Quantum algorithms for factoring and Post-Quantum RSA

(1)

MSc Mathematics

Master Thesis

Quantum algorithms for factoring and

Post-Quantum RSA

Author: Daily supervisor:

Casper Gyurik

prof. dr. Ronald de Wolf

Examination date: Examiner:

(2)

Abstract

Post-Quantum RSA is a variation of RSA, proposed by Bernstein et al. [4], that is supposed to better withstand attacks by a quantum computer compared to RSA as used today. This thesis investigates the security of Post-Quantum RSA in the presence of large-scale quantum computers. Particularly, we try to break Post-Quantum RSA by attempting to find a quantum algorithm that finds a non-trivial factor of an n-bit Post-Quantum RSA modulus in eO(n2−) steps, for some ∈ (0, 1). First, we try to speed up Shor’s algorithm by using elements of relatively low multiplicative order. Afterwards, we consider a unification of Lenstra’s elliptic curve factorization method (ECM) and Shor’s order-finding algorithm. Finally, we discuss how to speed up Shor’s algorithm when you have a certain number of processors at your disposal, that can perform either classical or quantum operations in parallel. Unfortunately, none of these approaches result in a quantum algorithm that finds a non-trivial factor of an n-bit Post-Quantum RSA modulus in eO(n2−) steps, for some ∈ (0, 1). However, we do show that if N has only small prime power divisors and ϕ(N ) = # (Z/N Z)∗ has a rather large smooth factor, then we can speed up Shor’s algorithm by adding a classical precomputation step. Moreover, in some cases this classical precomputation step can also be used to speed up the unification of Lenstra’s ECM and Shor’s order-finding algorithm.

Title: Quantum algorithms for factoring and Post-Quantum RSA Author: Casper Gyurik, cgyurik@gmail.com, 10334149

Daily supervisor: prof. dr. Ronald de Wolf Examiner: dr. Michael Walter

Second Examiner: dr. M¯aris Ozols Examination date: August 31, 2018

Korteweg-de Vries Institute for Mathematics University of Amsterdam

Science Park 105-107, 1098 XG Amsterdam http://kdvi.uva.nl

Centrum voor Wiskunde en Informatica Science Park 123, 1098 XG Amsterdam http://www.cwi.nl

(3)

1 Introduction

All of the computers we use today perform their computations based on classical physics. That is, they use bits and logical gates to perform their computations. However, the promise of a so-called quantum computer seems to be within reach. In contrast to to-day’s computers, a quantum computer performs its computations by exploiting quantum-mechanical principles. An important objective of quantum computation, the field that investigates the computational power of quantum computers, is to find quantum algo-rithms that outperform any classical algorithm solving the same problem. It has already been shown that large-scale quantum computers can solve factoring and the discrete-logarithm problem in polynomial time, which is exponentially faster than the currently best known classical algorithm for these problems.

There is an interesting interplay between the field of quantum computation and the field of cryptography. On the one hand, because quantum computers can solve some important problems far more efficiently than classical computers currently are able to, the security of most so-called public-key cryptosystems used today will be broken. On the other hand, one can exploit quantum-mechanical principles in order to perform cryptographic tasks, leading for example to cryptographic systems that are unbreakable even for quantum computers.

In Section 1.1, we give a brief introduction to public-key cryptography and the RSA cryptosystem. Subsequently, in Section 1.2, we give a brief introduction to the principles of quantum mechanics upon which quantum computers are based and we briefly discuss two quantum algorithms that are faster than any (known) classical algorithm solving the same problem. Finally, in Section 1.3, we further explore the interplay between quantum computing and cryptography, at the end of which we give an overview of the contents of this thesis.

1.1 Public-key cryptography

In today’s digital world, cryptographic systems are used for many important tasks. For instance, they are used to securely perform online banking and to protect our medical data. Among the currently used cryptographic systems, many are so-called public-key cryptosystems. In this section, we discuss the idea behind public-key cryptosystems and we consider a particular public-key cryptosystem called RSA.

Suppose Alice wants to send a message to Bob over a public channel, without allowing an eavesdropper Eve to get any information about the message from tapping the channel. To do so using a public-key cryptosystem, Bob generates a public key and a private key, and he publishes his public key but keeps the private key to himself. With this public

(6)

cryptosystems is that, when using a large enough key, an eavesdropper Eve should only be able to decrypt a ciphertext if she knows the private key. To achieve this, public-key cryptosystems often rely on mathematical problems and computational hardness assumptions. That is, public-key cryptosystems are designed in such a way that to decrypt a ciphertext you have to solve a problem that is assumed to be too hard to solve in a reasonable amount of time without knowing the private key. However, if you do know the private key, then you should be able to efficiently solve this problem and thus decrypt the ciphertext.

An example of a widely-used public-key cryptosystem is the RSA cryptosystem, named after the initials of the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who were the first to publicly describe the algorithm in 1978 [17]. The public key used by RSA is a pair of integers (e, N ), where N is an n-bit integer that is the product of two equally-sized prime numbers, and e is some auxiliary value. To encrypt a message with this public key and to decrypt a ciphertext with the corresponding private key, the user has to perform a modular exponentiation modulo N . This modular exponentiation can be performed in eO(n2) steps using the Sch¨onhage-Strassen algorithm for multiplication [19] and the square-and-multiply method for exponentiation. Currently, the best-known method to decrypt a ciphertext without knowing the private key involves finding the prime factors of the integer N in the public key. The best-known classical algorithm for factoring large n-bit integers has an expected running time of roughly 2n1/3 [13]. Since this expected running time is subexponential in n, whereas the usage cost of RSA is only quadratic in n, we can create a large gap between the usage cost of RSA and the cost of decrypting a ciphertext without knowing the private key, by making our key size n sufficiently large. It is because of this ability to create a gap between the usage cost and attack cost that the security of RSA is said to be based upon the computational hardness of factoring. For more details on the key generation, encryption, decryption and security of RSA we refer to Section 2.1 and Section 2.2.

As mentioned before, it has already been shown that large-scale quantum comput-ers can solve factoring and the discrete-logarithm problem in polynomial time, which is exponentially faster than the best-known classical algorithm for these problems. Be-cause almost all of the currently employed public-key cryptosystems are either based on factoring or the discrete-logarithm problem, these systems can all be broken if a scalable quantum computer is built. In Section 1.3, we will briefly discuss the field of post-quantum cryptography which aims to design new public-key cryptosystems based on mathematical problems which are believed to be hard even for quantum computers.

1.2 Quantum computation

In this section we give a very brief introduction to the field of quantum computation, which investigates the computational power of quantum computers. In Section 1.2.1, we give a brief introduction to the quantum-mechanical principles upon which quantum computers are based. Afterwards, in Section 1.2.2, we briefly mention two quantum algorithms that significantly outperform their (best-known) classical counterpart.

(7)

1.2.1 Quantum mechanics

As mentioned before, quantum computers perform their computations based on quantum-mechanical principles. Their unit of information is called a qubit, which can be in a so-called superposition of classical states. In order to perform computations with these qubits, we can either apply a measurement or a unitary operation to them. We now briefly introduce each of these quantum-mechanical principles.

Qubits and superposition

In classical computation the unit of information is a bit, in quantum computation the unit of information is called a qubit. A bit is either in the state 0 or 1, whereas a qubit can be in a superposition of two states. Intuitively, by a superposition of two states we mean that a qubit is in two states at the same time. Formally, a qubit is a unit vector

|ψi = α |0i + β |1i ∈ C2_.

|ψi = X

i∈{0,1}k

αi|ii ∈ C2

⊗k

' C2k.

Again, we can view |ψi as being in the state |ii with amplitude αi.

Measurements

There are multiple ways to perform measurements on quantum states. In this thesis we will only be concerned with measurements with respect to a basis. When we measure our qubit α |0i + β |1i in the so-called computational basis {|0i , |1i}, we get outcome 0 with probability |α|2 and outcome 1 with probability |β2|. Since |α|2_{+ |β|}2 _{= 1, this indeed}

correctly defines a probability distribution.

Formally, when measuring a k-qubit state |ψi = P

i∈{0,1}kαi|ii in an orthonormal

basis of C2k given by B = {|φii | i ∈ {0, 1}k}, we get that the outcome is distributed as

Pr|ψi(outcome of measurement is i) = k |φii hφi| |ψi k2.

Moreover, if the outcome of the measurement is i, then our state |ψi collapses to the state |φii. That is, after applying the measurement to our system in the state |ψi and

receiving outcome i, our system will be in the state |φii.

