arXiv:1511.04385v3 [quant-ph] 2 Mar 2017 e loihs trtrsannrva atro ninteger an of factor nontrivial a N returns factoring classical it Like algorithms, computers. quantum of plication ntelnt of polynomially length just the increases in runtime efficiently—its this unu uruiea h er fSA h quantum the the calcu- SFA, lates efficiently QOFA of (QOFA). algorithm heart the finding to the order due at is speed-up subroutine This quantum algorithms. classical best the teger eueQF ofidteorder the find to QOFA use we orm integers coprime aearayfudannrva atrof factor nontrivial a found already have vn(hc cuswt rbblt tleast at probability with occurs (which even omndivisor common ortr iio fteorder.) the of divisor a return to operator modulo o.I h nieyeetthat event unlikely the In dom. atrof factor a loih 41] nti etrw aeadffrn ap- the applying SFA. different to by of theory a failure number of take in probability results we elementary the letter reduce this we In proach: [4–10]. algorithm eanhdwt ieetrno au of value random different if a with or relaunched found, not is factor i hrsfcoigagrtm(F)[]i rmsn ap- promising a is [1] (SFA) algorithm factoring Shor’s F rcesa olw:a integer an follows: as proceeds SFA u anrsl concerns result main Our the of part quantum the on done been has work Much > = Q 0 > r u,ulk t lsia oneprs F does SFA counterparts, classical its unlike But, . i k =1 3 order cl oyehiu/I n ntttntoa erecherch de national Institut and Polytechnique/LIX École 0 p i e N uhthat such motn ls fnmesue ncytgah.Wt uto just With cryptography. in used numbers of class important osrc ntelb n nte(niey aeo alr,t failure, of case (unlikely) the randoml in a and need lab; modification. not the does in it impro SFA, construct speed-up, unlike a as advantages: well practical As semiprimes. safe factors always od) vns,w rsn oesml ubrtertctri theoretic number simple some general present for algorithm we best so, the Even still words). is SFA that conclude and otnsuigeeetr eut nnme hoy improv theory, number in factors. results elementary using routines unu ehnc esu efr ffiinl.SAtu consi thus a SFA is efficiently. heart perform its us At lets encryption. mechanics contemporary quantum undermine to tial ihpoaiiyu to up probability with gorithm i hr the where , ecnie eeaiigti eutt te ae,althou cases, other to result this generalizing consider We h eutn unu atrn loih sbte hnSF than better is algorithm factoring quantum resulting The hrsfcoigagrtm(F) yisaiiyt efficient to ability its by (SFA), algorithm factoring Shor’s a egvnby given be may fa integer an of I rcie OAi nyguaranteed only is QOFA practice, (In . .INTRODUCTION I. a N of rdrcGrosshans, Frédéric and sopsdt uepnnilyfor subexponentially to opposed as , atrn aeSmpie ihaSnl unu Query Quantum Single a with Semiprimes Safe Factoring a QF) okne ycasclruie hc,gvnteor the given which, routines classical by bookended (QOFA), and a N r 2 OArtrstesals in- smallest the returns QOFA , r p TI—TlcmPrseh 3aeu ’tle 51,Paris, 75013, d’Italie, avenue 23 ParisTech, Télécom — LTCI mod N i sod hntepoeueis procedure the then odd, is aesemiprimes safe r rms with primes, are sgetrthan greater is ) a N modulo N ahn nv ai-aly 10 ra,France Orsay, 91405 Paris-Saclay, Univ. Cachan, ENS r 1 1 = gcd( gcd( 1 of aoaor iéCto,CR,Ui.Paris-Sud, Univ. CNRS, Cotton, Aimé Laboratoire / 2 a hs lsia otnsfi,adQF utb eu.W mo We rerun. be must QOFA and fail, routines classical these , where , 1 ,N a, a a modulo r/ hmsLawson, Thomas N scoe tran- at chosen is 4 2 NI n cl Polytechnique/LIX École and INRIA hti,given is, that : N ) ± classical endhere defined , Otherwise, . (the a p 1 mod 1 1 i N , [1–3]. N hnwe then , / 6= Dtd ac ,2017) 3, March (Dated: 2 greatest If . ) ,then ), p fa If . sthe is j part and r is 2 rnosMorain, François OA atr aesemiprimes safe factors QOFA, probability. 