Modifying Shor s algorithm to compute short discrete logarithms
Size: px
Start display at page:

Download "Modifying Shor s algorithm to compute short discrete logarithms"

Transcription

1 Modifying Shor s algorithm to compute short discrete logarithms Martin Ekerå Decemer 7, 06 Astract We revisit Shor s algorithm for computing discrete logarithms in F p on a quantum computer and modify it to compute logarithms d in groups g of prime order q in the special case where d q. As a stepping stone to performing this modification, we first introduce a modified algorithm for computing logarithms on the general interval 0 < d < q for comparison. We demonstrate conservative lower ounds on the success proaility of our algorithms in oth the general and the special case. In oth cases, our algorithms initially set the index registers to a uniform superposition of all states, compared to p states in Shor s original algorithm. In the special case where d q, our algorithm uses 3 log d quits for the two index registers and computes two QFTs of size log d and log d, compared to log q quits for the index registers and two QFTs oth of size log q in the general case. A quantum circuit for computing [a d] g is furthermore required, where 0 a < log d and 0 < log d in the special case, compared to 0 a, < log q in the general case. This implies that the complexity of computing discrete logarithms on a quantum computer can e made to depend not only on the choice of group, and on its order q, ut also on the logarithm d. In the special case where d q, our algorithm does not require q to e prime. It may hence e generalized to finite aelian groups. Introduction In a groundreaking paper [0] from 994, susequently extended and revised in a later pulication [], Shor introduced polynomial time quantum computer algorithms for factoring integers over Z and for computing discrete logarithms in the multiplicative group F p of the finite field F p. Although Shor s algorithm for computing discrete logarithms was originally descried for F p, it may e generalized to any finite aelian group, provided the group operation may e implemented efficiently using quantum circuits. This generalization was first descried y Boneh and Lipton []. Shor s algorithms may furthermore e generalized y perceiving them as algorithms for solving special instances of the finite aelian hidden sugroup prolem [4]. KTH Royal Institute of Technology, SE Stockholm, Sweden and Swedish NCSA, Swedish Armed Forces, SE Stockholm, Sweden. Use ekera@kth.se to author.

2 Virtually all asymmetric cryptographic schemes that are widely deployed today rely on the computational intractaility of either the integer factoring prolem or the discrete logarithm prolem in some aelian group that meets the aove criteria. Consequently the work of Shor has the potential to greatly impact the field of asymmetric cryptography. In this paper, we revisit Shor s algorithm for solving the discrete logarithm prolem. In section. elow, we introduce the discrete logarithm prolem, discuss the choice of groups and introduce a special case of the discrete logarithm prolem that we study in this paper along with a rationale for why it merits study. In section. we proceed to descrie our contriutions and in section.3 we give an overview of the remainder of this paper.. The discrete logarithm prolem To formally introduce the discrete logarithm prolem, let G under e a group generated y g, and let x = [d] g = g g g g. }{{} d times Given x, a generator g and a description of G and the discrete logarithm prolem is to compute d = log g x. Different groups are used to instantiate cryptographic schemes that rely on the computational intractaility of the discrete logarithm prolem. Common choices include sugroups of F p and elliptic curve groups E(K) on Weierstrass form, Edwards form, twisted Edwards form or Montgomery form, where K is some field such as F p or F n. The racket notation that we have introduced aove is commonly used in the literature to denote repeated application of the group operation regardless of whether the group is written multiplicatively or additively. In F p we have [d] g = g d mod p. In the case of elliptic curve groups [d] g denotes repeated addition of the point g to itself d times... Groups of prime order q As was first descried y Pohlig and Hellman [7], the discrete logarithm prolem in a finite aelian group may e decomposed into multiple discrete logarithm prolems in sugroups of prime order or prime power order to the parent group, assuming the factorization of its order is known. The complexities of solving these prolems depend in general on the sizes of the sugroups. Once the discrete logarithm prolems in these sugroups have een solved, the results may e comined using the Chinese remainder theorem to yield a solution to the discrete logarithm prolem in the parent group. Consequently, prime order groups are used more or less exclusively when instantiating cryptographic schemes that rely on the conjectured computational intractaility of the discrete logarithm prolem. We therefore primarily consider prime order groups in this paper... Sugroups of prime order to F p To compute discrete logarithms in prime order q sugroups of F p for large prime p that are not on special form, the est classical algorithm is the general numer

3 field sieve (GNFS). The time complexity of the GNFS when adapted to compute discrete logarithms is O(exp[( 64 9 ) 3 (ln p) 3 (ln ln p) 3 ]) as shown in Schirokauer s [9] improvements of Gordon s [] original adaptation. Another option in the classical setting is to use cycle finding algorithms such as Pollard-ρ, the time complexity of which is O ( ) q, or Pollard-λ, the time complexity of which is O( d). Pollard s algorithms [8] are generic in the sense that they solve the discrete logarithm prolem in any prime order group. In instantiations of cryptographic schemes that rely on the computational intractaility of the discrete logarithm prolem, the prime p must hence e selected sufficiently large to resist attacks ased on the GNFS, whilst d and q must only e selected sufficiently large for attacks ased on the cycle finding algorithms to have higher time complexity than attacks ased on the GNFS. Hence, it is possile to select q p. Such group are often referred to as Schnorr groups. In instantiations, it is typically either the case that q p, or that q p where often p = q + is a so-called safe prime. With respect to known classical attacks, these options offer a comparale level of security. Since d < q < p it is possile to always select d q. However, in the case where q p it is advantageous to select d so that d q p as opposed to d q p, since d eing small speeds up the modular arithmetic. Again, with respect to classical attacks, these options offer a comparale level of security. For a more in-depth analysis, see the work [6] of van Oorschot and Wiener...3 On our interest in the special case d q If Shor s original algorithm is used to compute discrete logarithms in sugroups of prime order q to F p on a quantum computer, the complexity of the algorithm depends on p. This implies that the case q p is as complex as the case q p, which is not in analogy with the classical algorithms. If the algorithm is modified to instead compute discrete logarithms in groups of prime order q, as in section 4, its complexity can e made to depend on p and q so that the case q p ecomes less complex than the case q p. However, the complexity still does not depend on d. This implies that the case d q p is more complex than the case d q p, which again is not in analogy with the classical algorithms. This oservation, coupled with the oservation that using small d is advantageous in practical implementations for performance reasons, served as one of our motivations for modifying Shor s algorithm to compute discrete logarithms in the special case where d q. Another motivation was our interest in understanding how the complexity of computing discrete logarithms in elliptic curve groups relates to the complexity of computing discrete logarithms in sugroups of F p...4 Discrete logarithms on short intervals In cases where d is not short in the sense that d q, ut is known to e constrained to some short interval d d < d, it must e the case that x = [d] g = [d ] g [d d ] g x = x [ d ]g = [d d ] g = [d ] g. To compute d in such cases, it is hence possile to first compute x, to then compute the discrete logarithm d, that is on the interval 0 d < (d d ) and hence short, from x and g, and to finally compute d = d + d. 3

4 This implies that any algorithm for efficiently computing d when d q may e used to also efficiently compute d when d is on a short interval.. Our contriutions In this paper, we revisit Shor s algorithm for computing discrete logarithms in F p on a quantum computer and modify it to compute logarithms d in groups of prime order q in the special case where d q. As a stepping stone to performing this modification, we first introduce a modified algorithm for computing logarithms on the general interval 0 < d < q for comparison. We provide a complete analysis of our algorithms, oth in the special case where d q and in the general case. In particular, we demonstrate conservative lower ounds on their success proailities using simple proof techniques. Shor s original algorithm for computing discrete logarithms uses two index registers that are initialized to a superposition of p states. This translates into a superposition of q states in the case where the group order is a prime q. Our algorithms instead initialize these registers to a uniform superposition of all states. This may e advantageous from an implementation perspective since a uniform superposition of all states may e efficiently induced, for example y applying the Hadamard transform to the zero state. In the special case where d q, our algorithm uses 3 log d quits for the two index registers and requires the computation of two QFTs of size log d and log d respectively, compared to log q quits for the index registers and two QFTs oth of size log q in the general case. A quantum circuit capale of computing [e] g = [a] g [ ] x is furthermore required, where x = [d] g, and where 0 a < log d and 0 < log d in the special case, compared to 0 a, < log q in the general case. These results imply that the complexity of computing discrete logarithms in prime order groups on a quantum computer can e made to depend not only on the choice of group, and on its order q, ut also on the logarithm d. In the special case where d q, our algorithm does not require q to e prime. Hence the algorithm generalizes to finite aelian groups..3 Overview of this paper In section elow we introduce some notation that is used throughout this paper and in section 3 we provide a rief introduction to quantum computing. In section 4 we proceed to descrie our algorithm for computing discrete logarithms in groups of prime order q in the general case where 0 < d < q, and in section 5 we descrie our modified algorithm for the special case d q. We conclude the paper and summarize the results in section 6. Notation In this section, we introduce some notation for norms, rounding operations and modular reduction operations that are used throughout this paper. u denotes u rounded to the closest integer. u denotes u rounded to the closest integer less than or equal to u. 4