Unitary evolution

Besides measuring our qubits, we can also apply operations to them. The postulates of quantum mechanics only allow linear operations to be applied to quantum states.

(8)

Moreover, since measuring the resulting quantum state should also give a probabil-ity distribution, we are only allowed to apply norm-preserving operations. These two constraints imply that the operation must be a unitary transformation. A unitary trans-formation is a linear transtrans-formation U that is norm-preserving, or equivalently a linear transformation that satisfies U∗ = U−1.

We can view a quantum algorithm as a combination of measurements and unitaries being applied in succession to some quantum state. The cost of a quantum algorithm is usually expressed in the number of so-called elementary gates required to imple-ment the quantum algorithm. Here a gate is a unitary that acts on a small number of qubits. Examples of single-qubit elementary gates are the Hadamard (H), bit-flip (X) and phase (Z) gates, which are expressed by the following unitary matrices

H = √1 2 1 1 1 −1 , X =0 1 1 0 , Z =1 0 0 −1 ,

An example of an elementary two-qubit gate is the controlled-not (CN OT ) gate

CN OT =     1 0 0 0 0 1 0 0 0 0 0 1 0 0 1 0     . 1.2.2 Quantum speedups

In this section we briefly mention two famous quantum algorithms. We first mention Grover’s search algorithm, which searches an unordered database quadratically faster than any classical algorithm. Afterwards, we mention Shor’s algorithm, which solves the factoring and discrete-logarithm problem exponentially faster than the currently best known classical algorithm.

Grover’s search algorithm

Suppose we are given some x ∈ {0, 1}N and our goal is to find an i such that xi = 1.

We can view this problem as a simplification of the problem of searching an unordered database of size N . The cost of this search problem is measured by the number of queries the algorithm requires, i.e., the number of times we check whether some xi is 0 or 1.

In 1996, Lov Grover showed that a quantum computer can solve this search problem in O(√N ) queries [7]. One can show that any classical randomized algorithm would need Θ(N ) queries to solve the same search problem. The idea behind Grover’s search algorithm is that a quantum computer can query the database “in superposition” and amplify the amplitudes of the states |ii that correspond to the i with xi = 1.

Shor’s algorithm

In 1994, Peter Shor published a paper in which he describes a polynomial-time quan-tum algorithm for the factoring and discrete logarithm problem [21]. This algorithm is

(9)

exponentially faster than the currently best-known classical algorithm for these prob-lems. The main high-level idea of Shor’s algorithm is to reduce both the factoring and discrete logarithm problem to the problem of period finding, which as Shor shows can be efficiently solved using a quantum computer by exploiting the power of the so-called quantum Fourier transform. Here “reduced” means that an efficient algorithm for the problem of period-finding implies an efficient algorithm for factoring and the discrete logarithm problem. For more details on Shor’s algorithm we refer to Section 3.1.

1.3 Interplay between quantum computing and

cryptography

The development of quantum algorithms and quantum computers threatens the security of most public-key cryptosystems used today. However, this development has also led to new opportunities for cryptography where one exploits quantum-mechanical principles in order to perform cryptographic tasks. In this section, we briefly discuss how to remedy this threat of quantum algorithms and quantum computers to cryptography.

We begin with briefly discussing the field of quantum cryptography. Quantum cryptog-raphy is the art and science of exploiting the quantum-mechanical principles discussed in Section 1.2 in order to perform cryptographic tasks. The most well-known example of this discipline is quantum key distribution (QKD). Quantum key distribution enables two parties to produce a shared random secret key. A famous example of a QKD protocol is the BB84 protocol by Charles Bennett and Gilles Brassard [2]. This protocol was the first to show how quantum mechanical principles, such as the collapsing of a quantum state after a measurement, could be used for an information-theoretically secure key agreement protocol. Here “information-theoretically secure” means that an eavesdrop-per learns no information about the key at all from tapping the public channel over which the key is being established, no matter how much computational power this eavesdropper has. When only allowing classical communication, such an information-theoretically se-cure protocol is excluded by an impossibility result by Claude Shannon [20]. Sometimes QKD is equated with quantum cryptography, as it is the most well-known example of quantum cryptography. However, there exist many other uses of quantum-mechanical principles in cryptography, a great survey of which is given by Anne Broadbent and Christian Schaffner [18].

Next, we discuss the field of post-quantum cryptography. Almost all public-key cryp-tosystems used today are either based on the factoring or the discrete logarithm problem. Therefore, all these systems can be broken using Shor’s algorithm. Post-quantum cryp-tography searches for new public-key cryptosystems based on mathematical problems which are believed to be hard even for quantum computers. As part of this, the US National Institute for Standards in Technology (NIST) has initiated a competition to determine new standards for such quantum-resistant public-key cryptosystems. Some of the main contenders in this competition are lattice-based cryptography, supersingular elliptic curve isogeny cryptography and multivariate cryptography.

(10)

so-called Post-Quantum RSA cryptosystem by Daniel Bernstein et al. [4]. As discussed in Section 1.1, RSA as used today has a usage cost that is roughly quadratic in the size of the key. Since the attack cost of RSA with Shor’s algorithm is also roughly quadratic in the size of the key, the RSA cryptosystem as used today will have no security in the presence of large-scale quantum computers. However, Bernstein et al. show that by letting the integer N in the public key be the product of many equally-sized primes instead of two, one can achieve a usage cost of an n-bit key that is essentially linear in n. This again creates a gap between the usage cost and the attack cost, namely, for Post-Quantum RSA the attack cost is essentially quadratic in the usage cost. Nevertheless, this gap is only quadratic, whereas the pre-quantum gap was exponential, forcing the user of Post-Quantum RSA to use rather large keys.

In this thesis, we investigate the security of Post-Quantum RSA. First, in Chapter 2, we discuss the Post-Quantum RSA cryptosystem in more detail. Afterwards, we try several attempts at finding an attack that reduces the exponent 2 in the relation be-tween the attack cost and the usage cost. That is, we try several attempts at finding a quantum algorithm that factors an n-bit Post-Quantum RSA modulus in eO(n2−) steps, for some ∈ (0, 1). Here f (n) ∈ eO(g(n)) is shorthand for: there exists a k ≥ 0 such that f (n) ∈ O(g(n) logk(g(n))).

In Chapter 3, we try to speed up Shor’s algorithm. In Lemma 3.2, we show that by using elements x ∈ (Z/N Z)∗ of sufficiently low order, we can speed up Shor’s algorithm. We try adding a classical precomputation step to construct elements of sufficiently low order in Section 3.2.1. We show in Corollary 3.6 that such a classical precomputation step works for Post-Quantum RSA keys N for which ϕ(N ) has a large smooth factor.

Subsequently, in Chapter 4, we try to speed up Lenstra’s elliptic curve factorization method (ECM) using quantum techniques. In Section 4.3, we discuss a new algorithm for factoring that unifies Lenstra’s ECM and Shor’s order-finding algorithm. That is, we discuss a quantum algorithm that finds a non-trivial factor of an integer N by finding the order of an element in a group consisting of points on an elliptic curve over (Z/N Z). In general, this algorithm will not be faster than the usual version of Shor’s algorithm. However, there is a possible advantage here that for each N we can try multiple different elliptic curves over (Z/N Z) to try and find one for which the corresponding order-finding problem can be solved more efficiently, for example by adding a classical precomputation step as described in Section 3.2.1.

Lastly, in Chapter 5, we discuss the security of the Post-Quantum RSA cryptosystem in the special case where the adversary has a certain number of processors as his dis-posal. In particular, we discuss a parallelization of Shor’s algorithm. The bottleneck of this parallel version of Shor’s algorithm remains the modular exponentiation step. In Section 5.2, we discuss a parallelization of the Sch¨onhage-Strassen algorithm for multi-plying large integers. With this parallelization of the Sch¨onhage-Strassen algorithm, we can perform the modular exponentiation step using P ≤ n log n log log n processors in O(n2(log n)2log log n/P ) steps. Here we assume that each processor can at each time step perform any operation on any set of qubits/bits.

Unfortunately, none of our attempts resulted in a quantum algorithm that factors an n-bit integer in eO(n2−) steps, for some ∈ (0, 1). Even in the special case where the

(11)

number we wish to factor is an n-bit Post-Quantum RSA modulus, we were unable to find a quantum algorithm that does so in eO(n2−) steps. However, in Corollary 3.6, we do show that if N has only small prime power divisors and ϕ(N ) = # (Z/N Z)∗ has a rather large smooth factor, then we can speed up Shor’s algorithm by adding a classical precomputation step. Moreover, in some cases this classical precomputation step can also be used to speed up the unification of Lenstra’s ECM and Shor’s algorithm.

