# Quantum Algorithms for Computing Short Discrete Logarithms and Factoring RSA Integers

## Abstract

We generalize the quantum algorithm for computing short discrete logarithms previously introduced by Ekerå [2] so as to allow for various tradeoffs between the number of times that the algorithm need be executed on the one hand, and the complexity of the algorithm and the requirements it imposes on the quantum computer on the other hand. Furthermore, we describe applications of algorithms for computing short discrete logarithms. In particular, we show how other important problems such as those of factoring RSA integers and of finding the order of groups under side information may be recast as short discrete logarithm problems. This gives rise to an algorithm for factoring RSA integers that is less complex than Shor’s general factoring algorithm in the sense that it imposes smaller requirements on the quantum computer. In both our algorithm and Shor’s algorithm, the main hurdle is to compute a modular exponentiation in superposition. When factoring an *n* bit integer, the exponent is of length 2*n* bits in Shor’s algorithm, compared to slightly more than *n*/2 bits in our algorithm.
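An added illustration, not taken from the paper: one way factoring N = pq can be recast as a short discrete logarithm, with classical baby-step giant-step standing in for the quantum step. The identity g^((N-1)/2) ≡ g^((p+q-2)/2) (mod N), the function names and the toy modulus are assumptions of this example, which also assumes p and q are odd primes of the same bit length.

```python
from math import gcd, isqrt

def short_dlog_candidates(g, x, N, bound):
    """Classical stand-in for the quantum step (baby-step giant-step):
    yield every e in [0, bound] with g**e == x (mod N)."""
    m = isqrt(bound) + 1
    baby, cur = {}, 1
    for j in range(m):                      # baby steps: g^j
        baby.setdefault(cur, []).append(j)
        cur = cur * g % N
    step = pow(g, -m, N)                    # g^(-m) mod N (Python 3.8+)
    gamma = x
    for i in range(m + 1):                  # giant steps: x * g^(-i*m)
        for j in baby.get(gamma, ()):
            if i * m + j <= bound:
                yield i * m + j
        gamma = gamma * step % N

def factor_via_short_dlog(N, g):
    """Factor N = p*q from the short logarithm d = (p+q-2)/2.

    (N-1)/2 = (p-1)(q-1)/2 + d, and every unit g mod N satisfies
    g^((p-1)(q-1)/2) = 1, so x = g^((N-1)/2) equals g^d with d only
    about half as long as N."""
    if gcd(g, N) != 1:
        raise ValueError("g must be a unit modulo N")
    x = pow(g, (N - 1) // 2, N)             # computable without knowing p, q
    bound = 2 * isqrt(N)                    # d < 1.07*sqrt(N) for balanced p, q
    for e in short_dlog_candidates(g, x, N, bound):
        s = 2 * e + 2                       # candidate value of p + q
        disc = s * s - 4 * N                # (p - q)^2 if s is right
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc:
            continue                        # e matched only modulo ord(g)
        p, q = (s - root) // 2, (s + root) // 2
        if p > 1 and p * q == N:
            return p, q
    return None

if __name__ == "__main__":
    N = 1009 * 1013                         # constructed toy modulus
    p, q = factor_via_short_dlog(N, 2)
    d = (p + q - 2) // 2
    print(p, q, "log bits:", d.bit_length(), "modulus bits:", N.bit_length())
```

The candidate loop covers the case where the order of g is smaller than d, so that several exponents in the short range match x; only the one giving a perfect-square discriminant yields the factors.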

## Keywords

Discrete logarithms, Factoring, RSA, Shor’s algorithms

## Notes

### Acknowledgments

Support for this work was provided by the Swedish NCSA, which is a part of the Swedish Armed Forces, and by the Swedish Research Council (VR). We are grateful to Lennart Brynielsson for many interesting discussions on the topic of this paper. The input of the referees and of Rainer Steinwandt was also helpful.

## References

- 1. Cleve, R., Watrous, J.: Fast parallel circuits for the quantum Fourier transform. In: Proceedings of the 41st Annual Symposium on Foundations of Computer Science, pp. 526–536 (2000)
- 2. Ekerå, M.: Modifying Shor’s algorithm to compute short discrete logarithms. Cryptology ePrint Archive, Report 2016/1128 (2016)
- 3. Håstad, J., Schrift, A., Shamir, A.: The discrete logarithm modulo a composite hides O(n) bits. J. Comput. Syst. Sci. **47**(3), 376–404 (1993)
- 4. Lenstra, H.W., Lenstra, A.K., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. **261**, 515–534 (1982)
- 5. Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: Proceedings of the Twenty-Sixth Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 276–294 (2015)
- 6. Mosca, M., Ekert, A.: The hidden subgroup problem and eigenvalue estimation on a quantum computer. In: Williams, C.P. (ed.) QCQC 1998. LNCS, vol. 1509, pp. 174–188. Springer, Heidelberg (1999). doi: 10.1007/3-540-49208-9_15
- 7. Seifert, J.-P.: Using fewer qubits in Shor’s factorization algorithm via simultaneous diophantine approximation. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 319–327. Springer, Heidelberg (2001). doi: 10.1007/3-540-45353-9_24
- 8. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pp. 124–134 (1994)
- 9. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. **26**(5), 1484–1509 (1997)