Quantum Algorithms for Computing Short Discrete Logarithms and Factoring RSA Integers

Abstract

We generalize the quantum algorithm for computing short discrete logarithms previously introduced by Ekerå [2] so as to allow for various tradeoffs between the number of times that the algorithm need be executed on the one hand, and the complexity of the algorithm and the requirements it imposes on the quantum computer on the other hand. Furthermore, we describe applications of algorithms for computing short discrete logarithms. In particular, we show how other important problems such as those of factoring RSA integers and of finding the order of groups under side information may be recast as short discrete logarithm problems. This gives rise to an algorithm for factoring RSA integers that is less complex than Shor’s general factoring algorithm in the sense that it imposes smaller requirements on the quantum computer. In both our algorithm and Shor’s algorithm, the main hurdle is to compute a modular exponentiation in superposition. When factoring an n bit integer, the exponent is of length 2n bits in Shor’s algorithm, compared to slightly more than n/2 bits in our algorithm.

A Appendix

In this appendix we provide graphical visualizations of some of the quantum circuits described earlier so as to facilitate the reader’s comprehension.

All circuits below use the standard algorithm for exponentiation and one control qubit for each group operation as described in Sect. 3.13. Recall that a single qubit may be used to control all operations as described by Mosca and Ekert [6]. This reduces the topmost registers in the figures to a single qubit.

We assume below that t qubits is sufficient to represent group elements and to perform the required group operations. Furthermore, we introduce the controlled operator \(U_v\) that upon input of \(\left| \, u \, \right\rangle \) where \(u, v \in {\mathbb {G}}\) outputs \(\left| \, u \odot v \, \right\rangle \) if the control qubit is \(\left| \, 1 \, \right\rangle \) and \(\left| \, u \, \right\rangle \) otherwise.

Fig. 1.

A quantum circuit for the quantum stage in the algorithm for computing short discrete logarithms described in Sect. 3.

Fig. 2.

A quantum circuit for the quantum stage in Shor’s algorithm for computing general discrete logarithms [2, 8, 9]. It is identical to the circuit in Fig. 1, except that the exponent lengths and register sizes are larger. In this figure, l denotes the length in bits of the order of \({\mathbb {G}}\). The circuit in Fig. 1 has an advantage when \(l \ggg \ell +m/2\).

Fig. 3.

A quantum circuit for the quantum stage in the order finding algorithm that is part of Shor’s factoring algorithm [8, 9]. In this figure, x is a random integer, n denotes the length in bits of the integer N to be factored and we assume \({\mathbb {G}} \subseteq {\mathbb {Z}}^*_N\).