(12)

2 Post-Quantum RSA

In this chapter we discuss a variant of RSA called Post-Quantum RSA, which was pro-posed by Bernstein, Heninger, Lou and Valenta [4]. RSA is a public-key cryptosystem whose security is based on the hardness of factoring. Whenever scalable quantum com-puters will be realized, Shor’s algorithm (a quantum algorithm for factoring) will break the variant of RSA that is used today. However, as Bernstein et al. show, it turns out that one can still modify RSA to obtain a cryptosystem where the cost for the attacker is essentially quadratic in the cost for the user.

This quadratic gap is far from the exponential gap that RSA presently has. The use of Post-Quantum RSA would therefore require much bigger key sizes than before. However, the advantage of Post-Quantum RSA is that switching to Post-Quantum RSA will be less difficult than switching to other post-quantum cryptography alternatives, since RSA is already widely used today.

In Section 2.1, we discuss the basic operations of RSA and touch upon the adjustments made by Post-Quantum RSA. Afterwards, in Section 2.2, we discuss the best-known attacks on RSA. Finally, in Section 2.3, we derive the parameters of Post-Quantum RSA and we discuss the security of the resulting cryptosystem.

2.1 The RSA cryptosystem

In this section we discuss the RSA cryptosystem. We begin by giving a recap of the basic operations of RSA. Afterwards, we discuss a technique for speeding up RSA that is fundamental for Post-Quantum RSA, namely the use of a k-prime modulus.

The RSA cryptosystem is a public-key cryptosystem that can be used to securely send messages over a public channel. It uses two different keys, one to encrypt messages and one to decrypt ciphertexts. The encryption key is public (i.e., everybody has access to it) and is called the public key. The decryption key is private (i.e., only the person that is supposed to receive the message has access to it) and is called the private key.

The public key used in RSA is represented by a tuple (e, N ), consisting of a large composite integer N (called the modulus) and some integer e in (Z/ϕ(N )Z)∗, where ϕ(N ) = # (Z/N Z)∗ denotes the Euler totient. The corresponding private key is rep-resented by the unique integer d in (Z/ϕ(N )Z)∗ that satisfies the equation ed ≡ 1 mod ϕ(N ). They are generated as follows:

RSA key generation

1. Choose at random two distinct prime numbers p and q of equal size. 2. Compute N = pq and ϕ(N ) = (p − 1)(q − 1).

(13)

3. Choose at random an integer e ∈ (Z/ϕ(N )Z)∗.

4. Solve de ≡ 1 mod ϕ(N ) for d, using the extended Euclidean algorithm.

In order to encrypt a message using RSA, we must first turn our message into some integer m in (Z/N Z)∗. A common way of doing this is using “Optimal asymmetric encryption padding” [1]. After we have turned our message into an integer m, we can encrypt and decrypt it as follows:

RSA encryption and decryption

Encrypt_{(e,N )}(m) ≡ me mod N, Decrypt_{d,(e,N )}(c) ≡ cd mod N.

To see that this correctly defines a cryptosystem, i.e., that for all messages m in (Z/N Z)∗ we have that Decrypt(Encrypt(m)) = m, we derive that

Decrypt(Encrypt(m)) ≡ med ≡ m1+`·ϕ(N ) ≡ m ·mϕ(N ) `

≡ m · 1`≡ m mod N. The second equality follows from the fact that ed ≡ 1 mod ϕ(N ), and the fourth equality follows from Euler’s theorem, which states that xϕ(N )≡ 1 mod N for all x ∈ (Z/NZ)∗.

2.1.1 Using a k-prime modulus and the cost of decryption

One way to modify RSA is by letting the modulus be the product of k ≥ 3 distinct primes of equal size. We call such a modulus a k-prime modulus. The use of a k-prime modulus, for suitable k, lies at the heart of Post-Quantum RSA.

The reason for using a k-prime modulus is that it allows the user to more effi-ciently decrypt ciphertexts. To demonstrate this, consider an n-bit k-prime modulus N = p1· · · pk, where the pi are distinct distinct primes of size p. Suppose we fix the

size of N but not the number of prime factors k. When decrypting a ciphertext using RSA, one wants to compute cd mod N , for some c ∈ (Z/N Z)∗and d ∈ (Z/ϕ(N )Z)∗. An efficient way to do this is to first compute cd mod (pi−1) _{mod p}

i, for i = 1, . . . , k, and then

combine them into cd _{mod N by applying the Chinese remainder theorem. Applying}

the Chinese remainder theorem like that can be done in O(n(log n)2) = eO(n) steps [3]. Moreover, using the square-and-multiply method together with the Sch¨onhage-Strassen algorithm, we can perform the modular exponentiations modulo pi in

O k · (log p)2(log log p)(log log log p) =Oe k ·n k 2 = eO n 2 k steps.

Thus, by increasing the number of prime factors in our modulus, we save on the time required to decrypt a message.

(14)

2.2 Attacks against RSA

The security of RSA is determined by the gap between the cost of key generation, encryption and decryption (the usage cost ) and the cost of successfully decrypting a ciphertext without knowledge of the private key (the attack cost ). In this section we discuss the attack cost of RSA. First, we show that you can attack RSA by factoring the modulus. Afterwards, we discuss the two top threats to RSA, namely Shor’s algorithm and GEECM (Grover plus ECM using Edwards curves).

2.2.1 Factoring and the RSA problem

In the case of RSA, the attack cost is determined by the difficulty of solving the RSA problem, which can be formally stated as follows.

The RSA problem.

Input: An RSA public key (e, N ) and ciphertext c ∈ (Z/N Z)∗.

Goal: Find the corresponding message, i.e., find m such that me≡ c mod N . Currently, the best-known attacks against RSA are algorithms for the factoring problem. The factoring problem can be formally stated as follows.

The factoring problem

Input: A composite integer N .

Goal: Find the prime decomposition of N .

The reduction from the RSA problem to factoring is as follows. Assume we are using a k-prime modulus N . Then, given the prime factorization N = p1· · · pk, we can compute

ϕ(N ) =Qk

i=1(pi− 1). This allows us to use the extended Euclidean algorithm to find

the d ∈ (Z/ϕ(N )Z)∗ that solves the equation ed ≡ 1 mod ϕ(N ). This then allows us to recover the message by computing m = cd mod N . It remains an open question whether factoring is as hard as the RSA problem.

It is interesting to note that if we are given only one prime factor of a k-prime modu-lus N , then we can still learn something about the encrypted message. To demonstrate this, let c = me mod N be a ciphertext that is encrypted using a k-prime modulus N , and suppose we are given a prime factor pi | N . Since ed ≡ 1 mod φ(N ), we know that

ed ≡ 1 mod (pi − 1). Moreover, since we know the values of e and (pi− 1), we can

compute ¯di = d mod (pi− 1), by using the extended Euclidean algorithm to compute

the multiplicative inverse of e modulo (pi− 1). Now notice that using ¯di we can compute

¯

mi= m mod pi= cd mod pi = cd mod (pi−1) mod pi = c ¯

di _{mod p}

i.

Thus, for each prime factor pi | N that we know, we can compute the value of m

modulo pi. Note that knowing the value of m modulo pi eliminates many potential

(15)

2.2.2 Shor’s algorithm and GEECM

For RSA with a k-prime modulus, the top threats (i.e., the fastest algorithms to factor the modulus) are Shor’s algorithm and GEECM. Both algorithms are discussed in more detail in Chapter 3 and 4, respectively.

Shor’s algorithm, discovered by Peter Shor in 1994 [21], is a quantum algorithm that finds a factor of a composite n-bit integer in time O(n2log n log log n) = eO(n2). It is considerably faster than any known classical algorithms for factoring, as the currently best known classical randomized algorithm for factoring runs in time roughly 2n1/3 [13]. Comparing the usage cost in Section 2.1.1 with the runtime of Shor’s algorithm, it is clear that RSA as used today (i.e., with a 2-prime modulus) is broken by Shor’s algorithm, since the usage cost is essentially equal to the attack cost. Therefore, in order to obtain a gap between the usage cost and attack cost in the presence of Shor’s algorithm, we have to use a k-prime modulus for k sufficiently large.