5 u denotes u rounded to the closest integer greater than or equal to u. u mod n denotes u reduced modulo n and constrained to the interval 0 u mod n < n. {u} n denotes u reduced modulo n and constrained to the interval n/ {u} n < n/. u mod = u u denotes the fractional part of u. a + i = a + where a, R denotes the Euclidean norm of a + i which is equivalent to the asolute value of a when is zero. If u = (u 0,..., u n ) R n is a vector then u = u u n denotes the Euclidean norm of u. 3 Quantum computing In this section, we provide a rief introduction to quantum computing and introduce some notation and terminology that is used throughout this paper. The contents of this section is to some extent a layman s description of quantum computing, in that it may leave out or overly simplify important details. There is much more to e said on the topic of quantum computing. However, such elaorations are eyond the scope of this paper. For more information, the reader is instead referred to [3]. The extended paper [] y Shor also contains a very good introduction and many references to the literature. 3. Quantum systems In a classical electronic computer, a register that consists of n its may assume any one of n distinct states j for 0 j < l. The current state of the register may e oserved at any time y reading the register. In a quantum computer, information is represented using quits; not its. A register of n quits may e in a superposition of n distinct states. Each state is denoted j for 0 j < n and a superposition of states, often referred to as a quantum system, is written as a sum Ψ = n j = 0 c j j where c j C and n j = 0 c j = that we shall refer to as the system function. Each complex amplitude c j may e written on the form c j = a j e iθj, where a j R is a non-negative real amplitude and 0 θ j < π is a phase, so the system function may equivalently e written on the form Ψ = n j = 0 a j e iθj j where n j = 0 a j =. 5

6 3. Measurements Similar to reading a register in a classical computer, the quits in a register may e oserved y measuring the quantum system. The result of such a measurement is to collapse the quantum system, and hence the system function, to a distinct state. The proaility of the system function Ψ collapsing to j is c j = a j. 3.3 Quantum circuits It is possile to operate on the quits that make up a quantum system using quantum circuits. Such circuits are not entirely dissimilar from the electrical circuits used to perform operations on it registers in classical computers Quantum operators For a quantum circuit to e physically permissile it must e reversile and it must preserve the normalization of the system function. If the system function Ψ that descries the state of the quantum system is perceived as a column vector of n complex amplitudes c j then the set of all permissile quantum circuits is descried y the set of all unitary n n matrices with elements in C. Executing the circuit descried y U with respect to a quantum system that is descried y the system function Ψ transforms the quantum system into a new quantum system that is descried y the system function U Ψ. Therefore the unitary matrix U is said to e a quantum operator Constructing quantum circuits Any two quantum operators may e aritrarily composed under multiplication since the product of any two unitary matrices is itself a unitary matrix. It may furthermore e shown that large quantum operators may e uilt from smaller operators y taking matrix tensor products. A quantum circuit for a large register may hence e constructed y taking products of and tensoring small quantum operators that act as uilding locks. A set of quantum operators is said to e universal if any circuit, up to some degree of precision, may e constructed using only operators from the set. The quantum algorithms in this paper are expressed in purely mathematical terms. To e executed on a physical quantum computer, these algorithms must first e compiled into circuits that can e realized physically y the computer. 3.4 Quantum-mechanical entanglement Two quantum systems are said to e separale if and only if the system function may e written as a tensor product Ψ = Ψ Ψ where Ψ involves only states from a first register and Ψ involves only states from a second register. Otherwise, the two systems are said to e entangled. Entangled systems are written on the form Ψ = Ψ, Ψ. Separale systems may e written on the form Ψ = Ψ Ψ = Ψ Ψ. If Ψ and Ψ are two entangled systems, the proaility distriutions that the systems represent are dependent, so that if Ψ is oserved and it 6

7 collapses to some distinct state j then Ψ collapses accordingly to a system that represents the original proaility distriution conditioned on Ψ = j. The aility of quantum systems to e in superpositions of many different quantum states simultaneously, of quantum circuits to operate on all states in a quantum system simultaneously, and of quantum systems to e entangled, seemingly enales quantum computers to perform certain computations much faster than is theoretically possile with classical computers. 3.5 Proaility amplification Given a quantum system in some known initial state, the purpose of a quantum circuit is to amplify the amplitudes of a set of desired states, and to suppress the amplitudes of all other states, so that when the system is oserved, the proaility is large that it will collapse to a desired state. This concept is commonly referred to as proaility amplification The quantum Fourier transform In Shor s algorithms, that are the focus of this paper, the discrete quantum Fourier transform (QFT) is used to to achieve proaility amplification. The QFT maps each state in an n quit register to j QFT n e πi jk/n k n k = 0 so the QFT maps the system function Ψ = n j = 0 c j j QFT n n n j = 0 k = 0 c j e πi jk/n k. It is easy to see that the QFT is a unitary operator and hence permissile. It is furthermore efficient from an implementation perspective, see Shor s original paper [] for more information Constructive interference If the aove system is oserved, the proaility of it collapsing to k is n n j = 0 πi jk/n c j e. Perceive the terms in the sum as vectors in C. If the vectors are of approximately the same norm and point in approximately the same direction, then the norm of their sum is likely to e great giving rise to a large proaility. For k such that this is indeed the case, constructive interference is said to arise. The claim elow summarizes the notion of constructive interference that we use in this paper. Note that in our case, all vectors in the sum are unit vectors. 7

8 Claim. Let θ j for 0 j < N e phase angles such that θ j π 4. Then N e iθj N. j = 0 Proof. N j = 0 e iθj = N j = 0 (cos θ j + i sin θ j ) N j = 0 cos θ j N since for j on the interval 0 j < N we have θ j π 4 cos θ j which implies and so the claim follows. 4 Computing d in the general case In this section we explain in detail how Shor s original algorithm for computing discrete logarithms in F p may e adapted to computing discrete logarithms in a group G of known prime order q provided that the group operation, and in particular the exponentiations, may e implemented efficiently using quantum circuits. Shor descries [] how this may e accomplished for F p. Upon input of a generator g of G and an element x = [d] g where 0 < d < q the algorithm computes the discrete logarithm d. The algorithm consists of two parts; a quantum algorithm and a classical algorithm. The quantum algorithm is descried in section 4.. It accepts as input a generator g and an element x = [d] g and produces as output a pair (j, k) and an element [e] g that is ignored. In section 4.. we identify a suset of pairs that we call good pairs and analyze the proaility of a good pair eing returned. The classical algorithm is descried in section 4.. It accepts as input the pair (j, k) output y the quantum algorithm and yields the discrete logarithm d if the pair (j, k) is good and if it fulfills certain additional criteria that are elaorated on in section The quantum algorithm for computing (j, k) In this section we provide a detailed description of the quantum algorithm that upon input of g and x = [d] g outputs a pair (j, k).. Let l e the largest positive integer such that l < q and let Ψ = l l l a = 0 = 0 a 0 where the first two registers are of length l quits. 8

9 . Compute [a] g [ ] x and store the result in the third register Ψ = l = l l l a = 0 = 0 l l a = 0 = 0 a,, [a] g [ ] x a,, [a d] g. 3. Compute two QFTs of size l of the first two registers to otain Ψ = l l l l a = 0 = 0 l l a,, [a d] g l l a = 0 = 0 j = 0 k = 0 QFT e πi (aj+k)/l j, k, [a d] g. 4. Oserve the system in a measurement to otain (j, k) and [e] g. Note that the size of the two first registers and the size of the QFT is determined y the order q of the group. The actual choice of group only affects the memory and time complexity of computing and storing [a] g [ ] x. Note furthermore that we assume in step that the third register is of sufficient length in quits to hold the result of the computation, that is the representation of elements of G. We also assume that the group operation, and in particular the exponentiation operations, may e implemented efficiently using quantum circuits and that we have sufficient ancillary quits as required to perform the computation. The aove algorithm is different from Shor s original algorithm in that it is descried in general terms for a group G of prime order q, in that l = log q and in that the algorithm initializes the system to the uniform distriution over all l states as opposed to a uniform distriution over q states. 4.. Analysis of the proaility distriution Let e = a d mod q. When the system aove is oserved, the state j, k, [e] g is otained with proaility 4l [ ] πi exp (aj + k) l a where the sum is over all pairs (a, ) that produce this specific e.. Since e = a d mod q we have a = e + d mod q so e + d aj + k = ((e + d) mod q)j + k = ej + dj jq + k q since u mod q = u u/q q. Therefore the proaility may e written 4l [ ( πi e + d exp l ej + (dj + k) jq)]. q 9

