Breaking RSA with Quantum Computing

University of Ljubljana Faculty of Mathematics and Physics Breaking RSA with Quantum Computing Blaž Bačnik Under mentorship of dr. Marko Žnidarič Ljubljana, 26 May 2008

Abstract We take a look at RSA encryption algorithm and what makes it secure. Some consideration is given to its current use, showing that it plays an important role in ensuring privacy on the Internet. A way of factoring large numbers with Shor s factorization algorithm is given, as well as a shortcut to directly breaking RSA. Next, we present basics of some of the implementations, their drawbacks and make an estimation of how long will our RSA keys remain safe. Contents 1 Introduction to Quantum Computing 3 2 RSA Encryption 4 2.1 Usage............................... 4 2.2 Mathematical Background.................... 5 2.3 Security considerations...................... 6 3 Shor s factorization 7 3.1 Reduction to order-finding.................... 7 3.2 Factorization........................... 8 3.3 Breaking RSA........................... 9 4 Implementations 10 4.1 Quantum error-correction.................... 11 5 A look to the future 13 2

1 Introduction to Quantum Computing Since the very beginnings of quantum computing in 1980s its fathers, the likes of Richard Feynman and David Deutsch, envisioned the massive computing power of quantum systems. Their power lies in the way data is represented because that allows algorithms to manipulate data in parallel. Such algorithms, called quantum algorithms, do not operate on classical bits representing data where every bit can only take either of the two states, but rather operate on quantum bits, or qubits. Qubits have quantum-mechanical properties, most importantly they can be in superposition. In terms of wavefunction, qubits can be expressed as Ψ = α 0 + β 1. It would seem that as long as we can produce qubits in a superposition of states and we can perform certain operations on them, we should gain unmatched parallelism. But the problem arises when we want to measure the results of our computations. Due to fundamental behaviour of quantum mechanics, measurement causes a collapse of qubit s wavefunction to one of the base states. For that reason we only get result for one of all the possible outcomes of our algorithm and so we have to repeat the whole procedure if we would like to get any of the other possible outcomes. It is actually even worse since we only measure a particular outcome with a certain probability. It might take a lot more measurements, and consequently executions of algorithm, than there are possible outcomes to obtain all the results. So far we haven t actually gained anything. But what if we were able to devise an algorithm whose results would all share same specific property? Then perhaps we would be able to learn something with just a couple of measurements. Indeed, such algorithms exist. Unfortunately, they aren t general instructions to exploit quantum mechanics for arbitrary parallelizable algorithms, due to reasons stated above, but are solutions to specific problems, results of which already possess some nice properties. Today we know of Deutsch-Jozsa, Grover s and Shor s algorithms. While the former served as a base to the other two, it doesn t have any practical use. On the other hand, the latter two do. Especially Shor s algorithm, which could have severe implications in cryptography. 3

2 RSA Encryption RSA is the most widely used coding mechanism for public-key cryptography today. Public-key cryptography is a method of encryption where a person obtains a unique pair of keys. Keys from the pair are related and one, called a public key, they publish for everyone to see. This key is then used to encrypt a message sent to the owner of the key pair. At the same time the other key from the pair, called a private key, must be kept secret as it is used for decrypting messages encrypted with a corresponding public key. 2.1 Usage Public-key encryption schemes are very popular as they are quite practical. They do not require both parties to agree upon a passphrase before-hand as is the case with the well-known method we call a symmetric-key cryptography. In symmetric-key cryptography the same key is used for both encryption as well as decryption. For public-key encryption schemes this means that there is no need to communicate a passphrase which generally requires a different communication channel. Reason for it being that this channel must be trusted and secure. In public-key cryptography all the communication can go through public, untrusted medium, ie. the Internet. One must only authenticate a public key, which is to ensure that the used key actually belongs to the person they want to communicate with. This might still require some form of interaction between the parties, either direct or indirect, but it is a one-time process. This is a major benefit. The key exchange or authentication can also be done via third party that both users trust. This is sometimes referred to as a chain of trust. RSA encryption in particular is used in Public-Key Infrastructure, or PKI for short. PKI serves as a base for securing different electronic transactions, most notably in e-commerce and electronic banking. Lately, governments have started using this technology as well. Of particular interest to readers could be Slovenian euprava as they might be familiar with the service. It utilizes PKI and, consequently, RSA encryption. 4