However, Shor’s algorithm gets outperformed by GEECM when factoring a k-prime modulus if k is too large. GEECM, proposed by Bernstein et al. [4], finds a factor of an n-bit modulus consisting of k primes of size p in time L1+o(1), where L = exp√log p log log p. Notice that, in contrast to Shor’s algorithm, the runtime of GEECM depends on the size of the prime factors of the number we wish to factor. This implies that we cannot pick k too large, since for very large values of k, GEECM will be able to very efficiently factor the k-prime modulus and thus break the cryptosystem.

2.3 Post-Quantum RSA parameters

Post-Quantum RSA modifies RSA by using a k-prime modulus for some fairly large k, and a constant encryption exponent, e.g., e = 3. In this section, we derive the parameters of Post-Quantum RSA, and we discuss the resulting security. The goal is to determine the value of k that maximizes the gap between the usage cost and the attack cost.

First, let’s recap the usage cost of RSA with an n-bit, k-prime modulus N . By letting the encryption exponent be some small constant, e.g., e = 3, we get that encrypting only costs us a small constant number of multiplications modulo N , which can be done in eO(n) steps. Bernstein et al. proposes a key generation algorithm that generates an n-bit, k-prime modulus in eO(n) steps [4]. As we saw in Section 2.1.1, we can decrypt a message in eO(n2k−1) steps.

Next, let’s recap the attack cost of RSA with an n-bit modulus consisting of k primes of size p. As we discussed in the Section 2.2, Shor’s algorithm can break RSA in O(n2log n log log n) = eO(n2) steps, and GEECM can break RSA in L1+o(1)steps, where L = exp√log p log log p. Thus, the attack time of RSA with a k-prime modulus is either the runtime of Shor’s algorithm or the runtime of GEECM, depending on which one is faster for that specific value of k.

In order to minimize the usage cost, we want to pick k as big as possible. However, we don’t want the attack cost to decrease too much by doing so. In other words, we don’t want to pick k too big such that GEECM will outperform Shor’s algorithm. The

(16)

cutoff lies at

k ∈ n (log n)2+o(1),

which is the value for k used in Post-Quantum RSA.

If we plug in this value for k, then the usage cost becomes eO(n). Moreover, breaking Post-Quantum RSA using either Shor’s algorithm or GEECM would require an amount of steps that is roughly quadratic in n. Thus, the attack cost is essentially quadratic in the usage cost. This is a lot worse then the exponential gap RSA had before Shor’s algorithm. However, it is an improvement over the version of RSA that is used today (i.e., with a 2-prime modulus), where the usage cost is essentially equal to the attack cost.

A question that arises is whether there exists a quantum algorithm for factoring that outperforms Shor’s algorithm on the modulus used by Post-Quantum RSA. In other words: are there quantum algorithms for factoring that are faster than Shor’s algorithm in the special case where the number we wish to factor has many small prime factors? In Chapter 3, we discuss a few attempts to speedup Shor’s algorithm for the special case that the number we wish to factor has many small prime factors. Afterwards, in Chapter 4, we consider an attempt at finding a better quantum enhancement of ECM by unifying it with Shor’s algorithm.

(17)

3 Attempts to speed up Shor’s

algorithm

In this chapter we discuss two attempts to speed up Shor’s algorithm. In particular, motivated by the newly proposed cryptosystem Post-Quantum RSA discussed in Chap-ter 2, we study the special case where the number we wish to factor is composed of many fairly small prime factors.

At present, the attack cost of Post-Quantum RSA is essentially quadratic in its usage cost. We would like to find out whether we can reduce this exponent 2. Particularly, we investigate if we can adjust Shor’s algorithm so that it can factor an n-bit Post-Quantum RSA modulus in eO(n2−_{) steps, for some ∈ (0, 1).}

In Section 3.1, we give a recap of Shor’s algorithm and discuss its cost. Subsequently, in Section 3.2, we discuss an attempt to use elements of low multiplicative order modulo N to more efficiently find a non-trivial factor of N . Finally, in Section 3.3, we discuss an attempt in which we apply the final steps of Shor’s algorithm to a quantum state that is cheaper to prepare but still closely related to the state normally used.

3.1 Recap of Shor’s algorithm

In this section we recapitulate the polynomial-time quantum algorithm for factoring by Peter Shor [21]. We begin by discussing the important observation by Shor that an efficient algorithm for the so-called order-finding problem implies an efficient algorithm for factoring. Afterwards, we describe Shor’s order-finding algorithm and discuss its cost.

3.1.1 Reduction from factoring to order-finding in (Z/NZ)∗

First, we consider the so-called order-finding problem. As we will show later, it turns out that factoring can be reduced to the order-finding problem. Reduced means that an efficient algorithm for the order-finding problem implies an efficient algorithm for factoring. The order-finding problem can be formally defined as follows:

The order-finding problem.

Input: An n-bit integer N and some x ∈ (Z/N Z)∗.

Goal: Find the order of x, i.e. find the least r ∈ Z≥1 such that xr ≡ 1 mod N .

Suppose we wish to factor some composite integer N . Solving the above order-finding problem will give us a factor of N as follows. Assuming N is odd, it can be shown that with probability ≥ 1/2, the order r is even and xr/2± 1 are not multiples of N . Note

(18)

that in this case we have

xr≡ 1 mod N ⇐⇒ (xr/2+ 1)(xr/2− 1) ≡ 0 mod N.

In particular, we have two non-zero elements of the ring (Z/N Z) that multiply to zero. This implies that both these elements do not have a multiplicative inverse, which is equivalent to saying that gcd(xr/2± 1, N ) 6= 1, N . Computing these greatest common divisors, which can be done efficiently using the Euclidean algorithm, gives us a non-trivial factor of N .

3.1.2 Solving the order-finding problem

We now discuss the algorithm by Peter Shor that solves the order-finding problem defined in Section 3.1.1. The main building blocks of this algorithm are the quantum Fourier transform (QFT) and the unitary Ox,N that maps |ai |0i 7→ |ai |xa mod N i, where x is

the element of (Z/N Z)∗ whose order we want to find. The steps of Shor’s order-finding algorithm are as follows.

Shor’s order-finding algorithm

Step 1: Pick some q = 2` such that N2< q ≤ 2N2.

Step 2: Start with the state |0`i |0n_{i and apply the QFT to the first register to build}

the uniform superposition

1 √ q q−1 X a=0 |ai |0ni .

Step 3: Apply the unitary Ox,N to build the state

|ψi = √1 q q−1 X a=0 |ai |xa mod N i . (3.1)

Step 4: Measure the second register and discard it. Suppose the outcome of this measurement was y ∈ (Z/N Z)∗, then the resulting state is

1 √ m m−1 X j=0 |jr + si ,

where s is the least integer 0 ≤ s < q such that xs≡ y mod N , and m is the number of integers 0 ≤ a < q that satisfy xa≡ y mod N .

Step 5: Apply the QFT again and measure the state in the computational basis. Step 6: Do some classical post-processing to obtain the order of x.

(19)

To show how Shor’s order-finding algorithm finds the order of our x ∈ (Z/N Z)∗, we now look at the outcome of the measurement in Step 5 of the algorithm.

Lemma 3.1. With high probability the measurement in Step 5 of Shor’s order-finding algorithm yields an integer b such that

b q − c r ≤ 1 2q, for some c.

Proof. After applying the QFT in Step 5 of Shor’s order-finding algorithm, our system will be in the state

|ψi = √1 m m−1 X j=0 1 √ q q−1 X b=0 e2πi(jr+s)b/q|bi = √1 mq q−1 X b=0 e2πisb/q   m−1 X j=0 e2πirb/q  |bi . When measuring this state, the probability that the measurement yields b is given by

1 √ mq m−1 X j=0 e2πijrb/q 2 = 1 √ mq m−1 X j=0 e2πirb/qj 2 = 1 √ mq m−1 X j=0 e2πi{rb}q/qj 2 , (3.2)

where {rb}q is the residue which is congruent to rb mod q and is in the range −q/2 <

{rb}q ≤ q/2. It turns out that if {rb}q is small, then the expression in Equation 3.2 is

large. This can be shown by approximating the sum in Equation 3.2 by an integral as is done in Section 5 of [21]. In particular, one can show that the probability that the measurement yields some b will be at least 1/3r2 if

−r

2 ≤ {rb}q≤ r 2.

By the definition of {rb}q, the above expression is equivalent to saying that there is

exists some c such that

−r

2 ≤ rb − cq ≤ r 2. Diving by rq and rearranging the terms gives

b q − c r ≤ 1 2q.