1 lsia otnsfi ofco hs ubr afthe half numbers these factor to fail routines classical ob h product the be to p rmswr nrdcdb oheGrani e study [11]. her theorem in last Germain Fermat’s Sophie of by introduced were primes rmscmsfo h adest atrterproducts their factor “ to Pollard’s hardness using the from comes primes togprimes strong fqartcrsde modulo residues hash quadratic random a of that come fact properties the Both from attack assumption. message RSA chosen strong adaptive the security under an the against prove scheme the to of importantly, more and, generation hu intr cee[6,weetepiaiyof primality the Cramer– where the [16], in scheme q used signature are Shoup semiprimes safe semiprimes, National the [15]. in 186-4 recommended FIPS still Standard’s are of Institute they contested if is even recommendation [14], this that but such primes factors prime prime strong is large to related that led cryptography, the This RSA using reason. for this of for recommendation factor held to the widely discovery hardest were the the they being Until [13], as factorization theory. well curve number are elliptic and of of prime, terms strong in all of defined strongest the are primes ag rm atr The factor. prime large 1 2 − epeeta loih hc,gvnoecl to call one given which, algorithm an present We hyaenwcalled now are They neednl fterrltosi ostrong to relationship their of Independently fteform the of and 4 nifraiu te uoaiu (INRIA) automatique en et informatique en e /N igecec ie u loih other, algorithm our gives efficiency ving n h ieiodta hyrtr the return they that likelihood the ing ubr nnsf eirms nother in semiprimes, safe (non numbers yfco ag ubr,hstepoten- the has numbers, large factor ly esm ici a errn without rerun, be can circuit same he ncnrs,frasnl ur fQF,SFA’s QOFA, of query single a for contrast, In . q ecl oQF,oragrtmalmost algorithm our QOFA, to call ne hw ontfidasml extension, simple a find not do we gh 2 k o mrvn F nti case. this in SFA improving for cks ikdipt aigi ipe to simpler it making input, picked y rcs aldodrfidn,which finding, order called process tfcoigsf eirms an semiprimes, safe factoring at A lost euetecs ftesignature the of cost the reduce to allows t fa of sts —primes 3 p p n ejmnSmith Benjamin and e,rtr h atr.But, factors. the return der, i − N 2 = unu re nigal- finding order quantum 1 atrn loih 1] h safe The [12]. algorithm factoring ” = q p safe i p strong uhthat such France 1 1 + p 2 eas fterrlto to relation their of because where , ftosf primes safe two of and N N h iythese dify p eeae h group the generates ihoverwhelming with ihprobability with safe 4 − q i 1 spie Safe prime. is aeo these of name a tlata least at has p − p 1 1 and has ≈ 2 time. Two concepts from elementary number theory will be At the core of our algorithm is the simple observation essential throughout this letter. In the following that for these numbers, the output d of QOFA always k divides 2q1q2, and all divisors of 2q1q2, except 1 and 2, ei N = Y pi , allow to compute p1 and p2. This information, contained in d, is not used optimally by SFA. Interestingly, the i=1 property that makes safe semiprimes the hardest num- where the pi are distinct primes. The first important bers to factor using Pollard’s classical p 1 algorithm is concept is the Euler φ function, exactly that which makes them easy to− factor with our k quantum algorithm. We also consider moving from the i− φ(N)= pe 1(p 1), (1) special case of safe semiprimes