Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

Similar documents
Shor s Prime Factorization Algorithm

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

1. Algebra 1.7. Prime numbers

Factorization & Primality Testing

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Shor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017

Introduction to Number Theory. The study of the integers

Introduction to Quantum Computing

Cryptography: Joining the RSA Cryptosystem

Algorithms (II) Yu Yu. Shanghai Jiaotong University

Short Course in Quantum Information Lecture 5

Figure 1: Circuit for Simon s Algorithm. The above circuit corresponds to the following sequence of transformations.

Lecture note 8: Quantum Algorithms

Theoretical Cryptography, Lecture 13

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

Applied Cryptography and Computer Security CSE 664 Spring 2017

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Advanced Algorithms and Complexity Course Project Report

Classical RSA algorithm

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Measuring progress in Shor s factoring algorithm

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Quantum Computers. Peter Shor MIT

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

C/CS/Phys 191 Shor s order (period) finding algorithm and factoring 11/01/05 Fall 2005 Lecture 19

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Ma/CS 6a Class 4: Primality Testing

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Applied Cryptography and Computer Security CSE 664 Spring 2018

Phase estimation. p. 1/24

5: The Integers (An introduction to Number Theory)

Factoring on a Quantum Computer

Quantum Computing and Shor s Algorithm

4 Number Theory and Cryptography

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

Shor s Quantum Factorization Algorithm

Shor Factorization Algorithm

3 The fundamentals: Algorithms, the integers, and matrices

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

CPSC 467b: Cryptography and Computer Security

First, let's review classical factoring algorithm (again, we will factor N=15 but pick different number)

CPSC 467b: Cryptography and Computer Security

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

2 A Fourier Transform for Bivariate Functions

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

Quantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem

Lecture 11 - Basic Number Theory.

QFT, Period Finding & Shor s Algorithm

Quantum algorithms for computing short discrete logarithms and factoring RSA integers

arxiv: v2 [quant-ph] 1 Aug 2017

Quantum Computing. 6. Quantum Computer Architecture 7. Quantum Computers and Complexity

Advanced Cryptography Quantum Algorithms Christophe Petit

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Introduction to Quantum Information Processing CS 467 / CS 667 Phys 667 / Phys 767 C&O 481 / C&O 681

Lecture 6: Cryptanalysis of public-key algorithms.,

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

arxiv:quant-ph/ v2 22 Jan 2004

APA: Estep, Samuel (2018) "Elliptic Curves" The Kabod 4( 2 (2018)), Article 1. Retrieved from vol4/iss2/1

Basic Algorithms in Number Theory

Introduction to Quantum Computing

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Simon s algorithm (1994)

Analyzing and Optimizing the Combined Primality test with GCD Operation on Smart Mobile Devices

QUANTUM COMPUTATION. Lecture notes. Ashley Montanaro, University of Bristol 1 Introduction 2

Ma/CS 6a Class 4: Primality Testing

Biomedical Security. Some Security News 9/17/2018. Erwin M. Bakker. Blockchains are not safe for voting (slashdot.org) : From: paragonie.

Mathematics of Public Key Cryptography

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Introduction to Quantum Computing

The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

Quantum Phase Estimation using Multivalued Logic

Senior Math Circles Cryptography and Number Theory Week 2

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Quantum Computation 650 Spring 2009 Lectures The World of Quantum Information. Quantum Information: fundamental principles

ECEN 5022 Cryptography

Algorithmic number theory. Questions/Complaints About Homework? The division algorithm. Division

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

Concepts and Algorithms of Scientific and Visual Computing Advanced Computation Models. CS448J, Autumn 2015, Stanford University Dominik L.

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

QIP Note: On the Quantum Fourier Transform and Applications

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Introduction to Cybersecurity Cryptography (Part 5)

Chapter 5: The Integers

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

A New Attack on RSA with Two or Three Decryption Exponents

Math Circle Beginners Group February 28, 2016 Euclid and Prime Numbers Solutions

Primes and Factorization

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

A SURVEY OF PRIMALITY TESTS

ADVANCED QUANTUM INFORMATION THEORY

Introduction to Quantum Computing

Basic elements of number theory

Basic elements of number theory

CSC 373: Algorithm Design and Analysis Lecture 30

Exercises Exercises. 2. Determine whether each of these integers is prime. a) 21. b) 29. c) 71. d) 97. e) 111. f) 143. a) 19. b) 27. c) 93.