Using this measurement outcome b from Lemma 3.1, we can compute r = ord(x) as follows. Since any two distinct fractions with denominator ≤ N must be at least 1/N2> 1/q apart, we conclude from Lemma 3.1 that c/r is the only fraction with denominator ≤ N at distance ≤ 1/2q from b/q. Applying a method called the “continued fraction expansion” to b/q then efficiently gives us c/r since this is the fraction with denominator ≤ N that is closest to b/q. With probability Ω(1/ log log r) we have gcd(c, r) = 1, in

(20)

Cost of Shor’s order-finding algorithm

Let us now look at the cost of Shor’s order-finding algorithm when N is an n-bit integer. Both Step 2 and Step 5 involve applying the QFT on ` qubits. This can be approximated well enough using O(n log n) gates [9]. The bottleneck of Shor’s order-finding algorithm algorithm lies in Step 3. Namely, to implement the unitary Ox,N we have to compute

the modular exponentiation xa mod N , for a ∈ NO(1). Using the square-and-multiply method, this costs us O(n) modular multiplications modulo N . Each of these modular multiplications can be done in O(n log(n) log log(n)) steps using the Sch¨onhage-Strassen algorithm. Therefore, Step 3 can be performed in O(n2log(n) log log(n)) steps. As discussed below Lemma 3.1, with probability Ω(1/ log log r) the outcome of the mea-surement in Step 5 allows us to efficiently compute the order of x. So, an expected number of O(log n) repetitions of Shor’s order-finding algorithm is sufficient to find the order of x. Accordingly, Shor’s order-finding algorithm solves the order-finding problem using an expected number of O n2(log(n))2log log(n) steps.

As mentioned above, the bottleneck of Shor’s order-finding algorithm lies in the com-putation of xa mod N , for a ∈ NO(1). The common theme among our attempts to speed up Shor’s algorithm is that they try to get around as much of this modular expo-nentiation step as possible. In the next section, we discuss a way to decrease the size of the exponent a by considering elements x ∈ (Z/N Z)∗ of sufficiently low order.

3.2 Using elements of low order

Suppose we have an element x ∈ (Z/N Z)∗ of which we know that its order is bounded above by some R N . Then, it turns out that we can adapt Shor’s order-finding algorithm to more efficiently find the order of x.

Lemma 3.2. Let N be an n-bit integer, and let x ∈ (Z/N Z)∗ be an element whose order r is bounded above by R. If we pick some qR = 2` such that R2 < qR ≤ 2R2, and we

apply Steps 4 through 6 of Shor’s order-finding algorithm to the state |ψRi = 1 √ qR qR−1 X a=0 |ai |xa mod N i , then we still obtain the order of x.

Proof. By a reasoning analogous to the proof of Lemma 3.1, one can show that with high probability the measurement in Step 5 yields a b such that

b qR − c r ≤ 1 2qR . (3.3)

Because any two fractions with denominator ≤ R must be at least 1/R2 > 1/qR apart,

we deduce from Equation 3.3 that c/r is the fraction with denominator ≤ R that is closest to b/qR. Applying the “continued fraction expansion” to b/qR then efficiently

gives us c/r. With probability Ω(1/ log log r) we have gcd(c, r) = 1, in which case writing the fraction c/r in lowest terms yields r.

(21)

Looking at the cost of Shor’s order-finding algorithm in Section 3.1.2, we observe that we can find the order of x in Lemma 3.2 in O (log(R) · n log(n) log log(n)) steps. Furthermore, the computation of the greatest common divisor gcd(xr/2± 1, N ), where r is the order of x, can be done in eO(n) steps. This results in the following corollary. Corollary 3.3. Let N be an n-bit composite integer and suppose we are given some x ∈ (Z/N Z)∗ whose order is bounded above by 2n1−, for some ∈ (0, 1). Then, there is a quantum algorithm that can find a non-trivial factor of N in O n2−(log(n))2log log(n) steps.

Motivated by Corollary 3.3, we look at the orders of the elements in (Z/N Z)∗. Un-fortunately, it turns out that most elements in (Z/N Z)∗ will have an order that is close to N , as illustrated by the following theorem.

Theorem 3.4. Let x ∈ Z>0 and let ordN(x) denote the order of x in (Z/N Z)∗. Then

the number of N ≤ y such that ordN(x) ∈ O(N1−) is o(y).

Proof. See Theorem 2 in [10].

Thus, to find an element of sufficiently low order, we likely have to try harder than trying different elements uniformly at random. In the following section, we discuss an attempt to construct elements of low order using a classical precomputation step. Here a “low” order means an order that is considerably less than N .

3.2.1 Adding a classical precomputation step

Let N = p1· · · pk be a Post-Quantum RSA modulus. Since all of the pi’s are relatively

small compared to N , it could be the case that ϕ(N ) =Qk

i=1(pi− 1) has a pretty large

factor that is completely built up from even smaller primes. If this is the case, it turns out that we can construct elements of low multiplicative order modulo N using a classical precomputation step.

A positive integer is called w-smooth if none of its prime factors is greater than w. To demonstrate how to construct elements of low order, let N be an n-bit integer such that for each prime power q | N we have q ≤ v, and let sw denote the (unique) largest

w-smooth factor of ϕ(N ) = # (Z/N Z)∗. We first pick a random element x ∈ (Z/N Z)∗. Then we let λ =Qw

r=2re(r), where e(r) := min{e ∈ Z>0 | re≥ v}, and compute

xλ mod N. (3.4) One way of doing this is by setting x1 = x and then computing xr := xr

e(r)

r−1 mod N ,

for r = 2, . . . , w. Using the square-and-multiply method and the Sch¨onhage-Strassen algorithm we can do so in time

O

w

X

r=2

log(re(r))n log(n) log log(n) !

= O

w

X

i=2

log(v)n log(n) log log(n) !

(22)

Lemma 3.5. The element xλ ∈ (Z/NZ)∗ defined in Equation 3.4 satisfies ordN(xλ) ≤ N sw . Proof. Let N = pe1 1 · · · p ek

k be the prime factorization of N . By the Chinese remainder

theorem we know that

ordN(xλ) = lcm{ord_pe1 1 (x λ_{), . . . , ord} pek_k (x λ_{)} ≤} k Y i=1 ord_pei i (x λ_), _(3.5) Write ϕ(pei

i ) = si,w· ti and ordpei_i (x) = sgi,w· ˜ti, where si,w is the (unique) largest w-smooth factor of ϕ(pei

i ) and sgi,w is the (unique) largest w-smooth factor of ordpei

i (x).

Because ord_pei

i (x) | ϕ(p

ei

i ), we have thatsgi,w| si,w and ˜ti | ti. Moreover, by our definition of λ we have that ord_pei i (x λ_{) =} ordpeii (x) gcd(ord_pei i (x), λ) = sgi,w· ˜ti g si,w = ˜ti ≤ ti = ϕ(pei i ) si,w . (3.6)

Combining Equation 3.5 and Equation 3.6 now yields

ordN(xλ) ≤ k Y i=1 ord_pei i (x λ_{) ≤} k Y i=1 ϕ(pei i ) si w = Qk i=1ϕ(p ei i ) Qk i=1siw = ϕ(N ) sw ≤ N sw .

Combining Lemma 3.5 with Corollary 3.3 results in the following corollary.

Corollary 3.6. Let N be an n-bit Post-Quantum RSA modulus and ∈ (0, 1). If the group order ϕ(N ) = # (Z/N Z)∗ has an n1−-smooth factor of size 2n−n1−, then there is a quantum algorithm that can find a non-trivial factor of N in eO(n2−) steps. Proof. In this case we have w = n1− and v = log(n)2+o(1). Therefore, the cost of computing xλ as in Equation 3.4 is given by

O(w log(v)n log(n) log log(n)) = O(n1−log(log(n)2)n log(n) log log(n)) = O(n2−log(n)(log log(n))2) = eO(n2−). Moreover, by Lemma 3.5 the order of xλ satisfies ordN(xλ) ≤ 2n

1−

. Therefore, by Corollary 3.3 we can find a non-trivial factor of N in eO(n2−_{) steps using x}λ_.

3.3 Using a subsignal

The bottleneck of Shor’s order-finding algorithm lies in the preparation of the state |ψi from Equation 3.1. Another way to speed up Shor’s algorithm would be to consider

(23)

states that are cheaper to prepare, but that are still closely related to |ψi. In this section, we consider a certain set of such states.