2.2 Mathematical Background RSA coding algorithm by itself is based on finite groups of integer numbers. Group operation is multiplication modulo N and N is a fixed integer number, usually a product of two prime numbers p and q. RSA public key consists of a pair (e, N), where e is public key exponent. Likewise, a pair (d, N) represents private key, with d being private key exponent respectively. d and e are chosen in a way that ed 1 mod (p 1)(q 1) is true. Encryption is then performed in two steps; message M is mapped to an integer m < N (this is just a trivial technicality) m is then ciphered to c according to the following equation Similarly, for decryption integer m is deciphered from c by relation c m e mod N. (2.1) m c d = (m e ) d = m ed mod N (2.2) and then m is reverse-mapped back to original message M. 5

2.3 Security considerations Strength of a cipher is a measure of how secure it is or, in other words, how hard it is to obtain the original message without prior knowledge of the key needed for decryption. RSA relies on the fact that evaluating equation (2.2) for every possible private key d is computationally expensive, even with efficient algorithms such as square-and-multiply 1. Another assumption that RSA depends on is that no efficient method for factoring large numbers exists. This is important since such a method would greatly simplify equation (2.2) by factoring N. For this reason alone N has to be big and a product of two prime numbers if security is desired. The size of N is usually expressed in bits. Since log 2 N is not always an integer, we define its size in bits n as ceil; n = log 2 N. Typically used N are roughly 300 decimal digits long and corresponding RSA keys consist of 1024 or more bits. The largest number factored as of this writing was RSA-200 which is 663 bits or 200 decimal digits long. While the difference between 663- and 1024-bit key does not seem that big, one must account for the fact that factoring this 663-bit number already took the equivalent of a 75 years work for a single 2.2 GHz personal computer. The best known conventional algorithm number field sieve does not scale too well with n either. It runs in ) O (e ( 649 ) 1/3 n 1/3 (log n) 2/3 (2.3) steps, or non-polynomial time. In comparison, if n is 256 bits or less, N can be factored in a couple of hours on that same personal computer. Adi Shamir, that is S in RSA (named after its inventors), has in collaboration with his colegue devised a device named TWIRL which could hypothetically factor 1024-bit numbers in a time scale of a year 2. Even though at the moment TWIRL is still nothing more than a concept of a highly optimised classical device for factoring numbers, the currently recommended key length is 2048 bits. 4096-bit key implementations are already available as well and these are practically considered unbreakable with conventional computers in the forseeable future. 1 Square-and-multiply is basically an optimized way of evaluating equations (2.1) and (2.2). 2 At the cost of a few dozen million US dollars.[1] 6

3 Shor s factorization In 1994 an algorithm for factoring numbers was presented by Peter Shor of AT&T Research. It requires only O ( n 2 log n log log n ) (3.1) steps for factoring n-bit numbers which is an enormous reduction from exponential time of classical algorithms (2.3). Basically, Shor managed to translate number factoring into order-finding that can be done efficiently with quantum computers. 3.1 Reduction to order-finding Mathematical foundation for Shor s work lies in the same finite group theory that is also the basis of RSA. As said, group operation is multiplication modulo N and group elements are integer numbers. Now suppose that x is coprime to N, meaning that x and N share no common factors. In other words, their greatest common divisor, GCD(x, N), equals 1. Then we can define order of x modulo N as the lowest positive integer r such that holds true. function x r 1 mod N (3.2) This is always possible, since number theory guaranties that f(a) = x a mod N is periodic if x is coprime to N. If then f is a periodic function, it has some period r. Therefore it follows that x 0 x 0+r mod N 1 x r mod N and order r exists, since it is a period of f. Suppose further that r is even. From equation (3.2) it then follows x r 1 mod N ( ) x r 2 2 1 mod N ( ) x r 2 2 1 0 mod N ) ) (x r 2 + 1 (x r 2 1 0 mod N, meaning that N divides (x r/2 + 1)(x r/2 1). As long as 1 < x r/2 < N 1 holds true, then 0 < x r/2 ± 1 < N and, obviously, N cannot divide any of them. Since N does divide their product, at least one of them has to 7