to general numbers. Al- Y i i − i=1 though the proofs do not extend naturally, we find a few tricks that may make factoring general numbers easier. which gives the number of integers x in [1,N] such that The idea of modifying the classical parts of SFA so gcd(x, N)=1. The second is the Carmichael λ func- as to reduce the dependence on QOFA is not new, al- tion, λ(N), defined as the smallest integer such that though previous studies fine-tune the algorithm, rather xλ(N) mod N = 1 for every x satisfying gcd(x, N)=1. than re-think part of it, as we try to do. References [17– It follows that if r is the order of some a modulo N, then 19] discuss how best to pick a to maximize the probability r λ(N). Carmichael’s theorem shows that if N factors | of factoring. References [2, 20] increase efficiency by ex- as above, then tracting r from failed outputs of QOFA. These results e1 ek offer practical advantages beyond simple theoretical im- λ(N) = lcm(λ(p1 ),...,λ(pk )) , (2) provements: although efficient in theory, in practice each where call to QOFA needs an individual experiment, which is ei ei time-consuming and costly in resources. Indeed, for some λ(pi )= φ(pi ) for odd primes pi, (3) architectures—photonics, for instance—each experiment 1 − λ(2ei )= φ(2ei )=2ei 2 for e > 2, (4) requires a new circuit. 2 i Beyond its low failure rate, our algorithm has two ad- 1 2 vantages when factoring safe semiprimes (and possibly a and λ(2 )=1, λ(2 )=2. larger class of numbers). The first is that rather than picking the value of a randomly, we can keep it constant. In this letter we use a =2, but other sensible choices can III. FACTORING SAFE SEMIPRIMES be made. The second is that, when our algorithm does fail, exactly the same circuit can be used again, unlike A semiprime is a product of two primes, hence finding SFA which needs to be reset with a different value of a. any nontrivial factor of a semiprime amounts to find- We note that this is not the first time specific values ing its complete prime factorization. An odd prime p is called safe if (p 1)/2 is also prime (note that p 1 is of a have been used in investigations of SFA. Experi- − − mentalists, held back by young technology, have so far always divisible by 2 when p is odd, so p being safe can be understood to mean that p 1 is “as close to prime picked values of a that let them simplify the circuit and − focus on certain interesting parts of the algorithm [4–10]. as possible”). A safe semiprime is a product of two safe Reference [21] highlighted the danger of this approach, primes. arguing that the value of a should not rely on knowledge of the factors. We emphasize that the success of our al- gorithm does not rely on knowing the factors in advance: A. Semiprimes and Euler’s φ function our value a = 2 is obviously independent of the number being factored. If N = p1p2 is a semiprime [22] (including—but not restricted to—the case of safe semiprimes), then knowing φ(N) is sufficient for finding a factor of N. Indeed, the II. NUMBER THEORETIC TOOLS factors can be found immediately and deterministically. In this case φ(N)= N +1 (p1 + p2) which, when solved simultaneously with N = p−p , gives a factor. Explicitly, We write x y to mean x is a divisor of y: that is, 1 2 expanding the product (X p )(X p ) shows that p there exists an| integer z such that y = xz. A positive 1 2 1 and p are the solutions of− the quadratic− equation integer is prime if it has no divisors other than itself 2 2 and 1. If y1,...,yk are integers, then gcd(y1,...,yk) de- X (N φ(N)+1)X + N =0 . (5) notes their greatest common divisor: that is, the largest − − positive integer x such that x y for all 1 i k. Du- For general N = k pei , Miller [23] has shown that | i ≤ ≤ Qi=1 i ally, lcm(y1,...,yk) denotes the least common multiple knowing both N and φ(N) lets us efficiently factor N of the yi: that is, the smallest positive integer x such that probabilistically, or deterministically under the extended y x for all 1 i k. Riemann hypothesis. i | ≤ ≤ 3