Let N be an n-bit integer and let x be an element of (Z/N Z)∗. As in Shor’s order-finding algorithm, pick some q = 2` such that N2 < q ≤ 2N2. For any subset A ⊆ {0, . . . , q − 1} we can define the state

|ψ_Ai := 1 p|A|

X

a∈A

|ai |xa _{mod N i .} _(3.7)

One way to view such a state |ψAi is as a subsignal of the signal state |ψi from

Equa-tion 3.1. Suppose our subset A satisfies the following two properties:

(i) |ψAi can be prepared in O n2−(log(n))2log log(n) steps, for some > 0.

(ii) If we apply Steps 4 through 6 of Shor’s order-finding algorithm to |ψAi, we can

still obtain the order of x.

Then this subset A would allows us to find a factor of N in O(n2−(log(n))2log log(n)) steps. It could be the subject of future research to see if there exists a subset A that satisfies the above two properties. In the rest of this section, we very briefly mention two attempts at finding a subset A that satisfies the above two properties.

Only the beginning of the signal

The state |ψRi from Lemma 3.2 is the same as the state |ψAi for A = {0, . . . , qR− 1}.

As discussed in Section 3.2, if R is sufficiently small, then we can prepare this state in O(n2−_{log(n) log log(n)) steps. However, if the order of x is not bounded above by R,}

then we have no guarantee that we will be able to determine the order of x by applying Steps 4 through 6 of Shor’s order-finding algorithm to this state |ψAi.

Hamming weight

Consider A = {x ∈ {0, 1}2n | H(x) ≤√n}, where H denotes the Hamming weight. Using the square-and-multiply method, we can compute xa mod N , for a ∈ A, in 2n +√n multiplications modulo N . This is less than the 4n multiplications modulo N required to compute xa mod N , for a ∈ {0, . . . , q − 1}. However, we still will not be able to prepare the state |ψAi using only the required O(n2−(log(n))2log log(n)) steps.

(24)

4 Lenstra’s elliptic curve factorization

method and quantum enhancements

In this chapter we discuss Lenstra’s elliptic curve factorization method and investigate how we can enhance this algorithm using quantum techniques. More specifically, we study GEECM, a quantum enhancement of Lenstra’s elliptic curve factorization method proposed by Bernstein et al. [4], and discuss a way to unify Lenstra’s elliptic curve factorization method and Shor’s order-finding algorithm.

In Section 4.1, we give an introduction to the theory of elliptic curves over (Z/N Z) and collect some important results. In Section 4.2, we discuss how Lenstra’s elliptic curve factorization method solves the factoring problem and how GEECM accelerates this algorithm using quantum techniques. Finally, in Section 4.3, we consider a unification of Lenstra’s elliptic curve factorization method and Shor’s order-finding algorithm that finds a non-trivial factor of a squarefree integer N by computing the order of a point on an elliptic curve over (Z/N Z).

4.1 Preliminaries

Let N be a positive integer such that gcd(6, N ) = 1. In this section we give an introduc-tion to the theory of elliptic curves over the ring (Z/N Z). First we state the necessary definitions and afterwards we state the results that are required to study the algorithms in the rest of this chapter.

In order to give the definition of an elliptic curve over the ring (Z/N Z), we first need to define the so-called projective space over (Z/N Z).

Definition 4.1. The `-dimensional projective space over (Z/N Z), denoted P`(Z/N Z), is given by

{(a₀, . . . , a`) ∈ (Z/N Z)`+1| gcd(a0, . . . , a`, N ) = 1}/ ∼,

where (a0, . . . , a`) ∼ (b0, . . . , b`) iff there exists a u ∈ (Z/N Z)∗ with uai = bi, ∀i.

Remark. The equivalence class of (a0, . . . , a`) is denoted by (a0 : . . . : a`).

An elliptic curve over (Z/N Z) is parameterized by a pair in (Z/N Z)2. The set of points of an elliptic curve is a subset of the 2-dimensional projective space over (Z/N Z). Definition 4.2. (i) An elliptic curve E = Ea,bover (Z/N Z) is a pair (a, b) ∈ (Z/N Z)2

(25)

(ii) The set of points E(Z/N Z) of an elliptic curve E = Ea,b over (Z/N Z) is given by

E(Z/N Z) = Ea,b(Z/N Z) = {(x : y : z) ∈ P2(Z/N Z) | y2z = x3+ axz2+ bz3}.

Remark. • We require gcd(6, N ) = 1 only to simplify the exposition. Namely, for integers N with gcd(6, N ) 6= 1, one has to work with more general equations for the set of points of an elliptic curve than the so-called Weierstrass equations given by y2z = x3+ axz2+ bz3, see Chapter 3 of [22].

• The expression 4a3_{+ 27b}3_{is related to the discriminant of the curve defined by the}

Weierstrass equation y2z = x3 + axz2+ bz3. Its invertibility determines whether or not the curve defined by the corresponding Weierstrass equation is singular or not, i.e., whether the curve has cusps, self-intersections or isolated points. Since an elliptic curve is non-singular by definition, it is required that 4a3+27b2 ∈ (Z/NZ)∗. It turns out that the set of points of an elliptic curve has an Abelian group structure. This group structure lies at the heart of Lenstra’s elliptic curve factorization method and will be used to unify Lenstra’s elliptic curve factorization method and Shor’s order-finding algorithm.

Theorem 4.3. The set of points of an elliptic curve E(Z/N Z) has an Abelian group structure with O = (0 : 1 : 0) as the neutral element.

Proof. See Theorem 2.7 in [23].

Throughout the rest of this chapter we will write the group law on E(Z/N Z) additively. In the next proposition we give an overview of how to compute the sum of two points on E(Z/N Z) according to the group law.

Definition 4.4. R0:= Z[X1, Y1, Z1, X2, Y2, Z2, A, B]/(F1, F2), where Fi = Yi2Zi− Xi3−

AXiZ_i2− BZ_i3.

Proposition 4.5. There exist nine polynomials Si, Ti, Ui ∈ R0, i = 1, 2, 3, with the

following property. For any elliptic curve Ea,b over (Z/N Z), and any two points P1 =

(x1: y1 : z1), P2 = (x2: y2 : z2) on Ea,b, if we define si := Si(x1, y1, z1, x2, y2, z2, a, b), ti := Ti(x1, y1, z1, x2, y2, z2, a, b), ui := Ui(x1, y1, z1, x2, y2, z2, a, b), and M :=   s1 t1 u1 s2 t2 u2 s3 t3 u3  ,

then there exists a (Z/N Z)-linear combination (s0, t0, u0) of the rows of M which

sat-isfies gcd(s0, t0, u0, N ) = 1. Furthermore, (s0, t0, u0) is unique up to multiplication by ∗

(26)

Proof. See Section 3 in [14].

Remark. For nine explicit polynomials S1, S2, . . . , U3 with the above property see [11].

Since we will use the group structure on E(Z/N Z) in our algorithms, we would like to know how much it costs to add two points. To compute the entries of the matrix M from Proposition 4.5, we need to evaluate nine polynomials of finite degree in the ring (Z/N Z). Using the Sch¨onhage-Strassen algorithm we can do so in a total number of steps that is polynomial in log(N ). Subsequently, we need to find the linear combination of the rows of M that is asserted to exist in Proposition 4.5. Lenstra describes an algorithm that finds this linear combination of rows using a total number of steps that is bounded by a polynomial function of log(N ) [14]. Accordingly, we can add two points on E(Z/N Z) using a total number of steps that is polynomial in log(N ).

In the rest of this section, we will state results about elliptic curves over (Z/N Z) that we will use in the analysis of the algorithms in the rest of this chapter. First off, it turns out that if we consider an elliptic curve over a finite field, then O is the only point on the elliptic curve whose z-coordinate is zero.

Lemma 4.6. Let p be a prime and let E be an elliptic curve over (Z/pZ). Then O is the only element (x : y : z) ∈ E(Z/pZ) with z = 0.

Proof. Suppose (x : y : 0) ∈ E(Z/pZ). By the equation defining our elliptic curve, we get that x3= 0. Since (Z/pZ) is a field, x3 = 0 implies that x = 0. Because (0 : 0 : 0) is not an element of P2(Z/pZ), we must have that y 6= 0 and so (0 : y : 0) = (0 : 1 : 0).

Next, we state the famous result by Hasse that provides an estimate of the number of points on an elliptic curve over a finite field.