share a non-trivial factor with N. Therefore either GCD(x r/2 + 1, N) or GCD(x r/2 1, N) yields a factor of N. Previously a lot of assumptions were made. First, x has to be chosen to be coprime with N. This can be easily accomplished by choosing a random number from (1, N) and computing GCD(x, N). If GCD(x, N) = 1, x is coprime to N, otherwise a factor of N has just been found. Second, r has to be even and 1 < x r/2 < N 1. According to [2], if x is chosen uniformly at random, it has rather high probability of satisfying these conditions. Actual probability is P 1 1 2 k 1 where k is a number of prime factors of N. Considering worst-case scenario of N being a product of two primes, probability of choosing an appropriate x at random is still good greater than or equal to 0.5. While this makes algorithm probabilistic, it does not pose a serious problem. Use of GCD is acceptable as well, since it can be implemented efficiently, ie. with Euclidean algorithm. 3.2 Factorization The actual algorithm can then be constructed as follows; 1. Find x coprime to N 2. Using Quantum Period Finding obtain order r 3. If r does not satisfy conditions from 3.1, retry by returning to step 1 4. Return factor of N from GCD(x r/2 ± 1, N) It should be noted that all the steps can be performed on a classical computer as they are classical by their nature. The only exception is step 2. This factorization relies on Quantum Period Finding (QPF) to do all the heavy lifting. QPF works by first calculating 2 j powers of x modulo N; x, x 2, x 4, x 8,..., x 2n 1 mod N. This computation is performed by a square-and-multiply algorithm, also known as modular exponentiation or exponentiation by squaring. Next, a register, denoted by z, is prepared in a superposition of states and the following operation is performed x z mod N = (x z 02 0 mod N)(x z 12 1 mod N)... (x z n 12 n 1 mod N). Since, naively speaking, every qubit of z represents both 0 and 1 at the same time, the product x z contains the combination of chosen x to every exponent up to 2 n 1. As there is no way for us to just read the contents from a quantum register due to collapse of wavefunction after measurement, we perform quantum Fourier transform on register z to obtain the period r. 8

To illustrate Shor s algorithm, we will factor number 21. First we choose x = 2, since 2 is a prime number and so it is coprime to 21. Second, we find period r of f(a) = 2 a mod 21. Because we do not have a quantum computer at hand (yet), we make a table of f(a) by conventional means. a 0 1 2 3 4 5 6 f(x) 1 2 4 8 16 11 1 It is obvious that period r is 6 and is even. It also satisfies relation 1 < 2 3 mod 21 < 20 and GCD(8 + 1, 21) = 3 actually yields a factor of 21. In this particular case GCD(8 1, 21) = 7 does as well. 3.3 Breaking RSA Even though RSA encryption can be broken by factoring N, there exists a shortcut. In section 2.2 we said that we encrypt a message by relation c m e mod N. For decrypting this message knowledge of order r of c modulo N is sufficient. To show this, suppose we know d such that Thus we can write for some integer q and e d 1 mod r. (3.3) e d = 1 + qr c d (m e ) d m e d m 1+qr mod N. As m has to be coprime to N for RSA to function, exponentiation of m has to be a periodic function. Exponentiation of c is a periodic function as well and m is part of the set of values that c takes during exponentiation because c d m mod N. This, in turn, means that period of m must be equal to period of c. Strictly speaking, numbers coprime with N form subgroups under group modulo N and order r denotes number of their elements. Since subgroup generated by c contains m = c d and subgroup generated by m contains c = m e, they must be identical, which is the reason their orders are the same. If order of m is r, then m r 1 mod N and m 1+qr m(m r ) q m(1) q m mod N. Now we see that we can obtain d from equation (3.3) with extended Euclidean algorithm if we know the period r of encrypted message c. ( d, N) is then private key pair used for decryption. 9