1/2. The probability would be exactly 1/2 if QOFA TABLE I: The possible multiplicative orders for integers mod- ≤were a perfect order finding algorithm: looking at Table I, ulo safe semiprimes N = p1p2 (where pi = 2qi + 1 with 1 2 1 2 we see that for a given a we have P (r is even)=3/4, but p , p , q , and q all prime). The number of integers is de- r/2 duced from the isomorphism between the multiplicative group then P (a 1 (mod N)) = 2/3; so the probability × 6≡ − (Z/nZ) and the product of cyclic groups C2q1 C2q2 . that a uniformly randomly chosen a yields a factor is × 3/4 2/3=1/2. Taking QOFA imperfection into account (that· is, the fact that QOFA sometimes returns a proper Number of integers r Restrictions on a divisor of ordN (a)) decreases this probability. It follows 1 a < N of order r ≤ that if N is a safe semiprime, then the expected number 1 1 a = 1 of iterations of SFA—and hence the expected number of a = N 1 and two calls to QOFA—is 2. When a = 2 is fixed and the 2 3 − ≥ other a √N + 1 > 2 safe semiprime is chosen randomly, SFA is conjectured ≥ to succeed with probability 1 . A numerical investigation 1 1 2 q q 1 a = 2 12 − 6 of all the 960,392,564 safe primes pi 10 indeed gives q2 q2 1 a = 2 1 −10 ≤ − 6 success probability 2 2.06 10 . 2q1 3(q1 1) a = 2 − × − 6 2q2 3(q2 1) a = 2 − 6 q1q2 (q1 1)(q2 1) C. Factoring safe semiprimes with one call to − − 2q1q2 3(q1 1)(q2 1) QOFA − − We propose a change in the classical part of SFA. This leads to a new, simple quantum factoring algorithm B. Shor’s factoring algorithm for safe semiprimes which almost always succeeds in factoring a safe semi- prime N = p1p2 = (2q1 + 1)(2q2 + 1) with exactly one Let N = p1p2 be a safe semiprime, so p1 =2q1 +1 and call to QOFA. p2 = 2q2 +1 with q1 and q2 both prime. SFA chooses a The algorithm is given in pseudocode in Algorithm 1. random residue a modulo N and attempts to compute its It is based on Lemma 1 which shows that the only two order r using a call to QOFA. SFA iterates this process possible values for ordN (2) are q1q2 and 2q1q2, and that until r is even and ar/2 is not congruent to 1 modulo QOFA returns a useful factor of ordN (2) with extremely r/2 − N; if r = ordN (a), then gcd(a 1,N) yields a factor high probability. of N (either p or p ). − 1 2 Lemma 1. We have φ(N)=4q q and λ(N)=2q q . As noted Let N = p1p2 = (2q1 + 1)(2q2 + 1) be a safe 1 2 1 2 semiprime, with q = q and q , q > 2 (so in particular, above, if r is the order of some a modulo N, then r 1 6 2 1 2 | p1 and p2 are distinct safe primes greater than 3). Then λ(N); so r must be one of the eight divisors of 2q1q2. Their frequencies are listed in Table I. 1. ordN (2) is either q1q2 or 2q1q2. Despite its name, QOFA does not always return the order of a modulo N. In practice, the quantum Fourier 2. QOFA yields d q1, q2, q1q2, 2q1, 2q2, 2q1q2 with transform (QFT) in QOFA yields an approximation of probability 1 ∈1 { 1 4 ; otherwise, d }1, 2 . − q1q2 ∼ − N ∈{ } the fraction t/ ordN (a) for some integer t uniformly ran- domly chosen from 1,..., ordN (a) [3]. The quality of Proof. Referring to Table I, we know that there are only this approximation depends{ on the implementation} of the eight possibilities for the order of an integer modulo N: QFT: the output is always a bit granular and blurred, namely, the four odd values 1, q1, q2, and q1q2, and the depending on the number of qubits [2, 3, 20]; circuits four even values 2, 2q1, 2q2, and 2q1q2. But ordN (2) approximating the QFT are available to save resources can never be 1 or 2, since N > 3. Now, note that at the expense of precision [24–26]. In all theses cases; ord (2) = lcm(ord 1 (2), ord 2 (2)) (since p = p ) and N p p 1 6 2 the exact value of the output of an ideal QFT can be ord i (2) λ(p )=2q . Hence, ord (2) cannot be q , p | i i N 1 found with high probability by trying values neighboring q , 2q , or 2q , since otherwise ord 2 (2) would in 1, 2 , 2 1 2 p { } close to the output [2, 20]. As our primary theoretical which contradicts p2 > 5. The only remaining possibili- concern is independent of this implementation-dependent ties for ordN (2) are q1q2 and 2q1q2, which proves the first consideration, we simplify our theoretical analysis by as- statement. suming the implementation to actually give us t/ ordN (a) For the second statement, recall that QOFA returns exactly. QOFA then uses a continued fraction expansion ordN (2)/ gcd(t, ordN (2)) for some uniformly randomly to get d = ordN (a)/ gcd(t, ordN (a)). The probability distributed integer t in 1,..., ord (2) . But we have { N } that this is the true order depends visibly on the number just seen that the value of ordN (2) can only be q1q2 or of nontrivial divisors of ordN (a). 2q1q2. If ordN (2) = q1q2 then QOFA only returns 1 if We can use Table I to prove that if N is a safe semi- t = q1q2, which occurs with probability 1/(q1q2); it can- prime and we sample a uniformly at random, then each not return 2. If ordN (2) = 2q1q2 then QOFA returns 1 iteration of SFA yields a factor of N with probability if t =2q1q2 and 2 if t = q1q2; the probability of t taking 4 one of these two values is 2/(2q1q2)=1/(q1q2). Hence, Algorithm 1 Given a safe semiprime N = p1p2, where regardless of the true value of ordN (2), the probability of p1 =2q1 +1 and p2 =2q2 +1 with p1, p2, q1, and q2 all having a “bad” t leading to a result of 1 or 2 is 1/(q q ), distinct primes, returns p ,p or Failure 1 2 { 1 2} which tends to 4/N for large N. 1: function FactorSafeSemiprime(N) 2: if 5 N then return 5, N/5 | { } Let d be the result of QOFA applied to 2 modulo N. 3: d Qofa(2, N) Our algorithm then attempts to recover the factors of 4: if ←2 d then s d N from d. The cases of odd and even d are virtually 5: else| s 2d ← ← identical, and we can unify them by setting s = d if d 6: if s = 2 then return Failure ⊲ Prob. 1/(q1q2) is even, and s = 2d if d is odd; then s = 2, 2q1, 2q2, 7: if s
[1] P. W. Shor, “Algorithms for quantum computation: Dis- Q. Zhou, and J. L. O’Brien, “Experimental realization crete logarithms and factoring,” in Proc. 35th Annu. of Shor’s quantum factoring algorithm using qubit recy- Symp. Foundations of Computer Science and IEEE Com- cling,” Nat Photon, vol. 6, pp. 773–776, 11 2012. puter Society and Los Alamitos and CA, pp. 124–134, [9] E. Lucero, R. Barends, Y. Chen, J. Kelly, M. Mariantoni, 1994. Ed. S. Goldwasser. A. Megrant, P. O’Malley, D. Sank, A. Vainsencher, [2] P. W. Shor, “Polynomial time algorithms for prime fac- J. Wenner, T. White, Y. Yin, A. N. Cleland, and torization and discrete logarithms on a quantum com- J. M. Martinis, “Computing prime factors with a Joseph- puter,” SIAM J. Sci. Statist. Comput., vol. 26, p. 1484, son phase qubit quantum processor,” Nat Phys, vol. 8, 1997. pp. 719–723, 10 2012. [3] M. A. Nielsen and I. L. Chuang, Quantum Computation [10] T. Monz, D. Nigg, E. A. Martinez, M. F. Brandl, and Quantum Information. Cambridge