logical qubits using quantum error correction with certain properties. Some LDPC codes meet these restrictions, but the (classical) decoding algorithms are inefficient.

Conclusion: other aspects we considered Smoothness test with quantum ECM Same run time. Qubit requirement in Õ log 𝑁 5/6 DLP in ℤ 𝒑 Useful for the precomputation phase Useless for individual logarithms Parallel variant of smoothness test Separates any two primes with good probability. Unclear if it reduces the run time.

Thank you for your attention