Cracking RSA with Quantum Computing Max Ovsiankin May 9, 2018 Max - - PowerPoint PPT Presentation

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Cracking RSA with Quantum Computing

Max Ovsiankin May 9, 2018

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Outline

1

The Setting

2

Classical Computers

3

Quantum Computers

4

Shor’s Algorithm

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

The Setting

RSA is a commonly used set of algorithms that provides security when sending encrypted messages.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

The Setting

RSA is a commonly used set of algorithms that provides security when sending encrypted messages. Crucially, the security of RSA depends on the hardness of factoring a number N = pq, where p and q are large prime numbers (’secrecy’).

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

The Setting

RSA is a commonly used set of algorithms that provides security when sending encrypted messages. Crucially, the security of RSA depends on the hardness of factoring a number N = pq, where p and q are large prime numbers (’secrecy’).

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

The Setting

An assumption of RSA security (that follows from P = NP) is that prime numbers cannot be factored with a polynomial-time algorithm in the number of bits of N.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

The Setting

An assumption of RSA security (that follows from P = NP) is that prime numbers cannot be factored with a polynomial-time algorithm in the number of bits of N. Quantum computers are able to factor in polynomial time. This talk will focus on explaining how quantum algorithms work, building up to Shor’s famous algorithm for factoring.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What Computers Look Like

Equivalent to a circuit whose representation can be quickly computed:

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What Computers Look Like

We can think of a circuit as having n registers, each of which contain 0 or 1. A possible state of these n registers is an element

• f {0, 1}n (n-length bitstring). Then the action of a gate can be

described as a matrix of 0s and 1s.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What Computers Look Like: NOT gate

NOT gate: NOT(0) = 1 NOT(1) = 0

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What Computers Look Like: NOT gate

NOT gate: NOT(0) = 1 NOT(1) = 0 Let’s relabel 0 = 1

• , 1 =

1

• .

Elements of a 2-element vector space, as there are 2 possibilities for bits.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What Computers Look Like: NOT gate

NOT gate: NOT 1

• =

1

• NOT

1

• =

1

• This strongly suggests we can consider it as a matrix:

NOT = 1 1

• Max Ovsiankin

Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What Computers Look Like: AND gate

AND gate: AND (0, 0) = 0 AND (0, 1) = 0 AND (1, 0) = 0 AND (1, 1) = 1

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What Computers Look Like: AND gate

For two input bits, there are 4 = 22 possible states. (0, 0) = |00 = |0 ⊗ |0 (0, 1) = |01 = |0 ⊗ |1 (1, 0) = |10 = |1 ⊗ |0 (0, 1) = |11 = |1 ⊗ |1

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What Computers Look Like: AND gate

AND (|00) = |0 AND (|01) = |0 AND (|10) = |0 AND (|11) = |1

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What Computers Look Like: AND gate

AND (1 |00 + 0 |01 + 0 |10 + 0 |11) = 1 |0 + 0 |1 AND (0 |00 + 1 |01 + 0 |10 + 0 |11) = 1 |0 + 0 |1 AND (0 |00 + 0 |01 + 1 |10 + 0 |11) = 1 |0 + 0 |1 AND (0 |00 + 0 |01 + 0 |10 + 1 |11) = 0 |0 + 1 |1

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What Computers Look Like: AND gate

1 1 1 1

• (1 |00 + 0 |01 + 0 |10 + 0 |11) = 1 |0 + 0 |1

1 1 1 1

• (0 |00 + 1 |01 + 0 |10 + 0 |11) = 1 |0 + 0 |1

1 1 1 1

• (0 |00 + 0 |01 + 1 |10 + 0 |11) = 1 |0 + 0 |1

1 1 1 1

• (0 |00 + 0 |01 + 0 |10 + 1 |11) = 0 |0 + 1 |1

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What Computers Look Like: AND gate

Okay, we have a vector space now. What about linear combinations? 1 1 1 1 1 2 |00 + 0 |01 + 1 4 |10 + 1 4 |11

• = ???

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What changes for Quantum?

The state of an n-bit classical computer is a vector in R2n with

• nly one coefficient nonzero. (we already saw this in explaining

classical computers)

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What changes for Quantum?

The state of an n-bit classical computer is a vector in R2n with

• nly one coefficient nonzero. (we already saw this in explaining

classical computers) The state of an n-qubit quantum computer is a vector in C2n that is normalized (this reflects the underlying quantum property of superposition): a0 |00 + a1 |01 + a2 |10 + a3 |11 with ai ∈ C and n−1

i=0 |ai|2 = 1 (unit vectors)

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What changes for Quantum?

