Quantum Factoring and Shor's Algorithm

Presentation Outline

  1. Why Should We Care?
  2. Some Number Theory
  3. Shor's Algorithm

Why should we care?

RSA (Rivest-Shamir-Adleman) is a public-key cryptosystem used for much of today's secure communication, such as HTTPS, email, and VPNs.

 

But RSA relies on the intractability of factoring large numbers to remain secure.

Why should we care?

The longest RSA key that has ever been cracked (factored) was 768 bits long.

  • But it took 4 years and the world's best number theorists!

 

Today's 2048 bit RSA keys are impossible to crack using classical computers.

Why should we care?

But in 1994, Peter Shor developed an algorithm for quantum computers that can factor \(n\)-bit numbers in polynomial time.

 

Shor's algorithm undermines the basic assumption that keeps RSA secure, and it has inspired research into "post-quantum cryptography".

Why should we care?

Quantum computers are already here, and quickly getting more powerful.

 

In 2016, the 18-bit number 200,099 was factored using quantum annealing on a D-Wave 2X processor.

Some Number Theory

Prime Factorization

Defn: The prime factorization of an integer \(N\) is a set of primes \(\{P_1, P_2, ..., P_k\}\) such that \(N = P_1P_2...P_k\).

 

RSA depends on the difficulty of factoring a number \(N = PQ\) the product of two large primes \(P, Q\).

 

Repeated applications of Shor's algorithm can find general prime factorizations, but one iteration returns a single factor \(P\).

Modulo Operator

Defn: The modulo operation finds the remainder after integer division: \(r = x \bmod N\).

 

Defn: Modular exponentiation is defined as

$$f(a) = x^a \bmod N$$

 

Defn: The order of the modular exponential

\(f(a) = x^a \bmod N\) (also called the order of \(x\) modulo \(N\)) is the smallest positive integer \(r\) such that \(x^r \bmod N = 1\).

Order of Modulo Exponentiation

Defn: The period of a function \(f(x)\) is a constant \(r\) such that \(f(x + r) = f(x)\) for all values of \(x\) in the domain.

 

Note that the order \(r\) of a modular exponential is also its period, since \(x^r \bmod N = 1\):

$$f(a + r) = x^{a+r} \bmod N = x^a x^r \bmod N = x^a \bmod N = f(a)$$

Modulo Square Root

Defn: A modular square root of \(q \bmod N\) is an integer \(x\) such that \(x^2 \bmod N = q \bmod N\).

 

We can use modular square roots of \(1 \bmod N\) to factor composite numbers \(N\).

Factoring With Modulo Square Root

Let \(x \in [1, N-1]\) be a nontrivial square root of \(1 \bmod N\).

 

Since \(x^2 \bmod N = 1 \bmod N \iff (x^2 - 1) \bmod N = 0\),

\(N\) divides \(x^2 - 1 = (x + 1)(x - 1)\).

 

But since \(x\) is a nontrivial square root, meaning

\(x \bmod N \neq \pm1\), \(N\) divides neither \((x + 1)\) nor \((x - 1)\).

 

Therefore \(P = \gcd(N, x + 1)\) or \(P = \gcd(N, x - 1)\) is a nontrivial factor of \(N\).

Factoring With Even Period

We know that if we find a nontrivial square root

\(x \in [1, N-1]\) of \(1 \bmod N\) that we can factor \(N\).

 

In addition, if we have an even period \(r\), since

\(x^r \bmod N = 1\), then \((x^{r/2})^2 \bmod N = 1 \bmod N\), meaning that \(x^{r/2}\) is a square root of \(1 \bmod N\).

 

If this \(x^{r/2}\) is a nontrivial square root, this gives us

\(P = \gcd(N, x^{r/2} + 1)\) or \(\gcd(N, x^{r/2} - 1)\).

But how do we find a period \(r\) efficiently?

Shor's Algorithm

Overview

Shor's algorithm is a hybrid classical-quantum algorithm to factor numbers.

It uses a quantum subroutine to efficiently find the period \(r\) of \(x^a \bmod N\), from which a modular square root of \(1 \bmod N\) is obtained classically.

 

For an \(n\)-bit number, it runs in \(O(n^3 \log n)\) time, using \(O(n^2 \log n \log \log n)\) gates. Meanwhile the best known classical algorithm (the General Number Field Sieve) is superpolynomial.

This is a huge speedup!

Procedure

1. Given \(N\), check if it is a perfect square. If so, \(P = \sqrt N\) and we are done.

2. Otherwise, pick a random \(x \in [1, N-1]\).

3. Compute \(\gcd(N, x)\). If \(\gcd(N, x) \neq 1\) then \(P = \gcd(N, x)\) is a nontrivial factor of \(N\) and we are done.

4. Otherwise, use the quantum period-finding subroutine to find the period \(r\) of \(x^a \bmod N\) (the order of \(x \bmod N\)).

5. If \(r\) is odd, or \(x^{r/2} \bmod N = \pm 1\), go back to step 2 and pick a new random \(x\).

6. Otherwise, at least one of

\(\gcd(N, x^{r/2} + 1), \gcd(N, x^{r/2} - 1)\) is a nontrivial factor \(P\) of \(N\).
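As an added example (this is not code from the slides), the procedure above, together with the square-root argument from the Modulo Square Root and Even Period slides, in Python. The quantum period-finding subroutine is replaced by a brute-force order search, find_order, which is exponential in the size of N and only stands in for the quantum step on toy inputs. The function names, the even-N shortcut and the choice of x in [2, N-1] are assumptions of this example, not the slides'.

```python
# Added example (not from the slides): the classical wrapper of Shor's
# algorithm, with the quantum period-finding subroutine replaced by a
# brute-force order search that only works for toy-sized N.
from math import gcd, isqrt
import random


def find_order(x, N):
    """Smallest r >= 1 with x^r mod N == 1, by repeated multiplication.
    Stand-in for the quantum subroutine; requires gcd(x, N) == 1."""
    if gcd(x, N) != 1:
        raise ValueError("order is only defined when gcd(x, N) == 1")
    r, y = 1, x % N
    while y != 1:
        y = (y * x) % N
        r += 1
    return r


def factor_from_square_root(y, N):
    """y satisfies y^2 = 1 (mod N). If y is nontrivial (y != +-1 mod N),
    N divides (y-1)(y+1) but neither factor, so gcd(N, y+1) and gcd(N, y-1)
    are both proper factors; return one of them, or None for a trivial y."""
    if y % N in (1, N - 1):
        return None
    for g in (gcd(N, y + 1), gcd(N, y - 1)):
        if 1 < g < N:
            return g
    return None


def try_candidate(x, N, order_finder=find_order):
    """Steps 3-6 of the procedure for one chosen x: a factor of N, or None."""
    g = gcd(N, x)
    if g != 1:
        return g                        # step 3: x already shares a factor with N
    r = order_finder(x, N)              # step 4: period of x^a mod N
    if r % 2:
        return None                     # step 5: odd order, x^(r/2) is not an integer power
    return factor_from_square_root(pow(x, r // 2, N), N)   # step 5/6


def shor_factor(N, max_tries=50, seed=0, order_finder=find_order):
    """Return a nontrivial factor of N, or None if every try fails
    (for a prime N the only square roots of 1 are +-1, so it always fails)."""
    if N % 2 == 0:
        return 2                        # assumption of this example; the slides assume odd N
    s = isqrt(N)
    if s * s == N:
        return s                        # step 1: perfect square
    rng = random.Random(seed)
    for _ in range(max_tries):
        x = rng.randrange(2, N)         # step 2 (x = 1 has order 1 and is skipped)
        f = try_candidate(x, N, order_finder)
        if f is not None:
            return f
    return None


if __name__ == "__main__":
    for N in (15, 21, 91, 3233):
        f = shor_factor(N)
        print(f"{N} = {f} * {N // f}")
```

Passing a different order_finder lets the same wrapper be driven by any period-finding routine, which is the only place the quantum computer enters the algorithm.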

Set Up

1. We use two registers, each with \(n = \log_2 M\) qubits, where \(M > 2N^2\), initialized to the state \(|0\rangle \otimes |0\rangle\).

 

2. Put the first register in superposition using an \(n\)-qubit Hadamard gate, giving us the full system state

$$(H^{\otimes n}|0\rangle) \otimes |0\rangle = \frac1{\sqrt M}\sum_{q=0}^{M-1} |q\rangle |0\rangle$$

Now we have states \(|0\rangle ... |M-1\rangle\) in superposition in the first register. 

Parallel Modular Exponentiation

3. Apply a quantum gate that implements modular exponentiation using the first register as input, mapping onto the second register. Now we have the state

$$\frac1{\sqrt M} \sum_{q=0}^{M-1} |q\rangle |x^q \bmod N\rangle$$

 

 

Measure 2nd Register

4. Measure the second register to obtain

\(|x^{q_0} \bmod N \rangle\), one of the \(r\) distinct values of \(x^q \bmod N\).

This collapses the superposition of the first register so that all values inconsistent with the measurement disappear.

For simplicity, assume \(M = mr\), giving us state

$$\frac1{\sqrt m} \sum_{j=0}^{m-1} |jr + q_0\rangle |x^{q_0} \bmod N\rangle$$

Apply QFT

5. From now on, forget about the second register.

Now apply the QFT to the first register, giving

$$QFT|\psi_{q_0}\rangle = \frac1{\sqrt m} \sum_{j=0}^{m-1} \frac1{\sqrt M} \sum_{c=0}^{M-1} e^{2 \pi i (jr+q_0)c / M} |c\rangle$$

$$= \frac1{\sqrt M} \sum_{c=0}^{M-1} \left(\frac1{\sqrt m}\sum_{j=0}^{m-1} e^{\frac{2 \pi ijrc}M}\right) e^{2 \pi i q_0 c / M} |c\rangle$$

and when \(c\) is a multiple of \(M / r\), the phase factor of every term of the sum inside the parentheses equals \(+1\), so the \(m\) terms add up to \(\sqrt m\); for every other \(c\) the phases cancel and the sum is zero.

This occurs for the \(r\) values \(c = k \frac{M}{r}\), \(k = 0, \dots, r-1\).

Apply QFT

6. So we rewrite the state as

$$= \frac1{\sqrt M} \sum_{k=0}^{r-1} \sqrt{m}\, e^{2 \pi i q_0 k / r} \left| k \frac{M}{r} \right\rangle$$

 

Note that the Fourier transform has turned the shift value \(q_0\) into a phase factor in the transformed state, which does not affect measurement.

Measurement

7. Now we measure register one, getting a value

\(C = k \frac{M}{r}\) where \(k\) is a uniformly random number in \([0, r-1]\). Now we have \(M, C\) and hence the ratio \(C / M = k / r\). If \(\gcd(k, r) = 1\), then reducing \(C / M\) to lowest terms gives the irreducible fraction \(k / r\), so we can read off the numerator \(k\) and the denominator \(r\).

 

Thm: For large \(r\), and random \(k \in [0, r-1]\),

$$P(\gcd(k, r) = 1) > \frac1{\log r}$$

 

So if we repeat the period finding calculation

\(O(\log r) < O(\log N)\) times, we can find \(r\) with probability as close to one as desired.
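As an added example (not code from the slides), the following Python simulates the Apply QFT and Measurement steps above for a toy instance, under the slides' simplifying assumption that \(r\) divides \(M\): it builds the register-one state left after measuring register two, applies a direct discrete Fourier transform, checks that all probability sits on \(c = kM/r\), and then reduces \(C/M\) to recover \(r\). The parameters \(N = 15\), \(x = 7\) (order \(r = 4\)), \(M = 452 > 2N^2\) and \(q_0 = 3\) are chosen for this example; the function names are assumptions of the example.

```python
# Added example (not from the slides): classical simulation of the
# period-finding register for a toy instance where r divides M.
from cmath import exp, pi
from fractions import Fraction
from math import gcd, sqrt


def post_measurement_state(x, N, M, q0):
    """Register-one amplitudes after register two is measured as x^q0 mod N:
    an equal superposition of every q in [0, M-1] with x^q = x^q0 (mod N)."""
    target = pow(x, q0, N)
    support = [q for q in range(M) if pow(x, q, N) == target]
    amp = 1 / sqrt(len(support))           # 1/sqrt(m) on each of the m surviving values
    state = [0j] * M
    for q in support:
        state[q] = amp
    return state


def qft(state):
    """Direct DFT, QFT|q> = M^(-1/2) sum_c exp(2 pi i q c / M) |c>.
    O(M^2) work, which is fine for M of a few hundred."""
    M = len(state)
    out = []
    for c in range(M):
        s = sum(a * exp(2j * pi * q * c / M) for q, a in enumerate(state) if a)
        out.append(s / sqrt(M))
    return out


def measurement_distribution(x, N, M, q0, eps=1e-9):
    """Probability of measuring each value c of register one after the QFT;
    values with probability below eps are dropped."""
    probs = [abs(a) ** 2 for a in qft(post_measurement_state(x, N, M, q0))]
    return {c: p for c, p in enumerate(probs) if p > eps}


def order_from_measurement(C, M):
    """Reduce C/M = k/r to lowest terms; the denominator is r exactly
    when gcd(k, r) = 1, and a proper divisor of r otherwise."""
    return Fraction(C, M).denominator


def coprime_fraction(r):
    """Fraction of k in [0, r-1] with gcd(k, r) = 1: the chance that one
    run of the subroutine yields r itself (the theorem bounds this below)."""
    return Fraction(sum(1 for k in range(r) if gcd(k, r) == 1), r)


if __name__ == "__main__":
    N, x, M, q0 = 15, 7, 452, 3             # r = 4 divides M = 452 > 2 N^2 = 450
    dist = measurement_distribution(x, N, M, q0)
    for c, p in sorted(dist.items()):
        print(f"C={c:3d}  P={p:.3f}  denominator of C/M = {order_from_measurement(c, M)}")
    print("runs that return r exactly:", coprime_fraction(4))
```

For this instance the only outcomes are \(C \in \{0, 113, 226, 339\}\), each with probability \(1/4\); \(C = 113\) and \(C = 339\) reduce to denominator 4, while \(C = 226\) gives \(1/2\) and \(C = 0\) gives denominator 1, so only the two outcomes with \(\gcd(k, 4) = 1\) reveal \(r\) directly, matching coprime_fraction(4) = 1/2.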

Ensuring an Even, Nontrivial Square Root

So now we have found the order \(r\) of \(x \bmod N\), but how do we know that it allows us to find a nontrivial square root?

 

Lemma: Let \(N\) be an odd composite with at least two distinct prime factors, and let \(x\) be uniformly random in \([1, N-1]\). If \(\gcd(N, x) = 1\), then with probability at least \(\frac12\), the order \(r\) of \(x \bmod N\) is even and \(x^{r/2}\) is a nontrivial square root of \(1 \bmod N\).

Review of Procedure

1. Given \(N\), check if it is a perfect square. If so, \(P = \sqrt N\) and we are done.

2. Otherwise, pick a random \(x \in [1, N-1]\).

3. Compute \(\gcd(N, x)\). If \(\gcd(N, x) \neq 1\) then \(P = \gcd(N, x)\) is a nontrivial factor of \(N\) and we are done.

4. Otherwise, use the quantum period-finding subroutine to find the period \(r\) of \(x^a \bmod N\) (the order of \(x \bmod N\)).

5. If \(r\) is odd, or \(x^{r/2} \bmod N = \pm 1\), go back to step 2 and pick a new random \(x\).

6. Otherwise, at least one of

\(\gcd(N, x^{r/2} + 1), \gcd(N, x^{r/2} - 1)\) is a nontrivial factor \(P\) of \(N\).

Complexity

The classical parts (gcd computations) are polynomial and efficient.

 

The quantum portion has runtime \(O(n^3 \log n)\),

with about \(O(n^2 \log n \log \log n)\) gates.

 

The bottleneck is in the modular exponentiation.

Moving Forward

When will QC be a threat to modern crypto?

While quantum computers are here, the record of factoring an 18-bit number is still a long way off from today's 1024- and 2048-bit RSA keys.

 

When will quantum computers be able to factor numbers of these sizes?

10 years, 20? Nobody really knows.

 

It will require millions of gates, and a much longer runtime before decoherence.

Post Quantum Crypto

Most of today's public-key crypto relies upon the difficulty of either prime factorization or the discrete logarithm, both of which can be efficiently computed by Shor's algorithm.

 

Research into quantum-secure cryptography is ongoing, and has yielded some successes.

 

In short, cryptography will evolve and find new ways to keep information secure even with the advent of more powerful quantum computers.

Thank You!

Stewart Slocum