10 . Extracting the term containing e yields [ 4l πi exp ] l ej } {{ } = 3. Centering around zero yields [ ( πi exp l (dj + k) 4l [ ( πi ( exp + l l l ) (dj + k) 4l e πi(dj+k) }{{} = 4. This proaility may e written e + d e + d [ ( πi ( exp l ) l (dj + k) 4l [ ( πi ( exp l ) l (dj + k) q e + d q q jq)]. jq)] = e + d q {jq} l)] jq)]. since adding or sutracting multiples of l has no effect; it is equivalent to shifting the phase angle y a multiple of π. We will defer further analysis of the distriution to the proof of lemma in section 4..4 and instead proceed to introduce the notion of a good pair. 4.. The notion of a good pair (j, k) In this section, we introduce the notion of a good pair. In the following sections, we will proceed to lower-ound the numer of good pairs, to lower-ound the proaility of otaining a good pair from a single execution of the algorithm, and to demonstrate that d may e computed from a good pair. It may not yet e apparent why we choose the elow definition of a good pair ut we will see shortly, when we reach the proof of lemma in section 4..4, that there is a good rationale for selecting this particular definition. Definition. A pair (j, k) where j is an integer on the interval 0 j < l is said to e good if j is such that {jq} l l 4 and {jq} d l q f j 3 for some f j Z and k f j dj (mod l ). Note that k is a function of j. Hence j is distinct for each good pair Lower-ounding the numer of good pairs (j, k) Lemma. There are at least l 8 + good pairs (j, k). 0

11 Proof. From definition it follows that a pair (j, k) where j is an integer on the interval 0 j < l and k = f j dj mod l is good if {jq} l l 4 and α{jq} l α{jq} l 3 where α = d q R. To lower-ound the numer of j that meet this definition, consider the points p j = (x j, y j ) = ({jq} l, α{jq} l mod ) plotted in a two-dimensional space for 0 j < l where l / x j < l / and 0 y j < and partition the space into rectangles of side length l 4 in the x-direction and 3 in the y-direction. If p j and p j are any two points {j q} l {j q} l {(j j )q} l (mod l ). () Furthermore, if p j and p j fall within the same rectangle {j q} l {j q} l l 4. () As two numers that are equal modulo l and oth less than l are in fact equal, equations () and () imply {j q} l {j q} l = {(j j )q} l l 4. (3) Analogously, if p j and p j are any two points ( α{j q} l mod ) ( α{j q} l mod ) α ({j q} l {j q} l) (mod ). (4) Furthermore, if p j and p j fall within the same rectangle ( α{j q} l mod ) ( α{j q} l mod ) 3. (5) In conjunction (4) and (5) imply which y (3) reduces to ( α{j q} l mod ) ( α{j q} l mod ) = α({j q} l {j q} l) mod 3 α{(j j )q} l mod 3. Hence, if p j and p j are in the same rectangle, with j j, and we let j = j j and k = (f j dj ) mod l where f j = α{j q} l then (j, k ) is a good pair since 0 j < l and {j q} l l 4 and α{j q} l α{j q} l 3. Our goal is now to count the numer of points that fulfill these conditions.

12 Let R i denote the numer of points that fall into rectangle i. There are then R i (R i + ) > R i pairwise cominations (p j, p j ) of the R i points in rectangle i such that j j. To lower-ound the numer of good pairs (j, k), we therefore lower-ound 7 i = 0 which is easy using the Cauchy-Schwarz inequality since 7 l = i = 0 R i 7 i = 0 R i 7 i = 0 R i as there are ( l / l 4 ) (/ 3 ) = 7 rectangles. 7 i = 0 R i l 8 We have demonstrated that for two points p j and p j that fall within the same rectangle and that are such that j j the pair (j, k ) is a good. Furthermore, we have shown that there are more than l 8 such pairs as the equality in (6) is strict. However, these pairs appear with multiplicity. More specifically, if j and j j give rise to the good pair (j, k ) then so do j + u and j + u for any integer u such that 0 j + u j + u < l so each good pair is counted with multiplicity at most l. From this oservation it follows that there are more than l 8 / l = l 8 distinct good pairs, and so the lemma follows Lower-ounding the proaility of a good pair (j, k) To lower-ound the proaility of a good pair we first need to lower-ound the numer of pairs (a, ) that yield a certain e. Definition. Let T e denote the numer of pairs (a, ) such that e a d (mod q) where a, are integers on the interval 0 a, < l. Claim. q e = 0 T e = l. Proof. Since a, may independently assume l values, there are l distinct pairs (a, ), from which the aove claim follows. Claim 3. q e = 0 T e 4l q. (6)

13 Proof. The claim follows from the Cauchy Schwarz inequality and claim since 4l = ( q e = 0 T e ) ( q e = 0 ) ( q e = 0 T e ) q e = 0 T e 4l q. We are now ready to demonstrate a lower-ound the proaility of otaining a good pair using the aove definition and claims. Lemma. The proaility of otaining a specific good pair (j, k) from a single execution of the algorithm in section 4. is at least q. Proof. The proaility of oserving the pair (j, k) and [e] g is 4l [ ( πi ( exp l ) l (dj + k) e + d q {jq} l)]. For a good pair k = f j dj mod l so the proaility then reduces to 4l [ ( πi ( exp l ) l f j e + d q {jq} l)]. If an additional constant term is inserted to shift the gloal phase 4l e πi {jq} l d q [ ( πi exp }{{} l ( l )f j = 4l [ πi exp l ( ( l )f j e + d q e + d {jq} l + l {jq} l then y the triangle inequality e + d {jq} ( l )f l j l d {jq} q l q ( e + d {jq} d ) ( + l q q ( l ) {jq} l Since e = a d mod q we have that 0 e < q which implies d e + d q d e + d q q + d q q q {jq} l)] = d q )] ) d q f j.. Furthermore, for a good pair {jq} l l 4 and ( ) {jq} d l q f j 3 ( d l ) {jq} l q f j l 4 3

14 where we have used that 0 < l. Comining the aove results yields e + d {jq} ( l )f l j l d {jq} q l q {jq} + l l 4 l 3 It therefore follows from claim in section 3.5. that the sum 4l [ ( πi e + d exp l f j {jq} q l)] = 4l e iθ T e 4 l since θ π/8 = π/4 for all T e values of. Summing over all e, we otain q e = 0 Te 4l 4l q y claim 3 and so the lemma follows. 4l = q We note that the proof of lemma, although developed independently, ears some resemlance to a proof in the generalization y Boneh and Lipton []. 4. Computing d from a good pair (j, k) In this section, we specify a classical algorithm that upon input of a good pair (j, k), that results from the execution of the quantum algorithm in section 4. with g and x = [d] g as input, computes and outputs d assuming j 0.. Compute and return kq d l t (mod q) where t = {jq} jq l l Z. Note that this is exactly the same algorithm as was originally proposed y Shor. 4.. Proof of correctness In this section we provide a proof of correctness for the aove algorithm. Lemma 3. For any good pair (j, k) such that j 0 it holds that kq d l t (mod q) where t = {jq} jq l l Z. Proof. For a good pair we have y definition that {jq} d l q f j d 3 {jq} l q f j = δ where δ 3 is an error term, and furthermore which yields k f j dj (mod l ) d {jq} l q k dj + nl = δ. 4

15 Multiplying y q yields {jq} ld kq djq + nq l = δq. Re-arranging terms and dividing y l yields d {jq} l jq l } {{ } t Z kq δq + nq = l l. Rounding oth sides to the nearest integer yields dt + kq l + nq = dt kq l + nq = and hence dt + kq l 0 (mod q) from which the result in the lemma follows kq d l t (mod q) δq l = 0 provided that t 0 (mod q). Since j > 0 we have jq > l and {jq} l l / which implies 0 < t. Furthermore t = {jq} l jq l + jq l + (l )q l + q q }{{} l < q. > Hence 0 < t < q which implies t 0 (mod q) and so the lemma follows. 4.3 Main result Theorem summarizes the main result in this section. Theorem. Assume that the algorithm in section 4. is executed once on a quantum computer with g and x = [d] g as input, and that it yields some pair (j, k) as output. If this pair (j, k) is then fed as input to the classical algorithm in section 4., it will output d with proaility at least 0. Proof. By lemma the proaility of otaining a specific good pair (j, k) as a result of a single execution of the quantum algorithm in section 4. is at least /(q). By lemma there are at least l 8 + good pairs (j, k). By definition the value of j is distinct for each good pair. It therefore follows from lemmas and and from definition that the proaility of otaining some good pair (j, k) such that j 0 must e at least l 8 q 0 where we have used that l /q /. By lemma 3 the classical algorithm in section 4. returns d for all good pairs (j, k) such that j 0 and so the theorem follows. 5