PRIME NUMBERS YANKI LEKILI

Transcription:

Shor s Algorithm Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

Integer factorization n = p q (where p, q are prime numbers) is a cryptographic one-way function Classical algorithm with best asymptotic behavior: ( [ General Number]) Field Sieve with superpolynomial scaling: O exp c (ln n) 1 3(ln ln n) 3 2 Basis for commercially important cryptography

Shor s algorithm Factorization algorithm with polynomial complexity Runs only partially on quantum computer with complexity O ( (log n) 2 (log log n)(log log log n) ) Pre- and post-processing on a classical computer Makes use of reduction of factorization problem to order-finding problem Achieves polynomial time with efficiency of Quantum Fourier Transform

Talk outline 1. Classical computer part Sketch of various subroutines Reduction to period-finding problem Full classical algorithm 2. Period-finding on quantum computer Quantum Fourier Transform Period-finding algorithm 3. Example: Factoring 21 4. Summary

Sketch of various subroutines greatest common { divisor: e.g. Euclidean algorithm b if a mod b = 0 gcd(a, b) = gcd(b, a mod b) else with a > b, quadratic in number of digits of a, b. reminder: gcd(a, b) = 1 a, b coprime Test of primality: e.g. Agrawal-Kayal-Saxena 2002, polynomial Prime power test: determine if n = p α, e.g. Bernstein 1997 in O(log n) continued fraction expansion: required to approximate a rational number by an integer fraction, e.g. Hardy and Wright 1979, polynomial

Reduction to period-finding problem, Miller 1976 Find factor of odd n provided some method to calculate the order r of x a mod n, a N: 1. Choose a random x < n. 2. Find order r (somehow) in x r 1 mod n. 3. Compute p, q = gcd(x r 2 ± 1, n) if r even. Since (x r 2 1)(x r 2 + 1) = x r 1 0 mod n. Fails if r odd or x r 2 1 mod n. Yields a factor with p = 1 2 k+1 where k is the number of distinct odd prime factors of n.

Shor s algorithm 1. Determine if n is even, prime or a prime power. If so, exit. 2. Pick a random integer x < n and calculate gcd(x, n). If this is not 1, then we have obtained a factor of n. 3. Quantum algorithm Pick q as the smallest power of 2 with n 2 q < 2n 2. Find period r of x a mod n. Measurement gives us a variable c which has the property c q d r where d N. 4. Determine d, r via continued fraction expansion algorithm. d, r only determined if gcd(d, r) = 1 (reduced fraction). 5. If r is odd, go back to 2. If x r 2 1 mod n go back to 2. Otherwise the factors p, q = gcd(x r 2 ± 1, n).

Quantum Fourier Transform (QFT) Define the QFT with respect to an ONB { x } = { 0,..., q 1 } QF T : x 1 q 1 { } 2πi exp q q x y y = 1 q 1 ω x y y q y=0 Apply QFT to a general state ψ = x α x x : QF T ( ψ ) = 1 q 1 β y y, q where the β y s are the discrete Fourier transform of the amplitudes α x. The QFT is unitary, i.e. y=0 QF T QF T x = x y=0

Quantum Fourier Transform (QFT) Implement QFT on n qubits With the matrix R = 1 0 0 0 0 1 0 0 0 0 1 0 0 0 0 e 2πi/N

Period Finding Algorithm Given a periodic function f: {0,..., q 1} {0,..., q 1}, where q = 2 l, the periodicity conditions are Initialize the q.c. with the state Φ I = 0 2l f(a) = f(a + r) r 0 f(a) f(a + s) s < r. Then apply Hadamard gates on the first l qubits and the identity to the others: ( l 1 Φ 0 = H l 1 l 0 2l = 2 ( 0 + 1 )) 0 l = 1 q 1 a 0 l q Apply the unitary that implements the function f (here it is f = x a mod n) Φ 1 = U f Φ 0 = 1 q 1 a f(a) q a=0 a=0

Period Finding Algorithm Imagine one performs a measurement on f(a), then the post measurement state of the first l qubits is r Φ 1 z = a. q a:f(a)=z Remember that f is periodic and choose a 0 = min {a f(a) = z}. Now one can rewrite q/r 1 r Φ 1 z = a 0 + t r q t=0 when assuming that r q (i.e. r divides q).