The operation we perform on a n-qubit ‘register’ is to measure it.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What changes for Quantum?

The operation we perform on a n-qubit ‘register’ is to measure it. a0 |00 + a1 |01 + a2 |10 + a3 |11

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

What changes for Quantum?

The operation we perform on a n-qubit ‘register’ is to measure it. a0 |00 + a1 |01 + a2 |10 + a3 |11 This produces |00 with probability |a0|2, |01 with probability |a1|2, etc.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Quantum Gates

Our quantum gates now take unit complex vectors to unit complex vectors (they are exactly the unitary matrices)!

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Quantum Gates

Our quantum gates now take unit complex vectors to unit complex vectors (they are exactly the unitary matrices)! Hadmard 1 √ 2 1 1 1 −1

• Max Ovsiankin

Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Quantum Gates

Our quantum gates now take unit complex vectors to unit complex vectors (they are exactly the unitary matrices)! Hadmard 1 √ 2 1 1 1 −1

• c-NOT

    1 1 1 1    

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Quantum Gates

Our quantum gates now take unit complex vectors to unit complex vectors (they are exactly the unitary matrices)! Hadmard 1 √ 2 1 1 1 −1

• c-NOT

    1 1 1 1     Phase Rotation 1 ei π

4

• Max Ovsiankin

Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Comparison to Classical

NOT (1 |0 + 0 |1) = 0 |0 + 1 |1 NOT (0 |0 + 1 |1) = 1 |0 + 0 |1

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Comparison to Classical

1 1

• (1 |0 + 0 |1) = 1 |0 + 0 |1

1 1

• (0 |0 + 1 |1) = 0 |0 + 1 |1

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Comparison to Classical

Superposition! 1 1 1 √ 2 |0 + 1 √ 2 |1

• =

1 √ 2 (|0 + |1) Like applying the gate twice ‘at the same time’!

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

c-NOT

Want a gate to ‘conditionally’ apply its effect. Control bit controls whether gate act, and the gate acts on the second bit.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

    1 1 1 1     (|0 ⊗ |0) = |0 ⊗ |0     1 1 1 1     (|0 ⊗ |1) = |0 ⊗ |1

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

    1 1 1 1     (|1 ⊗ |0) = |1 ⊗ |1     1 1 1 1     (|1 ⊗ |1) = |1 ⊗ |0

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation

Phase-estimate Input: ω ∈ [0, 1] unknown. We get a state of the form |ψ = 1 √ 2

n 2n−1

• i=0

e2πiωy |y Output: An estimate of ω.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation

Phase-estimate Input: ω ∈ [0, 1] unknown. We get a state of the form |ψ = 1 √ 2

n 2n−1

• i=0

e2πiωy |y Output: An estimate of ω. What does the output even look like? Need to approximate ω with n bits when measured.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation

Phase-estimate Input: ω ∈ [0, 1] unknown. We get a state of the form |ψ = 1 √ 2

n 2n−1

• i=0

e2πiωy |y Output: An estimate of ω = 0.x1x2 . . . xn = x

2n for

x ∈ {0, 1, 2, . . . , 2n − 1}

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation

It turns out 1 √ 2

n 2n−1

• i=0

e2πiωy |y = 1 √ 2

n

• |0 + e2πi0.xn |1
• ⊗
• |0 + e2πi0.xn−1xn |1
• ⊗ . . .

⊗

• |0 + e2πi0.x2x3...xn−1 |1
• ⊗
• |0 + e2πi0.x1x2...xn |1
• Max Ovsiankin

Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation

It turns out 1 √ 2

n 2n−1

• i=0

e2πiωy |y = 1 √ 2

n

• |0 + e2πi0.xn |1
• ⊗
• |0 + e2πi0.xn−1xn |1
• ⊗ . . .

⊗

• |0 + e2πi0.x2x3...xn−1 |1
• ⊗
• |0 + e2πi0.x1x2...xn |1
• Idea: ‘pull’ xi out one by one, then remove them from the

remaining bits.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation

Implementation (we will examine what happens):

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation

H = 1 √ 2 1 1 1 −1

• Looking at

H 1 √ 2 (|0 + e2πi(0.x2) |1) = H 1 √ 2 (|0 + (−1)x2 |1) = |x2

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation

H = 1 √ 2 1 1 1 −1

• Looking at

H 1 √ 2 (|0 + e2πi(0.x2) |1) = H 1 √ 2 (|0 + (−1)x2 |1) = |x2 So H ‘pulls’ x2 out for us, into a qbit!

