1. A low cost quantum factoring algorithm
D. J. Bernstein, J.-F. Biasse and M. Mosca
University of Illinois
at Chicago
University of South Florida
University of
Waterloo

2. Shor’s algorithm
[Shor 94]: There is a quantum factoring algorithm to factor 𝑁.
Runs in polynomial time in log 𝑁 .
Requires O( log 𝑁) qubits ( 2log (𝑁) +𝑂(1) with [Beauregard 03, Ekerå-Håstad 17])
Question: Is there an algorithm which uses a sublinear number of qubits and still outperforms the best known classical factoring methods ?
In this work, we describe an algorithm for factoring 𝑁 that
Requires Õ (log 𝑁 ) logical qubits.
Has a complexity with a better exponent than the Number Field Sieve.

3. The Number Field Sieve (NFS) algorithm
The best known pre-quantum method to factor 𝑁 runs in heuristic asymptotic time 𝐿 𝑝+𝑜(1) where:
p ≈ 𝐿 ≔ 𝑒 (log 𝑁) 1/3 ( log log 𝑁) 2/3
This complexity is called “subexponential”. The NFS algorithm is practical for non- trivial key sizes:
Factorization of a 768-bit RSA modulus [Kleinjung et al. 10].
Factorization of 512-bit moduli for $75 with Amazon Cloud [VCLFBH16]
Starting idea: use a quantum NFS variant to achieve a heuristic run time of 𝐿 𝑜(1)
3 8/3 ≈1.387<𝑝≈1.902

4. Relation collection in the Number Field Sieve (NFS)
Search space 𝑈
𝑏∈ℤ
Search for 𝑎,𝑏 ∈𝑈 such that 𝑔(𝑎,𝑏) is a product of primes ≤𝑦 where:
𝑦∈ℕ is a subexponential bound.
𝑔∈ℤ[𝑋,𝑌] depends on 𝑁.
When enough relations are found, they are used to find 𝑋,𝑌∈ℤ such that:
𝑋 2 − 𝑌 2 ≡0 𝑚𝑜𝑑 𝑁
a ∈ℤ
With good probability, this yields a non trivial divisor of 𝑁.

5. Testing the smoothness of an integer
Problem: How do we decide if 𝑔(𝑎,𝑏) is a product of primes ≤𝑦 (i.e. 𝑦-smooth) ?
Classical method
Elliptic Curve Method (ECM)
Complexity in 𝑒 Õ( log 𝑦 )
In the NFS, this step is negligible
With a quantum computer, we can use Shor’s algorithm
It runs in polynomial time.
log (𝑔 𝑎,𝑏 ) ∈Õ log 𝑁 so it requires Õ log 𝑁 qubits

6. Grover’s search algorithm
Suppose there is a polynomial time algorithm represented by the unitary 𝑈 with
𝑈 |𝑎,𝑏 = −|𝑎,𝑏 if 𝑔(𝑎,𝑏) is 𝑦-smooth.
𝑈 |𝑎,𝑏 = |𝑎,𝑏 otherwise.
Then Grover’s algorithm can find 𝑎,𝑏 such that x=𝑔(𝑎,𝑏) is 𝑦-smooth in a range of 𝑘 elements in time 𝑂( 𝑘 )
Challenge: quantum algorithm for the smoothness test with Õ log 𝑁 qubits.
Solution: Use iterations on Shor’s algorithm running ``in superposition’’.

7. Running Shor’s algorithm in superposition
Let 𝑎∈ℤ of (unknown) order 𝑟 modulo 𝑥
𝑀 2 𝑛 ≈ 𝑗 𝑟
𝑗 𝑟
𝑎,𝑥
Quantum part
Measurement
Classical part
We get 𝑥 𝑎 𝑟 2 −1 𝑎 𝑟 2 +1
Yields a non trivial factor of 𝑥 with probability 1/Ω( log log 𝑥 )
This work: completely quantum algorithm that
returns a state that encodes a pair of divisors of 𝑥
Uses Õ log 𝑁 2/3 qubits when log 𝑥 ∈Õ log 𝑁 2/3

8. Smoothness test by iterations of Shor’s algorithm
We have a quantum algorithm that performs |𝑥 → |𝑥 1 , 𝑥 2 where 𝑥= 𝑥 1 𝑥 2
Runs 𝑡= (log 𝑁) 2/3+𝑜(1) iterations
| 𝑥 , 𝑥 2 (1)
| 𝑥 , 𝑥 , 𝑥 3 (2)
| 𝑥 1 𝑡 ,…, 𝑥 𝑙 (𝑡) |𝑥 …
𝑥= 𝑥 1 (1) 𝑥 2 (1)
𝑥 1 (1) =𝑥 1 (2) 𝑥 2 (2)
𝑥= 𝑥 1 (𝑡) … 𝑥 𝑙 (𝑡)
Leaves 𝑥 𝑗 (𝑖) ≤𝑦 untouched
Features
Keeps them in the first indices
Last test: is 𝑥 𝑙 (𝑡) ≤ 𝑦 ?
Detects prime powers

9. Open problem: challenges of fault-tolerant implementations
Standard version of the threshold theorem [Aharonov,Ben-Or 97]:
𝑚 qubits,
𝑇 gates
A logical circuit containing
can be replaced by a fault tolerant implementation using
𝑂 𝑚 Polylog 𝑚𝑇 qubits.
Problem: here 𝑇 is subexponential, therefore log 𝑇 ∈Õ (log 𝑁) 1/3 .
[Gottesman 13]: We can achieve a constant ratio #Physical qubits/#Logical qubits using quantum error correction with certain properties.
Some LDPC codes meet these restrictions, but the (classical) decoding algorithms are inefficient.

10. Conclusion: other aspects we considered
Smoothness test with quantum ECM
Same run time.
Qubit requirement in Õ log 𝑁 5/6
DLP in ℤ 𝒑
Useful for the precomputation phase
Useless for individual logarithms
Parallel variant of smoothness test
Separates any two primes with good probability.
Unclear if it reduces the run time.

11. Thank you for your attention