16 It should e stressed that we have have not sought the est lower ound on the success proaility in this paper. Rather we have sought a lower ound that is easy to prove and that is sufficiently good to show that the algorithm is practical. We expect the actual success proaility to e much greater than what is indicated y the ound. 5 Computing d in the special case where d q In this section, we descrie how the algorithm in section 4 may modified to e more efficient in the special case where d q. More specifically, we consider the special case where q l + ( l )d and where d is on the interval 0 < d < l for some integer l. Note that l is now different from l in section 4. As in section 4, the algorithm may e said to consist of a quantum part and a classical part. The quantum algorithm is descried in section 5.. It accepts as input a generator g and an element x = [d] g and produces as output a pair (j, k) and an element [e] g that is ignored. The algorithm in section 5. is similar to the algorithm in section 4.. The two index registers are however now of length l and l quits, compared to oth eing of length log q quits in section 4.. Consequently, when [a] g [ ] x is now computed 0 a < l and 0 < l compared to 0 a, < log q in section 4.. Furthermore, the two QFTs are now of size l and l, compared to oth eing of size log q in section 4.. The classical algorithm is descried in section 5.. It accepts as input the pair (j, k) output y the quantum algorithm and yields the discrete logarithm d if the pair (j, k) is good and if it fulfills certain additional criteria that are elaorated on in section 5.. The algorithm in section 5. is quite different from the algorithm in section 4. in that is uses lattice-ased techniques to recover d from (j, k). 5. The quantum algorithm for computing (j, k) In this section we provide a detailed description of the quantum algorithm that upon input of g and x = [d] g outputs a pair (j, k).. Let Ψ = 3l l l a = 0 = 0 a 0 where the first and second registers are of length l and l quits. 6

17 . Compute [a] g [ ] x and store the result in the third register Ψ = 3l = 3l l l a = 0 = 0 l l a = 0 = 0 a,, [a] g [ ] x a,, [a d] g. 3. Compute a QFT of size l of the first register and a QFT of size l of the second register to otain Ψ = 3l 6l l l a = 0 = 0 l l a,, [a d] g l l a = 0 = 0 j = 0 k = 0 QFT e πi (aj+l k)/ l j, k, [a d] g. 4. Oserve the system in a measurement to otain (j, k) and [e] g. Note that the size of the two first registers and the size of the QFT is now determined y d and not y q as was the case in section Analysis of the proaility distriution When the system aove is oserved, the state j, k, [e] g, where e = a d, is otained with proaility 6l a [ πi exp l (aj + l k) where the sum is over all pairs (a, ) that produce this specific e. Note that the assumption that q l + ( l )d implies that no reduction modulo q occurs when e is computed. In what follows, we re-write the aove expression for the proaility on a form that is easier to use in practice.. Since e = a d we have a = e + d so the proaility may e written 6l ] [ πi exp l ((e + d)j + l k) where the sum is over all in the set { 0 < l 0 a = e + d < l }.. Extracting the term containing e yields ] [ ] 6l πi exp [ πi ej l exp }{{} l ( dj + l k ) ] =. 7

18 3. Centering around zero yields 6l [ πi ( exp + l l l ) ] (dj + l k) = [ ] 6l πi exp l (dj + [ πi ( l k) exp l ) ] }{{} l (dj + l k). = 4. This proaility may e written 6l [ πi ( exp l ) l {dj + l k} l ] since adding or sutracting multiples of l has no effect; it is equivalent to shifting the phase angle y a multiple of π. 5.. The notion of a good pair (j, k) By claim this sum should e large when {dj + l k} l l since this condition implies that the angle is less than or equal to π/4. This oservation serves as our motivation for introducing the elow notion of a good pair, and for proceeding in the following sections to lower-ound the numer of good pairs and the proaility of otaining a specific good pair. Definition 3. A pair (j, k), where j is an integer such that 0 j < l and k = (dj mod l )/ l mod l is said to e good if {dj + l k} l l. Note that k is a function of j. Hence j is distinct for each good pair Lower-ounding the numer of good pairs (j, k) Lemma 4. There are at least l good pairs. Proof. First note that for a good pair {dj + l k} l = {dj} l l since k = (dj mod l )/ l mod l. Let κ e the greatest power of two that divides d. Since d < l it must e that κ l. As j runs through all integers 0 j < l, the function dj mod l assumes the value of each multiple of κ exactly l+κ times. Assume that κ = l. Then the only possile values are 0 and l. Only zero gives rise to a good pair, so with multiplicity there are l+κ = l integers j such that (j, k) is a good pair. Assume that κ < l. Then only the l κ + values congruent to values on [ l, l ] are such that {dj} l l, so with multiplicity l+κ there are l+κ ( l κ + ) l integers j such that (j, k) is a good pair. 8

19 5..4 Lower-ounding the proaility of a good pair (j, k) To lower-ound the proaility of a good pair we first need to lower-ound the numer of pairs (a, ) that yield a certain e. Definition 4. Let T e denote the numer of pairs (a, ) such that e = a d where a, are integers on the intervals 0 a < l and 0 < l. Claim 4. e = a d < l Proof. The claim follows from 0 a < l, 0 < l and 0 < d < l. Claim 5. l e = l T e = 3l. Proof. Since a, may independently assume l and l values respectively, there are 3l distinct pairs (a, ). From this fact and claim 4 the claim follows. Claim 6. l e = l T e 4l. Proof. The claim follows from the Cauchy Schwarz inequality and claim 5 since 6l = l e = l T e l e = l l e = l T e l e = l T e 4l. We are now ready to demonstrate a lower-ound on the proaility of otaining a good pair using the aove definition and claims. Lemma 5. The proaility of otaining a specific good pair (j, k) from a single execution of the algorithm in section 5. is at least l. Proof. For a good pair π l ( l ) {dj + l k} l π l+ l π 4 for any integer on the interval 0 < l. It therefore follows from claim in section 3.5. that the proaility 6l [ ] πi exp l ( l ) {dj + l k} l T e 6l 9

20 for a specific e. Summing this over all e and using claim 6 yields l Te l 6l e = l from which the lemma follows. 5. Computing d from a good pair (j, k) In this section, we specify a classical algorithm that upon input of a good pair (j, k), that results from a single execution of the algorithm in section 5. with g and x = [d] g as input, computes and outputs d. The algorithm uses lattice-ased techniques. To introduce the algorithm, we first need to define the lattice L(j). Definition 5. Let L(j) e the integer lattice generated y the row span of [ ] 4j 4 l. 0 The algorithm proceeds as follows to recover d from (j, k) using L(j).. Let v = (4 { l k} l, 0) Z. For all vectors u L(j) such that u v < l test if the second component of u is d. If so return d. This test may e performed y checking if x = [d] g.. If d is not found in step, or when more than 3 vectors have een explored, the algorithm fails. 5.. Rationale and analysis For any m Z the vector u = (4 ({dj} l + m l ), d) L(j). The aove algorithm performs an exhaustive search of all vectors in L(j) at distance at most l from v to find u for some m. It then recovers d as the second component of u. The search will succeed in finding u if u v = 4 ({dj} l + m l { l k} l) + d = 4 ({dj + l k} l) + d < l since d < l and {dj + l k} l l y the definition of a good pair, and since m may e freely selected to otain equality. Whether the search is computationally feasile depends on the numer of vectors in L(j) that lie within distance l of v. Lemma 6 elow relates this numer to the norm of the shortest non-zero vector in the lattice. To introduce the lemma, we first need some additional details. Definition 6. Let s e the shortest non-zero vector in L(j), and let s e the shortest non-zero vector in L(j) that is linearly independent to s. 0

21 The vectors s and s form a reduced asis for L(j). Such a asis may e computed using standard lattice asis reduction algorithms such as Lenstra- Lenstra-Lováz (LLL) [5]. Definition 7. Let s // e the component of s parallel to s and let s e the component of s orthogonal to s. Claim 7. The angle α etween s and s is such that π 3 α π 3. Proof. From definition 6, it follows that s // s / and s s, so s // = s cos α s / s / cos α from which the claim follows, y solving for α on the interval 0 α π. Lemma 6. For v R the numer of lattice vectors u L(j) within distance l of v is lower-ounded y max (, ) l +. s Proof. Any vector in L(j) may e written on the form i s +i s where i, i Z. For fixed i Z and variale i Z the vectors i s + i s L(j) are on a line l in R. The numer of vectors on l in any circle with radius l is at most l s +. The orthogonal distance etween two consecutive lines on the aove form is s. The vector v R may e written on the form v = a s + a s for some a, a R. For l to at all intersect the circle of radius l around v it must therefore e that i a s l and this is the case for at most l s +. different i. Hence, there are at most ( ) ( l ) l S = + s s + (7) vectors in L(j) within distance l of v. From claim 7 it follows that the angle α etween s and s is such that π 3 α π 3 s = s sin α 3 s which inserted into equation (7) yields ( ) ( l S + s 3 ) 4 l +. (8) s

