|
|
|
|
is given and known to be composite, find a
non-trivial factor of it, that is, 
such that 
divides (
). 
bits; this is exponential with the input size
as 
. See Lenstra and Lenstra
_[87], Gruska
_[67]. There
exist sub-exponential O(
) randomized algorithms
for factoring.
(typically of 512
or 1024 digits). Encription seems to be secure provided it is not feasible
to get from their product
.
The RSA
method is one of the most popular public key systems and is implemented in
many communication programs. 
| Year/Number of bits |  |
 |
4096 |
| _ |  |
|
|
| 2006 |  years
|
 years
|
 years
|
|
|
|
|
| 2024 |  years
|
 years
|
 years
|
|
|
|
|
| 2042 |  days
|
 years
|
 years
|
and let us find an integer 
such that 
,
and 
, 
. If is an integer satisfying the above conditions, then 
is a multiple of , but 
is
not divisible by nor is 
, so there exists a non-trivial factor of that divides say or . A factor of can then be found by Euclid’s algorithm
in O(
) time: we compute 
and 
. 
, then 
is a solution of 
that verifies the above requirements; 
, 
so 5 and 3 are non-trivial divisors of 15. 
be the set of all integers in the interval 
co-primes with , that is 
.
Pick
in
and define the function
(
).
is periodic,
that is there exists an integer 
such that
, for every 
. The smallest such that 
is called the order of and is denoted
by 
. is even, then the equation
is a multiple
of , hence, unless 
or 
both factors of the product must have a non-trivial factor in common with . Consequently, the following algorithm can be used: 
.
, then we have
a factor of and stop. of the function
. is odd or 
or 
,
to get a factor of 
and stop. _
, where 
is a prime and 
, if 
and 
, then
is odd or or . So, this case is excluded by the above algorithm. However,
we don’t lose generality because power of primes can be factorized by conventional
computers in polynomial time. by computing and ? This
question is answered by the following evaluations (see, for example, Shor
_[122] or Gruska
[67]): 
 |
Assume that
is not a power of a prime. If is selected uniformly distributed in , then the probability to find a even such that  and  is greater or equal to  . |
|
If is odd and is selected uniformly distributed in , then the probability that is even is greater or equal to  . |
|
The probability
of picking an element , uniformly distributed
in , such that is even, and is greater or equal to . |
If there is a polynomial time deterministic/probabilistic/quantum
algorithm to compute the period of the function , for every  , then there exists a deterministic/probabilistic/quantum
algorithm to factorize any integer . |
! Next we will follow Shor
_[122] in presenting
a polynomial time quantum algorithm to compute the period of the function
. 
be quantum function 
of the integer function 
with the unknown period 
. To determine , we need two registers, with the sizes of 
and 
qubits,
which should be reset to 
. 
, a homogenous superposition of all basis vectors
in the first register by applying an operator 
: 
to the resulting state gives:
with 
reduces the state to 
, where 
is the largest integer
such that 
, and 
is chosen randomly (by measurement).
So, 
. The post-measurement
state 
of the first register
consists only of basis vectors of the form 
. Reason: 
, for all 
. 
then 
is a multiple of , then 
if 
is a multiple of 
, and 
otherwise. But even
if is not a power of 
, the spectrum of 
shows distinct peaks with a period of because 
qubits when : it guarantees
at least 
elements in the above sum and
thus a peak width of order O
. 
close to 
with 
. This can be written as 
. We can think of this result as a rational approximation
with 
for dyadic number 
. An efficient classical algorithm for solving
this problem using continued fractions is described in Hardy and Wright [
68] and is implemented in the denominator function. 
and are
only determined by 
if 
. The probability that and are
co-prime is greater then 
, so only O
trials are necessary to achieve a probability of success as close to one
as desired; in fact, as observed by Shor _[122], the expected number of trials can be
decreased to a constant.
Number of bits |
|
|
4,096 |
| Number of qubits
|
 years |
 years |
 years |
| Number of gates |
 years |
 years |
 years |
| Factoring time |
 mins |
36 min |
 hours |
Cf. Vazirani
_[139].
It is not known whether
breaking RSA is as hard as factoring.
The greatest common divisor 
of 
can be computed by the scheme: 
 |
 |
|
|
This set is
a group under the multiplication (
).
Recall that 
is the set of all integers in the interval
co-primes with 
.
If the supposed period 
derived form the rational approximation 
is odd or 
, then one could try to expand
by some integer factor
in order to guess the actual period 
.