4 Implementations Figure 1: Molecule used for computation in IBM-sponsored 7-qubit quantum computer being the first to perform Shor s factorization[3] Even though we have seen a couple of actual working implementations of quantum computers, they are generally still more of a proof-of-concept experiments than they are actually useful. The only type of quantum computer constructed that managed to perform Shor s algorithm was NMR-based. It used spins from a single molecule for its quantum register (Figure 1) that was manipulated with radiofrequency pulses and the answer was read from a nuclear magnetic resonance spectrum. Thus, it should not be surprising that it was very limited and NMR is generally not considered a scalable architecture. Figure 2: Superconducting niobium-based quantum computer from D-Wave Systems, Inc. with 16 qubits that cannot perform Shor s factorization[4] In November 2007 Canadian firm D-Wave Systems, Inc. presented a 28-qubit successor to their 16-qubit adiabatic quantum computer (Figure 10

2). With this technique supposedly metals like aluminium and niobium are cooled to superconducting state, so electrons in the metals form Cooper pairs. Qubits are manipulated by slowly varying magnetic field. Nevertheless, this implementation cannot perform Shor s factorization, which caused a lot of controversy. Moreover, the fact that the development team seems reluctant to provide any insight into workings of their computer, led many scientist to doubt wether D-Wave actually have a working quantum computer. Besides, recent research shows that quantum adiabatic computation might have other limitations, such as being too time consuming. Trapped ion quantum computers, being currently the most prominent architecture, work on charged atomic particles that are confined with electromagnetic field and manipulated by laser pulses. Even though every basic operation was experimentally tested and a fair amount of research papers were published, describing scalable trapped ion architectures based on currently available technology, we are still waiting for an operating implementation. A couple of other types of quantum computers are known, some of which are quite interesting, e.g. topological ones. Here, anyon braids form qubits and are considered very stable, since a small perturbation cannot easily change topological properties of the braids. This kind of computer is only theoretical for the moment, although gallium arsenide near absolute zero in strong magnetic field could create braids as indicated by recent research in this field. Obviously, current state of quantum computers does not provide many qubits and for this reason optimization of Shor s algorithm was developed. Instead of previous storage requirements of about 5n (n being number of qubits), algorithm with only 2n + 4 required qubits was presented[5]. Of course this improvement in storage space resulted in increased execution time. This modification, called Linear Nearest Neighbour Qubit Array, now requires O ( n 3) steps, which is still comparable to original algorithm, but we have gotten interaction restrictions to nearest neighbour for free. 4.1 Quantum error-correction Noise presents a problem in every computer system to date and quantum computers are no different. Rules of the game on the other hand are. Standard way of dealing with errors in classical systems is to make copies of data to provide redundancy. But quantum world is governed by no-cloning theorem and collapse of wavefunction upon measurement, so, at the first glance, it would seem that classical methods would not work. Thanks again to Peter Shor, we know of a simple quantum code which can protect against noise. The basic idea is to encode a single qubit on multiple qubits since probability of more qubits simultaneously getting corrupted lowers. We start as we would with classical computers by encoding the 11