22 Furthermore, the area of the fundamental parallelogram in L(j) is s s = det L(j) = 4 l s = 4 l / s which inserted into equation (7) yields ( ) ( l ) s S = + +. (9) s l Assume that s > l. Then, equation (8) implies S. Conversely, assume that s l. Then, equation (9) implies l S = + s and so the lemma follows y taking the maximum. To perform the search in practice, all vectors on the form i s + i s where i, i Z that lie within distance of l of v are exhaustively searched. The starting point is easily found y writing v = a s + a s where a, a R and rounding a, a to the nearest integers. Basis reduction algorithms such as LLL are practical for lattices of dimension two so it is practical to compute s and s. Therefore the aove algorithm is practical if s is large in relation to l so that the search space is small. To demonstrate that the algorithm is practical we lower-ound s y first introducing the notion of good integers j. Definition 8. An integer j on the interval 0 j < l is said to e ad if there exists an integer ξ on the interval 0 < ξ < l 3 such that {ξj} l < l 5. Otherwise, j is said to e good. Lemma 7. If j is good then the shortest non-zero vector s L(j) has norm s l 3. Proof. The shortest non-zero vector s L(j) may e written on the form s = [ ξ λ ] [ ] 4j 4 l = [ 4 (ξj + λ 0 l ) ξ ] = [ 4 {ξj} l ξ ] where λ must e used to reduce ξj modulo l constrained to the interval l / {ξj} l < l / so that 4 {ξj} l is minimized. Hence s = (4 {ξj} l) + ξ which implies that s 4 {ξj} l and that s ξ. Since {u} l = { u} l for all u Z we only consider positive ξ. If j is good then {ξj} l l 5 for all 0 < ξ < l 3 y definition 8 and so the lemma follows. This implies that if j is good then the exhaustive search needs explore only a small numer of vectors to recover u and hence d.

23 5.. Proof of correctness Lemma 8 summarizes the aove analysis and provides a proof of correctness. Lemma 8. Assume that the algorithm in section 5. is executed once on a quantum computer with g and x = [d] g as input, and that it yields some good pair (j, k) as output that is such that the integer j is good. If this pair (j, k) is fed as input to the classical algorithm in section 5. it will output d. Proof. It follows from the analysis in section 5.. that if the algorithm exhausts all vectors within distance l of v it will recover u and hence d. The search is practical if there are not too many vectors within distance l of v. By lemma 6 there are at most max (, l s + ) ( max, 3 ) + = 3 vectors within distance l of v where we have used that y lemma 7 the norm s l 3 for good j. As per the specification, the algorithm will not fail efore having exhausted all 3 vectors, and so the lemma follows Upper-ounding the numer of ad integers j As a final step, we need to demonstrate an upper ound on the numer of ad j, as this ound is needed to demonstrate a lower ound on the overall success proaility of the algorithm in section 5.3. Claim 8. For a fixed ξ on the interval 0 < ξ < l 3 there are less than l 4 integers j on the interval 0 j < l such that {ξj} l < l 5. Proof. Let κ e the largest power of two that divides ξ. Since ξ < l 3 it must e that κ < l 3. As j runs through all integers 0 j < l, the function ξj mod l assumes the value of each multiple of κ exactly l κ times. Only the l κ 5 values congruent to values on ( l 5, l 5 ) are such that {ξj} l < l 5 so with multiplicity κ there are κ ( l κ 5 ) < l 4 integers j such that {ξj} l < l 5 for a fixed ξ. Lemma 9. There are less than l 7 ad integers j. Proof. By definition 8 there are l 3 values of ξ since 0 < ξ < l 3 and y claim 8 there are less than l 4 ad integers j for a fixed ξ. In total, there are therefore less than ( l 3 ) l 4 < l 7 ad integers j. 5.3 Main result Theorem summarizes the main result in this section. Theorem. Assume that the algorithm in section 5. is executed once on a quantum computer with g and x = [d] g as input, and that it yields some pair (j, k) as output. If this pair (j, k) is fed as input to the classical algorithm in section 5., it will output d with proaility at least 3 ( 6 ). 3

24 Proof. By lemma 4 there are at least l good pairs (j, k). It follows from definition 3 of a good pair that j is distinct. By lemma 9 there are less than l 7 ad j. It follows that there must e at least l l 7 good pairs (j, k) for which j is good. By lemma 5 the proaility of otaining a specific good pair from a single execution of the algorithm in section 5. is at least l. The proaility of otaining a good pair (j, k) for which j is good must therefore e at least l ( l l 7 ) = 3 ( 6 ). By lemma 8 the classical algorithm in section 5. will upon input of a pair (j, k) for which j is good output d and so the theorem follows. Again, it should e stressed that we have have not sought the est lower ound on the success proaility in this paper. 5.4 Generalizations and oservations We remark that we have not used that q is a prime in the algorithm. Hence, the algorithm generalizes to finite aelian groups. Furthermore, we remark that we have in fact not assumed q to e explicitly known in the algorithm. We have only assumed that q l + ( l )d On whether q has to e explicitly known The aove oservation not withstanding, q may need to e explicitly known for reasons that are not immediately apparent from the algorithm description. For instance, to efficiently implement the exponentiations, the inverses [ ] x and [ ] g may have to e pre-computed classically and [ ] x = [q ] x for any finite aelian group of order q. However, there may e other ways to compute inverses, depending on the group. In the special case of sugroups of order q to F p, for example, knowing p is sufficient since [ ] x = [q ] x = [(p ) ] x. 6 Summary and conclusion We have revisited Shor s algorithm for computing discrete logarithms in F p on a quantum computer and modified it to compute logarithms d in groups of prime order q in the special case where d q. More specifically, we have considered the special case where 0 < d < l and q l + ( l )d. As a stepping stone to performing this modification, we first introduced a modified algorithm for computing logarithms on the general interval 0 < d < q for comparison. We have demonstrated conservative lower ounds on the success proaility in oth the general and special cases using simple proof techniques. In the special case where d q, our algorithm uses 3 log d quits for the two index registers and requires the computation of two QFTs of size log d and log d respectively, compared to log q quits for the index registers and two QFTs oth of size log q in the general case. A quantum circuit capale of computing [e] g = [a] g [ ] x is furthermore required, where x = [d] g, and where 0 a < log d and 0 < log d in the special case, compared to 0 a, < log q in the general case. In 4

25 oth cases, the choice of group operation and element representation affects the complexity of computing and storing [e] g. These results imply that the complexity of computing discrete logarithms in prime order groups on a quantum computer can e made to depend not only on the choice of group, and on its order q, ut also on the logarithm d. In the special case where d q, our algorithm does not require q to e prime, so this result generalizes to finite aelian group. Furthermore, as per the description of the algorithm, q does not need to e explicitly known. The reduction in size of the first two registers is in itself not very significant since many additional quits will typically e required to implement the two exponentiation operations. However, the fact that the exponents that enter into these operations are now short, and that the QFTs are of smaller sizes, reduces the complexity in the special case where d q. Remarks The quantum algorithms in this paper are descried in purely mathematical terms. It is assumed that some quantum registers are first initialized, that a quantum circuit is then executed and that the system is then finally oserved in a measurement. The extent to which the specialized algorithm for the case where d q provides an advantage over the general algorithm depends on how this mathematical description is translated into a physical implementation. Note furthermore that in the case of sugroups of prime order q to F p, for fixed p and d p the general algorithm has lower complexity when d q p than does the specialized algorithm when d q p. It is possile that the specialized algorithm may e further optimized in this respect. Acknowledgments Many thanks to Johan Håstad for providing key comments, suggestions and guidance. A note of thanks also goes to Lennart Brynielsson for correcting several minor errors in early draft versions of this paper. Funding and support for this work was provided y the Swedish NCSA that is a part of the Swedish Armed Forces. References [] D. Boneh, R. J. Lipton, Quantum Cryptanalysis of Hidden Linear Functions, in proceedings from the International Cryptology Conference, Advances in Cryptology CRYPTO 95, volume 963, 995, pp [] D. Gordon, Discrete logarithms in GF(p) using the Numer Field Sieve, in SIAM Journal on Discrete Mathematics, volume 6, 993, pp [3] M. Hirvensalo, Quantum Computing, nd edition, Natural Computing Series, Springer Verlag, 004. [4] R. Josza, Quantum Factoring, Discrete Logarithms, and the Hidden Sugroup Prolem, in Computing in Science and Engineering, volume 3, no, 00, pp

26 [5] A. K. Lenstra, H. W. Lenstra, L. Lovász, Factoring polynomials with rational coefficients, in Mathematische Annalen, volume 6, no 4, 98, p.p [6] P. C. van Oorschot, M. J. Wiener, On Diffie-Hellman Key Agreement with Short Exponents, in proceedings from the International Conference on the Theory and Application of Cryptographic Techniques, Advances in Cryptology EUROCRYPT 96, volume 070, 996, pp [7] S. C. Pohlig, M. E. Hellman, An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance, in IEEE Transactions on Information Theory, volume IT-4, no, 978, pp [8] J. M. Pollard, Monte Carlo Methods for Index Computation (mod p), in Mathematics of Computation, volume 3, no 43, 978, pp [9] O. Schirokauer, Discrete Logarithms and Local Units, in Philosophical Transactions of the Royal Society of London, volume A 345, 993, pp [0] P. W. Shor, Algorithms for Quantum Computation: Discrete Logarithms and Factoring, in proceeding from the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, Novemer 0, 994, IEEE Computer Society Press, pp [] P. W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, in SIAM Journal of Computing, volume 6, no 5, 997, pp