Theorem 4.7. Let p be a prime. For all elliptic curves E over (Z/pZ) we have #E(Z/pZ) ∈ [p + 1 − 2√p, p + 1 + 2√p]

Proof. See Theorem 9.2 in [23].

Lastly, we state a generalization of the Chinese Remainder Theorem to elliptic curves over (Z/N Z).

Lemma 4.8. (i) For each prime power q | N , we have the following group morphism πq: Ea,b(Z/N Z) → Ea,¯¯b(Z/qZ),

(x : y : z) 7→ (x mod q : y mod q : z mod q), where ¯a = a mod q, and ¯b = b mod q.

(ii) Let N = pe1

1 · · · p ek

k be the prime factorization of N , then we have the following

group isomorphism π := k

×

i=1 π_pei i : Ea,b(Z/N Z) ∼ −→ E_¯_a 1,¯b1(Z/p e1 1 Z) × · · · × E¯ak,¯bk(Z/p ek k Z), P 7→ π_pe1 1 (P ), . . . , πpekk (P ) ,

(27)

where ¯ai= a mod peii, and ¯bi = b mod peii.

Proof. Follows from Proposition 4.5 and the Chinese Remainder Theorem.

4.2 Lenstra’s elliptic curve factorization method and

GEECM

In this section we discuss Lenstra’s elliptic curve factorization method (ECM) and a quantum enhancement called GEECM proposed by Bernstein et al. [4]. To start with, we consider another algorithm for factoring that closely resembles Lenstra’s elliptic curve factorization method, namely, Pollard’s p − 1 algorithm.

Pollard’s p − 1 algorithm.

Step 1: Choose a number λ that is composed of small primes, e.g., λ = lcm(1, . . . , B), for some bound B.

Step 2: Choose at random some a ∈ (Z/N Z)∗. Step 3: Compute gλ = gcd(aλ− 1, N ).

To understand why and when this algorithm works, suppose that N has two prime factors p and q such that:

(i) p − 1 | λ, (ii) aλ 6≡ 1 mod q.

Then, it follows from (i) and Fermat’s little theorem that aλ ≡ 1 mod p. This implies that p | gλ. Moreover, it follows from (ii) that q - gλ. Combining this we notice that

p ≤ gλ < N . So, in the case that both (i) and (ii) hold, the algorithm will give us a

non-trivial factor gλ of N .

Notice that (i) only holds when p − 1 is completely built up from small primes. It turns out that Pollard’s p − 1 algorithm will most likely not work if (i) does not hold. Hence, Pollard’s p − 1 algorithm only works for N that have a prime factor p such that p − 1 is completely built up from small primes.

To remedy the fact that Pollard’s p − 1 algorithm only works for certain N , Lenstra’s elliptic curve factorization method uses the structure of the groups Ea,b(Z/N Z) instead

of the multiplicative group (Z/N Z)∗. The advantage of this is that if one curve doesn’t work, we can always try another.

Lenstra’s elliptic curve factorization method has two parameters v and w. The pa-rameter v is an upper bound for the size of the prime factor we want to find. The other parameter w determines the cost and success probability of one round in the algorithm.

(28)

Lenstra’s elliptic curve method.

Step 1: Choose an elliptic curve Ea,b over (Z/N Z) and some point P = (x0 : y0 : 1)

on the elliptic curve.

Step 2: Let e(r) = max{e | re≤ (√v + 1)2}, λ =Qw

r=2re(r) and compute

λ · P = (xλ: yλ : zλ).

Step 3: Compute gλ = gcd(zλ, N ). If gλ= 1 or N , then repeat from Step 1.

Let us go over the steps one by one. In Step 1, we choose an elliptic curve over (Z/N Z) and some point on this curve. This can we done by choosing x0, y0, a ∈ (Z/N Z)

uniformly at random, and putting b = y₀2− x3

0− ax0. If 4a3+ 27b2 ∈ (Z/NZ)∗, then we

have successfully chosen an elliptic curve Ea,b with the point (x0: y0 : 1) on it.

In Step 2, we have to compute a multiple of the point P according to the group struc-ture on Ea,b(Z/N Z). We add two points on Ea,b(Z/N Z) using the technique described

in Proposition 4.5. As discussed below that proposition, the number of steps required to add two points on E(Z/N Z) is bounded by a polynomial in log(N ). To compute Pλ,

we set P1 = P and compute Pr = re(r)Pr−1, for r = 2, . . . , w. We compute each

inter-mediate multiple Pr using the so-called double-and-add method. The double-and-add

method computes a multiple dQ, for d ∈ N and Q ∈ E(Z/N Z), as follows. Double-and-add method

Step 1: Take the binary representation d =Pk−1

i=0 di2i, di ∈ {0, 1} and k = dlog de.

Step 2: Compute 2Q = Q + Q, 4Q = 2Q + 2Q, . . . , 2k−1Q = 2k−2Q + 2k−2Q. Step 3: Compute dQ =Pk−1

i=0 di· (2iQ).

Using the double-and-add method to compute each intermediate multiple, we can per-form Step 2 using

O w X r=2 log(re(r)) ! = O (w log(v)) additions on Ea,b(Z/N Z).

To understand why and when Lenstra’s elliptic curve factorization method works, suppose that N has two prime factors p and q such that:

(i) #Ea,b(Z/pZ) | λ,

(29)

Then, it follows from (i) and Legendre’s theorem that πp(λ · P ) = O. This implies that

p | zλ. Moreover, it follows from (ii) and Lemma 4.6 that q - zλ. Combining this we

notice that p ≤ gλ < N . So, in the case that both (i) and (ii) hold, the algorithm will

give us a non-trivial factor gλ of N .

So, to analyze the number of elliptic curves we have to try until gλ is a non-trivial

factor of N , we have to examine the probability that (i) and (ii) hold. In the rest of this section we will give an overview of how this probability is determined. For more details we refer to Section 12 of the lecture notes on elliptic curves and factorization algorithms by van der Lingen [23].

By Theorem 4.7, we know that #Ea,b(Z/pZ) lies in the interval [p+1−2

√

p, p+1+2√p]. Therefore, by our definition of λ, if #Ea,b(Z/pZ) is completely built up from primes

≤ w and p ≤ v, then (i) must hold. To ensure that p ≤ v, we can either use some prior knowledge about N or we can set v = d√N e. Therefore, the probability that (i) holds is given by the probability that #Ea,b(Z/pZ) is completely built up from primes ≤ w.

As in Section 3.2.1, we shall refer to an integer that is completely built up from primes ≤ w as a w-smooth integer.

It turns out that the values around the middle of the interval from Theorem 4.7 appear roughly an equal number of times as a value for #E(Z/pZ), see Corollary 12.5 in [23]. Using this, one can show that the success probability of one round of the algorithm is at least cf (w)/ log(v), where c is some constant and f (w) is the probability that a uniformly random integer in the interval (p + 1 −√p, p + 1 +√p) is w-smooth. It is a conjecture by Lenstra that f (w) ≈ g(w), where g(w) is the probability that a uniformly random integer in the interval [0, p] is w-smooth.

To examine the probability that a uniformly distributed random integer in the inter-val [1, p] is w-smooth, we define

L(x) = e √

log(x) log log(x)_.

A theorem of Canfield, Erd¨os, and Pomerance [5] implies the following. Let c be a positive real number. Then the probability that a uniformly random integer in the interval [0, x] is L(x)c-smooth is 1/L(x)1/2c+o(1), for x → ∞. Hence, the expected number of additions on an elliptic curve over (Z/N Z) required by Lenstra’s elliptic curve factorization method is

O w log(v) · f (w)−1log(v) = Ow log(v) · L(v)1/2c+o(1)log(v) = O

L(v)c+o(1)log(v)2· L(v)1/2c+o(1) ≈ OL(v)c+1/2c+o(1)

.

This expression takes its minimum value for c = 1/√2. Plugging this in, we find that Lenstra’s elliptic curve factorization method finds any v-smooth non-trivial factor of N by computing an expected number of L(v)

√

2+o(1)_{additions on an elliptic curve.}

(30)

with a relatively small prime factor. Since RSA as used today uses a modulus that is the product of two primes of equal size, this algorithm was of little cryptographic rele-vance. However, since Post-Quantum RSA introduces a modulus that is the product of many fairly small primes, Lenstra’s ECM has recently become relevant for cryptographic purposes.

4.2.1 Grover plus Lenstra’s elliptic curve method

In this section we discuss a quantum enhancement of Lenstra’s elliptic curve factorization method, called GEECM, proposed by Bernstein et al. [4]. It improves upon Lenstra’s elliptic curve factorization method by using Grover’s algorithm to more efficiently search through the elliptic curves over (Z/N Z).