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation

We have |x2 after the first H, and we want to ‘eliminate’ it from the 2nd qubit:

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation

R−1

2

= 1 e−2πi(0.01)

• R2 only rotates the phase on |1.

Action when x2 = 1: R−1

2

1 √ 2 (|0 + e2πi(0.x11) |1) = 1 √ 2 (|0 + e2πi(0.x10) |1)

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation

R−1

2

= 1 e−2πi(0.01)

• R2 only rotates the phase on |1.

Action when x2 = 1: R−1

2

1 √ 2 (|0 + e2πi(0.x11) |1) = 1 √ 2 (|0 + e2πi(0.x10) |1) So we want to perform R−1

2

• nly when x2 = 1! So we use c-R−1

2

instead.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation

We are finished!

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation technicalities

This analysis is really incomplete: We only saw the action ω = 0.x1x2. What if ω is actually like 2/3, and cannot be written as x/2n?

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation technicalities

This analysis is really incomplete: We only saw the action ω = 0.x1x2. What if ω is actually like 2/3, and cannot be written as x/2n? Circuit gets more and more complicated for more qubits, but follows the same idea of ‘pulling’ then repeatedly eliminating.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation backwards: QFT

When ω ≈ 0.x1x2, . . . xn, phase estimation now gives us 1 √ 2

n 2n−1

• i=0

e2πiωy |y → |x1x2 . . . xn With high probability.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation backwards: QFT

When ω ≈ 0.x1x2, . . . xn, phase estimation now gives us 1 √ 2

n 2n−1

• i=0

e2πiωy |y → |x1x2 . . . xn With high probability. If we just reverse the circuit, we get |x1x2 . . . xn → 1 √ 2

n 2n−1

• i=0

e2πiωy |y

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Phase estimation backwards: QFT

When ω ≈ 0.x1x2, . . . xn, phase estimation now gives us 1 √ 2

n 2n−1

• i=0

e2πiωy |y → |x1x2 . . . xn With high probability. If we just reverse the circuit, we get |x1x2 . . . xn → 1 √ 2

n 2n−1

• i=0

e2πiωy |y This replicates the behavior of the discrete fourier transform in a quantum implementation, hence QFT. Phase estimation is called “QFT−1”.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Back to factoring

Factor Input: N = pq Output: A factor of N, which is either p or q.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Back to factoring

Factor Input: N = pq Output: A factor of N, which is either p or q. It turns out this reduces (probabilistically) to a problem called Order-find (if we have a fast algorithm for Order-find, we can use it as a black box to implement Factor)

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Back to factoring

Factor Input: N = pq Output: A factor of N, which is either p or q. It turns out this reduces (probabilistically) to a problem called Order-find (if we have a fast algorithm for Order-find, we can use it as a black box to implement Factor) The idea of reductions is very common in computer science, we write Factor → Order-find

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Order finding

Order-find Input: a, N with gcd(a, N) = 1. Output: Minimum r such that ar = 1 (mod N)

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Order finding

Order-find Input: a, N with gcd(a, N) = 1. Output: Minimum r such that ar = 1 (mod N) How come Factor → Order-find?

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Factor → Order-find?

We can pick elements a ∈ {0, . . . N − 1} randomly.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Factor → Order-find?

We can pick elements a ∈ {0, . . . N − 1} randomly. Checking that gcd(a, N) = 1 is really quick to do classically (Euclid GCD algorithm).

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Factor → Order-find?

We can pick elements a ∈ {0, . . . N − 1} randomly. Checking that gcd(a, N) = 1 is really quick to do classically (Euclid GCD algorithm). If the order of a is even, then we’ve lucked out!

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Factor → Order-find?

We can pick elements a ∈ {0, . . . N − 1} randomly. Checking that gcd(a, N) = 1 is really quick to do classically (Euclid GCD algorithm). If the order of a is even, then we’ve lucked out! ar ≡ 1 (mod N) (ar/2)2 − 1 ≡ 0 (mod N) (ar/2 + 1)(ar/2 − 1) ≡ 0 (mod N)

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Factor → Order-find?

We can pick elements a ∈ {0, . . . N − 1} randomly. Checking that gcd(a, N) = 1 is really quick to do classically (Euclid GCD algorithm). If the order of a is even, then we’ve lucked out! ar ≡ 1 (mod N) (ar/2)2 − 1 ≡ 0 (mod N) (ar/2 + 1)(ar/2 − 1) ≡ 0 (mod N) We’ve just factorized N! ar/2 + 1 and ar/2 − 1 are almost always nontrivial (meaning not 1 and N) factors.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Order-find → Eigenvalue-estimate

How can we get r, the order, from a quantum algorithm?