Period Finding Algorithm Perform the QFT q/r 1 r Φ = QF T 1 ( Φ 1 z ) = z q t=0 = r q 2 q 1 c=0 Remark: if rc = kq for some k N then { exp 2πi q a 0c q 1 1 q } q/r 1 t=0 c=0 exp { } 2πi exp (a 0 + rt)c c q { 2πi } q trc } {{ } α c α c = q r. The probability for measuring a specific c = kq/r: P [c ] = c 2 r Φ = q α 2 c 2 = r q 2 q 2 r = 1 2 r c.

Period Finding Algorithm Overall probability to measure a c of the form kq r c=kq/r c Φ 2 = r 1 r = 1 is then The algorithm output is a natural number that is of the form kq r, with k N.

Example: Factoring n=21 1. Choose x 2. Determine q 3. Initialize first register (r 1 ) 4. Initialize second register (r 2 ) 5. QFT on first register 6. Measurement 7. Continued Fraction Expansion determine r 8. Check r determine factors

1. Choose a random integer x, 1 < x < n if it is not coprime with n, e.g. x = 6: gcd(x, n) = gcd(6, 21) = 3 21/3 = 7 done! if it is coprime with n, e.g. x = 11: gcd(11, 21) = 1 continue!

2. Determine q n 2 = 244! q = 2 l < 2n 2 = 882 q = 512 = 2 9 Initial state consisting of two registers of length l: Φ i = 0 r1 0 r2 = 0 2l

3. Initialize r 1 initialize first register with superposition of all states a( mod q): Φ 0 = 1 511 512 a=0 this corresponds to 1 2 ( 0 + 1 ) on all bits a 0

4. Initialize r 2 initialize second register with superposition of all states x a ( mod n): Φ 1 = 1 511 512 a=0 a 11 a ( mod 21) = 1 512 ( 0 1 + 1 11 + 2 16 + 3 8 +...) a 0 1 2 3 4 5 6 7 8 9 10... 11 a (mod21) 1 11 16 8 4 2 1 11 16 8 4... r = 6, but not yet observable

5. Quantum Fourier Transform apply the QFT on the first register: Φ = 1 512 511 a=0 511 c=0 e 2πiac/512 c 11 a (mod21)

6. Measurement! probability for state c, x k ( mod n), e.g. k = 2 c, 16 to occur: 511 p(c) = 1 2 e 2πiac/512 = 1 2 512 e 2πi(6b+2)c/512 512 a:11 a mod 21=16 b peaks for c = 512 6 d, d Z:

7. Determine the period r Assume we get 427: c q d r Continued fraction expansion: c q = a 0 + 427 512 = 0 + 1 1 + 1 5+ 1 42+ 1 2 = 427 512 d r! 1 1024 1 a 1 + 1, a 2 +... 1 d 0 = a 0, d 1 = 1 + a 0 a 1, d n = a n d n 1 + d n 2 r 0 = 1, r 1 = a 1, r n = a n r n 1 + r n 2, d 0 = 0, d 1 = 1, d 2 = 5, d 3 = 427 r 0 = 1, r 1 = 1, r 2 = 6, r 3 = 512

as d 0 r 0 = 0 and d 1 r 1 = 1 obviously don t work, try d 2 r 2 = 5 6 r = 6 it works! =) for c q = 171 512 we would get d r = 1 3, so using r = 3 this would not work. it only works if d and r are coprime! if it doesn t work, try again!

8. Check r check if r is even check if x r/2 mod n 1 as both holds, we can determine the factors: x r/2 mod n 1 = 11 3 mod 21 1 = 7 x r/2 mod n + 1 = 11 3 mod 21 + 1 = 9 the two factors are gcd(7, 21) = 7 and gcd(9, 21) = 3

Conclusion Shor s algorithm is very important for cryptography, as it can factor large numbers much faster than classical algorithms (polynomial instead of exponential) powerful motivator for quantum computers no practical use yet, as it is not possible yet to design quantum computers that are large enough to factor big numbers

References Shor, Peter W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM journal on computing 26.5 (1997): 1484-1509. Agrawal, Manindra, Neeraj Kayal, and Nitin Saxena. PRIMES is in P. Annals of mathematics (2004): 781-793. Bernstein, Daniel. Detecting perfect powers in essentially linear time. Mathematics of Computation of the American Mathematical Society 67.223 (1998): 1253-1283. Hardy, Godfrey Harold, et al. An introduction to the theory of numbers. Vol. 4. Oxford: Clarendon press, 1979.

Miller, Gary L. Riemann s hypothesis and tests for primality. Journal of computer and system sciences 13.3 (1976): 300-317.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback