
Page 1: Quantum algorithms for factoring and Post-Quantum RSA · Post-Quantum RSA is a variation of RSA, proposed by Bernstein et al. [4], that is supposed to better withstand attacks by

MSc Mathematics

Master Thesis

Quantum algorithms for factoring and Post-Quantum RSA

Author: Casper Gyurik
Daily supervisor: prof. dr. Ronald de Wolf

Examination date: August 31, 2018
Examiner: dr. Michael Walter

Korteweg-de Vries Institute for Mathematics

Centrum voor Wiskunde en Informatica


Abstract

Post-Quantum RSA is a variation of RSA, proposed by Bernstein et al. [4], that is supposed to better withstand attacks by a quantum computer compared to RSA as used today. This thesis investigates the security of Post-Quantum RSA in the presence of large-scale quantum computers. Particularly, we try to break Post-Quantum RSA by attempting to find a quantum algorithm that finds a non-trivial factor of an n-bit Post-Quantum RSA modulus in Õ(n^{2−ε}) steps, for some ε ∈ (0, 1). First, we try to speed up Shor’s algorithm by using elements of relatively low multiplicative order. Afterwards, we consider a unification of Lenstra’s elliptic curve factorization method (ECM) and Shor’s order-finding algorithm. Finally, we discuss how to speed up Shor’s algorithm when you have a certain number of processors at your disposal, that can perform either classical or quantum operations in parallel. Unfortunately, none of these approaches result in a quantum algorithm that finds a non-trivial factor of an n-bit Post-Quantum RSA modulus in Õ(n^{2−ε}) steps, for some ε ∈ (0, 1). However, we do show that if N has only small prime power divisors and ϕ(N) = #(Z/NZ)∗ has a rather large smooth factor, then we can speed up Shor’s algorithm by adding a classical precomputation step. Moreover, in some cases this classical precomputation step can also be used to speed up the unification of Lenstra’s ECM and Shor’s order-finding algorithm.

Title: Quantum algorithms for factoring and Post-Quantum RSA
Author: Casper Gyurik, [email protected], 10334149
Daily supervisor: prof. dr. Ronald de Wolf
Examiner: dr. Michael Walter
Second Examiner: dr. Maris Ozols
Examination date: August 31, 2018

Korteweg-de Vries Institute for Mathematics
University of Amsterdam
Science Park 105-107, 1098 XG Amsterdam
http://kdvi.uva.nl

Centrum voor Wiskunde en Informatica
Science Park 123, 1098 XG Amsterdam
http://www.cwi.nl


Contents

1 Introduction  5
1.1 Public-key cryptography  5
1.2 Quantum computation  6
1.2.1 Quantum mechanics  7
1.2.2 Quantum speedups  8
1.3 Interplay between quantum computing and cryptography  9
2 Post-Quantum RSA  12
2.1 The RSA cryptosystem  12
2.1.1 Using a k-prime modulus and the cost of decryption  13
2.2 Attacks against RSA  14
2.2.1 Factoring and the RSA problem  14
2.2.2 Shor’s algorithm and GEECM  15
2.3 Post-Quantum RSA parameters  15
3 Attempts to speed up Shor’s algorithm  17
3.1 Recap of Shor’s algorithm  17
3.1.1 Reduction from factoring to order-finding in (Z/NZ)∗  17
3.1.2 Solving the order-finding problem  18
3.2 Using elements of low order  20
3.2.1 Adding a classical precomputation step  21
3.3 Using a subsignal  22
4 Lenstra’s elliptic curve factorization method and quantum enhancements  24
4.1 Preliminaries  24
4.2 Lenstra’s elliptic curve factorization method and GEECM  27
4.2.1 Grover plus Lenstra’s elliptic curve method  30
4.3 Unifying Lenstra’s elliptic curve factorization method and Shor’s order-finding algorithm  30
5 Parallelization of Shor’s algorithm  33
5.1 Parallel quantum Fourier transform  33
5.2 Parallel modular exponentiation  37
5.2.1 Classical precomputation of squares  38
5.2.2 Iterated multiplication of squares  40
6 Conclusion  42
6.1 Future work  43
Popular summary  45


1 Introduction

All of the computers we use today perform their computations based on classical physics. That is, they use bits and logical gates to perform their computations. However, the promise of a so-called quantum computer seems to be within reach. In contrast to today’s computers, a quantum computer performs its computations by exploiting quantum-mechanical principles. An important objective of quantum computation, the field that investigates the computational power of quantum computers, is to find quantum algorithms that outperform any classical algorithm solving the same problem. It has already been shown that large-scale quantum computers can solve factoring and the discrete-logarithm problem in polynomial time, which is exponentially faster than the currently best known classical algorithm for these problems.

There is an interesting interplay between the field of quantum computation and the field of cryptography. On the one hand, because quantum computers can solve some important problems far more efficiently than classical computers currently are able to, the security of most so-called public-key cryptosystems used today will be broken. On the other hand, one can exploit quantum-mechanical principles in order to perform cryptographic tasks, leading for example to cryptographic systems that are unbreakable even for quantum computers.

In Section 1.1, we give a brief introduction to public-key cryptography and the RSA cryptosystem. Subsequently, in Section 1.2, we give a brief introduction to the principles of quantum mechanics upon which quantum computers are based and we briefly discuss two quantum algorithms that are faster than any (known) classical algorithm solving the same problem. Finally, in Section 1.3, we further explore the interplay between quantum computing and cryptography, at the end of which we give an overview of the contents of this thesis.

1.1 Public-key cryptography

In today’s digital world, cryptographic systems are used for many important tasks. For instance, they are used to securely perform online banking and to protect our medical data. Among the currently used cryptographic systems, many are so-called public-key cryptosystems. In this section, we discuss the idea behind public-key cryptosystems and we consider a particular public-key cryptosystem called RSA.

Suppose Alice wants to send a message to Bob over a public channel, without allowing an eavesdropper Eve to get any information about the message from tapping the channel. To do so using a public-key cryptosystem, Bob generates a public key and a private key, and he publishes his public key but keeps the private key to himself. With this public key anyone can encrypt a message they want to send to Bob. The idea behind public-key cryptosystems is that, when using a large enough key, an eavesdropper Eve should only be able to decrypt a ciphertext if she knows the private key. To achieve this, public-key cryptosystems often rely on mathematical problems and computational hardness assumptions. That is, public-key cryptosystems are designed in such a way that to decrypt a ciphertext you have to solve a problem that is assumed to be too hard to solve in a reasonable amount of time without knowing the private key. However, if you do know the private key, then you should be able to efficiently solve this problem and thus decrypt the ciphertext.

An example of a widely-used public-key cryptosystem is the RSA cryptosystem, named after the initials of the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who were the first to publicly describe the algorithm in 1978 [17]. The public key used by RSA is a pair of integers (e, N), where N is an n-bit integer that is the product of two equally-sized prime numbers, and e is some auxiliary value. To encrypt a message with this public key and to decrypt a ciphertext with the corresponding private key, the user has to perform a modular exponentiation modulo N. This modular exponentiation can be performed in Õ(n^2) steps using the Schönhage-Strassen algorithm for multiplication [19] and the square-and-multiply method for exponentiation. Currently, the best-known method to decrypt a ciphertext without knowing the private key involves finding the prime factors of the integer N in the public key. The best-known classical algorithm for factoring large n-bit integers has an expected running time of roughly 2^{n^{1/3}} [13]. Since this expected running time is subexponential in n, whereas the usage cost of RSA is only quadratic in n, we can create a large gap between the usage cost of RSA and the cost of decrypting a ciphertext without knowing the private key, by making our key size n sufficiently large. It is because of this ability to create a gap between the usage cost and attack cost that the security of RSA is said to be based upon the computational hardness of factoring. For more details on the key generation, encryption, decryption and security of RSA we refer to Section 2.1 and Section 2.2.

As mentioned before, it has already been shown that large-scale quantum computers can solve factoring and the discrete-logarithm problem in polynomial time, which is exponentially faster than the best-known classical algorithm for these problems. Because almost all of the currently employed public-key cryptosystems are either based on factoring or the discrete-logarithm problem, these systems can all be broken if a scalable quantum computer is built. In Section 1.3, we will briefly discuss the field of post-quantum cryptography which aims to design new public-key cryptosystems based on mathematical problems which are believed to be hard even for quantum computers.

1.2 Quantum computation

In this section we give a very brief introduction to the field of quantum computation, which investigates the computational power of quantum computers. In Section 1.2.1, we give a brief introduction to the quantum-mechanical principles upon which quantum computers are based. Afterwards, in Section 1.2.2, we briefly mention two quantum algorithms that significantly outperform their (best-known) classical counterpart.


1.2.1 Quantum mechanics

As mentioned before, quantum computers perform their computations based on quantum-mechanical principles. Their unit of information is called a qubit, which can be in a so-called superposition of classical states. In order to perform computations with these qubits, we can either apply a measurement or a unitary operation to them. We now briefly introduce each of these quantum-mechanical principles.

Qubits and superposition

In classical computation the unit of information is a bit; in quantum computation the unit of information is called a qubit. A bit is either in the state 0 or 1, whereas a qubit can be in a superposition of two states. Intuitively, by a superposition of two states we mean that a qubit is in two states at the same time. Formally, a qubit is a unit vector

$$|\psi\rangle = \alpha\,|0\rangle + \beta\,|1\rangle \in \mathbb{C}^2.$$

Here α is called the amplitude of |0〉 and β the amplitude of |1〉. We can view |ψ〉 as being in the state |0〉 with amplitude α and in state |1〉 with amplitude β. Generally, quantum computers work with a k-qubit state, which is a unit vector

$$|\psi\rangle = \sum_{i \in \{0,1\}^k} \alpha_i\,|i\rangle \in (\mathbb{C}^2)^{\otimes k} \cong \mathbb{C}^{2^k}.$$

Again, we can view |ψ〉 as being in the state |i〉 with amplitude α_i.

Measurements

There are multiple ways to perform measurements on quantum states. In this thesis we will only be concerned with measurements with respect to a basis. When we measure our qubit α|0〉 + β|1〉 in the so-called computational basis {|0〉, |1〉}, we get outcome 0 with probability |α|^2 and outcome 1 with probability |β|^2. Since |α|^2 + |β|^2 = 1, this indeed correctly defines a probability distribution.

Formally, when measuring a k-qubit state |ψ〉 = Σ_{i∈{0,1}^k} α_i|i〉 in an orthonormal basis of C^{2^k} given by B = {|φ_i〉 | i ∈ {0,1}^k}, we get that the outcome is distributed as

$$\Pr_{|\psi\rangle}(\text{outcome of measurement is } i) = \big\|\, |\phi_i\rangle\langle\phi_i|\,|\psi\rangle \,\big\|^2.$$

Moreover, if the outcome of the measurement is i, then our state |ψ〉 collapses to the state |φ_i〉. That is, after applying the measurement to our system in the state |ψ〉 and receiving outcome i, our system will be in the state |φ_i〉.

Unitary evolution

Besides measuring our qubits, we can also apply operations to them. The postulates of quantum mechanics only allow linear operations to be applied to quantum states. Moreover, since measuring the resulting quantum state should also give a probability distribution, we are only allowed to apply norm-preserving operations. These two constraints imply that the operation must be a unitary transformation. A unitary transformation is a linear transformation U that is norm-preserving, or equivalently a linear transformation that satisfies U∗ = U^{−1}.

We can view a quantum algorithm as a combination of measurements and unitaries being applied in succession to some quantum state. The cost of a quantum algorithm is usually expressed in the number of so-called elementary gates required to implement the quantum algorithm. Here a gate is a unitary that acts on a small number of qubits. Examples of single-qubit elementary gates are the Hadamard (H), bit-flip (X) and phase (Z) gates, which are expressed by the following unitary matrices

$$H = \frac{1}{\sqrt{2}}\begin{bmatrix} 1 & 1 \\ 1 & -1 \end{bmatrix}, \qquad X = \begin{bmatrix} 0 & 1 \\ 1 & 0 \end{bmatrix}, \qquad Z = \begin{bmatrix} 1 & 0 \\ 0 & -1 \end{bmatrix}.$$

An example of an elementary two-qubit gate is the controlled-not (CNOT) gate

$$\mathrm{CNOT} = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{bmatrix}.$$
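An added Python illustration (not code from the thesis) of the computational model just described: the four gates above as matrices, a check that each satisfies U∗U = I (so U∗ = U^{−1}), and a two-qubit circuit (H ⊗ I followed by CNOT) applied to |00〉 together with the computational-basis measurement distribution of the result. It uses plain lists rather than a linear-algebra library so the tensor product and unitarity check are explicit.

```python
import math

# The gates of Section 1.2.1, written as lists of rows.
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)],
     [1 / math.sqrt(2), -1 / math.sqrt(2)]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
CNOT = [[1, 0, 0, 0],
        [0, 1, 0, 0],
        [0, 0, 0, 1],
        [0, 0, 1, 0]]
I2 = [[1, 0], [0, 1]]          # identity on one qubit


def matmul(A, B):
    """Matrix product A·B for square matrices given as lists of rows."""
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def dagger(U):
    """Conjugate transpose U*."""
    n = len(U)
    return [[complex(U[j][i]).conjugate() for j in range(n)] for i in range(n)]


def is_unitary(U, tol=1e-12):
    """U is unitary iff U* U = I, i.e. U* is the inverse of U."""
    n = len(U)
    P = matmul(dagger(U), U)
    return all(abs(P[i][j] - (1 if i == j else 0)) < tol
               for i in range(n) for j in range(n))


def kron(A, B):
    """Tensor product A ⊗ B: A acts on the first qubit, B on the second."""
    return [[a * b for a in row_a for b in row_b]
            for row_a in A for row_b in B]


def apply(U, state):
    """Apply the unitary U to a state vector (list of amplitudes α_i)."""
    n = len(state)
    return [sum(U[i][j] * state[j] for j in range(n)) for i in range(n)]


def measure_probabilities(state):
    """Computational-basis measurement: outcome i has probability |α_i|^2."""
    return [abs(a) ** 2 for a in state]


def bell_state():
    """CNOT·(H ⊗ I)|00〉: equal amplitude on |00〉 and |11〉, none on |01〉, |10〉."""
    ket00 = [1, 0, 0, 0]
    return apply(CNOT, apply(kron(H, I2), ket00))


if __name__ == "__main__":
    for name, G in (("H", H), ("X", X), ("Z", Z), ("CNOT", CNOT)):
        print(name, "unitary:", is_unitary(G))
    print("measurement distribution of the Bell state:",
          measure_probabilities(bell_state()))
```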

1.2.2 Quantum speedups

In this section we briefly mention two famous quantum algorithms. We first mention Grover’s search algorithm, which searches an unordered database quadratically faster than any classical algorithm. Afterwards, we mention Shor’s algorithm, which solves the factoring and discrete-logarithm problem exponentially faster than the currently best known classical algorithm.

Grover’s search algorithm

Suppose we are given some x ∈ {0,1}^N and our goal is to find an i such that x_i = 1. We can view this problem as a simplification of the problem of searching an unordered database of size N. The cost of this search problem is measured by the number of queries the algorithm requires, i.e., the number of times we check whether some x_i is 0 or 1. In 1996, Lov Grover showed that a quantum computer can solve this search problem in O(√N) queries [7]. One can show that any classical randomized algorithm would need Θ(N) queries to solve the same search problem. The idea behind Grover’s search algorithm is that a quantum computer can query the database “in superposition” and amplify the amplitudes of the states |i〉 that correspond to the i with x_i = 1.

Shor’s algorithm

In 1994, Peter Shor published a paper in which he describes a polynomial-time quantum algorithm for the factoring and discrete logarithm problem [21]. This algorithm is exponentially faster than the currently best-known classical algorithm for these problems. The main high-level idea of Shor’s algorithm is to reduce both the factoring and discrete logarithm problem to the problem of period finding, which as Shor shows can be efficiently solved using a quantum computer by exploiting the power of the so-called quantum Fourier transform. Here “reduced” means that an efficient algorithm for the problem of period-finding implies an efficient algorithm for factoring and the discrete logarithm problem. For more details on Shor’s algorithm we refer to Section 3.1.
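As an added illustration (not code from the thesis) of the reduction just described, here is the classical half of Shor’s algorithm in Python: the order of x in (Z/NZ)∗ is found by brute force, standing in for the quantum period-finding step, and the post-processing turns an even order r with x^{r/2} ≢ −1 (mod N) into a non-trivial factor through a gcd. The toy moduli in the demo are constructed; the brute-force order search is exponential in the size of N, which is exactly the part a quantum computer replaces.

```python
from math import gcd


def multiplicative_order(x, N):
    """Least r >= 1 with x^r ≡ 1 (mod N). Brute force: this stands in for the
    quantum order-finding step and is the only part that needs a quantum computer."""
    if gcd(x, N) != 1:
        raise ValueError("x must be invertible modulo N")
    r, y = 1, x % N
    while y != 1:
        y = (y * x) % N
        r += 1
    return r


def factor_from_order(x, N):
    """Classical post-processing: from x and r = ord_N(x) derive a non-trivial
    factor of N, or None when this x is unlucky (odd r, or x^{r/2} ≡ -1)."""
    r = multiplicative_order(x, N)
    if r % 2:
        return None
    y = pow(x, r // 2, N)      # y^2 ≡ 1 (mod N) but y ≢ 1, since r is the order
    if y == N - 1:             # y ≡ -1 would only give the trivial factors 1 and N
        return None
    for cand in (gcd(y - 1, N), gcd(y + 1, N)):
        if 1 < cand < N:
            return cand
    return None


def is_prime(n):
    """Trial division; sufficient for the toy moduli used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def shor_factorize(N):
    """Full reduction from factoring to order-finding: keep splitting N until
    only primes remain; returns the sorted list of prime factors (with multiplicity)."""
    if N == 1:
        return []
    if is_prime(N):
        return [N]
    for x in range(2, N):
        g = gcd(x, N)
        # A non-coprime x already shares a factor with N; otherwise use its order.
        f = g if g != 1 else factor_from_order(x, N)
        if f is not None:
            return sorted(shor_factorize(f) + shor_factorize(N // f))
    raise RuntimeError("no splitting element found")  # not reached for composite N


if __name__ == "__main__":
    # Constructed toy inputs: a 2-prime and a 3-prime modulus.
    print("ord_15(7) =", multiplicative_order(7, 15),
          "-> factor", factor_from_order(7, 15))
    print("105 =", shor_factorize(105))
```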

1.3 Interplay between quantum computing and cryptography

The development of quantum algorithms and quantum computers threatens the security of most public-key cryptosystems used today. However, this development has also led to new opportunities for cryptography where one exploits quantum-mechanical principles in order to perform cryptographic tasks. In this section, we briefly discuss how to remedy this threat of quantum algorithms and quantum computers to cryptography.

We begin with briefly discussing the field of quantum cryptography. Quantum cryptography is the art and science of exploiting the quantum-mechanical principles discussed in Section 1.2 in order to perform cryptographic tasks. The most well-known example of this discipline is quantum key distribution (QKD). Quantum key distribution enables two parties to produce a shared random secret key. A famous example of a QKD protocol is the BB84 protocol by Charles Bennett and Gilles Brassard [2]. This protocol was the first to show how quantum mechanical principles, such as the collapsing of a quantum state after a measurement, could be used for an information-theoretically secure key agreement protocol. Here “information-theoretically secure” means that an eavesdropper learns no information about the key at all from tapping the public channel over which the key is being established, no matter how much computational power this eavesdropper has. When only allowing classical communication, such an information-theoretically secure protocol is excluded by an impossibility result by Claude Shannon [20]. Sometimes QKD is equated with quantum cryptography, as it is the most well-known example of quantum cryptography. However, there exist many other uses of quantum-mechanical principles in cryptography, a great survey of which is given by Anne Broadbent and Christian Schaffner [18].

Next, we discuss the field of post-quantum cryptography. Almost all public-key cryptosystems used today are either based on the factoring or the discrete logarithm problem. Therefore, all these systems can be broken using Shor’s algorithm. Post-quantum cryptography searches for new public-key cryptosystems based on mathematical problems which are believed to be hard even for quantum computers. As part of this, the US National Institute of Standards and Technology (NIST) has initiated a competition to determine new standards for such quantum-resistant public-key cryptosystems. Some of the main contenders in this competition are lattice-based cryptography, supersingular elliptic curve isogeny cryptography and multivariate cryptography.

Another contender in the NIST competition for post-quantum cryptography is the so-called Post-Quantum RSA cryptosystem by Daniel Bernstein et al. [4]. As discussed in Section 1.1, RSA as used today has a usage cost that is roughly quadratic in the size of the key. Since the attack cost of RSA with Shor’s algorithm is also roughly quadratic in the size of the key, the RSA cryptosystem as used today will have no security in the presence of large-scale quantum computers. However, Bernstein et al. show that by letting the integer N in the public key be the product of many equally-sized primes instead of two, one can achieve a usage cost of an n-bit key that is essentially linear in n. This again creates a gap between the usage cost and the attack cost, namely, for Post-Quantum RSA the attack cost is essentially quadratic in the usage cost. Nevertheless, this gap is only quadratic, whereas the pre-quantum gap was exponential, forcing the user of Post-Quantum RSA to use rather large keys.

In this thesis, we investigate the security of Post-Quantum RSA. First, in Chapter 2, we discuss the Post-Quantum RSA cryptosystem in more detail. Afterwards, we try several attempts at finding an attack that reduces the exponent 2 in the relation between the attack cost and the usage cost. That is, we try several attempts at finding a quantum algorithm that factors an n-bit Post-Quantum RSA modulus in Õ(n^{2−ε}) steps, for some ε ∈ (0, 1). Here f(n) ∈ Õ(g(n)) is shorthand for: there exists a k ≥ 0 such that f(n) ∈ O(g(n) log^k(g(n))).

In Chapter 3, we try to speed up Shor’s algorithm. In Lemma 3.2, we show that by using elements x ∈ (Z/NZ)∗ of sufficiently low order, we can speed up Shor’s algorithm. We try adding a classical precomputation step to construct elements of sufficiently low order in Section 3.2.1. We show in Corollary 3.6 that such a classical precomputation step works for Post-Quantum RSA keys N for which ϕ(N) has a large smooth factor.

Subsequently, in Chapter 4, we try to speed up Lenstra’s elliptic curve factorization method (ECM) using quantum techniques. In Section 4.3, we discuss a new algorithm for factoring that unifies Lenstra’s ECM and Shor’s order-finding algorithm. That is, we discuss a quantum algorithm that finds a non-trivial factor of an integer N by finding the order of an element in a group consisting of points on an elliptic curve over (Z/NZ). In general, this algorithm will not be faster than the usual version of Shor’s algorithm. However, there is a possible advantage here that for each N we can try multiple different elliptic curves over (Z/NZ) to try and find one for which the corresponding order-finding problem can be solved more efficiently, for example by adding a classical precomputation step as described in Section 3.2.1.

Lastly, in Chapter 5, we discuss the security of the Post-Quantum RSA cryptosystem in the special case where the adversary has a certain number of processors at his disposal. In particular, we discuss a parallelization of Shor’s algorithm. The bottleneck of this parallel version of Shor’s algorithm remains the modular exponentiation step. In Section 5.2, we discuss a parallelization of the Schönhage-Strassen algorithm for multiplying large integers. With this parallelization of the Schönhage-Strassen algorithm, we can perform the modular exponentiation step using P ≤ n log n log log n processors in O(n^2 (log n)^2 log log n / P) steps. Here we assume that each processor can at each time step perform any operation on any set of qubits/bits.

Unfortunately, none of our attempts resulted in a quantum algorithm that factors an n-bit integer in Õ(n^{2−ε}) steps, for some ε ∈ (0, 1). Even in the special case where the number we wish to factor is an n-bit Post-Quantum RSA modulus, we were unable to find a quantum algorithm that does so in Õ(n^{2−ε}) steps. However, in Corollary 3.6, we do show that if N has only small prime power divisors and ϕ(N) = #(Z/NZ)∗ has a rather large smooth factor, then we can speed up Shor’s algorithm by adding a classical precomputation step. Moreover, in some cases this classical precomputation step can also be used to speed up the unification of Lenstra’s ECM and Shor’s algorithm.


2 Post-Quantum RSA

In this chapter we discuss a variant of RSA called Post-Quantum RSA, which was proposed by Bernstein, Heninger, Lou and Valenta [4]. RSA is a public-key cryptosystem whose security is based on the hardness of factoring. Whenever scalable quantum computers will be realized, Shor’s algorithm (a quantum algorithm for factoring) will break the variant of RSA that is used today. However, as Bernstein et al. show, it turns out that one can still modify RSA to obtain a cryptosystem where the cost for the attacker is essentially quadratic in the cost for the user.

This quadratic gap is far from the exponential gap that RSA presently has. The use of Post-Quantum RSA would therefore require much bigger key sizes than before. However, the advantage of Post-Quantum RSA is that switching to Post-Quantum RSA will be less difficult than switching to other post-quantum cryptography alternatives, since RSA is already widely used today.

In Section 2.1, we discuss the basic operations of RSA and touch upon the adjustments made by Post-Quantum RSA. Afterwards, in Section 2.2, we discuss the best-known attacks on RSA. Finally, in Section 2.3, we derive the parameters of Post-Quantum RSA and we discuss the security of the resulting cryptosystem.

2.1 The RSA cryptosystem

In this section we discuss the RSA cryptosystem. We begin by giving a recap of the basic operations of RSA. Afterwards, we discuss a technique for speeding up RSA that is fundamental for Post-Quantum RSA, namely the use of a k-prime modulus.

The RSA cryptosystem is a public-key cryptosystem that can be used to securely send messages over a public channel. It uses two different keys, one to encrypt messages and one to decrypt ciphertexts. The encryption key is public (i.e., everybody has access to it) and is called the public key. The decryption key is private (i.e., only the person that is supposed to receive the message has access to it) and is called the private key.

The public key used in RSA is represented by a tuple (e, N), consisting of a large composite integer N (called the modulus) and some integer e in (Z/ϕ(N)Z)∗, where ϕ(N) = #(Z/NZ)∗ denotes the Euler totient. The corresponding private key is represented by the unique integer d in (Z/ϕ(N)Z)∗ that satisfies the equation ed ≡ 1 mod ϕ(N). They are generated as follows:

RSA key generation

1. Choose at random two distinct prime numbers p and q of equal size.

2. Compute N = pq and ϕ(N) = (p − 1)(q − 1).

3. Choose at random an integer e ∈ (Z/ϕ(N)Z)∗.

4. Solve de ≡ 1 mod ϕ(N) for d, using the extended Euclidean algorithm.

In order to encrypt a message using RSA, we must first turn our message into some integer m in (Z/NZ)∗. A common way of doing this is using “Optimal asymmetric encryption padding” [1]. After we have turned our message into an integer m, we can encrypt and decrypt it as follows:

RSA encryption and decryption

$$\mathrm{Encrypt}_{(e,N)}(m) \equiv m^{e} \bmod N,$$

$$\mathrm{Decrypt}_{d,(e,N)}(c) \equiv c^{d} \bmod N.$$

To see that this correctly defines a cryptosystem, i.e., that for all messages m in (Z/NZ)∗ we have that Decrypt(Encrypt(m)) = m, we derive that

$$\mathrm{Decrypt}(\mathrm{Encrypt}(m)) \equiv m^{ed} \equiv m^{1+\ell\cdot\varphi(N)} \equiv m\cdot\big(m^{\varphi(N)}\big)^{\ell} \equiv m\cdot 1^{\ell} \equiv m \bmod N.$$

The second equality follows from the fact that ed ≡ 1 mod ϕ(N), and the fourth equality follows from Euler’s theorem, which states that x^{ϕ(N)} ≡ 1 mod N for all x ∈ (Z/NZ)∗.

2.1.1 Using a k-prime modulus and the cost of decryption

One way to modify RSA is by letting the modulus be the product of k ≥ 3 distinct primes of equal size. We call such a modulus a k-prime modulus. The use of a k-prime modulus, for suitable k, lies at the heart of Post-Quantum RSA.

The reason for using a k-prime modulus is that it allows the user to more efficiently decrypt ciphertexts. To demonstrate this, consider an n-bit k-prime modulus N = p_1 ··· p_k, where the p_i are distinct primes of size p. Suppose we fix the size of N but not the number of prime factors k. When decrypting a ciphertext using RSA, one wants to compute c^d mod N, for some c ∈ (Z/NZ)∗ and d ∈ (Z/ϕ(N)Z)∗. An efficient way to do this is to first compute c^{d mod (p_i − 1)} mod p_i, for i = 1, ..., k, and then combine them into c^d mod N by applying the Chinese remainder theorem. Applying the Chinese remainder theorem like that can be done in O(n(log n)^2) = Õ(n) steps [3]. Moreover, using the square-and-multiply method together with the Schönhage-Strassen algorithm, we can perform the modular exponentiations modulo p_i in

$$O\big(k\cdot(\log p)^2(\log\log p)(\log\log\log p)\big) = \tilde{O}\big(k\cdot(n/k)^2\big) = \tilde{O}\!\left(\frac{n^2}{k}\right)$$

steps.

Thus, by increasing the number of prime factors in our modulus, we save on the time required to decrypt a message.


2.2 Attacks against RSA

The security of RSA is determined by the gap between the cost of key generation, encryption and decryption (the usage cost) and the cost of successfully decrypting a ciphertext without knowledge of the private key (the attack cost). In this section we discuss the attack cost of RSA. First, we show that you can attack RSA by factoring the modulus. Afterwards, we discuss the two top threats to RSA, namely Shor’s algorithm and GEECM (Grover plus ECM using Edwards curves).

2.2.1 Factoring and the RSA problem

In the case of RSA, the attack cost is determined by the difficulty of solving the RSA problem, which can be formally stated as follows.

The RSA problem.
Input: An RSA public key (e, N) and ciphertext c ∈ (Z/NZ)∗.
Goal: Find the corresponding message, i.e., find m such that m^e ≡ c mod N.

Currently, the best-known attacks against RSA are algorithms for the factoring problem. The factoring problem can be formally stated as follows.

The factoring problem.
Input: A composite integer N.
Goal: Find the prime decomposition of N.

The reduction from the RSA problem to factoring is as follows. Assume we are using a k-prime modulus N. Then, given the prime factorization N = p_1 ··· p_k, we can compute ϕ(N) = ∏_{i=1}^{k} (p_i − 1). This allows us to use the extended Euclidean algorithm to find the d ∈ (Z/ϕ(N)Z)∗ that solves the equation ed ≡ 1 mod ϕ(N). This then allows us to recover the message by computing m = c^d mod N. It remains an open question whether factoring is as hard as the RSA problem.

It is interesting to note that if we are given only one prime factor of a k-prime modulus N, then we can still learn something about the encrypted message. To demonstrate this, let $c = m^e \bmod N$ be a ciphertext that is encrypted using a k-prime modulus N, and suppose we are given a prime factor $p_i \mid N$. Since $ed \equiv 1 \bmod \varphi(N)$, we know that $ed \equiv 1 \bmod (p_i - 1)$. Moreover, since we know the values of e and $(p_i - 1)$, we can compute $d_i = d \bmod (p_i - 1)$ by using the extended Euclidean algorithm to compute the multiplicative inverse of e modulo $(p_i - 1)$. Now notice that using $d_i$ we can compute

$$m_i = m \bmod p_i = c^d \bmod p_i = c^{d \bmod (p_i-1)} \bmod p_i = c^{d_i} \bmod p_i.$$

Thus, for each prime factor $p_i \mid N$ that we know, we can compute the value of m modulo $p_i$. Note that knowing the value of m modulo $p_i$ eliminates many potential messages m.
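The two facts of this section, CRT decryption as the source of the $O(n^2/k)$ usage cost and the recovery of $m \bmod p_i$ from a single known prime, as an added Python illustration. This is not code from the thesis or from Bernstein et al.; the four primes, the exponent $e = 3$ and the message are constructed toy values, far too small for real use, and all function names are mine.

```python
"""Multi-prime RSA: CRT decryption, and what a single known prime factor reveals.

Added illustration (not code from the thesis). The primes, the exponent e = 3
and the message are small constructed sample values, not real parameters.
"""
from math import gcd, prod


def crt_combine(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    N = prod(moduli)
    x = 0
    for r_i, m_i in zip(residues, moduli):
        M_i = N // m_i
        x += r_i * M_i * pow(M_i, -1, m_i)
    return x % N


def keygen(primes, e=3):
    """k-prime modulus N = p_1 ... p_k with a constant public exponent e."""
    N = prod(primes)
    phi = prod(p - 1 for p in primes)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(N)")
    d = pow(e, -1, phi)          # e*d = 1 mod phi(N)
    return N, e, d


def encrypt(m, e, N):
    return pow(m, e, N)


def decrypt_crt(c, d, primes):
    """Decrypt modulo each p_i with the reduced exponent d mod (p_i - 1), then
    recombine with the CRT: k exponentiations on (n/k)-bit moduli."""
    residues = [pow(c % p, d % (p - 1), p) for p in primes]
    return crt_combine(residues, primes)


def partial_decrypt(c, e, p):
    """Given only ONE prime factor p of N, recover m mod p. The inverse of e
    modulo (p - 1) equals d mod (p - 1), so c^{d_i} mod p = m mod p."""
    d_i = pow(e, -1, p - 1)
    return pow(c % p, d_i, p)


PRIMES = [101, 113, 131, 149]    # constructed 4-prime toy modulus; e = 3 is invertible mod p - 1 for each


if __name__ == "__main__":
    N, e, d = keygen(PRIMES)
    m = 123456789
    c = encrypt(m, e, N)
    print("N =", N, "decrypt_crt ok:", decrypt_crt(c, d, PRIMES) == m)
    for p in PRIMES:
        print("knowing only p =", p, "gives m mod p =", partial_decrypt(c, e, p), "=", m % p)
```

With a single prime the attacker learns only $m \bmod p_i$; the set of consistent messages shrinks from N to $N/p_i$ candidates, which is the quantitative content of the remark above.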


2.2.2 Shor’s algorithm and GEECM

For RSA with a k-prime modulus, the top threats (i.e., the fastest algorithms to factorthe modulus) are Shor’s algorithm and GEECM. Both algorithms are discussed in moredetail in Chapter 3 and 4, respectively.

Shor’s algorithm, discovered by Peter Shor in 1994 [21], is a quantum algorithm that finds a factor of a composite n-bit integer in time $O(n^2 \log n \log\log n) = O(n^2)$. It is considerably faster than any known classical algorithm for factoring, as the currently best known classical randomized algorithm for factoring runs in time roughly $2^{n^{1/3}}$ [13].

Comparing the usage cost in Section 2.1.1 with the runtime of Shor’s algorithm, it is clearthat RSA as used today (i.e., with a 2-prime modulus) is broken by Shor’s algorithm,since the usage cost is essentially equal to the attack cost. Therefore, in order to obtaina gap between the usage cost and attack cost in the presence of Shor’s algorithm, wehave to use a k-prime modulus for k sufficiently large.

However, Shor’s algorithm gets outperformed by GEECM when factoring a k-prime modulus if k is too large. GEECM, proposed by Bernstein et al. [4], finds a factor of an n-bit modulus consisting of k primes of size p in time $L^{1+o(1)}$, where $L = \exp\sqrt{\log p \log\log p}$.

Notice that, in contrast to Shor’s algorithm, the runtime of GEECM depends on the sizeof the prime factors of the number we wish to factor. This implies that we cannot pick ktoo large, since for very large values of k, GEECM will be able to very efficiently factorthe k-prime modulus and thus break the cryptosystem.

2.3 Post-Quantum RSA parameters

Post-Quantum RSA modifies RSA by using a k-prime modulus for some fairly large k,and a constant encryption exponent, e.g., e = 3. In this section, we derive the parametersof Post-Quantum RSA, and we discuss the resulting security. The goal is to determinethe value of k that maximizes the gap between the usage cost and the attack cost.

First, let’s recap the usage cost of RSA with an n-bit, k-prime modulus N. By letting the encryption exponent be some small constant, e.g., e = 3, we get that encrypting only costs us a small constant number of multiplications modulo N, which can be done in O(n) steps. Bernstein et al. propose a key generation algorithm that generates an n-bit, k-prime modulus in O(n) steps [4]. As we saw in Section 2.1.1, we can decrypt a message in $O(n^2 k^{-1})$ steps.

Next, let’s recap the attack cost of RSA with an n-bit modulus consisting of k primes of size p. As we discussed in Section 2.2, Shor’s algorithm can break RSA in $O(n^2 \log n \log\log n) = O(n^2)$ steps, and GEECM can break RSA in $L^{1+o(1)}$ steps, where $L = \exp\sqrt{\log p \log\log p}$. Thus, the attack time of RSA with a k-prime modulus is either the runtime of Shor’s algorithm or the runtime of GEECM, depending on which one is faster for that specific value of k.

In order to minimize the usage cost, we want to pick k as big as possible. However, we don’t want the attack cost to decrease too much by doing so. In other words, we don’t want to pick k so big that GEECM will outperform Shor’s algorithm. The cutoff lies at

$$k \in \frac{n}{(\log n)^{2+o(1)}},$$

which is the value for k used in Post-Quantum RSA. If we plug in this value for k, then the usage cost becomes O(n). Moreover, breaking Post-Quantum RSA using either Shor’s algorithm or GEECM would require an amount of steps that is roughly quadratic in n. Thus, the attack cost is essentially quadratic in the usage cost. This is a lot worse than the exponential gap RSA had before Shor’s algorithm. However, it is an improvement over the version of RSA that is used today (i.e., with a 2-prime modulus), where the usage cost is essentially equal to the attack cost.

A question that arises is whether there exists a quantum algorithm for factoring that outperforms Shor’s algorithm on the modulus used by Post-Quantum RSA. In other words: are there quantum algorithms for factoring that are faster than Shor’s algorithm in the special case where the number we wish to factor has many small prime factors? In Chapter 3, we discuss a few attempts to speed up Shor’s algorithm for the special case that the number we wish to factor has many small prime factors. Afterwards, in Chapter 4, we consider an attempt at finding a better quantum enhancement of ECM by unifying it with Shor’s algorithm.


3 Attempts to speed up Shor’s algorithm

In this chapter we discuss two attempts to speed up Shor’s algorithm. In particular,motivated by the newly proposed cryptosystem Post-Quantum RSA discussed in Chap-ter 2, we study the special case where the number we wish to factor is composed of manyfairly small prime factors.

At present, the attack cost of Post-Quantum RSA is essentially quadratic in its usagecost. We would like to find out whether we can reduce this exponent 2. Particularly, weinvestigate if we can adjust Shor’s algorithm so that it can factor an n-bit Post-QuantumRSA modulus in O(n2−ε) steps, for some ε ∈ (0, 1).

In Section 3.1, we give a recap of Shor’s algorithm and discuss its cost. Subsequently, inSection 3.2, we discuss an attempt to use elements of low multiplicative order modulo Nto more efficiently find a non-trivial factor of N . Finally, in Section 3.3, we discuss anattempt in which we apply the final steps of Shor’s algorithm to a quantum state thatis cheaper to prepare but still closely related to the state normally used.

3.1 Recap of Shor’s algorithm

In this section we recapitulate the polynomial-time quantum algorithm for factoring byPeter Shor [21]. We begin by discussing the important observation by Shor that anefficient algorithm for the so-called order-finding problem implies an efficient algorithmfor factoring. Afterwards, we describe Shor’s order-finding algorithm and discuss itscost.

3.1.1 Reduction from factoring to order-finding in (Z/NZ)∗

First, we consider the so-called order-finding problem. As we will show later, it turns out that factoring can be reduced to the order-finding problem. Reduced here means that an efficient algorithm for the order-finding problem implies an efficient algorithm for factoring. The order-finding problem can be formally defined as follows:

The order-finding problem.
Input: An n-bit integer N and some $x \in (\mathbb{Z}/N\mathbb{Z})^*$.
Goal: Find the order of x, i.e. find the least $r \in \mathbb{Z}_{\ge 1}$ such that $x^r \equiv 1 \bmod N$.

Suppose we wish to factor some composite integer N. Solving the above order-finding problem will give us a factor of N as follows. Assuming N is odd, it can be shown that with probability $\ge 1/2$, the order r is even and $x^{r/2} \pm 1$ are not multiples of N. Note that in this case we have

$$x^r \equiv 1 \bmod N \iff (x^{r/2} + 1)(x^{r/2} - 1) \equiv 0 \bmod N.$$

In particular, we have two non-zero elements of the ring $(\mathbb{Z}/N\mathbb{Z})$ that multiply to zero. This implies that both these elements do not have a multiplicative inverse, which is equivalent to saying that $\gcd(x^{r/2} \pm 1, N) \ne 1, N$. Computing these greatest common divisors, which can be done efficiently using the Euclidean algorithm, gives us a non-trivial factor of N.

3.1.2 Solving the order-finding problem

We now discuss the algorithm by Peter Shor that solves the order-finding problem defined in Section 3.1.1. The main building blocks of this algorithm are the quantum Fourier transform (QFT) and the unitary $O_{x,N}$ that maps $|a\rangle|0\rangle \mapsto |a\rangle|x^a \bmod N\rangle$, where x is the element of $(\mathbb{Z}/N\mathbb{Z})^*$ whose order we want to find. The steps of Shor’s order-finding algorithm are as follows.

Shor’s order-finding algorithm

Step 1: Pick some $q = 2^\ell$ such that $N^2 < q \le 2N^2$.

Step 2: Start with the state $|0^\ell\rangle|0^n\rangle$ and apply the QFT to the first register to build the uniform superposition

$$\frac{1}{\sqrt q}\sum_{a=0}^{q-1} |a\rangle\,|0^n\rangle.$$

Step 3: Apply the unitary $O_{x,N}$ to build the state

$$|\psi\rangle = \frac{1}{\sqrt q}\sum_{a=0}^{q-1} |a\rangle\,|x^a \bmod N\rangle. \qquad (3.1)$$

Step 4: Measure the second register and discard it. Suppose the outcome of this measurement was $y \in (\mathbb{Z}/N\mathbb{Z})^*$, then the resulting state is

$$\frac{1}{\sqrt m}\sum_{j=0}^{m-1} |jr + s\rangle,$$

where s is the least integer $0 \le s < q$ such that $x^s \equiv y \bmod N$, and m is the number of integers $0 \le a < q$ that satisfy $x^a \equiv y \bmod N$.

Step 5: Apply the QFT again and measure the state in the computational basis.

Step 6: Do some classical post-processing to obtain the order of x.


To show how Shor’s order-finding algorithm finds the order of our x ∈ (Z/NZ)∗, wenow look at the outcome of the measurement in Step 5 of the algorithm.

Lemma 3.1. With high probability the measurement in Step 5 of Shor’s order-finding algorithm yields an integer b such that

$$\left|\frac{b}{q} - \frac{c}{r}\right| \le \frac{1}{2q},$$

for some c.

Proof. After applying the QFT in Step 5 of Shor’s order-finding algorithm, our system will be in the state

$$|\psi\rangle = \frac{1}{\sqrt m}\sum_{j=0}^{m-1}\frac{1}{\sqrt q}\sum_{b=0}^{q-1} e^{2\pi i (jr+s)b/q}\,|b\rangle = \frac{1}{\sqrt{mq}}\sum_{b=0}^{q-1} e^{2\pi i sb/q}\left(\sum_{j=0}^{m-1} e^{2\pi i jrb/q}\right)|b\rangle.$$

When measuring this state, the probability that the measurement yields b is given by

$$\left|\frac{1}{\sqrt{mq}}\sum_{j=0}^{m-1} e^{2\pi i jrb/q}\right|^2 = \left|\frac{1}{\sqrt{mq}}\sum_{j=0}^{m-1}\left(e^{2\pi i rb/q}\right)^j\right|^2 = \left|\frac{1}{\sqrt{mq}}\sum_{j=0}^{m-1}\left(e^{2\pi i \{rb\}_q/q}\right)^j\right|^2, \qquad (3.2)$$

where $\{rb\}_q$ is the residue which is congruent to $rb \bmod q$ and is in the range $-q/2 < \{rb\}_q \le q/2$. It turns out that if $\{rb\}_q$ is small, then the expression in Equation 3.2 is large. This can be shown by approximating the sum in Equation 3.2 by an integral as is done in Section 5 of [21]. In particular, one can show that the probability that the measurement yields some b will be at least $1/3r^2$ if

$$-\frac{r}{2} \le \{rb\}_q \le \frac{r}{2}.$$

By the definition of $\{rb\}_q$, the above expression is equivalent to saying that there exists some c such that

$$-\frac{r}{2} \le rb - cq \le \frac{r}{2}.$$

Dividing by rq and rearranging the terms gives

$$\left|\frac{b}{q} - \frac{c}{r}\right| \le \frac{1}{2q}.$$

Using this measurement outcome b from Lemma 3.1, we can compute r = ord(x) asfollows. Since any two distinct fractions with denominator ≤ N must be at least 1/N2 >1/q apart, we conclude from Lemma 3.1 that c/r is the only fraction with denominator≤ N at distance ≤ 1/2q from b/q. Applying a method called the “continued fractionexpansion” to b/q then efficiently gives us c/r since this is the fraction with denominator≤ N that is closest to b/q. With probability Ω(1/ log log r) we have gcd(c, r) = 1, inwhich case writing the fraction c/r in lowest terms yields r.
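The post-processing just described, as an added Python illustration that is not code from the thesis. The quantum part (Steps 2 to 5) is replaced by a classical stand-in, `simulated_measurement`, which computes the order by brute force and returns an outcome b satisfying the inequality of Lemma 3.1; from that point on the code is the real classical procedure: `recover_order` runs the continued fraction expansion of b/q and keeps the convergent with denominator at most N, and `factor_from_order` applies the reduction of Section 3.1.1. All function names are mine and N = 221 is a constructed toy modulus.

```python
"""Classical side of Shor's order-finding algorithm: from the measured b to r,
and from r to a factor of N (Sections 3.1.1 and 3.1.2).

Added illustration, not code from the thesis. The quantum sampling of Step 5 is
replaced by `simulated_measurement`, a classical stand-in.
"""
from fractions import Fraction
from math import gcd
import random


def brute_force_order(x, N):
    """Order of x in (Z/NZ)^* by repeated multiplication (classical stand-in only)."""
    r, y = 1, x % N
    while y != 1:
        y = (y * x) % N
        r += 1
    return r


def choose_q(N):
    """Step 1: the power of two q with N^2 < q <= 2N^2."""
    q = 1
    while q <= N * N:
        q *= 2
    return q


def simulated_measurement(x, N, q, rng):
    """Stand-in for Steps 2-5: return b with |b/q - c/r| <= 1/(2q) for a random c.
    A real run obtains b from the QFT measurement; here it is constructed."""
    r = brute_force_order(x, N)
    c = rng.randrange(r)
    return (2 * c * q + r) // (2 * r)      # nearest integer to c*q/r


def convergents(num, den):
    """Convergents h/k of num/den, produced by the continued fraction expansion."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    while den:
        a, rem = divmod(num, den)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield Fraction(h, k)
        num, den = den, rem


def recover_order(b, q, N):
    """Denominator of the last convergent of b/q with denominator <= N. By Lemma 3.1
    that convergent is c/r in lowest terms: the denominator is r when gcd(c, r) = 1
    and a proper divisor of r otherwise."""
    best = None
    for conv in convergents(b, q):
        if conv.denominator > N:
            break
        best = conv
    return best.denominator


def factor_from_order(x, r, N):
    """Section 3.1.1: if r is even and x^{r/2} is not -1 mod N, gcd(x^{r/2} - 1, N) is a factor."""
    if r % 2:
        return None
    y = pow(x, r // 2, N)
    if y == N - 1:
        return None
    f = gcd(y - 1, N)
    return f if 1 < f < N else None


def shor_factor(N, seed=0, max_tries=100):
    """Repeat the whole procedure until a non-trivial factor of the odd composite N appears."""
    rng = random.Random(seed)
    q = choose_q(N)
    for _ in range(max_tries):
        x = rng.randrange(2, N)
        g = gcd(x, N)
        if g > 1:
            return g                        # x already shares a factor with N
        b = simulated_measurement(x, N, q, rng)
        r = recover_order(b, q, N)
        if pow(x, r, N) != 1:               # gcd(c, r) > 1 gave only a divisor of r: retry
            continue
        f = factor_from_order(x, r, N)
        if f:
            return f
    return None


if __name__ == "__main__":
    print("q for N = 15:", choose_q(15), "order of 7 mod 15:", brute_force_order(7, 15))
    print("factor of 221:", shor_factor(221, seed=3))
```

The check `pow(x, r, N) != 1` is what turns the $\Omega(1/\log\log r)$ success probability into an expected $O(\log n)$ number of repetitions: a wrong candidate is detected cheaply and the run is simply repeated.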


Cost of Shor’s order-finding algorithm

Let us now look at the cost of Shor’s order-finding algorithm when N is an n-bit integer. Both Step 2 and Step 5 involve applying the QFT on $\ell$ qubits. This can be approximated well enough using $O(n \log n)$ gates [9]. The bottleneck of Shor’s order-finding algorithm lies in Step 3. Namely, to implement the unitary $O_{x,N}$ we have to compute the modular exponentiation $x^a \bmod N$, for $a \in N^{O(1)}$. Using the square-and-multiply method, this costs us O(n) modular multiplications modulo N. Each of these modular multiplications can be done in $O(n \log(n) \log\log(n))$ steps using the Schönhage-Strassen algorithm. Therefore, Step 3 can be performed in $O(n^2 \log(n) \log\log(n))$ steps. As discussed below Lemma 3.1, with probability $\Omega(1/\log\log r)$ the outcome of the measurement in Step 5 allows us to efficiently compute the order of x. So, an expected number of $O(\log n)$ repetitions of Shor’s order-finding algorithm is sufficient to find the order of x. Accordingly, Shor’s order-finding algorithm solves the order-finding problem using an expected number of $O\big(n^2 (\log(n))^2 \log\log(n)\big)$ steps.

As mentioned above, the bottleneck of Shor’s order-finding algorithm lies in the computation of $x^a \bmod N$, for $a \in N^{O(1)}$. The common theme among our attempts to speed up Shor’s algorithm is that they try to get around as much of this modular exponentiation step as possible. In the next section, we discuss a way to decrease the size of the exponent a by considering elements $x \in (\mathbb{Z}/N\mathbb{Z})^*$ of sufficiently low order.

3.2 Using elements of low order

Suppose we have an element $x \in (\mathbb{Z}/N\mathbb{Z})^*$ of which we know that its order is bounded above by some $R \ll N$. Then, it turns out that we can adapt Shor’s order-finding algorithm to more efficiently find the order of x.

Lemma 3.2. Let N be an n-bit integer, and let $x \in (\mathbb{Z}/N\mathbb{Z})^*$ be an element whose order r is bounded above by R. If we pick some $q_R = 2^\ell$ such that $R^2 < q_R \le 2R^2$, and we apply Steps 4 through 6 of Shor’s order-finding algorithm to the state

$$|\psi_R\rangle = \frac{1}{\sqrt{q_R}}\sum_{a=0}^{q_R - 1} |a\rangle\,|x^a \bmod N\rangle,$$

then we still obtain the order of x.

Proof. By a reasoning analogous to the proof of Lemma 3.1, one can show that with high probability the measurement in Step 5 yields a b such that

$$\left|\frac{b}{q_R} - \frac{c}{r}\right| \le \frac{1}{2q_R}. \qquad (3.3)$$

Because any two fractions with denominator ≤ R must be at least 1/R2 > 1/qR apart,we deduce from Equation 3.3 that c/r is the fraction with denominator ≤ R that isclosest to b/qR. Applying the “continued fraction expansion” to b/qR then efficientlygives us c/r. With probability Ω(1/ log log r) we have gcd(c, r) = 1, in which casewriting the fraction c/r in lowest terms yields r.


Looking at the cost of Shor’s order-finding algorithm in Section 3.1.2, we observe that we can find the order of x in Lemma 3.2 in $O(\log(R) \cdot n \log(n) \log\log(n))$ steps. Furthermore, the computation of the greatest common divisor $\gcd(x^{r/2} \pm 1, N)$, where r is the order of x, can be done in O(n) steps. This results in the following corollary.

Corollary 3.3. Let N be an n-bit composite integer and suppose we are given some $x \in (\mathbb{Z}/N\mathbb{Z})^*$ whose order is bounded above by $2^{n^{1-\varepsilon}}$, for some $\varepsilon \in (0, 1)$. Then, there is a quantum algorithm that can find a non-trivial factor of N in $O\big(n^{2-\varepsilon} (\log(n))^2 \log\log(n)\big)$ steps.

Motivated by Corollary 3.3, we look at the orders of the elements in (Z/NZ)∗. Un-fortunately, it turns out that most elements in (Z/NZ)∗ will have an order that is closeto N , as illustrated by the following theorem.

Theorem 3.4. Let $x \in \mathbb{Z}_{>0}$ and let $\mathrm{ord}_N(x)$ denote the order of x in $(\mathbb{Z}/N\mathbb{Z})^*$. Then the number of $N \le y$ such that $\mathrm{ord}_N(x) \in O(N^{1-\varepsilon})$ is $o(y)$.

Proof. See Theorem 2 in [10].

Thus, to find an element of sufficiently low order, we likely have to try harder thantrying different elements uniformly at random. In the following section, we discuss anattempt to construct elements of low order using a classical precomputation step. Herea “low” order means an order that is considerably less than N .

3.2.1 Adding a classical precomputation step

Let $N = p_1 \cdots p_k$ be a Post-Quantum RSA modulus. Since all of the $p_i$’s are relatively small compared to N, it could be the case that $\varphi(N) = \prod_{i=1}^{k}(p_i - 1)$ has a pretty large factor that is completely built up from even smaller primes. If this is the case, it turns out that we can construct elements of low multiplicative order modulo N using a classical precomputation step.

A positive integer is called w-smooth if none of its prime factors is greater than w. To demonstrate how to construct elements of low order, let N be an n-bit integer such that for each prime power $q \mid N$ we have $q \le v$, and let $s_w$ denote the (unique) largest w-smooth factor of $\varphi(N) = \#(\mathbb{Z}/N\mathbb{Z})^*$. We first pick a random element $x \in (\mathbb{Z}/N\mathbb{Z})^*$. Then we let $\lambda = \prod_{r=2}^{w} r^{e(r)}$, where $e(r) := \min\{e \in \mathbb{Z}_{>0} \mid r^e \ge v\}$, and compute

$$x^\lambda \bmod N. \qquad (3.4)$$

One way of doing this is by setting $x_1 = x$ and then computing $x_r := x_{r-1}^{\,r^{e(r)}} \bmod N$, for $r = 2, \dots, w$. Using the square-and-multiply method and the Schönhage-Strassen algorithm we can do so in time

$$O\Big(\sum_{r=2}^{w} \log(r^{e(r)})\, n \log(n) \log\log(n)\Big) = O\Big(\sum_{r=2}^{w} \log(v)\, n \log(n) \log\log(n)\Big) = O\big(w \log(v)\, n \log(n) \log\log(n)\big).$$

The result of this precomputation step is as follows.


Lemma 3.5. The element $x^\lambda \in (\mathbb{Z}/N\mathbb{Z})^*$ defined in Equation 3.4 satisfies

$$\mathrm{ord}_N(x^\lambda) \le \frac{N}{s_w}.$$

Proof. Let $N = p_1^{e_1} \cdots p_k^{e_k}$ be the prime factorization of N. By the Chinese remainder theorem we know that

$$\mathrm{ord}_N(x^\lambda) = \mathrm{lcm}\big(\mathrm{ord}_{p_1^{e_1}}(x^\lambda), \dots, \mathrm{ord}_{p_k^{e_k}}(x^\lambda)\big) \le \prod_{i=1}^{k} \mathrm{ord}_{p_i^{e_i}}(x^\lambda). \qquad (3.5)$$

Write $\varphi(p_i^{e_i}) = s_{i,w} \cdot t_i$ and $\mathrm{ord}_{p_i^{e_i}}(x) = s'_{i,w} \cdot t'_i$, where $s_{i,w}$ is the (unique) largest w-smooth factor of $\varphi(p_i^{e_i})$ and $s'_{i,w}$ is the (unique) largest w-smooth factor of $\mathrm{ord}_{p_i^{e_i}}(x)$. Because $\mathrm{ord}_{p_i^{e_i}}(x) \mid \varphi(p_i^{e_i})$, we have that $s'_{i,w} \mid s_{i,w}$ and $t'_i \mid t_i$. Moreover, by our definition of $\lambda$ we have that

$$\mathrm{ord}_{p_i^{e_i}}(x^\lambda) = \frac{\mathrm{ord}_{p_i^{e_i}}(x)}{\gcd\big(\mathrm{ord}_{p_i^{e_i}}(x), \lambda\big)} = \frac{s'_{i,w} \cdot t'_i}{s'_{i,w}} = t'_i \le t_i = \frac{\varphi(p_i^{e_i})}{s_{i,w}}. \qquad (3.6)$$

Combining Equation 3.5 and Equation 3.6 now yields

$$\mathrm{ord}_N(x^\lambda) \le \prod_{i=1}^{k} \mathrm{ord}_{p_i^{e_i}}(x^\lambda) \le \prod_{i=1}^{k} \frac{\varphi(p_i^{e_i})}{s_{i,w}} = \frac{\prod_{i=1}^{k} \varphi(p_i^{e_i})}{\prod_{i=1}^{k} s_{i,w}} = \frac{\varphi(N)}{s_w} \le \frac{N}{s_w}.$$

Combining Lemma 3.5 with Corollary 3.3 results in the following corollary.

Corollary 3.6. Let N be an n-bit Post-Quantum RSA modulus and $\varepsilon \in (0, 1)$. If the group order $\varphi(N) = \#(\mathbb{Z}/N\mathbb{Z})^*$ has an $n^{1-\varepsilon}$-smooth factor of size $2^{\,n - n^{1-\varepsilon}}$, then there is a quantum algorithm that can find a non-trivial factor of N in $O(n^{2-\varepsilon})$ steps.

Proof. In this case we have $w = n^{1-\varepsilon}$ and $v = \log(n)^{2+o(1)}$. Therefore, the cost of computing $x^\lambda$ as in Equation 3.4 is given by

$$O\big(w \log(v)\, n \log(n) \log\log(n)\big) = O\big(n^{1-\varepsilon} \log(\log(n)^2)\, n \log(n) \log\log(n)\big) = O\big(n^{2-\varepsilon} \log(n) (\log\log(n))^2\big) = O(n^{2-\varepsilon}).$$

Moreover, by Lemma 3.5 the order of $x^\lambda$ satisfies $\mathrm{ord}_N(x^\lambda) \le 2^{n^{1-\varepsilon}}$. Therefore, by Corollary 3.3 we can find a non-trivial factor of N in $O(n^{2-\varepsilon})$ steps using $x^\lambda$.

3.3 Using a subsignal

The bottleneck of Shor’s order-finding algorithm lies in the preparation of the state $|\psi\rangle$ from Equation 3.1. Another way to speed up Shor’s algorithm would be to consider states that are cheaper to prepare, but that are still closely related to $|\psi\rangle$. In this section, we consider a certain set of such states.

Let N be an n-bit integer and let x be an element of $(\mathbb{Z}/N\mathbb{Z})^*$. As in Shor’s order-finding algorithm, pick some $q = 2^\ell$ such that $N^2 < q \le 2N^2$. For any subset $A \subseteq \{0, \dots, q-1\}$ we can define the state

$$|\psi_A\rangle := \frac{1}{\sqrt{|A|}} \sum_{a \in A} |a\rangle\,|x^a \bmod N\rangle. \qquad (3.7)$$

One way to view such a state |ψA〉 is as a subsignal of the signal state |ψ〉 from Equa-tion 3.1. Suppose our subset A satisfies the following two properties:

(i) $|\psi_A\rangle$ can be prepared in $O\big(n^{2-\varepsilon} (\log(n))^2 \log\log(n)\big)$ steps, for some $\varepsilon > 0$.

(ii) If we apply Steps 4 through 6 of Shor’s order-finding algorithm to |ψA〉, we canstill obtain the order of x.

Then this subset A would allow us to find a factor of N in $O(n^{2-\varepsilon} (\log(n))^2 \log\log(n))$ steps. It could be the subject of future research to see if there exists a subset A that satisfies the above two properties. In the rest of this section, we very briefly mention two attempts at finding a subset A that satisfies the above two properties.

Only the beginning of the signal

The state $|\psi_R\rangle$ from Lemma 3.2 is the same as the state $|\psi_A\rangle$ for $A = \{0, \dots, q_R - 1\}$. As discussed in Section 3.2, if R is sufficiently small, then we can prepare this state in $O(n^{2-\varepsilon} \log(n) \log\log(n))$ steps. However, if the order of x is not bounded above by R, then we have no guarantee that we will be able to determine the order of x by applying Steps 4 through 6 of Shor’s order-finding algorithm to this state $|\psi_A\rangle$.

Hamming weight

Consider $A = \{a \in \{0,1\}^{2n} \mid H(a) \le \sqrt n\}$, where H denotes the Hamming weight. Using the square-and-multiply method, we can compute $x^a \bmod N$, for $a \in A$, in $2n + \sqrt n$ multiplications modulo N. This is less than the 4n multiplications modulo N required to compute $x^a \bmod N$, for $a \in \{0, \dots, q-1\}$. However, we still will not be able to prepare the state $|\psi_A\rangle$ using only the required $O(n^{2-\varepsilon} (\log(n))^2 \log\log(n))$ steps.


4 Lenstra’s elliptic curve factorization method and quantum enhancements

In this chapter we discuss Lenstra’s elliptic curve factorization method and investigatehow we can enhance this algorithm using quantum techniques. More specifically, westudy GEECM, a quantum enhancement of Lenstra’s elliptic curve factorization methodproposed by Bernstein et al. [4], and discuss a way to unify Lenstra’s elliptic curvefactorization method and Shor’s order-finding algorithm.

In Section 4.1, we give an introduction to the theory of elliptic curves over (Z/NZ) andcollect some important results. In Section 4.2, we discuss how Lenstra’s elliptic curvefactorization method solves the factoring problem and how GEECM accelerates thisalgorithm using quantum techniques. Finally, in Section 4.3, we consider a unificationof Lenstra’s elliptic curve factorization method and Shor’s order-finding algorithm thatfinds a non-trivial factor of a squarefree integer N by computing the order of a point onan elliptic curve over (Z/NZ).

4.1 Preliminaries

Let N be a positive integer such that gcd(6, N) = 1. In this section we give an introduc-tion to the theory of elliptic curves over the ring (Z/NZ). First we state the necessarydefinitions and afterwards we state the results that are required to study the algorithmsin the rest of this chapter.

In order to give the definition of an elliptic curve over the ring (Z/NZ), we first needto define the so-called projective space over (Z/NZ).

Definition 4.1. The $\ell$-dimensional projective space over $(\mathbb{Z}/N\mathbb{Z})$, denoted $P^\ell(\mathbb{Z}/N\mathbb{Z})$, is given by

$$\big\{(a_0, \dots, a_\ell) \in (\mathbb{Z}/N\mathbb{Z})^{\ell+1} \mid \gcd(a_0, \dots, a_\ell, N) = 1\big\} / \sim,$$

where $(a_0, \dots, a_\ell) \sim (b_0, \dots, b_\ell)$ iff there exists a $u \in (\mathbb{Z}/N\mathbb{Z})^*$ with $u a_i = b_i$ for all i.

Remark. The equivalence class of (a0, . . . , a`) is denoted by (a0 : . . . : a`).

An elliptic curve over (Z/NZ) is parameterized by a pair in (Z/NZ)2. The set ofpoints of an elliptic curve is a subset of the 2-dimensional projective space over (Z/NZ).

Definition 4.2. (i) An elliptic curve $E = E_{a,b}$ over $(\mathbb{Z}/N\mathbb{Z})$ is a pair $(a, b) \in (\mathbb{Z}/N\mathbb{Z})^2$ such that $4a^3 + 27b^2 \in (\mathbb{Z}/N\mathbb{Z})^*$.

(ii) The set of points $E(\mathbb{Z}/N\mathbb{Z})$ of an elliptic curve $E = E_{a,b}$ over $(\mathbb{Z}/N\mathbb{Z})$ is given by

$$E(\mathbb{Z}/N\mathbb{Z}) = E_{a,b}(\mathbb{Z}/N\mathbb{Z}) = \big\{(x : y : z) \in P^2(\mathbb{Z}/N\mathbb{Z}) \mid y^2 z = x^3 + a x z^2 + b z^3\big\}.$$

Remark. • We require $\gcd(6, N) = 1$ only to simplify the exposition. Namely, for integers N with $\gcd(6, N) \ne 1$, one has to work with more general equations for the set of points of an elliptic curve than the so-called Weierstrass equations given by $y^2 z = x^3 + a x z^2 + b z^3$, see Chapter 3 of [22].

• The expression $4a^3 + 27b^2$ is related to the discriminant of the curve defined by the Weierstrass equation $y^2 z = x^3 + a x z^2 + b z^3$. Its invertibility determines whether or not the curve defined by the corresponding Weierstrass equation is singular, i.e., whether the curve has cusps, self-intersections or isolated points. Since an elliptic curve is non-singular by definition, it is required that $4a^3 + 27b^2 \in (\mathbb{Z}/N\mathbb{Z})^*$.

It turns out that the set of points of an elliptic curve has an Abelian group structure.This group structure lies at the heart of Lenstra’s elliptic curve factorization methodand will be used to unify Lenstra’s elliptic curve factorization method and Shor’s order-finding algorithm.

Theorem 4.3. The set of points of an elliptic curve E(Z/NZ) has an Abelian groupstructure with O = (0 : 1 : 0) as the neutral element.

Proof. See Theorem 2.7 in [23].

Throughout the rest of this chapter we will write the group law on E(Z/NZ) additively.In the next proposition we give an overview of how to compute the sum of two pointson E(Z/NZ) according to the group law.

Definition 4.4. $R_0 := \mathbb{Z}[X_1, Y_1, Z_1, X_2, Y_2, Z_2, A, B] / (F_1, F_2)$, where $F_i = Y_i^2 Z_i - X_i^3 - A X_i Z_i^2 - B Z_i^3$.

Proposition 4.5. There exist nine polynomials $S_i, T_i, U_i \in R_0$, $i = 1, 2, 3$, with the following property. For any elliptic curve $E_{a,b}$ over $(\mathbb{Z}/N\mathbb{Z})$, and any two points $P_1 = (x_1 : y_1 : z_1)$, $P_2 = (x_2 : y_2 : z_2)$ on $E_{a,b}$, if we define

$$s_i := S_i(x_1, y_1, z_1, x_2, y_2, z_2, a, b),\quad t_i := T_i(x_1, y_1, z_1, x_2, y_2, z_2, a, b),\quad u_i := U_i(x_1, y_1, z_1, x_2, y_2, z_2, a, b),$$

and

$$M := \begin{pmatrix} s_1 & t_1 & u_1 \\ s_2 & t_2 & u_2 \\ s_3 & t_3 & u_3 \end{pmatrix},$$

then there exists a $(\mathbb{Z}/N\mathbb{Z})$-linear combination $(s_0, t_0, u_0)$ of the rows of M which satisfies $\gcd(s_0, t_0, u_0, N) = 1$. Furthermore, $(s_0, t_0, u_0)$ is unique up to multiplication by $u \in (\mathbb{Z}/N\mathbb{Z})^*$, and the group law from Theorem 4.3 satisfies $P_1 + P_2 = (s_0 : t_0 : u_0)$.


Proof. See Section 3 in [14].

Remark. For nine explicit polynomials S1, S2, . . . , U3 with the above property see [11].

Since we will use the group structure on E(Z/NZ) in our algorithms, we would like toknow how much it costs to add two points. To compute the entries of the matrix M fromProposition 4.5, we need to evaluate nine polynomials of finite degree in the ring (Z/NZ).Using the Schonhage-Strassen algorithm we can do so in a total number of steps that ispolynomial in log(N). Subsequently, we need to find the linear combination of the rowsof M that is asserted to exist in Proposition 4.5. Lenstra describes an algorithm thatfinds this linear combination of rows using a total number of steps that is bounded bya polynomial function of log(N) [14]. Accordingly, we can add two points on E(Z/NZ)using a total number of steps that is polynomial in log(N).

In the rest of this section, we will state results about elliptic curves over (Z/NZ) thatwe will use in the analysis of the algorithms in the rest of this chapter. First off, it turnsout that if we consider an elliptic curve over a finite field, then O is the only point onthe elliptic curve whose z-coordinate is zero.

Lemma 4.6. Let p be a prime and let E be an elliptic curve over $(\mathbb{Z}/p\mathbb{Z})$. Then O is the only element $(x : y : z) \in E(\mathbb{Z}/p\mathbb{Z})$ with $z = 0$.

Proof. Suppose $(x : y : 0) \in E(\mathbb{Z}/p\mathbb{Z})$. By the equation defining our elliptic curve, we get that $x^3 = 0$. Since $(\mathbb{Z}/p\mathbb{Z})$ is a field, $x^3 = 0$ implies that $x = 0$. Because $(0 : 0 : 0)$ is not an element of $P^2(\mathbb{Z}/p\mathbb{Z})$, we must have that $y \ne 0$ and so $(0 : y : 0) = (0 : 1 : 0)$.

Next, we state the famous result by Hasse that provides an estimate of the number ofpoints on an elliptic curve over a finite field.

Theorem 4.7. Let p be a prime. For all elliptic curves E over $(\mathbb{Z}/p\mathbb{Z})$ we have

$$\#E(\mathbb{Z}/p\mathbb{Z}) \in \big[\,p + 1 - 2\sqrt p,\ p + 1 + 2\sqrt p\,\big].$$

Proof. See Theorem 9.2 in [23].

Lastly, we state a generalization of the Chinese Remainder Theorem to elliptic curvesover (Z/NZ).

Lemma 4.8. (i) For each prime power $q \mid N$, we have the following group morphism

$$\pi_q : E_{a,b}(\mathbb{Z}/N\mathbb{Z}) \to E_{\bar a, \bar b}(\mathbb{Z}/q\mathbb{Z}),\qquad (x : y : z) \mapsto (x \bmod q : y \bmod q : z \bmod q),$$

where $\bar a = a \bmod q$, and $\bar b = b \bmod q$.

(ii) Let $N = p_1^{e_1} \cdots p_k^{e_k}$ be the prime factorization of N, then we have the following group isomorphism

$$\pi := \pi_{p_1^{e_1}} \times \cdots \times \pi_{p_k^{e_k}} : E_{a,b}(\mathbb{Z}/N\mathbb{Z}) \xrightarrow{\ \sim\ } E_{a_1,b_1}(\mathbb{Z}/p_1^{e_1}\mathbb{Z}) \times \cdots \times E_{a_k,b_k}(\mathbb{Z}/p_k^{e_k}\mathbb{Z}),\qquad P \mapsto \big(\pi_{p_1^{e_1}}(P), \dots, \pi_{p_k^{e_k}}(P)\big),$$

where $a_i = a \bmod p_i^{e_i}$, and $b_i = b \bmod p_i^{e_i}$.

Proof. Follows from Proposition 4.5 and the Chinese Remainder Theorem.

4.2 Lenstra’s elliptic curve factorization method and GEECM

In this section we discuss Lenstra’s elliptic curve factorization method (ECM) and aquantum enhancement called GEECM proposed by Bernstein et al. [4]. To start with,we consider another algorithm for factoring that closely resembles Lenstra’s elliptic curvefactorization method, namely, Pollard’s p− 1 algorithm.

Pollard’s p − 1 algorithm.

Step 1: Choose a number $\lambda$ that is composed of small primes, e.g., $\lambda = \mathrm{lcm}(1, \dots, B)$, for some bound B.

Step 2: Choose at random some $a \in (\mathbb{Z}/N\mathbb{Z})^*$.

Step 3: Compute $g_\lambda = \gcd(a^\lambda - 1, N)$.

To understand why and when this algorithm works, suppose that N has two prime factors p and q such that:

(i) $p - 1 \mid \lambda$,

(ii) $a^\lambda \not\equiv 1 \bmod q$.

Then, it follows from (i) and Fermat’s little theorem that $a^\lambda \equiv 1 \bmod p$. This implies that $p \mid g_\lambda$. Moreover, it follows from (ii) that $q \nmid g_\lambda$. Combining this we notice that $p \le g_\lambda < N$. So, in the case that both (i) and (ii) hold, the algorithm will give us a non-trivial factor $g_\lambda$ of N.

Notice that (i) only holds when p − 1 is completely built up from small primes. Itturns out that Pollard’s p − 1 algorithm will most likely not work if (i) does not hold.Hence, Pollard’s p− 1 algorithm only works for N that have a prime factor p such thatp− 1 is completely built up from small primes.
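Pollard’s p − 1 algorithm and its conditions (i) and (ii), as an added Python illustration that is not code from the thesis. The modulus $N = 1009 \cdot 1019$ is constructed so that both conditions are visible: $1009 - 1 = 2^4 \cdot 3^2 \cdot 7$ divides $\mathrm{lcm}(1, \dots, 16)$, while $1019 - 1 = 2 \cdot 509$ has a prime factor far above the bound, so with $B = 16$ the method returns 1009 and with $B = 8$ it returns nothing. Function names are mine.

```python
"""Pollard's p-1 algorithm (Section 4.2, Steps 1-3), as an added illustration.

Not code from the thesis. The modulus N = 1009 * 1019 is a constructed toy value.
"""
from math import gcd


def lcm_up_to(B):
    """lambda = lcm(1, ..., B): the product of all prime powers <= B (Step 1)."""
    lam = 1
    for i in range(2, B + 1):
        lam = lam * i // gcd(lam, i)
    return lam


def largest_prime_power(m):
    """Largest prime power dividing m; condition (i) p - 1 | lcm(1..B) needs B at least this."""
    best, r = 1, 2
    while r * r <= m:
        pp = 1
        while m % r == 0:
            m //= r
            pp *= r
        best = max(best, pp)
        r += 1
    return max(best, m)          # any leftover m > 1 is a prime


def pollard_p_minus_1(N, B, a=2):
    """Return g_lambda = gcd(a^lambda - 1, N) when it is a non-trivial factor, else None.
    g == N means (ii) failed for every prime factor (lower B or change a);
    g == 1 means (i) failed for every prime factor (raise B)."""
    if gcd(a, N) != 1:
        return gcd(a, N)         # a itself already shares a factor with N
    lam = lcm_up_to(B)
    g = gcd(pow(a, lam, N) - 1, N)
    return g if 1 < g < N else None


if __name__ == "__main__":
    N = 1009 * 1019
    print("largest prime power of p-1:", largest_prime_power(1008), "of q-1:", largest_prime_power(1018))
    print("B = 8 :", pollard_p_minus_1(N, B=8))
    print("B = 16:", pollard_p_minus_1(N, B=16))
```

The helper `largest_prime_power` makes the smoothness requirement in (i) explicit: a prime p is found by the method exactly when every prime power of $p - 1$ is at most B, which is why the method is useless against primes whose $p - 1$ has one large prime factor.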

To remedy the fact that Pollard’s p− 1 algorithm only works for certain N , Lenstra’selliptic curve factorization method uses the structure of the groups Ea,b(Z/NZ) insteadof the multiplicative group (Z/NZ)∗. The advantage of this is that if one curve doesn’twork, we can always try another.

Lenstra’s elliptic curve factorization method has two parameters v and w. The pa-rameter v is an upper bound for the size of the prime factor we want to find. The otherparameter w determines the cost and success probability of one round in the algorithm.


Lenstra’s elliptic curve method.

Step 1: Choose an elliptic curve Ea,b over (Z/NZ) and some point P = (x0 : y0 : 1)on the elliptic curve.

Step 2: Let $e(r) = \max\{e \mid r^e \le (\sqrt v + 1)^2\}$, $\lambda = \prod_{r=2}^{w} r^{e(r)}$ and compute

$$\lambda \cdot P = (x_\lambda : y_\lambda : z_\lambda).$$

Step 3: Compute gλ = gcd(zλ, N). If gλ = 1 or N , then repeat from Step 1.

Let us go over the steps one by one. In Step 1, we choose an elliptic curve over $(\mathbb{Z}/N\mathbb{Z})$ and some point on this curve. This can be done by choosing $x_0, y_0, a \in (\mathbb{Z}/N\mathbb{Z})$ uniformly at random, and putting $b = y_0^2 - x_0^3 - a x_0$. If $4a^3 + 27b^2 \in (\mathbb{Z}/N\mathbb{Z})^*$, then we have successfully chosen an elliptic curve $E_{a,b}$ with the point $(x_0 : y_0 : 1)$ on it.

In Step 2, we have to compute a multiple of the point P according to the group structure on $E_{a,b}(\mathbb{Z}/N\mathbb{Z})$. We add two points on $E_{a,b}(\mathbb{Z}/N\mathbb{Z})$ using the technique described in Proposition 4.5. As discussed below that proposition, the number of steps required to add two points on $E(\mathbb{Z}/N\mathbb{Z})$ is bounded by a polynomial in $\log(N)$. To compute $\lambda \cdot P$, we set $P_1 = P$ and compute $P_r = r^{e(r)} P_{r-1}$, for $r = 2, \dots, w$. We compute each intermediate multiple $P_r$ using the so-called double-and-add method. The double-and-add method computes a multiple dQ, for $d \in \mathbb{N}$ and $Q \in E(\mathbb{Z}/N\mathbb{Z})$, as follows.

Double-and-add method

Step 1: Take the binary representation $d = \sum_{i=0}^{k-1} d_i 2^i$, $d_i \in \{0, 1\}$ and $k = \lceil \log d \rceil$.

Step 2: Compute $2Q = Q + Q$, $4Q = 2Q + 2Q$, $\dots$, $2^{k-1} Q = 2^{k-2} Q + 2^{k-2} Q$.

Step 3: Compute $dQ = \sum_{i=0}^{k-1} d_i \cdot (2^i Q)$.

Using the double-and-add method to compute each intermediate multiple, we can perform Step 2 using
$$O\Big(\sum_{r=2}^{w} \log\big(r^{e(r)}\big)\Big) = O\big(w \log(v)\big)$$
additions on $E_{a,b}(\mathbb{Z}/N\mathbb{Z})$.

To understand why and when Lenstra’s elliptic curve factorization method works, suppose that $N$ has two prime factors $p$ and $q$ such that:

(i) $\#E_{a,b}(\mathbb{Z}/p\mathbb{Z}) \mid \lambda$,

(ii) $\pi_q(P_\lambda) \ne O$, where $\pi_q$ is the group homomorphism from Lemma 4.8.


Then, it follows from (i) and Legendre’s theorem that $\pi_p(\lambda \cdot P) = O$. This implies that $p \mid z_\lambda$. Moreover, it follows from (ii) and Lemma 4.6 that $q \nmid z_\lambda$. Combining this we notice that $p \le g_\lambda < N$. So, in the case that both (i) and (ii) hold, the algorithm will give us a non-trivial factor $g_\lambda$ of $N$.

So, to analyze the number of elliptic curves we have to try until $g_\lambda$ is a non-trivial factor of $N$, we have to examine the probability that (i) and (ii) hold. In the rest of this section we will give an overview of how this probability is determined. For more details we refer to Section 12 of the lecture notes on elliptic curves and factorization algorithms by van der Lingen [23].

By Theorem 4.7, we know that $\#E_{a,b}(\mathbb{Z}/p\mathbb{Z})$ lies in the interval $[p + 1 - 2\sqrt{p},\ p + 1 + 2\sqrt{p}]$.

Therefore, by our definition of $\lambda$, if $\#E_{a,b}(\mathbb{Z}/p\mathbb{Z})$ is completely built up from primes $\le w$ and $p \le v$, then (i) must hold. To ensure that $p \le v$, we can either use some prior knowledge about $N$ or we can set $v = \lceil \sqrt{N} \rceil$. Therefore, the probability that (i) holds is given by the probability that $\#E_{a,b}(\mathbb{Z}/p\mathbb{Z})$ is completely built up from primes $\le w$. As in Section 3.2.1, we shall refer to an integer that is completely built up from primes $\le w$ as a $w$-smooth integer.

It turns out that the values around the middle of the interval from Theorem 4.7 appear roughly an equal number of times as a value for $\#E(\mathbb{Z}/p\mathbb{Z})$, see Corollary 12.5 in [23]. Using this, one can show that the success probability of one round of the algorithm is at least $c f(w)/\log(v)$, where $c$ is some constant and $f(w)$ is the probability that a uniformly random integer in the interval $(p + 1 - \sqrt{p},\ p + 1 + \sqrt{p})$ is $w$-smooth. It is a conjecture by Lenstra that $f(w) \approx g(w)$, where $g(w)$ is the probability that a uniformly random integer in the interval $[0, p]$ is $w$-smooth.

To examine the probability that a uniformly distributed random integer in the interval $[1, p]$ is $w$-smooth, we define
$$L(x) = e^{\sqrt{\log(x) \log\log(x)}}.$$

A theorem of Canfield, Erdős, and Pomerance [5] implies the following. Let $c$ be a positive real number. Then the probability that a uniformly random integer in the interval $[0, x]$ is $L(x)^c$-smooth is $1/L(x)^{1/2c + o(1)}$, for $x \to \infty$. Hence, the expected number of additions on an elliptic curve over $\mathbb{Z}/N\mathbb{Z}$ required by Lenstra’s elliptic curve factorization method is

$$O\big(w \log(v) \cdot f(w)^{-1} \log(v)\big) = O\big(w \log(v) \cdot L(v)^{1/2c + o(1)} \log(v)\big) = O\big(L(v)^{c + o(1)} \log(v)^2 \cdot L(v)^{1/2c + o(1)}\big) \approx O\big(L(v)^{c + 1/2c + o(1)}\big).$$

This expression takes its minimum value for $c = 1/\sqrt{2}$. Plugging this in, we find that Lenstra’s elliptic curve factorization method finds any $v$-smooth non-trivial factor of $N$ by computing an expected number of $L(v)^{\sqrt{2} + o(1)}$ additions on an elliptic curve.

The advantage of Lenstra’s ECM is that its running time depends on the size of the smallest prime factor of $N$. Therefore, it is particularly suitable for factoring integers with a relatively small prime factor. Since RSA as used today uses a modulus that is the product of two primes of equal size, this algorithm was of little cryptographic relevance. However, since Post-Quantum RSA introduces a modulus that is the product of many fairly small primes, Lenstra’s ECM has recently become relevant for cryptographic purposes.

4.2.1 Grover plus Lenstra’s elliptic curve method

In this section we discuss a quantum enhancement of Lenstra’s elliptic curve factorization method, called GEECM, proposed by Bernstein et al. [4]. It improves upon Lenstra’s elliptic curve factorization method by using Grover’s algorithm to more efficiently search through the elliptic curves over $\mathbb{Z}/N\mathbb{Z}$.

Suppose $f : A \to \{0, 1\}$ is a function on a finite set $A$ such that $\#f^{-1}(1) = \#A/R$. Then, as discussed in Section 1.2.2, Grover’s algorithm can find an $a \in A$ such that $f(a) = 1$ using an expected number of $\sqrt{R}$ evaluations of $f$. Consider, in particular, the function $f$ whose input is an elliptic curve $E$ over $\mathbb{Z}/N\mathbb{Z}$ and whose output is given by
$$f(E) = \begin{cases} 1 & \text{if Steps 2 and 3 of Lenstra’s ECM using } E \text{ find a non-trivial factor of } N, \\ 0 & \text{otherwise.} \end{cases}$$

As discussed at the end of Section 4.2, if we let $w = L(v)^{c + o(1)}$, then an elliptic curve $E$ satisfies $f(E) = 1$ with probability $1/L(v)^{1/2c + o(1)}$. Accordingly, Grover’s algorithm can find an elliptic curve $E$ such that $f(E) = 1$ using an expected number of $L(v)^{1/4c + o(1)}$ evaluations of $f$. Since each evaluation of $f$ costs $w$ additions on an elliptic curve over $\mathbb{Z}/N\mathbb{Z}$, Grover’s algorithm finds an elliptic curve $E$ such that $f(E) = 1$ using an expected number of $L(v)^{c + 1/4c + o(1)}$ additions on an elliptic curve over $\mathbb{Z}/N\mathbb{Z}$. This expression takes its minimum value for $c = 1/2$. Plugging this in, we find that GEECM finds a non-trivial factor of $N$ using an expected number of $L(v)^{1 + o(1)}$ additions on an elliptic curve over $\mathbb{Z}/N\mathbb{Z}$.

4.3 Unifying Lenstra’s elliptic curve factorization method and Shor’s order-finding algorithm

In this section we discuss a way to unify Lenstra’s elliptic curve factorization method and Shor’s order-finding algorithm. In particular, we show that one can find a non-trivial factor of a squarefree integer $N$ by solving the order-finding problem in the group $E(\mathbb{Z}/N\mathbb{Z})$.

Let $N$ be a squarefree $n$-bit integer. Analogous to the order-finding problem defined in Section 3.1.1, we can also define the order-finding problem for the group $E(\mathbb{Z}/N\mathbb{Z})$.

The order-finding problem.
Input: An integer $N$, an elliptic curve $E$ over $\mathbb{Z}/N\mathbb{Z}$ and some $P \in E(\mathbb{Z}/N\mathbb{Z})$.
Goal: Find the order of $P$, i.e., the least $r \in \mathbb{Z}_{\ge 1}$ such that $r \cdot P = (0 : 1 : 0)$.


It turns out that factoring can also be reduced to the above order-finding problem. Again by “reduced” we mean that an efficient algorithm for the order-finding problem implies an efficient algorithm for factoring. To show that factoring can be reduced to the above order-finding problem we need the following lemma.

Lemma 4.9. Let $P \in E(\mathbb{Z}/N\mathbb{Z})$ be a point of order $r$. Suppose

(C1) $r$ is even,

(C2) there exists a prime $p \mid N$ such that $Q := \frac{r}{2} P = (x : y : z)$ satisfies $\pi_p(Q) = O$.

Then, $g = \gcd(z, N)$ is a non-trivial factor of $N$.

Proof. From (C2) it follows that $p \mid z$ and thus that $p \mid g$. Since $r$ is the least positive integer such that $r \cdot P = O$, it follows from the group isomorphism in Lemma 4.8 that there exists some prime $q \mid N$ such that $\pi_q(Q) \ne O$. By Lemma 4.6 this implies that $q \nmid z$ and thus that $q \nmid g$. This shows that $p \le g < N$. Therefore, $g$ is indeed a non-trivial factor of $N$.

From the above lemma we deduce that if (C1) and (C2) hold, then we can compute a non-trivial factor of $N$ using the order of $P$. So, to complete the proof that factoring can be reduced to the order-finding problem defined in this section, we need a lower bound for the probability that both (C1) and (C2) hold.

Proposition 4.10. Suppose we choose uniformly at random some $(x, y, a)$ with $x, y, a \in \mathbb{Z}/N\mathbb{Z}$. Define $P = (x : y : 1)$, $b = y^2 - x^3 - ax$ and let $r$ denote the order of $P$. Then,
$$\Pr\Big[\,4a^3 + 27b^2 \notin (\mathbb{Z}/N\mathbb{Z})^* \ \vee\ \big(\text{(C1)} \wedge \text{(C2)}\big)\Big] \ge \frac{1}{10}.$$

Proof. See Proposition 1 in [15].

Remark. Note that if $\Delta = 4a^3 + 27b^2 \notin (\mathbb{Z}/N\mathbb{Z})^*$, then $\gcd(\Delta, N)$ is a non-trivial factor of $N$ and so we are still able to find a non-trivial factor of $N$ in this case.

By combining Lemma 4.9 and Proposition 4.10, we find that if $P$ is a point on an elliptic curve over $\mathbb{Z}/N\mathbb{Z}$ of order $r$, then with high probability $r$ is even and $\gcd(z, N)$ is a non-trivial factor of $N$, where $\frac{r}{2} P = (x : y : z)$. We compute this non-trivial factor by computing $Q = \frac{r}{2} P$ and subsequently computing a greatest common divisor. Using the technique described in Proposition 4.5 together with the Euclidean algorithm we can do so using a total number of steps that is polynomial in $n$. Hence, factoring can indeed be reduced to the order-finding problem defined at the beginning of this section.

This reduction results in a new method of finding a non-trivial factor of $N$, namely, by running Shor’s order-finding algorithm in a group $E_{a,b}(\mathbb{Z}/N\mathbb{Z})$ for random $a$ and $b$. That is to say, instead of applying the unitary $O_{x,N}$ as in Section 3.1.2, we apply the unitary that maps $|a\rangle\,|0^{3n}\rangle \mapsto |a\rangle\,|a \cdot P\rangle$, where $P$ is a point on $E_{a,b}(\mathbb{Z}/N\mathbb{Z})$.

A potential advantage of this method compared to the usual version of Shor’s order-finding algorithm is that we can try multiple elliptic curves until we find one for which the corresponding order-finding problem can be solved more efficiently. Whereas the group structure of $(\mathbb{Z}/N\mathbb{Z})^*$ is completely fixed by $N$, by trying multiple elliptic curves we can look for a group structure in which we can more efficiently solve the order-finding problem.

For example, we could try multiple elliptic curves until we find one such that the exponent of the group defined by this elliptic curve is sufficiently low. Because, if this is the case, then an approach similar to that of Lemma 3.2 will allow us to more efficiently find a non-trivial factor of $N$. Alternatively, we could try multiple elliptic curves until we find one such that a classical precomputation step as in Section 3.2.1 will construct an element of sufficiently low order. That is, we could try multiple elliptic curves until we find an elliptic curve $E$ such that $\#E(\mathbb{Z}/N\mathbb{Z})$ has a large enough factor that is completely built up from small primes. In both cases, we can use Grover’s algorithm in a way similar to the way discussed in Section 4.2.1 to more efficiently search through the elliptic curves over $\mathbb{Z}/N\mathbb{Z}$.

The cost of Shor’s order-finding algorithm depends largely on the cost of implementing the unitary that carries out the group operation. Another potential advantage of running Shor’s order-finding algorithm in a group $E_{a,b}(\mathbb{Z}/N\mathbb{Z})$ is that there might be an efficient way to implement this unitary for this group. For the group $(\mathbb{Z}/N\mathbb{Z})^*$, we found no way around using the square-and-multiply method to implement the unitary that carries out the group operation. However, it could be the case that there is a more efficient way to implement the corresponding unitary for the group $E(\mathbb{Z}/N\mathbb{Z})$ and therefore more efficiently find a non-trivial factor of $N$.


5 Parallelization of Shor’s algorithm

As discussed in Chapter 2, the use of Post-Quantum RSA requires a lot of computational resources since the required key size is rather large. Therefore, we should also consider the security of Post-Quantum RSA when up against an adversary with additional computational resources. In this chapter, we discuss the security of Post-Quantum RSA in the special case where the adversary has a certain number of processors at his disposal that can perform either classical or quantum operations in parallel. In particular, we discuss how to parallelize Shor’s algorithm to run on multiple processors and we discuss the speedup we can achieve this way.

In our recap of Shor’s algorithm in Section 3.1, we saw that the quantum part of Shor’s algorithm mainly consists of the quantum Fourier transform (QFT) and a modular exponentiation step (Step 3 in Section 3.1.2). Therefore, in order to parallelize Shor’s algorithm, we need to parallelize both the QFT and the modular exponentiation step. Richard Cleve and John Watrous have shown how to parallelize the quantum Fourier transform [6]. Moreover, they have also shown that sufficient classical precomputation allows parallelization of the part of the quantum circuit associated with the modular exponentiation step. Throughout this section, we assume that we have $P$ processors running in parallel, each of which can at each time step perform any operation on any set of qubits/bits.

We begin, in Section 5.1, by discussing the parallelization of the quantum Fourier transform proposed by Cleve and Watrous. Afterwards, in Section 5.2, we discuss a way to parallelize the classical precomputation that allows parallelization of the part of the quantum circuit associated with the modular exponentiation step, and we discuss how Cleve and Watrous use the outcome of this classical precomputation step to achieve this parallelization of the part of the quantum circuit associated with the modular exponentiation step.

5.1 Parallel quantum Fourier transform

In this section we give an overview of how Cleve and Watrous parallelize the quantum Fourier transform in their paper [6]. Their main result is as follows.

Theorem 5.1. For any $n$ and $\varepsilon$ there is a quantum circuit approximating the QFT on $n$ qubits with precision $\varepsilon$ that has size $O(n \log(n/\varepsilon))$ and depth $O(\log(n) + \log\log(1/\varepsilon))$.

By an approximation of the QFT with precision $\varepsilon$, we mean a unitary $V$ (possibly acting on additional auxiliary qubits) with the following property: for any input quantum state, the Euclidean distance between applying the QFT to the state and $V$ to the state is at most $\varepsilon$ (in the space that includes the input/output qubits and the auxiliary qubits). Theorem 5.1 implies that there exists a quantum circuit that approximates the QFT on $n$ qubits to within an arbitrary inverse polynomial, with size $O(n \log n)$ and depth $O(\log n)$. The quantum circuit they propose requires $O(n \log n)$ qubits. It can be shown that by simplifying their construction, the required number of qubits can be reduced to $O(n)$ [8]. The resulting circuit that approximates the QFT to within an arbitrary inverse polynomial has width $O(n)$ and depth $O(\log(n))$. When using $P \le n$ processors, each of which can at each time step perform any operation on any set of qubits, we can approximate the QFT to within an arbitrary inverse polynomial in
$$O\Big(\frac{n \log(n)}{P}\Big)$$
steps.

We now give an overview of how Cleve and Watrous constructed this parallel circuit for the approximation of the QFT. First off, recall that the QFT on $n$ qubits is the unitary operation that maps
$$|x\rangle \overset{\mathrm{QFT}}{\mapsto} |\psi_x\rangle := \frac{1}{\sqrt{2^n}} \sum_{y=0}^{2^n - 1} \big(e^{2\pi i/2^n}\big)^{x \cdot y} |y\rangle, \quad \forall x \in \{0, \dots, 2^n - 1\}.$$

In keeping with [6], we shall refer to $|\psi_x\rangle$ as the Fourier basis state with phase parameter $x$. The idea behind the parallel circuit is to perform the QFT as follows.

Parallel version of the QFT

Step 1: Create the Fourier basis state
$$|x\rangle\,|0\rangle \mapsto |x\rangle\,|\psi_x\rangle.$$

Step 2: Copy the Fourier basis state
$$|x\rangle\,|\psi_x\rangle \mapsto |x\rangle\,|\psi_x\rangle\,|\psi_x\rangle\,|\psi_x\rangle.$$

Step 3: Erase the computational basis state
$$|x\rangle\,|\psi_x\rangle\,|\psi_x\rangle\,|\psi_x\rangle \mapsto |0\rangle\,|\psi_x\rangle\,|\psi_x\rangle\,|\psi_x\rangle.$$

Step 4: Reverse Step 2
$$|0\rangle\,|\psi_x\rangle\,|\psi_x\rangle\,|\psi_x\rangle \mapsto |0\rangle\,|\psi_x\rangle.$$

The reason for performing the QFT this way is that each of the above steps can be parallelized nicely. In the remainder of this section, we go through each of the steps and we discuss how they are parallelized. Notice that by parallelizing Step 2 we automatically parallelize Step 4, because Step 4 just performs the inverse of the mapping in Step 2.


Step 1: Creating the Fourier basis state

For the first step we have to implement the mapping

$$|x\rangle\,|0\rangle \mapsto |x\rangle\,|\psi_x\rangle, \quad \forall x \in \{0, \dots, 2^n - 1\}. \qquad (5.1)$$

By identifying each $x \in \{0, \dots, 2^n - 1\}$ with its binary representation $x_{n-1} \dots x_1 x_0 \in \{0, 1\}^n$, we can factor the Fourier basis state $|\psi_x\rangle$ as follows
$$|\psi_x\rangle = |\psi_{x_{n-1} \dots x_1 x_0}\rangle = |\mu_{0.x_0}\rangle\,|\mu_{0.x_1 x_0}\rangle \cdots |\mu_{0.x_{n-1} \dots x_1 x_0}\rangle, \qquad (5.2)$$
where we define $|\mu_{0.x_j \dots x_1 x_0}\rangle := \frac{1}{\sqrt{2}}\big(|0\rangle + e^{2\pi i (0.x_j \dots x_1 x_0)} |1\rangle\big)$, in keeping with [6]. In fact,

the circuit that is commonly used to perform the QFT is based upon the factorization of the Fourier basis state in Equation 5.2. By this factorization in Equation 5.2, it suffices to approximate the states $|\mu_{0.x_0}\rangle, \dots, |\mu_{0.x_{n-1} \dots x_1 x_0}\rangle$ individually. The circuit suggested by Figure 5.1 prepares the state $|\mu_{0.x_j \dots x_{j-k+1}}\rangle$, which for $k \in O(\log(n/\varepsilon))$ is an approximation of the state $|\mu_{0.x_j \dots x_0}\rangle$ with precision $(\varepsilon/n)^{O(1)}$. By an approximation of a state $|\psi\rangle$ with precision $\varepsilon$, we mean a state $|\psi'\rangle$ such that the Euclidean distance between $|\psi\rangle$ and $|\psi'\rangle$ is at most $\varepsilon$. These approximations of $|\mu_{0.x_j \dots x_0}\rangle$ allow us to approximate the state $|\psi_x\rangle$ with precision $O(\varepsilon)$. With our setting $k \in O(\log(n/\varepsilon))$, the size of the resulting circuit is $O(n \log(n/\varepsilon))$ and the depth is $O(\log\log(n/\varepsilon))$. In this circuit, two solid dots connected by a line correspond to a controlled-phase shift gate, which is a 2-qubit gate that maps

$$|x\rangle\,|y\rangle \overset{cP(\theta)}{\mapsto} e^{2\pi i \theta x y} |x\rangle\,|y\rangle.$$

In the circuit suggested by Figure 5.1, the phase $\theta$ corresponding to the controlled-phase shift gate acting on $|x_i\rangle$ is given by $\theta = 2^{i - j - 1}$. In short, the circuit suggested by Figure 5.1 performs the following series of operations

$$|0^k\rangle \xrightarrow{\ \text{apply } H \text{ and } k \text{ CNOT gates}\ } \tfrac{1}{\sqrt{2}}\big(|0^k\rangle + |1^k\rangle\big) \xrightarrow{\ \text{apply phase } \omega_x \text{ to } |1^k\rangle \text{ in parallel}\ } \tfrac{1}{\sqrt{2}}\big(|0^k\rangle + \omega_x |1^k\rangle\big) \xrightarrow{\ \text{apply } k \text{ CNOT gates}\ } |\mu_{0.x_j \dots x_{j-k+1}}\rangle \otimes |0^k\rangle.$$

To allow multiple copies of the circuit suggested in Figure 5.1 to run in parallel, we must first make $k$ copies of each of the qubits $|x_{n-1}\rangle, \dots, |x_1\rangle, |x_0\rangle$. Note that we can perform the mapping $|x_i\rangle\,|0\rangle^{\otimes k} \mapsto |x_i\rangle^{\otimes (k+1)}$ using a circuit of size $O(k)$ and depth $O(\log k)$ consisting only of CNOT gates. We conclude that the mapping in Equation 5.1 can be performed by a circuit of size $O(n \log(n/\varepsilon))$ and depth $O(\log\log(n/\varepsilon))$.

Step 2: Copying the Fourier basis state

[Figure 5.1: Quantum circuit for the approximation of $|\mu_{0.x_j \dots x_0}\rangle$, taken from [6]. The diagram (inputs $|x_j\rangle, \dots, |x_{j-k+1}\rangle$, a Hadamard on the target qubit, and the auxiliary register $|0^{k-1}\rangle$ returned to $|0^{k-1}\rangle$) is not reproduced here.]

While Cleve and Watrous use $O(\log(n/\varepsilon))$ copies of the Fourier basis state, it can be shown that three copies of the Fourier basis state are sufficient to approximate the mapping in Step 3 of the parallel version of the QFT to within an arbitrary inverse polynomial [8]. Therefore, for the second step we have to implement the following mapping and apply it twice

$$|x\rangle\,|\psi_x\rangle\,|0^n\rangle \mapsto |x\rangle\,|\psi_x\rangle\,|\psi_x\rangle. \qquad (5.3)$$

To do so, first consider the (reversible) addition and (reversible) subtraction operations
$$|x\rangle\,|y\rangle \overset{\mathrm{add}}{\mapsto} |x + y \bmod 2^n\rangle\,|y\rangle, \qquad |x\rangle\,|y\rangle \overset{\mathrm{sub}}{\mapsto} |x - y \bmod 2^n\rangle\,|y\rangle.$$

Note that using the (reversible) subtraction operation we can implement the mapping
$$|\psi_x\rangle\,|\psi_y\rangle \overset{\mathrm{sub}}{\mapsto} |\psi_x\rangle\,|\psi_{x+y}\rangle, \qquad (5.4)$$

since (writing $\omega_{2^n} = e^{2\pi i/2^n}$ and omitting the normalization factors)
$$\begin{aligned}
|\psi_x\rangle\,|\psi_y\rangle &= \Big(\sum_{i=0}^{2^n - 1} \omega_{2^n}^{xi} |i\rangle\Big) \otimes \Big(\sum_{j=0}^{2^n - 1} \omega_{2^n}^{yj} |j\rangle\Big) = \sum_{i,j=0}^{2^n - 1} \omega_{2^n}^{ix + jy} |i\rangle\,|j\rangle \\
&\overset{\mathrm{sub}}{\mapsto} \sum_{i,j=0}^{2^n - 1} \omega_{2^n}^{ix + jy} |i - j \bmod 2^n\rangle\,|j\rangle = \sum_{i,j=0}^{2^n - 1} \omega_{2^n}^{(i - j)x + j(x + y)} |i - j \bmod 2^n\rangle\,|j\rangle \\
&= \Big(\sum_{i=0}^{2^n - 1} \omega_{2^n}^{xi} |i\rangle\Big) \otimes \Big(\sum_{j=0}^{2^n - 1} \omega_{2^n}^{j(x + y)} |j\rangle\Big) = |\psi_x\rangle\,|\psi_{x+y}\rangle.
\end{aligned}$$


Moreover, by applying $H^{\otimes n}$ to the second register of the state $|\psi_x\rangle\,|0^n\rangle$, we can create the state $|\psi_x\rangle\,|\psi_0\rangle$, which can be mapped to $|\psi_x\rangle\,|\psi_x\rangle$ by using the (reversible) subtraction operation as in Equation 5.4. Therefore, to implement the mapping in Equation 5.3, it suffices to implement the (reversible) subtraction operation. One can construct a quantum circuit of size $O(n)$ and depth $O(\log n)$ for the (reversible) subtraction operations, by appealing to classical results about the complexity of arithmetic [16].
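An added example (not from [6] or the thesis) that checks Step 2 numerically: it simulates the Fourier basis states and the reversible subtraction of Equation 5.4 as plain amplitude vectors for small $n$, and verifies that $H^{\otimes n}|0^n\rangle = |\psi_0\rangle$ followed by subtraction indeed produces the copy $|\psi_x\rangle|\psi_x\rangle$. The helper names are this example's own.

```python
import cmath
import math

# Added example: exact state-vector simulation of Step 2 of the parallel QFT.
# A two-register state |i>|j> is stored at index i * 2^n + j (constructed convention).

def fourier_state(x, n):
    """|psi_x> = 2^(-n/2) sum_y omega^(x y) |y>, omega = exp(2 pi i / 2^n)."""
    D = 1 << n
    return [cmath.exp(2j * math.pi * x * y / D) / math.sqrt(D) for y in range(D)]

def tensor(u, v):
    """Amplitudes of |u>|v>: index i * len(v) + j holds the amplitude of |i>|j>."""
    return [a * b for a in u for b in v]

def reversible_sub(state, n):
    """|i>|j> -> |i - j mod 2^n>|j>: a permutation of the two-register amplitudes."""
    D = 1 << n
    out = [0j] * (D * D)
    for i in range(D):
        for j in range(D):
            out[((i - j) % D) * D + j] = state[i * D + j]
    return out

def copy_fourier_state(x, n):
    """Equation 5.3: |psi_x>|0^n> -> (H on register 2) |psi_x>|psi_0> -> (sub) |psi_x>|psi_x>."""
    psi_0 = fourier_state(0, n)   # H^{(x)n}|0^n> is the uniform superposition, i.e. |psi_0>
    return reversible_sub(tensor(fourier_state(x, n), psi_0), n)

def same_state(u, v, tol=1e-9):
    """True if two amplitude vectors agree entrywise up to floating-point error."""
    return len(u) == len(v) and max(abs(a - b) for a, b in zip(u, v)) < tol

def equation_5_4_holds(n):
    """Check |psi_x>|psi_y> -sub-> |psi_x>|psi_{x+y}> for every x, y on n qubits."""
    D = 1 << n
    return all(same_state(reversible_sub(tensor(fourier_state(x, n), fourier_state(y, n)), n),
                          tensor(fourier_state(x, n), fourier_state((x + y) % D, n)))
               for x in range(D) for y in range(D))
```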

Step 3: Erasing the computational basis state

For this step we have to approximate the following mapping
$$|x\rangle\,|\psi_x\rangle\,|\psi_x\rangle\,|\psi_x\rangle \mapsto |0\rangle\,|\psi_x\rangle\,|\psi_x\rangle\,|\psi_x\rangle. \qquad (5.5)$$

The circuit suggested by Figure 5.2 at the end of this section approximates the mapping in Equation 5.5. It does so by performing a collection of exact QFTs on $2k$ qubits, for $k = O(\log n)$, and afterwards taking the leading $k$ bits of each of the outcomes of the QFTs and XORing them into the corresponding part of the binary representation of $x = x_{n-1} \dots x_1 x_0$, thereby “erasing” this part of the binary representation of $x$ (i.e., setting it to 0) and eventually setting the register that contained the state $|x\rangle$ to an approximation of the state $|0^n\rangle$. The circuit suggested in Figure 5.2 has size $O(n \log n)$ and depth $O(\log n)$. For more details on why the leading $k$ bits of each of the outcomes of the QFTs in this circuit are a good enough approximation of the corresponding parts of the binary representation of $x$, we refer to Section 4.1 in [8].

5.2 Parallel modular exponentiation

The part of Shor’s algorithm that remains to be parallelized is the modular exponentiation step. Whether or not modular exponentiation can be entirely parallelized is a long-standing open question and the parallel complexity of exponentiation is not well understood. However, Cleve and Watrous show that a polynomial-time classical precomputation step allows parallelization of the quantum circuit associated with the modular exponentiation step. In Section 5.2.1, we discuss how to parallelize this polynomial-time classical precomputation step by discussing a parallelization of the Schönhage-Strassen algorithm for multiplying large integers [19]. Afterwards, in Section 5.2.2, we discuss how this polynomial-time classical precomputation allows parallelization of the quantum circuit associated with the modular exponentiation step.

We assume again that we have $P$ processors running in parallel, each of which can at each time step perform any operation to any set of bits. The bottleneck of this parallel version of Shor’s algorithm is still the modular exponentiation step. In particular, the cost of the classical precomputation step is the highest, which using $P \le n \log n \log\log n$ processors can be computed in
$$O\Big(\frac{n^2 (\log n)^2 \log\log n}{P}\Big)$$
steps.


5.2.1 Classical precomputation of squares

Suppose we want to find a non-trivial factor of an $n$-bit integer $N$ by finding the order of the element $a \in (\mathbb{Z}/N\mathbb{Z})^*$ using Shor’s order-finding algorithm. The precomputation that is used to parallelize the part of the quantum circuit associated with the modular exponentiation step is the computation of the powers
$$b_0 := a \bmod N,\quad b_1 := a^2 \bmod N,\quad \dots,\quad b_{2n-1} := a^{2^{2n-1}} \bmod N.$$

To compute these powers we will (sequentially) compute $2n$ squares of $n$-bit integers and reduce each of them modulo $N$. We will parallelize this computation by parallelizing the computation of the squares. To do so, we will use a parallelization of the Schönhage-Strassen algorithm for multiplying large integers. Note that a reduction modulo $N$ can be computed using $O(1)$ $n$-bit integer multiplications, see Section 17 of [3], and can thus also be performed using this parallelization of the Schönhage-Strassen algorithm.

The Schönhage-Strassen algorithm is a recursive algorithm that computes the product of two $n$-bit integers modulo $2^n + 1$ for any $n$ of the form
$$n = 2^\ell \beta, \qquad (5.6)$$
where $\ell$ and $\beta$ are integers and $\beta \le 4 \log n + 2$. We can use this algorithm to obtain the exact product of two $n'$-bit integers by setting $n$ to be the power of 2 in the range $2n' < n \le 4n'$, and computing the product modulo $2^n + 1$. In the remainder of this section, we describe how the Schönhage-Strassen algorithm computes the square of an $n$-bit integer modulo $2^n + 1$, and how much this costs when using multiple processors.

Let $a$ denote the $n$-bit integer we wish to square modulo $2^n + 1$. First, we represent our integer $a$ as the polynomial
$$a = a_{r-1} x^{r-1} + \dots + a_1 x + a_0, \qquad (5.7)$$
where $r$ is the power of 2 in the interval $\sqrt{n/\log n} < r \le 2\sqrt{n/\log n}$, $s = n/r$, $x = 2^s$, and all the $a_i$ are $s$-bit integers. Note that we can efficiently compute this representation from the binary representation of $a$. The square $a^2 \bmod 2^n + 1$ is given by the following.

Lemma 5.2. For any $n$-bit integer $a$ as in Equation 5.7,
$$a^2 \equiv b_{r-1} x^{r-1} + \dots + b_1 x + b_0 \bmod 2^n + 1, \qquad (5.8)$$
where
$$b_k = \sum_{i,j\,:\,i + j = k} a_i a_j \;-\; \sum_{i,j\,:\,i + j = k + r} a_i a_j. \qquad (5.9)$$

Proof. First, we notice that
$$a^2 = \Big(\sum_{i=0}^{r-1} a_i x^i\Big)\Big(\sum_{i=0}^{r-1} a_i x^i\Big) = \sum_{k=0}^{2r-1} c_k x^k, \qquad \text{where } c_k = \sum_{i,j\,:\,i + j = k} a_i a_j.$$

Now, using the fact that
$$x^r = 2^{rs} = 2^n \equiv -1 \bmod 2^n + 1,$$
we indeed find that
$$a^2 = \sum_{k=0}^{2r-1} c_k x^k \equiv \sum_{k=0}^{r-1} (c_k - c_{k+r}) x^k \equiv \sum_{k=0}^{r-1} b_k x^k \bmod 2^n + 1.$$

The vector $(b_0, \dots, b_{r-1})$ defined in Equation 5.9 is known as the negative wrapped convolution of the vector $\vec{a} = (a_0, \dots, a_{r-1})$ with itself. The Schönhage-Strassen algorithm computes this negative wrapped convolution modulo $2^t + 1$, for a specially chosen value of $t$, using the following form of the discrete Fourier transform.

Definition 5.3. Let $\vec{c} = (c_0, \dots, c_{r-1})^T$. We define the discrete Fourier transform $F_r$ as the operation that maps $F_r \vec{c} = \vec{d}$, where $\vec{d}_j = \sum_{i=0}^{r-1} c_i \omega^{ij}$ and $\omega = 2^{2t/r}$.

In particular, we will set $t$ to be the unique integer multiple of $r$ in the range
$$2s + \log r + 1 < t \le 2s + \log r + r + 1.$$
We do so because this value of $t$ is large enough to allow us to immediately compute $b_k$ given the value of $b_k$ modulo $2^t + 1$. Also, one can show that this value of $t$ is of the form specified in Equation 5.6. The Schönhage-Strassen algorithm computes the negative wrapped convolution of $\vec{a}$ with itself using the following lemma.

Lemma 5.4. For any $\vec{a} = (a_0, \dots, a_{r-1})^T$,
$$F_r\big(\vec{\Psi} \cdot \vec{a}\big) \cdot F_r\big(\vec{\Psi} \cdot \vec{a}\big) = F_r\big(\vec{\Psi} \cdot \vec{b}\big), \qquad (5.10)$$
where $\cdot$ denotes the componentwise product of two vectors, $\vec{b}$ denotes the negative wrapped convolution of $\vec{a}$ with itself, $\vec{\Psi} = (1, \psi, \psi^2, \dots, \psi^{r-1})^T$ and $\psi = \sqrt{\omega} = 2^{t/r}$.

Proof. See Lemma 3.56 in [12].

So, to compute the negative wrapped convolution of $\vec{a}$ with itself, the Schönhage-Strassen algorithm performs the following steps. First, it componentwise multiplies the vector $(a_0, \dots, a_{r-1})$ with $\vec{\Psi}$. Thanks to the special form of $\vec{\Psi}$, this only involves multiplications by powers of 2 and can therefore be efficiently implemented as bit shifts. Subsequently, it computes the discrete Fourier transform $F_r(\vec{\Psi} \cdot \vec{a})$. This can be done in $O(\log n)$ steps using $O(n \log n)$ processors by a parallel version of the fast Fourier transform (FFT), see Section 3.7 in [12]. Once this discrete Fourier transform is computed, the Schönhage-Strassen algorithm recursively calls itself to componentwise multiply the vector $F_r(\vec{\Psi} \cdot \vec{a})$ with itself. Note here that the $r$ entries of $F_r(\vec{\Psi} \cdot \vec{a})$ are all $t$-bit integers. Afterwards, it applies the inverse Fourier transform to the resulting vector. This inverse Fourier transform can also be done in $O(\log n)$ steps using $O(n \log n)$ processors by the same parallel version of the FFT. Next, it goes from $\vec{\Psi} \cdot \vec{b}$ to $\vec{b}$ by componentwise multiplying the vector $\vec{\Psi} \cdot \vec{b}$ with the vector $(1, \psi^{2r-1}, \psi^{2r-2}, \dots, \psi^{r+1})^T$. Again, this only involves multiplication by powers of 2 and can therefore be efficiently implemented as bit shifts. Once the negative wrapped convolution of $\vec{a}$ with itself is computed, we can compute $a^2 \bmod 2^n + 1$ by evaluating the polynomial from Equation 5.8 at $x = 2^s$. This can be done in $O(\log n)$ steps using $O(n)$ processors, see Section 3.7 in [12].

Overall, the algorithm uses $O(\log n)$ steps and $O(n \log n)$ processors in addition to the $r$ calls to itself to multiply $t$-bit integers modulo $2^t + 1$. Hence, the total number of steps $T(n)$ and processors $\mathcal{P}(n)$ needed by this algorithm are bounded by the recurrences
$$T(n) \le T(t) + O(\log n), \qquad \mathcal{P}(n) \le r\,\mathcal{P}(t) + O(n \log n),$$
where $t \in O(n^{2/3})$. Solving these recurrences results in $T(n) = O(\log n)$ and $\mathcal{P}(n) = O(n \log n \log\log n)$. Therefore, when using $P \le n \log n \log\log n$ processors, each of which can at each time step perform any operation on any set of bits, we can square an $n$-bit integer in

$$O\Big(\frac{n (\log n)^2 \log\log n}{P}\Big)$$
steps. This allows us to complete the precomputation step in
$$O\Big(\frac{n \cdot n (\log n)^2 \log\log n}{P}\Big)$$
steps.

5.2.2 Iterated multiplication of squares

If we have precomputed the powers $b_i = a^{2^i} \bmod N$ for $i = 0, \dots, 2n - 1$, then computing the modular exponentiation $a^x \bmod N$ reduces to applying a unitary that maps
$$|b_0\rangle\,|b_1\rangle \dots |b_{2n-1}\rangle\,|x\rangle\,|0^n\rangle \mapsto |b_0\rangle\,|b_1\rangle \dots |b_{2n-1}\rangle\,|x\rangle\,\big|b_0^{x_0} \cdot b_1^{x_1} \cdots b_{2n-1}^{x_{2n-1}}\big\rangle. \qquad (5.11)$$

The most straightforward way to do this in parallel is to perform pairwise multiplication following the structure of a binary tree. If we use the parallel version of the Schönhage-Strassen algorithm, as discussed in the previous section, to perform the multiplications, then this will result in a circuit of depth $O((\log n)^2)$ and size $O(n^2 (\log n)^2 \log\log n)$.
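As an added, runnable companion to Sections 5.2.1 and 5.2.2 (example code written for this page, not the thesis's or [19]'s implementation): the sequential core of Schönhage-Strassen squaring modulo $2^n + 1$ through the negative wrapped convolution of Lemma 5.2, the DFT of Definition 5.3 and the identity of Lemma 5.4; the precomputation $b_i = a^{2^i} \bmod N$ built from it; and the binary-tree product of Equation 5.11 evaluated classically on one exponent. The naive $O(r^2)$ DFT and Python big-integer arithmetic stand in for the parallel FFT and the recursive call, respectively.

```python
import math

# Added example (not from the thesis): Schönhage-Strassen squaring mod 2^n + 1 via the
# negative wrapped convolution, the square precomputation of Section 5.2.1, and the
# binary-tree product of Section 5.2.2.  All names and sample values are constructed.

def choose_r(n):
    """The power of 2 with sqrt(n / log n) < r <= 2 sqrt(n / log n)  (log base 2)."""
    r = 1
    while r <= math.sqrt(n / math.log2(n)):
        r *= 2
    return r

def negative_wrapped_convolution_square(coeffs, s, r):
    """b_k of Equation 5.9 for the vector of s-bit chunks, computed modulo 2^t + 1 with
    the DFT of Definition 5.3 and Lemma 5.4, then lifted back to signed integers."""
    log_r = r.bit_length() - 1
    lo = 2 * s + log_r + 1
    t = (lo // r + 1) * r                   # the unique multiple of r in (lo, lo + r]
    M = (1 << t) + 1
    psi = pow(2, t // r, M)                 # psi^r = 2^t = -1 mod M
    omega = psi * psi % M                   # omega = 2^(2t/r), an r-th root of unity

    def F(vec, root):                       # naive O(r^2) DFT; the algorithm uses a parallel FFT
        return [sum(v * pow(root, i * j, M) for i, v in enumerate(vec)) % M for j in range(r)]

    weighted = [c * pow(psi, i, M) % M for i, c in enumerate(coeffs)]   # Psi . a (bit shifts)
    hat = F(weighted, omega)                                            # F_r(Psi . a)
    hat_sq = [h * h % M for h in hat]                                   # the recursive call
    inv_r = pow(r, -1, M)
    psi_b = [v * inv_r % M for v in F(hat_sq, pow(omega, -1, M))]       # Psi . b by inverse DFT
    b_mod = [v * pow(psi, 2 * r - k, M) % M for k, v in enumerate(psi_b)]   # strip Psi
    # |b_k| < r 2^(2s) < 2^(t-1), so the residue modulo 2^t + 1 determines the signed b_k
    return [v - M if v > M // 2 else v for v in b_mod]

def ss_square_mod(a, n, r):
    """a^2 mod 2^n + 1 for 0 <= a < 2^n, with n = r * s and r a power of 2."""
    s = n // r
    coeffs = [(a >> (s * i)) & ((1 << s) - 1) for i in range(r)]        # Equation 5.7
    b = negative_wrapped_convolution_square(coeffs, s, r)
    return sum(bk << (s * k) for k, bk in enumerate(b)) % ((1 << n) + 1)  # Equation 5.8 at x = 2^s

def precompute_squares(a, N):
    """b_i = a^(2^i) mod N for i = 0, ..., 2n'-1.  Each square is computed modulo 2^n + 1
    with n the power of two in 2n' < n <= 4n', so it is exact, then reduced modulo N."""
    n_prime = N.bit_length()
    n = 1 << (2 * n_prime).bit_length()     # smallest power of two strictly above 2n'
    r = choose_r(n)
    powers = [a % N]
    for _ in range(2 * n_prime - 1):
        powers.append(ss_square_mod(powers[-1], n, r) % N)
    return powers

def tree_product_exponent(powers, x, N):
    """a^x mod N as the binary-tree product of the b_i with x_i = 1 (Equation 5.11),
    evaluated classically for one exponent; the unitary does the same in superposition."""
    assert 0 <= x < (1 << len(powers)), "exponent has more bits than precomputed squares"
    layer = [powers[i] if (x >> i) & 1 else 1 for i in range(len(powers))]
    while len(layer) > 1:                   # one level of the tree per round
        if len(layer) % 2:
            layer.append(1)
        layer = [layer[i] * layer[i + 1] % N for i in range(0, len(layer), 2)]
    return layer[0]
```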

[Figure 5.2: Quantum circuit for the approximation of the mapping in Equation 5.5, taken from [8]. The diagram is not reproduced here.]

6 Conclusion

As discussed in Chapter 1, Shor’s algorithm allows large-scale quantum computers to break the version of RSA that is used today. In Chapter 2 we discussed Post-Quantum RSA, the newly proposed variant of RSA by Bernstein et al. that is supposed to better withstand attacks by a quantum computer compared to RSA as used today [4]. The main idea behind Post-Quantum RSA is that, if we let the modulus be a product of many equally-sized primes instead of only two primes, then we are able to save on the usage cost and therefore create a larger gap between the attack cost and the usage cost. By pushing this technique for speeding up RSA to its extreme, Post-Quantum RSA achieves an attack cost that is essentially quadratic in its usage cost, even in the presence of large-scale quantum computers. To be more specific, the usage cost of Post-Quantum RSA with an $n$-bit modulus is $O(n)$, whereas the best-known attack requires $O(n^2)$ steps. To achieve this, an $n$-bit Post-Quantum RSA modulus is a product of distinct primes where each prime has $(\log(n))^{2 + o(1)}$ bits. The goal for the rest of this thesis was to find out if we could speed up two known algorithms for factoring, namely Shor’s algorithm and Lenstra’s elliptic curve factorization method, to develop a sub-quadratic attack against Post-Quantum RSA. In other words, we tried to find a quantum algorithm that can find a non-trivial factor of an $n$-bit Post-Quantum RSA modulus in $O(n^{2 - \varepsilon})$ steps, for some $\varepsilon \in (0, 1)$.

We began, in Chapter 3, by discussing Shor's algorithm and ways to speed up Shor's algorithm. In Section 3.1.2, we noted that the bottleneck of Shor's algorithm is the modular exponentiation step. Namely, to find a factor of an integer N using Shor's algorithm, the most costly step is computing x^a mod N for some x ∈ (Z/NZ)∗ and a ∈ N^{O(1)}. In Lemma 3.2, we showed that if x has a sufficiently low order, then we can get around this expensive modular exponentiation, since in this case we can decrease the size of the exponent a. Unfortunately, we established that trying random elements x ∈ (Z/NZ)∗ until we get one of sufficiently low order will likely not result in a more efficient algorithm for factoring. However, in Section 3.2.1, we showed that in some cases we are able to construct an element of sufficiently low order using a classical precomputation step. Particularly, in Corollary 3.6, we showed that if an n-bit Post-Quantum RSA modulus N is such that ϕ(N) = #(Z/NZ)∗ has an n^{1−ε}-smooth factor of size 2^{n − n^{1−ε}} for some ε ∈ (0, 1), then we can find a factor of N in time O(n^{2−ε}).
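To make the precomputation step concrete, the following Python script is an added example (it is not code from the thesis, and the names in it are mine). The modulus N is a constructed product of four small primes whose p − 1 values are all 10-smooth, so ϕ(N) is essentially one smooth factor; raising an element x to M = lcm(1, ..., B) then strips that smooth part from the order of x, and the resulting element y has a much smaller order, which is exactly what Lemma 3.2 needs. The quantum order-finding step is replaced by a brute-force loop, which only works at toy sizes; the classical post-processing gcd(y^{r/2} − 1, N) is the usual last step of Shor's algorithm. The same structure, a smooth ϕ(N), is what Pollard's p − 1 method relies on, which is why the smoothness of each p − 1 is the property to check when generating moduli.

```python
"""Toy version of the classical precomputation step from Section 3.2.1 (added
example, not code from the thesis).  N is a constructed product of several
small primes whose p - 1 values are all 10-smooth, so phi(N) consists almost
entirely of a smooth factor.  Shor's order-finding step is replaced by a
brute-force loop, which only works at toy sizes."""
from math import gcd, lcm
from functools import reduce
from typing import Optional, Tuple

# Constructed toy modulus: p - 1 = 60, 96, 108, 150 are all 10-smooth.
PRIMES = [61, 97, 109, 151]
N = reduce(lambda u, v: u * v, PRIMES)
PHI = reduce(lambda u, v: u * v, [p - 1 for p in PRIMES])   # phi(N) = #(Z/NZ)*
B = 10                                                        # smoothness bound


def mult_order(y: int, n: int) -> int:
    """Multiplicative order of y in (Z/nZ)*, by brute force (toy sizes only)."""
    assert gcd(y, n) == 1
    r, acc = 1, y % n
    while acc != 1:
        acc = acc * y % n
        r += 1
    return r


def smooth_exponent(bound: int) -> int:
    """M = lcm(1, ..., bound).  Raising to the power M removes every prime
    power <= bound from the order of an element."""
    return lcm(*range(1, bound + 1))


def precompute_low_order_element(x: int, n: int, bound: int) -> int:
    """The classical precomputation: y = x^M mod n.  The order of y is
    ord(x) / gcd(ord(x), M), so it is small whenever ord(x) is mostly smooth."""
    return pow(x, smooth_exponent(bound), n)


def factor_from_order(y: int, r: int, n: int) -> Optional[int]:
    """Shor's classical post-processing: for even r with y^(r/2) != -1 mod n,
    gcd(y^(r/2) - 1, n) is a non-trivial factor of n."""
    if r % 2:
        return None
    z = pow(y, r // 2, n)
    if z == n - 1:
        return None
    f = gcd(z - 1, n)
    return f if 1 < f < n else None


def run_demo(x: int = 2) -> Tuple[int, int, Optional[int]]:
    """Order of x, order of the precomputed y, and the factor obtained from y."""
    r_x = mult_order(x, N)
    y = precompute_low_order_element(x, N, B)
    r_y = mult_order(y, N)
    return r_x, r_y, factor_from_order(y, r_y, N)


if __name__ == "__main__":
    r_x, r_y, f = run_demo()
    print(f"N = {N}, phi(N) = {PHI}, ord(2) = {r_x}, ord(y) = {r_y}, factor = {f}")
```

For x = 2 the element has order 720 in (Z/NZ)∗, while y = 2^{2520} mod N has order 2, so the exponent that order-finding has to handle shrinks from about 10 bits to 1 bit, and the gcd step immediately splits off the factor 61 · 109 · 151. Which factor appears depends on the prime for which the smooth exponent did not fully cancel the order (here 97, since 2^5 divides 96 but only 2^3 divides M).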

Subsequently, in Chapter 4, we discussed Lenstra's elliptic curve factorization method (ECM) and ways to improve this algorithm using quantum techniques. In Section 4.2, we showed how Lenstra's ECM searches through the set of elliptic curves over (Z/NZ) until it finds one on which a computation similar to the one in Pollard's p − 1 algorithm finds a non-trivial factor of N. Following this, in Section 4.2.1, we showed how GEECM (the quantum enhancement of Lenstra's ECM proposed by Bernstein et al. [4]) improves the efficiency of Lenstra's ECM by using Grover's search algorithm to more efficiently search through the set of elliptic curves over (Z/NZ). Afterwards, in Section 4.3, we showed that solving the order-finding problem in a group consisting of points on an elliptic curve over (Z/NZ) will with high probability allow us to efficiently compute a non-trivial factor of N. Therefore, by running Shor's order-finding algorithm in a group consisting of points on an elliptic curve over (Z/NZ), we can with high probability compute a non-trivial factor of N. The bottleneck of this new algorithm for factoring is the cost of computing a large multiple of a point on an elliptic curve according to the additively written group law. The methods to speed up Shor's order-finding algorithm discussed in Chapter 3 also apply when running Shor's order-finding algorithm in a group consisting of points on an elliptic curve. The possible benefit of running Shor's order-finding algorithm in a group consisting of points on an elliptic curve is that we can try multiple elliptic curves until we find one for which the corresponding order-finding problem can be solved more efficiently. For example, we can try different elliptic curves until a precomputation step similar to the one discussed in Section 3.2.1 results in an element of sufficiently low order.
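The mechanism shared by Lenstra's ECM and the order-finding variant of Section 4.3 is that the group law on a curve over (Z/NZ) needs a modular inverse, and an inverse that exists modulo some prime factors of N but not others hands over a factor through a gcd. The Python script below is an added example (not the thesis's code) of that mechanism on a constructed toy instance: N = 7 · 11, the curve y^2 = x^3 + 1 and the point P = (16, 59), which has order 6 modulo 7 and order 4 modulo 11. Computing lcm(1, ..., 4) · P = 12 · P hits the point of order 2 modulo 7 first, and the tangent-slope denominator 2y then has gcd 7 with N. The function and class names are mine.

```python
"""Added example (not the thesis's code): the chord-and-tangent group law on an
elliptic curve over Z/NZ, with the non-invertible denominators that Lenstra's
ECM turns into factors.  N = 77, the curve y^2 = x^3 + 1 and P = (16, 59) are
constructed toy values."""
from math import gcd, lcm
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]      # None stands for the point at infinity O


class FactorFound(Exception):
    """A denominator in the group law shares a non-trivial factor with N."""

    def __init__(self, factor: int):
        super().__init__(f"non-trivial factor {factor}")
        self.factor = factor


def inverse_or_factor(d: int, n: int) -> Optional[int]:
    """d^-1 mod n; None when d == 0 mod n (the result is O); raises
    FactorFound when 1 < gcd(d, n) < n."""
    g = gcd(d % n, n)
    if g == 1:
        return pow(d % n, -1, n)
    if g == n:
        return None
    raise FactorFound(g)


def ec_add(P: Point, Q: Point, a: int, n: int) -> Point:
    """P + Q on y^2 = x^3 + a*x + b over Z/nZ (b is not used by the formulas)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % n == 0:
        if (y1 - y2) % n == 0:
            num, den = 3 * x1 * x1 + a, 2 * y1        # P == Q: tangent slope
        elif (y1 + y2) % n == 0:
            return None                               # Q == -P: the sum is O
        else:
            # y1^2 == y2^2 but y1 != +-y2 mod n: P and Q differ modulo only
            # some prime factor of n, which gcd(y1 - y2, n) exposes.
            raise FactorFound(gcd((y1 - y2) % n, n))
    else:
        num, den = y2 - y1, x2 - x1                   # chord slope
    inv = inverse_or_factor(den, n)
    if inv is None:
        return None
    lam = num * inv % n
    x3 = (lam * lam - x1 - x2) % n
    y3 = (lam * (x1 - x3) - y1) % n
    return (x3, y3)


def ec_mul(k: int, P: Point, a: int, n: int) -> Point:
    """k*P by left-to-right double-and-add; may raise FactorFound."""
    R: Point = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R, a, n)
        if bit == "1":
            R = ec_add(R, P, a, n)
    return R


def ec_order(P: Point, a: int, p: int) -> int:
    """Order of P over the prime field F_p, by brute force (toy sizes only)."""
    r, R = 1, P
    while R is not None:
        R = ec_add(R, P, a, p)
        r += 1
    return r


def ecm_trial(n: int, a: int, P: Tuple[int, int], bound: int) -> Optional[int]:
    """One Lenstra ECM trial: compute lcm(1..bound)*P and report a factor if the
    group law fails modulo some, but not all, prime factors of n."""
    try:
        ec_mul(lcm(*range(1, bound + 1)), P, a, n)
    except FactorFound as e:
        return e.factor
    return None


if __name__ == "__main__":
    print("ord(P) mod 7 :", ec_order((2, 3), 0, 7))        # 6
    print("ord(P) mod 11:", ec_order((5, 4), 0, 11))       # 4
    print("ECM on 77    :", ecm_trial(77, 0, (16, 59), 4))  # 7
```

The order of P in the group of points over (Z/77Z) is lcm(6, 4) = 12, which is why the multiple 12 · P cannot be computed in affine coordinates: this is the Section 4.3 observation that knowing the order of a point lets one force the group-law failure, with the scalar lcm(1, ..., B) standing in for that order in plain ECM. Which prime factor is found depends on the order in which the intermediate multiples are produced; a right-to-left double-and-add reaches 4 · P = O modulo 11 before it reaches 6 · P = O modulo 7 and would report 11 instead.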

Finally, in Chapter 5, we discussed the security of Post-Quantum RSA in the special case where the adversary has a certain number of processors at his disposal. Particularly, we discussed how to break Post-Quantum RSA by using a parallel version of Shor's algorithm. We showed that we can factor an n-bit integer using P ≤ n log n log log n processors in O(n^2 (log n)^2 log log n / P) steps. Here we assume that each processor can at each time step perform any operation on any set of qubits/bits.

Unfortunately, we were unable to reduce the attack time of Post-Quantum RSA. None of our attempts resulted in a quantum algorithm that finds a non-trivial factor of an n-bit integer in O(n^{2−ε}) steps, for some ε ∈ (0, 1). Even in the special case where the number we wish to factor is a Post-Quantum RSA modulus, we were unable to find a quantum algorithm that does so in O(n^{2−ε}) steps. However, in Corollary 3.6 we do show that if N has only small prime power divisors and ϕ(N) = #(Z/NZ)∗ has a rather large smooth factor, then by adding a classical precomputation step to Shor's algorithm we can find a non-trivial factor of N in O(n^{2−ε}) steps, for some ε ∈ (0, 1). Moreover, it is possible to combine this idea of a classical precomputation step with the unification of Lenstra's ECM and Shor's algorithm proposed in Section 4.3.

6.1 Future work

Throughout this thesis we also considered a couple of related open questions. In Section 3.3, we considered a very general open question regarding the existence of an efficiently preparable quantum state that contains sufficient information for us to find the order of an element of (Z/NZ)∗. To be more precise, let N be an n-bit integer, let x be an element of (Z/NZ)∗ and, as in Shor's order-finding algorithm, pick some q = 2^ℓ such that N^2 < q ≤ 2N^2. Then, for any subset A ⊆ {0, ..., q − 1} we can define the state

$$|\psi_A\rangle := \frac{1}{\sqrt{|A|}} \sum_{a \in A} |a\rangle \, |x^a \bmod N\rangle .$$


The way we view |ψ_A〉 is as a subsignal of the state |ψ〉 from Equation 3.1, which is normally used in Shor's algorithm. It could be interesting to see whether there exists a subset A such that

(i) |ψ_A〉 can be prepared in O(n^{2−ε}) steps, for some ε > 0.

(ii) If we apply Steps 4 through 6 of Shor's order-finding algorithm as stated in Section 3.1.2 to |ψ_A〉, we can still obtain the order of x.

It is clear that any A satisfying the above two properties would allow us to find a non-trivial factor of N in time O(n^{2−ε}).
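As an added illustration (not part of the thesis) of the state |ψ_A〉 and of what the remaining steps of order-finding do with it, the following Python script simulates |ψ_A〉 classically for a toy instance, measures the second register, applies the quantum Fourier transform modulo q to the first register and recovers r from the outcome by the continued-fraction step. With A = {0, ..., q − 1} it reproduces the standard Shor distribution: all probability mass sits on the multiples of q/r. The toy parameters x = 7, N = 15 (so r = 4) and q = 2^8 = 256 (so N^2 < q ≤ 2N^2) are my assumptions, as are the function names; passing another subset A lets one observe how the outcome distribution of a subsignal differs.

```python
"""Added example (not the thesis's code): a classical simulation of |psi_A>
for a toy instance, followed by the measurement, QFT and continued-fraction
steps of Shor's order-finding algorithm.  x = 7, N = 15 (r = 4) and q = 256
are constructed toy parameters."""
import cmath
import math
from fractions import Fraction
from math import lcm
from typing import Dict, Iterable, List, Optional, Tuple


def subsignal(x: int, N: int, A: Iterable[int]) -> Dict[Tuple[int, int], float]:
    """|psi_A> = |A|^(-1/2) sum_{a in A} |a>|x^a mod N>, as basis state -> amplitude."""
    A = list(A)
    norm = 1 / math.sqrt(len(A))
    return {(a, pow(x, a, N)): norm for a in A}


def measure_second_register(state: Dict[Tuple[int, int], float],
                            observed: int, q: int) -> List[float]:
    """Collapse onto second register == observed and return the renormalised
    first-register amplitudes as a vector of length q."""
    kept = [a for (a, v) in state if v == observed]
    amp = [0.0] * q
    for a in kept:
        amp[a] = 1 / math.sqrt(len(kept))
    return amp


def qft_probabilities(amp: List[float], q: int) -> List[float]:
    """Outcome distribution of the first register after the QFT modulo q."""
    support = [a for a in range(q) if amp[a]]
    probs = []
    for y in range(q):
        s = sum(amp[a] * cmath.exp(2j * math.pi * a * y / q) for a in support)
        probs.append(abs(s) ** 2 / q)
    return probs


def order_from_outcomes(ys: Iterable[int], q: int, N: int) -> int:
    """Continued-fraction step: y/q is close to k/r with r < N, so the
    denominators of the best approximations are divisors of r."""
    candidates = [Fraction(y, q).limit_denominator(N).denominator for y in ys]
    return lcm(*candidates)


def run(x: int = 7, N: int = 15, q: int = 256, A: Optional[Iterable[int]] = None,
        observed: Optional[int] = None, threshold: float = 1e-9):
    """Simulate the whole procedure; returns (peak outcomes, their probabilities, r)."""
    A = list(range(q)) if A is None else list(A)
    state = subsignal(x, N, A)
    if observed is None:
        observed = pow(x, A[0], N)     # pretend the measurement returned this value
    amp = measure_second_register(state, observed, q)
    probs = qft_probabilities(amp, q)
    peaks = [y for y, p in enumerate(probs) if p > threshold]
    return peaks, [round(probs[y], 6) for y in peaks], order_from_outcomes(peaks, q, N)


if __name__ == "__main__":
    peaks, probs, r = run()
    print("QFT peaks:", peaks)          # [0, 64, 128, 192], i.e. multiples of q/r
    print("probabilities:", probs)      # each 0.25
    print("recovered order:", r)        # 4
```

Because r = 4 divides q = 256 exactly, the four peaks carry probability 1/4 each and every other outcome has probability 0 up to floating-point noise; for an r that does not divide q the mass spreads over the outcomes nearest to the multiples of q/r, which is why the continued-fraction step is needed in general.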

Afterwards, in Section 4.3, we considered the possible benefits of running Shor's order-finding algorithm in a group consisting of points on an elliptic curve over (Z/NZ) instead of running it in the group (Z/NZ)∗. One of the questions that arose here was when a classical precomputation step similar to the one discussed in Section 3.2.1 would work in a group consisting of points on an elliptic curve. It could be interesting to determine the probability that the precomputation step from Section 3.2.1 will construct an element of sufficiently low order on a randomly chosen elliptic curve. Or maybe we can come up with a less expensive precomputation step that sufficiently decreases the order of the element and that works with even higher probability.


Popular summary

Today many computer programs use the so-called RSA cryptosystem to encrypt and decrypt messages. A user of RSA creates and publishes the product of two large prime numbers N = pq, and keeps the prime factors p and q secret. Anyone can use the value of N to encrypt a message, and if the primes p and q are large enough, it is assumed that only someone with knowledge of the values of p and q can decrypt the ciphertext. Because modern-day computers can take many years to find the prime factors of a large enough integer, a message encrypted with RSA stays secure for a long time.

However, Peter Shor discovered in 1994 that by using a so-called quantum computer, we can find the prime factors of a large integer a lot quicker. A quantum computer is a computer that is based on quantum-mechanical principles. Whereas common computers use binary bits, each of which is either in the state 0 or 1, a quantum computer uses quantum bits or qubits, which can be in a superposition of states. A qubit is a unit vector (α, β)^T ∈ C^2. A quantum computer operates on its qubits using quantum gates (i.e., unitary operations) and measurements. When measuring our qubit (α, β)^T, the outcome will be 0 with probability |α|^2 and 1 with probability |β|^2. The result of Peter Shor implies that, if quantum computers become reality one day, then RSA will no longer be secure. However, it was recently proposed by Bernstein et al. that by adapting RSA one can still achieve some security, even in the presence of quantum computers. This adaptation is called Post-Quantum RSA [4].

In this thesis, we investigate if Post-Quantum RSA is indeed still secure by trying to find an attack on Post-Quantum RSA that would take sub-quadratic time. Particularly, we investigate whether the adaptations made to RSA have caused any vulnerabilities. We do so by looking at two quantum algorithms for factoring and investigating whether we can adapt these algorithms to attack Post-Quantum RSA faster by exploiting the adaptations made to the usual RSA. Both the quantum algorithms we discuss find a non-trivial factor of an integer N by exploiting certain algebraic structures to construct an integer x whose residue class x mod N does not lie in (Z/NZ)∗. That is, they construct an integer x such that gcd(x, N) is a non-trivial factor of N. One of the algorithms, namely Shor's algorithm, does so by finding the order of an element in (Z/NZ)∗. The other algorithm, that is Lenstra's elliptic curve factorization method, uses the theory of elliptic curves to construct such an integer x. Unfortunately, mostly due to the high cost of computing high powers of elements in (Z/NZ)∗, none of our attempts resulted in a sub-quadratic-time quantum algorithm for factoring and thus we were unable to improve the attack time of Post-Quantum RSA.


Bibliography

[1] M. Bellare and P. Rogaway. Optimal asymmetric encryption – how to encrypt with RSA. In Proceedings of the 1994 Workshop on the Theory and Application of Cryptographic Techniques, EUROCRYPT '94, 1994.

[2] C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, pages 175–179, 1984.

[3] D. Bernstein. Fast multiplication and its applications. Algorithmic Number Theory, 44, 2008.

[4] D. Bernstein, N. Heninger, P. Lou, and L. Valenta. Post-quantum RSA. In Proceedings of the 8th International Workshop on Post-Quantum Cryptography, 2017. eprint.iacr.org/2017/351.

[5] E. Canfield, P. Erdős, and C. Pomerance. On a problem of Oppenheim concerning 'factorisatio numerorum'. Journal of Number Theory, 17, 1983.

[6] R. Cleve and J. Watrous. Fast parallel circuits for the quantum Fourier transform. In Proceedings of 41st IEEE FOCS, pages 526–536, 2000. quant-ph/0006004.

[7] L. K. Grover. A fast quantum mechanical algorithm for database search. In Proceedings of 28th ACM STOC, pages 212–219, 1996. quant-ph/9605043.

[8] L. Hales. The Quantum Fourier Transform and Extensions of the Abelian Hidden Subgroup Problem. PhD thesis, UC Berkeley, 2002. quant-ph/0212002.

[9] L. Hales and S. Hallgren. An improved quantum Fourier transform algorithm and applications. In Proceedings of 41st IEEE FOCS, pages 515–525, 2000.

[10] P. Kurlberg. On the order of unimodular matrices modulo integers. Acta Arithmetica, 110(2), 2002.

[11] H. Lange and W. Ruppert. Complete systems of addition laws on abelian varieties. Inventiones Mathematicae, 79, 1985.

[12] F. Leighton. Introduction to parallel algorithms and architectures: arrays, trees, hypercubes. Morgan Kaufmann, San Francisco, 1992.

[13] A. Lenstra and H. Lenstra, Jr. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer, 1993.

[14] H. Lenstra. Elliptic curves and number-theoretic algorithms. In Proceedings of the International Congress of Mathematicians, 1986.

[15] S. Martin, P. Morillo, and J. Villar. Computing the order of points on an elliptic curve modulo n is as difficult as factoring n. Applied Mathematics Letters, 14:341–346, 2001.

[16] Y. Ofman. On the algorithmic complexity of discrete functions. Soviet Physics Doklady, 7(1):589–591, 1963.

[17] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM, 21:120–126, 1978.

[18] C. Schaffner and A. Broadbent. Quantum cryptography beyond quantum key distribution. Designs, Codes and Cryptography, 78:351–382, 2016.

[19] A. Schönhage and V. Strassen. Schnelle Multiplikation grosser Zahlen. Computing, 7:281–292, 1971.

[20] C. E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28:656–715, 1949.

[21] P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26(5):1484–1509, 1997. Earlier version in FOCS '94. quant-ph/9508027.

[22] J. Silverman. The arithmetic of elliptic curves, volume 106 of Graduate Texts in Mathematics. Springer, Dordrecht, second edition, 2009.

[23] J. van der Lingen. Elliptic curves and factorization algorithms, January 1987. Available at http://www.math.leidenuniv.nl/~hwl/PUBLICATIONS/Lingen/result.pdf.