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Order-find → Eigenvalue-estimate

How can we get r, the order, from a quantum algorithm? Consider Ua : |s → |sa (mod N)

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Order-find → Eigenvalue-estimate

How can we get r, the order, from a quantum algorithm? Consider Ua : |s → |sa (mod N) Ur

a : |s → |sar (mod N) = |s

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Order-find → Eigenvalue-estimate

How can we get r, the order, from a quantum algorithm? Consider Ua : |s → |sa (mod N) Ur

a : |s → |sar (mod N) = |s

So Ur

a = I!

This means its eigenvalues are all rth roots of unity, i.e. complex numbers of the form e2πik/r, k ∈ {0, . . . , r − 1}

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Order-find → Eigenvalue-estimate

For an eigenvector of Ua, |ψ Ua |ψ = e2πik/r |ψ

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Order-find → Eigenvalue-estimate

For an eigenvector of Ua, |ψ Ua |ψ = e2πik/r |ψ Modulo some details (k, ψ), we already have a way to estimate ω = k/r from phases!!

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Eigenvalue estimation

Eigenvalue-estimate Input: A unitary operator U implemented in quantum gates, and an eigenvector |ψ Output: ω such that U |ψ = e2πiω |ψ

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Eigenvalue estimation

Eigenvalue-estimate Input: A unitary operator U implemented in quantum gates, and an eigenvector |ψ Output: ω such that U |ψ = e2πiω |ψ (as before, estimated as ω = x

2n with x ∈ {0, . . . , 2n − 1}

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Eigenvalue estimation

Eigenvalue-estimate Input: A unitary operator U implemented in quantum gates, and an eigenvector |ψ Output: ω such that U |ψ = e2πiω |ψ (as before, estimated as ω = x

2n with x ∈ {0, . . . , 2n − 1}

Idea: Apply U repeatedly, so we get a quantum state where we can estimate ω from our phase estimation algorithm

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Eigenvalue estimation implementation

U |ψ = e2πi0.x1...xn |ψ

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Eigenvalue estimation implementation

U |ψ = e2πi0.x1...xn |ψ U2 |ψ = (e2πi0.x1...xn)2 |ψ = e2πix1.x2...xn−1 |ψ = e2πi0.x2...xn−1 |ψ

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Eigenvalue estimation implementation

U |ψ = e2πi0.x1...xn |ψ U2 |ψ = (e2πi0.x1...xn)2 |ψ = e2πix1.x2...xn−1 |ψ = e2πi0.x2...xn−1 |ψ U2j |ψ = e2πi0.xj...xn−j |ψ

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Eigenvalue estimation implementation

U |ψ = e2πi0.x1...xn |ψ U2 |ψ = (e2πi0.x1...xn)2 |ψ = e2πix1.x2...xn−1 |ψ = e2πi0.x2...xn−1 |ψ U2j |ψ = e2πi0.xj...xn−j |ψ So we can use c-U2j to get the individual qu-bits in the state we want for eigenvalue estimation.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Eigenvalue estimation implementation

So here is our way to ‘set up’ the states for estimation:

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Eigenvalue estimation implementation

It turns out QFT sets up 0 states to |0+|1

2

, so here is our entire diagram (including actually doing phase estimation):

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Shor’s ‘entire’ algorithm

We have talked about a way to implement Shor’s algorithm (ignoring crucial details like time complexity and correctness): Factor → Order-find → Eigenvalue-estimate → Phase-estimate

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Implications

Factoring numbers quickly breaks security assumptions of RSA.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Implications

Factoring numbers quickly breaks security assumptions of RSA. This isn’t a huge deal yet. The largest number factored with Shor’s algorithm is 21, RSA numbers are on the order of 21024.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

Implications

Factoring numbers quickly breaks security assumptions of RSA. This isn’t a huge deal yet. The largest number factored with Shor’s algorithm is 21, RSA numbers are on the order of 21024. But be careful what you tell people about in 20 years.

Max Ovsiankin Cracking RSA with Quantum Computing

The Setting Classical Computers Quantum Computers Shor’s Algorithm

End

Thank you! Diagrams and much of material from ‘An Introduction to Quantum Computing’, Kaye, Laflamme, Mosca

Max Ovsiankin Cracking RSA with Quantum Computing