SLIDES 1–2
Challenges in quantum algorithms for integer factorization
Bernstein, University of Illinois at Chicago

Prelude: What is the fastest algorithm to sort an array?

    import random

    def issorted(x):
        # True when every element is at most its successor.
        return all(x[i] <= x[i+1] for i in range(len(x) - 1))

    def permuterandomly(x):
        # In-place uniformly random permutation.
        random.shuffle(x)

    def blindsort(x):
        # Keep shuffling until the array happens to be sorted: expected n! attempts.
        while not issorted(x):
            permuterandomly(x)

    def bubblesort(x):
        # Pass j sinks x[j] leftward through the already sorted prefix x[0..j-1]
        # using adjacent min/max swaps, so x[0..j] is sorted after pass j.
        for j in range(len(x)):
            for i in reversed(range(j)):
                x[i], x[i+1] = (min(x[i], x[i+1]), max(x[i], x[i+1]))

bubblesort takes poly time: Θ(n²) comparisons. Huge speedup over blindsort! Is this the end of the story? No, still not optimal.
SLIDES 3–7
Analogous: What is the fastest algorithm to factor integers?
Shor’s algorithm takes poly time. Huge speedup over NFS! b²(log b)^(1+o(1)) qubit operations to factor a b-bit integer, using standard subroutines for fast integer arithmetic. Is this the end of the story? No, still not optimal.
“Shor’s algorithm: the bubble sort of integer factorization.”
SLIDES 8–11
A simple exercise to illustrate suboptimality of Shor’s algorithm: Find a prime divisor of ⌊10^3009 π⌋ =
31415926535897932384626433832795028841971693993751058209749445923078164062862089
98628034825342117067982148086513282306647093844609550582231725359408128481117450
28410270193852110555964462294895493038196442881097566593344612847564823378678316
52712019091456485669234603486104543266482133936072602491412737245870066063155881
74881520920962829254091715364367892590360011330530548820466521384146951941511609
43305727036575959195309218611738193261179310511854807446237996274956735188575272
48912279381830119491298336733624406566430860213949463952247371907021798609437027
70539217176293176752384674818467669405132000568127145263560827785771342757789609
17363717872146844090122495343014654958537105079227968925892354201995611212902196
08640344181598136297747713099605187072113499999983729780499510597317328160963185
95024459455346908302642522308253344685035261931188171010003137838752886587533208
38142061717766914730359825349042875546873115956286388235378759375195778185778053
21712268066130019278766111959092164201989380952572010654858632788659361533818279
68230301952035301852968995773622599413891249721775283479131515574857242454150695
95082953311686172785588907509838175463746493931925506040092770167113900984882401
28583616035637076601047101819429555961989467678374494482553797747268471040475346
46208046684259069491293313677028989152104752162056966024058038150193511253382430
03558764024749647326391419927260426992279678235478163600934172164121992458631503
02861829745557067498385054945885869269956909272107975093029553211653449872027559
60236480665499119881834797753566369807426542527862551818417574672890977772793800
08164706001614524919217321721477235014144197356854816136115735255213347574184946
84385233239073941433345477624168625189835694855620992192221842725502542568876717
90494601653466804988627232791786085784383827967976681454100953883786360950680064
22512520511739298489608412848862694560424196528502221066118630674427862203919494
50471237137869609563643719172874677646575739624138908658326459958133904780275900
99465764078951269468398352595709825822620522489407726719478268482601476990902640
13639443745530506820349625245174939965143142980919065925093722169646151570985838
74105978859597729754989301617539284681382686838689427741559918559252459539594310
49972524680845987273644695848653836736222626099124608051243884390451244136549762
78079771569143599770012961608944169486855584840635342207222582848864815845602850
60168427394522674676788952521385225499546667278239864565961163548862305774564980
35593634568174324112515076069479451096596094025228879710893145669136867228748940
56010150330861792868092087476091782493858900971490967598526136554978189312978482
16829989487226588048575640142704775551323796414515237462343645428584447952658678
21051141354735739523113427166102135969536231442952484937187110145765403590279934
40374200731057853906219838744780847848968332144571386875194350643021845319104848
10053706146806749192781911979399520614196634287544406437451237181921799983910159
19561814675142691239748940907186494231961567945208
SLIDES 12–15
Important variations in the factorization problem:
- Maybe need one factor.
- Maybe need all factors.
- Maybe factors are small.
- Maybe factors are large.
- Maybe there are many inputs.
- Maybe inputs in superposition.
Important variations in metrics (even assuming perfect devices):
- Qubits.
- Area (“A”, including wire area).
- Qubit operations (“gates”).
- Depth.
- Time (“T”: latency).
SLIDE 16 4
simple exercise to illustrate
- ptimality of Shor’s algorithm:
prime divisor of ¨ 103009ı ˝ .
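The exercise above, worked as an added example (this is not code from the slides): the 3010-digit integer ⌊10^3009 π⌋ is recomputed with Machin's formula in exact integer arithmetic, checked against the first 80 digits printed on the slide, and then handed to trial division, the most naive classical method there is. The slide's integer ends in 8, so the very first trial divisor already answers the question, which is the "maybe factors are small" variation from the list above. For contrast, the block also evaluates the 2b + 2 qubit count that the page later quotes for Häner–Roetteler–Svore on an input of this size. Function names, the guard-digit count and the trial-division bound are this example's own choices.

```python
# Added example, not code from the slides: the "prime divisor of floor(10^3009 * pi)"
# exercise solved classically, i.e. with 0 qubits, using only the Python
# standard library.  Function names and the trial-division bound are this
# example's own choices.

# First 80 digits of the integer as printed on the slide (sanity check only).
FIRST_80_DIGITS = "31415926535897932384626433832795028841971693993751058209749445923078164062862089"


def arctan_inv_scaled(x, scale):
    """Integer approximation of scale * arctan(1/x) from the alternating series
    arctan(1/x) = 1/x - 1/(3x^3) + 1/(5x^5) - ...  Each term is truncated, so the
    absolute error is below the number of terms summed."""
    total, term, x2, k, sign = 0, scale // x, x * x, 1, 1
    while term:
        total += sign * (term // k)
        term //= x2          # exact: floor(floor(a/x)/y) == floor(a/(x*y))
        k += 2
        sign = -sign
    return total


def floor_pi_times_pow10(ndigits, guard=20):
    """floor(pi * 10**ndigits) via Machin: pi = 16 arctan(1/5) - 4 arctan(1/239).
    `guard` extra digits absorb the series truncation error (a few thousand
    units at most, negligible against 10**guard)."""
    scale = 10 ** (ndigits + guard)
    pi_scaled = 16 * arctan_inv_scaled(5, scale) - 4 * arctan_inv_scaled(239, scale)
    return pi_scaled // 10 ** guard


def smallest_prime_factor(n, bound=10_000):
    """Trial division by 2 and by odd d <= bound; None if nothing small divides n.
    Any d returned is prime, because every smaller prime was tried first."""
    if n % 2 == 0:
        return 2
    d = 3
    while d <= bound:
        if n % d == 0:
            return d
        d += 2
    return None


def shor_qubits_hrs(n):
    """2b + 2 logical qubits, the Häner–Roetteler–Svore count quoted on the page,
    for a b-bit input n (error correction ignored entirely)."""
    return 2 * n.bit_length() + 2


def solve_exercise():
    """Returns (n, smallest prime factor found, qubits a 2b+2 Shor circuit needs)."""
    n = floor_pi_times_pow10(3009)
    return n, smallest_prime_factor(n), shor_qubits_hrs(n)


if __name__ == "__main__":
    n, p, qubits = solve_exercise()
    print("digits:", len(str(n)), "bits:", n.bit_length())
    print("smallest prime factor:", p)
    print("qubits for Shor (2b+2):", qubits)
```

The point is not that trial division beats Shor's algorithm in general; it is that the cost of "find a prime divisor" depends heavily on which variation of the problem is being asked, and an analysis that only counts Shor's qubits for a b-bit input misses that.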
Short-term RSA security
1995 Kitaev, 1996 Vedral–Barenco–Ekert, 1996 Beckman–Chari–Devabhaktuni–Preskill, 1998 Zalka, 1999 Mosca–Ekert, 2000 Parker–Plenio, 2001 Seifert, 2002 Kitaev–Shen–Vyalyi, 2003 Beauregard, 2006 Takahashi–Kunihiro, 2010 Ahmadi–Chiang, 2014 Svore–Hastings–Freedman, 2015 Grosshans–Lawson–Morain–Smith, 2016 Häner–Roetteler–Svore, 2017 Ekerå–Håstad, 2017 Johnston: try to squeeze constant factors out of Shor's algorithm.
2003 Beauregard: 2b + 3 qubits. ... 2016 Häner–Roetteler–Svore: 2b + 2 qubits; 64b^3(lg b + O(1)) Toffoli gates; similar number of CNOT gates; depth O(b^3).
Conventional wisdom: cannot avoid 2b qubits for controlled mulmod. e.g. 4096 qubits for b = 2048, very common RSA key size.
So 2048-bit factorization needs 4096 qubits? No: NFS uses 0 qubits.
NFS takes L^{p+o(1)} operations with p = ∛(92 + 26√13)/3 > 1.9, log L = (log 2^b)^{1/3} (log log 2^b)^{2/3}.
Analysis for b = 2048 (not easy!): very roughly 2^112 operations.
2017 Bernstein–Biasse–Mosca: L^{q+o(1)} operations with q = ∛(8/3) ≈ 1.387, using b^{2/3+o(1)} qubits (and many non-quantum bits).
Open: Analyze for b = 2048. Fewer than 4096 qubits? Fewer than 2048 qubits?
Counting operations is an oversimplified cost model: ignores communication costs, parallelism. See, e.g., 1981 Brent–Kung AT theorem for realistic chip model.
NFS suffers somewhat from communication costs inside big linear-algebra subroutine. 2001 Bernstein: AT = L^{p'+o(1)} with p' ≈ 1.976. 2017 Bernstein–Biasse–Mosca: AT = L^{q'+o(1)} with q' ≈ 1.456 using b^{2/3+o(1)} qubits.
Open: Analyze for b = 2048.
Actually have many inputs. Lower cost for some output? Lower cost for many outputs?
1993 Coppersmith: L^{1.638...+o(1)} operations after precomp(b) involving L^{2.006...+o(1)} operations.
2014 Bernstein–Lange: AT = L^{2.204...+o(1)} to factor L^{0.5+o(1)} inputs; L^{1.704...+o(1)} per input.
Open: Any quantum speedups for factoring many integers?
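As an added example (not from the slides), the L-notation exponents quoted on this slide and the two before it, evaluated at b = 2048 to see what "L^{c+o(1)}" means in bits. The closed forms for p and q are taken from the slides; the per-input and AT exponents are the decimal values quoted there. The evaluation drops the o(1) terms entirely, which is a crude simplification: it puts plain NFS near 2^116, in the same region as the slides' "very roughly 2^112", but that agreement should not be over-read. The o(1) terms are far from negligible at this size, which is why the slides call the b = 2048 analysis "not easy" and leave the Bernstein–Biasse–Mosca case open. Function names and the table labels are this example's own.

```python
# Added example, not from the slides: translating the slides' L-notation
# exponents into naive bit costs at b = 2048 (o(1) terms dropped).
import math


def nfs_exponent_p():
    """p = cbrt(92 + 26*sqrt(13)) / 3, the slides' NFS operation-count exponent."""
    return (92 + 26 * math.sqrt(13)) ** (1 / 3) / 3


def bbm_exponent_q():
    """q = cbrt(8/3), the Bernstein–Biasse–Mosca operation-count exponent."""
    return (8 / 3) ** (1 / 3)


def log_L(b):
    """log L = (log 2^b)^(1/3) (log log 2^b)^(2/3), natural logarithms as usual
    in L-notation; b is the bit size of the integer being factored."""
    n = b * math.log(2)               # log 2^b
    return n ** (1 / 3) * math.log(n) ** (2 / 3)


def naive_cost_bits(b, c):
    """e such that L^c = 2^e at key size b, with the o(1) in the exponent dropped.
    This is an illustration of the notation, not a cost analysis."""
    return c * log_L(b) / math.log(2)


def cost_table(b=2048):
    """Naive log2 costs for every exponent quoted on the slides.
    Entries are labelled by what the slides say each exponent measures."""
    exponents = {
        "NFS operations (p)": nfs_exponent_p(),
        "NFS AT, 2001 Bernstein (p')": 1.976,
        "BBM operations (q), b^(2/3) qubits": bbm_exponent_q(),
        "BBM AT (q')": 1.456,
        "1993 Coppersmith ops per input after precomp": 1.638,
        "1993 Coppersmith precomp ops": 2.006,
        "2014 Bernstein–Lange AT for L^0.5 inputs": 2.204,
        "2014 Bernstein–Lange AT per input": 1.704,
    }
    return {name: naive_cost_bits(b, c) for name, c in exponents.items()}


if __name__ == "__main__":
    print(f"p = {nfs_exponent_p():.4f}, q = {bbm_exponent_q():.4f}, "
          f"log L(2048) = {log_L(2048):.2f}")
    for name, bits in cost_table().items():
        print(f"{name:48s} ~ 2^{bits:6.1f}   (o(1) dropped)")
```

Two things to read off: the closed forms really do give p ≈ 1.902 > 1.9 and q ≈ 1.387, and a change of 0.1 in the exponent moves the naive cost at b = 2048 by about six bits, so the unknown o(1) terms dominate any comparison between these exponents at practical sizes.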
11
Long-term RSA security Long history of advances in integer factorization. Long history of RSA users switching to larger key sizes, not far beyond broken sizes.
SLIDE 48
10
Actually have many inputs. Lower cost for some output? Lower cost for many outputs? 1993 Coppersmith: L1:638:::+o(1) operations after precomp(b) involving L2:006:::+o(1) operations. 2014 Bernstein–Lange: AT = L2:204:::+o(1) to factor L0:5+o(1) inputs; L1:704:::+o(1) per input. Open: Any quantum speedups for factoring many integers?
11
Long-term RSA security Long history of advances in integer factorization. Long history of RSA users switching to larger key sizes, not far beyond broken sizes. “Expert” cryptographers: “Obviously they won’t react to Shor’s algorithm this way! They’ll switch to codes, lattices, etc. long before quantum computers break RSA-2048! We don’t need to analyze the security of RSA-4096, RSA-8192, RSA-16384, etc.!”
12
We consider possible impact of quantum computers. Shouldn’t we also consider possible impact of users wanting to stick to RSA? 2017 Bernstein–Heninger–Lou–Valenta “Post-quantum RSA” (pqRSA): Generated 1-terabyte RSA key; 2000000 core-hours. Shor’s algorithm: $>2^{100}$ gates. Bernstein–Fried–Heninger–Lou–Valenta: Draft NIST submission proposing 1-gigabyte RSA keys. Much faster to generate.
13
The secret primes are small: 4096 bits in terabyte key; 1024 bits in gigabyte key. Important time-saver in keygen, signing, decryption. Is this a weakness? ECM finds any prime $<y$ using $L^{\sqrt{2}+o(1)}$ mulmods, where $\log L = (\log y \cdot \log\log y)^{1/2}$. Beats Shor for $\log y$ below $(\log\log \text{modulus})^{2+o(1)}$. Public ECM record: 274-bit factor of $7^{337}+1$.
14
Analysis for $y \approx 2^{1024}$: $>2^{125}$ mulmods, huge depth; and $2^{33}$-bit mulmod is slow. $2^{23}$ target primes, but finding just one isn’t enough. 2017 Bernstein–Heninger–Lou–Valenta: Grover+ECM finds any prime $<y$ using $L^{1+o(1)}$ mulmods. Seems swamped by overhead. Open: Better ways for quantum algorithms to find small factors?
15
Minimum security level that NIST allows for post-quantum submissions: brute-force/Grover search for a 128-bit AES key. Is a gigabyte key so difficult for Shor’s algorithm to break? $64\,b^3 \lg b \approx 2^{110}$ for $b = 2^{33}$. Not totally implausible to argue that Grover’s algorithm could break AES-128 faster than this. But Shor’s algorithm can (with more qubits) use faster mulmods.
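The cost figures from the ECM slide onward (the $L^{\sqrt{2}+o(1)}$ mulmod count, the analysis at $y \approx 2^{1024}$, and $64\,b^3 \lg b$ for Shor on a gigabyte modulus), as an added Python calculator that is not the speaker's code: it drops the $o(1)$ terms, so every figure is an order of magnitude only, and the bisection for the crossover prime size extrapolates the slides' two formulas rather than quoting a number from them.

```python
import math

LN2 = math.log(2)


def ecm_log2_mulmods(log2_y: float) -> float:
    """log2 of L^{sqrt(2)} with log L = (log y * log log y)^{1/2}: the slide's
    mulmod count for ECM finding any prime factor below y = 2^log2_y.
    The o(1) in the exponent is dropped (added example's simplification)."""
    log_y = log2_y * LN2                          # natural log of y
    log_L = math.sqrt(log_y * math.log(log_y))    # (log y * log log y)^{1/2}
    return math.sqrt(2) * log_L / LN2             # ln-scale exponent -> log2


def shor_log2_gates(b: float) -> float:
    """log2 of 64 * b^3 * lg b, the slide's gate estimate for Shor's algorithm
    on a b-bit modulus without fast mulmods."""
    return 6 + 3 * math.log2(b) + math.log2(math.log2(b))


def largest_prime_bits_where_ecm_wins(b: int) -> float:
    """Prime size (bits) at which the ECM estimate equals the Shor estimate for a
    b-bit modulus; below it ECM is the cheaper of the two estimates. This goes
    beyond the slide, which only evaluates y ~ 2^1024 against the gigabyte key."""
    target = shor_log2_gates(b)
    lo, hi = 2.0, float(2 ** 20)      # ecm_log2_mulmods is increasing on this range
    if ecm_log2_mulmods(hi) < target:
        return hi
    for _ in range(100):              # bisection to well below 1 bit of precision
        mid = (lo + hi) / 2
        if ecm_log2_mulmods(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    b = 2 ** 33                                   # gigabyte modulus
    print(f"Shor, b = 2^33:          2^{shor_log2_gates(b):.1f} gates")
    # the slide states > 2^125 for y ~ 2^1024; the bare asymptotic formula gives
    # roughly 2^139, consistent with that lower bound
    print(f"ECM, y = 2^1024:         2^{ecm_log2_mulmods(1024):.1f} mulmods")
    print(f"ECM, y = 2^274 (record): 2^{ecm_log2_mulmods(274):.1f} mulmods")
    cross = largest_prime_bits_where_ecm_wins(b)
    print(f"ECM estimate below Shor estimate only for primes under ~{cross:.0f} bits")
```

With the $o(1)$ terms dropped, the crossover lands well below the 1024-bit primes of the gigabyte key, which matches the slide's conclusion that ECM at $y \approx 2^{1024}$ costs more than the Shor estimate for that modulus.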
16
NIST allows submissions to assume reasonable time limits: “Plausible values for MAXDEPTH range from $2^{40}$ logical gates (the approximate number of gates that presently envisioned quantum computing architectures are expected to serially perform in a year) through $2^{64}$ logical gates (the approximate number of gates that current classical computing architectures can perform serially in a decade), to no more than $2^{96}$ logical gates …”
17
What is the minimum time for b-bit integer multiplication? Light takes time $\Omega(b^{1/2})$ to cross a $b^{1/2} \times b^{1/2}$ chip. 1981 Brent–Kung AT theorem: $AT \ge$ small constant $\cdot\, b^{3/2}$, even if wire latency is 0. (Work around obstacles using faster-than-light communication through long-distance EPR pairs? Haven’t seen plausible designs, even if reversible computation avoids FTL impossibility proofs.)
18
What is the minimum time for Shor’s algorithm? Main bottleneck: $a^e \bmod N$ for 2b-bit superposition $e$. Traditional approach: series of controlled multiplications by $a$ and $1/a \bmod N$; $a^2 \bmod N$ and $1/a^2 \bmod N$; $a^4 \bmod N$ and $1/a^4 \bmod N$; etc. Can multiply these in parallel, using many more qubits; but hard to parallelize initial computation of $a^{2^i} \bmod N$.
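A classical simulation of the decomposition just described, added here as an example and not the speaker's code: the $a^{2^i} \bmod N$ constants and their inverses come from a serial chain of squarings, while the controlled multiplications selected by the bits of $e$ combine in a product tree. Counting depth in multiplication rounds, and standing in for the control qubit with bit $i$ of a classical $e$, are this example's assumptions.

```python
def precompute_powers(a: int, N: int, num_bits: int):
    """The serial part: a^(2^i) mod N and 1/a^(2^i) mod N for i < num_bits.
    Each entry is the square of the previous one, so this is a chain of num_bits
    dependent squarings, the step the slide calls hard to parallelize."""
    x = a % N
    x_inv = pow(x, -1, N)          # needs gcd(a, N) = 1, as Shor's algorithm assumes
    powers, inverses = [], []
    for _ in range(num_bits):
        powers.append(x)
        inverses.append(x_inv)
        x = x * x % N
        x_inv = x_inv * x_inv % N
    return powers, inverses


def product_tree(factors, N: int):
    """Multiply the selected constants pairwise in rounds. The number of rounds
    (the depth) is ceil(log2(len(factors))) instead of one controlled
    multiplication per exponent bit: the slide's more-qubits-for-less-depth trade."""
    vals = list(factors) or [1]
    depth = 0
    while len(vals) > 1:
        nxt = [u * v % N for u, v in zip(vals[0::2], vals[1::2])]
        if len(vals) % 2:
            nxt.append(vals[-1])   # odd leftover passes through to the next round
        vals = nxt
        depth += 1
    return vals[0], depth


def modexp_trace(a: int, e: int, N: int):
    """a^e mod N via the slide's decomposition, returning the result together with
    the depth split into serial squarings and parallel multiplication rounds."""
    nbits = e.bit_length()
    powers, inverses = precompute_powers(a, N, nbits)
    # each inverse undoes its constant; a reversible circuit multiplies by it to
    # clear the stale register after the controlled multiplication
    assert all(p * q % N == 1 for p, q in zip(powers, inverses))
    selected = [powers[i] for i in range(nbits) if (e >> i) & 1]
    result, rounds = product_tree(selected, N)
    return result, {"serial_squarings": nbits, "parallel_rounds": rounds}


if __name__ == "__main__":
    N = 221                        # constructed toy modulus, 13 * 17, 8 bits
    e = 0xBEEF                     # constructed 16-bit exponent: 2b bits for b = 8
    print(modexp_trace(7, e, N), "expected", pow(7, e, N))
```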
19
Why gigabyte keys are reasonable: big enough to push latency beyond the $2^{64}$ limit, under reasonable assumptions. Gigabyte inputs are millions of times larger than 2048-bit inputs. These algorithms will take billions of times longer. More cost to find all primes. Open: What is minimum time for integer factorization?
20
NIST’s middle security level is defined by an AES-192 key. With maximum depth 264, finding an AES-192 key requires ≈2144 cores. This is nonsense! There is not enough time to broadcast the input to 2144 parallel computations, and not enough time to collect the results. Is NIST implicitly assuming a higher latency limit?
SLIDE 99
21
Some improvements to Shor (2017 Bernstein–Biasse–Mosca)
Consider Shor's algorithm factoring $N = p_1^{e_1} \cdots p_f^{e_f}$. Write $(p_j - 1)\,p_j^{e_j - 1}$ as $2^{t_j} u_j$ with $u_j$ odd. Unit group is isomorphic to $\mathbb{Z}/2^{t_1} \times \cdots \times \mathbb{Z}/2^{t_f} \times \mathbb{Z}/u_1 \times \cdots$. Shor's algorithm (hopefully) computes order $r$ of random unit. Order $2^{c_j}$ in $\mathbb{Z}/2^{t_j}$ is $2^{t_j}$ with probability $1/2$; $2^{t_j - 1}$ with probability $1/4$; etc.
SLIDE 108
22
Shor computes $\gcd\{N, a^{r/2} - 1\}$. Divisible by $p_j$ exactly when $c_j < \max\{c_1, \ldots, c_f\}$. Factorization fails iff all $c_j$ are equal. Chance $\le 1/2^{f-1}$.
More subtle problem: Factorization is likely to split off some of the primes with the maximum $t_j$. Can iterate Shor's algorithm enough times to completely factor. Many full-size iterations; many more for adversarial inputs.
23
Better method, inspired by primality testing: compute gcd with $a^{r/2} + 1$, $a^{r/4} + 1$, $a^{r/8} + 1$, $\ldots$, $a^d + 1$, $a^d - 1$, with odd $d$. This splits $p_j$ according to $c_j$. Any two primes have chance $\ge 1/2$ of being split. Factors are around half size. Much less overhead for recursion. Also "parallel construction": Run several times in parallel, giving several factorizations. Then factor into coprimes.
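A classical simulation of the post-processing on slides 21–23, added here as an example (it is not code from the talk or from the Bernstein–Biasse–Mosca paper). The quantum order-finding step is replaced by brute force, so only small moduli are practical; $N$ is assumed odd, so that $-1$ is the only element of order 2 modulo each prime power, which is what makes the $\gcd\{N, a^{2^i d} + 1\}$ values separate the primes by $c_j$; the moduli $N = 105$ and $N = 15$, the bases $a$ and the two partial factorizations fed to the coprime refinement are constructed toy inputs. The block shows the textbook $\gcd\{N, a^{r/2} - 1\}$ split, the failure case where every $c_j$ is equal, the primality-test-style split by $c_j$, the "parallel construction" refinement into coprimes, and the empirical one-iteration failure fraction next to the $1/2^{f-1}$ bound.

```python
"""Added example: classical post-processing of Shor / Bernstein-Biasse-Mosca.
The quantum order-finding step is simulated by brute force, so N must be small.
N is assumed odd (so -1 is the unique element of order 2 mod each prime power).
All moduli and bases below are constructed toy inputs."""
from fractions import Fraction
from math import gcd


def v2(x):
    """2-adic valuation: largest c with 2^c dividing x (x > 0)."""
    c = 0
    while x % 2 == 0:
        x //= 2
        c += 1
    return c


def multiplicative_order(a, m):
    """Order r of a in (Z/m)*, by brute force; stands in for the quantum step."""
    assert gcd(a, m) == 1
    r, x = 1, a % m
    while x != 1:
        x = x * a % m
        r += 1
    return r


def c_exponents(prime_powers, a):
    """c_j = v2(order of a mod p_j^e_j), one per factor. Uses the factorization
    only to explain outcomes; the splitting functions below never see it."""
    return [v2(multiplicative_order(a, p ** e)) for p, e in prime_powers]


def shor_gcd(N, a, r):
    """Textbook Shor: gcd(N, a^(r/2) - 1). Returns a nontrivial factor or None.
    Fails when r is odd or when every c_j equals max(c_1, ..., c_f)."""
    if r % 2:
        return None
    g = gcd(N, pow(a, r // 2, N) - 1)
    return g if 1 < g < N else None


def bbm_factors(N, a, r):
    """Primality-test-style splitting: gcds with a^d - 1, a^d + 1, a^(2d) + 1,
    ..., a^(r/2) + 1 for the odd part d of r. Each odd prime p_j of N divides
    exactly one of these (a^d - 1 if c_j = 0, else a^(2^(c_j - 1) d) + 1), so
    the nontrivial gcds are pairwise coprime and multiply to N. [N] = no split."""
    k = v2(r)
    d = r >> k
    candidates = [pow(a, d, N) - 1] + [pow(a, d << i, N) + 1 for i in range(k)]
    return [g for g in (gcd(N, x) for x in candidates) if g > 1]


def refine_coprime(factorizations):
    """'Parallel construction': merge several pairwise-coprime factorizations
    of the same N into their common refinement by taking pairwise gcds."""
    current = list(factorizations[0])
    for other in factorizations[1:]:
        current = [g for h in current for g in (gcd(h, x) for x in other) if g > 1]
    return current


def shor_failure_fraction(N):
    """Fraction of units a mod N for which one Shor iteration yields no factor;
    slide 22 bounds this by 1/2^(f-1) for f distinct prime factors."""
    units = [a for a in range(1, N) if gcd(a, N) == 1]
    fails = sum(shor_gcd(N, a, multiplicative_order(a, N)) is None for a in units)
    return Fraction(fails, len(units))


if __name__ == "__main__":
    N, factors = 105, [(3, 1), (5, 1), (7, 1)]   # constructed toy modulus
    for a in (2, 11):
        r = multiplicative_order(a, N)
        print(a, r, c_exponents(factors, a), shor_gcd(N, a, r), bbm_factors(N, a, r))
    print(shor_gcd(15, 14, 2), bbm_factors(15, 14, 2))   # all c_j equal: no split
    print(refine_coprime([[21, 5], [35, 3]]))            # two runs -> coprimes
    print(shor_failure_fraction(15))                     # 1/4, bound is 1/2
```

For $N = 105$ and $a = 2$ the exponents are $c = (1, 2, 0)$: Shor's gcd peels off $3 \cdot 7 = 21$ (the primes with $c_j < 2$) and leaves $5$, while the $a^{2^i d} \pm 1$ gcds return $7$, $3$, $5$ in one run. For $N = 15$ and $a = 14 \equiv -1$ both $c_j$ equal 1, and neither method splits; that is the failure mode whose probability slide 22 bounds.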
SLIDE 112
24
These methods use $> b$ qubits. Didn't we claim $b^{2/3 + o(1)}$ qubits? We actually use Grover's method to search for smooth $b^{2/3 + o(1)}$-bit numbers in NFS. Oracle for Grover's method: factor thoroughly enough to recognize smooth inputs. We tweak (improved) Shor to work in superposition. Careful with qubit budget for continued fractions, power detection, etc.
SLIDE 118
25
A different way to improve randomness of factorizations in Shor's algorithm: replace group $(\mathbb{Z}/N)^*$ with $E(\mathbb{Z}/N)$ for a random elliptic curve $E$. Gal Dor suggests unifying Grover+ECM with Shor: e.g., compute $esP$ on $E(\mathbb{Z}/N)$ where $e$ is superposition of scalars, $s$ is smooth scalar, $E$ is superposition of curves. Open: What are minimum costs for this unification?
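The elliptic-curve replacement on slide 25, reduced to its classical core as an added example (not code from the talk, and not Gal Dor's construction, which needs superpositions of $e$ and $E$): affine arithmetic on $y^2 = x^3 + ax + b$ over $\mathbb{Z}/N$, computing $sP$ for a smooth scalar $s$, where a denominator that is invertible modulo some primes of $N$ but not others exposes a factor, exactly as in ECM. The modulus $N = 15$, the curves $a \in \{1, 2\}$ with $b = 1$, the base point $P = (0, 1)$ (on every such curve) and the scalar $s = 12$ are constructed for the example. `point_order_mod` brute-forces the order of $P$ modulo each known prime so the reader can see the point the slide makes: the order of $P$, and its 2-adic part, change with the curve. For $a = 1$ the orders modulo 3 and 5 are 4 and 9, and computing $12P$ breaks down modulo 3 first, returning the factor 3; for $a = 2$ both orders are 7, and no smooth $s$ separates them.

```python
"""Added example: scalar multiplication on E(Z/N): y^2 = x^3 + a x + b, the
classical core of the slide-25 idea (no superpositions). N = 15, b = 1,
P = (0, 1), s = 12 and the curve parameters a are constructed inputs."""
from math import gcd


class FoundFactor(Exception):
    """A denominator was not invertible mod N; .factor is gcd(denominator, N)."""
    def __init__(self, factor):
        super().__init__(factor)
        self.factor = factor


def inv_mod(x, N):
    g = gcd(x % N, N)
    if g != 1:
        raise FoundFactor(g)      # g == N means 'no split'; the caller decides
    return pow(x, -1, N)


def ec_add(N, a, P, Q):
    """Affine addition on y^2 = x^3 + a x + b over Z/N; None is the point at
    infinity. b never enters the formulas. Over composite N a failed inversion
    is the ECM event we are looking for."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % N == 0:
        g = gcd((y1 + y2) % N, N)
        if g == N:
            return None           # Q = -P modulo every prime: result is infinity
        if g > 1:
            raise FoundFactor(g)  # Q = -P modulo some primes only: N splits
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, N) % N   # doubling
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, N) % N          # generic addition
    x3 = (lam * lam - x1 - x2) % N
    y3 = (lam * (x1 - x3) - y1) % N
    return (x3, y3)


def ec_mul(N, a, P, s):
    """Left-to-right double-and-add computing sP; may raise FoundFactor."""
    R = None
    for bit in bin(s)[2:]:
        R = ec_add(N, a, R, R)
        if bit == "1":
            R = ec_add(N, a, R, P)
    return R


def ecm_split(N, a, P, s):
    """Try to compute sP on E(Z/N). Return a nontrivial factor of N if the
    arithmetic breaks down modulo some but not all primes, else None."""
    try:
        ec_mul(N, a, P, s)
    except FoundFactor as f:
        return f.factor if 1 < f.factor < N else None
    return None


def point_order_mod(p, a, P):
    """Order of P in E(F_p) by repeated addition (p a small prime)."""
    n, R = 1, P
    while R is not None:
        R = ec_add(p, a, R, P)
        n += 1
    return n


def v2(x):
    """2-adic valuation of x > 0."""
    c = 0
    while x % 2 == 0:
        x //= 2
        c += 1
    return c


if __name__ == "__main__":
    N, P, s = 15, (0, 1), 12      # constructed modulus, base point, smooth scalar
    for a in (1, 2):              # two 'random' curves y^2 = x^3 + a x + 1
        orders = [point_order_mod(p, a, P) for p in (3, 5)]
        print(a, orders, [v2(n) for n in orders], ecm_split(N, a, P, s))
```

With $a = 1$ the intermediate point $6P$ reduces to a 2-torsion point modulo 3 but not modulo 5, so the doubling that would produce $12P$ has $\gcd(2y, 15) = 3$. Changing the curve changes the group orders modulo each prime independently of $a$'s behaviour in $(\mathbb{Z}/N)^*$, which is the extra source of randomness the slide proposes.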