Similar documents

Quantum algorithms for computing short discrete logarithms and factoring RSA integers

Quantum algorithms for computing short discrete logarithms and factoring RSA integers Quantum algorithms for computing short discrete logarithms and factoring RSA integers Martin Ekerå, Johan Håstad February, 07 Abstract In this paper we generalize the quantum algorithm for computing short

More information

Lecture 12: Grover s Algorithm

Lecture 12: Grover s Algorithm CPSC 519/619: Quantum Computation John Watrous, University of Calgary Lecture 12: Grover s Algorithm March 7, 2006 We have completed our study of Shor s factoring algorithm. The asic technique ehind Shor

More information

#A50 INTEGERS 14 (2014) ON RATS SEQUENCES IN GENERAL BASES

#A50 INTEGERS 14 (2014) ON RATS SEQUENCES IN GENERAL BASES #A50 INTEGERS 14 (014) ON RATS SEQUENCES IN GENERAL BASES Johann Thiel Dept. of Mathematics, New York City College of Technology, Brooklyn, New York jthiel@citytech.cuny.edu Received: 6/11/13, Revised:

More information

Depth versus Breadth in Convolutional Polar Codes

Depth versus Breadth in Convolutional Polar Codes Depth versus Breadth in Convolutional Polar Codes Maxime Tremlay, Benjamin Bourassa and David Poulin,2 Département de physique & Institut quantique, Université de Sherrooke, Sherrooke, Quéec, Canada JK

More information

Expansion formula using properties of dot product (analogous to FOIL in algebra): u v 2 u v u v u u 2u v v v u 2 2u v v 2

Expansion formula using properties of dot product (analogous to FOIL in algebra): u v 2 u v u v u u 2u v v v u 2 2u v v 2 Least squares: Mathematical theory Below we provide the "vector space" formulation, and solution, of the least squares prolem. While not strictly necessary until we ring in the machinery of matrix algera,

More information

Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring

Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France

More information

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2 Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 ) December 2001 Contents Summary 2 Detailed Evaluation 3 1 The Elliptic Curve Method 3 1.1 The ECM applied to N = p d............................

More information

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem Curtis Bright December 9, 011 Abstract In Quantum Computation and Lattice Problems [11] Oded Regev presented the first known connection

More information

10 Lorentz Group and Special Relativity

10 Lorentz Group and Special Relativity Physics 129 Lecture 16 Caltech, 02/27/18 Reference: Jones, Groups, Representations, and Physics, Chapter 10. 10 Lorentz Group and Special Relativity Special relativity says, physics laws should look the

More information

New attacks on RSA with Moduli N = p r q

New attacks on RSA with Moduli N = p r q New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr

More information

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,

More information

Attacking the ECDLP with Quantum Computing

Attacking the ECDLP with Quantum Computing Attacking the ECDLP with Quantum Computing Sam Green and Can Kizilkale sam.green@cs.ucsb.edu, cankizilkale@cs.ucsb.edu December 7, 015 CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 1

More information

Minimizing a convex separable exponential function subject to linear equality constraint and bounded variables

Minimizing a convex separable exponential function subject to linear equality constraint and bounded variables Minimizing a convex separale exponential function suect to linear equality constraint and ounded variales Stefan M. Stefanov Department of Mathematics Neofit Rilski South-Western University 2700 Blagoevgrad

More information

Representation theory of SU(2), density operators, purification Michael Walter, University of Amsterdam

Representation theory of SU(2), density operators, purification Michael Walter, University of Amsterdam Symmetry and Quantum Information Feruary 6, 018 Representation theory of S(), density operators, purification Lecture 7 Michael Walter, niversity of Amsterdam Last week, we learned the asic concepts of

More information

The Shortest Vector Problem (Lattice Reduction Algorithms)

The Shortest Vector Problem (Lattice Reduction Algorithms) The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm

More information

Computers and Mathematics with Applications

Computers and Mathematics with Applications Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis

More information

Further Results on Implicit Factoring in Polynomial Time

Further Results on Implicit Factoring in Polynomial Time Further Results on Implicit Factoring in Polynomial Time Santanu Sarkar and Subhamoy Maitra Indian Statistical Institute, 203 B T Road, Kolkata 700 108, India {santanu r, subho}@isical.ac.in Abstract.

More information

A Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups

A Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups A Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups Alexander May and Ilya Ozerov Horst Görtz Institute for IT-Security Ruhr-University Bochum, Germany Faculty of Mathematics alex.may@rub.de,

More information

ERASMUS UNIVERSITY ROTTERDAM Information concerning the Entrance examination Mathematics level 2 for International Business Administration (IBA)

ERASMUS UNIVERSITY ROTTERDAM Information concerning the Entrance examination Mathematics level 2 for International Business Administration (IBA) ERASMUS UNIVERSITY ROTTERDAM Information concerning the Entrance examination Mathematics level 2 for International Business Administration (IBA) General information Availale time: 2.5 hours (150 minutes).

More information

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * 2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS

More information

Advanced Cryptography Quantum Algorithms Christophe Petit

Advanced Cryptography Quantum Algorithms Christophe Petit The threat of quantum computers Advanced Cryptography Quantum Algorithms Christophe Petit University of Oxford Christophe Petit -Advanced Cryptography 1 Christophe Petit -Advanced Cryptography 2 The threat

More information

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr

More information

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015 Shor s Algorithm Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015 Integer factorization n = p q (where p, q are prime numbers) is a cryptographic one-way function Classical algorithm with best

More information

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS DELARAM KAHROBAEI, CHARALAMBOS KOUPPARIS, AND VLADIMIR SHPILRAIN Abstract. We offer a public key exchange protocol in the spirit of Diffie-Hellman, but

More information

TIGHT BOUNDS FOR THE FIRST ORDER MARCUM Q-FUNCTION

TIGHT BOUNDS FOR THE FIRST ORDER MARCUM Q-FUNCTION TIGHT BOUNDS FOR THE FIRST ORDER MARCUM Q-FUNCTION Jiangping Wang and Dapeng Wu Department of Electrical and Computer Engineering University of Florida, Gainesville, FL 3611 Correspondence author: Prof.

More information

New Constructions of Sonar Sequences

New Constructions of Sonar Sequences INTERNATIONAL JOURNAL OF BASIC & APPLIED SCIENCES IJBAS-IJENS VOL.:14 NO.:01 12 New Constructions of Sonar Sequences Diego F. Ruiz 1, Carlos A. Trujillo 1, and Yadira Caicedo 2 1 Department of Mathematics,

More information

Math 581 Problem Set 9

Math 581 Problem Set 9 Math 581 Prolem Set 9 1. Let m and n e relatively prime positive integers. (a) Prove that Z/mnZ = Z/mZ Z/nZ as RINGS. (Hint: First Isomorphism Theorem) Proof: Define ϕz Z/mZ Z/nZ y ϕ(x) = ([x] m, [x] n

More information

Essential Maths 1. Macquarie University MAFC_Essential_Maths Page 1 of These notes were prepared by Anne Cooper and Catriona March.

Essential Maths 1. Macquarie University MAFC_Essential_Maths Page 1 of These notes were prepared by Anne Cooper and Catriona March. Essential Maths 1 The information in this document is the minimum assumed knowledge for students undertaking the Macquarie University Masters of Applied Finance, Graduate Diploma of Applied Finance, and

More information

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &

More information

On the Security of Diffie Hellman Bits

On the Security of Diffie Hellman Bits On the Security of Diffie Hellman Bits Maria Isabel González Vasco and Igor E. Shparlinski Abstract. Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a hidden element

More information

A new attack on RSA with a composed decryption exponent

A new attack on RSA with a composed decryption exponent A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr

More information

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Daniele Micciancio, University of California at San Diego, www.cs.ucsd.edu/ daniele entry editor: Sanjeev Khanna INDEX TERMS: Point lattices. Algorithmic

More information

Compute the Fourier transform on the first register to get x {0,1} n x 0.