U.P., 2000. P. Schindler, R. Rines, S. X. Wang, I. L. Chuang, and [4] L. M. K. Vandersypen, M. Steffen, G. Breyta, C. S. Yan- R. Blatt, “Realization of a scalable Shor algorithm,” Sci- noni, M. H. Sherwood, and I. L. Chuang, “Experimental ence, vol. 351, no. 6277, pp. 1068–1070, 2016. realization of Shor’s quantum factoring algorithm using [11] R. Laubenbacher and D. Pengelley, “‘Voici ce que j’ai nuclear magnetic resonance,” Nature, vol. 414, no. 6866, trouvé:’ Sophie Germain’s grand plan to prove Fer- pp. 883–887, 2001. mat’s last theorem,” Historia Mathematica, vol. 37, no. 4, [5] C.-Y. Lu, D. E. Browne, T. Yang, and J.-W. Pan, pp. 641–692, 2010. “Demonstration of a compiled version of Shor’s quantum [12] J. M. Pollard, “Theorems on factorization and primal- factoring algorithm using photonic qubits,” Phys. Rev. ity testing,” Mathematical Proceedings of the Cambridge Lett., vol. 99, no. 25, p. 250504, 2007. Philosophical Society, vol. 76, pp. 3049–3052, 1974. [6] B. P. Lanyon, T. J. Weinhold, N. K. Langford, M. Barbi- [13] H. W. Lenstra, Jr., “Factoring integers with elliptic eri, D. F. V. James, A. Gilchrist, and A. G. White, “Ex- curves,” Ann. of Math. (2), vol. 126, no. 3, pp. 649–673, perimental demonstration of a compiled version of Shor’s 1987. algorithm with quantum entanglement,” Phys. Rev. Lett., [14] R. L. Rivest and R. D. Silverman, “Are ‘strong’ primes vol. 99, p. 250505, Dec 2007. needed for RSA?.” Cryptology ePrint Archive, Report [7] A. Politi, J. C. F. Matthews, and J. L. O’Brien, “Shor’s 2001/007, 2001. quantum factoring algorithm on a photonic chip,” Sci- [15] National Institute of Standards and Technology, FIPS ence, vol. 325, no. 5945, p. 1221, 2009. PUB 186-4: Digital Signature Standard (DSS). Gaithers- [8] E. Martin-Lopez, A. Laing, T. Lawson, R. Alvarez, X.- burg, MD 20899–8900, USA: National Institute of Stan- 6
dards and Technology, July 2013. [22] R. L. Rivest, A. Shamir, and L. Adleman, “A method [16] R. Cramer and V. Shoup, “Signature schemes based on for obtaining digital signatures and public-key cryptosys- the strong RSA assumption,” ACM Trans. Inf. Syst. Se- tems,” Communications of the ACM, vol. 21, pp. 120– cur., vol. 3, pp. 161–185, Aug. 2000. 126, 1978. [17] G. Leander, “Improving the Success Probability for [23] G. L. Miller, “Riemann’s hypothesis and tests for primal- Shor’s Factoring Algorithm,” arXiv:quant-ph/0208183, ity,” Journal of Computer and System Sciences, vol. 13, Aug. 2002. no. 3, pp. 300 – 317, 1976. [18] I. L. Markov and M. Saeedi, “Constant-optimized quan- [24] D. Coppersmith, “An approximate Fourier transform use- tum circuits for modular multiplication and exponentia- ful in quantum factoring,” Tech. Rep. RC 19642, IBM, tion,” Quantum Info. Comput., vol. 12, pp. 361–394, May 1994. 2012. [25] R. Cleve and J. Watrous, “Fast parallel circuits for the [19] T. Lawson, “Odd orders in Shor’s factoring algorithm,” quantum Fourier transform,” in Proceedings 41st An- Quantum Information Processing, vol. 14, no. 3, pp. 831– nual Symposium on Foundations of Computer Science, 838, 2015. pp. 526–536, 2000. [20] E. Knill, “On Shor’s quantum factor finding algorithm: [26] D. Cheung, “Improved bounds for the approximate Increasing the probability of success and tradeoffs involv- QFT,” in Proceedings of the Winter International Synpo- ing the Fourier transform modulus,” Tech. Rep. LAUR- sium on Information and Communication Technologies, 95-3350, Los Alamos National Laboratory, 1995. WISICT ’04, pp. 1–6, Trinity College Dublin, 2004. [21] J. A. Smolin, G. Smith, and A. Vargo, “Oversimplifying quantum factoring,” Nature, vol. 499, pp. 163–165, 2013.