Suppose f : A → {0, 1} is a function on a finite set A such that #f−1({1}) = #A/R. Then, as discussed in Section 1.2.2, Grover’s algorithm can find an a ∈ A such that f (a) = 1 using an expected number of√R evaluations of f . Consider, in particular, the function f whose input is an elliptic curve E over (Z/N Z) and whose output is given by

f (E) = (

1 if Steps 2 and 3 of Lenstra’s ECM using E finds a non-trivial factor of N , 0 otherwise.

As discussed at the end of Section 4.2, if we let w = L(v)c+o(1), then an elliptic curve E satisfies f (E) = 1 with probability 1/L(v)1/2c+o(1). Accordingly, Grover’s algorithm can find an elliptic curve E such that f (E) = 1 using an expected number of L(v)1/4c+o(1)

evaluations of f . Since each evaluation of f costs w additions on an elliptic curve over (Z/N Z), Grover’s algorithm finds an elliptic curve E such that f (E) = 1 using an expected number of L(v)c+1/4c+o(1) _{additions on an elliptic curve over (Z/N Z). This}

expression takes its minimum value for c = 1/2. Plugging this in, we find that GEECM finds a non-trivial factor of N using an expected number of L(v)1+o(1) additions on an elliptic curve over (Z/N Z).

4.3 Unifying Lenstra’s elliptic curve factorization method

and Shor’s order-finding algorithm

In this section we discuss a way to unify Lenstra’s elliptic curve factorization method and Shor’s order-finding algorithm. In particular, we show that one can find a non-trivial fac-tor of a squarefree integer N by solving the order-finding problem in the group E(Z/N Z). Let N be a squarefree n-bit integer. Analogous to the order-finding problem defined in Section 3.1.1, we can also define the order-finding problem for the group E(Z/N Z).

The order-finding problem.

Input: An integer N , an elliptic curve E over (Z/N Z) and some P ∈ E(Z/N Z). Goal: Find the order of P , i.e., the least r ∈ Z≥1 such that r · P = (0 : 1 : 0).

(31)

It turns out that factoring can also be reduced to the above order-finding problem. Again by “reduced” we mean that an efficient algorithm for the order-finding problem implies an efficient algorithm for factoring. To show that factoring can be reduced to the above order-finding problem we need the following lemma.

Lemma 4.9. Let P ∈ E(Z/N Z) be a point of order r. Suppose (C1) r is even,

(C2) there exists a prime p | N such that Q := r₂P = (x : y : z) satisfies πp(Q) = O.

Then, g = gcd(z, N ) is a non-trivial factor of N .

Proof. From (C1) it follows that p | z and thus that p | g. Since r is the least positive integer such that r · P = O, it follows from the group isomorphism in Lemma 4.8 that there exists some prime q | N such that πq(Q) 6= O. By Lemma 4.6 this implies that

q - z and thus that q - g. This shows that p ≤ g < N . Therefore, g is indeed a non-trivial factor of N .

From the above lemma we deduce that if (C1) and (C2) hold, then we can compute a non-trivial factor of N using the order of P . So, to complete the proof that factoring can be reduced to the order-finding problem defined in this section, we need a lower bound for the probability that both (C1) and (C2) hold.

Proposition 4.10. Suppose we choose uniformly at random some (x, y, a) ∈ (Z/N Z). Define P = (x : y : 1), b = y2− x3_{− ax and let r denote the order of P . Then,}

Pr4a3+ 27b2 6∈ (Z/NZ)∗∨ ((C1) ∧ (C2)) ≥ 1 10. Proof. See Proposition 1 in [15].

Remark. Note that if ∆ = 4a3+ 27b26∈ (Z/NZ)∗, then gcd(∆, N ) is a non-trivial factor of N and so we are still able to find a non-trivial factor of N in this case.

By combining Lemma 4.9 and Proposition 4.10, we find that if P is a point on an elliptic curve over (Z/N Z) of order r, then with high probability r is even and gcd(z, N ) is a non-trivial factor of N , where r₂P = (x : y : z). We compute this non-trivial factor by computing Q = r₂P and subsequently computing a greatest common divisor. Using the technique described in Proposition 4.5 together with the Euclidean algorithm we can do so using a total number of steps that is polynomial in n. Hence, factoring can indeed be reduced to the order-finding problem defined at the beginning of this section.

This reduction results in a new method of finding a non-trivial factor of N , namely, by running Shor’s order-finding algorithm in a group Ea,b(Z/N Z) for random a and b.

That is to say, instead of applying the unitary Ox,N as in Section 3.1.2, we apply the

unitary that maps |ai |03ni 7→ |ai |a · P i, where P is a point on E_a,b_{(Z/N Z).}

(32)

order-the corresponding order-finding problem can be solved more efficiently. Whereas order-the group structure of (Z/N Z)∗ is completely fixed by N , by trying multiple elliptic curves we can look for a group structure in which we can more efficiently solve the order-finding problem.

For example, we could try multiple elliptic curves until we find one such that the exponent of the group defined by this elliptic curve is sufficiently low. Because, if this is the case, then an approach similar to that of Lemma 3.2 will allow us to more efficiently find a non-trivial factor of N . Alternatively, we could try multiple elliptic curves until we find one such that a classical precomputation step as in Section 3.2.1 will construct an element of sufficiently low order. That is, we could try multiple elliptic curves until we find an elliptic curve E such that #E(Z/N Z) has a large enough factor that is completely built up from small primes. In both cases, we can use Grover’s algorithm in a way similar to the way discussed in Section 4.2.1 to more efficiently search through the elliptic curves over (Z/N Z).

The cost of Shor’s order-finding algorithm depends largely on the cost of implementing the unitary that carries out the group operation. Another potential advantage of running Shor’s order-finding algorithm in a group Ea,b(Z/N Z) is that there might be an efficient

way to implement this unitary for this group. For the group (Z/N Z)∗, we found no way around using the square-and-multiply method to implement the unitary that carries out the group operation. However, it could be the case that there is a more efficient way to implement the corresponding unitary for the group E(Z/N Z) and therefore more efficiently find a non-trivial factor of N .

(33)

5 Parallelization of Shor’s algorithm

As discussed in Chapter 2, the use of Post-Quantum RSA requires a lot of computational resources since the required key size is rather large. Therefore, we should also consider the security of Post-Quantum RSA when up against an adversary with additional com-putational resources. In this chapter, we discuss the security of Post-Quantum RSA in the special case where the adversary has a certain number of processors at his disposal that can perform either classical or quantum operations in parallel. In particular, we discuss how to parallelize Shor’s algorithm to run on multiple processors and we discuss the speedup we can achieve this way.

In our recap of Shor’s algorithm in Section 3.1, we saw that the quantum part of Shor’s algorithm mainly consists of the quantum Fourier transform (QFT) and a modular exponentiation step (Step 3 in Section 3.1.2). Therefore, in order to parallelize Shor’s algorithm, we need to parallelize both the QFT and the modular exponentiation step. Richard Cleve and John Watrous have shown how to parallelize the quantum Fourier transform [6]. Moreover, they have also shown that sufficient classical precomputation allows parallelization of the part of the quantum circuit associated with the modular exponentiation step. Throughout this section, we assume that we have P processors running in parallel, each of which can at each time step perform any operation on any set of qubits/bits.

We begin, in Section 5.1, by discussing the parallelization of the quantum Fourier transform proposed by Cleve and Watrous. Afterwards, in Section 5.2, we discuss a way to parallelize the classical precomputation that allows parallelization of the part of the quantum circuit associated with the modular exponentiation step, and we discuss how Cleve and Watrous use the outcome of this classical precomputation step to achieve this parallelization of the part of the quantum circuit associated with the modular exponen-tiation step.

5.1 Parallel quantum Fourier transform

In this section we give an overview of how Cleve and Watrous parallelize the quantum Fourier transform in their paper [6]. Their main result is as follows.

Theorem 5.1. For any n and there is a quantum circuit approximating the QFT on n-qubits with precision that has size O(n log(n/)) and depth O(log(n) + log log(1/)). By an approximation of the QFT with precision , we mean a unitary V (possibly acting on additional auxiliary qubits) with the following property: for any input quantum state, the Euclidean distance between applying the QFT to the state and V to the

Quantum algorithms for factoring and Post-Quantum RSA

MSc Mathematics

Master Thesis