Compute the Fourier transform on the first register to get x {0,1} n x 0. CS 94 Recursive Fourier Sampling, Simon s Algorithm /5/009 Spring 009 Lecture 3 1 Review Recall that we can write any classical circuit x f(x) as a reversible circuit R f. We can view R f as a unitary

More information

Introduction to Quantum Computing

Introduction to Quantum Computing Introduction to Quantum Computing Part II Emma Strubell http://cs.umaine.edu/~ema/quantum_tutorial.pdf April 13, 2011 Overview Outline Grover s Algorithm Quantum search A worked example Simon s algorithm

More information

2 A Fourier Transform for Bivariate Functions

2 A Fourier Transform for Bivariate Functions Stanford University CS59Q: Quantum Computing Handout 0 Luca Trevisan October 5, 0 Lecture 0 In which we present a polynomial time quantum algorithm for the discrete logarithm problem. The Discrete Log

More information

Compactness vs Collusion Resistance in Functional Encryption

Compactness vs Collusion Resistance in Functional Encryption Compactness vs Collusion Resistance in Functional Encryption Baiyu Li Daniele Micciancio April 10, 2017 Astract We present two general constructions that can e used to comine any two functional encryption

More information

9 Knapsack Cryptography

9 Knapsack Cryptography 9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and

More information

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,

More information

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT Abderrahmane Nitaj 1 and Mohamed Ould Douh 1,2 1 Laboratoire de Mathématiques Nicolas Oresme, Université de Caen, Basse Normandie, France Université

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Explicit constructions of quasi-monte Carlo rules for the numerical integration of high dimensional periodic functions

Explicit constructions of quasi-monte Carlo rules for the numerical integration of high dimensional periodic functions Explicit constructions of quasi-monte Carlo rules for the numerical integration of high dimensional periodic functions By J. Dick at Sydney Astract In this paper we give first explicit constructions of

More information

On estimating the lattice security of NTRU

On estimating the lattice security of NTRU On estimating the lattice security of NTRU Nick Howgrave-Graham, Jeff Hoffstein, Jill Pipher, William Whyte NTRU Cryptosystems Abstract. This report explicitly refutes the analysis behind a recent claim

More information

Shor s Prime Factorization Algorithm

Shor s Prime Factorization Algorithm Shor s Prime Factorization Algorithm Bay Area Quantum Computing Meetup - 08/17/2017 Harley Patton Outline Why is factorization important? Shor s Algorithm Reduction to Order Finding Order Finding Algorithm

More information

SVETLANA KATOK AND ILIE UGARCOVICI (Communicated by Jens Marklof)

SVETLANA KATOK AND ILIE UGARCOVICI (Communicated by Jens Marklof) JOURNAL OF MODERN DYNAMICS VOLUME 4, NO. 4, 010, 637 691 doi: 10.3934/jmd.010.4.637 STRUCTURE OF ATTRACTORS FOR (a, )-CONTINUED FRACTION TRANSFORMATIONS SVETLANA KATOK AND ILIE UGARCOVICI (Communicated

More information

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp

More information

Polynomial Degree and Finite Differences

Polynomial Degree and Finite Differences CONDENSED LESSON 7.1 Polynomial Degree and Finite Differences In this lesson, you Learn the terminology associated with polynomials Use the finite differences method to determine the degree of a polynomial

More information

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today: Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how

More information

Module 9: Further Numbers and Equations. Numbers and Indices. The aim of this lesson is to enable you to: work with rational and irrational numbers

Module 9: Further Numbers and Equations. Numbers and Indices. The aim of this lesson is to enable you to: work with rational and irrational numbers Module 9: Further Numers and Equations Lesson Aims The aim of this lesson is to enale you to: wor with rational and irrational numers wor with surds to rationalise the denominator when calculating interest,

More information

1 Systems of Differential Equations

1 Systems of Differential Equations March, 20 7- Systems of Differential Equations Let U e an open suset of R n, I e an open interval in R and : I R n R n e a function from I R n to R n The equation ẋ = ft, x is called a first order ordinary

More information

Imitating quantum mechanics: Qubit-based model for simulation

Imitating quantum mechanics: Qubit-based model for simulation Imitating quantum mechanics: Qubit-based model for simulation Steven Peil nited States Naval Observatory, Washington, DC 2392, SA Received 26 November 27; revised manuscript received 6 January 29; published

More information

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice

More information

Smooth Projective Hashing and Two-Message Oblivious Transfer

Smooth Projective Hashing and Two-Message Oblivious Transfer Smooth Projective Hashing and Two-Message Olivious Transfer Shai Halevi IBM Research Yael Tauman Kalai Microsoft Research Octoer 31, 2010 Astract We present a general framework for constructing two-message

More information

Theoretical Cryptography, Lecture 13

Theoretical Cryptography, Lecture 13 Theoretical Cryptography, Lecture 13 Instructor: Manuel Blum Scribe: Ryan Williams March 1, 2006 1 Today Proof that Z p has a generator Overview of Integer Factoring Discrete Logarithm and Quadratic Residues

More information

Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms

Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms Robert P. Gallant 1, Robert J. Lambert 1, and Scott A. Vanstone 1,2 1 Certicom Research, Canada {rgallant,rlambert,svanstone}@certicom.com

More information

ERASMUS UNIVERSITY ROTTERDAM

ERASMUS UNIVERSITY ROTTERDAM Information concerning Colloquium doctum Mathematics level 2 for International Business Administration (IBA) and International Bachelor Economics & Business Economics (IBEB) General information ERASMUS

More information

Section 8.5. z(t) = be ix(t). (8.5.1) Figure A pendulum. ż = ibẋe ix (8.5.2) (8.5.3) = ( bẋ 2 cos(x) bẍ sin(x)) + i( bẋ 2 sin(x) + bẍ cos(x)).

Section 8.5. z(t) = be ix(t). (8.5.1) Figure A pendulum. ż = ibẋe ix (8.5.2) (8.5.3) = ( bẋ 2 cos(x) bẍ sin(x)) + i( bẋ 2 sin(x) + bẍ cos(x)). Difference Equations to Differential Equations Section 8.5 Applications: Pendulums Mass-Spring Systems In this section we will investigate two applications of our work in Section 8.4. First, we will consider

More information

Cryptography in the Quantum Era. Tomas Rosa and Jiri Pavlu Cryptology and Biometrics Competence Centre, Raiffeisen BANK International

Cryptography in the Quantum Era. Tomas Rosa and Jiri Pavlu Cryptology and Biometrics Competence Centre, Raiffeisen BANK International Cryptography in the Quantum Era Tomas Rosa and Jiri Pavlu Cryptology and Biometrics Competence Centre, Raiffeisen BANK International Postulate #1: Qubit state belongs to Hilbert space of dimension 2 ψ

More information

Discrete quantum random walks

Discrete quantum random walks Quantum Information and Computation: Report Edin Husić edin.husic@ens-lyon.fr Discrete quantum random walks Abstract In this report, we present the ideas behind the notion of quantum random walks. We further

More information

Scheduling Two Agents on a Single Machine: A Parameterized Analysis of NP-hard Problems

Scheduling Two Agents on a Single Machine: A Parameterized Analysis of NP-hard Problems Scheduling Two Agents on a Single Machine: A Parameterized Analysis of NP-hard Prolems Danny Hermelin 1, Judith-Madeleine Kuitza 2, Dvir Shatay 1, Nimrod Talmon 3, and Gerhard Woeginger 4 arxiv:1709.04161v1

More information

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem A Knapsack Cryptosystem Based on The Discrete Logarithm Problem By K.H. Rahouma Electrical Technology Department Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com

More information

Modular Multiplication in GF (p k ) using Lagrange Representation

Modular Multiplication in GF (p k ) using Lagrange Representation Modular Multiplication in GF (p k ) using Lagrange Representation Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier

More information

Short Course in Quantum Information Lecture 5

Short Course in Quantum Information Lecture 5 Short Course in Quantum Information Lecture 5 Quantum Algorithms Prof. Andrew Landahl University of New Mexico Course Info All materials downloadable @ website http://info.phys.unm.edu/~deutschgroup/deutschclasses.html

More information

Factoring on a Quantum Computer

Factoring on a Quantum Computer Factoring on a Quantum Computer The Essence Shor s Algorithm Wolfgang Polak wp@pocs.com Thanks to: Eleanor Rieffel Fuji Xerox Palo Alto Laboratory Wolfgang Polak San Jose State University, 4-14-010 - p.