bit we wish to protect, in this case on 2 additional qubits. α 0 + β 1 α 000 + β 111 We can then check for a bit flip error with projection operators (bit flip error here signifies that one of the bits changed) P 0 = 000 000 + 111 111 ; no error P 1 = 100 100 + 011 011 ; bit flip on qubit 1 P 2 = 010 010 + 101 101 ; bit flip on qubit 2 P 3 = 001 001 + 110 110 ; bit flip on qubit 3 and we see that measurement does not cause any change to the state (it is the same before and after measurement). So we have found out wether an error occured without disturbing measured state and can then recover original state. This works as long as at most one qubit gets corrupted. We can apply the same procedure for phase flip protection. Phase flip error is when α 0 + β 1 α 0 β 1 happens. If we work in qubit basis + = 1 2 ( 0 + 1 ) = 1 2 ( 0 1 ), phase flip acts like bit flip on + and. So, we can combine both protections into Shor code by first doing phase flip code 0 + ++, 1 and then bit flip code on each qubit + or. We get 0 1 2 ( 000 + 111 )( 000 + 111 )( 000 + 111 ) 2 1 1 2 ( 000 111 )( 000 111 )( 000 111 ) 2 which protects against bit and phase flip. That comes at a cost of 9 qubits for encoding only one. Though, it is most surprising how quantum errorcorrection of a discrete set of errors corrects continuous errors. It should be noted, however, that there exist other error-correction codes, some of which require only 5 qubits. This is theoretical lower bound as well.[6] Besides noise, errors get introduced into quantum computation systems by decoherence. It is result of system s interaction with environment. Since qubits here are coupled to a common quantum reservoir and therefore errors are not independant, error-correction codes do not help, for they assume errors are either independent or mildly dependant in that the probability of errors that affect k qubits drops off exponentially in k.[7] This kind of correlated errors might be what will ultimately keep us from constructing a scalable quantum computer. 12

5 A look to the future Taking into account requirements for quantum error-correction, which seem to be architecture independant, it looks like practically-usable quantum computers will have to handle at least 2048 5 = 10240 qubits in order to have a shot at breaking today s 2048-bit RSA keys. Figure 3: Comparison of Moore s law with experimental data[8] Moore s law (Figure 3) relatively accurately describes a trend of computer hardware nowadays doubling of the number of transistors that can be inexpensively placed on an integrated circuit every two years actually means exponential growth. It describes a mature industry based on a scalable platform. Even if Moore s law held for quantum computers as well, we couldn t really expect to see them in widespread use anytime soon. But reality looks even worse. We are still about three or four orders of magnitude away from 10000-qubit machines and the one architecture that actually works (NMR) doesn t really scale, while the other supposedly functioning (adiabatic) has problems running quantum algorithms, Shor s in particular. Unless there is some breakthrough in the field, it should be obvious that expecting commercially available quantum computers in the next couple of years would be illusory. This is not only true for general-purpose machines, where perhaps a better estimate would be decades, but it holds for specialpurpose devices as well. This should be reason enough not to worry about security of our Internet communications in the near future, at least as far breaking RSA encryption with quantum computing is concerned. 13

References [1] http://people.csail.mit.edu/tromer/twirl/, accessed 10 May 2008 [2] A. Ekert and R. Jozsa: Quantum computation and Shor s factoring algorithm, Reviews of Modern Physics 68, 733-753 (1996) [3] http://domino.research.ibm.com/comm/pr.nsf/pages/news.20011219 quantum.html, accessed 10 May 2008 [4] http://www.sciam.com/article.cfm?id=first-commercial-quantumcomputer, accessed 10 May 2008 [5] Austin G. Fowler, Simon J. Devitt, Lloyd C. L. Hollenberg: Implementation of Shor s Algorithm on a Linear Nearest Neighbour Qubit Array, Quant. Info. Comput. 4, 237-251 (2004) [6] Michael A. Nielsen, Isaac L. Chuang: Quantum Computation and Quantum Information, Cambridge University Press, 2000 [7] Robert Alicki, Michal Horodecki, Pawel Horodecki, Ryszard Horodecki: Dynamical description of quantum computing: generic nonlocality of quantum noise, Phys. Rev. A 65, 062101 (2002) [8] http://en.wikipedia.org/wiki/moore s law, accessed 20 May 2008 [9] http://people.ccmr.cornell.edu/ mermin/qcomp/chap3.pdf, accessed 9 May 2008 14