More information

1Number ONLINE PAGE PROOFS. systems: real and complex. 1.1 Kick off with CAS

1Number ONLINE PAGE PROOFS. systems: real and complex. 1.1 Kick off with CAS 1Numer systems: real and complex 1.1 Kick off with CAS 1. Review of set notation 1.3 Properties of surds 1. The set of complex numers 1.5 Multiplication and division of complex numers 1.6 Representing

More information

Solving Systems of Linear Equations Symbolically

Solving Systems of Linear Equations Symbolically " Solving Systems of Linear Equations Symolically Every day of the year, thousands of airline flights crisscross the United States to connect large and small cities. Each flight follows a plan filed with

More information

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio CSE 206A: Lattice Algorithms and Applications Spring 2014 Basis Reduction Instructor: Daniele Micciancio UCSD CSE No efficient algorithm is known to find the shortest vector in a lattice (in arbitrary

More information

Structuring Unreliable Radio Networks

Structuring Unreliable Radio Networks Structuring Unreliale Radio Networks Keren Censor-Hillel Seth Gilert Faian Kuhn Nancy Lynch Calvin Newport March 29, 2011 Astract In this paper we study the prolem of uilding a connected dominating set

More information

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of

More information

Mathematical analysis of the computational complexity of integer sub-decomposition algorithm

Mathematical analysis of the computational complexity of integer sub-decomposition algorithm Journal of Physics: Conference Series PAPER OPEN ACCESS Mathematical analysis of the computational complexity of integer sub-decomposition algorithm To cite this article: Ruma Kareem K Ajeena and Hailiza

More information

Fault Attacks Against emv Signatures

Fault Attacks Against emv Signatures Fault Attacks Against emv Signatures Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 2 1 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi l-1359 Luxembourg, Luxembourg {jean-sebastien.coron,

More information

STRONG NORMALITY AND GENERALIZED COPELAND ERDŐS NUMBERS

STRONG NORMALITY AND GENERALIZED COPELAND ERDŐS NUMBERS #A INTEGERS 6 (206) STRONG NORMALITY AND GENERALIZED COPELAND ERDŐS NUMBERS Elliot Catt School of Mathematical and Physical Sciences, The University of Newcastle, Callaghan, New South Wales, Australia

More information

Differential Geometry of Surfaces

Differential Geometry of Surfaces Differential Geometry of urfaces Jordan mith and Carlo équin C Diision, UC Berkeley Introduction These are notes on differential geometry of surfaces ased on reading Greiner et al. n. d.. Differential

More information

Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes

Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes Xavier Bonnetain 1,2 and André Schrottenloher 2 1 Sorbonne Université, Collège Doctoral, F-75005 Paris, France 2 Inria, France Abstract.

More information

Luis Manuel Santana Gallego 100 Investigation and simulation of the clock skew in modern integrated circuits. Clock Skew Model

Luis Manuel Santana Gallego 100 Investigation and simulation of the clock skew in modern integrated circuits. Clock Skew Model Luis Manuel Santana Gallego 100 Appendix 3 Clock Skew Model Xiaohong Jiang and Susumu Horiguchi [JIA-01] 1. Introduction The evolution of VLSI chips toward larger die sizes and faster clock speeds makes

More information

Lecture 6: Cryptanalysis of public-key algorithms.,

Lecture 6: Cryptanalysis of public-key algorithms., T-79.159 Cryptography and Data Security Lecture 6: Cryptanalysis of public-key algorithms. Helsinki University of Technology mjos@tcs.hut.fi 1 Outline Computational complexity Reminder about basic number

More information

Breaking Plain ElGamal and Plain RSA Encryption

Breaking Plain ElGamal and Plain RSA Encryption Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain

More information

Small Private Exponent Partial Key-Exposure Attacks on Multiprime RSA

Small Private Exponent Partial Key-Exposure Attacks on Multiprime RSA Small Private Exponent Partial Key-Exposure Attacks on Multiprime RSA M. Jason Hinek School of Computer Science, University of Waterloo, Waterloo, Ontario, N2L 3G1, Canada. mjhinek@alumni.uwaterloo.ca

More information

Shor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017

Shor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017 Shor s Algorithm Polynomial-time Prime Factorization with Quantum Computing Sourabh Kulkarni October 13th, 2017 Content Church Thesis Prime Numbers and Cryptography Overview of Shor s Algorithm Implementation

More information

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Curves, Cryptography, and Primes of the Form x 2 + y 2 D Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.

More information

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation Quantum logic gates Logic gates Classical NOT gate Quantum NOT gate (X gate) A NOT A α 0 + β 1 X α 1 + β 0 A N O T A 0 1 1 0 Matrix form representation 0 1 X = 1 0 The only non-trivial single bit gate

More information

Determinants of generalized binary band matrices

Determinants of generalized binary band matrices Determinants of generalized inary and matrices Dmitry Efimov arxiv:17005655v1 [mathra] 18 Fe 017 Department of Mathematics, Komi Science Centre UrD RAS, Syktyvkar, Russia Astract Under inary matrices we

More information

QUANTUM PHASE ESTIMATION WITH ARBITRARY CONSTANT-PRECISION PHASE SHIFT OPERATORS

QUANTUM PHASE ESTIMATION WITH ARBITRARY CONSTANT-PRECISION PHASE SHIFT OPERATORS Quantum Information and Computation, Vol., No. 9&0 (0) 0864 0875 c Rinton Press QUANTUM PHASE ESTIMATION WITH ARBITRARY CONSTANT-PRECISION PHASE SHIFT OPERATORS HAMED AHMADI Department of Mathematics,

More information

Lecture 6 January 15, 2014

Lecture 6 January 15, 2014 Advanced Graph Algorithms Jan-Apr 2014 Lecture 6 January 15, 2014 Lecturer: Saket Sourah Scrie: Prafullkumar P Tale 1 Overview In the last lecture we defined simple tree decomposition and stated that for

More information

Lecture 10: Eigenvalue Estimation

Lecture 10: Eigenvalue Estimation CS 880: Quantum Information Processing 9/7/010 Lecture 10: Eigenvalue Estimation Instructor: Dieter van Melkebeek Scribe: Dalibor Zelený Last time we discussed the quantum Fourier transform, and introduced

More information

Ph 219b/CS 219b. Exercises Due: Wednesday 20 November 2013

Ph 219b/CS 219b. Exercises Due: Wednesday 20 November 2013 1 h 219b/CS 219b Exercises Due: Wednesday 20 November 2013 3.1 Universal quantum gates I In this exercise and the two that follow, we will establish that several simple sets of gates are universal for

More information

Weighted Threshold Secret Sharing Based on the Chinese Remainder Theorem

Weighted Threshold Secret Sharing Based on the Chinese Remainder Theorem Weighted Threshold Secret Sharing Based on the Chinese Remainder Theorem Sorin Iftene and Ioana Boureanu Faculty of Computer Science Al. I. Cuza University Iaşi, Romania {siftene,iboureanu}@infoiasi.ro

More information

Graphs and polynomials

Graphs and polynomials 5_6_56_MQVMM - _t Page Frida, Novemer 8, 5 :5 AM MQ Maths Methods / Final Pages / 8//5 Graphs and polnomials VCEcoverage Areas of stud Units & Functions and graphs Algera In this chapter A The inomial

More information

Optimal Routing in Chord

Optimal Routing in Chord Optimal Routing in Chord Prasanna Ganesan Gurmeet Singh Manku Astract We propose optimal routing algorithms for Chord [1], a popular topology for routing in peer-to-peer networks. Chord is an undirected

More information

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical

More information

Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e

Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e P Anuradha Kameswari, L Jyotsna Department of Mathematics, Andhra University, Visakhapatnam - 5000, Andhra Pradesh, India

More information

Lecture 1 & 2: Integer and Modular Arithmetic

Lecture 1 & 2: Integer and Modular Arithmetic CS681: Computational Numer Theory and Algera (Fall 009) Lecture 1 & : Integer and Modular Arithmetic July 30, 009 Lecturer: Manindra Agrawal Scrie: Purushottam Kar 1 Integer Arithmetic Efficient recipes

More information

Upper Bounds for Stern s Diatomic Sequence and Related Sequences

Upper Bounds for Stern s Diatomic Sequence and Related Sequences Upper Bounds for Stern s Diatomic Sequence and Related Sequences Colin Defant Department of Mathematics University of Florida, U.S.A. cdefant@ufl.edu Sumitted: Jun 18, 01; Accepted: Oct, 016; Pulished:

More information

MCS 115 Exam 2 Solutions Apr 26, 2018

MCS 115 Exam 2 Solutions Apr 26, 2018 MCS 11 Exam Solutions Apr 6, 018 1 (10 pts) Suppose you have an infinitely large arrel and a pile of infinitely many ping-pong alls, laeled with the positive integers 1,,3,, much like in the ping-pong

More information

Diophantine equations via weighted LLL algorithm

Diophantine equations via weighted LLL algorithm Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory

More information

Looking back at lattice-based cryptanalysis

Looking back at lattice-based cryptanalysis September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis

More information

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Elliptic Curves Spring 2013 Lecture #12 03/19/2013 18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring

More information

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.

More information

Instantaneous Measurement of Nonlocal Variables

Instantaneous Measurement of Nonlocal Variables Instantaneous Measurement of Nonlocal Variales Richard A. Low richard@wentnet.com August 006 Astract We ask the question: is it possile to measure nonlocal properties of a state instantaneously? Relativistic

More information

Topological structures and phases. in U(1) gauge theory. Abstract. We show that topological properties of minimal Dirac sheets as well as of

Topological structures and phases. in U(1) gauge theory. Abstract. We show that topological properties of minimal Dirac sheets as well as of BUHEP-94-35 Decemer 1994 Topological structures and phases in U(1) gauge theory Werner Kerler a, Claudio Rei and Andreas Weer a a Fachereich Physik, Universitat Marurg, D-35032 Marurg, Germany Department

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback